Debian: Should I add vlan interface into bridge for KVM?
I am setting up a Debian Squeeze box as a KVM host. I want to add multiple interfaces to each KVM guest so I want them to be on different VLANs.
After reading about this, I believe the best method is to add multiple logical VLAN (sub)-interfaces to the physical NICs and then create a bridge adapter for each VLAN interface, and assign each bridge as a NIC for KVM guests. Does this make good sense, or madness?
Do I have to use bridged interfaces with KVM like this? Can't I just add eth1.xx and eth1.yy to my interfaces config below and then configure those directly as bridged KVM guest NICs? If so, how should this look in the interfaces config file below?
user@host:~$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# Management Interface
auto eth0
iface eth0 inet static
    address 172.22.0.31
    netmask 255.255.255.0
    gateway 172.22.0.1
# Interface for guest VMs
auto eth1
# Guest1 : Use VLAN 117
auto eth1.117
iface eth1.117 inet manual
# Set up br1 for guest 1, bridging with vlan 117
auto br1.117
iface br1.117 inet manual
    bridge_ports eth1.117
    bridge_stp off
user@host:~$ uname -a
Linux hostname 3.4.9 #1 SMP Wed Aug 22 19:08:46 BST 2012 x86_64 GNU/Linux
UPDATE
I would really like it if someone could clarify the config for me, as I have also seen the above configured with this syntax, so I don't see why one would be preferred over the other:
# Interface for guest VMs
auto eth1
allow-hotplug eth1
iface eth1 inet static
# Vlan 117 for guest 1
auto vlan117
iface vlan117 inet static
    vlan_raw_device eth1
# Guest 1 : NIC 1
auto br1.117
iface br1.117 inet manual
    bridge_ports vlan117
    bridge_stp off
ANSWER
I agree with dyasny on the topology, and am happily using the following config, which is similar to Silopolis' example:
# Management Interface
allow-hotplug eth0
# Guest Interface
allow-hotplug eth1
# Guest 1
allow-hotplug vlan116
# Guest 2
allow-hotplug vlan117
# Management
auto eth0
iface eth0 inet static
    address 10.0.0.10
    netmask 255.255.255.0
    gateway 10.0.0.1
# Guest 1
auto vlan116
iface vlan116 inet manual
    vlan_raw_device eth1
# Guest 2
auto vlan117
iface vlan117 inet manual
    vlan_raw_device eth1
allow-hotplug br116
allow-hotplug br117
# Guest 1
auto br116
iface br116 inet manual
    bridge_ports vlan116
    bridge_stp off
# Guest 2
auto br117
iface br117 inet manual
    bridge_ports vlan117
    bridge_stp off
Solution 1:
As far as I understand Debian network configuration infrastructure, using brX.YYY should not work as it would create a VLAN pseudo interface "above" the bridge, for which support has just begun being added to the kernel: https://lwn.net/Articles/513710/
Here is the kind of config I use:
# Bring up physical interface
iface eth0 inet manual
# Create VLAN interfaces
iface eth0.10 inet manual
    vlan_raw_device eth0
iface eth0.20 inet manual
...
# Create bridges
auto vmbr10
iface vmbr10 inet static
    address 10.10.10.81
    netmask 255.255.255.0
    #gateway 10.10.10.254
    bridge_ports eth0.10
    bridge_stp off
    bridge_fd 0
auto vmbr20
iface vmbr20 inet static
    address 10.10.20.81
...
If you want to use aggregated/bonded interfaces:
- bond the physical interfaces
- create the VLAN interfaces on the bondX interface (bondX.YYY)
- use the bondX.YYY as bridge_ports
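A check for the one-bridge-per-VLAN layout discussed in the question and in this answer, as an added example (not code from the post or from Debian): it parses an interfaces file and flags bridges whose name would itself be read as a VLAN sub-interface (the brX.YYY case this answer describes) or whose ports sit on more than one VLAN, which would join those guest networks at layer 2. The function names and the sample config are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the configs on this page (not a real host).
SAMPLE = """\
iface vlan116 inet manual
    vlan_raw_device eth1
iface eth1.117 inet manual
auto br116
iface br116 inet manual
    bridge_ports vlan116
auto br1.117
iface br1.117 inet manual
    bridge_ports eth1.117 vlan116
"""

VLAN_NAME = re.compile(r"^(?:vlan(\d+)|[^.\s]+\.(\d+))$")

def vlan_id(name):
    """VLAN ID encoded in a name such as vlan117 or eth1.117, else None."""
    m = VLAN_NAME.match(name)
    return int(m.group(1) or m.group(2)) if m else None

def parse_stanzas(text):
    """Map every 'iface NAME ...' stanza to {option: [values]}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue  # blank line or comment
        if words[0] == "iface" and len(words) > 1:
            current = stanzas.setdefault(words[1], defaultdict(list))
        elif words[0] in ("auto", "mapping", "source") or words[0].startswith("allow-"):
            current = None  # a new top-level stanza ends the iface block
        elif current is not None:
            current[words[0].replace("-", "_")].extend(words[1:])
    return stanzas

def audit(text):
    """Return sorted (bridge, problem) pairs; an empty list means one VLAN per bridge."""
    findings = []
    for name, opts in parse_stanzas(text).items():
        ports = opts.get("bridge_ports", [])  # only bridge stanzas have ports
        if ports and vlan_id(name) is not None:
            findings.append((name, "bridge name parses as a VLAN sub-interface"))
        ids = sorted({str(vlan_id(p) or "untagged") for p in ports})
        if len(ids) > 1:
            findings.append((name, "ports join VLANs " + ",".join(ids)))
    return sorted(findings)
```

Calling `audit(open("/etc/network/interfaces").read())` on a host reports the same two conditions for its live config.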
Solution 2:
I'm not too familiar with Debian configs, but what you describe is correct:
eth0 -> eth0.100 -> brvlan100 <-- VM
This is the way to set this up. For one VM this might look like a lot of clutter, but with hundreds of VMs you'll see the benefit of doing it this way.
If you want to avoid doing this, you may want to set the tags inside the VMs themselves, which also works, as long as the bridge is connected to a trunk port.