Yes, Chiradeep, you are correct. The PVLAN would only be able to provide
isolation at L2. The primary use case from the provider's perspective is to
run multiple shared networks (services network for monitoring, patching,
etc.). And on each of these services networks, the VMs should only be
allowed to talk to the admin servers. This can be achieved using PVLANs to
prevent multiple tenant VMs from talking to each other.

I will update the PRD to reflect this.

Regards,
Manan Shah




On 3/11/13 10:49 PM, "Chiradeep Vittal" <chiradeep.vit...@citrix.com>
wrote:

>As far as I can tell most of the requirements can NOT be satisfied by
>PVLAN.
>The only thing PVLAN can do is:
>1. Restrict a VM's traffic to the upstream router
>2. Restrict a VM's traffic to a set of VMs on the same physical VLAN.
>
>PVLAN does not offer any L4 access control, nor can it work across L3
>domains.
>Of the 4 use cases, the first one can be supported in a limited fashion
>(no security groups, but restricting VMs from communicating using L2
>isolation).
>
>On 2/28/13 1:35 PM, "Manan Shah" <manan.s...@citrix.com> wrote:
>
>>Hi,
>>
>>I would like to propose a new feature for adding SG Isolation support for
>>VMware Hypervisor using PVLANs. I have created a JIRA ticket and provided
>>the requirements at the following location. Please provide feedback on
>>the requirements.
>>
>>JIRA Ticket:
>>https://cwiki.apache.org/confluence/display/CLOUDSTACK/SG+Isolation+in+Advanced+Zone+for+VMWare+Hypervisor+using+PVLANs
>>Requirements:
>>https://cwiki.apache.org/confluence/display/CLOUDSTACK/SG+Isolation+in+Advanced+Zone+for+VMWare+Hypervisor+using+PVLANs
>>
>>Regards,
>>Manan Shah