@nerdalert
Last active June 14, 2023 16:52

Docker Macvlan and Ipvlan Experimental Driver Examples

  • The build will be vendored into github.com/docker/docker in the next few days. In the meantime, here is the binary that will be vendored: docker-1.11.0-dev.zip
  • Ipvlan L2 mode network with multiple subnets without a parent specified
  • For a long test that creates 54 networks and 120+ containers, deletes them all and then recreates them, try ipvlan-macvlan-it.sh. Instructions here: Docker Macvlan and Ipvlan Manual IT Test
  • FYI Note: When the parent is empty or the --internal flag is used, a Linux dummy-type interface is created dynamically by Libnetwork to act as the parent. Such a network is completely isolated from the host's NICs, which is equivalent to using the --internal flag. This is a good mode for demoing.
  • The first test requires an interface named eth0. Change the name to match the NIC naming on the Docker host.

Create multiple macvlan bridge subnets using a sub-interface eth0.215 and VLAN ID 215

  • Note: when no gateway is given for a subnet, it defaults to the first usable address in that subnet. Example: 172.16.90.128/25 gets a gateway of 172.16.90.129 unless one is set explicitly with --gateway=172.16.90.x
docker network create -d macvlan \
    --subnet=192.168.215.0/24 \
    --subnet=192.168.217.0/24 \
    --gateway=192.168.215.1 \
    -o parent=eth0.215 \
    -o macvlan_mode=bridge macnet215

# Test 192.168.215.0/24 connectivity
docker run --net=macnet215 --ip=192.168.215.10 -itd alpine /bin/sh
docker run --net=macnet215 --ip=192.168.215.9 -it --rm alpine ping -c 2 192.168.215.10

# Test 192.168.217.0/24 connectivity
docker run --net=macnet215 --ip=192.168.217.10 -itd alpine /bin/sh
docker run --net=macnet215 --ip=192.168.217.9 -it --rm alpine ping -c 2 192.168.217.10

Ipvlan L2 mode network with multiple subnets without a parent specified using a dummy interface

docker network create -d ipvlan \
    --subnet=192.168.210.0/24 \
    --subnet=192.168.212.0/24 \
    --gateway=192.168.210.1 \
    --gateway=192.168.212.1 \
    -o ipvlan_mode=l2 ipnet212

# Start a container on each subnet
docker run --net=ipnet212 --ip=192.168.210.10 -itd alpine /bin/sh
docker run --net=ipnet212 --ip=192.168.212.10 -itd alpine /bin/sh

# Test 192.168.210.0/24 connectivity
docker run --net=ipnet212 --ip=192.168.210.9 -it --rm alpine ping -c 2 192.168.210.10

# Test 192.168.212.0/24 connectivity
docker run --net=ipnet212 --ip=192.168.212.9 -it --rm alpine ping -c 2 192.168.212.10

Ipvlan L3 mode network with multiple subnets without a parent specified using a dummy interface

docker network create -d ipvlan \
    --subnet=192.168.214.0/24 \
    --subnet=10.1.214.0/24 \
    -o ipvlan_mode=l3 ipnet214

# Start a container on each subnet
docker run --net=ipnet214 --ip=192.168.214.10 -itd alpine /bin/sh
docker run --net=ipnet214 --ip=10.1.214.10 -itd alpine /bin/sh

# Test L3 connectivity from 192.168.214.0/24 to 10.1.214.0/24
docker run --net=ipnet214 --ip=192.168.214.9 -it --rm alpine ping -c 2 10.1.214.10

# Test L3 connectivity from 10.1.214.0/24 to 192.168.214.0/24
docker run --net=ipnet214 --ip=10.1.214.9 -it --rm alpine ping -c 2 192.168.214.10

Dual Stack Ipvlan L3 mode with multiple subnets without a parent specified using a dummy interface

  • All Macvlan and Ipvlan modes support dual-stack IPv4/IPv6
docker network  create  -d ipvlan \
   --subnet=192.168.8.0/24 \
   --subnet=192.168.9.0/24 \
   --gateway=192.168.9.254 \
   --subnet=fded:7a74:dec4:5a18::/64 \
   --gateway=fded:7a74:dec4:5a18::254 \
   --subnet=fded:7a74:dec4:5a19::/64 \
   --gateway=fded:7a74:dec4:5a19::254 \
   -o ipvlan_mode=l3 \
   dualstack

# Start containers on 192.168.8.0/24 & fded:7a74:dec4:5a18::/64
docker run --net=dualstack --ip6=fded:7a74:dec4:5a18::81 -itd alpine /bin/sh
docker run --net=dualstack --ip=192.168.8.80 -itd alpine /bin/sh
docker run --net=dualstack --ip=192.168.8.81 --ip6=fded:7a74:dec4:5a18::80 -itd alpine /bin/sh

# Start containers on 192.168.9.0/24 & fded:7a74:dec4:5a19::/64
docker run --net=dualstack --ip6=fded:7a74:dec4:5a19::91 -itd alpine /bin/sh
docker run --net=dualstack --ip=192.168.9.90 -itd alpine /bin/sh
docker run --net=dualstack --ip=192.168.9.91 --ip6=fded:7a74:dec4:5a19::90 -itd alpine /bin/sh

# Start containers on a mix of the v4/v6 networks created above
docker run --net=dualstack --ip=192.168.9.100 --ip6=fded:7a74:dec4:5a18::100 -itd alpine /bin/sh
docker run --net=dualstack --ip=192.168.8.100 --ip6=fded:7a74:dec4:5a19::100 -itd alpine /bin/sh

# Ping from the 5a19::/64 v6 subnet to the 5a18::/64 subnet (routed by L3 mode)
docker run --net=dualstack --ip6=fded:7a74:dec4:5a19::25 -it --rm alpine ping6 -c 2 fded:7a74:dec4:5a18::81
docker run --net=dualstack --ip6=fded:7a74:dec4:5a19::25 -it --rm alpine ping6 -c 2 fded:7a74:dec4:5a18::100
# Ping from the 5a18::/64 v6 subnet to the 5a19::/64 subnet (routed by L3 mode)
docker run --net=dualstack --ip6=fded:7a74:dec4:5a18::25 -it --rm alpine ping6 -c 2 fded:7a74:dec4:5a19::91
docker run --net=dualstack --ip6=fded:7a74:dec4:5a18::25 -it --rm alpine ping6 -c 2 fded:7a74:dec4:5a19::100

# Ping a v4 host inside the same subnet, then one in the other subnet (routed by L3 mode)
docker run --net=dualstack --ip=192.168.8.25 -it --rm alpine ping -c 2 192.168.8.80
docker run --net=dualstack --ip=192.168.8.25 -it --rm alpine ping -c 2 192.168.9.91
# Same test from the 192.168.9.0/24 side
docker run --net=dualstack --ip=192.168.9.25 -it --rm alpine ping -c 2 192.168.9.91
docker run --net=dualstack --ip=192.168.9.25 -it --rm alpine ping -c 2 192.168.8.80
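The default-gateway rule noted above (first usable address unless --gateway is set) and the static --ip/--ip6 assignments in the dualstack example can be sanity-checked before any containers are started. This is an added example, not code from the gist; it uses only Python's ipaddress module and the subnets declared for the dualstack network, and flags addresses that fall outside every declared subnet or collide with a gateway.

```python
import ipaddress

# Subnets declared on the "dualstack" network above. None means no
# --gateway was given, so libnetwork's default (first usable address) applies.
DUALSTACK_SUBNETS = {
    "192.168.8.0/24": None,
    "192.168.9.0/24": "192.168.9.254",
    "fded:7a74:dec4:5a18::/64": "fded:7a74:dec4:5a18::254",
    "fded:7a74:dec4:5a19::/64": "fded:7a74:dec4:5a19::254",
}


def effective_gateway(subnet, gateway=None):
    """Gateway the network will use: the explicit --gateway if given,
    otherwise the first usable host address of the subnet."""
    net = ipaddress.ip_network(subnet, strict=True)
    if gateway is None:
        return net.network_address + 1
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is outside {net}")
    return gw


def check_addresses(subnets, addresses):
    """Map each --ip/--ip6 value to the declared subnet it belongs to, or to
    a problem string: 'no matching subnet' or 'collides with gateway'."""
    gateways = {ipaddress.ip_network(s): effective_gateway(s, g)
                for s, g in subnets.items()}
    result = {}
    for addr_str in addresses:
        addr = ipaddress.ip_address(addr_str)
        # 'in' is False across IP versions, so v4 and v6 never cross-match
        match = next((n for n in gateways if addr in n), None)
        if match is None:
            result[addr_str] = "no matching subnet"
        elif addr == gateways[match]:
            result[addr_str] = "collides with gateway"
        else:
            result[addr_str] = str(match)
    return result


if __name__ == "__main__":
    # Constructed sample: two valid addresses from the gist, one typo'd
    # prefix (5a17 instead of 5a18/5a19) and one that hits the v4 gateway.
    sample = ["192.168.8.80", "fded:7a74:dec4:5a19::91",
              "fded:7a74:dec4:5a17::91", "192.168.9.254"]
    for addr, verdict in check_addresses(DUALSTACK_SUBNETS, sample).items():
        print(f"{addr:28} -> {verdict}")
```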
ThomasFreedman commented May 17, 2018

I have read several articles about macvlan & ipvlan, but am having difficulty understanding them.

I need to implement host--> container communications with (external to host)--> container isolation. A host-only, internal network not accessible from outside the host where host and containers can connect is what I'm trying to achieve, as I describe here.

I suspect one of the examples you describe here may be the solution I need but I am not sure which provide the desired connectivity between host and container while at the same time isolating containers from connections external to the host.

I'm not a network expert, so I don't understand the L2 & L3 references in your description, though I do understand this IP nomenclature: 192.168.8.0/24 (/24 is a mask, the number of bits in the IP address allowed, so it expresses a range of IP addresses).
