Implement PVLAN capability in OpenVSwitch

Issue

• We are interested in configuring a shared services network used by manila to prevent cross tenant backdoors such as this:

               Manila-NFS-VIP
               192.168.103.4
                     |          
              SharedNFS Network
              (192.168.103.4/24)
             /                 \
          Tenant A           Tenant B
              |                 |
        SharedNFS  NIC     SharedNFS NIC
        192.168.103.10     192.168.103.20
              |                 |
           Instance          Instance
              |                 |
        Internal NIC       Internal NIC
        172.16.0.50        192.168.20.20

• If openstack neutron supported PVLAN we could configure the uplink of the tenant nic on that network to be exclusively the Manila-NFS vip and stop any potential of backdoor access from other clients on that network.

• In the diagram above you can see that the storageNFS network is a shared layer 2 domain. At no point can we assume that tenants will do the right thing with regards to security groups.

• PVLAN solves this issue by preventing isolate ports from learning about each other, and the destination (in this case the NFS ganesha vip) is set in promiscuous mode.

• This is a diagram of PVLAN operation from Cisco.

• This is the actual writeup by Cisco on this capability.

• We spoke with Tom Barron (Manila PTL) and Ryan Tidwell (Neutron Developer) and they both agreed this was a problem that PVLAN could solve. As we are looking to leverage OpenStack with Manila across a multi tenant environment we want to be able to provide high performance Layer 2 access to our StorageNFS network without the security backdoors a regular layer 2 domain creates.

• We cant see any of the details of BZ or why it was closed but implementing PVLAN in neutron would certainly help our use of the product and also add some fairly powerful capabilty to OpenStack.