Re: [Xen-users] Ideal(istic) Xen firewall design
Hi all,

Marcus Brown wrote:
> I've got a coloured version (hey it's therapy!) with more domUs,
> but here's an ASCII version of the current design:
>
> OPTION C-v3.1
> =============
> [ASCII diagram; layout not recoverable. Labels, in order: Internet; eth1; Firewall (dom1) with Local eth0 and eth2 DMZ (optional); eth3, eth4, eth5; Proxy Server (domU1); Web Server (domU2); iPaq Server (dom2) with USB Host #1 (for BT Dongle and cradle); Mail Server (domU3); xen-br0, br1, br1; dom0]

This setup works extremely well for my purposes.
I have, however, noticed network performance issues when scp'ing from dom0 to a client in the local 'Green Zone'. Rather than the 4MB/s I'd expect (PIIX4 ata33 IDE with software raid), I'm only getting 1.4MB/s :(
(screen shots here: http://marcusbrutus.cust.internode.on.net/Computers/C3-1 )
I appreciate there's a lot more calculation going on, but still ...

>Mike Tierney wrote:
>>>> But it is still tempting to just do away with the separate firewall vm
>>>> and do all the firewalling in Dom0!

With this in mind, I might be prepared to change my setup to something like this:

OPTION C-v3.2
=============
[ASCII diagram; layout not recoverable. Labels, in order: Internet; eth1; Firewall (dom1) with eth2 DMZ (optional); eth3, eth4, eth5; Proxy Server (domU1); Web Server (domU2); iPaq Server (dom2) with USB Host #1 (for BT Dongle and cradle); Mail Server (domU3); xen-br0, br1, br1; Local eth0 on dom0]

However, as the bandwidth throughput issue would still remain for all the other domains, I'm not sure if there's a real benefit.
I have a burner in this machine, with the hopes of using it for domain filesystem backups in the future.

Can I assume that this performance would be improved dramatically using an MP machine (or HT)?
Are there other ways of improving this performance?

Appreciate your advice.

Marcus.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users