cloudstack-dev mailing list archives

From Yiping Zhang <yzh...@marketo.com>
Subject Re: Multiple Physical Networks in Basic Networking (KVM)
Date Sun, 10 Jun 2018 22:00:10 GMT
We have been using "advanced networking with security groups" on XenServer clusters (using
the Linux bridge network backend, instead of Open vSwitch) for over three years now in production.
AFAICT, this is not an officially supported/endorsed deployment scenario. We are a private
enterprise deployment. We use our external routers as GW and VLAN separation is done at corporate
network layer using real firewalls.

In the course of the last three years, we found many features are NOT implemented for this deployment
mode, or APIs not working properly. So be warned!

Any improvements on this deployment scenario, or bringing it to fully supported status, will
be warmly welcomed by this user.


On 6/9/18, 1:31 AM, "Wido den Hollander" <wido@widodh.nl> wrote:

    
    
    On 06/08/2018 03:54 PM, Dag Sonstebo wrote:
    > Ivan – not sure how you deal with per-network VM bandwidth (or what your use case is) so probably worth testing in the lab.
    > 
    
    Isn't that done by libvirt in the XML? In Basic Zone at least that
    works. It is part of the service offering.
    
    > Wido – agree, I don’t see why our current “basic zone” can’t be deprecated in the long run for “advanced zone with security groups” since they serve the same purpose and the latter gives more flexibility. There may be use cases where they don’t behave the same – but personally I’ve not come across any issues.
    > 
    
    I wouldn't know those cases. I'll test and see how it works out. Give me
    some time and I'll get back to this topic.
    
    Might even be possible to convert a Basic Zone to an Advanced Zone by
    doing some database mutations.
    
    Wido
    
    > Regards,
    > Dag Sonstebo
    > Cloud Architect
    > ShapeBlue
    > 
    > On 08/06/2018, 14:44, "Wido den Hollander" <wido@widodh.nl> wrote:
    > 
    >     
    >     
    >     On 06/08/2018 03:32 PM, Dag Sonstebo wrote:
    >     > Hi Ivan,
    >     > 
    >     > Not quite – “advanced zone with security group” allows you to have multiple “basic” type networks isolated within their own VLANs and with security groups isolation between VMs / accounts. The VR only does DNS/DHCP, not GW/NAT.
    >     > 
    >     
    >     Hmm, yes, that was actually what we/I is/are looking for. The main
    >     reason for Basic Networking is the shared services we offer on a public
    >     cloud.
    >     
    >     A VR dies as soon as there is any flood, so that's why we have our
    >     physical routers do the work.
    >     
    >     I thought that what you mentioned is "DirectAttached" networking.
    >     
    >     But that brings me to the question why we still have Basic Networking
    >     :-) In earlier conversations I had with people I think that on the
    >     longer run Basic Networking can be dropped/merged in favor of Advanced
    >     Networking with Security Groups then, right?
    >     
    >     Accounts/VMs are deployed inside the same VLAN and isolation is done by
    >     Security Groups.
    >     
    >     Sounds right, let me dig into that!
    >     
    >     Wido
    >     
    >     > Regards,
    >     > Dag Sonstebo
    >     > Cloud Architect
    >     > ShapeBlue
    >     > 
    >     > On 08/06/2018, 14:26, "Ivan Kudryavtsev" <kudryavtsev_ia@bw-sw.com> wrote:
    >     > 
    >     >     Hi, Dag. Not exactly. Advanced zone uses VR as a GW with SNAT/DNAT which is
    >     >     not quite good for public cloud in my case. Despite that it really solves
    >     >     the problem. But I would like to have it as simple as possible, without VR
    >     >     as a GW and xNAT.
    >     >     
    >     >     Fri, 8 Jun 2018, 15:21 Dag Sonstebo <Dag.Sonstebo@shapeblue.com>:
    >     >     
    >     >     > Wido / Ivan – I’m probably missing something – but is the feature you are
    >     >     > looking for not the same functionality we currently have in “advanced zones
    >     >     > with security groups”?
    >     >     >
    >     >     > Regards,
    >     >     > Dag Sonstebo
    >     >     > Cloud Architect
    >     >     > ShapeBlue
    >     >     >
    >     >     > On 08/06/2018, 14:14, "Ivan Kudryavtsev" <kudryavtsev_ia@bw-sw.com> wrote:
    >     >     >
    >     >     >     Hi Wido, I am also very interested in a similar deployment, especially
    >     >     >     combined with the capability of setting different network bandwidth for
    >     >     >     different networks, like 10.0.0.0/8 intra DC with 1G bandwidth per VM and
    >     >     >     white IPv4/IPv6 with regular bandwidth management. But it seems it takes a
    >     >     >     very big redesign of VM settings and VR redesign is also required.
    >     >     >
    >     >     >     When I tried to investigate if it is possible with ACS basic network, I
    >     >     >     didn't succeed in finding any relevant information.
    >     >     >
    >     >     >
    >     >     >     Fri, 8 Jun 2018, 14:56 Wido den Hollander <wido@widodh.nl>:
    >     >     >
    >     >     >     > Hi,
    >     >     >     >
    >     >     >     > I am looking into supporting multiple Physical Networks inside our
    >     >     >     > Basic Networking zone.
    >     >     >     >
    >     >     >     > First: The reason we use Basic Networking is the simplicity and the fact
    >     >     >     > that our (Juniper) routers can do the routing and not the VR.
    >     >     >     >
    >     >     >     > ALL our VMs have external IPv4/IPv6 addresses and we do not use NAT
    >     >     >     > anywhere.
    >     >     >     >
    >     >     >     > But right now a Hypervisor has a single VLAN/POD going to it terminated
    >     >     >     > on 'cloudbr0' using vlan://untagged.
    >     >     >     >
    >     >     >     > But to better utilize our physical hardware it would be great if Basic
    >     >     >     > Networking would support multiple physical networks using VLAN
    >     >     >     > separation.
    >     >     >     >
    >     >     >     > For example:
    >     >     >     >
    >     >     >     > - PhysicalNetwork1: VLAN 100
    >     >     >     > - PhysicalNetwork2: VLAN 101
    >     >     >     > - PhysicalNetwork3: VLAN 102
    >     >     >     >
    >     >     >     > I've been looking into DirectAttached with Advanced Networking, but I
    >     >     >     > couldn't find any reference to it on how that exactly works.
    >     >     >     >
    >     >     >     > Right now for our use-case Basic Networking with multiple Physical
    >     >     >     > Networks would work best for us.
    >     >     >     >
    >     >     >     > Has anybody looked at this or has any insight of the problems we might
    >     >     >     > run in to?
    >     >     >     >
    >     >     >     > Wido
    >     >     >     >
    >     >     >
    >     >     >
    >     >     >
    >     >     > Dag.Sonstebo@shapeblue.com
    >     >     > www.shapeblue.com
    >     >     > 53 Chandos Place, Covent Garden, London WC2N 4HS UK
    >     >     > @shapeblue
    >     >     >
    >     >     >
    >     >     >
    >     >     >
    >     >     
    >     > 
    >     > 
    >     > 
    >     
    > 
    > 
    > 
    
