On Thu, Aug 9, 2012 at 4:07 PM, Matthew Patton <mpat...@inforelay.com> wrote:
> On Thu, 09 Aug 2012 03:09:30 -0400, Hugo Trippaers
> <htrippa...@schubergphilis.com> wrote:
>
>> I think I have the clear picture now. I think there is a valid use case
>> for having the option to create 'internal' networks (networks that have no
>> outside connectivity, so no SourceNat service).
>
> You "think"? Do people here not have practical experience running a
> real-world (non-)virtualized environment of any decent complexity? It's done
> all the time! The router simply doesn't have an interface on said VLAN; QED,
> non-routable and non-SNAT'able.
>
> It might be more clear to use the term "isolated". It just means it can not
> see any other host that isn't on the same VLAN and can't leave the VLAN. I
> can't see why every such VLAN couldn't pull from the same set of subnets.
> This ought to work across zones too, so either we allocate the same VLAN
> number in all zones on creation or we maintain an association table:
> zoneA+vlanX == zoneB+vlanY. Naturally there'll have to be a layer 2 VPN
> between zones, and the subnets will have to be different on either end.
>
> However, I'm pretty sure a VPN (e.g. GRE) tunnel won't work if there are
> duplicate or differing combinations of left vs. right subnets, even if their
> originating interface device names are different, since those decisions are
> based on routes. So unfortunately these isolated subnets have to be unique
> across all zones, or otherwise isolation can only be local to a zone. Though
> if the virtual router (aka VPN endpoint) was unique to each customer|Account
> (?domain?), that should let us do it.
Well, just to add my thoughts on the thread. There exist some of us that can't use or don't need VLANs at all, as we have physically segmented networks and don't need or can't even employ the use of VLANs. I would concur there should be a mechanism to create a shared non-VLAN / non-tagged network so that we can enable instances to be dual homed: public NIC and private NIC.

Case in point... we don't have VLAN capable switches, and we don't wish to run backups for instances over a public interface. There was a fairly lengthy conversation in IRC regarding this. At the moment there is no way to create a shared network without a VLAN, and using GRE tunnels to achieve this appears to be overkill for such simple functionality.

It would be a huge improvement for those of us with basic network topologies to be able to enjoy using CloudStack. We can achieve this with XEN / XCP at the moment and it's functional, as they don't require us to use VLANs. Adding CloudStack to the mix negates the whole environment altogether.
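As an added illustration of Matthew's point above (this is not code from anyone in the thread or from CloudStack), the check below walks a constructed table of isolated-network allocations and flags subnets that overlap behind the same VPN endpoint, which a route-based tunnel such as GRE cannot tell apart; the zone names, VLAN ids, subnets and endpoint names are all made-up sample data.

```python
import ipaddress
from itertools import combinations

# Constructed sample allocations (not from the thread): each isolated network
# is identified by zone + VLAN, has one subnet, and sits behind one VPN
# endpoint (virtual router). "shared-vr" models a single router serving every
# tenant; "acct1-vr"/"acct2-vr" model per-account routers.
ALLOCATIONS = [
    {"zone": "zoneA", "vlan": 100, "subnet": "10.10.0.0/24",   "endpoint": "shared-vr"},
    {"zone": "zoneB", "vlan": 200, "subnet": "10.10.0.0/24",   "endpoint": "shared-vr"},  # duplicate of zoneA/100
    {"zone": "zoneB", "vlan": 201, "subnet": "10.10.0.128/25", "endpoint": "shared-vr"},  # overlaps 10.10.0.0/24
    {"zone": "zoneA", "vlan": 101, "subnet": "10.20.0.0/24",   "endpoint": "shared-vr"},
    {"zone": "zoneB", "vlan": 300, "subnet": "10.30.0.0/24",   "endpoint": "shared-vr"},
    # Same subnet in two zones, but behind different per-account routers:
    # each router has its own route table, so no ambiguity.
    {"zone": "zoneA", "vlan": 400, "subnet": "192.168.1.0/24", "endpoint": "acct1-vr"},
    {"zone": "zoneB", "vlan": 401, "subnet": "192.168.1.0/24", "endpoint": "acct2-vr"},
]


def route_conflicts(allocations):
    """Return every pair of distinct isolated networks whose subnets overlap
    behind the same VPN endpoint.

    A route-based tunnel chooses the tunnel by destination prefix only, so
    two overlapping subnets behind one endpoint are indistinguishable to it,
    no matter which interface or VLAN they originate on.
    """
    conflicts = []
    for a, b in combinations(allocations, 2):
        if a["endpoint"] != b["endpoint"]:
            continue  # separate routers keep separate route tables
        if (a["zone"], a["vlan"]) == (b["zone"], b["vlan"]):
            continue  # same network listed twice, not a conflict
        net_a = ipaddress.ip_network(a["subnet"], strict=True)
        net_b = ipaddress.ip_network(b["subnet"], strict=True)
        if net_a.overlaps(net_b):
            conflicts.append(((a["zone"], a["vlan"]), (b["zone"], b["vlan"]),
                              str(net_a), str(net_b)))
    return conflicts


def subnets_unique_per_endpoint(allocations):
    """True when no VPN endpoint sees overlapping isolated subnets."""
    return not route_conflicts(allocations)


if __name__ == "__main__":
    for conflict in route_conflicts(ALLOCATIONS):
        print("route conflict:", conflict)
```

With the sample table the shared router reports three conflicting pairs, while the per-account routers report none, which is the "virtual router unique to each account" case from the thread.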