How to add a VXLAN tag to isolate different groups of Docker containers

First, I am aware of creating a VXLAN interface with a tag based on the ip command:

    ip link add vxlan-br0 type vxlan id <tag-id> group <multicast-ip> local <host-ip> dstport 0

But it is useless for my actual demand, and my demand is to isolate multiple docker containers using different tags, something like:

    brctl addif br1 veth111111 tag=10 # veth111111 is the netdev used by docker container 1
    brctl addif br1 veth222222 tag=20 # veth222222 is the netdev used by docker container 2
    brctl addif br1 veth333333 tag=10 # veth333333 is the netdev used by docker container 3

I want to isolate container 2 from container 1 and 3, and don’t isolate communication between container 1 and 3. How to achieve this?

One solution collected from the web for “How to add a VXLAN tag to isolate different groups of Docker containers”

Adding two bridge networks will provide isolation.

    docker network create net1
    docker network create net2

Then start some containers

    docker run -d --name one --net net1 busybox sleep 600
    docker run -d --name two --net net2 busybox sleep 600
    docker run -d --name three --net net1 busybox sleep 600
    

`one` and `three` will communicate as they are attached to the same bridge

    docker exec one ping three
    docker exec three ping one
    

Others will fail as they cross networks/bridges

    docker exec one ping two
    docker exec two ping one
    docker exec three ping two
    

You’ll notice docker provides host/name resolution inside a network so it’s actually the host name resolution that is failing above. IPs are not routed between bridges either.

    $ docker exec three ip ad sh dev eth0
    17: eth0@if18: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
        link/ether 02:42:ac:14:00:03 brd ff:ff:ff:ff:ff:ff
        inet 172.20.0.3/16 scope global eth0
           valid_lft forever preferred_lft forever
        inet6 fe80::42:acff:fe14:3/64 scope link 
           valid_lft forever preferred_lft forever
    

Ping two

    $ docker exec three ping -c 1 -w 1 172.21.0.2
    PING 172.21.0.2 (172.21.0.2): 56 data bytes
    
    --- 172.21.0.2 ping statistics ---
    1 packets transmitted, 0 packets received, 100% packet loss
    

Ping one

    $ docker exec three ping -c 1 -w 1 172.20.0.2
    PING 172.20.0.2 (172.20.0.2): 56 data bytes
    64 bytes from 172.20.0.2: seq=0 ttl=64 time=0.044 ms
    

This setup will work with the overlay networking driver as well, but that is more complex to set up.
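As an added check (not part of the answer above), the script below reads `docker network inspect net1 net2` output and verifies that bridge membership matches the tag-style grouping from the question (tag 10 = `one` and `three`, tag 20 = `two`). The JSON is a constructed sample in the shape of the real inspect output, trimmed to the fields used; it assumes all containers sit on user-defined bridges, as in the answer, and treats a container attached to both networks as able to reach either side.

```python
import json
from itertools import combinations

# Constructed sample shaped like `docker network inspect net1 net2`, trimmed
# to the fields used here; it is not captured from a real host.
INSPECT_JSON = """
[
  {"Name": "net1", "Driver": "bridge",
   "Containers": {
     "aaa111": {"Name": "one",   "IPv4Address": "172.20.0.2/16"},
     "ccc333": {"Name": "three", "IPv4Address": "172.20.0.3/16"}}},
  {"Name": "net2", "Driver": "bridge",
   "Containers": {
     "bbb222": {"Name": "two",   "IPv4Address": "172.21.0.2/16"}}}
]
"""

def networks_by_container(inspect_json):
    """Map container name -> set of networks it is attached to."""
    attached = {}
    for net in json.loads(inspect_json):
        for c in net.get("Containers", {}).values():
            attached.setdefault(c["Name"], set()).add(net["Name"])
    return attached

def can_talk(attached, a, b):
    """Docker adds no route between user-defined bridges, so two containers
    can reach each other only if they share at least one network."""
    return bool(attached.get(a, set()) & attached.get(b, set()))

def check_isolation(inspect_json, groups):
    """groups: intended isolation groups keyed by tag, e.g.
    {10: {"one", "three"}, 20: {"two"}}. Returns violations as
    (a, b, kind): "leak" = cross-group pair that can talk,
    "split" = same-group pair that cannot."""
    attached = networks_by_container(inspect_json)
    tag_of = {name: tag for tag, members in groups.items() for name in members}
    violations = []
    for a, b in combinations(sorted(tag_of), 2):
        same_group = tag_of[a] == tag_of[b]
        if can_talk(attached, a, b) != same_group:
            violations.append((a, b, "split" if same_group else "leak"))
    return violations

if __name__ == "__main__":
    intent = {10: {"one", "three"}, 20: {"two"}}
    print(check_isolation(INSPECT_JSON, intent) or "isolation matches intent")
```

On a live host, feed it `docker network inspect net1 net2` instead of the sample; an empty result means the bridge layout enforces the intended grouping.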
