Hi,
all the descriptions of networking setups with VMs I'm seeing involve bridges. The only use I see for bridges is when I actually want to be able to send network traffic to multiple arbitrary interfaces connected to the bridge. I neither need nor want bridges when I want to keep the VMs separated, like when separating a VM in a DMZ from a VM in the LAN.
The bridge acts like a hub. Looking at [1] makes it seem that this is undesirable --- otherwise there wouldn't be a need for a software switch to prevent network traffic on a bridge from going to all of the connected interfaces.
When there's a bridge with multiple VMs connected to it, is a software switch desirable to prevent network traffic on the bridge from going to interfaces it doesn't need to go to? If so, isn't it better not to use a bridge to begin with?
Can't we simply have virtual interfaces on the physical host which are the "other end" of the interfaces showing up in the VMs, without bridges?
[2] seems to suggest leaving all bridges "dangling", i.e. it says you're not supposed to connect an interface to the bridge. What's the point of a bridge when only a single interface is connected to it?
[1]: http://openvswitch.org/support/config-cookbooks/vlan-configuration-cookbook/
[2]: http://wiki.libvirt.org/page/Networking
You may create as many bridges as you want to have virtual interfaces, each bridge consisting only of the connection to a single VM, and handle traffic between bridges and between the physical interfaces of the host through iptables/iproute.
IMHO bridging is the most proper and popular technique because it provides the most flexible configuration. Your VM sees the NIC as an Ethernet card (so with all L2 features), so either you can terminate this L2 pipe with a bridge in the host and perform L3/higher-level handling, or you can use, for example, a DHCP server on the host bound to your bridge, or a VLAN-handling config.
On 03.06.2014 06:25, lee wrote:
Hi Lee
If you are to virtualize the network stack properly you need to do it all the way down to layer 2. How do you connect multiple layer 2 devices together? Well, a bridge; a switch being many bridges all in the one box. Hubs are not relevant here as there is no physical medium. As Ilya said, it is totally possible to have a 1:1 relationship between the VMs and the host, i.e. a dedicated bridge per VM, with its own IP network on it (/30 for IPv4, or /64 for IPv6). The host machine then does all the routing and/or NATting for the guests.
On 3 June 2014 04:06, Ilya Ponetayev instenet@gmail.com wrote:
--
Sincerely yours, Ilya Ponetayev instenet@gmail.com
CentOS-virt mailing list CentOS-virt@centos.org http://lists.centos.org/mailman/listinfo/centos-virt
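The per-VM bridge layout that both replies above describe, written out as an added example; this is not code from any poster on the thread, from libvirt or from CentOS. It assumes two guests, a DMZ one and a LAN one as in Lee's question, bridge names br-dmz and br-lan, uplink eth0, and the /30s 10.200.0.0 and 10.200.0.4; all of these names and addresses are assumptions. Each bridge carries only the host-side address, the host routes between the /30s and the uplink, and the DMZ/LAN separation comes from the iptables FORWARD chain rather than from any L2 trick, because the two guests never share a bridge:

```shell
#!/bin/sh
# Added example (not from any poster on this thread): one bridge per VM, each
# bridge carrying a dedicated IPv4 /30 (host side .1, guest side .2). The guests
# share no L2 segment, so the only path between them is the host's routing
# table plus its FORWARD policy. br-dmz, br-lan, eth0 and the 10.200.0.x /30s
# are assumptions chosen for the example.

UPLINK="${UPLINK:-eth0}"   # physical NIC the host routes/NATs through (assumption)
DMZ_BR=br-dmz; DMZ_NET=10.200.0.0
LAN_BR=br-lan; LAN_NET=10.200.0.4
DRY_RUN="${DRY_RUN:-1}"    # 1: print the commands; 0: execute them (needs root)

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# /30 arithmetic on the last octet: the network address must be a multiple of 4,
# host side is network+1, guest side is network+2 (network+3 is broadcast).
check_net30() {
    case "$1" in *.*.*.*) ;; *) echo "bad address: $1" >&2; return 1 ;; esac
    if [ $(( ${1##*.} % 4 )) -ne 0 ]; then
        echo "not a /30 network address: $1" >&2; return 1
    fi
}
host_addr()  { check_net30 "$1" && printf '%s.%s\n' "${1%.*}" $(( ${1##*.} + 1 )); }
guest_addr() { check_net30 "$1" && printf '%s.%s\n' "${1%.*}" $(( ${1##*.} + 2 )); }

# One bridge per guest. Only the host-side address lives on it; the hypervisor
# (e.g. libvirt with <interface type='bridge'><source bridge='br-dmz'/>) adds
# the guest's tap as the one and only port when the VM starts.
make_bridge() {
    br=$1; net=$2
    run ip link add name "$br" type bridge
    run ip addr add "$(host_addr "$net")/30" dev "$br"
    run ip link set "$br" up
}

# The host is directly connected to both /30s, so no static routes are needed.
# What separates DMZ from LAN is the FORWARD chain: default DROP, then only the
# flows that are actually wanted.
firewall() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # both guests may reach the outside through the uplink, NATed to the host address
    for br in "$DMZ_BR" "$LAN_BR"; do
        run iptables -A FORWARD -i "$br" -o "$UPLINK" -j ACCEPT
    done
    run iptables -t nat -A POSTROUTING -o "$UPLINK" -j MASQUERADE
    # LAN may open HTTPS to the DMZ guest; the DMZ may never initiate toward the LAN
    run iptables -A FORWARD -i "$LAN_BR" -o "$DMZ_BR" -p tcp --dport 443 -j ACCEPT
}

setup() {
    make_bridge "$DMZ_BR" "$DMZ_NET"
    make_bridge "$LAN_BR" "$LAN_NET"
    firewall
    # Guest side: configure guest_addr(NET)/30 with host_addr(NET) as gateway
    # inside each VM, or run a DHCP server on the host bound to the bridge.
}

# DRY_RUN=1 ./vm-bridges.sh prints the plan; DRY_RUN=0 RUN_SETUP=1 ./vm-bridges.sh applies it.
if [ "${RUN_SETUP:-0}" = 1 ]; then setup; fi
```

With DRY_RUN=1 (the default) the script only prints the ip/iptables commands it would run, which is the safest way to review the FORWARD policy before applying it as root with DRY_RUN=0 RUN_SETUP=1. Until a guest boots, each bridge has no ports at all, only the host's .1 address; that is the "single interface on the bridge" state Lee noticed, and it is harmless because the bridge is just the host's L2 end of a point-to-point /30.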
Ilya Ponetayev instenet@gmail.com writes:
You may create as many bridges as you want to have virtual interfaces, each bridge consisting only of the connection to a single VM, and handle traffic between bridges and between the physical interfaces of the host through iptables/iproute.
In that case, I'd prefer not to have bridges. Things are easier to deal with when you only have those network devices you actually need. Dangling bridges seem to be pretty obsolete.
IMHO bridging is the most proper and popular technique because it provides the most flexible configuration. Your VM sees the NIC as an Ethernet card (so with all L2 features), so either you can terminate this L2 pipe with a bridge in the host and perform L3/higher-level handling, or you can use, for example, a DHCP server on the host bound to your bridge, or a VLAN-handling config.
Bridges are cool when you actually need them. That doesn't mean that they must be there when not needed.
Is there something I don't understand which makes them always a requirement? If so, perhaps it would be a nice feature if we were able to hide bridges we don't need.