Host OS/HW: Debian Squeeze (amd64), openSUSE 11.3 (amd64), 6GB RAM,
Core2Quad 8600

I am trying to create "virtual" networks using bridge, ethernet and
tap interfaces in my desktop [1]

The network topology that I want to simulate is as follows:

Evaluate LiveCD distros (including GW/Firewall ISOs) using the Linux KVM.

Using brctl and tunctl I have the following setup (brctl show):

bridge name     bridge id               STP enabled     interfaces
br0             8000.001cc09b9b54       no              eth0
                                                        tap0
br1             8000.7e45d3f813b4       no              tap1
                                                        tap2

br0 (192.168.1.69) (bridged to eth0) LAN has a DHCP server and it is
the bridge to the "external" network whereas br1 is supposed to be the
switch for LAN (isolated).

Through the KVM, the Guest OS is presented two ethernet interfaces:
tap0 for the WAN ethernet port and tap1 for the LAN ethernet port.

The KVM command line for the "GW" VM is:

kvm \
 -vga std \
 -m 256 \
 -boot d \
 -cdrom ${KVM_LIVE_CD} \
 -net nic,model=rtl8139,macaddr=${nic_mac_addr0} \
 -net tap,ifname=tap0,script=no,downscript=no \
 -net nic,model=e1000,macaddr=${nic_mac_addr1} \
 -net tap,ifname=tap1,script=no,downscript=no \

Variable KVM_LIVE_CD points to the relevant ISO image.

When I boot a LiveCD which acquires IP on *all* the network
interfaces via DHCP, in the Guest OS I find that both network
interfaces have been assigned IP numbers from the 192.168.1.0 network
from the DHCP server.

For the WAN port, it makes sense as br0 is connected to eth0 and the
Guest OS acquires an IP address from the DHCP server.

However, I did not expect the "LAN" port, in the Guest OS, to acquire
an IP number from the same DHCP server. As br1 does not connect to
any physical interface (like eth0), I expect the second interface eth1
(tap1 in Host OS) to not have any IP.
On 01/27/2011 11:52 AM, Arun Khan wrote:
> Host OS/HW: Debian Squeeze (amd64), openSUSE 11.3 (amd64), 6GB RAM,
> Core2Quad 8600
>
> I am trying to create "virtual" networks using bridge, ethernet and
> tap interfaces in my desktop [1]
>
> The network topology that I want to simulate is as follows:
>
> Evaluate LiveCD distros (including GW/Firewall ISOs) using the Linux KVM.
>
> Using brctl and tunctl I have the following setup (brctl show):
>
> bridge name     bridge id               STP enabled     interfaces
> br0             8000.001cc09b9b54       no              eth0
>                                                         tap0
> br1             8000.7e45d3f813b4       no              tap1
>                                                         tap2
>
> br0 (192.168.1.69) (bridged to eth0) LAN has a DHCP server and it is
> the bridge to the "external" network whereas br1 is supposed to be the
> switch for LAN (isolated).
>
> Through the KVM, the Guest OS is presented two ethernet interfaces:
> tap0 for the WAN ethernet port and tap1 for the LAN ethernet port.
>
> The KVM command line for the "GW" VM is:
>
> kvm \
>  -vga std \
>  -m 256 \
>  -boot d \
>  -cdrom ${KVM_LIVE_CD} \
>  -net nic,model=rtl8139,macaddr=${nic_mac_addr0} \
>  -net tap,ifname=tap0,script=no,downscript=no \
>  -net nic,model=e1000,macaddr=${nic_mac_addr1} \
>  -net tap,ifname=tap1,script=no,downscript=no \
>
> Variable KVM_LIVE_CD points to the relevant ISO image.
>
> When I boot a LiveCD which acquires IP on *all* the network
> interfaces via DHCP, in the Guest OS I find that both network
> interfaces have been assigned IP numbers from the 192.168.1.0 network
> from the DHCP server.
>
> For the WAN port, it makes sense as br0 is connected to eth0 and the
> Guest OS acquires an IP address from the DHCP server.
>
> However, I did not expect the "LAN" port, in the Guest OS, to acquire
> an IP number from the same DHCP server. As br1 does not connect to
> any physical interface (like eth0), I expect the second interface eth1
> (tap1 in Host OS) to not have any IP.
>
> From the above, it appears that even though the two bridges are
> defined separately, essentially ethernet frames on either bridge are
> visible to both bridges.
>
> Is it possible to restrict ethernet traffic to its respective bridge
> only? I am really keen on finding a solution. Any pointers /
> solutions would be highly appreciated.

I hit something similar that appeared due to connection tracking.
I got my case working with the attached patch. This was against
some hacked bridge code, so not 100% sure it will apply cleanly.

Thanks,
Ben

--
Ben Greear <greearb at candelatech.com>
Candela Technologies Inc  http://www.candelatech.com

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-bridge-Allow-disabling-all-ebtables-calls-on-a-bri.patch
Url: http://lists.linux-foundation.org/pipermail/bridge/attachments/20110127/d6511dd6/attachment.txt
Arun,

You have assumed (as I did, when I first tried this) that the first
"-net nic" and "-net tap" are automatically associated with each
other. They aren't - you have to tell KVM explicitly.

I find it easiest to think of it as if there was a (in your example
here) *four* port switch inside the KVM process - with two ports
connected to the host, and two to the guests. Like a real switch, in
order to run two networks through it, you need to VLAN it.

Add "vlan=1" to your first pair of "-net"'s, and "vlan=2" to the other.

Hope that helps,
-- Jarrod

On 27 January 2011 19:52, Arun Khan <knura9 at gmail.com> wrote:
> Host OS/HW: Debian Squeeze (amd64), openSUSE 11.3 (amd64), 6GB RAM,
> Core2Quad 8600
>
> I am trying to create "virtual" networks using bridge, ethernet and
> tap interfaces in my desktop [1]
>
> The network topology that I want to simulate is as follows:
>
> Evaluate LiveCD distros (including GW/Firewall ISOs) using the Linux KVM.
>
> Using brctl and tunctl I have the following setup (brctl show):
>
> bridge name     bridge id               STP enabled     interfaces
> br0             8000.001cc09b9b54       no              eth0
>                                                         tap0
> br1             8000.7e45d3f813b4       no              tap1
>                                                         tap2
>
> br0 (192.168.1.69) (bridged to eth0) LAN has a DHCP server and it is
> the bridge to the "external" network whereas br1 is supposed to be the
> switch for LAN (isolated).
>
> Through the KVM, the Guest OS is presented two ethernet interfaces:
> tap0 for the WAN ethernet port and tap1 for the LAN ethernet port.
>
> The KVM command line for the "GW" VM is:
>
> kvm \
>  -vga std \
>  -m 256 \
>  -boot d \
>  -cdrom ${KVM_LIVE_CD} \
>  -net nic,model=rtl8139,macaddr=${nic_mac_addr0} \
>  -net tap,ifname=tap0,script=no,downscript=no \
>  -net nic,model=e1000,macaddr=${nic_mac_addr1} \
>  -net tap,ifname=tap1,script=no,downscript=no \
>
> Variable KVM_LIVE_CD points to the relevant ISO image.
>
> When I boot a LiveCD which acquires IP on *all* the network
> interfaces via DHCP, in the Guest OS I find that both network
> interfaces have been assigned IP numbers from the 192.168.1.0 network
> from the DHCP server.
>
> For the WAN port, it makes sense as br0 is connected to eth0 and the
> Guest OS acquires an IP address from the DHCP server.
>
> However, I did not expect the "LAN" port, in the Guest OS, to acquire
> an IP number from the same DHCP server. As br1 does not connect to
> any physical interface (like eth0), I expect the second interface eth1
> (tap1 in Host OS) to not have any IP.
>
> From the above, it appears that even though the two bridges are
> defined separately, essentially ethernet frames on either bridge are
> visible to both bridges.
>
> Is it possible to restrict ethernet traffic to its respective bridge
> only? I am really keen on finding a solution. Any pointers /
> solutions would be highly appreciated.
>
> [1] <http://www.faqs.org/docs/Linux-HOWTO/BRIDGE-STP-HOWTO.html>
>
> TIA,
> -- Arun Khan
> _______________________________________________
> Bridge mailing list
> Bridge at lists.linux-foundation.org
> https://lists.linux-foundation.org/mailman/listinfo/bridge
>
-- Jarrod Lowe
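The "vlan=" fix Jarrod describes, as an added example that is not from the thread or from QEMU/KVM itself: a POSIX sh helper that reads each tap's bridge membership from "brctl show" output (a constructed copy of Arun's table is embedded) and tags every "-net nic"/"-net tap" pair with a vlan number unique to that bridge, so the guest NIC on tap0 only shares a hub with br0 and the one on tap1 only with br1. The MAC address defaults are assumed placeholders, and the "brctl show" column layout is assumed to be the one shown in the thread.

```shell
# Added example, not from the thread. Without "vlan=", all four "-net" ports
# sit on QEMU vlan 0 (one shared hub), which is why eth1 in the guest saw
# br0's DHCP server. Here each tap gets the vlan of the bridge it belongs to.
# BRCTL_SHOW is a constructed copy of the thread's table; on a live host use
# BRCTL_SHOW=$(brctl show) instead.
BRCTL_SHOW='bridge name     bridge id               STP enabled     interfaces
br0             8000.001cc09b9b54       no              eth0
                                                        tap0
br1             8000.7e45d3f813b4       no              tap1
                                                        tap2'

# tap_bridge TAP: print "<bridge> <index>" for the bridge TAP belongs to.
# A four-field row names a bridge; a one-field row is a further interface of
# the bridge named on the last full row. The 1-based bridge index becomes
# the QEMU vlan number (0 is deliberately left unused).
tap_bridge() {
    printf '%s\n' "$BRCTL_SHOW" | {
        n=0; br=
        read -r _header
        while read -r f1 f2 f3 f4; do
            if [ -n "$f4" ]; then n=$((n + 1)); br=$f1; iface=$f4
            else iface=$f1; fi
            if [ "$iface" = "$1" ]; then echo "$br $n"; break; fi
        done
    }
}
bridge_of() { set -- $(tap_bridge "$1"); echo "$1"; }
vlan_of()   { set -- $(tap_bridge "$1"); echo "$2"; }

# isolated TAP_A TAP_B: true only if the two taps land on different vlans.
isolated() { [ -n "$(vlan_of "$1")" ] && [ "$(vlan_of "$1")" != "$(vlan_of "$2")" ]; }

# net_pair MODEL MAC TAP: one "-net nic"/"-net tap" pair, both tagged with
# the vlan of TAP's bridge. Fails if TAP is not enslaved to any bridge.
net_pair() {
    v=$(vlan_of "$3")
    [ -n "$v" ] || { echo "net_pair: $3 is not on any bridge" >&2; return 1; }
    printf '%s %s\n' "-net nic,model=$1,macaddr=$2,vlan=$v" \
        "-net tap,ifname=$3,script=no,downscript=no,vlan=$v"
}

# gw_net_args: the two pairs from the "GW" command line, now on vlan 1
# (br0, WAN) and vlan 2 (br1, LAN). MAC defaults are constructed placeholders.
gw_net_args() {
    net_pair rtl8139 "${nic_mac_addr0:-52:54:00:12:34:56}" tap0 &&
    net_pair e1000   "${nic_mac_addr1:-52:54:00:12:34:57}" tap1
}
# Drop-in for the thread's command line:
# kvm -vga std -m 256 -boot d -cdrom "$KVM_LIVE_CD" $(gw_net_args)
gw_net_args
```

The same check works as a pre-flight test before starting the VM: if isolated tap0 tap1 fails, the two taps are on one bridge and no vlan tagging will separate them.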