2. Introduction
● macvlan and ipvlan expose the underlying host's interfaces directly to VMs or containers.
● Neither uses a bridge.
● Both are implicitly network-namespace aware.
● Traditionally we have used the Linux bridge to give VMs access to the outside network or the default gateway; now you don't need that extra NATing overhead.
● Lightweight and fast.
3. ● There are normally two ways to connect VMs or containers to an external network: overlay and underlay.
○ Overlay uses VXLAN, NVGRE, etc., with extra encapsulation.
○ Underlay uses the Linux bridge, ipvlan or macvlan, exposing the guest directly on the host's external network.
○ The macvlan and ipvlan implementations are far more lightweight than the traditional Linux bridge.
4. Linux Bridge
● Acts like a physical Layer-2 switch.
● It has MAC learning capabilities.
● All the VMs or containers connect to this bridge/switch.
● For external connectivity, traffic from all of them is NATed.
5. macvlan
● macvlan allows a single interface to have multiple MAC and IP addresses using macvlan sub-interfaces.
● This is different from creating VLAN sub-interfaces on a physical interface, where every sub-interface belongs to a different Layer-2 domain; with macvlan, every sub-interface has its own MAC address.
6. ● macvlan was in use with LXC containers before Docker support was introduced.
● Each interface has a different MAC address and is exposed directly on the underlay network.
● This helps people who want to use their existing network infrastructure with containers and VMs.
7. ● A macvlan interface only sees traffic whose destination MAC address matches the interface's own MAC address.
● macvlan has 4 modes: private, bridge, passthrough and VEPA (Virtual Ethernet Port Aggregator).
○ The commonly used one is macvlan bridge mode, because it lets containers or VMs on the same host talk to each other without the packet leaving the host.
○ Bridge mode works like a traditional bridge but removes the need for learning and STP; learning is not needed because it already knows the MAC addresses of its sub-interfaces.
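The following script is an added example, not part of the original slides: it brings up two bridge-mode macvlan children on a host uplink, hands each to its own network namespace, and checks that every child contributes its own MAC address on the uplink (the property slides 5 to 7 rely on). The uplink name eth0, the namespace names, the 192.0.2.0/24 addresses and the sample `ip -o link` output are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the slides): two macvlan children in bridge mode,
# each in its own network namespace. eth0, the namespace names and the
# 192.0.2.0/24 addresses are assumptions. Commands are only printed by
# default; run with APPLY=1 as root to execute them.

run() {
  if [ "${APPLY:-0}" = "1" ]; then
    "$@"
  else
    printf '%s\n' "$*"
  fi
}

# macvlan_child MASTER NAME NETNS CIDR
# One bridge-mode child per guest: its own MAC on the uplink, its own L3
# address, and bridge mode so children on the same host reach each other
# without the frame leaving the host.
macvlan_child() {
  master=$1; name=$2; ns=$3; cidr=$4
  run ip netns add "$ns"
  run ip link add "$name" link "$master" type macvlan mode bridge
  run ip link set "$name" netns "$ns"
  run ip -n "$ns" addr add "$cidr" dev "$name"
  run ip -n "$ns" link set "$name" up
}

# unique_mac_count: count distinct link-layer addresses in `ip -o link`-style
# output read from stdin. Every macvlan child must contribute its own MAC, so
# the count should equal 1 (uplink) + number of children.
unique_mac_count() {
  awk '{ for (i = 1; i < NF; i++) if ($i == "link/ether") macs[$(i+1)] = 1 }
       END { n = 0; for (m in macs) n++; print n }'
}

# Constructed sample of what `ip -o link` shows for the uplink plus two
# children (the MACs are made up; real ones are generated by the kernel).
SAMPLE_MACVLAN_LINKS='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP link/ether 02:42:ac:11:00:01 brd ff:ff:ff:ff:ff:ff
3: mvl0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP link/ether 02:42:ac:11:00:0a brd ff:ff:ff:ff:ff:ff
4: mvl1@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP link/ether 02:42:ac:11:00:0b brd ff:ff:ff:ff:ff:ff'

macvlan_child eth0 mvl0 ns-web 192.0.2.10/24
macvlan_child eth0 mvl1 ns-db  192.0.2.11/24
printf 'distinct MACs on the uplink: %s\n' \
  "$(printf '%s\n' "$SAMPLE_MACVLAN_LINKS" | unique_mac_count)"
```

On a real host, feed `ip -o link` (and `ip -n <ns> -o link` for each namespace) into `unique_mac_count` to confirm the switch port will see one MAC per child; a count lower than expected means a child is reusing an address and will not receive its frames.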
8. ipvlan
● Conceptually similar to macvlan, but works at Layer 3.
● Unlike macvlan, there are no unique MAC addresses; all sub-interfaces share the master's MAC.
● Can be used in scenarios where the number of MAC addresses per port is restricted.
● Right now the supported modes are l2 and l3.
9. When to use ipvlan over macvlan?
● The two are very similar in many regards, and the specific use case may well decide which device to choose. Prefer ipvlan when:
○ The external switch / router the Linux host is connected to has a policy that allows only one MAC per port.
○ The number of virtual devices created on a master exceeds the NIC's MAC capacity, putting the NIC into promiscuous mode, and the resulting performance degradation is a concern.
○ The slave device is to be placed into a hostile / untrusted network namespace where the L2 configuration of the slave could be changed / misused.
10. When to use macvlan over ipvlan?
● When you have a common DHCP server, macvlan should be used, because DHCP needs a unique MAC address for each IP address.
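As an added example (not part of the original slides), the script below creates ipvlan children in l2 or l3 mode, rejecting any other mode as slide 8 lists only those two, and encodes the decision rules of slides 9 and 10 in a `pick_driver` function that can be run against a host inventory. The uplink name eth0, the namespace names and the 198.51.100.0/24 addresses are assumptions; the flag names and the `conflict` outcome (a shared DHCP server demands unique MACs that the port, NIC or trust model cannot carry) are this example's own.

```bash
#!/bin/sh
# Added example (not from the slides): ipvlan children plus the slides'
# macvlan-vs-ipvlan decision as a scriptable function. eth0, the namespace
# names and the 198.51.100.0/24 addresses are assumptions. Commands are only
# printed by default; run with APPLY=1 as root to execute them.

run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# ipvlan_child MASTER NAME NETNS CIDR MODE
# MODE is l2 or l3 (the only modes slide 8 lists). The child reuses the
# master's MAC, so the uplink keeps presenting a single MAC and only the IP
# address distinguishes the child on the wire.
ipvlan_child() {
  master=$1; name=$2; ns=$3; cidr=$4; mode=$5
  case $mode in
    l2|l3) ;;
    *) echo "ipvlan mode must be l2 or l3, got '$mode'" >&2; return 1 ;;
  esac
  run ip netns add "$ns"
  run ip link add "$name" link "$master" type ipvlan mode "$mode"
  run ip link set "$name" netns "$ns"
  run ip -n "$ns" addr add "$cidr" dev "$name"
  run ip -n "$ns" link set "$name" up
}

# pick_driver DHCP_SHARED ONE_MAC_PER_PORT CHILDREN MAC_CAPACITY UNTRUSTED_NS
# yes/no flags and counts, applied as the slides state them:
#  - a common DHCP server needs a unique MAC per lease        -> macvlan
#  - switch policy of one MAC per port                        -> ipvlan
#  - more children than the NIC's MAC filter holds (promisc)  -> ipvlan
#  - child goes to an untrusted namespace that could alter L2 -> ipvlan
#  - none of the above: macvlan in bridge mode
# "conflict" means DHCP demands macvlan while another constraint forbids it,
# so the design itself must change (e.g. static addressing).
pick_driver() {
  dhcp=$1; one_mac=$2; children=$3; capacity=$4; untrusted=$5
  needs_ipvlan=no
  if [ "$one_mac" = yes ] || [ "$children" -gt "$capacity" ] || [ "$untrusted" = yes ]; then
    needs_ipvlan=yes
  fi
  if [ "$dhcp" = yes ] && [ "$needs_ipvlan" = yes ]; then
    echo conflict
  elif [ "$dhcp" = yes ]; then
    echo macvlan
  elif [ "$needs_ipvlan" = yes ]; then
    echo ipvlan
  else
    echo macvlan
  fi
}

# Worked calls: a switch enforcing one MAC per port, and a lab with a shared
# DHCP server and an unrestricted port.
printf 'one MAC per port, static IPs:   %s\n' "$(pick_driver no yes 8 64 no)"
printf 'shared DHCP, unrestricted port: %s\n' "$(pick_driver yes no 8 64 no)"
ipvlan_child eth0 ipvl0 ns-a 198.51.100.10/24 l3
```

`pick_driver` is deliberately conservative: the untrusted-namespace rule wins even when the MAC budget is fine, because a guest that can rewrite the MAC on a macvlan slave can also impersonate other hosts on that Layer-2 segment, which ipvlan's shared MAC does not allow.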