Xen users - Nov 2010 - Migration of Xen Networking Setup to new ISP

I currently have a xen installation with four NICs installed. This
system has been working fine for some time with my current ISP. 

I am
planning a move to a new ISP and am currently planning how I am going to
go about moving my network over to the new ISP. Maybe I''ve analyzed it
to the point that I''ve confused myself, but I can''t seem to
think of a
way to perform the migration. 

I currently use pci hide to hide a
physical NIC from the Dom0. This NIC is passed to a firewall DomU. Two
other NICs are passed to the firewall DomU to create a standard three
NIC firewall. The fourth NIC in the Dom0 is on a separate subnet (not
part of the firewall) and is used only for managment of the Dom0. 

I
would like to setup a firewall DomU on the new ISP and then migrate the
DomUs to the new firewall one at a time. I am getting tripped up on the
fact that my server can''t have two gateway addresses active at one
time.


Any thoughts or suggestions on how I could go about this migration?

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

Thomas Jensen wrote:
>I currently use pci hide to hide a physical NIC from the Dom0.  This 
>NIC is passed to a firewall DomU.  Two other NICs are passed to the 
>firewall DomU to create a standard three NIC firewall.  The fourth 
>NIC in the Dom0 is on a separate subnet (not part of the firewall) 
>and is used only for managment of the Dom0.
>
>I would like to setup a firewall DomU on the new ISP and then 
>migrate the DomUs to the new firewall one at a time.  I am getting 
>tripped up on the fact that my server can''t have two gateway 
>addresses active at one time.
Well a lot depends on how you want to migrate. There are different 
approaches, in part a lot depends on whether you intend to keep the 
old ISP going :

The Big Bang
You switch off the old connection, and turn on the new one. No 
complications here, you simply switch configs and wait for the DNS 
changes to propagate. Nothing special here except to have all your 
configs worked out in advance to minimise downtime.

Dual running
A bit more work, but you parallel run for a while while DNS changes 
propagate and eventually turn off the old connection (unless you want 
to keep it running).

Phased migration
You move one bit (service or server) at a time, probably combined 
with parallel running.

You can do policy based routing in your firewall. Setup a new 
internal bridge for the new subnet you get from your ISP - it doesn''t 
need to have a NIC assigned to it. Add extra virtual NICs to the 
guests.

You then need to set up routing policies (can''t help there, never 
done it but I know it can be done) so that :
Traffic TO subnet A is routed to the old internal network
Traffic FROM subnet A is routed out via ISP A
Traffic TO subnet B is routed to the new network
Traffic FROM subnet B is routed out via ISP B

I think you can probably do this by running a shared network with 
both subnet A and subnet B on it - ie the extra internal bridge 
probably isn''t necessary. Something to look into.

This article explains how it''s done with Shorewall (installed by 
default on all my systems)
http://shorewall.net/MultiISP.html

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

On Tue, 2 Nov 2010 07:53:50 +0100, Simon Hobson
<linux@thehobsons.co.uk> wrote:
> Thomas Jensen wrote:
> 
>>I currently use pci hide to hide a physical NIC from the Dom0.  This
>NIC is passed to a firewall DomU.  Two other NICs are passed to the
>firewall DomU to create a standard three NIC firewall.  The fourth >NIC
in the Dom0 is on a separate subnet (not part of the firewall) >and is used
only for managment of the Dom0.
>>
>>I would like to setup a firewall DomU on the new ISP and then
>migrate the DomUs to the new firewall one at a time.  I am getting
>tripped up on the fact that my server can''t have two gateway
>addresses active at one time.
> 
> Well a lot depends on how you want to migrate. There are different
> approaches, in part a lot depends on whether you intend to keep the
> old ISP going :
> 
I don''t plan to keep the old one going once the conversion is
completed.
> The Big Bang
> You switch off the old connection, and turn on the new one. No
> complications here, you simply switch configs and wait for the DNS
> changes to propagate. Nothing special here except to have all your
> configs worked out in advance to minimise downtime.
>
I am going to move forward with this approach.  It has probably been a
little more work on my end, but I have been ratcheting down the TTL on
all of the DNS records this week.  I went from 86400 to 3600 yesterday. 
This evening, I will ratchet down to 600 and commence the in the middle
of the night.  I think this will be the most straight forward move and
won''t require any significant networking changes during the change
over.
> Dual running
> A bit more work, but you parallel run for a while while DNS changes
> propagate and eventually turn off the old connection (unless you want
> to keep it running).
> 
> Phased migration
> You move one bit (service or server) at a time, probably combined
> with parallel running.
> 
I had originally thought about implementing a phased approach;
essentially having two paths out to the two ISPs running at the same
time and moving a DomU from the one to the other one at a time.
> You can do policy based routing in your firewall. Setup a new
> internal bridge for the new subnet you get from your ISP - it
doesn''t
> need to have a NIC assigned to it. Add extra virtual NICs to the
> guests.
> 
I''m not real strong on the whole bridging concept yet and how that
translates into Xen space.  All of the bridges I currently have now are
linked to physical NICs.  In at least one case, the physical NIC isn''t
even physically connected to anything.  This NIC would likely be a good
candidate for the process you described above.
> You then need to set up routing policies (can''t help there, never
> done it but I know it can be done) so that :
> Traffic TO subnet A is routed to the old internal network
> Traffic FROM subnet A is routed out via ISP A
> Traffic TO subnet B is routed to the new network
> Traffic FROM subnet B is routed out via ISP B
> 
> I think you can probably do this by running a shared network with
> both subnet A and subnet B on it - ie the extra internal bridge
> probably isn''t necessary. Something to look into.
> 
> This article explains how it''s done with Shorewall (installed by
> default on all my systems)
> http://shorewall.net/MultiISP.html
> 
I use Shorewall as well on my three NIC firewall.  I had done multiple
searches online, but hadn''t turned up the link you provided.  Thanks
for
the information.
> -- 
> Simon Hobson
> 
> Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
> author Gladys Hobson. Novels - poetry - short stories - ideal as
> Christmas stocking fillers. Some available as e-books.
> 
> _______________________________________________
> Xen-users mailing list
> Xen-users@lists.xensource.com
> http://lists.xensource.com/xen-users

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users