.. SPDX-License-Identifier: GPL-2.0

===================
IPVLAN Driver HOWTO
===================

Initial Release:
	Mahesh Bandewar <maheshb AT google.com>

1. Introduction:
================
This is conceptually very similar to the macvlan driver with one major
exception: it uses L3 for muxing/demuxing among slaves. This property makes
the master device share its L2 with its slave devices. I have developed this
driver in conjunction with network namespaces and am not sure if there is a
use case outside of it.


2. Building and Installation:
=============================

In order to build the driver, please select the config item CONFIG_IPVLAN.
The driver can be built into the kernel (CONFIG_IPVLAN=y) or as a module
(CONFIG_IPVLAN=m).


3. Configuration:
=================

There are no module parameters for this driver; it is configured with the
iproute2 ``ip`` utility::

	ip link add link <master> name <slave> type ipvlan [ mode MODE ] [ FLAGS ]
	   where
	     MODE: l3 (default) | l3s | l2
	     FLAGS: bridge (default) | private | vepa

e.g.

    (a) The following creates an IPvlan link with eth0 as master in
        L3 bridge mode (the defaults)::

          bash# ip link add link eth0 name ipvl0 type ipvlan

    (b) This command creates an IPvlan link in L2 bridge mode::

          bash# ip link add link eth0 name ipvl0 type ipvlan mode l2 bridge

    (c) This command creates an IPvlan device in L2 private mode::

          bash# ip link add link eth0 name ipvlan type ipvlan mode l2 private

    (d) This command creates an IPvlan device in L2 vepa mode::

          bash# ip link add link eth0 name ipvlan type ipvlan mode l2 vepa


4. Operating modes:
===================

IPvlan has two basic modes of operation, L2 and L3, plus L3S, a variant of
L3 (see 4.3). The mode is a property of the master device: whichever mode you
select applies to every slave on that master. RX processing is almost identical
in all modes, except that in L3 mode the slaves won't receive any multicast /
broadcast traffic. L3 mode is the more restrictive one because routing is
controlled from the master's namespace (usually the default namespace), not
from the namespace that holds the slave.

4.1 L2 mode:
------------

In this mode TX processing happens on the stack instance attached to the
slave device, and packets are switched and queued to the master device to be
sent out. In this mode the slaves will RX/TX multicast and broadcast (if
applicable) as well.

4.2 L3 mode:
------------

In this mode TX processing up to L3 happens on the stack instance attached
to the slave device; packets are then switched to the stack instance of the
master device, where L2 processing takes place and the master's routing is
applied before packets are queued on the outbound device. In this mode the
slaves will neither receive nor send multicast / broadcast traffic.

4.3 L3S mode:
-------------

This is very similar to the L3 mode except that iptables (conn-tracking)
works in this mode, and hence it is called L3-symmetric (L3s). This costs
slightly in performance, but that shouldn't matter since you are choosing this
mode over plain L3 mode precisely to make conn-tracking work.

5. Mode flags:
==============

At this time the following mode flags are available. Like the mode, a flag is
a property of the master's port and applies to all slaves on it.

5.1 bridge:
-----------
This is the default option. To configure the IPvlan port in this mode, the
user can either add this option on the command line or not specify anything.
This is the traditional mode where slaves can cross-talk among themselves
apart from talking through the master device.

5.2 private:
------------
If this option is added to the command line, the port is set in private
mode, i.e. the port won't allow cross communication between slaves.
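Before handing an existing slave to a container or other untrusted namespace it is worth checking that it really is in an L3 mode with the private flag, rather than trusting the command that was supposed to have created it. The script below is an added example and not part of the kernel documentation; it assumes the output shape of iproute2's ``ip -d link show <dev>``, which prints a line such as ``ipvlan  mode l3 private ...`` (the ``-d`` is required, otherwise the ipvlan line is omitted). The sample output used for the self-check is constructed.

```shell
#!/bin/sh
# Added example, not part of the kernel documentation: check the mode and
# port flag of an existing ipvlan slave before handing it to an untrusted
# namespace.  Assumption: iproute2 prints a line of the form
#     ipvlan  mode l3 private ...
# in the output of `ip -d link show <dev>` (the "-d" is required; without
# it the ipvlan line is not shown).

# ipvlan_settings < output-of-ip-d-link-show
# Prints "<mode> <flag>", e.g. "l3 private"; returns 1 if no ipvlan line is found.
ipvlan_settings() {
    awk '
        $1 == "ipvlan" && $2 == "mode" {
            flag = "bridge"                 # bridge is the default flag
            for (i = 4; i <= NF; i++)
                if ($i == "private" || $i == "vepa" || $i == "bridge") {
                    flag = $i
                    break
                }
            print $3, flag
            found = 1
            exit
        }
        END { if (!found) exit 1 }
    '
}

# ipvlan_safe_for_untrusted_ns DEV < output-of-ip-d-link-show
# Returns 0 only when DEV is in l3 or l3s mode (L2 processing and routing stay
# in the master's namespace and no broadcast/multicast reaches the slave) and
# the port is private (no slave-to-slave traffic).  Anything else is reported
# on stderr and rejected.
ipvlan_safe_for_untrusted_ns() {
    dev=$1
    settings=$(ipvlan_settings) || {
        echo "$dev: not an ipvlan device (or not 'ip -d' output)" >&2
        return 2
    }
    mode=${settings%% *}
    flag=${settings##* }
    case "$mode" in
        l3|l3s) ;;
        *)  echo "$dev: mode '$mode' lets the namespace do its own L2 (ARP, broadcast)" >&2
            return 1 ;;
    esac
    if [ "$flag" != private ]; then
        echo "$dev: flag '$flag' is not 'private'; sibling slaves stay reachable" \
             "(directly for bridge, through the external switch for vepa)" >&2
        return 1
    fi
    echo "$dev: mode $mode, flag $flag: ok for an untrusted namespace"
}

# Usage against the live system (needs iproute2): sh ipvlan-audit.sh ipvl0
if [ $# -eq 1 ]; then
    ip -d link show "$1" | ipvlan_safe_for_untrusted_ns "$1"
fi
```

Run it with the slave name as the only argument; the exit status (0 ok, 1 policy violation, 2 not an ipvlan device) makes it usable as a gate in a provisioning script.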

5.3 vepa:
---------
If this is added to the command line, the port is set in VEPA mode,
i.e. the port offloads switching functionality to the external entity as
described in 802.1Qbg.

Note: VEPA mode in IPvlan has limitations. IPvlan uses the MAC address of the
master device, so packets emitted in this mode toward an adjacent neighbor (a
sibling slave on the same master) carry the same source and destination MAC.
This will make the switch / router send a redirect message.

6. What to choose (macvlan vs. ipvlan)?
=======================================

These two devices are very similar in many regards and the specific use
case could very well define which device to choose. If one of the following
situations describes your use case then you can choose to use ipvlan:


(a) The Linux host that is connected to the external switch / router has
    a policy configured that allows only one MAC per port.
(b) The number of virtual devices created on a master exceeds the MAC
    capacity of the NIC, which puts the NIC in promiscuous mode, and the
    resulting performance degradation is a concern.
(c) The slave device is to be put into a hostile / untrusted network
    namespace where L2 on the slave could be changed / misused. An ipvlan
    slave uses the master's MAC address, and in L3 / L3S mode ARP and the
    rest of the L2 processing, as well as routing, happen in the master's
    namespace, so the untrusted namespace has no L2 of its own to tamper
    with and cannot send or receive broadcast / multicast at all.


7. Example configuration:
=========================

::

  +=============================================================+
  |  Host: host1                                                |
  |                                                             |
  |   +----------------------+      +----------------------+    |
  |   |   NS:ns0             |      |  NS:ns1              |    |
  |   |                      |      |                      |    |
  |   |                      |      |                      |    |
  |   |        ipvl0         |      |         ipvl1        |    |
  |   +----------#-----------+      +-----------#----------+    |
  |              #                              #               |
  |              ################################               |
  |                              # eth0                         |
  +==============================#==============================+

(a) Create two network namespaces - ns0, ns1::

	ip netns add ns0
	ip netns add ns1

(b) Create two ipvlan slaves on eth0 (master device)::

	ip link add link eth0 ipvl0 type ipvlan mode l2
	ip link add link eth0 ipvl1 type ipvlan mode l2

(c) Assign the slaves to their respective network namespaces::

	ip link set dev ipvl0 netns ns0
	ip link set dev ipvl1 netns ns1

(d) Now switch to the namespace (ns0 or ns1) to configure the slave devices.
    $IPADDR and $ROUTER stand for the address to give the slave and the
    gateway on the master's network.

	- For ns0::

		(1) ip netns exec ns0 bash
		(2) ip link set dev ipvl0 up
		(3) ip link set dev lo up
		(4) ip -4 addr add 127.0.0.1 dev lo
		(5) ip -4 addr add $IPADDR dev ipvl0
		(6) ip -4 route add default via $ROUTER dev ipvl0

	- For ns1::

		(1) ip netns exec ns1 bash
		(2) ip link set dev ipvl1 up
		(3) ip link set dev lo up
		(4) ip -4 addr add 127.0.0.1 dev lo
		(5) ip -4 addr add $IPADDR dev ipvl1
		(6) ip -4 route add default via $ROUTER dev ipvl1
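The same two-namespace setup as one script, added here as an example and not part of the kernel documentation. It differs from the walkthrough in two ways a practitioner would want for an untrusted namespace: the slaves are created in ``l3`` mode with the ``private`` flag instead of ``l2`` bridge, and the commands inside each namespace are run with ``ip netns exec`` instead of an interactive shell. The master name ``eth0``, the addresses ``10.0.0.10/24`` and ``10.0.0.11/24`` and the gateway ``10.0.0.1`` are assumptions that can be overridden through the environment. ``plan`` prints the commands without touching the system; ``apply`` runs them and needs root.

```shell
#!/bin/sh
# Added example, not part of the kernel documentation: the two-namespace
# setup from the diagram above as one script.  Unlike the walkthrough, the
# slaves are created in l3 mode with the private flag, so each namespace
# neither handles L2 itself nor can reach the other namespace's slave
# directly.  Master name, addresses and gateway are assumptions; override
# them through the environment.  "plan" prints the commands without touching
# the system; "apply" runs them (needs root and iproute2).

MASTER=${MASTER:-eth0}
MODE=${MODE:-l3}             # l2 | l3 | l3s
FLAG=${FLAG:-private}        # bridge | private | vepa
GATEWAY=${GATEWAY:-10.0.0.1} # assumed router on the master's network

# run CMD...: print the command in plan mode, execute it otherwise
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# validate_ipvlan MODE FLAG: accept only the values the driver understands
validate_ipvlan() {
    case "$1" in
        l2|l3|l3s) ;;
        *) echo "invalid ipvlan mode '$1' (want l2, l3 or l3s)" >&2; return 1 ;;
    esac
    case "$2" in
        bridge|private|vepa) ;;
        *) echo "invalid ipvlan flag '$2' (want bridge, private or vepa)" >&2; return 1 ;;
    esac
}

# setup_ns NS DEV ADDR/PREFIX: create the namespace and the ipvlan slave, move
# the slave in, then bring up lo, the slave, its address and the default route
# inside the namespace.  Stops at the first failing command.
setup_ns() {
    ns=$1
    dev=$2
    addr=$3
    validate_ipvlan "$MODE" "$FLAG" || return 1
    run ip netns add "$ns" &&
    run ip link add link "$MASTER" name "$dev" type ipvlan mode "$MODE" "$FLAG" &&
    run ip link set dev "$dev" netns "$ns" &&
    run ip netns exec "$ns" ip link set dev lo up &&
    run ip netns exec "$ns" ip link set dev "$dev" up &&
    run ip netns exec "$ns" ip -4 addr add "$addr" dev "$dev" &&
    run ip netns exec "$ns" ip -4 route add default via "$GATEWAY" dev "$dev"
}

# Two namespaces as in the diagram; the addresses are assumptions.
main() {
    setup_ns ns0 ipvl0 10.0.0.10/24 &&
    setup_ns ns1 ipvl1 10.0.0.11/24
}

case "${1:-}" in
    plan)  DRY_RUN=1; main ;;
    apply) main ;;
    *)     echo "usage: $0 plan|apply" >&2 ;;
esac
```

Because the mode and flag are port properties, the second ``ip link add`` with the same values is a no-op for the port; passing different values for the second slave would change them for the first slave too, which is why the script takes a single MODE and FLAG for both.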