VLAN Creation on KVM-I
Creating a VLAN on KVM requires more raw networking knowledge in comparison to VMware world. KVM requires some Linux networking knowledge beside general understanding of computer networks. I did not see more information on the Internet about that. To fill this gap I write this post. :) Actually there are more than one methods creating a VLAN on KVM. In this post I will show the first method. In this method sub-interfaces are created in the bridge NOT in the physical NIC interface. Doing so, Vlan tags wont be stripped-off or Vlan tags wont be embedded in the physical interface but bridge. I use Ubuntu 16.04 for the KVM host. In this post, I will use KVM and libvirt interchangeable.
root@ankara:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial
Loading 8021q module
First thing we need to load 8021q module on the KVM host in order to encapsulate or d-encapsulate IEEE 802.1Q type Vlan.
root@ankara:~# modprobe 8021q
To load module automatically on boot. Create a file 8021q.conf in the /etc/modules-load.d/ and add 8021q
root@ankara:~# cat /etc/modules-load.d/8021q.conf
8021q
Creating a Bridge(s)
In order to create a vlan(trunk and access ) we need to crate bridge(s) and tell the system tag the frames. In Linux, to create tagged frame we use vconfig command. We need to install vlan package to use it.
root@ankara:~# apt-get install vlan
Note: Creating a bridge with this method is NOT persistent. To make it persistent you need do add configuration to /etc/network/interfaces file. Because of plenty of tutorials about that, I do not explain it here.
root@ankara:~# brctl addbr br0
root@ankara:~# vconfig add br0 30 #subinterface(vlan30)
root@ankara:~# vconfig add br0 40 #subinterface(vlan40)
root@ankara:~# brctl addbr vlan30
root@ankara:~# brctl addbr vlan40
root@ankara:~# brctl addif vlan30 br0.30 #vlan30
root@ankara:~# brctl addif vlan40 br0.40 #vlan40
You can see network interfaces after creating bridges and sub-interfaces on KVM Host.
root@ankara:~# ip link show
...(omitted some output)
11: br0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
12: br0.30@br0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master vlan30 state LOWERLAYERDOWN mode DEFAULT group default qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
13: br0.40@br0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master vlan40 state LOWERLAYERDOWN mode DEFAULT group default qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
14: vlan30: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
15: vlan40: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
We also need to up links.
root@ankara:/etc/libvirt/qemu/networks# ip link set br0 up
root@ankara:/etc/libvirt/qemu/networks# ip link set br0.30 up
root@ankara:/etc/libvirt/qemu/networks# ip link set br0.40 up
root@ankara:/etc/libvirt/qemu/networks# ip link set vlan30 up
root@ankara:/etc/libvirt/qemu/networks# ip link set vlan40 up
Final bridge status
root@ankara:~# brctl show
bridge name bridge id STP enabled interfaces
br0 8000.000000000000 no
vlan30 8000.000000000000 no br0.30
vlan40 8000.000000000000 no br0.40
Defining Bridges on KVM.
After creating bridges, We also need to define bridges to our hypervisor to use it. I will create three configuration files for the br0, vlan30 and vlan40 successively in the /etc/libvirt/qemu/networks folder. br0.xml
<network>
<name>br0</name>
<forward mode='bridge'/>
<bridge name='br0'/>
</network>
vlan30.xml
<network>
<name>vlan30</name>
<forward mode='bridge'/>
<bridge name='vlan30'/>
</network>
vlan40.xml
<network>
<name>vlan40</name>
<forward mode='bridge'/>
<bridge name='vlan40'/>
</network>
root@ankara:/etc/libvirt/qemu/networks# virsh net-define br0.xml
root@ankara:/etc/libvirt/qemu/networks# virsh net-define vlan30.xml
root@ankara:/etc/libvirt/qemu/networks# virsh net-define vlan40.xml
root@ankara:/etc/libvirt/qemu/networks# virsh net-start br0
root@ankara:/etc/libvirt/qemu/networks# virsh net-start vlan30
root@ankara:/etc/libvirt/qemu/networks# virsh net-start vlan40
#to auto start on boot.
root@ankara:/etc/libvirt/qemu/networks# virsh net-autostart br0
root@ankara:/etc/libvirt/qemu/networks# virsh net-autostart vlan30
root@ankara:/etc/libvirt/qemu/networks# virsh net-autostart vlan40
Checking bridges
root@ankara:/etc/libvirt/qemu/networks# virsh net-list
Name State Autostart Persistent
----------------------------------------------------------
br0 active yes yes
vlan30 active yes yes
vlan40 active yes yes
So far so good ?
You may confuse due to the fact that we did many things so far. I hope below figure gives you a better understanding what we did so far. It is depicted below figure how our network looks like. Only think that I did not do is adding physical interface to bridge br0. In this post, KVM guests will not connect to the Internet. According to this design we do not need to setup any VLAN configuration on the KVM virtual guests. It has all handled by br0.30 and br0.40–Any outgoing packet from VLAN30 network will be tagged by the br0.30 sub-interface. Any incoming tagged packet to VLAN30 network will be stripped-off by the br0.30 sub-interface. It is the same as VLAN40 network. 
Experiments I captured the packages on br0.30 interface and br0 bridges to check, if vlans works as expected.
Output br0.30(we see incoming tagged icmp request stripped-off by the br0.30 we see untagged frames)
root@ankara:/etc/libvirt/qemu/networks# tcpdump -i br0.30 -e
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0.30, link-type EN10MB (Ethernet), capture size 262144 bytes
15:06:46.125189 70:54:d2:99:56:c0 (oui Unknown) > 52:54:00:43:40:b7 (oui Unknown), ethertype IPv4 (0x0800), length 98: 172.16.30.50 > 172.16.30.10: ICMP echo request, id 2453, seq 520, length 64
15:06:46.125429 52:54:00:43:40:b7 (oui Unknown) > 70:54:d2:99:56:c0 (oui Unknown), ethertype IPv4 (0x0800), length 98: 172.16.30.10 > 172.16.30.50: ICMP echo reply, id 2453, seq 520, length 64
15:06:47.149216 70:54:d2:99:56:c0 (oui Unknown) > 52:54:00:43:40:b7 (oui Unknown), ethertype IPv4 (0x0800), length 98: 172.16.30.50 > 172.16.30.10: ICMP echo request, id 2453, seq 521, length 64
15:06:47.149530 52:54:00:43:40:b7 (oui Unknown) > 70:54:d2:99:56:c0 (oui Unknown), ethertype IPv4 (0x0800), length 98: 172.16.30.10 > 172.16.30.50: ICMP echo reply, id 2453, seq 521, length 64
Output on the br0 (we see tagged 802.1q encapsulation vlan30)
root@ankara:/etc/libvirt/qemu/networks# tcpdump -i br0 -e
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:06:58.413319 70:54:d2:99:56:c0 (oui Unknown) > 52:54:00:43:40:b7 (oui Unknown), ethertype 802.1Q (0x8100), length 102: vlan 30, p 0, ethertype IPv4, 172.16.30.50 > 172.16.30.10: ICMP echo request, id 2453, seq 532, length 64
15:06:58.413564 52:54:00:43:40:b7 (oui Unknown) > 70:54:d2:99:56:c0 (oui Unknown), ethertype 802.1Q (0x8100), length 102: vlan 30....
According to the figure above, hosts on the VLAN30 and hosts on the VLAN40 can not communicate each other as we do not have L3 device for Inter Vlan Routing. Next post, I will provision virtual L3 device which will be VyOS(Vyatta) on the KVM. I will add two network interfaces on it. –Connect one interface to the br0(trunk port) and the other interface to the physical NIC for the Internet connection.