Re: [Openstack] how to forbid the instances communicating on the same host but different bridges and vlans?

2012-06-01 Thread Vishvananda Ishaya
You could tell dnsmasq to use your router as the gateway instead of the network 
host and then not allow routing across VLANs.

To use an external gateway, use a config option like the following:
dnsmasq_config_file=/path/to/config

In that config file you can use:
dhcp-option=3,<router address>
to force VMs to use your router as their gateway.

Vish

On Jun 1, 2012, at 10:30 PM, romizhang1968 wrote:

> Vish,
> 
> Thanks for your reply.
> Yes, I allowed ICMP ping from 0.0.0.0/0, but the question is, I think 
> different instances in different tenants and VLANs on the same compute node 
> should not touch each other: admin03 (192.168.2.3) in VLAN 200 and 201 should 
> only be able to reach instances of the same tenant, and should not be able to 
> reach aipu01 (192.168.3.3) in VLAN 300 and aipuTenant, even on the same compute node.
> I checked the route table: OpenStack creates a route entry for each bridge on the 
> node, but in admin03 the route table only shows how to reach 192.168.2.0 
> and 192.168.21.0, and has no way to reach the 192.168.3.0 network. Yet 
> admin03 could ping aipu01, which means it uses the node's route table; I do 
> not know why.
> So I want to know whether there is a way, using OpenStack commands, to stop this; 
> please do not reply telling me to delete the route entry on the compute node. And I think 
> each VM should connect to an "access port" and go through a trunk port (eth1 or eth2) 
> to communicate with the others.
> That is what I want. 
> Regards,
> Romi
> 
> 
> 
> At 2012-06-02 00:47:49, "Vishvananda Ishaya" wrote:
> Broadcast traffic should be blocked via the VLAN separation and direct 
> traffic should be blocked via security groups. Do you have a security group 
> that allows ping traffic from 0.0.0.0/0?
> 
> Vish
> 
> On Jun 1, 2012, at 1:38 AM, romi zhang wrote:
> 
>> Hi,
>> 
>> I used the following commands to create 2 NICs for the instances of adminTenant 
>> and 1 NIC for aipuTenant:
>> 
>> nova-manage network create --label=admin_web --fixed_range_v4=192.168.2.0/28 --num_networks=1 --vlan=200 --bridge=br200 --bridge_interface=eth1 --network_size=16 --multi_host=T --project_id=5f9281bca6854fe3974a457d81afd78c
>> 
>> nova-manage network create --label=admin_ssl --fixed_range_v4=192.168.21.0/28 --num_networks=1 --vlan=201 --bridge=br201 --bridge_interface=eth2 --network_size=16 --multi_host=T --project_id=5f9281bca6854fe3974a457d81afd78c
>> 
>> nova-manage network create --label=aipu_web --fixed_range_v4=192.168.3.0/28 --num_networks=1 --vlan=300 --bridge=br300 --bridge_interface=eth1 --network_size=16 --multi_host=T --project_id=ee29f5730caa40958bf4812a0fbec3d9
>> 
>> But the result is:
>> 1. The instance admin03 (192.168.2.3, 192.168.21.3, belonging to adminTenant) 
>> could successfully ping aipu01 (192.168.3.3, belonging to aipuTenant) on the 
>> same compute node (NC01, network+compute service).
>> 2. Of course, admin03 could not successfully ping aipu03 (192.168.3.6) on the 
>> other compute node (NC02, network+compute service).
>> 
>> Is there a way or setting to forbid IP communication between the instances of 
>> different tenants in different bridges and VLANs on the same compute node?
>> 
>> Romi
>> 
>> ___
>> Mailing list: https://launchpad.net/~openstack
>> Post to : openstack@lists.launchpad.net
>> Unsubscribe : https://launchpad.net/~openstack
>> More help   : https://help.launchpad.net/ListHelp
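The thread's setup, modelled as an added example: this is not nova code and not anything the posters wrote. It encodes the three networks and three instances from the original post and decides whether an ICMP echo round trip succeeds. Its assumptions are labelled in the code: in multi_host mode a node builds a bridge, takes an address and gets a connected route only for networks that have an instance on it; the kernel forwards between those bridges; security group rules are checked on ingress at the destination's node; replies to accepted traffic pass via the ESTABLISHED,RELATED rule; and the VM's gateway is whatever its own routing table says, so the dhcp-option=3 router is only a default the tenant can override. OPEN_RULES, TENANT_RULES, route_table and ping are names of this example only. It shows why admin03 reaches aipu01 on NC01 but not aipu03 on NC02 with an ICMP rule from 0.0.0.0/0, that scoping the rule to the tenant's own CIDRs stops the cross-tenant ping on the same node, and that moving the gateway to an external router blocks the default path but not a VM that points its default route back at the node.

```python
"""Reachability model of the nova-network VlanManager multi_host setup in this thread.

Added example, not nova code; the assumptions it encodes are marked in comments.
"""
import ipaddress
from collections import namedtuple

ADMIN = "5f9281bca6854fe3974a457d81afd78c"  # adminTenant
AIPU = "ee29f5730caa40958bf4812a0fbec3d9"   # aipuTenant

Network = namedtuple("Network", "label cidr vlan bridge project_id")
Instance = namedtuple("Instance", "name host project_id ips")  # ips: first NIC has the default route
Rule = namedtuple("Rule", "project_id protocol source_cidr")   # project_id: owner of the security group

# The three networks from the nova-manage commands in the thread.
NETWORKS = (
    Network("admin_web", "192.168.2.0/28", 200, "br200", ADMIN),
    Network("admin_ssl", "192.168.21.0/28", 201, "br201", ADMIN),
    Network("aipu_web", "192.168.3.0/28", 300, "br300", AIPU),
)
# Instances and placement as Romi reported them.
INSTANCES = (
    Instance("admin03", "NC01", ADMIN, ("192.168.2.3", "192.168.21.3")),
    Instance("aipu01", "NC01", AIPU, ("192.168.3.3",)),
    Instance("aipu03", "NC02", AIPU, ("192.168.3.6",)),
)
# What Romi has: ICMP allowed from anywhere, in both tenants' groups.
OPEN_RULES = (Rule(AIPU, "icmp", "0.0.0.0/0"), Rule(ADMIN, "icmp", "0.0.0.0/0"))
# Same intent, scoped to each tenant's own networks.
TENANT_RULES = (Rule(AIPU, "icmp", "192.168.3.0/28"),
                Rule(ADMIN, "icmp", "192.168.2.0/28"), Rule(ADMIN, "icmp", "192.168.21.0/28"))


def network_of(ip):
    addr = ipaddress.ip_address(ip)
    for net in NETWORKS:
        if addr in ipaddress.ip_network(net.cidr):
            return net
    raise ValueError(f"{ip} belongs to no nova network")


def route_table(host):
    """Connected routes of a multi_host node, one per bridge.  Assumption: nova builds a
    bridge (and the kernel adds the route) only for networks with an instance on the node."""
    nets = {network_of(ip) for i in INSTANCES if i.host == host for ip in i.ips}
    return sorted((n.cidr, n.bridge) for n in nets)


def rule_admits(rules, dst, src_ip, protocol):
    """Security groups are enforced on ingress at the destination instance's node."""
    src = ipaddress.ip_address(src_ip)
    return any(r.project_id == dst.project_id and r.protocol == protocol
               and src in ipaddress.ip_network(r.source_cidr) for r in rules)


def one_way(src, src_ip, dst_ip, gateway):
    """Can a packet from src_ip, sent by instance src, be delivered to dst_ip?

    gateway is where the VM sends off-subnet traffic: "host" is the node's bridge
    address (what nova's dnsmasq hands out by default), "router" an external router
    that refuses to route between tenant VLANs (the dhcp-option=3 setup).  The VM
    chooses this, not the operator: it can re-point its default route at the node,
    and the node forwards between its bridges regardless (assumption).
    """
    src_net, dst_net = network_of(src_ip), network_of(dst_ip)
    if src_net is dst_net:
        return True, f"same VLAN {src_net.vlan}, switched"
    if gateway == "router":
        return False, "external router does not route between tenant VLANs"
    if (dst_net.cidr, dst_net.bridge) not in route_table(src.host):
        return False, f"{src.host} has no bridge on {dst_net.cidr}"
    return True, f"{src.host} forwards {src_net.bridge} -> {dst_net.bridge}"


def ping(src_name, dst_ip, rules, gateway="host"):
    """ICMP echo round trip; returns (reachable, explanation of the deciding hop)."""
    src = next(i for i in INSTANCES if i.name == src_name)
    dst = next(i for i in INSTANCES if dst_ip in i.ips)
    # Source address: the NIC on the target's network if there is one, else the default NIC.
    src_ip = next((ip for ip in src.ips if network_of(ip) is network_of(dst_ip)), src.ips[0])
    ok, why = one_way(src, src_ip, dst_ip, gateway)
    if not ok:
        return False, "request: " + why
    if not rule_admits(rules, dst, src_ip, "icmp"):
        return False, f"request: {dst.name}'s security group rejects {src_ip}"
    # Reply: nova's instance chain accepts ESTABLISHED,RELATED, so only routing matters.
    ok, why = one_way(dst, dst_ip, src_ip, gateway)
    return ok, "reply: " + why


if __name__ == "__main__":
    for title, rules, gw in (("open rules", OPEN_RULES, "host"),
                             ("tenant-scoped rules", TENANT_RULES, "host"),
                             ("open rules, router as gateway", OPEN_RULES, "router")):
        print(title)
        for target in ("192.168.3.3", "192.168.3.6"):
            print("  admin03 -> %s: %s" % (target, ping("admin03", target, rules, gw)))
```

Running the module prints the three scenarios for admin03. The practical reading: the security group CIDR is the control that holds on the node that actually does the routing, so scope ICMP (and everything else) to the tenant's own networks instead of 0.0.0.0/0; the dnsmasq router option is a sensible default for tenants but not an enforcement boundary. The reason the model gives for the cross-node failure (NC02 has no bridge on the admin network, so the reply has nowhere to go) is the model's assumption, not something Romi confirmed.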


Re: [Openstack] how to forbid the instances communicating on the same host but different bridges and vlans?

2012-06-01 Thread romizhang1968
Vish,


Thanks for your reply.
Yes, I allowed ICMP ping from 0.0.0.0/0, but the question is, I think 
different instances in different tenants and VLANs on the same compute node 
should not touch each other: admin03 (192.168.2.3) in VLAN 200 and 201 should 
only be able to reach instances of the same tenant, and should not be able to 
reach aipu01 (192.168.3.3) in VLAN 300 and aipuTenant, even on the same compute node.
I checked the route table: OpenStack creates a route entry for each bridge on the 
node, but in admin03 the route table only shows how to reach 192.168.2.0 and 
192.168.21.0, and has no way to reach the 192.168.3.0 network. Yet admin03 
could ping aipu01, which means it uses the node's route table; I do not know why.
So I want to know whether there is a way, using OpenStack commands, to stop this; 
please do not reply telling me to delete the route entry on the compute node. And I think 
each VM should connect to an "access port" and go through a trunk port (eth1 or eth2) 
to communicate with the others.
That is what I want. 
Regards,
Romi




At 2012-06-02 00:47:49, "Vishvananda Ishaya" wrote:
Broadcast traffic should be blocked via the VLAN separation and direct traffic 
should be blocked via security groups. Do you have a security group that allows 
ping traffic from 0.0.0.0/0?


Vish


On Jun 1, 2012, at 1:38 AM, romi zhang wrote:


Hi,

I used the following commands to create 2 NICs for the instances of adminTenant and 
1 NIC for aipuTenant:

nova-manage network create --label=admin_web --fixed_range_v4=192.168.2.0/28 --num_networks=1 --vlan=200 --bridge=br200 --bridge_interface=eth1 --network_size=16 --multi_host=T --project_id=5f9281bca6854fe3974a457d81afd78c

nova-manage network create --label=admin_ssl --fixed_range_v4=192.168.21.0/28 --num_networks=1 --vlan=201 --bridge=br201 --bridge_interface=eth2 --network_size=16 --multi_host=T --project_id=5f9281bca6854fe3974a457d81afd78c

nova-manage network create --label=aipu_web --fixed_range_v4=192.168.3.0/28 --num_networks=1 --vlan=300 --bridge=br300 --bridge_interface=eth1 --network_size=16 --multi_host=T --project_id=ee29f5730caa40958bf4812a0fbec3d9

But the result is:
1. The instance admin03 (192.168.2.3, 192.168.21.3, belonging to adminTenant) 
could successfully ping aipu01 (192.168.3.3, belonging to aipuTenant) on the same 
compute node (NC01, network+compute service).
2. Of course, admin03 could not successfully ping aipu03 (192.168.3.6) on the 
other compute node (NC02, network+compute service).

Is there a way or setting to forbid IP communication between the instances of 
different tenants in different bridges and VLANs on the same compute node?

Romi



Re: [Openstack] how to forbid the instances communicating on the same host but different bridges and vlans?

2012-06-01 Thread Vishvananda Ishaya
Broadcast traffic should be blocked via the VLAN separation and direct traffic 
should be blocked via security groups. Do you have a security group that allows 
ping traffic from 0.0.0.0/0?

Vish

On Jun 1, 2012, at 1:38 AM, romi zhang wrote:

> Hi,
> 
> I used the following commands to create 2 NICs for the instances of adminTenant and 
> 1 NIC for aipuTenant:
> 
> nova-manage network create --label=admin_web --fixed_range_v4=192.168.2.0/28 --num_networks=1 --vlan=200 --bridge=br200 --bridge_interface=eth1 --network_size=16 --multi_host=T --project_id=5f9281bca6854fe3974a457d81afd78c
> 
> nova-manage network create --label=admin_ssl --fixed_range_v4=192.168.21.0/28 --num_networks=1 --vlan=201 --bridge=br201 --bridge_interface=eth2 --network_size=16 --multi_host=T --project_id=5f9281bca6854fe3974a457d81afd78c
> 
> nova-manage network create --label=aipu_web --fixed_range_v4=192.168.3.0/28 --num_networks=1 --vlan=300 --bridge=br300 --bridge_interface=eth1 --network_size=16 --multi_host=T --project_id=ee29f5730caa40958bf4812a0fbec3d9
> 
> But the result is:
> 1. The instance admin03 (192.168.2.3, 192.168.21.3, belonging to adminTenant) 
> could successfully ping aipu01 (192.168.3.3, belonging to aipuTenant) on the same 
> compute node (NC01, network+compute service).
> 2. Of course, admin03 could not successfully ping aipu03 (192.168.3.6) on the 
> other compute node (NC02, network+compute service).
> 
> Is there a way or setting to forbid IP communication between the instances of 
> different tenants in different bridges and VLANs on the same compute node?
> 
> Romi
> 


[Openstack] how to forbid the instances communicating on the same host but different bridges and vlans?

2012-06-01 Thread romi zhang
Hi,

I used the following commands to create 2 NICs for the instances of adminTenant
and 1 NIC for aipuTenant:

nova-manage network create --label=admin_web --fixed_range_v4=192.168.2.0/28 --num_networks=1 --vlan=200 --bridge=br200 --bridge_interface=eth1 --network_size=16 --multi_host=T --project_id=5f9281bca6854fe3974a457d81afd78c

nova-manage network create --label=admin_ssl --fixed_range_v4=192.168.21.0/28 --num_networks=1 --vlan=201 --bridge=br201 --bridge_interface=eth2 --network_size=16 --multi_host=T --project_id=5f9281bca6854fe3974a457d81afd78c

nova-manage network create --label=aipu_web --fixed_range_v4=192.168.3.0/28 --num_networks=1 --vlan=300 --bridge=br300 --bridge_interface=eth1 --network_size=16 --multi_host=T --project_id=ee29f5730caa40958bf4812a0fbec3d9

But the result is:

1. The instance admin03 (192.168.2.3, 192.168.21.3, belonging to adminTenant)
could successfully ping aipu01 (192.168.3.3, belonging to aipuTenant) on the
same compute node (NC01, network+compute service).

2. Of course, admin03 could not successfully ping aipu03 (192.168.3.6) on the
other compute node (NC02, network+compute service).

Is there a way or setting to forbid IP communication between the instances of
different tenants in different bridges and VLANs on the same compute node?

Romi
