
RE: [Xen-users] xen bridged network config woes [repost w/apology]



9:57pm Ali Roze said:

> On Mon, 5 Feb 2007 19:43:17 -0800 (PST), "Curtis Doty"
> <Curtis@xxxxxxxxxxxx> said:
> > Actually it can. If his upstream/ISP was designed by a Cisco engineer for 
> > single-server-per-port hosting, then it is conceivable they use "port 
> > security" to restrict access.
> 
> I just heard back from them. The word is that if an unexpected MAC were
> to show up, a security measure in the switch would simply shut it down
> until someone from the ISP can look at it. Since that has never
> happened, by definition my domU's packets have never even left the box
> and reached the switch! They were kind of amazed to find out from me
> that Xen makes up MAC addresses that may change for the same IP by
> default, and instructed me to define a single MAC address for each IP in
> my xen config, and give it to them so that they can tell the switch not
> to shut down.
> 

Yep. It would appear that I guessed totally on target here. :-p Depending 
on the architecture, you may be able to get them to do this on your access 
interface:

        port security max-mac-count 2

Since it appears you are hosting all the other ip addresses on Dom0, you 
only need *one* additional DomU MAC (in addition to your existing Dom0 
MAC) to swim up the bridge.

This really isn't an issue of security in the malicious "bad guy" sense. 
But more of a security design element that prevents catastrophe when some 
night-shift lackey plugs the wrong cable into the wrong port. :-/

(Never happened to me. Nope. Not once. Never. No way. Un uh. Impossible.)

> > suggestion to try routing instead.
> 
> I don't understand networking very well, which is why I just went with
> bridging because I understood from reading the Wiki that it was the
> It-Just-Works default. Aside from switching to the routing scripts in my
> xend-config.sxp, what do I need to do to make this work?

This actually adds complexity because, without re-design, it requires 
something called proxy ARP. I.e. your Dom0 presents its own layer two MAC 
on the wire so your other DomUs don't have to. Plus it requires more 
netfilter tweaks.

> 
> > Ali, are the other addresses in your /29 netblock also for use only on 
> > your one server? (vips)
> 
> I'm not sure I understand your question, but I'll try to answer it
> anyway. As configured by the host, the IPs were all assigned to my
> server, in the rc.local file. 94.226 is my main eth0 IP and the others
> are all aliases on eth0:227, eth0:228, eth0:229 and eth0:230. 
> 

Yes you have answered it. Your upstream ISP is not Xen-aware, and is 
probably setup for a single layer two MAC per port. Hopefully you can now 
justify to them why you need just one more.

../C
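A worked example of the fix the thread arrives at (pin one MAC per domU so the access port only ever sees a fixed set of addresses, and count how many that is for the port-security limit). This is an added example, not code from the thread or from the Xen project. It parses the Python-syntax `vif = [...]` line of a Xen domain config, assigns any interface lacking an explicit `mac=` a deterministic address in Xen's 00:16:3e OUI (the OUI xend's auto-generated MACs use; deriving the low three bytes from a SHA-256 of the domain name is this example's choice, not xend's), and reports how many addresses the switch port must admit (dom0's own MAC plus one per domU vif). The sample config, the domain names and the dom0 MAC are constructed for illustration.

```python
"""Pin Xen domU MAC addresses so a port-security rule on the upstream switch
always sees the same small set of addresses.

Added example (not from the original thread or the Xen project).  The sample
config, domain names and dom0 MAC below are constructed.  Deriving the pinned
address from a hash of the domain name is this example's own convention.
"""
import ast
import hashlib
import re

XEN_OUI = "00:16:3e"  # OUI used by xend for auto-generated domU MACs
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_vif_line(config_text):
    """Return the list of vif strings from the config's ``vif = [...]`` assignment.

    Xen domain configs are Python syntax, so ast handles them without exec().
    """
    for node in ast.parse(config_text).body:
        if isinstance(node, ast.Assign) and any(
            isinstance(t, ast.Name) and t.id == "vif" for t in node.targets
        ):
            return ast.literal_eval(node.value)
    return []


def vif_options(vif):
    """Split 'mac=..., bridge=xenbr0' into an ordered dict of key -> value."""
    opts = {}
    for part in vif.split(","):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        opts[key.strip()] = value.strip()
    return opts


def stable_mac(domain_name, index):
    """Deterministic 00:16:3e:xx:xx:xx address for vif <index> of <domain_name>.

    Same inputs always give the same MAC, so reboots never surprise the switch.
    """
    digest = hashlib.sha256(f"{domain_name}/{index}".encode()).digest()
    return XEN_OUI + "".join(f":{b:02x}" for b in digest[:3])


def pin_macs(config_text, domain_name):
    """Return (pinned vif list, list of MACs); every vif gets an explicit mac=.

    An existing well-formed mac= is kept (lower-cased); a missing or malformed
    one is replaced with a stable address.
    """
    pinned, macs = [], []
    for i, vif in enumerate(parse_vif_line(config_text)):
        opts = vif_options(vif)
        mac = opts.get("mac", "").lower()
        if not MAC_RE.match(mac):
            mac = stable_mac(domain_name, i)
        opts["mac"] = mac
        macs.append(mac)
        pinned.append(", ".join(f"{k}={v}" for k, v in opts.items()))
    return pinned, macs


def port_security_max(dom0_mac, domu_macs):
    """Distinct MACs the access port must allow: dom0's plus each domU vif."""
    return len({dom0_mac.lower(), *(m.lower() for m in domu_macs)})


def render_vif_line(pinned):
    """Render the corrected vif line in the config file's own syntax."""
    return "vif = [ " + ", ".join(repr(v) for v in pinned) + " ]"


# Constructed sample: a domU whose vif has no mac=, so xend would invent a
# fresh one on every boot and trip the upstream port-security rule.
SAMPLE_CONFIG = """
kernel = "/boot/vmlinuz-2.6-xen"
memory = 256
name = "web1"
vif = [ 'bridge=xenbr0' ]
disk = [ 'phy:/dev/vg0/web1,hda1,w' ]
"""

if __name__ == "__main__":
    pinned, macs = pin_macs(SAMPLE_CONFIG, "web1")
    print(render_vif_line(pinned))
    # constructed dom0 MAC; the result is the value to give the ISP
    print("port security max-mac-count", port_security_max("00:0c:29:11:22:33", macs))
```

Run it against a real domain config and hand the printed `vif` line and the count to the ISP; the count is what goes into the switch's per-port MAC limit (two in the thread's case: dom0 plus a single domU).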


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

