So I have been playing around with Vlans with KVM and I came across an issue that's boggling my mind. The solution is probably so simple that it's stupid. But nonetheless I am hoping someone can set me straight.
#First I created a bridge
brctl addbr br99
#Then I attached two virtual machines to this bridge. Basically I am using the virtio driver and attaching directly to br99 for each virtual machine. If I set up the eth0 device in each machine on the 10.11.0.0/24 network, they can easily ping each other. No problems here.
#Next I remove all IPs from the eth0 device in each virtual machine. I then set up two vlan interfaces on each virtual machine; Vlan 10 and Vlan 20
ip link add link eth0 name eth.10 type vlan id 10
ip link add link eth0 name eth.20 type vlan id 20
#I add IPs to each vlan interface
(virtual machine 1): ip addr add 10.11.0.2/24 dev eth.10
(virtual machine 1): ip addr add 10.11.0.3/24 dev eth.20
(virtual machine 2): ip addr add 10.11.0.4/24 dev eth.10
(virtual machine 2): ip addr add 10.11.0.5/24 dev eth.20
#So the even numbered IPs are Vlan 10 and the odds are vlan 20. From both machines I can ping every address. No problems.
#Next I delete the eth.20 interface on Virtual Machine 2 (which is 10.11.0.5)
ip link del dev eth.20
#Which means that Virtual Machine 2 is now only a part of the vlan 10 network; it's no longer a part of the vlan 20 network
#From virtual machine 2 I can still ping 10.11.0.2 because that is in vlan 10 on virtual machine 1. The even number IPs can ping each other.
#But if I ping 10.11.0.3 (which is on virtual machine 1 vlan 20) from virtual machine 2 which is only on vlan 10, it STILL pings!
#How is this possible?!
#Forwarding on each virtual machine is set to off.
#What am I missing? I am under the impression that a ping from virtual machine 2 (which is ONLY on vlan 10) cannot ping 10.11.0.3 (on virtual machine 1) because 10.11.0.3 is on vlan 20.
#Can someone set me straight?
#So the even numbered IP are Vlan 10 and the odds are vlan 20. From both machines I can ping every address. No problems.
#Next I delete the eth.20 interface on Virtual Machine 2 (which is 10.11.0.5)
ip link del dev eth.20
I wonder how you ping. With the "-I" option?
ping -I eth.20 10.11.0.2
To test it, is it not better to bring the interface down rather than deleting it?
Hey Guys,
Thanks for your responses! Although I still don't seem to be getting this to work correctly.
I did try:
ping -I eth.20 10.11.0.2 (10.11.0.2 being on the vlan 10 network on the other virtual machine)
But it still pings!
If I do a tracepath from virtual machine 2, which is only on vlan 10, to both IP addresses on the other virtual machine (both vlan 10 and 20), the tracepath output is the same for both; meaning the first hop in the tracepath is the 10.11.0.4 which is on vlan 10 on virtual machine 2. And of course the next hop is whatever IP I'm pinging on the other virtual.
Also there are no routers involved here. Just two virtual machines connected to a bridge. The bridge is connected to nothing. Although the bridge does have an IP address of 10.11.0.1. But if I use just the vlan interfaces on each virtual machine, none of them can ping 10.11.0.1 because it's not on any vlan, which is to be expected.
I'm stumped!
Let me summarize for my understanding.
You create them, make sure it works, then you delete/bring down the link eth.20 again, then
I did try:
ping -I eth.20 10.11.0.2 (10.11.0.2 being on the vlan 10 network on the other virtual machine)
But it still pings!
and the question is why it pings at all since you deleted/brought the link down?
Let's have a look at the routing after your delete step.
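Added example, not part of any post in this thread: with both VLAN interfaces of virtual machine 1 in the same 10.11.0.0/24 subnet, Linux's default ARP policy (`arp_ignore=0`, as documented in the kernel's ip-sysctl documentation) answers for a local address on any interface, which is one way 10.11.0.3 can stay reachable over vlan 10. The sketch models only that documented rule for values 0 and 1, over a constructed `ip -o -4 addr show` style listing; the function names are hypothetical and whether this is the cause on the poster's machines is an assumption.

```python
import ipaddress

# Constructed sample in the style of `ip -o -4 addr show` on virtual machine 1.
VM1_ADDRS = [
    "3: eth.10    inet 10.11.0.2/24 scope global eth.10",
    "4: eth.20    inet 10.11.0.3/24 scope global eth.20",
]

def parse_addrs(lines):
    """Return {interface: [IPv4Interface, ...]} from one-line `ip addr` output."""
    table = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 4 or fields[2] != "inet":
            continue
        ifname = fields[1].split("@")[0]  # drop an "@parent" suffix if present
        table.setdefault(ifname, []).append(ipaddress.ip_interface(fields[3]))
    return table

def answers_arp(table, ingress, target, arp_ignore=0):
    """Model of the documented arp_ignore rule, values 0 and 1 only."""
    target = ipaddress.ip_address(target)
    if arp_ignore == 0:    # reply for a local address on ANY interface
        candidates = [a for addrs in table.values() for a in addrs]
    elif arp_ignore == 1:  # reply only if the address is on the ingress interface
        candidates = table.get(ingress, [])
    else:
        raise ValueError("only arp_ignore 0 and 1 are modelled")
    return any(a.ip == target for a in candidates)

def cross_vlan_answers(table, arp_ignore=0):
    """List (ingress, address, owner) where ingress answers ARP for another interface's address."""
    found = []
    for ingress in sorted(table):
        for owner in sorted(table):
            if owner == ingress:
                continue
            for a in table[owner]:
                if answers_arp(table, ingress, a.ip, arp_ignore):
                    found.append((ingress, str(a.ip), owner))
    return found

if __name__ == "__main__":
    vm1 = parse_addrs(VM1_ADDRS)
    for mode in (0, 1):
        print("arp_ignore=%d:" % mode, cross_vlan_answers(vm1, mode))
```

On a real host the corresponding setting is the `net.ipv4.conf.*.arp_ignore` sysctl; the model does not cover route selection or `rp_filter`.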