802.1Q VLAN network setup

Hello,

I have a question about how to isolate two VM networks using 802.1Q VLAN networks.


**Version:** 5.4.6

**Environment setting**

```
brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.0025909452b4       no              enp1s0f0
                                                        one-10-0
                                                        one-17-0
                                                        one-18-0
                                                        one-9-0
br1             8000.0025909452b5       no              enp1s0f1
                                                        enp1s0f1.71
                                                        enp1s0f1.72
                                                        one-11-0
                                                        one-17-1
                                                        one-18-1
virbr0          8000.52540042dc03       yes             virbr0-nic
```

and I have created two 802.1Q networks

VLAN Network 1

```
BRIDGE               br1
FILTER_IP_SPOOFING   YES
FILTER_MAC_SPOOFING  YES
PHYDEV               enp1s0f1
SECURITY_GROUPS      0
VLAN_ID              71
VN_MAD               vxlan
```

VLAN Network 2

```
BRIDGE               br1
FILTER_IP_SPOOFING   YES
FILTER_MAC_SPOOFING  YES
PHYDEV               enp1s0f1
SECURITY_GROUPS      0
VLAN_ID              72
VN_MAD               802.1Q
```

and then created 2 VMs with the following network config

– VM 1 –

```
ETH1_CONTEXT_FORCE_IPV4="",
ETH1_DNS="",
ETH1_GATEWAY="",
ETH1_GATEWAY6="",
ETH1_IP="192.168.72.10",
ETH1_IP6="",
ETH1_IP6_PREFIX_LENGTH="",
ETH1_IP6_ULA="",
ETH1_MAC="02:00:c0:a8:48:0a",
ETH1_MASK="",
ETH1_MTU="",
ETH1_NETWORK="",
ETH1_SEARCH_DOMAIN="",
ETH1_VLAN_ID="71",
ETH1_VROUTER_IP="",
ETH1_VROUTER_IP6="",
ETH1_VROUTER_MANAGEMENT="",
NETWORK="YES",
```

– VM 2 –

```
ETH1_CONTEXT_FORCE_IPV4="",
ETH1_DNS="",
ETH1_GATEWAY="",
ETH1_GATEWAY6="",
ETH1_IP="192.168.72.20",
ETH1_IP6="",
ETH1_IP6_PREFIX_LENGTH="",
ETH1_IP6_ULA="",
ETH1_MAC="02:00:c0:a8:48:14",
ETH1_MASK="",
ETH1_MTU="",
ETH1_NETWORK="",
ETH1_SEARCH_DOMAIN="",
ETH1_VLAN_ID="72",
ETH1_VROUTER_IP="",
ETH1_VROUTER_IP6="",
ETH1_VROUTER_MANAGEMENT="",
NETWORK="YES",
```

**Problem:** The problem is that VM1 and VM2 are able to ping each other.

**Expected results:** My expected result is that they are isolated by the different VLANs.

Have I made a mistake? Please advise.

Thanks!

Use different bridges for different VLANs, you may still use the same physical interface.

So do I need to have another physical interface bound to another bridge?

Or does Nebula support binding the same physical interface to different interfaces? If that is not possible, is there any further suggestion for how I can isolate two customers' private LANs?

Thanks!

I just tested this and it is allowed. It isolates the different VLANs as well.

```
br1             8000.0025909452b5       no              enp1s0f1
onebr.71        8000.0025909452b5       no              enp1s0f1.71
                                                        one-46-1
onebr.72        8000.0025909452b5       no              enp1s0f1.72
                                                        one-47-1
                                                        one-48-1
```

Thanks!
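Added example, not part of any post in this thread: a check that parses `brctl show` output and reports any bridge with more than one VLAN sub-interface attached, which is the state of `br1` in the first listing (`enp1s0f1.71` and `enp1s0f1.72` on the same bridge put both VLANs in one layer-2 domain). The function names are hypothetical and the sample text is constructed, with its column layout rebuilt from the two outputs posted above.

```python
import re

# Constructed samples: layout rebuilt from the two `brctl show` outputs in the thread.
BEFORE = """\
bridge name     bridge id               STP enabled     interfaces
br1             8000.0025909452b5       no              enp1s0f1
                                                        enp1s0f1.71
                                                        enp1s0f1.72
                                                        one-17-1
"""
AFTER = """\
bridge name     bridge id               STP enabled     interfaces
br1             8000.0025909452b5       no              enp1s0f1
onebr.71        8000.0025909452b5       no              enp1s0f1.71
                                                        one-46-1
onebr.72        8000.0025909452b5       no              enp1s0f1.72
                                                        one-47-1
"""
# A VLAN sub-interface is named <parent>.<vlan id>, e.g. enp1s0f1.71
VLAN_PORT = re.compile(r"^[^.]+\.(\d+)$")

def parse_brctl(text):
    """Map each bridge name to the list of ports attached to it."""
    bridges, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("bridge name"):
            continue
        fields = line.split()
        if line[0].isspace():  # continuation line: more ports of the bridge above
            if current is not None:
                bridges[current].extend(fields)
        else:  # new bridge: name, id, STP flag, then an optional first port
            current = fields[0]
            bridges[current] = fields[3:]
    return bridges

def merged_vlans(bridges):
    """Return {bridge: [vlan ids]} for bridges that join two or more VLANs."""
    findings = {}
    for bridge, ports in bridges.items():
        vids = sorted({int(m.group(1)) for p in ports if (m := VLAN_PORT.match(p))})
        if len(vids) > 1:
            findings[bridge] = vids
    return findings

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, merged_vlans(parse_brctl(sample)) or "no bridge mixes VLANs")
```

On a hypervisor the same functions can be fed the live output, for example via `subprocess.run(["brctl", "show"], capture_output=True, text=True).stdout`.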