[CentOS-virt] KVM vs ESXi

Wed May 18 22:19:43 UTC 2011
Eric Searcy <emsearcy at gmail.com>

On Wed, May 18, 2011 at 6:46 AM, Gilberto Nunes
<gilberto.nunes32 at gmail.com> wrote:
> -Does KVM have a concept of virtual switches and are they tied to
> physical NICs? ESXi allows me to create a vSwitch that isn't tied to a
> physical NIC so I can create a DMZ that exists solely within the host
> system. I'd like to replicate that if possible.
>
> Yes... You can use VirtManager to work with this feature...

And in fact I'd say its "concept" is *better*.  KVM/libvirt just
leverages the built-in virtual switching (bridging) support in Linux
accessible through brctl.  So you can create virtual bridges, tie
ethernet devices to them, and have visibility into what's going on
using standard tools like brctl and iproute2 tools if you'd like
(instead of VirtManager).  You can also use stuff like iptables to
filter traffic going across bridges...

Sad to admit it, but I have a Linux box functioning as a router which
also runs KVM domains ... eth0 is a bridge port (so no IP address),
the virtual switch br0 has both the router internal IP (.1) and the
"service-providing" IP of the box (still the IP I used to manage the
KVM host from before I was using it as the router), eth1 has multiple
VLANs with IPs on our Fiber WAN and the local out-of-band network.
The NICs of the guests are also attached to br0, naturally.  And of
course iptables is able to securely filter traffic across all that.
It's a stopgap measure, but works flawlessly.

If you want a NAT subnet, behind the scenes it's real Linux routing
with the iptables SNAT module (or masquerade).  Your host-only network is
a bridge without any hardware NICs attached as ports, only KVM NICs.
And so on.  Sublime!

Eric

PS, all the above is also true for running Xen on CentOS, though it
comes with its own scripts for setting up the bridging instead of
leveraging libvirt to do it.
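The two topologies described in the post (a host-only bridge with no physical NIC as a port, and a NAT'd guest subnet done with plain Linux routing plus iptables), as an added shell example that is not part of the original message. It uses iproute2's `ip link ... type bridge` in place of brctl; the bridge names, the 10.99.0.0/24 subnet and eth1 as the WAN interface are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds a host-only "DMZ"
# bridge (no physical NIC attached) and a NAT'd guest subnet with iproute2 and
# iptables. Assumed names: br-dmz, br-nat, 10.99.0.0/24, WAN interface eth1.
# DRY_RUN=1 prints each command instead of executing it (no root needed).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Host-only bridge: only guest tap devices get attached to it (libvirt does that
# when a guest NIC uses <source bridge='br-dmz'/>), so guest traffic never reaches
# a physical NIC unless the host itself routes it.
make_host_only_bridge() {
    run ip link add "$1" type bridge
    run ip link set "$1" up
}

# NAT subnet: the bridge carries the gateway IP, outbound traffic is SNAT'd with
# MASQUERADE on the WAN interface, and only reply traffic is forwarded back in.
make_nat_bridge() {
    br="$1"; gw="$2"; subnet="$3"; wan="$4"
    run ip link add "$br" type bridge
    run ip addr add "$gw" dev "$br"
    run ip link set "$br" up
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$subnet" -o "$wan" -j MASQUERADE
    run iptables -A FORWARD -i "$br" -o "$wan" -j ACCEPT
    run iptables -A FORWARD -i "$wan" -o "$br" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Filtering between two bridges on the same host: routed traffic crosses the
# FORWARD chain, so the DMZ may only answer sessions the inside initiated.
isolate_dmz() {
    dmz="$1"; inside="$2"
    run iptables -A FORWARD -i "$inside" -o "$dmz" -j ACCEPT
    run iptables -A FORWARD -i "$dmz" -o "$inside" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$dmz" -o "$inside" -j DROP
}

# Usage: DRY_RUN=1 sh kvm-net.sh   (print the commands)
#        sh kvm-net.sh apply       (execute, as root)
if [ "${1:-}" = "apply" ] || [ "${DRY_RUN:-0}" = "1" ]; then
    make_host_only_bridge br-dmz
    make_nat_bridge br-nat 10.99.0.1/24 10.99.0.0/24 eth1
    isolate_dmz br-dmz br-nat
fi
```

Traffic between two guests on the same bridge does not pass through FORWARD unless net.bridge.bridge-nf-call-iptables is enabled; the rules above only govern traffic routed between bridges or out of the host.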