cloudstack-users mailing list archives

From Fariborz Navidan <mdvlinqu...@gmail.com>
Subject Re: Is VRRP possible inside KVM/ACS
Date Fri, 22 Nov 2019 17:21:56 GMT
The issue is when I assign a secondary IP to a VM: if I set it on guest1, it
works well, but if I unset it on that guest (i.e. with the ip addr del
command) and set it on another guest via the 'ip' command, it does work because
it is not resolved by its new MAC being announced.

On Fri, Nov 22, 2019 at 8:30 PM Andrija Panic <andrija.panic@gmail.com>
wrote:

> Select * from nic_secondary_ips - will show you no presence of MAC
> address, so both your main IP and this secondary IP will have THE SAME MAC
> address from the ACS perspective. The thing here is, you are MANUALLY
> adding this second IP address (Virtual IP address) on some of the existing
> i.e. eth0 interfaces - so that secondary IP will be resolvable via ARP to
> the same MAC address as the main IP. CloudStack has nothing to do with that.
>
> The only thing you should worry about is if we filter based on the IP address -
> but that is something you control via ingress and egress rules and
> hopefully will work
>
> On Fri, 22 Nov 2019 at 17:30, Fariborz Navidan <mdvlinquest@gmail.com>
> wrote:
>
> > You mean IPs are not constrained by MAC?
> >
> > On Fri, Nov 22, 2019 at 7:56 PM Andrija Panic <andrija.panic@gmail.com>
> > wrote:
> >
> > > Er... not sure what MAC address has to do with the secondary IP -
> > > secondary IP is just an "alias IP" for the existing NIC, having the same
> > > MAC address as the main NIC (since it's an additional IP for that NIC) -
> > > unless something is broken
> > >
> > > On Fri, 22 Nov 2019 at 16:50, Fariborz Navidan <mdvlinquest@gmail.com>
> > > wrote:
> > >
> > > > It does work in that way because it seems IPs are associated with
> > > > randomly assigned MAC address assigned to a NIC. It means in guest OS, you can
> > > > only use IPs which are reserved for a NIC on that VM. So bridge does not
> > > > accept traffic from that IP if it is used by another guest. It means there is
> > > > a builtin MAC filter. So I am not able to freely use IPs on any VM I wish.
> > > >
> > > > I am not sure if this behavior is related to security group or is a
> > > > default behavior of KVM or ACS
> > > >
> > > > On Fri, Nov 22, 2019 at 5:18 PM Andrija Panic <andrija.panic@gmail.com>
> > > > wrote:
> > > >
> > > > > you assign a single secondary IP for just one of the VMs (so it's
> > > > > reserved and will not be assigned later to other VMs via ACS). This
> > > > > secondary IP is NOT handled via DHCP, it is just reserved in DB as used.
> > > > >
> > > > > Now, go and manually use it inside both VMs. simple.
> > > > >
> > > > > it's a better question if VRRP heartbeat is allowed between 2 VMs
> > > > > (protocol/port) and if you can allow traffic access to that secondary
> > > > > IP address from outside.
> > > > >
> > > > > On Fri, 22 Nov 2019, 14:37 Fariborz Navidan, <mdvlinquest@gmail.com>
> > > > > wrote:
> > > > >
> > > > > > The challenge is how can we assign a single IP as secondary IP on
> > > > > > two or more VMs?
> > > > > >
> > > > > > On Fri, Nov 22, 2019 at 1:57 AM Andrija Panic <andrija.panic@gmail.com>
> > > > > > wrote:
> > > > > >
> > > > > > > VRRP is possible to configure anywhere - it's a different question
> > > > > > > whether it will work due to firewall rules...
> > > > > > > The simplest way to give yourself an answer is to test (allow all
> > > > > > > ingress, all egress and test).
> > > > > > >
> > > > > > > On Thu, 21 Nov 2019 at 22:20, Fariborz Navidan <mdvlinquest@gmail.com>
> > > > > > > wrote:
> > > > > > >
> > > > > > > > If security groups use ebtables, so why does my ebtables not
> > > > > > > > have any rule on the host? Default egress policy on my guest
> > > > > > > > network is Allow and I have added tcp/udp/icmp ingress rules to
> > > > > > > > allow traffic to go through.
> > > > > > > >
> > > > > > > > On Fri, Nov 22, 2019 at 12:03 AM Rohit Yadav <rohit.yadav@shapeblue.com>
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > > > VRRP is a network layer protocol, uses multicast address
> > > > > > > > > 224.0.0.18 and protocol number 112. As long as SG can allow
> > > > > > > > > this, it's possible, however that may not be available out of
> > > > > > > > > the box. You can try some custom ebtables rules on the KVM
> > > > > > > > > hosts.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Regards,
> > > > > > > > >
> > > > > > > > > Rohit Yadav
> > > > > > > > >
> > > > > > > > > Software Architect, ShapeBlue
> > > > > > > > >
> > > > > > > > > https://www.shapeblue.com
> > > > > > > > >
> > > > > > > > > ________________________________
> > > > > > > > > From: Fariborz Navidan <mdvlinquest@gmail.com>
> > > > > > > > > Sent: Thursday, November 21, 2019 17:56
> > > > > > > > > To: users@cloudstack.apache.org <users@cloudstack.apache.org>
> > > > > > > > > Subject: Is VRRP possible inside KVM/ACS
> > > > > > > > >
> > > > > > > > > Hello,
> > > > > > > > >
> > > > > > > > > Is it possible to configure VRRP inside KVM in a security group
> > > > > > > > > enabled advanced zone? Should I enable Promiscuous mode and
> > > > > > > > > forged transmit?
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > >
> > > > > > > Andrija Panić
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> > >
> > > --
> > >
> > > Andrija Panić
> > >
> >
>
>
> --
>
> Andrija Panić
>
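
Rohit's point that VRRP advertisements go to 224.0.0.18 with protocol 112, and Fariborz's observation that the moved VIP is never re-resolved to the new holder's MAC, can both be checked from a capture on the KVM bridge. The following is an added example, not code from this thread or from CloudStack: it parses constructed `tcpdump -nn -e` lines (the VIP 10.1.1.100, vrid 51 and all MAC/IP values are made up) and reports each VRRP master change together with whether a gratuitous ARP for the VIP from the new master was seen; a master change with no such ARP is exactly the symptom described above, and the host-side MAC/IP anti-spoof filtering on the VM's port is then the first thing to inspect.

```python
import re

# Constructed sample of `tcpdump -nn -e` output on a KVM bridge (not a real capture).
# VM A (…:01) is VRRP master for vrid 51 and announces the VIP with a gratuitous
# ARP; VM B (…:02) then takes over with a higher priority, but no gratuitous ARP
# from it ever reaches the bridge, so the VIP still resolves to VM A's MAC.
SAMPLE = """\
12:00:01.000000 52:54:00:aa:bb:01 > 01:00:5e:00:00:12, ethertype IPv4 (0x0800), length 60: 10.1.1.11 > 224.0.0.18: VRRPv2, Advertisement, vrid 51, prio 100, authtype none, intvl 1s, length 20
12:00:01.050000 52:54:00:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 10.1.1.100 is-at 52:54:00:aa:bb:01, length 28
12:00:02.000000 52:54:00:aa:bb:01 > 01:00:5e:00:00:12, ethertype IPv4 (0x0800), length 60: 10.1.1.11 > 224.0.0.18: VRRPv2, Advertisement, vrid 51, prio 100, authtype none, intvl 1s, length 20
12:00:05.000000 52:54:00:aa:bb:02 > 01:00:5e:00:00:12, ethertype IPv4 (0x0800), length 60: 10.1.1.12 > 224.0.0.18: VRRPv2, Advertisement, vrid 51, prio 150, authtype none, intvl 1s, length 20
12:00:06.000000 52:54:00:aa:bb:02 > 01:00:5e:00:00:12, ethertype IPv4 (0x0800), length 60: 10.1.1.12 > 224.0.0.18: VRRPv2, Advertisement, vrid 51, prio 150, authtype none, intvl 1s, length 20
"""

# VRRP advertisement: IP protocol 112 sent to the multicast group 224.0.0.18
VRRP_RE = re.compile(r"^(\S+) (\S+) > \S+, .*?: (\S+) > 224\.0\.0\.18: VRRPv\d, "
                     r"Advertisement, vrid (\d+), prio (\d+)")
# Gratuitous ARP reply announcing which MAC now owns an IP
GARP_RE = re.compile(r"^(\S+) (\S+) > \S+, .*?: Reply (\S+) is-at ([^,\s]+)")

def analyse(capture, vip):
    """Return one (timestamp, vrid, master_mac, garp_seen) tuple per master change.

    garp_seen is True when a gratuitous ARP for `vip` from that master appeared
    after it started advertising; False means the VIP was never re-announced.
    """
    master = {}   # vrid -> source MAC of the VM currently advertising as master
    events = []
    for line in capture.splitlines():
        m = VRRP_RE.match(line)
        if m:
            ts, mac, _src_ip, vrid, _prio = m.groups()
            if master.get(vrid) != mac:
                master[vrid] = mac
                events.append([ts, vrid, mac, False])
            continue
        g = GARP_RE.match(line)
        if g and g.group(3) == vip:
            # Credit the most recent master change made by the announcing MAC
            for ev in reversed(events):
                if ev[2] == g.group(4):
                    ev[3] = True
                    break
    return [tuple(ev) for ev in events]

if __name__ == "__main__":
    for ts, vrid, mac, ok in analyse(SAMPLE, "10.1.1.100"):
        print(f"{ts} vrid {vrid}: master {mac} -> "
              f"{'VIP re-announced' if ok else 'NO gratuitous ARP seen for VIP'}")
```

On a real host, feed it the output of `tcpdump -nn -e -i <bridge> 'vrrp or arp'` captured during a failover; the bridge is the right vantage point because a frame dropped by the per-VM filter never appears there.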
