Virtualized network models in Linux and using QEMU-KVM to create isolation models

Source: Internet
Author: User

The first model: isolation

Guest1 and Guest2 are both virtual machines.

First, understand that in Linux a virtual machine's network card has two halves: the front half lives inside the virtual machine and the back half lives on the host. CentOS 6 is used as the example here.

eth0 is Guest1's network card, and its back half on the host is vnet0. Everything Guest1 sends out of eth0 goes straight to vnet0, so vnet0 can itself be treated as a network card.

How does Guest1 communicate with Guest2?

Very simply: create a virtual switch on the host and make vnet0 and vnet1 interfaces of that virtual switch (the switch can also be called a bridge). As long as the front halves of the two virtual machines' network cards have IP addresses in the same network segment, the two can communicate with each other. Because the bridge is not connected to the host's physical network card, the guests can reach only each other; this is the isolation model.

The second model: routing

Put a virnet1 network card on the switch, point the gateway of the guests' eth0 and eth1 at virnet1, and then use the Linux kernel's forwarding function; the virtual machines can then communicate with the outside.

To turn on kernel forwarding: sysctl -w net.ipv4.ip_forward=1

The third model: NAT

In the routing model, the virtual machine's IP packets can get out and reach the outside, but the external host may have no route back to the virtual machine, even though it can reach the host. So that the virtual machine still receives the external host's response, the source address of the IP packets sent out to the external host is translated into the address of the host's physical network card. This is the NAT model, and it is also the most widely used one.

The last model: bridging

Create a bridge device on the host and put the host's eth0 on the bridge. A packet that Guest1 sends out of its eth0 then goes to vnet0 and from there directly out through the host's eth0, keeping the guest's eth0 address as its source address.

When the response packet arrives at eth0 on the physical machine, how is it decided whether the response is for the virtual machine or for the physical machine itself?

The physical machine creates a virtual network card and puts its physical network card into promiscuous mode (it accepts the response frame regardless of whether the MAC address is its own). If the MAC address is its own, the frame goes to the virtual network card; if not, it is forwarded to vnet0. This is the bridge model: because the physical machine's network card is acting as a bridge, it is called the bridging model.
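The four models side by side, as an added example that is not part of the original article: it prints the host-side commands for the model given as its argument (dry run unless DRY_RUN=0, since every command needs root and changes host networking) and assumes the names br0, eth0, the guest subnet 192.168.100.0/24 and the host's bridge address 192.168.100.1 as gateway.

```bash
#!/bin/sh
# Added example (not from the original article): emit the host commands for
# each of the four models so the difference between them is visible as a
# difference in commands. Assumed names: bridge br0, uplink eth0, guest
# subnet 192.168.100.0/24, gateway 192.168.100.1 on the bridge.
BRIDGE=${BRIDGE:-br0}
UPLINK=${UPLINK:-eth0}
GUEST_NET=${GUEST_NET:-192.168.100.0/24}
GATEWAY=${GATEWAY:-192.168.100.1/24}
DRY_RUN=${DRY_RUN:-1}

run() {
    echo "$*"                              # show the command
    [ "$DRY_RUN" = "0" ] && "$@"           # execute only when asked to
    return 0
}

setup_model() {
    case "$1" in
        isolation)
            # bridge with tap ports only: guests see each other and nothing else
            run brctl addbr "$BRIDGE"
            run ip link set dev "$BRIDGE" up ;;
        routing)
            # host address on the bridge is the guests' gateway; forwarding on,
            # addresses untouched, so the outside needs a route back to the guests
            setup_model isolation
            run ip addr add "$GATEWAY" dev "$BRIDGE"
            run sysctl -w net.ipv4.ip_forward=1 ;;
        nat)
            # routing plus source NAT: outgoing guest packets take the uplink's address
            setup_model routing
            run iptables -t nat -A POSTROUTING -s "$GUEST_NET" -o "$UPLINK" -j MASQUERADE ;;
        bridging)
            # physical NIC joins the bridge; the kernel puts a bridge port into
            # promiscuous mode itself, the explicit line only mirrors the text above
            setup_model isolation
            run brctl addif "$BRIDGE" "$UPLINK"
            run ip link set dev "$UPLINK" promisc on ;;
        *)
            echo "usage: setup_model isolation|routing|nat|bridging" >&2
            return 1 ;;
    esac
}

if [ -n "${1:-}" ]; then setup_model "$1"; fi
```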

How do I create a bridge device on Linux?

Bridge devices are implemented in the kernel.

modinfo bridge shows whether the kernel has this module installed.

The command that creates a bridge is brctl; brctl -h shows its help. brctl addbr br0 creates a network interface called br0.

brctl show lists all bridges on the current host.

ifconfig br0 up activates the br0 interface.

Introduction to the QEMU-KVM -net options

There are three kinds of network interface: nic, tap and user. nic is the front half of the virtual machine's NIC and tap is the corresponding back half.

-net nic: creates a new virtual machine NIC interface. Usage:

-net nic[,vlan=n][,macaddr=mac][,model=type][,name=name][,addr=addr][,vectors=v]

Creates a new NIC device and connects it to the specified VLAN; macaddr specifies its MAC address.

model specifies the NIC type. QEMU can emulate several kinds of NIC device, such as virtio; the default NIC on the PC architecture is e1000. Run qemu-kvm -net nic,model=? to list the types the current platform supports.

name specifies the device name shown for the network card in the monitor.

-net tap[,vlan=n][,name=name][,fd=h][,ifname=name][,script=file][,downscript=dfile]

Connects to the specified VLAN through a TAP network interface on the physical machine; ifname specifies the name of the NIC's back half.

When the virtual machine starts, the back half of the NIC is not attached to the bridge automatically; a script has to do it. The script given by script=file (/etc/qemu-ifup by default) configures the network interface when it comes up, and the script given by downscript=dfile (/etc/qemu-ifdown by default) undoes that configuration. script=no and downscript=no disable execution of the respective script.

qemu-kvm -m 128 -cpu host -smp 2 -name "First" -drive file=/root/cirros-no_cloud-0.3.0-x86_64-disk.img,if=virtio,media=disk,format=qcow2,cache=writeback -nographic -net nic -net tap,ifname=vnet0.0,script=no

This starts a virtual machine without specifying a tap script.

Go back to the physical machine and run ifconfig -a.

The back half of the virtual machine's NIC (vnet0.0) has been created automatically, but it is not usable because no script attached it to the bridge.

Startup script example: vim /etc/qemu-ifup

    #!/bin/bash
    # Attach the tap interface that qemu-kvm passes as $1 to the bridge br0
    bridge=br0
    if [ -n "$1" ]; then
        ip link set "$1" up
        sleep 1
        brctl addif "$bridge" "$1"
        [ $? -eq 0 ] && exit 0 || exit 1
    else
        echo "Error: no interface specified."
        exit 1
    fi

QEMU-KVM automatically passes the name of the back half of the virtual machine's NIC to this script as its parameter.

Shutdown script example: vim /etc/qemu-ifdown

    #!/bin/bash
    # Detach the tap interface passed as $1 from the bridge br0 and bring it down
    bridge=br0
    if [ -n "$1" ]; then
        brctl delif "$bridge" "$1"
        ip link set "$1" down
        exit 0
    else
        echo "Error: no interface specified."
        exit 1
    fi

qemu-kvm -m 128 -cpu host -smp 2 -name "First" -drive file=/root/cirros-no_cloud-0.3.0-x86_64-disk.img,if=virtio,media=disk,format=qcow2,cache=writeback -nographic -net nic -net tap,ifname=vnet0.0,script=/etc/qemu-ifup

Verify:

vnet0.0 has been added to the physical machine's bridge.

Start the second virtual machine, configure the network card addresses in the two virtual machines to the same network segment, and the two virtual machines can communicate. But remember to specify the MAC address when creating a virtual machine:

if no MAC address is specified, both virtual machines get the same MAC address and cannot communicate. When configuring the MAC, keep the first three octets fixed at 52:54:00 and vary the last three.

For example:

qemu-kvm -m 128 -cpu host -smp 2 -name "First" -drive file=/root/cirros-no_cloud-0.3.0-x86_64-disk.img,if=virtio,media=disk,format=qcow2,cache=writeback -nographic -net nic,macaddr=52:54:00:11:22:33 -net tap,ifname=vnet0.0,script=/etc/qemu-ifup

With that, the virtual network for the isolation model is complete.
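The MAC-address rule above, as an added example that is not part of the original article: it derives a unique 52:54:00 address from the guest number, builds the launch command for that guest, and checks a list of addresses for the duplicate that breaks communication. The image path, the /etc/qemu-ifup script and the tap names vnet0.N are assumptions.

```bash
#!/bin/sh
# Added example (not from the original article): give each guest a MAC that
# cannot collide with another guest's. 52:54:00 is the locally administered
# prefix KVM uses; the last three octets carry the guest number. Assumed:
# the cirros image path, /etc/qemu-ifup as bridge script, tap name vnet0.N.

# MAC for guest N: 52:54:00 followed by N as a 24-bit big-endian number
kvm_mac() {
    n=$1
    case $n in ''|*[!0-9]*) n=0 ;; esac          # non-numeric input is rejected below
    if [ "$n" -lt 1 ] || [ "$n" -gt 16777215 ]; then
        echo "guest number must be 1..16777215" >&2
        return 1
    fi
    printf '52:54:00:%02x:%02x:%02x\n' $((n >> 16 & 255)) $((n >> 8 & 255)) $((n & 255))
}

# Launch command for guest N, printed rather than executed
guest_cmd() {
    n=$1
    image=${2:-/root/cirros-no_cloud-0.3.0-x86_64-disk.img}
    mac=$(kvm_mac "$n") || return 1
    echo "qemu-kvm -m 128 -cpu host -smp 2 -name guest$n" \
         "-drive file=$image,if=virtio,media=disk,format=qcow2,cache=writeback" \
         "-nographic -net nic,macaddr=$mac -net tap,ifname=vnet0.$n,script=/etc/qemu-ifup"
}

# Exit status 1 if any MAC in the argument list occurs more than once
find_duplicate_macs() {
    dups=$(printf '%s\n' "$@" | tr 'A-F' 'a-f' | sort | uniq -d)
    [ -z "$dups" ] && return 0
    echo "duplicate MAC(s): $dups" >&2
    return 1
}

# Example: two guests on the same bridge, checked before launching
find_duplicate_macs "$(kvm_mac 1)" "$(kvm_mac 2)" && guest_cmd 1 && guest_cmd 2
```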
