WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-users] Xen networking concepts

from [Fernando Maior] [Permanent Link][Original]
To: xen-users@xxxxxxxxxxxxxxxxxxx, lynx@xxxxxxxxx
Subject: Re: [Xen-users] Xen networking concepts
From: Fernando Maior <fernando.souto.maior@xxxxxxxxx>
Date: Tue, 20 Dec 2005 09:28:39 -0200
Delivery-date: Tue, 20 Dec 2005 11:56:37 +0000
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; b=TrTuQnpUFRalNW0bXONJWBO7ltzoAyfYadVe4Am3k356Ed8xm2BtcbNAu9DpY/6J+QS3FePYQF79A/ivnsMo9BLAJiMEkElZHT7L5jVerh+anBqikq3Hj/iUYN55dKTgavMyvOtXKFZbfSkCCZR0t3Gxtpu46dOanXI65/uAWwE=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <20051220025741.GA21558@xxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <20051220025741.GA21558@xxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx 
On 12/20/05, René Pfeiffer <lynx@xxxxxxxxx> wrote:
> Hello, xen-users!
>
> I am fiddling with the Xen 2.0 and Xen 3.0 configuration in order to do
> a combined installation of a firewall system and a webserver on the same
> machine. Now I use a recent Xen 3.0 on top (or below, depending on how
> you think of it) a Debian Sarge 3.1r1. The idea is to have the
> following:
>
>  - Dom0 connected with a single external IP routing everything to Dom1
>  - Dom1 with a firewall system and two virtual network cards
>  - Dom2 the webserver behind the firewall with a single virtual network
>    card
>
> I tried to use direct access but abandoned the idea because the system
> is colocated and has only one IP address. This brings me to my problem.
> I read the various networking threads a couple of times (including the
> ideal(istic) firewall thread). Somehow I cannot completely wrap my mind
> around Xen's networking concepts. I think I can work with two bridges
> and internal local networks where the Dom0 will do SNAT for outbound
> packets. The setup looks a bit like this (work in progress, just a quick
> sketch):
>
> http://web.luchs.at/information/media/xen_setup.png
>
> After starting the two domains and manually setting up the second bridge
> I get something like this on a test system:
>
> samuel:~# xm list
> Name                              ID Mem(MiB) VCPUs State  Time(s)
> Domain-0                           0       64     1 r-----   143.2
> astaro                             1      120     1 ------  2838.8
> webserver                          2       48     1 -b----    34.5
> samuel:~# brctl show
> bridge name     bridge id               STP enabled     interfaces
> xenbr0          8000.feffffffffff       no              peth0
>                                                         vif0.0
>                                                         vif1.0
> xenbr1          8000.b67150095f2d       no              dummy0
>                                                         vif1.1
>                                                         vif2.0
> samuel:~#
>
> vif1.0 and vif1.1 belong to the firewall, vif2.0 belongs to the
> webserver. I gathered from the threads that the interface names change
> when I restart the domains. What is the best practice to pin down
> interface names?
>
> How can I create xenbr1 automatically after Dom0 comes up? In the above
> listing dummy0 is out of place because right after the boot process,
> there are no domains running and therefore xenbr1 cannot be created with
> the vif interfaces. Do I need a dummy interface for every bridge that is
> used to connect domains?
>
> Another thing I noticed is that I have a lot of network devices that are
> unused. The system has 27 net devices, vif is numbered up to vif0.7 and
> I have veth devices up to veth7. Why is that? Xen 2.0 didn't create so
> many devices. What are they used for? Is this a kind of device pool?
>
> Best regards,
> Lynx.

Hi Lynx,

With Xen 3.0 you cannot pin down vif names. Besides, there is no need for
that if you are using the scripts that come with Xen to start the network
and bind the vifs to the bridges.

If I may try to help you, there are some scripts and considerations.

In dom0, create two bridges. I will call them switches, because that is
what they really are like.

----------begin of script----------
  #!/bin/bash
  # creating switch 1
  brctl addbr sw1
  brctl stp sw1 off
  brctl setfd sw1 0

  # creating switch 2
  brctl addbr sw2
  brctl stp sw2 off
  brctl setfd sw2 0

  # creating tun/tap device
  tunctl -t tap0

  # adding tun/tap device to bridge
  brctl addif sw2 tap0

  # configuring tap0 device
  ip address add 192.168.2.2/30 dev tap0
----------end of script----------

The above script should be exec in every boot, so you should put it into
rc.local or other boot script. Also, you must install uml-utilities, where
you can have the tunctl executable.

Next, you program the binding to the dom interfaces. Files from /etc/xen:

/etc/xen/dom1:
  nics=3
  vif = [ 'mac=aa:00:00:01:01:00,bridge=xenbr0',
            'mac=aa:00:00:01:01:01,bridge=sw1',
            'mac=aa:00:00:01:01:02,bridge=sw2' ]

/etc/xen/dom2:
  nics=1
  vif = [ 'mac=aa:00:00:01:02:01,bridge=sw1'  ]

Now boot both domains and configure their interfaces (for RH based
distros, files are in /etc/sysconfig/network-scripts, and are called
ifcfg-ethX, where X is the interface number - see what is usage for
you distro):

dom1/eth0: your real IP address to internet/cidr
dom1/eth1: 192.168.1.1/30
dom1/eth2: 192.168.2.1/30
dom2/eth0: 192.168.1.2/30

After that, you will see that dom0 does not have any real interface
with an IP address. That is the deal. Look at the attached image,
that is what you have after the configuration above. You will see
it is exactly what you would have if you use real machines :)

So, the base machine is behind the firewall, you connect to the
firewall and from there you connect to the base machine. Just like
a firewall with DMZ and LAN :)

About dummy interfaces, I have never used them. Nor with xen2,
neither with xen3. And about creating bridges, the Xen network
script creates just one bridge, xenbr0. It is not prepared for creating
other bridges, that is why I use a script to create all bridges/switches
but xenbr0.

Hope that can help you.
--
Bye,
Fernando Maior
LPIC/1(31908)
LinuxCounter(391325)

Attachment: xen-simple.png
Description: PNG image

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-users] Is hardware PCI passthrough working in 3.0 yet?, Frank Burkhardt
Next by Date:  [Xen-users] Error: Device 2049 (vbd) could not be connected. Hotplug scripts not working., Yacine Kheddache
Previous by Thread:  [Xen-users] Xen networking concepts, René Pfeiffer
Next by Thread:  Re: [Xen-users] Xen networking concepts, René Pfeiffer
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy