[libvirt-users] Need information

Laine Stump laine at laine.org
Sun May 22 16:11:07 UTC 2016


On 05/22/2016 12:44 AM, Gk Gk wrote:
> Hi,
>
> in bridge mode all the guests and hosts should be in the same subnet 
> always ?

(please don't top-post replies)

Your new question is irrelevant both to your original question and to my 
response. Yes, it is usually the case that the purpose of using a 
bridge-mode connection is to have the guests on the same subnet as the 
machines on the physical network, although that isn't necessarily the 
case - a bridge device doesn't care (or even understand) IP; it just 
forwards according to learned information about MAC addresses, and if 
someone wanted, they could put multiple IP subnets on the same bridge.

But you asked why it could be the case that a bridge wouldn't accept 
packets from a guest that has a public IP. First, as I say above, the IP 
address is irrelevant when talking about a filter based on MAC address. 
Second, as I said in my last messages, any managed switch can have each 
port configured to only accept packets with certain MAC addresses, and 
many/most hosting providers (and many corporate IT departments) program 
the ports of their switches to only accept traffic with the source MAC 
address of a single machine (they do this to prevent hostile hosts 
spoofing the MAC addresses of other hosts) - if you have a bridge setup 
between your guest and your physical host, the guest traffic sent to the 
switch will still have the guest interface's MAC address, which the 
switch may reject.

If, on the other hand, you use a routed setup, the guest traffic will go 
through the host's IP routing, and reemerge from the guest with the 
*host's* MAC address. So it will then at least pass the MAC address 
filter on the bridge.

But, as I said in my last message, the hosting provider's network would 
then 1) need to accept traffic from the guest's IP address, and 2) need 
to have an entry in the routing tables of its routers pointing to your 
host for the subnet you've defined for your guests. It is *highly* 
unlikely that any hosting provider would do this for you, since IPv4 
address space is at such a premium. It's more likely that they would 
allow you to register extra MAC addresses.


If this still doesn't make sense, I suggest you read the following two 
Wikipedia entries:

https://en.wikipedia.org/wiki/Bridging_%28networking%29
https://en.wikipedia.org/wiki/IP_forwarding


>
>
> Thanks
> Kumar
>
> On Sun, May 22, 2016 at 12:41 AM, Laine Stump <laine at laine.org 
> <mailto:laine at laine.org>> wrote:
>
>     On 05/20/2016 03:21 AM, Gk Gk wrote:
>>     Hi,
>>
>>     Referring to the link
>>     http://wiki.libvirt.org/page/VirtualNetworking,  the scenario
>>      described for the routed mode, explains that
>>
>>     "Host has public IP and virtual machines have static public IPs.
>>     But one can't use bridged networking, since provider accept only
>>     packets from the MAC address of the host"
>>
>>     Can someone explain to me why doesn't the switch accept the
>>     packets from the guest vms' mac addresses also since they have
>>     public IPs  in the bridged mode ?
>
>     Because the people who have administrative control over the switch
>     have configured it that way. (Of course, if they're that
>     restrictive, it's doubtful that they would allocate an entire
>     subnet to a customer's machine, and reconfigure their routing
>     tables to deal with it).
>
>
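
A toy model of the two paths described in this thread, added here as an example (it is not code from the thread or from libvirt); all MAC and IP values are constructed samples, and the "provider port" is a simplified managed-switch port that only checks the source MAC:

```python
# Added example (not from the libvirt-users thread): a toy model of the two paths
# Laine describes. MACs/IPs are constructed sample values (RFC 5737 ranges).
import ipaddress
from collections import namedtuple

Frame = namedtuple("Frame", "src_mac dst_mac src_ip dst_ip")

HOST_MAC, GUEST_MAC = "52:54:00:aa:00:01", "52:54:00:bb:00:02"
HOST_IP, GUEST_IP = "203.0.113.10", "203.0.113.20"
PROVIDER_GW_MAC, REMOTE_IP = "00:00:5e:00:53:01", "198.51.100.5"

class LearningBridge:
    """Host bridge: learns src MAC -> port, forwards by dst MAC, never reads IP."""
    def __init__(self):
        self.table = {}
    def forward(self, frame, in_port):
        self.table[frame.src_mac] = in_port
        out_port = self.table.get(frame.dst_mac, "flood")
        return out_port, frame              # frame leaves exactly as it arrived

def host_router(frame):
    """Host IP forwarding: host is the guest's gateway and re-sends the packet
    from its own NIC, so the source MAC becomes the host's; IPs are untouched."""
    return Frame(HOST_MAC, PROVIDER_GW_MAC, frame.src_ip, frame.dst_ip)

class ProviderPort:
    """Managed-switch port with port security: only registered source MACs pass."""
    def __init__(self, allowed):
        self.allowed = set(allowed)
    def accept(self, frame):
        return frame.src_mac in self.allowed   # IP header is irrelevant here

def provider_accepts(mode):
    """Does the provider's port accept a guest frame sent in 'bridge' or 'route' mode?"""
    guest_frame = Frame(GUEST_MAC, PROVIDER_GW_MAC, GUEST_IP, REMOTE_IP)
    port = ProviderPort([HOST_MAC])
    if mode == "bridge":
        _, out_frame = LearningBridge().forward(guest_frame, "vnet0")
    else:
        out_frame = host_router(guest_frame)
    return port.accept(out_frame)

def provider_routes_back(routes):
    """Second requirement for routed mode: the provider's router must hold a
    route for the guest subnet whose next hop is the host's public IP."""
    guest = ipaddress.ip_address(GUEST_IP)
    return any(guest in ipaddress.ip_network(net) and nexthop == HOST_IP
               for net, nexthop in routes.items())
```

`provider_accepts("bridge")` is rejected because the guest's own MAC reaches the port, while `provider_accepts("route")` passes; `provider_routes_back` then shows that replies only reach the guest if the provider has added a route for the guest subnet via the host.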
