directly to VMs or Containers.
• Neither uses a bridge.
• Both are implicitly namespace aware.
• Traditionally a Linux bridge has been used to give VMs access to the outside network or default gateway; now that extra NAT overhead is no longer needed.
• Lightweight and fast.
Containers to the external network: overlay and underlay
◦ Overlay uses VXLAN, NVGRE, etc., with extra encapsulation.
◦ Underlay uses a Linux bridge, ipvlan or macvlan, exposing the container directly to the host's external network.
◦ ipvlan and macvlan are far more lightweight than the traditional Linux bridge.
MAC and IP addresses using macvlan sub-interfaces.
• This differs from creating VLAN sub-interfaces on a physical interface: here every sub-interface belongs to a different Layer-2 domain, and each sub-interface has its own MAC address.
docker support was introduced.
• Each interface has a different MAC address and is exposed directly in the underlay network.
• This helps people who want to use their existing network infrastructure with containers and VMs.
that matches the interface's MAC address.
• macvlan has 4 modes: private, bridge, passthrough and VEPA (Virtual Ethernet Port Aggregator).
◦ The commonly used one is macvlan bridge mode, because it allows containers or VMs on the same host to talk to each other without the packet leaving the host.
◦ Bridge mode works like a traditional bridge but removes the need for MAC learning and STP; learning is not needed because the driver already knows the MAC addresses of its sub-interfaces.
• Unlike macvlan, sub-interfaces do not get unique MAC addresses; they share the parent's MAC.
• Can be used in scenarios where the number of MAC addresses per port is restricted.
• Currently supported modes are l2 and l3.
very similar in many regards, and the specific use case may well decide which device to choose.
◦ The Linux host is connected to an external switch / router whose configured policy allows only one MAC per port.
◦ The number of virtual devices created on a master exceeds the NIC's MAC capacity, which puts the NIC into promiscuous mode, and the resulting degraded performance is a concern.
◦ The slave device is to be put into a hostile / untrusted network namespace, where L2 on the slave could be changed / misused.
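As an added example (not part of the original slides), a small Python check for the macvlan-vs-ipvlan criteria above: it parses `ip -d link show` output, groups macvlan/ipvlan sub-interfaces by parent NIC, counts the distinct MACs the upstream switch port will see, and flags a parent that has gone promiscuous. The sample output is constructed, and `macs_per_port` is an assumed switch-policy value.

```python
import re

# Constructed sample of `ip -d link show` output (not captured from a real host): eth0
# carries two macvlan children in bridge mode (unique MACs) and one ipvlan child in
# l3 mode, which reuses eth0's MAC.
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT
    link/ether 52:54:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff promiscuity 1
3: mvl0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff promiscuity 0
    macvlan mode bridge
4: mvl1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff promiscuity 0
    macvlan mode bridge
5: ipv0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
    link/ether 52:54:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff promiscuity 0
    ipvlan  mode l3
"""

HEADER = re.compile(r"^(\d+): (\S+?)(?:@(\S+))?: <([^>]*)>")
MAC = re.compile(r"link/ether ([0-9a-f:]{17})")
KIND = re.compile(r"^\s+(macvlan|ipvlan)\s+mode (\S+)")

def parse_links(text):
    """Map ifname -> parent, flags, MAC, kind (macvlan/ipvlan) and mode."""
    links, cur = {}, {}  # `cur` starts as a throwaway dict until the first header
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            cur = {"parent": h.group(3), "flags": set(h.group(4).split(",")),
                   "mac": None, "kind": None, "mode": None}
            links[h.group(2)] = cur
            continue
        m, k = MAC.search(line), KIND.match(line)
        if m:
            cur["mac"] = m.group(1)
        elif k:
            cur["kind"], cur["mode"] = k.group(1), k.group(2)
    return links

def audit(links, macs_per_port=1):
    """Per parent NIC: distinct MACs the switch port sees, plus findings."""
    report = {}
    for name, l in links.items():
        if l["kind"] in ("macvlan", "ipvlan") and l["parent"] in links:
            p = report.setdefault(l["parent"], {"macs": set(), "findings": []})
            p["macs"].add(l["mac"])
    for parent, p in report.items():
        p["macs"].add(links[parent]["mac"])  # the parent's own MAC is on the port too
        if len(p["macs"]) > macs_per_port:
            p["findings"].append("macs-exceed-port-policy")
        if "PROMISC" in links[parent]["flags"]:
            p["findings"].append("parent-promiscuous")
    return report
```

On a live host, feed `audit(parse_links(subprocess.check_output(["ip", "-d", "link", "show"], text=True)))` the real output; the ipvlan child contributes no extra MAC, the macvlan children each add one.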