小编点评

正文

https://www.jianshu.com/p/ee7d9c8b4492

Bridge | Bridge

A bridge is a Layer 2 device that connects two Layer 2 (i.e. Ethernet) segments together.
“桥”是一个用于连接两个二层网段的二层设备。
Frames between the two segments are forwarded based on the Layer 2 addresses (i.e. MAC addresses).
不同网络段上的帧通过二层地址（MAC地址）进行转发。
Although the two words are still often used in different contexts, a bridge is effectively a switch and all the confusion started 20+ years ago for marketing purposes.
20多年前由于市场营销的需求，这两个词开始混淆，至今仍被用在不同的场景中；但是实际上“桥接”就是“交换”。

Switching was just a fancy name for bridging, and that was a 1980s technology – or so the thinking went.
广为认同的是：“交换”只是80年代“桥接”技术的一个更花哨的名称。

A bridge makes forwarding decisions based on the MAC address table. Bridge learns MAC addresses by looking into the Frames headers of communicating hosts.
“桥”根据MAC地址表决定如何转发流量。“桥”根据通信双方报文帧头部信息学习MAC地址。
A bridge can be a physical device or implemented entirely in software.
“桥”可以是个物理设备，也可以是完全软实现的虚拟设备。
Linux kernel is able to perform bridging since 1999.
从1999年开始，linux内核就实现了“桥接”功能。
By creating a bridge, you can connect multiple physical or virtual interfaces into a single Layer 2 segment.
通过创建桥，可以连接多个物理或虚拟接口至同一个二层域上。
A bridge that connects two physical interfaces on a Linux host effectively turns this host into a physical switch.
通过Linux服务器上的桥接功能连接两个物理端口，将其充当一台物理交换设备。

 

Linux Bridge

Switches have meanwhile became specialized physical devices and software bridging had almost lost its place.
与此同时交换机成为了专门的硬件设备，软件实现的桥失去了昔日的辉煌。
However, with the advent of virtualization, virtual machines running on physical hosts required Layer 2 connection to the physical network and other VMs.
然而随着虚拟化的发展，服务器上运行的虚拟机需要与物理网络、其他虚拟机打通二层连接。
Linux bridging provided a well proven technology and entered it’s Renaissance.
Linux 桥接提供了成熟的技术，并开始复兴。

A bridge can connect virtual Ethernet interfaces with each other or virtual Ethernet interfaces with a physical Ethernet device, connecting them into a single Layer 2 device.
“桥”可以连接虚拟接口和物理设备到一个二层设备之上。

 

Linux Bridge

You can verify the bridge configuration of your Linux host with the brctl utility which is part of the bridge-utils package on most distributions.
通过大多数Linux发行版携带的bridge-utils工具中的brctl命令，可以检验主机上的桥接配置。

# brctl show
bridge name  bridge id          STP enabled  interfaces
br0          8000.080006ad34d1  no           eth0  veth0
br1          8000.080021d2a187  no           veth1 veth2</pre>

Bridges have potential to create Layer 2 loops, so you have an option to run STP if required.
潜在情况下桥接会造成二层环路，必要的情况下可以运行STP功能避免该问题。

Macvlan |Macvlan

Macvlan, MACVLAN or MAC-VLAN allows you to configure multiple Layer 2 (i.e. Ethernet MAC) addresses on a single physical interface.
Macvlan。MACVLAN,MAC-VLAN可以实现在一个物理接口上配置多个二层地址（以太网MAC地址）。
Macvlan allows you to configure sub-interfaces (also termed slave devices) of a parent, physical Ethernet interface (also termed upper device), each with its own unique (randomly generated) MAC address, and consequently its own IP address.
Macvlan可以将物理接口作为一个父接口，在上面配置多个拥有独立MAC地址和IP地址的子接口。
Applications, VMs and containers can then bind to a specific sub-interface to connect directly to the physical network, using their own MAC and IP address.
应用程序，虚拟机，容器通过绑定这些子接口，使用各自的MAC,IP地址直接连接到物理网络上。

Mavlan sub-interfaces are not able to directly communicate with the parent interface, i.e.
macvlan的子接口并不能与macvlan的父接口直接通信
VMs cannot directly communicate with the host.
因此虚拟机不能直接与宿主机通信。
If you require VM-host communication, you should add another macvlan sub-interface and assign it to the host.
如果需要连接虚拟机和宿主机，则需要为宿主机额外创建一个macvlan子接口。

Macvlan sub-interfaces use a mac0@eth0 notation, to clearly identify the sub-interface and it’s parent interface.
macvlan的子接口通过mac0@eth0这样的命名方式，清楚的标识子接口以及其对应的父接口。
Sub-interface state is bound to its parent’s state – if eth0 is down, so is the mac0@eth0.
子接口的状态与父接口的状态同步。如果父接口下线，则子接口也下线。

 

Linux macvlan

Macvlan modes | Macvlan 工作模式

Each sub-interface can be in one of 4 modes that affect possible traffic flows.
每个子接口都有4种可选的工作模式，每种工作模式都会影响流量通行的方式。

Macvlan private | Macvlan 私有

Sub-interfaces on the same parent interface cannot communicate with each other.
同一个父接口上的子接口不能互相通信
All frames from sub-interfaces are forwarded out through the parent interface.
子接口上的所有报文都必须流出父接口。
Even if physical switch reflects the frame sourced from one sub-interface and destined to another sub-interface, frame gets dropped.
即使从外部交换机上将子接口的报文送回同一个父接口上的其他子接口，该报文也将被丢弃。

 

Macvlan private mode

Macvlan VEPA |Macvlan VEPA

All frames from sub-interfaces are forwarded out through the parent interface.
所有子接口之间的流量将流出父接口后再进行交换。
VEPA mode requires an IEEE 802.1Qbg aka Virtual Ethernet Port Aggregator physical switch.
VEPA模式需要物理交换机支持IEEE 802.1Qbg.
VEPA capable switch returns all frames where both source and destination are local to the macvlan interface.
使能了VEPA功能的交换机将把源和目的地址指向同一macvlan设备的报文回送。
Consequently macvlan subinterfaces on the same parent interface are capable to communicate with each other through a physical switch.
因此macvlan同一父接口上的子接口可以通过外部交换机互相通讯。
Broadcast frames coming in through the parent interface get flooded to all macvlan interfaces in VEPA mode.
父接口上流入的广播报文也将在所有VEPA模式的macvlan接口上泛洪。
VEPA mode is useful when you are enforcing policies on physical switch and you want all VM-to-VM traffic to traverse the physical switch.
VEPA模式可以实现通过物理交换机上的策略控制虚拟机与虚拟机之间的通讯。

 

Macvlan 802.1qbg VEPA mode

Macvlan Bridge| Macvlan 桥接

Macvlan connects all sub-interfaces on a parent interface with a simple bridge.
Macvlan通过桥的模式将所有子接口连接到父接口上。
Frames from one interface to another one get delivered directly and are not sent out.
子接口之间的流量可以直接交换而无需流出父接口。
Broadcast frames get flooded to all other bridge ports and to the external interface, but when they come back from a VEP switch, they are discarded.
广播包会泛洪至其他桥接的子接口和外部接口上。而VEP交换机回送的广播包将被丢弃。
Since all macvlan sub-interface MAC addresses are known, macvlan bridge mode does not require MAC learning and does not need STP.
由于macvlan知悉所有子接口的mac地址，工作在bridge模式下的macvlan并不需要MAC学习，也不需要STP功能。
Bridge mode provides fastest communication between the VMs, but has a “flaw” you should be aware of – if parent interface state goes down, so do all macvlan sub-interfaces.
Bridge模式为虚拟机提供了最快速的通信方式，但也存在一个闭端：一旦macvlan的父接口下线，所有macvlan的子接口也将一并下线。
VMs will not be able to communicate with each other when physical interfaces gets disconnected.
也即一旦物理接口失联，所有连接在macvlan上的虚拟机也将无法互相通信。

 

Macvlan bridge mode

Macvlan Passthru|Macvlan 透传

Allows a single VM to be connected directly to the physical interface.
该模式使虚拟机可以直接连接到物理接口上。
The advantage of this mode is that VM is then able to change MAC address and other interface parameters.
该模式的优势是虚拟机可以直接更改接口的MAC地址等参数。

 

Macvlan passthru mode

Macvlan vs Bridge |Macvlan 对比Bridge

The macvlan is a trivial bridge that doesn’t need to do learning as it knows every mac address it can receive, so it doesn’t need to implement learning or stp. Which makes it simple stupid and and fast.
由于macvlan认识连接在其之上的设备的mac地址，所以并不需要实现mac地址学习以及stp等功能。这也使得macvlan变的傻块。

• Eric W. Biederman

Use Macvlan: |使用Macvlan:

• When you only need to provide egress connection to the physical network to your VMs or containers.
• 当只需要提供物理网络与虚拟机和容器的连接时
• Because it uses less host CPU and provides slightly better throughput.
• 鉴于它对CPU资源消耗较少，相对提供的吞吐性能更高

Use Bridge: |使用Bridge:

• When you need to connect VMs or containers on the same host.
• 当需要连接同一台服务器上的虚拟机和容器时。
• For complex topologies with multiple bridges and hybrid environments (hosts in the same Layer2 domain both on the same host and outside the host).
• 当出现跨主机环境或者多桥环境构建复杂网络拓补结构时、
• You need to apply advanced flood control, FDB manipulation, etc.
• 当需要控制FDB、高级泛洪功能时

译自：https://hicu.be/bridge-vs-macvlan