Oleg Goldshmidt wrote:
> Shachar Shemesh <shac...@shemesh.biz> writes:
>> Unless VM0 sends an ARP inquiring about the destination IP,
>> This ARP is sent to a physical NIC.
> Actually, no. It is sent by the VM's virtual NIC (the VM does not know
> anything else), and the "switch" in the hypervisor forwards it, among
> other things, to the virtual NIC of the other VM, that has its own MAC
> address, etc.
> I suppose it may depend on the configuration - I am not performing any
> experiments.
>> Unless it is layer 3 aware, there is no reason for it to know that
>> the ARP received through a physical Ethernet device originated in
>> our machine.
> But it isn't received on the physical interface - see above.
>> Who gave the VM
By "VM" I meant the virtual machine program. What you refer to as
"hypervisor". My mistake. From now on I'm using your (less confusing)
terminology.
When I bind a VM NIC to a physical NIC, especially if I do it for two
different VMs and NICs (one NIC per VM), then the hypervisor has no
right to assume the NICs are layer 2 connected. Any other functionality
is a bug, and no two ways of looking at it. The network setup will
simply misbehave if this is the case.
> It sends an Ethernet frame out of its
> virtual NIC (the only one it knows of), and as soon as this is done
> the VM considers the frame to be out in the "network", even though it
> may still be inside the physical box.
So far, so good.
> The hypervisor, in turn,
> contains a virtual switch, that has virtual ports virtually connected
> to the VM's virtual NICs,
No no no no no!
The hypervisor is well within its right to contain a virtual switch that
connects all of the VM NICs *that connect to the same physical NIC*. It
is perfectly ok for it to forward that packet to any other VMs that
connect to the same physical NIC, except in our case there are none. If
it forwards this packet to VMs that do not connect to the same physical
NIC, it has just connected two networks that were otherwise not
connected. If VMWare does that, it is buggy (but I doubt it does).
> At least this is what happens in today's VMware. Again, possibly
> modulo configurations that I am not checking.
Such as the configuration I'm suggesting?
> The motivation behind it
> is exactly the above: not to send frames out to the physical network
> if it can be avoided.
The behavior you are suggesting is akin to a hardware switch forwarding
packets between two VLANs "to save on routing". A layer 2 switch is
simply not allowed to do that.
> Xen/KVM/others may be different (I have not checked lately if they
> include virtual switches by default).
Of course they do (well, Xen does, at least). There is no other way to
function (a physical NIC does not "receive" its own outgoing packets
unless it's in promiscuous mode, possibly not even then). Again, this
has nothing to do with the scenario I'm describing.
Shachar
--
Shachar Shemesh
Lingnu Open Source Consulting Ltd.
http://www.lingnu.com
_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
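The forwarding rule argued over in this thread, as an added illustration that is not part of any post and not the code of VMware, Xen or KVM: a toy virtual switch whose ports are each bound to a physical NIC, where a broadcast (such as VM0's ARP request) is flooded only to ports bound to the same physical NIC, and a flag models the "bridge across uplinks" behaviour Shachar calls a bug. Port names, MAC addresses and the VM-to-NIC layout are constructed sample values.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Port:
    name: str               # "vm0" (virtual NIC) or "eth0" (physical uplink)
    mac: str                # constructed sample MAC
    uplink: str             # physical NIC this port is bound to
    received: list = field(default_factory=list)

class VirtualSwitch:
    """Toy hypervisor virtual switch. Ports bound to different physical
    NICs are separate L2 domains with separate forwarding tables;
    bridge_across_uplinks=True models the behaviour the mail calls a bug."""
    def __init__(self, bridge_across_uplinks=False):
        self.ports = {}
        self.fdb = {}       # (domain, mac) -> port name, learned on ingress
        self.bridge_across_uplinks = bridge_across_uplinks

    def add_port(self, port):
        self.ports[port.name] = port

    def domain(self, port):
        # One flat domain when bridging; otherwise the bound physical NIC.
        return "ALL" if self.bridge_across_uplinks else port.uplink

    def send(self, src_name, dst_mac, payload):
        src = self.ports[src_name]
        dom = self.domain(src)
        self.fdb[(dom, src.mac)] = src.name           # source MAC learning
        known = self.fdb.get((dom, dst_mac))
        if dst_mac != BROADCAST and known not in (None, src_name):
            targets = [self.ports[known]]             # known unicast: one port
        else:                                         # broadcast/unknown: flood
            targets = [p for p in self.ports.values()
                       if p is not src and self.domain(p) == dom]
        for p in targets:
            p.received.append((src.mac, dst_mac, payload))
        return sorted(p.name for p in targets)

def build_topology(bridge_across_uplinks=False):
    """VM0 and VM2 bound to eth0, VM1 bound to eth1 (constructed layout)."""
    sw = VirtualSwitch(bridge_across_uplinks)
    for name, mac, uplink in [("eth0", "00:11:22:33:44:e0", "eth0"),
                              ("eth1", "00:11:22:33:44:e1", "eth1"),
                              ("vm0", "52:54:00:00:00:01", "eth0"),
                              ("vm1", "52:54:00:00:00:02", "eth1"),
                              ("vm2", "52:54:00:00:00:03", "eth0")]:
        sw.add_port(Port(name, mac, uplink))
    return sw

def arp_request_from_vm0(bridge_across_uplinks=False):
    """Who receives VM0's broadcast ARP? Correct switch: eth0 and vm2 only."""
    sw = build_topology(bridge_across_uplinks)
    return sw.send("vm0", BROADCAST, "ARP who-has 10.0.0.2")
```

With the flag off, VM1 on eth1 never sees VM0's ARP; with it on, the switch has silently joined the two physical networks.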