Open vSwitch 3.3 Setup for VM VLAN Networking

Configure Open vSwitch 3.3 to create isolated virtual networks for VMs with VLAN tagging, bridge management, and advanced traffic control. Essential for virtualization environments requiring network segmentation and high-performance VM networking.

Prerequisites

Root access
Physical network interface for bridge connection
Basic understanding of networking concepts
Virtual machines or containers to connect

What this solves

Open vSwitch (OVS) provides advanced virtual networking capabilities for virtual machines, containers, and cloud environments. This tutorial configures OVS 3.3 with VLAN tagging, bridge management, and VM network integration for production virtualization environments requiring network isolation and traffic control.

Step-by-step installation

Update system packages

Start by updating your package manager to ensure compatibility with Open vSwitch dependencies.

sudo apt update && sudo apt upgrade -y

sudo dnf update -y

Install Open vSwitch and dependencies

Install Open vSwitch with kernel modules and utilities for bridge and VLAN management.

sudo apt install -y openvswitch-switch openvswitch-common openvswitch-dbg
sudo apt install -y bridge-utils net-tools

sudo dnf install -y openvswitch openvswitch-devel
sudo dnf install -y bridge-utils net-tools

Enable and start Open vSwitch services

Start the OVS database server and switch daemon for bridge and port management.

sudo systemctl enable --now openvswitch-switch
sudo systemctl enable --now ovsdb-server
sudo systemctl enable --now ovs-vswitchd

Initialize Open vSwitch database

Create the initial OVS database configuration if it doesn't exist.

sudo ovs-vsctl --may-exist init

Create virtual bridges and ports

Create primary bridge for VM networking

Create an OVS bridge that will serve as the main virtual switch for VM connections.

sudo ovs-vsctl add-br br0
sudo ovs-vsctl set bridge br0 protocols=OpenFlow10,OpenFlow13
sudo ip link set br0 up

Add physical interface to bridge

Connect a physical network interface to the OVS bridge for external connectivity. Replace eth0 with your actual interface name.

Warning: Adding your management interface to the bridge may cause connection loss. Use a dedicated interface for production deployments.

sudo ovs-vsctl add-port br0 eth1
sudo ip link set eth1 up

Create VLAN-aware bridge

Create a second bridge specifically configured for VLAN traffic segmentation.

sudo ovs-vsctl add-br br-vlan
sudo ovs-vsctl set bridge br-vlan protocols=OpenFlow10,OpenFlow13
sudo ip link set br-vlan up

Configure bridge with IP address

Assign an IP address to the bridge for management access and inter-VLAN routing.

sudo ip addr add 203.0.113.1/24 dev br0
sudo ip route add default via 203.0.113.1 dev br0

Configure VLAN tagging and trunking

Create VLAN access ports

Configure ports with specific VLAN tags for network isolation. These ports will tag all traffic with the specified VLAN ID.

sudo ovs-vsctl add-port br-vlan vlan100 -- set port vlan100 tag=100
sudo ovs-vsctl add-port br-vlan vlan200 -- set port vlan200 tag=200
sudo ovs-vsctl add-port br-vlan vlan300 -- set port vlan300 tag=300

Create VLAN trunk port

Configure a trunk port that carries multiple VLAN tags for connection to external switches or hypervisors.

sudo ovs-vsctl add-port br-vlan trunk0 -- set port trunk0 trunks=100,200,300,400
sudo ovs-vsctl set port trunk0 vlan_mode=trunk

Configure internal VLAN interfaces

Create internal interfaces for each VLAN to enable inter-VLAN routing and management.

sudo ovs-vsctl add-port br-vlan vlan100-int -- set interface vlan100-int type=internal
sudo ovs-vsctl set port vlan100-int tag=100
sudo ip link set vlan100-int up
sudo ip addr add 192.168.100.1/24 dev vlan100-int

sudo ovs-vsctl add-port br-vlan vlan200-int -- set interface vlan200-int type=internal
sudo ovs-vsctl set port vlan200-int tag=200
sudo ip link set vlan200-int up
sudo ip addr add 192.168.200.1/24 dev vlan200-int

Configure VLAN native port

Set up a port with a native (untagged) VLAN for devices that don't support VLAN tagging.

sudo ovs-vsctl add-port br-vlan native100 -- set port native100 tag=100
sudo ovs-vsctl set port native100 vlan_mode=access

Set up VM network integration

Create VM tap interfaces

Create TAP interfaces for virtual machine network connections with proper permissions.

sudo ip tuntap add mode tap tap0 user $(whoami)
sudo ip tuntap add mode tap tap1 user $(whoami)
sudo ip link set tap0 up
sudo ip link set tap1 up

Add VM interfaces to bridges

Connect VM TAP interfaces to appropriate OVS bridges with VLAN configuration.

sudo ovs-vsctl add-port br-vlan tap0 -- set port tap0 tag=100
sudo ovs-vsctl add-port br-vlan tap1 -- set port tap1 tag=200

Configure QoS policies

Apply Quality of Service rules to control bandwidth and prioritize traffic for VM interfaces.

sudo ovs-vsctl -- set port tap0 qos=@newqos -- --id=@newqos create qos type=linux-htb other-config:max-rate=100000000
sudo ovs-vsctl -- set port tap1 qos=@newqos -- --id=@newqos create qos type=linux-htb other-config:max-rate=50000000

Configure OpenFlow rules

Add flow rules for advanced traffic control and security policies between VLANs.

sudo ovs-ofctl add-flow br-vlan "priority=100,dl_vlan=100,dl_dst=ff:ff:ff:ff:ff:ff,actions=flood"
sudo ovs-ofctl add-flow br-vlan "priority=50,dl_vlan=100,dl_vlan=200,actions=drop"
sudo ovs-ofctl add-flow br-vlan "priority=10,actions=normal"

Monitor and troubleshoot OVS networks

Configure persistent network settings

Create systemd service to restore OVS configuration after reboots.

[Unit]
Description=Restore Open vSwitch Configuration
After=openvswitch-switch.service
Requires=openvswitch-switch.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/bin/ovs-restore.sh

[Install]
WantedBy=multi-user.target

Create restoration script

Create a script to restore bridge configurations and IP addresses after system restart.

#!/bin/bash
Restore OVS bridge configuration
ip link set br0 up
ip link set br-vlan up
ip addr add 203.0.113.1/24 dev br0
ip addr add 192.168.100.1/24 dev vlan100-int
ip addr add 192.168.200.1/24 dev vlan200-int
ip link set vlan100-int up
ip link set vlan200-int up

sudo chmod 755 /usr/local/bin/ovs-restore.sh
sudo systemctl enable ovs-restore.service

Enable SNMP monitoring

Configure SNMP agent for OVS monitoring integration with network management systems.

sudo apt install -y snmpd snmp-mibs-downloader

sudo dnf install -y net-snmp net-snmp-utils

sudo ovs-vsctl set-manager ptcp:6640
sudo systemctl restart snmpd

Verify your setup

sudo ovs-vsctl show
sudo ovs-vsctl list bridge
sudo ovs-ofctl dump-flows br-vlan
sudo ovs-vsctl list port
sudo ovs-appctl fdb/show br-vlan
ip addr show br0
ip addr show vlan100-int
sudo systemctl status openvswitch-switch

For comprehensive network monitoring integration, see our guide on automated network topology discovery with SNMP and LLDP to map your virtual infrastructure.

Common issues

Symptom	Cause	Fix
Bridge won't start	Kernel modules not loaded	`sudo modprobe openvswitch`
No connectivity through bridge	Bridge interface down	`sudo ip link set br0 up`
VLAN traffic not working	Incorrect VLAN configuration	`sudo ovs-vsctl list port \| grep vlan` to verify tags
VM can't connect to network	TAP interface not in bridge	`sudo ovs-vsctl list-ports br-vlan` to check ports
Inter-VLAN routing fails	Internal interfaces misconfigured	`sudo ip addr show vlan100-int` to verify IPs
QoS policies not applied	Incorrect QoS syntax	`sudo ovs-vsctl list qos` to verify configuration
OpenFlow rules not working	Protocol version mismatch	`sudo ovs-ofctl -O OpenFlow13 dump-flows br-vlan`
Configuration lost after reboot	No persistence configured	Enable ovs-restore service: `sudo systemctl enable ovs-restore`

Next steps

Automated install script

Run this to automate the entire setup

install.sh

#!/usr/bin/env bash
set -euo pipefail

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'

# Usage function
usage() {
    echo "Usage: $0 [options]"
    echo "Options:"
    echo "  --bridge-ip IP/CIDR    IP address for main bridge (default: 203.0.113.1/24)"
    echo "  --physical-int NAME    Physical interface to add to bridge (default: auto-detect)"
    echo "  --skip-physical        Skip adding physical interface to bridge"
    echo "  -h, --help            Show this help message"
    exit 1
}

# Default values
BRIDGE_IP="203.0.113.1/24"
PHYSICAL_INT=""
SKIP_PHYSICAL=false

# Parse arguments
while [[ $# -gt 0 ]]; do
    case $1 in
        --bridge-ip)
            BRIDGE_IP="$2"
            shift 2
            ;;
        --physical-int)
            PHYSICAL_INT="$2"
            shift 2
            ;;
        --skip-physical)
            SKIP_PHYSICAL=true
            shift
            ;;
        -h|--help)
            usage
            ;;
        *)
            echo -e "${RED}Unknown option: $1${NC}"
            usage
            ;;
    esac
done

# Cleanup function for rollback
cleanup() {
    echo -e "${RED}Installation failed. Cleaning up...${NC}"
    systemctl stop openvswitch-switch ovs-vswitchd ovsdb-server 2>/dev/null || true
    ovs-vsctl del-br br0 2>/dev/null || true
    ovs-vsctl del-br br-vlan 2>/dev/null || true
}

trap cleanup ERR

# Check prerequisites
if [[ $EUID -ne 0 ]]; then
    echo -e "${RED}This script must be run as root${NC}"
    exit 1
fi

# Auto-detect distribution
if [ -f /etc/os-release ]; then
    . /etc/os-release
    case "$ID" in
        ubuntu|debian)
            PKG_MGR="apt"
            PKG_INSTALL="apt install -y"
            PKG_UPDATE="apt update && apt upgrade -y"
            OVS_SERVICE="openvswitch-switch"
            OVS_PACKAGES="openvswitch-switch openvswitch-common bridge-utils net-tools"
            ;;
        almalinux|rocky|centos|rhel|ol)
            PKG_MGR="dnf"
            PKG_INSTALL="dnf install -y"
            PKG_UPDATE="dnf update -y"
            OVS_SERVICE="openvswitch"
            OVS_PACKAGES="openvswitch bridge-utils net-tools"
            ;;
        fedora)
            PKG_MGR="dnf"
            PKG_INSTALL="dnf install -y"
            PKG_UPDATE="dnf update -y"
            OVS_SERVICE="openvswitch"
            OVS_PACKAGES="openvswitch bridge-utils net-tools"
            ;;
        amzn)
            PKG_MGR="yum"
            PKG_INSTALL="yum install -y"
            PKG_UPDATE="yum update -y"
            OVS_SERVICE="openvswitch"
            OVS_PACKAGES="openvswitch bridge-utils net-tools"
            ;;
        *)
            echo -e "${RED}Unsupported distribution: $ID${NC}"
            exit 1
            ;;
    esac
else
    echo -e "${RED}Cannot detect distribution${NC}"
    exit 1
fi

echo -e "${GREEN}Installing Open vSwitch 3.3 for VM networking${NC}"

# Step 1: Update system packages
echo -e "${YELLOW}[1/8] Updating system packages...${NC}"
$PKG_UPDATE

# Step 2: Install Open vSwitch and dependencies
echo -e "${YELLOW}[2/8] Installing Open vSwitch and dependencies...${NC}"
$PKG_INSTALL $OVS_PACKAGES

# Step 3: Enable and start Open vSwitch services
echo -e "${YELLOW}[3/8] Enabling and starting Open vSwitch services...${NC}"
systemctl enable --now $OVS_SERVICE
systemctl enable --now ovsdb-server
systemctl enable --now ovs-vswitchd

# Wait for services to be ready
sleep 2

# Step 4: Initialize Open vSwitch database
echo -e "${YELLOW}[4/8] Initializing Open vSwitch database...${NC}"
ovs-vsctl --may-exist init

# Step 5: Create virtual bridges and ports
echo -e "${YELLOW}[5/8] Creating virtual bridges...${NC}"

# Create primary bridge for VM networking
ovs-vsctl add-br br0
ovs-vsctl set bridge br0 protocols=OpenFlow10,OpenFlow13
ip link set br0 up

# Create VLAN-aware bridge
ovs-vsctl add-br br-vlan
ovs-vsctl set bridge br-vlan protocols=OpenFlow10,OpenFlow13
ip link set br-vlan up

# Auto-detect physical interface if not specified
if [[ -z "$PHYSICAL_INT" ]] && [[ "$SKIP_PHYSICAL" = false ]]; then
    PHYSICAL_INT=$(ip route | grep default | awk '{print $5}' | head -n1)
    echo -e "${YELLOW}Auto-detected physical interface: $PHYSICAL_INT${NC}"
fi

# Add physical interface to bridge if specified and not skipped
if [[ -n "$PHYSICAL_INT" ]] && [[ "$SKIP_PHYSICAL" = false ]]; then
    echo -e "${YELLOW}Adding physical interface $PHYSICAL_INT to bridge...${NC}"
    echo -e "${RED}WARNING: This may cause temporary network connectivity loss${NC}"
    sleep 3
    
    # Store current IP configuration
    CURRENT_IP=$(ip addr show $PHYSICAL_INT | grep 'inet ' | awk '{print $2}' | head -n1 || echo "")
    CURRENT_GW=$(ip route | grep default | awk '{print $3}' | head -n1 || echo "")
    
    ovs-vsctl add-port br0 $PHYSICAL_INT
    ip link set $PHYSICAL_INT up
    
    # Restore IP configuration to bridge if it existed
    if [[ -n "$CURRENT_IP" ]] && [[ -n "$CURRENT_GW" ]]; then
        ip addr flush dev $PHYSICAL_INT
        ip addr add $CURRENT_IP dev br0
        ip route add default via $CURRENT_GW dev br0
    fi
else
    # Configure bridge with specified IP
    ip addr add $BRIDGE_IP dev br0
fi

# Step 6: Configure VLAN tagging and trunking
echo -e "${YELLOW}[6/8] Configuring VLAN tagging and trunking...${NC}"

# Create VLAN access ports
ovs-vsctl add-port br-vlan vlan100 -- set port vlan100 tag=100
ovs-vsctl add-port br-vlan vlan200 -- set port vlan200 tag=200
ovs-vsctl add-port br-vlan vlan300 -- set port vlan300 tag=300

# Create VLAN trunk port
ovs-vsctl add-port br-vlan trunk0 -- set port trunk0 trunks=100,200,300,400
ovs-vsctl set port trunk0 vlan_mode=trunk

# Configure internal VLAN interfaces
ovs-vsctl add-port br-vlan vlan100-int -- set interface vlan100-int type=internal
ovs-vsctl set port vlan100-int tag=100
ip link set vlan100-int up
ip addr add 192.168.100.1/24 dev vlan100-int

ovs-vsctl add-port br-vlan vlan200-int -- set interface vlan200-int type=internal
ovs-vsctl set port vlan200-int tag=200
ip link set vlan200-int up
ip addr add 192.168.200.1/24 dev vlan200-int

# Configure VLAN native port
ovs-vsctl add-port br-vlan native100 -- set port native100 tag=100
ovs-vsctl set port native100 vlan_mode=access

# Step 7: Set up VM network integration
echo -e "${YELLOW}[7/8] Setting up VM tap interfaces...${NC}"

# Create sample TAP interfaces for VM connectivity
ip tuntap add vm1-tap0 mode tap
ovs-vsctl add-port br0 vm1-tap0
ip link set vm1-tap0 up

ip tuntap add vm2-tap0 mode tap
ovs-vsctl add-port br-vlan vm2-tap0 -- set port vm2-tap0 tag=100
ip link set vm2-tap0 up

# Step 8: Verify installation and configuration
echo -e "${YELLOW}[8/8] Verifying installation...${NC}"

# Check OVS services
if ! systemctl is-active --quiet $OVS_SERVICE ovsdb-server ovs-vswitchd; then
    echo -e "${RED}Some OVS services are not running${NC}"
    exit 1
fi

# Check bridges
if ! ovs-vsctl list-br | grep -q br0; then
    echo -e "${RED}Bridge br0 not found${NC}"
    exit 1
fi

if ! ovs-vsctl list-br | grep -q br-vlan; then
    echo -e "${RED}Bridge br-vlan not found${NC}"
    exit 1
fi

# Display configuration summary
echo -e "${GREEN}Installation completed successfully!${NC}"
echo ""
echo "Configuration Summary:"
echo "====================="
echo "Bridges created:"
ovs-vsctl list-br
echo ""
echo "Bridge br0 ports:"
ovs-vsctl list-ports br0
echo ""
echo "Bridge br-vlan ports:"
ovs-vsctl list-ports br-vlan
echo ""
echo "VLAN configuration:"
ovs-vsctl show | grep -A5 -B5 "tag\|trunk"
echo ""
echo -e "${GREEN}Open vSwitch is ready for VM networking with VLAN support${NC}"
echo -e "${YELLOW}Next steps:${NC}"
echo "1. Connect your VMs to the created tap interfaces"
echo "2. Configure VM network settings for appropriate VLANs"
echo "3. Set up routing between VLANs if needed"
echo "4. Configure firewall rules for your network topology"

Review the script before running. Execute with: bash install.sh

#open vswitch #virtual machine networking #vlan tagging #network bridges #vm isolation

Set up Open vSwitch 3.3 for advanced virtual machine networking with VLAN and bridge configuration