[Lxc-users] appropriate architecture for two sets of containers on one host
Mike
sourceforge at good-with-numbers.com
Thu Mar 14 03:04:43 UTC 2013
Guido, thanks for the reply.
Guido Jäkel wrote:
> if your separate networks are already organized with VLANs externally,
> then you might use it (like me) in the following way:
>
> -{vlan-trunk}--[eth0]--+--[vlanNNN]--{vlanNNN}--[brNNN]--+--[veth.c1|eth0]
>                        |                                 +--[veth.c2|eth0]
>                        +--[vlanMMM]--....
>
> On your host, attach vlan adapters to the physical interface. This
> will switch it into promiscuous mode (L2 mode) and needs no IP (L3)
> configuration. Each vlan interface will untrunk one vlan. Then
> connect bridges to these vlan interfaces. Also, as the bridge is an L2
> device, it needs no IP configuration. But you may use the bridge's IP
> configuration parameters to access this net on the host; think of it as
> an additional virtual network card which is already connected to the
> bridge. But normally, you don't want that and use an additional vlan
> here. Attach an additional vlan adapter to the eth0 for this and
> assign the host's IP config to it.
That's where I was headed.
I already use VLANs at the switch with PVIDs, as a security mechanism to
separate traffic: between the firewall and each internal computer, from
all other internal computers. So the original configuration was:
+-----------------------------------+
|+----+                             |
||    |------------+            c1  |
|| c1 | eth0/.17.3 |---\            |
||    |------------+    +-----+     |------------+
|+----+                 | br1 |-----| eth1/.17.2 |-----
|+----+                 +-----+     |------------+
||    |------------+    |           |
|| c2 | eth0/.17.4 |---/            |
||    |------------+            c2  |
|+----+                             |
+-----------------------------------+
with all the traffic going through the switch on VLAN 17. So that
became:
+--------------------------------------------------+
|+----+                                            |
||    |------------+                         c1    |
|| c1 | eth0/.17.3 |---\                           |
||    |------------+    +--------+   +---------+   |------------+
|+----+                 | br1.17 |---| eth1.17 |---| eth1/.17.2 |-----
|+----+                 +--------+   +---------+   |------------+
||    |------------+    |                          |
|| c2 | eth0/.17.4 |---/                           |
||    |------------+                         c2    |
|+----+                                            |
+--------------------------------------------------+
dropping the PVID from the switch. But when I added another VLAN:
+--------------------------------------------------+
|+----+                                            |
||    |------------+                         c1    |
|| c1 | eth0/.17.3 |---\                           |
||    |------------+    +--------+   +---------+   |------------+
|+----+                 | br1.17 |---| eth1.17 |---| eth1/.17.2 |-----
|+----+                 +--------+   +---------+ | |------------+
||    |------------+    |                        | |
|| c2 | eth0/.17.4 |---/                         | |
||    |------------+                         c2  | |
|+----+                                          | |
|                       +--------+   +---------+ | |
|                       | br1.18 |---| eth1.18 |-/ |
|                       +--------+   +---------+   |
+--------------------------------------------------+
with
---------------------------------------------
iface eth1.18 inet manual

auto br1.18
iface br1.18 inet static
    bridge_ports eth1.18
    bridge_maxwait 0
    bridge_fd 0
    bridge_stp off
    address 192.168.18.2
    netmask 255.255.255.0
    gateway 192.168.18.1
    dns...

iface eth1.17 inet manual

auto br1.17
iface br1.17 inet static
    bridge_ports eth1.17
    bridge_maxwait 0
    bridge_fd 0
    bridge_stp off
    address 192.168.17.2
    netmask 255.255.255.0
    gateway 192.168.17.1
    dns...
---------------------------------------------
in /etc/network/interfaces, I got two default routes:
---------------------------------------------
host$ ip route show
192.168.18.0/24 dev br1.18 proto kernel scope link src 192.168.18.2
192.168.17.0/24 dev br1.17 proto kernel scope link src 192.168.17.2
default via 192.168.17.1 dev br1.17
default via 192.168.18.1 dev br1.18
---------------------------------------------
I'm curious how you configured yours.
> On the host's route, you need to switch the port for the host to
> trunked vlan mode as if you will interconnect switches. And you should
> prune the vlan trunk to the vlans you need to reduce the (broadcast)
> traffic to the host's interface.
I removed the PVID on the switch port, and placed the port into VLANs 17
& 18. Something I need to do on the host, too? Not sure what
configuration you're referring to there.
> But you may also do it without using vlans and may use good-old subnets
> for separation. Then, just connect one bridge to the eth0 of the host
> and also attach the veths of the containers to it. Here you probably
> want to assign an IP to the bridge for accessing the host. Note that the
> access to the subnet here is "selected" only by the IP configuration
> inside the container.
I assume by "IP configuration" you mean "iptables configuration".
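An added illustration, not part of the thread, of why the two bridge stanzas above yield two default routes: it replays what ifupdown's "inet static" method installs when more than one stanza carries "gateway". The interfaces text is constructed from the br1.17/br1.18 stanzas in the post, the parser is deliberately minimal (IPv4 only, one option per line), and parse_static_stanzas, predicted_routes and default_routes are hypothetical names.

```python
# Added example (not from the thread): predict the routes ifupdown installs for
# 'inet static' stanzas and flag the duplicate-default-route configuration.
import ipaddress
SAMPLE_INTERFACES = """\
iface eth1.18 inet manual
auto br1.18
iface br1.18 inet static
    bridge_ports eth1.18
    address 192.168.18.2
    netmask 255.255.255.0
    gateway 192.168.18.1
auto br1.17
iface br1.17 inet static
    address 192.168.17.2
    netmask 255.255.255.0
    gateway 192.168.17.1
"""

def parse_static_stanzas(text):
    """{ifname: {option: value}} for each 'iface <if> inet static' stanza (constructed input)."""
    stanzas, current = {}, None
    for words in (line.split() for line in text.splitlines()):
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "iface":     # new stanza; only the static ones matter here
            current = stanzas.setdefault(words[1], {}) if words[3] == "static" else None
        elif words[0] in ("auto", "allow-hotplug", "mapping", "source"):
            current = None          # these lines terminate the previous stanza
        elif current is not None:
            current[words[0]] = " ".join(words[1:])
    return stanzas

def predicted_routes(text):
    """Route lines, in 'ip route show' wording, that ifupdown will install."""
    routes = []
    for ifname, opts in parse_static_stanzas(text).items():
        if "address" in opts and "netmask" in opts:   # connected route from address/netmask
            net = ipaddress.IPv4Interface(f"{opts['address']}/{opts['netmask']}").network
            routes.append(f"{net} dev {ifname} proto kernel scope link src {opts['address']}")
        if "gateway" in opts:   # ifupdown adds one 'default via' per stanza with a gateway
            routes.append(f"default via {opts['gateway']} dev {ifname}")
    return routes

def default_routes(route_lines):
    """Default routes among route lines (predicted ones or real 'ip route show' output)."""
    return [line for line in route_lines if line.split()[:1] == ["default"]]

if __name__ == "__main__":
    routes = predicted_routes(SAMPLE_INTERFACES)
    if len(default_routes(routes)) > 1:
        print("WARNING: more than one default route; keep 'gateway' in a single stanza")
```

default_routes also accepts the lines of a real "ip route show", so the same check can be run against the host's live routing table.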