Docker Network - Part 2

Linu Bajy
4 min read · Feb 17, 2023


Hello all,

Here we continue from my previous article on Docker Networks.

4a. MACVLAN (bridge mode)

What?

It enables containers to connect to the physical interface of the Docker host, so the Ethernet interface of each container is attached to the host's physical network.

Why?

Some Docker applications require a direct connection to the physical network.

Suppose you deploy a container that monitors network statistics that have to be taken from the host's own network.

How?

sudo docker network create -d macvlan \
  --subnet X.X.X.X/X --gateway X.X.X.X \
  -o parent=enp0s3 \
  --ip-range X.X.X.X/X \
  <name of network>
# -d selects the network driver; the parent interface name (enp0s3 here) must match the host's Ethernet interface

Here,

  • subnet — the subnet of your LAN (format example: X.X.X.0/24)
  • gateway — the default gateway of the Docker host's LAN (format example: X.X.X.1)
  • ip-range — lets Docker assign container IPs only from within that range
  • parent — the Ethernet interface of the Docker host. Its name usually starts with eth or enp

Attach a container to the network with:

docker run --network my-macvlan-net --name <container name> <image name>
# --network takes the name given at creation, --name takes the container name, and the image comes last

All of the containers are connected to the same switch port as the Docker host, i.e. different MAC addresses appear on the same port.

Note:

  1. The MACVLAN networking driver only works on Linux hosts, and is not supported on Docker Desktop for Mac, Docker Desktop for Windows, or Docker EE for Windows Server.
  2. If you need to exclude IP addresses from being used in the macvlan network, such as when a given IP address is already in use, use the --aux-address argument (one per excluded address).

4b. MACVLAN (802.1q trunk bridge mode)

What?

It creates a new sub-interface from the existing parent interface of the host.

Why?

The IEEE's 802.1Q standard was developed to address the problem of how to break large networks into smaller parts, so that broadcast and multicast traffic would not grab more bandwidth than necessary.

The same concept is used in Docker networking, so that traffic can be segmented at a much finer level.

How?

sudo docker network create -d macvlan --subnet X.X.X.X/X \
  --gateway X.X.X.X \
  -o parent=enp0s3.20 \
  <name of network>
# -d selects the driver; enp0s3.20 is an 802.1q sub-interface of enp0s3 tagged with VLAN ID 20, which Docker creates if it does not exist
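A small helper, added here as an example and not code from the original article, that assembles the macvlan create command from sections 4a and 4b and checks that the pieces agree before anything is put on the LAN: the gateway, the --ip-range and every --aux-address must lie inside --subnet, the range must not hand out the gateway, and a VLAN id turns the parent into its 802.1q sub-interface. The network names, interface and all addresses below are constructed sample values, and the helper only builds the command line; running it (with sudo) is left to the reader.

```python
"""Build a `docker network create -d macvlan` command and sanity-check it.

Added example, not code from the original article. A macvlan container sits
directly on the host's LAN, so an ip-range outside the subnet, or one that
swallows the gateway or an address already in use, hands colliding IPs to
containers. These checks catch that before the command runs.
All names and addresses used below are constructed sample values.
"""
import ipaddress
import shlex
from typing import Dict, List, Optional


def build_macvlan_create(
    name: str,
    subnet: str,
    gateway: str,
    parent: str,
    ip_range: Optional[str] = None,
    aux_addresses: Optional[Dict[str, str]] = None,
    vlan_id: Optional[int] = None,
) -> List[str]:
    """Return the argv for `docker network create`, validating the inputs.

    vlan_id, when given, turns `parent` into an 802.1q sub-interface
    (enp0s3 -> enp0s3.20), which Docker creates on demand (section 4b).
    """
    net = ipaddress.ip_network(subnet, strict=True)  # rejects host bits set
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside subnet {net}")

    argv = ["docker", "network", "create", "-d", "macvlan",
            "--subnet", str(net), "--gateway", str(gw)]

    if ip_range is not None:
        rng = ipaddress.ip_network(ip_range, strict=True)
        if not rng.subnet_of(net):
            raise ValueError(f"ip-range {rng} is not inside subnet {net}")
        if gw in rng:
            raise ValueError(f"ip-range {rng} would hand out the gateway {gw}")
        argv += ["--ip-range", str(rng)]

    # Docker's flag is --aux-address (one per excluded address), e.g. for a
    # printer that already owns an IP inside the range.
    for label, addr in (aux_addresses or {}).items():
        excl = ipaddress.ip_address(addr)
        if excl not in net:
            raise ValueError(f"aux-address {label}={excl} is not inside {net}")
        argv += ["--aux-address", f"{label}={excl}"]

    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("802.1q VLAN id must be between 1 and 4094")
        parent = f"{parent}.{vlan_id}"
    argv += ["-o", f"parent={parent}", name]
    return argv


def build_run_attach(network: str, container: str, image: str) -> List[str]:
    """argv for `docker run` that attaches a container to the network.
    Note the order: --name takes the container name, the image comes last."""
    return ["docker", "run", "-d", "--network", network,
            "--name", container, image]


if __name__ == "__main__":
    # Constructed sample LAN: 192.168.50.0/24, router at .1, containers get
    # .128-.255, except a printer already using .200.
    create = build_macvlan_create(
        "my-macvlan-net", "192.168.50.0/24", "192.168.50.1", "enp0s3",
        ip_range="192.168.50.128/25",
        aux_addresses={"printer": "192.168.50.200"},
    )
    print("sudo " + shlex.join(create))
    # A second LAN reached through 802.1q VLAN 20 on the trunk port (4b).
    print("sudo " + shlex.join(build_macvlan_create(
        "vlan20-net", "10.20.0.0/24", "10.20.0.1", "enp0s3", vlan_id=20)))
    print(shlex.join(build_run_attach("my-macvlan-net", "netmon", "alpine")))
```

The checks are deliberately strict: `strict=True` refuses a subnet written with host bits set, and a range that contains the gateway is rejected because Docker would otherwise be free to assign the router's address to a container.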

How IPVLAN comes into the picture

The basic difference between MACVLAN and IPVLAN is that MACVLAN assigns a different MAC address to each attached Docker container, whereas IPVLAN assigns the same MAC address to all containers attached to it.

[Image: MACVLAN network. Credit: https://ipwithease.com/macvlan-vs-ipvlan-understand-the-difference/]
[Image: IPVLAN network. Credit: https://ipwithease.com/macvlan-vs-ipvlan-understand-the-difference/]

5a. IPvlan L2

What?

The containers have the same MAC address as the host but different IP addresses. So a single host MAC address can carry, say, 20 different IPs, one for each container.

Why?

It avoids the promiscuous-mode issue: some switches do not allow multiple MAC addresses on a single port, which is a major drawback of MACVLAN networks.

How?

sudo docker network create -d ipvlan --subnet X.X.X.X/X \
  --gateway X.X.X.X \
  -o parent=enp0s3 \
  <name of network>
# ipvlan_mode defaults to l2, so it does not need to be given here

5b. IPvlan L3

What?

Here the host acts as a router. As its name suggests, it uses Layer 3 of the network for this purpose.

Why?

The containers are not reachable from the external network or the Internet by default. Hence, to reach these containers from the external network/Internet, we need to add a route in the home network pointing to the network interface of the host; the host then acts as the router and forwards the request to the container's IP (easier said than done :) ).

How?

sudo docker network create -d ipvlan --subnet X.X.X.X/X \
  --gateway X.X.X.X \
  -o parent=enp0s3 -o ipvlan_mode=l3 \
  <name of network>

Note:

We need to specify ipvlan_mode=l3. By default an IPVLAN network uses l2.

We can add a second --subnet option to create a different subnet on the same physical interface.

Advantage:

It takes the best of both worlds: not only does it provide network isolation, the containers can also reach each other even though they are in different subnets of the same network.

We can control who can reach the containers: the host network has to be added to the route tables of those trying to reach the container.
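The following helper is an added example, not code from the original article, covering the ipvlan commands of sections 5a and 5b. It builds the create command for either mode, refuses overlapping container subnets, and for l3 mode also refuses a container subnet that overlaps the host's own LAN (the host could not route it unambiguously) and prints the static routes a device on the home network needs, with the Docker host's LAN address as the next hop, as the text above describes. Interface names, subnets and the host address are constructed sample values; treating --gateway as optional in l3 mode is an assumption made here, so the builder still accepts one to match the article's command.

```python
"""Build `docker network create -d ipvlan` commands for l2 and l3 mode and
list the routes the rest of the LAN needs for l3 containers.

Added example, not code from the original article. All addresses and
interface names are constructed sample values.
"""
import ipaddress
import shlex
from typing import List, Optional, Sequence


def build_ipvlan_create(
    name: str,
    parent: str,
    subnets: Sequence[str],
    mode: str = "l2",
    gateway: Optional[str] = None,
    host_lan: Optional[str] = None,
) -> List[str]:
    """Return the argv for `docker network create -d ipvlan`.

    host_lan is the Docker host's own address in CIDR form
    (e.g. 192.168.1.10/24); in l3 mode the container subnets must not
    overlap it, because the host is the router between the two.
    """
    if mode not in ("l2", "l3"):
        raise ValueError("ipvlan_mode must be l2 or l3")
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    if not nets:
        raise ValueError("at least one --subnet is required")

    # Container subnets on one network must not overlap one another.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"subnets {a} and {b} overlap")

    argv = ["docker", "network", "create", "-d", "ipvlan"]
    for n in nets:
        argv += ["--subnet", str(n)]

    if mode == "l2":
        # l2: containers share the host's L2 segment, so the gateway is the
        # LAN router and must sit inside the (single) subnet.
        if gateway is None or len(nets) != 1:
            raise ValueError("l2 mode expects exactly one subnet and a gateway")
        gw = ipaddress.ip_address(gateway)
        if gw not in nets[0]:
            raise ValueError(f"gateway {gw} is not inside {nets[0]}")
        argv += ["--gateway", str(gw)]
    else:
        # l3: the host routes for the containers, so their subnets must be
        # distinct from the LAN the host itself lives on.
        if host_lan is not None:
            lan = ipaddress.ip_interface(host_lan).network
            for n in nets:
                if n.overlaps(lan):
                    raise ValueError(f"container subnet {n} overlaps host LAN {lan}")
        if gateway is not None:  # assumption: optional in l3, kept for parity
            gw = ipaddress.ip_address(gateway)
            if gw not in nets[0]:
                raise ValueError(f"gateway {gw} is not inside {nets[0]}")
            argv += ["--gateway", str(gw)]

    argv += ["-o", f"parent={parent}", "-o", f"ipvlan_mode={mode}", name]
    return argv


def external_routes(subnets: Sequence[str], host_lan: str) -> List[str]:
    """Commands a device (or the home router) on the LAN needs so that it
    can reach l3 container subnets: next hop is the Docker host's LAN IP."""
    hop = ipaddress.ip_interface(host_lan).ip
    return [f"ip route add {ipaddress.ip_network(s)} via {hop}"
            for s in subnets]


if __name__ == "__main__":
    # 5a: l2 network on the host's own LAN (constructed 192.168.1.0/24).
    print("sudo " + shlex.join(build_ipvlan_create(
        "ipvlan-l2", "enp0s3", ["192.168.1.0/24"], gateway="192.168.1.1")))
    # 5b: l3 network with two private container subnets behind host .10.
    subs = ["10.10.0.0/24", "10.10.1.0/24"]
    print("sudo " + shlex.join(build_ipvlan_create(
        "ipvlan-l3", "enp0s3", subs, mode="l3", host_lan="192.168.1.10/24")))
    for route in external_routes(subs, "192.168.1.10/24"):
        print("# on each LAN device or the home router: sudo " + route)
```

The route lines are what the text means by "providing a route table in the home network": they are run on the other LAN devices (or once on the home router), not on the Docker host, and only the subnets listed there become reachable, which is the access control the article describes.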

MACVLAN vs IPVLAN

IPVLAN should be used where switches restrict the maximum number of MAC addresses per physical port through port security configuration.

MACVLAN needs to be used where a common DHCP server is in use, since the DHCP server needs a unique MAC address per client, which IPVLAN does not provide.

This is as uncomplicated an overview of Docker networks as I could put out there. I'll make sure to update this article as I get more experience with it :) But, on a good note, we now know the basics of all the network types in Docker and why one came after the other. This was by far one of the more interesting things about Docker.

I will be concluding the Docker series with this; I hope you all benefited and learnt from it!

Next, I will move on to other DevOps tools. Until then, too-da-loo!

References:

  1. https://sreeninet.wordpress.com/2016/05/29/macvlan-and-ipvlan/
  2. https://www.youtube.com/watch?v=bKFMS5C4CG0
  3. Docker official documentation
  4. https://ipwithease.com/macvlan-vs-ipvlan-understand-the-difference/ (for the images)
