From: Sheng Yang
To: dev@cloudstack.apache.org
Date: Wed, 17 Apr 2013 17:49:23 -0700
Subject: Re: [RFC][FS]PVLAN for isolation within a VLAN

In fact that's the requirement for this design. We need this very strict restriction to implement isolation for the VMs. PVLAN is the way we used to approach this requirement. Community VLAN is more like normal VLANs, which share information in between. That's not of our concern currently.

The main work for this would be to add the ability to OVS (which is controlled by CloudStack) to set up flow tables to achieve the same effect as PVLAN, as you can see in the "design" section, where I've detailed the way of doing it.

--Sheng

On Wed, Apr 17, 2013 at 2:18 AM, Murali Reddy wrote:

> Sheng,
>
> Thanks for the FS. A couple of points in the FS made me curious about the rationale behind them.
>
> Why do you want all the end-user VMs (except for the DHCP server VM) in the shared network to be connected only to I-ports? This means that even VMs of the same user can not talk to each other, right? Isn't it too restrictive? How about having a community secondary VLAN per user, with which they get isolation and their VMs can talk to each other? Is the only downside the additional effort of managing a pool of secondary community VLANs, or are there other challenges?
>
> The approach proposed for Xen and KVM, which do not support PVLAN, is interesting. So do you expect the admin to set up these flows on each KVM/Xen hypervisor? Or will CloudStack be responsible for set-up of the flow tables as well?
>
> Thanks.
>
> On 17/04/13 5:01 AM, "Sheng Yang" wrote:
>
>> Hi all,
>>
>> I am currently working on a new mechanism to achieve isolation for advanced shared networks. It takes advantage of the PVLAN feature of Cisco switches to achieve isolation in a simpler way.
>>
>> Here is the FS. You probably need to read the references (in the link) to get an idea of PVLAN first.
>>
>> https://cwiki.apache.org/CLOUDSTACK/pvlan-for-isolation-within-a-vlan.html
>>
>> Thanks!
>>
>> --Sheng
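As an added illustration (not from the thread, the FS, or CloudStack's code), the small Python model below captures the PVLAN forwarding policy Murali and Sheng are discussing: isolated ports reach only promiscuous ports (the DHCP server/router), community ports also reach their own community, and it emits the `ovs-ofctl add-flow` rules that would emulate that policy on a KVM/Xen host's OVS bridge. The bridge name, port numbers and community ids are constructed.

```python
"""Model of isolated/community/promiscuous PVLAN forwarding and the OVS
flow rules that emulate it.  All port numbers and ids are constructed."""
from dataclasses import dataclass

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"


@dataclass(frozen=True)
class Port:
    ofport: int         # OpenFlow port number of the VM's vif on the bridge
    kind: str           # PROMISCUOUS, ISOLATED or COMMUNITY
    community: int = 0  # secondary community VLAN id; only used for COMMUNITY


def may_forward(src: Port, dst: Port) -> bool:
    """PVLAN rule: a promiscuous port talks to everyone; an isolated port
    talks only to promiscuous ports; a community port talks to promiscuous
    ports and to members of the same community.  Nothing else is allowed."""
    if src.ofport == dst.ofport:
        return False                       # never hairpin back to the sender
    if PROMISCUOUS in (src.kind, dst.kind):
        return True
    if src.kind == COMMUNITY and dst.kind == COMMUNITY:
        return src.community == dst.community
    return False                           # isolated<->isolated, isolated<->community


def ovs_flows(bridge: str, ports: list[Port]) -> list[str]:
    """One rule per ingress port listing every permitted egress port, plus a
    catch-all drop.  Frames are replicated to all permitted ports (the
    destination NIC filters by MAC); a production rule set would add dl_dst
    matches, but the reachability enforced is exactly may_forward()."""
    cmds = []
    for src in ports:
        allowed = [d.ofport for d in ports if may_forward(src, d)]
        actions = ",".join(f"output:{p}" for p in allowed) or "drop"
        cmds.append(f'ovs-ofctl add-flow {bridge} '
                    f'"priority=100,in_port={src.ofport},actions={actions}"')
    cmds.append(f'ovs-ofctl add-flow {bridge} "priority=0,actions=drop"')
    return cmds


if __name__ == "__main__":
    # Constructed layout: port 1 = DHCP/router VM (promiscuous), ports 2-3 =
    # end-user VMs as in Sheng's design (isolated), ports 4-6 = Murali's
    # per-user community alternative (two communities, 7 and 8).
    layout = [Port(1, PROMISCUOUS), Port(2, ISOLATED), Port(3, ISOLATED),
              Port(4, COMMUNITY, 7), Port(5, COMMUNITY, 7), Port(6, COMMUNITY, 8)]
    print("\n".join(ovs_flows("br0", layout)))
```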