VLAN

I am going to have to have a dedicated NIC on a VM to use on a VLAN for a
guest. Do I pass it through as a NIC and then assign it to the VLAN in the
VM, or do I have to assign the VLAN in the NIC config on the host?

Thanks

Hi warper2,

[QUOTE=warper2;23432]I am going to have to have a dedicated NIC on a VM to use on a VLAN for a
guest. Do I pass it through as a NIC and then assign it to the VLAN in the
VM, or do I have to assign the VLAN in the NIC config on the host?

Thanks[/QUOTE]

Both ways will work. If the system (your VM in this case) will connect to only a single VLAN and that VLAN will not change routinely, folks usually are more comfortable seeing no trace of VLAN configuration on that system; you’d then rather configure the infrastructure (switch port or vNIC configuration on the host).

What hypervisor are you using? I have plenty of experience with Xen environments with trunked Dom0 Ethernet connections, running IEEE 802.1Q to the switches and multiple VLANs on top, with DomUs connecting to one or more of those VLANs.

Regards,
Jens


Hi Jens

Actually this is for my firewall, which I am running virtual, so I will explain what
I am doing; this is a fully virtualized VM.

eth0 br1
eth3 br2

I need to add a VLAN on eth4 to become br4, which should only listen for traffic on
vlan11.

Thanks

Hi warper2,

[QUOTE=warper2;23468]Hi Jens

Actually this is for my firewall, which I am running virtual, so I will explain what
I am doing; this is a fully virtualized VM.

eth0 br1
eth3 br2

I need to add a VLAN on eth4 to become br4, which should only listen for traffic on
vlan11.[/QUOTE]

(sorry for the delayed response, times are busy right now…)

I assume those device/bridge names are from the host system and your hypervisor is Xen on SLES11(SPx), since you indicated “fully virtualized vm”.

Still the picture is unclear; we’d need to know how your switch is passing the traffic to your host machine: If you have these three NICs each configured in the switch to be a member of the corresponding VLAN, neither your host nor your guest needs to know anything about VLANs.

If your host NICs are using IEEE 802.1Q (“tagged VLANs”) to communicate multiple VLANs to your host (I don’t think so, but who knows ;-) ), you have a choice:

  • create a bridge per VLAN inside the host, each connecting to the corresponding VLAN interface of the host
  • connect the vNICs (those from the guest) to each bridge, so that the guest needs to know nothing about VLANs (traditional setup, especially for firewalls, where each “network” (i.e. VLAN) has its own, isolated physical interface)

or you can pass through the tagged traffic:

  • create a bridge to the physical NIC on the host (thus giving you access to the tagged traffic)
  • bridge a single vNIC (guest interface) to that bridge and use your firewall’s mechanisms to access each VLAN

If you get each VLAN’s traffic without any tagging from your switch (via those three NICs), your Dom0 sees nothing of VLANs; those are simply “networks”. Create a new bridge like the two other ones (selecting the right physical NIC to bridge to, of course) and add a vNIC to your DomU, connecting that to the new bridge.

Please be (far) more specific in your description to receive a more detailed explanation of what to configure at what layer…

  • what hypervisor are you running (probably Xen on SLES, since the distinction HVM/PVM usually applies to that scenario) and what version of the host OS?
  • what OS is your firewall running - some dedicated system (since you’re running an HVM) rather than a SLES-based setup?
  • how’s the connectivity between switch and host/Dom0 set up?
  • which are the interfaces at Dom0 level, and are those 802.1Q? (eth0, eth3, eth4)
  • which are the interfaces at DomU level; do you need/want 802.1Q there, or prefer dedicated interfaces per VLAN?

And if the “simple scenario” applies, be a bit more verbose about the difficulties you are facing / the questions you have, because that looks like “simply do it as with the other two interfaces” to me and I’d need to know what steps you’re fighting with.

Best regards,
Jens
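The two host-side layouts Jens describes in both of his replies (a bridge per VLAN attached to a VLAN sub-interface, versus a bridge on the bare trunk NIC that hands tagged frames to the guest) decide which VLANs a DomU vNIC can actually see, and that is the isolation boundary a virtual firewall depends on. The following is an added example, not code from the thread or from SUSE: a small Python audit that reads SLES-style ifcfg files (BRIDGE/BRIDGE_PORTS on a bridge, ETHERDEVICE/VLAN_ID on a VLAN device) and a Xen `vif=[...]` line, then reports per vNIC whether it sits on a single "access" VLAN or on a trunk. The file contents, MAC addresses, the extra eth5/vlan22 devices and the rule that a VLAN device without VLAN_ID takes its tag from the trailing digits of its name are all constructed assumptions for the demonstration.

```python
import re

# Constructed /etc/sysconfig/network/ifcfg-* contents mirroring the thread's
# eth0/br1, eth3/br2 and eth4/vlan11/br4 layout, plus an assumed br5/eth5
# trunk bridge and a vlan22 device on the same eth5 to show the warning case.
IFCFG = {
    "br1":    "BOOTPROTO='static'\nSTARTMODE='auto'\nBRIDGE='yes'\nBRIDGE_PORTS='eth0'\n",
    "br2":    "BOOTPROTO='static'\nSTARTMODE='auto'\nBRIDGE='yes'\nBRIDGE_PORTS='eth3'\n",
    "vlan11": "STARTMODE='auto'\nETHERDEVICE='eth4'\nVLAN_ID='11'\n",
    "br4":    "BOOTPROTO='static'\nSTARTMODE='auto'\nBRIDGE='yes'\nBRIDGE_PORTS='vlan11'\n",
    "br5":    "BOOTPROTO='static'\nSTARTMODE='auto'\nBRIDGE='yes'\nBRIDGE_PORTS='eth5'\n",
    "vlan22": "STARTMODE='auto'\nETHERDEVICE='eth5'\n",
    "br6":    "BOOTPROTO='static'\nSTARTMODE='auto'\nBRIDGE='yes'\nBRIDGE_PORTS='vlan22'\n",
}

# Constructed vif line as found in a Xen domain config (assumed MACs).
XEN_CFG = ("vif=[ 'mac=00:16:3e:00:00:01,bridge=br1', 'mac=00:16:3e:00:00:02,bridge=br2',"
           " 'mac=00:16:3e:00:00:03,bridge=br4', 'mac=00:16:3e:00:00:04,bridge=br5' ]")


def parse_ifcfg(text):
    """Parse KEY='value' lines of an ifcfg file into a dict, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip("'\"")
    return conf


def vlan_id_of(name, conf):
    """Tag of a VLAN device: VLAN_ID if set, otherwise (assumption) the
    trailing digits of the interface name, e.g. vlan11 or eth4.11 -> 11."""
    if "VLAN_ID" in conf:
        return int(conf["VLAN_ID"])
    m = re.search(r"(\d+)$", name)
    return int(m.group(1)) if m else None


def topology(ifcfg_files):
    """Return (bridge -> [ports], vlan device -> (parent NIC, tag))."""
    bridges, vlans = {}, {}
    for name, text in ifcfg_files.items():
        conf = parse_ifcfg(text)
        if conf.get("BRIDGE", "").lower() == "yes":
            bridges[name] = conf.get("BRIDGE_PORTS", "").split()
        elif "ETHERDEVICE" in conf:
            vlans[name] = (conf["ETHERDEVICE"], vlan_id_of(name, conf))
    return bridges, vlans


def vifs(xen_cfg):
    """Extract (mac, bridge) pairs from a Xen 'vif=[ ... ]' line."""
    m = re.search(r"vif\s*=\s*\[(.*?)\]", xen_cfg, re.S)
    out = []
    for entry in re.findall(r"'([^']*)'", m.group(1) if m else ""):
        kv = dict(p.split("=", 1) for p in entry.split(",") if "=" in p)
        out.append((kv.get("mac"), kv.get("bridge")))
    return out


def audit(ifcfg_files, xen_cfg):
    """Per DomU vNIC: 'access' (only the VLAN behind the host's vlan device) or
    'trunk' (bridge port is the bare NIC, so every VLAN the switch port carries
    arrives tagged in the guest and isolation rests on the guest's own rules).
    Also warn when a NIC is bridged bare and is the parent of a vlan device:
    tagged frames for VLANs without a vlan device still reach the bare bridge."""
    bridges, vlans = topology(ifcfg_files)
    findings = []
    for mac, br in vifs(xen_cfg):
        for port in bridges.get(br, []):
            if port in vlans:
                parent, tag = vlans[port]
                findings.append((mac, br, "access", parent, tag))
            else:
                findings.append((mac, br, "trunk", port, None))
    bare = {p for ports in bridges.values() for p in ports if p not in vlans}
    warnings = sorted(
        f"{parent} is bridged bare and is also the parent of {dev}: "
        f"tagged traffic for other VLANs still reaches the bare bridge"
        for dev, (parent, _) in vlans.items() if parent in bare)
    return findings, warnings


if __name__ == "__main__":
    found, warns = audit(IFCFG, XEN_CFG)
    for mac, br, kind, nic, tag in found:
        print(f"{mac} on {br}: {kind} via {nic}" + (f" VLAN {tag}" if tag else ""))
    for w in warns:
        print("WARNING:", w)
```

Run it against real files by replacing the two constructed inputs with the contents of /etc/sysconfig/network/ifcfg-* and the DomU's config; any vNIC reported as "trunk" on a firewall VM is exactly the "pass through the tagged traffic" case, where the guest, not Dom0, enforces which VLANs it will answer on.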


Thanks Jens, I already got it working. It worked best with the host NIC just
connected as a NIC and no VLAN. Then set the VLAN on the VM and all was
good.