In some cases (such as hosting environments), multiple subnets of IP addresses are provided on a single interface where subnets other than the original are not assigned a default gateway. This configuration works when an IP interface exists within the same subnet as the default gateway from the primary subnet, however this is not always possible.
The diagram below depicts this scenario:
In this case, if a Virtual Machine (VM) is configured within the 172.16.20.0/24 subnet, the customer’s default gateway (172.16.1.1) cannot be used and connectivity to subnets other than 172.16.20.0/24 are not possible.
Whenever possible, configure the default gateway for the secondary subnets as secondary IP addresses on the VLAN. This completely avoids the need for complex workarounds.
Changes to the XenServer host are not officially supported and are made at your own risk. This article makes changes to the XenServer configuration which if made improperly might prevent network access to the host or compromise security. These changes might also be overwritten after updates or upgrades between XenServer releases.
One or more XenServer hosts configured with an existing management IP in the same subnet as the default gateway. Basic Linux (such as editing files) and networking knowledge.
XenServer is designed to allow a single IP address per management interface. In addition, XenServer does not, by default, facilitate routing between IP interfaces as this can compromise system security if not implemented properly.
For XenServer to work effectively in this type of environment, it must be configured to:
• Allow one or more secondary IP addresses to be configured on a given management interface.
• Enable forwarding between IP interfaces.
• Configure the in-built IPTables firewall to allow forwarding between the primary and secondary subnets.
From the secondary subnet, an IP address is designated as the default gateway, which is configured on the XenServer host. All VMs using the secondary subnet(s) route external routes to the XenServer Domain0.
The diagram below shows the modified behavior:
Perform the following steps to configure XenServer:
1. Use the following command to determine the Bridge interface used by XenServer on the same subnet: route | grep default
2. Create a file in /etc/sysconfig/network-scripts called ifcfg-xenbrX:1 (replace “xenbrX” with the appropriate name found in step 1) containing the following parameters (replace the parameters as appropriate): DEVICE=xenbrX:1 ONBOOT=yes BOOTPROTO=none NETMASK= <SUBNET MASK> IPADDR= <IP ADDRESS>
Note: The IP address and subnet mask in this case are those from the secondary subnet allocation. Because this IP address forms the default gateway for VMs using the secondary networks, this is usually the first usable IP address of the subnet.
3. Enable IP packet forwarding for the XenServer Dom0 to operate as a router by editing /etc/sysctl.conf and changing the line that states: “net.ipv4.ip_forward = 0" to: "net.ipv4.ip_forward = 1":
4. Enable forwarding between IP interfaces by adding the following line to /etc/sysconfig/iptables AFTER the line that states "-A RH-Firewall-1-INPUT -i lo -j ACCEPT" (replace xenbrX with the value determined in step 1):
-A RH-Firewall-1-INPUT -i xenbrX -o xenbrX -j ACCEPT
5. Apply the changes made by running the following commands (replace xenbrX from step 1): sysctl -p ifup xenbrX:1 service iptables restart
6. Assign VMs to the management network and configure their default gateway as assigned in step 2.
Connect on Twitter
Find us around the web