Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2020/01/29 10:25:32 UTC

[GitHub] [cloudstack] nvazquez opened a new pull request #3732: [Vmware] Enable PVLAN support on L2 networks

URL: https://github.com/apache/cloudstack/pull/3732
 
 
   ## Description
   Feature specification: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Private+VLAN+%28PVLAN%29+support+on+Layer+2+networks
   
   **NOTE: This PR is targeted for Vmware only. Support for XenServer and KVM on future PRs**
   
   A regular VLAN is a single broadcast domain which is isolated at Layer 2. However, it has two main limitations:
   
   - A switch can have up to a theoretical maximum of 4094 VLANs (as the first and last VLANs are reserved). This maximum number is usually lower, depending on the switch which is used. A traditional isolation solution consists of assigning a VLAN per customer, and in some scenarios this maximum number may not be enough to cover every customer.
   - IP address management problem: IP addresses may not be used completely when assigning a subnet per VLAN.
   
   The private VLAN (PVLAN) architecture tackles these problems, providing scalability and IP address management benefits for service providers, as well as Layer 2 security for customers.
   
   PVLANs partition a VLAN domain into subdomains; these subdomains are represented by a pair: (PRIMARY_VLAN_ID, SECONDARY_VLAN_ID). Every pair in a PVLAN shares the PRIMARY_VLAN_ID.
   
   There are two types of subdomains: isolated and community subdomains.
   
   Within a PVLAN, there are three types of port designations, corresponding to the PVLAN type:
   
   - Promiscuous: An endpoint connected to a promiscuous port can communicate with any endpoint within the PVLAN.
   - Isolated: An endpoint connected to an isolated port can only communicate with endpoints connected to promiscuous ports.
   - Community: An endpoint connected to a community port can communicate with another endpoint in the same community and can also communicate with any promiscuous port, but not with other communities.
   
   The following table summarizes the communication between different PVLAN types:
   
   |   | Promiscuous  | Isolated  | Community 1  | Community 2 |
   |---|---|---|---|---|
   | Promiscuous  | ALLOW  | ALLOW  | ALLOW  | ALLOW  |
   | Isolated  | ALLOW  | DENY  | DENY  | DENY  |
   | Community 1  | ALLOW  | DENY  | ALLOW  | DENY  |
   | Community 2  | ALLOW  | DENY  | DENY  | ALLOW  |
   
   The PVLAN support already exists in CloudStack only for Shared networks in Advanced zones. This feature allows extending the PVLAN support to Layer 2 (L2) networks in CloudStack.
   
   ## Types of changes
   - [ ] Breaking change (fix or feature that would cause existing functionality to change)
   - [x] New feature (non-breaking change which adds functionality)
   - [ ] Bug fix (non-breaking change which fixes an issue)
   - [ ] Enhancement (improves an existing feature and functionality)
   - [ ] Cleanup (Code refactoring and cleanup, that may add test cases)
   
   ## Screenshots (if appropriate):
   ![image](https://user-images.githubusercontent.com/5295080/69960522-710f0780-14e8-11ea-98c4-f8d71123a939.png)
   
   ## How Has This Been Tested?
   - Create L2 network selecting a VLAN ID and secondary VLAN ID as well as the PVLAN type
   - Verify PVLAN type on vSphere for the portgroup on the dvSwitch
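The promiscuous / isolated / community rules and the ALLOW/DENY table in the PR description can be encoded as a small reachability check. The following is an added example, not code from CloudStack or from this PR: the `PvlanType`, `Port`, `can_communicate` and `reachability_matrix` names, the VLAN ids 100..103 and the port names are constructed for illustration. Two validation rules are assumptions rather than statements from the PR: usable VLAN ids are taken to be 1..4094 (the PR only says the first and last ids are reserved), and a promiscuous port is taken to carry the primary VLAN id as its secondary id.

```python
"""Reachability check for private VLAN (PVLAN) port designations.

Added example (not CloudStack code): encodes the promiscuous / isolated /
community rules from the PR description and reproduces its ALLOW/DENY table.
All VLAN ids and port names below are constructed sample values.
"""
from dataclasses import dataclass
from enum import Enum


class PvlanType(Enum):
    PROMISCUOUS = "promiscuous"
    ISOLATED = "isolated"
    COMMUNITY = "community"


@dataclass(frozen=True)
class Port:
    name: str
    primary_vlan: int       # shared by every pair in the PVLAN domain
    secondary_vlan: int     # identifies the subdomain (isolated or community)
    pvlan_type: PvlanType


def validate_port(port: Port) -> None:
    """Reject pairs that cannot form a valid PVLAN subdomain.

    Assumption: usable VLAN ids are 1..4094 (the PR only says the first and
    last ids are reserved), and a promiscuous port carries the primary VLAN
    itself as its secondary id.
    """
    for vid in (port.primary_vlan, port.secondary_vlan):
        if not 1 <= vid <= 4094:
            raise ValueError(f"{port.name}: VLAN id {vid} out of range 1..4094")
    if port.pvlan_type is PvlanType.PROMISCUOUS:
        if port.secondary_vlan != port.primary_vlan:
            raise ValueError(f"{port.name}: promiscuous port must use the primary VLAN as secondary")
    elif port.secondary_vlan == port.primary_vlan:
        raise ValueError(f"{port.name}: isolated/community secondary VLAN must differ from primary")


def can_communicate(a: Port, b: Port) -> bool:
    """Return True if Layer 2 traffic is allowed between the two endpoints."""
    # Different primary VLAN means different PVLAN domains: no L2 path at all.
    if a.primary_vlan != b.primary_vlan:
        return False
    types = {a.pvlan_type, b.pvlan_type}
    # A promiscuous port reaches every endpoint in the PVLAN (first row/column).
    if PvlanType.PROMISCUOUS in types:
        return True
    # An isolated port reaches only promiscuous ports, not even another
    # isolated port in the same secondary VLAN.
    if PvlanType.ISOLATED in types:
        return False
    # Two community ports talk only if they are in the same community, i.e.
    # they share the same secondary VLAN id.
    return a.secondary_vlan == b.secondary_vlan


def reachability_matrix(ports):
    """Build {(src_name, dst_name): "ALLOW"/"DENY"} for every ordered pair."""
    for p in ports:
        validate_port(p)
    return {(a.name, b.name): "ALLOW" if can_communicate(a, b) else "DENY"
            for a in ports for b in ports}


# Constructed sample: one PVLAN domain with primary VLAN 100, an isolated
# subdomain 101 and two community subdomains 102 and 103.
SAMPLE_PORTS = (
    Port("Promiscuous", 100, 100, PvlanType.PROMISCUOUS),
    Port("Isolated", 100, 101, PvlanType.ISOLATED),
    Port("Community 1", 100, 102, PvlanType.COMMUNITY),
    Port("Community 2", 100, 103, PvlanType.COMMUNITY),
)


def matches_pr_table() -> bool:
    """Check that the computed matrix equals the table in the PR description."""
    expected = {
        "Promiscuous": ["ALLOW", "ALLOW", "ALLOW", "ALLOW"],
        "Isolated":    ["ALLOW", "DENY", "DENY", "DENY"],
        "Community 1": ["ALLOW", "DENY", "ALLOW", "DENY"],
        "Community 2": ["ALLOW", "DENY", "DENY", "ALLOW"],
    }
    names = [p.name for p in SAMPLE_PORTS]
    matrix = reachability_matrix(SAMPLE_PORTS)
    return all(matrix[(src, dst)] == expected[src][i]
               for src in names for i, dst in enumerate(names))


if __name__ == "__main__":
    names = [p.name for p in SAMPLE_PORTS]
    m = reachability_matrix(SAMPLE_PORTS)
    print("".rjust(12) + "".join(n.rjust(13) for n in names))
    for src in names:
        print(src.rjust(12) + "".join(m[(src, dst)].rjust(13) for dst in names))
    print("matches PR table:", matches_pr_table())
```

Running the module prints the same four-by-four matrix as the PR table; `matches_pr_table()` is the automated form of the "verify PVLAN type" step, in that it confirms the intended policy before the pair is pushed to a portgroup. Note that the check is per PVLAN domain: endpoints with different primary VLAN ids are denied outright, regardless of their secondary ids or port types.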
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services