cloudstack-users mailing list archives

From Andrija Panic <andrija.pa...@gmail.com>
Subject Re: Is VRRP possible inside KVM/ACS
Date Fri, 22 Nov 2019 17:25:11 GMT
well, that's what we were mentioning.

check iptables on the destination host where your secondary IP was
originally sitting (I mean where the VM is sitting) - there is a chain per VM
or something. Check also ebtables rules, if any - somewhere you will
probably see us filtering the ARP or something like that.

On Fri, 22 Nov 2019 at 18:22, Fariborz Navidan <mdvlinquest@gmail.com>
wrote:

> The issue is when I assign a secondary IP to a VM. It works well if I set
> it on guest1, but if I unset it on that guest (i.e. with the ip addr del
> command) and set it on another guest via the 'ip' command, it does work
> because it is not resolved by its new MAC being announced.
>
> On Fri, Nov 22, 2019 at 8:30 PM Andrija Panic <andrija.panic@gmail.com>
> wrote:
>
> > Select * from nic_secondary_ips - will show you no presence of MAC
> > address, so both your main IP and this secondary IP will have THE SAME
> > MAC address from the ACS perspective. The thing here is, you are MANUALLY
> > adding this second IP address (Virtual IP address) on some of the
> > existing i.e. eth0 interfaces - so that secondary IP will be resolvable
> > via ARP to the same MAC address as the main IP. CloudStack has nothing
> > to do with that.
> >
> > The only thing you should worry about is if we filter based on the IP
> > address - but that is something you control via ingress and egress
> > rules and hopefully will work
> >
> > On Fri, 22 Nov 2019 at 17:30, Fariborz Navidan <mdvlinquest@gmail.com>
> > wrote:
> >
> > > You mean IPs are not constrained by MAC?
> > >
> > > On Fri, Nov 22, 2019 at 7:56 PM Andrija Panic <andrija.panic@gmail.com>
> > > wrote:
> > >
> > > > Er... not sure what MAC address has to do with the secondary IP -
> > > > secondary IP is just an "alias IP" for the existing NIC, having the
> > > > same MAC address as the main NIC (since it's an additional IP for
> > > > that NIC) - unless something is broken
> > > >
> > > > On Fri, 22 Nov 2019 at 16:50, Fariborz Navidan <
> mdvlinquest@gmail.com>
> > > > wrote:
> > > >
> > > > > It does work in that way because it seems IPs are associated with
> > > > > randomly assigned MAC address assigned to a NIC. It means in guest
> > > > > OS, you can only use IPs which are reserved for a NIC on that VM.
> > > > > So bridge does not accept traffic from that IP if it is used by
> > > > > another guest. It means there is a builtin MAC filter. So I am not
> > > > > able to freely use IPs on any VM I wish.
> > > > >
> > > > > I am not sure if this behavior is related to security group or is
> > > > > a default behavior of KVM or ACS
> > > > >
> > > > > On Fri, Nov 22, 2019 at 5:18 PM Andrija Panic <andrija.panic@gmail.com>
> > > > > wrote:
> > > > >
> > > > > > you assign a single secondary IP for just one of the VMs (so it's
> > > > > > reserved and will not be assigned later to other VMs via ACS). This
> > > > > > secondary IP is NOT handled via DHCP, it is just reserved in DB as
> > > > > > used.
> > > > > >
> > > > > > Now, go and manually use it inside both VMs. simple.
> > > > > >
> > > > > > it's a better question if VRRP heartbeat is allowed between 2 VMs
> > > > > > (protocol/port) and if you can allow traffic access to that
> > > > > > secondary IP address from outside.
> > > > > >
> > > > > > On Fri, 22 Nov 2019, 14:37 Fariborz Navidan, <mdvlinquest@gmail.com>
> > > > > > wrote:
> > > > > >
> > > > > > > The challenge is how can we assign a single IP as secondary IP
> > > > > > > on two or more VMs?
> > > > > > >
> > > > > > > On Fri, Nov 22, 2019 at 1:57 AM Andrija Panic <andrija.panic@gmail.com>
> > > > > > > wrote:
> > > > > > >
> > > > > > > > VRRP is possible to configure anywhere - it's a different
> > > > > > > > question whether it will work due to firewall rules...
> > > > > > > > The simplest way to give yourself an answer is to test (allow
> > > > > > > > all ingress, all egress and test).
> > > > > > > >
> > > > > > > > On Thu, 21 Nov 2019 at 22:20, Fariborz Navidan <mdvlinquest@gmail.com>
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > > > If security groups use ebtables, so why does my ebtables not
> > > > > > > > > have any rule on the host? Default egress policy on my guest
> > > > > > > > > network is Allow and I have added tcp/udp/icmp ingress rules
> > > > > > > > > to allow traffic to go through.
> > > > > > > > >
> > > > > > > > > On Fri, Nov 22, 2019 at 12:03 AM Rohit Yadav <rohit.yadav@shapeblue.com>
> > > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > > VRRP is a network layer protocol, uses multicast address
> > > > > > > > > > 224.0.0.18 and protocol number 112. As long as SG can allow
> > > > > > > > > > this, it's possible, however that may not be available out
> > > > > > > > > > of the box. You can try some custom ebtables rules on the
> > > > > > > > > > KVM hosts.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Regards,
> > > > > > > > > >
> > > > > > > > > > Rohit Yadav
> > > > > > > > > >
> > > > > > > > > > Software Architect, ShapeBlue
> > > > > > > > > >
> > > > > > > > > > https://www.shapeblue.com
> > > > > > > > > >
> > > > > > > > > > ________________________________
> > > > > > > > > > From: Fariborz Navidan <mdvlinquest@gmail.com>
> > > > > > > > > > Sent: Thursday, November 21, 2019 17:56
> > > > > > > > > > To: users@cloudstack.apache.org <users@cloudstack.apache.org>
> > > > > > > > > > Subject: Is VRRP possible inside KVM/ACS
> > > > > > > > > >
> > > > > > > > > > Hello,
> > > > > > > > > >
> > > > > > > > > > Is it possible to configure VRRP inside KVM in a security
> > > > > > > > > > group enabled advanced zone? Should I enable Promiscuous
> > > > > > > > > > mode and forged transmit?
> > > > > > > > > >
> > > > > > > > > > rohit.yadav@shapeblue.com
> > > > > > > > > > www.shapeblue.com
> > > > > > > > > > Amadeus House, Floral Street, London WC2E 9DP, UK
> > > > > > > > > > @shapeblue
> > > > > > > > > >
> > > > > > > > --
> > > > > > > > Andrija Panić


-- 

Andrija Panić

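Andrija's suggestion to inspect the per-VM iptables chain and the ebtables ARP rules on the KVM host, together with Rohit's note that VRRP is IP protocol 112 sent to 224.0.0.18, turned into a small host-side checker. This is an added example, not code from the thread or from CloudStack: it parses constructed samples of `iptables-save` and `ebtables -L` output, and the chain names (`i-2-5-VM-in`, `i-2-5-VM-out`) and the one-chain-per-VM layout are assumptions.

```python
import re
VRRP_PROTO, VRRP_GROUP = "112", "224.0.0.18"  # protocol number and multicast group from the thread

# Constructed samples of `iptables-save` / `ebtables -L` output; chain names are hypothetical.
SAMPLE_IPTABLES = """\
-A i-2-5-VM-in -p tcp -m tcp --dport 22 -j ACCEPT
-A i-2-5-VM-in -p 112 -d 224.0.0.18/32 -j ACCEPT
-A i-2-5-VM-in -j DROP
-A i-2-6-VM-in -j DROP
"""
SAMPLE_EBTABLES = """\
Bridge chain: i-2-5-VM-out, entries: 3, policy: DROP
-p ARP --arp-ip-src 10.1.1.5 -j ACCEPT
-p ARP --arp-ip-src 10.1.1.100 -j ACCEPT
-p ARP -j DROP
Bridge chain: i-2-6-VM-out, entries: 2, policy: DROP
-p ARP --arp-ip-src 10.1.1.6 -j ACCEPT
-p ARP -j DROP
"""

def vrrp_allowed(iptables_save, chain):
    """True if `chain` ACCEPTs protocol 112 for any destination or for the VRRP group."""
    for line in iptables_save.splitlines():
        if not line.startswith(f"-A {chain} ") or "-j ACCEPT" not in line:
            continue
        if not re.search(rf"-p ({VRRP_PROTO}|vrrp)\b", line):
            continue
        dst = re.search(r"-d (\S+)", line)
        if dst is None or dst.group(1).split("/")[0] == VRRP_GROUP:
            return True
    return False

def arp_ip_sources(ebtables_listing, chain):
    """Set of sender IPs `chain` lets the VM announce via ARP; None if no ARP filter."""
    allowed, in_chain, filtered = set(), False, False
    for line in ebtables_listing.splitlines():
        if line.startswith("Bridge chain:"):
            in_chain = line.split()[2].rstrip(",") == chain
        elif in_chain and "-p ARP" in line:
            filtered = True  # the chain does inspect ARP, as the thread suspects
            m = re.search(r"--arp-ip-src (\S+)", line)
            if m and "-j ACCEPT" in line:
                allowed.add(m.group(1).split("/")[0])
    return allowed if filtered else None

def diagnose(vm, vip, ipt=SAMPLE_IPTABLES, ebt=SAMPLE_EBTABLES):
    """Per-VM view: can it receive VRRP, and may it ARP for the shared VIP?"""
    srcs = arp_ip_sources(ebt, f"{vm}-out")
    return {"vrrp_in": vrrp_allowed(ipt, f"{vm}-in"), "vip_arp": srcs is None or vip in srcs}
```

In the sample, only the first VM both receives VRRP and may announce the VIP, which is the asymmetry the thread describes when the secondary IP moves to a second guest.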