
Lab 2: KVM Virtual Network

Requirements
QEMU/KVM
server1 KVM Guest Domain/VM created in Lab 1

A. Virtual Switch
libvirt implements virtual networking using a virtual network switch, which is logically equivalent to a virtual
network. A virtual network switch is a software component that runs on the virtualization host; guest virtual
machines "plug in" to it and direct their traffic through it. The traffic between guests attached to a specific virtual
switch stays within the confines of the associated virtual network. From a guest operating system's point of view, a
virtual network connection is the same as a normal physical network connection [1].

The virtual network switch can operate in several modes:

NAT mode (default) - Allows guest OSes outbound connectivity via NAT apart from LAN connectivity.
Routed mode - Routes traffic from the virtual network to the LAN without applying any NAT.
Bridged mode - Operates on Layer 2 of the OSI model. When used, all of the guest virtual machines will appear
on the same subnet as the host physical machine.
Isolated mode - Allows virtual machines to communicate with each other only. They are unable to interact
with the physical network.

These virtual networks can be created by defining a network configuration in an XML file and then adding it to
libvirt. Management of these networks is then handled by libvirt clients such as virsh. In this lab, you'll see how this
is done with the default NAT-based virtual network and a custom routed virtual network. For more examples (e.g.,
creating an isolated network, or using an existing host bridge) see [2].

B. Default NAT-based networking


The default virtual network provided and enabled out-of-the-box for all libvirt installations uses a Linux bridge in
combination with Network Address Translation (NAT) to enable a guest OS to get outbound connectivity. Typically,
the name for the default NAT bridge is virbr0 and the typical name for the default network is default.

To list which networks have been defined to the libvirt daemon for use by KVM guests, use the following command:

sudo virsh net-list

It will output something similar to:

Name      State    Autostart   Persistent
--------------------------------------------
default   active   yes         yes

We check the details of the default network from virsh via:

sudo virsh net-dumpxml default

This shows us the generated UUID, and anything else that may be in effect (i.e., Spanning Tree Protocol, DHCP, etc.).

<network>
 <name>default</name>
 <uuid>dfd26d2f-98b0-4774-84b7-3848c5f864e1</uuid>
 <forward mode='nat'>
   <nat>
     <port start='1024' end='65535'/>
   </nat>
 </forward>
 <bridge name='virbr0' stp='on' delay='0'/>
 <mac address='52:54:00:4a:2f:3d'/>
 <ip address='192.168.122.1' netmask='255.255.255.0'>
   <dhcp>
     <range start='192.168.122.2' end='192.168.122.254'/>
   </dhcp>
 </ip>
</network>

C. Creating a Routed Network


The libvirt virtual network switch can be configured to run in routed mode. In this mode, the switch connects to the
physical LAN the virtualization host is attached to, without the intermediation of a NAT module. All the guest virtual
machines are in the same subnet, routed through the virtual switch. Each guest can have its own public IP address.
External traffic may reach the guest only if additional routing entries are added. The routed mode operates at Layer
3 of the OSI networking model.

This is especially useful if we are to set up a DMZ network or Virtual Private Hosting [3]. Hence, this is what we'll
be using to implement our DMZ network in our virtual lab.

Follow these steps to create our DMZ network (192.168.200.0/24).

1. Create a new libvirt configuration named dmz.xml containing the following:

<network>
 <name>dmz</name>
 <bridge name="virbr1" />
 <forward mode="route" />
 <ip address="192.168.200.1" netmask="255.255.255.0" />
</network>

2. Add the new network definition XML file to libvirt:

sudo virsh net-define dmz.xml

3. Verify if this network was created by checking the network interfaces in your KVM host:

ip address show

You should be able to see a new bridge interface named virbr1 whose IPv4 address is 192.168.200.1.

 
Another way to verify that the new network definition is added on libvirt is through virsh itself:

sudo virsh net-list --all

Note! Our new network will persist (won't be transient or deleted during reboots) but is not started yet nor set
to automatically start on boot.

4. Start the virtual DMZ network:

sudo virsh net-start dmz

5. Set the virtual DMZ network to start on boot:

sudo virsh net-autostart dmz

D. Add New NIC to Server


To see how we can use our virtual DMZ network, we can add another virtual "NIC" to our existing server server1.

Follow these steps to attach our virtual network interface:

1. Start server1 and enumerate the network interfaces in it:

sudo virsh start server1
sudo virsh domiflist server1

You should see something like this one below:

Interface   Type     Source   Model    MAC
-----------------------------------------------------------
vnet0       bridge   virbr0   virtio   52:54:00:23:ec:43

2. Attach a network interface on server1.

export DOMAIN="server1"        # Name of the Domain/VM
export NETWORK="dmz"           # Name of the virtual network

# --config persists the NIC in the domain definition; --live hot-plugs it into the running guest
sudo virsh attach-interface \
  --domain "${DOMAIN}" \
  --type network \
  --source "${NETWORK}" \
  --model virtio \
  --config --live

3. Verify if the virtual network interface is added:

a. Enumerate interfaces in server1 again using virsh:

sudo virsh domiflist server1

The previous command should display something similar to:

Interface   Type      Source   Model    MAC
------------------------------------------------------------
vnet0       bridge    virbr0   virtio   52:54:00:23:ec:43
vnet1       network   dmz      virtio   52:54:00:36:01:41

b. Log in to server1 and display its network interfaces (you can use ssh, virsh console or virt-viewer to do this).

ip link show

You should now see two network interfaces in addition to the loopback interface. In my case, the newly added
interface was assigned enp6s0 as its name.

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
  link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
  link/ether 52:54:00:23:ec:43 brd ff:ff:ff:ff:ff:ff
3: enp6s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
  link/ether 52:54:00:36:01:41 brd ff:ff:ff:ff:ff:ff

E. Assign a Static IP address / Check Network Connectivity from KVM Guest

To further test if our virtual DMZ network is working, we can assign a static IP address on server1's newly created
network interface enp6s0 and check if we can establish connection to our KVM host.

To assign a static IP 192.168.200.254/24 to server1:

1. Log in to server1 (via ssh, virt-viewer, or virsh console):

# ssh glenn@192.168.122.121
# sudo virt-viewer server1
sudo virsh console server1

2. Edit /etc/netplan/00-installer-config.yaml via nano:

sudo nano /etc/netplan/00-installer-config.yaml

Modify the file to look like the one below (Note! The indentation is important; YAML requires spaces, not tab characters):

# This is the network config written by 'subiquity'
network:
  ethernets:
    enp1s0:
      dhcp4: true
    # Second NIC, attached to the dmz virtual network
    enp6s0:
      addresses: [192.168.200.254/24]
  version: 2

3. Save the file and close nano, then apply the changes:

sudo netplan apply

4. Verify if the IP configuration was applied:

ip address show

You should see the IP 192.168.200.254/24 assigned to enp6s0.

5. Finally, ping your KVM host:

ping 192.168.200.1 -c5

The ping command should execute successfully.
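
Before assigning a static address as in section E, it helps to check it against the network definition that virsh net-dumpxml prints. The following is an added example, not part of the original lab handout: the function names summarize and static_ip_problems are hypothetical, the XML samples are trimmed copies of the two definitions shown above, and it assumes an IPv4 <ip> element with a netmask attribute.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed inputs: trimmed copies of the two network definitions in this lab.
DEFAULT_XML = """<network>
  <name>default</name>
  <forward mode='nat'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp><range start='192.168.122.2' end='192.168.122.254'/></dhcp>
  </ip>
</network>"""
DMZ_XML = """<network>
  <name>dmz</name>
  <bridge name="virbr1" />
  <forward mode="route" />
  <ip address="192.168.200.1" netmask="255.255.255.0" />
</network>"""

def summarize(xml_text):
    """Return name, forward mode, gateway, subnet and DHCP ranges (IPv4 only)."""
    net = ET.fromstring(xml_text)
    fwd, ip = net.find("forward"), net.find("ip")
    gw = ipaddress.ip_address(ip.get("address"))
    subnet = ipaddress.ip_network(f"{gw}/{ip.get('netmask')}", strict=False)
    ranges = [(ipaddress.ip_address(r.get("start")),
               ipaddress.ip_address(r.get("end")))
              for r in ip.findall("dhcp/range")]
    # No <forward> element means isolated; <forward> without mode means nat.
    mode = fwd.get("mode", "nat") if fwd is not None else "isolated"
    return {"name": net.findtext("name"), "mode": mode,
            "gateway": gw, "subnet": subnet, "dhcp": ranges}

def static_ip_problems(xml_text, cidr):
    """List reasons why `cidr` is a bad static guest address on this network."""
    info, iface = summarize(xml_text), ipaddress.ip_interface(cidr)
    subnet, problems = info["subnet"], []
    if iface.network != subnet:
        problems.append(f"{cidr} is not in {subnet}")
    if iface.ip == info["gateway"]:
        problems.append("address is the host bridge (gateway) address")
    if iface.ip in (subnet.network_address, subnet.broadcast_address):
        problems.append("address is the network or broadcast address")
    if any(lo <= iface.ip <= hi for lo, hi in info["dhcp"]):
        problems.append("address is inside the DHCP range")
    return problems

if __name__ == "__main__":
    for xml_text, addr in [(DMZ_XML, "192.168.200.254/24"),
                           (DEFAULT_XML, "192.168.122.50/24")]:
        print(summarize(xml_text)["mode"], addr, static_ip_problems(xml_text, addr) or "ok")
```

On a real host, the XML text can be taken from the output of sudo virsh net-dumpxml dmz instead of the embedded samples.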

F. Verify Network Connectivity from KVM Server


1. On server1, install QEMU Guest Agent (if not yet installed)

sudo apt install qemu-guest-agent

2. Start QEMU Guest Agent

sudo systemctl start qemu-guest-agent

3. On your KVM host, open a new terminal, and run the following commands:

sudo virsh domiflist server1
sudo virsh domifaddr server1 --source=agent
ping 192.168.200.254 -c5

4. Take a screenshot of your terminal or your entire Desktop with the terminal shown (see image below for
reference). Save it as "Your Surname - Lab 2.png" (e.g., Fabia - Lab 2.png).

5. Attach the screenshot when you turn in this lab assignment in Google Classroom.

References
[1] KVM Virtual Networking Concepts. Retrieved August 21, 2021 from the WWW:
https://kb.novaordis.com/index.php/KVM_Virtual_Networking_Concepts

[2] libvirt.org. Network XML Format. Retrieved August 21, 2021 from the WWW:
https://libvirt.org/formatnetwork.html

[3] Red Hat, Inc. (2020). RHEL 7 Virtualization Deployment and Administration Guide: Examples of Common
Scenarios. Retrieved August 21, 2021 from the WWW:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_deployment_and_administration_guide/sect-virtual_networking-examples_of_common_scenarios
