IPVLAN Driver HOWTO

Initial Release:
    Mahesh Bandewar <maheshb AT google.com>
1. Introduction:
    This is conceptually very similar to the macvlan driver, with one major
exception: it uses L3 for muxing/demuxing among slaves. This property makes
the master device share its L2 with its slave devices. I have developed this
driver in conjunction with network namespaces and I am not sure if there is a
use case outside of it.


2. Building and Installation:
    In order to build the driver, please select the config item CONFIG_IPVLAN.
The driver can be built into the kernel (CONFIG_IPVLAN=y) or as a module
(CONFIG_IPVLAN=m).


3. Configuration:
    There are no module parameters for this driver and it can be configured
using the IProute2/ip utility.

    ip link add link <master> name <slave> type ipvlan [ mode MODE ] [ FLAGS ]
       where
         MODE: l3 (default) | l3s | l2
         FLAGS: bridge (default) | private | vepa

    e.g.
    (a) The following will create an IPvlan link with eth0 as master in
        L3 bridge mode:
      bash# ip link add link eth0 name ipvl0 type ipvlan
    (b) This command will create an IPvlan link in L2 bridge mode:
      bash# ip link add link eth0 name ipvl0 type ipvlan mode l2 bridge
    (c) This command will create an IPvlan device in L2 private mode:
      bash# ip link add link eth0 name ipvlan type ipvlan mode l2 private
    (d) This command will create an IPvlan device in L2 vepa mode:
      bash# ip link add link eth0 name ipvlan type ipvlan mode l2 vepa


4. Operating modes:
    IPvlan has two basic modes of operation, L2 and L3 (L3S, described in 4.3,
is a variant of L3). For a given master device, you can select one of these
modes and all slaves on that master will operate in the same (selected) mode.
RX processing is almost identical in both, except that in L3 mode the slaves
won't receive any multicast / broadcast traffic. L3 mode is more restrictive
since routing is controlled from the other (mostly the default) namespace.

4.1 L2 mode:
    In this mode TX processing happens on the stack instance attached to the
slave device and packets are switched and queued to the master device to send
out. In this mode the slaves will RX/TX multicast and broadcast (if applicable)
as well.

4.2 L3 mode:
    In this mode TX processing up to L3 happens on the stack instance attached
to the slave device and packets are switched to the stack instance of the
master device for the L2 processing, and routing from that instance is used
before packets are queued on the outbound device. In this mode the slaves
will neither receive nor be able to send multicast / broadcast traffic.

4.3 L3S mode:
    This is very similar to the L3 mode except that iptables (conn-tracking)
works in this mode and hence it is L3-symmetric (L3s). This has slightly lower
performance, but that shouldn't matter since you are choosing this mode over
plain L3 mode to make conn-tracking work.

5. Mode flags:
    At this time the following mode flags are available:

5.1 bridge:
    This is the default option. To configure the IPvlan port in this mode,
the user can either add this option on the command line or not specify
anything. This is the traditional mode where slaves can cross-talk among
themselves apart from talking through the master device.

5.2 private:
    If this option is added to the command line, the port is set in private
mode, i.e. the port won't allow cross communication between slaves.

5.3 vepa:
    If this is added to the command line, the port is set in VEPA mode,
i.e. the port will offload the switching functionality to the external entity
as described in 802.1Qbg.
    Note: VEPA mode in IPvlan has limitations. IPvlan uses the MAC address of
the master device, so the packets which are emitted in this mode for an adjacent
neighbor will have the same source and destination MAC address. This will make
the switch / router send a redirect message.

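Because mode and flags are chosen per master (every slave of a master runs in the same mode, section 4), a request for a new slave should be checked against what the master's existing slaves already use before anything is changed. The following is an added example, not part of the kernel documentation or the driver: it validates a request against the MODE/FLAGS sets of section 3 and reads the current mode of the master's slaves from `ip -d link show` output. The awk pattern assumes the detail-line format iproute2 prints for an ipvlan link (`ipvlan  mode l3 bridge ...`), and the sample output embedded below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the kernel documentation: check an ipvlan link
# request against the section 3 syntax and the per-master mode rule of
# sections 4 and 5 before touching anything. The mode of a master's existing
# slaves is read from `ip -d link show` output (format assumed from iproute2,
# which prints a detail line like "    ipvlan  mode l3 bridge ...").
set -eu

# ipvlan_validate_spec MODE FLAG: both must come from the documented sets.
ipvlan_validate_spec() {
    case "$1" in
        l2|l3|l3s) ;;
        *) printf 'unknown ipvlan mode: %s\n' "$1" >&2; return 1 ;;
    esac
    case "$2" in
        bridge|private|vepa) ;;
        *) printf 'unknown ipvlan flag: %s\n' "$2" >&2; return 1 ;;
    esac
}

# ipvlan_master_mode MASTER: read `ip -d link show` output on stdin and print
# "MODE FLAG" for the first ipvlan slave named "<slave>@MASTER"; print nothing
# when MASTER has no ipvlan slaves in this namespace. A missing flag on the
# detail line is reported as the default, bridge.
ipvlan_master_mode() {
    awk -v master="$1" '
        /^[0-9]+: / {                  # header line: "N: NAME@MASTER: <FLAGS> ..."
            name = $2; sub(/:$/, "", name)
            n = split(name, part, "@")
            inslave = (n == 2 && part[2] == master)
            next
        }
        inslave && $1 == "ipvlan" {    # detail line: "ipvlan  mode MODE [FLAG] ..."
            flag = ($4 == "bridge" || $4 == "private" || $4 == "vepa") ? $4 : "bridge"
            print $3, flag
            exit
        }'
}

# ipvlan_check_request MASTER MODE FLAG (stdin: `ip -d link show` output)
# Returns 0 when the request is well-formed and consistent with the mode the
# master's existing slaves already run in, 1 otherwise. Because every slave of
# a master shares one mode, a conflicting request is refused rather than applied.
ipvlan_check_request() {
    master=$1; mode=$2; flag=$3
    ipvlan_validate_spec "$mode" "$flag" || return 1
    existing=$(ipvlan_master_mode "$master")
    if [ -n "$existing" ] && [ "$existing" != "$mode $flag" ]; then
        printf '%s already has ipvlan slaves in mode "%s"; refusing "%s %s"\n' \
            "$master" "$existing" "$mode" "$flag" >&2
        return 1
    fi
    return 0
}

# Constructed sample of `ip -d link show`: eth0 already has an L3 bridge-mode
# ipvlan slave, eth1 only has a macvlan slave (which must be ignored).
SAMPLE_LINK_SHOW='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:aa:bb:cc brd ff:ff:ff:ff:ff:ff promiscuity 0
3: ipvl0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default
    link/ether 52:54:00:aa:bb:cc brd ff:ff:ff:ff:ff:ff promiscuity 0
    ipvlan  mode l3 bridge addrgenmode eui64 numtxqueues 1 numrxqueues 1
4: mv0@eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff promiscuity 0
    macvlan  mode bridge addrgenmode eui64 numtxqueues 1 numrxqueues 1'

# Demo on the sample: a request matching eth0's current mode passes, a
# conflicting one is refused. Against a live host, replace the sample with
# "ip -d link show | ipvlan_check_request eth0 l3 bridge".
printf '%s\n' "$SAMPLE_LINK_SHOW" | ipvlan_check_request eth0 l3 bridge && echo "eth0 l3 bridge: ok"
printf '%s\n' "$SAMPLE_LINK_SHOW" | ipvlan_check_request eth0 l2 vepa || echo "eth0 l2 vepa: refused"
```

The check only sees links in the namespace it runs in: once a slave has been moved into ns0 or ns1 (step (c) of the example configuration) it no longer appears in the host's `ip -d link show`, so run the check before moving slaves, or from a namespace that still holds one of the master's slaves.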
6. What to choose (macvlan vs. ipvlan)?
    These two devices are very similar in many regards and the specific use
case could very well define which device to choose. If one of the following
situations describes your use case then you can choose to use ipvlan:
    (a) The Linux host that is connected to the external switch / router has
        a policy configured that allows only one MAC per port.
    (b) The number of virtual devices created on a master exceeds the MAC
        capacity of the NIC, which puts the NIC in promiscuous mode, and the
        resulting degraded performance is a concern.
    (c) The slave device is to be put into a hostile / untrusted network
        namespace where L2 on the slave could be changed / misused.


7. Example configuration:

  +=============================================================+
  |  Host: host1                                                |
  |                                                             |
  |   +----------------------+      +----------------------+    |
  |   |  NS:ns0              |      |  NS:ns1              |    |
  |   |                      |      |                      |    |
  |   |                      |      |                      |    |
  |   |        ipvl0         |      |         ipvl1        |    |
  |   +----------#-----------+      +-----------#----------+    |
  |              #                              #               |
  |              ################################               |
  |                              # eth0                         |
  +==============================#==============================+


    (a) Create two network namespaces - ns0, ns1
        ip netns add ns0
        ip netns add ns1

    (b) Create two ipvlan slaves on eth0 (master device)
        ip link add link eth0 name ipvl0 type ipvlan mode l2
        ip link add link eth0 name ipvl1 type ipvlan mode l2

    (c) Assign slaves to the respective network namespaces
        ip link set dev ipvl0 netns ns0
        ip link set dev ipvl1 netns ns1

    (d) Now switch to the namespace (ns0 or ns1) to configure the slave devices
        - For ns0
            (1) ip netns exec ns0 bash
            (2) ip link set dev ipvl0 up
            (3) ip link set dev lo up
            (4) ip -4 addr add 127.0.0.1 dev lo
            (5) ip -4 addr add $IPADDR dev ipvl0
            (6) ip -4 route add default via $ROUTER dev ipvl0
        - For ns1
            (1) ip netns exec ns1 bash
            (2) ip link set dev ipvl1 up
            (3) ip link set dev lo up
            (4) ip -4 addr add 127.0.0.1 dev lo
            (5) ip -4 addr add $IPADDR dev ipvl1
            (6) ip -4 route add default via $ROUTER dev ipvl1
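The four steps above as one script, an added example that is not part of the kernel documentation. It keeps the documented order (namespaces, slaves, move, configure), gives both slaves the same mode because the mode belongs to the master, and replaces the interactive `ip netns exec NS bash` with `ip netns exec NS ip ...` so each command runs in the right namespace non-interactively. The DRY_RUN variable, the `run` helper and the 192.0.2.0/24 addresses are this example's own assumptions and constructed values; with the default DRY_RUN=1 the script only prints the plan, and it needs root with DRY_RUN=0 to apply it.

```shell
#!/bin/sh
# Added example, not part of the kernel documentation: the example
# configuration above as a script, in the documented order (a) namespaces,
# (b) slaves, (c) move, (d) configure. DRY_RUN=1 (the default) prints each
# command instead of running it, so the plan can be reviewed; run with
# DRY_RUN=0 as root to apply it.
set -eu

DRY_RUN=${DRY_RUN:-1}

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ipvlan_slave_create MASTER SLAVE MODE [FLAG]: step (b), section 3 syntax.
# The mode is a property of the master and applies to all of its slaves, so
# every slave created on MASTER must be given the same MODE.
ipvlan_slave_create() {
    run ip link add link "$1" name "$2" type ipvlan mode "$3" "${4:-bridge}"
}

# ipvlan_ns_attach NS SLAVE ADDR/PREFIX ROUTER: steps (c) and (d) for one
# namespace. "ip netns exec NS ip ..." replaces the interactive
# "ip netns exec NS bash" of the text; lo gets 127.0.0.1/8 from the kernel
# when it is brought up, so the explicit loopback address step is not repeated.
ipvlan_ns_attach() {
    ns=$1; slave=$2; addr=$3; router=$4
    run ip link set dev "$slave" netns "$ns"
    run ip netns exec "$ns" ip link set dev "$slave" up
    run ip netns exec "$ns" ip link set dev lo up
    run ip netns exec "$ns" ip -4 addr add "$addr" dev "$slave"
    run ip netns exec "$ns" ip -4 route add default via "$router" dev "$slave"
}

# ipvlan_topology MASTER MODE ROUTER ADDR0 ADDR1: the two-namespace picture
# above (host1 with ns0/ipvl0 and ns1/ipvl1 hanging off the master).
ipvlan_topology() {
    master=$1; mode=$2; router=$3; addr0=$4; addr1=$5
    run ip netns add ns0                                  # (a)
    run ip netns add ns1
    ipvlan_slave_create "$master" ipvl0 "$mode"           # (b)
    ipvlan_slave_create "$master" ipvl1 "$mode"
    ipvlan_ns_attach ns0 ipvl0 "$addr0" "$router"         # (c)+(d) for ns0
    ipvlan_ns_attach ns1 ipvl1 "$addr1" "$router"         # (c)+(d) for ns1
}

# Example run with constructed addresses from the 192.0.2.0/24 documentation
# range; with DRY_RUN=1 this only prints the 14 commands that would be executed.
ipvlan_topology eth0 l2 192.0.2.1 192.0.2.10/24 192.0.2.11/24
```

Reviewing the printed plan before applying it is the point of the dry run: the namespace names, the master, and the mode appear in every line, so a slave accidentally created with a different mode from its sibling (which would change the mode for the whole master) is visible before any link exists.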