Re: [Xen-users] Yet another question about multiple NICs

[Felix Kuperjans <felix@xxxxxxxxxxxxxxxxxx>]

Answers within quotes:

Am 19.12.2010 16:20, schrieb Philippe Combes:
>
> Felix Kuperjans a écrit :
>> Hi Philippe,
>>
>> I forgot about Xen's renaming... The firewall rules do nothing special,
>> they won't hurt anything.
>> Ip addresses are also correct (on both sides), but the routes are
>> probably not ok:
>> - The dom1 does not have a default route - so it will not be able to
>> reach anything outside the two subnets (but should reach anything inside
>> of them).
>
> It needs not so far.
>
>> - It's interesting that dom1's firewall output shows that no packages
>> were processed, so maybe you didn't ping anything since the last reboot
>> from dom1 or the firewall was loaded by reading it's statistics...
>
> You requested for the outputs "when <my> system has just started".
> Hence no packet, I guess. But shouldn't there be at least those exchanged
> for the ssh connection to the dom1 ?
> Anyway, after one minute or so, I get on the dom1:
> # iptables -nvL
> Chain INPUT (policy ACCEPT 23 packets, 884 bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>
> Chain OUTPUT (policy ACCEPT 4 packets, 816 bytes)
>  pkts bytes target     prot opt in     out     source
> destination
That looks better.
>
>
>> Still no reasons why you can't ping local machines from the dom1 (and
>> sometimes even not from dom0). Have you tried pinging each other, so
>> dom0 -> dom1 and vice versa?
>
> Yes I tried, and it has always worked while dom0's eth1 was up.
So it's only impossible to ping the domU from other machines on the
network (and vice versa)?
I think Fajar is probably right with his guess that your physical
switches are managed. That means they do traffic filtering on their
ports based on the mac addresses.
Which switch models do you use on your two networks?
>
>> The only remaining thing that denies communication would be ARP, so the
>> output of:
>> # ip neigh show
>> on both machines *directly after* a ping would be nice (within a few
>> seconds - use && and a time-terminated ping).
>
> Nothing on a machine when not connected. But when connected (here the
> dom0):
> $ ip neigh show
> 192.168.24.125 dev eth1 lladdr 00:16:36:e0:81:2c REACHABLE
> 172.16.113.100 dev eth0 lladdr 00:16:38:4c:04:00 DELAY
> 172.16.113.123 dev eth0 lladdr 00:16:36:e0:81:2e STALE
> 172.16.113.124 dev eth0 lladdr 00:1b:24:3d:ca:95 REACHABLE
> 172.16.113.106 dev eth0 lladdr 00:16:38:28:b5:39 REACHABLE
ARP seems to work at least on the Domain-0 *if* one of those IP
addresses is the one of the domU...
Can you try doing this on the DomU when pinging a host in the network?
>
> Does that give you any clue for further investigations ?
> Thanks again,
> Philippe
>
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
>

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users