I just finished setting up open vSwitch as my VLAN isolation technology. So by now I have isolated networks and am able to group VMs into these networks. Of course I now want to be able to access certain services inside of those isolated networks. That’s where OpenNebula’s Virtual Router Appliance comes into play.
For basic setup and usage the OpenNebula Documentation is quite sufficient: http://docs.opennebula.org/4.8/administration/networking/router.html
So I set up my VR (Virtual Router) to feature 2 NICs. One of which I attached to my casual public network, while I created a fresh Virtual Network for the private network. For the private network I used a completely different IP range like 10.10.0.0/24. This network also is isolated via OpenVSwitch.
The complete contextualization part of the template for the VR looks like this:
However after setting up my router I encountered some strange behavior in that I was not able to route through to a vm hosted on another physical machine.
For quite a while I thought it had to do with the VR (since isolation worked ever since before), but then I moved all VMs to the same host machine and voilá Routing worked! So I dug deeper and found out that open vSwitch produced VLAN-IDs that were not valid for my Cisco Switch! (Valid IDs Range from 1 – 1002 in normal mode and extend from 1006 – 4094 in extended mode) Somewhere I read that the IDs are generated from the VM ID + some HASH value. At that time I already had rather high VM IDs, so maybe together with the HASH-value my VLAN-IDs extended beyond Cisco’s valid range.
By setting my VLAN-ID manually in the Virtual Network I now have a stable working isolated Virtual Network wired up to the world through my Virtual Router.
However I will need to further investigate into that VLAN-ID generation problem, since it’s a very useful feature.