Linux nmcli: how to configure a bridge on a team interface

BLinux

cat lover server enthusiast
Jul 7, 2016
2,516
958
113
artofserver.com
didn't see anything like this posted and just had to do this from my own notes so thought i'd share them here:

the goal here is to combine 2 ethernets as a 'team' interface, and then add a bridge on top of that. i do this often for VM hosting on CentOS/kvm so the VMs vNICs can use the bridge.

First, create the bridge interface:

Code:
# nmcli conn add type bridge con-name "Bridge connection 1 for DMZ" ifname bridge1-dmz1
The string following "con-name" can be almost anything; it will be the name used to reference the connection when using nmcli. The string following "ifname" is the interface name as it will show in 'ip' or 'ifconfig'.

Next, add a team interface and make bridge1-dmz1 above its master:

Code:
# nmcli conn add type team con-name "bridge1-dmz1 slave 1 team0" ifname team0 master bridge1-dmz1
The next part is a little unusual and specific to doing "team" interfaces versus say "bond" interface. You have to create a JSON file for the configuration of the team. In the below sample, I'm going to team "eth0" and "eth1". So, create a file, let's call it "lacp_1.conf" and add the following content:

Code:
{
    "device":    "team0",
    "runner": {
        "name": "lacp",
        "active": true,
        "fast_rate": true,
        "tx_hash": ["eth", "ipv4", "tcp", "udp"]
    },
    "link_watch":    {"name": "ethtool"},
    "ports":        {"eth0": {}, "eth1": {}}
}
Using "lacp" means we're going to use 802.3ad, so configure the switch side accordingly. There are other options here if you want to not have to mess with the switch ports, but beyond the scope.

Next, modify the team interface with this JSON config file:

Code:
# nmcli conn modify "bridge1-dmz1 slave 1 team0" team.config lacp_1.conf
Next, we want to add the actual ethernet interfaces to the team0 interface:
Code:
# nmcli conn add type ethernet con-name "team0 slave 1" ifname eth0 master team0
# nmcli conn add type ethernet con-name "team0 slave 2" ifname eth1 master team0
Finally, to add an IP and other interface configuration for the local host on this bridge:
Code:
# nmcli conn modify "Bridge connection 1 for DMZ" ipv4.address 10.1.233.23/16
# nmcli conn modify "Bridge connection 1 for DMZ" ipv4.gateway 10.1.1.7
# nmcli conn modify "Bridge connection 1 for DMZ" ipv4.dns 172.16.200.1
# nmcli conn modify "Bridge connection 1 for DMZ" ipv4.dns-search domain.com
# nmcli conn modify "Bridge connection 1 for DMZ" ipv4.method manual
The last method=manual has to be done after the ipv4.address is set or it will not allow the change, so I usually do it last.

That's it.
 

Andrew J Hutton

New Member
Apr 22, 2019
1
0
1
I found a bug that people should probably be aware of. This is on Fedora 29 but probably affects others as well.

The mode on the interfaces is not being set correctly to promisc and at least on Fedora 29 there is no longer a way to specify this in sysinit so you need to add /etc/rc.d/rc.local containing:

[root@baldur ~]# more /etc/rc.d/rc.local
#!/bin/bash
ip link set enp5s0f0 promisc on
ip link set enp5s0f0 promisc on
exit 0

Where 'enp5s0f0/1' is replaced by the actual device names of your two nic involved in the team interface. Then create a systemd control file at /lib/systemd/system/rc-local.service containing:

[Unit]
Description=/etc/rc.d/rc.local Compatibility
Documentation=man:systemd-rc-local-generator(8)
ConditionFileIsExecutable=/etc/rc.d/rc.local
After=network.target

[Service]
Type=forking
ExecStart=/etc/rc.d/rc.local start
TimeoutSec=0
RemainAfterExit=yes
GuessMainPID=no

[Install]
WantedBy=multi-user.target

Followed by running systemctl enable rc-local so that the modes will be correctly set on next boot as well.

This issue may not affect everyone; but it took a while to figure out what was happening. Hopefully the bug will get fixed, but until then this is a viable option.