Posted to dev@cloudstack.apache.org by Manan Shah <ma...@citrix.com> on 2013/02/28 22:35:59 UTC

[PROPOSAL][CLOUDSTACK-1456] SG Isolation in Advanced Zone for VMWare Hypervisor using PVLANs

Hi,

I would like to propose a new feature for adding SG Isolation support for
VMWare Hypervisor using PVLANs. I have created a JIRA ticket and provided
the requirements at the following location. Please provide feedback on the
requirements.

JIRA Ticket:
https://cwiki.apache.org/confluence/display/CLOUDSTACK/SG+Isolation+in+Advanced+Zone+for+VMWare+Hypervisor+using+PVLANs
Requirements:
https://cwiki.apache.org/confluence/display/CLOUDSTACK/SG+Isolation+in+Advanced+Zone+for+VMWare+Hypervisor+using+PVLANs

Regards,
Manan Shah


Re: [PROPOSAL][CLOUDSTACK-1456] SG Isolation in Advanced Zone for VMWare Hypervisor using PVLANs

Posted by Chip Childers <ch...@sungard.com>.
On Wed, Mar 20, 2013 at 03:52:26PM -0700, Manan Shah wrote:
> I have updated the JIRA ticket as well as the requirements document.
> 
> Updated the requirements to mention:
> 
> 1. Made the feature requirements broader by covering all Hypervisors and
> not just VMWare
> 2. Mentioned that the original requirements are for an SG-type feature with
> more use cases, but the primary use case can be achieved using PVLANs

LGTM Manan.  Thanks!

Re: [PROPOSAL][CLOUDSTACK-1456] SG Isolation in Advanced Zone for VMWare Hypervisor using PVLANs

Posted by Manan Shah <ma...@citrix.com>.
I have updated the JIRA ticket as well as the requirements document.

Updated the requirements to mention:

1. Made the feature requirements broader by covering all Hypervisors and
not just VMWare
2. Mentioned that the original requirements are for an SG-type feature with
more use cases, but the primary use case can be achieved using PVLANs


Regards,
Manan Shah




On 3/13/13 11:03 AM, "Chip Childers" <ch...@sungard.com> wrote:

>On Mar 13, 2013, at 1:34 PM, Kelven Yang <ke...@citrix.com> wrote:
>
>> PVLAN provides "subnet within subnet" L2 isolation; it operates very
>> differently from the current L3/L4-capable SG implementation. Would it be a
>> good idea to just separate it as an L2 isolation feature on its own?
>
>It works differently and is normally used for different reasons, so
>probably.
>
>IMO, the real value of PVLANs is on shared networks, specifically in
>the provider environment to enable instance level telemetry.
>
>>
>> Kelven
>>
>> On 3/13/13 6:10 AM, "Chip Childers" <ch...@sungard.com> wrote:
>>
>>> On Mar 12, 2013, at 11:56 PM, Manan Shah <ma...@citrix.com> wrote:
>>>
>>>> Yes, Chiradeep, you are correct. The PVLAN would only be able to
>>>> provide isolation at L2. The primary use case from the provider's
>>>> perspective is to run multiple shared networks (services networks for
>>>> monitoring, patching, etc.). And on each of these services networks, the
>>>> VMs should only be allowed to talk to the admin servers. This can be
>>>> achieved using PVLANs to prevent multiple tenant VMs from talking to
>>>> each other.
>>>
>>> This is a really important use case, primarily for the providers
>>> themselves.
>>>
>>>>
>>>> I will update the PRD to reflect this.
>>>>
>>>> Regards,
>>>> Manan Shah
>>>>
>>>>
>>>>
>>>>
>>>> On 3/11/13 10:49 PM, "Chiradeep Vittal" <Ch...@citrix.com>
>>>> wrote:
>>>>
>>>>> As far as I can tell most of the requirements can NOT be satisfied by
>>>>> PVLAN.
>>>>> The only thing PVLAN can do is:
>>>>> 1. Restrict a VM's traffic to the upstream router
>>>>> 2. Restrict a VM's traffic to a set of VMs on the same physical VLAN.
>>>>>
>>>>> PVLAN does not offer any L4 access control, nor can it work across L3
>>>>> domains.
>>>>> Of the 4 use cases, the first one can be supported in a limited fashion
>>>>> (no security groups, but restricting VMs from communicating using L2
>>>>> isolation).
>>>>>
>>>>> On 2/28/13 1:35 PM, "Manan Shah" <ma...@citrix.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I would like to propose a new feature for adding SG Isolation support
>>>>>> for VMWare Hypervisor using PVLANs. I have created a JIRA ticket and
>>>>>> provided the requirements at the following location. Please provide
>>>>>> feedback on the requirements.
>>>>>>
>>>>>> JIRA Ticket:
>>>>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/SG+Isolation+in+Advanced+Zone+for+VMWare+Hypervisor+using+PVLANs
>>>>>> Requirements:
>>>>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/SG+Isolation+in+Advanced+Zone+for+VMWare+Hypervisor+using+PVLANs
>>>>>>
>>>>>> Regards,
>>>>>> Manan Shah


Re: [PROPOSAL][CLOUDSTACK-1456] SG Isolation in Advanced Zone for VMWare Hypervisor using PVLANs

Posted by Chip Childers <ch...@sungard.com>.
On Mar 13, 2013, at 1:34 PM, Kelven Yang <ke...@citrix.com> wrote:

> PVLAN provides "subnet within subnet" L2 isolation; it operates very
> differently from the current L3/L4-capable SG implementation. Would it be a
> good idea to just separate it as an L2 isolation feature on its own?

It works differently and is normally used for different reasons, so probably.

IMO, the real value of PVLANs is on shared networks, specifically in
the provider environment to enable instance level telemetry.

>
> Kelven
>
> On 3/13/13 6:10 AM, "Chip Childers" <ch...@sungard.com> wrote:
>
>> On Mar 12, 2013, at 11:56 PM, Manan Shah <ma...@citrix.com> wrote:
>>
>>> Yes, Chiradeep, you are correct. The PVLAN would only be able to provide
>>> isolation at L2. The primary use case from the provider's perspective is
>>> to run multiple shared networks (services networks for monitoring,
>>> patching, etc.). And on each of these services networks, the VMs should
>>> only be allowed to talk to the admin servers. This can be achieved using
>>> PVLANs to prevent multiple tenant VMs from talking to each other.
>>
>> This is a really important use case, primarily for the providers
>> themselves.
>>
>>>
>>> I will update the PRD to reflect this.
>>>
>>> Regards,
>>> Manan Shah
>>>
>>>
>>>
>>>
>>> On 3/11/13 10:49 PM, "Chiradeep Vittal" <Ch...@citrix.com>
>>> wrote:
>>>
>>>> As far as I can tell most of the requirements can NOT be satisfied by
>>>> PVLAN.
>>>> The only thing PVLAN can do is:
>>>> 1. Restrict a VM's traffic to the upstream router
>>>> 2. Restrict a VM's traffic to a set of VMs on the same physical VLAN.
>>>>
>>>> PVLAN does not offer any L4 access control, nor can it work across L3
>>>> domains.
>>>> Of the 4 use cases, the first one can be supported in a limited fashion
>>>> (no security groups, but restricting VMs from communicating using L2
>>>> isolation).
>>>>
>>>> On 2/28/13 1:35 PM, "Manan Shah" <ma...@citrix.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I would like to propose a new feature for adding SG Isolation support
>>>>> for VMWare Hypervisor using PVLANs. I have created a JIRA ticket and
>>>>> provided the requirements at the following location. Please provide
>>>>> feedback on the requirements.
>>>>>
>>>>> JIRA Ticket:
>>>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/SG+Isolation+in+Advanced+Zone+for+VMWare+Hypervisor+using+PVLANs
>>>>> Requirements:
>>>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/SG+Isolation+in+Advanced+Zone+for+VMWare+Hypervisor+using+PVLANs
>>>>>
>>>>> Regards,
>>>>> Manan Shah

Re: [PROPOSAL][CLOUDSTACK-1456] SG Isolation in Advanced Zone for VMWare Hypervisor using PVLANs

Posted by Kelven Yang <ke...@citrix.com>.
PVLAN provides "subnet within subnet" L2 isolation; it operates very
differently from the current L3/L4-capable SG implementation. Would it be a
good idea to just separate it as an L2 isolation feature on its own?

Kelven

On 3/13/13 6:10 AM, "Chip Childers" <ch...@sungard.com> wrote:

>On Mar 12, 2013, at 11:56 PM, Manan Shah <ma...@citrix.com> wrote:
>
>> Yes, Chiradeep, you are correct. The PVLAN would only be able to provide
>> isolation at L2. The primary use case from the provider's perspective is
>> to run multiple shared networks (services networks for monitoring,
>> patching, etc.). And on each of these services networks, the VMs should
>> only be allowed to talk to the admin servers. This can be achieved using
>> PVLANs to prevent multiple tenant VMs from talking to each other.
>
>This is a really important use case, primarily for the providers
>themselves.
>
>>
>> I will update the PRD to reflect this.
>>
>> Regards,
>> Manan Shah
>>
>>
>>
>>
>> On 3/11/13 10:49 PM, "Chiradeep Vittal" <Ch...@citrix.com>
>> wrote:
>>
>>> As far as I can tell most of the requirements can NOT be satisfied by
>>> PVLAN.
>>> The only thing PVLAN can do is:
>>> 1. Restrict a VM's traffic to the upstream router
>>> 2. Restrict a VM's traffic to a set of VMs on the same physical VLAN.
>>>
>>> PVLAN does not offer any L4 access control, nor can it work across L3
>>> domains.
>>> Of the 4 use cases, the first one can be supported in a limited fashion
>>> (no security groups, but restricting VMs from communicating using L2
>>> isolation).
>>>
>>> On 2/28/13 1:35 PM, "Manan Shah" <ma...@citrix.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I would like to propose a new feature for adding SG Isolation support
>>>> for VMWare Hypervisor using PVLANs. I have created a JIRA ticket and
>>>> provided the requirements at the following location. Please provide
>>>> feedback on the requirements.
>>>>
>>>> JIRA Ticket:
>>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/SG+Isolation+in+Advanced+Zone+for+VMWare+Hypervisor+using+PVLANs
>>>> Requirements:
>>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/SG+Isolation+in+Advanced+Zone+for+VMWare+Hypervisor+using+PVLANs
>>>>
>>>> Regards,
>>>> Manan Shah


Re: [PROPOSAL][CLOUDSTACK-1456] SG Isolation in Advanced Zone for VMWare Hypervisor using PVLANs

Posted by Chip Childers <ch...@sungard.com>.
On Mar 12, 2013, at 11:56 PM, Manan Shah <ma...@citrix.com> wrote:

> Yes, Chiradeep, you are correct. The PVLAN would only be able to provide
> isolation at L2. The primary use case from the provider's perspective is to
> run multiple shared networks (services networks for monitoring, patching,
> etc.). And on each of these services networks, the VMs should only be
> allowed to talk to the admin servers. This can be achieved using PVLANs to
> prevent multiple tenant VMs from talking to each other.

This is a really important use case, primarily for the providers themselves.

>
> I will update the PRD to reflect this.
>
> Regards,
> Manan Shah
>
>
>
>
> On 3/11/13 10:49 PM, "Chiradeep Vittal" <Ch...@citrix.com>
> wrote:
>
>> As far as I can tell most of the requirements can NOT be satisfied by
>> PVLAN.
>> The only thing PVLAN can do is:
>> 1. Restrict a VM's traffic to the upstream router
>> 2. Restrict a VM's traffic to a set of VMs on the same physical VLAN.
>>
>> PVLAN does not offer any L4 access control, nor can it work across L3
>> domains.
>> Of the 4 use cases, the first one can be supported in a limited fashion
>> (no security groups, but restricting VMs from communicating using L2
>> isolation).
>>
>> On 2/28/13 1:35 PM, "Manan Shah" <ma...@citrix.com> wrote:
>>
>>> Hi,
>>>
>>> I would like to propose a new feature for adding SG Isolation support for
>>> VMWare Hypervisor using PVLANs. I have created a JIRA ticket and provided
>>> the requirements at the following location. Please provide feedback on
>>> the requirements.
>>>
>>> JIRA Ticket:
>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/SG+Isolation+in+Advanced+Zone+for+VMWare+Hypervisor+using+PVLANs
>>> Requirements:
>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/SG+Isolation+in+Advanced+Zone+for+VMWare+Hypervisor+using+PVLANs
>>>
>>> Regards,
>>> Manan Shah

Re: [PROPOSAL][CLOUDSTACK-1456] SG Isolation in Advanced Zone for VMWare Hypervisor using PVLANs

Posted by Manan Shah <ma...@citrix.com>.
Yes, Chiradeep, you are correct. The PVLAN would only be able to provide
isolation at L2. The primary use case from the provider's perspective is to
run multiple shared networks (services networks for monitoring, patching,
etc.). And on each of these services networks, the VMs should only be
allowed to talk to the admin servers. This can be achieved using PVLANs to
prevent multiple tenant VMs from talking to each other.

I will update the PRD to reflect this.

Regards,
Manan Shah




On 3/11/13 10:49 PM, "Chiradeep Vittal" <Ch...@citrix.com>
wrote:

>As far as I can tell most of the requirements can NOT be satisfied by
>PVLAN.
>The only thing PVLAN can do is:
>1. Restrict a VM's traffic to the upstream router
>2. Restrict a VM's traffic to a set of VMs on the same physical VLAN.
>
>PVLAN does not offer any L4 access control, nor can it work across L3
>domains.
>Of the 4 use cases, the first one can be supported in a limited fashion
>(no security groups, but restricting VMs from communicating using L2
>isolation).
>
>On 2/28/13 1:35 PM, "Manan Shah" <ma...@citrix.com> wrote:
>
>>Hi,
>>
>>I would like to propose a new feature for adding SG Isolation support for
>>VMWare Hypervisor using PVLANs. I have created a JIRA ticket and provided
>>the requirements at the following location. Please provide feedback on
>>the requirements.
>>
>>JIRA Ticket:
>>https://cwiki.apache.org/confluence/display/CLOUDSTACK/SG+Isolation+in+Advanced+Zone+for+VMWare+Hypervisor+using+PVLANs
>>Requirements:
>>https://cwiki.apache.org/confluence/display/CLOUDSTACK/SG+Isolation+in+Advanced+Zone+for+VMWare+Hypervisor+using+PVLANs
>>
>>Regards,
>>Manan Shah


Re: [PROPOSAL][CLOUDSTACK-1456] SG Isolation in Advanced Zone for VMWare Hypervisor using PVLANs

Posted by Chiradeep Vittal <Ch...@citrix.com>.
As far as I can tell most of the requirements can NOT be satisfied by
PVLAN.
The only thing PVLAN can do is:
1. Restrict a VM's traffic to the upstream router
2. Restrict a VM's traffic to a set of VMs on the same physical VLAN.

PVLAN does not offer any L4 access control, nor can it work across L3
domains.
Of the 4 use cases, the first one can be supported in a limited fashion
(no security groups, but restricting VMs from communicating using L2
isolation).

On 2/28/13 1:35 PM, "Manan Shah" <ma...@citrix.com> wrote:

>Hi,
>
>I would like to propose a new feature for adding SG Isolation support for
>VMWare Hypervisor using PVLANs. I have created a JIRA ticket and provided
>the requirements at the following location. Please provide feedback on the
>requirements.
>
>JIRA Ticket:
>https://cwiki.apache.org/confluence/display/CLOUDSTACK/SG+Isolation+in+Advanced+Zone+for+VMWare+Hypervisor+using+PVLANs
>Requirements:
>https://cwiki.apache.org/confluence/display/CLOUDSTACK/SG+Isolation+in+Advanced+Zone+for+VMWare+Hypervisor+using+PVLANs
>
>Regards,
>Manan Shah
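Chiradeep's point in the message above (PVLAN can only restrict a VM to the upstream router or to a set of VMs on the same primary VLAN, with no L4 access control) and Manan's services-network use case earlier in the thread (tenant VMs on a shared network may talk to the admin servers but not to each other) can be made concrete with a small forwarding model. The Python below is an added example for this page, not CloudStack code and not anything the proposal or the JIRA ticket specifies: the port types, the sample topology, the `tenant_pairs_that_can_talk` audit helper and the simplified security-group rule fields are all constructed for illustration.

```python
"""Toy model of private-VLAN (PVLAN) forwarding next to a security-group
style rule check. Added example for this thread; not CloudStack code. The
topology, names and simplified rule fields are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class PortType(Enum):
    PROMISCUOUS = "promiscuous"  # upstream router or admin/services host
    ISOLATED = "isolated"        # tenant VM: may talk to promiscuous ports only
    COMMUNITY = "community"      # may talk to same community + promiscuous ports


@dataclass(frozen=True)
class Port:
    name: str
    primary_vlan: int
    kind: PortType
    community: Optional[int] = None  # secondary VLAN id, community ports only


def pvlan_allows(src: Port, dst: Port) -> bool:
    """L2 forwarding decision under PVLAN rules.

    Note the signature: there is no protocol or port argument. PVLAN decides
    per pair of switch ports, which is why it cannot express L4 access control.
    """
    if src is dst:
        return True
    if src.primary_vlan != dst.primary_vlan:
        return False  # a PVLAN never bridges primary VLANs (separate L3 domains)
    if src.kind is PortType.PROMISCUOUS or dst.kind is PortType.PROMISCUOUS:
        return True  # everything may reach the promiscuous port and vice versa
    if src.kind is PortType.COMMUNITY and dst.kind is PortType.COMMUNITY:
        return src.community == dst.community
    return False  # isolated<->isolated and isolated<->community are blocked


def tenant_pairs_that_can_talk(ports: List[Port]) -> List[Tuple[str, str]]:
    """Audit helper (constructed): list non-promiscuous port pairs that can
    still exchange frames. For a services network built only from isolated
    ports this must be empty."""
    tenants = [p for p in ports if p.kind is not PortType.PROMISCUOUS]
    return sorted(
        (a.name, b.name)
        for a in tenants for b in tenants
        if a.name < b.name and pvlan_allows(a, b)
    )


# Constructed services network: one admin host on the promiscuous port, two
# tenant VMs on isolated ports, two VMs of a third tenant sharing a community.
ADMIN = Port("admin-monitoring", 100, PortType.PROMISCUOUS)
VM_A = Port("tenant-a-vm", 100, PortType.ISOLATED)
VM_B = Port("tenant-b-vm", 100, PortType.ISOLATED)
VM_C1 = Port("tenant-c-vm1", 100, PortType.COMMUNITY, community=110)
VM_C2 = Port("tenant-c-vm2", 100, PortType.COMMUNITY, community=110)
OTHER_VLAN = Port("other-network-vm", 200, PortType.PROMISCUOUS)
SERVICES_NET = [ADMIN, VM_A, VM_B, VM_C1, VM_C2]


@dataclass(frozen=True)
class SgRule:
    """Simplified ingress rule: protocol, port range and allowed source CIDR
    (constructed fields, loosely after the usual security-group shape)."""
    proto: str
    start_port: int
    end_port: int
    cidr: str


def sg_allows(rules: List[SgRule], src_ip: str, proto: str, port: int) -> bool:
    """The L3/L4 decision a security group can make and PVLAN cannot."""
    ip = ipaddress.ip_address(src_ip)
    return any(
        r.proto == proto
        and r.start_port <= port <= r.end_port
        and ip in ipaddress.ip_network(r.cidr)
        for r in rules
    )


if __name__ == "__main__":
    for src in SERVICES_NET:
        reach = [d.name for d in SERVICES_NET if d is not src and pvlan_allows(src, d)]
        print(f"{src.name:16} -> {reach}")
    print("tenant pairs still able to talk:", tenant_pairs_that_can_talk(SERVICES_NET))
    ssh_only = [SgRule("tcp", 22, 22, "10.0.0.0/24")]
    print("SG allows ssh from 10.0.0.5: ", sg_allows(ssh_only, "10.0.0.5", "tcp", 22))
    print("SG allows http from 10.0.0.5:", sg_allows(ssh_only, "10.0.0.5", "tcp", 80))
```

Running the model shows both halves of the argument: every VM reaches the promiscuous admin host, isolated tenants cannot reach each other, the two community VMs still can, and nothing crosses the primary VLAN boundary. The `sg_allows` function makes the contrast explicit: it needs a source address, protocol and port to decide, inputs that `pvlan_allows` never sees.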