kvm bridges: disable promiscuous mode, is it possible and is it wise?

I am a little confused as to whether this is the right question, but I have a number of KVM hosts with multiple bridges on (sometimes) bonded interfaces, and each bridge is mapped to its own distinct VLAN. (A KVM host can have possibly a router guest, a load balancer guest, and maybe a DNS server, and internal server guests on them, each to its own bridge.)

KVM host OSes are CentOS 6-8. Guests are any Linux OS that is necessary. The network switches are Cisco 2960s, configured with trunks for the KVM hosts' connections.

I've noticed when I am doing things like tcpdump, or even looking at traffic between internal and external switches, I find MAC addresses and internal IPs that I feel shouldn't be visible. (E.g., some of the KVM guests are routers, and are bridged to VLANs that have access to an external switch, in order to reach internet/external resources, and some are load balancers, and some run NTOPNG/traffic sniffers.)

In effect guests on different VLAN bridges can see/receive traffic not meant for them, and I see internal traffic on external switches. Is there a way of preventing the guests from seeing traffic not meant for their bridge? Is this wise?

Tom Yan:
`some of the kvm guests are routers, and are bridged to VLANs` Note that using a bridge for a bunch of VMs / an "internal" network does NOT require you to enslave a physical NIC to that bridge. Also, one VM can be connected to multiple bridges. You should have only VMs that serve as a gateway/router bridged to an "external" bridge (and an internal bridge). You do NOT need to enslave a physical NIC to an "internal" bridge either if the VM host is supposed to be the gateway. In such a case you should make use of IP forwarding on the host (just like you would make use of that on a router VM).
Tom Yan:
Besides, there's iptables / ebtables or nftables.
SinaOwolabi:
Thanks but it’s a mixed bag, which happened due to insane deadlines and heavy management push to ‘get things done now’ and insane choices on hardware and planning. So I have a mixed bag of vms in different VLANs doing multiple things on multiple kvm hosts, some needing internet access (load balancers and routers), some handling inter-VLAN routing, and some just being servers, all communicating on the same switches. It’s really bad. So I was wondering how to limit some traffic leakage from the kvm hosts.
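A concrete way to check what the comments above describe, added here as an illustration and not code from the question or the commenters: the script below walks the kernel's sysfs view of the bridges and reports two things, any bridge that has a physical NIC or bond enslaved alongside guest taps (those are the bridges on which guest frames can reach the switch), and any port the kernel has put in promiscuous mode. It assumes the standard sysfs layout (/sys/class/net/<bridge>/bridge, <bridge>/brif/<port>, <iface>/flags, <iface>/bonding, <iface>/device); the SYSFS_NET variable and the make_sample_tree function are my additions so the audit can be exercised on a constructed tree without root or a real bridge. Note that the Linux bridge driver itself places enslaved ports in promiscuous mode, so the flag being set on bond0 or a vnetN tap is expected; the finding that matters for isolation is the uplink on a bridge that also carries guest taps.

```shell
#!/bin/sh
# Added example (not from the question or the commenters): audit Linux bridges
# via sysfs for enslaved uplinks and promiscuous ports. Set
# SYSFS_NET=/sys/class/net to audit the real host; otherwise a constructed
# sample tree is built and audited.

IFF_PROMISC=256   # 0x100, from <linux/if.h>

net_root() { printf '%s\n' "${SYSFS_NET:-/sys/class/net}"; }

# is_promisc IFACE: succeed if IFF_PROMISC is set in the interface's flags file.
is_promisc() {
    flags=$(cat "$(net_root)/$1/flags" 2>/dev/null) || return 1
    [ $(( $flags & $IFF_PROMISC )) -ne 0 ]
}

# is_uplink IFACE: succeed if the port is backed by hardware (a 'device' link),
# is a bond, or is a VLAN/macvlan stacked on another device (lower_* link).
# libvirt's vnetN taps have none of these, so they are treated as guest ports.
is_uplink() {
    p="$(net_root)/$1"
    [ -e "$p/device" ] || [ -d "$p/bonding" ] || [ -n "$(ls -d "$p"/lower_* 2>/dev/null)" ]
}

# bridge_ports BRIDGE: print the names of the ports enslaved to the bridge.
bridge_ports() {
    d="$(net_root)/$1/brif"
    [ -d "$d" ] && ls "$d"
}

# audit_bridges: print one line per finding, in bridge then port order.
audit_bridges() {
    for b in "$(net_root)"/*/bridge; do
        [ -d "$b" ] || continue
        br=$(basename "$(dirname "$b")")
        for port in $(bridge_ports "$br"); do
            if is_uplink "$port"; then
                echo "$br: uplink $port enslaved (guest frames on this bridge can leave the host)"
            fi
            if is_promisc "$port"; then
                echo "$br: port $port is promiscuous"
            fi
        done
    done
}

# make_sample_tree: build a constructed sysfs-like tree and print its path.
# br-ext mirrors the layout in the question (bond uplink plus a guest tap,
# both promiscuous); br-int is a guest-only bridge with no uplink.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/br-ext/bridge" "$t/br-ext/brif" "$t/bond0/bonding" "$t/vnet0"
    printf '0x1103\n' > "$t/bond0/flags"   # bit 0x100 set: promiscuous
    printf '0x1103\n' > "$t/vnet0/flags"
    ln -s "$t/bond0" "$t/br-ext/brif/bond0"
    ln -s "$t/vnet0" "$t/br-ext/brif/vnet0"
    mkdir -p "$t/br-int/bridge" "$t/br-int/brif" "$t/vnet1"
    printf '0x1003\n' > "$t/vnet1/flags"   # bit 0x100 clear: not promiscuous
    ln -s "$t/vnet1" "$t/br-int/brif/vnet1"
    printf '%s\n' "$t"
}

if [ -z "$SYSFS_NET" ]; then
    SYSFS_NET=$(make_sample_tree); export SYSFS_NET
fi
audit_bridges
```

On the sample tree the audit reports br-ext three times (the enslaved bond0 uplink, and bond0 and vnet0 as promiscuous) and nothing for br-int, which is the shape Tom Yan's comment recommends for an internal network: guest taps only, with the host doing IP forwarding if it must reach anything outside.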