Hi,
I'm trying to create an OVN (21.06 checkout from 20210802)/OpenStack (Ussuri)
topology as in the attached file, where some traffic from a VM is routed in
tenant router to another shared router which is then connected to the external
network without SNAT. The idea here is to allow some VMs access to the intranet
(via another router with its own external network used just for interconnect
between OS and the intranet), while still using standard OpenStack external
connectivity via Floating IPs: I assign an IP address for a VM from an internal
subnet allocated for OpenStack tenants, and then configure routing and ACLs on
both routers to route traffic via LAN router (with SNAT disabled) as opposed to
routing via tenant router and FIP.
The idea here is to centralize ACLs for the intranet in one place, so that we
can enforce them and prevent users from making any changes - LAN router is in
another tenant, and users only have access to their own tenant routers that are
connected to the LAN router by a small interconnect network.
This setup seems to be working to some extent, that is, I have connectivity
working in both directions via intranet network, but the traffic is not
distributed - instead all traffic is centralized on the gateway chassis node
that is assigned to the LAN router.
It feels like it should work and it's either a bug in my setup, or an omission in
OVN code, where it can't tell that the traffic could be decentralized.
--
Krzysztof Klimonda
kklimo...@syntaxhighlighted.com