Chapter 35. Getting started with IPVLAN
This document describes the IPVLAN driver.
35.1. IPVLAN overview
IPVLAN is a driver for a virtual network device that can be used in container environment to access the host network. IPVLAN exposes a single MAC address to the external network regardless the number of IPVLAN device created inside the host network. This means that a user can have multiple IPVLAN devices in multiple containers and the corresponding switch reads a single MAC address. IPVLAN driver is useful when the local switch imposes constraints on the total number of MAC addresses that it can manage.
35.2. IPVLAN modes
The following modes are available for IPVLAN:
In IPVLAN L2 mode, virtual devices receive and respond to Address Resolution Protocol (ARP) requests. The
netfilterframework runs only inside the container that owns the virtual device. No
netfilterchains are executed in the default namespace on the containerized traffic. Using L2 mode provides good performance, but less control on the network traffic.
In L3 mode, virtual devices process only L3 traffic and above. Virtual devices do not respond to ARP request and users must configure the neighbour entries for the IPVLAN IP addresses on the relevant peers manually. The egress traffic of a relevant container is landed on the
netfilterPOSTROUTING and OUTPUT chains in the default namespace while the ingress traffic is threaded in the same way as L2 mode. Using L3 mode provides good control but decreases the network traffic performance.
In L3S mode, virtual devices process the same way as in L3 mode, except that both egress and ingress traffics of a relevant container are landed on
netfilterchain in the default namespace. L3S mode behaves in a similar way to L3 mode but provides greater control of the network.
The IPVLAN virtual device does not receive broadcast and multicast traffic in case of L3 and L3S modes.
35.3. Overview of MACVLAN
The MACVLAN driver allows to create multiple virtual network devices on top of a single NIC, each of them identified by its own unique MAC address. Packets which land on the physical NIC are demultiplexed towards the relevant MACVLAN device via MAC address of the destination. MACVLAN devices do not add any level of encapsulation.
35.4. Comparison of IPVLAN and MACVLAN
The following table shows the major differences between MACVLAN and IPVLAN.
Uses MAC address for each MACVLAN device. The overlimit of MAC addresses of MAC table in switch might cause loosing the connectivity.
Uses single MAC address which does not limit the number of IPVLAN devices.
Netfilter rules for global namespace cannot affect traffic to or from MACVLAN device in a child namespace.
It is possible to control traffic to or from IPVLAN device in L3 mode and L3S mode.
Note that both IPVLAN and MACVLAN do not require any level of incapsulation.
35.5. Creating and configuring the IPVLAN device using iproute2
This procedure shows how to set up the IPVLAN device using iproute2.
To create an IPVLAN device, enter the following command:
~]# ip link add link real_NIC_device name IPVLAN_device type ipvlan mode l2
Note that network interface controller (NIC) is a hardware component which connects a computer to a network.
Example 35.1. Creating an IPVLAN device
~]# ip link add link enp0s31f6 name my_ipvlan type ipvlan mode l2 ~]# ip link 47: my_ipvlan@enp0s31f6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 link/ether e8:6a:6e:8a:a2:44 brd ff:ff:ff:ff:ff:ff
To assign an
IPv6address to the interface, enter the following command:
~]# ip addr add dev IPVLAN_device IP_address/subnet_mask_prefix
In case of configuring an IPVLAN device in L3 mode or L3S mode, make the following setups:
Configure the neighbor setup for the remote peer on the remote host:
~]# ip neigh add dev peer_device IPVLAN_device_IP_address lladdr MAC_address
where MAC_address is the MAC address of the real NIC on which an IPVLAN device is based on.
Configure an IPVLAN device for L3 mode with the following command:
~]# ip neigh add dev real_NIC_device peer_IP_address lladdr peer_MAC_address
For L3S mode:
~]# ip route dev add real_NIC_device peer_IP_address/32
where IP-address represents the address of the remote peer.
To set an IPVLAN device active, enter the following command:
~]# ip link set dev IPVLAN_device up
To check if the IPVLAN device is active, execute the following command on the remote host:
~]# ping IP_address
where the IP_address uses the IP address of the IPVLAN device.