2 Licensed under the Apache License, Version 2.0 (the "License"); you may
3 not use this file except in compliance with the License. You may obtain
4 a copy of the License at
6 http://www.apache.org/licenses/LICENSE-2.0
8 Unless required by applicable law or agreed to in writing, software
9 distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
10 WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
11 License for the specific language governing permissions and limitations
14 Convention for heading levels in Open vSwitch documentation:
16 ======= Heading 0 (reserved for the title in a document)
22 Avoid deeper levels because they do not render well.
24 ================================
25 Isolating VM Traffic Using VLANs
26 ================================
28 This document describes how to use Open vSwitch is to isolate VM traffic using
37 This guide assumes the environment is configured as described below.
44 Ethernet network for VM data traffic, which will carry VLAN-tagged traffic
45 between VMs. Your physical switch(es) must be capable of forwarding
46 VLAN-tagged traffic and the physical switch ports should operate as VLAN
47 trunks. (Usually this is the default behavior. Configuring your physical
48 switching hardware is beyond the scope of this document.)
52 This network is not strictly required, but it is a simple way to give the
53 physical host an IP address for remote access, since an IP address cannot be
54 assigned directly to eth0 (more on that in a moment).
59 The environment assumes the use of two hosts: `host1` and `host2`. Both hosts
60 are running Open vSwitch. Each host has two NICs, eth0 and eth1, which are
61 configured as follows:
63 - eth0 is connected to the Data Network. No IP address is assigned to eth0.
65 - eth1 is connected to the Management Network (if necessary). eth1 has an IP
66 address that is used to reach the physical host for management.
71 Each host will run two virtual machines (VMs). `vm1` and `vm2` are running on
72 `host1`, while `vm3` and `vm4` are running on `host2`.
74 Each VM has a single interface that appears as a Linux device (e.g., ``tap0``)
78 For Xen/XenServer, VM interfaces appears as Linux devices with names like
79 ``vif1.0``. Other Linux systems may present these interfaces as ``vnet0``,
85 Perform the following configuration on `host1`:
87 #. Create an OVS bridge::
89 $ ovs-vsctl add-br br0
91 #. Add ``eth0`` to the bridge::
93 $ ovs-vsctl add-port br0 eth0
97 By default, all OVS ports are VLAN trunks, so eth0 will pass all VLANs
101 When you add eth0 to the OVS bridge, any IP addresses that might have
102 been assigned to eth0 stop working. IP address assigned to eth0 should be
103 migrated to a different interface before adding eth0 to the OVS bridge.
104 This is the reason for the separate management connection via eth1.
106 #. Add `vm1` as an "access port" on VLAN 100. This means that traffic coming
107 into OVS from VM1 will be untagged and considered part of VLAN 100::
109 $ ovs-vsctl add-port br0 tap0 tag=100
111 Add VM2 on VLAN 200::
113 $ ovs-vsctl add-port br0 tap1 tag=200
115 Repeat these steps on `host2`:
117 #. Setup a bridge with eth0 as a VLAN trunk::
119 $ ovs-vsctl add-br br0
120 $ ovs-vsctl add-port br0 eth0
122 #. Add VM3 to VLAN 100::
124 $ ovs-vsctl add-port br0 tap0 tag=100
126 #. Add VM4 to VLAN 200::
128 $ ovs-vsctl add-port br0 tap1 tag=200
133 Pings from `vm1` to `vm3` should succeed, as these two VMs are on the same
136 Pings from `vm2` to `vm4` should also succeed, since these VMs are also on the
137 same VLAN as each other.
139 Pings from `vm1`/`vm3` to `vm2`/`vm4` should not succeed, as these VMs are on
140 different VLANs. If you have a router configured to forward between the VLANs,
141 then pings will work, but packets arriving at `vm3` should have the source MAC
142 address of the router, not of `vm1`.