Documentation/networking/ipvlan.rst

1dc2a785SMauro Carvalho Chehab.. SPDX-License-Identifier: GPL-2.0
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab===================
1dc2a785SMauro Carvalho ChehabIPVLAN Driver HOWTO
1dc2a785SMauro Carvalho Chehab===================
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho ChehabInitial Release:
1dc2a785SMauro Carvalho Chehab	Mahesh Bandewar <maheshb AT google.com>
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab1. Introduction:
1dc2a785SMauro Carvalho Chehab================
1dc2a785SMauro Carvalho ChehabThis is conceptually very similar to the macvlan driver with one major
1dc2a785SMauro Carvalho Chehabexception of using L3 for mux-ing /demux-ing among slaves. This property makes
404a5ad7SRandy Dunlapthe master device share the L2 with its slave devices. I have developed this
1dc2a785SMauro Carvalho Chehabdriver in conjunction with network namespaces and not sure if there is use case
1dc2a785SMauro Carvalho Chehaboutside of it.
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab2. Building and Installation:
1dc2a785SMauro Carvalho Chehab=============================
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho ChehabIn order to build the driver, please select the config item CONFIG_IPVLAN.
1dc2a785SMauro Carvalho ChehabThe driver can be built into the kernel (CONFIG_IPVLAN=y) or as a module
1dc2a785SMauro Carvalho Chehab(CONFIG_IPVLAN=m).
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab3. Configuration:
1dc2a785SMauro Carvalho Chehab=================
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho ChehabThere are no module parameters for this driver and it can be configured
1dc2a785SMauro Carvalho Chehabusing IProute2/ip utility.
1dc2a785SMauro Carvalho Chehab::
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab    ip link add link <master> name <slave> type ipvlan [ mode MODE ] [ FLAGS ]
1dc2a785SMauro Carvalho Chehab       where
1dc2a785SMauro Carvalho Chehab	 MODE: l3 (default) | l3s | l2
1dc2a785SMauro Carvalho Chehab	 FLAGS: bridge (default) | private | vepa
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehabe.g.
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab    (a) Following will create IPvlan link with eth0 as master in
1dc2a785SMauro Carvalho Chehab	L3 bridge mode::
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab	  bash# ip link add link eth0 name ipvl0 type ipvlan
1dc2a785SMauro Carvalho Chehab    (b) This command will create IPvlan link in L2 bridge mode::
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab	  bash# ip link add link eth0 name ipvl0 type ipvlan mode l2 bridge
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab    (c) This command will create an IPvlan device in L2 private mode::
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab	  bash# ip link add link eth0 name ipvlan type ipvlan mode l2 private
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab    (d) This command will create an IPvlan device in L2 vepa mode::
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab	  bash# ip link add link eth0 name ipvlan type ipvlan mode l2 vepa
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab4. Operating modes:
1dc2a785SMauro Carvalho Chehab===================
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho ChehabIPvlan has two modes of operation - L2 and L3. For a given master device,
1dc2a785SMauro Carvalho Chehabyou can select one of these two modes and all slaves on that master will
1dc2a785SMauro Carvalho Chehaboperate in the same (selected) mode. The RX mode is almost identical except
*a266ef69SRandy Dunlapthat in L3 mode the slaves won't receive any multicast / broadcast traffic.
1dc2a785SMauro Carvalho ChehabL3 mode is more restrictive since routing is controlled from the other (mostly)
1dc2a785SMauro Carvalho Chehabdefault namespace.
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab4.1 L2 mode:
1dc2a785SMauro Carvalho Chehab------------
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho ChehabIn this mode TX processing happens on the stack instance attached to the
1dc2a785SMauro Carvalho Chehabslave device and packets are switched and queued to the master device to send
1dc2a785SMauro Carvalho Chehabout. In this mode the slaves will RX/TX multicast and broadcast (if applicable)
1dc2a785SMauro Carvalho Chehabas well.
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab4.2 L3 mode:
1dc2a785SMauro Carvalho Chehab------------
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho ChehabIn this mode TX processing up to L3 happens on the stack instance attached
1dc2a785SMauro Carvalho Chehabto the slave device and packets are switched to the stack instance of the
1dc2a785SMauro Carvalho Chehabmaster device for the L2 processing and routing from that instance will be
1dc2a785SMauro Carvalho Chehabused before packets are queued on the outbound device. In this mode the slaves
1dc2a785SMauro Carvalho Chehabwill not receive nor can send multicast / broadcast traffic.
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab4.3 L3S mode:
1dc2a785SMauro Carvalho Chehab-------------
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho ChehabThis is very similar to the L3 mode except that iptables (conn-tracking)
1dc2a785SMauro Carvalho Chehabworks in this mode and hence it is L3-symmetric (L3s). This will have slightly less
1dc2a785SMauro Carvalho Chehabperformance but that shouldn't matter since you are choosing this mode over plain-L3
1dc2a785SMauro Carvalho Chehabmode to make conn-tracking work.
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab5. Mode flags:
1dc2a785SMauro Carvalho Chehab==============
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho ChehabAt this time following mode flags are available
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab5.1 bridge:
1dc2a785SMauro Carvalho Chehab-----------
1dc2a785SMauro Carvalho ChehabThis is the default option. To configure the IPvlan port in this mode,
1dc2a785SMauro Carvalho Chehabuser can choose to either add this option on the command-line or don't specify
1dc2a785SMauro Carvalho Chehabanything. This is the traditional mode where slaves can cross-talk among
1dc2a785SMauro Carvalho Chehabthemselves apart from talking through the master device.
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab5.2 private:
1dc2a785SMauro Carvalho Chehab------------
1dc2a785SMauro Carvalho ChehabIf this option is added to the command-line, the port is set in private
1dc2a785SMauro Carvalho Chehabmode. i.e. port won't allow cross communication between slaves.
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab5.3 vepa:
1dc2a785SMauro Carvalho Chehab---------
1dc2a785SMauro Carvalho ChehabIf this is added to the command-line, the port is set in VEPA mode.
1dc2a785SMauro Carvalho Chehabi.e. port will offload switching functionality to the external entity as
1dc2a785SMauro Carvalho Chehabdescribed in 802.1Qbg
1dc2a785SMauro Carvalho ChehabNote: VEPA mode in IPvlan has limitations. IPvlan uses the mac-address of the
1dc2a785SMauro Carvalho Chehabmaster-device, so the packets which are emitted in this mode for the adjacent
1dc2a785SMauro Carvalho Chehabneighbor will have source and destination mac same. This will make the switch /
1dc2a785SMauro Carvalho Chehabrouter send the redirect message.
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab6. What to choose (macvlan vs. ipvlan)?
1dc2a785SMauro Carvalho Chehab=======================================
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho ChehabThese two devices are very similar in many regards and the specific use
1dc2a785SMauro Carvalho Chehabcase could very well define which device to choose. if one of the following
1dc2a785SMauro Carvalho Chehabsituations defines your use case then you can choose to use ipvlan:
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab(a) The Linux host that is connected to the external switch / router has
1dc2a785SMauro Carvalho Chehab    policy configured that allows only one mac per port.
1dc2a785SMauro Carvalho Chehab(b) No of virtual devices created on a master exceed the mac capacity and
1dc2a785SMauro Carvalho Chehab    puts the NIC in promiscuous mode and degraded performance is a concern.
1dc2a785SMauro Carvalho Chehab(c) If the slave device is to be put into the hostile / untrusted network
1dc2a785SMauro Carvalho Chehab    namespace where L2 on the slave could be changed / misused.
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab6. Example configuration:
1dc2a785SMauro Carvalho Chehab=========================
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab::
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab  +=============================================================+
1dc2a785SMauro Carvalho Chehab  |  Host: host1                                                |
1dc2a785SMauro Carvalho Chehab  |                                                             |
1dc2a785SMauro Carvalho Chehab  |   +----------------------+      +----------------------+    |
1dc2a785SMauro Carvalho Chehab  |   |   NS:ns0             |      |  NS:ns1              |    |
1dc2a785SMauro Carvalho Chehab  |   |                      |      |                      |    |
1dc2a785SMauro Carvalho Chehab  |   |                      |      |                      |    |
1dc2a785SMauro Carvalho Chehab  |   |        ipvl0         |      |         ipvl1        |    |
1dc2a785SMauro Carvalho Chehab  |   +----------#-----------+      +-----------#----------+    |
1dc2a785SMauro Carvalho Chehab  |              #                              #               |
1dc2a785SMauro Carvalho Chehab  |              ################################               |
1dc2a785SMauro Carvalho Chehab  |                              # eth0                         |
1dc2a785SMauro Carvalho Chehab  +==============================#==============================+
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab(a) Create two network namespaces - ns0, ns1::
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab	ip netns add ns0
1dc2a785SMauro Carvalho Chehab	ip netns add ns1
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab(b) Create two ipvlan slaves on eth0 (master device)::
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab	ip link add link eth0 ipvl0 type ipvlan mode l2
1dc2a785SMauro Carvalho Chehab	ip link add link eth0 ipvl1 type ipvlan mode l2
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab(c) Assign slaves to the respective network namespaces::
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab	ip link set dev ipvl0 netns ns0
1dc2a785SMauro Carvalho Chehab	ip link set dev ipvl1 netns ns1
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab(d) Now switch to the namespace (ns0 or ns1) to configure the slave devices
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab	- For ns0::
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab		(1) ip netns exec ns0 bash
1dc2a785SMauro Carvalho Chehab		(2) ip link set dev ipvl0 up
1dc2a785SMauro Carvalho Chehab		(3) ip link set dev lo up
1dc2a785SMauro Carvalho Chehab		(4) ip -4 addr add 127.0.0.1 dev lo
1dc2a785SMauro Carvalho Chehab		(5) ip -4 addr add $IPADDR dev ipvl0
1dc2a785SMauro Carvalho Chehab		(6) ip -4 route add default via $ROUTER dev ipvl0
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab	- For ns1::
1dc2a785SMauro Carvalho Chehab
1dc2a785SMauro Carvalho Chehab		(1) ip netns exec ns1 bash
1dc2a785SMauro Carvalho Chehab		(2) ip link set dev ipvl1 up
1dc2a785SMauro Carvalho Chehab		(3) ip link set dev lo up
1dc2a785SMauro Carvalho Chehab		(4) ip -4 addr add 127.0.0.1 dev lo
1dc2a785SMauro Carvalho Chehab		(5) ip -4 addr add $IPADDR dev ipvl1
1dc2a785SMauro Carvalho Chehab		(6) ip -4 route add default via $ROUTER dev ipvl1