[crossbow-discuss] Getting Started With Crossbow Technology or Network Virtualization paper

Ralf Weber opensolaris at fl1ger.de
Tue Jun 17 05:23:46 PDT 2008 

Moin!

On Jun 17, 2008, at 13:51 , Steffen Weiberle wrote:
>> My comments or questions on crossbow in general:
>> - What is the use of a VNIC on a physical interface? What is the   
>> difference to configuring arbitrary virtual interfaces on a  
>> physical  interface, which was suggested to me as private  
>> interconnects between  zones, but what I didn't want to use because  
>> of security concerns.
>
> The primary reason my customers want VNICs is so they can use  
> exclusive IP Instance zones without needing a physical NIC per zone.  
> This allows them to create, say, three zones and have them share a  
> single NIC. Many want to run six, 12, or 15 or so zones per system,  
> and don't have the switch ports or NICs to dedicate one to each. So  
> far they have been less worried about applying bandwidth and CPU  
> controls, but that will be a great feature once they consolidate  
> interfaces.
Absolutely, that's what I use them for. But I always create an  
etherstub first so that this is kind of a physical ethernet in the  
box. My question was why do you want to attach a VNIC to a physical  
interface? I couldn't find a use case for this. Anything can be done  
purely virtual (with etherstubs). Is there an advantage (other than  
that you don't have to create the interface) on using this technique  
as described in the beginning of the document. My fear is that if I  
have it on a physical interface a hacker might get to it from the  
outside with a special crafted packet.

> A requirement of some customers is to force traffic out of the  
> system and into the switch/router/firewall, even if it is between  
> zones on the same system. They will have to be careful how they  
> configure and use VNICs, as traffic using the same physical NIC will  
> not leave the system. The implementation of an etherstub came later  
> on, where you can create VNICs to allow zones to communicate  
> *without* assigning a physical interface, and keep all the traffic  
> in the system.
Ok hopefully the implementation is hacker safe. Anyway my view on this  
is that to explaining the technology now it would be better to start  
with etherstub as this is purely virtual and the concept IMHO is  
easier to understand from a network point of view.


> In lieu of VNICs, I wrote the following how they can do this with  
> VLANs. To use VLANs you need a switch capable of that, and it adds  
> other complexities. With VNICs you need no special networking  
> hardware.
>
> http://blogs.sun.com/stw/entry/using_ip_instances_with_vlans
Yeah did that and still doing it (our production servers are solaris  
10). I also used crossover cables to  generate a private network  
between containers ;-).

>> - Wouldn't it be good if we could name VNICs like e0v1 for  
>> etherstub 0
>
> With vanity naming as part of Clearview, you will be able to do  
> that. All my work has been with older beta builds on NV81 and prior,  
> so I have not played with that myself, yet.
Great - looking forward to using it. When will this be available in  
binary (either opensolaris or Solaris Express or whatever that is  
called at the moment ;-)?

So long
-Ralf
opensolaris at fl1ger.de

More information about the crossbow-discuss mailing list