Reference:
https://linux-blog.anracom.com/tag/linux-bridge-linking/
https://docs.docker.com/network/bridge/
Virtual "veth" Ethernet devices are used for connecting virtual containers to virtual bridges like an Linux bridge.
"veth" comes with pair, which is used to connect between linux network namespace.
For security reason, avoid giving a Linux bridge itself an IP.
TAP:
A virtual "tap" device is a single point to point device which can be used by a program in user-space or a virtual machine to send Ethernet packets on layer 2 directly to the kernel or receive packets from it.
Limitations of standard Linux bridges:
https://linux-blog.anracom.com/tag/linux-bridge-linking/
https://docs.docker.com/network/bridge/
Virtual "veth" Ethernet devices are used for connecting virtual containers to virtual bridges like an Linux bridge.
"veth" comes with pair, which is used to connect between linux network namespace.
For security reason, avoid giving a Linux bridge itself an IP.
TAP:
A virtual "tap" device is a single point to point device which can be used by a program in user-space or a virtual machine to send Ethernet packets on layer 2 directly to the kernel or receive packets from it.
Limitations of standard Linux bridges:
- A "tap" device attached to one Linux bridge cannot be attached to another Linux bridge.
- All attached devices are switched into the promiscuous mode.
- The bridge itself (not a tap device at a port!) can get an IP address and may work as a standard Ethernet device. The host can communicate via this address with other guests attached to the bridge.
- You may attach several physical Ethernet devices (without IP !) of the host to a bridge - each as a kind of "uplink" to other physical switches/hubs and connected systems. With the spanning tree protocol activated all physical systems attached to the network behind each physical interface may communicate with physical or virtual guests linked to the bridge by other physical interfaces or virtual ports.
- Properly configured the bridge transfers packets directly between two specific bridge ports related to the communication stream of 2 attached guests - without exposing the communication to other ports and other guests. The bridge may learn and update the relevant association of MAC addresses to bridge ports.
- The virtual bridge device itself - in its role as an Ethernet device - does not work in promiscuous mode. However, packets arriving through one of its ports for (yet) unknown addresses may be flooded to all ports.
- You cannot bridge a Linux bridge directly by or with another Linux bridge (no Linux bridge cascading). You can neither connect a Linux bride to another Linux bridge via a "tap" device.
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.