In versions prior to 4.14, Private VLANs were only partially supported in CloudStack (for shared networks only). Administrators could set up Isolated or Promiscuous PVLANs by creating shared networks in which:

  • Primary VLAN ID = secondary VLAN ID, for Promiscuous PVLANs
  • Primary VLAN ID != secondary VLAN ID, for Isolated PVLANs

CloudStack 4.14 introduces some changes in the PVLAN support, by:

  • Extending the existing support for shared networks to L2 networks as well (initially supported for the VMware hypervisor when using dvSwitches)
  • Extending the PVLAN types to Isolated, Promiscuous and Community
  • Allowing administrators to explicitly select the PVLAN type on network creation, as shown in the image below:

The following table summarizes the communication allowed between these different PVLAN types (row = source, column = destination):

                Promiscuous   Isolated   Community 1   Community 2
  Promiscuous   ALLOW         ALLOW      ALLOW         ALLOW
  Isolated      ALLOW         DENY       DENY          DENY
  Community 1   ALLOW         DENY       ALLOW         DENY
  Community 2   ALLOW         DENY       DENY          ALLOW

Within an L2 network or shared network, it is possible to create:

  • 1 Promiscuous PVLAN
  • 1 Isolated PVLAN
  • Multiple Community PVLANs

Administrators must provide the PVLAN type and secondary VLAN ID as part of the ‘createNetwork’ API or through the UI. If an admin requests a PVLAN which is not valid, a suitable error message is returned, for example when:

  • A promiscuous PVLAN ID is not the same as the Primary VLAN ID
  • A community or isolated PVLAN ID clashes with a PVLAN ID already in use on the same dvSwitch (i.e. the same physical network)
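The following is an added example, not CloudStack code: a small Python model of the rules described on this page, combining the reachability matrix above with the createNetwork validation just listed (promiscuous ID must equal the primary VLAN ID, no secondary ID reused on the same dvSwitch, at most one promiscuous and one isolated PVLAN per primary VLAN). The class and function names are assumptions for the example; the check that an isolated or community ID must differ from the primary VLAN ID is derived from the definitions at the top of the page.

```python
from dataclasses import dataclass

# Constructed model of the 4.14 PVLAN rules on this page; not CloudStack's own code.
PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"


@dataclass(frozen=True)
class Pvlan:
    primary: int    # primary VLAN ID of the L2 / shared network
    secondary: int  # secondary (PVLAN) VLAN ID supplied on createNetwork
    kind: str       # one of PROMISCUOUS, ISOLATED, COMMUNITY


def can_communicate(a: Pvlan, b: Pvlan) -> bool:
    """Reachability matrix: promiscuous talks to everything, isolated only to
    promiscuous, community only to promiscuous and its own community."""
    if a.primary != b.primary:
        return False  # different primary VLANs are separate PVLAN domains
    if PROMISCUOUS in (a.kind, b.kind):
        return True
    if ISOLATED in (a.kind, b.kind):
        return False
    return a.secondary == b.secondary  # both community: same community only


class DvSwitch:
    """PVLANs in use on one dvSwitch (one physical network); rejects requests
    the way the text says createNetwork should."""

    def __init__(self):
        self.pvlans = []  # list of Pvlan

    def create(self, primary: int, secondary: int, kind: str) -> Pvlan:
        if kind not in (PROMISCUOUS, ISOLATED, COMMUNITY):
            raise ValueError(f"unknown PVLAN type {kind!r}")
        if kind == PROMISCUOUS and secondary != primary:
            raise ValueError("promiscuous PVLAN ID must equal the primary VLAN ID")
        if kind != PROMISCUOUS and secondary == primary:
            raise ValueError(f"{kind} PVLAN ID must differ from the primary VLAN ID")
        if any(p.secondary == secondary for p in self.pvlans):
            raise ValueError(f"PVLAN ID {secondary} already in use on this dvSwitch")
        # Only one promiscuous and one isolated PVLAN per primary VLAN.
        if kind != COMMUNITY and any(p.primary == primary and p.kind == kind for p in self.pvlans):
            raise ValueError(f"primary VLAN {primary} already has a {kind} PVLAN")
        pvlan = Pvlan(primary, secondary, kind)
        self.pvlans.append(pvlan)
        return pvlan


def is_rejected(sw: DvSwitch, primary: int, secondary: int, kind: str) -> bool:
    """True if the switch refuses the request (helper for checking the rules)."""
    try:
        sw.create(primary, secondary, kind)
    except ValueError:
        return True
    return False
```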