Posted to users@cloudstack.apache.org by Fariborz Navidan <md...@gmail.com> on 2019/11/21 12:26:06 UTC

Is VRRP possible inside KVM/ACS

Hello,

Is it possible to configure VRRP inside KVM in a security group enabled
advanced zone? Should I enable promiscuous mode and forged transmit?

Re: Is VRRP possible inside KVM/ACS

Posted by Andrija Panic <an...@gmail.com>.
Well, that's what we were mentioning.

Check iptables on the destination host where your secondary IP was
originally sitting (I mean where the VM is sitting) - there is a chain per VM
or something. Check also ebtables rules, if any - somewhere you will
probably see us filtering the ARP or something like that.

On Fri, 22 Nov 2019 at 18:22, Fariborz Navidan <md...@gmail.com>
wrote:

> The issue is when I assign a secondary IP to a VM, it works if I set it on
> guest1, it works well but if I unset it on that guest (i.e. ip addr del
> command) and set it on another guest via 'ip' command, it does work because
> it is not resolved by its new MAC being announced.


-- 

Andrija Panić
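
Andrija's advice above (check the per-VM iptables chain and the ebtables ARP rules on the host) and Rohit's note earlier in the thread (VRRP is IP protocol 112 sent to multicast 224.0.0.18) can be turned into a small audit, rather than opening all ingress and egress to find out. The script below is an added example and not CloudStack's own code: it parses `iptables -S` and `ebtables -L` style output and reports whether a VRRP advertisement would be accepted by the VM's chain and which sender IPs the ARP filter lets the VM claim. The chain names, the rule text and the addresses are constructed for the demo; nothing here assumes CloudStack's real chain naming.

```python
"""
Audit one VM's host-side filter rules for the two questions in this thread:
does the VM's iptables chain let VRRP advertisements through (IP protocol 112
to 224.0.0.18), and which sender IPs does the ebtables ARP filter let the VM
claim (the "builtin MAC filter" effect seen when a VIP moves between guests)?

Added example, not CloudStack code. Chain names, rule dumps and addresses
below are constructed; feed real `iptables -S` / `ebtables -L` output instead.
"""
import re

VRRP_PROTO = "112"          # IANA protocol number for VRRP
VRRP_MCAST = "224.0.0.18"   # VRRP multicast group

# Constructed `iptables -S <chain>` output: SSH, UDP and ICMP are allowed,
# everything else is dropped, so VRRP (neither TCP, UDP nor ICMP) is dropped.
IPTABLES_DUMP = """\
-N i-2-7-VM
-A i-2-7-VM -p tcp -m tcp --dport 22 -j ACCEPT
-A i-2-7-VM -p udp -j ACCEPT
-A i-2-7-VM -p icmp -j ACCEPT
-A i-2-7-VM -j DROP
"""

# Same constructed chain with an explicit VRRP accept before the final DROP.
IPTABLES_DUMP_WITH_VRRP = IPTABLES_DUMP.replace(
    "-A i-2-7-VM -j DROP",
    "-A i-2-7-VM -p 112 -d 224.0.0.18/32 -j ACCEPT\n-A i-2-7-VM -j DROP")

# Constructed ebtables rules: ARP frames from the VM are accepted only when
# the sender IP is one of the addresses reserved for that NIC.
EBTABLES_DUMP = """\
-A i-2-7-VM-in -p ARP --arp-ip-src 10.1.1.10 -j ACCEPT
-A i-2-7-VM-in -p ARP --arp-ip-src 10.1.1.50 -j ACCEPT
-A i-2-7-VM-in -p ARP -j DROP
"""


def parse_iptables(dump):
    """Turn `iptables -S` lines into an ordered list of (matches, target).
    Only the match options relevant here are kept; unknown tokens are skipped."""
    rules = []
    for line in dump.splitlines():
        parts = line.split()
        if not parts or parts[0] != "-A":
            continue                      # skip -N/-P lines and blanks
        matches, target, i = {}, None, 2  # parts[1] is the chain name
        while i < len(parts):
            tok = parts[i]
            if tok == "-j":
                target = parts[i + 1]
                i += 2
            elif tok in ("-p", "-s", "-d", "-m", "--dport", "--sport"):
                matches[tok] = parts[i + 1]
                i += 2
            else:
                i += 1
        rules.append((matches, target))
    return rules


def vrrp_verdict(rules, dst=VRRP_MCAST):
    """First-match walk of a chain for a VRRP packet addressed to `dst`.
    Returns the target of the first matching rule ('ACCEPT', 'DROP', ...),
    or None when no rule matches and the packet falls back to the caller."""
    for matches, target in rules:
        proto = matches.get("-p")
        if proto is not None and proto not in (VRRP_PROTO, "vrrp"):
            continue
        dest = matches.get("-d")
        if dest is not None and dest.split("/")[0] != dst:
            continue
        return target
    return None


def arp_allowed_sources(dump):
    """Sender IPs that an ebtables ACCEPT rule lets the VM use in ARP."""
    allowed = set()
    for line in dump.splitlines():
        m = re.search(r"--arp-ip-src\s+(\S+).*-j\s+ACCEPT", line)
        if m:
            allowed.add(m.group(1))
    return allowed


def audit(iptables_dump, ebtables_dump, vip):
    """Summarise both checks for the virtual IP the VMs will share."""
    allowed = arp_allowed_sources(ebtables_dump)
    return {
        "vrrp_verdict": vrrp_verdict(parse_iptables(iptables_dump)),
        "vip_arp_allowed": vip in allowed,
        "arp_allowed_sources": sorted(allowed),
    }


if __name__ == "__main__":
    for name, dump in (("before", IPTABLES_DUMP), ("after", IPTABLES_DUMP_WITH_VRRP)):
        print(name, audit(dump, EBTABLES_DUMP, "10.1.1.50"))
```

Run it against the real output of `iptables -S <chain>` for the VM's chain and the ebtables table that carries the per-VM ARP rules on your host, for the VM that should own the VIP: if the VRRP verdict is DROP, or the VIP is not among the ARP-allowed sender addresses, that is the one filter to adjust, and the rest of the security group can stay as it is.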

Re: Is VRRP possible inside KVM/ACS

Posted by Fariborz Navidan <md...@gmail.com>.
The issue is when I assign a secondary IP to a VM, it works if I set it on
guest1, it works well but if I unset it on that guest (i.e. ip addr del
command) and set it on another guest via 'ip' command, it does work because
it is not resolved by its new MAC being announced.

On Fri, Nov 22, 2019 at 8:30 PM Andrija Panic <an...@gmail.com>
wrote:

> Select * from nic_secondary_ips - will show you no presence of MAC
> address, so both your main IP and this secondary IP will have THE SAME MAC
> address from the ACS perspective. The thing here is, you are MANUALLY
> adding this second IP address (Virtual IP address) on some of the existing
> i.e. eth0 interfaces - so that secondary IP will be resolvable via ARP to
> the same MAC address as the main IP. CloudStack has nothing to do with that.
>
> The only thing you should worry about is if we filter based on the IP address -
> but that is something you control via ingress and egress rules and
> hopefully will work.
>
> --
>
> Andrija Panić
>

Re: Is VRRP possible inside KVM/ACS

Posted by Andrija Panic <an...@gmail.com>.
Select * from nic_secondary_ips - will show you no presence of MAC
address, so both your main IP and this secondary IP will have THE SAME MAC
address from the ACS perspective. The thing here is, you are MANUALLY
adding this second IP address (Virtual IP address) on some of the existing
i.e. eth0 interfaces - so that secondary IP will be resolvable via ARP to
the same MAC address as the main IP. CloudStack has nothing to do with that.

The only thing you should worry about is if we filter based on the IP address -
but that is something you control via ingress and egress rules and
hopefully will work.

On Fri, 22 Nov 2019 at 17:30, Fariborz Navidan <md...@gmail.com>
wrote:

> You mean IPs are not constrained by MAC?


-- 

Andrija Panić

Re: Is VRRP possible inside KVM/ACS

Posted by Fariborz Navidan <md...@gmail.com>.
You mean IPs are not constrained by MAC?

On Fri, Nov 22, 2019 at 7:56 PM Andrija Panic <an...@gmail.com>
wrote:

> Er... not sure what MAC address has to do with the secondary IP -
> secondary IP is just an "alias IP" for the existing NIC, having the same
> MAC address as the main NIC (since it's an additional IP for that NIC) -
> unless something is broken
>
> --
>
> Andrija Panić
>

Re: Is VRRP possible inside KVM/ACS

Posted by Andrija Panic <an...@gmail.com>.
Er... not sure what MAC address has to do with the secondary IP -
secondary IP is just an "alias IP" for the existing NIC, having the same
MAC address as the main NIC (since it's an additional IP for that NIC) -
unless something is broken

On Fri, 22 Nov 2019 at 16:50, Fariborz Navidan <md...@gmail.com>
wrote:

> It does work in that way because it seems IPs are associated with randomly
> assigned MAC address assigned to a NIC. It means in guest OS, you can only
> use IPs which are reserved for a NIC on that VM. So bridge does not accept
> traffic from that IP if it is used by another guest. It means there is a
> builtin MAC filter. So I am not able to freely use IPs on any VM I wish.
>
> I am not sure if this behavior is related to security group or is a
> default behavior of KVM or ACS


-- 

Andrija Panić

Re: Is VRRP possible inside KVM/ACS

Posted by Fariborz Navidan <md...@gmail.com>.
It does work in that way because it seems IPs are associated with randomly
assigned MAC address assigned to a NIC. It means in guest OS, you can only
use IPs which are reserved for a NIC on that VM. So bridge does not accept
traffic from that IP if it is used by another guest. It means there is a
builtin MAC filter. So I am not able to freely use IPs on any VM I wish.

I am not sure if this behavior is related to security group or is a
default behavior of KVM or ACS

On Fri, Nov 22, 2019 at 5:18 PM Andrija Panic <an...@gmail.com>
wrote:

> You assign a single secondary IP for just one of the VMs (so it's reserved
> and will not be assigned later to other VMs via ACS). This secondary IP is
> NOT handled via DHCP, it is just reserved in DB as used.
>
> Now, go and manually use it inside both VMs. Simple.
>
> It's a better question if VRRP heartbeat is allowed between 2 VMs
> (protocol/port) and if you can allow traffic access to that secondary IP
> address from outside.

Re: Is VRRP possible inside KVM/ACS

Posted by Andrija Panic <an...@gmail.com>.
You assign a single secondary IP for just one of the VMs (so it's reserved
and will not be assigned later to other VMs via ACS). This secondary IP is
NOT handled via DHCP, it is just reserved in DB as used.

Now, go and manually use it inside both VMs. Simple.

It's a better question if VRRP heartbeat is allowed between 2 VMs
(protocol/port) and if you can allow traffic access to that secondary IP
address from outside.

On Fri, 22 Nov 2019, 14:37 Fariborz Navidan, <md...@gmail.com> wrote:

> The challenge is how can we assign a single IP as secondary IP on two or
> more VMs?

Re: Is VRRP possible inside KVM/ACS

Posted by Fariborz Navidan <md...@gmail.com>.
The challenge is how can we assign a single IP as secondary IP on two or
more VMs?

On Fri, Nov 22, 2019 at 1:57 AM Andrija Panic <an...@gmail.com>
wrote:

> VRRP is possible to configure anywhere - it's a different question whether
> it will work due to firewall rules...
> The simplest way to give yourself an answer is to test (allow all ingress,
> all egress and test).
>
> On Thu, 21 Nov 2019 at 22:20, Fariborz Navidan <md...@gmail.com>
> wrote:
>
> > If security groups use ebtables, why does my ebtables not have any
> > rules on the host? The default egress policy on my guest network is
> > Allow, and I have added tcp/udp/icmp ingress rules to allow traffic
> > to go through.
> >
> > On Fri, Nov 22, 2019 at 12:03 AM Rohit Yadav <ro...@shapeblue.com>
> > wrote:
> >
> > > VRRP is a network layer protocol; it uses multicast address 224.0.0.18
> > > and protocol number 112. As long as SG can allow this, it's possible;
> > > however, that may not be available out of the box. You can try some
> > > custom ebtables rules on the KVM hosts.
> > >
> > >
> > > Regards,
> > >
> > > Rohit Yadav
> > >
> > > Software Architect, ShapeBlue
> > >
> > > https://www.shapeblue.com
> > >
> > > ________________________________
> > > From: Fariborz Navidan <md...@gmail.com>
> > > Sent: Thursday, November 21, 2019 17:56
> > > To: users@cloudstack.apache.org <us...@cloudstack.apache.org>
> > > Subject: Is VRRP possible inside KVM/ACS
> > >
> > > Hello,
> > >
> > > Is it possible to configure VRRP inside KVM in a security group
> > > enabled advanced zone? Should I enable Promiscuous mode and forged
> > > transmit?
> > >
> > > rohit.yadav@shapeblue.com
> > > www.shapeblue.com
> > > Amadeus House, Floral Street, London WC2E 9DP, UK
> > > @shapeblue
> > >
> > >
> > >
> > >
> >
>
>
> --
>
> Andrija Panić
>

Re: Is VRRP possible inside KVM/ACS

Posted by Andrija Panic <an...@gmail.com>.
VRRP is possible to configure anywhere - it's a different question whether
it will work due to firewall rules...
The simplest way to give yourself an answer is to test (allow all ingress,
all egress and test).

On Thu, 21 Nov 2019 at 22:20, Fariborz Navidan <md...@gmail.com>
wrote:

> If security groups use ebtables, why does my ebtables not have any rules
> on the host? The default egress policy on my guest network is Allow, and
> I have added tcp/udp/icmp ingress rules to allow traffic to go through.
>
> On Fri, Nov 22, 2019 at 12:03 AM Rohit Yadav <ro...@shapeblue.com>
> wrote:
>
> > VRRP is a network layer protocol; it uses multicast address 224.0.0.18
> > and protocol number 112. As long as SG can allow this, it's possible;
> > however, that may not be available out of the box. You can try some
> > custom ebtables rules on the KVM hosts.
> >
> >
> > Regards,
> >
> > Rohit Yadav
> >
> > Software Architect, ShapeBlue
> >
> > https://www.shapeblue.com
> >
> > ________________________________
> > From: Fariborz Navidan <md...@gmail.com>
> > Sent: Thursday, November 21, 2019 17:56
> > To: users@cloudstack.apache.org <us...@cloudstack.apache.org>
> > Subject: Is VRRP possible inside KVM/ACS
> >
> > Hello,
> >
> > Is it possible to configure VRRP inside KVM in a security group enabled
> > advanced zone? Should I enable Promiscuous mode and forged transmit?
> >
> > rohit.yadav@shapeblue.com
> > www.shapeblue.com
> > Amadeus House, Floral Street, London WC2E 9DP, UK
> > @shapeblue
> >
> >
> >
> >
>


-- 

Andrija Panić

Re: Is VRRP possible inside KVM/ACS

Posted by Fariborz Navidan <md...@gmail.com>.
If security groups use ebtables, why does my ebtables not have any rules
on the host? The default egress policy on my guest network is Allow, and I
have added tcp/udp/icmp ingress rules to allow traffic to go through.

On Fri, Nov 22, 2019 at 12:03 AM Rohit Yadav <ro...@shapeblue.com>
wrote:

> VRRP is a network layer protocol; it uses multicast address 224.0.0.18
> and protocol number 112. As long as SG can allow this, it's possible;
> however, that may not be available out of the box. You can try some
> custom ebtables rules on the KVM hosts.
>
>
> Regards,
>
> Rohit Yadav
>
> Software Architect, ShapeBlue
>
> https://www.shapeblue.com
>
> ________________________________
> From: Fariborz Navidan <md...@gmail.com>
> Sent: Thursday, November 21, 2019 17:56
> To: users@cloudstack.apache.org <us...@cloudstack.apache.org>
> Subject: Is VRRP possible inside KVM/ACS
>
> Hello,
>
> Is it possible to configure VRRP inside KVM in a security group enabled
> advanced zone? Should I enable Promiscuous mode and forged transmit?
>
> rohit.yadav@shapeblue.com
> www.shapeblue.com
> Amadeus House, Floral Street, London WC2E 9DP, UK
> @shapeblue
>
>
>
>

Re: Is VRRP possible inside KVM/ACS

Posted by Rohit Yadav <ro...@shapeblue.com>.
VRRP is a network layer protocol; it uses multicast address 224.0.0.18 and protocol number 112. As long as SG can allow this, it's possible; however, that may not be available out of the box. You can try some custom ebtables rules on the KVM hosts.


Regards,

Rohit Yadav

Software Architect, ShapeBlue

https://www.shapeblue.com

________________________________
From: Fariborz Navidan <md...@gmail.com>
Sent: Thursday, November 21, 2019 17:56
To: users@cloudstack.apache.org <us...@cloudstack.apache.org>
Subject: Is VRRP possible inside KVM/ACS

Hello,

Is it possible to configure VRRP inside KVM in a security group enabled
advanced zone? Should I enable Promiscuous mode and forged transmit?

rohit.yadav@shapeblue.com
www.shapeblue.com
Amadeus House, Floral Street, London WC2E 9DP, UK
@shapeblue
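
The point Rohit makes above (VRRP is IP protocol 112 sent to the multicast group 224.0.0.18, so a security group has to permit that protocol explicitly) and the earlier observation that tcp/udp/icmp ingress rules were added are easy to check concretely. The following is an added example, not code from this thread, from CloudStack or from ShapeBlue: it builds a constructed VRRPv2 advertisement inside an IPv4 packet, decodes it the way a host-side filter sees it, verifies both checksums, and evaluates it against a simplified ingress rule list. The rule model (a protocol name or number plus a source CIDR) and all addresses, VRIDs and rule sets are assumptions for illustration, not CloudStack's API or any real deployment.

```python
"""Added example, not part of the mailing-list thread or CloudStack: decode a
VRRPv2 advertisement (IP protocol 112 to 224.0.0.18) and check it against a
simplified security-group rule list. Rule model and sample data are assumed."""
import ipaddress
import struct

VRRP_MULTICAST = ipaddress.IPv4Address("224.0.0.18")  # RFC 3768 destination group
VRRP_PROTO = 112                                      # IP protocol number for VRRP
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}      # names the thread's rules use


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_vrrp_v2_advert(vrid: int, priority: int, adver_int: int, vips) -> bytes:
    """VRRPv2 advertisement: ver/type, VRID, priority, IP count, auth type,
    advert interval, checksum, virtual IPs, then 8 bytes of (unused) auth data."""
    addrs = b"".join(ipaddress.IPv4Address(v).packed for v in vips)
    auth = b"\x00" * 8
    head = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(addrs) // 4, 0, adver_int, 0)
    csum = ones_complement_checksum(head + addrs + auth)  # computed with checksum field zeroed
    return head[:6] + struct.pack("!H", csum) + addrs + auth


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 255) -> bytes:
    """Minimal 20-byte IPv4 header; VRRP is sent with TTL 255."""
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = ones_complement_checksum(head)
    return head[:10] + struct.pack("!H", csum) + head[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Validate the IPv4 header and return the fields a packet filter keys on."""
    if len(packet) < 20:
        raise ValueError("short packet")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < total_len:
        raise ValueError("malformed IPv4 header")
    header = packet[:ihl]
    if ones_complement_checksum(header[:10] + b"\x00\x00" + header[12:]) != csum:
        raise ValueError("bad IPv4 header checksum")
    return {"ttl": ttl, "proto": proto, "src": ipaddress.IPv4Address(src),
            "dst": ipaddress.IPv4Address(dst), "payload": packet[ihl:total_len]}


def parse_vrrp_v2(payload: bytes) -> dict:
    """Decode a VRRPv2 advertisement and verify its checksum (RFC 3768 checksums
    the VRRP message only; VRRPv3 adds a pseudo-header and is not handled here)."""
    if len(payload) < 8:
        raise ValueError("short VRRP message")
    ver_type, vrid, priority, count, auth_type, adver_int, csum = struct.unpack("!BBBBBBH", payload[:8])
    if ver_type >> 4 != 2:
        raise ValueError("only VRRPv2 is decoded here")
    end = 8 + 4 * count + 8
    if len(payload) < end:
        raise ValueError("truncated VRRP message")
    addresses = [str(ipaddress.IPv4Address(payload[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    zeroed = payload[:6] + b"\x00\x00" + payload[8:end]
    return {"type": ver_type & 0x0F, "vrid": vrid, "priority": priority, "auth_type": auth_type,
            "adver_int": adver_int, "addresses": addresses,
            "checksum_ok": ones_complement_checksum(zeroed) == csum}


def rule_permits(rules, proto: int, src: ipaddress.IPv4Address) -> bool:
    """True if any rule matches the IP protocol and source address. Ports are
    ignored on purpose: VRRP has none, so tcp/udp/icmp rules never match 112."""
    for rule in rules:
        name = str(rule["protocol"]).lower()
        if name != "all":
            number = PROTO_NUMBERS.get(name)
            if number is None:
                try:
                    number = int(name)
                except ValueError:
                    continue
            if number != proto:
                continue
        if src in ipaddress.ip_network(rule.get("cidr", "0.0.0.0/0")):
            return True
    return False


def classify(packet: bytes, rules) -> dict:
    """Report whether a packet is a VRRP advertisement and whether the rules admit it."""
    ip = parse_ipv4(packet)
    is_vrrp = ip["proto"] == VRRP_PROTO and ip["dst"] == VRRP_MULTICAST
    return {"is_vrrp": is_vrrp, "ttl_ok": ip["ttl"] == 255,
            "permitted": rule_permits(rules, ip["proto"], ip["src"]),
            "vrrp": parse_vrrp_v2(ip["payload"]) if is_vrrp else None}


# Constructed sample (assumed values): master 10.1.1.11 advertising VRID 51 for VIP 10.1.1.100.
SAMPLE_PACKET = build_ipv4("10.1.1.11", "224.0.0.18", VRRP_PROTO,
                           build_vrrp_v2_advert(vrid=51, priority=100, adver_int=1, vips=["10.1.1.100"]))
# The tcp/udp/icmp ingress rules mentioned in the thread, and the same list plus a protocol-112 rule.
THREAD_RULES = [{"protocol": p, "cidr": "0.0.0.0/0"} for p in ("tcp", "udp", "icmp")]
VRRP_RULES = THREAD_RULES + [{"protocol": "112", "cidr": "10.1.1.0/24"}]

if __name__ == "__main__":
    for label, rules in (("tcp/udp/icmp only", THREAD_RULES), ("plus protocol 112", VRRP_RULES)):
        print(label, classify(SAMPLE_PACKET, rules))
```

Run against the constructed packet, the tcp/udp/icmp rule list reports the advertisement as VRRP but not permitted, and the list with a protocol-112 entry permits it; flipping a byte of the VRRP message makes the parser flag a checksum mismatch while the IPv4 header still validates. On a real KVM host the useful check is the effective iptables/ebtables rule set attached to the VM's interface rather than the rule list in the API, since that is where the thread found the filtering happening.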


Re: Is VRRP possible inside KVM/ACS

Posted by Fariborz Navidan <md...@gmail.com>.
Any idea?

On Thu, Nov 21, 2019 at 3:56 PM Fariborz Navidan <md...@gmail.com>
wrote:

> Hello,
>
> Is it possible to configure VRRP inside KVM in a security group enabled
> advanced zone? Should I enable Promiscuous mode and forged transmit?
>