Xen Networking: Bridging plus VLAN
A bridge is a device that separates two or more network segments within one logical network (e.g. a single IP-subnet).The job of the bridge is to examine the destination of the data packets one at a time and decide whether or not to pass the packets to the other side of the Ethernet segment. The result is a faster, quieter network with less collisions.The bridging code decides whether to bridge data or to drop it not by looking at the protocol type (IP, IPX, NetBEUI), but by looking at the MAC-address unique to each NIC.
>) Now first step is to remove libvirt default.xml file which creates a NAT bridge which we don’t recommend.
# rm -f /etc/libvirt/qemu/networks/autostart/default.xml
Now reboot to get rid of virtbr0 shows with ifconfig.
>) Since we are going to configure the network manually, we don’t want Xen to mess up with the configuration. In order to keep Xen from reconfiguring the network, simply make sure none of the following lines appear uncommented in the file /etc/xen/xend-config.sxp:
Well this can be accomplished with brctl command too(brctl addbr xenbr2) but let’s just do the configuration part ourselves to having us full control and making us independent from possible further naming changes in Xen.
# vi /etc/sysconfig/network-scripts/ifcfg-xenbr0
# vi /etc/sysconfig/network-scripts/ifcfg-eth0
Setting up the VLAN interfaces and add them up to the existing bridging interfaces:
This can be done manually, by invoking vconfig add |ifname| |vlan| to configure VLAN number |vlan| by using 802.1q tagging on interface |ifname|. This will active a virtual interface named |ifname|.|vlan|:
# vconfig add eth0 2
# vconfig add eth0 10
Such that: > Any traffic sent to this interface will get tagged for VLAN |vlan|.
> Any traffic received from interface |ifname| carrying an 802.1q VLAN tag matching |vlan| will be untagged and received by this interface.
Once the VLAN interfaces are ready, we add them to their corresponding bridging interfaces by using brctl addif |brname| |ifname|.|vlan|. OR as earlier said:
[* Due to latest Xen incompatibility, you can't use .(dot) instead of _(underscore) in xenbr0_2 bridging interface.]
# vi /etc/sysconfig/network-scripts/ifcfg-eth0.2
When working with networking, you usually asked to comment “network-bridge” and let “vif-bridge” uncommented. Below is the reason:
When xend starts up, it runs the network-bridge script, which:
creates a new bridge named xenbr0
“real” ethernet interface eth0 is brought down
the IP and MAC addresses of eth0 are copied to virtual network interface veth0
real interface eth0 is renamed peth0
virtual interface veth0 is renamed eth0
peth0 and vif0.0 are attached to bridge xenbr0. Please notice that in xen 3.3, the default bridge name is the same than the interface it is attached to. Eg: bridge name eth0, eth1 or ethX.VlanID
the bridge, peth0, eth0 and vif0.0 are brought up.
It is good to have the physical interface and the dom0 interface separated; thus you can e.g. setup a firewall on dom0 that does not affect the traffic to the domUs (just for protecting dom0 alone).
When a domU starts up, xend (running in dom0) runs the vif-bridge script, which:
attaches vif.0 to xenbr0
vif.0 is brought up
a) Also sometimes UDP traffic gets stuck at the network stack and does not flow through unless we load the ip_conntrack.ko kernel module.
Failing to load the ip_conntrack.ko kernel module, even with an unconfigured, empty firewall, allows ICMP and TCP traffic to flow from and to the guest network stack, but UDP traffic, like DNS queries, gets stuck and doesn’t even touch the physical network interface.
b) The bridging interface, |brname| is named after the following convention: xenbr|vlan|:
e.g. xenbr2 is the bridging interface standing on VLAN2.
c) Xen manages several virtual network interfaces, named in the form of vif|X|.|Y|, where |X| equals the Xen domain numeric ID and |Y| is a sequential interface index.