I’ve been doing a lot of mucking around with KVM with libvirt (I keep promising an update here, don’t I). In my desktop virtualisation requirements I had a need for presenting VLAN traffic to guests: simple enough, and I’ve done it before. You can do what I usually do, and configure all your VLANs against the physical interface then create a bridge for each VLAN you want to present to a guest. The guest then attaches to the bridge appropriate to the VLAN it wants access to, with no need to configure 8021q.
(The other method of combining VLAN-tagging and bridging is to bridge the physical interface first, then create VLANs on the bridge. I couldn’t work out how to get VLAN-unaware guests attached to this kind of setup, and it didn’t work for me even to give IP access to the host using a br0.100 for example. Still, it must work for someone as it’s written about a lot…)
I realised that from particular virtual machines I needed to get access to the VLAN tags — I needed VLAN-awareness. Now I knew up-front that the way I could do this was to just throw another NIC into the machine and either dedicate it to the virtual guest or set up a bridge with VLAN tags intact. I really wanted to exhaust all possible avenues to solve the problem without throwing hardware around (as I’ve been doing a bit of that recently, I have to admit).
First, I tried to use standard Linux bridges as a solution, but discovered that an interface can’t belong to more than one bridge at a time, which put paid to my plan to have one or more VLAN-untagging bridges and a VLAN-tagged bridge. I figured it could be done with bridges, but I envisaged a stacked mess of bridge-to-tap-to-bridge-to-tap-to-guest connections and decided that wasn’t the way to go.
Next I checked out VDE, which I had first seen a couple of years ago — but something gave me the impression that VDE either wasn’t really going to give me anything more than bridging would, or was not flexible enough to do what I needed. I like the distributed aspect of VDE (the D in the name) but I’d rarely use that capability so it wasn’t a big drawcard. I widened my search, and found two interesting projects — one that eventually became my solution, and another that I think is quite incredible in its scope and capability.
First, the amazing one: ns-3, “a great network simulator for research and education”. As the name suggests, it simulates networks. It is completely programmable (in fact your network “scripts” are actually C++ code using the product’s libraries and functions) and can be used to accurately model the behaviour of a real network when faced with network traffic. The project states that ns-3 models of real networks have produced libpcap traces that are almost indistinguishable from the traces of the real networks being modelled… I’ll take their word for that, but when you get to configure the propogation delay between nodes in your simulated network it seems to me it’s pretty thorough. Although the way that I found ns-3 was via a forum posting from someone who claimed to have used it to solve a similar situation as me, and ns-3 does provide a way to “bridge” between the simulated network and real networks, the simulation aspect of ns-3 seems to be more complexity than I’m looking for in this instance. It does look like a fascinating tool however, and one I’ll definitely be keeping at least half-an-eye on.
To my eventual solution, then: Open vSwitch. Designed with exactly my scenario in mind–network connection for virtualisation–it has at least two functions that make it ideal for me:
- a Linux-bridging compatibility mode, allowing the brctl command to still function
- IEEE 802.1Q VLAN support (innovatively at that)
The Open vSwitch capability can be built as a kernel module (there’s a second module that supports the brctl compatibility mode), or very recent versions have the ability to be run in user-space (with a corresponding performance drop).
On the surface, configuring an OvS bridge does seem to result in something that looks exactly like a brctl bridge (especially if you use brctl and the OvS bridging compatibility feature to configure it), but its native support for VLANs really brings it into its own for me. In summary, for each “real” bridge you configure in OvS, you can configure a “fake” bridge that passes through packets for a single VLAN from the real bridge (the “parent” bridge). This is exactly what I needed!
For the guest interfaces that needed full VLAN-awareness, I simply provided the name of my OvS bridge as the name of the bridge for libvirt to connect the guest to–OvS bridge-compatibility mode took care of the brctl commands issued in the background by libvirt. The VLAN-unaware guest interfaces presented a bit of a challenge–the OvS “fake” bridge does not present itself like a Linux bridge, so it doesn’t work with libvirt’s bridge interface support. This ended up being moderately easy to overcome as well, thanks to libvirt’s ability to set up an interface configured by an arbitrary script–I hacked the supplied /etc/qemu-ifup script and made a version that adds the tap interface created by libvirt to the OvS fake bridge.
The only thing I might want from this now is an ability for an OvS bridge to have visibility over a subset of the VLANs presented on the physical NIC. The OvS website talks about extensive filtering capability though, so I’ve little doubt that the capability is there and I’m just yet to find it. From a functionality aspect, OvS is packed to the gills with support for various open management protocols, including something called OpenFlow that I’d never heard of before (but I hope that some certain folks in upstate New York have!) but is apparently an open standard that enables secure centralised management of switches.
Detail of exactly how I pulled this all together will come in a page on this site; I’ll make a bunch of pages that describe all the mucky details of my KVM adventures and update this post with a link, so stay tuned!
Crossed Wires 
Thanks for this post. I have also been trying open vSwitch with KVM lately, for a different project. I was trying to figure if libvirt could use a custom script, but it seems they have disabled that functionality [1]. I was then looking at the libvirt code, and it didn't look that hard to add, but it would be a hack. Hacking the default /etc/qemu-ifup makes more sense. I will try that. Thanks again for the idea.[1] http://www.mail-archive.com/libvir-list@redhat….
LikeLike
What’s the advantage of using Openvswitch over simply configuring 802.1Q interfaces on linux (for example with: ip link add link eth0 name eth0.3 type vlan id 3) and then connecting those (in this example eth0.3) to a bridge:
brctl addbr br3
brctl addbr addif br3 eth0.3
Sounds like you’d get the same effect without patching your kernel.
Thanks,
Guido
LikeLike
Hi Guido,
I have used that method, when running VMware Server in the past. Trouble is, it doesn’t work when you have a mixture of VLAN-aware and VLAN-unaware guests that you want to share an adapter: as soon as the 8021q module is bound to an interface (when a VLAN is configured) the “non-VLAN” or “raw” interface no longer receives all the packets. In my VMware Server days, I had to allocate an additional NIC with no VLAN membership for VLAN-aware guests.
I thought that OpenVswitch would be a way to provide more flexibility, and allow me greater control to do interesting things with my available network hardware (especially since I was moving to a new machine with reduced capacity for NIC installation). Unfortunately I had a lot of trouble integrating OpenVswitch into the boot process of Ubuntu Lucid — every bootup required manual network reconfiguration. I have not looked at it for a while though, hopefully there’s better support in distros now.
Thanks for your comment!
Vic
LikeLike
I’m also a bit confused, it looks like this should work directly with one additional interface: Assume eth0 is the physical interface of the vm-host which receives and sends tagged frames (8021q). Assume further that there’s a bridge named brtag, into which eth0 is bound. Then you add a vlan enabled device called vlan123 on brtag, that adds the vlan tag 123. Then you create a bridge named “brvlan123” and add the interface vlan123 to it. Guests which shall set tags themselves are added to brtag, guests which should not setup tags are bound to brvlan123.nnMaybe I’m misunderstanding your post, but I do not see a need for binding one interface to multiple bridges.
LikeLike
Thanks for your comment… I have to admit it took me a while to understand again what the problem was with the way I was trying to work it.
The problem was that I wanted different virtual machines to be configured differently — some to receive untagged frames for particular VLANs, and others to receive all the tagged frames straight from the switch. I can’t recall if I tried your method or not, but what I found was that the physical interface no longer saw any packets once a VLAN was configured against it, which meant the “VLAN-aware bridge” didn’t see any traffic. It didn’t appear that a bridge was sufficient isolation of that (the second paragraph in my original post implies that I tried something like what you described but it didn’t work for me). Perhaps the choice of network card makes a difference too, changing where the VLAN processing happens…?
Like I said though, I can’t recall if I tried a bridge behind a bridge as you’ve shown — perhaps I should give it a go!
LikeLike
Hi,
Do you know if openvswitch can tag untagged traffic? Like PVID functionnality on physical switch. Because our VM boots on PXE, and PXE doesn’t support VLAN. So we have to tag our vswitch port to 0 to allow untagged traffic from the VM to pass thru. Is it possible that fake bridge could handle that traffic to a tagged port?
LikeLike
Yes, I was doing something very similar to what you describe. I was having trouble trying to use the brcompat functionality to make Open vSwitch fit into the Ubuntu network startup method, but I think I’ve now learned that I need to throw away the normal network startup and let Open vSwitch take care of everything (unless Ubuntu Server has native support for Open vSwitch nowadays…).
There is a nice looking writeup of Open vSwitch in Issue 03 of ADMIN Magazine; the author discusses the use of fake bridges to achieve PVID-like function.
LikeLike
Thank you, I will try to get this issue of Admin Magazine
LikeLike