This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [SPAM] Re: [Xen-users] DomU(s) in different subnets

On Fri, Dec 18, 2009 at 5:07 AM, Freddie Cash <fjwcash@xxxxxxxxx> wrote:
> On Thu, Dec 17, 2009 at 1:59 PM, Sachin Goel <SACHIN.GOEL@xxxxxxxxxx> wrote:
>> Isn't it possible that with only one bridge we have the virtual machines
>> in different physical subnets, if the gateway is configured to handle that ?
> With only 1 bridge, you only have 1 physical network connection, thus you
> only have 1 physical network.  You can have multiple logical subnets
> configured to use that network (,,
>, etc).  But it's only 1 physical subnet.  (Although, I guess
> "subnet" is the wrong terminology here.)

I believe the correct term is "ethernet broadcast domain" instead of
"physical subnet".

With that setup, if you assign a domU to be on, then it
can simply add an IP address located on (or others)
since the traffic will be on the same ethernet broadcast domain. Not
good in terms of security.

IMHO a better approach is to use vlans. That is:
- you have one (or more) uplink interface from dom0 to switch/router,
configured as trunk with multiple allowed vlans. For this example,
let's assume there are 11 vlans, 10 - 20. Each of those vlans is
connected to an existing network, with an existing gateway. vlan10 is used
by, vlan11 is used by, and so on. If you
have more than one interface, you can configure them to use bonding.
- you assign one IP for dom0 in one of those vlans (let's assume this
is vlan 10). This will be used for dom0 management.
- you create bridges (let's call these br11 - br20) for the other vlans in
dom0 (vlan 11-20), but do NOT assign an IP address on dom0 for those.
- assign domUs to one of those bridges as necessary.

In this networking setup, dom0 functions just like an L2 switch. This
is what I use on my setup.
This setup is better because a domU located on can't
just use an IP address on, since they'd be on different
vlans (thus a different ethernet broadcast domain).


Xen-users mailing list
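The per-VLAN bridge layout described in the reply above (one trunk uplink, dom0's management address on one VLAN, an addressless bridge per guest VLAN), written out as an added shell example. This is not code from the thread or from the Xen project; it assumes a modern iproute2 `ip` command (the 2009-era `vconfig`/`brctl` tools do the same job), and the uplink name `eth0`, the VLAN range 10-20 and the management address `192.0.2.10/24` are placeholders. With `DRY_RUN=1` (the default) it prints the plan instead of applying it, which also lets the layout be checked before anything is touched; applying it for real needs root.

```shell
#!/bin/sh
# Added example: build the VLAN/bridge layout from the post.
#   VLAN 10         -> dom0 management address lives here, on eth0.10
#   VLANs 11..20    -> bridges br11..br20, each with the VLAN subinterface as
#                      its only uplink and NO dom0 IP address (pure L2 forwarding)
#   domUs           -> attach their vif to one of br11..br20
# Assumptions: iproute2 'ip'; uplink/VLAN/address values are placeholders.
DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command when DRY_RUN=1, otherwise execute it
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_vlan_bridges UPLINK FIRST_VLAN LAST_VLAN MGMT_VLAN MGMT_CIDR
setup_vlan_bridges() {
    uplink="$1"; first="$2"; last="$3"; mgmt="$4"; mgmt_cidr="$5"
    run ip link set dev "$uplink" up
    v="$first"
    while [ "$v" -le "$last" ]; do
        sub="${uplink}.${v}"
        # one 802.1Q subinterface per VLAN carried on the trunk
        run ip link add link "$uplink" name "$sub" type vlan id "$v"
        run ip link set dev "$sub" up
        if [ "$v" -eq "$mgmt" ]; then
            # management VLAN: dom0 gets an address here and nowhere else
            run ip addr add "$mgmt_cidr" dev "$sub"
        else
            # guest VLAN: bridge it, but deliberately leave dom0 without an
            # address on it so dom0 is not reachable from the guest VLAN
            br="br${v}"
            run ip link add name "$br" type bridge
            run ip link set dev "$sub" master "$br"
            run ip link set dev "$br" up
        fi
        v=$((v + 1))
    done
}

# count_addressed_bridges: reads a printed plan on stdin and counts
# 'ip addr add' lines that target a bridge. For the intended layout the
# answer is 0: the only address lands on the management VLAN subinterface.
count_addressed_bridges() {
    grep -c '^ip addr add .* dev br' || true
}

# Print the plan for the example in the post (VLANs 10-20, management on 10).
setup_vlan_bridges "${UPLINK:-eth0}" 10 20 10 "${MGMT_CIDR:-192.0.2.10/24}"
```

Piping the printed plan through `count_addressed_bridges` is the check worth keeping in a provisioning script: the isolation the post relies on holds only while br11-br20 carry no dom0 address, so a result other than 0 means dom0 has been put back onto a guest broadcast domain.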