[openstack-dev] [baremetal][quantum][nova] bare metal host allocation, mac addresses, vlans, security

Jeremy Stanley fungi at yuggoth.org
Thu Nov 15 17:13:44 UTC 2012


On 2012-11-15 22:45:57 +1300 (+1300), Robert Collins wrote:
[...]
> running trunk mode VLAN access is thoroughly unsafe for an
> untrusted tenant
[...]

Not entirely true. Pretty much all managed Ethernet switch
manufacturers provide a mechanism to filter frames by VLAN tag using
per-switchport lists (or profiles applied across multiple
switchports).

On a previous project, I had orchestration which managed the allowed
VLANs list on any 802.1q trunk wired to each untrusted tenant
device. Only VLANs allowed for exclusive use by a particular tenant
were allowed on their assigned switchports, and these VLANs were
then interconnected via traditional routing packet filters (usually
virtual firewall contexts on other hardware) for communication
between different tenants and/or external networks.

Now, whether Quantum is currently in a position to orchestrate
arbitrary device configuration to achieve this (as the configuration
management and syntax varies widely between
manufacturers/models/releases) is a different question.
-- 
{ WHOIS( STANL3-ARIN ); WWW( http://fungi.yuggoth.org/ );
FINGER( fungi at yuggoth.org ); IRC( fungi at irc.yuggoth.org#ccl );
PGP( 43495829 ); MUD( kinrui at katarsis.mudpy.org:6669 ); }
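The approach Jeremy describes above (orchestration that keeps the allowed-VLAN list on each untrusted tenant's 802.1q trunk port restricted to VLANs that tenant owns exclusively) can be expressed as a small policy-derivation and audit routine. The following is an added example, not code from the mailing list thread or from Quantum/Nova; the tenant names, port names and VLAN numbers are constructed, and the `switchport trunk allowed vlan` output line is an assumed generic CLI form, since, as the message notes, real syntax varies by manufacturer and release.

```python
# Added example (not code from the original thread): derive per-switchport
# 802.1q allowed-VLAN lists from exclusive tenant VLAN ownership and audit a
# switch's current configuration against them.  All names and sample data
# below are constructed for illustration.


class VlanPolicyError(ValueError):
    """Raised when tenant VLAN ownership is not exclusive or ids are invalid."""


def check_exclusive_ownership(tenant_vlans):
    """Verify that no VLAN id is claimed by more than one tenant.

    tenant_vlans: {tenant_name: set_of_vlan_ids}
    Returns {vlan_id: tenant_name} on success.
    """
    owner = {}
    for tenant, vlans in tenant_vlans.items():
        for vid in vlans:
            if not 1 <= vid <= 4094:
                raise VlanPolicyError(f"invalid VLAN id {vid} for tenant {tenant}")
            if vid in owner and owner[vid] != tenant:
                raise VlanPolicyError(
                    f"VLAN {vid} claimed by both {owner[vid]} and {tenant}")
            owner[vid] = tenant
    return owner


def derive_allowed_vlans(tenant_vlans, port_tenant):
    """Compute the allowed-VLAN set for every tenant-facing trunk port.

    port_tenant: {switchport_name: tenant_name}.  A port whose tenant owns no
    VLANs gets an empty set, i.e. no tagged frames are admitted at all.
    """
    check_exclusive_ownership(tenant_vlans)
    return {port: set(tenant_vlans.get(tenant, set()))
            for port, tenant in port_tenant.items()}


def audit_trunk_config(configured, expected):
    """Compare a switch's configured allowed-lists with the derived policy.

    configured / expected: {switchport_name: set_of_vlan_ids}
    Returns a sorted list of (port, kind, vlans) findings.  'extra' findings
    are the isolation-relevant ones: the port admits VLANs its tenant does
    not own.  'missing' findings affect only that tenant's own connectivity.
    """
    findings = []
    for port in sorted(set(configured) | set(expected)):
        have = configured.get(port, set())
        want = expected.get(port, set())
        extra = sorted(have - want)
        missing = sorted(want - have)
        if extra:
            findings.append((port, "extra", extra))
        if missing:
            findings.append((port, "missing", missing))
    return findings


def render_vlan_ranges(vlans):
    """Compress a VLAN id set into 'a-b,c' form, a common shape for switch
    allowed-VLAN lists (assumed generic syntax; vendors differ)."""
    ids = sorted(vlans)
    if not ids:
        return "none"
    ranges, start, prev = [], ids[0], ids[0]
    for vid in ids[1:]:
        if vid == prev + 1:
            prev = vid
            continue
        ranges.append(f"{start}-{prev}" if start != prev else str(start))
        start = prev = vid
    ranges.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(ranges)


# Constructed sample data: two tenants, three trunk ports, two of which have
# drifted from policy (one admits a VLAN owned by the other tenant).
TENANT_VLANS = {"tenant-a": {100, 101, 102}, "tenant-b": {200, 205}}
PORT_TENANT = {"Gi1/0/1": "tenant-a", "Gi1/0/2": "tenant-b", "Gi1/0/3": "tenant-a"}
CONFIGURED = {
    "Gi1/0/1": {100, 101, 102},
    "Gi1/0/2": {200, 205, 102},   # drift: tenant-b's port admits tenant-a's VLAN 102
    "Gi1/0/3": {100, 101},        # drift: VLAN 102 missing, connectivity only
}

if __name__ == "__main__":
    expected = derive_allowed_vlans(TENANT_VLANS, PORT_TENANT)
    for port, vlans in sorted(expected.items()):
        print(f"{port}: switchport trunk allowed vlan {render_vlan_ranges(vlans)}")
    for port, kind, vlans in audit_trunk_config(CONFIGURED, expected):
        print(f"FINDING {port} {kind}: {vlans}")
```

The exclusivity check matters: if two tenants could both claim a VLAN, the derived per-port lists would still look tidy while quietly bridging the tenants at layer 2, so the derivation refuses to run on an overlapping allocation rather than producing a plausible but wrong configuration. Running the audit periodically against the switch's live allowed-lists catches manual changes that drift from the orchestrated policy.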
