Shulou(Shulou.com)06/01 Report--

How to carry out macvlan network isolation and connectivity, in view of this problem, this article introduces the corresponding analysis and answers in detail, hoping to help more partners who want to solve this problem to find a more simple and easy way.

Verify connectivity between macvlan

Bbox1 can ping bbox3,bbox2 and ping bbox4. That is, the same macvlan network can communicate.

Bbox1 cannot ping bbox2 and bbox4. That is, there is no communication between different macvlan networks. But it should be more accurate to say that different macvlan networks cannot communicate on layer 2. On the third layer, the macvlan can be connected through the gateway, so let's enable the gateway.

We will configure Host 192.168.56.101 as a virtual router, set up gateways and forward VLAN10 and VLAN20 traffic. Of course, you can also use a physical router to achieve the same effect. First make sure that the operating system IP Forwarding is enabled.

If the output is 1, it is enabled, and if it is 0, you can enable it with the following command:

Sysctl-w net.ipv4.ip_forward=1

Configure vlan sub-interface in / etc/network/interfaces:

Auto eth3

Iface eth3 inet manual

Auto eth3.10

Iface eth3.10 inet manual

Vlan-raw-device eth3

Auto eth3.20

Iface eth3.20 inet manual

Vlan-raw-device eth3

Enable sub-interface:

Ifup eth3.10

Ifup eth3.20

Configure the gateway IP to sub-interface:

Ifconfig eth3.10 172.16.10.1 netmask 255.255.255.0 up

Ifconfig eth3.20 172.16.20.1 netmask 255.255.255.0 up

Add iptables rules to forward packets of different VLAN.

Iptables-t nat-A POSTROUTING-o eth3.10-j MASQUERADE

Iptables-t nat-A POSTROUTING-o eth3.20-j MASQUERADE

Iptables-A FORWARD-I eth3.10-o eth3.20-m state-- state RELATED,ESTABLISHED-j ACCEPT

Iptables-A FORWARD-I eth3.20-o eth3.10-m state-- state RELATED,ESTABLISHED-j ACCEPT

Iptables-A FORWARD-I eth3.10-o eth3.20-j ACCEPT

Iptables-A FORWARD-I eth3.20-o eth3.10-j ACCEPT

Bbox1 at mac_net10 on host1 can now communicate with bbox4 at mac_net20 on host2.

Let's analyze how packets arrive at bbox4 (172.16.20.11) from bbox1 (172.16.10.10).

① because bbox1 and bbox4 are in different IP network segments, according to the routing table of bbox1:

The packet will be sent to the gateway 172.16.10.1.

The ② router receives the packet from eth3.10, finds that the destination address is 172.16.20.11, and looks at its routing table.

The packet is then forwarded out of eth3.20.

Through the information recorded by ARP, the router can learn that 172.16.20.11 is on host2 and sends the packet to host2.

④ host2 sends the packet to bbox4 based on the destination address and VLAN information.

The connectivity and isolation of macvlan networks are completely dependent on VLAN, IP subnet and routing. Docker itself does not impose any restrictions, and users can manage macvlan just like traditional VLAN networks.

This is the end of the answer to the question on how to isolate and connect the macvlan network. I hope the above content can be of some help to you. If you still have a lot of doubts to be solved, you can follow the industry information channel for more related knowledge.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.