Hi Jonathan,
I'm NO expert with tens of Xenified production systems running core business (I
just made small research/evaluation regarding network performance of
virtualized router/fw in Xen environment and we use Xen and XenServer to run
various auxiliary VMs the classic "standard" way). PCI passthru can boost the
network performance (mainly reducing the delay) when communicating with the
world outside of the Xen driven physical system - question might be, if it's
proved production solution (and the answer might depend on underlying HW and SW
(xen, dom0 and domU kernels...)).
Also the DomUs with assigned real PCI devices cannot be live migrated to
another Xen host - this might or might not be issue at all depending on the
virtualization scenario and particular needs. :)
Yes, the setup looks otherwise ok IMHO. :)
Regars
Matej
-----Original Message-----
From: Jonathan Tripathy [mailto:jonnyt@xxxxxxxxxxx]
Sent: Thursday, May 20, 2010 3:45 PM
To: Matej Zary; xen-users@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Xen-users] Openvswitch
Hi Matej,
So in your opinion, my setup is ok, except that I should use a DomU distro
which supports PV for the sake of performance?
Otherwise everything else is ok (even with the PCI passthrough of the 2 NICS
and the 2 briges etc..)
Thanks
________________________________
From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx on behalf of Matej Zary
Sent: Thu 20/05/2010 14:00
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Xen-users] Openvswitch
Well, just one thing - I wouldn't use HVM DomU as firewall/router for my
virtual networks. On older hardware the HVM DomUs have weak (don't want to say
terrible/horrible/dreadful :D) network performance unless pv-on-hvm drivers
used (PCI passthru doesn't help a lot in this topology - it would not solve the
slowness of inter DomUs network communication).
What about Vyatta for FW/router (http://www.vyatta.com/)?
Dedicated management NIC for Dom0 is always good idea - Dom0 shouldn't be on
the same network with DomUs IMHO - Dom0 lan access should be treated like
IPMI/ILO/KVM access ports on physical servers IMO.
Regards
Matej
-----Original Message-----
From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
[mailto:xen-users-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Jonathan Tripathy
Sent: Thursday, May 20, 2010 2:40 PM
To: Nick Couchman
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Xen-users] Openvswitch
Hi Nick,
Thanks for your very helpful email.
What I want to set up, is a 3 interface system: WAN, LAN and DMZ.
So far, the lauout I'm thinking is similar to this:
http://www.shorewall.net/XenMyWay.html
In a nutshell, I will probably create a firewall in a DomU, and delegate a PCI
physical NIC to it (which will be used for the firewall's WAN interfae). Then
create 2 "bridges" (one for "LAN" interface, and one for "DMZ" interface) and
assign a vif from each bridge to the firewall DomU. Neither bridges will have a
physical NIC attached to it. Of course, there will be other DomUs connected to
the respective bridge. The 2nd physical NIC of the server will be delegated to
a DomU machine in the "LAN" subnet. This will be an LTSP Terminal Server, and
will be connected to a physical switch for all my thin clients to connect to.
I intend to use pfsense (Which is BSD based, which I think works with HVM mode)
in the DomU, instead of shorewall (as described in that link).
For the actual bridges, I will probably follow the following link so make it
more "Layer 3 switch like":
http://www.standingonthebrink.com/index.php/ipv6-ipv4-and-arp-on-xen-for-vps/
<http://www.standingonthebrink.com/index.php/ipv6-ipv4-and-arp-on-xen-for-vps/>
I will probably need a 3rd NIC to access as a management interface. I really do
need some help secureing the Dom0.
Think this is safe? I really do need it to be very secure, due to PCI (credit
card details) compliance
Thanks
Jonny
________________________________
From: Nick Couchman [mailto:Nick.Couchman@xxxxxxxxx]
Sent: Thu 20/05/2010 13:22
To: Jonathan Tripathy; xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Openvswitch
> Hi Nick,
>
> Thanks for the email.
>
> I currently use the free version of VMWare ESXi, and I can make my
> "own world" with it. You say I can do this with XCP, however is it
> just for testing purposes? Is it insecure for production purposes?
>
Sorry to be unclear about that - my pointing out the usefulness for testing
purposes, I was not saying that it's insecure or unstable for production use.
It just seems to me that about the only time you want your virtual machines on
an isolated network is when you're doing some sort of Test/Dev environment -
production machines are most useful when they're connected with the rest of the
world. I can see some scenarios where you'd use an internal network, though,
to connect some production machines, in addition to their external network
devices. Anyway, the point is that, yes, the ability to create a bridge in
XenServer/XCP/Xen is stable, secure, and production-ready. Just create a
bridge without an external network device!
-Nick
--------
This e-mail may contain confidential and privileged material for the sole use
of the intended recipient. If this email is not intended for you, or you are
not responsible for the delivery of this message to the intended recipient,
please note that this message may contain SEAKR Engineering (SEAKR)
Privileged/Proprietary Information. In such a case, you are strictly
prohibited from downloading, photocopying, distributing or otherwise using this
message, its contents or attachments in any way. If you have received this
message in error, please notify us immediately by replying to this e-mail and
delete the message from your mailbox. Information contained in this message
that does not relate to the business of SEAKR is neither endorsed by nor
attributable to SEAKR.
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
|