xen-users
Re: [Xen-users] Ideal(istic) Xen firewall design
Hi all,
Marcus Brown wrote:
> I've got a coloured version (hey it's therapy!) with more domUs,
> but here's an ASCII version of the current design:
>
> OPTION C-v3.1
> =============
> Internet
> |
> eth1
>
> ________________________________________|__________________________________________
> |
> ________________________________|__________________________________ |
> | |
> | |
> | | Firewall
> | |
> Local eth0 =|=======| (dom1)
> |=======|= eth2 DMZ
> |
> |_________________________________________________________________| |
> (optional)
> | | | |
> |
> | eth3 eth4 eth5
> |
> | | ________________ | ______________ |
> _______________ |
> | | | Proxy Server | | | Web Server | | | iPaq
> Server | |
> | | | (domU1) | | | (domU2) | | |
> (dom2) |========|= USB Host #1
> | | |______________| | |____________| |
> |_____________| | (for BT Dongle)
> | | / | / | /
> | ( and cradle )
> | | / | / _______________ | /
> |
> | |/ |/ | Mail Server | |/
> |
> | | | | (domU3) | |
> |
> | | | |_____________| |
> |
> | | | / |
> |
> | | | / |
> |
> | | |/ |
> |
> | xen-br0 br1 br1
> |
> | | ! !
> |
> |
> ___|_______________________________________________________________ |
> | |
> | |
> | | dom0
> | |
>
> |_______|_________________________________________________________________|_______|
>
This setup works extremely well for my purposes.
I have, however, noticed network performance issues when scp'ing from dom0 to a client in the local 'Green Zone'.
Rather than the 4MB/s I'd expect (PIIX4 ata33 IDE with software raid), I'm only getting 1.4MB/s :(
(screen shots here: http://marcusbrutus.cust.internode.on.net/Computers/C3-1 )
I appreciate there's a lot more calculation going on, but still ...
>Mike Tierney wrote:
>>>> But it is still tempting to just do away with the separate firewall vm and
>>>> do all the firewalling in Dom0!
With this in mind, I might be prepared to change my setup to something like this:
OPTION C-v3.2
=============
Internet
|
eth1
________________________________________|__________________________________________
|
________________________________|__________________________________ |
| |
| |
| | Firewall
| |
| | (dom1)
|=======|= eth2 DMZ
|
|_________________________________________________________________| |
(optional)
| | | |
|
| eth3 eth4 eth5
|
| | ________________ | ______________ |
_______________ |
| | | Proxy Server | | | Web Server | | | iPaq
Server | |
| | | (domU1) | | | (domU2) | | |
(dom2) |========|= USB Host #1
| | |______________| | |____________| |
|_____________| | (for BT Dongle)
| | / | / | /
| ( and cradle )
| | / | / _______________ | /
|
| |/ |/ | Mail Server | |/
|
| | | | (domU3) | |
|
| | | |_____________| |
|
| | | / |
|
| | | / |
|
| | |/ |
|
| xen-br0 br1 br1
|
| | ! !
|
| |
_____________________________________________________________ |
| \ |
| |
Local eth0 =|============+| dom0
| |
|_____________|___________________________________________________________|_______|
However, as the bandwidth throughput issue would still remain for all the other domains, I'm not sure if there's a real benefit.
I have a burner in this machine, with the hopes of using it for domain filesystem backups in the future.
Can I assume that this performance would be improved dramatically using an MP machine (or HT)?
Are there other ways of improving this performance?
Appreciate your advice.
Marcus.