openshift-docs/modules/virt-creating-linux-bridge-nad-cli.adoc

// Module included in the following assemblies:
//
// * virt/vm_networking/virt-connecting-vm-to-linux-bridge.adoc

:_mod-docs-content-type: PROCEDURE
[id="virt-creating-linux-bridge-nad-cli_{context}"]
= Creating a Linux bridge NAD by using the CLI

You can create a network attachment definition (NAD) to provide layer-2 networking to pods and virtual machines (VMs) by using the command line.

The NAD and the VM must be in the same namespace.

[WARNING]
====
Configuring IP address management (IPAM) in a network attachment definition for virtual machines is not supported.
====

.Prerequisites

* You have installed the {oc-first}.

.Procedure

. Add the VM to the `NetworkAttachmentDefinition` configuration, as in the following example:
+
--
[source,yaml]
----
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: bridge-network <1>
  annotations:
    k8s.v1.cni.cncf.io/resourceName: bridge.network.kubevirt.io/br1 <2>
spec:
  config: |
    {
      "cniVersion": "0.3.1",
      "name": "bridge-network", <3>
      "type": "bridge", <4>
      "bridge": "br1", <5>
      "macspoofchk": false, <6>
      "vlan": 100, <7>
      "disableContainerInterface": true,
      "preserveDefaultVlan": false <8>
    }
----
<1> The name for the `NetworkAttachmentDefinition` object.
<2> Optional: Annotation key-value pair for node selection for the bridge configured on some nodes. If you add this annotation to your network attachment definition, your virtual machine instances will only run on the nodes that have the defined bridge connected.
<3> The name for the configuration. It is recommended to match the configuration name to the `name` value of the network attachment definition.
<4> The actual name of the Container Network Interface (CNI) plugin that provides the network for this network attachment definition. Do not change this field unless you want to use a different CNI.
<5> The name of the Linux bridge configured on the node. The name should match the interface bridge name defined in the `NodeNetworkConfigurationPolicy` manifest.
<6> Optional: A flag to enable the MAC spoof check. When set to `true`, you cannot change the MAC address of the pod or guest interface. This attribute allows only a single MAC address to exit the pod, which provides security against a MAC spoofing attack.
<7> Optional: The VLAN tag. No additional VLAN configuration is required on the node network configuration policy.
+
[NOTE]
====
OSA interfaces on {ibm-z-name} do not support VLAN filtering and VLAN-tagged traffic is dropped. Avoid using VLAN-tagged NADs with OSA interfaces.
====

<8> Optional: Indicates whether the VM connects to the bridge through the default VLAN. The default value is `true`.
+
[NOTE]
====
A Linux bridge network attachment definition is the most efficient method for connecting a virtual machine to a VLAN.
====
--

. Optional: If you want to connect a VM to the native network, configure the Linux bridge `NetworkAttachmentDefinition` manifest without specifying any VLAN:
+
[source,yaml]
----
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: bridge-network
  annotations:
    k8s.v1.cni.cncf.io/resourceName: bridge.network.kubevirt.io/br1
spec:
  config: |
    {
      "cniVersion": "0.3.1",
      "name": "bridge-network",
      "type": "bridge",
      "bridge": "br1",
      "macspoofchk": false,
      "disableContainerInterface": true
    }
----

. Create the network attachment definition:
+
[source,terminal]
----
$ oc create -f network-attachment-definition.yaml <1>
----
<1> Where `network-attachment-definition.yaml` is the file name of the network attachment definition manifest.

.Verification

* Verify that the network attachment definition was created by running the following command:
+
[source,terminal]
----
$ oc get network-attachment-definition bridge-network
----