PVLAN provides "subnet within subnet" L2 isolation; it operates very
differently from the current L3/L4-capable SG implementation. Would it be a
good idea to just separate it as an L2 isolation feature on its own?

Kelven

On 3/13/13 6:10 AM, "Chip Childers" <chip.child...@sungard.com> wrote:

>On Mar 12, 2013, at 11:56 PM, Manan Shah <manan.s...@citrix.com> wrote:
>
>> Yes, Chiradeep, you are correct. The PVLAN would only be able to provide
>> isolation at L2. The primary use case from the provider's perspective is
>> to run multiple shared networks (services networks for monitoring,
>> patching, etc). And on each of these services networks, the VMs should
>> only be allowed to talk to the admin servers. This can be achieved using
>> PVLANs to prevent multiple tenant VMs from talking to each other.
>
>This is a really important use case, primarily for the providers
>themselves.
>
>>
>> I will update the PRD to reflect this.
>>
>> Regards,
>> Manan Shah
>>
>>
>>
>>
>> On 3/11/13 10:49 PM, "Chiradeep Vittal" <chiradeep.vit...@citrix.com>
>> wrote:
>>
>>> As far as I can tell most of the requirements can NOT be satisfied by
>>> PVLAN.
>>> The only thing PVLAN can do is:
>>> 1. Restrict a VM's traffic to the upstream router
>>> 2. Restrict a VM's traffic to a set of VMs on the same physical VLAN.
>>>
>>> PVLAN does not offer any L4 access control, nor can it work across L3
>>> domains.
>>> Of the 4 use cases, the first one can be supported in a limited fashion
>>> (no security groups, but restricting VMs from communicating using L2
>>> isolation).
>>>
>>> On 2/28/13 1:35 PM, "Manan Shah" <manan.s...@citrix.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I would like to propose a new feature for adding SG Isolation support
>>>> for VMware Hypervisor using PVLANs. I have created a JIRA ticket and
>>>> provided the requirements at the following location. Please provide
>>>> feedback on the requirements.
>>>>
>>>> JIRA Ticket:
>>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/SG+Isolation+in+Advanced+Zone+for+VMWare+Hypervisor+using+PVLANs
>>>> Requirements:
>>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/SG+Isolation+in+Advanced+Zone+for+VMWare+Hypervisor+using+PVLANs
>>>>
>>>> Regards,
>>>> Manan Shah
>>
>>
