Implementing Port Isolation on Linux Bridges: VLAN and Ebtables Solutions for VM Security


Port isolation is a common network security feature in managed switches that prevents direct communication between devices while allowing uplink access. When working with Linux bridges for virtualization environments, we often need similar functionality to isolate VMs while permitting internet access through the host.

Standard Linux bridging doesn't natively support port isolation the way commercial switches do. The bridge operates as a single broadcast domain in which every port can talk to every other port. Similar behaviour can, however, be built with the methods below:

One effective approach uses VLAN filtering available in modern Linux kernels (3.9+):


# Create bridge (brctl needs bridge-utils; "ip link add name br0 type bridge" is the iproute2 equivalent)
sudo brctl addbr br0
sudo ip link set br0 up

# Attach the uplink and the VM tap interfaces to the bridge
sudo ip link set eth0 master br0
sudo ip link set tap1 master br0
sudo ip link set tap2 master br0

# Enable VLAN filtering (a bridge-level flag, set with ip link rather than the bridge command)
sudo ip link set dev br0 type bridge vlan_filtering 1

# Add ports with different VLANs: tap1 shares VLAN 100 with the uplink, tap2 is alone on 200
sudo bridge vlan add dev eth0 vid 100 pvid untagged
sudo bridge vlan add dev tap1 vid 100 pvid untagged
sudo bridge vlan add dev tap2 vid 200 pvid untagged
# tap2 cannot reach tap1, but it also has no uplink until eth0 carries VLAN 200 as well
# ("sudo bridge vlan add dev eth0 vid 200", tagged) and the upstream switch trunks it

# Remove the default VLAN 1 membership every port keeps, or tagged VID-1 frames still cross between VMs
sudo bridge vlan del dev tap1 vid 1
sudo bridge vlan del dev tap2 vid 1

For older kernels or simpler setups, ebtables can enforce isolation rules:


# Block communication between VM interfaces
sudo ebtables -A FORWARD -i tap1 -o tap2 -j DROP
sudo ebtables -A FORWARD -i tap2 -o tap1 -j DROP

# Allow communication with the uplink port (both VM ports need these rules)
sudo ebtables -A FORWARD -i tap1 -o eth0 -j ACCEPT
sudo ebtables -A FORWARD -i eth0 -o tap1 -j ACCEPT
sudo ebtables -A FORWARD -i tap2 -o eth0 -j ACCEPT
sudo ebtables -A FORWARD -i eth0 -o tap2 -j ACCEPT
# The FORWARD chain's default policy is ACCEPT, so every VM pair needs its own DROP rules;
# with more than a few VMs, set the policy to DROP and accept only uplink traffic instead

For production environments, consider combining both approaches:


# 1. Set up VLANs as shown above
# 2. Add ebtables rules for additional protection: default-deny, then allow only the uplink
sudo ebtables -P FORWARD DROP
# Do not add a blanket "-p ARP -j ACCEPT" here: it would let isolated VMs see each other's
# ARP traffic. The two uplink rules below already pass ARP to and from eth0.
sudo ebtables -A FORWARD -i eth0 -j ACCEPT
sudo ebtables -A FORWARD -o eth0 -j ACCEPT

Verify your configuration with these commands:


# Check VLAN assignments (each VM port should share a VLAN only with the uplink)
bridge vlan show

# List the active ebtables rules with their packet counters
sudo ebtables -L --Lc

# Test connectivity between VMs (addresses are examples for this lab)
ping -c 4 192.168.1.10  # Should fail between isolated ports
ping -c 4 8.8.8.8       # Should succeed for internet access
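The VLAN check above can be automated. The script below is an added example, not code from the original article: it parses the text output of `bridge vlan show` (here a constructed sample; eth0 as the uplink and tap1..tap3 as VM ports are assumed names) and reports VM ports that share a VLAN with each other, plus VM ports that share no VLAN with the uplink. The sample deliberately leaves the default VLAN 1 membership on two tap ports, which is the mistake most easily made when VLAN filtering is switched on.

```shell
#!/bin/sh
# Added example (not from the original article): audit `bridge vlan show` text
# and report which ports can reach each other. On a VLAN-filtering bridge two
# ports exchange frames only if they share a VLAN id, so a shared id between
# two VM ports means isolation is broken, and a VM port that shares no id with
# the uplink has no way out.
# Assumes iproute2's text format: a header line, one line per port with its
# first VLAN after the port name, and indented continuation lines for more VLANs.

# Constructed sample: eth0 = uplink; tap1 and tap2 still carry the default
# VLAN 1 (never deleted), tap3 sits on a VLAN the uplink does not carry.
SAMPLE_VLAN_SHOW='port              vlan-id
eth0              1 Egress Untagged
                  100 PVID Egress Untagged
                  200
tap1              1 Egress Untagged
                  100 PVID Egress Untagged
tap2              1 Egress Untagged
                  200 PVID Egress Untagged
tap3              300 PVID Egress Untagged'

# vlan_table: stdin = `bridge vlan show` text, stdout = one "port vid" line per
# membership. VLAN ranges such as "100-110" are skipped; expand them first.
vlan_table() {
    awk '
        NR == 1 || NF == 0 { next }           # header and blank separators
        /^[^ \t]/ { port = $1; vid = $2 }      # new port: name, then first vid
        /^[ \t]/  { vid = $1 }                 # continuation line: extra vid
        vid ~ /^[0-9]+$/ { print port, vid }
    '
}

# vlan_peers: stdin = vlan_table output, stdout = "portA portB vid" for every
# pair of ports sharing a VLAN (sorted; one line per shared vid).
vlan_peers() {
    awk '
        {
            if ($2 in members) {
                n = split(members[$2], prev, " ")
                for (i = 1; i <= n; i++) print prev[i], $1, $2
                members[$2] = members[$2] " " $1
            } else {
                members[$2] = $1
            }
        }
    ' | LC_ALL=C sort
}

# vm_peers UPLINK: pairs that can talk without passing the uplink, i.e. the
# isolation violations.
vm_peers() {
    vlan_peers | awk -v up="$1" '$1 != up && $2 != up'
}

# no_uplink UPLINK: stdin = vlan_table output; prints ports that share no VLAN
# with the uplink (isolated, but also cut off from the outside).
no_uplink() {
    awk -v up="$1" '
        {
            ports[$1] = 1
            if ($1 == up) upvid[$2] = 1
            else pv[$1] = pv[$1] " " $2
        }
        END {
            for (p in ports) {
                if (p == up) continue
                ok = 0
                n = split(pv[p], v, " ")
                for (i = 1; i <= n; i++) if (v[i] in upvid) ok = 1
                if (!ok) print p
            }
        }
    ' | LC_ALL=C sort
}

# Stand-alone run over the constructed sample. On a real host replace the
# printf with:  bridge vlan show | vlan_table | vm_peers eth0
echo "== VM ports that can reach each other (should be empty) =="
printf '%s\n' "$SAMPLE_VLAN_SHOW" | vlan_table | vm_peers eth0
echo "== VM ports with no path to the uplink =="
printf '%s\n' "$SAMPLE_VLAN_SHOW" | vlan_table | no_uplink eth0
```

On the sample the first report lists `tap1 tap2 1`, which is exactly the leftover VLAN 1 membership that `bridge vlan del dev tapN vid 1` removes, and the second lists `tap3`. Run it after every change to the VLAN table; an empty first report is the condition the ping test in the article should then confirm.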

VLAN filtering is typically faster: VLAN membership is a per-port table lookup in the bridge's forwarding path, whereas ebtables evaluates its rule chain for every forwarded frame, and that cost grows with the number of rules. For high-throughput environments, VLANs are preferred.

For advanced scenarios, consider Virtual Ethernet Port Aggregator (VEPA) mode which requires an external 802.1Qbg-compliant switch:


# Enable VEPA mode: every frame is hairpinned out to the external switch, which enforces isolation
# hwmode only takes effect on NICs with an embedded switch (e.g. SR-IOV physical functions);
# a plain tap device has no such switch, so the command is shown here for the NIC-backed case
bridge link set dev tap1 hwmode vepa
bridge link set dev tap2 hwmode vepa

Traditional network switches implement port isolation through various vendor-specific mechanisms:

  • Cisco: Promiscuous/Isolated port modes
  • HP: Uplink/Private VLAN configurations
  • Juniper: Private VLAN (PVLAN) implementations

While Linux bridges don't natively support private VLAN-style isolation, similar functionality can be achieved through:


# Basic bridge creation
sudo brctl addbr vmbr0
sudo ip link set vmbr0 up

The most robust method uses ebtables to filter layer-2 traffic:


# Install ebtables if not present
sudo apt install ebtables

# Block inter-VM communication while allowing uplink traffic
# (vnet0/vnet1 are libvirt's tap names; replace uplink_port with the real uplink, e.g. eth0)
sudo ebtables -A FORWARD -i vnet0 -o vnet1 -j DROP
sudo ebtables -A FORWARD -i vnet1 -o vnet0 -j DROP

# Allow traffic to/from the bridge uplink port
sudo ebtables -A FORWARD -i uplink_port -j ACCEPT
sudo ebtables -A FORWARD -o uplink_port -j ACCEPT
# With the default ACCEPT policy every further VM pair needs its own DROP rules;
# "sudo ebtables -P FORWARD DROP" turns the two uplink rules into a whitelist instead

For environments supporting VLANs, we can create isolated segments:


# Create VLAN subinterfaces on the uplink NIC (eth0 assumed as the uplink)
sudo ip link add link eth0 name eth0.100 type vlan id 100
sudo ip link add link eth0 name eth0.200 type vlan id 200

# One bridge per VLAN: a VM attached to vmbr100 can only see VLAN 100
sudo brctl addbr vmbr100 && sudo brctl addif vmbr100 eth0.100
sudo brctl addbr vmbr200 && sudo brctl addif vmbr200 eth0.200
sudo ip link set eth0.100 up && sudo ip link set vmbr100 up
sudo ip link set eth0.200 up && sudo ip link set vmbr200 up

# Assign VMs to different VLANs (--type bridge needs a bridge device, not a VLAN subinterface)
virsh attach-interface --domain vm1 --type bridge --source vmbr100
virsh attach-interface --domain vm2 --type bridge --source vmbr200

nftables' bridge family (which replaces ebtables on current distributions) expresses the same isolation rules and can be combined with VLAN filtering for defence in depth:


# nftables bridge family: the same isolation as the ebtables rules above (run as root)
nft add table bridge filter
nft 'add chain bridge filter forward { type filter hook forward priority 0; }'
# Quote each rule as a whole so the shell neither expands "vnet*" nor strips the quotes nft needs
nft 'add rule bridge filter forward iifname "vnet*" oifname "vnet*" counter drop'
nft 'add rule bridge filter forward iifname "uplink_port" accept'   # uplink_port is a placeholder
nft 'add rule bridge filter forward oifname "uplink_port" accept'
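The same ruleset as a file for `nft -f`, with a default-drop policy so that a newly created VM port is isolated without any extra rule, and written so the table can be reloaded atomically. This is an added example, not from the original article; the uplink name eth0 and the libvirt tap glob vnet* that the function is called with are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): generate an nftables ruleset
# file that isolates every VM port matching a glob from every other VM port and
# permits only VM <-> uplink traffic. Uplink "eth0" and glob "vnet*" are assumed.

# nft_isolation_ruleset UPLINK VM_GLOB: print the ruleset on stdout.
# The "table ... / flush table ..." preamble makes `nft -f` idempotent: re-applying
# the file replaces the previous rules in one transaction instead of appending.
nft_isolation_ruleset() {
    uplink=$1        # e.g. eth0
    vm_glob=$2       # e.g. 'vnet*' (libvirt's tap naming)
    cat <<EOF
table bridge vm_isolation
flush table bridge vm_isolation
table bridge vm_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # VM to VM: never, whatever the protocol (this also covers ARP and IPv6 ND)
        iifname "$vm_glob" oifname "$vm_glob" counter drop

        # VM to uplink and back: the only permitted paths
        iifname "$vm_glob" oifname "$uplink" accept
        iifname "$uplink" oifname "$vm_glob" accept
    }
}
EOF
}

# Stand-alone run: print the ruleset for an eth0 uplink and libvirt taps.
nft_isolation_ruleset eth0 'vnet*'
```

Apply it with `nft_isolation_ruleset eth0 'vnet*' > vm-isolation.nft && sudo nft -f vm-isolation.nft` (file name chosen here, not the project's). The forward hook of the bridge family sees only frames bridged between ports, so the drop policy does not touch traffic addressed to the host's own IP on the bridge, which goes through the input and output hooks; management access to the hypervisor is unaffected. `sudo nft list table bridge vm_isolation` shows the rules together with the counter on the VM-to-VM drop, which should stay at zero in a healthy setup.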

When implementing isolation:

  • Ebtables has lower overhead than VLAN separation
  • Nftables provides better performance than legacy iptables
  • VLAN tagging adds ~4 bytes per frame