Linux Bridge and Virtual Networking

Software defined networking (SDN) is the current wave sweeping the networking industry. And one of the key enablers of SDN is virtual networking. While SDN and virtual networking are in vogue these days, the support for virtual networking is not a recent development. And Linux bridge has been the pioneer in this regard.

Linux Bridge – The Basics

Virtual networking requires a virtual switch inside a server/hypervisor. Even though it is called a bridge, the Linux bridge is really a virtual switch, and it is used with the KVM/QEMU hypervisor. Linux Bridge is a kernel module, first introduced in the 2.2 kernel (circa 2000), and it is administered using the brctl command on Linux.

The Simple Use Case

Now we will delve a bit more into Linux bridge by looking at a very basic use case. Let us say that you want to create a VM on your KVM-enabled Linux server (host). Among other things, this VM will be configured with one virtual NIC. In order to give Internet connectivity to this VM, we will have to associate the virtual NIC of the VM to the physical NIC of the server. This association is facilitated by the Linux bridge. Here is a picture of what we want to accomplish:

Simple Use Case for Linux Bridge

The above picture is based on my home Ubuntu laptop running KVM. I am using the wireless connection so that the laptop itself has network connectivity. But to illustrate the Linux bridge capability, I will create a VM and associate it to the wired NIC port on the same laptop. The newly created VM will get its IP address etc. (via DHCP) from the router in the middle.

Step-by-step guide

Step – 1: The first step is to create a Linux bridge using the brctl command. Note: for more ways to create Linux bridges (depending on your distro), check this out.

Step – 2: The next step is to associate the physical NIC of the server (eth0) to this bridge. Note: prior to this step, ensure that the physical NIC does not have any IP address configured.

At the end of these two steps, the network configuration would look something like this. Note that the kvmbr0 Linux bridge has only one interface at this time (eth0).

Linux Bridge Interface Config Sample
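
Steps 1 and 2 written out as commands, as an added example that is not part of the original post. The names kvmbr0 and eth0 come from the article; the address check, the link-up commands and the --apply switch are assumptions of this sketch, and by default it only builds the command list.

```shell
#!/bin/sh
# Added example (not from the article): Steps 1 and 2 as commands.
# kvmbr0 and eth0 are the article's names; the rest is an assumption.
BRIDGE=kvmbr0
NIC=eth0

# Constructed sample of `ip -o addr show dev eth0 scope global` output
# for a NIC that still has an address configured.
SAMPLE_ADDR='2: eth0    inet 192.168.1.23/24 brd 192.168.1.255 scope global eth0'

# has_global_addr TEXT: succeeds if TEXT (output of the ip command above)
# lists at least one IPv4 or IPv6 address.
has_global_addr() {
    printf '%s\n' "$1" | grep -Eq '(^| )inet6? '
}

# bridge_plan TEXT: print the commands for Steps 1-2, one per line.
# Refuses (status 1) while the NIC still carries an address, which is the
# precondition the article gives for Step 2.
bridge_plan() {
    if has_global_addr "$1"; then
        echo "refusing: $NIC still has an IP address configured" >&2
        return 1
    fi
    echo "brctl addbr $BRIDGE"          # Step 1: create the bridge
    echo "brctl addif $BRIDGE $NIC"     # Step 2: attach the physical NIC
    echo "ip link set dev $NIC up"      # not in the article: links must be up
    echo "ip link set dev $BRIDGE up"   # a newly created bridge starts down
    echo "brctl show"                   # confirm eth0 is listed under kvmbr0
}

# Live use, as root:  sh bridge_setup.sh --apply
# Without --apply nothing on the host is changed.
if [ "${1:-}" = "--apply" ]; then
    plan=$(bridge_plan "$(ip -o addr show dev "$NIC" scope global)") || exit 1
    printf '%s\n' "$plan" | sh -ex
fi
```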

Step – 3: The next step is to create a Virtual Machine and ensure that it uses the Linux bridge created above for the virtual networking. For this blog, I will demonstrate this step using “Virtual Machine Manager” (VMM) which is a GUI for libvirt. Here is a screenshot on how you can associate the Linux Bridge to a VM.

Associate Linux Bridge to a VM

Once the virtual machine is created and booted up, you will see that the virtual machine has external network connectivity.

Let us connect the interfaces

The output of the brctl show command shows that there is another interface on the kvmbr0 Linux bridge. This interface, vnet0, is a virtual interface created by libvirt (VMM), as seen in the screenshot here. This virtual interface is also called a tap interface. You can see from the ps command that the KVM/QEMU command that started the VM uses a tap interface as a network device. More about this in the next post.

Linux Bridge with Virtual Interface
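
A way to check from a script which interfaces sit on the bridge, as an added example that is not part of the original post. It parses the multi-row layout of brctl show and reports ports that are not on an expected list; the sample output and its bridge ids are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article). Constructed sample of `brctl show`
# output after the VM has booted; the bridge ids are made up.
SAMPLE_BRCTL_SHOW='bridge name     bridge id               STP enabled     interfaces
kvmbr0          8000.0021ccd3a1f4       no              eth0
                                                        vnet0
virbr0          8000.000000000000       yes'

# bridge_ports BRIDGE: read `brctl show` text on stdin, print BRIDGE's ports.
# A bridge row has 3 fields (no ports) or 4 (first port); each further port
# sits alone on a continuation row.
bridge_ports() {
    awk -v br="$1" '
        NR == 1 { next }                                   # header row
        NF >= 3 { cur = $1; if (NF >= 4 && cur == br) print $4; next }
        NF == 1 && cur == br { print $1 }                  # continuation row
    '
}

# unexpected_ports BRIDGE "ALLOWED...": ports on BRIDGE missing from the
# space-separated allowlist. Reads `brctl show` text on stdin.
unexpected_ports() {
    allowed=" $2 "
    bridge_ports "$1" | while IFS= read -r port; do
        case "$allowed" in
            *" $port "*) ;;
            *) echo "$port" ;;
        esac
    done
}

# Live use:  brctl show | unexpected_ports kvmbr0 "eth0 vnet0"
printf '%s\n' "$SAMPLE_BRCTL_SHOW" | unexpected_ports kvmbr0 "eth0"   # prints vnet0
```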

Now, just like you connect an Ethernet (RJ-45) cable from a physical NIC to a port (interface) on a physical switch, the VM’s virtual NIC is connected to this virtual tap interface on the Linux bridge. The screenshot below highlights the relationship between the VM’s virtual NIC and the Linux Bridge tap interface.

  1. The first thing to notice is the similarity between the MAC address of vnet0 (on the host server) and that of eth0 (the virtual NIC in the VM).
  2. The next giveaway is the data transmitted and received on each of the interfaces. Since there is a direct 1-1 relationship, the TX bytes of the VM NIC match the RX bytes of vnet0, and vice versa.
  3. Finally, we can see that the Virtual NIC has been configured with IP address and gateway etc. This configuration is done using the DHCP server on my physical router. This implies that virtual NIC has external network connectivity.

VM NIC to Tap Interface relationship

To summarize:

  • We created a Linux bridge and added a physical NIC interface of the host.
  • Then while creating a VM, we specified the Linux bridge to be used for virtual networking.
  • The Virtual Machine Manager (libvirt GUI) did some behind-the-scene work to associate the Virtual NIC to the Linux bridge and in turn to the Physical NIC.
  • We then observed how the VM’s virtual NIC is associated to the virtual tap interface on the host. And how the tap interface is added to the Linux bridge.
  • This shows that the traffic will flow from the VM’s virtual NIC to the vnet0 tap interface, then onto the Linux bridge (virtual switch) which will send it out on the other virtual switch interface (eth0) on the host.

In the next blog post, we will understand what happened behind the scenes.

  • Xiang

    nice article!

  • Junwei Nie

    Hi, Sriram:

    For “1 The first thing to notice is the similarities in the MAC address of vnet0 (on the host server) and the eth0 (virtual NIC in the VM).” part, why are these two MAC addresses not the same?

    Thanks !

    • If you look at a physical setup, you have an ethernet port on your computer. That has a MAC address – this is equivalent to the virtual NIC MAC for a VM. In a physical setup, you will use a cable to connect the computer NIC to a ‘switch’ port. That switch port also needs to have a MAC which will be different from the computer MAC address. Similarly, the vnet0 (on the virtual switch) will be different from the virtual NIC MAC address.

  • aborrell

    Thanks for your excellent tutorial series on virtual networks. I’m using your material for teaching to manage vm connectivity.

    • Thanks. If you have any other topics that you would like me to research and blog, then please let me know.

  • Saurav

    Very nice article Sir. Hope you will continue with more articles on virtualization, especially on OpenStack.

  • Kumar Vikas

    Wondering if you published your next blog where you said that you’ll be covering what goes behind the scene.

  • Marco Reale

    Hi, Sriram

    I set up a virtual lab with some esxi hosts running within vmware workstation; there are many networks (vmotion, management etc…) and some vm running on nested esxi hosts. Now I would like to simulate a disaster recovery using solutions like vmware site recovery manager or VSAN but the main requirement is a “layer2 stretched lan” (in order to have the ability to maintain the same ip address). Now the question is: how to simulate a layer2 connection between siteA and siteB (that in my lab would be another couple of esxi hosts)? Reading your blog I thought that a possible solution could be using 2 linux vm (one per site) acting as bridge with an interface acting as the uplink between remote site (in a physical real world could be fiber) and the other networks put in bridged mode.
    The schema would be:

    eth0/eth1——bridge(SITEA)——wan——bridge(SITEB)——eth0/eth1

    What do you think?

  • iqra

    Hi, Sriram sir

    I found your blog very informative and helpful. I am working on virtual honeynets in KVM and I have never used KVM before nor any experience of linux networking. I am facing some problems related to its deployment. I want to deploy the topology shown in fig. I have one physical NIC (eth0) in my system and I cannot understand how the 3 VMs in the diagram will route the packets and communicate and how I select their interfaces. Can you please help me regarding this?
    Thanks,

    • Hi Iqra

      I am not able to see the topology you are referring to. But if you see my post, I also have only one NIC (eth0). You will need to create a bridge (linux bridge) so that VMs can share the single NIC.

    • iqra

      Thank you so much for responding Sir.
      I actually was referring to this figure related to honeynet. I want to deploy this topology of honeynet in KVM but can't get through its interfaces configuration.
      Thanks,

      • Hi Iqra

        The Honeynet Topology requires servers with multiple interfaces. If you have only one NIC card/port, you will have to create multiple sub-interfaces. But not sure if Linux bridge allows different sub-interfaces on different bridges. Another alternative is to use VLAN to segment traffic for different subnets.

        Other than this, I am not aware of any mechanism to do this with single NIC interface.

        • iqra

          Hi Sir,
          Thanks for considering my question.
          Actually I have two network interfaces eth0 and eth1.
          Problem I am facing is to implement transparent bridge i.e. interface 1 and 2 of honeywall (referring to above mentioned figure) as these interfaces should not have IP address as attacker should not know the presence of honeywall between honeypots.
          If I choose some br0 for interface 1, it will assign IP to this address. If I choose “Host device eth0:macvtap” it will also assign IP address to it. Is there any method to implement these interfaces without IP address?

  • Ashish

    What happens if I don’t have the “wlan0” wireless interface and “eth0” is the only interface for connecting to the outside world from my laptop?
    Can I assign an IP address to eth0 after it has been added to the “kvmbr0”?

    • Once an interface is added to a linux bridge – you should assign the interface IP address to the bridge to make it reachable.

      • Ashish

        Yes, it works when I assign the interface IP to the bridge interface (kvmbr0).
        Just wondering why “eth0” is not usable from the host.

        Thanks a lot for the clarification!

        • When you bind the interface to the bridge – the forwarding from L2 to L3 layers happens on the bridge. So the IP Address (L3) needs to be on the bridge.

          • Ashish

            Thanks !

  • Jay

    great article, thanks a lot

  • Rashid

    God bless you man!

  • jamesjue

    Does the host machine lose connection through eth0 in this case?

    • Yes. But you can restore the connection by assigning the IP address to the Linux bridge instead of the eth0 interface.

      • Văn Đức Nguyễn

        Sorry, can you tell me how to assign the IP address to the Linux bridge? Thank you!