
I am working on a thesis research project, and I am having some difficulty figuring out how to make one NIC spawn several "bridge" interfaces such that each KVM VM can be seen on the local network. I am very new to KVM, and am still exploring what it can do. Below is the scenario that I am attempting to make (on a CentOS/RHEL 6 system):

  1. Linux KVM Host has 1 NIC (eth0) connected to a switch.
  2. Create multiple "bridge" or equivalent interfaces that are spawned off of eth0 that would provide a unique IP for each VM. This is so that each VM can communicate with other hosts on the network, and that other hosts on the network can communicate with the VM.
  3. IMPORTANT: I would like iptables on the KVM host to be able to manipulate/control/restrict the traffic that would be sent on those "bridge" interfaces.
  4. I would like to create a minimum of three VMs, each using their own unique "bridge" interfaces.

I have previously made a br0 interface off of eth0, but unfortunately, I am unable to add any more to it. It appears that you can only bridge 1 interface to the NIC. I would like to bridge many to one.

Would a tap device be able to do this? If so, how would it be set up?

Effectively, I am attempting to replicate what can easily be created with VirtualBox on Windows, where each VM is given a "bridged" interface, and can live on the network. I want to achieve this very same thing with Linux KVM.

Thank You

EDIT: To be more descriptive, I want to achieve something that looks like this:

This can be found on this page: http://en.gentoo-wiki.com/wiki/KVM#Networking_2

              HOST
        +---------------+
        |               |      KVM GUEST1
        |               |   +--------------+
        |  +------+     |   |              |
 LAN ---+--- eth0 |  +--+---+---- nic0     |      KVM GUEST2
        |  | tap0----+  |   |192.168.1.13  |   +--------------+
        |  | tap1----+  |   +--------------+   |              |
        |  +------+  |  |                      |              |
        |     br0    +--+----------------------+---- nic0     |
        |192.168.1.12   |                      |192.168.1.14  |
        +---------------+                      +--------------+
Phanto

1 Answer


You create one bridge on top of eth0, and plug your VMs' virtual NICs into that bridge. Look at the bridge as a virtual hub to make the concept easier to grok.

dyasny
  • I am looking at this from the context of VirtualBox, where each VM is set to "bridged". So, basically, you only need one bridge, and each VM gets a unique IP from that? – Phanto Dec 09 '12 at 19:25
  • 2
    The bridge bridges the virtual NICs to the physical one, so the VMs end up on the same physical network as eth0 of the host. To assign IPs you need a DHCP server on this network. This is exactly how vbox's and every other "bridged" network works, the difference being, vbox sets up the bridge for you – dyasny Dec 09 '12 at 19:29
  • Would this allow me to utilize `iptables` on the host to perform individualized restrictions for each VM that is connected to the bridge? I don't want to restrict *every* VM all at once, just specific ones. – Phanto Dec 09 '12 at 19:39
  • You can play with IP or MAC rules but pushing all the bridge traffic through iptables will harm performance. It is usually better to set up firewalls inside the VMs as you see fit – dyasny Dec 09 '12 at 19:56
  • 1
    The research I am attempting to perform is to more or less "jail" the VMs, such that if they violate a pre-defined policy, the host can restrict their network access on the fly. – Phanto Dec 09 '12 at 20:06
  • 1
    That's easy - detach the tap from the bridge with `brctl` – dyasny Dec 09 '12 at 20:55
  • I am actually in the process of researching about tap devices, since I don't know anything about them. If you can add how to do that to your original answer, I will mark it as the answer. – Phanto Dec 09 '12 at 20:58
  • Please see the edited change to the original question. Thank You. – Phanto Dec 09 '12 at 21:54
  • Just read through http://en.wikibooks.org/wiki/QEMU/Networking, it should answer all the questions – dyasny Dec 10 '12 at 05:16
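The setup dyasny describes, and the two things Phanto asked about in the comments (per-VM `iptables` rules on the host, and cutting a VM off on the fly), as one added example script. This is not code from the thread, from KVM or from CentOS; it is written against the diagram in the question. Assumptions, all placeholders: the bridge is `br0` on `eth0` with the host address `192.168.1.12/24` from the diagram, the taps are `tap0`..`tap2`, qemu-kvm runs as user `qemu`, and the CentOS/RHEL 6 tools `brctl`, `tunctl` (tunctl package), `ip`, `iptables` and `sysctl` are installed. `DRY_RUN=1`, the default, prints every command instead of running it, so the script can be read and checked without root; `DRY_RUN=0 sh script.sh demo` executes it.

```shell
#!/bin/sh
# Added example, not from the thread: one bridge (br0) on eth0, one tap per
# VM plugged into br0, a per-VM host firewall rule keyed on the VM's tap,
# and a "jail" that detaches the tap from the bridge (dyasny's brctl trick).
# Assumptions: CentOS/RHEL 6 tools (brctl, tunctl, ip, iptables, sysctl);
# qemu-kvm runs as user "qemu"; the host address 192.168.1.12/24 is taken
# from the diagram in the question. All interface names are placeholders.
# DRY_RUN=1 (the default) prints each command instead of running it.
DRY_RUN=${DRY_RUN:-1}
BRIDGE=br0
NIC=eth0
HOST_ADDR=192.168.1.12/24

# Execute a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Build br0 on top of eth0. The host's IP address moves from eth0 to the
# bridge; eth0 carries no address once it is a bridge port. (The persistent
# CentOS 6 equivalent is ifcfg-br0 with TYPE=Bridge plus BRIDGE=br0 in
# ifcfg-eth0; this is the runtime version.)
make_bridge() {
    run brctl addbr "$BRIDGE"
    run ip addr flush dev "$NIC"
    run brctl addif "$BRIDGE" "$NIC"
    run ip link set "$NIC" up
    run ip addr add "$HOST_ADDR" dev "$BRIDGE"
    run ip link set "$BRIDGE" up
}

# One tap per VM, owned by the qemu user so the VM process can open it,
# plugged into the bridge. The VM is then started with something like
#   qemu-kvm ... -net nic,macaddr=52:54:00:00:00:01 \
#                -net tap,ifname=tap0,script=no,downscript=no
# (placeholder MAC; script=no because the tap is already set up here).
add_vm_tap() {
    tap=$1
    run tunctl -u qemu -t "$tap"
    run ip link set "$tap" up
    run brctl addif "$BRIDGE" "$tap"
}

# Per-VM restriction on the host. iptables only sees bridged frames when
# bridge-nf-call-iptables is on, which is the performance cost dyasny
# mentions: every frame crossing br0 then passes the FORWARD chain.
# With it on, "-m physdev --physdev-in tapN" ties a rule to one VM's port.
restrict_vm() {
    tap=$1
    dst=$2
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run iptables -I FORWARD -m physdev --physdev-in "$tap" -d "$dst" -j DROP
}

# Cut a VM off completely by unplugging its tap from the bridge; the VM
# keeps its NIC but sees a dead cable. unjail_vm plugs it back in.
jail_vm() {
    run brctl delif "$BRIDGE" "$1"
}

unjail_vm() {
    run brctl addif "$BRIDGE" "$1"
}

# Full walk-through for three guests.
demo() {
    make_bridge
    for t in tap0 tap1 tap2; do
        add_vm_tap "$t"
    done
    restrict_vm tap1 192.168.1.0/24   # guest2 cannot reach the LAN via br0
    jail_vm tap2                      # guest3 is cut off entirely
}

case "${1:-}" in
    demo) demo ;;
esac
```

`jail_vm` is the "on the fly" policy enforcement from the comments: it needs no firewall state and costs nothing for the other guests. `restrict_vm` is the finer-grained option, but turning on `bridge-nf-call-iptables` sends all bridge traffic through the host's FORWARD chain, which is the trade-off dyasny warns about; unrelated FORWARD rules on the host then apply to the guests as well.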