
Re: [SPAM] Re: [Xen-users] DomU(s) in different subnets


  • To: Xen User-List <xen-users@xxxxxxxxxxxxxxxxxxx>
  • From: "Fajar A. Nugraha" <fajar@xxxxxxxxx>
  • Date: Fri, 18 Dec 2009 21:26:16 +0700
  • Delivery-date: Fri, 18 Dec 2009 06:26:55 -0800
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

On Fri, Dec 18, 2009 at 5:07 AM, Freddie Cash <fjwcash@xxxxxxxxx> wrote:
> On Thu, Dec 17, 2009 at 1:59 PM, Sachin Goel <SACHIN.GOEL@xxxxxxxxxx> wrote:
>>
>> Isn't it possible that with only one bridge we have the virtual machines
>> in different physical subnets, if the gateway is configured to handle that ?
>
> With only 1 bridge, you only have 1 physical network connection, thus you
> only have 1 physical network.  You can have multiple logical subnets
> configured to use that network (192.168.0.0/24, 192.168.1.0/24,
> 192.168.2.0/24, etc).  But it's only 1 physical subnet.  (Although, I guess
> "subnet" is the wrong terminology here.)

I believe the correct term is "ethernet broadcast domain" instead of
"physical subnet".

With that setup, if you assign a domU to be on 192.168.1.0/24, then it
can simply add an IP address located on 192.168.2.0/24 (or others)
since the traffic will be on the same ethernet broadcast domain. Not
good in terms of security.

IMHO a better approach is to use vlans. That is:
- you have one (or more) uplink interfaces from dom0 to the switch/router,
configured as a trunk with multiple allowed vlans. For this example,
let's assume there are 11 vlans, 10 - 20. Each of those vlans is
connected to an existing network, with an existing gateway. vlan10 is used
by 192.168.0.0/24, vlan11 is used by 192.168.1.0/24, and so on. If you
have more than one interface, you can configure them to use bonding.
- you assign one IP for dom0 in one of those vlans (let's assume this
is vlan 10). This will be used for dom0 management.
- you create bridges (let's call them br11 - br20) for the other vlans in
dom0 (vlan 11-20), but do NOT assign an IP address on dom0 for those
bridges.
- assign domUs to one of those bridges as necessary.

In this networking setup, dom0 functions just like a L2 switch. This
is what I use on my setup.
This setup is better because a domU located on 192.168.1.0/24 can't
just use an IP address on 192.168.2.0/24 since they'd be on different
vlans (thus different ethernet broadcast domains).

-- 
Fajar
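The vlan-per-bridge layout from the reply above, as an added example that is not part of the original post or the Xen project: it assumes a Linux dom0 with iproute2, a trunk uplink named eth0 (or a bond), dom0 management on vlan 10, and domU bridges br11..br20 carrying vlans 11..20 with no dom0 address on them; the MGMT_CIDR value is a constructed sample. The second function is a check the post implies but does not spell out: it fails if any domU bridge has picked up an IPv4 address in dom0.

```shell
#!/bin/sh
# Added example, not code from the post: builds the vlan-per-bridge layout
# described above on a Linux dom0 with iproute2.  Assumptions: the trunk
# uplink is eth0 (or a bond), dom0 management is on vlan 10, and domU
# bridges br11..br20 carry vlans 11..20 with no dom0 IP address on them.
set -eu

UPLINK="${UPLINK:-eth0}"                       # assumed trunk interface
MGMT_CIDR="${MGMT_CIDR:-192.168.0.2/24}"       # constructed sample address

# Print the iproute2 commands for one vlan sub-interface and one bridge per
# vlan in [first, last].  Output only: pipe into `sh -e` as root to apply.
vlan_bridge_cmds() {                           # args: first_vlan last_vlan uplink
    first=$1; last=$2; up=$3
    [ "$first" -ge 1 ] && [ "$last" -le 4094 ] && [ "$first" -le "$last" ] || return 1
    v=$first
    while [ "$v" -le "$last" ]; do
        echo "ip link add link $up name $up.$v type vlan id $v"
        echo "ip link add name br$v type bridge"
        echo "ip link set $up.$v master br$v"
        echo "ip link set $up.$v up"
        echo "ip link set br$v up"
        v=$((v + 1))
    done
}

# Check: a domU bridge that picks up a dom0 IP (DHCP, a typo in a config)
# puts dom0 itself on the guests' vlan and lets it route between vlans.
# Reads `ip -4 -o addr` output on stdin; fails if any br<first>..br<last>
# carries an IPv4 address.
bridges_have_no_ip() {                         # args: first_vlan last_vlan
    awk -v first="$1" -v last="$2" '
        $2 ~ /^br[0-9]+$/ { n = substr($2, 3) + 0
                            if (n >= first && n <= last) bad++ }
        END { exit (bad > 0) }'
}

if [ "${APPLY:-0}" = 1 ]; then                 # root required
    # management vlan: the only place dom0 gets an address
    ip link add link "$UPLINK" name "$UPLINK.10" type vlan id 10
    ip link set "$UPLINK.10" up
    ip addr add "$MGMT_CIDR" dev "$UPLINK.10"
    # domU vlans: bridges only, no address
    vlan_bridge_cmds 11 20 "$UPLINK" | sh -e
    ip -4 -o addr | bridges_have_no_ip 11 20 || echo "WARNING: a domU bridge has an IP" >&2
fi
```

Run without APPLY to review the generated commands; with APPLY=1 as root it creates the interfaces and then runs the no-IP check against the live dom0.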

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users