On Tue, Feb 2, 2021 at 2:00 PM David Johnson <djohn...@maxistechnology.com> wrote:
> Ah ... so if I connected one of the other ethernet ports to the tagged > traffic (second physical network for tagged traffic), it should work as I > expect? > Yes, if there are no untagged networks attached > Regards, > David Johnson > Director of Development, Maxis Technology > 844.696.2947 ext 702 (o) | 479.531.3590 (c) > djohn...@maxistechnology.com > > > [image: Maxis Techncology] <http://www.maxistechnology.com> > www.maxistechnology.com > > > *stay connected <http://www.linkedin.com/in/pojoguy>* > > > On Tue, Feb 2, 2021 at 12:56 PM Dan Yasny <dya...@gmail.com> wrote: > >> You're trying to mix tagged and untagged traffic. That, iirc, isn't >> supported for security reasons (the untagged network can see all the tagged >> traffic). You can put multiple tagged networks on the same NIC though. >> >> Please check with the ovirt folks though, it's been a while since I last >> checked the state of things >> >> On Tue, Feb 2, 2021 at 1:51 PM David Johnson < >> djohn...@maxistechnology.com> wrote: >> >>> I have a physical network ovirtmgmt, and a logical network 10-non-prod >>> with the vlan tag of 10 and the network label of 10. >>> >>> The physical and vlan have both been dragged to the enp0 NIC on the host. >>> >>> What I understand from this is that the bridge has been there all along, >>> but, since I can't ping the host no traffic is crossing it. >>> >>> Host IP's : *192.168.2.18/24 <http://192.168.2.18/24> * and >>> *10.210.100.18/24 >>> <http://10.210.100.18/24>* >>> VLAN IP on host: *10.210.10.18/24 <http://10.210.10.28/24>* >>> >>> >>> Regards, >>> >>> David Johnson >>> >>> On Tue, Feb 2, 2021 at 12:44 PM Dan Yasny <dya...@gmail.com> wrote: >>> >>>> >>>> >>>> On Tue, Feb 2, 2021 at 1:38 PM David Johnson < >>>> djohn...@maxistechnology.com> wrote: >>>> >>>>> Thanks, this is a step closer, but the details are still very sketchy. >>>>> >>>>> Following the instructions at >>>>> https://www.ovirt.org/documentation/administration_guide/#appe-Custom_Network_Properties >>>>> : >>>>> >>>>> If I understand the instructions correctly: >>>>> >>>>> 1. Open the host in the Ovirt UI >>>>> 2. Go to the Network tab >>>>> 3. Select the NIC I want to bridge to >>>>> 4. Click "Setup Host Networks" >>>>> 5. Click the pencil icon on the (host? VLAN?) network >>>>> 6. Choose the Custom Properties tab >>>>> 7. In the Custom Properties (Please Select a key), choose >>>>> "bridge_opts" >>>>> 8. ???? At this point, there is no way to add the keys it looks >>>>> like it needs ??? Total loss ??? >>>>> >>>>> >>>> You need to create a logical network first. Do you have any of those? >>>> Logical networks are where you may add VLAN tags. >>>> >>>> In the hosts' network setup window you simply drag the logical network >>>> to the NIC or bond and save. The VLAN tag and bridge will be created >>>> accordingly on the host >>>> >>>> >>>>> >>>>> Regards, >>>>> David Johnson >>>>> Director of Development, Maxis Technology >>>>> 844.696.2947 ext 702 (o) | 479.531.3590 (c) >>>>> djohn...@maxistechnology.com >>>>> >>>>> >>>>> [image: Maxis Techncology] <http://www.maxistechnology.com> >>>>> www.maxistechnology.com >>>>> >>>>> >>>>> *stay connected <http://www.linkedin.com/in/pojoguy>* >>>>> >>>>> >>>>> On Tue, Feb 2, 2021 at 9:24 AM Dan Yasny <dya...@gmail.com> wrote: >>>>> >>>>>> >>>>>> >>>>>> On Tue, Feb 2, 2021 at 10:20 AM David Johnson < >>>>>> djohn...@maxistechnology.com> wrote: >>>>>> >>>>>>> This is great ... I am missing the bridge (at least). >>>>>>> >>>>>>> Does the bridge reside on the host or the VM? Is it created in the >>>>>>> Ovirt UI, or in the VM operating system? >>>>>>> >>>>>> >>>>>> On the host. Logical networks in oVirt are a virtual construct, >>>>>> translating to a "profile" that gets built on the hosts in the cluster. >>>>>> Essentially, each logical network is a bridge with the same name on the >>>>>> hosts, and if there's a vlan tag, then the interface (or bond) gets >>>>>> tagged, >>>>>> and the bridge is built on top of that tagged interface. VMs are plugged >>>>>> into the bridges and their traffic flows through the bridges to the >>>>>> switches. Very simple really, and there was a KB we published about this >>>>>> about a decade ago. >>>>>> >>>>>> >>>>>>> >>>>>>> Thanks! >>>>>>> >>>>>>> David Johnson >>>>>>> >>>>>>> On Tue, Feb 2, 2021 at 9:16 AM Dan Yasny <dya...@gmail.com> wrote: >>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Tue, Feb 2, 2021 at 10:06 AM David Johnson < >>>>>>>> djohn...@maxistechnology.com> wrote: >>>>>>>> >>>>>>>>> Good morning Ales, >>>>>>>>> >>>>>>>>> Thank you for your response. >>>>>>>>> >>>>>>>>> At this point, while I believe I have marked the networks as >>>>>>>>> required, I am hesitant to assume that they are marked because I don't >>>>>>>>> understand for sure which pieces I don't understand. >>>>>>>>> >>>>>>>>> Unfortunately, what I am missing is a number of random bits and >>>>>>>>> pieces that tie everything together. >>>>>>>>> >>>>>>>>> I have fought with the networking on this cluster for over a week. >>>>>>>>> The network configuration was so messed up it was faster and cleaner >>>>>>>>> to >>>>>>>>> wipe the cluster completely and start from scratch, and I just >>>>>>>>> finished a >>>>>>>>> clean reinstallation. >>>>>>>>> >>>>>>>>> Now that it's back up and I understand it better, the VM's on >>>>>>>>> VLAN's are still unable to reach beyond themselves - they cannot even >>>>>>>>> ping >>>>>>>>> the host they are on. >>>>>>>>> >>>>>>>>> Rather than try to address it symptom by symptom, I would like to >>>>>>>>> get a solid overview of how the different pieces tie together. >>>>>>>>> Unfortunately, in the official documentation, all I found was which >>>>>>>>> buttons >>>>>>>>> to push to edit the vlan, with nothing that addresses how the >>>>>>>>> different >>>>>>>>> pieces are wired together. >>>>>>>>> >>>>>>>>> My understanding of the architecture is: >>>>>>>>> >>>>>>>>> VM -> vNIC -> virtual switch -> physical NIC -> external network >>>>>>>>> -> gateway -> internet >>>>>>>>> >>>>>>>> >>>>>>>> When you create a tagged network, the scheme changes a bit: >>>>>>>> VM -> vNIC -> BRIDGE -> NIC.tag -> NIC -> switch >>>>>>>> >>>>>>>> All the VM traffic will get tagged this way, and the switch port >>>>>>>> should be in trunk mode allowing tagged traffic through. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>> >>>>>>>>> What I don't understand is how to determine at which point in the >>>>>>>>> architecture the configuration is wrong, when the only symptom I have >>>>>>>>> for >>>>>>>>> sure right now is that my VM's on a VLAN won't ping the host or >>>>>>>>> anything on >>>>>>>>> the external network. >>>>>>>>> >>>>>>>>> At one point everything was working as expected, briefly, before >>>>>>>>> the whole thing came crashing down, so the external network is at >>>>>>>>> least >>>>>>>>> mostly configured. >>>>>>>>> >>>>>>>>> On Tue, Feb 2, 2021, 12:20 AM Ales Musil <amu...@redhat.com> >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Tue, Feb 2, 2021 at 6:18 AM David Johnson < >>>>>>>>>> djohn...@maxistechnology.com> wrote: >>>>>>>>>> >>>>>>>>>>> Good morning all, >>>>>>>>>>> >>>>>>>>>>> On my ovirt 4.4.4 cluster, I am trying to use VLan's to separate >>>>>>>>>>> VM's for security purposes. >>>>>>>>>>> >>>>>>>>>>> Is there a usable how-to document that describes how to >>>>>>>>>>> configure the vlan's so they actually function without taking the >>>>>>>>>>> host into >>>>>>>>>>> non-operational mode? >>>>>>>>>>> >>>>>>>>>>> Thank you in advance. >>>>>>>>>>> >>>>>>>>>>> Regards, >>>>>>>>>>> David Johnson >>>>>>>>>>> >>>>>>>>>>> _______________________________________________ >>>>>>>>>>> Users mailing list -- users@ovirt.org >>>>>>>>>>> To unsubscribe send an email to users-le...@ovirt.org >>>>>>>>>>> Privacy Statement: https://www.ovirt.org/privacy-policy.html >>>>>>>>>>> oVirt Code of Conduct: >>>>>>>>>>> https://www.ovirt.org/community/about/community-guidelines/ >>>>>>>>>>> List Archives: >>>>>>>>>>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/IYPORJKHTSVTYTTRGWIW3V2MF5CFZ6DC/ >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Hello, >>>>>>>>>> >>>>>>>>>> I assume that you have marked those networks as required. This is >>>>>>>>>> handy to make sure that all hosts in a cluster have this network >>>>>>>>>> attached. >>>>>>>>>> Which implies that the host is considered non operational until >>>>>>>>>> you assign all required networks. >>>>>>>>>> >>>>>>>>>> To avoid this you can uncheck it for a new network in the cluster >>>>>>>>>> tab of the "New Logical Network" window. For existing go to >>>>>>>>>> Compute -> Clusters -> $YOUR_CLUSTER -> Logical Networks -> >>>>>>>>>> Manage Networks and uncheck required for the affected network. >>>>>>>>>> This can be always changed back. >>>>>>>>>> >>>>>>>>>> Hopefully this helps. >>>>>>>>>> Regards, >>>>>>>>>> Ales >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> >>>>>>>>>> Ales Musil >>>>>>>>>> >>>>>>>>>> Software Engineer - RHV Network >>>>>>>>>> >>>>>>>>>> Red Hat EMEA <https://www.redhat.com> >>>>>>>>>> >>>>>>>>>> amu...@redhat.com IM: amusil >>>>>>>>>> <https://red.ht/sig> >>>>>>>>>> >>>>>>>>> _______________________________________________ >>>>>>>>> Users mailing list -- users@ovirt.org >>>>>>>>> To unsubscribe send an email to users-le...@ovirt.org >>>>>>>>> Privacy Statement: https://www.ovirt.org/privacy-policy.html >>>>>>>>> oVirt Code of Conduct: >>>>>>>>> https://www.ovirt.org/community/about/community-guidelines/ >>>>>>>>> List Archives: >>>>>>>>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/47JUY2NVTCQ76LPCVIAHY7ONYSZV3P5B/ >>>>>>>>> >>>>>>>>
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/NMSPIQA6FHUJ6MI4EQYPMMZSJPJ57NJT/
