Linux Bridge

Linux bridge as a virtual switch for KVM hypervisors. Cisco-to-Linux mental model, port inventory, VM-to-vnet mapping, and connectivity troubleshooting.

Linux Bridge Architecture for KVM

Physical topology — server as a virtual switch
Physical Switch (3560CX)
    │
    │ Te1/0/1 (10G trunk, native VLAN 100)
    │
    ▼
[eno8] ─── physical NIC on Supermicro
    │
[br-mgmt] ─── Linux bridge (virtual switch)
    ├── vnet0 ─── vyos-02 (LAN trunk interface)
    ├── vnet1 ─── vyos-02 (WAN interface → br-wan)
    ├── vnet2 ─── ise-02
    ├── vnet3 ─── bind-02
    ├── vnet4 ─── vault-02
    └── vnet5 ─── vault-03
Table 1. Cisco-to-Linux mental model

Cisco IOS                              Linux Bridge
-------------------------------------  ----------------------------------------------
show interfaces trunk                  bridge vlan show
show mac address-table                 bridge fdb show
switchport trunk native vlan 100       bridge vlan add vid 100 dev eno8 pvid untagged
switchport trunk allowed vlan add 10   bridge vlan add vid 10 dev eno8
show spanning-tree                     bridge link show
show interfaces status                 ip -br link show

Bridge Inspection

List all bridges and their member ports
bridge link show
Show which interfaces belong to a specific bridge
ip link show master br-mgmt
Show bridge MAC address table (FDB)
bridge fdb show br br-mgmt
Filter FDB to VM MACs (KVM VMs use 52:54:00 prefix)
bridge fdb show br br-mgmt | awk '/52:54:00/'
Show bridge STP state
bridge link show dev eno8
# state forwarding = good, state blocking = STP issue

Port Inventory

Comprehensive port status — state, speed, bridge membership
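for port in eno{1..8}; do
  # operstate and speed come from sysfs; "missing" and "?" mark ports that do not exist or cannot report
  state=$(cat "/sys/class/net/$port/operstate" 2>/dev/null || echo "missing")
  speed=$(cat "/sys/class/net/$port/speed" 2>/dev/null || echo "?")
  # the bridge a port belongs to follows the word "master" in the ip link output
  master=$(ip link show "$port" 2>/dev/null | awk -F'master ' '{print $2}' | awk '{print $1}')
  printf "%-6s  %-6s  %5sMbps  %s\n" "$port" "$state" "$speed" "${master:-[none]}"
done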
Example output
eno1    down       -1Mbps  [none]
eno2    down       -1Mbps  [none]
eno3    down       -1Mbps  [none]
eno4    down       -1Mbps  [none]
eno5    down       -1Mbps  [none]
eno6    down       -1Mbps  [none]
eno7    up      10000Mbps  br-wan
eno8    up      10000Mbps  br-mgmt

VM-to-vnet Mapping

Find which vnet belongs to which VM
for vm in $(sudo virsh list --name); do
  # a VM with several interfaces has several vnets; print them on one line
  vnets=$(sudo virsh domiflist "$vm" 2>/dev/null | awk '/vnet/ {printf "%s ", $1}')
  echo "$vm: $vnets"
done
Match vnet MACs to VM MACs via sysfs
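# Note: sysfs reports the host-side tap MAC. libvirt typically sets its first octet
# to fe, so compare the last five octets against the VM's 52:54:00 MAC.
for vnet in $(ip link show master br-mgmt 2>/dev/null | awk -F': ' '/vnet/{print $2}'); do
  mac=$(cat "/sys/class/net/$vnet/address" 2>/dev/null)
  echo "$vnet: $mac"
done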

Network Connectivity Sweep

Ping sweep critical infrastructure — brace expansion
printf '%s\n' 10.50.1.{1,21,40,61,62,90,91} | xargs -I{} ping -c1 -W1 {}
Same sweep — for loop variant
for ip in 10.50.1.{1,21,40,61,62}; do ping -c1 -W1 "$ip"; done

Troubleshooting

Host can’t reach VMs on same bridge — check PVID mismatch
# If host is PVID 1 and VMs are PVID 100, they're in different VLANs
bridge vlan show dev br-mgmt   # host PVID
bridge vlan show dev vnet0     # VM PVID
# These must match (both PVID 100 for management VLAN)
Switch shows connected but no L2 traffic — check CRC errors
show interfaces Te1/0/2 | include errors|CRC|input
! 386 CRC errors = bad cable or dirty SFP connector
ARP table shows FAILED for VM IPs — VLAN isolation
# From VyOS — if host shows FAILED but VMs show STALE/REACHABLE
show arp
# Host and VMs are in different VLANs on the bridge
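
The PVID comparison from the first troubleshooting item, extended to every port of the bridge in one pass. This is an added example, not part of the original page: it parses `bridge vlan show` text and reports each port whose PVID is not the expected one. The function names and the sample output are constructed for illustration; 100 is the management PVID used on this page.

```sh
#!/bin/sh
# Added example (not from the original page); function names are hypothetical.

# port_pvids: parse `bridge vlan show` text on stdin, print "port pvid" per
# port ("none" if the port has no PVID). A line that starts with a name opens
# a port; indented lines continue that port's VLAN list.
port_pvids() {
  awk '
    NR == 1 && $1 == "port" { next }   # column header
    NF == 0 { next }
    {
      c = substr($0, 1, 1)
      if (c == " " || c == "\t") vid = $1
      else {
        port = $1; vid = $2
        if (!(port in pvid)) { pvid[port] = "none"; order[++n] = port }
      }
      if (port != "" && $0 ~ /PVID/) pvid[port] = vid
    }
    END { for (i = 1; i <= n; i++) print order[i], pvid[order[i]] }
  '
}

# pvid_mismatches EXPECTED PORT...: print each listed port whose PVID is not
# EXPECTED, including ports with no PVID or absent from the input.
pvid_mismatches() (
  expected=$1; shift
  table=$(port_pvids)
  for port in "$@"; do
    pvid=$(printf '%s\n' "$table" | awk -v p="$port" '$1 == p { print $2 }')
    [ "${pvid:-absent}" = "$expected" ] ||
      echo "$port pvid=${pvid:-absent} expected=$expected"
  done
)

# Constructed sample: br-mgmt itself is still on default PVID 1 and vnet3 has
# no PVID, while the uplink and the other VM ports use PVID 100.
SAMPLE='port              vlan-id
eno8              10
                  100 PVID Egress Untagged
br-mgmt           1 PVID Egress Untagged
vnet0             10
                  100 PVID Egress Untagged
vnet2             100 PVID Egress Untagged
vnet3             10'

printf '%s\n' "$SAMPLE" | pvid_mismatches 100 br-mgmt eno8 vnet0 vnet2 vnet3
# Live: bridge vlan show | pvid_mismatches 100 br-mgmt eno8 vnet0 vnet2
```

A port reported with `pvid=none` has no VLAN assigned to its untagged frames, so with VLAN filtering enabled it behaves like the mismatch case.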

See Also

  • Bridge VLAN — VLAN filtering, PVID configuration

  • nmcli — persistent bridge configuration

  • virsh — VM network interface inspection

  • VLAN — VLAN concepts and Cisco configuration