This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

xen-users

Re: [Xen-users] Still confused about bridging (I think)

On Sat, September 20, 2008 12:37, Mike Wright wrote:
> David Dyer-Bennet wrote:
>> Javier Guerra wrote:
>>
>>> On Fri, Sep 19, 2008 at 5:42 PM, David Dyer-Bennet <dd-b@xxxxxxxx>
>>> wrote:
>>>
>>>
>>>> I know I'm confused about *something*, because packets aren't getting
>>>> through.
>>>>
>>>> The hardware has two NICs, eth0 connects to the corporate lan on
>>>> 192.168.1.14, and to a private cluster lan on 172.17.0.1.
>>>>
>>>> In dom0, I can reach systems on both lans.
>>>>
>>>> In a guest on 172.17.1.2, I can't reach anything.  Nothing in 172.17,
>>>> nothing in 192.168.1.  The guest is domain 9, called vl01.
>>>>
>>>> In dom0, a bridge, xenbr0 (specified in my control files for the
>>>> domains), is set up to let everybody talk to everywhere.
>>>>
>>>> [root@prcapp02 xen]# brctl show
>>>> bridge name     bridge id               STP enabled     interfaces
>>>> virbr0          8000.000000000000       yes
>>>> xenbr0          8000.2ed4b2e93fd1       no              vif9.0
>>>>                                                        vif7.0
>>>>                                                        tap0
>>>>                                                        peth0
>>>>                                                        vif0.0
>>>>
>>>
>>>
>>> where's the 'way out' from xenbr0? IOW, is peth0 connected to a real
>>> NIC?
>>>
>>
>>
>> Yes, that's the "real" nic.  Xen seems to have renamed the interfaces.
>>
>>> i think you should set two bridges, one connected to eth0
>>> (192.168.1.14) , and the other to eth1 (172.17.0.1), then if you want
>>> a DomU on 172.17.x.x, connect its vif to the second bridge.
>
> I agree with David here.  It is the easiest way; otherwise, you'll have
> to set up your own routing.

Sounds like you're *disagreeing* with me and agreeing with Javier to me.
Which I wouldn't bother to mention except I'm trying to be sure I'm
understanding the rest of what you say properly.

> I noticed some oddities (although things are constantly being renamed so
> everything depends on which version you are running :).  For starters,
> on my system (xen-3.0.2-2) the veth devices disappear once xend is
> started.

That's not happening in my setup (CentOS 5.2, which comes with xen 3.0.3).
I'm still deeply confused about the different kinds of "interfaces" that
are appearing on the list (from "ip addr list") and where they come from
and what they're for, though.  There seems to be a complete and total
absence of any documentation about this.


> I have 3 nics in dom0, each dedicated to one of 3 bridges: WAN, LAN, and
> DMZ.  The bridges and the peth devices are all set to NOARP while the
> eth and vif devices are all set to ARP ON.  None of the nics, vifs,
> peths or bridges have IPs.

What's the point of your multiple bridges?  Are you trying to segment the
traffic manually rather than letting the bridges figure it out themselves
(which is after all their main purpose in life)?  And how does traffic
move between them, then?

Again, bridges are MAC-layer devices.  They don't use IP addresses in
their forwarding algorithms at all.

> domU #1 gets 3 virtual nics, one on each of the 3 bridges, and does all
> routing and firewalling between them.  All public servers are on domUs
> attached to the DMZ, all development domUs are attached to the LAN.  My
> ISP provides me with a /29 network giving me 7 public IPs on the WAN.

So it looks like the purpose here is primarily keeping things from
communicating when you don't want them to?  But my problem is that things
can't communicate when I do want them to.

-- 
David Dyer-Bennet, dd-b@xxxxxxxx; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info
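The question Javier raises above ("where's the 'way out' from xenbr0? is peth0 connected to a real NIC?") and the later suggestion of one bridge per physical NIC both come down to the same check: for each bridge, which ports are physical uplinks and which are domain vifs. The following script is an added example, not code from the thread or from the Xen project; it parses the `brctl show` output quoted above (embedded here as a constructed sample) and reports, per bridge, its uplink and the domains attached to it. The assumption that `peth*`/`eth*`/`bond*` names denote a physical NIC, and that `vif<domid>.<idx>` names a domain's virtual interface, matches the naming seen in the thread but is hard-coded here as an assumption.

```python
"""Added example: diagnose Xen bridge membership from `brctl show` output.

Reports which bridges have a physical uplink ("way out") and which
domains' vifs sit on each bridge, so a guest on the wrong bridge, or a
bridge with no real NIC behind it, is visible at a glance.
"""
import re

# Constructed sample: the `brctl show` output quoted in the thread.
BRCTL_OUTPUT = """\
bridge name     bridge id               STP enabled     interfaces
virbr0          8000.000000000000       yes
xenbr0          8000.2ed4b2e93fd1       no              vif9.0
                                                        vif7.0
                                                        tap0
                                                        peth0
                                                        vif0.0
"""

# Assumption: these name patterns mean "real NIC" on this Xen version.
PHYSICAL_RE = re.compile(r"^(p?eth\d+|bond\d+)$")
# Assumption: Xen names domain vifs as vif<domid>.<index>.
VIF_RE = re.compile(r"^vif(\d+)\.(\d+)$")


def parse_brctl_show(text):
    """Return {bridge: {"id": str, "stp": bool, "ports": [str, ...]}}.

    `brctl show` prints extra ports of a bridge on indented continuation
    lines, so an indented line belongs to the most recent bridge row.
    """
    bridges = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("bridge name"):
            continue  # blank line or column header
        if not line[0].isspace():  # a new bridge row: name, id, stp, [port]
            fields = line.split()
            name, bridge_id, stp = fields[0], fields[1], fields[2]
            bridges[name] = {"id": bridge_id, "stp": stp == "yes",
                             "ports": fields[3:]}
            current = name
        elif current is not None:  # continuation line: one more port
            bridges[current]["ports"].append(line.strip())
    return bridges


def uplinks(bridge):
    """Ports of a bridge that look like physical NICs."""
    return [p for p in bridge["ports"] if PHYSICAL_RE.match(p)]


def domain_vifs(bridge):
    """Map domain id -> list of its vifs on this bridge."""
    out = {}
    for p in bridge["ports"]:
        m = VIF_RE.match(p)
        if m:
            out.setdefault(int(m.group(1)), []).append(p)
    return out


def bridge_of(bridges, port):
    """Which bridge a given port (e.g. a domain's vif) is enslaved to, or None."""
    for name, br in bridges.items():
        if port in br["ports"]:
            return name
    return None


def report(text):
    """One human-readable line per bridge."""
    lines = []
    for name, br in parse_brctl_show(text).items():
        ups = uplinks(br)
        status = ("uplink " + ",".join(ups)) if ups else "NO physical uplink"
        lines.append(f"{name}: {status}; domains {sorted(domain_vifs(br))}")
    return lines


if __name__ == "__main__":
    for line in report(BRCTL_OUTPUT):
        print(line)
```

Run against the quoted output it shows that xenbr0 does have peth0 as its way out and carries domains 0, 7 and 9, while virbr0 (libvirt's NAT bridge) has no physical port at all. On a live host replace `BRCTL_OUTPUT` with the output of `brctl show`; to verify the two-bridge layout Javier proposes, check that `bridge_of(bridges, "vif9.0")` is the bridge whose uplink is the 172.17 NIC.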


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users