WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 

xen-users

Re: [Xen-users] transparant (secure) bridge

Hi,

On Wednesday, 18 June 2008 23:56, Michael Kershaw wrote:
> What you've described here, is what I'm working on right now.  I've
> set up my dom0 with two NICs bonded as bond0.  I'm going to be running
> say 3 or 4 VMs on this host that will each have their own static
> IPs.  I just haven't figured out how to make it all work as far as
> the VMs' networking is concerned.  Do you recall the steps that you
> performed to make your setup work?

Yes. First, you need to set the bond interface to active-passive, otherwise 
it will conflict with the bridge:
  modprobe bonding mode=1 miimon=100
I put this in /etc/modules:
  bonding mode=1 miimon=100
On my Debian machines I set up the network with /etc/network/interfaces:
  auto bond0
  iface bond0 inet manual
        pre-up ifconfig bond0 up
        pre-up ifenslave bond0 eth2 eth3
        pre-down ifenslave -d bond0 eth2 eth3
As you see, I use eth2 and eth3 as network interfaces for bonding. I also use 
VLANs on top of the bonding, so I set up my xenbr0 in /etc/network/interfaces 
for VLAN 2 as follows:
  auto xenbr0
  iface xenbr0 inet manual
        vlan-raw-device bond0
        bridge_ports bond0.2
        bridge_fd 0
        bridge_stp off
        post-up ip link set xenbr0 arp off
        post-up ip link set xenbr0 multicast off
Other bridges with VLANs can be made in /etc/network/interfaces. Here is an 
example with VLAN 3:
  auto xenbr3
  iface xenbr3 inet manual
        vlan-raw-device bond0
        bridge_ports bond0.3
        bridge_fd 0
        bridge_stp off
        post-up ip link set xenbr3 arp off
        post-up ip link set xenbr3 multicast off

If you don't want to (or can't) use VLANs you can use:
  auto xenbr0
  iface xenbr0 inet manual
        bridge_ports bond0
        bridge_fd 0
        bridge_stp off
        post-up ip link set xenbr0 arp off
        post-up ip link set xenbr0 multicast off

For the bridge I use no spanning tree protocol and my forward delay is 0. 
Because there are no IP addresses on my bridge I don't need ARP and multicast 
on this interface.

With this setup I can use xenbr0 or xenbr3 as bridge targets in my domU Xen 
configurations. Be sure that no Xen script is trying to make any bridge for 
you! For this I set
  (network-script network-dummy)
in /etc/xen/xend-config.sxp .
On the other side of your real network interfaces you need a router with an IP. 
This IP will be your default gateway for the domUs. In my setup I have a 
firewall cluster for this, otherwise bonding will be really needless.


PS: I'm using Debian 4.0 for this setup without any specials.


-- 
greetings

eMHa


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
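
The script below lints an /etc/network/interfaces file for the bridge settings the message describes: "inet manual" with no address on the bridge, bridge_stp off, bridge_fd 0, and ARP and multicast switched off in post-up. It is an added example, not part of the original post; the function names, the xenbr9 stanza and its 192.0.2.10 address are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint an interfaces(5) file for the bridge settings in the
# message above. audit_bridges and sample_interfaces are hypothetical names.

audit_bridges() {   # $1 = path to interfaces file; status 1 if any finding
    awk '
    function report(msg) { print name ": " msg; bad++ }
    function finish() {          # evaluate the stanza that just ended
        if (name == "" || !is_bridge) return
        if (method != "manual") report("method " method ", expected manual")
        if (has_addr)           report("address configured on bridge")
        if (stp != "off")       report("bridge_stp not off")
        if (fd != "0")          report("bridge_fd not 0")
        if (!arp_off)           report("missing post-up arp off")
        if (!mc_off)            report("missing post-up multicast off")
    }
    /^[ \t]*#/ { next }
    $1 == "iface" {
        finish(); name = $2; method = $4
        is_bridge = has_addr = arp_off = mc_off = 0; stp = fd = ""
        next
    }
    $1 == "auto" || $1 ~ /^allow-/ { finish(); name = ""; next }
    name == ""           { next }
    $1 == "bridge_ports" { is_bridge = 1 }
    $1 == "address"      { has_addr = 1 }
    $1 == "bridge_stp"   { stp = $2 }
    $1 == "bridge_fd"    { fd = $2 }
    $1 == "post-up" && index($0, "ip link set " name " arp off")       { arp_off = 1 }
    $1 == "post-up" && index($0, "ip link set " name " multicast off") { mc_off = 1 }
    END { finish(); exit (bad > 0) }
    ' "$1"
}

sample_interfaces() {   # constructed input: xenbr0 as posted, xenbr9 misconfigured
    cat <<'EOF'
auto xenbr0
iface xenbr0 inet manual
        bridge_ports bond0
        bridge_fd 0
        bridge_stp off
        post-up ip link set xenbr0 arp off
        post-up ip link set xenbr0 multicast off
auto xenbr9
iface xenbr9 inet static
        address 192.0.2.10
        bridge_ports bond0.9
        bridge_stp on
EOF
}
```

Run it as audit_bridges /etc/network/interfaces; stanzas without bridge_ports (such as bond0) are ignored, and each finding is printed as "bridge: finding".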