LinuxConJapan2014_makita_0_MACVLAN.pdf
Virtual switching and Linux Bridge
Slide 1: Virtual switching technologies and Linux bridge
Toshiaki Makita, NTT Open Source Software Center
Copyright © 2014 NTT Corp. All Rights Reserved.
Slide 2: Today's topics
• Virtual switching technologies in Linux
  • Software switches (bridges) in Linux
  • Switching technologies for KVM environment
  • Performance of switches
• Userland APIs and commands for bridge
• Introduction to recent features of bridge (and others)
  • FDB manipulation
  • VLAN filtering
  • Learning/flooding control
• Features under development
  • 802.1ad (Q-in-Q) support for bridge
  • Non-promiscuous bridge
Slide 3: Who is Toshiaki Makita?
• Linux kernel engineer at NTT Open Source Software Center
  • Technical support for NTT group companies
• Active patch submitter on kernel networking subsystem
  • bridge, etc.
Slide 4: Software switches in Linux
• Linux has 3 types of software switches
  • bridge
  • macvlan
  • Open vSwitch
Slide 5: bridge
• HW switch like device (IEEE 802.1D)
  • Has FDB (Forwarding DB), STP (Spanning tree), etc.
• Uses promiscuous mode, which allows the NIC to receive all packets
  • Without promiscuous mode, a common NIC filters out unicast whose dst is not its own MAC address
  • Many NICs also filter multicast / VLAN-tagged packets by default
(Figure: without bridge, eth0 -> handler hook -> TCP/IP; with bridge, eth0 in promiscuous mode -> handler hook -> bridge (br0), and the packet is passed to the upper layer only if its dst MAC is the bridge device's)
Slide 6: macvlan
• VLAN using not 802.1Q tag but MAC address
• 4 types of mode
  • private
  • vepa
  • bridge
  • passthru
• Uses unicast filtering if supported, instead of promiscuous mode (except for passthru)
  • Unicast filtering allows the NIC to receive multiple MAC addresses
(Figure: eth0 with unicast filtering -> macvlan handler hook -> macvlan0 (MAC address A) and macvlan1 (MAC address B))
Slide 7: macvlan (private mode)
• vlan device like behavior
  • Not a bridge
• Prohibits inter-macvlan traffic (except for traffic via an external GW)
(Figure: macvlan0 (MAC address A) and macvlan1 (MAC address B) on eth0; traffic between them only via External SW and External GW)
Slide 8: macvlan (vepa mode)
• Similar to private mode
• Allows traffic between macvlans (via external SW)
(Figure: macvlan0 (MAC address A) and macvlan1 (MAC address B) on eth0; traffic between them is reflected by the External SW)
Slide 9: macvlan (bridge mode)
• Lightweight bridge
  • No source learning
  • No STP
  • Only one uplink
• Allows traffic between macvlans (via macvlan stack)
(Figure: macvlan0 (MAC address A) and macvlan1 (MAC address B) on eth0; traffic between them stays inside the macvlan stack, External SW not involved)
Slide 10: macvlan (passthru mode)
• Allows only one macvlan device
• Used for VM (as macvtap)
• Promiscuous
  • allows VM to use any MAC address / vlan device
(Figure: single macvlan0 (MAC address A) on eth0, eth0 in promiscuous mode, connected to External SW)
Slide 11: Open vSwitch
• Supports OpenFlow
  • Can be used as a normal switch as well
• Has many features (VLAN tagging, VXLAN, GRE, bonding, etc.)
• Flow based forwarding
• Control plane in user space
  • flow miss-hit causes upcall to userspace daemon
(Figure: data plane in kernel: eth0 / eth1 in promiscuous mode -> handler hook -> openvswitch datapath with flow table (cache); control plane in user space: ovs-vswitchd daemon holding the flow table and FDB, receiving upcalls and talking to the OpenFlow controller)
Slide 12: Switching technologies for KVM
• Software switches
  • bridge
  • macvlan
  • Open vSwitch
• Hardware switch
  • NIC embedded switch (in SR-IOV device)
Slide 13: bridge with KVM
• Used with tap device
• Tap device
  • packet transmission -> file read
  • file write -> packet reception
(Figure: kernel: eth0 - bridge - tap0 - vfs; qemu/vhost reads/writes the tap fd on behalf of Guest eth0)
Slide 14: macvtap (private, vepa, bridge) with KVM
• macvtap
  • tap-like macvlan variant
  • packet reception -> file read
  • file write -> packet transmission
(Figure: kernel: eth0 - macvlan - macvtap0 / macvtap1; each macvtap fd is read/written by a qemu/vhost instance on behalf of its Guest eth0)
Slide 15: macvtap (passthru) with KVM
• macvtap passthru mode
  • PCI-passthrough like mode
  • Guest can exclusively use physical device
  • Guest can use any MAC address / vlan interface
  • Guest can use promiscuous mode
• Other modes use unicast filtering
  • Do not allow receiving any MAC address except the macvtap device's
  • Do not allow VLAN-tagged packets if the NIC has the VLAN filtering feature
(Figure: kernel: eth0 in promiscuous mode - macvlan - macvtap0; qemu/vhost reads/writes the fd on behalf of Guest eth0)
Slide 16: Open vSwitch with KVM
• Configuration is the same as bridge
  • used with tap device
(Figure: kernel: eth0 - openvswitch - tap0 - vfs; qemu/vhost reads/writes the tap fd on behalf of Guest eth0)
Slide 17: NIC embedded switch (SR-IOV)
• SR-IOV
  • In addition to the normal PCI physical function (PF), allows adding lightweight virtual functions (VFs)
  • VF appears as a network interface (eth0_0, eth0_1...)
• Some SR-IOV devices have switches in them
  • allow PF-VF / VF-VF communication
(Figure: SR-IOV supported NIC with an embedded switch; PF appears as eth0, VFs as eth0_0 and eth0_1 in the kernel)
Slide 18: NIC embedded switch (SR-IOV)
• SR-IOV with KVM
  • Use PCI-passthrough to attach VF to guest
(Figure: SR-IOV supported NIC with embedded switch; PF eth0 stays in the kernel, VFs eth0_0 and eth0_1 are attached via qemu to two Guests)
Slide 19: NIC embedded switch (SR-IOV)
• SR-IOV with KVM
  • Or use macvtap (passthru)
  • migration-friendly
(Figure: SR-IOV supported NIC with embedded switch; VFs eth0_0 and eth0_1 each carry a passthru macvtap0 / macvtap1 whose fd is read/written by qemu/vhost on behalf of a Guest eth0)
Slide 20: Performance of switches
• Environment
• Test results
  • Throughput
  • Overhead on host
Slide 21: Performance: environment
• kernel 3.14.4 (2014/5/13 Release)
• Host: Xeon E5-2407 4 core * 2 socket
• NIC: 10GbE, Intel 82599 chip (ixgbe)
• Guest: 2 core *1
• HW Switch: BLADE G8124
• Benchmark tool: netperf-2.6
  • UDP_STREAM test (1518 byte frame length)
(Figure: netperf on one host -> 82599 -> BLADE G8124 -> 82599 -> host running bridge etc. -> guest running netserver; UDP packets)
*1: Pinning on host: vcpus -> CPU0~3, vhost -> CPU1. NIC irq affinity on host: 0x1 (CPU0). Pinning on guest: netserver process -> CPU1. NIC irq affinity on guest: 0x1 (CPU0).
Slide 22: Performance: throughput
• Receive throughput on guest
  • SR-IOV (PCI-passthrough) has the highest performance
  • Software switches are 6%~14% worse than SR-IOV (PCI-passthrough)
(Figure: bar chart, Throughput (Gbps), axis 0 to 7)
Slide 23: Performance: Overhead on host
• Overhead (CPU usage) on host
  • SR-IOV (PCI-passthrough) has the lowest overhead
    • CPU usage by system and irqs is close to 0
  • CPU usage by macvtap is 24~29% lower than bridge / Open vSwitch
(Figure: two bar charts of CPU usage (%): one split into user / system / hardirq / softirq, axis 0 to 350; one split into vcpu0 / vcpu1 / vhost, axis 0 to 250)
Slide 24: Userland APIs and commands (bridge)
• Various APIs
  • ioctl
  • sysfs
  • netlink
• Netlink is preferred for new features
  • Because it is extensible
  • sysfs is sometimes used
• Commands
  • brctl (in bridge-utils, using ioctl / sysfs)
  • ip / bridge (in iproute2, using netlink)
Slide 25: Userland APIs and commands (bridge)
• brctl
# brctl addbr <bridge> ... create new bridge
# brctl addif <bridge> <port> ... attach port to bridge
# brctl showmacs <bridge> ... show fdb entries
• These operations are now realized by netlink based commands as well (since kernel 3.0)
# ip link add <bridge> type bridge ... create new bridge
# ip link set <port> master <bridge> ... attach port
# bridge fdb show ... show fdb entries
• And recent features can only be used by netlink based commands or direct sysfs write
# bridge fdb add
# bridge vlan add
etc...
Slide 26: Recent features of bridge (and others)
• FDB manipulation
• VLAN filtering
• Learning / flooding control
Slide 27: FDB manipulation
• FDB
  • Forwarding database
• Learning: packet arrival triggers entry creation
  • Source MAC address is used with incoming port
• Flood if failed to find entry
  • Flood: deliver packet to all ports but incoming one
(Figure: packet arrives on eth0 from aa:bb:cc:dd:ee:ff; learning adds the FDB row "MAC address aa:bb:cc:dd:ee:ff, Dst eth0")
Slide 28: FDB manipulation
• FDB manipulation commands
  • Since kernel 3.0
# bridge fdb add <mac address> dev <port> master temp
# bridge fdb del <mac address> dev <port> master
(Figure: FDB row "MAC address = specified mac, Dst = specified port")
Slide 29: FDB manipulation
• What's "temp"?
# bridge fdb add <mac address> dev <port> master temp
• There are 3 types of FDB entries
  • permanent (local)
  • static
  • others (dynamically learned by packet arrival)
• "temp" means static here
• "bridge fdb"'s default is permanent
  • permanent here means "deliver to bridge device" (e.g. br0)
  • permanent doesn't deliver to specified port
(Figure: a permanent entry matching the packet delivers it to br0 itself rather than to the specified port)
Slide 30: FDB manipulation
• What's "master"?
# bridge fdb add <mac address> dev <port> master temp
• Remember this command
# ip link set <port> master <bridge> ... attach port
• "bridge fdb"'s default is "self"
  • It adds the entry to the specified port (eth0) itself!
(Figure: "master" targets the bridge the port is attached to; "self" targets the specified port)
Slide 31: FDB manipulation
• When to use "self"?
  • Some NIC embedded switches support this command
    • ixgbe, qlcnic
  • macvlan (passthru) and vxlan also support it
(Figure: SR-IOV supported NIC with embedded switch; "master" entries go to the bridge, "self" entries go to the PF eth0 / embedded switch)
Slide 32: FDB manipulation
• Example: Intel 82599 (ixgbe)
  • Someone thinks of using both bridge and SR-IOV due to the limit on the number of VFs
  • bridge puts eth0 (PF) into promiscuous mode, but...
  • Unknown MAC address from VF goes to wire, not to PF
(Figure: Intel 82599 (ixgbe) embedded switch; Guest 1 uses VF eth0_0 (MAC C) via qemu; Guest 2 (MAC A) is on a tap attached to the bridge together with eth0 (PF, MAC B) and eth1; a frame from Guest 1 with Dst. A is sent to the wire)
Slide 33: FDB manipulation
• Example: Intel 82599 (ixgbe)
  • Type "bridge fdb add A dev eth0" on host
  • Traffic to A will be forwarded to bridge
(Figure: same setup as slide 32; after the fdb entry is added to eth0 (self), the frame with Dst. A from Guest 1 goes to the PF and on to the bridge)
Slide 34: VLAN filtering
• 802.1Q Bridge
  • Filter packets according to vlan tag
  • Forward packets according to vlan tag as well as MAC address
  • Insert / strip vlan tag
(Figure: FDB row "MAC address aa:bb:cc:dd:ee:ff, Vlan 10, Dst eth0"; disallowed VLANs are filtered; VLAN tags are inserted / stripped at the ports)
Slide 35: VLAN filtering
• Ingress / egress filtering policy
  • Incoming / outgoing packet is filtered if matching filtering policy
  • Per-port per-vlan policy
  • Default is "disallow all vlans"
    • All packets are dropped
(Figure: Filtering table: Port eth0, Allowed Vlans 10 20; Port eth1, Allowed Vlans 20 30. A packet with VID 10 is allowed at eth0 ingress and disallowed at eth1 egress)
Slide 36: VLAN filtering
• PVID (Port VID)
  • Untagged (and VID 0) packet is assigned this VID
  • Per-port configuration
  • Default PVID is none (untagged packet is discarded)
• Egress policy untagged
  • Outgoing packet that matches this policy gets untagged
  • Per-port per-vlan policy
(Figure: Filtering table with columns Port, Allowed Vlans, PVID, Egress Untag; eth0 allows VLANs 10 and 20, eth1 allows 20 and 30, with VLAN 20 marked PVID and Egress Untag on both ports. An untagged packet entering eth0 gets the PVID applied (insert VID 20) and leaves eth1 untagged (strip tag 20))
Slide 37: VLAN filtering
• Commands
  • Enable VLAN filtering (disabled by default)
# echo 1 > /sys/class/net/<bridge>/bridge/vlan_filtering
  • Add / delete allowed vlan
# bridge vlan add vid <vlan_id> dev <port>
# bridge vlan del vid <vlan_id> dev <port>
  • Set pvid / untagged
# bridge vlan add vid <vlan_id> dev <port> [pvid] [untagged]
  • Dump setting
# bridge vlan show
  • Note: bridge device needs "self"
# bridge vlan add vid <vlan_id> dev br0 self
# bridge vlan del vid <vlan_id> dev br0 self
Slide 38: VLAN with KVM
• Traditional configuration
  • Use vlan devices
  • Needs bridges per vlan
  • Low flexibility
  • How many devices?
(Figure: eth0 with vlan devices eth0.10 -> br10 -> tap0 -> Guest eth0 and eth0.20 -> br20 -> tap1 -> Guest eth0)
# ifconfig -s
Iface ...
eth0
eth0.10
br10
eth0.20
br20
eth0.30
br30
eth0.40
br40
...
Slide 39: VLAN with KVM
• With VLAN filtering
  • Simple
  • Flexible
  • Only one bridge
(Figure: eth0 (vlan 10 / 20) -> br0 -> tap0 (pvid/untag vlan 10) -> Guest eth0 and tap1 (pvid/untag vlan 20) -> Guest eth0)
# ifconfig -s
Iface ...
eth0
br0
Slide 40: VLAN with KVM
• Other switches
  • Open vSwitch
    • Can also handle VLANs
# ovs-vsctl set Port <port> tag=<vid>
  • NIC embedded switch
    • Some of them support VLAN (e.g. Intel 82599)
# ip link set <PF> vf <VF_num> vlan <vid>
Slide 41: Learning / flooding control
• Limit MAC addresses guest can use
• Reduce FDB size
• Used with static FDB entries ("bridge fdb" command)
• Disable FDB learning on particular port
  • Since kernel 3.11
  • No dynamic FDB entry
• Don't flood unknown MAC to specified port
  • Since kernel 3.11
  • Control packet delivery to guests
• Commands
# echo 0 > /sys/class/net/<port>/brport/learning
# echo 0 > /sys/class/net/<port>/brport/unicast_flooding
(Figure: bridge with eth0 (learning, flooding) and tap0 / tap1 (no learning, no flooding) each leading to a qemu Guest eth0)
Slide 42: Features under development
• 802.1ad (Q-in-Q) support for bridge
• Non-promiscuous bridge
Slide 43: 802.1ad (Q-in-Q) support for bridge
• 802.1ad allows stacked vlan tags
• Outer 802.1ad tag can be used to separate customers
  • Example: Guest A, B -> Customer X; Guest C, D -> Customer Y
• Inner 802.1Q tag can be used inside customers
  • Customer X and Y can use any 802.1Q tags
(Figure: frame layout MAC | .1ad tag | .1Q tag | payload)
Slide 44: 802.1ad (Q-in-Q) support for bridge
• Bridge preserves guest .1Q tag (vid 30) when inserting .1ad tag (vid 10)
• .1ad tag will be stripped at the other end point of the .1ad network
(Figure: Guest A sends .1Q VID 30 from eth0.30 into tap0 (pvid/untag vlan 10) on the bridge in .1ad mode; eth0 carries ".1ad VID 10 + .1Q VID 30" across the .1ad network to the customer's other site, where only .1Q VID 30 remains; Guest C sits on tap1 (pvid/untag vlan 20))
Slide 45: Non-promiscuous bridge
• If there is only one learning/flooding port, the bridge can be non-promisc
  • Instead of promisc mode, unicast filtering is set for static FDB entries
• Automatically enabled if the following conditions are met
  • There is one or zero learning & flooding port
  • bridge itself is not in promiscuous mode
  • VLAN filtering is enabled
• Overhead will get closer to macvlans
(Figure: bridge with eth0 (learning, flooding, non-promisc) and tap0 / tap1 (no learning, no flooding) each leading to a qemu Guest eth0)
Slide 46: Summary
• Linux has 3 types of software switches
  • bridge, macvlan (macvtap), Open vSwitch
• SR-IOV NIC embedded switch can also be used for KVM
• Bridge's recent features
  • FDB manipulation
  • VLAN filtering
  • Learning / Flooding control
• Features under development
  • 802.1ad (Q-in-Q) support
  • Non-promiscuous bridge
Slide 47: Thank you for listening. Any questions?