Pasi Kärkkäinen
2007-Feb-26 13:40 UTC
[Fedora-xen] Xen network bridge questions (using network configuration tools provided by distribution)
Hi list!

I'm trying to figure out a way to use network configuration scripts provided by the distribution to manage network/bridge configuration with xen. This means I don't want to use the xen "network-bridge" (or any other) script at all, because they are a bit limited in functionality.

I want to set up VLAN interfaces with the scripts/tools provided by the distribution, and bridge each VLAN separately, so I can flexibly assign (and manage) specific VLANs to domUs. This does not work with the default xen network-bridge script (the black magic it does seems to fail with VLAN interfaces).

Example configuration:

peth0.X == xenbrX
peth0.Y == xenbrY
peth1.Z == xenbrZ
peth1.W == xenbrW

Default Xen network-bridge script does the following (in addition to other things):

1. Changes the MAC-address of peth0 to FE:FF:FF:FF:FF:FF. If I have another physical interface, peth1, can it have the same MAC address, or does it have to be different?
2. Sets peth0 to NOARP (disables ARP). Why is this? Is it a requirement?
3. Sets xenbr0 to NOARP. Same question goes for this.

I have a working setup with FC6 network scripts/tools, but I'd like to make sure I do the correct things.

Thanks!

-- Pasi
Bertho Stultiens
2007-Feb-26 14:13 UTC
Re: [Fedora-xen] Xen network bridge questions (using network configuration tools provided by distribution)
Pasi Kärkkäinen wrote:
[snip]
> 1. Changes the MAC-address of peth0 to FE:FF:FF:FF:FF:FF. If I have another
> physical interface, peth1, can it have the same MAC address, or does it have
> to be different?

In principle, all unicast MACs in a broadcast domain have to be unique. Each vlan is a broadcast domain, so that is fine. However, the kernel has a slightly different view of the interfaces and I am not sure that it can keep everything properly isolated. The FE:FF..FF addresses are fake anyway and should be local only. There are then the STP problems you can run into depending on whether you have all isolated STP instances for each vlan/interface.

To make a long story short :), use unique MACs to avoid problems. You can use them f.ex. from the 00:01:01, 10:00:00, ac:de:48... (and there are more private MAC pools defined; see http://standards.ieee.org/regauth/oui/oui.txt and look for PRIVATE).

[do not use MAC addresses with an odd numbered high octet; these are reserved for multicast/broadcast]

> 2. Sets peth0 to NOARP (disables ARP). Why is this? Is it a requirement?
> 3. Sets xenbr0 to NOARP. Same question goes for this.

The NOARP is because you do not want the interfaces to answer to arp requests. Neither interface has an IP address assigned, so they are to be local only and their MAC should not propagate. It is a requirement so far as to have them shut up...

> I have working setup with FC6 network scripts/tools, but I'd like to make
> sure I do the correct things.

If you also could post your resulting scripts or make a micro-howto, that would be great too. Polishing can be done on the list I guess.

--
Greetings Bertho

Bertho Stultiens
Senior Systems Manager
Mobilethink A/S
Pasi Kärkkäinen
2007-Feb-27 18:17 UTC
Re: [Fedora-xen] Xen network bridge questions (using network configuration tools provided by distribution)
On Mon, Feb 26, 2007 at 03:13:04PM +0100, Bertho Stultiens wrote:
> Pasi Kärkkäinen wrote:
> [snip]
> > 1. Changes the MAC-address of peth0 to FE:FF:FF:FF:FF:FF. If I have another
> > physical interface, peth1, can it have the same MAC address, or does it have
> > to be different?
>
> In principle, all unicast MACs in a broadcast domain have to be unique.
> Each vlan is a broadcast domain, so that is fine. However, the kernel
> has a slightly different view of the interfaces and I am not sure that
> it can keep everything properly isolated. The FE:FF..FF addresses are
> fake anyway and should be local only. There are then the STP problems you
> can run into depending on whether you have all isolated STP instances
> for each vlan/interface.
>
> To make a long story short :), use unique MACs to avoid problems. You
> can use them f.ex. from the 00:01:01, 10:00:00, ac:de:48... (and there
> are more private MAC pools defined; see
> http://standards.ieee.org/regauth/oui/oui.txt and look for PRIVATE).
>
> [do not use MAC addresses with an odd numbered high octet; these are
> reserved for multicast/broadcast]
>

OK. Thanks. Because peth* and xenbr* have NOARP, it should be ok to use fake MAC-addresses, for example:

peth0 FE:FF:FF:FF:FF:00
peth1 FE:FF:FF:FF:FF:01
etc.

Or should I use some of the PRIVATE address ranges from that doc?

> > 2. Sets peth0 to NOARP (disables ARP). Why is this? Is it a requirement?
> > 3. Sets xenbr0 to NOARP. Same question goes for this.
>
> The NOARP is because you do not want the interfaces to answer to arp
> requests. Neither interface has an IP address assigned, so they are to
> be local only and their MAC should not propagate. It is a requirement so
> far as to have them shut up...
>

OK.

> > I have working setup with FC6 network scripts/tools, but I'd like to make
> > sure I do the correct things.
>
> If you also could post your resulting scripts or make a micro-howto,
> that would be great too. Polishing can be done on the list I guess.
>

I'll do it after I've tested them properly :)

-- Pasi
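
A check for the two MAC rules raised in this thread (one unique address per interface, no odd first octet), as an added example that is not part of the original posts. The function names mac_class and check_plan are hypothetical, and the sample plan is constructed from the addresses proposed above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample input is constructed.

# Classify a MAC by the two low bits of its first octet.
# Prints one of: invalid, multicast, local-unicast, global-unicast
mac_class() {
    local mac first
    mac=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    if ! printf '%s\n' "$mac" | grep -Eq '^([0-9A-F]{2}:){5}[0-9A-F]{2}$'; then
        echo invalid
        return 0
    fi
    first=$((0x${mac%%:*}))
    if [ $((first % 2)) -eq 1 ]; then
        echo multicast          # group bit set: odd first octet
    elif [ $((first / 2 % 2)) -eq 1 ]; then
        echo local-unicast      # locally administered, e.g. FE:...
    else
        echo global-unicast     # vendor (OUI) assigned range
    fi
}

# Read "interface mac" lines on stdin and print one line per problem:
# a malformed or multicast address, or a MAC already given to an earlier
# interface. Returns 0 for a clean plan, 1 otherwise.
check_plan() {
    local iface mac cls seen bad
    seen=""
    bad=0
    while read -r iface mac; do
        [ -n "$iface" ] || continue
        mac=$(printf '%s' "$mac" | tr 'a-f' 'A-F')
        cls=$(mac_class "$mac")
        case "$cls" in
            invalid|multicast) echo "$iface $mac: $cls"; bad=1 ;;
        esac
        case " $seen " in
            *" $mac "*) echo "$iface $mac: duplicate"; bad=1 ;;
        esac
        seen="$seen $mac"
    done
    return "$bad"
}

# Constructed plan using the addresses proposed in the thread.
printf '%s\n' 'peth0 FE:FF:FF:FF:FF:00' 'peth1 FE:FF:FF:FF:FF:01' |
    check_plan && echo "plan ok"
```

Comparison is case-insensitive, so the same address written in upper and lower case on two interfaces is reported as a duplicate.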