Without any DNAT rules, I could not ssh to the 172.16.0.2 box. After adding the relevant DNAT rule, I was able to ssh into the 172.16.0.2 Guest from my desktop (192.168.1.69). So it turned out to be a KVM config issue, not an issue with the bridge.

Jarrod, thanks for pointing me in the right direction. Your analogy about the Linux KVM treating all the bridge and associated interfaces as one big "switch" is excellent. In other words, the KVM becomes a super bridge for all the net interfaces that are given to its purview through the various instances of VMs.

-- Arun Khan