This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


Re: [Xen-users] More complex Xen Networking, with VLANs and maybe with V

To: Thiago Camargo Martins Cordeiro <thiagocmartinsc@xxxxxxxxx>
Subject: Re: [Xen-users] More complex Xen Networking, with VLANs and maybe with VDE 2... but how?!
From: Brian Krusic <brian@xxxxxxxxxx>
Date: Wed, 4 Feb 2009 11:40:54 -0800
Cc: nixon.oliveira@xxxxxxxxxxxxxxx, "xen-users@xxxxxxxxxxxxxxxxxxx" <xen-users@xxxxxxxxxxxxxxxxxxx>, Daniel Ginês | World Web <daniel.gines@xxxxxxxxxxxxxxx>
Delivery-date: Wed, 04 Feb 2009 11:42:13 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <6b7f6eb0902041115u7bb7ced6i15792c9960f113b6@xxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <6b7f6eb0902041115u7bb7ced6i15792c9960f113b6@xxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Hi Thiago,

There are 3 approaches and neither is more or less secure (to all those VLAN security buffs out there).

How many nodes do you have on the network?  I assume less then 253 but thats assuming you gave yourself a class C addy.  I'll assume you have as your network for discussion.

** 1 ** (cleanest, least noisy, more complex due to VLAN implementation)
Probably the easiest thing to do w/o changing current hosts is to create a VLAN and inter VLAN routing, a static route between VLAN networks.

So you have your original group of nodes in 1 VLAN, and some other VLANs and they all have static routes to each other.

Look at VLANs as individual networks to simplify design and the fact that they needs routes to one another.

The other 2 approaches have nothing to do with VLANS.

** 2 ** (easiest, noisy, especially after 500 nodes, not complex)
Change all of your subnet masks from class C of to (this includes the gateway or router itself).

Keep your existing hosts at there current IP scheme and add new nodes with there new IP addys like

You can keep adding networks like,, etc... and if every one has, every one sees each other.

** 3 ** (noisy, but from an organizational viewpoint its very clean)
Change every one to a new Class A address scheme meaning -

Here is a list of private, none routable ranges;    -  - -

Hope this helps, I've done all 3 and if you can afford the time, do VLANs but keep in mind that you still need a security plan as VLANs, DMZs, etc don't really ensure didly especially in todays env.
- Brian

On Feb 4, 2009, at 11:15 AM, Thiago Camargo Martins Cordeiro wrote:

--- In english ---

  I am to implement a new architecture of the network in my company but I do not know right where to start ... need help!

 Currently 90% of my servers are virtual machines under Xen. I have many valid IP networks and all Hypervisors are configured in bridge mode, to simplify. We have 3 VMWare ESX Hypervisor also in bridge mode.

 Some networks are exclusive to certain customers, others are shared among different customers. However, in our switches, all the networks are all the doors. So I can move a domu through the Xen Hypervisors that the network will work. So far so good but, as we have no VLANs, there are many conflicts of IP, as well as any customer can interfere with the whole network putting, for example, the IP of the border gateway in your virtual machine ... this setup is also possible that customers sniffer neighboring networks, which is a major security breach and I want to change this with implementing VLANs.

 Well, it's time to implement the VLANs. But how?

 How to create a VLAN to a domU and it (VLAN) be available in all Hypervisor, so I can move a domu, when necessary, without moving its VLAN in the switch?

 All VLANs need to be at all doors? In the case of a move of a domu from the Hypervisor XYZ to the Hypervisor ZZZ and the network continue working? But in this case would not be all the same, ie as if there were no VLANs?

 It's necessary to use the 'vconfig' (the debian package "vlan") inside of all domus?

 Maybe I need to create the VLANs in dom0 and, then, setup the bridges using the VLANs as ethernets for them? As this example: http://renial.net/weblog/2007/02/27/xen-vlan/ ?

 With VMWare ESX virtual switches can be created (with firmware from Cisco) per client, and there, create the customer's VLANs. This sounds very interesting, but how to implement something in Xen? Can I use the VDE 2 with Xen (with paravirtual domUs)? The VDE2 is completely compatible with Xen?

 It's possible to create the effect of a virtual switch with only the tools ip, vconfig and brctl available in dom0? Avoiding the overhead of a virtual switch?

 How to make a VLAN for certain domus scattered randomly by the Hypervisors?

 Without a layer of virtualization is easy to implement the VLAN, but when you have multiple machines connected on a single physical port of the switch, the situation changes completely. It is where I am in doubt...
 I appreciate any help!


--- Em português ---

 Estou para implementar uma nova arquitetura de rede em minha empresa, mas não sei direito por onde começar... preciso de ajuda!

 Atualmente 90% dos meus servidores são máquinas virtuais sob o Xen. Possuo ínumeras redes IP válidas e todos os hypervisores estão configurados no modo bridge, para simplificar. Temos 3 hypervisores VMWare ESX também no modo bridge.

 Algumas redes são de determinados clientes, outras são compartilhadas entre clientes diferentes. Porém, em nossos switches, todas as redes estão em todas as portas. De modo que eu posso mover uma domU por entre os Hypervisores Xen que a rede continuará funcionando. Até aqui tudo bem mas, como não temos nenhuma VLAN, ocorrem muitos conflitos de IP, bem como algum cliente pode interferir em toda a rede colocando, por exemplo, o IP do firewall de borda em sua máquina virtual... neste quadro também é possível que os clientes sniffem as redes vizinhas, o que é uma grande falha de segurança e pretendo mudar tudo isso implementando VLANs.

 Bom, chegou a hora de implementarmos as VLANs. Mas como?

 Como criar uma VLAN para uma domU e esta estar acessível em todos os Hypervisores, de modo que eu possa mover uma domU, quando necessário,  sem precisar mover a sua VLAN também no switch?

  Todas as VLANs precisam estar em todas as portas? Para no caso mover uma domU do Hypervisor XYZ para o Hypervisor ZZZ e a rede continuar funcionando? Mas neste caso não ficaria tudo na mesma, ou seja, como se não existissem VLANs!?

 É necessário utilizar o 'vconfig' (pacote vlan no debian) dentro de todas as domUs!?

 Talvez seja necessário criar as VLANs na dom0 e, então, configurar as bridges utilizando as vlans como ethernets para elas? Como neste exemplo: http://renial.net/weblog/2007/02/27/xen-vlan/ ?

 No VMWare ESX é possível criar switches virtuais (com firmware da Cisco) por cliente, e nele, criar as VLANs do cliente. Isso parece muito interessante mas, como implementar algo parecido no Xen? É possível utilizar o VDE 2 com uma domU paravirtual do Xen, por exemplo? O VDE é completamente compátivel com o Xen?

 É possível criar o efeito de um switch virtual apenas com as ferramentas ip, vconfig e brctl disponíveis na dom0? Evitando assim o overhead de um switch virtual?

 Como fazer uma VLAN para certos domUs dispersas aleatoriamente pelos Hypervisores?

 Sem a camada de virtualização é fácil implementar as VLAN, porém, quando se tem várias máquinas conectadas numa única porta física do switch, a situação muda completamente. É onde estou perdido...

 Agradeço qualquer ajuda!

 PS.: Respostas em portugês em PVT, por favor.

Xen-users mailing list

Xen-users mailing list
<Prev in Thread] Current Thread [Next in Thread>