Hi Mike,

On 27/04/15 16:49, Mike Spreitzer wrote:

 > My use case is that I have two behaviorally different external
 > subnets --- they are treated differently by stuff outside of
 > OpenStack, with consequences that are meaningful to tenants.  Thus,
 > I have two categories of floating IP addresses, depending on which
 > external subnet holds the floating IP address.  The difference is
 > meaningful to tenants.  So I need to enable a tenant to request a
 > floating IP address of a specific category.  Since Neutron equates
 > floating IP address allocation pool with network, I need two
 > external networks.
 >
 > Both of these external subnets are present on the same actual
 > external LAN, thus both are reached through the same host NIC.
 >
 > It looks to me like the allowed mac/IP address pair feature will not
 > solve this problem.

Sorry, I simplified too much.  Here is one other critical detail.  I do
not really have just two different external subnets.  What I really have
is two behaviorally different collections of subnets.  I need to make a
Neutron external network for each of the two collections of external
subnets.


Do your tenants' instances, that are addressed within the same IP subnet, require real L2 broadcast connectivity between each other, or just IP connectivity?

If the latter, an option would be for you to use the Calico networking driver. The Calico solution, for your requirements as I understand them, would be as follows.

- Define networks for all the IP ranges from which you want to allocate addresses for your instances.

  - One with the range for your first external network.

  - One with the range for your second external network.

  - One with a range that is private within the data center, for instances that don't need to be addressable from outside.

- Define a security group representing the tenant, allowing all instances in the SG to speak to each other, plus any external access that that may require.

- When launching a group of instances, specify the network that provides the desired range of IP addresses, and the SG representing the tenant.

Is that of interest?

Regards,
        Neil

_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
