[Network Virtualization] IPVlan

IPVLANs are similar to MACVLANs in that they both virtualize multiple virtual network interfaces from a single host interface. An important difference is that all virtual interfaces have the same mac address and different ip addresses.

Because all virtual interfaces share a mac address, there are some things to keep in mind.

• The DHCP protocol generally uses the mac address as the machine identifier when assigning an ip. In this case, the client needs to configure a unique ClientID field when dynamically acquiring the ip, and the DHCP server should be properly configured to use this field as the machine identifier instead of using the mac address

Ipvlan is a relatively new feature of the linux kernel. The linux kernel started to support ipvlan in 3.19, but the recommended version is >=4.2 (because of a bug in docker support for previous versions), see the kernel directory for the code: /drivers/net/ipvlan/.

Working mode

A simple way to create an ipvlan is

1

$ ip link add link <master-dev> <slave-dev> type ipvlan mode { l2 | L3 }

L2 mode

ipvlan L2 mode works very similar to macvlan bridge mode in that the parent interface acts as a switch to forward data from the child interfaces. Sub-interfaces of the same network can forward data through the parent interface, while if they want to send to other networks, the messages will be forwarded out through the parent interface’s route.

L3 mode

ipvlan functions a bit like a router, it does the job of routing and forwarding different network messages between each virtual network and the host network. As long as the parent interface is the same, virtual machines/containers can ping each other even if they are not on the same network, because ipvlan does the message forwarding in the middle.

Note that virtual interfaces in L3 mode do not receive multicast or broadcast messages (in this mode, all networks are sent to the parent interface, and all ARP processes or other multicast messages are done at the underlying parent interface). In addition, the external network is not aware of the ipvlan virtual network by default, and the ipvlan network cannot be accessed directly by the external router without configuring the corresponding routing rules on the external router.

Practice

Create IPVlan L3 mode

1
2

[root@localhost ~]#ip link add link ens224 ipvlan1 type ipvlan mode l3
[root@localhost ~]#ip link add link ens224 ipvlan2 type ipvlan mode l3

Note that the MAC addresses of ipvlan1 and ipvlan2 are the same as those of the ens224.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

[root@localhost ~]# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
   link/ether 00:0c:29:05:18:ac brd ff:ff:ff:ff:ff:ff
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
   link/ether **00:0c:29:05:18:b6** brd ff:ff:ff:ff:ff:ff
4: ipvlan1@enp0s3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
   link/ether **00:0c:29:05:18:b6** brd ff:ff:ff:ff:ff:ff
5: ipvlan2@enp0s3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
   link/ether **00:0c:29:05:18:b6** brd ff:ff:ff:ff:ff:ff

Create ns binding interface

1
2
3
4

[root@localhost ~]#ip netns add net1
[root@localhost ~]#ip netns add net2
[root@localhost ~]#ip link set ipvlan1 netns net1
[root@localhost ~]#ip link set ipvlan2 netns net2

Configure IP

1
2
3
4

[root@localhost ~]#ip netns exec net1 ip addr add 10.0.2.18/24 dev ipvlan1
[root@localhost ~]#ip netns exec net2 ip addr add 10.0.3.19/24 dev ipvlan2
[root@localhost ~]#ip netns exec net1 ip link set ipvlan1 up
[root@localhost ~]#ip netns exec net2 ip link set ipvlan2 up

Add Routing

1
2

[root@localhost ~]#ip netns exec net1 route add default dev ipvlan1
[root@localhost ~]#ip netns exec net2 route add default dev ipvlan2

ping test, 2 ns can ping through each other normally, can’t ping through the host IP

catch ARP messages, the results can not catch ARP in L3 mode, indicating that layer 2 broadcast and multicast are not handled, working in L3.(This is the difference with L2 mode)

1

[root@localhost ~]#ip netns exec net1 tcpdump -ni ipvlan1 -p arp

Create L2 mode, the rest of the operation is the same as L3

1
2

# ip link add link enp0s3 ipvlan1 type ipvlan mode l2
# ip link add link enp0s3 ipvlan2 type ipvlan mode l2

The difference is that L2 can capture ARP messages in 2 ns

Summary

The external network in ipvlan L3 mode is not aware of the virtual network of ipvlan by default. If the corresponding routing rules are not configured on the external router, the network of ipvlan cannot be accessed directly by the outside.

CNI Configuration

The cni configuration format is

1
2
3
4
5
6
7
8
9

{
    "name": "mynet",
    "type": "ipvlan",
    "master": "eth0",
    "ipam": {
        "type": "host-local",
        "subnet": "10.1.2.0/24"
    }
}

It is important to note that

• Under the ipvlan plugin, the container cannot communicate with the Host network
• The host interface (i.e. master interface) cannot be the master interface of both ipvlan and macvlan

Reference https://houmin.cc/posts/d8c1414f/