..
      Licensed under the Apache License, Version 2.0 (the "License"); you may
      not use this file except in compliance with the License. You may obtain
      a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
      WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
      License for the specific language governing permissions and limitations
      under the License.

      Convention for heading levels in Open vSwitch documentation:

      =======  Heading 0 (reserved for the title in a document)
      -------  Heading 1
      ~~~~~~~  Heading 2
      +++++++  Heading 3
      '''''''  Heading 4

      Avoid deeper levels because they do not render well.

================================
Isolating VM Traffic Using VLANs
================================

This document describes how to use Open vSwitch to isolate VM traffic using
VLANs.

.. image:: vlan.png
   :align: center

Setup
-----

This guide assumes the environment is configured as described below.

Two Physical Networks
~~~~~~~~~~~~~~~~~~~~~

- Data Network

  Ethernet network for VM data traffic, which will carry VLAN-tagged traffic
  between VMs. Your physical switch(es) must be capable of forwarding
  VLAN-tagged traffic and the physical switch ports should operate as VLAN
  trunks. (Usually this is the default behavior. Configuring your physical
  switching hardware is beyond the scope of this document, but do confirm that
  the trunk admits the VLAN IDs you intend to use, 100 and 200 in this guide.)

- Management Network

  This network is not strictly required, but it is a simple way to give the
  physical host an IP address for remote access, since an IP address cannot be
  assigned directly to eth0 (more on that in a moment).

Two Physical Hosts
~~~~~~~~~~~~~~~~~~

The environment assumes the use of two hosts: `host1` and `host2`. Both hosts
are running Open vSwitch. Each host has two NICs, eth0 and eth1, which are
configured as follows:

- eth0 is connected to the Data Network. No IP address is assigned to eth0.

- eth1 is connected to the Management Network (if necessary). eth1 has an IP
  address that is used to reach the physical host for management.

Four Virtual Machines
~~~~~~~~~~~~~~~~~~~~~

Each host will run two virtual machines (VMs). `vm1` and `vm2` are running on
`host1`, while `vm3` and `vm4` are running on `host2`.

Each VM has a single interface that appears as a Linux device (e.g., ``tap0``)
on the physical host.

.. note::
   For Xen/XenServer, VM interfaces appear as Linux devices with names like
   ``vif1.0``. Other Linux systems may present these interfaces as ``vnet0``,
   ``vnet1``, etc.

Configuration Steps
-------------------

Perform the following configuration on `host1`:

#. Create an OVS bridge::

       $ ovs-vsctl add-br br0

#. Add ``eth0`` to the bridge::

       $ ovs-vsctl add-port br0 eth0

   .. note::

      By default, all OVS ports are VLAN trunks, so eth0 will pass all VLANs.
      If eth0 should carry only the VLANs used in this guide, restrict it by
      setting the port's ``trunks`` column to those VLAN IDs (100 and 200).

   .. note::

      When you add eth0 to the OVS bridge, any IP addresses that might have
      been assigned to eth0 stop working. Any IP address assigned to eth0
      should be migrated to a different interface before adding eth0 to the
      OVS bridge. This is the reason for the separate management connection
      via eth1.

#. Add `vm1` as an "access port" on VLAN 100. This means that traffic coming
   into OVS from `vm1` is untagged and is treated as part of VLAN 100. A frame
   that arrives on an access port already carrying an 802.1Q header with a
   nonzero VLAN ID is dropped, so a VM cannot move itself onto another VLAN by
   tagging its own traffic::

       $ ovs-vsctl add-port br0 tap0 tag=100

   Add `vm2` on VLAN 200::

       $ ovs-vsctl add-port br0 tap1 tag=200

Repeat these steps on `host2`:

#. Set up a bridge with eth0 as a VLAN trunk::

       $ ovs-vsctl add-br br0
       $ ovs-vsctl add-port br0 eth0

#. Add `vm3` to VLAN 100::

       $ ovs-vsctl add-port br0 tap0 tag=100

#. Add `vm4` to VLAN 200::

       $ ovs-vsctl add-port br0 tap1 tag=200

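The configuration steps above, for either host, as one script. This is an
added example and not part of the Open vSwitch documentation or the project's
own tooling; the bridge, uplink and tap names are the ones this guide assumes,
and the ``OVS_VSCTL`` variable is a hypothetical hook so the script can be
dry-run with ``echo`` on a machine that has no OVS installed. It applies a
host's whole layout in a single ``ovs-vsctl`` invocation, which OVS commits as
one atomic transaction, and it marks every VM port explicitly as an access
port.

```shell
#!/bin/sh
# Added example, not part of the Open vSwitch documentation.  Applies the
# VLAN layout from this guide to one host as a single ovs-vsctl transaction.
#
# Assumptions (hypothetical, adjust for your host):
#   - bridge br0, uplink eth0, VM ports tap0 (VLAN 100) and tap1 (VLAN 200)
#   - OVS_VSCTL names the ovs-vsctl binary; set it to "echo" for a dry run
set -eu

OVS_VSCTL="${OVS_VSCTL:-ovs-vsctl}"

# build_transaction BRIDGE UPLINK [PORT:VLAN ...]
# Prints the argument list for one ovs-vsctl call.  Commands joined with
# "--" run as a single atomic transaction, so either the whole layout is
# committed or none of it is.  --may-exist makes re-runs harmless, but it
# does NOT change the tag of a port that already exists; use
# "ovs-vsctl set port PORT tag=N" to change one.
build_transaction() {
    bridge=$1; uplink=$2; shift 2
    cmd="--may-exist add-br $bridge -- --may-exist add-port $bridge $uplink"
    for spec in "$@"; do
        port=${spec%%:*}
        vlan=${spec#*:}
        case $vlan in
            ''|*[!0-9]*) echo "bad VLAN id in '$spec'" >&2; return 1 ;;
        esac
        if [ "$vlan" -lt 1 ] || [ "$vlan" -gt 4094 ]; then
            echo "VLAN id $vlan out of range 1-4094" >&2; return 1
        fi
        # tag= already implies access mode; stating vlan_mode=access records
        # the intent: frames to the VM go out untagged, and any 802.1Q-tagged
        # frame the VM sends is dropped rather than switched onto that VLAN.
        cmd="$cmd -- --may-exist add-port $bridge $port tag=$vlan vlan_mode=access"
    done
    printf '%s\n' "$cmd"
}

# configure_host BRIDGE UPLINK [PORT:VLAN ...]
# Validates the spec first, then hands the whole transaction to ovs-vsctl.
configure_host() {
    tx=$(build_transaction "$@") || return 1
    # shellcheck disable=SC2086  # word splitting of $tx is intended
    $OVS_VSCTL $tx
}

# The layout is identical on host1 and host2; run as root on each:
#   configure_host br0 eth0 tap0:100 tap1:200
```

Running it with ``OVS_VSCTL=echo`` prints the transaction instead of applying
it, which is a convenient way to review the exact ``ovs-vsctl`` arguments
before touching a production host. Note that the validation happens before
anything is sent to OVS, so a typo in a VLAN ID never results in a partially
built bridge.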
Validation
----------

Pings from `vm1` to `vm3` should succeed, as these two VMs are on the same
VLAN.

Pings from `vm2` to `vm4` should also succeed, since these VMs are also on the
same VLAN as each other.

Pings from `vm1`/`vm3` to `vm2`/`vm4` should not succeed, as these VMs are on
different VLANs. If you have a router configured to forward between the VLANs,
then pings will work, but packets arriving at `vm2` or `vm4` should have the
source MAC address of the router, not of `vm1`. If such packets carry `vm1`'s
own MAC address, the two VLANs are being bridged somewhere on the path and the
isolation should not be trusted until the cause is found.
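The ping matrix above needs all four guests up. As a complementary check
that can run on each host as soon as the bridge is configured, the following
script reads the port configuration back from OVSDB and confirms that the
uplink is untagged (a trunk) and that each VM port is an access port on the
VLAN it should be on. This is an added example, not part of the Open vSwitch
documentation; the port names are the ones this guide assumes, and
``OVS_VSCTL`` is a hypothetical hook so the checks can be exercised offline
against a stub.

```shell
#!/bin/sh
# Added example, not part of the Open vSwitch documentation.  Verifies the
# VLAN layout of one host from OVSDB state, without needing the guests.
#
# Assumptions (hypothetical): uplink eth0, VM ports tap0 (VLAN 100) and
# tap1 (VLAN 200); OVS_VSCTL names ovs-vsctl or a stub with the same output.
set -u

OVS_VSCTL="${OVS_VSCTL:-ovs-vsctl}"

# port_col PORT COLUMN -> prints the column value, "[]" when it is unset.
port_col() {
    $OVS_VSCTL get port "$1" "$2"
}

# check_access_port PORT VLAN
# The tag must be exactly VLAN, and vlan_mode must be unset (which, with a
# tag, means access) or explicitly "access".  Anything else, e.g. a port
# someone changed to native-untagged, would let the VM see other VLANs.
check_access_port() {
    port=$1; want=$2; rc=0
    got=$(port_col "$port" tag)
    if [ "$got" != "$want" ]; then
        echo "$port: tag is $got, expected $want" >&2; rc=1
    fi
    mode=$(port_col "$port" vlan_mode)
    case $mode in
        '[]'|access) ;;
        *) echo "$port: vlan_mode is $mode, expected access" >&2; rc=1 ;;
    esac
    return $rc
}

# check_trunk_port PORT
# The uplink must have no tag at all; a tag here would silently turn the
# trunk into an access port and collapse every VLAN onto one.
check_trunk_port() {
    got=$(port_col "$1" tag)
    if [ "$got" != '[]' ]; then
        echo "$1: tag is $got, expected none (trunk)" >&2; return 1
    fi
}

# verify_layout UPLINK [PORT:VLAN ...] -> 0 if every port matches, else 1.
# Every mismatch is reported, not just the first one.
verify_layout() {
    uplink=$1; shift; rc=0
    check_trunk_port "$uplink" || rc=1
    for spec in "$@"; do
        check_access_port "${spec%%:*}" "${spec#*:}" || rc=1
    done
    return $rc
}

# Run as root on host1 and on host2 (same layout on both):
#   verify_layout eth0 tap0:100 tap1:200 && echo "VLAN layout OK"
```

This checks configured intent in OVSDB, not what the datapath actually does
with a frame; it will catch a mistyped tag or an uplink that was accidentally
given one, but the end-to-end ping test above remains the proof that the
physical switch and the router, if any, behave as expected.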