VDE Swtich- Packets Duplicate?

[dman777]

I was thinking about doing a VDE switch with KVM and guests. I read on the Gentoo wiki that packets are duplicated from the eth0 to the switch. Is this correct?

Packets
|
|
Eth0
|
|------------------------|
^Packets Duplicate^
|..............................|
Host ...............VDE Switch

And if so, does this mean:
1) The packet load is doubled because they are duplicated?
2) Packets that get duplicated to the switch do not go through iptables?
3) The Host is going to recieve all the packets that are getting duplicated to the switch?
4) Will out going packets from the VM Guests appear to originate from the Host instead of the Guests(just like KVM's defualt Slirp network)?

[xming]

Do you really need VDE? VDE does everything in userspace, while Linux Bridge does all in kernel space, speed difference is enormous, unless you need those features provided by VDE, you are probably better off with linux bridge.
_________________
http://wojia.be

[jormartr]

Please correct me if I am wrong, but AFAIK with bridges any host may sniff packets from the other hosts on the bridge (like in a network hub), and with VDE, that is not possible (like with a network switch).

Thank you.

[xming]

host and hosts? I presume you mean host and guests, host can always sniff guests' traffic not matter what you use, unless you use pci-passthru for the NICs. Linux bridge is a bridge not hub, so one guest can not see other guests' traffic.
_________________
http://wojia.be

[dman777]

[xming]

[dman777]

Yes..I am aware of the correct term.

I was told on #network that filtering on the lowest level(mac address) is always best. Since promisc mode on a Nic isn't as secure as non-promisc mode, I see the logic in that....it's better the physical device(nic) drops the packet rather than reach the OS and the kernel drops it.

I thought the convention was hubs don't filter on a mac addresses. If this is true, than what would diff. between a switch and a hub if they both filter on mac address?

[xming]

Oh my I give up. Where the hell did I ever said the hubs can do MAC filtering?
_________________
http://wojia.be

[malern]

I used to use vde_switch with vde_pcapplug on a dev machine. Like xming says, it was horribly inefficient, but I wanted something quick and easy to setup. I was running 4 or 5 guests at a time for web development, so not massively hardcore network requirements, but they shovelled a decent amount of traffic (they could easily saturate my 100mb link). I never benchmarked it but there was never any noticeable increase in lag or load due to running everything through vde (I was using reasonable modern hardware for the host though).

vde_switch by itself won't send/receive anything over eth0 (or any other interface) by default, it only routes things to the other guests connected to it. There's a number of ways to connect it to a real interface though. I went with vde_pcapplug because it was mind numbingly easy to setup, you just run "vde_pcapplug eth0" and it uses pcap to sniff and inject things into eth0. The guests appear as normal hosts on the LAN (i.e. there's no NAT or anything going on). The downside is it bypasses iptables and all the regular networking stuff, plus you can't communicate with the actual host only the rest of the network, which is a bit of a pain.

I think the duplication that the wiki talks about basically refers to copying the packets from the vde_switch program to a real interface. Really it just means it's forwarding the packets to somewhere else, you won't get any hosts seeing the same packet twice.

[jormartr]

I have been trying to capture traffic from a guest, while using a bridged setup, and it could not read anything that was not sent to it, or broadcasted.

Now I am switching to bridges again...

Thank you guys.