My network administrators don't like it when I plug a switch into the building network to fan out to multiple computers. They want a single link drop per physical NIC. Previously they blocked those MACs on the switch automatically. I understand that a good network topology is as linear as possible, without extensive branching. But now I want to use FreeBSD jails.
If I run one (or several) jails in FreeBSD, I realistically have 3 NICs on the same port in the wall:
- the host's physical NIC, something like `igb0`
- the host's end of the paired virtual interfaces, connected back-to-back: `epair0a`
- the jail's end of (2): `epair0b`
All of these interfaces have to be registered in order to get an IP from the DHCP server. Will that setup cause trouble, and why? Is it correct that there is no way I can connect my jail (through some pass-through interface?) directly to "the wall"?
There are many ways to run jails. Virtual interfaces are one option, but with jails you can also just lend the jail a particular IP address of the underlying system. Of course, layer 2 should either be allowed or limited for such a jail (by default it is limited). That way only a single MAC address is used.
Another way is to use bridges with virtual interfaces/VLANs, firewall forwarding magic, or a virtual switch to do what you want. That way you can have different configurations with a single outgoing MAC on the physical interface, so your macabre L2 spaghetti doesn't leave your system.
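Both approaches from the answer above, written out as FreeBSD configuration. This is an added example, not configuration from the original post or from the FreeBSD project: the jail names (`alias`, `vnetj`), the jail root path, the addresses (`192.0.2.10` for the alias, `10.0.0.0/24` for the jail-only bridge) and the use of `igb0` as the uplink are all assumptions. The first jail shares `igb0` and therefore the host's MAC (it has no MAC of its own, so its address is a static alias rather than a DHCP lease). The second jail gets its own `epair`, but `epair0a` is attached to `bridge0`, which has no physical member, so the epair MACs never reach the wall; pf NATs the jail subnet out through `igb0` with the host's address.

```conf
# /etc/jail.conf (assumed layout; jail roots under /usr/jails/<name>)
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path = "/usr/jails/$name";
host.hostname = "$name.example.internal";

# 1. IP-alias jail: no interface of its own, reuses igb0 and igb0's MAC.
#    192.0.2.10 is an assumed static address on the building network.
alias {
    interface = "igb0";
    ip4.addr = 192.0.2.10;
}

# 2. vnet jail: own stack and epair, but only on the internal bridge0.
#    10.0.0.1 is bridge0 on the host (see rc.conf); 10.0.0.2 is the jail.
vnetj {
    vnet;
    vnet.interface = "epair0b";
    exec.prestart = "ifconfig epair0 create up && ifconfig bridge0 addm epair0a";
    exec.start = "ifconfig epair0b inet 10.0.0.2/24 up; route add default 10.0.0.1; /bin/sh /etc/rc";
    exec.poststop = "ifconfig bridge0 deletem epair0a; ifconfig epair0a destroy";
}

# /etc/rc.conf (relevant lines only)
# bridge0 deliberately has NO physical member: igb0 is never bridged,
# so epair MACs stay inside the host.
cloned_interfaces="bridge0"
ifconfig_bridge0="inet 10.0.0.1/24 up"
gateway_enable="YES"
pf_enable="YES"
jail_enable="YES"

# /etc/pf.conf
# Everything from the jail subnet leaves igb0 with the host's IP and MAC.
ext_if = "igb0"
jail_net = "10.0.0.0/24"
nat on $ext_if from $jail_net to any -> ($ext_if)
pass all
```

The check that matters for the network admins is that nothing but `igb0`'s MAC appears on the wall port: `ifconfig bridge0` should list only `epair0a`-style members and never `igb0`. If you instead ran `ifconfig bridge0 addm igb0`, the bridge would forward the jail's `epair0b` frames onto the building network with their own source MAC, which is exactly the multi-MAC situation the question describes.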