[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Comparing approcahes firewall on a Xen server. Any experience or recommendations?

To: Adam Goryachev <mailinglists@xxxxxxxxxxxxxxxxxxxxxx>
From: aleph2@xxxxxxxxxxx
Date: Wed, 22 Apr 2015 16:26:14 +0000
Cc: xen-users@xxxxxxxxxxxxx
Delivery-date: Wed, 22 Apr 2015 16:27:00 +0000
List-id: Xen user discussion <xen-users.lists.xen.org>

On 2015-04-22 16:05, Adam Goryachev wrote:

That depends... what is your WAN bandwidth? I would guess it is less
than 100Mbps,


Currently, 50Mbps

which should have little impact assuming you are using any
reasonably modern CPU/network card etc...


On the WAN interface, clear.  On the LAN ...

The other factor is LAN traffic, but if you are sharing the LAN
interface for multiple domU, then you can't use PCI passthrough anyway.


Right, depends on the topology.

A pass of the Dom0 bridge via VIF certainly can be shared -- but that'sobviously not "pci-passthrough".


A second pci-passthru, like I mention here

http://sourceforge.net/p/shorewall/mailman/shorewall-users/thread/7c35a8e5c7ba1dc483e6d358976a0f74%40vfemail.net/#msg33960959

avoids the sharing altogehter.

Alsom PCI passthrough will add complexity that you probably don't need
right now.

passthru with current Xen's xl toolstack's dynamic assignment is quitetrivial. easy to configure and works well. so far anyway.

There are a number of HVM-only (or, at least not easily PV'd) firewall
appliances which might be nice to use.  Wondering out loud about
performance issues of firewall in DomU ...

I'm assuming you would use some sort of "modern" Linux OS for the domU,
and therefore use PV. Note by modern I mean a linux kernel of 3.2.x or
newer, which is actually rather old...


Not necessarily.

I typically use opensuse for DomU. It is certainly a 'modern' kernel --i use 3.18.x for now; 4.0.0 is already available. It's just not pvops-- it's their 'kernel-xen' flavor, which addresses a number of issuesstill not available (but being worked on) missing/broken in pure,upstream pvops.


Also, not all 'appliances' ship PV-ready.



-------------------------------------------------

ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the 
NSA's hands!

$24.95 ONETIME Lifetime accounts with Privacy Features!15GB disk! No bandwidth quotas!Commercial and Bulk Mail Options!

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users

References:
- [Xen-users] Comparing approcahes firewall on a Xen server. Any experience or recommendations?
  - From: aleph2
- Re: [Xen-users] Comparing approcahes firewall on a Xen server. Any experience or recommendations?
  - From: Adam Goryachev
- Re: [Xen-users] Comparing approcahes firewall on a Xen server. Any experience or recommendations?
  - From: aleph2
- Re: [Xen-users] Comparing approcahes firewall on a Xen server. Any experience or recommendations?
  - From: Adam Goryachev

Prev by Date: Re: [Xen-users] Comparing approcahes firewall on a Xen server. Any experience or recommendations?
Next by Date: [Xen-users] Next Document Day Moved to Wednesday, May 6
Previous by thread: Re: [Xen-users] Comparing approcahes firewall on a Xen server. Any experience or recommendations?
Next by thread: [Xen-users] Using Inter Processor Interrupt (IPI) under xen 4.4.1
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.