L2 Guest Networks: exclusive VLAN range

[luganofer]

ISSUE TYPE

• Improvement Request

  COMPONENT NAME

  Cloudstack 4.14 onwards

  CONFIGURATION

  Enviroment with adcanced networking

  OS / ENVIRONMENT

  N/A

  SUMMARY

  Currently, in an advanced network environment, L2 networks can only be specified a VLAN id by a root admin user (which makes a lot of sense). L2 type networks can be created by users only if they do not specify a VLAN. All good up to this point. However the L2 network that a user creates takes a VLAN id from the "VLAN/VNI Range (s)" assigned to guest traffic. It would be desirable that the L2 networks have a dedicated VLAN range (different than the guest VLAN range) and thus the L2 networks created by the users consume a VLAN id from this range. In this way, the VLANs assigned to this service could be planned and delimited, and this VLAN range could be pre-configured to physical equipment too, among other advantages.

  STEPS TO REPRODUCE

  1) A root admin user creates a VLAN range dedicated to L2 networks.
  2) A user (with sufficient privileges to create a network) creates an L2 network and it consumes a VLAN id from this range.

  EXPECTED RESULTS

  The L2 network created by the user consumes a VLAN id from the pre-established and planned range.

  ACTUAL RESULTS

  The L2 network created by the user takes a VLAN id from the range for guest traffic.

[rohityadavcloud]

@luganofer CloudStack already supports feature to dedicate VLAN range to an account by root admin, have you tried that? (goto zone, phy net...)

[luganofer]

Hello @rhtyd,

Thank you for your response and for always being well-disposed to help the ACS community. It is true, there is a similar function to dedicate a range of VLANs to accounts or domains. The function I propose here is very similar to this function, but instead of reserving a range of VLANs to a specific account/domain, a range of VLANs is used or reserved for this "network type" (L2 network) regardless of the account/domain using this network type. This way this range can be planned to be "presented" in advance to physical equipment, for example, among other use cases.

[weizhouapache]

@luganofer Do you want to support reserved vlan range for L2 network, in a global setting, zone setting, or physical network (this requires a new column in physical_network_traffic_types, but makes more sense) ?

cc @nvazquez @rohityadavcloud

[weizhouapache]

starting on this feature (1) add new column vlan_for_l2 to physical_network table. (2) add/update physical networks with vlan for L2 networks. it contains a vlan id check, and overlap check with vnet and shared networks. (3) service layer changes: pick up vlan id when create a L2 network, and vlan id is released when remove a L2 network.

@nvazquez any opinions ?

[nvazquez]

@weizhouapache I mostly agree on 2 and 3, but instead of 1 I propose:

• Add a new boolean parameter to the dedicateGuestVlanRange API (something like this):

  

• Add a column on the op_dc_vnet_alloc to indicate each VLAN on the range is dedicated to an L2 network

[nvazquez]

As discussed offline with @weizhouapache it will still need proper definition, moving it to the next milestone

[shwstppr]

We do not have any work in progress for this at the moment so moving it out of 4.19.0.0 milestone