[Fedora-xen] VLANs on DomU domains

Thu Nov 23 00:10:54 UTC 2006

Thanks Bertho,
I managed to get it to work something along the lines of your first 
method before I read your email. I was also unsuccessful using your 
second method.

I wanted a Dom0 host to be accessable only on an administration network 
with the guests accessing their relevant VLANs

I used one Gig (eth0) real interface as an 802.1Q trunk with the Dom0 
having no interfaces mapped to it.
The Dom0 was connected (without VLANS) to the administration network via 
eth1. I had to modify /etc/xen/xend-config.sxp to bridge eth0 otherwise 
it would bridge the active device (eth1)

eth0 --> xenbr0 -> Dom1 --> VLAN1
                                         |-> VLAN2
                                         |->...
eth1-->Dom0

(network-script 'network-bridge netdev=eth0')

The guests were then set up as normal hosts connected to an 802.1Q trunk 
network as you detailed.

I found that if I used VLANs on the Dom0 on eth0 then the trunk would 
not pass through to the guests,  Hence why Dom0 is not using VLANs on eth0.
I did not do much research to discover why except that the instant I 
removed the VLANs from Dom0 eth0 the VLAN networks started working on 
the guest.

My initial email came about because I was expecting to have to plumb the 
individual VLANs through to the guests as you also failed to do. This is 
much like VMWare ESX works.

Regards
Darryl

Bertho Stultiens wrote:
>> I am setting up a box with FC6 + xen with FC6 for the DomU guests.
>> I have a server with 4 gigabit ports and I want to use 802.1Q vlans on
>> one of the gig ports.
>> I have the VLANs configured in Dom0 without any addresses attached to
>> them.
>> How do I make the VLANs available to the guests? I want to make 4
>> VLANs available to each guest. I have thought of a few alternatives
>> but I cannot get any to work.
>>     
>
> The easy way; I have installed FC6 with 802.1Q and 4 guests. It works
> very nicely. For each guest do:
> 1 - You need to enable vlans /etc/sysconfig/network.
> 	NETWORKING=yes
> 	VLAN=yes
> 	NETWORKING_IPV6=no
> 	HOSTNAME=xenbox2.example.com
> 	GATEWAY=192.168.42.1
>
> 2 - create a subinterface by file editting
> /etc/sysconfig/network-scripts/ifcfg-eth0.42:
> 	DEVICE=eth0.42
> 	BOOTPROTO=static
> 	ONBOOT=yes
> 	IPADDR=192.168.42.102
> 	NETMASK=255.255.255.0
> 	TYPE=Ethernet
>
> 3 - depending on whether you want untagged packets on the same
> interface, you need to edit the /etc/.../ifcfg-eth0 file too. (note: the
> parent interface must be up for the tagged interface to work.) The lines
> commented out will assign an IP address to the untagged interface:
> 	DEVICE=eth0
> 	BOOTPROTO=none
> 	ONBOOT=yes
> 	TYPE=Ethernet
> 	# BOOTPROTO=static
> 	# IPADDR=172.16.42.102
> 	# NETMASK=255.255.255.0
>
> 4 - make sure that your /etc/hosts setup is correct. If you have DNS
> available 24/7, then only define localhost[.localdomain} as 127.0.0.1
> and not the hostname itself.
>
> When you restart the network in the guest, then your guest will default
> to use the tagged interface vlan 42 (above example). If you want the
> untagged interface as default, then you can change the gateway and
> assign an IP address to it.
>
> On the host, you need to do a similar thing. Create a subinterface
> eth0.42 and assign an IP address to it. Once that is done, you can talk
> to your guests via dot1Q from your host.
>
> Beware of iptables! If you have a firewall setup, then you need to make
> sure that it is done right. Doing it right, though, is a though job with
> dot1Q in place. I have the firewall completely disabled on the host and
> guests. My firewall is placed physically separated on another box.
>
>
>   
>> 1. Bridge the tagged 802.1Q stream from the Gig port through to the
>> guests and configure eth0.x. on the guests
>>     
>
> This would be above scenario.
>
>
>   
>> 2. Create a bridge on Dom0 for each VLAN so that they appear as
>> eth0...eth3 on the guests.
>>     
>
> The xenbrX interfaces on the host already transport all packets because
> they are L2 bridges (see brctl). The bridge does not care whether the
> packets are .1Q tagged or not. The only thing you need is to instruct
> the kernel to look for/act on specifics by creating (sub-)interfaces.
>
> Now, if you want the guests not to know that they are connected to a
> VLAN, then you need a brigde-interface to do (un-)tagging for you. That
> means that you need to create a dot1Q subinterface on the host's
> physical peth[0-3] and add the subinterface to a new bridge.
>
> Normal scenario:
> peth0  -> xenbr0 -> vif0.0(host eth0)
>                     vif1.0(guest1 eth0)
>
> Dot1Q scenario:
> peth0.42 -> xenbr42 -> vif1.0(guest1 eth0)
>
> i.e.:
> # brctl addbr xenbr42
> # ip link set xenbr42 up
> # vconfig add peth0 42
> # ip link set peth0.42 up
> # brctl addif xenbr42 peth0.42
>
> In the VM config you have now something like:
> vif = [ 'mac=00:16:3e:11:22:33, bridge=xenbr42', ]
>
> The VM's eth0 interface is created as part of bridge that will fowrard
> to a subinterface. The kernel will now do the tagging/untagging (note:
> slow) and the VM cannot see that it is attached to a VLAN.
>
> Theoretically it should work, but I was not able to make this scenario
> work as expected though. I suspect that the hosts peth0 -> eth0 bridge
> is interfering (which has a tagged interface too in my setup). Or maybe
> my fingers were too fast at typing and I forgot a simple thing...
>
>
>
>   
>> The xen documentation is minimal for configuring VLANs. Is there a
>> (FC6) supported way of configuring them?
>>     
>
> Vlans is a no-issue for xen. It is layered in the network and xen only
> passes the packets.
>
>
>   
__________________________________________________________________________________
                                DISCLAIMER

The contents of this electronic message and any attachments are intended only
for the addressee and may contain legally privileged, personal, sensitive or
confidential information. If you are not the intended addressee, and have
received this email, any transmission, distribution, downloading, printing or
photocopying of the contents of this message or attachments is strictly
prohibited. Any legal privilege or confidentiality attached to this message and
attachments is not waived, lost or destroyed by reason of delivery to any
person other than intended addressee. If you have received this message and
are not the intended addressee you should notify the sender by return email and
destroy all copies of the message and any attachments.  Unless expressly
attributed, the views expressed in this email do not necessarily represent the
views of the company.