Difference between revisions of "Isolated-network"
Revision as of 17:52, 25 March 2013
Overview
When a network is created, a broadcast domain is made available for ports to be plugged into. It would be useful to offer an option at network creation that enables isolation between the ports of the same broadcast domain (network), similar to the common use of private VLANs with isolated ports (RFC 5517). This prevents direct communication between VMs on the same logical switch: each VM can only reach the gateway (and the DHCP service), never another VM's port.
This functionality could address, for example, the case where a network is shared between tenants. It should also work with a provider network.
Possible implementation
- Whitelist of known MAC addresses per port, so that a VM can only send frames with its own address and cannot spoof the gateway or another VM.
- Local proxy ARP: the gateway answers ARP requests on behalf of every host in the network, so a VM never learns another VM's real MAC address.
- ARP broadcasts are rewritten to the unicast MAC address of the local proxy ARP (gateway).
- Broadcast/multicast BOOTP (DHCP) traffic is rewritten to the unicast MAC address of the DHCP agent.
- All other broadcast and multicast traffic is dropped.
- All other traffic that does not have the MAC address of the local proxy ARP as destination (broadcast, multicast, illegitimate unicast to another VM) is dropped.
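The rules above form one per-port filtering policy. The following is an added reference model of that policy, written for this page and not taken from the Neutron code base: `IsolatedPort.classify` decides for each frame leaving a VM port whether it is forwarded, forwarded with a rewritten destination MAC, or dropped, and `ovs_flows` renders the same rules as illustrative `ovs-ofctl` flow specifications for an Open vSwitch integration bridge. One addition beyond the list above, marked in the code: unicast frames to the DHCP agent are also admitted, because DHCP renewals are sent unicast to the server and would otherwise be dropped by the last rule. The MAC addresses, port number and priorities in the sample are constructed.

```python
"""Reference model of the per-port isolation policy described on this page.

Hypothetical example (not Neutron/OVS code): classify a frame emitted by a VM
port and render the equivalent ovs-ofctl flow specs. MAC addresses are expected
in lowercase colon notation, as ovs-ofctl prints them.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
GROUP_MASK = "01:00:00:00:00:00/01:00:00:00:00:00"   # I/G bit: multicast or broadcast
ETH_ARP = 0x0806
ETH_IPV4 = 0x0800
UDP = 17
BOOTPS = 67            # DHCP/BOOTP server port, destination of client requests


def is_group_address(mac: str) -> bool:
    """True for multicast and broadcast MACs (I/G bit, lsb of the first octet)."""
    return int(mac.split(":")[0], 16) & 1 == 1


class Action(Enum):
    FORWARD = "forward"
    REWRITE_DST = "rewrite_dst"   # forward after replacing the destination MAC
    DROP = "drop"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    ethertype: int
    ip_proto: Optional[int] = None    # IPv4 protocol number (17 = UDP)
    udp_dport: Optional[int] = None   # UDP destination port, if UDP


@dataclass(frozen=True)
class IsolatedPort:
    allowed_src: frozenset   # whitelist of known MAC addresses on this port
    proxy_arp_mac: str       # gateway performing local proxy ARP
    dhcp_agent_mac: str      # DHCP agent serving this network

    def classify(self, f: Frame) -> tuple:
        src, dst = f.src.lower(), f.dst.lower()
        # Whitelist: a frame from an unknown source MAC is spoofed, drop it.
        if src not in self.allowed_src:
            return Action.DROP, None
        # ARP broadcast becomes unicast to the proxy-ARP gateway.
        if f.ethertype == ETH_ARP and dst == BROADCAST:
            return Action.REWRITE_DST, self.proxy_arp_mac
        # Broadcast/multicast BOOTP (DHCP discover/request) goes only to the DHCP agent.
        if (f.ethertype == ETH_IPV4 and f.ip_proto == UDP
                and f.udp_dport == BOOTPS and is_group_address(dst)):
            return Action.REWRITE_DST, self.dhcp_agent_mac
        # Every other broadcast or multicast frame is dropped.
        if is_group_address(dst):
            return Action.DROP, None
        # Unicast is allowed to the gateway only. Admitting the DHCP agent as well is
        # an addition made in this example so that unicast DHCP renewals still work.
        if dst in (self.proxy_arp_mac, self.dhcp_agent_mac):
            return Action.FORWARD, None
        return Action.DROP, None   # illegitimate unicast, e.g. directly to another VM

    def ovs_flows(self, in_port: int, bridge: str = "br-int") -> list:
        """Render the same policy as ovs-ofctl add-flow commands (illustrative)."""
        cmds = []
        for mac in sorted(self.allowed_src):
            base = f"in_port={in_port},dl_src={mac}"
            for spec in (
                f"priority=40,{base},dl_type=0x{ETH_ARP:04x},dl_dst={BROADCAST},"
                f"actions=mod_dl_dst:{self.proxy_arp_mac},normal",
                f"priority=40,{base},udp,dl_dst={GROUP_MASK},tp_dst={BOOTPS},"
                f"actions=mod_dl_dst:{self.dhcp_agent_mac},normal",
                f"priority=30,{base},dl_dst={GROUP_MASK},actions=drop",
                f"priority=20,{base},dl_dst={self.proxy_arp_mac},actions=normal",
                f"priority=20,{base},dl_dst={self.dhcp_agent_mac},actions=normal",
            ):
                cmds.append(f"ovs-ofctl add-flow {bridge} {spec}")
        # Catch-all for the port: unknown sources and leftover unicast are dropped.
        cmds.append(f"ovs-ofctl add-flow {bridge} priority=10,in_port={in_port},actions=drop")
        return cmds


if __name__ == "__main__":
    # Constructed sample: one VM port, a gateway and a DHCP agent on the network.
    port = IsolatedPort(frozenset({"fa:16:3e:00:00:01"}),
                        proxy_arp_mac="fa:16:3e:00:00:fe",
                        dhcp_agent_mac="fa:16:3e:00:00:fd")
    vm = "fa:16:3e:00:00:01"
    for frame in (Frame(vm, BROADCAST, ETH_ARP),
                  Frame(vm, BROADCAST, ETH_IPV4, UDP, BOOTPS),
                  Frame(vm, "fa:16:3e:00:00:02", ETH_IPV4, 6),
                  Frame("fa:16:3e:00:00:99", "fa:16:3e:00:00:fe", ETH_IPV4, 6)):
        print(frame.dst, port.classify(frame))
    print("\n".join(port.ovs_flows(in_port=5)))
```

The flow priorities matter: the rewrite rules must sit above the group-address drop, and the drop above the unicast allow rules, otherwise a broadcast ARP request would be discarded before it is redirected to the gateway. Unicast VM-to-VM frames never match an allow rule and fall through to the port's catch-all drop, which is what gives the RFC 5517 isolated-port behaviour.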