Differences Between venet0 and veth Modes

The veth mode differs from the venet0 mode in the following ways:

  • Each of the Ethernet interfaces constituting a veth virtual adapter has a MAC address assigned to it, while venet0 does not have one. As a result:
    • Any Container can see all broadcast and multicast packets received from or sent to the selected network adapter on the server.
    • Using a veth virtual adapter inside a Container allows you to host a DHCP or Samba server inside this Container, etc.
  • There is no longer any need to assign all network settings (IP addresses, subnet mask, gateway, etc.) to a Container from the Host OS. All network parameters can be set from inside the Container.
  • veth adapters can be bridged among themselves and with other devices. If several veth adapters are united into a bridge, this bridge can be used to handle network traffic for the Containers whose veth adapters are included in the bridge.
  • Because veth adapters act as full members of the network (rather than being 'hidden' behind venet0), they are more prone to security vulnerabilities: traffic sniffing, IP address collisions, etc. Therefore, we recommend using veth adapters in trusted network environments only.
  • The veth mode has poorer scalability than the venet0 mode. Any broadcast packet meant for any veth virtual network adapter is duplicated and transmitted to all available veth network adapters, so the CPU(s) on the server must process all the resulting broadcast packets, which may noticeably degrade system performance. We therefore highly recommend that you create no more than 100 veth network adapters for every CPU on the server.
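
The last two points can be monitored from the server. The following is an added example, not part of the original documentation: it flags IP addresses answered by more than one MAC address in captured ARP replies and compares the number of veth adapters with the 100-per-CPU recommendation. It assumes `tcpdump -n arp` and `ip -o link show` style text as input and that veth adapter names start with `veth`; all sample data is constructed.

```python
import re
from collections import defaultdict

# Constructed sample: `tcpdump -n arp` style lines captured on a bridge that
# joins several veth adapters (documentation addresses, made-up MACs).
SAMPLE_ARP = """\
12:00:01.000000 ARP, Request who-has 192.0.2.10 tell 192.0.2.1, length 28
12:00:01.000200 ARP, Reply 192.0.2.10 is-at 02:00:00:aa:bb:01, length 28
12:00:01.000450 ARP, Reply 192.0.2.10 is-at 02:00:00:aa:bb:02, length 28
12:00:02.000000 ARP, Reply 192.0.2.11 is-at 02:00:00:aa:bb:03, length 28
12:00:03.000000 ARP, Reply 192.0.2.11 is-at 02:00:00:AA:BB:03, length 28
"""

# Constructed sample: `ip -o link show` style lines from the server.
SAMPLE_LINKS = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
4: veth101.0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP
5: veth102.0@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP
6: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
"""

ARP_REPLY = re.compile(r"ARP, Reply (\S+) is-at ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)
LINK_NAME = re.compile(r"^\d+:\s+([^:@\s]+)")
MAX_VETH_PER_CPU = 100  # the limit recommended on this page

def find_ip_collisions(arp_text):
    """Return {ip: sorted MACs} for every IP answered by more than one MAC."""
    claims = defaultdict(set)
    for line in arp_text.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            claims[m.group(1)].add(m.group(2).lower())  # normalise MAC case
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

def veth_headroom(link_text, cpu_count):
    """Return (veth adapter count, adapters left before exceeding the limit)."""
    names = [m.group(1) for m in map(LINK_NAME.match, link_text.splitlines()) if m]
    veth = [n for n in names if n.startswith("veth")]  # assumed naming prefix
    return len(veth), MAX_VETH_PER_CPU * cpu_count - len(veth)

if __name__ == "__main__":
    for ip, macs in find_ip_collisions(SAMPLE_ARP).items():
        print(f"collision: {ip} claimed by {', '.join(macs)}")
    print("veth count, headroom:", veth_headroom(SAMPLE_LINKS, cpu_count=2))
```

An IP address that legitimately moves between hosts (for example, a failover address) also shows up as a collision, so treat each hit as something to verify against the expected Container addressing.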