Infrastructure Platform

The WSH Infrastructure Platform (wsh_infra) is an internal management layer that sits alongside Tenantos (our billing/provisioning panel). It automates network security, switch configuration, and server management tasks that Tenantos doesn't handle natively.

What It Does

| Feature | Description |
|---|---|
| Virtual MACs (VMACs) | Generate unique MAC addresses per IP to satisfy DHCP snooping and prevent MAC conflicts |
| Port Security Automation | Automatically push MAC/IP/VLAN bindings to Juniper switches when IPs are assigned or removed |
| Switch Backups | Automatic configuration backups before every switch change, plus scheduled daily backups |
| Apply All | One-click re-push of every binding across all dedicated servers and Proxmox nodes |
| VLAN Allowlist | Global control over which VLANs are eligible for automated binding |

Architecture

Tenantos (billing/provisioning)
    |
    |-- IP assigned/removed events --> wsh_infra API --> Juniper switch (SSH)
    |
    +-- Server provisioned --> wsh_infra provisioning API --> switch port setup

Proxmox (hypervisor)
    |
    +-- VM IPs + MACs --> wsh_infra --> Juniper switch (SSH)

Admin Panel (wsh_infra)
    |-- /admin/switches -- view switches, backups, apply-all
    |-- /admin/virtual-macs -- active VMACs, event log
    |-- /admin/proxmox -- VM management, port security preview
    +-- /admin/settings -- VLAN allowlist, backup schedule, Proxmox config

Key Concepts

Dedicated Servers

Each dedicated server has its own switch port. When Tenantos assigns an IP, the infra platform pushes a secure-access-port binding (MAC + IP + VLAN) to the Juniper switch via SSH. The server's PXE MAC is used for the primary IP; any additional IPs with active VMACs use the VMAC instead.

Proxmox / VM Nodes

Multiple VMs share a single uplink port on the switch (typically an ae aggregate). When any VM's IPs change, the platform refreshes the entire port -- collecting every VM's MAC + IP from the Proxmox API and Tenantos, then doing a full replace of all bindings on that port.

VLAN Allowlist

Configured in Settings > Switches, the VLAN allowlist controls which VLAN IDs are eligible for automated binding. Any IP that resolves to a VLAN not in this list is silently skipped. This prevents the platform from touching management VLANs or customer-isolated networks.
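
The following sketch is an added example, not wsh_infra's own code. It illustrates the Proxmox port refresh and the VLAN allowlist together: it builds the full replacement binding set for one shared uplink port and filters it through the allowlist. The subnet-to-VLAN map, VLAN IDs, MACs, function names, the duplicate-IP rule, and the returned `skipped` list (added so skipped IPs can be logged) are all assumptions.

```python
import ipaddress
from typing import NamedTuple

class Binding(NamedTuple):
    mac: str
    ip: str
    vlan: int

# Constructed sample data: subnets, VLAN IDs and MACs are assumptions.
SUBNET_VLANS = {"203.0.113.0/24": 120, "198.51.100.0/24": 130, "10.255.0.0/24": 10}
VLAN_ALLOWLIST = {120, 130}  # VLAN 10 stands in for a management VLAN
SAMPLE_VMS = [
    ("BC:24:11:00:00:01", "203.0.113.10"),
    ("BC:24:11:00:00:02", "198.51.100.20"),
    ("BC:24:11:00:00:03", "10.255.0.5"),    # resolves to non-allowlisted VLAN 10
    ("BC:24:11:00:00:04", "192.0.2.9"),     # no known subnet
    ("BC:24:11:00:00:05", "203.0.113.10"),  # IP already claimed by another MAC
]

def resolve_vlan(ip, subnet_vlans=SUBNET_VLANS):
    """Return the VLAN ID whose subnet contains ip, or None if no subnet matches."""
    addr = ipaddress.ip_address(ip)
    for cidr, vlan in subnet_vlans.items():
        if addr in ipaddress.ip_network(cidr):
            return vlan
    return None

def build_port_bindings(vm_interfaces, allowlist=VLAN_ALLOWLIST):
    """Build the complete binding set for one shared port from (mac, ip) pairs.

    Returns (bindings, skipped). skipped holds (mac, ip, reason) tuples so the
    caller can record what was left out instead of losing it.
    """
    bindings, skipped, owner = [], [], {}
    for mac, ip in vm_interfaces:
        mac = mac.lower()
        vlan = resolve_vlan(ip)
        if vlan is None:
            skipped.append((mac, ip, "no VLAN for IP"))
        elif vlan not in allowlist:
            skipped.append((mac, ip, f"VLAN {vlan} not in allowlist"))
        elif ip in owner:
            skipped.append((mac, ip, f"IP already bound to {owner[ip]}"))
        else:
            owner[ip] = mac
            bindings.append(Binding(mac, ip, vlan))
    return bindings, skipped

if __name__ == "__main__":
    for item in sum(build_port_bindings(SAMPLE_VMS), []):
        print(item)
```

Because the refresh replaces every binding on the port, an IP that lands in `skipped` ends up with no binding at all, so reviewing that list after each refresh shows which VMs were affected by an allowlist or subnet-map change.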