incubator-cloudstack-dev mailing list archives

From Manan Shah <manan.s...@citrix.com>
Subject Re: [PROPOSAL][CLOUDSTACK-1456] SG Isolation in Advanced Zone for VMWare Hypervisor using PVLANs
Date Wed, 20 Mar 2013 22:52:26 GMT
I have updated the JIRA ticket as well as the requirements document.

Updated the requirements to mention:

1. Made the feature requirements broader by covering all Hypervisors and
not just VMWare
2. Mentioned that the original requirements are for SG type feature with
more use cases but the primary use case can be achieved using PVLANs


Regards,
Manan Shah




On 3/13/13 11:03 AM, "Chip Childers" <chip.childers@sungard.com> wrote:

>On Mar 13, 2013, at 1:34 PM, Kelven Yang <kelven.yang@citrix.com> wrote:
>
>> PVLAN provides "subnet within subnet" L2 isolation, it operates very
>> differently with current L3/L4 capable SG implementation, would it be a
>> good idea to just separate it as L2 isolation feature on its own?
>
>It works differently and is normally used for different reasons, so
>probably.
>
>IMO, the real value of PVLANs is on shared networks, specifically in
>the provider environment to enable instance level telemetry.
>
>>
>> Kelven
>>
>> On 3/13/13 6:10 AM, "Chip Childers" <chip.childers@sungard.com> wrote:
>>
>>> On Mar 12, 2013, at 11:56 PM, Manan Shah <manan.shah@citrix.com> wrote:
>>>
>>>> Yes, Chiradeep, you are correct. The PVLAN would only be able to provide
>>>> isolation at L2. The primary use case from the providers perspective is to
>>>> run multiple shared networks (services network for monitoring, patching,
>>>> etc). And on each of these services network, the VMs should only be
>>>> allowed to talk to the admin servers. This can be achieved using PVLANs to
>>>> prevent multiple Tenant VMs to talk to each other.
>>>
>>> This is a really important use case, primarily for the providers
>>> themselves.
>>>
>>>>
>>>> I will update the PRD to reflect this.
>>>>
>>>> Regards,
>>>> Manan Shah
>>>>
>>>>
>>>>
>>>>
>>>> On 3/11/13 10:49 PM, "Chiradeep Vittal" <Chiradeep.Vittal@citrix.com>
>>>> wrote:
>>>>
>>>>> As far as I can tell most of the requirements can NOT be satisfied by
>>>>> PVLAN.
>>>>> The only thing PVLAN can do is:
>>>>> 1. Restrict a VM's traffic to the upstream router
>>>>> 2. Restrict a VM's traffic to a set of VMs on the same physical VLAN.
>>>>>
>>>>> PVLAN does not offer any L4 access control, nor can it work across L3
>>>>> domains.
>>>>> Of the 4 use cases, the first one can be supported in a limited fashion
>>>>> (no security groups, but restricting VMs from communicating using L2
>>>>> isolation).
>>>>>
>>>>> On 2/28/13 1:35 PM, "Manan Shah" <manan.shah@citrix.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I would like to propose a new feature for adding SG Isolation support
>>>>>> for VMWare Hypervisor using PVLANs. I have created a JIRA ticket and
>>>>>> provided the requirements at the following location. Please provide
>>>>>> feedback on the requirements.
>>>>>>
>>>>>> JIRA Ticket:
>>>>>>
>>>>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/SG+Isolation+in+Advanced+Zone+for+VMWare+Hypervisor+using+PVLANs
>>>>>>
>>>>>> Requirements:
>>>>>>
>>>>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/SG+Isolation+in+Advanced+Zone+for+VMWare+Hypervisor+using+PVLANs
>>>>>>
>>>>>> Regards,
>>>>>> Manan Shah
>>
>>
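
An added example, not part of the thread or of CloudStack's code: a small model of the L2-only PVLAN forwarding decision discussed above, used to audit a services network against the "tenant VMs may only talk to the admin servers" use case. The port roles (promiscuous, isolated, community) are the standard PVLAN roles from RFC 5517, which the thread does not name; the port names, the `is_admin` label and the community id are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

# Standard PVLAN port roles (RFC 5517); the thread itself does not name them.
PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"

@dataclass(frozen=True)
class Port:
    name: str
    role: str
    community: Optional[int] = None   # secondary VLAN id, community ports only
    is_admin: bool = False            # policy label: admin/monitoring server

def l2_allowed(a: Port, b: Port) -> bool:
    """PVLAN forwarding decision inside one primary VLAN (L2 only, no L4 view)."""
    if PROMISCUOUS in (a.role, b.role):
        return True                   # promiscuous ports reach every port
    if a.role == b.role == COMMUNITY:
        return a.community == b.community
    return False                      # isolated ports reach promiscuous only

def policy_violations(ports):
    """Pairs that can talk at L2 although neither end is an admin server."""
    return sorted(
        (a.name, b.name)
        for a, b in combinations(ports, 2)
        if l2_allowed(a, b) and not (a.is_admin or b.is_admin)
    )

# Constructed sample: one shared services network, three tenant VMs.
GOOD = [
    Port("admin-mon", PROMISCUOUS, is_admin=True),
    Port("tenantA-vm1", ISOLATED),
    Port("tenantB-vm1", ISOLATED),
    Port("tenantB-vm2", ISOLATED),
]
# Same network with two tenant VMs placed in one community by mistake.
BAD = GOOD[:2] + [
    Port("tenantB-vm1", COMMUNITY, community=201),
    Port("tenantC-vm1", COMMUNITY, community=201),
]

if __name__ == "__main__":
    print("good:", policy_violations(GOOD))
    print("bad: ", policy_violations(BAD))
```

The decision function sees only port roles, never protocols or port numbers, which is why this kind of isolation cannot stand in for L4 security group rules.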

