[Users] Re: several nics on the hn

Timh B timh at shiwebs.net
Fri Oct 7 08:06:36 EDT 2011


Daniel,

On Fri, October 7, 2011 12:46, Daniel Bauer wrote:
> It's an really interesting solution. I've to look at the VLAN technic,
> because I've never used it.
>
> One thing was, that nobody - only the HN - could change the IP for a CT.
> This issue couldn't be solved by VLAN or veth, so I thought to use
> venet.
>
> Now I think I'll prefer the bultin veth technic to solve my problem
> right now.
>

I would also suggest you go this path, configure your "dedicated" hn-nic
(for this example, let's say it's eth0) as usual with the ip-address you
want.

Example (debian):
iface eth0 inet static
   address x.y.z.n
   netmask x.x.x.0
   gateway x.y.z.n

iface eth1 inet manual

iface eth1.100 inet manual
  vlan_raw_device eth0

iface eth1.200 inet manual
  vlan_raw_device eth0

iface vmbr100 inet manual
  bridge_ports eth1.100
  bridge_stp off
  bridge_fd 0

iface vmbr200 inet manual
  bridge_ports eth1.200
  bridge_stp off
  bridge_fd 0

--

Then, when creating your ct's you simple omit the --ipaddress flag on
vzctl command and run vzctl <VEID> set --save --netif_add eth0,,,,vmbr100
and configure "eth0" within the CT.

This will put the ct-network in vlan100 on (hn) eth1 (which as you can
see, has no ip-address configured) on the bridge vmbr100 as veth<VEID>.0
(confirm with "brctl show"). Note: you will have to configure your switch
to send the vlan as "tagged" to the eth1 interface.

For your security concerns I suggest you look into mac-filtering or maybe
check for mismatches between mac and ip addresses you have configured for
the CT, the --netif_add command will generate a mac-address or you can set
one manually.

The veth<VEID>.0 interface will also show up in the HN and you can do
firewalling with something like this;

-A OUTPUT -o veth<VEID>.0 -s <IP> -j ACCEPT
-A OUTPUT -o veth<VEID>.0 -j DROP

(You will have to check the iptables-commands as I wrote them from the top
of my head!)

Good luck!

-- Timh




More information about the Users mailing list