Re: [Openstack] Reg. NAT
Thanks for the pointer. Will try it out. Vikram On Mon, Mar 20, 2017 at 3:37 PM, John Petriniwrote: > Hi Vikram, > > You may want to look into provider networks. Here's some documentation for > doing so in an Open vSwitch deployment. > > https://docs.openstack.org/liberty/networking-guide/ > scenario-provider-ovs.html > > Provider networks allow you to add existing networks outside of OpenStack > to your cloud. Instances can be attached to these networks directly > therefore bypassing the NAT that's required for floating IP's. > > These networks do not require a virtual router (warning: you can still > create them!) as they rely on existing routing outside of OpenStack. For > this reason they can only be created by an admin and you should also > consider keeping them private and granting access to tenants using RBAC. > > We use them extensively and they work well. We're able to add new networks > as needed by trunking the VLAN of the desired network to the compute and > controller nodes and then creating the new provider type network in > neutron. Providing a segmentation id when creating the network allows Open > vSwitch to tag the traffic with the proper vlan before it leaves the > compute node. > > Regards, > > John Petrini > ___ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Re: [Openstack] Reg. NAT
Hi Vikram, You may want to look into provider networks. Here's some documentation for doing so in an Open vSwitch deployment. https://docs.openstack.org/liberty/networking-guide/scenario-provider-ovs.html Provider networks allow you to add existing networks outside of OpenStack to your cloud. Instances can be attached to these networks directly therefore bypassing the NAT that's required for floating IP's. These networks do not require a virtual router (warning: you can still create them!) as they rely on existing routing outside of OpenStack. For this reason they can only be created by an admin and you should also consider keeping them private and granting access to tenants using RBAC. We use them extensively and they work well. We're able to add new networks as needed by trunking the VLAN of the desired network to the compute and controller nodes and then creating the new provider type network in neutron. Providing a segmentation id when creating the network allows Open vSwitch to tag the traffic with the proper vlan before it leaves the compute node. Regards, John Petrini ___ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
[Openstack] Reg. NAT
Hi All, We are using Openstack Kilo release 1:2015.1.4-0ubuntu2. We are trying to establish transport mode IPSec with one of the VM from outside. We have a floating IP from 172.17/16 network assigned to this VM that has private IP from 10.0/16 network. The IPSec is failing and we are suspecting that the NAT is the culprit. The sender is computing transport header checksum using 172.17.x.y destination but the openstack is changing it to 10.0.x.y network and the checksum is failing. In this release of Openstack, is there a way to disable this nating or any workarounds? Sender side, we cannot disable the checksum. Thanks ___ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack