On 2024-08-02 12:14:40 +0200 (+0200), David Pineau wrote: [...]
> The various VMs on this network must not be able to see each other, as this network may be exposed to multiple customers/projects.
> Note that in this context, we're using the OVN driver for our network stack.
> We were initially looking at external networks for this, but understood through our attempts and experiments that: [...]
> - VMs on this network can communicate with each other
> - Applying FlowControl does not solve this for VMs on the same hypervisor (as they're directly communicating, and traffic does not seem to go through the host)
> - Only security groups can prevent such communication, but since it's associated to a Port, we cannot enforce it [...]
As far as what's possible through Neutron, I'm not sure, but it sounds like a classic case for port isolation (i.e. "private VLAN" or what Cisco calls "protected ports"). Since Linux 4.18, the bridge module can set isolated mode on individual ports, like:

    bridge link set dev tap0 isolated on

Setting all the guest switchports for this bridge to isolated will prevent any crosstalk at layer 2, since they'll only be able to communicate with your non-isolated ("promiscuous") switchport out to the routed external network and/or where your dhcpd resides.

Port isolation is a fairly blunt instrument though, only applicable in certain situations like what you've described, and often misused, confusing folks who don't understand its implications, so supporting that concept from Neutron's perspective might not be a great idea regardless. I also don't know whether this works with OVN, or if it has a similar feature of its own.
-- 
Jeremy Stanley
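The following script is an added example, not code from either participant in the thread. It carries out the suggestion in the reply above on a plain Linux kernel bridge: every guest tap port enslaved to the bridge gets `isolated on`, the single uplink port stays non-isolated, and the result is read back from `bridge -d link show`. Bridge and interface names (br-ext, eth1, tapN) are assumed for illustration, as is the captured listing, which is constructed here in the format iproute2 prints. The live steps need root and iproute2; the parsing and version-check functions work offline on the sample text. Note that this acts only on ports that are members of a kernel bridge; OVS ports managed by OVN are not such members, which is why the reply's caveat about OVN stands.

```shell
#!/bin/sh
# Added example (not from the thread): isolate all guest ports on a Linux
# bridge except the uplink, then verify. Names below are assumed.

# Constructed sample of `bridge -d link show` output: a description line per
# port followed by an indented flags line. tap0 is already isolated, tap1 is
# not, eth1 is the uplink, tap9 belongs to a different bridge.
SAMPLE_LISTING='2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-ext state forwarding priority 32 cost 4
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off
3: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-ext state forwarding priority 32 cost 100
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated on
4: tap1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-ext state forwarding priority 32 cost 100
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off
5: tap9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-other state forwarding priority 32 cost 100
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off'

# Port isolation needs the bridge driver from Linux 4.18 or newer. Returns 0
# when the given `uname -r` string is at least 4.18.
kernel_has_port_isolation() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "${minor:-0}" -ge 18 ]; }
}

# Read `bridge -d link show` output on stdin and print every member port of
# bridge $1, other than uplink $2, whose flags line lacks "isolated on".
member_ports_not_isolated() {
    awk -v bridge="$1" -v uplink="$2" '
        /^[0-9]+: / {                       # description line: "N: ifname: <...> ... master BR ..."
            port = $2; sub(/:$/, "", port)
            member = 0
            for (i = 1; i <= NF; i++) if ($i == "master" && $(i + 1) == bridge) member = 1
            next
        }
        member && port != uplink && !/isolated on/ { print port; member = 0 }
    '
}

# Apply "isolated on" to each port reported above. Reads the listing on stdin;
# BRIDGE_CMD can be overridden (e.g. BRIDGE_CMD=echo) for a dry run.
isolate_guest_ports() {
    ports=$(member_ports_not_isolated "$1" "$2")
    for port in $ports; do
        ${BRIDGE_CMD:-bridge} link set dev "$port" isolated on || return 1
    done
}

# Live run (root, iproute2): ./isolate.sh --apply br-ext eth1
if [ "${1:-}" = "--apply" ]; then
    kernel_has_port_isolation "$(uname -r)" || { echo "kernel too old for bridge port isolation" >&2; exit 1; }
    bridge -d link show | isolate_guest_ports "$2" "$3"
    # Verify: the only non-isolated member left should be the uplink.
    left=$(bridge -d link show | member_ports_not_isolated "$2" "$3")
    [ -z "$left" ] && echo "all guest ports on $2 isolated" || { echo "still not isolated: $left" >&2; exit 1; }
fi
```

Run with `--apply br-ext eth1` on a hypervisor to change state; without arguments the functions can be sourced and fed captured `bridge -d link show` text, which is how the sample above is checked. Isolated guest ports still reach eth1 (and whatever dhcpd or router sits behind it) but can no longer exchange frames with each other through the bridge.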