cloudstack-users mailing list archives

From Andrija Panic <andrija.pa...@gmail.com>
Subject Re: Is VRRP possible inside KVM/ACS
Date Fri, 22 Nov 2019 17:00:14 GMT
Select * from nic_secondary_ips - will show you no presence of MAC
address, so both your main IP and this secondary IP will have THE SAME MAC
address from the ACS perspective. The thing here is, you are MANUALLY
adding this second IP address (Virtual IP address) on some of the existing
i.e. eth0 interfaces - so that secondary IP will be resolvable via ARP to
the same MAC address as the main IP. CloudStack has nothing to do with that.

The only thing you should worry about is if we filter based on the IP address -
but that is something you control via ingress and egress rules and
hopefully will work

On Fri, 22 Nov 2019 at 17:30, Fariborz Navidan <mdvlinquest@gmail.com>
wrote:

> You mean IPs are not constrained by MAC?
>
> On Fri, Nov 22, 2019 at 7:56 PM Andrija Panic <andrija.panic@gmail.com>
> wrote:
>
> > Er... not sure what MAC address has to do with the secondary IP -
> > secondary IP is just an "alias IP" for the existing NIC, having the same
> > MAC address as the main NIC (since it's an additional IP for that NIC) -
> > unless something is broken
> >
> > On Fri, 22 Nov 2019 at 16:50, Fariborz Navidan <mdvlinquest@gmail.com>
> > wrote:
> >
> > > It does work in that way because it seems IPs are associated with
> > > randomly assigned MAC address assigned to a NIC. It means in guest OS, you can
> > > only use IPs which are reserved for a NIC on that VM. So bridge does not
> > > accept traffic from that IP if it is used by another guest. It means there is a
> > > builtin MAC filter. So I am not able to freely use IPs on any VM I wish.
> > >
> > > I am not sure if this behavior is related to security group or is a
> > > default behavior of KVM or ACS
> > >
> > > On Fri, Nov 22, 2019 at 5:18 PM Andrija Panic <andrija.panic@gmail.com>
> > > wrote:
> > >
> > > > you assign a single secondary IP for just one of the VMs (so it's
> > > > reserved and will not be assigned later to other VMs via ACS). This secondary
> > > > IP is NOT handled via DHCP, it is just reserved in DB as used.
> > > >
> > > > Now, go and manually use it inside both VMs. Simple.
> > > >
> > > > It's a better question if VRRP heartbeat is allowed between 2 VMs
> > > > (protocol/port) and if you can allow traffic access to that secondary
> > > > IP address from outside.
> > > >
> > > > On Fri, 22 Nov 2019, 14:37 Fariborz Navidan, <mdvlinquest@gmail.com>
> > > > wrote:
> > > >
> > > > > The challenge is how can we assign a single IP as secondary IP on
> > > > > two or more VMs?
> > > > >
> > > > > On Fri, Nov 22, 2019 at 1:57 AM Andrija Panic <andrija.panic@gmail.com>
> > > > > wrote:
> > > > >
> > > > > > VRRP is possible to configure anywhere - it's a different
> > > > > > question whether it will work due to firewall rules...
> > > > > > The simplest way to give yourself an answer is to test (allow
> > > > > > all ingress, all egress and test).
> > > > > >
> > > > > > On Thu, 21 Nov 2019 at 22:20, Fariborz Navidan <mdvlinquest@gmail.com>
> > > > > > wrote:
> > > > > >
> > > > > > > If security groups use ebtables, so why does my ebtables
> > > > > > > not have any rule on the host? Default egress policy on my guest network
> > > > > > > is Allow and I have added tcp/udp/icmp ingress rules to allow traffic
> > > > > > > go through.
> > > > > > >
> > > > > > > On Fri, Nov 22, 2019 at 12:03 AM Rohit Yadav <rohit.yadav@shapeblue.com>
> > > > > > > wrote:
> > > > > > >
> > > > > > > > VRRP is a network layer protocol, uses multicast address
> > > > > > > > 224.0.0.18 and protocol number 112. As long as SG can allow this,
> > > > > > > > it's possible, however that may not be available out of the box. You can
> > > > > > > > try some custom ebtables rules on the KVM hosts.
> > > > > > > >
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > >
> > > > > > > > Rohit Yadav
> > > > > > > >
> > > > > > > > Software Architect, ShapeBlue
> > > > > > > >
> > > > > > > > https://www.shapeblue.com
> > > > > > > >
> > > > > > > > ________________________________
> > > > > > > > From: Fariborz Navidan <mdvlinquest@gmail.com>
> > > > > > > > Sent: Thursday, November 21, 2019 17:56
> > > > > > > > To: users@cloudstack.apache.org <users@cloudstack.apache.org>
> > > > > > > > Subject: Is VRRP possible inside KVM/ACS
> > > > > > > >
> > > > > > > > Hello,
> > > > > > > >
> > > > > > > > Is it possible to configure VRRP inside KVM in a security group
> > > > > > > > enabled advanced zone? Should I enable promiscuous mode and forged
> > > > > > > > transmit?
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > >
> > > > > > Andrija Panić
> > > > > >
> > > > >
> > > >
> > >
> >
> >
> > --
> >
> > Andrija Panić
> >
>


-- 

Andrija Panić
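Once the security-group rules are opened up, the practical check is whether the heartbeat Rohit describes (IP protocol 112 to 224.0.0.18, TTL 255) actually arrives intact at the peer VM. The following is an added example, not code from the thread or from CloudStack: a small Python parser that validates a raw IPv4 frame as a VRRPv2 advertisement (RFC 3768) and reports the VRID, priority and virtual IPs it carries. The builder constructs a sample packet with the 10.1.1.x addresses and VRID 51 as assumed values so the code runs offline; in practice you would feed it bytes captured on the guest bridge.

```python
import struct
import ipaddress

VRRP_PROTO = 112           # IP protocol number carried in the IPv4 header
VRRP_MCAST = "224.0.0.18"  # all-VRRP-routers multicast group

def rfc1071_checksum(data: bytes) -> int:
    """One's-complement checksum; returns 0 when run over data whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_advertisement(src: str, vrid: int, priority: int, vips: list, interval: int = 1) -> bytes:
    """Constructed sample: IPv4 packet carrying a VRRPv2 advertisement (no authentication)."""
    body = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(vips), 0, interval, 0)
    body += b"".join(ipaddress.IPv4Address(v).packed for v in vips) + bytes(8)  # auth data
    body = body[:6] + struct.pack("!H", rfc1071_checksum(body)) + body[8:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0x4000, 255, VRRP_PROTO, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(VRRP_MCAST).packed)
    hdr = hdr[:10] + struct.pack("!H", rfc1071_checksum(hdr)) + hdr[12:]
    return hdr + body

def parse_advertisement(pkt: bytes) -> dict:
    """Check the wrapper a VRRP heartbeat must have on the wire; return fields or {'error': ...}."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        return {"error": "not an IPv4 packet"}
    ihl, ttl, proto = (pkt[0] & 0x0F) * 4, pkt[8], pkt[9]
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    if proto != VRRP_PROTO:
        return {"error": "IP protocol %d is not VRRP (112)" % proto}
    if dst != VRRP_MCAST:
        return {"error": "destination %s is not %s" % (dst, VRRP_MCAST)}
    if ttl != 255:  # RFC 3768 requires TTL 255; anything lower has crossed a router
        return {"error": "TTL %d != 255" % ttl}
    if rfc1071_checksum(pkt[:ihl]) != 0:
        return {"error": "bad IPv4 header checksum"}
    body = pkt[ihl:]
    if rfc1071_checksum(body) != 0:  # v2 checksum covers only the VRRP message
        return {"error": "bad VRRP checksum"}
    ver_type, vrid, prio, count, _auth, interval = struct.unpack("!BBBBBB", body[:6])
    if len(body) < 8 + 4 * count + 8:
        return {"error": "truncated VRRP message"}
    vips = [str(ipaddress.IPv4Address(body[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])), "version": ver_type >> 4,
            "type": ver_type & 0x0F, "vrid": vrid, "priority": prio,
            "interval": interval, "vips": vips}
```

A packet that passes all checks but shows a TTL below 255 or a unicast destination was rewritten somewhere on the path, which is the kind of thing custom ebtables rules on the host can cause.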
