Ubuntu KVM 4: Second Network Interface

Often you need to expose a second network interface in your virtual machines.  Sometimes you have a second physical interface on the actual host, this is usually part of a private back end network (with a private IP space).  Other times, you are using virtualization on a single host for isolating individual components, here you can make a second (virtual) bridge with no physical backing network.

Note* For these articles I'm going to assume a clean Ubuntu 14.04 Trusty server install with minimal extras (nano, htop, openssh-server etc.) and/or the outcome of previous articles.

Second Bridge on KVM Host

Physical Interface / Bridge

If you have two network cards, you need to setup a second bridge in /etc/network/interfaces binding the second network port to the new bridge.  Note, take extra care to define all physical network ports before any bridges.

/etc/network/interfaces Before:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto em1
iface em1 inet manual

auto br0
iface br0 inet static
  address 10.1.1.11
  network 10.1.1.0
  netmask 255.255.255.0
  broadcast 10.1.1.255
  gateway 10.1.1.1
  dns-nameservers 10.1.1.1
  bridge_ports em1
  bridge_stp off
  bridge_fd 0
  bridge_maxwait 0

... after:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto em1
iface em1 inet manual

# The second network interface
auto em2
iface em2 inet manual

auto br0
iface br0 inet static
  address 10.1.1.11
  network 10.1.1.0
  netmask 255.255.255.0
  broadcast 10.1.1.255
  gateway 10.1.1.1
  dns-nameservers 10.1.1.1
  bridge_ports em1
  brige_stp off
  bridge_fd 0
  bridge_maxwait 0


auto br1
iface br1 inet static
  address 10.1.11.1
  network 10.1.11.0
  netmask 255.255.255.0
  broadcast 10.1.11.255
  bridge_ports em2
  bridge_stp off
  bridge_fd 0
  bridge_maxwait 0

You will note that the 'network' details are distinctly different. After rebooting, or reloading the network system, you will have a second bridge for assigning to your KVM guest hosts.

Second Virtual Bridge

If you do not have a second physical interface, you can still make a private virtual network for your guest OS's. For this I will be using virsh's built in networking. Note that this will only work for you if you still have KVM's "default" network, or if you create another one using virsh net-create .

virsh net-edit default before:

<network>
  <name>default</name>
  <uuid>7f62750f-ff4b-4fc0-8397-278d41ea0127</uuid>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>

... after:

<network>
  <name>default</name>
  <uuid>7f62750f-ff4b-4fc0-8397-278d41ea0127</uuid>
  <bridge name='virbr0' stp='off' delay='0'/>
  <ip address='10.1.11.1' netmask='255.255.255.0'>
  </ip>
</network>

Obviously this is just an example, and your network details will be different. I don't find it necessary to run DHCP on my private network (I'm going to be setting up the guest interface by hand anyway). Likewise, I do not need this interface to have outside connectivity (the <forward /> node), as all of my guests will also have a 'public' side interface.

Second Guest Interface

Edit your guest configuration to add a <interface /> child node to the main <devices /> node. Specifically, you should basically duplicate your main network interface editing the 'source', 'mac', and 'slot' variables. Here is an example (note the source bridge will be either br1 or virbr0 depending on your previous use case):

    <interface type='bridge'>
      <mac address='52:54:00:03:fc:ff'/>
      <source bridge='virbr0'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </interface>

Your 'slot' needs to be unique in the context of your guest's configuration file. The MAC address needs to be unique within the network's scope. You will need to reboot the guest OS and setup the second interface. (Note that in either case this will appear to the guest as a 'physical' device.)

Having a second private network in both simulation and practice is very useful. If you have a service like MySQL you can bind it to the second network and only accept connections coming from 'your' private network. Likewise, you can unburden your 'public' interfaces from traffic that might compete with your 'public' services. Generally, the private network side will be cheaper, faster, and more secure.