
Oracle® VM Server for SPARC 3.6 Administration Guide


Updated: September 2019
 
 

Using Trusted Virtual Networks

The trusted virtual network feature extends privileges to trusted guest domains so that they can dynamically assign custom alternate MAC addresses and alternate VLAN IDs to the vnet device. These MAC addresses and VLAN IDs are used to configure virtual devices. Prior to the introduction of this feature, you could make such assignments only from the Logical Domains Manager. Moreover, assigning alternate MAC addresses also required that the domain hosting the virtual network device be in the bound state. This feature enables the dynamic creation of virtual devices such as VNICs and VLANs on top of virtual network devices.

To use the trusted virtual network feature on a vnet device, you must create or configure the device in trusted mode by using the Logical Domains Manager. By default, a vnet device is created with trusted mode disabled.

The trusted virtual network feature seamlessly supports the live migration, service domain reboot, and multiple service domain features.

Trusted Virtual Network Requirements and Restrictions

You can configure a trusted virtual network by using the ldm add-vnet and ldm set-vnet commands to set the custom=enable property. Note that you should provide values for the custom/max-mac-addrs and custom/max-vlans properties to ensure that the number of custom MAC addresses and VLANs is limited for the specified virtual network device. Both property values are set to 4096 by default.

The trusted virtual network feature requires at least the Oracle Solaris 11.3 SRU 8 OS.

Both the guest domain that has the custom virtual network device and the service domain that has the corresponding virtual switch device require the latest level of the supported system firmware.

    To configure a trusted virtual network, you must specify the following information:

  • custom Enable or disable the trusted virtual network feature. This feature enables a trusted entity to add custom alternate VLAN IDs and custom alternate MAC addresses dynamically.

  • custom/max-mac-addrs Specify the maximum number of custom alternate MAC addresses to be configured on a particular trusted virtual network device.

  • custom/max-vlans Specify the maximum number of custom alternate VLAN IDs to be configured on a particular trusted virtual network device.

    The following restrictions are for the trusted virtual network feature:

  • You cannot use the Logical Domains Manager to configure alternate MAC addresses or VLAN IDs on a given trusted virtual network.

  • To modify custom or existing alternate MAC addresses, the domain must be in the bound state.

  • You can increase the custom/max-mac-addrs and custom/max-vlans property values dynamically. However, the domain must be in the bound state to reduce these property values.


    Note - Reducing these property values might cause undesirable side effects. So, ensure that you delete any of the VNICs or VLANs created on the host that you do not need because you have no control over which MAC addresses or VLAN IDs the OS will retain.

    Also, set custom=disable on the virtual network device before using the ldm set-vnet command to reduce the number of maximum VLAN IDs and MAC addresses for the custom virtual network device.



    Caution - The effective use of this feature is to limit and control these properties.


  • Ensure that any VNIC and VLAN devices that have been created are removed before you reduce the number of custom VLAN IDs or custom alternate MAC addresses. Otherwise, the guest domain will have VNICs that cannot be configured and must be removed manually.

  • The dladm show-vnic -m command shows the MAC addresses and VLAN IDs that are configured on the specified virtual network. The dladm show-vnic -m command shows the alternate MAC addresses and VLAN IDs in use on the guest domain. This is a departure from older releases, in which all alternate MAC addresses and VLAN IDs were preconfigured on the virtual switch.

  • The trusted virtual network feature is mutually exclusive with the PVLAN feature.

  • The Logical Domains Manager attempts to validate the guest domain and service domain support for this feature before enabling the custom feature. If the guest domain is not running, you can enable this feature if the service domain supports it. However, if the guest domain does not support the feature, you must set custom=disabled before you re-enable non-custom alternate MAC addresses and VLAN IDs.

  • You can perform a live migration of a domain with trusted virtual networks only if the target service domain supports the trusted virtual network feature.

Configuring Trusted Virtual Networks

This section includes tasks that show how to create trusted virtual networks and how to obtain information about trusted virtual networks.

You can configure a trusted virtual network by setting the custom property value by using the ldm add-vnet or ldm set-vnet command. See the ldm(8) man page.

Example 53  Creating a Trusted Virtual Network

You can use the following commands to create a trusted virtual network ldg1_vnet0 on the primary-vsw0 virtual switch in the ldg1 domain. The custom/max-mac-addrs and custom/max-vlans property values use the default values of 4096.

primary# ldm add-vnet custom=enable ldg1_vnet0 primary-vsw0 ldg1
primary# ldm list -o network ldg1
...
NETWORK
    NAME         SERVICE                MACADDRESS          PVID|PVLAN|VIDs
    ----         -------                ----------          ---------------
    ldg1-vnet0   primary-vsw0@primary   00:14:4f:fa:d7:5e   1|--|--      
            DEVICE     :network@1       ID   :1              
            LINKPROP   :phys-state      MTU  :1500           
            MAXBW      :--              MODE :--             
            CUSTOM     :enable         
            MAX-CUSTOM-MACS:4096        MAX-CUSTOM-VLANS:4096
            PRIORITY   :--              COS  :--             
            PROTECTION :--

Example 54  Enabling the Trusted Virtual Network Feature on an Existing Virtual Network

The following example shows how to enable the trusted virtual network feature by setting custom=enable for the ldg1_vnet0 virtual network device in the ldg1 domain. The custom/max-mac-addrs and custom/max-vlans property values use the default values of 4096.

primary# ldm set-vnet custom=enabled ldg1_vnet0 ldg1
primary# ldm list -o network ldg1
...
NETWORK
    NAME         SERVICE                MACADDRESS          PVID|PVLAN|VIDs
    ----         -------                ----------          ---------------
    ldg1-vnet0   primary-vsw0@primary   00:14:4f:fa:d7:5e   1|--|--      
            DEVICE     :network@1       ID   :1              
            LINKPROP   :phys-state      MTU  :1500           
            MAXBW      :--              MODE :--             
            CUSTOM     :enable         
            MAX-CUSTOM-MACS:4096        MAX-CUSTOM-VLANS:4096
            PRIORITY   :--              COS  :--             
            PROTECTION :--

Example 55  Setting the custom/max-mac-addrs and custom/max-vlans Properties

The following example sets the custom/max-vlans property value to 12 and the custom/max-mac-addrs property value to 13.

Because these new property values are lower than the previous values, you cannot change these settings dynamically. You can make these changes only to a bound or inactive domain.

primary# ldm stop ldg1
primary# ldm set-vnet custom/max-vlans=12 custom/max-mac-addrs=13 ldg1_vnet0 ldg1
primary# ldm list -o network ldg1
...
NETWORK
    NAME         SERVICE                MACADDRESS          PVID|PVLAN|VIDs
    ----         -------                ----------          ---------------
    ldg1-vnet0   primary-vsw0@primary   00:14:4f:fa:d7:5e   1|--|--      
            DEVICE     :network@1       ID   :1              
            LINKPROP   :phys-state      MTU  :1500           
            MAXBW      :--              MODE :--             
            CUSTOM     :enable         
            MAX-CUSTOM-MACS:13          MAX-CUSTOM-VLANS:12
            PRIORITY   :--              COS  :--             
            PROTECTION :--

Example 56  Resetting the custom/max-mac-addrs and custom/max-vlans Properties

The following example shows how to reset the custom/max-mac-addrs property value to its default of 4096 by specifying a null value.

When custom=enabled, you can reset the custom/max-vlans property value, the custom/max-mac-addrs property value, or both.

primary# ldm set-vnet custom/max-mac-addrs= ldg1_vnet0 ldg1
primary# ldm list -o network ldg1
...
NETWORK
    NAME         SERVICE                MACADDRESS          PVID|PVLAN|VIDs
    ----         -------                ----------          ---------------
    ldg1-vnet0   primary-vsw0@primary   00:14:4f:fa:d7:5e   1|--|--      
            DEVICE     :network@1       ID   :1              
            LINKPROP   :phys-state      MTU  :1500           
            MAXBW      :--              MODE :--             
            CUSTOM     :enable         
            MAX-CUSTOM-MACS:4096          MAX-CUSTOM-VLANS:12
            PRIORITY   :--              COS  :--             
            PROTECTION :--

Example 57  Changing the custom/max-mac-addrs and custom/max-vlans Property Values

The following example shows how to increase the custom/max-vlans property value and decrease the custom/max-mac-addrs property value. You can increase the custom/max-vlans property value to 24 dynamically, because 24 is larger than the previous value of 12. However, because you are reducing the maximum value for custom/max-mac-addrs from 4096 to 11, you must first stop the domain.

primary# ldm set-vnet custom/max-vlans=24 ldg1_vnet0 ldg1
primary# ldm stop ldg1
primary# ldm set-vnet custom/max-mac-addrs=11 ldg1_vnet0 ldg1
primary# ldm list -o network ldg1
...
NETWORK
    NAME         SERVICE                MACADDRESS          PVID|PVLAN|VIDs
    ----         -------                ----------          ---------------
    ldg1-vnet0   primary-vsw0@primary   00:14:4f:fa:d7:5e   1|--|--      
            DEVICE     :network@1       ID   :1              
            LINKPROP   :phys-state      MTU  :1500           
            MAXBW      :--              MODE :--             
            CUSTOM     :enable         
            MAX-CUSTOM-MACS:11          MAX-CUSTOM-VLANS:24
            PRIORITY   :--              COS  :--             
            PROTECTION :--

Example 58  Disabling the Trusted Virtual Network Feature

The following example shows how to disable the custom property for the ldg1_vnet0 virtual network device in the ldg1 domain.

primary# ldm set-vnet custom=disabled ldg1_vnet0 ldg1
primary# ldm list -o network ldg1
...
NETWORK
    NAME         SERVICE                MACADDRESS          PVID|PVLAN|VIDs
    ----         -------                ----------          ---------------
    ldg1-vnet0   primary-vsw0@primary   00:14:4f:fa:d7:5e   1|--|--      
            DEVICE     :network@1       ID   :1              
            LINKPROP   :phys-state      MTU  :1500           
            MAXBW      :--              MODE :--             
            CUSTOM     :disable
            PRIORITY   :--              COS  :--             
            PROTECTION :--

Viewing Trusted Virtual Network Information

You can obtain information about trusted virtual network settings by using several of the Logical Domains Manager list subcommands. See the ldm(8) man page.

    The following examples use the ldm list-domain -o network, ldm list-bindings, and ldm list-constraints commands to show information about a trusted virtual network configuration.

  • The following example shows how to use the ldm list-domain command to view trusted virtual network configuration information for the ldg1 domain:

    primary# ldm list-domain -o network ldg1
    ...
    NETWORK
        NAME         SERVICE                MACADDRESS          PVID|PVLAN|VIDs
        ----         -------                ----------          ---------------
        ldg1-vnet0   primary-vsw0@primary   00:14:4f:fa:d7:5e   1|--|--      
                DEVICE     :network@1       ID   :1              
                LINKPROP   :phys-state      MTU  :1500           
                MAXBW      :--              MODE :--             
                CUSTOM     :enable         
                MAX-CUSTOM-MACS:11          MAX-CUSTOM-VLANS:24
                PRIORITY   :--              COS  :--             
                PROTECTION :--
  • The following example shows how to use the ldm list-domain command to view trusted virtual network configuration information in a parseable form for the ldg1 domain:

    primary# ldm list-domain -o network -p ldg1
    VERSION 1.19
    DOMAIN|name=ldg1|
    MAC|mac-addr=00:14:4f:f9:4b:d0
    VNET|name=ldg1-vnet0|dev=network@1|service=primary-vsw0@primary|mac-addr=00:14:4f:fa:d7:5e|mode=|pvid=1|vid=|mtu=1500|linkprop=phys-state|id=1|alt-mac-addrs=|maxbw=|pvlan=|protection=|priority=|cos=|custom=enable|max-mac-addrs=11|max-vlans=24
  • The following example shows how to use the ldm list-bindings command to view trusted virtual network configuration information for the ldg1 domain:

    primary# ldm list-bindings -e -o network ldg1
    ...
    NETWORK
        NAME         SERVICE                MACADDRESS          PVID|PVLAN|VIDs
        ----         -------                ----------          ---------------
        ldg1-vnet0   primary-vsw0@primary   00:14:4f:fa:d7:5e   1|--|--      
                DEVICE     :network@1       ID   :1              
                LINKPROP   :phys-state      MTU  :1500           
                MAXBW      :--              MODE :--             
                CUSTOM     :enable         
                MAX-CUSTOM-MACS:11          MAX-CUSTOM-VLANS:24
                PRIORITY   :--              COS  :--             
                PROTECTION :--             
    
            PEER                   MACADDRESS          PVID|PVLAN|VIDs
            ----                   ----------          ---------------
            primary-vsw0@primary   00:14:4f:f9:08:28   1|--|--      
                LINKPROP   :--              MTU  :1500           
                MAXBW      :--              LDC  :0x5
                MODE       :--
  • The following example shows how to use the ldm list-bindings command to view trusted virtual network configuration information in a parseable form for the ldg1 domain:

    primary# ldm list-bindings -p ldg1
    ...
    VNET|name=ldg1-vnet0|dev=network@1|service=primary-vsw0@primary|mac-addr=00:14:4f:fa:d7:5e|mode=|pvid=1|vid=|mtu=1500|linkprop=phys-state|id=1|alt-mac-addrs=|maxbw=|pvlan=|protection=|priority=|cos=|custom=enable|max-mac-addrs=11|max-vlans=24
    |peer=primary-vsw0@primary|mac-addr=00:14:4f:f9:08:28|mode=|pvid=1|vid=|mtu=1500|maxbw=
  • The following example shows how to generate XML by running the ldm list-constraints -x command:

    primary# ldm list-constraints -x ldg1
    ...
    <Section xsi:type="ovf:VirtualHardwareSection_Type">
      <Item>
        <rasd:OtherResourceType>network</rasd:OtherResourceType>
        <rasd:Address>auto-allocated</rasd:Address>
        <gprop:GenericProperty key="vnet_name">ldg1-vnet0</gprop:GenericProperty>
        <gprop:GenericProperty key="service_name">primary-vsw0</gprop:GenericProperty>
        <gprop:GenericProperty key="pvid">1</gprop:GenericProperty>
        <gprop:GenericProperty key="linkprop">phys-state</gprop:GenericProperty>
        <gprop:GenericProperty key="custom">enable</gprop:GenericProperty>
        <gprop:GenericProperty key="max-mac-addrs">11</gprop:GenericProperty>
        <gprop:GenericProperty key="max-vlans">24</gprop:GenericProperty>
        <gprop:GenericProperty key="device">network@1</gprop:GenericProperty>
        <gprop:GenericProperty key="id">1</gprop:GenericProperty>
      </Item>
    </Section>
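
The Caution earlier in this section says the feature is used effectively when the custom limits are constrained, and the parseable output above exposes custom, max-mac-addrs and max-vlans for each device. The following added example (not part of the Oracle guide) reads that output and reports trusted vnet devices whose limits exceed a site-chosen cap. The function names, the caps 16 and 32, and the ldg2 and ldg3 sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Oracle guide. Audits trusted vnet limits.
# Real use on the control domain (command form taken from this page):
#   ldm list-domain -o network -p | audit_trusted_vnets 16 32
# The caps 16 and 32 are a hypothetical site policy, not Oracle guidance.

audit_trusted_vnets() {    # args: MAX_MACS MAX_VLANS; input: stdin
    awk -F'|' -v capm="$1" -v capv="$2" '
        $1 == "DOMAIN" {                    # track which domain we are in
            for (i = 2; i <= NF; i++)
                if ($i ~ /^name=/) dom = substr($i, 6)
        }
        $1 == "VNET" {                      # one record per vnet device
            name = ""; custom = ""; macs = ""; vlans = ""
            for (i = 2; i <= NF; i++) {
                eq = index($i, "=")
                if (eq == 0) continue
                k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
                if (k == "name") name = v
                else if (k == "custom") custom = v
                else if (k == "max-mac-addrs") macs = v
                else if (k == "max-vlans") vlans = v
            }
            if (custom != "enable") next    # only trusted-mode devices are audited
            if (macs + 0 > capm + 0)
                printf "%s %s max-mac-addrs=%s cap=%s\n", dom, name, macs, capm
            if (vlans + 0 > capv + 0)
                printf "%s %s max-vlans=%s cap=%s\n", dom, name, vlans, capv
        }'
}

# Constructed sample: the ldg1 values come from this page; the ldg2 and ldg3
# records are invented, and all field lists are trimmed for readability.
sample_ldm_output() {
    cat <<'EOF'
VERSION 1.19
DOMAIN|name=ldg1|
MAC|mac-addr=00:14:4f:f9:4b:d0
VNET|name=ldg1-vnet0|dev=network@1|service=primary-vsw0@primary|pvid=1|pvlan=|custom=enable|max-mac-addrs=11|max-vlans=24
DOMAIN|name=ldg2|
VNET|name=ldg2-vnet0|dev=network@0|service=primary-vsw0@primary|pvid=1|pvlan=|custom=enable|max-mac-addrs=4096|max-vlans=4096
VNET|name=ldg2-vnet1|dev=network@1|service=primary-vsw0@primary|pvid=1|pvlan=|custom=disable
DOMAIN|name=ldg3|
VNET|name=ldg3-vnet0|dev=network@0|service=primary-vsw0@primary|pvid=1|pvlan=|custom=enable|max-mac-addrs=13|max-vlans=64
EOF
}

sample_ldm_output | audit_trusted_vnets 16 32
```

A device left at the default of 4096 is reported for both properties. Lowering a reported limit is a reduction, so it can be made only to a bound or inactive domain, as Example 55 shows.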