WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
RE: [Xen-users] Openvswitch

To: Jonathan Tripathy <jonnyt@xxxxxxxxxxx>, "xen-users@xxxxxxxxxxxxxxxxxxx" <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: RE: [Xen-users] Openvswitch
From: Matej Zary <zary@xxxxxxxxx>
Date: Thu, 20 May 2010 16:36:52 +0200
Accept-language: en-US
Acceptlanguage: en-US
Cc:
Delivery-date: Thu, 20 May 2010 07:38:14 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <46C13AA90DB8844DAB79680243857F0F061FD4@xxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <4BF4D5410200009900058AFA@xxxxxxxxxxxxxxxxxxxxx><46C13AA90DB8844DAB79680243857F0F061FD2@xxxxxxxxxxxxxxxxxxx> <5DB0519124BB3D4DBEEB14426D4AC7EA17E924DAFC@xxxxxxxxxxxxxxxxxxxxx> <46C13AA90DB8844DAB79680243857F0F061FD4@xxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: Acr4FzU6qVy1qg+RQ6CCGSQgTnFi/QAARwK7AACk57AAAfIFegAAkZtA
Thread-topic: [Xen-users] Openvswitch
Hi Jonathan,


I'm NO expert with tens of Xenified production systems running core business (I 
just did a small research/evaluation regarding the network performance of a 
virtualized router/fw in a Xen environment, and we use Xen and XenServer to run 
various auxiliary VMs the classic "standard" way). PCI passthru can boost the 
network performance (mainly reducing the delay) when communicating with the 
world outside of the Xen-driven physical system - the question might be whether 
it's a proven production solution (and the answer might depend on the underlying 
HW and SW (xen, dom0 and domU kernels...)). 

Also, DomUs with assigned real PCI devices cannot be live migrated to 
another Xen host - this might or might not be an issue at all, depending on the 
virtualization scenario and particular needs. :)

Yes, the setup looks otherwise ok IMHO.  :)

Regards


Matej




-----Original Message-----
From: Jonathan Tripathy [mailto:jonnyt@xxxxxxxxxxx] 
Sent: Thursday, May 20, 2010 3:45 PM
To: Matej Zary; xen-users@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Xen-users] Openvswitch

Hi Matej,
 
So in your opinion, my setup is ok, except that I should use a DomU distro 
which supports PV for the sake of performance?
Otherwise everything else is ok (even with the PCI passthrough of the 2 NICs 
and the 2 bridges etc.)? 
 
Thanks

________________________________

From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx on behalf of Matej Zary
Sent: Thu 20/05/2010 14:00
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Xen-users] Openvswitch



Well, just one thing - I wouldn't use an HVM DomU as the firewall/router for my 
virtual networks. On older hardware the HVM DomUs have weak (don't want to say 
terrible/horrible/dreadful :D) network performance unless pv-on-hvm drivers are 
used (PCI passthru doesn't help a lot in this topology - it would not solve the 
slowness of inter-DomU network communication).

What about Vyatta for FW/router (http://www.vyatta.com/)?


A dedicated management NIC for Dom0 is always a good idea - Dom0 shouldn't be on 
the same network as the DomUs IMHO - Dom0 LAN access should be treated like 
IPMI/iLO/KVM access ports on physical servers IMO.


Regards

Matej



-----Original Message-----
From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx 
[mailto:xen-users-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Jonathan Tripathy
Sent: Thursday, May 20, 2010 2:40 PM
To: Nick Couchman
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Xen-users] Openvswitch

Hi Nick,

Thanks for your very helpful email.

What I want to set up, is a 3 interface system: WAN, LAN and DMZ.

So far, the layout I'm thinking of is similar to this:
http://www.shorewall.net/XenMyWay.html

In a nutshell, I will probably create a firewall in a DomU, and delegate a 
physical PCI NIC to it (which will be used for the firewall's WAN interface). Then 
create 2 "bridges" (one for the "LAN" interface, and one for the "DMZ" interface) and 
assign a vif from each bridge to the firewall DomU. Neither bridge will have a 
physical NIC attached to it. Of course, there will be other DomUs connected to 
the respective bridges. The 2nd physical NIC of the server will be delegated to 
a DomU machine in the "LAN" subnet. This will be an LTSP Terminal Server, and 
will be connected to a physical switch for all my thin clients to connect to.

I intend to use pfSense (which is BSD based, which I think works in HVM mode) 
in the DomU, instead of Shorewall (as described in that link).

For the actual bridges, I will probably follow the following link to make it 
more "Layer 3 switch like":
http://www.standingonthebrink.com/index.php/ipv6-ipv4-and-arp-on-xen-for-vps/

I will probably need a 3rd NIC to access as a management interface. I really do 
need some help securing the Dom0.

Think this is safe? I really do need it to be very secure, due to PCI (credit 
card details) compliance.

Thanks

Jonny


________________________________

From: Nick Couchman [mailto:Nick.Couchman@xxxxxxxxx]
Sent: Thu 20/05/2010 13:22
To: Jonathan Tripathy; xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Openvswitch



> Hi Nick,
>
> Thanks for the email.
>
> I currently use the free version of VMWare ESXi, and I can make my
> "own world" with it. You say I can do this with XCP, however is it
> just for testing purposes? Is it insecure for production purposes?
>

Sorry to be unclear about that - in pointing out the usefulness for testing 
purposes, I was not saying that it's insecure or unstable for production use.  
It just seems to me that about the only time you want your virtual machines on 
an isolated network is when you're doing some sort of Test/Dev environment - 
production machines are most useful when they're connected with the rest of the 
world.  I can see some scenarios where you'd use an internal network, though, 
to connect some production machines, in addition to their external network 
devices.  Anyway, the point is that, yes, the ability to create a bridge in 
XenServer/XCP/Xen is stable, secure, and production-ready.  Just create a 
bridge without an external network device!

-Nick




--------

This e-mail may contain confidential and privileged material for the sole use 
of the intended recipient.  If this email is not intended for you, or you are 
not responsible for the delivery of this message to the intended recipient, 
please note that this message may contain SEAKR Engineering (SEAKR) 
Privileged/Proprietary Information.  In such a case, you are strictly 
prohibited from downloading, photocopying, distributing or otherwise using this 
message, its contents or attachments in any way.  If you have received this 
message in error, please notify us immediately by replying to this e-mail and 
delete the message from your mailbox.  Information contained in this message 
that does not relate to the business of SEAKR is neither endorsed by nor 
attributable to SEAKR.



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
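The layout Jonathan describes above (firewall DomU owning the WAN NIC via PCI passthrough, LAN and DMZ on bridges with no physical NIC, a separate management NIC for Dom0) can be expressed as a small amount of dom0 shell plus a domU config. The script below is an added example, not code from the thread, from Xen or from pfSense; the bridge names `xenbr-lan`/`xenbr-dmz`, the PCI address `0000:01:00.0` and the disk path are constructed placeholders, and it assumes bridge-utils and iproute2 on dom0 with xm/xl-style guest configs. It also adds a check the thread only implies: the isolation of the LAN/DMZ segments holds only as long as no physical interface is ever attached to those bridges.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Xen project: builds the
# firewall topology Jonathan describes (WAN NIC handed to the firewall domU by
# PCI passthrough; LAN and DMZ on bridges that have no physical NIC) and checks
# the property the isolation depends on. Bridge names, the PCI address and the
# disk path are constructed placeholders.

LAN_BR=xenbr-lan   # placeholder bridge names
DMZ_BR=xenbr-dmz

# Create an internal bridge. Nothing physical is ever added with 'brctl addif',
# which is exactly what keeps the LAN and DMZ segments reachable only through
# the firewall domU. Pass "echo" as $2 to print the commands instead of running
# them (bridge-utils and iproute2 assumed).
make_isolated_bridge() {
    br=$1
    run=${2:-}
    $run brctl addbr "$br"
    $run brctl stp "$br" off
    $run ip link set "$br" up
}

# Given a bridge's port list as a space-separated string (the form 'brctl show'
# prints), return 0 if every port is a guest-side vif/tap and 1 if any other
# interface (e.g. eth1) has been attached and silently joined the segment to
# the outside world.
bridge_is_internal() {
    for port in $1; do
        case "$port" in
            vif*|tap*) ;;
            *) echo "bridge port '$port' is not a guest interface" >&2; return 1 ;;
        esac
    done
    return 0
}

# Emit the xm/xl style config for the pfSense firewall domU.
# $1 = PCI BDF of the WAN NIC, $2 = guest disk image (both placeholders).
fw_domu_config() {
    wan_pci=$1
    disk=$2
    cat <<EOF
name = "fw"
builder = "hvm"    # pfSense is FreeBSD-based and runs as HVM here
memory = 512
vcpus = 1
# WAN: the physical NIC is owned by the guest; dom0 never holds an address on it.
pci = [ "$wan_pci" ]
# LAN then DMZ, in fixed order so the guest's interface numbering is stable.
vif = [ "bridge=$LAN_BR", "bridge=$DMZ_BR" ]
disk = [ "file:$disk,hda,w" ]
boot = "c"
EOF
}

# Dom0 itself keeps a separate management NIC (the "3rd NIC" in the thread) that
# is not a member of either bridge, so a domU cannot reach dom0's management
# address through the LAN or DMZ segment.

# Preview (nothing is changed on the host):
#   make_isolated_bridge "$LAN_BR" echo
#   make_isolated_bridge "$DMZ_BR" echo
#   fw_domu_config 0000:01:00.0 /var/lib/xen/fw.img   # redirect to /etc/xen/fw.cfg
```

Run `bridge_is_internal "$(brctl show xenbr-lan | awk 'NR>1 {print $NF}' | tr '\n' ' ')"` from a cron job or monitoring check to catch the day someone adds `eth1` to the "internal" bridge; with the management NIC left out of both bridges, a compromised DomU on LAN or DMZ has no path to dom0 except through the firewall DomU.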


