Xen users - Feb 2008 - Is this simplest path to subnets?

I''ve been making my brain hurt by reading up on xen networking,
and I wonder if I finally understand the simplest path to getting
my virtual machines on a separate subnet:

In the physical world, if I hook two subnets to a linux box with
two ethernet cards, all I need is some routing commands on that
gateway box, and the subnets can talk to one another.

In the virtual world, I''m thinking the simplest to understand
equivalent is to create a dummy ethernet interface in
/etc/network/interfaces so it gets brought up as soon as the
Dom0 boots.

Then tell the standard network-bridge script to use the dummy
interface as the "netdev", but other than that, use the default
bridge scripts (including the default vif-bridge).

If I''m even close to understanding this now, the original physical
eth0 on the Dom0 will be completely left alone by xen, and if I setup
static routes between it and the dummy ehternet, then my physical
and virtual subnets will be able to talk just like in the
two physical subnet case.

Does this make any sense at all? Am I pointing in a direction
that might work?

Thanks for any insight you can provide.

(I''m not interested in firewalls and NAT and that other brain
exploding nonsense yet, I just want to see the simplest case
working first :-).
 

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

I did a similar setup by

modprobe dummy
ifconfig dummy0 up

and using a wrapper script for network-bridge to setup bridges
for eth0 and dummy0 (i also wanted eth0 bridged)

this generally works, but i suspect this bridge as reason for
dom0 freeze on heavy net-io... maybe someone can confirm problems
with dummy bridges?


Tom Horsley schrieb:
> I''ve been making my brain hurt by reading up on xen networking,
> and I wonder if I finally understand the simplest path to getting
> my virtual machines on a separate subnet:
> 
> In the physical world, if I hook two subnets to a linux box with
> two ethernet cards, all I need is some routing commands on that
> gateway box, and the subnets can talk to one another.
> 
> In the virtual world, I''m thinking the simplest to understand
> equivalent is to create a dummy ethernet interface in
> /etc/network/interfaces so it gets brought up as soon as the
> Dom0 boots.
> 
> Then tell the standard network-bridge script to use the dummy
> interface as the "netdev", but other than that, use the default
> bridge scripts (including the default vif-bridge).
> 
> If I''m even close to understanding this now, the original physical
> eth0 on the Dom0 will be completely left alone by xen, and if I setup
> static routes between it and the dummy ehternet, then my physical
> and virtual subnets will be able to talk just like in the
> two physical subnet case.
> 
> Does this make any sense at all? Am I pointing in a direction
> that might work?
> 
> Thanks for any insight you can provide.
> 
> (I''m not interested in firewalls and NAT and that other brain
> exploding nonsense yet, I just want to see the simplest case
> working first :-).
>  
> 
> _______________________________________________
> Xen-users mailing list
> Xen-users@lists.xensource.com
> http://lists.xensource.com/xen-users

-- 
Stephan Seitz
Senior System Administrator

*netz-haut* e.K.
multimediale kommunikation

zweierweg 22
97074 würzburg

fon: +49 931 2876247
fax: +49 931 2876248

web: www.netz-haut.de <http://www.netz-haut.de/>

registriergericht: amtsgericht würzburg, hra 5054



_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

On Tuesday 19 February 2008 23:55:58 Stephan Seitz
wrote:
> I did a similar setup by
>
> modprobe dummy
> ifconfig dummy0 up
>
> and using a wrapper script for network-bridge to setup bridges
> for eth0 and dummy0 (i also wanted eth0 bridged)
>
I do this, in a very similar wrapping you use. 
> this generally works, but i suspect this bridge as reason for
> dom0 freeze on heavy net-io... maybe someone can confirm problems
> with dummy bridges?
But I don''t find any freeze problems with high I/O, and believe me I
have four
on productions server with great load on network and I trying various 
benchmarking tests between VMs and copy huge amount of data between them. I 
already stop a low cost Encore switch in one of this tests ;-)
>
> Tom Horsley schrieb:
> > I''ve been making my brain hurt by reading up on xen
networking,
> > and I wonder if I finally understand the simplest path to getting
> > my virtual machines on a separate subnet:
I create a config similar a level 2 bastion firewall with a dmz. The two 
gateways to server the edges (one to LAN and other to WAN) has two separate 
bridges each like the diagram bellow

WAN---(Brdige WAN)---[VM1]---(Bridge DMZ)---[VM2]---(Bridge LAN)---LAN

The VMs side connected on physical interface (WAN and LAN) has the normal 
config. The side on bridge DMZ has any number of VMs limited by the hardware 
attached with dummy if. I have some delay here, but it''s not
noticiable.
> >
> > In the physical world, if I hook two subnets to a linux box with
> > two ethernet cards, all I need is some routing commands on that
> > gateway box, and the subnets can talk to one another.
Yes I did this too.
> >
> > In the virtual world, I''m thinking the simplest to understand
> > equivalent is to create a dummy ethernet interface in
> > /etc/network/interfaces so it gets brought up as soon as the
> > Dom0 boots.
> >
> > Then tell the standard network-bridge script to use the dummy
> > interface as the "netdev", but other than that, use the
default
> > bridge scripts (including the default vif-bridge).
> >
> > If I''m even close to understanding this now, the original
physical
> > eth0 on the Dom0 will be completely left alone by xen, and if I setup
> > static routes between it and the dummy ehternet, then my physical
> > and virtual subnets will be able to talk just like in the
> > two physical subnet case.
> >
> > Does this make any sense at all? Am I pointing in a direction
> > that might work?
> >
> > Thanks for any insight you can provide.
> >
> > (I''m not interested in firewalls and NAT and that other brain
> > exploding nonsense yet, I just want to see the simplest case
> > working first :-).
You in the right way. I almost explode my brain in the first time, and I stay 
one week inside this problem. But now, its appear to be all right.
> >
> >
> > _______________________________________________
> > Xen-users mailing list
> > Xen-users@lists.xensource.com
> > http://lists.xensource.com/xen-users


_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

The way I do it these days is just to set up a bridge outside xen with 
an ip address.  You don''t need a network script in the xen config that 
way.  Then you can just add your domU interfaces to the bridge, and 
route between the bridge device and the physical device.

    John


Valter Douglas Lisbôa Jr. wrote:
> On Tuesday 19 February 2008 23:55:58 Stephan Seitz wrote:
>   
>> I did a similar setup by
>>
>> modprobe dummy
>> ifconfig dummy0 up
>>
>> and using a wrapper script for network-bridge to setup bridges
>> for eth0 and dummy0 (i also wanted eth0 bridged)
>>
>>     
> I do this, in a very similar wrapping you use. 
>
>   
>> this generally works, but i suspect this bridge as reason for
>> dom0 freeze on heavy net-io... maybe someone can confirm problems
>> with dummy bridges?
>>     
> But I don''t find any freeze problems with high I/O, and believe me
I have four
> on productions server with great load on network and I trying various 
> benchmarking tests between VMs and copy huge amount of data between them. I
> already stop a low cost Encore switch in one of this tests ;-)
>
>   
>> Tom Horsley schrieb:
>>     
>>> I''ve been making my brain hurt by reading up on xen
networking,
>>> and I wonder if I finally understand the simplest path to getting
>>> my virtual machines on a separate subnet:
>>>       
> I create a config similar a level 2 bastion firewall with a dmz. The two 
> gateways to server the edges (one to LAN and other to WAN) has two separate
> bridges each like the diagram bellow
>
> WAN---(Brdige WAN)---[VM1]---(Bridge DMZ)---[VM2]---(Bridge LAN)---LAN
>
> The VMs side connected on physical interface (WAN and LAN) has the normal 
> config. The side on bridge DMZ has any number of VMs limited by the
hardware
> attached with dummy if. I have some delay here, but it''s not
noticiable.
>
>   
>>> In the physical world, if I hook two subnets to a linux box with
>>> two ethernet cards, all I need is some routing commands on that
>>> gateway box, and the subnets can talk to one another.
>>>       
> Yes I did this too.
>
>   
>>> In the virtual world, I''m thinking the simplest to
understand
>>> equivalent is to create a dummy ethernet interface in
>>> /etc/network/interfaces so it gets brought up as soon as the
>>> Dom0 boots.
>>>
>>> Then tell the standard network-bridge script to use the dummy
>>> interface as the "netdev", but other than that, use the
default
>>> bridge scripts (including the default vif-bridge).
>>>
>>> If I''m even close to understanding this now, the original
physical
>>> eth0 on the Dom0 will be completely left alone by xen, and if I
setup
>>> static routes between it and the dummy ehternet, then my physical
>>> and virtual subnets will be able to talk just like in the
>>> two physical subnet case.
>>>
>>> Does this make any sense at all? Am I pointing in a direction
>>> that might work?
>>>
>>> Thanks for any insight you can provide.
>>>
>>> (I''m not interested in firewalls and NAT and that other
brain
>>> exploding nonsense yet, I just want to see the simplest case
>>> working first :-).
>>>       
> You in the right way. I almost explode my brain in the first time, and I
stay
> one week inside this problem. But now, its appear to be all right.
>
>   
>>> _______________________________________________
>>> Xen-users mailing list
>>> Xen-users@lists.xensource.com
>>> http://lists.xensource.com/xen-users
>>>       
>
>
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@lists.xensource.com
> http://lists.xensource.com/xen-users
>   

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

John Morris wrote:
> The way I do it these days is just to set up a bridge outside xen with 
> an ip address.  You don''t need a network script in the xen config
that
> way.  Then you can just add your domU interfaces to the bridge, and 
> route between the bridge device and the physical device.
I don''t know which distribution you are using. Fedora, CentOS and RHEL 
would give you a solution for this out of the box through the libvirt 
which automatically creates an interface named virbr0 instead of dummy0. 
All that you have to do is enbale ip forwarding in Dom0 to route traffic 
from guests to external networks.

--Sadique
>
>    John
>
>
> Valter Douglas Lisbôa Jr. wrote:
>> On Tuesday 19 February 2008 23:55:58 Stephan Seitz wrote:
>>  
>>> I did a similar setup by
>>>
>>> modprobe dummy
>>> ifconfig dummy0 up
>>>
>>> and using a wrapper script for network-bridge to setup bridges
>>> for eth0 and dummy0 (i also wanted eth0 bridged)
>>>
>>>     
>> I do this, in a very similar wrapping you use.
>>  
>>> this generally works, but i suspect this bridge as reason for
>>> dom0 freeze on heavy net-io... maybe someone can confirm problems
>>> with dummy bridges?
>>>     
>> But I don''t find any freeze problems with high I/O, and
believe me I
>> have four on productions server with great load on network and I 
>> trying various benchmarking tests between VMs and copy huge amount of 
>> data between them. I already stop a low cost Encore switch in one of 
>> this tests ;-)
>>
>>  
>>> Tom Horsley schrieb:
>>>    
>>>> I''ve been making my brain hurt by reading up on xen
networking,
>>>> and I wonder if I finally understand the simplest path to
getting
>>>> my virtual machines on a separate subnet:
>>>>       
>> I create a config similar a level 2 bastion firewall with a dmz. The 
>> two gateways to server the edges (one to LAN and other to WAN) has 
>> two separate bridges each like the diagram bellow
>>
>> WAN---(Brdige WAN)---[VM1]---(Bridge DMZ)---[VM2]---(Bridge LAN)---LAN
>>
>> The VMs side connected on physical interface (WAN and LAN) has the 
>> normal config. The side on bridge DMZ has any number of VMs limited 
>> by the hardware attached with dummy if. I have some delay here, but 
>> it''s not noticiable.
>>  
>>>> In the physical world, if I hook two subnets to a linux box
with
>>>> two ethernet cards, all I need is some routing commands on that
>>>> gateway box, and the subnets can talk to one another.
>>>>       
>> Yes I did this too.
>>
>>  
>>>> In the virtual world, I''m thinking the simplest to
understand
>>>> equivalent is to create a dummy ethernet interface in
>>>> /etc/network/interfaces so it gets brought up as soon as the
>>>> Dom0 boots.
>>>>
>>>> Then tell the standard network-bridge script to use the dummy
>>>> interface as the "netdev", but other than that, use
the default
>>>> bridge scripts (including the default vif-bridge).
>>>>
>>>> If I''m even close to understanding this now, the
original physical
>>>> eth0 on the Dom0 will be completely left alone by xen, and if I
setup
>>>> static routes between it and the dummy ehternet, then my
physical
>>>> and virtual subnets will be able to talk just like in the
>>>> two physical subnet case.
>>>>
>>>> Does this make any sense at all? Am I pointing in a direction
>>>> that might work?
>>>>
>>>> Thanks for any insight you can provide.
>>>>
>>>> (I''m not interested in firewalls and NAT and that
other brain
>>>> exploding nonsense yet, I just want to see the simplest case
>>>> working first :-).
>>>>       
>> You in the right way. I almost explode my brain in the first time, 
>> and I stay one week inside this problem. But now, its appear to be 
>> all right.
>>
>>  
>>>> _______________________________________________
>>>> Xen-users mailing list
>>>> Xen-users@lists.xensource.com
>>>> http://lists.xensource.com/xen-users
>>>>       
>>
>>
>>
>> _______________________________________________
>> Xen-users mailing list
>> Xen-users@lists.xensource.com
>> http://lists.xensource.com/xen-users
>>   
>
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@lists.xensource.com
> http://lists.xensource.com/xen-users
>

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users