vnet jails on VLAN subinterfaces

vnet jails on VLAN subinterfaces

JÁKÓ András
 Hello everyone,

I've already asked this on forums.freebsd.org, but didn't get an answer
yet. I hope someone can answer it here.

I'd like to use 802.1Q tagged VLANs on an Ethernet interface, one VLAN
per jail. I assigned VLAN subinterfaces to the jails' network stacks:

em0 - em0.99 (host)
em0 - em0.100 (jail0)
em0 - em0.101 (jail1)

Here em0 and em0.99 belong to the base system while em0.10[01] belong to
the jails' network stacks.

This works perfectly so far. But I didn't see this setup mentioned
anywhere, that's why I'm curious whether this is a "valid" setup, do I use
vnet correctly? Or does it only work by accident?


I found vnet jail examples using one epair per jail, which is connected
to the physical interface by a bridge. With tagged 802.1Q VLANs this
could look something like the following:

em0 - em0.99 (host)
em0 - em0.100 - bridge0 - epair0a - epair0b (jail0)
em0 - em0.101 - bridge1 - epair1a - epair1b (jail1)

Here epair[01]b belong to the jails' network stacks, and all other
interfaces to the base system. This works too, but is more complicated
than the one without bridges and epairs.

András
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[hidden email]"

Re: vnet jails on VLAN subinterfaces

Julien Cigar-4
On Thu, Jun 04, 2020 at 01:38:32PM +0200, JÁKÓ András wrote:
>  Hello everyone,

Hello,

>
> I've already asked this on forums.freebsd.org, but didn't get an answer
> yet. I hope someone can answer it here.
>
> I'd like to use 802.1Q tagged VLANs on an Ethernet interface, one VLAN
> per jail. I assigned VLAN subinterfaces to the jails' network stacks:
>
> em0 - em0.99 (host)
> em0 - em0.100 (jail0)
> em0 - em0.101 (jail1)
>
> Here em0 and em0.99 belong to the base system while em0.10[01] belong to
> the jails' network stacks.
>
> This works perfectly so far. But I didn't see this setup mentioned
> anywhere, that's why I'm curious whether this is a "valid" setup, do I use
> vnet correctly? Or does it only work by accident?
>

In your case it's OK, but as VLAN ids are unique per interface you need
x different physical interfaces if x jails (VNET) need to be in the same
VLAN (and use the same interface).

Best option is to use SR-IOV (if your interface supports it) to have
multiple virtual NICs, or use bridge + epair (which has a huge
performance impact due to a locking issue in if_bridge, although this is
fixed in -CURRENT by @kp).

>
> I found vnet jail examples using one epair per jail, which is connected
> to the physical interface by a bridge. With tagged 802.1Q VLANs this
> could look something like the following:
>
> em0 - em0.99 (host)
> em0 - em0.100 - bridge0 - epair0a - epair0b (jail0)
> em0 - em0.101 - bridge1 - epair1a - epair1b (jail1)
>
> Here epair[01]b belong to the jails' network stacks, and all other
> interfaces to the base system. This works too, but is more complicated
> than the one without bridges and epairs.
>
> András
> _______________________________________________
> [hidden email] mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "[hidden email]"

--
Julien Cigar
Belgian Biodiversity Platform (http://www.biodiversity.be)
PGP fingerprint: EEF9 F697 4B68 D275 7B11  6A25 B2BB 3710 A204 23C0
No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.

Re: vnet jails on VLAN subinterfaces

JÁKÓ András
> > I'd like to use 802.1Q tagged VLANs on an Ethernet interface, one VLAN
> > per jail. I assigned VLAN subinterfaces to the jails' network stacks:
> >
> > em0 - em0.99 (host)
> > em0 - em0.100 (jail0)
> > em0 - em0.101 (jail1)
> >
> > Here em0 and em0.99 belong to the base system while em0.10[01] belong to
> > the jails' network stacks.
> >
> > This works perfectly so far. But I didn't see this setup mentioned
> > anywhere, that's why I'm curious whether this is a "valid" setup, do I use
> > vnet correctly? Or does it only work by accident?
> >
>
> In your case it's OK, but as VLAN ids are unique per interface you need
> x different physical interfaces if x jails (VNET) need to be in the same
> VLAN (and use the same interface).

Thanks! I only need one jail per VLAN right now, but I understand that
this simple setup does not work with more jails in the same VLAN.

> Best option is to use SR-IOV (if your interface supports it) to have
> multiple virtual NICs, or use bridge + epair (which has a huge
> performance impact due to a locking issue in if_bridge, although this is
> fixed in -CURRENT by @kp).

I didn't know about SR-IOV but it's very promising.

András
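
Added example, not written by anyone in this thread: a small sh/awk planner that applies the rule from the reply above, handing a VLAN subinterface straight to a jail when that jail is alone on its parent/VLAN pair and falling back to bridge + epair when several jails share one. The plan format, the jail names beyond jail0/jail1, and the em1 interface are constructed for illustration.

```shell
#!/bin/sh
# Input on stdin, one entry per line: "<jail> <parent-if> <vlan-id>"
# Output, one line per jail:
#   <jail> direct  <parent>.<vid>                  subinterface moves into the jail's vnet
#   <jail> bridged <parent>.<vid> bridgeN epairMb  subinterface stays on the host in
#                                                  bridgeN; the jail gets the epair b-end
plan_vnet() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }                   # skip blanks and comments
    NF != 3 || $3 !~ /^[0-9]+$/ || $3 < 1 || $3 > 4094 {
        # 802.1Q VLAN IDs 0 and 4095 are reserved
        printf "line %d: invalid entry\n", NR > "/dev/stderr"
        bad = 1; next
    }
    {
        key = $2 "." $3                             # e.g. em0.100
        users[key]++                                # jails wanting this subinterface
        jail[++cnt] = $1; subif[cnt] = key
    }
    END {
        if (bad) exit 1
        for (i = 1; i <= cnt; i++) {
            k = subif[i]
            if (users[k] == 1) {                    # sole user: no bridge needed
                print jail[i], "direct", k
                continue
            }
            # A VLAN ID exists once per parent, so shared users need a bridge.
            if (!(k in br)) br[k] = "bridge" (nb++)
            print jail[i], "bridged", k, br[k], "epair" (ne++) "b"
        }
    }'
}

# Constructed sample plan: jail1 and jail2 share VLAN 101 on em0, while jail3
# uses the same VLAN ID on a second physical interface.
sample_plan() {
    cat <<'EOF'
# jail  parent  vlan
jail0 em0 100
jail1 em0 101
jail2 em0 101
jail3 em1 101
EOF
}

sample_plan | plan_vnet
```
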