
RE: [Xen-users] Networking with xen


  • To: "Luke S Crawford" <lsc@xxxxxxxxx>
  • From: "Quezada, Pedro" <PedroQ@xxxxxxxxxx>
  • Date: Wed, 15 Oct 2008 09:57:53 -0400
  • Cc: xen-users@xxxxxxxxxxxxxxxxxxx
  • Delivery-date: Wed, 15 Oct 2008 06:58:59 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>
  • Thread-index: AckuhhffgNiEzYRzT/yTs+P4TEuTcgARcVSw
  • Thread-topic: [Xen-users] Networking with xen

So is performance throughput an issue with Xen?

Hey I have been looking into it look at this diagram 
http://man.chinaunix.net/network/shorewall-docs-html-3.0.8/images/Xen4.png

That is unbelievable what can be done with it.......
True one can plug a server with multiple nics and have same effect..
But it ends at the nic and is already something we don't like to do..
Good practice to monitor what we put out there externally..

Is just the fact that one can allow one server to go out the internet for
business purposes..
Then many machines bridged and then routed out of the external interface
and then natted...
It means that there is another network "infrastructure" behind the server
and it can become elaborate...

Thanks for your reply...I am playing with it see what implication it
poses.
Loops and a standard method of operating with a large spanning tree
environment..




 

-----Original Message-----
From: lsc@xxxxxxxxxxxxxxxxxx [mailto:lsc@xxxxxxxxxxxxxxxxxx] On Behalf
Of Luke S Crawford
Sent: Wednesday, October 15, 2008 1:23 AM
To: Quezada, Pedro
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Networking with xen

"Quezada, Pedro" <PedroQ@xxxxxxxxxx> writes:

> is there a possibility to connect doms together and form a spanning
> tree loop.

Well, if you set up two bridges, sure.  Or if you give a DomU 2 vifs and
bridge them in the DomU. 

It's not possible in the default setup, where you only have one bridge
and one vif in each DomU.

But if you really want the "don't let me shoot myself in the foot" level
of handholding, you really shouldn't be using Open Source.  Talk to
Citrix about the commercial version of Xen, or if performance isn't
critical and/or you are largely a Windows shop, talk to VMware.  

> The network capabilities of xen can really cause concerns to the
> network admins...
> 
> I mean this product not used well can bypass all security in a
> network...

You need to think of your xen bridge as a switch.   From the network
admin perspective,  you are simply plugging in another switch and any
number of servers behind that switch.   The exact same security concerns
apply.
I don't see how this bypasses all security on a network.  

It does mean that the Dom0 administrators are administering a switch;
if you plug more than one network into the Dom0, you have the same
problems you have when you plug more than one network into any other
server (that is, someone with root on the server in question can create
bridges/tunnels between those two tunnels if they want).



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
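
Added example, not part of the original thread: a Dom0 audit for the case described above, where a DomU has vifs on two bridges and could bridge them itself. It assumes the usual `brctl show` column layout and Xen's `vif<domid>.<devid>` interface naming; the sample output is constructed and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample of `brctl show` output from a Dom0 with two bridges.
SAMPLE = (
    "bridge name\tbridge id\t\tSTP enabled\tinterfaces\n"
    "xenbr0\t\t8000.feffffffffff\tno\t\tpeth0\n"
    "\t\t\t\t\t\t\tvif0.0\n"
    "\t\t\t\t\t\t\tvif3.0\n"
    "xenbr1\t\t8000.feffffffffff\tyes\t\tpeth1\n"
    "\t\t\t\t\t\t\tvif3.1\n"
    "\t\t\t\t\t\t\tvif4.0\n"
)

VIF = re.compile(r"^vif(\d+)\.\d+$")  # assumed naming: vif<domid>.<devid>

def parse_brctl(text):
    """Return {bridge: {"stp": bool, "ports": [ifname, ...]}}."""
    bridges, current = {}, None
    for line in text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if not fields:
            continue
        if line[0].isspace():               # continuation row: one more port
            if current is not None:
                bridges[current]["ports"].append(fields[0])
        else:                               # new bridge row
            current = fields[0]
            bridges[current] = {"stp": fields[2] == "yes",
                                "ports": fields[3:4]}
    return bridges

def domains_spanning_bridges(bridges):
    """Map domain id -> sorted bridge names, for domains with vifs on 2+ bridges."""
    seen = defaultdict(set)
    for name, info in bridges.items():
        for port in info["ports"]:
            match = VIF.match(port)
            if match:
                seen[int(match.group(1))].add(name)
    return {d: sorted(b) for d, b in seen.items() if len(b) > 1}

def audit(text):
    """List (domid, bridges, bridges_without_stp) for each domain on 2+ bridges."""
    bridges = parse_brctl(text)
    return [(d, names, [n for n in names if not bridges[n]["stp"]])
            for d, names in sorted(domains_spanning_bridges(bridges).items())]

if __name__ == "__main__":
    for domid, names, no_stp in audit(SAMPLE):
        print(f"domain {domid} has vifs on {names}; STP off on {no_stp}")
```

A domain reported here is one that could join the listed bridges from inside the guest, so it is the place to review guest configuration and whether STP should be enabled on the bridges involved.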
