Thursday, February 14, 2019

Vlans

Topic:
Isolating VM traffic using VLANs
Setup:
Two Physical Networks:

  • Data Network: Ethernet network for VM data traffic, which will carry VLAN tagged traffic between VMs. Your physical switch(es) must be capable of forwarding VLAN tagged traffic, and the physical switch ports should be VLAN trunks (usually this is the default behavior; configuring your physical switching hardware is beyond the scope of this document).
  • Management Network: This network is not strictly required, but it is a simple way to give the physical host an IP address for remote access, since an IP address cannot be assigned directly to eth0.
Two Physical Hosts:
Host1, Host2.  Both hosts are running Open vSwitch.  Each host has 2 NICs:
  • eth0 is connected to the Data Network. No IP address can be assigned on eth0.
  • eth1 is connected to the Management Network (if necessary). eth1 has an IP address that is used to reach the physical host for management.
Four VMs:
VM1,VM2 run on Host1.  VM3,VM4 run on Host2.
Each VM has a single interface that appears as a Linux device (e.g., "tap0") on the physical host. (Note: for Xen/XenServer, VM interfaces appear as Linux devices with names like "vif1.0".)

Goal:
Isolate VMs using VLANs on the Data Network.
VLAN 1: VM1,VM3
VLAN 2: VM2,VM4
Configuration:
Perform the following configuration on Host 1:
Create an OVS bridge:
ovs-vsctl add-br br0
Add eth0 to the bridge (by default, all OVS ports are VLAN trunks, so eth0 will carry all VLANs):
ovs-vsctl add-port br0 eth0
Add VM1 as an "access port" on VLAN 1:
ovs-vsctl add-port br0 tap0 tag=1
Add VM2 on VLAN 2:
ovs-vsctl add-port br0 tap1 tag=2
On Host 2, repeat the same configuration to set up a bridge with eth0 as a trunk:
ovs-vsctl add-br br0
ovs-vsctl add-port br0 eth0
Add VM3 to VLAN 1:
ovs-vsctl add-port br0 tap0 tag=1
Add VM4 to VLAN 2:
ovs-vsctl add-port br0 tap1 tag=2
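The per-host steps above can be applied as a single ovs-vsctl transaction and then checked, which makes the isolation easier to reproduce and audit. The script below is an added example, not part of the original post or of Open vSwitch itself. It assumes the bridge, NIC and tap names used above (br0, eth0, tap0, tap1), that ovs-vsctl and ovs-appctl are on PATH when APPLY=1 is set, and that the "ovs-appctl fdb/show" dump has the usual "port VLAN MAC Age" columns; with APPLY unset it only builds the command and exercises the audit on constructed input.

```shell
#!/bin/sh
# Added example (not from the original post or the OVS project).
# Builds the per-host OVS VLAN layout as one ovs-vsctl transaction, applies
# it when APPLY=1, reads the tags back, and audits the learned-MAC table for
# addresses that show up on a VLAN the host is not supposed to carry.

# Emit one ovs-vsctl transaction: create the bridge, add the trunk NIC with no
# tag (an untagged OVS port is a trunk, the default noted above) and add each
# VM tap as an access port with its tag.  "--" chains commands into one
# database transaction; "--may-exist" makes the script safe to re-run.
# Usage: ovs_vlan_cmd BRIDGE TRUNK_NIC PORT:TAG [PORT:TAG ...]
ovs_vlan_cmd() {
    bridge=$1; trunk=$2; shift 2
    cmd="ovs-vsctl --may-exist add-br $bridge -- --may-exist add-port $bridge $trunk"
    for spec in "$@"; do
        port=${spec%%:*}; tag=${spec##*:}
        cmd="$cmd -- --may-exist add-port $bridge $port tag=$tag"
    done
    printf '%s\n' "$cmd"
}

# Audit an "ovs-appctl fdb/show BRIDGE" dump read from stdin.  Every learned
# MAC whose VLAN is not in the space-separated allow-list is reported and the
# function returns 1; a clean table returns 0.  Column layout assumed:
#   port  VLAN  MAC  Age   (first line is the header and is skipped)
# Usage: ovs-appctl fdb/show br0 | fdb_audit "1 2"
fdb_audit() {
    allowed=$1
    awk -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }
        !($2 in ok) { printf "unexpected VLAN %s: %s learned on port %s\n", $2, $3, $1; bad = 1 }
        END { exit bad }'
}

# Apply and verify only when explicitly requested, so the script is safe to
# source or dry-run on a machine without Open vSwitch.
if [ "${APPLY:-0}" = 1 ]; then
    eval "$(ovs_vlan_cmd br0 eth0 tap0:1 tap1:2)"

    # Each VM port must read back its tag; eth0 must have none (prints []).
    for spec in tap0:1 tap1:2; do
        port=${spec%%:*}; tag=${spec##*:}
        [ "$(ovs-vsctl get port "$port" tag)" = "$tag" ] || echo "tag mismatch on $port"
    done
    echo "eth0 tag (trunk, expected []): $(ovs-vsctl get port eth0 tag)"

    # After the pings in the troubleshooting section, the MAC table should
    # only contain entries on VLAN 1 and VLAN 2.
    ovs-appctl fdb/show br0 | fdb_audit "1 2" || echo "MAC learned outside VLAN 1/2"
else
    echo "dry run; command that APPLY=1 would execute:"
    ovs_vlan_cmd br0 eth0 tap0:1 tap1:2
fi
```

Run it as "APPLY=1 sh ovs-vlan.sh" on Host 1; on Host 2 the same invocation applies, since both hosts use identical names. The fdb audit is the check worth keeping around: a MAC appearing on an unexpected VLAN is the quickest sign that a port was added without its tag (and therefore became a trunk) or that the physical switch is not honoring the tags.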

Trouble-Shooting:
Ping from VM1 to VM3, this should succeed.
Ping from VM2 to VM4, this should succeed.
Ping from VM1/VM3 to VM2/VM4, this should not succeed (unless you have a router configured to forward between the VLANs, in which case packets arriving at VM3 should have the source MAC address of the router, not of VM1).