Skip to content

Week 16 - Bridges, VLANs, OVS

16.1 Conceptual Core

  • A Linux bridge is an in-kernel L2 switch. Used by virtually every container runtime and VM hypervisor.
  • VLAN (802.1Q) tagging segments a single L2 network into many.
  • Open vSwitch (OVS) is a programmable virtual switch: flow-table-based (OpenFlow-compatible), with hardware offload to smartNICs. Used by OpenStack Neutron, Kubernetes (older networking), and OVN.

16.2 Mechanical Detail

  • Linux bridge management with ip link: 
    ip link add br0 type bridge
ip link set veth0 master br0
ip link set br0 up
  • VLAN: ip link add link eth0 name eth0.10 type vlan id 10.
  • OVS: ovs-vsctl add-br br0; ovs-vsctl add-port br0 eth0; ovs-ofctl dump-flows br0. The flow table is the programmable part.
  • Bridge vs OVS decision matrix: simple L2 connectivity → bridge. Programmable flows, OpenFlow, hardware offload → OVS.

16.3 Lab-"Three Network Topologies"

  1. Two namespaces connected via a Linux bridge: classic container networking.
  2. Two namespaces on tagged VLANs sharing one bridge.
  3. The same topology in OVS, with explicit OpenFlow rules.

For each, verify connectivity with ping, capture with tcpdump, document the difference.

16.4 Hardening Drill

  • Bridge iptables integration: sysctl net.bridge.bridge-nf-call-iptables=1 (so bridged traffic traverses iptables). Understand whether you want this-for some setups (e.g., transparent bridges) you don't.

16.5 Performance Tuning Slice

  • Compare per-packet latency through a bridge vs OVS vs a direct veth pair under load.

Month 4 Capstone Deliverable

A linux-networking/ directory: 1. nft-firewall/ - a default-deny stateful firewall with documented allowlist. 2.ipvs-lb/ - IPVS-DR load balancer with two backends and a health-check sidecar. 3. xdp-scrubber/ - the DDoS scrubber + Prometheus exporter. 4.bridge-vs-ovs/ - three topologies + a comparison report.

A NETWORK_RUNBOOK.md documenting interface inventory, MTU, sysctl tunables, and the firewall ruleset.

Comments