How does one assign a virtual machine to a particular vlan? Using a vlan interface as a bridge member doesn’t appear to work.
nmcli con add type vlan con-name eno2.vlan401 ifname eno2.vlan401 dev eno2 id 401
nmcli con add type bridge con-name br.vlan401 ifname br.vlan401
nmcli con add type bridge-slave ifname eno2.vlan401 master br.vlan401
If I direct attach the VM nic to br.vlan401, it doesn’t work. (I use cockpit for VM management, so the “direct attach” terminology comes from that). I assume I must create a separate bridge for each VLAN as the cockpit interface doesn’t have any VLAN options.
I’m guessing vlan interfaces can’t be bridge members leading me to believe that what I want to do is not possible.
First, I don’t use cockpit, just nmcli (or Ansible).
I would probably do something like:
nmcli con add type bridge con-name Bridge401 ifname br401 bridge.stp no
nmcli con add type vlan con-name vlan-401 dev eno2 id 401 connection.slave-type bridge connection.master <UUID_of_Bridge401>
When you create the bridge, you do get UUID. That seems to work better as “master” than name of connection.
The logic is:
A packet arrives from outside to eno1
It has tag 401, so the vlan-401 grabs it and detags it
The untagged packet arrives at Bridge401
If the DST IP in the packet is for one of the VM’s that are attached to the bridge, that VM gets the packet
Reply from VM will get tagged with 401 when it passes vlan-401 into eno1
The VM does not know anything about the VLAN. It has only untagged traffic
You have to create the bridge before the vlan, because you need to set the “master” when you create the vlan. If you create the vlan first, then it will have ipv4 and ipv6 options and a “bridge-port” cannot have those.
You will need one vlan connection and one bridge connection for each VLAN that you want to handle.
You could have just one bridge on the host and set each VM to do the VLAN (de)tagging, but that does not sound comfy.
The kernel does support “bridge port vlan filtering”. With that host would again have just one bridge, but the “ports” of the bridge would do the (de)tagging, not the VM that the port represents. I have no idea how to set that up.
Thank you so very much!
I need to use cockpit. Just for the Virtual Machines though.
I figure If i set up the bridges ahead of time using nmcli/ansible, then changing the vlan that the VM is on is as simple as changing the bridge the VM nic is attached to in cockpit.