lhrslsshahi
asked on
Vyos VLANs
Hello Experts,
In VMware we have 4 VM VyOS routers.
Router 1 (on ESX1) and Router 2 (on ESX2) are external facing.
Router 3 (ESX1) and Router 4 (ESX2) are internal (VRRP clustering, active/passive).
For each client we have a dedicated interface, for example eth8 as below, on router 3 and router 4.
However, we have hit the VM network interface limit of 10 and are unable to add any more new clients.
Currently the VLAN IDs are set up at the VMware virtual switch level for each client.
VMware is configured with a port group per environment. This is connected to a unique VLAN ID, which is propagated over a physical 10 Gb network cable (Direct Attach Copper) between the 2 ESXi hosts.
The VMs in a given port group can see VMs on both servers as though they are on a single physical network.
What I would like to do is take one of the interfaces (eth8) in VyOS and set up virtual interfaces / VLANs (802.1Q).
Each client would be on their own VLAN, and the VLAN subnets should be isolated and not able to communicate with each other.
In VMware, create a virtual machine port group on ESX1 and ESX2 and set the VLAN ID to 4095 so the VMs can talk to each other.
VLAN 4095 is a special VLAN on VMware which basically turns a virtual port group into a virtual VLAN trunk port.
My preference is to leave the other interfaces as they are and just keep adding new client environments on eth8.
Example: eth8.100 vlan100
eth8.101 vlan101
Please let me know your thoughts, i.e. technically is this possible, and are there any caveats?
Router 3
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 172.40.2.3/29 u/u router to router link w/ospf
eth1 172.40.2.11/29 u/u backup router-router interface w/ ospf
eth2 172.40.70.2/24 u/u Bank subnet
172.40.70.1/32
eth3 172.40.60.2/24 u/u POC UAT application subnet
172.40.60.1/32
eth4 172.40.30.2/24 u/u Bas application subnet
172.40.30.1/32
eth5 172.40.40.2/24 u/u Bub application subnet
172.40.40.1/32
eth6 172.40.50.2/24 u/u Val subnet
172.40.50.1/32
eth7 172.40.80.2/24 u/u Bas UAT application subnet
172.40.80.1/32
eth8 172.40.90.2/24 u/u MS UAT subnet
172.40.90.1/32
eth9 172.40.91.2/24 u/u MS subnet
172.40.91.1/32
lo 127.0.0.1/8 u/u Router-IP(252)/Cluster-IP(140)
172.40.2.252/32
172.40.2.140/32
::1/128
Router 4
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 172.40.2.131/29 u/u 10gb backup inter router link subnet
eth1 172.40.2.147/29 u/u 1gb backup inter router subnet
eth2 172.40.70.3/24 u/u Bank subnet
eth3 172.40.60.3/24 u/u POC UAT application subnet
eth4 172.40.30.3/24 u/u Bas application subnet
eth5 172.40.40.3/24 u/u Bub application subnet
eth6 172.40.50.3/24 u/u Val subnet
eth7 172.40.80.3/24 u/u Bas UAT application subnet
eth8 172.40.90.3/24 u/u MS UAT subnet
eth9 172.40.91.3/24 u/u MS subnet
lo 127.0.0.1/8 u/u Router-IP
172.40.2.253/32
::1/128
ASKER CERTIFIED SOLUTION
ASKER
@Andrew Thanks for confirming on the VMware configuration.
We only have 1 physical adapter we can use vmnic0. Can I use the same adapter and virtual switch but create a different port group?
Yes. If vmnic0 is a trunk port, which carries ALL VLAN traffic, the virtual machine port group with the tag 4095 (ALL) will carry all traffic to the VM, where the VM will then need to use VLAN Guest Tagging.
ASKER
Thanks.
Now I need a networking expert to look at the Vyos configuration to see if my approach is right.
SOLUTION
ASKER
Creating VIFs under eth8 is the pretty straightforward part.
However, as you can see from the configuration, I already have a client on the main interface eth8 with VRRP.
If I am to create eth8.100 etc., how would it work with VRRP?
The VRRP virtual-address is the gateway of each client subnet (172.40.90.1) and is used in cluster failover between router 3 and router 4.
Is there also configuration required within the OS?
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/sec-Configure_802_1Q_VLAN_Tagging_Using_the_Command_Line.html
The quickest method that would not cause an outage or affect the existing configuration would be to add an additional interface, eth10, or to change ALL the configuration completely to VLANs for all interfaces eth0 to eth9 and bring them all in on a single trunk, with vifs for each VLAN - this is a big-bang configuration change with more risk and impact.
OS configuration, e.g. Red Hat, should not be required, as VyOS is the OS.
ASKER
I have got downtime for the client on eth8 and moved it to vif 90 (eth8.90) 172.40.90.2.
I have changed the VyOS router 3 VM network adapter to be on the same port group in VMware, with 4095 enabled, as the client VMs are.
I can ping 172.40.90.1 (gateway) and 172.40.90.2 remotely, but am not able to ping the client VMs.
ethernet eth8 {
    address 172.40.89.2/24
    description VLAN_Trunk
    duplex auto
    firewall {
        in {
            name APPLICATION_IN
        }
        out {
            name APPLICATION_OUT
        }
    }
    hw-id 00:0c:29:f0:da:c7
    smp_affinity auto
    speed auto
    vif 90 {
        address 172.40.90.2/24
        firewall {
            in {
                name APPLICATION_IN
            }
            out {
                name APPLICATION_OUT
            }
        }
        vrrp {
            vrrp-group 90 {
                advertise-interval 1
                preempt true
                priority 50
                virtual-address 172.40.90.1
            }
        }
    }
    vif 100 {
        address 172.40.100.2/24
    }
    vrrp {
        vrrp-group 89 {
            advertise-interval 1
            preempt true
            priority 50
            virtual-address 172.40.89.1
        }
    }
}
Vlan tag not working?
ASKER
No. Do I need to configure 802.1q VLAN inside the client Centos 7 VMs on VLAN90?
ASKER
Seems to be working after configuring the VLAN in the client VMs.
If these are VMs on the 4095 All portgroup - Yes!
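The guest side of that "Yes": on a VLAN 4095 (all VLANs) port group the CentOS 7 VM receives tagged frames and must tag its own, which is what the RHEL 802.1Q guide linked earlier describes. The script below is an added example, not from this thread or from Red Hat: a POSIX shell function that writes the ifcfg file for an 802.1Q sub-interface using the keys that guide documents (DEVICE, VLAN=yes, BOOTPROTO, ONBOOT, IPADDR, PREFIX, GATEWAY), into a directory you name so it can be dry-run away from /etc/sysconfig/network-scripts, and a small check that refuses a gateway outside the sub-interface's subnet, one of the quiet ways a guest ends up on the right VLAN but still unreachable beyond it. The parent NIC name eth0 and the sample host 172.40.90.10/24 (gateway 172.40.90.1, the VRRP address on vif 90) are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Red Hat: write the
# /etc/sysconfig/network-scripts style ifcfg file for an 802.1Q
# sub-interface, so a CentOS 7 guest on the VLAN 4095 ("all VLANs") port
# group tags its own frames for one client VLAN. The target directory is
# a parameter so this can be dry-run anywhere; on the guest it would be
# /etc/sysconfig/network-scripts, followed by "modprobe 8021q" and
# "ifup eth0.90".
#
# Assumptions (not in the thread): the guest's parent NIC is eth0; the
# sample host 172.40.90.10/24 and gateway 172.40.90.1 (the VRRP address
# on vif 90) are constructed for the demonstration.

# ip2int <dotted-quad>  -> the address as a 32-bit integer on stdout
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# same_subnet <ip> <other-ip> <prefix-len>  -> exit 0 if both share the prefix
same_subnet() {
  mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# write_vlan_ifcfg <dir> <parent> <vlan-id> <ip> <prefix-len> <gateway>
# Prints the path of the file written; fails if the gateway is not on the
# sub-interface's subnet (the guest would come up on the VLAN with no
# usable default route).
write_vlan_ifcfg() {
  dir=$1; parent=$2; vlan=$3; ip=$4; prefix=$5; gw=$6
  dev="${parent}.${vlan}"
  if ! same_subnet "$ip" "$gw" "$prefix"; then
    echo "gateway $gw is not inside $ip/$prefix" >&2
    return 1
  fi
  cat > "${dir}/ifcfg-${dev}" <<EOF
DEVICE=${dev}
VLAN=yes
BOOTPROTO=none
ONBOOT=yes
IPADDR=${ip}
PREFIX=${prefix}
GATEWAY=${gw}
EOF
  echo "${dir}/ifcfg-${dev}"
}

# vlan_ip_cmds <parent> <vlan-id> <ip/prefix>  -> the non-persistent
# iproute2 equivalent, printed rather than run, for a quick test before
# committing to ifcfg files.
vlan_ip_cmds() {
  cat <<EOF
ip link add link $1 name $1.$2 type vlan id $2
ip addr add $3 dev $1.$2
ip link set dev $1.$2 up
EOF
}
```

A quick way to confirm the tagging end to end is to bring the sub-interface up with the printed `ip` commands first and ping the VRRP address; once that works, write the ifcfg file so the setting survives a reboot.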
ASKER
Thanks Andrew for your assistance.
ASKER
MS-UAT-current-configuration.txt