Routed (non-bridged) setup for KVM & libvirt (avoids port security) – Method 1: proxy_arp

Note: this method has been largely superseded by the one described in this post. The advantage of the newer method is easier setup and working DHCP.

Original Post

The default setup for virtual machines involves creating a bridge and having the virtual machine NICs appear on the same network as the host. This can be problematic if your hosting provider has port security enabled on their switches: the minute they detect more than one MAC address coming from your LAN port, they will either drop the packets from the new MACs or disconnect you altogether.

The way around this is to use proxy ARP. The host answers ARP on behalf of the VMs and routes their packets (it is a layer-3 hop, so it uses its own MAC address when talking to the switch), while on the bridge side each VM keeps its own MAC address and operates as usual. The switch sees only your host's MAC address. Everyone's happy.

In my case I’m running CentOS release 6.2, and some of these instructions will be CentOS/RHEL/Fedora specific. Adapt as necessary for Debian-based or other Linux distributions.

Install the necessary tools (most likely already installed standard):

yum install iproute bridge-utils

Create /etc/sysconfig/network-scripts/ifcfg-br0, and change the relevant addresses and masks as required. The IPADDR below is the IP address you're going to assign your bridge. It's only used internally (it is the VMs' default gateway) and does not need to be a public IP. By convention, you'll make it very similar to your host's public IP, but with 254 as the last octet. So, if your IP was 192.168.0.20, you'd use 192.168.0.254 as the bridge address and 192.168.0.0 as the network.

DEVICE="br0"
TYPE="Bridge"
BOOTPROTO="static"
IPADDR="X.X.X.254"
NETWORK="X.X.X.0"
NETMASK="255.255.255.0"
ONBOOT="yes"
#NM_CONTROLLED="no"

Edit /etc/sysctl.conf:

Near the top, make sure "net.ipv4.ip_forward = 1" is set (the default value is 0; if the line doesn't exist at all, add it). Directly underneath, or at the end of the file, add the line:

# br0 proxy_arp (make sure net.ipv4.ip_forward=1, above)
net.ipv4.conf.br0.proxy_arp = 1

The changes will take effect from your next reboot. To avoid the need to reboot, you can activate them for the first time with the commands below (in this order: the br0 sysctl key only exists once the bridge device is up):

ifup br0
sysctl -w net.ipv4.conf.br0.proxy_arp=1
sysctl -w net.ipv4.ip_forward=1

Now, continue to deploy your VMs on br0 as usual. libvirt will take care of creating the appropriate network devices (vnetN) and adding them to the bridge. You can confirm this with 'brctl show br0' after launching a VM. Two things worth checking at this point: with ip_forward=1 the host is now a router, so your iptables FORWARD chain applies to VM traffic and should be restricted to br0 and the uplink interface; and because the uplink and br0 both carry a route for the same /24, 'ip route get VM_IP' on the host must answer "dev br0" (if it picks the uplink instead, a /32 route for the VM on br0 fixes it).

Inside the VM, set the GATEWAY address to be the IP address you gave your bridge, above, e.g. 192.168.0.254.
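The steps above, pulled together as an added shell example (not code from the original post): it derives the bridge address from the host's public IP using the post's X.X.X.254 convention, generates the host's ifcfg-br0, the sysctl lines and a matching ifcfg-eth0 for the guest, and, when run as root, checks the live settings. It assumes a /24 network, CentOS/RHEL 6 style ifcfg files, br0 as the bridge name, and the example addresses 192.168.0.20 (host) and 192.168.0.30 (VM); the script name proxyarp-setup.sh is made up for the usage line.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes a /24 and the
# X.X.X.254 convention for the bridge address.
set -u

bridge_ip_for() {
    # "192.168.0.20" -> "192.168.0.254": host's /24 with 254 as the last octet
    printf '%s.254\n' "${1%.*}"
}

network_for() {
    # "192.168.0.20" -> "192.168.0.0"
    printf '%s.0\n' "${1%.*}"
}

ifcfg_br0() {
    # Host side: contents of /etc/sysconfig/network-scripts/ifcfg-br0
    host_ip=$1
    cat <<EOF
DEVICE="br0"
TYPE="Bridge"
BOOTPROTO="static"
IPADDR="$(bridge_ip_for "$host_ip")"
NETWORK="$(network_for "$host_ip")"
NETMASK="255.255.255.0"
ONBOOT="yes"
NM_CONTROLLED="no"
EOF
}

ifcfg_vm_eth0() {
    # Guest side: the VM's own public IP, with the bridge address as gateway
    vm_ip=$1
    host_ip=$2
    cat <<EOF
DEVICE="eth0"
BOOTPROTO="static"
IPADDR="$vm_ip"
NETMASK="255.255.255.0"
GATEWAY="$(bridge_ip_for "$host_ip")"
ONBOOT="yes"
EOF
}

sysctl_lines() {
    # Lines to add to /etc/sysctl.conf
    cat <<'EOF'
net.ipv4.ip_forward = 1
# br0 proxy_arp (make sure net.ipv4.ip_forward=1, above)
net.ipv4.conf.br0.proxy_arp = 1
EOF
}

verify_live() {
    # Root-only check of the running host; $1 is a VM address.
    vm_ip=$1
    [ "$(sysctl -n net.ipv4.ip_forward)" = 1 ] || { echo "ip_forward is off"; return 1; }
    [ "$(sysctl -n net.ipv4.conf.br0.proxy_arp)" = 1 ] || { echo "proxy_arp is off on br0"; return 1; }
    brctl show br0        # vnetN ports appear here once a VM is running
    ip route get "$vm_ip" # must say "dev br0"; if not: ip route add "$vm_ip"/32 dev br0
}

# usage: sh proxyarp-setup.sh 192.168.0.20 192.168.0.30   (host IP, VM IP)
if [ "${1:-}" ] && [ "${2:-}" ]; then
    ifcfg_br0 "$1"
    echo
    ifcfg_vm_eth0 "$2" "$1"
    echo
    sysctl_lines
    if [ "$(id -u)" -eq 0 ]; then
        verify_live "$2"
    fi
fi
```

Run without root to just print the three configuration fragments; run as root on the hypervisor to also check that forwarding and proxy_arp are live and that the VM address is reached via br0.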

Note: This post was largely based off the following (intended for Debian-based systems) — http://riaschissl.blogspot.com/2009/06/port-security-proxying-kvm-mac.html
