Docker MacVLAN vs IPVLAN - A Practical Deep Dive into Advanced Networking
- 5 minsIntroduction
Introduction
Quick recap of how Docker networking works by default (bridge, NAT, port binding). Problem statement: Containers can’t be directly reached with their own IPs. Solution: Advanced drivers — MacVLAN & IPVLAN.
1. Why Use MacVLAN or IPVLAN?
Containers act like first-class citizens on the network.
Benefits:
- Isolation & Security – separate network identities.
- Simplified Communication – direct access via IPs (great for legacy systems).
- Advanced Scenarios – firewall rules, VPNs, monitoring.
2. MacVLAN Explained
- Works at Layer 2 (L2).
- Each container gets its own unique MAC + IP.
- Analogy: Multiple virtual machines plugged into the same switch port.
How It Works:
- Host interface acts as a parent.
- Each container gets a virtual NIC with a new MAC.
Setup Example:
#Network can be different based on your network scope
docker network create -d macvlan \
--subnet=192.168.1.0/24 \
--gateway=192.168.1.1 \
-o parent=enp1s0 \
macvlan_net
Run container:
#Ip can be different based on your network scope
docker run -itd --network macvlan_net --ip 192.168.1.195 nginx
Appears on LAN as its own device.
- Requires promiscuous mode on NIC.
- Breaks with switch port-security (multiple MACs on one port).
Testing nginx webserver connection from any other device in same network. Note: I did not expose any port to host machine and I still can able to reach nginx
3. IPVLAN Explained
Unlike MacVLAN, IPVLAN containers share the host’s MAC. Only IPs differ. 👉 Looks cleaner to the switch/router, no multiple MAC addresses to worry about.
IPVLAN Modes:
1. L2 Mode
- Works like MacVLAN but without unique MACs.
- All containers → same MAC as host.
Setup:
#Network can be different based on your network scope
docker network create -d ipvlan \
--subnet=192.168.1.0/24 \
--gateway=192.168.1.1 \
-o parent=enp1s0 \
ipvlan_l2
Containers reachable on LAN directly.
⚠️ Security tools may flag this as MAC spoofing since many IPs map to one MAC.
2. L3 Mode
- Host acts as a router for containers.
- Containers live in their own subnet.
- Other hosts need static routes pointing to the Docker host.
Example:
#Network can be different based on your network scope
docker network create -d ipvlan \
--subnet=10.10.0.0/24 \
-o parent=enp1s0 \
-o ipvlan_mode=l3 \
ipvlan_l3
Requires adding a static route on your router/gateway. Great for segmentation & isolation.
4. MacVLAN vs IPVLAN: Quick Comparison
| Feature | MacVLAN | IPVLAN L2 | IPVLAN L3 |
|---|---|---|---|
| MAC per container | Unique MACs | Shared with host | Shared with host |
| Works without promiscuous mode | ❌ No | ✅ Yes | ✅ Yes |
| Requires static routes | ❌ No | ❌ No | ✅ Yes |
| LAN reachability (same subnet) | ✅ Yes | ✅ Yes | ⚠️ Needs routes |
| Isolation / segmentation | ➖ Moderate | ➖ Moderate | ✅ Strong (routed subnets) |
| Switch port-security friendly | ❌ Can break (many MACs) | ✅ Friendlier (one MAC) | ✅ Friendlier (one MAC) |
| IDS/IPS false-positive risk | ➖ Normal | ⚠️ Many IPs → one MAC | ⚠️ Many IPs → one MAC |
| Typical use case | Legacy/LAN realism | Simpler LAN access | Routed/isolated networks |
5. Choosing the Right One
- MacVLAN → Use when you want containers to behave like separate physical machines.
- IPVLAN L2 → Use in environments where multiple MACs would break things.
- IPVLAN L3 → Use for isolation, custom routing, or multi-subnet designs.
Conclusion
MacVLAN and IPVLAN unlock powerful networking capabilities in Docker beyond the default bridge. They let containers integrate directly into existing networks or create isolated routing domains.
Like all advanced networking, the right choice depends on your environment:
- Want realism? → MacVLAN.
- Want simplicity? → IPVLAN L2.
- Want flexibility and control? → IPVLAN L3.
Thanks for reading!
—
Guneycan Sanli
Guneycan Sanli
A person who like learning, music, travelling and sports.