Achieve L2 isolation between ports on a shared network?

asked 2018-11-02 05:53:44 -0600

anonymous user



Apologies if this has been answered before but I could not find much on this topic.

Question. Is there a way to achieve "port isolation" (L2 isolation between ports) in Openstack?

Scenario: I have a management network with a management server and a couple of tenants. The tenants are sharing this network, but they are not supposed to see or talk with each other. They should only see the management server.

Currently I have achieved L3 isolation using Security Groups, only allowing traffic to/from management server. This might be good enough I guess since you cannot change MAC/IP on the instance without loosing network access. But it would be really nice to have so they could not even see each other in the arp table.

Thanks. / A

edit retag flag offensive close merge delete


Just found this: ( Will look into it.

SnelHest gravatar imageSnelHest ( 2018-11-02 06:58:21 -0600 )edit

OpenStack achieves network isolation on so-called tenant networks by implementing each network as a VXLAN or GRE tunnel, or a VLAN. The networking guide should have more info on this.

Bernd Bausch gravatar imageBernd Bausch ( 2018-11-02 07:15:26 -0600 )edit

However, if you implement provider networks only, these methods don't work AFAIK.

Bernd Bausch gravatar imageBernd Bausch ( 2018-11-02 07:16:00 -0600 )edit

1 answer

Sort by ยป oldest newest most voted

answered 2018-11-09 09:24:29 -0600

The cloud provider did not support the ML2 plugin which seems to be required to support L2 isolation using VXLAN or GRE. We set up a firewall VM instance having an interface connected to each customers network.

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2018-11-02 05:53:44 -0600

Seen: 49 times

Last updated: Nov 02 '18