[PVE-User] How to specify VLANs for a trunk interface into the VM
klaus.mailinglists at pernau.at
Mon Aug 6 21:19:55 CEST 2018
Am 06.08.2018 um 18:57 schrieb Josh Knight:
> I don't see a way to do this via the GUI for the VM interface.
> You can use that same command you listed but on the tap interface tapXiY
> where X is the VM ID and Y is the interface number. E.g. tap100i1 would be
> interface 1 of VMID 100. That will restrict the allowed VLANs on that
> port, but of course that doesn't stick around after a reboot, ovs has no
> 'startup config'. But it should be obvious which IDs to use if you take a
> look at the list of interfaces on the host with `ip link | grep tap`.
> Or you can do something like this. But either way, the ovs-vsctl command
> will work.
> ovs-vsctl add port tapXiY trunks 20
> ovs-vsctl add port tapXiY trunks 30
> ovs-vsctl add port tapXiY trunks 40
That's not reasonable. The port config has to be reboot save and stick
to the VM config (ie VM is migrated to another host).
> Another thing to consider however, is by default, the ovs trunk port will
> allow all VLANs. In your VM if you create subinterfaces like eth0.20,
> eth0.30, eth0.40, then you'll have access to each specific VLAN without
> having to configure allowed vlans in ovs. It depends on your use case.
I want to avoid that - for security reasons and to not confuse Linux. I
had seen strange things in Linux ie. where it answered to ARP on VLANs
available on the trunk but not explicitely configured as eth0.XX
interface. So, the VM should only see the required VLANs.
I hoped that the port config is flexible to configure trunks=...., but
it is not available in the GUI.
The workaround would be to convert every trunk into access ports. That
would be 3 more interfaces - and probably the best solution at the
moment. I just was looking for a more beautiful solution.
More information about the pve-user