VLAN trunking
Introduction
What is a VLAN?
A Virtual LAN, or VLAN, is a method of creating independent logical networks within a physical network. Several VLANs can co-exist within such a network. This helps in reducing the size of broadcast domains and in administratively separating logical segments of a LAN (such as company departments) that should not exchange data at the LAN level.
VLANs and VDE
Although Virtual Distributed Ethernet is not a real physical network, it is nevertheless possible to partition the virtual network into VLANs using the vde_switch management console. Moreover, it is also possible to interconnect segments of the same VLAN associated with different vde_switches. This way of interconnecting VLAN segments distributed over multiple switches is called VLAN trunking.
In this tutorial we will see how to set up two VLANs distributed over two vde_switches, in a simple example that connects qemu virtual machines and other virtual networking entities to different switches within the same VLAN.
Getting started
In this example we want to create two VLANs within the same vde virtual network. The first VLAN will interconnect the qemu virtual machines; the second will interconnect an instance of umview with a locally defined tuntap interface.
Start two vde_switches
$ vde_switch -d -s /tmp/vde1 -M /tmp/mgmt1
$ vde_switch -d -s /tmp/vde2 -M /tmp/mgmt2
- -d tells vde_switch to run as a daemon (background process).
- -s /tmp/vde* is the complete path to the data socket of the switch.
- -M /tmp/mgmt* specifies where to create the management socket of the switch.
Create a persistent tuntap network interface
It will be connected to a vde_switch later. tunctl creates a new tuntap interface that can be accessed by the specified user. The user can connect to the tuntap interface, but every host-side aspect of the interface has to be configured by the system administrator.
# tunctl -u username
Start virtual machines
For the purpose of this tutorial the qemu virtual machines are connected to the first and to the second switch respectively, so that the VLAN is distributed over different switches.
$ vdeqemu -hda /somewhere/debian.img -net nic,macaddr=00:11:22:33:44:55 -net vde,sock=/tmp/vde1 &
$ vdeqemu -hda /somewhere/freebsd.img -net nic,macaddr=00:ee:dd:cc:bb:aa -net vde,sock=/tmp/vde2 &
In this way two virtual machines are started and connected to the vde network. Note that the MAC addresses of the virtual network interfaces have been specified by hand, to avoid two network interfaces with the same MAC address.
Connect tuntap interface to the first vde_switch
tuntap interfaces can be connected to vde_switches either with a dedicated tool or by specifying the tuntap interface name when launching an instance of vde_switch.
$ vde_plug2tap -d -s /tmp/vde1 tap0
- -d tells vde_plug2tap to run as a daemon (background process).
- -s /tmp/vde* is the complete path to the data socket of the switch.
- tap0 is the name of the tuntap interface being connected to the switch.
Connect vde_switches together
They will be connected with a simple vde_cable made of two vde_plugs and a bi-directional pipe.
$ dpipe vde_plug /tmp/vde1 = vde_plug /tmp/vde2 &
Start and connect umview
In order to enable networking within umview, the lwipv6 module must be loaded and configured to connect to a vde_switch (the second switch in this case).
$ umview bash
$ um_add_service lwipv6.so,vd0=/tmp/vde2
$ ip link set vd0 up
$ ip addr add 192.168.0.4/24 dev vd0
Checkout switches status
Now it is time to take a look inside the vde_switches to see what has been connected to the virtual ports and whether everything is alright.
- Status of the first switch (later identified with its data socket /tmp/vde1)
$ unixterm /tmp/mgmt1
VDE switch V.2.1.6
(C) R.Davoli 2005 - GPLv2
vde: port/allprint
0000 DATA END WITH '.'
Port 0001 untagged_vlan=0000 ACTIVE - Unnamed Allocatable
 -- endpoint ID 0006 module unix prog   : vde_plug: user=root PID=3950 SOCK=/tmp/vde1.03950-00000
Port 0002 untagged_vlan=0000 ACTIVE - Unnamed Allocatable
 -- endpoint ID 0008 module unix prog   : vdeqemu user=root PID=3952 SOCK=/tmp/vde1.03952-00000
Port 0003 untagged_vlan=0000 ACTIVE - Unnamed Allocatable
 -- endpoint ID 0010 module unix prog   : vde_plug: user=root PID=3966 SOCK=/tmp/vde1.03966-00000
vde: vlan/allprint
0000 DATA END WITH '.'
VLAN 0000
 -- Port 0001 tagged=0 active=1 status=Forwarding
 -- Port 0002 tagged=0 active=1 status=Forwarding
 -- Port 0003 tagged=0 active=1 status=Forwarding
- Status of the second switch (later identified with its data socket /tmp/vde2)
$ unixterm /tmp/mgmt2
VDE switch V.2.1.6
(C) R.Davoli 2005 - GPLv2
vde: port/allprint
0000 DATA END WITH '.'
Port 0001 untagged_vlan=0000 ACTIVE - Unnamed Allocatable
 -- endpoint ID 0006 module unix prog   : vdeqemu user=root PID=3961 SOCK=/tmp/vde2.03961-00000
Port 0002 untagged_vlan=0000 ACTIVE - Unnamed Allocatable
 -- endpoint ID 0008 module unix prog   : vde_plug: user=root PID=3967 SOCK=/tmp/vde2.03967-00000
Port 0003 untagged_vlan=0000 ACTIVE - Unnamed Allocatable
 -- endpoint ID 0010 module unix prog   : LWIPv6 user=root PID=4080 if=vd0
vde: vlan/allprint
0000 DATA END WITH '.'
VLAN 0000
 -- Port 0001 tagged=0 active=1 status=Forwarding
 -- Port 0002 tagged=0 active=1 status=Forwarding
 -- Port 0003 tagged=0 active=1 status=Forwarding
By default, virtual network devices connected to a vde_switch are all assigned to the same default VLAN 0. We want to split the network into two VLANs. First of all a new VLAN has to be created. Since the members of the VLAN are connected to different switches, the new VLAN has to be created on both switches.
vde: ds/showinfo
0000 DATA END WITH '.'
ctl dir /tmp/vde1
std mode 0700
.
1000 Success
vde: vlan/create 42
1000 Success
vde: vlan/allprint
0000 DATA END WITH '.'
VLAN 0000
 -- Port 0001 tagged=0 active=1 status=Forwarding
 -- Port 0002 tagged=0 active=1 status=Forwarding
 -- Port 0003 tagged=0 active=1 status=Forwarding
VLAN 0042
.
1000 Success
In the same way, a new VLAN with the same identifier has to be created on the other switch. Once that is done, the next step is to assign the desired ports to the desired VLAN. For this example we want to put the qemu virtual machines in the VLAN just created.
vde: port/allprint
0000 DATA END WITH '.'
Port 0001 untagged_vlan=0000 ACTIVE - Unnamed Allocatable
 -- endpoint ID 0006 module unix prog   : vde_plug: user=root PID=3950 SOCK=/tmp/vde1.03950-00000
Port 0002 untagged_vlan=0000 ACTIVE - Unnamed Allocatable
 -- endpoint ID 0008 module unix prog   : vdeqemu user=root PID=3952 SOCK=/tmp/vde1.03952-00000
Port 0003 untagged_vlan=0000 ACTIVE - Unnamed Allocatable
 -- endpoint ID 0010 module unix prog   : vde_plug: user=root PID=3966 SOCK=/tmp/vde1.03966-00000
vde: port/setvlan 2 42
1000 Success
vde: vlan/allprint
0000 DATA END WITH '.'
VLAN 0000
 -- Port 0001 tagged=0 active=1 status=Forwarding
 -- Port 0003 tagged=0 active=1 status=Forwarding
VLAN 0042
 -- Port 0002 tagged=0 active=1 status=Forwarding
.
1000 Success
The same procedure applies to the other switch.
vde: port/print 1
0000 DATA END WITH '.'
Port 0001 untagged_vlan=0000 ACTIVE - Unnamed Allocatable
 -- endpoint ID 0006 module unix prog   : vdeqemu user=root PID=3961 SOCK=/tmp/vde2.03961-00000
.
1000 Success
vde: port/setvlan 1 42
1000 Success
vde: vlan/print
VLAN 0000
 -- Port 0002 tagged=0 active=1 status=Forwarding
 -- Port 0003 tagged=0 active=1 status=Forwarding
VLAN 0042
 -- Port 0001 tagged=0 active=1 status=Forwarding
.
1000 Success
We wanted separate VLANs for the qemu virtual machines and for umview/tuntap networking, but anything newly plugged into a vde_switch is assigned to VLAN 0, which violates the rule just defined. To solve this, a new VLAN has to be created and the umview/tuntap virtual devices assigned to it. In the same way we created VLAN 42, we create a new VLAN 21. The resulting switch configuration shows this VLAN status:
- /tmp/vde1
vde: vlan/allprint
0000 DATA END WITH '.'
VLAN 0000
 -- Port 0003 tagged=0 active=1 status=Forwarding
VLAN 0021
 -- Port 0001 tagged=0 active=1 status=Forwarding
VLAN 0042
 -- Port 0002 tagged=0 active=1 status=Forwarding
- /tmp/vde2
vde: vlan/allprint
0000 DATA END WITH '.'
VLAN 0000
 -- Port 0002 tagged=0 active=1 status=Forwarding
VLAN 0021
 -- Port 0003 tagged=0 active=1 status=Forwarding
VLAN 0042
 -- Port 0001 tagged=0 active=1 status=Forwarding
At this point the qemu virtual machines are part of the same VLAN on different switches, and the same holds for umview and tuntap. As it stands, the virtual machines cannot communicate with each other because there is no link connecting the two segments of the same VLAN. From the point of view of the first switch there is a link to the other switch at port number 3, but that port is only part of the default VLAN 0.
To create a shared link between the VLAN segments, the port connected to the other switch must be added as a tagged port to each VLAN that has to be interconnected with its other segment.
vde: vlan/addport 21 3
1000 Success
vde: vlan/addport 42 3
1000 Success
vde: vlan/allprint
0000 DATA END WITH '.'
VLAN 0000
 -- Port 0003 tagged=0 active=1 status=Forwarding
VLAN 0021
 -- Port 0001 tagged=0 active=1 status=Forwarding
 -- Port 0003 tagged=1 active=1 status=Forwarding
VLAN 0042
 -- Port 0002 tagged=0 active=1 status=Forwarding
 -- Port 0003 tagged=1 active=1 status=Forwarding
As specified in IEEE 802.1Q, frames passing through tagged ports carry a VLAN identifier that lets the other endpoint know to which VLAN the frame has to be forwarded. Since port 3 is connected to the point-to-point link between the switches, it has to be added as a tagged port to each VLAN that has another segment on the other switch.
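To make the tagging rule concrete, here is an added example (not code from the VDE project) that models the final port/VLAN tables of both switches in Python, inserts and strips the 802.1Q tag on the trunk port, and traces a frame from the debian VM across the cable to the freebsd VM. It assumes that vlan/addport 21 2 and vlan/addport 42 2 were also issued on the second switch, whose cable end is port 2, and that a port drops tagged frames for VLANs it does not carry.

```python
import struct
TPID = 0x8100  # IEEE 802.1Q Tag Protocol Identifier

def tag_frame(frame, vid, pcp=0):
    """Insert an 802.1Q tag (TPID + TCI) after the destination and source MACs."""
    return frame[:12] + struct.pack("!HH", TPID, (pcp << 13) | (vid & 0xFFF)) + frame[12:]

def untag_frame(frame):
    """Return (vid, frame without tag); vid is None when the frame is untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID:
        return struct.unpack("!H", frame[14:16])[0] & 0xFFF, frame[:12] + frame[16:]
    return None, frame

class Switch:
    """vde_switch-style VLAN model: per port, one untagged VLAN (port/setvlan)
    and the set of VLANs it carries tagged (vlan/addport)."""
    def __init__(self, ports):
        self.ports = ports  # port number -> (untagged_vlan, {tagged VLANs})

    def flood(self, in_port, frame):
        """Flood a frame received on in_port; return {out_port: bytes as sent}."""
        vid, payload = untag_frame(frame)
        untagged_vlan, tagged = self.ports[in_port]
        if vid is None:
            vid = untagged_vlan            # untagged ingress: the port's own VLAN
        elif vid not in tagged:
            return {}                      # tag not carried by this port: drop (model assumption)
        out = {}
        for port, (u, t) in self.ports.items():
            if port != in_port and u == vid:
                out[port] = payload                   # access member: sent untagged
            elif port != in_port and vid in t:
                out[port] = tag_frame(payload, vid)   # trunk member: sent tagged
        return out

# Final tables from the tutorial. Assumed: vlan/addport 21 2 and vlan/addport 42 2
# were also issued on /tmp/vde2, where the cable to /tmp/vde1 ends on port 2.
VDE1 = Switch({1: (21, set()), 2: (42, set()), 3: (0, {21, 42})})
VDE2 = Switch({1: (42, set()), 2: (0, {21, 42}), 3: (21, set())})

def send_from_vde1(in_port, frame):
    """Flood on VDE1; whatever leaves port 3 crosses the cable into VDE2 port 2."""
    local = VDE1.flood(in_port, frame)
    remote = VDE2.flood(2, local[3]) if 3 in local else {}
    return local, remote

# Constructed sample: ARP frame from the debian VM (VDE1 port 2) to the freebsd VM.
DEBIAN_TO_FREEBSD = (bytes.fromhex("00eeddccbbaa001122334455")
                     + struct.pack("!H", 0x0806) + b"\x00" * 28)
```

Running send_from_vde1(2, DEBIAN_TO_FREEBSD) shows the frame leaving VDE1 only on port 3 with a VID 42 tag and reaching only VDE2 port 1, untagged; a frame from the tuntap port 1 is tagged 21 and reaches only the umview port 3.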
Note that VLANs are managed entirely at the data-link layer. This means that different VLANs could be part of the same IP subnet without creating any conflict in the network. Therefore the only way for machines in different VLANs to reach each other is by routing at the network layer.