This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


Re: [Xen-users] Migration of Xen Networking Setup to new ISP

To: Simon Hobson <linux@xxxxxxxxxxxxxxxx>
Subject: Re: [Xen-users] Migration of Xen Networking Setup to new ISP
From: Thomas Jensen <tom.jensen@xxxxxxxxxxxxxxxxxxxxxx>
Date: Thu, 04 Nov 2010 11:22:37 -0500
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Thu, 04 Nov 2010 09:23:57 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <p06240809c8f56270949c@xxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Organization: Digital Toolbox
References: <4ada2780210ccfe3b4d6b875dfba6a5f@localhost> <p06240809c8f56270949c@xxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Roundcube Webmail/0.4
On Tue, 2 Nov 2010 07:53:50 +0100, Simon Hobson
<linux@xxxxxxxxxxxxxxxx> wrote:
> Thomas Jensen wrote:
>>I currently use pci hide to hide a physical NIC from the Dom0.  This >NIC is 
>>passed to a firewall DomU.  Two other NICs are passed to the >firewall DomU 
>>to create a standard three NIC firewall.  The fourth >NIC in the Dom0 is on a 
>>separate subnet (not part of the firewall) >and is used only for managment of 
>>the Dom0.
>>I would like to setup a firewall DomU on the new ISP and then >migrate the 
>>DomUs to the new firewall one at a time.  I am getting >tripped up on the 
>>fact that my server can't have two gateway >addresses active at one time.
> Well a lot depends on how you want to migrate. There are different
> approaches, in part a lot depends on whether you intend to keep the
> old ISP going :

I don't plan to keep the old one going once the conversion is

> The Big Bang
> You switch off the old connection, and turn on the new one. No
> complications here, you simply switch configs and wait for the DNS
> changes to propagate. Nothing special here except to have all your
> configs worked out in advance to minimise downtime.

I am going to move forward with this approach.  It has probably been a
little more work on my end, but I have been ratcheting down the TTL on
all of the DNS records this week.  I went from 86400 to 3600 yesterday. 
This evening, I will ratchet down to 600 and commence the in the middle
of the night.  I think this will be the most straight forward move and
won't require any significant networking changes during the change over.

> Dual running
> A bit more work, but you parallel run for a while while DNS changes
> propagate and eventually turn off the old connection (unless you want
> to keep it running).
> Phased migration
> You move one bit (service or server) at a time, probably combined
> with parallel running.

I had originally thought about implementing a phased approach;
essentially having two paths out to the two ISPs running at the same
time and moving a DomU from the one to the other one at a time.

> You can do policy based routing in your firewall. Setup a new
> internal bridge for the new subnet you get from your ISP - it doesn't
> need to have a NIC assigned to it. Add extra virtual NICs to the
> guests.

I'm not real strong on the whole bridging concept yet and how that
translates into Xen space.  All of the bridges I currently have now are
linked to physical NICs.  In at least one case, the physical NIC isn't
even physically connected to anything.  This NIC would likely be a good
candidate for the process you described above.

> You then need to set up routing policies (can't help there, never
> done it but I know it can be done) so that :
> Traffic TO subnet A is routed to the old internal network
> Traffic FROM subnet A is routed out via ISP A
> Traffic TO subnet B is routed to the new network
> Traffic FROM subnet B is routed out via ISP B
> I think you can probably do this by running a shared network with
> both subnet A and subnet B on it - ie the extra internal bridge
> probably isn't necessary. Something to look into.
> This article explains how it's done with Shorewall (installed by
> default on all my systems)
> http://shorewall.net/MultiISP.html

I use Shorewall as well on my three NIC firewall.  I had done multiple
searches online, but hadn't turned up the link you provided.  Thanks for
the information.

> -- 
> Simon Hobson
> Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
> author Gladys Hobson. Novels - poetry - short stories - ideal as
> Christmas stocking fillers. Some available as e-books.
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users

Xen-users mailing list

<Prev in Thread] Current Thread [Next in Thread>