incubator-cloudstack-dev mailing list archives

From Chip Childers <chip.child...@sungard.com>
Subject Re: [PROPOSAL][CLOUDSTACK-1456] SG Isolation in Advanced Zone for VMWare Hypervisor using PVLANs
Date Wed, 13 Mar 2013 18:03:12 GMT
On Mar 13, 2013, at 1:34 PM, Kelven Yang <kelven.yang@citrix.com> wrote:

> PVLAN provides "subnet within subnet" L2 isolation. It operates very
> differently from the current L3/L4-capable SG implementation; would it be a
> good idea to just separate it as an L2 isolation feature on its own?

It works differently and is normally used for different reasons, so probably.

IMO, the real value of PVLANs is on shared networks, specifically in
the provider environment, to enable instance-level telemetry.

>
> Kelven
>
> On 3/13/13 6:10 AM, "Chip Childers" <chip.childers@sungard.com> wrote:
>
>> On Mar 12, 2013, at 11:56 PM, Manan Shah <manan.shah@citrix.com> wrote:
>>
>>> Yes, Chiradeep, you are correct. The PVLAN would only be able to provide
>>> isolation at L2. The primary use case from the provider's perspective is
>>> to run multiple shared networks (services networks for monitoring,
>>> patching, etc.). On each of these services networks, the VMs should only
>>> be allowed to talk to the admin servers. This can be achieved using PVLANs
>>> to prevent multiple tenant VMs from talking to each other.
>>
>> This is a really important use case, primarily for the providers
>> themselves.
>>
>>>
>>> I will update the PRD to reflect this.
>>>
>>> Regards,
>>> Manan Shah
>>>
>>>
>>>
>>>
>>> On 3/11/13 10:49 PM, "Chiradeep Vittal" <Chiradeep.Vittal@citrix.com>
>>> wrote:
>>>
>>>> As far as I can tell most of the requirements can NOT be satisfied by
>>>> PVLAN. The only thing PVLAN can do is:
>>>> 1. Restrict a VM's traffic to the upstream router
>>>> 2. Restrict a VM's traffic to a set of VMs on the same physical VLAN.
>>>>
>>>> PVLAN does not offer any L4 access control, nor can it work across L3
>>>> domains. Of the 4 use cases, the first one can be supported in a limited
>>>> fashion (no security groups, but restricting VMs from communicating using
>>>> L2 isolation).
>>>>
>>>> On 2/28/13 1:35 PM, "Manan Shah" <manan.shah@citrix.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I would like to propose a new feature for adding SG Isolation support
>>>>> for VMWare Hypervisor using PVLANs. I have created a JIRA ticket and
>>>>> provided the requirements at the following location. Please provide
>>>>> feedback on the requirements.
>>>>>
>>>>> JIRA Ticket:
>>>>>
>>>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/SG+Isolation+in+Advanced+Zone+for+VMWare+Hypervisor+using+PVLANs
>>>>>
>>>>> Requirements:
>>>>>
>>>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/SG+Isolation+in+Advanced+Zone+for+VMWare+Hypervisor+using+PVLANs
>>>>>
>>>>> Regards,
>>>>> Manan Shah
>
>
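
Chiradeep's point in the quoted thread (PVLAN can only restrict a VM to the upstream router or to a set of VMs on the same physical VLAN, with no L4 access control), modelled as an added example. This is constructed illustration code, not CloudStack or VMware code; the port names and the community id "c101" are made up.

```python
"""Toy model of PVLAN forwarding in a provider 'services' network.

PVLAN decides per Ethernet frame from the sender's and receiver's port
type alone: it gives pure L2 isolation and never sees IP or TCP headers,
so there is no place to express a port- or protocol-level rule.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional, Set, Tuple


class PortType(Enum):
    PROMISCUOUS = "promiscuous"  # upstream router / provider admin servers
    ISOLATED = "isolated"        # tenant VM: reaches promiscuous ports only
    COMMUNITY = "community"      # reaches its own community + promiscuous


@dataclass(frozen=True)
class Port:
    name: str
    kind: PortType
    community: Optional[str] = None  # secondary VLAN id, COMMUNITY ports only


def pvlan_forwards(src: Port, dst: Port) -> bool:
    """Would the switch deliver an L2 frame from src to dst?"""
    if src == dst:
        return True
    if PortType.PROMISCUOUS in (src.kind, dst.kind):
        return True   # promiscuous ports talk to every port in the primary VLAN
    if PortType.ISOLATED in (src.kind, dst.kind):
        return False  # an isolated port never reaches another non-promiscuous port
    return src.community == dst.community  # two community ports: same secondary VLAN


def reachable(ports: Iterable[Port]) -> Set[Tuple[str, str]]:
    """All (src, dst) name pairs the PVLAN lets talk, in either direction."""
    ports = list(ports)
    return {(a.name, b.name) for a in ports for b in ports
            if a != b and pvlan_forwards(a, b)}


# Constructed services network: one admin server, tenant VMs on isolated ports,
# plus one tenant whose two VMs share a community secondary VLAN.
SERVICES_NET = [
    Port("admin", PortType.PROMISCUOUS),
    Port("tenantA-vm1", PortType.ISOLATED),
    Port("tenantB-vm1", PortType.ISOLATED),
    Port("tenantC-vm1", PortType.COMMUNITY, "c101"),
    Port("tenantC-vm2", PortType.COMMUNITY, "c101"),
]

if __name__ == "__main__":
    for pair in sorted(reachable(SERVICES_NET)):
        print("%s -> %s" % pair)
```

Every tenant VM reaches the admin server and nothing else, except the two community VMs, which also reach each other; the model has no notion of a TCP port, which is the gap security groups fill.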
