Hi Nick,
Thanks for your very helpful email.
What I want to set up is a 3 interface system: WAN, LAN and
DMZ.
So far, the layout I'm thinking is similar to this:
In a nutshell, I will probably create a firewall in a DomU, and
delegate a PCI physical NIC to it (which will be used for the firewall's WAN
interface). Then create 2 "bridges" (one for "LAN" interface, and one for
"DMZ" interface) and assign a vif from each bridge to the firewall DomU. Neither
bridge will have a physical NIC attached to it. Of course, there will be other
DomUs connected to the respective bridge. The 2nd physical NIC of the server
will be delegated to a DomU machine in the "LAN" subnet. This will be an LTSP
Terminal Server, and will be connected to a physical switch for all my thin
clients to connect to.
I intend to use pfsense (which is BSD based, which I think works
with HVM mode) in the DomU, instead of shorewall (as described in that
link).
For the actual bridges, I will probably follow the following link
to make it more "Layer 3 switch like":
I will probably need a 3rd NIC to access as a management interface.
I really do need some help securing the Dom0.
Think this is safe? I really do need it to be very secure, due to
PCI (credit card details) compliance
Thanks
Jonny
> Hi Nick,
>
> Thanks for the email.
>
> I currently use the free version of VMWare ESXi, and I can make my "own
> world" with it. You say I can do this with XCP, however is it just for
> testing purposes? Is it insecure for production purposes?
>
Sorry to be unclear about that - in pointing out the
usefulness for testing purposes, I was not saying that it's insecure or unstable
for production use. It just seems to me that about the only time you want
your virtual machines on an isolated network is when you're doing some sort of
Test/Dev environment - production machines are most useful when they're
connected with the rest of the world. I can see some scenarios where you'd
use an internal network, though, to connect some production machines, in
addition to their external network devices. Anyway, the point is that,
yes, the ability to create a bridge in XenServer/XCP/Xen is stable, secure, and
production-ready. Just create a bridge without an external network
device!
-Nick
--------
This e-mail may contain
confidential and privileged material for the sole use of the intended
recipient. If this email is not intended for you, or you are not
responsible for the delivery of this message to the intended recipient, please
note that this message may contain SEAKR Engineering (SEAKR)
Privileged/Proprietary Information. In such a case, you are strictly
prohibited from downloading, photocopying, distributing or otherwise using this
message, its contents or attachments in any way. If you have received this
message in error, please notify us immediately by replying to this e-mail and
delete the message from your mailbox. Information contained in this
message that does not relate to the business of SEAKR is neither endorsed by nor
attributable to SEAKR.
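The layout Jonny describes (a pfSense DomU with a passed-through WAN NIC, two internal bridges with no physical NIC, and other DomUs hanging off those bridges) is only as strong as a few isolation properties that are easy to break with one stray config line. The following added example, which is not from either poster and not part of Xen or pfSense, models that topology as data, checks those properties, and renders an xl-style DomU config plus the Dom0 commands that create an internal bridge with no uplink. Bridge names (`xenbr-lan`, `xenbr-dmz`), PCI addresses, disk paths and memory sizes are assumed placeholders.

```python
"""Check the three-zone Xen layout from the thread for firewall bypasses.

Added example, not the posters' configuration. All names, PCI BDF
strings and paths are placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Bridge:
    name: str
    physical_ports: List[str] = field(default_factory=list)  # host NICs enslaved to it
    dom0_address: str = ""                                   # IP Dom0 holds on it, if any


@dataclass
class DomU:
    name: str
    bridges: List[str]                              # one vif per bridge, in this order
    pci: List[str] = field(default_factory=list)    # passthrough NICs as BDF strings
    hvm: bool = False
    memory_mb: int = 512
    vcpus: int = 1
    disk: str = "/dev/vg0/placeholder"              # placeholder block device


def check_isolation(bridges: List[Bridge], domus: List[DomU], firewall: str) -> List[str]:
    """Return violations of the 'everything crosses the firewall' model; empty is clean."""
    problems: List[str] = []
    fw = next(d for d in domus if d.name == firewall)
    for b in bridges:
        # An internal bridge with a host NIC is a path around the firewall
        if b.physical_ports:
            problems.append(f"{b.name}: physical port(s) {b.physical_ports} bypass the firewall")
        # Dom0 with an address on a guest zone is reachable from that zone
        if b.dom0_address:
            problems.append(f"{b.name}: Dom0 holds {b.dom0_address}, exposing Dom0 to that zone")
        # A zone the firewall is not on has no gateway at all
        if b.name not in fw.bridges:
            problems.append(f"{b.name}: firewall has no vif here, zone has no gateway")
    owners: Dict[str, str] = {}
    for d in domus:
        for dev in d.pci:
            if dev in owners:
                problems.append(f"{dev}: assigned to both {owners[dev]} and {d.name}")
            owners[dev] = d.name
        # Only the firewall may sit on more than one zone; anything else is a bridge around it
        if d.name != firewall and len(d.bridges) > 1:
            problems.append(f"{d.name}: attached to {d.bridges}, joining zones around the firewall")
    return problems


def render_xl_config(d: DomU) -> str:
    """Render an xl.cfg skeleton for the DomU (type/vif/pci keys are real xl keys)."""
    lines = [
        f'name = "{d.name}"',
        f'type = "{"hvm" if d.hvm else "pv"}"',
        f"memory = {d.memory_mb}",
        f"vcpus = {d.vcpus}",
        f"disk = ['phy:{d.disk},hda,w']",
    ]
    if not d.hvm:
        lines.append('bootloader = "pygrub"')
    # HVM guests such as pfSense get an emulated e1000; PV guests use netfront
    vifs = [f"'bridge={b}" + (",model=e1000'" if d.hvm else "'") for b in d.bridges]
    lines.append("vif = [" + ", ".join(vifs) + "]")
    if d.pci:
        lines.append("pci = [" + ", ".join(f"'{p}'" for p in d.pci) + "]")
    return "\n".join(lines) + "\n"


def bridge_commands(b: Bridge) -> List[str]:
    """Dom0 commands for a bridge with no uplink and no address, as Nick suggests."""
    cmds = [f"ip link add name {b.name} type bridge", f"ip link set {b.name} up"]
    cmds += [f"ip link set {p} master {b.name}" for p in b.physical_ports]  # none for LAN/DMZ
    return cmds


if __name__ == "__main__":
    lan, dmz = Bridge("xenbr-lan"), Bridge("xenbr-dmz")
    fw = DomU("pfsense-fw", ["xenbr-lan", "xenbr-dmz"], pci=["0000:01:00.0"], hvm=True)
    ltsp = DomU("ltsp", ["xenbr-lan"], pci=["0000:02:00.0"])
    web = DomU("web", ["xenbr-dmz"])
    print(check_isolation([lan, dmz], [fw, ltsp, web], "pfsense-fw"))
    print(render_xl_config(fw))
    print("\n".join(bridge_commands(lan)))
```

The checker encodes what the three-zone design relies on: the WAN NIC belongs to exactly one DomU, the LAN and DMZ bridges carry no host NIC and no Dom0 address (so Dom0 is only reachable over the separate management NIC Jonny mentions), and no DomU other than the firewall is attached to more than one zone. The rendered config is a skeleton to compare against, not a complete pfSense definition.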