>> Yes, this works. The problem is ensuring the network isolation. That
>> is, someone can make changes in the routing table on the host which
>> will enable one to gain access to the quantum networks. That is why we
>> suggest that they run on different hosts. We have a review that is
>Damn, makes sense. Once you explain this, the reasons are clear.

Depending on the setup you might be able to create policy based routing rules on the quantum l3-node to prevent this. (e.g. traffic originating from the subnets "within quantum" is always routed to router x on the outside world)

Another small issue I can think of is that you might get asymmetrical routing. (traffic returning from the DHCP IP instead of the L3 IP) Not sure if you can fix that with Policy Based Routing, never tried.

Cheers,
Robert van Leeuwen