Re: [Xen-users] transparant (secure) bridge
Hi,

On Wednesday, 18 June 2008 23:56, Michael Kershaw wrote:
> What you've described here, is what I'm working on right now. I've
> setup my dom0 with two nics bonded as bond0. I'm going to be running
> say 3 or 4 vm's on this host that will each have their own static
> ip's. I just haven't figured out how to make it all work as far as
> the vm's networking is concerned. Do you recall the steps that you
> performed to make your setup work?

Yes. First, you need to make the bond interface active-passive, otherwise it will conflict with the bridge:

    modprobe bonding mode=1 miimon=100

I put this in /etc/modules:

    bonding mode=1 miimon=100

On my Debian machines I set up the network with /etc/network/interfaces:

    auto bond0
    iface bond0 inet manual
        pre-up ifconfig bond0 up
        pre-up ifenslave bond0 eth2 eth3
        pre-down ifenslave -d bond0 eth2 eth3

As you see, I use eth2 and eth3 as network interfaces for bonding. I also use VLANs on top of the bonding, so I set up my xenbr0 in /etc/network/interfaces for VLAN 2 as follows:

    auto xenbr0
    iface xenbr0 inet manual
        vlan-raw-device bond0
        bridge_ports bond0.2
        bridge_fd 0
        bridge_stp off
        post-up ip link set xenbr0 arp off
        post-up ip link set xenbr0 multicast off

Other bridges with VLANs can be made in /etc/network/interfaces. Here is an example with VLAN 3:

    auto xenbr3
    iface xenbr3 inet manual
        vlan-raw-device bond0
        bridge_ports bond0.3
        bridge_fd 0
        bridge_stp off
        post-up ip link set xenbr3 arp off
        post-up ip link set xenbr3 multicast off

If you don't want to (or can't) use VLANs you can use:

    auto xenbr0
    iface xenbr0 inet manual
        bridge_ports bond0
        bridge_fd 0
        bridge_stp off
        post-up ip link set xenbr0 arp off
        post-up ip link set xenbr0 multicast off

For the bridge I use no spanning tree protocol and my forward delay is 0. Because there are no IP addresses on my bridge, I don't need ARP and multicast on this interface. With this setup I can use xenbr0 or xenbr3 as bridge targets in my domU Xen configurations.

Be sure that no Xen script is trying to make any bridge for you! For this I set

    (network-script network-dummy)

in /etc/xen/xend-config.sxp.

On the other side of your real network interfaces you need a router with an IP. This IP will be your default gateway for the domUs. In my setup I have a firewall cluster for this, otherwise bonding will be really needless.

PS: I'm using Debian 4.0 for this setup without any specials.

--
greetings
eMHa

Attachment:
pgp11_1RNXlSp.pgp
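
Added example, not part of eMHa's mail: a small shell audit that checks command output against the settings the mail describes (bond in active-backup mode, bridge with ARP and multicast off and no address bound). The function names and the sample outputs are constructed for illustration, and treating an inet6 address as a failure is this example's assumption.

```shell
#!/bin/sh
# Added example: audit the dom0 bridge/bond state described in the mail.
# Each check takes command output as text, so it also runs offline.
# Live use (as root on dom0):
#   audit "$(cat /proc/net/bonding/bond0)" "$(ip link show xenbr0)" \
#         "$(ip -o addr show dev xenbr0)"

# /proc/net/bonding/bond0 must report active-backup (bonding mode=1).
bond_is_active_backup() {
    printf '%s\n' "$1" | grep -q '^Bonding Mode:.*(active-backup)'
}

# `ip link show <bridge>`: NOARP must be set and MULTICAST must be absent.
bridge_link_is_quiet() {
    flags=$(printf '%s\n' "$1" | sed -n '1s/^[^<]*<\([^>]*\)>.*/\1/p')
    case ",$flags," in *,NOARP,*) ;; *) return 1 ;; esac
    case ",$flags," in *,MULTICAST,*) return 1 ;; esac
    return 0
}

# `ip -o addr show dev <bridge>`: no address may be bound to the bridge.
# Counting inet6 as a failure is an assumption of this example.
bridge_has_no_ip() {
    ! printf '%s\n' "$1" | grep -Eq '[[:space:]]inet6?[[:space:]]'
}

# All three checks must pass for the bridge to match the described setup.
audit() {
    bond_is_active_backup "$1" && bridge_link_is_quiet "$2" && bridge_has_no_ip "$3"
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_BOND='Ethernet Channel Bonding Driver
Bonding Mode: fault-tolerance (active-backup)
Currently Active Slave: eth2
MII Polling Interval (ms): 100'
SAMPLE_BOND_BAD='Bonding Mode: load balancing (round-robin)'
SAMPLE_LINK='5: xenbr0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue
    link/ether 00:16:3e:00:00:01 brd ff:ff:ff:ff:ff:ff'
SAMPLE_LINK_BAD='5: xenbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue'
SAMPLE_ADDR=''
SAMPLE_ADDR_BAD='5: xenbr0    inet 192.0.2.10/24 brd 192.0.2.255 scope global xenbr0'

audit "$SAMPLE_BOND" "$SAMPLE_LINK" "$SAMPLE_ADDR" && echo "constructed sample: OK"
```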