Bridge related

Overview

• Virtual switching technologies and Linux bridge

bridge and iptables

• ebtables/iptables interaction on a Linux-based bridge
• Bridge-nf Frequently Asked Questions
• Iptables - Bridge and Forward chain

bridge and containers

• Host bridge & NAT bridge

Host bridge将Host的物理NIC eth0作为bridge的端口，容器（虚拟机）看上去就像一台物理机（相同的IP网络），可以直接 与外部通信。NAT bridge不会将Host的物理NIC eth0作为bridge的端口，只用连接内部私有的容器（虚拟机）网络， 容器（虚拟机）不能直接与外部通信，需要通过Host的eth0进行DNAT/SNAT。

VLAN/MacVLAN/IPVLAN

VLAN

Overview

• VLANs on Linux

VLAN的主要优点: (1)广播域被限制在一个VLAN内,节省了带宽,提高了网络处理能力。 (2)增强局域网的安全性:VLAN间不能直接通信,即一个VLAN内的用户不能和其它VLAN内的用户直接通信,而需要通过路由器或三层交换机等三层设备。 (3)灵活构建虚拟工作组:用VLAN可以划分不同的用户到不同的工作组,同一工作组的用户也不必局限于某一固定的物理范围,网络构建和维护更方便灵活。

• 802.1Q VLAN implementation for Linux

• Create VLAN device

# ip link add link eth0 name eth0.11 type vlan id 11  ### vconfig add eth0 11
# ip a
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:56:2b:94:78 brd ff:ff:ff:ff:ff:ff
    inet 172.16.213.128/24 brd 172.16.213.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe2b:9478/64 scope link 
       valid_lft forever preferred_lft forever
4: eth0.11@eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN 
    link/ether 00:50:56:2b:94:78 brd ff:ff:ff:ff:ff:ff
# ip -d link show eth0.11
4: eth0.11@eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN 
    link/ether 00:50:56:2b:94:78 brd ff:ff:ff:ff:ff:ff
    vlan id 11 <REORDER_HDR> 

注意：VLAN设备的MAC地址与eth0相同。

MacVLAN

Overview

• Linux Networking: MAC VLANs and Virtual Ethernets
• Some notes on macvlan/macvtap
• Edge Virtual Bridging

MacVLAN的实现来自EVB标准。

• Create MacVLAN

# ip link add eth0.1 link eth0 type macvlan mode bridge
# ip a
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:56:2b:94:78 brd ff:ff:ff:ff:ff:ff
    inet 172.16.213.128/24 brd 172.16.213.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe2b:9478/64 scope link 
       valid_lft forever preferred_lft forever
3: eth0.1@eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN 
    link/ether 92:57:e0:02:3e:3d brd ff:ff:ff:ff:ff:ff

# ip -d link show eth0.1
3: eth0.1@eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN 
    link/ether 92:57:e0:02:3e:3d brd ff:ff:ff:ff:ff:ff
    macvlan  mode bridge

MacVLAN and Containers

• LXC Macvlan networking
• Macvlan, Ipvlan and 802.1q Trunk Driver Notes

IPVLAN

Overview

• IPVLAN Driver HOWTO
• IPVLAN – The beginning

MacVLAN vs IPVLAN

What to choose (macvlan vs. ipvlan)?

These two devices are very similar in many regards and the specific use case could very well define which device to choose. if one of the following situations defines your use case then you can choose to use ipvlan

• (a) The Linux host that is connected to the external switch / router has policy configured that allows only one mac per port.
• (b) No of virtual devices created on a master exceed the mac capacity and puts the NIC in promiscous mode and degraded performance is a concern.
• (c) If the slave device is to be put into the hostile / untrusted network namespace where L2 on the slave could be changed / misused.

SDN

VXLAN

Overview

• VXLAN Series – Different Components – Part 1

VXLAN and containers

• Flockport labs - LXC and VXLAN

OVN

• ovn-architecture - Open Virtual Network architecture
• Introduction to OVN

OVN & Container

• Containers Support In OVN

OVS

• OVS:Documentation

OVSDB

• The Open vSwitch Database Management Protocol
• What is Open vSwitch Database or OVSDB?

NFV

• Accelerating the NFV Data Plane: SR-IOV and DPDK… in my own words
• Boosting the NFV datapath with RHEL OpenStack Platform

Neutron

• Neutron/L2-GW
• Neutron L2 Gateway + HP 5930 switch OVSDB integration, for VXLAN bridging and routing
• L2 Gateway正式发布实现二层互联

DPDK

• 在虚拟机间 NFV 应用上使用采用 DPDK 的 Open vSwitch

• Intel DPDK Step by Step instructions

• DPDK Design Tips (Part 1 - RSS)

• Understanding DPDK
• Accelerating Neutron with Intel DPDK
• DPDK Introduction

User space driver

• Device drivers in user space

DPDK & SR-IOV

• 10. I40E/IXGBE/IGB Virtual Function Driver

Netfilter

overview

• Netfilter High Availability

iptables

overview

• A Deep Dive into Iptables and Netfilter Architecture
• An IPTABLES Primer
• Building a Professional Firewall with Linux and Iptables
• Linux Configuration for NAT and Firewall

NAT

• Address Spoofing with iptables in Linux
• Linux NAT(Network Address Translation) Router Explained
• 第九章、防火墙与 NAT 服务器

Stateless NAT

• Stateless NAT with iproute2
• Stateless Floating IPs

BPF

• Dive into BPF: a list of reading material

XDP

• [PATCH RFC 0/3] xdp: Generalize XDP

Kubernetes network

• Networking in Containers and Container Clusters

• Comparison of Networking Solutions for Kubernetes

• SIG-Networking: Kubernetes Network Policy APIs Coming in 1.3

CNM & CNI

• Container networking models: navigating differences and similarities
• Why Kubernetes doesn’t use libnetwork

Loadbalance

haproxy

• Haproxy

Routing

• Software-based routers

policy routing

• Chapter 2 - Policy Routing Theory
• Overcoming Asymmetric Routing on Multi-Homed Servers
• Stateful NAT with Asymmetric Routing

BGP

GoBGP

• GoBGP – A Control Plane Evolving Software Networking

Bird

Network stack

• Navigating the Linux kernel network stack: receive path
• napi

GRO

• JLS2009: Generic receive offload

Tools

iproute2

• iproute2

• IPROUTE2 Utility Suite Howto

• ip - show / manipulate routing, devices, policy routing and tunnels

• ip-link - network device configuration

• bridge - show / manipulate bridge addresses and devices

tcpdump

• A tcpdump Primer with Examples

Blogs

• Scott Lowe
• Gal Sagie