On 21.03.2016 16:57, Gordon Messmer wrote:
On 03/20/2016 08:51 PM, Devin Reade wrote:
In a CentOS 7 test HA cluster I'm building I want both traditional services running on the cluster and VMs running on both nodes
On a purely subjective note: I think that's a bad design. One of the primary benefits of virtualization and other containers is isolating the applications you run from the base OS. Putting services other than virtualization into the system that runs virtualization just makes upgrade more difficult later.
A given VM will be assigned a single network interface, either in the DMZ, on vlan2, or on vlan3. Default routes for each of those networks are essentially different gateways.
What do you mean by "essentially"?
On the DMZ side, the physical interface is eno1 on which is layered bridge br0.
...
On the other network side, the physical interface is enp1s0, on which is layered bridge br2, on which is layered VLAN devices enp1s0.2 and enp1s0.3.
That doesn't make any sense at all. In what way are enp1s0.2 and enp1s0.3 layered on top of the bridge device?
Look at the output of "brctl show". Are those two devices slaves of br2, like enp1s0 is? If so, you're bridging the network segments.
You should have individual bridges for enp1s0, enp1s0.2 and enp1s0.3. If there were any IP addresses needed by the KVM hosts, those would be on the bridge devices, just like on br0.
As a side note it is actually possible now to have one bridge to manage multiple independent vlans. Unfortunately this is basically undocumented (at least I can't find any decent documentation about this). One user of this is Cumulus Linux: https://support.cumulusnetworks.com/hc/en-us/articles/204909397-Comparing-Tr...
Apparently you can manage this with the "bridge" command. Here is what I get on my Fedora 22 system:
0 dennis@nexus ~ $ bridge fdb
01:00:5e:00:00:01 dev enp4s0 self permanent
33:33:00:00:00:01 dev enp4s0 self permanent
33:33:ff:ef:69:e6 dev enp4s0 self permanent
01:00:5e:00:00:fb dev enp4s0 self permanent
01:00:5e:00:00:01 dev virbr0 self permanent
01:00:5e:00:00:fb dev virbr0 self permanent
52:54:00:d3:ca:6b dev virbr0-nic master virbr0 permanent
52:54:00:d3:ca:6b dev virbr0-nic vlan 1 master virbr0 permanent
01:00:5e:00:00:01 dev virbr1 self permanent
52:54:00:a6:af:5d dev virbr1-nic vlan 1 master virbr1 permanent
52:54:00:a6:af:5d dev virbr1-nic master virbr1 permanent
0 dennis@nexus ~ $ bridge vlan
port	vlan ids
virbr0	 1 PVID Egress Untagged
virbr0-nic	 1 PVID Egress Untagged
virbr1	 1 PVID Egress Untagged
virbr1-nic	 1 PVID Egress Untagged
I'm not sure if the CentOS 7 kernel is recent enough to support this but I thought I'd mention this anyway to make people aware that the "one bridge per vlan" model is no longer the only one in existence.
Regards, Dennis
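An added example, not from anyone in this thread: a small checker that parses the `bridge vlan` table format Dennis shows and answers Gordon's question of whether two ports (such as enp1s0.2 and enp1s0.3) end up in one broadcast domain on the same bridge. The two tables and the tap names vnet0/vnet1 are constructed for the example.

```python
from collections import defaultdict

# Constructed `bridge vlan` tables in iproute2 format, not taken from the thread.
# FLAT: a plain br2 with enp1s0 and both VLAN sub-interfaces enslaved side by
# side (Gordon's concern). AWARE: a VLAN-filtering br2, trunk carries VIDs 1-3.
FLAT = """\
port\tvlan ids
enp1s0\t 1 PVID Egress Untagged
enp1s0.2\t 1 PVID Egress Untagged
enp1s0.3\t 1 PVID Egress Untagged
"""
AWARE = """\
port\tvlan ids
enp1s0\t 1 PVID Egress Untagged
\t 2-3
vnet0\t 2 PVID Egress Untagged
vnet1\t 3 PVID Egress Untagged
"""


def parse_bridge_vlan(text):
    """Return {port: {vid: set(flags)}}. Lines starting with whitespace
    continue the previous port; VID ranges like "2-3" are expanded."""
    ports, port = defaultdict(dict), None
    for line in text.splitlines():
        if not line.strip() or line.split()[0] == "port":
            continue  # blank line or column header
        if not line[0].isspace():
            port, line = line.split(None, 1)
        elif port is None:
            raise ValueError("continuation before any port: %r" % line)
        vid, flags = line.split()[0], set(line.split()[1:])
        lo, _, hi = vid.partition("-")
        for v in range(int(lo), int(hi or lo) + 1):
            ports[port][v] = flags
    return dict(ports)


def l2_domains(ports):
    """Invert the table: for each VID, the ports the bridge floods together."""
    domains = defaultdict(set)
    for port, vids in ports.items():
        for vid in vids:
            domains[vid].add(port)
    return {vid: sorted(members) for vid, members in domains.items()}


def segments_merged(ports, a, b):
    """True if a and b share a VID, i.e. the bridge forwards between them."""
    return any(a in m and b in m for m in l2_domains(ports).values())
```

Feed it the real output of `bridge vlan` on the host to confirm that the VM ports of different segments share no VID.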