Re: [Xen-users] configure advanced networking

To: Rob Mokkink <rob@xxxxxxxxxxxxxxxxxx>
Subject: Re: [Xen-users] configure advanced networking
From: Adrian Chadd <adrian@xxxxxxxxxxxxxxx>
Date: Mon, 15 Jan 2007 09:41:11 +0800
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
On Sun, Jan 14, 2007, Rob Mokkink wrote:

> So only eth1 and eth2 are bridged.
> And I configure the guests to only use xenbr1 and xenbr2.
>  
> And after doing that, how do I limit access to dom0 to eth1 and eth2, or is
> that not possible?

dom0 does the bridging! Xen doesn't handle ethernet bridging; it "just" handles
physical server resources.

You can either hide the PCI devices for eth1/eth2 from dom0 (and expose them
to one guest each) or you can run them inside dom0 and have it do bridging.
It's better to do it the latter way in almost all cases because it gives you
fine-grained control and debugging access. It also lets you do cleverer things
such as using them as VLAN trunks and binding xen bridge interfaces to
vlan interfaces.

dom0 should be secure - after all, it can control Xen anyway.

(That said, I do remember some rumour about a "virtualisation ethernet card"
which supposedly allows for multiple VMs to access it somehow without going
through the root domain. I can guess how it works but I'd love to hear how
it's actually implemented, if at all.)



Adrian


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users