MaaS and VLAN assignments to machine interfaces

Hi all,

I am struggling to find the answer to this in the documentation. If you have a pool of servers in a rack, all connected to a set of rack switches, at provision time, when you select a VLAN for an interface on a server, what actually occurs:

  1. All interfaces should be connected to switch ports that allow all the required VLANs (tagged), and then when the server boots you use cloud-init etc. to configure the correct tag on the interface (meaning that the VLAN assignment in MaaS is meaningless beyond controlling DHCP configuration, and that nothing would stop a user of the server changing the VLAN tag and accessing other networks)
  2. Servers need to be connected to access ports in the correct VLAN (thus servers in the pool will only be usable in the VLAN that their connected switch port is configured to use)
  3. MaaS has modules to apply switch port configuration to various brands of switches (for the life of me I cannot find this anywhere in the documentation)

Scenario 1 makes MaaS unusable in environments that require any type of proper security to be in place.
Scenario 2 makes MaaS essentially pointless in environments where there are a large number of VLANs and you need to dynamically provision servers into the correct VLAN. You either need to manually make switch port changes (and keep a separate mapping of all this somewhere) or you need a pool of free servers for all VLANs in use.
Scenario 3 solves all the issues, but as I said I cannot find any information about this in the documentation.


Hi,
I got exactly the same question and did not realize whether MAAS is able to manage switches or not. Otherwise I have no idea how to use it in an environment with lots of VLANs.

It seems that no one knows the answer to how this works (or is intended to work) - given how long this has been open without any response from anyone.

Actually, you posted in the “Docs” category, which isn’t watched by the engineering team. I moved it to “Users”, where it will be seen.


Use commissioning scripts to connect to your network devices and configure them appropriately.

AFAIK, MAAS doesn’t have drivers for network devices in the same way that it has BMC drivers for power management, so you have to customize it yourself according to your environment.

Looks like I found the solution, maybe yes maybe no, I am not an expert in networking…
If the host managed by MAAS is in the same VLAN as the MAAS server, you probably need to set isolated ports on the switch in combination with inter-VLAN routing.

So you can manage your hosts as usual, but MAAS will still be able to reach the hosts.

Hi, the problem with commissioning scripts is now your hosts need to be able to communicate with the switches (since the script runs there). Ideally, some kind of post deployment hooks from MAAS that actually run on MAAS would be better, or, webhooks to notify something externally that then handles switch configuration.

@jhusakowski any plans on something like webhooks to notify external systems about changes on machines? That at least would allow people to build what they need, even if MAAS itself doesn’t know how to speak to switches.

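The two posts above describe the same gap from two sides: with trunk ports (scenario 1) the VLAN MAAS records for an interface is only a host-side tag, and a MAAS-driven hook that pushes the matching access-VLAN onto the switch port (scenario 3, or the webhook idea) is what closes it. The following is an added example, not MAAS code and not anything the project ships: a small reconciler that reads JSON shaped like the output of the MAAS CLI `machines read` call (the `status_name`, `interface_set`, `mac_address` and `vlan.vid` field names are assumed from that API), maps each deployed NIC to a switch port via a MAC-to-port table (assumed to come from LLDP or a CMDB), and reports every port that is not an access port in exactly the VLAN MAAS assigned. All input data here is constructed for the example; a real deployment would feed it live MAAS and switch state and hand the `set_access` findings to whatever tool configures the switches.

```python
"""Reconcile MAAS interface VLAN assignments against switch port state.

Added example (not MAAS project code). Assumptions:
  * MAAS_MACHINES_JSON mirrors the shape of `maas <profile> machines read`
    output (status_name, interface_set[].mac_address, interface_set[].vlan.vid).
  * MAC_TO_PORT is a constructed MAC -> (switch, port) table, e.g. from LLDP.
  * CURRENT_PORTS is a constructed snapshot of switch port configuration.
"""
import json
from dataclasses import dataclass

# Constructed sample: two deployed machines and one that is only Ready.
MAAS_MACHINES_JSON = """
[
  {"system_id": "abc123", "hostname": "node-01", "status_name": "Deployed",
   "interface_set": [
     {"name": "eno1", "mac_address": "52:54:00:AA:00:01",
      "vlan": {"vid": 100, "name": "100", "fabric": "fabric-0"}}]},
  {"system_id": "def456", "hostname": "node-02", "status_name": "Deployed",
   "interface_set": [
     {"name": "eno1", "mac_address": "52:54:00:aa:00:02",
      "vlan": {"vid": 200, "name": "200", "fabric": "fabric-0"}},
     {"name": "eno2", "mac_address": "52:54:00:aa:00:03", "vlan": null}]},
  {"system_id": "ghi789", "hostname": "node-03", "status_name": "Ready",
   "interface_set": [
     {"name": "eno1", "mac_address": "52:54:00:aa:00:04",
      "vlan": {"vid": 300, "name": "300", "fabric": "fabric-0"}}]}
]
"""


@dataclass(frozen=True)
class SwitchPort:
    """Configured state of one switch port (constructed for the example)."""
    mode: str              # "access" or "trunk"
    vlans: frozenset[int]  # VLANs the port carries (one VID for access ports)


# Constructed: which switch port each server NIC is cabled to.
MAC_TO_PORT = {
    "52:54:00:aa:00:01": ("sw1", "Gi1/0/1"),
    "52:54:00:aa:00:02": ("sw1", "Gi1/0/2"),
}

# Constructed: Gi1/0/1 is a trunk carrying every VLAN (scenario 1),
# Gi1/0/2 is already an access port in the right VLAN.
CURRENT_PORTS = {
    ("sw1", "Gi1/0/1"): SwitchPort("trunk", frozenset({100, 200, 300})),
    ("sw1", "Gi1/0/2"): SwitchPort("access", frozenset({200})),
}


def desired_vlans(machines_json: str) -> dict[str, tuple[str, str, int]]:
    """Return MAC -> (hostname, iface, vid) for every deployed NIC MAAS put on a VLAN.

    Only Deployed machines matter: Ready/Commissioning nodes sit on the
    provisioning VLAN and are reconciled when they are deployed.
    Interfaces with vlan == null are disconnected in MAAS and are skipped.
    """
    wanted: dict[str, tuple[str, str, int]] = {}
    for machine in json.loads(machines_json):
        if machine.get("status_name") != "Deployed":
            continue
        for nic in machine.get("interface_set", []):
            vlan = nic.get("vlan")
            if not vlan:
                continue
            mac = nic["mac_address"].lower()  # normalise case before lookup
            wanted[mac] = (machine["hostname"], nic["name"], int(vlan["vid"]))
    return wanted


def plan_changes(wanted, mac_to_port, current_ports) -> list[dict]:
    """Compare MAAS intent with switch state and list the ports to fix.

    A NIC is "ok" only when its port is an access port in exactly the MAAS
    VID. Anything else (trunk, wrong VLAN, extra VLANs) gets "set_access";
    extra_vlans lists the VLANs the host could currently tag into but should
    not see. NICs with no known port get "unmapped" so they are not silently
    left on whatever the port happens to carry.
    """
    findings = []
    for mac, (host, iface, vid) in sorted(wanted.items()):
        key = mac_to_port.get(mac)
        cur = current_ports.get(key) if key else None
        if cur is None:
            findings.append({"host": host, "iface": iface, "mac": mac,
                             "vid": vid, "action": "unmapped"})
            continue
        if cur.mode == "access" and cur.vlans == frozenset({vid}):
            action, extra = "ok", frozenset()
        else:
            action, extra = "set_access", cur.vlans - {vid}
        findings.append({"host": host, "iface": iface, "mac": mac, "vid": vid,
                         "switch": key[0], "port": key[1], "action": action,
                         "extra_vlans": sorted(extra)})
    return findings


if __name__ == "__main__":
    for f in plan_changes(desired_vlans(MAAS_MACHINES_JSON), MAC_TO_PORT, CURRENT_PORTS):
        print(f)
```

Run as-is, the plan reports `node-01 eno1` on `sw1 Gi1/0/1` as `set_access` to VID 100 with extra VLANs 200 and 300 (the trunk from scenario 1), and `node-02 eno1` as `ok`. Wiring this to a real switch is deliberately left to a separate step: the reconciler only computes the desired access VLAN per port, so it can run on the MAAS host (or wherever a future webhook lands) rather than on the provisioned server itself, which is the objection to commissioning scripts raised above.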

We like the idea of webhooks and the idea is on our wishlist of things to implement, but have no short-term plans related to releasing such functionality.

It was an idea that has been around for a while, I know. But many deployments today that will want to integrate MAAS will want to rely on event-driven solution design (cloud-native style), which relies heavily on webhooks.

IMO, the time is here now for MAAS to implement something like this to enable it to fit in well with other systems. This neatly allows solution architects to design MAAS in without needing to worry that it doesn’t have native integration with e.g. Cisco or other datacenter switches. In addition, a low barrier to enable very powerful behaviours (an MVP could be to start with something simple like post-deploy webhook and expand later).

Are there any feature poll/votes these days for the community, perhaps @billwear it’s time to run another one? :slight_smile:

I agree with all the above, commissioning scripts are not a viable solution to this problem in any sensible and secure environment.

I am struggling to understand how any large scale, secure deployments are being achieved by people today?

If a poll etc. is created for such a webhook/event-style feature set I would throw support behind it straight away. In the meantime I would point people to consider a solution like MetalSoft (https://www.metalsoft.io/) which seems to have better support for these types of requirements.