
Commit 980abd3

Author: Paul Angus
improve pvlan usage section (apache#83)
1 parent 701ee28 commit 980abd3

File tree: 3 files changed, +37 -139 lines changed

source/_imagesource/pvlans.drawio

+1
@@ -0,0 +1 @@
1+
<mxfile host="Chrome" modified="2019-10-09T13:28:47.165Z" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36" version="12.1.0" etag="FKAbdMejNJbJpPzL8ecu" type="device" pages="1"><diagram id="cEOUKJeksBoM-9QyOMCy" name="Page-1">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</diagram></mxfile>

source/_static/images/pvlans.png

64.2 KB

source/adminguide/networking/isolation_in_advanced_zone_with_vlan.rst

+36-139
@@ -14,72 +14,16 @@
1414
under the License.
1515
1616
17-
Isolation in Advanced Zone Using Private VLAN
18-
---------------------------------------------
19-
20-
Isolation of guest traffic in shared networks can be achieved by using
21-
Private VLANs (PVLAN). PVLANs provide Layer 2 isolation between ports
22-
within the same VLAN. In a PVLAN-enabled shared network, a user VM
23-
cannot reach other user VM though they can reach the DHCP server and
24-
gateway, this would in turn allow users to control traffic within a
25-
network and help them deploy multiple applications without communication
26-
between application as well as prevent communication with other users'
27-
VMs.
28-
29-
- Isolate VMs in a shared networks by using Private VLANs.
30-
31-
- Supported on KVM, XenServer, and VMware hypervisors
32-
33-
- PVLAN-enabled shared network can be a part of multiple networks of a
34-
guest VM.
35-
36-
37-
About Private VLAN
38-
~~~~~~~~~~~~~~~~~~
39-
40-
In an Ethernet switch, a VLAN is a broadcast domain where hosts can
41-
establish direct communication with each another at Layer 2. Private
42-
VLAN is designed as an extension of VLAN standard to add further
43-
segmentation of the logical broadcast domain. A regular VLAN is a single
44-
broadcast domain, whereas a private VLAN partitions a larger VLAN
45-
broadcast domain into smaller sub-domains. A sub-domain is represented
46-
by a pair of VLANs: a Primary VLAN and a Secondary VLAN. The original
47-
VLAN that is being divided into smaller groups is called Primary, which
48-
implies that all VLAN pairs in a private VLAN share the same Primary
49-
VLAN. All the secondary VLANs exist only inside the Primary. Each
50-
Secondary VLAN has a specific VLAN ID associated to it, which
51-
differentiates one sub-domain from another.
52-
53-
Three types of ports exist in a private VLAN domain, which essentially
54-
determine the behaviour of the participating hosts. Each ports will have
55-
its own unique set of rules, which regulate a connected host's ability
56-
to communicate with other connected host within the same private VLAN
57-
domain. Configure each host that is part of a PVLAN pair can be by using
58-
one of these three port designation:
59-
60-
- **Promiscuous**: A promiscuous port can communicate with all the
61-
interfaces, including the community and isolated host ports that
62-
belong to the secondary VLANs. In Promiscuous mode, hosts are
63-
connected to promiscuous ports and are able to communicate directly
64-
with resources on both primary and secondary VLAN. Routers, DHCP
65-
servers, and other trusted devices are typically attached to
66-
promiscuous ports.
67-
68-
- **Isolated VLANs**: The ports within an isolated VLAN cannot
69-
communicate with each other at the layer-2 level. The hosts that are
70-
connected to Isolated ports can directly communicate only with the
71-
Promiscuous resources. If your customer device needs to have access
72-
only to a gateway router, attach it to an isolated port.
73-
74-
- **Community VLANs**: The ports within a community VLAN can
75-
communicate with each other and with the promiscuous ports, but they
76-
cannot communicate with the ports in other communities at the layer-2
77-
level. In a Community mode, direct communication is permitted only
78-
with the hosts in the same community and those that are connected to
79-
the Primary PVLAN in promiscuous mode. If your customer has two
80-
devices that need to be isolated from other customers' devices, but
81-
to be able to communicate among themselves, deploy them in community
82-
ports.
17+
Isolation in Advanced Zone Using Private VLANs
18+
-----------------------------------------------
19+
20+
About PVLANs (Secondary VLANs)
21+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
22+
23+
The clasic use-case for PVLANs is a shared backup network, where you wish all users'
24+
hosts to be able to communicate with a backup host, but not with each other.
25+
26+
|pvlans.png|
8327

8428
For further reading:
8529

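Review bot: the replacement "About PVLANs (Secondary VLANs)" section (new lines 17-26) drops every definition the old section carried, so a reader now meets "primary VLAN", "promiscuous" and "isolated" later in the page without any explanation of the terms; the diagram and the shared backup network example are a good addition, but keep a short paragraph from the removed text, in particular that a sub-domain is a pair of a Primary and a Secondary VLAN, that hosts on isolated ports can reach only the promiscuous resources, and that only trusted devices such as routers, DHCP servers and gateways belong on the promiscuous side. Also fix the typo "clasic use-case" to "classic use case" on new line 23.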
@@ -92,6 +36,19 @@ For further reading:
9236
- `Private VLAN (PVLAN) on vNetwork Distributed Switch - Concept
9337
Overview (1010691) <http://kb.vmware.com>`_
9438

39+
Supported Secondary VLAN types
40+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
41+
42+
Of the three types of Private VLAN (promiscuous, community and isolated),
43+
CloudStack supports **one promiscuous** PVLAN and **one isolated** PVLAN **per
44+
primary VLAN**. Ergo, community PVLANs are not currently supported.
45+
PVLANs are only currently supported on shared networks.
46+
The PVLAN concept is supported on KVM (when using OVS), XenServer (when using OVS), and VMware hypervisors
47+
48+
.. note::
49+
OVS on XenServer and KVM does not support PVLAN natively. Therefore,
50+
CloudStack managed to simulate PVLAN on OVS for XenServer and KVM by
51+
modifying the flow table.
9552

9653
Prerequisites
9754
~~~~~~~~~~~~~
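Review bot: the sentence on new line 46, "The PVLAN concept is supported on KVM (when using OVS), XenServer (when using OVS), and VMware hypervisors", has no terminating full stop, and "Ergo, community PVLANs are not currently supported." on new line 44 reads better as "Community PVLANs are therefore not currently supported." Moving the OVS note here from Prerequisites is sensible, but reword "CloudStack managed to simulate PVLAN on OVS" to "CloudStack simulates PVLAN on OVS ... by modifying the flow table", so it is clear that isolation on those hypervisors depends on the flow-table emulation rather than on native PVLAN support in the switch.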
@@ -119,84 +76,24 @@ Prerequisites
11976

12077
- Before you use PVLAN on XenServer and KVM, enable Open vSwitch (OVS).
12178

122-
.. note::
123-
OVS on XenServer and KVM does not support PVLAN natively. Therefore,
124-
CloudStack managed to simulate PVLAN on OVS for XenServer and KVM by
125-
modifying the flow table.
126-
127-
128-
Creating a PVLAN-Enabled Guest Network
129-
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
130-
131-
#. Log in to the CloudStack UI as administrator.
132-
133-
#. In the left navigation, choose Infrastructure.
134-
135-
#. On Zones, click View More.
136-
137-
#. Click the zone to which you want to add a guest network.
138-
139-
#. Click the Physical Network tab.
140-
141-
#. Click the physical network you want to work with.
142-
143-
#. On the Guest node of the diagram, click Configure.
144-
145-
#. Click the Network tab.
146-
147-
#. Click Add guest network.
148-
149-
The Add guest network window is displayed.
150-
151-
#. Specify the following:
152-
153-
- **Name**: The name of the network. This will be visible to the
154-
user.
155-
156-
- **Description**: The short description of the network that can be
157-
displayed to users.
158-
159-
- **VLAN ID**: The unique ID of the VLAN.
160-
161-
- **Secondary Isolated VLAN ID**: The unique ID of the Secondary
162-
Isolated VLAN.
163-
164-
For the description on Secondary Isolated VLAN, see
165-
`About Private VLAN" <#about-private-vlan>`_.
166-
167-
- **Scope**: The available scopes are Domain, Account, Project, and
168-
All.
169-
170-
- **Domain**: Selecting Domain limits the scope of this guest
171-
network to the domain you specify. The network will not be
172-
available for other domains. If you select Subdomain Access,
173-
the guest network is available to all the sub domains within
174-
the selected domain.
175-
176-
- **Account**: The account for which the guest network is being
177-
created for. You must specify the domain the account belongs
178-
to.
17979

180-
- **Project**: The project for which the guest network is being
181-
created for. You must specify the domain the project belongs
182-
to.
80+
Creating a PVLAN-Enabled Shared Network
81+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
18382

184-
- **All**: The guest network is available for all the domains,
185-
account, projects within the selected zone.
83+
For a general description of how to create a shared netowrk see `"configuring a shared guest network" <#configuring-a-shared-guest-network>`_.
18684

187-
- **Network Offering**: If the administrator has configured multiple
188-
network offerings, select the one you want to use for this
189-
network.
85+
On top of the parameters required to create a *normal* shared network, the following
86+
parameters must be set:
19087

191-
- **Gateway**: The gateway that the guests should use.
88+
- **VLAN ID**: The unique ID of the primary VLAN that you want to use.
19289

193-
- **Netmask**: The netmask in use on the subnet the guests will use.
90+
- **Secondary Isolated VLAN ID**:
19491

195-
- **IP Range**: A range of IP addresses that are accessible from the
196-
Internet and are assigned to the guest VMs.
92+
- For a **promiscuous** PVLAN, set this to the same VLAN ID as the primary VLAN
93+
that the promiscuous PVLAN will be inside.
94+
- For an **isolated** PVLAN, set this to the PVLAN ID which you wish to use
95+
inside the primary VLAN.
19796

198-
- **Network Domain**: A custom DNS suffix at the level of a network.
199-
If you want to assign a special domain name to the guest VM
200-
network, specify a DNS suffix.
20197

202-
#. Click OK to confirm.
98+
.. |pvlans.png| image:: /_static/images/pvlans.png
99+
:alt: Diagram of PVLAN communications
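Review bot: the "Secondary Isolated VLAN ID" item (new lines 90-95) only renders correctly if the two sub-bullets for the promiscuous and isolated cases are indented under the parent bullet; the rendering here does not show indentation, so please verify that they are nested rather than siblings, since an unindented "- " after a bullet in RST starts a new item at the same level. Two smaller points: "netowrk" on new line 83 should be "network", and the link target `#configuring-a-shared-guest-network` only resolves if a section with exactly that title exists in the rendered document, so check that the build produces it. Finally, because the promiscuous case is configured by setting the secondary ID equal to the primary VLAN ID, a one-line reminder that VMs on that network can reach every isolated VM in the primary VLAN, and so should be limited to trusted hosts such as the backup server, would help administrators avoid placing ordinary tenant VMs there.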