Bridge to Host Network in VM

How to add a bridge to host network in virtual machines using libvirt and virt-manager.

Overview

Bridge networking is a fundamental technique for connecting virtual machines directly to your host's physical network. Unlike NAT (Network Address Translation), which isolates VMs behind the host, a bridge interface acts as a virtual switch, allowing VMs to appear as independent devices on the same network as your host machine.

Key Concepts

Network Bridge: A bridge connects multiple network segments at the data link layer (OSI Layer 2), creating a unified network where all connected devices can communicate as if they were on the same physical network segment. In Linux, bridges are implemented as kernel-level network devices that forward frames between physical interfaces and virtual interfaces (like VMs), operating transparently at the Ethernet frame level.

Bridge Architecture: The Linux bridge implementation maintains a forwarding database (FDB) that tracks MAC addresses and their associated ports. When a frame arrives on one port, the bridge consults the FDB to determine which port(s) to forward the frame to. This architecture enables efficient frame switching with minimal CPU overhead.

Spanning Tree Protocol (STP): The bridge supports STP to prevent loops when multiple paths exist between segments. STP is essential in complex network topologies with redundant links, as it automatically disables redundant paths and re-enables them if a primary path fails.

Why Use Bridging?

  • VMs receive their own IP addresses from the network's DHCP server
  • Direct communication between VMs and physical network devices
  • External devices can reach VMs without port forwarding or NAT translation overhead
  • Essential for cluster deployments and distributed systems testing
  • Better performance than NAT for inter-host communication
  • Supports low-latency, high-throughput scenarios
  • Enables VMs to participate fully in network protocols (mDNS, SSDP, ARP)

Physical Interface: The network interface card (NIC) that connects your host to the network (e.g., enp114s0, eth0, wlan0). When added to a bridge, the interface operates at Layer 2 and loses its Layer 3 (IP) configuration.

nmcli (NetworkManager CLI): Command-line interface for NetworkManager, which simplifies network configuration on Linux systems. NetworkManager abstracts the complexity of manual network configuration and automatically manages connection profiles, DNS, and routing.

MAC Address Behavior: Each VM connected to the bridge receives its own MAC address and IP address, making it indistinguishable from physical network devices. The bridge maintains MAC address tables to efficiently forward frames without flooding the network unnecessarily.

Performance Characteristics: Bridge forwarding occurs in kernel space with minimal latency, typically in the microsecond range. The throughput is limited primarily by the physical NIC bandwidth and any egress rate limiting configured on the bridge or VMs.

Create a Bridge Network

```bash
# Run this from a local console: enp114s0 loses its own IP while it is enslaved
# Delete existing br0 (clean start)
sudo nmcli connection delete br0 || true

# Delete existing standalone enp114s0 connection
sudo nmcli connection delete enp114s0 || true

# Create a new bridge named br0
sudo nmcli connection add type bridge ifname br0 con-name br0

# Add your physical interface to the bridge
sudo nmcli connection add type ethernet ifname enp114s0 master br0 con-name enp114s0

# Configure the bridge to get IP via DHCP from your router
sudo nmcli connection modify br0 ipv4.method auto ipv6.method ignore

# Make sure both auto-connect
sudo nmcli connection modify br0 connection.autoconnect yes
sudo nmcli connection modify enp114s0 connection.autoconnect yes

# Bring it up
sudo nmcli connection up br0
sudo nmcli connection up enp114s0
```

Technical Details: NetworkManager Connection Lifecycle

When you execute the above commands, NetworkManager performs the following operations:

  1. Connection Profile Creation: NetworkManager stores connection profiles in /etc/NetworkManager/system-connections/. Each profile contains the connection settings, including bridge configuration and IP assignment method.

  2. Device State Transitions: The physical device (enp114s0) transitions through several states:

    • unavailable → disconnected → prepare → config → need-auth → activated

  3. Interface Configuration: The bridge interface performs:

    • MAC address initialization (typically inherits from the primary enslaved NIC)
    • MTU (Maximum Transmission Unit) discovery from enslaved devices
    • ARP (Address Resolution Protocol) initialization
    • DHCP client spawning for IPv4 address acquisition

  4. DHCP Negotiation: The bridge sends DHCP DISCOVER packets from the MAC address of the enslaved physical interface, allowing the DHCP server to recognize the request as coming from a physical network device.

Understanding Bridge Port State Transitions

When an interface is enslaved to a bridge, it goes through the following states defined by the Spanning Tree Protocol (STP):

  • Disabled: Port is administratively disabled
  • Blocking: Port receives BPDU (Bridge Protocol Data Unit) messages but doesn't forward frames
  • Listening: Port prepares to forward frames, learning MAC addresses but not forwarding user data
  • Learning: Port forwards BPDU messages and learns MAC addresses from received frames
  • Forwarding: Port actively forwards frames and learns MAC addresses

In a simple bridge without STP, ports typically move directly to the Forwarding state.

Verifying Bridge Status

```bash
# Display bridge configuration
ip link show type bridge

# Show bridge ports and their states
ip link show

# Display MAC address forwarding table
brctl showmacs br0

# Monitor bridge statistics
ip -s link show br0

# Check if a specific interface is enslaved to the bridge
ip link show enp114s0 | grep -i master
```
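The commands above are read by eye; the following script, added here as an example and not part of the original page, parses `ip -d link show` output and reports whether enp114s0 is enslaved to br0 and in the forwarding port state, so the same check can run from a deployment pipeline or a cron job. The embedded sample output is constructed and abridged; the interface names match the ones used on this page.

```python
import re
import subprocess

def parse_ip_link(text: str) -> dict:
    """Parse `ip -d link show` output into {ifname: {flags, master, port_state, bridge}}."""
    links, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"^\d+: ([^:@]+)\S*: <([^>]*)>(.*)$", line)
        if head:
            m = re.search(r"\bmaster (\S+)", head.group(3))
            cur = {"flags": set(head.group(2).split(",")), "master": m.group(1) if m else None,
                   "port_state": None, "bridge": {}}
            links[head.group(1)] = cur
        elif cur is not None:
            detail = line.strip()
            if detail.startswith("bridge_slave "):          # STP port state of an enslaved NIC
                m = re.search(r"\bstate (\S+)", detail)
                cur["port_state"] = m.group(1) if m else None
            elif detail.startswith("bridge "):              # stp_state, forward_delay, ageing_time ...
                cur["bridge"] = dict(re.findall(r"(\w+) (\d+)\b", detail))
    return links

def check_bridge(links: dict, bridge: str = "br0", port: str = "enp114s0") -> list:
    """Return problems found; an empty list means the port is enslaved and forwarding."""
    br, p = links.get(bridge), links.get(port)
    if br is None or not br["bridge"]:
        return [f"{bridge}: no bridge device found"]
    problems = []
    if not {"UP", "LOWER_UP"} <= br["flags"]:
        problems.append(f"{bridge}: not UP/LOWER_UP")
    if p is None:
        return problems + [f"{port}: device not found"]
    if p["master"] != bridge:
        problems.append(f"{port}: master is {p['master']}, expected {bridge}")
    if p["port_state"] != "forwarding":
        hint = " (STP enabled: new ports wait forward_delay first)" if br["bridge"].get("stp_state") == "1" else ""
        problems.append(f"{port}: port state is {p['port_state']}, expected forwarding{hint}")
    return problems

# Constructed, abridged `ip -d link show` output for the layout built above.
SAMPLE = """\
2: enp114s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP mode DEFAULT group default qlen 1000
    bridge_slave state forwarding priority 32 cost 4 hairpin off guard off root_block off
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    bridge forward_delay 1500 hello_time 200 max_age 2000 ageing_time 30000 stp_state 0 priority 32768 vlan_filtering 0
"""

if __name__ == "__main__":  # run against the live host
    live = subprocess.run(["ip", "-d", "link", "show"], capture_output=True, text=True, check=True).stdout
    print("\n".join(check_bridge(parse_ip_link(live))) or "bridge OK")
```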

Bridge Configuration Persistence

NetworkManager stores bridge configuration in /etc/NetworkManager/system-connections/. The configuration includes:

  • br0.nmconnection: Bridge device configuration
  • enp114s0.nmconnection: Physical interface (enslaved) configuration

These files are in INI format and can be manually edited if needed:

```ini
# /etc/NetworkManager/system-connections/br0.nmconnection
[connection]
id=br0
type=bridge
interface-name=br0
autoconnect=true

[ipv4]
method=auto

[ipv6]
method=ignore

[bridge]
stp=false
```

Layer 2 Frame Forwarding Process

When a frame arrives at the bridge:

  1. Frame Reception: The NIC driver places the frame in a ring buffer
  2. MAC Address Lookup: Bridge kernel module performs a hash table lookup in the forwarding database
  3. Decision: Determines destination port(s) based on MAC address association
  4. Forwarding: Transmits the frame out the designated port(s)
  5. Learning: If source MAC is unknown, adds entry to forwarding database with timestamp

This process typically completes in microseconds, making bridges very efficient Layer 2 switches.
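The lookup, decide, forward, learn loop above, written out as a small Python model (an added example, not code from this page or from the kernel): it keeps an FDB keyed by MAC with a last-seen timestamp, floods unknown unicast and group addresses out every other port, filters frames whose destination was learned on the ingress port, and ages entries out after ageing_time centiseconds, the same unit `ip link set br0 type bridge ageing_time` takes. The port names and MAC addresses used in it are constructed.

```python
from dataclasses import dataclass

@dataclass
class Frame:
    src: str      # source MAC, e.g. "52:54:00:12:34:56"
    dst: str      # destination MAC
    in_port: str  # bridge port the frame arrived on, e.g. "vnet0"

class LearningBridge:
    """Model of the Linux bridge FDB loop: lookup, decide, forward, learn, age out (no STP)."""

    def __init__(self, ports, ageing_time=30000):
        self.ports = list(ports)
        self.ageing_time = ageing_time  # centiseconds, same unit as `ip link ... ageing_time`
        self.fdb = {}                   # MAC -> (port, last-seen time)

    def _expire(self, now):
        """Drop FDB entries not refreshed within ageing_time (the kernel's GC timer)."""
        for mac, (_, seen) in list(self.fdb.items()):
            if now - seen > self.ageing_time:
                del self.fdb[mac]

    def _flood(self, in_port):
        """Every port except the one the frame came in on."""
        return [p for p in self.ports if p != in_port]

    def receive(self, frame, now):
        """Return the egress ports for `frame` received at time `now` (centiseconds)."""
        self._expire(now)
        self.fdb[frame.src] = (frame.in_port, now)   # learning: (re)bind source MAC to ingress port
        if int(frame.dst.split(":")[0], 16) & 1:     # group bit set: broadcast or multicast
            return self._flood(frame.in_port)
        entry = self.fdb.get(frame.dst)
        if entry is None:                            # unknown unicast: flood to every other port
            return self._flood(frame.in_port)
        out_port = entry[0]
        return [] if out_port == frame.in_port else [out_port]   # same segment: filter, else switch
```

A packet capture on br0 shows exactly this behaviour: replies to a VM are unicast to its vnet port while its FDB entry is fresh, and reappear on every port once the entry has aged out.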

Advanced Bridge Configuration

Using iproute2 (ip command) for Lower-Level Control

For more advanced scenarios or when NetworkManager is not suitable, you can configure bridges directly using iproute2:

```bash
# Create a bridge device
ip link add name br0 type bridge

# Set bridge parameters (STP)
ip link set br0 type bridge stp_state 1

# Set spanning tree forward delay (in units of 0.01 seconds)
ip link set br0 type bridge forward_delay 200

# Set bridge aging time (in units of 0.01 seconds, determines how long MAC entries persist)
ip link set br0 type bridge ageing_time 30000

# Add physical interface as a port
ip link set dev enp114s0 master br0

# Bring up the bridge interface
ip link set br0 up

# Bring up the enslaved interface
ip link set enp114s0 up

# Assign IP address to bridge (DHCP or static)
dhclient br0
# OR for static IP:
# ip addr add 192.168.1.100/24 dev br0

# Display bridge status
ip link show br0
```

Bridge and VLAN Configuration

When using VLANs with bridges, the VLAN tagging can be handled at different layers:

```bash
# Create a bridge for untagged traffic
ip link add name br0 type bridge

# Create a VLAN interface on top of the bridge
ip link add link br0 name br0.100 type vlan id 100

# With VLAN filtering left off (the default), tagged frames arriving on port
# enp114s0 pass through the bridge unchanged, while VLAN 100 is terminated at
# br0.100 on the bridge device for host networking
ip link set enp114s0 master br0
```

Monitoring Bridge Runtime Statistics

```bash
# View real-time bridge forwarding statistics
ip -s -s link show br0

# Show detailed bridge interface information
ip link show dev br0

# List all interfaces and their bridge membership
# (strip the "@parent" suffix that VLAN and veth interfaces carry)
for iface in $(ip link show | grep "^[0-9]" | awk '{print $2}' | cut -d: -f1 | cut -d@ -f1); do
  echo "=== $iface ==="
  ip link show "$iface"
done

# Get bridge forwarding database entries (bridge(8) is the iproute2 replacement for brctl)
brctl showmacs br0 2>/dev/null || bridge fdb show br br0
```

Performance Tuning Parameters

```bash
# Set bridge maximum aging time (affects MAC table entry lifetime)
# Value in centiseconds; default is 30000 (300 seconds)
ip link set br0 type bridge ageing_time 30000

# Set spanning tree priority (lower = more likely to become root bridge)
# Value 0-61440 in steps of 4096; default is 32768
ip link set br0 type bridge priority 32768

# Configure bridge forward delay for STP convergence
# Value is in centiseconds; default is 1500 (15 seconds)
ip link set br0 type bridge forward_delay 1500

# Set hello interval for BPDU transmission
# Value in centiseconds; default is 200 (2 seconds)
ip link set br0 type bridge hello_time 200
```

Integration with libvirt

When using libvirt for VM management, you can define networks that utilize your host bridge:

Libvirt Network XML Definition

```xml
<network>
  <name>host-bridge</name>
  <forward mode="bridge"/>
  <bridge name="br0"/>
</network>
```

Libvirt Domain Network Interface Configuration

```xml
<interface type='bridge'>
  <source bridge='br0'/>
  <model type='virtio'/>
  <driver name='vhost'/>
</interface>
```

Complete VM Domain Network Configuration

```xml
<domain type='kvm'>
  <name>vm-example</name>
  <devices>
    <interface type='bridge'>
      <source bridge='br0'/>
      <mac address='52:54:00:12:34:56'/>
      <model type='virtio'/>
      <driver name='vhost' queues='2'/>
    </interface>
  </devices>
</domain>
```

Configuration Parameters Explained:

  • model type='virtio': Uses the virtio network driver (preferred for KVM, better performance than e1000)
  • driver name='vhost': Enables vhost-net kernel module for improved performance
  • queues='2': Configures multiple vhost queues for multiqueue support (improves throughput on SMP systems)

Creating and Deploying VMs with Bridge Networking

```bash
# Define the libvirt network
virsh net-define /tmp/host-bridge.xml
virsh net-start host-bridge
virsh net-autostart host-bridge

# Verify network definition
virsh net-list --all
virsh net-info host-bridge

# Launch VM with bridge network
virt-install --name vm-bridge-test \
  --memory 2048 \
  --vcpus 2 \
  --network bridge=br0,model=virtio \
  --disk size=20 \
  --install ubuntu22
```

Troubleshooting Bridge Connectivity

Check Bridge Interface Status

```bash
# Display all bridges and their members
ip link show type bridge

# Show detailed statistics including dropped packets
ip -s link show br0

# Check if interfaces are in LOWER_UP state (interface indexes can have more than one digit)
ip link show | grep -E "^[0-9]+:|UP"

# Verify DHCP assignment
ip addr show br0
```

Diagnose ARP Issues

```bash
# Display ARP table to verify host and VM communication
ip neigh show

# Test ARP resolution to bridge
ping -c 1 <gateway-ip>

# Monitor ARP traffic on the bridge
sudo tcpdump -i br0 -n arp
```

Verify Packet Flow Through Bridge

```bash
# Capture frames on the bridge interface
sudo tcpdump -i br0 -n -c 20

# Check bridge forwarding database for specific MAC
brctl showmacs br0 | grep <mac-address>

# Monitor real-time bridge statistics
watch -n 1 'ip -s link show br0'
```

Common Issues and Solutions

Issue: VM cannot obtain DHCP lease

  • Cause: DHCP broadcast frames not being forwarded by bridge
  • Solution:

    ```bash
    # Verify the port's STP state (should be forwarding; shown on the bridge_slave line)
    ip -d link show enp114s0

    # Restart NetworkManager
    sudo systemctl restart NetworkManager
    ```

Issue: High latency on bridge communication

  • Cause: STP convergence delays or heavy ARP traffic
  • Solution:

    ```bash
    # Disable STP if not needed for redundancy
    sudo nmcli connection modify br0 bridge.stp no
    sudo nmcli connection up br0
    ```

Issue: MAC address table full (rare but possible on large deployments)

  • Cause: Too many unique source MAC addresses
  • Solution: Increase ageing time to reduce table growth

    ```bash
    ip link set br0 type bridge ageing_time 30000
    ```

Best Practices for Production Deployments

  1. Enable STP for Redundancy: If you have multiple physical uplinks, enable Spanning Tree to prevent loops

     ```bash
     sudo nmcli connection modify br0 bridge.stp yes
     ```

  2. Monitor Bridge Statistics: Regularly monitor packet loss and forwarding performance

     ```bash
     # Log bridge statistics for analysis
     ip -s link show br0 >> bridge-stats.log
     ```

  3. Document Bridge Configuration: Keep records of bridge settings and enslaved interfaces

     ```bash
     # Export current bridge configuration
     nmcli connection show br0 > bridge-config-backup.txt
     ```

  4. Use Virtio Network Model: For KVM VMs, always prefer virtio over emulated models for better performance

     ```xml
     <model type='virtio'/>
     ```

  5. Configure MTU Appropriately: Ensure consistent MTU across bridge and enslaved interfaces

     ```bash
     # Check current MTU
     ip link show | grep -i mtu

     # Set MTU for jumbo frames (if network supports)
     sudo nmcli connection modify br0 ethernet.mtu 9000
     ```