On Mar 12, 2013, at 11:56 PM, Manan Shah <manan.s...@citrix.com> wrote:
> Yes, Chiradeep, you are correct. The PVLAN would only be able to provide
> isolation at L2. The primary use case from the providers' perspective is to
> run multiple shared networks (services network for monitoring, patching,
> etc). And on each of these services networks, the VMs should only be
> allowed to talk to the admin servers. This can be achieved using PVLANs to
> prevent multiple Tenant VMs from talking to each other. This is a really
> important use case, primarily for the providers themselves.
>
> I will update the PRD to reflect this.
>
> Regards,
> Manan Shah
>
> On 3/11/13 10:49 PM, "Chiradeep Vittal" <chiradeep.vit...@citrix.com>
> wrote:
>
>> As far as I can tell most of the requirements can NOT be satisfied by
>> PVLAN.
>> The only thing PVLAN can do is:
>> 1. Restrict a VM's traffic to the upstream router
>> 2. Restrict a VM's traffic to a set of VMs on the same physical VLAN.
>>
>> PVLAN does not offer any L4 access control, nor can it work across L3
>> domains.
>> Of the 4 use cases, the first one can be supported in a limited fashion
>> (no security groups, but restricting VMs from communicating using L2
>> isolation).
>>
>> On 2/28/13 1:35 PM, "Manan Shah" <manan.s...@citrix.com> wrote:
>>
>>> Hi,
>>>
>>> I would like to propose a new feature for adding SG Isolation support for
>>> VMware Hypervisor using PVLANs. I have created a JIRA ticket and provided
>>> the requirements at the following location. Please provide feedback on
>>> the requirements.
>>>
>>> JIRA Ticket:
>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/SG+Isolation+in+Advanced+Zone+for+VMWare+Hypervisor+using+PVLANs
>>> Requirements:
>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/SG+Isolation+in+Advanced+Zone+for+VMWare+Hypervisor+using+PVLANs
>>>
>>> Regards,
>>> Manan Shah