You might want to take a look at some of the Neutron and physical switching integrations provided by https://github.com/openstack/networking-generic-switch and https://opendev.org/x/networking-ansible to see if either approach would help with that problem. Being able to toggle the provisioning/cleaning/inspection vlan on/off for baremetal port(s) during those operations has been super useful in cases like this. However, you’ll need the support of your network team for Neutron to hit those switches (via management address), which tends to be the blocker in most cases. -- James Denton Principal Architect Rackspace Private Cloud - OpenStack james.denton@rackspace.com From: Hajasolo <hajasolo@gmail.com> Date: Tuesday, October 1, 2024 at 7:24 AM To: openstack-discuss@lists.openstack.org <openstack-discuss@lists.openstack.org> Subject: Automating Network VLAN Reconfiguration Post-Bare Metal Provisioning with OpenStack Ironic You don't often get email from hajasolo@gmail.com. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification> CAUTION: This message originated externally, please use caution when clicking on links or opening attachments! Hello OpenStack Community, I am currently working with OpenStack Ironic for provisioning bare metal servers and facing a specific challenge related to network security and automation. I would appreciate any insights or experiences you could share! We use Ironic to provision bare metal servers, which involves utilizing a management VLAN during the PXE boot and initial OS installation process. Post-provisioning, the server’s management interface remains accessible, posing a security risk as it can potentially access the management network. I need to ensure that once a server is provisioned and handed over to a user, it cannot access the management VLAN until it is deprovisioned. 1. How can we automate the process of removing the management VLAN from the server’s network interface post-provisioning to prevent unauthorized access to the management network? 2. Upon server deprovisioning, how can we automatically re-enable the management VLAN to allow for server re-provisioning? 3. Are there any built-in OpenStack tools or common practices within the Ironic or larger OpenStack community to handle such scenarios? Our goal is to maintain a high level of automation and self-service capability in our OpenStack environment while ensuring rigorous network security standards. Solutions that integrate seamlessly with OpenStack’s existing architecture would be ideal. Thank you for your time and help! Best regards, Haja, Joel