From: Bastian Sebode via pve-user
Date: Mon, 22 Jul 2024 21:18:26 +0200
Subject: Re: [PVE-User] Mapping of VLAN tags to Linux bridges: Is that possible?
To: pve-user@lists.proxmox.com

Hello Frank,

you can achieve that with normal Linux networking already, without the need of SDN.

Over the Network Tab of the Hosts GUI (interface names are examples):

- Create the Bond/LAG/Port Channel/Trunk on the switch, put the needed VLANs tagged on it
- Create a "Linux Bond" `bond0` with the host interfaces `ens18 ens19`, preferably with LACP on Host and Switch. No IP address necessary
- Create a "Linux VLAN" `bond0.90` with the "vlan raw device" `bond0`. No IP address necessary
- Create a "Linux Bridge" `vmbr90` with the slave interface `bond0.90`. No IP address necessary, only if you want to manage the server over it
- Attach the VMs to the VLAN bridge
- Repeat for every VLAN you need

There is also the possibility to have the VLAN Tags on the Linux bridge, but I would always prefer the mentioned above.

Hope this helps and others can confirm that they are using such a setup.

Peace
Bastian

On 22.07.24 19:38, Frank Thommen wrote:
> Dear list members,
>
> our current three-node PVE cluster hosts VMs from three different
> subnets/VLANs.
> Each host has - besides the network ports for the Ceph
> cluster - eight physical network ports (two for the host itself and
> two for each of the three VLANs). Always two ports are configured like
> this:
>
>    switch port - host port (1 Gbit) \
>                                      +- bond - bridge
>    switch port - host port (1 Gbit) /
>
> This is nice, because when configuring a VM, we can choose the
> appropriate bridge from the network menu, which also shows me the
> bridge's description, so that there can't be any mistakes as to which
> bridge has to be selected. However that comes with too many cables and
> too many NICs. Especially as we expect to have to support more subnets
> in the near future.
>
> Our networking department has suggested to move from dedicated switch
> ports to VLAN tags. This would reduce the eight 1 Gbit ports to two 25
> Gbit ports per host (LACP bonded), but as far as I can see, we would
> then have to - manually - enter the correct VLAN tag number for each
> virtual network device. I expect this to be very error prone and
> unintuitive. Best would be, if it would be possible to create Linux
> bridges which map to individual VLAN tags like this:
>
>    switch port - host port (25 Gbit) \         / VLAN 12 - bridge1
>                                       +- bond -- VLAN 56 - bridge2
>    switch port - host port (25 Gbit) /         \ VLAN 25 - bridge3
>
>
> but unfortunately with PVE 7.x I could not find a way to achieve this.
> Is such a setup possible at all?
>
> I've read, that PVE 8.x greatly enhances the SDN capabilities of PVE.
> Will these SDN capabilities enable us, to achieve the VLAN-bridge
> mapping?
>
> Thanks for any hint or pointer
> Frank
>
> _______________________________________________
> pve-user mailing list
> pve-user@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-user
>

-- 
Bastian Sebode
IT Specialist for System Integration
LINET Services GmbH | Cyriaksring 10a | 38118 Braunschweig
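
Added example, not part of the original mail or of Proxmox itself: the GUI steps in the reply end up as stanzas in the host's `/etc/network/interfaces`, and this script prints them for one bond and a list of VLANs, rejecting invalid VLAN IDs so a typo cannot silently attach VMs to the wrong segment. The function names are hypothetical, the `vmbr<VLAN id>` naming follows the mail's `vmbr90`, and the bond options (`bond-miimon 100`, `bond-mode 802.3ad`) are assumed typical LACP values.

```sh
#!/bin/sh
# Added example (not from the original mail): print /etc/network/interfaces
# stanzas for an LACP bond with one VLAN sub-interface and one bridge per VLAN.

# render_bond BOND NIC... -> the bond and its member NICs, no IP address
render_bond() {
    bond=$1; shift
    for nic in "$@"; do printf 'iface %s inet manual\n\n' "$nic"; done
    printf 'auto %s\niface %s inet manual\n' "$bond" "$bond"
    printf '\tbond-slaves %s\n\tbond-miimon 100\n\tbond-mode 802.3ad\n' "$*"
}

# render_vlan_bridge BOND VID -> BOND.VID ("Linux VLAN") and vmbrVID on top of it
render_vlan_bridge() {
    bond=$1 vid=$2
    # Accept only plain decimal 1-4094 (the usable 802.1Q range); the length
    # guard keeps the numeric test below from overflowing on huge input.
    case $vid in
        ''|0*|*[!0-9]*|?????*) echo "invalid VLAN id: $vid" >&2; return 1 ;;
    esac
    [ "$vid" -le 4094 ] || { echo "VLAN id out of range: $vid" >&2; return 1; }
    vlan_if="$bond.$vid"
    # Linux interface names are limited to 15 characters.
    [ "${#vlan_if}" -le 15 ] || { echo "name too long: $vlan_if" >&2; return 1; }
    printf 'auto %s\niface %s inet manual\n\n' "$vlan_if" "$vlan_if"
    printf 'auto vmbr%s\niface vmbr%s inet manual\n' "$vid" "$vid"
    printf '\tbridge-ports %s\n\tbridge-stp off\n\tbridge-fd 0\n' "$vlan_if"
}

# render_all BOND "NIC NIC" VID... -> whole fragment; prints nothing if any
# VLAN id is rejected, so a typo never yields a half-written config.
render_all() {
    bond=$1 nics=$2; shift 2
    out=$(render_bond "$bond" $nics) || return 1
    for vid in "$@"; do
        part=$(render_vlan_bridge "$bond" "$vid") || return 1
        out="$out

$part"
    done
    printf '%s\n' "$out"
}

# bond0/ens18/ens19 are the example names from the mail; 12, 56 and 25 are
# the VLANs in Frank's diagram. Review the output before merging it.
render_all bond0 "ens18 ens19" 12 56 25
```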