This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

xen-users

Re: [SPAM] Re: [Xen-users] DomU(s) in different subnets

On Fri, Dec 18, 2009 at 5:07 AM, Freddie Cash <fjwcash@xxxxxxxxx> wrote:
> On Thu, Dec 17, 2009 at 1:59 PM, Sachin Goel <SACHIN.GOEL@xxxxxxxxxx> wrote:
>>
>> Isn't it possible that with only one bridge we have the virtual machines
>> in different physical subnets, if the gateway is configured to handle that ?
>
> With only 1 bridge, you only have 1 physical network connection, thus you
> only have 1 physical network.  You can have multiple logical subnets
> configured to use that network (192.168.0.0/24, 192.168.1.0/24,
> 192.168.2.0/24, etc).  But it's only 1 physical subnet.  (Although, I guess
> "subnet" is the wrong terminology here.)

I believe the correct term is "ethernet broadcast domain" instead of
"physical subnet".

With that setup, if you assign a domU to be on 192.168.1.0/24, then it
can simply add an IP address located on 192.168.2.0/24 (or others)
since the traffic will be on the same ethernet broadcast domain. Not
good in terms of security.

IMHO a better approach is to use vlans. That is:
- you have one (or more) uplink interface from dom0 to the switch/router,
configured as a trunk with multiple allowed vlans. For this example,
let's assume there are 11 vlans, 10 - 20. Each of those vlans is
connected to an existing network, with an existing gateway. vlan10 is used
by 192.168.0.0/24, vlan11 is used by 192.168.1.0/24, and so on. If you
have more than one interface, you can configure them to use bonding.
- you assign one IP for dom0 in one of those vlans (let's assume this
is vlan 10). This will be used for dom0 management.
- you create bridges (let's call them br11 - br20) for the other vlans in
dom0 (vlan 11-20), but do NOT assign an IP address on dom0 for those
bridges.
- assign domUs to one of those bridges as necessary.

In this networking setup, dom0 functions just like an L2 switch. This
is what I use on my setup.
This setup is better because a domU located on 192.168.1.0/24 can't
just use an IP address on 192.168.2.0/24 since they'd be on different
vlans (thus a different ethernet broadcast domain).

-- 
Fajar
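
The layout described in the message above, written out as iproute2 commands; this is an added example, not part of Fajar's message or of Xen's own network scripts. The uplink name eth0, the 192.168.0.2/24 management address and the APPLY/UPLINK variables are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the thread): the dom0 layout described above, built
# with iproute2. Assumptions: the trunk uplink is eth0, dom0 management sits on
# VLAN 10 as 192.168.0.2/24 (a constructed address), and VLANs 11-20 each get
# an IP-less bridge brNN. Commands are printed by default; APPLY=1 runs them.
set -eu

UPLINK="${UPLINK:-eth0}"
MGMT_VLAN=10
MGMT_ADDR="192.168.0.2/24"

run() {  # print the command unless APPLY=1
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

add_vlan() {  # add_vlan <uplink> <vid>: tagged sub-interface <uplink>.<vid>
    run ip link add link "$1" name "$1.$2" type vlan id "$2"
    run ip link set "$1.$2" up
}

# One guest VLAN: a bridge with only its tagged uplink as member. No IP is
# added in dom0, so dom0 merely forwards frames and is not reachable from it.
add_guest_bridge() {  # add_guest_bridge <uplink> <vid>
    add_vlan "$1" "$2"
    run ip link add "br$2" type bridge
    run ip link set "$1.$2" master "br$2"
    run ip link set "br$2" up
}

# Management VLAN: address on the sub-interface itself, no bridge, no domU vifs.
add_mgmt() {  # add_mgmt <uplink> <vid> <cidr>
    add_vlan "$1" "$2"
    run ip addr add "$3" dev "$1.$2"
}

vif_line() {  # domU config line that attaches the guest to br<vid>
    echo "vif = [ 'bridge=br$1' ]"
}

guest_bridge_cmd_count() {  # number of commands a dry run emits for one bridge
    ( APPLY=0; add_guest_bridge "$1" "$2" ) | wc -l | tr -d ' '
}

main() {
    run ip link set "$UPLINK" up
    add_mgmt "$UPLINK" "$MGMT_VLAN" "$MGMT_ADDR"
    vid=11
    while [ "$vid" -le 20 ]; do add_guest_bridge "$UPLINK" "$vid"; vid=$((vid + 1)); done
}
main
```

Running it without APPLY=1 prints the plan so it can be reviewed before touching the host; the guest bridges never receive an `ip addr add`, which is the property the message relies on.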

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users