A regular VLAN is a single Layer 2 broadcast domain, isolated from other VLANs. However, it has two main limitations:
The private VLAN (PVLAN) architecture addresses these limitations, providing scalability and IP address management benefits for service providers, as well as Layer 2 isolation between customers.
PVLANs partition a VLAN domain into subdomains. Each subdomain is identified by a pair (PRIMARY_VLAN_ID, SECONDARY_VLAN_ID); every pair within one PVLAN shares the same PRIMARY_VLAN_ID.
There are two types of subdomains: isolated and community subdomains.
Within a PVLAN there are three port designations, matching the subdomain types: promiscuous (on the primary VLAN), isolated and community.
The following table summarizes which port types can communicate with each other at Layer 2 (rows and columns are port types; Community 1 and Community 2 are two distinct community subdomains under the same primary VLAN):

| | Promiscuous | Isolated | Community 1 | Community 2 |
|---|---|---|---|---|
| Promiscuous | ALLOW | ALLOW | ALLOW | ALLOW |
| Isolated | ALLOW | DENY | DENY | DENY |
| Community 1 | ALLOW | DENY | ALLOW | DENY |
| Community 2 | ALLOW | DENY | DENY | ALLOW |
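As an added illustration (not part of this design page or of CloudStack's code), the following Python models the (PRIMARY_VLAN_ID, SECONDARY_VLAN_ID) pairs and turns the table above into a general forwarding predicate, of which the 4x4 matrix is one instance. It also checks the consistency rules implied by the text: all pairs share the primary VLAN ID and one secondary ID has a single designation. Port names, the VLAN IDs, and the convention that a promiscuous port's secondary ID equals the primary ID are assumptions of this example.

```python
"""Model of private VLAN (PVLAN) forwarding rules: which port designations may
exchange Layer 2 frames. Added illustration, not CloudStack code."""
from dataclasses import dataclass
from enum import Enum


class PvlanType(Enum):
    PROMISCUOUS = "promiscuous"
    ISOLATED = "isolated"
    COMMUNITY = "community"


@dataclass(frozen=True)
class PvlanPort:
    """A port inside one PVLAN subdomain: the pair (primary, secondary) plus
    the designation of that subdomain. A promiscuous port is modelled as
    living on the primary VLAN itself (secondary == primary); that is the
    usual switch/vSwitch convention and an assumption of this example."""
    name: str
    primary: int
    secondary: int
    ptype: PvlanType


def validate_domain(ports):
    """Return a list of configuration problems for one PVLAN domain (an empty
    list means the set of ports is consistent). Checks:
      - every port shares the same primary VLAN ID
      - promiscuous ports use the primary VLAN as their secondary ID
      - isolated and community ports use a secondary ID distinct from the primary
      - one secondary VLAN ID maps to exactly one designation
    """
    problems = []
    primaries = {p.primary for p in ports}
    if len(primaries) > 1:
        problems.append(f"ports span several primary VLANs: {sorted(primaries)}")
    type_by_secondary = {}
    for p in ports:
        if p.ptype is PvlanType.PROMISCUOUS and p.secondary != p.primary:
            problems.append(f"{p.name}: promiscuous port must sit on primary VLAN {p.primary}")
        if p.ptype is not PvlanType.PROMISCUOUS and p.secondary == p.primary:
            problems.append(f"{p.name}: {p.ptype.value} port needs a secondary VLAN other than {p.primary}")
        seen = type_by_secondary.setdefault(p.secondary, p.ptype)
        if seen is not p.ptype:
            problems.append(f"secondary VLAN {p.secondary} used as both {seen.value} and {p.ptype.value}")
    return problems


def can_communicate(a, b):
    """Decide whether two ports may exchange frames at Layer 2."""
    if a.primary != b.primary:
        return False  # different PVLAN domains: no shared broadcast domain at all
    if PvlanType.PROMISCUOUS in (a.ptype, b.ptype):
        return True   # a promiscuous port talks to every port in the domain
    if PvlanType.ISOLATED in (a.ptype, b.ptype):
        return False  # isolated ports reach only promiscuous ports, never each other
    return a.secondary == b.secondary  # community ports: only within the same community


def communication_matrix(ports):
    """Reproduce the ALLOW/DENY table for every ordered pair of ports."""
    return {(a.name, b.name): "ALLOW" if can_communicate(a, b) else "DENY"
            for a in ports for b in ports}


# Constructed sample: one PVLAN domain with primary VLAN 100 and three secondaries.
SAMPLE_PORTS = [
    PvlanPort("router", 100, 100, PvlanType.PROMISCUOUS),
    PvlanPort("iso-vm", 100, 101, PvlanType.ISOLATED),
    PvlanPort("comm1-a", 100, 102, PvlanType.COMMUNITY),
    PvlanPort("comm1-b", 100, 102, PvlanType.COMMUNITY),
    PvlanPort("comm2", 100, 103, PvlanType.COMMUNITY),
]

if __name__ == "__main__":
    assert not validate_domain(SAMPLE_PORTS)
    matrix = communication_matrix(SAMPLE_PORTS)
    names = [p.name for p in SAMPLE_PORTS]
    print("src/dst".ljust(10) + "".join(n.ljust(10) for n in names))
    for a in names:
        print(a.ljust(10) + "".join(matrix[(a, b)].ljust(10) for b in names))
```

Running the script prints the matrix for the constructed domain; the two ports in community 102 reach each other, the isolated port reaches only the router, and any port on a different primary VLAN is denied before the PVLAN rules are even consulted. The validation step is the check an operator wants when creating several L2 networks under one primary: reusing a secondary VLAN ID with a different designation silently changes who can reach whom.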
PVLAN support already exists in CloudStack, but only for Shared networks in Advanced zones. This feature extends it to Layer 2 (L2) networks.
This feature does not introduce any new API; instead it extends the existing 'createNetwork' API:
The private VLAN type is persisted as a detail in the 'network_details' table.
A new dropdown is added to the network creation dialog, allowing administrators to select the PVLAN type along with the secondary VLAN ID.