This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
[Xen-users] Xen networking concepts

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] Xen networking concepts
From: René Pfeiffer <lynx@xxxxxxxxx>
Date: Tue, 20 Dec 2005 03:57:41 +0100
Delivery-date: Tue, 20 Dec 2005 03:00:16 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Mail-followup-to: xen-users@xxxxxxxxxxxxxxxxxxx
Organization: Vertical Integration
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.11
Hello, xen-users!

I am fiddling with the Xen 2.0 and Xen 3.0 configuration in order to do
a combined installation of a firewall system and a webserver on the same
machine. Now I use a recent Xen 3.0 on top of (or below, depending on how
you think of it) a Debian Sarge 3.1r1. The idea is to have the

 - Dom0 connected with a single external IP routing everything to Dom1
 - Dom1 with a firewall system and two virtual network cards
 - Dom2 the webserver behind the firewall with a single virtual network

I tried to use direct access but abandoned the idea because the system
is colocated and has only one IP address. This brings me to my problem.
I read the various networking threads a couple of times (including the
ideal(istic) firewall thread). Somehow I cannot completely wrap my mind
around Xen's networking concepts. I think I can work with two bridges
and internal local networks where the Dom0 will do SNAT for outbound
packets. The setup looks a bit like this (work in progress, just a quick


After starting the two domains and manually setting up the second bridge
I get something like this on a test system:

samuel:~# xm list
Name                              ID Mem(MiB) VCPUs State  Time(s)
Domain-0                           0       64     1 r-----   143.2
astaro                             1      120     1 ------  2838.8
webserver                          2       48     1 -b----    34.5
samuel:~# brctl show
bridge name     bridge id               STP enabled     interfaces
xenbr0          8000.feffffffffff       no              peth0
xenbr1          8000.b67150095f2d       no              dummy0

vif1.0 and vif1.1 belong to the firewall, vif2.0 belongs to the
webserver. I gathered from the threads that the interface names change
when I restart the domains. What is the best practice to pin down
interface names?

How can I create xenbr1 automatically after Dom0 comes up? In the above
listing dummy0 is out of place because right after the boot process,
there are no domains running and therefore xenbr1 cannot be created with
the vif interfaces. Do I need a dummy interface for every bridge that is
used to connect domains?

Another thing I noticed is that I have a lot of network devices that are
unused. The system has 27 net devices, vif is numbered up to vif0.7 and
I have veth devices up to veth7. Why is that? Xen 2.0 didn't create so
many devices. What are they used for? Is this a kind of device pool?

I hope my questions are not redundant. I spent days wading through the
docs and the mailing list archives; I may have missed something due to
growing confusion.

Best regards,

"From the delicate strands,
 between minds we weave our mesh:
 a blanket to warm the soul."
 --- Lady Deirdre Skye (SMAC) ---

Xen-users mailing list
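
As an added example (not part of this post or of Xen's own tools), a small check that a bridge layout like the one above actually enforces the intended segmentation: it parses `brctl show` output and confirms that each guest's vif interfaces sit only on the bridges the design allows, so the webserver can never end up on the external bridge. The sample output, and which bridge each vif is attached to, are constructed assumptions.

```python
import re

# Constructed `brctl show` output in the format the post quotes: bridges
# with more than one port list the extra ports on indented continuation
# lines. The vif lines follow the post (vif1.0/vif1.1 = firewall, vif2.0
# = webserver); which bridge each sits on is assumed here.
SAMPLE_BRCTL = """\
bridge name     bridge id               STP enabled     interfaces
xenbr0          8000.feffffffffff       no              peth0
                                                        vif1.0
xenbr1          8000.b67150095f2d       no              dummy0
                                                        vif1.1
                                                        vif2.0
"""

# Intended layout from the post: dom1 (firewall) straddles both bridges,
# dom2 (webserver) must only ever be on the internal bridge.
EXPECTED = {1: {"xenbr0", "xenbr1"}, 2: {"xenbr1"}}
EXTERNAL_BRIDGE = "xenbr0"
VIF_RE = re.compile(r"^vif(\d+)\.(\d+)$")   # vif<domid>.<index>


def parse_brctl(text):
    """Return {bridge: [ports]} from `brctl show` output."""
    bridges, current = {}, None
    for line in text.splitlines()[1:]:        # skip the header row
        parts = line.split()
        if not parts:
            continue
        if not line[0].isspace():             # new bridge row
            current = parts[0]
            bridges[current] = parts[3:]      # port column may be empty
        elif current is not None:             # continuation: port only
            bridges[current].extend(parts)
    return bridges


def check_segmentation(bridges, expected, external=EXTERNAL_BRIDGE):
    """Return a list of problems; an empty list means the layout matches."""
    seen = {}                                 # domid -> set of bridges
    for br, ports in bridges.items():
        for name in ports:
            m = VIF_RE.match(name)
            if m:
                seen.setdefault(int(m.group(1)), set()).add(br)
    problems = []
    for domid, want in expected.items():
        got = seen.get(domid, set())
        if got != want:
            problems.append(f"dom{domid}: on {sorted(got)}, expected {sorted(want)}")
    for domid, got in seen.items():           # guests the design never listed
        if domid not in expected and external in got:
            problems.append(f"dom{domid}: unplanned domain on external bridge")
    return problems
```

Because vif names carry the domain id, which changes whenever a guest is restarted, in practice the expected map would be built from `xm list` output rather than hard-coded.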
