[pve-devel] [PATCH docs] add VLAN explanation.

Alexandre DERUMIER aderumier at odiso.com
Thu Nov 16 17:38:47 CET 2017


Hi,

About

> +
> +auto bond0.5
> +iface bond0.5 inet static
> +        address  10.10.10.2
> +        netmask  255.255.255.0
> +        gateway  10.10.10.1


If a user tries to use vlan5 for his VM,

we'll create a vmbrXv5 and enslave bond0.5.

But this breaks the network, because the IP configuration can't be on bond0.5 anymore, but must be on vmbr0v5.

I don't know if we should add some security in the code to avoid reusing vlan5 for VMs, or explain in the doc that it should be like:


auto bond0.5
iface bond0.5 inet manual


auto vmbr0v5
iface vmbr0v5 inet static
        address  10.10.10.2
        netmask  255.255.255.0
        gateway  10.10.10.1
        bridge_ports bond0.5



----- Original Message -----
From: "Thomas Lamprecht" <t.lamprecht at proxmox.com>
To: "pve-devel" <pve-devel at pve.proxmox.com>, "Wolfgang Link" <w.link at proxmox.com>
Sent: Thursday, November 16, 2017 14:37:16
Subject: Re: [pve-devel] [PATCH docs] add VLAN explanation.

Thanks for this, seems like a good start! 
Writing down some typos or thoughts I had when reading it, 
feel free to adopt (or reject, if you think they do not make sense) them. 

(oh and as said off list, please try to stay below 80 characters per line - where possible) 

On 11/15/2017 02:55 PM, Wolfgang Link wrote: 
> --- 
> pve-network.adoc | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
> 1 file changed, 88 insertions(+) 
> 
> diff --git a/pve-network.adoc b/pve-network.adoc 
> index d221c32..c5d5b40 100644 
> --- a/pve-network.adoc 
> +++ b/pve-network.adoc 
> @@ -344,6 +344,94 @@ iface vmbr0 inet static 
> 
> ---- 
> 
> +VLAN 802.1Q 
> +~~~~~~~~~~~ 
> + 
> +A virtual LAN (VLAN) is any broadcast domain that is partitioned and isolated in network at layer 2. 
> +So it is possible to have multiple networks (4096) in a pysical network. 

s/pysical/physical/ 

maybe also add: 
... network, each independent of the other ones. 

> +VLANs uses tags on network package to identify the affinity to the virtual network in the network. 

Each VLAN network is identified by a number often called `tag`. 
Network packages are then `tagged` to identify which virtual network they belong to. 

> + 
> +One or more VLANs can be used on any network device (Nic, Bond, Bridge). 
> +There are several ways to configure VLANs. 
> +Here only those based on linux network (not OpenvSwitch) recommended by us, 
> +which we have selected according to the following points. 

Hmm not sure what you want to say, maybe: 

VLANs can be configured in several ways. Here, only the most common ones get described. 
We assume a network infrastructure based on Linux Kernel Networking (as opposed to, e.g., Open vSwitch). 

> +Simple configuration and clarity. 
> +Of course, there are scenarios that are not possible with this configuration 
> +but it will work for most standard setups. 
> + 

> +There are two basic usage scenarios in which you can find VLANs. 
> + 

Two of the most common and popular usage scenarios are: 

> +1.) VLAN on the host, to bring the host communication to a isolated network. 

s/bring/allow/ 
s/to a isolated/with an isolated/ 

> +As already mentioned, it is possible to apply the VLAN to all network devices. 
> +In general, you should configure the VLAN as close as possible to the physical NIC. 

maybe (not sure): 
"... the VLAN on the interface with the least abstraction layers between itself and the physical NIC." 

> +For example, in a default configuration in which you want to place the host management address on a separate VLAN, consider the VLAN on the physical NIC, not the bridge (vmbr0). 

s/in which/where/ 
s/consider/configure/ 

> + 
> +.Example: Use VLAN 5 as managment IP 

s/as managment/for the {pve} management/ 

> +---- 
> +auto lo 
> +iface lo inet loopback 
> + 
> +iface eno1 inet manual 
> + 
> +auto eno1.5 
> +iface eno1.5 inet static 
> + address 10.10.10.2 
> + netmask 255.255.255.0 
> + gateway 10.10.10.1 
> + 
> +auto vmbr0 
> +iface vmbr0 inet static 
> + bridge_ports eno1 
> + bridge_stp off 
> + bridge_fd 0 
> + 
> +---- 
> + 
> +If you want to make this network fail-safe (bonding), 
> +does the VLAN have to be created on the bond? 
> + 

A not directly answered question seems a bit weird here, IMO. 

> +.Example: Use VLAN 5 as managment IP on bond0 
> +---- 
> +auto lo 
> +iface lo inet loopback 
> + 
> +iface eno1 inet manual 
> + 
> +iface eno2 inet manual 
> + 
> +auto bond0 
> +iface bond0 inet manual 
> + slaves eno1 eno2 
> + bond_miimon 100 
> + bond_mode 802.3ad 
> + bond_xmit_hash_policy layer2+3 
> + 
> +auto bond0.5 
> +iface bond0.5 inet static 
> + address 10.10.10.2 
> + netmask 255.255.255.0 
> + gateway 10.10.10.1 
> + 
> +auto vmbr0 
> +iface vmbr0 inet static 
> + bridge_ports bond0 
> + bridge_stp off 
> + bridge_fd 0 
> + 
> +---- 
> + 
> +2.) VLAN for the guests. 

s/the guests/guest networks/ 

> +Proxmox supports 3 different ways of using VLAN in guests. 

s/3/three/ (obvious personal nit: non technical number 'til twelve 
should get written out if space is not scarce) 
Also a colon instead of the full stop at the end 

> + 
> +* *VLAN with VLAN awareness on the Linux Bridge:* In this case, each guest's virtual network card is assigned a VLAN tag, which is transparently supported by the Linux Bridge. 

s/VLAN with// (repeated and not necessary here IMO, the reader knows 
that we're currently listing the three possible ways for guest VLANs) 

> +This requires a guest who wants to use multiple VLANs to have multiple virtual NICs. 

Last sentence seems a bit weird. Did you mean something like: 
This is useful for guests who want to use multiple VLANs without adding multiple virtual NICs for each VLAN. 

> +This method is the procedure recommended by Proxmox. 
> + 
> +* *VLAN with "traditional" VLAN on the Linux bridge:* In contrast to the VLAN awareness method, this method is not transparent and creates a VLAN device with associated bridge for each VLAN. That is, if e.g. in our default network, a guest VLAN 5 is used to create ens1.5 and vmbr0v5, which remains until rebooting. 

"*VLAN on the host Linux bridge:* In contrast to the VLAN aware" (note the missing -ness in aware) 

s/with associated bridge for each VLAN/, associated with the respective bridge, for each single VLAN/ 
s/That is, if e.g. in our default/For example, with {pve}s default network/ 
s/is used to create/creates/ 

> + 
> +* *VLAN in guest:* There, the VLANs are assigned in the guest. 
> +In this case, the setup is in the guest and can not be influenced from the outside. 
> + 

For this case to work the bridge where the VMs' tap devices are connected to must 
be VLAN aware, else tags do not get passed through - or do I not remember 
correctly? 

Independent of this, I do not see what the user should or should not do to 
enable this mode. If a user doesn't need to do anything that's also worth 
a small note, to avoid confusion. 

> //// 
> TODO: explain IPv6 support? 
> TODO: explain OVS 
> 
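
Review bot: both example blocks declare the bridge as "iface vmbr0 inet static"
but give it no address line; the static method in ifupdown requires one, so the
vmbr0 stanza should read "iface vmbr0 inet manual" in the eno1.5 example and in
the bond0.5 example, where the host IP sits on the VLAN interface instead. In
the introduction, "(4096)" counts every value of the 12-bit VLAN ID; 0 and 4095
are reserved in 802.1Q, so 4094 tags are usable.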


_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
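
The conflict described at the top of this mail (a host IP on bond0.5 while a guest uses VLAN 5 on the same bridge) can be checked for before a guest is started. The following is an added example, not part of the mail or of the Proxmox code base: it parses an interfaces file and reports VLAN devices that carry an address and would be enslaved to a per-VLAN bridge (vmbrXvN, as named in the mail). The function names, the sample input and the skip for bridges marked bridge_vlan_aware are assumptions of this example.

```python
# Constructed sample: the bond0.5 and vmbr0 stanzas from the patch's bond example.
SAMPLE = """\
auto bond0.5
iface bond0.5 inet static
        address  10.10.10.2
        netmask  255.255.255.0
        gateway  10.10.10.1

auto vmbr0
iface vmbr0 inet static
        bridge_ports bond0
        bridge_stp off
        bridge_fd 0
"""

def parse_ifaces(text):
    """Map each iface name to {"method": ..., "options": {...}}."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "iface" and len(words) >= 4:
            current = ifaces.setdefault(words[1], {"method": words[3], "options": {}})
        elif words[0] in ("auto", "source", "mapping") or words[0].startswith("allow-"):
            current = None  # a new top-level stanza ends the iface block
        elif current is not None:
            # ifupdown accepts bridge-ports and bridge_ports alike
            current["options"][words[0].replace("-", "_")] = " ".join(words[1:])
    return ifaces

def vlan_conflicts(text, guest_tags):
    """Return (vlan_dev, bridge, per_vlan_bridge) for every host-addressed
    VLAN device that would be enslaved when a guest uses the same tag."""
    ifaces = parse_ifaces(text)
    hits = []
    for bridge, cfg in ifaces.items():
        opts = cfg["options"]
        if opts.get("bridge_vlan_aware") == "yes":
            continue  # assumption: VLAN-aware bridges get no per-VLAN bridge
        for port in opts.get("bridge_ports", "").split():
            for tag in guest_tags:
                vdev = f"{port}.{tag}"
                if "address" in ifaces.get(vdev, {}).get("options", {}):
                    hits.append((vdev, bridge, f"{bridge}v{tag}"))
    return hits
```

Calling `vlan_conflicts(SAMPLE, [5])` flags bond0.5; the layout proposed in the mail (bond0.5 as `inet manual`, address on vmbr0v5) produces no finding.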