[PVE-User] How to specify VLANs for a trunk interface into the VM
Klaus Darilion
2018-08-06 15:25:36 UTC
Hello!

I have a trunk into my Proxmox server with plenty of vlans, into OVS
bridge vmbr0.

How can I configure a trunk into a VM and specify the allowed VLANs? The
GUI dialog only allows specifying a single VLAN tag (which causes the
interface to be an OVS access port).

I need to configure an OVS port like:
ovs-vsctl set port XXX trunks=20,30,40

Any chance to configure this via GUI or console?

Thanks
Klaus
Josh Knight
2018-08-06 16:57:40 UTC
I don't see a way to do this via the GUI for the VM interface.

You can use that same command you listed but on the tap interface tapXiY
where X is the VM ID and Y is the interface number. E.g. tap100i1 would be
interface 1 of VMID 100. That will restrict the allowed VLANs on that
port, but of course that doesn't stick around after a reboot, ovs has no
'startup config'. But it should be obvious which IDs to use if you take a
look at the list of interfaces on the host with `ip link | grep tap`.

Or you can do something like this. But either way, the ovs-vsctl command
will work.
ovs-vsctl add port tapXiY trunks 20
ovs-vsctl add port tapXiY trunks 30
ovs-vsctl add port tapXiY trunks 40


Another thing to consider however, is by default, the ovs trunk port will
allow all VLANs. In your VM if you create subinterfaces like eth0.20,
eth0.30, eth0.40, then you'll have access to each specific VLAN without
having to configure allowed vlans in ovs. It depends on your use case.

Josh

Josh Knight


Klaus Darilion
2018-08-06 19:19:55 UTC
Hi Josh!
Post by Josh Knight
I don't see a way to do this via the GUI for the VM interface.
You can use that same command you listed but on the tap interface tapXiY
where X is the VM ID and Y is the interface number. E.g. tap100i1 would be
interface 1 of VMID 100. That will restrict the allowed VLANs on that
port, but of course that doesn't stick around after a reboot, ovs has no
'startup config'. But it should be obvious which IDs to use if you take a
look at the list of interfaces on the host with `ip link | grep tap`.
Or you can do something like this. But either way, the ovs-vsctl command
will work.
ovs-vsctl add port tapXiY trunks 20
ovs-vsctl add port tapXiY trunks 30
ovs-vsctl add port tapXiY trunks 40

That's not reasonable. The port config has to be reboot safe and stick
to the VM config (i.e. VM is migrated to another host).

Post by Josh Knight
Another thing to consider however, is by default, the ovs trunk port will
allow all VLANs. In your VM if you create subinterfaces like eth0.20,
eth0.30, eth0.40, then you'll have access to each specific VLAN without
having to configure allowed vlans in ovs. It depends on your use case.

I want to avoid that - for security reasons and to not confuse Linux. I
had seen strange things in Linux, i.e. where it answered to ARP on VLANs
available on the trunk but not explicitly configured as eth0.XX
interface. So, the VM should only see the required VLANs.

I hoped that the port config is flexible to configure trunks=...., but
it is not available in the GUI.

The workaround would be to convert every trunk into access ports. That
would be 3 more interfaces - and probably the best solution at the
moment. I just was looking for a more beautiful solution.

regards
Klaus
Klaus Darilion
2018-08-06 19:25:20 UTC
Post by Klaus Darilion
I hoped that the port config is flexible to configure trunks=...., but
it is not available in the GUI.

I think I just found it at https://pve.proxmox.com/wiki/Manual:_qm.conf:

net[n]: [model=]<enum> [,bridge=<bridge>] [,firewall=<1|0>]
[,link_down=<1|0>] [,macaddr=<XX:XX:XX:XX:XX:XX>] [,queues=<integer>]
[,rate=<number>] [,tag=<integer>] [,trunks=<vlanid[;vlanid...]>]
[,<model>=<macaddr>]

regards
Klaus
Klaus Darilion
2018-08-07 13:44:14 UTC
Post by Klaus Darilion
Post by Klaus Darilion
I hoped that the port config is flexible to configure trunks=...., but
it is not available in the GUI.
net[n]: [model=]<enum> [,bridge=<bridge>] [,firewall=<1|0>]
[,link_down=<1|0>] [,macaddr=<XX:XX:XX:XX:XX:XX>] [,queues=<integer>]
[,rate=<number>] [,tag=<integer>] [,trunks=<vlanid[;vlanid...]>]
[,<model>=<macaddr>]

For the record - it works fine - but probably will be overwritten if
the NIC would be edited in the GUI.

regards
Klaus
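
Added example, not part of the thread and not Proxmox code: a small audit that parses net[n] lines in the syntax quoted above and reports which NICs are restricted trunks, access ports, or carry neither tag= nor trunks= (which, per Josh's note, leaves the OVS port passing all VLANs). The function names, finding labels and sample config are constructed for illustration, and only the plain `vlanid;vlanid` list form shown in the thread is handled.

```python
import re

# Constructed sample in the net[n] syntax quoted from the qm.conf manual above.
SAMPLE_CONF = """\
name: example-vm
net0: virtio=AA:BB:CC:DD:EE:01,bridge=vmbr0,trunks=20;30;40
net1: virtio=AA:BB:CC:DD:EE:02,bridge=vmbr0,tag=20
net2: virtio=AA:BB:CC:DD:EE:03,bridge=vmbr0
net3: virtio=AA:BB:CC:DD:EE:04,bridge=vmbr0,trunks=30;5000
"""

NET_LINE = re.compile(r"^(net\d+):\s*(.+)$")


def parse_net(value):
    """Split a net[n] value into a dict of its key=value options."""
    opts = {}
    for part in value.split(","):
        key, _, val = part.strip().partition("=")
        opts[key] = val
    return opts


def audit_conf(text):
    """Return {netN: (finding, vlans)} for every NIC in a qm.conf-style text."""
    report = {}
    for line in text.splitlines():
        m = NET_LINE.match(line.strip())
        if not m:
            continue
        name, opts = m.group(1), parse_net(m.group(2))
        if "trunks" in opts:
            ids = [v for v in opts["trunks"].split(";") if v]
            # 802.1Q VLAN IDs usable on a port are 1..4094.
            bad = [v for v in ids if not v.isdigit() or not 1 <= int(v) <= 4094]
            if bad:
                report[name] = ("invalid-vlan-id", bad)
            else:
                report[name] = ("restricted-trunk", sorted(int(v) for v in ids))
        elif "tag" in opts:
            report[name] = ("access-port", [int(opts["tag"])])
        else:
            # Neither tag nor trunks: per the thread, the OVS port passes all VLANs.
            report[name] = ("open-trunk", [])
    return report


if __name__ == "__main__":
    for nic, (finding, vlans) in audit_conf(SAMPLE_CONF).items():
        print(f"{nic}: {finding} {vlans}")
```

Running the same check after any GUI edit of a NIC would show whether the trunks= setting was dropped, as Klaus suspects it may be.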
