WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] LAN configuration?

To: Alan Murrell <lists@xxxxxxxxxx>
Subject: Re: [Xen-users] LAN configuration?
From: Marcus Brown <marcusbrutus@xxxxxxxxxxxxxxxx>
Date: Wed, 14 Sep 2005 10:35:42 +1000
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 14 Sep 2005 00:32:26 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <1126624303.12158.7.camel@xxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <1126624303.12158.7.camel@xxxxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Debian Thunderbird 1.0.6 (X11/20050802)

Hi Alan,

I guess there are several solutions to your problem. Here's mine:

(I assume you mean you want access to these servers from the LAN,
not that you want to migrate them to the LAN :), although the
following design should still hold.)

For the LAN interface, hide the NIC from dom0 and export it to the
Firewall driver domain. For an internal DMZ create a bridge in dom0
(possibly tied to a dummy interface) without an IP assigned to it
and export it to the firewall. Any domUs you want your LAN to access
just need to have this bridge specified in their xen config, and the
appropriate firewall rules for routing between the LAN and DMZ.

You could use the Firewall driver domain as a network backend for your
domUs, but this results in a new vif being issued in the Firewall for
each domU created, and can cause problems with firewalls like Shorewall.
Hence my preference for an 'untethered' bridge.

No reason why you can't have a number of DMZ bridges for different
purposes, but the more interfaces you have the longer Shorewall takes
for calculation of rules (~60 secs for 10-12 interfaces on a P3/650!)

For the privileged firewall domain you can either compile a specialised
kernel with hardware access and the appropriate driver for your NIC,
or just use your dom0 kernel.

This idea is being worked on, and may look something like this:
http://marcusbrutus.cust.internode.on.net/Computers/v0-4-3/Xen_Firewall_0_4_33
Where, in your case, the green dashed line would actually be permanently
tied to your third NIC (for administration).

Hope that helps to start you off,

Marcus.

Alan Murrell wrote:
> Hi There,
> 
> I currently have several machines doing separate tasks that I'd like to
> consolidate into one machine and make more efficient use of system
> resources.
> 
> I have been reading through the Xen docs, wiki, and list archives and
> have it all figured out except for one part, which I am hoping you might
> be able to help me out with...
> 
> My Xen server has three NICs... one for remote management of dom0 and
> the other two will be hidden from dom0 and assigned to the firewall.
> One NIC on the firewall will be for the Internet, the other for the LAN,
> and I will use a 'vif' interface for the DMZ (since the only machine in
> it will be a guest server)
> 
> My problem is that I plan on having a couple of the guest systems on the
> Xen server on the LAN as well, but since the physical LAN NIC on the
> firewall will be connected to a physical switch, I am not sure how to
> pull this off.
> 
> Is it possible to use a 'vif' interface and perhaps bridge it and have
> it all seamless?
> 
> If so, any pointers on how to do this (docs, HOWTO, etc.)
> 
> Thanks!  I look forward to hearing from you :-)
> 
> -Alan
> 


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
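The design in Marcus's reply hinges on one property that is easy to get wrong: the DMZ bridge in dom0 must carry no IP address, otherwise dom0 itself sits on the DMZ segment and the firewall domain is bypassed. The script below is an added example, not code from the original thread or from the Xen project: it checks a dom0 `ip -o -4 addr show` listing for addressed DMZ bridges, and emits the pieces the design needs (the IP-less bridge anchored on a dummy interface, the domU `vif` line naming that bridge, and minimal Shorewall zone/interface/policy/rules files for the firewall domain). Interface and bridge names (`eth1`, `eth2`, `dummy0`, `xenbr-dmz`), the Shorewall 2.x column layout and the sample `ip` output are all assumptions or constructed input, and hiding the physical NICs from dom0 (kernel command line, syntax varies by Xen version) is left out.

```python
"""Added example (not from the original post): sanity-check the 'untethered'
DMZ bridge design from the reply above and emit the config pieces it needs.
Interface names (eth1, eth2, dummy0, xenbr-dmz) and the Shorewall column
layout are assumptions; the `ip` output below is constructed, not captured."""
import re

# Constructed sample of `ip -o -4 addr show` run in dom0.  xenbr-dmz has been
# (wrongly) given an address; xenbr-dmz2 has none and so does not appear.
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.99.10/24 brd 192.168.99.255 scope global eth0\\       valid_lft forever preferred_lft forever
5: xenbr-dmz    inet 10.0.0.1/24 brd 10.0.0.255 scope global xenbr-dmz\\       valid_lft forever preferred_lft forever
"""

ADDR_RE = re.compile(r"^\d+:\s+(?P<dev>\S+)\s+inet\s+(?P<cidr>\S+)", re.M)


def inet_addresses(ip_output):
    """Map interface name -> list of IPv4 CIDRs found in `ip -o -4 addr` text."""
    addrs = {}
    for m in ADDR_RE.finditer(ip_output):
        addrs.setdefault(m.group("dev"), []).append(m.group("cidr"))
    return addrs


def tethered_bridges(ip_output, dmz_bridges):
    """Return {bridge: [cidr, ...]} for DMZ bridges that carry an IP in dom0.
    Any hit means dom0 itself answers on the DMZ segment, bypassing the
    firewall domain; the fix is to remove the address, not to add a rule."""
    addrs = inet_addresses(ip_output)
    return {b: addrs[b] for b in dmz_bridges if addrs.get(b)}


def bridge_setup_commands(bridge, dummy="dummy0"):
    """Shell commands that create an IP-less bridge anchored on a dummy
    interface, so the bridge exists before any domU vif is plugged into it."""
    return [
        "modprobe dummy",
        f"brctl addbr {bridge}",
        f"brctl addif {bridge} {dummy}",
        f"ip link set {dummy} up",
        f"ip link set {bridge} up",  # deliberately no `ip addr add` on the bridge
    ]


def domu_vif_line(bridge, mac=None):
    """vif entry for a domU config file; the MAC is optional (Xen assigns one)."""
    opts = [f"bridge={bridge}"]
    if mac:
        opts.insert(0, f"mac={mac}")
    return "vif = ['" + ", ".join(opts) + "']"


def shorewall_fragments(lan_iface, dmz_iface, dmz_ports="80,443"):
    """Minimal Shorewall files for the firewall domain: default deny between
    zones, LAN may reach the listed DMZ services, DMZ never initiates to LAN.
    Column layout follows the classic Shorewall 2.x files (an assumption);
    check it against the version you run.  Inside the firewall domain the
    DMZ bridge shows up as an ordinary vif (e.g. eth2), hence dmz_iface."""
    return {
        "zones": ("#ZONE   DISPLAY  COMMENTS\n"
                  "lan     LAN      Physical LAN behind the firewall NIC\n"
                  "dmz     DMZ      domUs on the untethered bridge\n"),
        "interfaces": ("#ZONE   INTERFACE  BROADCAST\n"
                       f"lan     {lan_iface}       detect\n"
                       f"dmz     {dmz_iface}       detect\n"),
        "policy": ("#SOURCE DEST  POLICY  LOG\n"
                   "dmz     lan   REJECT  info\n"
                   "all     all   REJECT  info\n"),
        "rules": ("#ACTION SOURCE DEST PROTO DEST_PORT\n"
                  f"ACCEPT  lan    dmz  tcp   {dmz_ports}\n"),
    }


def audit(ip_output, dmz_bridges):
    """Return human-readable findings; an empty list means the bridges are clean."""
    return [f"{b} carries {', '.join(cidrs)}: remove it, dom0 must not sit on the DMZ"
            for b, cidrs in tethered_bridges(ip_output, dmz_bridges).items()]


if __name__ == "__main__":
    for finding in audit(SAMPLE_IP_ADDR, ["xenbr-dmz", "xenbr-dmz2"]):
        print("FINDING:", finding)
    print("\n".join(bridge_setup_commands("xenbr-dmz")))
    print(domu_vif_line("xenbr-dmz", "00:16:3e:00:00:01"))
    for name, body in shorewall_fragments("eth1", "eth2").items():
        print(f"--- /etc/shorewall/{name}\n{body}")
```

Run it in dom0 with the real `ip -o -4 addr show` output in place of the constructed sample; the audit should come back empty for every DMZ bridge. The policy file is default-deny in both directions, so LAN-to-DMZ access exists only for the ports listed in the rules file, which is the "appropriate firewall rules" piece of the reply; widening it is a per-service decision, not a change to the policy line.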
