Notes from daily work on system operations, virtualization and cloud computing, databases, network security and related topics.

How to Set up XenServer in a Routed Network


Summary

In some cases (such as hosting environments), multiple IP subnets are delivered on a single interface, but only the original (primary) subnet is given a default gateway by the provider. This works as long as every host or VM has an IP interface in the same subnet as the primary subnet's default gateway; that is not always possible.

The diagram below depicts this scenario:

In this case, if a VM is configured with an address in the 172.16.20.0/24 subnet, the customer's default gateway (172.16.1.1) cannot be used, and connectivity to anything outside 172.16.20.0/24 is not possible.

Whenever possible, have the default gateway for each secondary subnet configured as a secondary IP address on the upstream router's VLAN interface. That completely avoids the need for the workaround described here.

Notice

This article makes changes to the XenServer configuration which, if made improperly, might prevent network access to the host or compromise security. These changes might also be overwritten after updates or upgrades between XenServer releases.

Requirements

One or more XenServer hosts configured with an existing management IP address in the same subnet as the default gateway.

To implement this procedure, it is assumed that you have basic Linux (such as editing files) and networking knowledge.

Background

XenServer is designed to allow a single IP address per management interface. In addition, XenServer does not by default facilitate routing between IP interfaces as this can compromise system security if not implemented properly.

For XenServer to work effectively in this type of environment, it must be configured to:

    1. Allow one or more secondary IP addresses to be configured on a given management interface.

    2. Enable forwarding between IP interfaces.

    3. Configure the built-in iptables firewall to allow forwarding between the primary and secondary subnets.

One IP address from the secondary subnet is designated as that subnet's default gateway and configured on the XenServer host. All VMs using the secondary subnet(s) send traffic destined outside their subnet to the XenServer Domain 0 (dom0), which forwards it to the primary subnet's default gateway. For return traffic to reach the VMs, the upstream router must already route the secondary subnet to an address on the primary subnet that this host owns (normally its management IP); confirm this with the provider before proceeding, because nothing in the steps below changes the upstream routing.

The diagram below shows the modified behavior:

Procedure

Perform the following steps to configure XenServer:

1. Use the following command to determine the bridge interface (xenbrX, shown in the last column of the output) that XenServer uses on the same subnet as the default gateway:
route | grep default

2. Create a file in /etc/sysconfig/network-scripts called ifcfg-xenbrX:1 (replace “xenbrX” with the appropriate name found in step 1) containing the following (replace the parameters as appropriate):

      DEVICE=xenbrX:1
      ONBOOT=yes
      BOOTPROTO=none
      NETMASK=<SUBNET MASK>
      IPADDR=<IP ADDRESS>

Note: The IP address and subnet mask in this case are those from the secondary subnet allocation. Because this IP address forms the default gateway for VMs using the secondary networks, this is usually the first usable IP address of the subnet.

3. Enable IP forwarding for the XenServer Dom0 to operate as a router by editing /etc/sysctl.conf and changing the line:
- from -
net.ipv4.ip_forward = 0
- to -
net.ipv4.ip_forward = 1

4. Enable forwarding between IP interfaces by adding the following line to /etc/sysconfig/iptables AFTER the line that states "-A RH-Firewall-1-INPUT -i lo -j ACCEPT" (replace xenbrX with the value determined in step 1):
-A RH-Firewall-1-INPUT -i xenbrX -o xenbrX -j ACCEPT

Note: This rule matches forwarded packets only because the default XenServer ruleset sends both the INPUT and the FORWARD chain through RH-Firewall-1-INPUT (check with grep FORWARD /etc/sysconfig/iptables). It permits forwarding solely for traffic that enters and leaves on the same bridge, so traffic between xenbrX and any other bridge is still rejected by the chain's final REJECT rule; keep it that way unless you deliberately intend dom0 to route between networks.

5. Apply the changes made by running the following commands (replace xenbrX from step 1):

    sysctl -p
    ifup xenbrX:1
    service iptables restart

6. Attach the VMs' virtual interfaces to the management network (the network behind xenbrX), give them addresses from the secondary subnet, and configure the IP address assigned in step 2 as their default gateway.
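The script below is an added example and is not part of the Citrix article. It turns steps 1 to 4 into shell functions that render the alias file, the sysctl change and the iptables rule, and stages them under a root directory of your choice so the result can be diffed before anything touches the live /etc of dom0. It assumes the RHEL5-style /etc/sysconfig/iptables layout that XenServer 5.x/6.x ship, in which both INPUT and FORWARD jump to the RH-Firewall-1-INPUT chain, and it refuses to stage the firewall change when that jump is missing; the bridge name and addresses in the usage comment are placeholders.

```bash
#!/bin/bash
# Added example (not from the Citrix article): stage the dom0 configuration
# from steps 1-4 against an arbitrary root directory for review. Assumes the
# RHEL5-style /etc/sysconfig/iptables layout where FORWARD jumps into
# RH-Firewall-1-INPUT (the layout XenServer 5.x/6.x ship).
set -eu

# Step 1: the bridge carrying the default route, parsed from `route` or
# `route -n` output on stdin, e.g.  route -n | default_bridge
default_bridge() {
    awk '($1 == "default" || $1 == "0.0.0.0") && $4 ~ /G/ { print $NF; exit }'
}

# Step 2: contents of ifcfg-xenbrX:1 for the secondary-subnet gateway address.
render_ifcfg() {
    local bridge=$1 ip=$2 mask=$3
    printf 'DEVICE=%s:1\nONBOOT=yes\nBOOTPROTO=none\nNETMASK=%s\nIPADDR=%s\n' \
        "$bridge" "$mask" "$ip"
}

# Step 3: turn net.ipv4.ip_forward on in sysctl.conf text (stdin -> stdout).
enable_ip_forward() {
    sed 's/^net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*0[[:space:]]*$/net.ipv4.ip_forward = 1/'
}

# Step 4: insert the same-bridge forwarding rule directly after the loopback
# rule (stdin -> stdout). Only packets entering and leaving on this one bridge
# are accepted; forwarding to any other bridge still hits the final REJECT.
insert_forward_rule() {
    awk -v b="$1" '
        { print }
        $0 == "-A RH-Firewall-1-INPUT -i lo -j ACCEPT" {
            print "-A RH-Firewall-1-INPUT -i " b " -o " b " -j ACCEPT"
        }'
}

# The rule above is only consulted for forwarded packets if the FORWARD chain
# jumps into RH-Firewall-1-INPUT. Returns 0 when the ruleset on stdin does.
forward_chain_is_filtered() {
    grep -q -- '^-A FORWARD -j RH-Firewall-1-INPUT$'
}

# Stage all three changes under $root (use / on dom0, a temp dir for review).
# Arguments: root bridge gateway_ip netmask
stage_config() {
    local root=$1 bridge=$2 ip=$3 mask=$4
    local sysconf=$root/etc/sysctl.conf fw=$root/etc/sysconfig/iptables
    forward_chain_is_filtered < "$fw" || {
        echo "FORWARD does not jump to RH-Firewall-1-INPUT; edit $fw by hand" >&2
        return 1
    }
    render_ifcfg "$bridge" "$ip" "$mask" \
        > "$root/etc/sysconfig/network-scripts/ifcfg-$bridge:1"
    enable_ip_forward < "$sysconf" > "$sysconf.new" && mv "$sysconf.new" "$sysconf"
    insert_forward_rule "$bridge" < "$fw" > "$fw.new" && mv "$fw.new" "$fw"
}

# Usage on dom0, once a staged copy has been reviewed (placeholder values):
#   stage_config / "$(route -n | default_bridge)" 172.16.20.1 255.255.255.0
#   sysctl -p && ifup xenbr0:1 && service iptables restart
```

After applying, confirm the three changes took effect with sysctl net.ipv4.ip_forward, ip addr show xenbrX (the alias address should be listed) and iptables -L RH-Firewall-1-INPUT -n -v, then test from a VM on the secondary subnet that traffic to the primary subnet's gateway and beyond is forwarded and that replies come back.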

More Information

Citrix Forum Discussion: http://forums.citrix.com/thread.jspa?threadID=240700&start=0&tstart=0



Please credit the source when reposting: [How to Set up XenServer in a Routed Network].

《www.micoder.cc》 Virtualization and cloud computing, system operations, security technology services.
