Posted to commits@cloudstack.apache.org by pa...@apache.org on 2019/10/30 19:52:15 UTC
[cloudstack-documentation] branch 4.13 updated: improve pvlan usage section (#83)
This is an automated email from the ASF dual-hosted git repository.
paul_a pushed a commit to branch 4.13
in repository https://gitbox.apache.org/repos/asf/cloudstack-documentation.git
The following commit(s) were added to refs/heads/4.13 by this push:
new 980abd3 improve pvlan usage section (#83)
980abd3 is described below
commit 980abd3ee593591e126434adf0695664d164d583
Author: Paul Angus <pa...@shapeblue.com>
AuthorDate: Wed Oct 30 19:52:06 2019 +0000
improve pvlan usage section (#83)
---
source/_imagesource/pvlans.drawio | 1 +
source/_static/images/pvlans.png | Bin 0 -> 65766 bytes
.../isolation_in_advanced_zone_with_vlan.rst | 175 +++++----------------
3 files changed, 37 insertions(+), 139 deletions(-)
diff --git a/source/_imagesource/pvlans.drawio b/source/_imagesource/pvlans.drawio
new file mode 100644
index 0000000..984953a
--- /dev/null
+++ b/source/_imagesource/pvlans.drawio
@@ -0,0 +1 @@
+<mxfile host="Chrome" modified="2019-10-09T13:28:47.165Z" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36" version="12.1.0" etag="FKAbdMejNJbJpPzL8ecu" type="device" pages="1"><diagram id="cEOUKJeksBoM-9QyOMCy" name="Page-1">7Vxtc6M2EP41mWk/xIN452POd2k7vXYyzUzb+5QhINvqgeWCHNv36ysZyUYC2xjzdin5YrTAGvZ5drWrlXNnTOPtT4m/WvyGQxjd6Vq4vTM+3uk60FydfjDJLpN4mpUJ5gkK+UVHwTP6BsWdXLpGIUylCwnGEUErWRjg5RIGRJL5SYI38mUzHMnfuvLnsCB4D [...]
\ No newline at end of file
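Review bot: the diagram source is committed as a single line of compressed draw.io XML, so future edits to the picture will show up as an opaque one-line replacement that cannot be reviewed; consider saving the .drawio file with compression turned off (draw.io's "Compressed" file property) so the diagram XML is plain text and diffs line by line. The missing trailing newline flagged by "\ No newline at end of file" is cosmetic but worth adding for the same reason.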
diff --git a/source/_static/images/pvlans.png b/source/_static/images/pvlans.png
new file mode 100644
index 0000000..8095a7a
Binary files /dev/null and b/source/_static/images/pvlans.png differ
diff --git a/source/adminguide/networking/isolation_in_advanced_zone_with_vlan.rst b/source/adminguide/networking/isolation_in_advanced_zone_with_vlan.rst
index 61a4e57..33fda6f 100644
--- a/source/adminguide/networking/isolation_in_advanced_zone_with_vlan.rst
+++ b/source/adminguide/networking/isolation_in_advanced_zone_with_vlan.rst
@@ -14,72 +14,16 @@
under the License.
-Isolation in Advanced Zone Using Private VLAN
----------------------------------------------
-
-Isolation of guest traffic in shared networks can be achieved by using
-Private VLANs (PVLAN). PVLANs provide Layer 2 isolation between ports
-within the same VLAN. In a PVLAN-enabled shared network, a user VM
-cannot reach other user VM though they can reach the DHCP server and
-gateway, this would in turn allow users to control traffic within a
-network and help them deploy multiple applications without communication
-between application as well as prevent communication with other users'
-VMs.
-
-- Isolate VMs in a shared networks by using Private VLANs.
-
-- Supported on KVM, XenServer, and VMware hypervisors
-
-- PVLAN-enabled shared network can be a part of multiple networks of a
- guest VM.
-
-
-About Private VLAN
-~~~~~~~~~~~~~~~~~~
-
-In an Ethernet switch, a VLAN is a broadcast domain where hosts can
-establish direct communication with each another at Layer 2. Private
-VLAN is designed as an extension of VLAN standard to add further
-segmentation of the logical broadcast domain. A regular VLAN is a single
-broadcast domain, whereas a private VLAN partitions a larger VLAN
-broadcast domain into smaller sub-domains. A sub-domain is represented
-by a pair of VLANs: a Primary VLAN and a Secondary VLAN. The original
-VLAN that is being divided into smaller groups is called Primary, which
-implies that all VLAN pairs in a private VLAN share the same Primary
-VLAN. All the secondary VLANs exist only inside the Primary. Each
-Secondary VLAN has a specific VLAN ID associated to it, which
-differentiates one sub-domain from another.
-
-Three types of ports exist in a private VLAN domain, which essentially
-determine the behaviour of the participating hosts. Each ports will have
-its own unique set of rules, which regulate a connected host's ability
-to communicate with other connected host within the same private VLAN
-domain. Configure each host that is part of a PVLAN pair can be by using
-one of these three port designation:
-
-- **Promiscuous**: A promiscuous port can communicate with all the
- interfaces, including the community and isolated host ports that
- belong to the secondary VLANs. In Promiscuous mode, hosts are
- connected to promiscuous ports and are able to communicate directly
- with resources on both primary and secondary VLAN. Routers, DHCP
- servers, and other trusted devices are typically attached to
- promiscuous ports.
-
-- **Isolated VLANs**: The ports within an isolated VLAN cannot
- communicate with each other at the layer-2 level. The hosts that are
- connected to Isolated ports can directly communicate only with the
- Promiscuous resources. If your customer device needs to have access
- only to a gateway router, attach it to an isolated port.
-
-- **Community VLANs**: The ports within a community VLAN can
- communicate with each other and with the promiscuous ports, but they
- cannot communicate with the ports in other communities at the layer-2
- level. In a Community mode, direct communication is permitted only
- with the hosts in the same community and those that are connected to
- the Primary PVLAN in promiscuous mode. If your customer has two
- devices that need to be isolated from other customers' devices, but
- to be able to communicate among themselves, deploy them in community
- ports.
+Isolation in Advanced Zone Using Private VLANs
+-----------------------------------------------
+
+About PVLANs (Secondary VLANs)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The clasic use-case for PVLANs is a shared backup network, where you wish all users'
+hosts to be able to communicate with a backup host, but not with each other.
+
+ |pvlans.png|
For further reading:
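Review bot: deleting the "About Private VLAN" section removes the only definitions of promiscuous, isolated and community ports, yet the replacement text still relies on those terms (and the following hunk refers to "the three types of Private VLAN" without defining them); keep a short definition of at least the promiscuous and isolated types beside the diagram rather than leaving readers to the external links. Two smaller points in the added lines: "The clasic use-case for PVLANs" should read "The classic use case for PVLANs", and the substitution reference is indented by one space (`+ |pvlans.png|`), which reStructuredText renders as a block quote; move it to the left margin so the image sits as a normal paragraph.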
@@ -92,6 +36,19 @@ For further reading:
- `Private VLAN (PVLAN) on vNetwork Distributed Switch - Concept
Overview (1010691) <http://kb.vmware.com>`_
+Supported Secondary VLAN types
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Of the three types of Private VLAN (promiscuous, community and isolated),
+CloudStack supports **one promiscuous** PVLAN and **one isolated** PVLAN **per
+primary VLAN**. Ergo, community PVLANs are not currently supported.
+PVLANs are only currently supported on shared networks.
+The PVLAN concept is supported on KVM (when using OVS), XenServer (when using OVS), and VMware hypervisors
+
+ .. note::
+ OVS on XenServer and KVM does not support PVLAN natively. Therefore,
+ CloudStack managed to simulate PVLAN on OVS for XenServer and KVM by
+ modifying the flow table.
Prerequisites
~~~~~~~~~~~~~
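Review bot: the `.. note::` directive and its body are indented by one space relative to the surrounding paragraphs, so the admonition is nested inside a block quote instead of sitting at the section level; dedent the directive to the left margin and indent only its body. The sentence "The PVLAN concept is supported on KVM (when using OVS), XenServer (when using OVS), and VMware hypervisors" is missing its full stop, and "Ergo, community PVLANs are not currently supported." would read more naturally in documentation as "Consequently, community PVLANs are not currently supported."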
@@ -119,84 +76,24 @@ Prerequisites
- Before you use PVLAN on XenServer and KVM, enable Open vSwitch (OVS).
- .. note::
- OVS on XenServer and KVM does not support PVLAN natively. Therefore,
- CloudStack managed to simulate PVLAN on OVS for XenServer and KVM by
- modifying the flow table.
-
-
-Creating a PVLAN-Enabled Guest Network
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-#. Log in to the CloudStack UI as administrator.
-
-#. In the left navigation, choose Infrastructure.
-
-#. On Zones, click View More.
-
-#. Click the zone to which you want to add a guest network.
-
-#. Click the Physical Network tab.
-
-#. Click the physical network you want to work with.
-
-#. On the Guest node of the diagram, click Configure.
-
-#. Click the Network tab.
-
-#. Click Add guest network.
-
- The Add guest network window is displayed.
-
-#. Specify the following:
-
- - **Name**: The name of the network. This will be visible to the
- user.
-
- - **Description**: The short description of the network that can be
- displayed to users.
-
- - **VLAN ID**: The unique ID of the VLAN.
-
- - **Secondary Isolated VLAN ID**: The unique ID of the Secondary
- Isolated VLAN.
-
- For the description on Secondary Isolated VLAN, see
- `About Private VLAN" <#about-private-vlan>`_.
-
- - **Scope**: The available scopes are Domain, Account, Project, and
- All.
-
- - **Domain**: Selecting Domain limits the scope of this guest
- network to the domain you specify. The network will not be
- available for other domains. If you select Subdomain Access,
- the guest network is available to all the sub domains within
- the selected domain.
-
- - **Account**: The account for which the guest network is being
- created for. You must specify the domain the account belongs
- to.
- - **Project**: The project for which the guest network is being
- created for. You must specify the domain the project belongs
- to.
+Creating a PVLAN-Enabled Shared Network
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- - **All**: The guest network is available for all the domains,
- account, projects within the selected zone.
+For a general description of how to create a shared netowrk see `"configuring a shared guest network" <#configuring-a-shared-guest-network>`_.
- - **Network Offering**: If the administrator has configured multiple
- network offerings, select the one you want to use for this
- network.
+On top of the parameters required to create a *normal* shared network, the following
+parameters must be set:
- - **Gateway**: The gateway that the guests should use.
+- **VLAN ID**: The unique ID of the primary VLAN that you want to use.
- - **Netmask**: The netmask in use on the subnet the guests will use.
+- **Secondary Isolated VLAN ID**:
- - **IP Range**: A range of IP addresses that are accessible from the
- Internet and are assigned to the guest VMs.
+ - For a **promiscuous** PVLAN, set this to the same VLAN ID as the primary VLAN
+ that the promiscuous PVLAN will be inside.
+ - For an **isolated** PVLAN, set this to the PVLAN ID which you wish to use
+ inside the primary VLAN.
- - **Network Domain**: A custom DNS suffix at the level of a network.
- If you want to assign a special domain name to the guest VM
- network, specify a DNS suffix.
-#. Click OK to confirm.
+.. |pvlans.png| image:: /_static/images/pvlans.png
+ :alt: Diagram of PVLAN communications
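Review bot: the link `<#configuring-a-shared-guest-network>` is a bare HTML fragment and only resolves if the "Configuring a Shared Guest Network" section is rendered on this same page; if it lives in another .rst file, use a Sphinx cross-reference (`:ref:` to a label on that section) so the build verifies the target. Typo on the same line: "netowrk" should be "network". The bullet "**Secondary Isolated VLAN ID**:" is the only place telling the reader that a promiscuous PVLAN is configured by setting this field equal to the primary VLAN ID; since the field name says "Isolated", a one-line remark that the same field is used for both PVLAN types would avoid confusion.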