RE: [Xen-users] Openvswitch 
Hi Matej,

So in your opinion, my setup is ok, except that I should use a DomU distro which supports PV for the sake of performance? Otherwise everything else is ok (even with the PCI passthrough of the 2 NICs and the 2 bridges etc.)?

Thanks
From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx on behalf of Matej Zary
Sent: Thu 20/05/2010 14:00
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Xen-users] Openvswitch
 
 
 
Well, just one thing - I wouldn't use an HVM DomU as firewall/router for my virtual networks. On older hardware the HVM DomUs have weak (don't want to say terrible/horrible/dreadful :D) network performance unless pv-on-hvm drivers are used (PCI passthru doesn't help a lot in this topology - it would not solve the slowness of inter-DomU network communication).

What about Vyatta for FW/router (http://www.vyatta.com/)?
 
 
A dedicated management NIC for Dom0 is always a good idea - Dom0 shouldn't be on the same network with DomUs IMHO - Dom0 LAN access should be treated like IPMI/ILO/KVM access ports on physical servers IMO.
 
 
 Regards
 
 Matej
 
 
 
-----Original Message-----
From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx [mailto:xen-users-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Jonathan Tripathy
Sent: Thursday, May 20, 2010 2:40 PM
To: Nick Couchman
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Xen-users] Openvswitch
 
 Hi Nick,
 
Thanks for your very helpful email.

What I want to set up is a 3 interface system: WAN, LAN and DMZ.

So far, the layout I'm thinking of is similar to this:
http://www.shorewall.net/XenMyWay.html

In a nutshell, I will probably create a firewall in a DomU, and delegate a physical PCI NIC to it (which will be used for the firewall's WAN interface). Then create 2 "bridges" (one for the "LAN" interface, and one for the "DMZ" interface) and assign a vif from each bridge to the firewall DomU. Neither bridge will have a physical NIC attached to it. Of course, there will be other DomUs connected to the respective bridges. The 2nd physical NIC of the server will be delegated to a DomU machine in the "LAN" subnet. This will be an LTSP Terminal Server, and will be connected to a physical switch for all my thin clients to connect to.

I intend to use pfSense (which is BSD based, which I think works with HVM mode) in the DomU, instead of Shorewall (as described in that link).

For the actual bridges, I will probably follow the following link to make it more "Layer 3 switch like":
http://www.standingonthebrink.com/index.php/ipv6-ipv4-and-arp-on-xen-for-vps/

I will probably need a 3rd NIC to use as a management interface. I really do need some help securing the Dom0.

Think this is safe? I really do need it to be very secure, due to PCI (credit card details) compliance.
 
 Thanks
 
 Jonny
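As an added example (not code from the thread or from any of its posters): a shell script that builds the two physical-NIC-less bridges Jonathan describes, writes a Xen domain config for the firewall DomU with the WAN NIC passed through, and checks Matej's rule that Dom0 carries an address only on its dedicated management NIC. The bridge names xenbr-lan/xenbr-dmz, the management interface eth2, the PCI address 0000:03:00.0, the domain name fw and the disk path are assumptions, not from the thread.

```shell
#!/bin/bash
# Added example, not code from the thread. Assumed names (not in the posts):
# bridges xenbr-lan / xenbr-dmz, Dom0 management NIC eth2, WAN NIC at PCI
# address 0000:03:00.0, DomU name "fw", disk /dev/vg0/fw-root.
# Set DRY_RUN=1 to print the ip(8) commands instead of executing them.

set -u
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or print it when DRY_RUN=1 (lets the script be previewed
# without root and tested offline).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# An internal bridge: no physical NIC is ever enslaved to it, so the only
# ports it gets are DomU vifs added by the Xen toolstack, and the firewall
# DomU is the sole path between it and anything physical.
make_internal_bridge() {
    br="$1"
    run ip link add name "$br" type bridge
    run ip link set dev "$br" up
}

# Firewall DomU config (xm/xl syntax): the WAN NIC passed through by PCI
# address, plus one vif on each internal bridge. pfSense is BSD based and
# runs as HVM, so install PV-on-HVM network drivers in the guest, which is
# the performance point Matej raises above.
gen_fw_config() {
    name="$1"; wan_pci="$2"; lan_br="$3"; dmz_br="$4"
    cat <<EOF
name = "$name"
builder = "hvm"
memory = 512
vcpus = 1
pci = [ "$wan_pci" ]
vif = [ "bridge=$lan_br", "bridge=$dmz_br" ]
disk = [ "phy:/dev/vg0/fw-root,hda,w" ]
boot = "c"
EOF
}

# Matej's rule: Dom0 is reachable only on its management NIC, like an
# IPMI/iLO port. Reads `ip -o -4 addr show` output on stdin (so a captured
# listing can be fed in) and fails if any interface other than lo and the
# management NIC carries an IPv4 address, i.e. Dom0 has an address on a
# guest bridge or on a NIC that should belong to a DomU.
check_dom0_addresses() {
    mgmt_if="$1"
    bad=0
    # `ip -o -4 addr show` lines look like: "4: eth2    inet 10.0.0.5/24 ..."
    while read -r _idx ifname _rest; do
        [ -n "$ifname" ] || continue
        case "$ifname" in
            lo|"$mgmt_if") ;;
            *) echo "Dom0 has an IPv4 address on $ifname"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Stand-alone use (the ip commands need root; DRY_RUN=1 previews them):
#   DRY_RUN=1 ./fw-net.sh setup
#   ./fw-net.sh setup && cp fw.cfg /etc/xen/ && xm create /etc/xen/fw.cfg
#   ip -o -4 addr show | ./fw-net.sh check
case "${1:-}" in
    setup)
        make_internal_bridge xenbr-lan
        make_internal_bridge xenbr-dmz
        gen_fw_config fw 0000:03:00.0 xenbr-lan xenbr-dmz > fw.cfg
        echo "wrote fw.cfg" ;;
    check)
        check_dom0_addresses eth2 ;;
esac
```

The bridges are created without any physical interface and without an IP address in Dom0, so the only hosts on the LAN and DMZ segments are the DomU vifs, and the check fails loudly if Dom0 ever picks up an address on one of them. The LTSP DomU's NIC and the WAN NIC are passed through by PCI address, so Dom0 has no address on them either; the management NIC is the one interface Dom0 is expected to answer on.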
 
 
________________________________

From: Nick Couchman [mailto:Nick.Couchman@xxxxxxxxx]
Sent: Thu 20/05/2010 13:22
To: Jonathan Tripathy; xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Openvswitch
 
 
 
> Hi Nick,
>
> Thanks for the email.
>
> I currently use the free version of VMWare ESXi, and I can make my
> "own world" with it. You say I can do this with XCP, however is it
> just for testing purposes? Is it insecure for production purposes?
>
 
Sorry to be unclear about that - in pointing out the usefulness for testing purposes, I was not saying that it's insecure or unstable for production use. It just seems to me that about the only time you want your virtual machines on an isolated network is when you're doing some sort of Test/Dev environment - production machines are most useful when they're connected with the rest of the world. I can see some scenarios where you'd use an internal network, though, to connect some production machines, in addition to their external network devices. Anyway, the point is that, yes, the ability to create a bridge in XenServer/XCP/Xen is stable, secure, and production-ready. Just create a bridge without an external network device!
 
 -Nick
 
 
 
 
 
 
 
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users