From Notes Wiki

CentOS 7.x Managing virtual networks using libvirt virsh command

The following types of networks for guests (VMs or containers) are possible:

Isolated guests
In this case guests can at most talk to other guests in the same isolated network. A guest cannot communicate even with the base host on which it is running. This is useful when running untrusted programs as part of an online judge, or when analyzing viruses.
Guests connected to host, but isolated from LAN
In this case guests can talk to other guests in non-isolated networks. Guests can also communicate with the host on which they are running over TCP/IP for remote access, ping, file transfer, etc. However, guests cannot connect to any other machine apart from the host on which they are running.
Guests connected to LAN/Internet using NAT
In this case guests can communicate with other non-isolated guests. They can also communicate with the host on which they are running. They can also potentially communicate with other machines on the LAN/Internet using NAT services from the host. Thus, all communication external to the host appears to come from the host, and the identity of the guest is not revealed from a source IP perspective. However, other external machines cannot initiate communication to guests without corresponding port forwarding (or another type of forwarding) from the base host. Thus, if such a guest runs a web service on TCP port 80, other non-host machines cannot reach the guest to access the site.
Guests with LAN IP similar to host
In this case guests are full network citizens and have their own IP address (often in the same network as the host). They can also have their own independent route and gateway. If a service (e.g. a web service on TCP port 80) is hosted on such a guest, then other members of the LAN can communicate with that service directly, without requiring port forwarding or other forwarding from the base host.

For the first three cases we can use libvirt and the virsh command to create the required network as shown below.

Creating isolated guest network

To create an isolated guest network using virsh, put the following configuration in the file 'not_even_host.xml':

<network>
  <name>not_even_host</name>
  <bridge name="virbr3" />
</network>

Then define and start the network using:

virsh net-define not_even_host.xml
virsh net-start not_even_host


Creating host-only guest network

To create a network where guests can communicate only with the host on which they are running, create 'host-only.xml' with:

<network>
  <name>host-only</name>
  <bridge name="virbr1" />
  <ip address="192.168.123.1" netmask="255.255.255.0">
    <dhcp>
      <range start="192.168.123.2" end="192.168.123.254" />
    </dhcp>
  </ip>
</network>

Then define and start the network using:

virsh net-define host-only.xml
virsh net-start host-only


Creating NAT network for guests

To create a NAT network for guests, where outgoing connections from guests to the LAN/Internet work via NAT (source NAT, i.e. masquerading on the host using the host IP), use:

<network>
  <name>natted</name>
  <bridge name="virbr2" />
  <forward/>
  <ip address="192.168.124.1" netmask="255.255.255.0">
    <dhcp>
      <range start="192.168.124.2" end="192.168.124.254" />
    </dhcp>
  </ip>
</network>

Then define and start the network from this configuration with virsh net-define and virsh net-start, as in the previous sections.
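The three definitions above differ only in whether `<ip>` (host address plus DHCP) and `<forward>` are present. The following Python is an added example, not part of the original wiki page: it builds each kind of definition from a CIDR (host takes the first address, DHCP covers the rest, matching the ranges used above) and classifies an existing definition, such as the output of `virsh net-dumpxml`, by the connectivity it grants guests, so an administrator can audit what a network actually allows. The function names and the CIDR parameter are my own.

```python
"""Generate and audit libvirt <network> XML for isolated, host-only and NAT
guest networks.  Added example; helper names are not libvirt's own."""
import ipaddress
import xml.etree.ElementTree as ET


def build_network_xml(name, bridge, mode, cidr=None):
    """Return libvirt network XML for mode in {'isolated', 'host-only', 'nat'}.

    'isolated' has no <ip> at all (guests cannot reach the host);
    'host-only' adds <ip>/<dhcp> so the host owns the first address;
    'nat' additionally adds <forward/> (libvirt's default forward mode is nat).
    cidr is e.g. '192.168.123.0/24': host gets .1, DHCP hands out .2 to .254.
    """
    net = ET.Element("network")
    ET.SubElement(net, "name").text = name
    ET.SubElement(net, "bridge", name=bridge)
    if mode == "nat":
        ET.SubElement(net, "forward")
    if mode in ("host-only", "nat"):
        subnet = ipaddress.ip_network(cidr)
        hosts = list(subnet.hosts())           # usable addresses, .1 .. .254
        ip = ET.SubElement(net, "ip", address=str(hosts[0]),
                           netmask=str(subnet.netmask))
        dhcp = ET.SubElement(ip, "dhcp")
        ET.SubElement(dhcp, "range", start=str(hosts[1]), end=str(hosts[-1]))
    elif mode != "isolated":
        raise ValueError("unknown network mode: %r" % mode)
    return ET.tostring(net, encoding="unicode")


def classify_network(xml_text):
    """Classify a <network> definition by the connectivity it grants guests.

    No <forward> and no <ip>  -> 'isolated'  (not even the host is reachable)
    No <forward> but an <ip>  -> 'host-only' (host reachable, LAN is not)
    <forward/> or mode="nat"  -> 'nat'       (LAN/Internet via host masquerade)
    Any other mode (route, bridge, ...) is returned verbatim for inspection.
    """
    root = ET.fromstring(xml_text)
    forward = root.find("forward")
    has_ip = root.find("ip") is not None
    if forward is None:
        return "host-only" if has_ip else "isolated"
    return forward.get("mode", "nat")  # <forward/> without mode means nat


if __name__ == "__main__":
    xml = build_network_xml("natted", "virbr2", "nat", "192.168.124.0/24")
    print(xml)
    print(classify_network(xml))
```

Pipe `virsh net-dumpxml <name>` into `classify_network` to check that a network you believed to be isolated really lacks `<ip>` and `<forward>`.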


Fully connected guests with LAN IP

For fully connected guests with a LAN IP we should create a network bridge. For creating a network bridge refer to Creating bridge interfaces (br0) for virtual hosts to use shared interface.
