KVM/libvirt: Guest monopolizes bridge

Question

I'm having a problem in which the first guest started on a VM host can send traffic through both of its assigned interfaces, but subsequent guests can only send traffic through one interface.

My VM host setup:
CentOS 6.7 (kernel 2.6.32-573.7.1.el6.x86_64)
libvirt-0.10.2-54.el6.x86_64
qemu-kvm-0.12.1.2-2.479.el6_7.2.x86_64

The host has 4 interfaces: em1, em2, em3 and em4

I bonded em1 and em2 as bond0, which serves as the primary interface for the guests through MacVTap.

/etc/sysconfig/network-scripts/ifcfg-bond0:

DEVICE="bond0"
BOOTPROTO="none"
NM_CONTROLLED="no"
ONBOOT="yes"
BONDING_OPTS="miimon=80 mode=1"

/etc/sysconfig/network-scripts/ifcfg-em1:

DEVICE="em1"
HWADDR="20:47:47:82:C5:50"
NM_CONTROLLED="no"
ONBOOT="yes"
MASTER="bond0"
SLAVE="yes"

/etc/sysconfig/network-scripts/ifcfg-em2:

DEVICE="em2"
HWADDR="20:47:47:82:C5:51"
NM_CONTROLLED="no"
ONBOOT="yes"
MASTER="bond0"
SLAVE="yes"

I created a bridge br1 that is linked to em3, which serves as the secondary interface for the guests:

/etc/sysconfig/network-scripts/ifcfg-br1:

DEVICE="br1"
TYPE="Bridge"
BOOTPROTO="none"
ONBOOT="yes"

/etc/sysconfig/network-scripts/ifcfg-em3:

DEVICE="em3"
HWADDR="20:47:47:82:C5:52"
NM_CONTROLLED="no"
ONBOOT="yes"
BRIDGE="br1"

em4 is assigned a static IP for access to the host.

I use virt-manager to manage the guests. I assign two NICs, one to bond0, one to br1. The guests have static IPs for each interface (one in 192.168.100.0/24, the other in 192.168.10.0/24).

When I start the first guest, it can pass traffic through both interfaces without problem. However, subsequent guests can only pass traffic through bond0. The bridge never works for them.

I have tried all sorts of other configurations, including replacing the bridge with a MacVTap directly through em3 (in both VEPA and Bridge modes). I have also tried creating a one-NIC bond1 to em3, thinking that a similar configuration to bond0 would help. I have also played with net.ipv4.ip_forward, trying both 0 and 1. I also tried setting promiscuous mode on em3 manually. Nothing seems to work.

Has anyone else successfully assigned two NICs to multiple guests and had them all work? I Googled until I reached the end of the internet and couldn't find a good answer.

Does your switch have port security enabled? – Michael Hampton Oct 30 '15 at 23:30 — Michael Hampton, Oct 30 '15 at 23:30
No, the switch does not use port security. – Chris Oct 30 '15 at 23:52 — Chris, Oct 30 '15 at 23:52

score 0 · Answer 1 · answered Nov 14 '15 at 00:12

Just to close out this question, it turned out it was a matter of using a switch port role, which had an implicit MAC restriction. It wasn't a security option, per se, but the result was the same.

Removing the role from the port allowed multiple guests to use the bridge.

KVM/libvirt: Guest monopolizes bridge

1 Answers1