| 1 |
On 08/12/14 11:26, J. Roeleveld wrote: |
| 2 |
> On Sunday, December 07, 2014 11:43:38 PM lee wrote: |
| 3 |
>> "J. Roeleveld" <joost@××××××××.org> writes: |
| 4 |
>>> On Thursday, December 04, 2014 07:11:12 PM lee wrote: |
| 5 |
>>>>> Why is the networking complicated? Do you use bridging? |
| 6 |
>>>> Yes --- and it was terrible to begin with and still is very complicated. |
| 7 |
>>>> One of the VMs has a network card passed through to do pppoe for the |
| 8 |
>>>> internet connection, and it also does routing and firewalling. The |
| 9 |
>>>> Gentoo VM is supposed to have another network card passed through |
| 10 |
>>>> because I want a separate network for miscellaneous devices like IP |
| 11 |
>>>> phones and printers. Asterisk is going to run on the Gentoo VM. |
| 12 |
>>> This sounds convoluted. Why add to the complexity by adding multiple |
| 13 |
>>> network cards into the machine and pass the physical cards? |
| 14 |
>> How else do you do pppoe and keep the different networks physically |
| 15 |
>> seperated? |
| 16 |
> Networks that need to be physically seperated, require either of: |
| 17 |
> 1) seperate NICs |
| 18 |
> 2) VLANs |
| 19 |
> |
| 20 |
> My comment about the complexity, however, was related to passing physical |
| 21 |
> cards to the VMs instead of adding the cards to seperate bridges inside the |
| 22 |
> host and using virtual NICs. |
| 23 |
> |
| 24 |
>>>> Besides devices, there's the usual net, dmz and loc zones. To top it |
| 25 |
>>>> off, sooner or later I want to pass another network card to the |
| 26 |
>>>> firewall/router because I have an internet connection which is currently |
| 27 |
>>>> not in use and should be employed as an automatic fallback. |
| 28 |
>>> How many cards are you planning on having in the machine? |
| 29 |
>>> Are all these connected to the same switch? |
| 30 |
>> It has currently four network ports. Only one of them is connected to |
| 31 |
>> the switch. Another one is connected to the pppoe line, and the other |
| 32 |
>> two (on a dual card) aren't connected yet. |
| 33 |
>> |
| 34 |
>> I plan to use one for the devices network and the other one for the |
| 35 |
>> second internet connection. None of them needs to/should be connected |
| 36 |
>> to the switch. The VM running asterisk will need a second interface |
| 37 |
>> that connects to a bridge so it can reach the router/firewall. The |
| 38 |
>> interface for the second internet connection needs to be passed to the |
| 39 |
>> router/firewall. |
| 40 |
>> |
| 41 |
>> Can you think of an easier setup? |
| 42 |
> create 1 bridge per physical network port |
| 43 |
> add the physical ports to the respective bridges |
| 44 |
> |
| 45 |
> pass virtual NICs to the VMs which are part of the bridges. |
| 46 |
> |
| 47 |
> But it's your server, you decide on the complexity. |
| 48 |
> |
| 49 |
> I stopped passing physical NICs when I was encountering issues with newer |
| 50 |
> cards. |
| 51 |
> They are now resolved, but passing virtual interfaces is simpler and more |
| 52 |
> reliable. |
| 53 |
|
| 54 |
+1 for this |
| 55 |
i'm sure that one of the reasons that software defined networking is |
| 56 |
suddenly the next big buzzword is because a) the commodity hardware is |
| 57 |
now good enough to be comparable to custom asic switches and b) the |
| 58 |
amazing flexibility you have. ignoring the security issues of vlans, |
| 59 |
for a pure partitioning of the network it's very hard to beat linux+vlan |
| 60 |
switch, as you can have a virtual host have just a single network card |
| 61 |
which itself has ten vlans connected. with a vlan capable switch you can |
| 62 |
have those vlans not just be lan/dmz/wan but can section off departments |
| 63 |
too. you can then incredibly easily stand up a new server for just that |
| 64 |
department. without having to be too concerned about downing the whole |
| 65 |
server to fit a new NIC into it |
| 66 |
|
| 67 |
> |
| 68 |
> -- |
| 69 |
> Joost |
| 70 |
> |
| 71 |
> -- |
| 72 |
> Joost |
| 73 |
> |
Archives