[CentOS] hosted VMs, VLANs, and firewalld

Dennis Jacobfeuerborn dennisml at conversis.de
Mon Mar 21 16:41:00 UTC 2016


On 21.03.2016 16:57, Gordon Messmer wrote:
> On 03/20/2016 08:51 PM, Devin Reade wrote:
>> In a CentOS 7 test HA cluster I'm building I want both traditional
>> services running on the cluster and VMs running on both nodes
> 
> On a purely subjective note: I think that's a bad design.  One of the
> primary benefits of virtualization and other containers is isolating the
> applications you run from the base OS.  Putting services other than
> virtualization into the system that runs virtualization just makes
> upgrade more difficult later.
> 
>> A given VM will be assigned a single network interface, either in
>> the DMZ, on vlan2, or on vlan3.  Default routes for each of those
>> networks are essentially different gateways.
> 
> What do you mean by "essentially"?
> 
>>   On the DMZ side, the physical interface is eno1 on which is layered
>>   bridge br0.
> ...
>>   On the other network side, the physical interface is enp1s0, on
>>   which is layered bridge br2, on which is layered VLAN devices
>>   enp1s0.2 and enp1s0.3.
> 
> That doesn't make any sense at all.  In what way are enp1s0.2 and
> enp1s0.3 layered on top of the bridge device?
> 
> Look at the output of "brctl show".  Are those two devices slaves of
> br2, like enp1s0 is?  If so, you're bridging the network segments.
> 
> You should have individual bridges for enp1s0, enp1s0.2 and enp1s0.3. 
> If there were any IP addresses needed by the KVM hosts, those would be
> on the bridge devices, just like on br0.
> 

As a side note it is actually possible now to have one bridge to manage
multiple independent vlans. Unfortunately this is basically undocumented
(at least I can't find any decent documentation about this).
One user of this is Cumulus Linux:
https://support.cumulusnetworks.com/hc/en-us/articles/204909397-Comparing-Traditional-Bridge-Mode-to-VLAN-aware-Bridge-Mode

Apparently you can manage this with the "bridge" command. Here is what I
get on my Fedora 22 system:

0 dennis at nexus ~ $ bridge fdb
01:00:5e:00:00:01 dev enp4s0 self permanent
33:33:00:00:00:01 dev enp4s0 self permanent
33:33:ff:ef:69:e6 dev enp4s0 self permanent
01:00:5e:00:00:fb dev enp4s0 self permanent
01:00:5e:00:00:01 dev virbr0 self permanent
01:00:5e:00:00:fb dev virbr0 self permanent
52:54:00:d3:ca:6b dev virbr0-nic master virbr0 permanent
52:54:00:d3:ca:6b dev virbr0-nic vlan 1 master virbr0 permanent
01:00:5e:00:00:01 dev virbr1 self permanent
52:54:00:a6:af:5d dev virbr1-nic vlan 1 master virbr1 permanent
52:54:00:a6:af:5d dev virbr1-nic master virbr1 permanent
0 dennis at nexus ~ $ bridge vlan
port	vlan ids
virbr0	 1 PVID Egress Untagged

virbr0-nic	 1 PVID Egress Untagged

virbr1	 1 PVID Egress Untagged

virbr1-nic	 1 PVID Egress Untagged

I'm not sure if the CentOS 7 kernel is recent enough to support this but
I thought I'd mention this anyway to make people aware that the "one
bridge per vlan" model is no longer the only one in existence.

Regards,
  Dennis
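Building the single VLAN-aware bridge Dennis describes, as an added example that is not from the thread or from Cumulus: a POSIX shell script that emits the iproute2 commands for one bridge with a tagged uplink and untagged access ports for VMs, and audits "bridge vlan" output for ports left on the default VLAN. The names br2, enp1s0, vnet0 and vnet1 are assumptions, as is a kernel with bridge VLAN filtering, which the thread does not confirm for CentOS 7.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: br2 (bridge),
# enp1s0 (uplink trunk), vnet0/vnet1 (VM tap ports); assumes a kernel with
# bridge VLAN filtering and the iproute2 "bridge" tool.

# Print the iproute2 commands for one VLAN-aware bridge.
#   vlan_bridge_plan BRIDGE UPLINK "TRUNK_VIDS" PORT:VID [PORT:VID ...]
# Review the output, then pipe it into "sh" as root to apply it; printing
# keeps the plan auditable and lets the function run unprivileged.
vlan_bridge_plan() {
    br=$1; uplink=$2; trunk_vids=$3; shift 3
    echo "ip link add name $br type bridge vlan_filtering 1"
    echo "ip link set $br up"
    # Ports join a VLAN-aware bridge as "1 PVID Egress Untagged" (see the
    # "bridge vlan" output above), so remove VLAN 1 everywhere: a port added
    # without explicit VLAN config would otherwise share VLAN 1 with all others.
    echo "bridge vlan del dev $br vid 1 self"
    echo "ip link set $uplink master $br"
    echo "bridge vlan del dev $uplink vid 1"
    for vid in $trunk_vids; do
        echo "bridge vlan add dev $uplink vid $vid"   # tagged on the trunk
    done
    for spec in "$@"; do
        port=${spec%%:*}; vid=${spec#*:}
        echo "ip link set $port master $br"
        echo "bridge vlan del dev $port vid 1"
        # Access port: the VM sends untagged frames, the bridge tags them.
        echo "bridge vlan add dev $port vid $vid pvid untagged"
    done
}

# Audit "bridge vlan" output read from stdin: print every port whose PVID
# is still 1, i.e. a port that would leak into the shared default VLAN.
audit_default_vlan() {
    awk 'NR > 1 && NF > 0 {
             if ($0 !~ /^[[:space:]]/) port = $1
             if ($0 ~ /(^|[[:space:]])1 PVID/) print port
         }'
}

# Constructed sample of "bridge vlan" output: vnet1 was never moved off VLAN 1.
SAMPLE_BRIDGE_VLAN=$(printf 'port\tvlan ids\nenp1s0\t 2\n\t 3\nvnet0\t 2 PVID Egress Untagged\nvnet1\t 1 PVID Egress Untagged\n')

vlan_bridge_plan br2 enp1s0 "2 3" vnet0:2 vnet1:3
printf '%s\n' "$SAMPLE_BRIDGE_VLAN" | audit_default_vlan   # prints: vnet1
```

With the host's own addresses kept off the bridge (no "self" VLAN membership), the host does not sit in any of the VM VLANs; if the KVM host needs an IP in one of them, add that VLAN to the bridge device with "self" and put the address on a VLAN sub-interface of br2.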