[libvirt-users] macvtap and tagged VLANs to the VM

Marc Haber mh+libvirt-users at zugschlus.de
Thu Jan 3 14:23:07 UTC 2019

Hi Laine,

thanks for your answer, I really appreciate that.

On Wed, Jan 02, 2019 at 11:34:30AM -0500, Laine Stump wrote:
> On 12/16/18 4:59 PM, Marc Haber wrote:
> > I would like to run a network firewall as a VM on a KVM host. There are
> > ~ 25 VLANs delivered to the KVM host on three dedicated links, no LACP
> > or other things. I have the VLANs 100-180 on the host's enp1s0, the VLANs
> > 200-280 on the host's enp2s0 and the VLANs 300-380 on the host's enp3s0.
> > 
> > To save myself from configuring all VLANs on the KVM host, I'd like to
> > hand the entire ethernet link to the VM and to have the VLAN interfaces
> > there. Using classical Linux bridges (brctl), things work fine.
> When I asked the person I go to with questions about macvtap (because he
> knows the internals), his response was "if a Linux host bridge works, then
> he should use that". In other words, he was skeptical that what you want to
> do could be made to work with macvtap.

I see.

A Linux host bridge is what I build with brctl?

> Is there a specific reason you need to use macvtap than a Linux host bridge?

I somehow got the impression that using macvtap is the more "modern"
and also more performant approach to bring network to VMs. Since the VM
in question is a Firewall, I'd love to have the performance impact
caused by virtualization minimized[1].

If this is a misconception, it might have been partially caused by some
colleagues at my last customer's site who were very vocal about deprecating
the classical brctl bridges in favor of macvtap/macvlan, and the fact
that virt-manager uses macvtap by default and needs to be massaged into
allowing a classic brctl bridge.


[1] The transfer rate of a tunneled IPv6 link with a dedicated VM
handling the tunnel and a dedicated VM handling firewalling with brctl
bridges (ingress packet - hypervisor - firewall VM - hypervisor - tunnel
VM - hypervisor - firewall VM - hypervisor - egress packet) maxes out at
about 15 Mbit on the APU device being used, with negligible load on the
two VMs and the hypervisor kernel spending a non-negligible amount of
its time inside the kernel, which I interpret as the context changes
killing the machine.

Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
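For reference, the libvirt guest configuration for the Linux-bridge setup Marc describes as working, written as an added example (it is not from the original mail or from libvirt's own documentation). It assumes host bridges named br100, br200 and br300 already exist with enp1s0, enp2s0 and enp3s0 enslaved (for example `ip link add br100 type bridge; ip link set enp1s0 master br100`) and that the host keeps no IP address on them, so the host itself is not reachable from the VLANs the firewall VM is meant to police.

```xml
<!-- Three trunk ports for the firewall guest, one per physical uplink.
     A plain Linux bridge forwards 802.1Q-tagged frames unchanged, so the
     VLAN sub-interfaces (e.g. eth0.100 ... eth0.180) are created inside
     the guest, not on the host. Bridge names and NICs are assumptions
     taken from the thread; adjust to your host. -->
<devices>
  <!-- VLANs 100-180 arrive on enp1s0, enslaved to br100 -->
  <interface type='bridge'>
    <source bridge='br100'/>
    <model type='virtio'/>
  </interface>
  <!-- VLANs 200-280 arrive on enp2s0, enslaved to br200 -->
  <interface type='bridge'>
    <source bridge='br200'/>
    <model type='virtio'/>
  </interface>
  <!-- VLANs 300-380 arrive on enp3s0, enslaved to br300 -->
  <interface type='bridge'>
    <source bridge='br300'/>
    <model type='virtio'/>
  </interface>

  <!-- For comparison only: the macvtap form that virt-manager defaults to
       for one of the same links (type 'direct' attaches straight to the
       NIC, without a host bridge):
       <interface type='direct'>
         <source dev='enp1s0' mode='bridge'/>
         <model type='virtio'/>
       </interface>
  -->
</devices>
```

Each `<interface>` above appears in the guest as a separate untagged trunk; whether a given libvirt version passes tagged frames through the macvtap variant is exactly the open question of the thread, so the bridge form is the one shown active.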
