> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:leaf-user-
> [EMAIL PROTECTED] On Behalf Of Calvin Webster
> Sent: Wednesday, April 20, 2005 9:55 AM
> To: LEAF Users
> Subject: [leaf-user] Anyone using UML or Xen?

> Has anyone on the list successfully modeled a virtual WAN
> infrastructure, or at least built a functional LEAF router within UML or
> Xen? If so, I'd appreciate any suggestions you may have on the quickest
> way to setup this virtual WAN.

> I've been looking at 3 different virtualization methods to create VM's
> in which to design and test a set of LEAF routers. These will then be
> installed in flash drive or DOC on new hardware to replace routers in an
> existing WAN infrastructure. To be effective I'll need between 9 and 12
> VM's, 5 of which will be LEAF routers and the remainder test client
> hosts. The LEAF routers will require 6, 5, 5, 5, and 3 NICS. I'd prefer
> that none of them send traffic out on the "real" network during testing,
> but are capable of isolated interconnectivity.

I'm in a similar situation. This is my WISH, what I actually live with may
be quite a bit different.

I want to have two real hosts with 3 NICs each. Each host will boot up and
fetch a Xen Dom0 (host OS) that's as tiny as possible and 'just' sufficient
to fetch the DomU (guest OS) images over eth0.

Next in the cycle, each host fetches a DomU LEAF image and has it give
hardware control of all three NICs to the LEAF image. Dom0 is then cut off
from 'real' interfaces. It has to accept what the firewall image allows.

Each LEAF image is able to act as an independent router so if one machine
goes down, the other will cheerfully act as a gateway. Our ISP will give us
a second gateway, and he suggests we use NetBSD for the firewall image. I'd
prefer LEAF, but it gets back to 'what I want' isn't necessarily 'what I
will live with.'

Dom0 then loads in Bastion Network DomUs which will also have no network
access beyond what goes through the firewall.

1) The Dom0 host image would be booted via the internal net, so any hacks
that manage to get to it are reverted.

2) The firewall gets booted off the internal network, so hacks are again
lost.

3) The Bastion images can directly talk through the NIC allowed to them via
crossover cable between the hosts.

4) The Bastion images would also have LVMs 'local' on a hardware raid we
already have implemented. I'm planning to have the Bastions also boot from
the internal network for their binaries, and mount the RAIDs 'noexec'.

It's not that I want our hardware entirely impossible to hack, I just want
it to be rather difficult to do so.

Of the software you mentioned, I was able to get Xen up and working within a
day, where UMLs were too much of a pain. Xen also allows direct hardware
leasing, so I can give a particular domain all three PCI NICs. Patching the
OS was much less of a big deal with Xen than with trying to get UML to work
for me. I understand Xen will have its patches incorporated into the next
release or two of Linux.

--Romaq
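The layout Romaq describes (a LEAF firewall DomU that owns all three physical NICs so Dom0 has no path to the wire of its own, and bastion DomUs whose RAID-backed volumes are mounted noexec) can be sketched as xm-style Xen domain configs plus one fstab line. This is an added example, not from the post nor from the LEAF or Xen projects: the PCI addresses, kernel path, bridge name and LVM names are constructed placeholders, and the exact `pci =` syntax should be checked against the example configs shipped with the Xen version in use (Xen 3.x also needs Dom0 told to hide those devices, e.g. via the pciback boot option, before the DomU can claim them).

```shell
#!/bin/sh
# Added example (not from the post, nor LEAF/Xen project files): writes
# xm-style config files for the two domains described above and checks the
# two properties that matter: Dom0 keeps no physical NIC, and the bastion's
# RAID volume is mounted noexec. PCI addresses, paths and LVM names are
# constructed placeholders.

# Constructed: PCI addresses of the host's three NICs (see lspci on the host).
NIC_PCI="01:00.0 02:00.0 03:00.0"

# Firewall domain: owns all three physical NICs and has no virtual NIC, so
# Dom0 only reaches the network through whatever this domain forwards.
write_leaf_config() {
    out="$1"
    list=""
    for dev in $NIC_PCI; do list="$list'$dev',"; done
    cat > "$out" <<EOF
name   = "leaf-fw"
kernel = "/boot/vmlinuz-xenU"
memory = 64
pci    = [ ${list%,} ]
vif    = [ ]
EOF
}

# Bastion domain: a virtual NIC on an internal bridge only, with its storage
# on an LVM volume carved from the existing hardware RAID.
write_bastion_config() {
    out="$1"
    cat > "$out" <<EOF
name   = "bastion1"
kernel = "/boot/vmlinuz-xenU"
memory = 128
vif    = [ 'bridge=xenbr-int' ]
disk   = [ 'phy:vg-raid/bastion1,sda1,w' ]
EOF
}

# Inside the bastion: fstab line for the RAID volume. noexec stops anything
# dropped there from being executed; nosuid and nodev close the related holes.
BASTION_FSTAB_LINE='/dev/sda1  /srv  ext3  ro,noexec,nosuid,nodev  0  2'

# Report whether an fstab or /proc/mounts style line carries noexec
# (field 4 is the option list in both formats). Prints yes or no.
has_noexec() {
    case ",$(echo "$1" | awk '{print $4}')," in
        *,noexec,*) echo yes ;;
        *) echo no ;;
    esac
}

# Report whether a generated firewall config claims every host NIC, i.e.
# whether Dom0 is left with none. Prints yes or no.
dom0_keeps_no_nic() {
    cfg="$1"
    for dev in $NIC_PCI; do
        grep -q "'$dev'" "$cfg" || { echo no; return; }
    done
    echo yes
}

# Usage: generate both configs into a scratch directory and check them.
tmp=$(mktemp -d)
write_leaf_config "$tmp/leaf-fw"
write_bastion_config "$tmp/bastion1"
echo "Dom0 keeps no NIC: $(dom0_keeps_no_nic "$tmp/leaf-fw")"
echo "Bastion volume noexec: $(has_noexec "$BASTION_FSTAB_LINE")"
```

Run it as-is to see the two checks pass on the generated files; point `NIC_PCI` at the real addresses from `lspci` and copy the generated files to `/etc/xen/` to use them with `xm create`.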

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html