hi,
at home I have set up a KVM virtualization lab. I have a layer 3 switch, a host with 3 nics and centos 6.3.
In the layer 3 switch I have set up a couple of vlans: vlan 1 (default), 5 (quarantine) and 10 (out-of-band-management).
nic0 is configured in the switch as a trunk interface that sees all vlans. nic2 is an access port on vlan 5 and nic1 is not yet in the picture ;-)
eth0 is bridged to br0. It also has the host default gateway. I have also created eth0.5, br0.5, eth0.10 and br0.10 interfaces to add VMs to vlan 5 and 10 and that works: I can successfully create VMs and assign them to br0.5 or br0.10, they get IPs from a DHCP server in the correct network and their traffic is correctly routed in the switch (inter vlan routing works). I can access the VMs from my workstation on vlan 1.
Now I configure eth2 with an ip address in the range of vlan 5 (in the switch it is an access port in vlan 5). This is the ifcfg-eth2 file:
DEVICE="eth2"
HWADDR="00:15:17:51:B8:AB"
IPV6INIT="no"
BOOTPROTO=none
MTU="1500"
NM_CONTROLLED="no"
ONBOOT="yes"
IPADDR=192.168.5.10
NETMASK=255.255.255.0
# GATEWAY=192.168.5.254
The GATEWAY parameter is now commented out, but it does not matter.
The interface on the virtualization host comes up all right. But I cannot access it from my workstation on vlan 1 when I address it on vlan 5.
From the virtualization host I can reach the switch vlan 5 interface, which is its gateway. From the switch I can also ping the interface eth2.
The routing table on the virt host:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eth2
169.254.0.0     0.0.0.0         255.255.0.0     U     1016   0        0 br0
169.254.0.0     0.0.0.0         255.255.0.0     U     1018   0        0 br_v10
169.254.0.0     0.0.0.0         255.255.0.0     U     1020   0        0 br_v5
0.0.0.0         192.168.0.254   0.0.0.0         UG    0      0        0 br0
Do you have any tips on how to reach vlan 5 on the virt host from vlan 1?
--
Regards,
natxo
On 02/08/2013 07:39 AM, Natxo Asenjo wrote:
> Do you have any tips on how to reach vlan 5 on the virt host from vlan 1?
Not without the configuration from your switch.
The most likely problem is this: Your workstation is sending traffic to 192.168.5.10. The switch sends it through VLAN 5 to eth2 on your virtualization host. The host replies to that traffic using the correct address, but through interface eth0, since that is the only interface with a route to the workstation. Those packets would go to the default gateway. Either your switch or your default gateway may be doing ingress filtering, or reverse path filtering, or stateful firewalling. Any of those would block the reply traffic, and at least one of them is very likely in place by default on either an L3 switch or a router.
What you're attempting to do is called multi-homing, and it's fairly complicated to do on Linux. You need to have multiple default routes, and you need the kernel to select the default route based on the addresses of the packets that it sends. That involves making multiple routing tables, tagging packets pre-routing, and using ip rules to select the appropriate routing table. Shorewall will simplify this if you use it to build your firewall rules.
On Sun, Feb 10, 2013 at 11:51 PM, Gordon Messmer yinyang@eburg.com wrote:
> On 02/08/2013 07:39 AM, Natxo Asenjo wrote:
>> Do you have any tips on how to reach vlan 5 on the virt host from vlan 1?
>
> Not without the configuration from your switch.
>
> The most likely problem is this: Your workstation is sending traffic to 192.168.5.10. The switch sends it through VLAN 5 to eth2 on your virtualization host. The host replies to that traffic using the correct address, but through interface eth0, since that is the only interface with a route to the workstation. Those packets would go to the default gateway. Either your switch or your default gateway may be doing ingress filtering, or reverse path filtering, or stateful firewalling. Any of those would block the reply traffic, and at least one of them is very likely in place by default on either an L3 switch or a router.
>
> What you're attempting to do is called multi-homing, and it's fairly complicated to do on Linux. You need to have multiple default routes, and you need the kernel to select the default route based on the addresses of the packets that it sends. That involves making multiple routing tables, tagging packets pre-routing, and using ip rules to select the appropriate routing table. Shorewall will simplify this if you use it to build your firewall rules.
thanks for the tips. Indeed, multi-homing needs 'advanced routing' (yeah right), so I needed to add vlan info to the rt_tables file and then create rules-eth2 and route-eth2 files.
Now I can reach both nics from my workstation (finally ;-) ).
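As an added illustration that is not part of the thread: a small Python model of the routing decision Gordon describes (reply from 192.168.5.10 leaving via br0) and of the second-table-plus-rule fix Natxo applied, with a strict reverse-path check on eth2 to show why the incoming packets were dropped before the fix. Assumptions: the workstation is 192.168.0.50, the VLAN 5 gateway is 192.168.5.254 (the commented-out GATEWAY line), the extra table is named vlan5 with id 5, and the route-eth2/rule-eth2 contents shown in the comments are what such files would contain.

```python
import ipaddress

# Routes from the poster's 'route -n' (link-local 169.254 rows omitted):
# (prefix, gateway or None for on-link, device)
MAIN = [
    ("192.168.5.0/24", None, "eth2"),
    ("192.168.0.0/24", None, "br0"),
    ("0.0.0.0/0", "192.168.0.254", "br0"),
]
# Assumed route-eth2 contents, with "table vlan5" on each line; 5 = vlan5 in rt_tables.
VLAN5 = [
    ("192.168.5.0/24", None, "eth2"),
    ("0.0.0.0/0", "192.168.5.254", "eth2"),
]
# Assumed rule-eth2 contents: "from 192.168.5.10 table vlan5" (priority chosen here).
FIXED = [(100, "192.168.5.10/32", VLAN5)]
NO_RULES = []

def lookup(table, dst):
    """Longest-prefix match in one table; returns (gateway, device) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gw, dev)
    return best[1:] if best else None

def route(src, dst, rules):
    """Policy routing: rules by priority ('from' selector), then the main table."""
    for _prio, from_prefix, table in sorted(rules, key=lambda r: r[0]):
        if ipaddress.ip_address(src) in ipaddress.ip_network(from_prefix):
            hit = lookup(table, dst)
            if hit:
                return hit
    return lookup(MAIN, dst)  # implicit 'from all lookup main' rule

def rp_filter_accepts(in_dev, src, dst, rules):
    """Strict reverse-path check: keep a packet only if a reply to its source,
    sent from our address, would leave through the interface it arrived on."""
    return route(dst, src, rules)[1] == in_dev

if __name__ == "__main__":
    ws, host_eth2 = "192.168.0.50", "192.168.5.10"   # constructed addresses
    for label, rules in (("before", NO_RULES), ("after", FIXED)):
        print(label, "reply to workstation leaves via", route(host_eth2, ws, rules))
        print(label, "rp_filter on eth2 accepts workstation:",
              rp_filter_accepts("eth2", ws, host_eth2, rules))
```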