From 94fd8ea59c669d0cd113fda0429543c395921cb1 Mon Sep 17 00:00:00 2001 From: Wolfgang Link Date: Wed, 7 Feb 2018 13:02:22 +0100 Subject: [PATCH] add VLAN explanation.] add VLAN explanation. --- pve-network.adoc | 117 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 117 insertions(+) diff --git a/pve-network.adoc b/pve-network.adoc index d221c32..1755cb6 100644 --- a/pve-network.adoc +++ b/pve-network.adoc 
@@ -344,6 +344,123 @@ iface vmbr0 inet static ---- +VLAN 802.1Q +~~~~~~~~~~~ + +A virtual LAN (VLAN) is any broadcast domain that is partitioned +and isolated in the network at layer 2. +So it is possible to have multiple networks (4096) in a physical network, +each independent of the other ones. +Each VLAN network is identified by a number often called `tag`. +Network packages are then `tagged` to identify which virtual +network they belong to. + +One or more VLANs can be used at any network device (Nic, Bond, Bridge). +VLANs can be configured in several ways. Here, only the most common ones get +described. We assume a network infrastructure based on Linux Kernel Networking +(opposed to, e.g., Open vSwitch). +Of course, there are scenarios that are not possible with this configuration, +but it will work for most standard setups. + +Two of the most common and popular usage scenarios are: + +1.) VLAN for the guest networks. +Proxmox supports three different ways of using VLAN in guests: + +* *VLAN awareness on the Linux Bridge:* +In this case, each guest's virtual network card is assigned to a VLAN tag, +which is transparently supported by the Linux Bridge. +Trunk mode is also possible, but that makes the configuration +in the guest necessary. + +* *"traditional" VLAN on the Linux bridge:* +In contrast to the VLAN awareness method, this method is not transparent +and creates a VLAN device with associated bridge for each VLAN. +That is, if e.g. in our default network, a guest VLAN 5 is used +to create eno1.5 and vmbr0v5, which remains until rebooting. + +* *Guest configured:* The VLANs are assigned in the guest. +In this case, the setup is in the guest and can not be influenced from the +outside. +The benefit is more then one VLAN on a single virtual NIC can be used. + +2.) VLAN on the host, to allow the host communication whit an isolated network. +As already mentioned, it is possible to apply the VLAN to all network devices. 
+In general, you should configure the VLAN on the interface with the least +abstraction layers between itself and the physical NIC. + +For example, in a default configuration where you want to place +the host management address on a separate VLAN. + +NOTE: In the examples we use the VLAN at bridge level to ensure the correct +function of VLAN 5 in the guest network, but in combination with VLAN anwareness +bridge this it will not work for guest network VLAN 5. +The downside of this setup is more CPU usage. + +.Example: Use VLAN 5 for the {pve} management IP +---- +auto lo +iface lo inet loopback + +iface eno1 inet manual + +iface eno1.5 inet manual + +auto vmbr0v5 +iface vmbr0v5 inet static + address 10.10.10.2 + netmask 255.255.255.0 + gateway 10.10.10.1 + bridge_ports eno1.5 + bridge_stp off + bridge_fd 0 + +auto vmbr0 +iface vmbr0 inet manual + bridge_ports eno1 + bridge_stp off + bridge_fd 0 + +---- + +The next example is the same setup but a bond is used to +make this network fail-safe. + +.Example: Use VLAN 5 with bond0 for the {pve} management IP +---- +auto lo +iface lo inet loopback + +iface eno1 inet manual + +iface eno2 inet manual + +auto bond0 +iface bond0 inet manual + slaves eno1 eno2 + bond_miimon 100 + bond_mode 802.3ad + bond_xmit_hash_policy layer2+3 + +iface bond0.5 inet manual + +auto vmbr0v5 +iface vmbr0v5 inet static + address 10.10.10.2 + netmask 255.255.255.0 + gateway 10.10.10.1 + bridge_ports bond0.5 + bridge_stp off + bridge_fd 0 + +auto vmbr0 +iface vmbr0 inet manual + bridge_ports bond0 + bridge_stp off + bridge_fd 0 + +---- + //// TODO: explain IPv6 support? TODO: explain OVS -- 2.39.2
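Review bot: The NOTE ahead of the first example contradicts itself and should be reworded: it says the VLAN is used at bridge level "to ensure the correct function of VLAN 5 in the guest network", then that in combination with a VLAN-aware bridge "this it will not work for guest network VLAN 5". Please state plainly which setup keeps VLAN 5 usable for guests and which does not, and say what "more CPU usage" is compared against. Two other sentences do not parse: "That is, if e.g. in our default network, a guest VLAN 5 is used to create eno1.5 and vmbr0v5, which remains until rebooting" and the fragment "For example, in a default configuration where you want to place the host management address on a separate VLAN." In the introduction, "(4096)" counts every 12-bit tag value, but 802.1Q reserves 0 and 4095, so 4094 are usable; "Network packages" should be "packets" (strictly, frames). Typos: "more then one" should be "more than one", "communication whit" should be "communication with", "anwareness" should be "awareness", and "Nic" should be "NIC". Finally, both examples put the management IP on VLAN 5 of the same eno1/bond0 that vmbr0 bridges to guests, while the "Guest configured" item says the guest's tagging "can not be influenced from the outside"; that item and the trunk-mode remark should mention that a guest choosing its own tags can also emit frames tagged 5 on that uplink, so readers know to restrict those modes where the management VLAN is meant to stay isolated.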