Look for Virtualization Experiences/Recommendations

Hello,

I wouldn’t normally virtualize a router/firewall but since this doesn’t have a WAN interface I’m not as concerned about a security breach of the underlying hypervisor platform (only very, not extremely).

We use KVM/QEMU/Libvirt for virtualization and our virtualization hosts have an uplink to a trunk port on our switches where all VLANs are tagged. To give a virtual guest access to a specific VLAN we create a VLAN interface on the virtualization host and create a bridge for that VLAN interface and use the bridge as an interface for the guest that needs a particular VLAN. This works well.

For a VyOS install we use VLANs and firewall zones extensively and do this by abstracting the physical interfaces (NICs) via a bonded interface, so our interface names are bond0.10, bond0.20, bond0.40, etc with bond0 being 1 or 2 real interfaces. This is easy on bare metal since it links up to a trunk port and if we want a new VLAN/Zone we add a new bond0.X in VyOS and a new VLAN on the switch.

With virtualization I’d have to have 10-30 “real interfaces” (the bridges on the virtualization host). So instead of bond0.10, 20, 40, etc it would be eth1, eth2, eth3, etc and naming those according to their associated VLANs. This in my opinion would be error prone and is too much overhead (mentally). In this scenario to add a new VLAN/Zone I’d have to add the VLAN to the switch, create the VLAN and bridge interfaces on the virtualization host and reload the network config to make it active, add the new bridge to the VyOS guest as a new NIC then configure the new NIC in VyOS (and I’m not sure if the new NIC will show without rebooting the guest).

Instead I could dedicate a physical interface to the VyOS guest and continue as if it were bare metal (interface configuration wise). But here I think I’d lose out on allowing other guests to use the dedicated interface.

I’ve read something about VLAN aware bridging but didn’t understand it enough to know if it applies.

I haven’t used OpenVswitch and don’t know if it could be used to keep things mentally simple and manageable.

Have any of you found a maintainable and reliable method of using multiple VLANs with a VyOS virtual guest, and do you have any other experiences with using VyOS as a virtual guest that only became obvious once it was put into production?

Thank you.

Usually, there are two approaches:

  1. Passthrough physical NICs (or virtual functions) to VyOS, and let VyOS handle traffic for all VMs and the hypervisor. This is used when you primarily route traffic, for example, if this is a single hypervisor in the network segment.

  2. Using virtual VLAN-aware switches on a hypervisor. OVS is a great example of such a tool. It acts like a real switch between a physical network and VMs and handles all the switching operations. Used when you have a lot of traffic between VMs in the same subnet on different hypervisors. This seems to be the option for your case. Add physical interfaces to OVS, create one interface for VyOS, and work with it just as if it were a physical router, by adding VLANs.

With OVS you may need to pay attention to its switching performance. It is limited to something like 1 Mpps per interface with default settings (probably almost all examples you can find on the Internet). If you expect to forward more traffic, you need to use an accelerated backend: DPDK Support — Open vSwitch 3.3.90 documentation

Good luck! :slight_smile:
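As an added example that is not part of the thread, nor of the VyOS or Open vSwitch projects' own code: the OVS approach from the answer above expressed as one dry-run shell script, so that the VLAN list is defined once and the three artifacts that must agree (the OVS bridge and bond on the hypervisor, the libvirt `<interface>` trunk port for the VyOS domain, and the `vif` sub-interfaces inside VyOS) are all derived from it. The names `ovsbr0`, `bond0`, the uplinks `eth0`/`eth1`, the guest NIC `eth1`, the VLAN ids 10/20/40 and the `10.0.<vlan>.1/24` addressing are assumptions for illustration; LACP on the bond assumes the switch side is configured for it. Nothing is applied unless `APPLY=1` is set and `ovs-vsctl` is installed.

```shell
#!/bin/sh
# Added example, not from the forum thread or from VyOS/OVS documentation.
# Generates (dry-run) the hypervisor OVS commands, the libvirt interface
# fragment for the VyOS guest, and the matching VyOS vif commands from a
# single VLAN list. All names below are assumed for illustration.

VLANS="10 20 40"          # constructed VLAN list: the one place to edit
OVS_BRIDGE="ovsbr0"       # assumed OVS bridge name on the hypervisor
OVS_BOND="bond0"          # assumed OVS bond name
PHYS_NICS="eth0 eth1"     # assumed hypervisor uplinks to the switch trunk
GUEST_IF="eth1"           # assumed name VyOS gives the virtio NIC

# Hypervisor side: one OVS bridge; the uplinks become an LACP bond on it.
ovs_setup_cmds() {
    echo "ovs-vsctl --may-exist add-br $OVS_BRIDGE"
    echo "ovs-vsctl --may-exist add-bond $OVS_BRIDGE $OVS_BOND $PHYS_NICS lacp=active"
    echo "ovs-vsctl set port $OVS_BOND bond_mode=balance-tcp"
}

# libvirt <interface> for the VyOS domain: a trunk port on the OVS bridge.
# Listing the tags explicitly (rather than omitting <vlan>, which trunks
# every VLAN present on the bridge) restricts the guest to the VLANs it
# is meant to route; adding a zone later means adding one tag here.
libvirt_interface_xml() {
    echo "<interface type='bridge'>"
    echo "  <source bridge='$OVS_BRIDGE'/>"
    echo "  <virtualport type='openvswitch'/>"
    echo "  <vlan trunk='yes'>"
    for v in $VLANS; do
        echo "    <tag id='$v'/>"
    done
    echo "  </vlan>"
    echo "  <model type='virtio'/>"
    echo "</interface>"
}

# VyOS side: the same VLAN list as vif sub-interfaces on the single guest
# NIC, mirroring bond0.10/bond0.20/bond0.40 on bare metal.
vyos_vif_cmds() {
    for v in $VLANS; do
        echo "set interfaces ethernet $GUEST_IF vif $v description 'VLAN$v'"
        echo "set interfaces ethernet $GUEST_IF vif $v address 10.0.$v.1/24"
    done
}

# Consistency check: the XML fragment and the VyOS commands must carry the
# same number of VLANs as the list they were generated from.
vlan_count() {
    set -- $VLANS
    echo "$#"
}

if [ "${APPLY:-0}" = "1" ] && command -v ovs-vsctl >/dev/null 2>&1; then
    ovs_setup_cmds | sh -e
else
    echo "# hypervisor (OVS), $(vlan_count) VLANs trunked:"
    ovs_setup_cmds
    echo "# libvirt domain XML fragment:"
    libvirt_interface_xml
    echo "# VyOS:"
    vyos_vif_cmds
fi
```

Run it without `APPLY=1` to review the three generated pieces side by side; the libvirt fragment is pasted into the domain definition (`virsh edit`), and because the guest sees a single NIC the VyOS configuration stays in the familiar `ethX vif N` form instead of one NIC per VLAN.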