Difference between revisions of "Isolated-network"
m (Édouard Thuleau moved page Port-isolated to Isolated-network) |
Revision as of 18:13, 25 March 2013
Overview
When a network is created, a broadcast domain is made available to plug ports into. It would be interesting to offer an option at network creation that enables isolation between ports of the same broadcast domain (network), similar to the common use of private VLANs with isolated ports (RFC 5517). This prevents communication between VMs on the same logical switch.
This functionality could address, for example, the case where a shared network is created between tenants. It should also work with a provider network.
Possible implementation
Local proxy ARP
- ARP broadcasts are rewritten to unicast, with the MAC address of a local proxy ARP (the gateway) as destination
- Multicast BOOTP traffic is rewritten to unicast, with the MAC address of the DHCP agent as destination
- Drop all other broadcast and multicast traffic
- Drop all other traffic that does not have the MAC address of the local proxy ARP as destination (broadcast, multicast, illegitimate unicast)
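The four rules above can be read as a per-port frame policy: two rewrites, then a drop of everything that is not unicast to the local proxy ARP. The following simulation is an added example and is not code from the wiki page or from Quantum; it applies the rules to raw Ethernet frames in the order listed, using constructed MAC addresses (PROXY_ARP_MAC, DHCP_AGENT_MAC, VM_A, VM_B) and constructed sample frames covering each rule.

```python
"""Simulation of the isolated-port policy described above (added example)."""
import struct
from dataclasses import dataclass

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
ETH_P_IPV6 = 0x86DD
BROADCAST = b"\xff" * 6

# Constructed addresses for this example; a real implementation would take them
# from the gateway port and the DHCP agent port of the network.
PROXY_ARP_MAC = bytes.fromhex("fa163e000001")
DHCP_AGENT_MAC = bytes.fromhex("fa163e000002")
VM_A = bytes.fromhex("fa163e0000aa")
VM_B = bytes.fromhex("fa163e0000bb")


@dataclass
class Verdict:
    action: str   # "forward", "rewrite" or "drop"
    reason: str
    frame: bytes  # the frame as it leaves the port (dst MAC replaced on "rewrite")


def is_group_address(mac: bytes) -> bool:
    """Broadcast and multicast MACs have the I/G bit set in the first octet."""
    return bool(mac[0] & 0x01)


def is_bootp_request(frame: bytes) -> bool:
    """True for an IPv4/UDP frame whose destination port is 67 (BOOTP/DHCP server)."""
    if len(frame) < 14 + 20 + 8 or frame[14] >> 4 != 4:
        return False
    ihl = (frame[14] & 0x0F) * 4
    udp = 14 + ihl
    if frame[14 + 9] != 17 or len(frame) < udp + 8:  # IP protocol field must be UDP
        return False
    return struct.unpack("!H", frame[udp + 2:udp + 4])[0] == 67


def apply_isolation(frame: bytes) -> Verdict:
    """Apply the four rules, in order, to one frame entering from an isolated port."""
    if len(frame) < 14:
        return Verdict("drop", "runt frame", frame)
    dst = frame[:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_P_ARP and dst == BROADCAST:
        return Verdict("rewrite", "ARP broadcast -> local proxy ARP", PROXY_ARP_MAC + frame[6:])
    if ethertype == ETH_P_IP and is_group_address(dst) and is_bootp_request(frame):
        return Verdict("rewrite", "BOOTP -> DHCP agent", DHCP_AGENT_MAC + frame[6:])
    if is_group_address(dst):
        return Verdict("drop", "other broadcast/multicast", frame)
    if dst != PROXY_ARP_MAC:
        return Verdict("drop", "unicast not addressed to the local proxy ARP", frame)
    return Verdict("forward", "unicast to the local proxy ARP", frame)


def ethernet(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


def ipv4_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Minimal IPv4+UDP encapsulation (checksums left zero; enough for classification)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return ip + udp


def build_samples() -> dict:
    """Constructed frames, one per rule of the design."""
    arp_req = struct.pack("!HHBBH6s4s6s4s", 1, ETH_P_IP, 6, 4, 1,
                          VM_A, bytes([10, 0, 0, 10]), b"\x00" * 6, bytes([10, 0, 0, 1]))
    return {
        "arp_broadcast": ethernet(BROADCAST, VM_A, ETH_P_ARP, arp_req),
        "dhcp_discover": ethernet(BROADCAST, VM_A, ETH_P_IP,
                                  ipv4_udp("0.0.0.0", "255.255.255.255", 68, 67, b"\x01")),
        "ipv6_multicast": ethernet(bytes.fromhex("333300000001"), VM_A, ETH_P_IPV6, b"\x00" * 40),
        "vm_to_vm": ethernet(VM_B, VM_A, ETH_P_IP, ipv4_udp("10.0.0.10", "10.0.0.11", 40000, 53)),
        "vm_to_gateway": ethernet(PROXY_ARP_MAC, VM_A, ETH_P_IP,
                                  ipv4_udp("10.0.0.10", "10.0.0.1", 40000, 53)),
    }


def classify_samples() -> dict:
    """Map each sample name to the action the policy takes on it."""
    return {name: apply_isolation(frame).action for name, frame in build_samples().items()}


if __name__ == "__main__":
    for name, frame in build_samples().items():
        v = apply_isolation(frame)
        print(f"{name:15s} {v.action:8s} {v.reason} (dst now {v.frame[:6].hex(':')})")
```

Running it shows the direct VM-to-VM frame and the IPv6 multicast dropped, while ARP and DHCP discovery are steered to the gateway and DHCP agent. One consequence of the last rule worth checking in a real design: a unicast DHCP renewal sent straight to the DHCP agent's MAC is also dropped unless that address is allowed alongside the local proxy ARP.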
When a network is created, a boolean flag can specify whether it is isolated. When a gateway is added to the network, the gateway port enables a local proxy ARP. Note: if the gateway and local proxy ARP port are not managed by Quantum (on a provider network, for example), the MAC address of the gateway/local proxy ARP could be defined through the API (on subnet creation, for example).
Note: it is not certain that the local proxy ARP must be handled by the gateway. If not, the local proxy ARP could be implemented by a new agent.