Date:      Thu, 29 Dec 2016 18:09:42 +0000
From:      Matt Churchyard <churchers@gmail.com>
To:        Aryeh Friedman <aryeh.friedman@gmail.com>, Vincent Olivier <vincent@up4.com>
Cc:        "freebsd-virtualization@freebsd.org" <freebsd-virtualization@freebsd.org>
Subject:   Re: Multiple bhyve Guests, Single bridge/tap?
Message-ID:  <CANV9Nzm36Uf1=DiWbOphQe4suQ9SrGjU=zgChWfLTp7FZWATfQ@mail.gmail.com>
In-Reply-To: <CAGBxaXnEs9n1DMET3y58ZouRnizj5Xn8yW1r_qr7tBiL0DgaNg@mail.gmail.com>
References:  <B0C8AC1D-340A-4EF9-A862-FEA3A2AE37E4@up4.com> <CAGBxaXmv1pD1Lib76jzU%2B7OntT7i50xmV6LmxYjjmOYYrmD8UA@mail.gmail.com> <EFADB4DF-5779-4228-8A22-2E336B4E46D4@up4.com> <CAGBxaXnEs9n1DMET3y58ZouRnizj5Xn8yW1r_qr7tBiL0DgaNg@mail.gmail.com>

As mentioned, a bridge is the virtual equivalent of a switch. It only really
makes sense to have more than one bridge if you have more than one
interface on your guest(s), and want to connect those interfaces to
separate networks. (Or you want some guests on a different network,
possibly bridged to a different physical interface).

If you want to provide complete network separation between guests, it's
much easier to just use the 'private' option to ifconfig when bridging the
guest's tap interface. Any bridge member set to private cannot talk to any
other private bridge member. Of course this is only really applicable in
multi-tenant situations like Aryeh says. If they are all your own guests,
the fact that they can see each other on the network should hopefully be a
non-issue.

Matt

On Thu, 29 Dec 2016 at 15:26, Aryeh Friedman <aryeh.friedman@gmail.com>
wrote:

> On Thu, Dec 29, 2016 at 10:19 AM, Vincent Olivier <vincent@up4.com> wrote:
>
> > Hi!
> >
> > > Use the same bridge but a different tap (each tap represents the
> > > virtual equivalent of a NIC where the bridge is the virtual equivalent
> > > of a hub)
> >
> > Thanks! This is very clear. For extra isolation, could I use a new bridge
> > too or is that useless?
>
> Yes but it only makes sense in a multi-tenant (aka cloud provider) setup
> because any attacker on a VM should be assumed to be able to get into the
> host due to knowing your password (which typically is not all that
> different on the two machines unless you randomly generated it).
>
> --
> Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
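Matt's 'private' bridge-member suggestion, as an added example that is not code from this thread or from FreeBSD/bhyve itself: it prints the ifconfig(8) commands for one bridge whose tap members are all marked private, and then parses `ifconfig bridgeN` output to flag any tap member that missed the flag. The interface names (bridge0, em0, tap0, tap1) and the sample ifconfig output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints FreeBSD ifconfig(8)
# commands that put several bhyve guest taps on one bridge with each tap
# marked "private" (private members forward only to non-private members,
# i.e. the uplink), then checks parsed `ifconfig bridgeN` output for tap
# members that lack PRIVATE. Interface names are assumptions.

# Print the commands for one bridge with an uplink and N private tap members.
# Usage: plan_bridge <bridge> <uplink> <tap>...
plan_bridge() {
    bridge=$1; uplink=$2; shift 2
    echo "ifconfig $bridge create"
    echo "ifconfig $bridge addm $uplink up"
    for tap in "$@"; do
        # with sysctl net.link.tap.up_on_open=1 bhyve brings the tap up itself
        echo "ifconfig $tap create"
        # add the member and mark it private in the same ifconfig call
        echo "ifconfig $bridge addm $tap private $tap"
    done
}

# Read `ifconfig <bridge>` output on stdin; print every tap member whose
# flags lack PRIVATE. Exit status 1 if any were printed, 0 otherwise.
check_private() {
    awk '/member: tap/ { if ($3 !~ /PRIVATE/) { print $2; bad = 1 } }
         END { if (bad) exit 1 }'
}

# Constructed sample output (not captured from a real host): tap1 was added
# without the private flag, so guests on tap0 and tap1 could still see each
# other. 0x143 is the default member flag set; 0x943 adds IFBIF_PRIVATE.
SAMPLE_IFCONFIG='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 58:9c:fc:00:00:01
        member: tap1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 2000000
        member: tap0 flags=943<LEARNING,DISCOVER,PRIVATE,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 3 priority 128 path cost 2000000
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 2000000'

# Run the check against the sample; prints the members that are not private.
unisolated_members() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | check_private
}

plan_bridge bridge0 em0 tap0 tap1
unisolated_members || echo "bridge members above are not private" >&2
```

On a real host, replace SAMPLE_IFCONFIG with `ifconfig bridge0` output (or pipe it straight into check_private) after applying the printed commands.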