A regular VLAN is a single broadcast domain which is isolated at Layer 2. However, it has two main limitations:
The private VLAN (PVLAN) architecture tackles these problems by providing scalability and IP address management benefits for service providers, as well as Layer 2 security for customers.
PVLANs partition a VLAN domain into subdomains. Each subdomain is represented by a pair (PRIMARY_VLAN_ID, SECONDARY_VLAN_ID), and every pair in a PVLAN shares the same PRIMARY_VLAN_ID.
There are two types of subdomains: isolated and community subdomains.
Within a PVLAN, there are three types of port designations, corresponding to the PVLAN type:
The following table summarizes the communication between different PVLAN types:
| | Promiscuous | Isolated | Community 1 | Community 2 |
|---|---|---|---|---|
| Promiscuous | ALLOW | ALLOW | ALLOW | ALLOW |
| Isolated | ALLOW | DENY | DENY | DENY |
| Community 1 | ALLOW | DENY | ALLOW | DENY |
| Community 2 | ALLOW | DENY | DENY | ALLOW |
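The following Python is an added example, not code from the CloudStack project: it models the forwarding policy the table summarizes as a function over (PRIMARY_VLAN_ID, SECONDARY_VLAN_ID, port type) tuples, so that it also covers cases the table leaves implicit (two hosts in the same isolated subdomain, ports in different primary VLANs). The VLAN IDs and port names are constructed sample values.

```python
from dataclasses import dataclass
from enum import Enum

class PvlanType(Enum):
    PROMISCUOUS = "promiscuous"
    ISOLATED = "isolated"
    COMMUNITY = "community"

@dataclass(frozen=True)
class PvlanPort:
    name: str
    primary_vlan: int     # PRIMARY_VLAN_ID, shared by every subdomain of the PVLAN
    secondary_vlan: int   # SECONDARY_VLAN_ID, identifies the subdomain
    ptype: PvlanType

def can_communicate(a: PvlanPort, b: PvlanPort) -> bool:
    """True if Layer 2 traffic may be forwarded between ports a and b."""
    # Different primary VLANs are separate broadcast domains: never forwarded.
    if a.primary_vlan != b.primary_vlan:
        return False
    # A promiscuous port (typically the gateway) reaches every subdomain.
    if PvlanType.PROMISCUOUS in (a.ptype, b.ptype):
        return True
    # Isolated ports reach only promiscuous ports, even inside their own subdomain.
    if PvlanType.ISOLATED in (a.ptype, b.ptype):
        return False
    # Two community ports talk only when they share the same community subdomain.
    return a.secondary_vlan == b.secondary_vlan

def reachability_matrix(ports):
    """Map (src.name, dst.name) -> 'ALLOW' or 'DENY' for every ordered pair."""
    return {(a.name, b.name): "ALLOW" if can_communicate(a, b) else "DENY"
            for a in ports for b in ports}

# Constructed sample: primary VLAN 100 with one isolated and two community subdomains.
SAMPLE_PORTS = [
    PvlanPort("Promiscuous", 100, 100, PvlanType.PROMISCUOUS),
    PvlanPort("Isolated", 100, 101, PvlanType.ISOLATED),
    PvlanPort("Community 1", 100, 102, PvlanType.COMMUNITY),
    PvlanPort("Community 2", 100, 103, PvlanType.COMMUNITY),
]

if __name__ == "__main__":
    names = [p.name for p in SAMPLE_PORTS]
    matrix = reachability_matrix(SAMPLE_PORTS)
    print("".ljust(12) + "".join(n.ljust(12) for n in names))
    for src in names:
        print(src.ljust(12) + "".join(matrix[(src, dst)].ljust(12) for dst in names))
```

Running the script reproduces the table above as an ALLOW/DENY grid.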
PVLAN support already exists in CloudStack, but only for Shared networks in Advanced zones. This feature extends PVLAN support to Layer 2 (L2) networks in CloudStack.
Pull request: https://github.com/apache/cloudstack/pull/3732
This feature does not introduce any new API; however, it extends the 'createNetwork' API:
The private VLAN type is persisted as a detail in the 'network_details' table.
A new dropdown is added to the network creation dialog, allowing administrators to select the PVLAN type along with the secondary VLAN ID.
This is currently supported on VMware through dvSwitch and on KVM via OpenFlow rules. The KVM implementation requires OVS > 2.9.2. Since XenServer only supports OVS 2.6, PVLAN is unsupported on XenServer.