Hi,

I want to add 2 vlans by the following steps:
1. add the vlan interfaces:
vconfig add eth0 100 --vlan100
vconfig add eth0 101 --vlan101

2. modify the network-bridge script by the website,
http://wiki.xensource.com/xenwiki/XenNetworking#head-04ebcc1760dbc4678e83b116afa310dc0612dc39
Comment each time ifup or ifdown commands are executed. The reason
is that ifdown ends with error for vlan interfaces.

/etc/xen/script/network-bridge start netdev=eth0
/etc/xen/script/network-bridge start netdev=eth0.100
/etc/xen/script/network-bridge start netdev=eth0.101

Then we use brctl show, we can see eth0.100 and eth0.101 bridges is
start up. Then we start 4 xenU, 2 xenUs on each bridges.

But questions is that: I can't get the 8021q packages with ethereal
tool. I doubt that I don't setup the vlans successfully. And xenU in
the vlans can't connect the outside by using ping address.

Does anybody know about this?

Best Regards

--Li

--
Best regards
--Li

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

On Tue, Aug 11, 2009 at 10:56 AM, Zhang Li<cindy.zhangli@gmail.com> wrote:
> Then we use brctl show, we can see eth0.100 and eth0.101 bridges is
> start up. Then we start 4 xenU, 2 xenUs on each bridges.

Can you paste the output of brctl show? I doubt the built-in
network-bridge works for vlan interfaces as it involves some interface
renaming (e.g. eth0 -> peth0).

> But questions is that: I can't get the 8021q packages with ethereal
> tool.

Which interface did you run ethereal on?

> I doubt that I don't setup the vlans successfully. And xenU in
> the vlans can't connect the outside by using ping address.

For starters, for complex configurations like this I find it easier to
simply use the OS configuration scripts to setup bridge/vlans (on
redhat this would be /etc/sysconfig/network-scripts/ifcfg-*) and
comment-out networking scripts on /etc/xen/xend-config.sxp.

After that, I'd test whether vlan works before throwing in bridge and
Xen to mix. For example, I'd create eth0.100 on top of eth0, and test
it. If it works, I create br100 on top of eth0.100 and move the IP
address to br100. After it works, I tell domU to use br100 as bridge.

--
Fajar

Hi Zhang,

You should consider creating the bridges and the vlans by the distro's
networking scripts. Then use network-dummy script in xen.cfg. And use
the bridges names in the domUs configs. Xen will attach gracefully to
the bridges you create and work like a dream. :)

Regards,
Adrian

--
Deac Mihai-Adrian
W: www.mikesoftware.com
P: +40-745-256.364

On Tue, Aug 11, 2009 at 12:46 PM, Fajar A. Nugraha<fajar@fajar.net> wrote:
> On Tue, Aug 11, 2009 at 10:56 AM, Zhang Li<cindy.zhangli@gmail.com> wrote:
>> Then we use brctl show, we can see eth0.100 and eth0.101 bridges is
>> start up. Then we start 4 xenU, 2 xenUs on each bridges.
>
> Can you paste the output of brctl show? I doubt the built-in
> network-bridge works for vlan interfaces as it involves some interface
> renaming (e.g. eth0 -> peth0).

The brctl show output:

bridge name     bridge id               STP enabled     interfaces
eth0.100        8000.0024e827dae4       no              peth0.100
                                                        vif1.0
                                                        vif2.0
eth0.101        8000.0024e827dae4       no              peth0.101
                                                        vif3.0
                                                        vif4.0
eth0            8000.0024e827dae4       no              peth0

>> But questions is that: I can't get the 8021q packages with ethereal
>> tool.
>
> Which interface did you run ethereal on?

I run ethereal on eth0.

>> I doubt that I don't setup the vlans successfully. And xenU in
>> the vlans can't connect the outside by using ping address.
>
> For starters, for complex configurations like this I find it easier to
> simply use the OS configuration scripts to setup bridge/vlans (on
> redhat this would be /etc/sysconfig/network-scripts/ifcfg-*) and
> comment-out networking scripts on /etc/xen/xend-config.sxp.
>
> After that, I'd test whether vlan works before throwing in bridge and
> Xen to mix. For example, I'd create eth0.100 on top of eth0, and test
> it. If it works, I create br100 on top of eth0.100 and move the IP
> address to br100. After it works, I tell domU to use br100 as bridge.

Thanks for your suggestion, I will have a try.

> --
> Fajar

--
Best regards
--Li

Hi, Fajar

> After that, I'd test whether vlan works before throwing in bridge and
> Xen to mix. For example, I'd create eth0.100 on top of eth0, and test
> it. If it works, I create br100 on top of eth0.100 and move the IP
> address to br100. After it works, I tell domU to use br100 as bridge.

I tried the way you told me, everything is OK. eth0.100 works, br100
works and I tell domU to use br100.
And then assign one IP ADDRESS to it. it can't ping the address of
outside internet.

Another question, does the domain U must need the 8021Q? When one
DomainU send one frame to another, will the bridge add the tag to the
frame with 8021Q?

I have some experiment here:

If domain U use the 8021Q module, it will add the tag to the frame by
itself and the vlan is setup, bridge doesn't need to add tag. But if
domain U doesn't use 8021Q module, I think the bridge will add the tag
to the frame, the problem of I have told still exists. I am confused.

--
Best regards
--Li

On Tue, Aug 11, 2009 at 4:31 PM, Zhang Li<cindy.zhangli@gmail.com> wrote:
> Hi, Fajar
>
>> After that, I'd test whether vlan works before throwing in bridge and
>> Xen to mix. For example, I'd create eth0.100 on top of eth0, and test
>> it. If it works, I create br100 on top of eth0.100 and move the IP
>> address to br100. After it works, I tell domU to use br100 as bridge.
>
> I tried the way you told me, everything is OK. eth0.100 works, br100
> works and I tell domU to use br100.
> And then assign one IP ADDRESS to it. it can't ping the address of
> outside internet.

OK one at a time :D
By "br100 works", does that mean if you put IP address on that
interface, you can access outside world (or at least other hosts also
located on vlan100)?

By "And then assign one IP ADDRESS to it. it can't ping the address of
outside internet.", does that mean you put IP address on domU but it
can't access anywhere? If yes, do a ping from domU and a tcpdump on
br100 and eth0.100, see which packets are missing (does arp receives
no reply? or is it only the icmp echo/reply gone missing)

Another thing to check. Are you using old broadcom NIC with tg3
driver? If yes, it's probably firmware problem. On one of my machines
I can't get bridging to work until I updated its firmware.

> Another question, does the domain U must need the 8021Q? When one
> DomainU send one frame to another, will the bridge add the tag to the
> frame with 8021Q?
>
> I have some experiment here:
>
> If domain U use the 8021Q module, it will add the tag to the frame by
> itself and the vlan is setup, bridge doesn't need to add tag. But if
> domain U doesn't use 8021Q module, I think the bridge will add the tag
> to the frame, the problem of I have told still exists. I am confused.

I'm not sure I understand your question. However you can do these:
Scenario 1: you can have eth0, create a bridge on top of it, share it
with domU, and do vlans in domU. It will work if you do NOT create the
same vlan on dom0 (e.g. do not create eth0.100 on dom0, create it only
on domUs). You may also need to set
/proc/sys/net/bridge/bridge-nf-filter-vlan-tagged to 0 (not quite sure
about this, as it has been a long time since I pass a trunk :P). From
domU perspective this is similar with connecting to a switch using a
trunk port.

Scenario2: you can do vlans on dom0, create a bridge for each vlans,
and tell domU to use the bridge. From domU perspective this is similar
with connecting to a switch using an access port.

--
Fajar

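
Added example, not part of the thread: the two scenarios in the message above differ in which VLANs a guest can reach, so it is worth auditing which guests sit on which kind of bridge. This script parses `brctl show` output and labels each bridge as access (uplink is a VLAN sub-interface) or trunk (uplink is the untagged NIC); the sample output, its bridge ids and the `xenbr0` name are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit `brctl show` output on dom0.
# A bridge whose uplink is a VLAN sub-interface (eth0.100) behaves like an
# access port; a bridge on the untagged NIC (eth0) behaves like a trunk,
# and guests on it can see and send tagged frames for every VLAN.

# Constructed sample in brctl's layout; bridge ids and names are made up.
SAMPLE='bridge name     bridge id               STP enabled     interfaces
br100           8000.001122334455       no              eth0.100
                                                        vif1.0
                                                        vif2.0
br101           8000.001122334455       no              eth0.101
                                                        vif3.0
xenbr0          8000.001122334455       no              eth0
                                                        vif4.0'

# Print one line per bridge: "<bridge> access vlan=<id> vifs=<list>",
# "<bridge> trunk vifs=<list>" or "<bridge> isolated vifs=<list>".
audit_bridges() {
    awk '
    function emit() {
        if (br == "") return
        if (vlan != "")        kind = "access vlan=" vlan
        else if (uplink != "") kind = "trunk"
        else                   kind = "isolated"
        print br, kind, "vifs=" (vifs == "" ? "-" : vifs)
    }
    function addport(p,   parts, n) {
        # Guest back-ends are vifN.M / tapN.M: the dot is not a VLAN id.
        if (p ~ /^(vif|tap)[0-9]+\.[0-9]+$/) {
            vifs = (vifs == "" ? p : vifs "," p)
            return
        }
        uplink = p
        if (p ~ /\.[0-9]+$/) { n = split(p, parts, "."); vlan = parts[n] }
    }
    NR == 1 { next }                        # column header
    NF >= 3 {                               # first line of a bridge
        emit(); br = $1; vlan = ""; uplink = ""; vifs = ""
        if (NF >= 4) addport($4)
        next
    }
    NF == 1 { addport($1) }                 # continuation: one more port
    END { emit() }'
}

# List guest interfaces attached to trunk bridges.
guests_on_trunk() {
    audit_bridges | awk '$2 == "trunk" && $3 != "vifs=-" {
        sub(/^vifs=/, "", $3); print $3 }'
}

printf '%s\n' "$SAMPLE" | audit_bridges
```

On a live dom0 the input would be `brctl show | audit_bridges`; the same parser also handles the `peth0.100` style port names that network-bridge produces.
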
On Tue, Aug 11, 2009 at 5:46 PM, Fajar A. Nugraha<fajar@fajar.net> wrote:
> On Tue, Aug 11, 2009 at 4:31 PM, Zhang Li<cindy.zhangli@gmail.com> wrote:
>> Hi, Fajar
>>
>>> After that, I'd test whether vlan works before throwing in bridge and
>>> Xen to mix. For example, I'd create eth0.100 on top of eth0, and test
>>> it. If it works, I create br100 on top of eth0.100 and move the IP
>>> address to br100. After it works, I tell domU to use br100 as bridge.
>>
>> I tried the way you told me, everything is OK. eth0.100 works, br100
>> works and I tell domU to use br100.
>> And then assign one IP ADDRESS to it. it can't ping the address of
>> outside internet.
>
> OK one at a time :D
> By "br100 works", does that mean if you put IP address on that
> interface, you can access outside world (or at least other hosts also
> located on vlan100)?

yes. br100 can access outside world. Does it means vlan is ok? And the
domainUs in the same vlan can communicate.

> By "And then assign one IP ADDRESS to it. it can't ping the address of
> outside internet.", does that mean you put IP address on domU but it
> can't access anywhere? If yes, do a ping from domU and a tcpdump on
> br100 and eth0.100, see which packets are missing (does arp receives
> no reply? or is it only the icmp echo/reply gone missing)

yes. arp receives no reply. And ICMP echo/reply gone missing.
I think they can connect each other in the same vlan within the same
IP subnet.
if it connect to outside, it should need router. I don't know XEN
whether can do this.

> Another thing to check. Are you using old broadcom NIC with tg3
> driver? If yes, it's probably firmware problem. On one of my machines
> I can't get bridging to work until I updated its firmware.
>
>> Another question, does the domain U must need the 8021Q? When one
>> DomainU send one frame to another, will the bridge add the tag to the
>> frame with 8021Q?
>>
>> I have some experiment here:
>>
>> If domain U use the 8021Q module, it will add the tag to the frame by
>> itself and the vlan is setup, bridge doesn't need to add tag. But if
>> domain U doesn't use 8021Q module, I think the bridge will add the tag
>> to the frame, the problem of I have told still exists. I am confused.
>
> I'm not sure I understand your question. However you can do these:
> Scenario 1: you can have eth0, create a bridge on top of it, share it
> with domU, and do vlans in domU. It will work if you do NOT create the
> same vlan on dom0 (e.g. do not create eth0.100 on dom0, create it only
> on domUs). You may also need to set
> /proc/sys/net/bridge/bridge-nf-filter-vlan-tagged to 0 (not quite sure
> about this, as it has been a long time since I pass a trunk :P). From
> domU perspective this is similar with connecting to a switch using a
> trunk port.
>
> Scenario2: you can do vlans on dom0, create a bridge for each vlans,
> and tell domU to use the bridge. From domU perspective this is similar
> with connecting to a switch using an access port.

I think we are saying the same thing.
But I am not familiar with the bridge of XEN, I don't know whether it
can implement the trunk link.
For Scenario2, either domain0 or domainU don't need the 8021Q. am I right?

> --
> Fajar

--
Best regards
--Li

On Tue, Aug 11, 2009 at 5:39 PM, Zhang Li<cindy.zhangli@gmail.com> wrote:
> yes. br100 can access outside world. Does it means vlan is ok? And the
> domainUs in the same vlan can communicate.

So let me get this straight.
- dom0 can access outside world
- domU and domU can communicate
- domU can't access outside world

If that's so, probably iptables or forwarding issue. Do you have
iptables configured? What is the value of
/proc/sys/net/ipv4/ip_forward ?

>> By "And then assign one IP ADDRESS to it. it can't ping the address of
>> outside internet.", does that mean you put IP address on domU but it
>> can't access anywhere? If yes, do a ping from domU and a tcpdump on
>> br100 and eth0.100, see which packets are missing (does arp receives
>> no reply? or is it only the icmp echo/reply gone missing)
>
> yes. arp receives no reply. And ICMP echo/reply gone missing.
> I think they can connect each other in the same vlan within the same
> IP subnet.
> if it connect to outside, it should need router. I don't know XEN
> whether can do this.

Bridging mode does not need router on dom0. To be accurate, in bridging
mode domU is just like any other physical host on that same vlan, so
you set it to use the same router/gateway as any other physical host.

>> Scenario2: you can do vlans on dom0, create a bridge for each vlans,
>> and tell domU to use the bridge. From domU perspective this is similar
>> with connecting to a switch using an access port.
>
> I think we are saying the same thing.
> But I am not familiar with the bridge of XEN, I don't know whether it
> can implement the trunk link.
> For Scenario2, either domain0 or domainU don't need the 8021Q. am I right?

On scenario2 vlan support is only on dom0. You don't need it on domU.

--
Fajar

On Wed, Aug 12, 2009 at 9:48 AM, Zhang Li<cindy.zhangli@gmail.com> wrote:
> I am considering the situation:
> If I setup VLANs, for example: domain1, domain2, domain3, domain4.
> domain1,domain2 --> vlan100 , assigning the IP address: 192.168.2.2/192.168.2.3
> domain3,domain4 -->vlan101, assigning the IP address: 192.168.3.2/192.168.3.3
>
> domain1 can ping domain2 successfully, domain3 and domain4 can ping
> successfully.
>
> In Domain0, br100, br101 ip address is: 192.168.1.100/192.168.1.101.
> gateway: 192.168.1.1

There you go, there's your source of problem right there: dom1 and
dom2 is on 192.168.2.0/24 but dom0's br100 (which is on the same vlan)
is using 192.168.1.100/24. It doesn't work that way.

When using bridge (especially with vlans), think of dom0 like a L2 or
L3 switch, and domUs like any other physical network. Get help from
your networking guys if you're not sure. For starters :
- make sure eth0 is connected to a switch, whose port is already
  configured as trunk, allowing (at least) vlans 100 and 101
- br100 and br101 needs to be on different subnets (otherwise there's
  no point of having a different vlan in the first place), which is
  similar to an L3 switch: you have a vlan, and you have an ip address
  on that vlan interface.
  You could also remove their IP address altogether, which is similar to
  an L2 switch: it knows the vlan, but it doesn't have an IP address on
  that vlan.
- setup dom1 and dom2 to be on the same subnet as other hosts on
  vlan100 on your network
- setup dom3 and dom4 to be on the same subnet as other hosts on
  vlan101 on your network

Again, don't hesitate to get help from your network guys, cause it's
very similar networking setup with that of a L2/L3 switch.

--
Fajar

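
Added example, not part of the thread: a check for the addressing mismatch diagnosed in the message above, run over the plan as it was posted and over a corrected one. The /24 prefix is the one used in the reply; the corrected plan's gateway 192.168.2.1 is an assumption made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check an addressing plan for
# bridged VLANs. Every host on one VLAN, the dom0 bridge included if it
# has an address, must sit on that VLAN's subnet; different VLANs must
# use different subnets.

ip2int() {                      # dotted quad -> integer
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

network() {                     # network <ip> <prefix-length> -> integer
    echo $(( $(ip2int "$1") & (0xFFFFFFFF << (32 - $2)) & 0xFFFFFFFF ))
}

same_subnet() {                 # same_subnet <ip> <ip> <prefix-length>
    [ "$(network "$1" "$3")" = "$(network "$2" "$3")" ]
}

# off_subnet <prefix-length> <gateway-ip> <name=ip>...
# Prints the names whose address is not on the gateway's subnet.
off_subnet() {
    plen=$1; ref=$(network "$2" "$1"); shift 2
    bad=""
    for entry in "$@"; do
        [ "$(network "${entry#*=}" "$plen")" = "$ref" ] ||
            bad="$bad ${entry%%=*}"
    done
    echo "${bad# }"
}

# Plan as posted in the thread (/24 as in the reply), VLAN 100 members:
echo "vlan100 off-subnet: $(off_subnet 24 192.168.1.1 \
    br100=192.168.1.100 domain1=192.168.2.2 domain2=192.168.2.3)"
if same_subnet 192.168.1.100 192.168.1.101 24; then
    echo "br100 and br101 share a subnet although they are different VLANs"
fi

# Constructed fix: VLAN 100 is 192.168.2.0/24 with an assumed gateway
# 192.168.2.1 on the physical network; br100 carries no address.
echo "fixed vlan100 off-subnet: $(off_subnet 24 192.168.2.1 \
    domain1=192.168.2.2 domain2=192.168.2.3)"
```
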
I get it. It helps me great. Thanks very much :)

--
Best regards
--Li