On 21.03.2016 16:57, Gordon Messmer wrote:
> On 03/20/2016 08:51 PM, Devin Reade wrote:
>> In a CentOS 7 test HA cluster I'm building I want both traditional
>> services running on the cluster and VMs running on both nodes
>
> On a purely subjective note: I think that's a bad design. One of the
> primary benefits of virtualization and other containers is isolating the
> applications you run from the base OS. Putting services other than
> virtualization into the system that runs virtualization just makes
> upgrade more difficult later.
>
>> A given VM will be assigned a single network interface, either in
>> the DMZ, on vlan2, or on vlan3. Default routes for each of those
>> networks are essentially different gateways.
>
> What do you mean by "essentially"?
>
>> On the DMZ side, the physical interface is eno1 on which is layered
>> bridge br0.
> ...
>> On the other network side, the physical interface is enp1s0, on
>> which is layered bridge br2, on which is layered VLAN devices
>> enp1s0.2 and enp1s0.3.
>
> That doesn't make any sense at all. In what way are enp1s0.2 and
> enp1s0.3 layered on top of the bridge device?
>
> Look at the output of "brctl show". Are those two devices slaves of
> br2, like enp1s0 is? If so, you're bridging the network segments.
>
> You should have individual bridges for enp1s0, enp1s0.2 and enp1s0.3.
> If there were any IP addresses needed by the KVM hosts, those would be
> on the bridge devices, just like on br0.
>

As a side note, it is actually possible now to have one bridge manage
multiple independent vlans. Unfortunately this is basically undocumented
(at least I can't find any decent documentation about this). One user of
this is Cumulus Linux:

https://support.cumulusnetworks.com/hc/en-us/articles/204909397-Comparing-Traditional-Bridge-Mode-to-VLAN-aware-Bridge-Mode

Apparently you can manage this with the "bridge" command.

Here is what I get on my Fedora 22 system:

0 dennis at nexus ~ $ bridge fdb
01:00:5e:00:00:01 dev enp4s0 self permanent
33:33:00:00:00:01 dev enp4s0 self permanent
33:33:ff:ef:69:e6 dev enp4s0 self permanent
01:00:5e:00:00:fb dev enp4s0 self permanent
01:00:5e:00:00:01 dev virbr0 self permanent
01:00:5e:00:00:fb dev virbr0 self permanent
52:54:00:d3:ca:6b dev virbr0-nic master virbr0 permanent
52:54:00:d3:ca:6b dev virbr0-nic vlan 1 master virbr0 permanent
01:00:5e:00:00:01 dev virbr1 self permanent
52:54:00:a6:af:5d dev virbr1-nic vlan 1 master virbr1 permanent
52:54:00:a6:af:5d dev virbr1-nic master virbr1 permanent
0 dennis at nexus ~ $ bridge vlan
port    vlan ids
virbr0   1 PVID Egress Untagged
virbr0-nic       1 PVID Egress Untagged
virbr1   1 PVID Egress Untagged
virbr1-nic       1 PVID Egress Untagged

I'm not sure if the CentOS 7 kernel is recent enough to support this but
I thought I'd mention this anyway to make people aware that the "one
bridge per vlan" model is no longer the only one in existence.

Regards,
Dennis
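The point Gordon raises (a trunk port and its VLAN sub-interfaces enslaved to one bridge merge the segments) is exactly what a VLAN-aware bridge has to avoid by pinning every VM port to a single VLAN and removing the default VID 1. The script below is an added example, not part of the thread and not Dennis's or the Cumulus documentation's code. It assumes the bridge name br2 and uplink enp1s0 from Devin's description, hypothetical VM tap ports vnet0 and vnet1, VLAN ids 2 and 3, and that "bridge vlan show" prints further VIDs of the same port on indented continuation lines, as iproute2 does. The first function only prints the iproute2 commands (run them as root); the second audits a captured "bridge vlan show" listing and fails if a VM port carries anything other than exactly one VLAN.

```shell
#!/bin/sh
# Added example, not from the original thread.  Interface names br2 and
# enp1s0 come from the thread; vnet0, vnet1 and the sample listing below
# are constructed for illustration.  Nothing runs unless a function is called.

# Print (do not execute) the commands that build one VLAN-aware bridge:
# the uplink carries VLANs 2 and 3 tagged, each VM port gets exactly one
# VLAN as untagged PVID, and the kernel default VID 1 is removed everywhere.
vlan_aware_bridge_commands() {
    cat <<'EOF'
ip link add name br2 type bridge
echo 1 > /sys/class/net/br2/bridge/vlan_filtering
ip link set dev enp1s0 master br2
ip link set dev vnet0 master br2
ip link set dev vnet1 master br2
# uplink: tagged trunk for 2 and 3, no default VLAN 1
bridge vlan del dev enp1s0 vid 1
bridge vlan add dev enp1s0 vid 2
bridge vlan add dev enp1s0 vid 3
# VM ports: one VLAN each, untagged toward the guest, default VLAN 1 removed
bridge vlan del dev vnet0 vid 1
bridge vlan add dev vnet0 vid 2 pvid untagged
bridge vlan del dev vnet1 vid 1
bridge vlan add dev vnet1 vid 3 pvid untagged
ip link set dev br2 up
EOF
}

# Constructed "bridge vlan show" listing: vnet1 still carries the default
# VID 1 next to VID 3, which would put it in two segments at once.
sample_vlan_output() {
    cat <<'EOF'
port    vlan ids
br2      1 PVID Egress Untagged
enp1s0   2
         3
vnet0    2 PVID Egress Untagged
vnet1    1 PVID Egress Untagged
         3
EOF
}

# Audit a "bridge vlan show" listing read from stdin.  $1 is a space
# separated list of VM ports that must each carry exactly one VLAN.
# Prints "port: vids" for every violation; exit status 1 if any were found.
audit_vm_ports() {
    awk -v ports="$1" '
        BEGIN { n = split(ports, want, " "); for (i = 1; i <= n; i++) keep[want[i]] = 1 }
        NR == 1 && $1 == "port" { next }                  # header line
        {
            i = 1
            if ($0 !~ /^[ \t]/) { port = $1; i = 2 }      # new port, vid is field 2
            if ($i ~ /^[0-9]+$/) vids[port] = vids[port] " " $i
        }
        END {
            bad = 0
            for (p in keep) {
                if (!(p in vids)) { print p ": not on bridge"; bad = 1; continue }
                if (split(vids[p], v, " ") != 1) { print p ":" vids[p]; bad = 1 }
            }
            exit bad
        }'
}

# Usage on a live host:  bridge vlan show | audit_vm_ports "vnet0 vnet1"
# Usage on the sample:   sample_vlan_output | audit_vm_ports "vnet0 vnet1"
```

On a real host the audit is run against "bridge vlan show" directly; the sample listing is there only so the check can be exercised offline. The deletion of VID 1 is the step most often forgotten: a port enslaved to a filtering bridge lands in VLAN 1 by default, so two VM ports that were meant to be isolated share a segment until that VID is removed.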