On 05/21/2012 04:22 PM, Livnat Peer wrote:
On 21/05/12 16:19, Michael Pasternak wrote:
On 05/21/2012 03:54 PM, Shahar Havivi wrote:
On 21.05.12 15:38, Michael Pasternak wrote:
Hi Livnat,
On 05/21/2012 02:55 PM, Livnat Peer wrote:
Hi All,
After digging into the port mirroring feature I suggest a different modeling of it in the API.
The current modeling is to add to vnic a boolean property of port-mirroring, e.g.
api/vms/{vm-id}/nics
<nics> <nic> ... <network href="/api/networks/{network-id}" id="{network-id}"/> <port-mirroring> true </port mirroring> </nic> </VM>
This modeling imply 2 limitations: 1. The vnic must be connected to the network it wants to monitor 2. the nic can mirror only a single network
Both of the above limitations are correct to the current implementation. Going forward we might want to introduce the above functionalities and the above modeling won't hold. Instead of the above I suggest to change the port-mirroring property to a list of networks.
<nics> <nic> ... <network href="/api/networks/{network-id}" id="{network-id}"/> <port-mirroring> <network href="/api/networks/{network-id}" id="{network-id}"/> .... </port mirroring> </nic> </VM>
In this version we'll validate that the network under port-mirroring is equal to the network the vnic is connected to, in future versions we can remove this validation without changing the API.
iiuc you saying that in future vnic might be connected to several networks simultaneously?
yes, maybe in next version
in this case, api should be changed as at the moment we permit single network peer vnic, another option may be:
<nics> <nic> ... <networks> <network href="/api/networks/{network-id}" id="{network-id}"> <port-mirroring> true </port_mirroring> </network> <network href="/api/networks/{network-id}" id="{network-id}"> <port-mirroring> true </port_mirroring> </network> </networks> </nic> </nics>
this way we won't have to double network references, only disadvantage of this approach is abuse of network link, but we already have such precedents in api.
Hi Michael,
One of the issues I raised was to avoid association between the network the nic is attached to and the networks the nic can monitor.
The implementation in VDSM does not require that the nic will be connected to the network in order to monitor it. So going forward we might connect the VM nic to intrusion-detection-network while the monitoring will be for red network and blue network.
Thanks, Livnat
in this case +1 on your design.
Thanks, Livnat
--
Michael Pasternak RedHat, ENG-Virtualization R&D
-- Michael Pasternak RedHat, ENG-Virtualization R&D