Ali Roze
2007-Feb-06 00:42 UTC
[Xen-users] xen bridged network config woes [repost w/apology]
My profuse apologies if you've already read this; it is a repost. I accidentally replied to a different thread, and I fear it was buried as a reply to that thread and may not get read by anyone but those who were paying attention to that one. My problem is unrelated to that one, other than that both involve xen's networking, and I happened to be reading that one when I decided to write my own plea for help.

Hi,

I've been bashing my head over Xen networking for about a week now, and I'd love to get some help from the list. I've read the Wiki, the manual, the mailing list archives, and Googled my fingers to the bone. I'll try to describe my problem as best as I can; if I've left anything relevant out, please let me know what you need.

In a nutshell:

-The server is at a colo facility, and I have no physical access to it, just ssh.
-I have the IP addresses A.B.94.226 through 94.230. The gateway is at 94.225.
-Dom0 is configured with A.B.94.226. I've only set up a single DomU, with A.B.94.227. I'm using Xen's bridging scripts.
-Dom0 can ping DomU. DomU can ping Dom0. Dom0 can reach the internet and be reached by it, but DomU cannot.

DomU's /etc/network/interfaces:

root@domU:~# cat /etc/network/interfaces
# Used by ifup(8) and ifdown(8). See the interfaces(5) manpage or
# /usr/share/doc/ifupdown/examples for more information.

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
# Uncomment this and configure after the system has booted for the first time
auto eth0
iface eth0 inet static
    address A.B.94.227
    netmask 255.255.255.248
    gateway A.B.94.225

DomU config file:

root@dom0:~# cat /etc/xen/domU
# -*- mode: python; -*-
kernel = "/boot/vmlinuz-2.6.16.29-xen"
ramdisk = "/boot/initrd.img-2.6.16-29-xen"
memory = 128
name = "domU"
vif = ['bridge=xenbr0,ip=A.B.94.227']
disk = ['phy:/dev/xenvolume/domU,sda1,w','phy:/dev/xenvolume/domU-swap,sda2,w']
netmask = "255.255.255.248"
gateway = "A.B.94.225"
hostname = "domU"
root = "/dev/sda1 ro"

Some more info from Dom0:

root@dom0:~# brctl show
bridge name     bridge id               STP enabled     interfaces
xenbr0          8000.feffffffffff       no              vif0.0
                                                        peth0
                                                        vif1.0
root@dom0:~# brctl showmacs xenbr0
port no mac addr                is local?       ageing timer
  1     00:14:85:f7:ea:67       no                 0.00
  2     00:19:56:5a:e9:d5       no                 1.03
  2     00:60:3e:0b:9c:48       no                 0.00
  1     fe:ff:ff:ff:ff:ff       yes                0.00

dom0 xend-config.sxp:

root@dom0:~# cat /etc/xen/xend-config.sxp | grep -v "^#" | grep "[a-z]"
(xend-relocation-server yes)
(xend-relocation-hosts-allow '^localhost$ ^localhost\\.localdomain$')
(network-script network-bridge)
(vif-script vif-bridge)
(dom0-min-mem 196)
(dom0-cpus 0)

I tried a tcpdump on dom0 while pinging an outside-the-network host from domU, here's what I get:

domU:
root@domU:~# ping -c4 4.2.2.1
PING 4.2.2.1 (4.2.2.1) 56(84) bytes of data.
From A.B.94.227 icmp_seq=1 Destination Host Unreachable
From A.B.94.227 icmp_seq=2 Destination Host Unreachable
From A.B.94.227 icmp_seq=3 Destination Host Unreachable
From A.B.94.227 icmp_seq=4 Destination Host Unreachable

--- 4.2.2.1 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3002ms, pipe 3
root@domU:~# ping -c4 A.B.94.226
PING A.B.94.226 (A.B.94.226) 56(84) bytes of data.
64 bytes from A.B.94.226: icmp_seq=1 ttl=64 time=0.113 ms
64 bytes from A.B.94.226: icmp_seq=2 ttl=64 time=0.107 ms
64 bytes from A.B.94.226: icmp_seq=3 ttl=64 time=0.090 ms
64 bytes from A.B.94.226: icmp_seq=4 ttl=64 time=0.087 ms

--- A.B.94.226 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2997ms
rtt min/avg/max/mdev = 0.087/0.099/0.113/0.013 ms

Meanwhile in dom0:
root@dom0:~# tcpdump src host A.B.94.227 -vv -a
tcpdump: WARNING: vif0.0: no IPv4 address assigned
tcpdump: listening on vif0.0, link-type EN10MB (Ethernet), capture size 96 bytes
14:57:36.016831 arp who-has woc.gw.webhost.net tell woc-2.ce.webhost.net
14:57:37.016795 arp who-has woc.gw.webhost.net tell woc-2.ce.webhost.net
14:57:38.016804 arp who-has woc.gw.webhost.net tell woc-2.ce.webhost.net
14:57:39.026781 arp who-has woc.gw.webhost.net tell woc-2.ce.webhost.net
14:57:40.026796 arp who-has woc.gw.webhost.net tell woc-2.ce.webhost.net
14:57:41.026795 arp who-has woc.gw.webhost.net tell woc-2.ce.webhost.net
14:57:54.872056 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: ICMP (1), length: 84) woc-2.ce.webhost.net > woc-1.ce.webhost.net: ICMP echo request, id 30474, seq 1, length 64
14:57:55.871054 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: ICMP (1), length: 84) woc-2.ce.webhost.net > woc-1.ce.webhost.net: ICMP echo request, id 30474, seq 2, length 64
14:57:56.870039 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: ICMP (1), length: 84) woc-2.ce.webhost.net > woc-1.ce.webhost.net: ICMP echo request, id 30474, seq 3, length 64
14:57:57.869040 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: ICMP (1), length: 84) woc-2.ce.webhost.net > woc-1.ce.webhost.net: ICMP echo request, id 30474, seq 4, length 64
14:57:59.864254 arp reply woc-2.ce.webhost.net is-at 00:16:3e:39:f0:ab (oui Unknown)
11 packets captured
25 packets received by filter
0 packets dropped by kernel
root@dom0:~#

As you can see, when domU is trying to ping 4.2.2.1, it's sending ARP who-has requests that apparently never get answered. When domU is trying to ping dom0, it just pings it with no problems.

So where should I start looking for a misconfiguration? How can I troubleshoot this?

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Gary W. Smith
2007-Feb-06 00:58 UTC
RE: [Xen-users] xen bridged network config woes [repost w/apology]
Ali,

What does the iptables scripts look like on the Dom0. I know that when I originally configured my Fedora6 server I forgot to disable it and a lot of things broke.

Gary
Ali Roze
2007-Feb-06 01:06 UTC
RE: [Xen-users] xen bridged network config woes [repost w/apology]
On Mon, 5 Feb 2007 16:58:46 -0800, "Gary W. Smith" <gary@primeexalia.com> said:
> What does the iptables scripts look like on the Dom0. I know that when
> I originally configured my Fedora6 server I forgot to disable it and a
> lot of things broke.

Here's my Dom0 iptables. However, I still have the same problem even if I drop all my iptables rules and leave the box wide open with iptables -F.

root@Dom0:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source                                     destination
ACCEPT     all  --  anywhere                                   anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  A.B.66.248/29                              anywhere            tcp dpt:ssh
ACCEPT     tcp  --  owl.webhost.net                            anywhere            tcp dpt:ssh
ACCEPT     tcp  --  A.B.66.0/28                                anywhere            tcp dpt:ssh
ACCEPT     tcp  --  A.B.68.38                                  anywhere            tcp dpt:ssh
ACCEPT     tcp  --  smtp.webhost.net                           anywhere            tcp dpt:ssh
ACCEPT     all  --  adsl-209-78-192-139.dsl.lsan03.pacbell.net anywhere
ACCEPT     tcp  --  70-32-242-119.ontrca.adelphia.net          anywhere            tcp dpt:ssh
ACCEPT     tcp  --  A.B.66.248/29                              anywhere            tcp dpt:vmware-authd
ACCEPT     tcp  --  70-32-242-119.ontrca.adelphia.net          anywhere            tcp dpt:vmware-authd
ACCEPT     tcp  --  anywhere                                   anywhere            tcp dpts:ftp-data:ftp
ACCEPT     tcp  --  anywhere                                   anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere                                   anywhere            tcp dpt:www
ACCEPT     tcp  --  anywhere                                   anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere                                   anywhere            tcp dpt:ntp
ACCEPT     udp  --  anywhere                                   anywhere            udp dpt:ntp
DROP       tcp  --  anywhere                                   anywhere            tcp dpts:0:1023
DROP       udp  --  anywhere                                   anywhere            udp dpts:0:1023
ACCEPT     tcp  --  outgoing.webhost.net                       anywhere            tcp dpts:amanda:10089
ACCEPT     udp  --  outgoing.webhost.net                       anywhere            udp dpts:amanda:10089
ACCEPT     tcp  --  am.webhost.net                             anywhere            tcp dpts:amanda:10089
ACCEPT     udp  --  am.webhost.net                             anywhere            udp dpts:amanda:10089
ACCEPT     tcp  --  up.webhost.net                             anywhere            tcp dpts:amanda:10089
ACCEPT     udp  --  up.webhost.net                             anywhere            udp dpts:amanda:10089
DROP       tcp  --  anywhere                                   anywhere            tcp dpts:amanda:10089
DROP       udp  --  anywhere                                   anywhere            udp dpts:amanda:10089

Chain FORWARD (policy ACCEPT)
target     prot opt source                                     destination
ACCEPT     all  --  woc-2.ce.webhost.net                       anywhere            PHYSDEV match --physdev-in vif1.0
ACCEPT     udp  --  anywhere                                   anywhere            PHYSDEV match --physdev-in vif1.0 udp spt:bootpc dpt:bootps

Chain OUTPUT (policy ACCEPT)
target     prot opt source                                     destination
DROP       icmp --  anywhere                                   anywhere            state INVALID
Gary W. Smith
2007-Feb-06 01:21 UTC
RE: [Xen-users] xen bridged network config woes [repost w/apology]
> -----Original Message-----
> From: xen-users-bounces@lists.xensource.com [mailto:xen-users-
> bounces@lists.xensource.com] On Behalf Of Ali Roze
> Sent: Monday, February 05, 2007 5:06 PM
> To: Gary W. Smith; xen-users@lists.xensource.com
> Subject: RE: [Xen-users] xen bridged network config woes [repost
> w/apology]
>
> Here's my Dom0 iptables. However, I still have the same problem even if
> I drop all my iptables rules and leave the box wide open with iptables
> -F.

Hmm. Not sure then. Did you make any custom changes to the bridge scripts?
Ali Roze
2007-Feb-06 01:27 UTC
RE: [Xen-users] xen bridged network config woes [repost w/apology]
On Mon, 5 Feb 2007 17:21:13 -0800, "Gary W. Smith" <gary@primeexalia.com> said:
> Hmm. Not sure then. Did you make any custom changes to the bridge
> scripts?

Not a thing! They're the stock scripts that came with Xen (3.0.3).
Curtis Doty
2007-Feb-06 02:42 UTC
Re: [Xen-users] xen bridged network config woes [repost w/apology]
6:42pm Ali Roze said:

> -The server is at a colo facility, and I have no physical access to it,
> just ssh.
>
> -I have the IP addresses A.B.94.226 through 94.230. The gateway is at
> 94.225.

You've done a fine job of obfuscating your colo/isp identity.

> root@dom0:~# brctl showmacs xenbr0
> port no mac addr                is local?       ageing timer
>   1     00:14:85:f7:ea:67       no                 0.00
>   2     00:19:56:5a:e9:d5       no                 1.03
>   2     00:60:3e:0b:9c:48       no                 0.00
>   1     fe:ff:ff:ff:ff:ff       yes                0.00

Two Cisco devices on the outside. Hrmm...I wonder if your colo/isp is running port security and only allows you one MAC for your one server? If so, you'll have to route or NAT.

Have you tried contacting your upstream provider?

../C
Ali Roze
2007-Feb-06 02:51 UTC
Re: [Xen-users] xen bridged network config woes [repost w/apology]
On Mon, 5 Feb 2007 18:42:30 -0800 (PST), "Curtis Doty" <Curtis@GreenKey.net> said:
> You've done a fine job of obfuscating your colo/isp identity.

Hi Curtis-I actually don't care! The ISP is pixelgate.net, and the A.B part of my IP addresses is 66.254. I obfuscated that part because I saw someone else obfuscating theirs with A.B. while reading on the list, and I thought "neat idea, I'll do that too". Monkey see, monkey do. Sorry. So my gateway is at 66.254.94.225.

> Two Cisco devices on the outside. Hrmm...I wonder if your colo/isp is
> running port security and only allows you one MAC for your one server? If
> so, you'll have to route or NAT.
>
> Have you tried contacting your upstream provider?

I spent some time on the phone with a tech a few days ago, trying to figure out if anything looked misconfigured to him, but he said my domU's /etc/interfaces and its xen config file looked fine to him. MAC addresses didn't come up in our conversation at all. However, they don't support Xen officially, and it may not have occurred to him to look for that. I've put in an email, asking them about that.
Gary W. Smith
2007-Feb-06 03:19 UTC
RE: [Xen-users] xen bridged network config woes [repost w/apology]
> I spent some time on the phone with a tech a few days ago, trying to
> figure out if anything looked misconfigured to him, but he said my
> domU's /etc/interfaces and its xen config file looked fine to him. MAC
> addresses didn't come up in our conversation at all. However, they don't
> support Xen officially, and it may not have occurred to him to look for
> that. I've put in an email, asking them about that.

It really shouldn't matter. When you are getting ranges of IPs from your ISP they shouldn't care whether or not the server behind it is a xen box or a physical box. If ISPs start caring whether or not the server is a Xen box or not then we're all in trouble.
Curtis Doty
2007-Feb-06 03:43 UTC
RE: [Xen-users] xen bridged network config woes [repost w/apology]
7:19pm Gary W. Smith said:

> > I spent some time on the phone with a tech a few days ago, trying to
> > figure out if anything looked misconfigured to him, but he said my
> > domU's /etc/interfaces and its xen config file looked fine to him. MAC
> > addresses didn't come up in our conversation at all. However, they
> > don't support Xen officially, and it may not have occurred to him to
> > look for that. I've put in an email, asking them about that.
>
> It really shouldn't matter. When you are getting ranges of IP's from
> your ISP they shouldn't care weather or not the server behind it is a
> xen box or a physical box.

Actually it can. If his upstream/ISP was designed by a Cisco engineer for single-server-per-port hosting, then it is conceivable they use "port security" to restrict access. Since Xen is a bridge by default and each DomU makes up MACs as needed, then they appear as multiple layer two hosts rather than just one. Thus my suggestion to try routing instead.

Ali, are the other addresses in your /29 netblock also for use only on your one server? (vips)

../C
Ali Roze
2007-Feb-06 03:57 UTC
RE: [Xen-users] xen bridged network config woes [repost w/apology]
On Mon, 5 Feb 2007 19:43:17 -0800 (PST), "Curtis Doty" <Curtis@GreenKey.net> said:
> Actually it can. If his upstream/ISP was designed by a Cisco engineer for
> single-server-per-port hosting, then it is conceivable they use "port
> security" to restrict access.

I just heard back from them. The word is that if an unexpected MAC were to show up, a security measure in the switch would simply shut it down until someone from the ISP can look at it. Since that has never happened, by definition my domU's packets have never even left the box and reached the switch! They were kind of amazed to find out from me that Xen makes up MAC addresses that may change for the same IP by default, and instructed me to define a single MAC address for each IP in my xen config, and give it to them so that they can tell the switch not to shut down.

> suggestion to try routing instead.

I don't understand networking very well, which is why I just went with bridging because I understood from reading the Wiki that it was the It-Just-Works default. Aside from switching to the routing scripts in my xend-config.sxp, what do I need to do to make this work?

> Ali, are the other addresses in your /29 netblock also for use only on
> your one server? (vips)

I'm not sure I understand your question, but I'll try to answer it anyway. As configured by the host, the IPs were all assigned to my server, in the rc.local file. 94.226 is my main eth0 IP and the others are all aliases on eth0:227, eth0:228, eth0:229 and eth0:230.
Ali Roze
2007-Feb-06 04:01 UTC
RE: [Xen-users] xen bridged network config woes [repost w/apology]
On Mon, 05 Feb 2007 21:57:27 -0600, "Ali Roze" <xen@ayahuasca.fastmail.us> said:
> I'm not sure I understand your question, but I'll try to answer it
> anyway. As configured by the host, the IPs were all assigned to my
> server, in the rc.local file. 94.226 is my main eth0 IP and the others
> are all aliases on eth0:227, eth0:228, eth0:229 and eth0:230.

I should hasten to add that I commented out the line for eth0:227 in dom0's rc.local and restarted networking before setting up domU. If I don't comment it out, I can't even ping between domU and dom0, so I assume that's the correct way to do it-assign the IP only in the domain in which it's used.
Curtis Doty
2007-Feb-06 04:44 UTC
RE: [Xen-users] xen bridged network config woes [repost w/apology]
9:57pm Ali Roze said:

> On Mon, 5 Feb 2007 19:43:17 -0800 (PST), "Curtis Doty"
> <Curtis@GreenKey.net> said:
> > Actually it can. If his upstream/ISP was designed by a Cisco engineer for
> > single-server-per-port hosting, then it is conceivable they use "port
> > security" to restrict access.
>
> I just heard back from them. The word is that if an unexpected MAC were
> to show up, a security measure in the switch would simply shut it down
> until someone from the ISP can look at it. Since that has never
> happened, by definition my domU's packets have never even left the box
> and reached the switch! They were kind of amazed to find out from me
> that Xen makes up MAC addresses that may change for the same IP by
> default, and instructed me to define a single MAC address for each IP in
> my xen config, and give it to them so that they can tell the switch not
> to shut down.

Yep. It would appear that I guessed totally on target here. :-p

Depending on the architecture, you may be able to get them to do this on your access interface:

port security max-mac-count 2

Since it appears you are hosting all the other ip addresses on Dom0, you only need *one* additional DomU MAC (in addition to your existing Dom0 MAC) to swim up the bridge.

This really isn't an issue of security in the malicious "bad guy" sense. But more of a security design element that prevents catastrophe when some night-shift lackey plugs the wrong cable into the wrong port. :-/ (Never happened to me. Nope. Not once. Never. No way. Un uh. Impossible.)

> > suggestion to try routing instead.
>
> I don't understand networking very well, which is why I just went with
> bridging because I understood from reading the Wiki that it was the
> It-Just-Works default. Aside from switching to the routing scripts in my
> xend-config.sxp, what do I need to do to make this work?

This actually adds complexity because, without re-design, it requires something called proxy ARP. I.e. your Dom0 presents its own layer two MAC on the wire so your other DomUs don't have to. Plus it requires more netfilter tweaks.

> > Ali, are the other addresses in your /29 netblock also for use only on
> > your one server? (vips)
>
> I'm not sure I understand your question, but I'll try to answer it
> anyway. As configured by the host, the IPs were all assigned to my
> server, in the rc.local file. 94.226 is my main eth0 IP and the others
> are all aliases on eth0:227, eth0:228, eth0:229 and eth0:230.

Yes you have answered it. Your upstream ISP is not Xen-aware, and is probably setup for a single layer two MAC per port. Hopefully you can now justify to them why you need just one more.

../C
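An added example (my own, not code from the thread or from Xen) that automates the two things this thread converges on: parsing a tcpdump capture taken on the domU's vif for the "who-has with no reply" pattern Ali saw, and emitting the vif line with a pinned MAC that the ISP asked for. The sample capture is constructed after the thread's output; deriving the MAC from the address's last three octets under Xen's 00:16:3e OUI is this example's convention, not a Xen requirement.

```python
import re

# Constructed sample, modelled on the `tcpdump -nvvi vif2.0` output in the
# thread (not a real capture).  The last two lines add an ARP exchange with
# dom0 so that answered and unanswered requests can be told apart.
SAMPLE_CAPTURE = """\
21:01:36.829501 arp who-has 66.254.94.225 tell 66.254.94.227
21:01:37.215509 802.1d unknown version
21:01:37.829430 arp who-has 66.254.94.225 tell 66.254.94.227
21:01:39.619216 00:19:56:5a:e9:d5 > 01:00:0c:cc:cc:cc SNAP Unnumbered, ui, Flags [Command], length 89
21:01:39.829420 arp who-has 66.254.94.225 tell 66.254.94.227
21:01:40.829443 arp who-has 66.254.94.225 tell 66.254.94.227
21:01:41.100000 arp who-has 66.254.94.226 tell 66.254.94.227
21:01:41.100200 arp reply 66.254.94.226 is-at 00:14:85:f7:ea:67
"""

# The thread's tcpdump prints "arp who-has X tell Y" / "arp reply X is-at M";
# newer tcpdump prints "ARP, Request who-has X tell Y, length N" and
# "ARP, Reply X is-at M, length N".  Both shapes are matched.
WHO_HAS = re.compile(r"(?:arp who-has|ARP, Request who-has) ([^\s,]+)(?: \(\S+\))? tell ([^\s,]+)")
IS_AT = re.compile(r"(?:arp reply|ARP, Reply) ([^\s,]+) is-at ([0-9a-fA-F:]+)")


def arp_summary(capture, asker):
    """Map target -> (requests sent by `asker`, whether that target ever replied)."""
    requests = {}
    answered = set()
    for line in capture.splitlines():
        m = WHO_HAS.search(line)
        if m and m.group(2) == asker:
            requests[m.group(1)] = requests.get(m.group(1), 0) + 1
            continue
        m = IS_AT.search(line)
        if m:
            answered.add(m.group(1))
    return {target: (n, target in answered) for target, n in requests.items()}


def diagnose(capture, domu_ip, gateway_ip):
    """Classify the gateway ARP behaviour of one domU the way the thread did."""
    summary = arp_summary(capture, domu_ip)
    requests, replied = summary.get(gateway_ip, (0, False))
    if requests == 0:
        verdict = "domU never ARPed for the gateway; check its route/gateway setting"
    elif replied:
        verdict = "gateway answers ARP; the problem is above layer two (routing, filtering)"
    else:
        # Frames leave the vif but nothing upstream answers: the classic sign that
        # the access switch is not accepting a second MAC on the port.
        verdict = ("gateway ARP unanswered; check that the upstream switch accepts "
                   "the domU MAC (port security / max MAC count)")
    return {"gateway_requests": requests, "gateway_replied": replied,
            "verdict": verdict, "per_target": summary}


XEN_OUI = "00:16:3e"  # Xen's OUI, the prefix of the auto-generated MAC seen in the thread


def stable_xen_mac(ip):
    """One fixed, reproducible MAC per IP: Xen OUI + last three octets of the
    address (this example's convention, so every address in the /29 gets a
    distinct MAC that can be handed to the ISP)."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return XEN_OUI + ":" + ":".join("%02x" % o for o in octets[1:])


def vif_line(ip, bridge="xenbr0"):
    """The vif entry for /etc/xen/<domU> with the MAC pinned instead of random."""
    return "vif = ['mac=%s,bridge=%s,ip=%s']" % (stable_xen_mac(ip), bridge, ip)


if __name__ == "__main__":
    result = diagnose(SAMPLE_CAPTURE, "66.254.94.227", "66.254.94.225")
    print(result["verdict"])
    print(vif_line("66.254.94.227"))
```

Run it against a real capture with `tcpdump -nvvi vifN.0 arp` on dom0 while the domU pings its gateway; a pinned MAC must be registered with the upstream before it helps.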
Ali Roze
2007-Feb-06 05:06 UTC
RE: [Xen-users] xen bridged network config woes [repost w/apology]
Thank you Curtis-I've forwarded your email to them and I'm waiting for a reply.

That said, while Googling, I found another interesting tcpdump incantation that I tried, and I'd appreciate some insight into what its output means:

root@dom0:~# tcpdump -nvvi vif2.0
tcpdump: WARNING: vif2.0: no IPv4 address assigned
tcpdump: listening on vif2.0, link-type EN10MB (Ethernet), capture size 96 bytes
21:01:36.829501 arp who-has 66.254.94.225 tell 66.254.94.227
21:01:37.215509 802.1d unknown version
21:01:37.829430 arp who-has 66.254.94.225 tell 66.254.94.227
21:01:39.230512 802.1d unknown version
21:01:39.619216 00:19:56:5a:e9:d5 > 01:00:0c:cc:cc:cc SNAP Unnumbered, ui, Flags [Command], length 89
21:01:39.829420 arp who-has 66.254.94.225 tell 66.254.94.227
21:01:40.829443 arp who-has 66.254.94.225 tell 66.254.94.227
21:01:41.246962 802.1d unknown version
8 packets captured
16 packets received by filter
0 packets dropped by kernel
root@dom0:~#

This raises three questions:

1. Do I care about that warning on the top, "vif2.0: no IPv4 address assigned"?
2. What does "802.1d unknown version" mean?
3. What does the "SNAP unnumbered" message mean?
Curtis Doty
2007-Feb-06 05:33 UTC
RE: [Xen-users] xen bridged network config woes [repost w/apology]
11:06pm Ali Roze said:

> This raises three questions:
>
> 1. Do I care about that warning on the top, "vif2.0: no IPv4 address
> assigned"?
> 2. What does "802.1d unknown version" mean?
> 3. What does the "SNAP unnumbered" message mean?

This is getting a bit off-topic from Xen. The last two are well-established within the LAN (layer two) networking community. Do some sleuthing and enjoy the experience of learning.

The first question, however, is related to Linux networking in general and Xen bridges specifically. But the answer is quite plain and apparent. It's telling you that there is no IPv4 (layer three) address assigned to the interface (vif2.0) that you chose to monitor. That is all. And that is the nature of a bridge. It does not care about IP addresses.

HTH,
../C
Ali Roze
2007-Feb-06 05:40 UTC
RE: [Xen-users] xen bridged network config woes [repost w/apology]
On Mon, 5 Feb 2007 21:33:19 -0800 (PST), "Curtis Doty" <Curtis@GreenKey.net> said:
> This is getting a bit off-topic from Xen. The last two are
> well-established within the LAN (layer two) networking community. Do some
> sleuthing and enjoy the experience of learning.

That definitely helps, thank you. I just wanted to know whether these were clues to solving my xen problem or not.

Curtis, you nailed it. That was exactly the problem and everything works great now. Thank you again!