THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
Page History
Bug Reference
https://issues.apache.org/jira/browse/CLOUDSTACK-1456
Branch
Haven't branch out yet.
Introduction
Purpose
Implement isolation in advanced zone. Focus on shared network. The target is:
1. All the user VM cannot reach other user VM.
2. All the user VM can reach DHCP server and Gateway.
The mechanism we chose to implement this feature is Private VLAN.
References
Document History
Glossary
Feature Specifications
- The isolated port(I-port) in private vlan concept fit prefect for our requirement. Basically we just need to make every user VM connect to I-port of the switch(vswitch or open vswitch), every dhcp server connect to P-port of the switch, then it would be enough for isolation and communication.
- But open vswitch(used by XenServer and KVM) doesn't have PVLAN support. vSwitch(for VMware) support it by default.
- So we need extra effort to simulate PVLAN on open vswitch(ovs) for Xen and KVM.
- We would modify flow table, to:
- 1. For every traffic leave user VM, tagged with secondary isolate vlan tag.
- 2. Allow secondary isolated vlan tagged traffic reach DHCP server, by change the vlan tag to primary vlan tag.
- 3. The gateway should know nothing about PVLAN, and the switch connect to the gateway should translate all the secondary vlan to primary vlan for communicating with gateway.
...
- Need PVLAN supported switch(refer to http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml) to connect to host.
- Only one switch would connect to gateway, other switches need to be connect to this switch via trunk port.
- It's an ideal situation. Only Cisco Catalyst 4500 has pvlan promiscuous trunk mode to trunk both normal vlan and pvlan to pvlan-unaware switch.
- For other Catalyst pvlan support switch, you need to connect switch to upper switch using at least (pvlan number + 1) cables to archive this.
...
Overview
Content Tools
Apps