Andy,

thanks for looking into this. I agree 100% especially the "the main reason why people had a load of nics was not for bandwith but to keep the networking team happy". BTW the same reason for which NPIV is meant to keep the SAN people happy (which is not a good reason to implement a technology that is a step-back on the way to the virtual datacenter .... but this is another story).

For the sake of the discussion this scenario is not meant to replace Fibre Channel nor Ethernet. Quite the opposite.

This is meant to allow the networking people to continue to use their dozens of physically disconnected networks but instead of plugging dozens of different cables into dozens of physical hosts they plug these cables once into this "bridge". They do not (technically) even need to create VLAN's or things like that if they don't want to. What happens on the other side of this switch is something they shouldn't care about (so to speak obvisouly).

The idea here is keep both the networking and the server teams happy. I think there is lots of space for improvement here but I understand that "legacies" are hard to overcome....

Massimo.

Mh .... I see what you mean and I don't disagree in principle. However I think my point is that ... since "you" are trusting a black box called ESX into which you are plugging 22 NIC's (and if the box was called Windows probably you wouldn't have done so) why shouldn't you trust a black box that is the IB bridge. I am not sure there are data or studies that back the fact that ESX is more secure than a IB switch or the other way around.

BTW we did have a number of customers whose networking guys voted against having the ESX box being the concentrator for so many different networks but at the end the management did go tough a risk analysis and decided that it was well worth considering the ESX server "secure enough" to do that. They might want to do the same and "convince" the networking people that IB is at least as secure. After all let's face it .... if it was for the networking people we wouldn't be using VMware either as they would like to keep EVERYTHING separate and on small physical servers .....

Thanks.

Massimo.

I only wanted to bring up an often heard argument.

Yes, these guys use the same argument against ESX - fortunately they don't decide.

bq. I already hear the security guys scream

Really? It's the accountants that I hear screaming, regardless of which solution we pick.......

Who cares about accountants when we are on a journey...

Signature from Steve Beaver:

*Virtualization is a journey, not a project.*

Hello,

I would like to see both supported, but I am not sold on the security of VLANs. Some Intrusion Detection System work by ignoring TAGs within tagged packets. If you ignore the TCP Tag you can see all packets across every VLAN on a vSwitch, I am not sure that is true on a real switch.... But it could be possible with the less expensive Tagging pSwitches. Given this capability, using VLAN for high security issues is not a great thing. I always suggest multiple networks in many cases (vMotion, Storage, Admin). And maybe use VLANs for internal VMs, or something like that.

I like Infiniband/10G not for splitting up the bandwidth but for improving Storage network and vMotion performance. As the security issues are frightening with badly configured vNetworks.

Best regards,

Edward L. Haletky, author of the forthcoming 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', publishing January 2008, (c) 2008 Pearson Education. Available on Rough Cuts at http://safari.informit.com/9780132302074

Well, from our point of view this is great news. We're a smaller outfit looking to roll out vmware for the first time, and we're debating whether the extra cost of infiniband is worth it. Nice to have confirmation that infiniband is as good as we thought

For the records I didn't really want to say it's "good" or suggest to use it ..... I literally just wanted to throw it onto the table for more feedbacks / thoughts.

You know that in this market it's not always "the best" that wins.....

Massimo.

It is (although I didn't mean to push Xsigo specifically as a vendor... in fact I have published my article before they came out with their "business case" - I think at least).

Massimo.

Anders, completely agreed.....

Massimo.

(looking aside the new technologi, need for knowhow, eg.) Have you done any cost analysis on the subject? What are the break-even? I've been on one of the vmware supported vendors site and it's looks cheaper than I thought, but it also lacks support for iSCSI hba virtualization to avoid sw initiators. However we are a small shop with 6 hosts and each have about 4 nics and 2 hba ports and even there it already seems cheaper with Infiniband. It could also increase bandwidth at major database, mail and backup installations. The question is whether Infiniband will beat 10Gbit Ethernet on the hosts.

Anders,

good points. My very personal opinion is that with 6 hosts / 4 nics / 2 HBA's you should NOT look into this. Even assuming that you get to the break-even (debatable - IB HBA's/ IB switches / IB bridges etc etc for 6 hosts are going to be a bit expensive) the efforts you need to put into it to change your status-quo are going to be big. I see IB better (potentially) for large organizations with lots of servers and a big number of ethernet connections. There is where the benefits of IB could be put on a large scale.

> The question is whether Infiniband will beat 10Gbit Ethernet on the hosts

This is another good point. We will definitely (mh .. likely) see a convergence on the media in the long run for storage / networks. IB <might> be that media even though there are people that think that 10Gbit Ethernet could be it as well (there are lots of discussion going on about CEE - Converged Enhanced Ethernet and FC over CEE etc etc). We'll see but obviously 10 Gbit ethernet has an advantage for obvious reasons... the point is that with IB we have a solution today .... with Ethernet these are still plans.

Massimo.

I have seen alot of theorizing on this subject but no proof of concepts yet, it is very attractive.

Is anyone doing this currently or has evaluated it, proof of concept?

Would be a huge boon in the blade chassis environments, 16 port infiniband virtual config for both SAN/Network to service all the blades....

Proof of concepts are being evaluated. The performance #'s in

combination with the number of cables / devices / ports / energy

consumed is very attractive. I also believe that by reducing the

number of devices and device drivers that reliability and availability

will signfiicantly improve.

Since VMWare decouples and "truely" virtulizes the I/O devices then no rewrite of I/O protocols are required from a VM'ed OS perspective. One of the side benefits of consolidation and the ability to effiently utilize hardware when virtualized, is that we can adopt faster technologies sooner without a high cost of change on the OS and application side.

Infiniband's current roadmap provides for 1Tbps in 3 years. Ethernet and DCE/CEE (which is more like Infiniband) only has 40 & 100 Gbps on the roadmap. In the end we are best served as customers by having at least two I/O technologies compete.

PS. Infiniband's mature low latency RDMA stacks will enable to to take advantage of shared DRAM much more efficiently than anything else available today.