...

  • Enabling the PVLAN feature is straightforward on VMware.
  • For OVS, the flow table needs the following modifications:
    1. For each VM:
    Outgoing tag with PVLAN: priority=50,dl_src=<VM MAC> actions=mod_vlan_vid:<secondary isolated vlan>,output:<trunk port>
    2. For each VM on the same host as the DHCP server:
    <a> Allow communication with the DHCP server (e.g. DNS): priority=100,dl_src=<VM MAC>,dl_dst=<DHCP MAC> actions=NORMAL
    <b> Allow DHCP request: priority=60,udp,dl_src=<VM MAC>,nw_dst=255.255.255.255,tp_dst=67 actions=NORMAL
    3. For each host:
    <a> ARP for DHCP server (from the isolated VLAN): priority=160,arp,dl_vlan=<secondary isolated vlan>,nw_dst=<DHCP IP> actions=mod_vlan_vid:<primary vlan>,NORMAL
    <b> ARP for DHCP server: priority=150,arp,nw_dst=<DHCP IP> actions=NORMAL
    4. For each host that has a DHCP server:
    <a> Accept packets from outside (e.g. DNS): priority=100,dl_vlan=<secondary isolated vlan>,dl_dst=<DHCP MAC> actions=mod_vlan_vid:<primary vlan>,NORMAL
    <b> Accept DHCP request from outside: priority=60,udp,dl_vlan=<secondary isolated vlan>,nw_dst=255.255.255.255,tp_dst=67 actions=mod_vlan_vid:<primary vlan>,NORMAL
  • VM migration and host restart would affect these rules; they need to be reprogrammed afterwards.
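To check that the priorities above actually produce the intended behaviour (VM traffic forced onto the isolated VLAN, only DHCP and DHCP-server traffic exempted), here is an added example that models the per-VM and per-host rules as an OpenFlow-style table and resolves which rule wins for a given packet. It is not CloudStack's or OVS's code; the MAC addresses, IP, VLAN ids and trunk port are constructed placeholders.

```python
# Added example: model of the OVS flow rules described above (not CloudStack code).
# Constructed sample values, not taken from the design page.
VM_MAC = "52:54:00:aa:bb:01"
PEER_MAC = "52:54:00:aa:bb:02"
DHCP_MAC = "52:54:00:dd:dd:01"
DHCP_IP = "10.1.1.2"
PRIMARY_VLAN, ISOLATED_VLAN, TRUNK_PORT = 100, 101, 1

TAG_ISOLATED = f"mod_vlan_vid:{ISOLATED_VLAN},output:{TRUNK_PORT}"
TO_PRIMARY = f"mod_vlan_vid:{PRIMARY_VLAN},NORMAL"


def per_vm_rules(vm_mac):
    """Rules 1 and 2: default tag with the isolated VLAN; DHCP exceptions win on priority."""
    return [
        (50, {"dl_src": vm_mac}, TAG_ISOLATED),
        (100, {"dl_src": vm_mac, "dl_dst": DHCP_MAC}, "NORMAL"),
        (60, {"dl_src": vm_mac, "proto": "udp", "nw_dst": "255.255.255.255", "tp_dst": 67}, "NORMAL"),
    ]


def per_host_rules():
    """Rule 3: ARP for the DHCP server coming in on the isolated VLAN is moved to the primary VLAN."""
    return [
        (160, {"proto": "arp", "dl_vlan": ISOLATED_VLAN, "nw_dst": DHCP_IP}, TO_PRIMARY),
        (150, {"proto": "arp", "nw_dst": DHCP_IP}, "NORMAL"),
    ]


def build_table(vm_macs):
    """Flow table for one host hosting the given VMs (rule 4 omitted: host has no DHCP server)."""
    table = []
    for mac in vm_macs:
        table += per_vm_rules(mac)
    return table + per_host_rules()


def lookup(table, packet):
    """OpenFlow semantics: highest priority rule whose match fields all equal the packet's wins.
    Fields absent from a match are wildcards. Assumption: a table miss drops the packet."""
    best = None
    for prio, match, action in table:
        if all(packet.get(k) == v for k, v in match.items()):
            if best is None or prio > best[0]:
                best = (prio, action)
    return best[1] if best else "drop"
```

A unicast from the VM to a peer VM resolves to the isolated-VLAN tag, while the same VM's DHCP discover (UDP to 255.255.255.255:67) resolves to NORMAL because priority 60 beats 50; a UDP broadcast to port 68 does not qualify and is tagged like any other VM traffic.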

Switch configuration

  • Though CloudStack doesn't control the switches, they must support Private VLAN for the whole setup to work. This would require certain Cisco Catalyst switches.
    • It's likely we would need the Catalyst 4500 series for PVLAN promiscuous trunk support.
  • The topology of switches and router would be:
    • All L2 switches (which are aware of PVLAN) are connected to each other, and one of them (and only one) connects to the router.
    • All ports connected to hosts are configured in trunk mode, allowing the mgmt VLAN, the primary VLAN (public VLAN) and the secondary isolated VLAN.
    • The switch port connected to the router is configured in PVLAN promiscuous trunk mode, which translates the secondary isolated VLAN to the primary VLAN for the router (which has no knowledge of PVLAN).

Web Services APIs

...

Modify createNetworkCmd:

  • Add a new parameter, secondary_isolated_vlan (not required). If the parameter is not null, PVLAN would be enabled.

UI flow

  • either demonstrate it visually here or link to relevant mockups

...