[fedora-virt] VM with access to outside world, but not LAN?

Dor Laor dlaor at redhat.com
Thu Jan 5 08:23:32 UTC 2012


On 01/05/2012 01:51 AM, Gianluca Cecchi wrote:
> On Tue Jan 3 17:26:33 UTC 2012 Andrew Cathrow wrote:
>
>>>
>>> Not only that, I was actually able to make it work :-).
>>>
>>> http://home.comcast.net/~tomhorsley/wisdom/braindump/isolate.html
>>
>> on a side note, you don't seem to have delay set in the bridge definition, if you don't care about live migrations then it won't matter of course.
>>
>
> Probably useful to elaborate more...
> Information taken from linuxfoundation.org web site:
> "
> Forwarding delay time is the time spent in each of the Listening and
> Learning states before the Forwarding state is entered.
> This delay is so that when a new bridge comes onto a busy network it
> looks at some traffic before participating.
> ...
> One common mistake is that the default bridge forwarding delay setting
> is 30 seconds. This means that for the first 30 seconds after an
> interface joins a bridge, it won't send anything.
> This is because if the bridge is being used in a complex topology, it
> needs to discover other bridges and not create loops.
> This problem was one of the reasons for the creation of Rapid Spanning
> Tree Protocol (RSTP).
> "
> Is it correct to say that so if we don't explicitly set
> DELAY=0
> in our bridge configuration, it will default to 30 seconds and during
> live migration the vm on target hypervisor will lose 30 seconds when
> its virtual nic, if configured on a bridge, will join the bridge
> during its power on/paused state?
>
> On linuxfoundation.org page there is also this statement regarding
> dhcp client configuration on a bridge:
>
> "
> If the bridge is being used standalone (no other bridges near by).
> Then it is safe to turn the forwarding delay off (set it to zero),
> before adding interface to a bridge.
> "
>
> What is the meaning of the "safe" word above? Suppose a KVM
> hypervisor with several bridges configured, do we risk anything
> putting DELAY=0 to all of them then?

In case spanning tree enablement is not required (99.9% of software
bridge installations), it's completely safe to set the forwarding delay
to 0. That's what we recommend to RHEL customers, especially for live
migration (as you noted too).

>
> Thanks in advance,
> Gianluca
> _______________________________________________
> virt mailing list
> virt at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/virt
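
A runtime check for the setting discussed in this thread, added here as an example and not taken from either poster: it reads the kernel's per-bridge sysfs attributes `stp_state` and `forward_delay` (hundredths of a second) and flags bridges that have spanning tree off but a forwarding delay still configured. The function names, the root-directory parameter and the sample tree are constructed for this example.

```shell
#!/bin/sh
# Added example: audit Linux software bridges for a non-zero forwarding delay.
# The ROOT argument is an assumption of this example so the check can run
# against a constructed tree; on a real host it is /sys/class/net.

# audit_bridges [ROOT]
# Prints one line per bridge: "<name> stp=<state> delay_cs=<n> <verdict>".
# Returns 1 if any bridge has STP off and a non-zero forward_delay.
audit_bridges() {
    root=${1:-/sys/class/net}
    rc=0
    for dir in "$root"/*/bridge; do
        [ -d "$dir" ] || continue              # glob matched nothing
        name=$(basename "$(dirname "$dir")")
        stp=$(cat "$dir/stp_state")            # 0 = spanning tree off
        delay=$(cat "$dir/forward_delay")      # units of 1/100 second
        if [ "$stp" -ne 0 ]; then
            verdict="STP on: delay is in use"
        elif [ "$delay" -ne 0 ]; then
            verdict="REVIEW: STP off, delay still set"
            rc=1
        else
            verdict="ok"
        fi
        echo "$name stp=$stp delay_cs=$delay $verdict"
    done
    return $rc
}

# make_sample_tree DIR: constructed sysfs-like tree (three bridges, one NIC).
make_sample_tree() {
    mkdir -p "$1/br0/bridge" "$1/br1/bridge" "$1/br2/bridge" "$1/eth0"
    echo 0 > "$1/br0/bridge/stp_state"; echo 1500 > "$1/br0/bridge/forward_delay"
    echo 0 > "$1/br1/bridge/stp_state"; echo 0    > "$1/br1/bridge/forward_delay"
    echo 1 > "$1/br2/bridge/stp_state"; echo 1500 > "$1/br2/bridge/forward_delay"
}

# Demo on the constructed tree; call audit_bridges with no argument on a host.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
audit_bridges "$demo_dir" || true
rm -rf "$demo_dir"
```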


