2

Can a single physical interface act as “slave” for multiple bridge interfaces? For example, br0 and br1 would use eno1 physical.

Got a KVM host with 4 physical NICs, each NIC assigned to a different VLAN (en0=vlan1, en1=vlan2, en2=vlan3, en3=vlan3).

What I want to achieve is:

  1. First nic (en0) use for iLO and KVM host IPs (nic is shared on hp server).

  2. Second nic (en1) would like to share between three KVM VMs (so not sure if I can use same bridge or I need to create multiple bridges with single slave - "en1").

  3. For Third and Fourth nics - will assign new bridge interfaces as VMs will be load balanced later.

Andrew Schulman
efusiweb
  • Why do you want this? What are you trying to achieve? You can certainly have many VMs using the same bridge. – Michael Hampton Feb 09 '15 at 18:25
  • Thanks Michael, I know I can have multiple VMs connecting via the same bridge, however I'm not sure if that would be secure (I mean network sniffing, etc.) – efusiweb Feb 09 '15 at 18:41
  • I would think a firewall rule could be set to prevent traffic entering a bridge interface from being forwarded via the same bridge interface unless it went via a router IP on that bridge/vlan. Thus, you could isolate all of the VMs from each other but allow them to pass traffic on to a router connected to multiple bridges/switches/vlans. – BeowulfNode42 Aug 01 '18 at 08:14

2 Answers

1

I believe you should be able to create multiple bridges to the same physical adapter. You would define the bridge in the same way: create a new bridge, but bridge it back to the same adapter...

However: This would not gain you any real advantages. A single bridge would still be preferable.

In your comments you mentioned security concerns about using the same bridged connection for multiple VMs, but at the end of the day, no matter how many times you bridge a single physical connection, it is still a single physical connection. Your security concerns would be the same with one bridge as they would be with, say, 7 bridges.

Gravy
1

No, it can't. My Linux box says:

```
# brctl addbr br2
# brctl addbr br3
# brctl addif br2 enp8s0f0
# brctl addif br3 enp8s0f0
device enp8s0f0 is already a member of a bridge; can't enslave it to bridge br3.
```

And basically how would you expect it to work?

If you are looking at traffic isolation between VMs, then VLANs are probably what you are looking for. The other idea would be to create host-only interfaces and do the routing on the host itself. But still, it doesn't protect you from everything.

Tomek
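The VLAN approach suggested in the answer above, sketched as an added example that is not part of either answer: one physical NIC carries several 802.1Q subinterfaces, and each subinterface is the single uplink of its own bridge. It goes one step beyond the thread by using the kernel bridge `isolated` port flag, in place of the firewall rule mentioned in the comments, to stop VMs on the same bridge from exchanging frames directly. The names `eno1` and `vnet0` and the VLAN IDs are constructed placeholders, and the switch port is assumed to be a trunk carrying those VLANs.

```shell
#!/bin/sh
# Added example: interface names and VLAN IDs are constructed placeholders.
# Assumes the switch port behind the NIC is an 802.1Q trunk for these VLANs.
APPLY="${APPLY:-0}"   # 0 = print the commands only; 1 = execute them (needs root)

run() {
    if [ "$APPLY" = "1" ]; then "$@"; else echo "$*"; fi
}

# vlan_bridge NIC VID: tagged subinterface NIC.VID becomes the only uplink of brVID.
vlan_bridge() {
    nic="$1"; vid="$2"; sub="$nic.$vid"
    case "$vid" in
        ''|0*|*[!0-9]*) echo "VLAN id must be a plain number: $vid" >&2; return 1 ;;
    esac
    if [ "$vid" -lt 1 ] || [ "$vid" -gt 4094 ]; then
        echo "VLAN id out of range 1-4094: $vid" >&2; return 1
    fi
    # Linux interface names are limited to 15 characters.
    if [ "${#sub}" -gt 15 ]; then
        echo "interface name too long: $sub" >&2; return 1
    fi
    run ip link add link "$nic" name "$sub" type vlan id "$vid" &&
    run ip link add name "br$vid" type bridge &&
    run ip link set dev "$sub" master "br$vid" &&
    run ip link set dev "$sub" up &&
    run ip link set dev "br$vid" up
}

# isolate_port TAP: an isolated port cannot exchange frames with other isolated
# ports on the same bridge, but still reaches the non-isolated uplink.
isolate_port() {
    run bridge link set dev "$1" isolated on
}

# plan NIC VID...: bring the trunk NIC up, then build one bridge per VLAN.
plan() {
    nic="$1"; shift
    run ip link set dev "$nic" up || return 1
    for vid in "$@"; do
        vlan_bridge "$nic" "$vid" || return 1
    done
}

# Invoked as: sh vlan-bridges.sh eno1 10 20 30   (prefix APPLY=1 to execute)
if [ "$#" -gt 0 ]; then plan "$@"; fi
```

Run `isolate_port` on each VM tap device after libvirt has attached it to the bridge; the flag is per port and is lost when the tap device is recreated.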