The base Xen installation is configured such that all domains share a bridge to the first available ethernet interface. Although this makes testing VMs quick and painless, for an upcoming project I want to be able to isolate individual DomUs from the rest of the network. Specifically, I want the Dom0 to tag all traffic from a given DomU onto a VLAN. Here’s a simple example:

Untagged traffic is sent to eth0 and ends up in Dom0. VLAN 2 traffic is sent to eth0.2, which is bridged with DomU 1’s interface. The same occurs with VLAN 3 and DomU 2. One key point in this setup is that the DomUs are completely unaware that they are using a VLAN; all the tagging work is done within the bridges in Dom0. The Dom0 is likewise unaware of the traffic within the VLAN, as it does not have an active address on the eth0.X or vlanbrX interfaces.

To have Xen automatically create these bridges, I wrote the network-bridge-vlan and network-multi-vlan scripts. They have been tested with Xen 3 running on Debian Sarge, but should work with most distributions. Make both scripts executable and place them in /etc/xen/scripts. The VLAN configuration is done within the network-multi-vlan script. To activate the VLANs, edit /etc/xen/xend-config.sxp to use the configuration line

(network-script network-multi-vlan)

To use a new VLAN bridge for an interface within your DomU, change the xen configuration file for the DomU so that the network interface has a bridge specified:

vif = [ 'bridge=vlanbr2' ]
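The page does not reproduce the network-bridge-vlan and network-multi-vlan scripts themselves, so here is an added example (my own, not the author's scripts) of the Dom0 side of the layout described above: one tagged sub-interface eth0.N per VLAN, bridged to vlanbrN, with no address assigned in Dom0 so Dom0 never participates in the VLAN. It uses the classic vconfig and brctl tools of the Xen 3 era; the uplink name, the VLAN list "2 3" and the DRYRUN switch are assumptions. xend invokes its network-script with "start" or "stop", which is what the final case statement handles.

```shell
#!/bin/sh
# Added example: build (or tear down) one untagged-free bridge per VLAN in Dom0.
# Not the author's network-bridge-vlan / network-multi-vlan scripts.
# Assumed values: uplink eth0, VLAN ids 2 and 3; DRYRUN=1 prints instead of runs.
UPLINK=${UPLINK:-eth0}
VLANS=${VLANS:-"2 3"}

# Print or execute one command line, depending on DRYRUN.
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        echo "$1"
    else
        $1
    fi
}

# Commands that create eth0.N and bridge it to vlanbrN, one per line.
# No IP address is configured on either interface: Dom0 only forwards
# tagged frames and stays out of the VLAN itself.
vlan_bridge_cmds() {
    dev=$1; vid=$2
    sub="$dev.$vid"; br="vlanbr$vid"
    printf '%s\n' \
        "vconfig add $dev $vid" \
        "brctl addbr $br" \
        "brctl setfd $br 0" \
        "brctl stp $br off" \
        "brctl addif $br $sub" \
        "ifconfig $sub up" \
        "ifconfig $br up"
}

# Reverse of vlan_bridge_cmds, for the xend "stop" action.
vlan_unbridge_cmds() {
    dev=$1; vid=$2
    sub="$dev.$vid"; br="vlanbr$vid"
    printf '%s\n' \
        "ifconfig $br down" \
        "brctl delif $br $sub" \
        "brctl delbr $br" \
        "ifconfig $sub down" \
        "vconfig rem $sub"
}

# Bring the uplink up (untagged traffic stays in Dom0), then one bridge per VLAN.
setup_vlan_bridges() {
    run "ifconfig $UPLINK up"
    for vid in $VLANS; do
        vlan_bridge_cmds "$UPLINK" "$vid" | while read -r cmd; do run "$cmd"; done
    done
}

teardown_vlan_bridges() {
    for vid in $VLANS; do
        vlan_unbridge_cmds "$UPLINK" "$vid" | while read -r cmd; do run "$cmd"; done
    done
}

# xend calls the network-script with "start" or "stop".
case "${1:-}" in
    start) setup_vlan_bridges ;;
    stop)  teardown_vlan_bridges ;;
esac
```

Run it as root with `start` (or with `DRYRUN=1 sh script start` first to see what it would do). Once the bridges exist, `brctl show` should list vlanbr2 and vlanbr3 with only eth0.2 and eth0.3 attached until a DomU with `bridge=vlanbrN` boots, and `ifconfig vlanbr2` should show no inet address.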

Within the DomU, there are two things that may need to be configured. First, if your ethernet card does not natively support VLAN tags, you will have to set the maximum MTU to 1496 to make room for the tag. The command

ifconfig eth0 mtu 1496

accomplishes this in Linux. Another problem is related to network optimizations done within Xen. With the DomUs bridged to VLAN interfaces, these optimizations need to be disabled or TCP and UDP connections will fail. This is done by disabling transmit checksum offloading:

ethtool -K eth0 tx off

Both should be done in a script at startup. For Debian, I created the script /etc/network/if-up.d/xen containing:

#!/bin/sh
# Debian if-up.d hook: runs with IFACE set to the interface being brought up.

case "$IFACE" in
        eth0)
                # Xen's TX checksum offload breaks TCP/UDP over the VLAN bridge
                ethtool -K "$IFACE" tx off
                # leave 4 bytes for the 802.1Q tag that Dom0 adds
                ifconfig "$IFACE" mtu 1496
                ;;
esac
