Authored By : Xiaohan Qin
A number of customers have enquired if PowerVM supports Private VLANs and how to configure it. Private VLAN (PVLAN) was introduced in RFC 5517 (https://tools.ietf.org/html/rfc5517) to support the growing multi-tenant environment. This blog explains how to configure PVLANs with PowerVM which allows providing better isolation for PowerVM tenants.
At a high level, an isolated private VLAN uses two VLANs, one primary VLAN and one secondary VLAN. The isolated end points (including physical and virtual NICs) are to be placed on the secondary VLAN (see Figure 1). One of the switch ports is to be configured with the primary VLAN (promiscuous port). The end ports on the secondary VLAN are only allowed to communicate with the promiscuous port on the primary VLAN, but not to each other.
Figure 1: PVLAN configuration with PowerVM Servers
PowerVM supports PVLANs via a new virtual switch mode called VEPA (Virtual Ethernet Port Aggregation), and leverages the external switch support of PVLANs. VEPA is defined in IEEE 802.1qbg standard. When a PowerVM virtual switch is set in VEPA mode, all the network traffic from VMs are forwarded to the trunk port and sent out on the physical NIC under SEA, preventing VM to VM communication through the internal virtual switch.
The configuration for PowerVM PVLAN support consists of two steps:
- Configuring isolated private VLANs on the physical switch ports (please refer to respective switch manuals)
- Configuring the VEPA mode on the virtual switch on the PowerVM server to achieve VM isolation within the server.
For the PowerVM hypervisor virtual switch, there are two ways to configure the VEPA mode. One is through IEEE 802.1qbg protocol negotiation with the adjacent physical switch. The minimum requirements include the following code levels and that the external switch supports VEPA negotiation (via the 802.1qbg protocol, now a part of 802.1Q).
- System Firmware 770
- HMC V7R7.8
- VIOS 22.214.171.124
The links below give detailed instructions on how to set the virtual switch to VEPA and enable 802.1qbg on Shared Ethernet Adapters(SEA).
For the switches that support IEEE 802.1qbg VEPA, please also verify that their 802.1qbg implementation is compatible with that of PVLAN.
For switches that do not support 802.1qbg VEPA negotiation (such as Cisco switches), an alternative method to enable VEPA mode is via HMC command chhwres to set the virtual switch to VEPA by force, without the negotiation with the external switch (requires HMC 830 or later). For the detailed syntax and semantics of chhwres, please refer to IBM Power System document. A sample of the command is given below ($server_name and $vswitch_name to be replaced with proper values)
chhwres -r virtualio -m $server_name -o s --rsubtype vswitch --vswitch $vswitch_name --force -a switch_mode=VEPA
The VEPA mode is also supported on all SR-IOV adapters on Power systems. Refer to “Introduction to SR-IOV FAQs” blog for details on systems that support SR-IOV. Figure 2 shows the advanced configuration menu for setting SR-IOV VEPA mode. Please note that the setting is applicable to vNIC as well as to directly attached logical port.
Figure 2: Advanced Configuration for SRIOV VEPA mode
In summary, PowerVM does support PVLANs as long as you have the correct PowerVM level (firmware, HMC, VIOS) and switches that support this configuration. It is simple to configure and gives you better tenant isolation and is very popular for cloud deployments.
Contacting the PowerVM Team
Have questions for the PowerVM team or want to learn more? Follow our discussion group on LinkedIn IBM PowerVM or IBM Community Discussions