Hi Jon, On Sep 27, 2012, at 17:53, Jon Hudson <[email protected]> wrote:
<snipped>

>> Kind of what I guessed. When you say "I don't want VM_A_01 to touch
>> VM_A_08", wouldn't you do that by putting them in different vlans, rather
>> than both in vlan A?
>
> Yes ideally!

Cool.

> However since today you can't move a live VM from one VLAN to another, more
> and more interpret "flat network" to mean one VLAN.

Got it.

> And will then use per-interface ACLs or other more silly things like playing
> with netmasks to create larger spheres of mobility.

<shudder>

> If you want every VM to have the option of moving to every possible
> hypervisor then you are either doing one VLAN, VLAN tagging, or putting
> hypervisors on multiple networks.
>
> To be very honest, it's all this madness that I am describing that makes NVO3
> coming out right so very important.

With you.

<snipped>

> For example having quarantined VMs that you may want to have in the VN,
> pulling live data, but not responding to requests or being added to resource
> queues or even viewable until they are blessed and promoted to production.

*Very* interesting example! Gotta mull over this.

> But perhaps I am thinking of intra-VN policies incorrectly?

I think rather, you're struggling with two orthogonal notions: a VN as a
mobility domain and a VN as a CUG (or ACL domain: talk freely inside, talk
via firewall outside). That's something we absolutely need to fix in NVO3,
to your point above.

Kireeti

_______________________________________________
nvo3 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nvo3
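A toy policy model of the distinction Kireeti draws above (a VN as a mobility domain versus a VN as a CUG or ACL domain), with Jon's quarantined-VM case folded in. This is an added example, not code from the nvo3 list or from any NVO3 implementation: the VM, hypervisor and group names are constructed, and the rules that cross-CUG or cross-VN traffic goes through a firewall and that a quarantined VM may initiate but never answer are assumptions made for the illustration.

```python
"""Mobility domain vs. ACL domain, modelled separately.

Added illustration for the nvo3 thread above; not code from any NVO3
implementation. Names and policy rules are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"                # talk freely: same CUG inside the VN
    VIA_FIREWALL = "via_firewall"  # different CUG or different VN: firewall in path
    DENY = "deny"                  # no path at all


@dataclass(frozen=True)
class VM:
    name: str
    vn: str                    # mobility domain: the overlay VN the VM lives in
    cug: str                   # ACL domain (CUG) inside that VN
    quarantined: bool = False  # Jon's case: in the VN, pulls data, answers nobody


@dataclass
class Fabric:
    # Which hypervisors participate in which VN. Mobility is decided here and
    # only here; the CUG plays no part in it.
    vn_hypervisors: dict[str, frozenset[str]]

    def can_migrate(self, vm: VM, hypervisor: str) -> bool:
        return hypervisor in self.vn_hypervisors.get(vm.vn, frozenset())

    def connect(self, src: VM, dst: VM) -> Verdict:
        """Verdict for a connection *initiated* by src towards dst.

        Note the VN is consulted only to decide whether the flow leaves the
        overlay; who may talk to whom is the CUG's business (assumed rule).
        """
        if dst.quarantined:
            return Verdict.DENY          # quarantined VMs respond to no one
        # a quarantined src may still pull data: it falls through to the CUG rule
        if src.vn != dst.vn:
            return Verdict.VIA_FIREWALL  # leaves the VN through a gateway/firewall
        if src.cug == dst.cug:
            return Verdict.ALLOW
        return Verdict.VIA_FIREWALL      # same VN, different CUG: hairpin via firewall


def vlan_vm(name: str, vlan: str, quarantined: bool = False) -> VM:
    """The VLAN-only world from Jon's message: membership IS policy, so the
    mobility domain and the ACL domain are forced to coincide. Separating
    VM_A_01 from VM_A_08 then needs a second VLAN, which also ends live
    migration between them."""
    return VM(name, vn=vlan, cug=vlan, quarantined=quarantined)


def demo() -> dict[str, object]:
    """Constructed scenario; returns the verdicts so they can be checked."""
    fabric = Fabric({"VN_A": frozenset({"hv1", "hv2", "hv3"})})
    a01 = VM("VM_A_01", vn="VN_A", cug="web")
    a08 = VM("VM_A_08", vn="VN_A", cug="db")
    a09 = VM("VM_A_09", vn="VN_A", cug="db", quarantined=True)

    # VLAN world: A_01 and A_08 split into two VLANs so they cannot talk freely
    vlans = Fabric({"vlan10": frozenset({"hv1", "hv2"}),
                    "vlan20": frozenset({"hv3"})})
    v01 = vlan_vm("VM_A_01", "vlan10")
    v08 = vlan_vm("VM_A_08", "vlan20")

    return {
        # one mobility domain: both may land on hv3 ...
        "a01_to_hv3": fabric.can_migrate(a01, "hv3"),
        "a08_to_hv3": fabric.can_migrate(a08, "hv3"),
        # ... yet different CUGs, so they only meet through the firewall
        "a01_to_a08": fabric.connect(a01, a08),
        # quarantined a09 pulls from its own CUG freely, but nobody reaches a09
        "a09_pulls_a08": fabric.connect(a09, a08),
        "a08_to_a09": fabric.connect(a08, a09),
        # VLAN world: separating them also costs mobility
        "vlan_a01_to_a08": vlans.connect(v01, v08),
        "vlan_a01_to_hv3": vlans.can_migrate(v01, "hv3"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is that `can_migrate` never looks at the CUG and `connect` never looks at which hypervisors a VN spans; in the `vlan_vm` construction both questions collapse onto one membership, which is exactly why splitting the VLAN to separate VM_A_01 from VM_A_08 also removes VM_A_01's ability to move to hv3.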
