
openstack team mailing list archive

Re: Could s/o clarify if DHCP and L3 agents *must* be on different hosts if namespaces are disabled ?


>> Yes, this works. The problem is ensuring the network isolation. That
>> is, someone can make changes in the routing table on the host which
>> will enable one to gain access to the quantum networks. That is why we
>> suggest that they run on different hosts. We have a review that is

>Damn, makes sense. Once you explain this, the reasons are clear.

Depending on the setup you might be able to create policy based routing rules on the quantum l3-node to prevent this.
(e.g. traffic originating from the subnets "within quantum" is always routed to router x on the outside world)

Another small issue I can think of is that you might get asymmetrical routing. (traffic returning from the DHCP ip instead of the L3 ip)
Not sure if you can fix that with Policy Based Routing, never tried.

Cheers,
Robert van Leeuwen
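An added example of the policy based routing mitigation described in the reply above; it is not code from the thread or from the Quantum project. It pins traffic sourced from a tenant subnet to a dedicated routing table whose only route points at the upstream router, so a later change to the host's main routing table does not redirect that traffic. The subnet, gateway address, interface name, table number and rule priority are assumed values chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: policy-based routing on a host that runs
# both the Quantum L3 and DHCP agents without namespaces. Traffic sourced from
# a tenant subnet is looked up in a dedicated routing table whose only route is
# the upstream router, so edits to the host's main table do not redirect it.
# All addresses, the interface and the table number below are assumed values.

TENANT_SUBNET="10.0.0.0/24"   # assumed: a quantum tenant subnet
UPSTREAM_GW="192.0.2.1"       # assumed: "router x" on the outside world
UPSTREAM_IF="eth1"            # assumed: external-facing interface
TABLE_ID=100                  # assumed: dedicated routing table number
RULE_PRIO=1000                # assumed: evaluated before the main-table rule (32766)

# Emit the ip(8) commands as text so they can be reviewed before being run as root.
pbr_commands() {
    subnet="$1"; gw="$2"; iface="$3"; table="$4"; prio="$5"
    printf 'ip route replace default via %s dev %s table %s\n' "$gw" "$iface" "$table"
    printf 'ip rule add from %s lookup %s priority %s\n' "$subnet" "$table" "$prio"
}

# Check an `ip rule show` listing (read from stdin) for the tenant-subnet rule;
# returns 0 if the rule is present, 1 otherwise. Useful as a post-change audit.
pbr_rule_present() {
    subnet="$1"; table="$2"
    grep -qF "from ${subnet} lookup ${table}"
}

case "${1:-}" in
    apply)
        # Requires root; installs the route and the rule, then verifies the rule.
        pbr_commands "$TENANT_SUBNET" "$UPSTREAM_GW" "$UPSTREAM_IF" "$TABLE_ID" "$RULE_PRIO" | sh -e
        ip rule show | pbr_rule_present "$TENANT_SUBNET" "$TABLE_ID" \
            && echo "policy rule for $TENANT_SUBNET installed (table $TABLE_ID)"
        ;;
    *)
        # Default: only print the commands that would be applied.
        pbr_commands "$TENANT_SUBNET" "$UPSTREAM_GW" "$UPSTREAM_IF" "$TABLE_ID" "$RULE_PRIO"
        ;;
esac
```

Run without arguments to review the generated commands, or as root with `apply` to install them and confirm the rule is present. This covers only the source-based routing point; the asymmetric-return concern raised in the reply (replies leaving from the DHCP address rather than the L3 address) is not addressed by these rules.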
