IPvlan L3 Mode for Dual-Stack IPv4/IPv6 Multi-Subnet Networks

$ docker run --net=ipvlan140 --ip6=2001:db8:abc2::51 -it --rm alpine /bin/sh $ ip a show eth0 78: eth0@if77: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether 00:50:56:2b:29:40 brd ff:ff:ff:ff:ff:ff inet 192.168.140.2/24 scope global eth0 valid_lft forever preferred_lft forever inet6 2001:db8:abc4::250:56ff:fe2b:2940/64 scope link valid_lft forever preferred_lft forever inet6 2001:db8:abc9::1/64 scope link nodad valid_lft forever preferred_lft forever $$ ip route default via 192.168.140.1 dev eth0 192.168.140.0/24 dev eth0 proto kernel scope link src 192.168.140.2 $$ ip -6 route 2001:db8:abc4::/64 dev eth0 proto kernel metric 256 2001:db8:abc9::/64 dev eth0 proto kernel metric 256 default via 2001:db8:abc9::22 dev eth0 metric 1024 ``` Start a second container with a specific `--ip4` address and ping the first host using IPv4 packets: ```console $ docker run --net=ipvlan140 --ip=192.168.140.10 -it --rm alpine /bin/sh ``` > [!NOTE] > > Different subnets on the same parent interface in IPvlan `L2` mode cannot ping > one another. That requires a router to proxy-arp the requests with a secondary > subnet. However, IPvlan `L3` will route the unicast traffic between disparate > subnets as long as they share the same `-o parent` parent link. ### Dual stack IPv4 IPv6 IPvlan L3 mode Example: IPvlan L3 Mode Dual Stack IPv4/IPv6, Multi-Subnet w/ 802.1Q VLAN Tag:118 As in all of the examples, a tagged VLAN interface does not have to be used. The sub-interfaces can be swapped with `eth0`, `eth1`, `bond0` or any other valid interface on the host other then the `lo` loopback. The primary difference you will see is that L3 mode does not create a default route with a next-hop but rather sets a default route pointing to `dev eth` only since ARP/Broadcasts/Multicast are all filtered by Linux as per the design. Since the parent interface is essentially acting as a router, the parent interface IP and subnet needs to be different from the container networks. That is the opposite of bridge and L2 modes, which need to be on the same subnet (broadcast domain) in order to forward broadcast and multicast packets. ```console # Create an IPv6+IPv4 Dual Stack IPvlan L3 network # Gateways for both v4 and v6 are set to a dev e.g. 'default dev eth0' $ docker network create -d ipvlan \ --subnet=192.168.110.0/24 \ --subnet=192.168.112.0/24 \ --subnet=2001:db8:abc6::/64 \ -o parent=eth0 \ -o ipvlan_mode=l3 ipnet110 # Start a few of containers on the network (ipnet110) # in separate terminals and check connectivity $ docker run --net=ipnet110 -it --rm alpine /bin/sh # Start a second container specifying the v6 address $ docker run --net=ipnet110 --ip6=2001:db8:abc6::10 -it --rm alpine /bin/sh # Start a third specifying the IPv4 address $ docker run --net=ipnet110 --ip=192.168.112.30 -it --rm alpine /bin/sh # Start a 4th specifying both the IPv4 and IPv6 addresses $ docker run --net=ipnet110 --ip6=2001:db8:abc6::50 --ip=192.168.112.50 -it --rm alpine /bin/sh ``` Interface and routing table outputs are as follows: ```console $$ ip a show eth0 63: eth0@if59: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default

This section discusses the limitations of IPvlan L2 mode regarding inter-subnet communication and introduces IPvlan L3 mode as a solution. It explains that in L3 mode, the parent interface acts as a router, requiring its IP and subnet to be different from the container networks. The section then provides an example of creating a dual-stack IPv4/IPv6 IPvlan L3 network with multiple subnets, demonstrating how to start containers on this network with specified IPv4 and IPv6 addresses, and highlights the differences in routing compared to L2 mode. The importance of configuring the parent interface properly for L3 mode to function is emphasized.