Does using jails in FreeBSD count as having a switch?

Question

My network administrators don't like when I plug switch into the building network to fan-out to multiple computers. They want single link drop per physical NIC. Previously the blocked those MACs on the switch in automatic fashion. I understand that good network topology is as linear as possible, without extensive branching. But now I want to use FreeBSD jails.

If I run one (or several) jails in FreeBSD, I realistically have 3 NICs on the same port in the wall:

host's physical NIC, something like igb0
host's part of paired virtual interfaces, connected back-to-back, epair0a
jail's part of (2), epair0b

All of these interfaces have to be registered in order to get IP from DCHP server. Will that setup cause trouble, and why? Is it correct that there is no way I can connect my jail (though some pass-through interface?) directly to "the wall"?

What did your network administrators have to say when you asked them this question? — jscott, Jan 15 '18 at 01:22
@jscott i will ask network people, but wanted to try to learn some details. Also was scared that they might automatically ban my main IP and kill link to the server — aaaaa says reinstate Monica, Jan 15 '18 at 02:45

score 2 · Answer 1 · answered May 15 '18 at 17:16

There are many ways to run jails, virtual interfaces are one thing but with jails you can borrow just a particular IP address to the underlying system. Of course layer2 either should be allowed or limited to such jail (default it is limited). That way only single MAC address is used.

Another way is to use bridges with virtual interfaces/vlans or firewall magic forwarding or virtual switch to do what you want. That way you can have different configurations with single mac outgoing interface, so your macabre L2 spaghetti doesn't leave your system.

Does using jails in FreeBSD count as having a switch?

1 Answers1