Network Bonds, Bridges, VLANs in Linux (specifically CentOS7/RHEL7)
- Bonding is used to bond 2 or more network interfaces in order to make them act as 1; this can be used for increased throughput and or fault tolerance.
- Bridging is used to unite 2 or more network segments, a bridge acts as a virtual switch; this can be used to connected virtual network interfaces of virtual guests to the physical interface of a physical server.
- VLANs are layer 2 broadcast domains that are partitioned from each other; they are typically used to create mutilple virtual LANs on switch instead of having a single broadcast domain. They are useful for creating separate networks for different devices, departments, security sensitive devices, etc on the same switching hardware.
Bonded Network Interface
- Disable NetworkManager
systemctl stop NetworkManager systemctl disable NetworkManager
- Take note of the names of your NICs and their MAC addresses
ip link
In my case they are called eno1 and eno2 so you will need to substitute your own values accordingly in the following steps.
Setup your switch ports as an LACP trunk. You'll need to consult your documentation on how to do that.
- Edit /etc/sysconfig/network-scripts/ifcfg-eno1
DEVICE=eno1 NM_CONTROLLED=no BOOTPROTO=none NAME=eno1 ONBOOT=yes SLAVE=yes MASTER=bond0
- Edit /etc/sysconfig/network-scripts/ifcfg-eno2
DEVICE=eno2 NM_CONTROLLED=no BOOTPROTO=none NAME=eno2 ONBOOT=yes SLAVE=yes MASTER=bond0
- Edit /etc/sysconfig/network-scripts/ifcfg-bond0
Note: Redhat states as of RHEL7 that the bonding module doesn't support STP so the network switch shouldn't send BDPU packets over the bonded ports: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-configuring_a_vlan_over_a_bond
DEVICE=bond0 NAME=bond0 IPADDR=10.1.1.5 NETMASK=255.255.255.0 GATEWAY=10.1.1.1 DNS1=10.1.1.1 DNS2=10.1.1.2 ONBOOT=yes USERCTL=no BONDING_OPTS="mode=4 miimon=100 lacp_rate=1" NM_CONTROLLED=no
Restart your server so that the bonding module is loaded with the correct options during boot.
- Check that the bond0 interface is up
ip addr
Bridged Network Interface
- Turn off Network manager:
systemctl disable NetworkManager systemctl stop NetworkManager
To find the HWADDR do this: ethtool -P <if-name>
In the /etc/sysconfig/network-scripts directory it is necessary to create 2 config files. The first (ifcfg-eth1) (or ifcfg-em1 or em0 or eth0 etc) defines your physical network interface, and says that it will be part of a bridge:
vim /etc/sysconfig/network-scripts/ifcfg-eth1 DEVICE=eth1 HWADDR=00:16:76:D6:C9:45 (Use your HWADDR/mac address here) ONBOOT=yes BRIDGE=br0 NM_CONTROLLED=no
- The second config file (ifcfg-br0) defines the bridge device
vim /etc/sysconfig/network-scripts/ifcfg-br0 DEVICE=br0 TYPE=Bridge BOOTPROTO=none ONBOOT=yes DELAY=0 NM_CONTROLLED=no
WARNING: The line TYPE=Bridge is case-sensitive - it must have uppercase 'B' and lower case 'ridge' Also, if you have only 1 Ethernet adapter you will want to give the Bridge device an IP on your LAN for management, see static IP example below. After changing this restart networking (or simply reboot) .
systemctl restart network
Example of ifcfg-br0 for static IP:
DEVICE=br0 TYPE=Bridge BOOTPROTO=static ONBOOT=yes DELAY=0 NM_CONTROLLED=no IPADDR=10.222.190.249 NETWORK=10.222.190.0 NETMASK=255.255.255.0 GATEWAY=10.222.190.250 DNS1=208.67.220.220 DNS2=208.67.222.222
VLAN configuration
Sources: 1
Configure the parent interface in /etc/sysconfig/network-scripts/ifcfg-ethX, where X is a unique number corresponding to a specific interface, as follows:
DEVICE=ethX
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes
Configure the VLAN interface configuration in the /etc/sysconfig/network-scripts/ directory. The configuration file name should be the parent interface plus a . character plus the VLAN ID number. For example, if the VLAN ID is 192, and the parent interface is eth0, then the configuration file name should be ifcfg-eth0.192:
DEVICE=ethX.192
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.1.1
PREFIX=24
NETWORK=192.168.1.0
VLAN=yes
If there is a need to configure a second VLAN, with for example, VLAN ID 193, on the same interface, eth0, add a new file with the name eth0.193 with the VLAN configuration details.
Restart the networking service in order for the changes to take effect. As root issue the following command:
systemctl restart network
Steps for a Virtualization Host
This will bond 2 or more NICs for LACP, then create a bridge to that bond and add a static IP for the management LAN, then create VLANs for the different networks that virtual guests will be connected to, then create bridges for each of those VLANs.
Why is the management LAN bridged directly to the bond? Because we want to be able to access the virtual host without a managed switch in case of emergency. This means on the switch port, the management VLAN should be untagged and all other VLANs should be tagged.
When creating the bridge name, make it's name reflect the tagged VLAN it's to be used with, e.g. VLAN 20 would be DEVICE=bond0.20 and BRIDGE=br20
1. Create the bond file
- ifcfg-bond0
DEVICE=bond0 ONBOOT=yes TYPE=Ethernet NM_CONTROLLED=no USERCTL=no BOOTPROTO=none BONDING_OPTS="mode=4 miimon=100 lacp_rate=1" BRIDGE=br0 NAME="LACP bond0"
2. Modify the interface files for use with bond
- ifcfg-em1
DEVICE=em1 ONBOOT=yes TYPE=Ethernet NM_CONTROLLED=no USERCTL=no BOOTPROTO=none MASTER=bond0 SLAVE=yes HWADDR=00:16:76:D6:C9:45 (use your own)
- ifcfg-em2
DEVICE=em2 ONBOOT=yes TYPE=Ethernet NM_CONTROLLED=no USERCTL=no BOOTPROTO=none MASTER=bond0 SLAVE=yes HWADDR=00:16:76:D6:C9:46 (use your own)
3. Create Management LAN bridge
- ifcfg-br0
DEVICE=br0 ONBOOT=yes TYPE=Bridge NM_CONTROLLED=no USERCTL=no BOOTPROTO=none IPADDR=172.21.21.10 NETMASK=255.255.255.0 GATEWAY=172.21.21.1 DNS1=172.21.21.1 DNS2=208.67.220.220 DELAY=0 STP=on NAME="Management LAN/Interface via br0"
4. Create VLANs to be used by virtual guests
- ifcfg-bond0.20
DEVICE=bond0.20 ONBOOT=yes TYPE=Ethernet NM_CONTROLLED=no USERCTL=no BOOTPROTO=none VLAN=yes BRIDGE=br20 NAME="VLAN20"
- ifcfg-bond0.30
DEVICE=bond0.30 ONBOOT=yes TYPE=Ethernet NM_CONTROLLED=no USERCTL=no BOOTPROTO=none VLAN=yes BRIDGE=br30 NAME="VLAN30"
5. Create Bridges for use with VLANs
(it's unknown if DELAY=2 is needed but this together with STP=off got the connection working where it wasn't otherwise)
- ifcfg-br20
DEVICE=br20 ONBOOT=yes TYPE=Bridge NM_CONTROLLED=no USERCTL=no BOOTPROTO=none DELAY=2 STP=off NAME="Bridge for VLAN20"
- ifcfg-br30
DEVICE=br30 ONBOOT=yes TYPE=Bridge NM_CONTROLLED=no USERCTL=no BOOTPROTO=none DELAY=2 STP=off NAME="Bridge for VLAN30"
Notes
Per Red Hat the switch ports for bonded ports should be configured in a specific way:
11.4.3. Switch Configuration for Bonding The following is an bond example configuration for a switch. Your switch configuration may look different.
interface Port-channel11 switchport access vlan 153 switchport mode access spanning-tree portfast disable spanning-tree bpduguard disable spanning-tree guard root interface GigabitEthernet0/16 switchport access vlan 153 switchport mode access channel-group 11 mode active interface GigabitEthernet0/17 switchport access vlan 153 switchport mode access