
Port Security Automation

Overview

Port security automation keeps Juniper switch configurations in sync with Tenantos IP assignments. When Tenantos assigns or removes an IP from a server, it fires a webhook to the wsh_infra API, which then SSHs into the appropriate switch and updates the secure-access-port bindings.

How It Works

Event Flow

Tenantos assigns IP to server
    |
    v
Tenantos event listener (ServerNetworkContext.php on Tenantos server)
    |
    v
POST /api/port-security/event
    { action: "ip_assigned", serverId: 123, ip: "10.0.48.7" }
    |
    v
wsh_infra PortSecurityController
    |
    |-- Dedicated server? --> Fetch all IPs, resolve VLANs, filter to allowlist,
    |                          full replace bindings on the server's switch port
    |
    +-- VM server? --> Find Proxmox node, fetch all VMs on that node,
                        collect all MAC+IP+VLAN, full replace on the node's uplink port

Supported Actions

Action          Trigger                       Result
ip_assigned     Tenantos assigns an IP        Refreshes all bindings for the server/node
ip_removed      Tenantos removes an IP        Refreshes all bindings (removed IP no longer included)
server_deleted  Server deleted in Tenantos    Wipes all bindings from the switch port

VLAN Allowlist

Configured in Settings > Switches, the VLAN allowlist is a comma-separated list of VLAN IDs (e.g., 13,100,200). Only IPs that resolve to a VLAN in this list will have bindings pushed to the switch.

Info

If the allowlist is empty, all VLANs are permitted. The allowlist is a safety mechanism, so if you're unsure, start with a specific list rather than leaving it empty.

Automation Requirements

For port security automation to work on a server, all of these must be true:

  1. The server has a switch connection in Tenantos (server_agentAssignmentsRelations with type: snmp_switch)
  2. The switch connection has switchAutomation: true in its meta JSON
  3. The server's IP resolves to a VLAN in the allowlist
  4. The switch has valid management credentials (user + password) in Tenantos
  5. The PORT_SECURITY_EVENT_API_BEARER_TOKEN environment variable is set on both Tenantos and wsh_infra

Tenantos Integration

The Tenantos side runs two event listeners that fire webhooks to wsh_infra:

  • ServerNetworkContext.php -- listens for afterServerIpAssignments and afterServerIpRemovals events
  • These files live in the Tenantos installation (not synced to the wsh_infra repo) but reference copies are kept in TenantAPIHooks-Does-Not-Sync-To-Tenant/

Junos Commands

The platform generates Junos configuration commands like:

# Set binding
set ethernet-switching-options secure-access-port interface ge-0/0/1.0 \
    static-ip 10.0.48.5 vlan VLAN.13 mac aa:bb:cc:dd:ee:ff

# Delete all bindings for an interface (before full replace)
delete ethernet-switching-options secure-access-port interface ge-0/0/1.0

# Commit
commit

For Proxmox node uplinks (aggregate interfaces):

delete ethernet-switching-options secure-access-port interface ae0.0
set ethernet-switching-options secure-access-port interface ae0.0 \
    static-ip 10.0.48.10 vlan VLAN.13 mac aa:bb:cc:11:22:33
set ethernet-switching-options secure-access-port interface ae0.0 \
    static-ip 10.0.48.11 vlan VLAN.13 mac dd:ee:ff:44:55:66
commit
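The following is an added example (not wsh_infra's or Tenantos' own code) that ties together the event flow, the VLAN allowlist rule and the Junos command generation above: it validates each binding, applies the allowlist (empty means all VLANs), builds the delete/set/commit batch for a full replace, maps the three webhook actions onto it, and checks the shared bearer token in constant time. Function names, the Binding type and the sample bindings are assumptions made for the example.

```python
import hmac
import ipaddress
import re
from dataclasses import dataclass

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")  # colon-separated, lower-case

@dataclass(frozen=True)
class Binding:
    ip: str
    vlan: int
    mac: str
    def __post_init__(self):
        # Reject anything that is not a plain IP / MAC before it is spliced into a CLI line.
        ipaddress.ip_address(self.ip)
        if not MAC_RE.match(self.mac.lower()):
            raise ValueError(f"bad MAC: {self.mac}")

def parse_allowlist(raw: str) -> set:
    """Parse the Settings > Switches allowlist ("13,100,200"); empty string -> empty set."""
    return {int(v) for v in raw.split(",") if v.strip()}

def filter_bindings(bindings, allowlist):
    """Empty allowlist permits every VLAN (as documented); otherwise keep only listed VLANs."""
    return list(bindings) if not allowlist else [b for b in bindings if b.vlan in allowlist]

def junos_full_replace(interface, bindings, allowlist):
    """Delete every binding on the interface, re-add the filtered set, then commit."""
    cmds = [f"delete ethernet-switching-options secure-access-port interface {interface}"]
    for b in sorted(filter_bindings(bindings, allowlist), key=lambda b: (b.vlan, b.ip)):
        cmds.append(f"set ethernet-switching-options secure-access-port interface {interface} "
                    f"static-ip {b.ip} vlan VLAN.{b.vlan} mac {b.mac.lower()}")
    cmds.append("commit")
    return cmds

def commands_for_event(action, interface, bindings, allowlist):
    """Map a webhook action onto a command batch; server_deleted wipes the port."""
    if action == "server_deleted":
        bindings = []
    elif action not in ("ip_assigned", "ip_removed"):
        raise ValueError(f"unsupported action: {action}")
    return junos_full_replace(interface, bindings, allowlist)

def authorized(auth_header, expected_token):
    """Constant-time check of the shared PORT_SECURITY_EVENT_API_BEARER_TOKEN (hypothetical helper)."""
    if not expected_token or not auth_header.startswith("Bearer "):
        return False
    return hmac.compare_digest(auth_header[len("Bearer "):], expected_token)

# Constructed sample: one host in VLAN 13 (on the allowlist), one in VLAN 999 (not on it).
SAMPLE = [Binding("10.0.48.5", 13, "aa:bb:cc:dd:ee:ff"), Binding("10.0.99.2", 999, "aa:bb:cc:00:00:01")]
```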