Hi Everyone,

Is Openvswitch, which is now in XCP and XenServer, just a Xen alternative to VMware's fancy virtual switches?

For example, can I create virtual switches and VLANs "inside" the Xen host?

One thing that was nice about VMware was that you could create your "own world" inside the box, regarding network layout.

Thanks
Jonny

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
>>> On 2010/05/19 at 07:16, "Jonathan Tripathy" <jonnyt@abpni.co.uk> wrote:
> Hi Everyone,
>
> Is Openvswitch, which is now in XCP and XenServer, just a Xen alternative to
> VMware's fancy virtual switches?
>
> For example, can I create virtual switches and VLANs "inside" the Xen host?
>
> One thing that was nice about VMware was that you could create your "own
> world" inside the box, regarding network layout.

Yes, openvswitch is very similar to VMware's Cisco Nexus switch provided with the enterprise-level versions of vSphere. It allows you to create a full virtual switch inside your host, rather than relying on things like dom0 bridge support to accomplish domU network access. It has several advantages: remote administration (the ability to remotely configure your switch from a central location), remote monitoring (sFlow/NetFlow support), port mirroring (useful instead of monitoring all of the traffic on a bridge), and quite a bit more. Additionally, openvswitch is an "openflow" switch, which means you can set up an openflow controller machine (physical or domU) that will actually do all of the traffic directing for your virtual network.

You can create your "own world" inside a box without openvswitch or Cisco Nexus. On Xen, you can create a local bridge that has no connectivity to a physical ethernet interface, and connect your domUs to that bridge. This gives you an isolated network on which you can test stuff. The same thing can be done with VMware. You don't need a virtual switch on either platform to accomplish this.

-Nick

--------
This e-mail may contain confidential and privileged material for the sole use of the intended recipient. If this email is not intended for you, or you are not responsible for the delivery of this message to the intended recipient, please note that this message may contain SEAKR Engineering (SEAKR) Privileged/Proprietary Information. In such a case, you are strictly prohibited from downloading, photocopying, distributing or otherwise using this message, its contents or attachments in any way. If you have received this message in error, please notify us immediately by replying to this e-mail and delete the message from your mailbox. Information contained in this message that does not relate to the business of SEAKR is neither endorsed by nor attributable to SEAKR.
On 19/05/10 18:00, Nick Couchman wrote:
> You can create your "own world" inside a box without openvswitch or Cisco Nexus. On Xen, you can create a local bridge that has no connectivity to a physical ethernet interface, and connect your domUs to that bridge. This gives you an isolated network on which you can test stuff.

Hi Nick,

Thanks for the email.

I currently use the free version of VMware ESXi, and I can make my "own world" with it. You say I can do this with XCP, however is it just for testing purposes? Is it insecure for production purposes?

Thanks
> Hi Nick,
>
> Thanks for the email.
>
> I currently use the free version of VMware ESXi, and I can make my "own
> world" with it. You say I can do this with XCP, however is it just for
> testing purposes? Is it insecure for production purposes?

Sorry to be unclear about that - by pointing out the usefulness for testing purposes, I was not saying that it's insecure or unstable for production use. It just seems to me that about the only time you want your virtual machines on an isolated network is when you're doing some sort of Test/Dev environment - production machines are most useful when they're connected with the rest of the world. I can see some scenarios where you'd use an internal network, though, to connect some production machines, in addition to their external network devices.

Anyway, the point is that, yes, the ability to create a bridge in XenServer/XCP/Xen is stable, secure, and production-ready. Just create a bridge without an external network device!

-Nick
Hi Nick,

Thanks for your very helpful email.

What I want to set up is a 3-interface system: WAN, LAN and DMZ. So far, the layout I'm thinking of is similar to this: http://www.shorewall.net/XenMyWay.html

In a nutshell, I will probably create a firewall in a DomU, and delegate a physical PCI NIC to it (which will be used for the firewall's WAN interface). Then create 2 "bridges" (one for the "LAN" interface, and one for the "DMZ" interface) and assign a vif from each bridge to the firewall DomU. Neither bridge will have a physical NIC attached to it. Of course, there will be other DomUs connected to the respective bridges.

The 2nd physical NIC of the server will be delegated to a DomU machine in the "LAN" subnet. This will be an LTSP Terminal Server, and will be connected to a physical switch for all my thin clients to connect to.

I intend to use pfSense (which is BSD-based, which I think works with HVM mode) in the DomU, instead of Shorewall (as described in that link).

For the actual bridges, I will probably follow the following link to make it more "Layer 3 switch like": http://www.standingonthebrink.com/index.php/ipv6-ipv4-and-arp-on-xen-for-vps/

I will probably need a 3rd NIC to act as a management interface.

I really do need some help securing the Dom0. Think this is safe? I really do need it to be very secure, due to PCI (credit card details) compliance.

Thanks
Jonny

________________________________
From: Nick Couchman [mailto:Nick.Couchman@seakr.com]
Sent: Thu 20/05/2010 13:22
To: Jonathan Tripathy; xen-users@lists.xensource.com
Subject: Re: [Xen-users] Openvswitch
Well, just one thing - I wouldn't use an HVM DomU as firewall/router for my virtual networks. On older hardware the HVM DomUs have weak (don't want to say terrible/horrible/dreadful :D) network performance unless pv-on-hvm drivers are used (PCI passthru doesn't help a lot in this topology - it would not solve the slowness of inter-DomU network communication). What about Vyatta for FW/router (http://www.vyatta.com/)?

A dedicated management NIC for Dom0 is always a good idea - Dom0 shouldn't be on the same network with DomUs IMHO - Dom0 LAN access should be treated like IPMI/iLO/KVM access ports on physical servers IMO.

Regards
Matej

-----Original Message-----
From: xen-users-bounces@lists.xensource.com [mailto:xen-users-bounces@lists.xensource.com] On Behalf Of Jonathan Tripathy
Sent: Thursday, May 20, 2010 2:40 PM
To: Nick Couchman
Cc: xen-users@lists.xensource.com
Subject: RE: [Xen-users] Openvswitch
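As an added example (not code from the thread or from any of its participants), the layout Jonny describes, modelled as plain data, together with the checks Matej's advice implies: internal bridges with no physical uplink, only the firewall DomU straddling LAN and DMZ, and a Dom0 management NIC that is never shared with a DomU network. Interface names (eth0..eth2), bridge names and domain names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Bridge:
    name: str
    uplinks: Set[str] = field(default_factory=set)   # physical NICs enslaved to the bridge


@dataclass
class Domain:
    name: str
    bridges: Set[str] = field(default_factory=set)   # bridges its vifs attach to
    pci_nics: Set[str] = field(default_factory=set)  # NICs handed over by PCI passthrough
    is_firewall: bool = False


@dataclass
class Host:
    physical_nics: Set[str]
    dom0_mgmt_nic: str
    bridges: Dict[str, Bridge]
    domains: List[Domain]
    internal_bridges: Set[str]   # bridges that must only be reachable through the firewall


def check_topology(host: Host) -> List[str]:
    """Return a list of findings; an empty list means the layout passes."""
    findings: List[str] = []
    # Collect every role each physical NIC plays on the host.
    roles: Dict[str, List[str]] = {nic: [] for nic in host.physical_nics}
    roles[host.dom0_mgmt_nic].append("dom0 management")
    for br in host.bridges.values():
        for nic in br.uplinks:
            roles[nic].append(f"uplink of bridge {br.name}")
    for dom in host.domains:
        for nic in dom.pci_nics:
            roles[nic].append(f"passed through to {dom.name}")
    # One NIC, one role: a management port that is also a bridge uplink or a
    # passthrough device puts Dom0 on a DomU network (Matej's objection).
    for nic, used in roles.items():
        if len(used) > 1:
            findings.append(f"{nic} has several roles: {', '.join(used)}")
        elif not used:
            findings.append(f"{nic} is unused")
    # Internal bridges must have no physical uplink, otherwise LAN/DMZ traffic
    # can enter or leave the host without passing the firewall DomU.
    for name in host.internal_bridges:
        if host.bridges[name].uplinks:
            findings.append(f"internal bridge {name} has uplink(s) {sorted(host.bridges[name].uplinks)}")
    # Only the firewall may straddle internal bridges; any other DomU with vifs
    # on two of them is an unfiltered path between LAN and DMZ.
    firewalls = [d for d in host.domains if d.is_firewall]
    if len(firewalls) != 1:
        findings.append(f"expected exactly one firewall DomU, found {len(firewalls)}")
    for dom in host.domains:
        internal = dom.bridges & host.internal_bridges
        if not dom.is_firewall and len(internal) > 1:
            findings.append(f"{dom.name} bridges {sorted(internal)} and bypasses the firewall")
        if dom.is_firewall and not dom.pci_nics:
            findings.append(f"firewall {dom.name} has no passed-through WAN NIC")
    return findings


def jonnys_layout() -> Host:
    """Constructed model of the three-NIC layout described in the thread."""
    return Host(
        physical_nics={"eth0", "eth1", "eth2"},
        dom0_mgmt_nic="eth2",
        bridges={"xenbr-lan": Bridge("xenbr-lan"), "xenbr-dmz": Bridge("xenbr-dmz")},
        internal_bridges={"xenbr-lan", "xenbr-dmz"},
        domains=[
            Domain("pfsense", bridges={"xenbr-lan", "xenbr-dmz"}, pci_nics={"eth0"}, is_firewall=True),
            Domain("ltsp", bridges={"xenbr-lan"}, pci_nics={"eth1"}),
            Domain("web", bridges={"xenbr-dmz"}),
        ],
    )


def shortcut_layout() -> Host:
    """Same host after two tempting shortcuts: Dom0's management NIC enslaved
    to the LAN bridge, and a backup DomU given vifs on both internal bridges."""
    host = jonnys_layout()
    host.bridges["xenbr-lan"].uplinks.add("eth2")
    host.domains.append(Domain("backup", bridges={"xenbr-lan", "xenbr-dmz"}))
    return host


if __name__ == "__main__":
    for label, host in (("as described", jonnys_layout()), ("with shortcuts", shortcut_layout())):
        print(label, "->", check_topology(host) or ["ok"])
```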
Hi Matej,

So in your opinion, my setup is ok, except that I should use a DomU distro which supports PV for the sake of performance? Otherwise everything else is ok (even with the PCI passthrough of the 2 NICs and the 2 bridges etc..)

Thanks

________________________________
From: xen-users-bounces@lists.xensource.com on behalf of Matej Zary
Sent: Thu 20/05/2010 14:00
To: xen-users@lists.xensource.com
Subject: RE: [Xen-users] Openvswitch
Hi Jonathan,

I'm NO expert with tens of Xenified production systems running core business (I just made a small research/evaluation regarding the network performance of a virtualized router/fw in a Xen environment, and we use Xen and XenServer to run various auxiliary VMs the classic "standard" way).

PCI passthru can boost the network performance (mainly reducing the delay) when communicating with the world outside of the Xen-driven physical system - the question might be whether it's a proven production solution (and the answer might depend on the underlying HW and SW (xen, dom0 and domU kernels...)). Also, DomUs with assigned real PCI devices cannot be live migrated to another Xen host - this might or might not be an issue at all depending on the virtualization scenario and particular needs. :)

Yes, the setup looks otherwise ok IMHO. :)

Regards
Matej

-----Original Message-----
From: Jonathan Tripathy [mailto:jonnyt@abpni.co.uk]
Sent: Thursday, May 20, 2010 3:45 PM
To: Matej Zary; xen-users@lists.xensource.com
Subject: RE: [Xen-users] Openvswitch