Hi Navdeep,
To get this to work, you will need to disable port security on the B device’s
ports, or at a minimum, modify the allowed-address-pairs on the port to allow
the traffic out towards C. Disabling port security is typically the way to go
about satisfying this particular use case.
James
Hi Vikash,
The VXLAN tunnel endpoint address is listed in the output of a neutron
agent-show :
$ neutron agent-show cb45e3f8-4a28-475a-994d-83bc27806c38
+-++
| Field | Value |
+
Hi Amit,
You can create a port on a particular subnet using the neutron/openstack CLI,
and then boot the instance using the port rather than the network. The
difference being nova boot --port-id versus --net-id.
James
From: Amit Uniyal
Date: Friday, April 28, 2017 at 4:12 AM
To: openstack
Su
the VM.
> Does OpenStack support SR-IOV VF vlan trunk? If yes, what kind of
> configuration is needed?
VLAN filtering is the default (and only) behavior supported by Neutron as far
as I know. Without modifying the code, you’d be limited to a single VLAN per VF
(untagged within the VM).
--
Hi Lars,
By default, networks marked as ‘external’ are visible/usable from all projects,
even if shared is False. Ordinary networks (non-external) should not be usable
or visible from projects other than the one they’re associated with. Neutron
RBAC policies can be used to provide granular visi
Hi Manuel,
In my home lab, I run OpenStack control plane nodes on ESXi and compute on bare
metal. At a minimum, you'll want to enable 'promiscuous mode' on the virtual
switch(es) in VMware to ensure traffic to the Neutron router doesn't get
dropped.
This link may help:
https://kb.vmware.com
Hi Satish,
It’s hard to tell from this output, the port was likely added using the
‘router-gateway-set’ command. Try using the ‘router-gateway-clear
’ command and syntax instead. You can only delete ports
with router-interface-delete if they were added with ‘router-interface-add’.
--
James
he physical gateway device to the router’s IP address
you specified when creating the port, since the router will not SNAT traffic on
that interface. It’s a wonky configuration that I don’t really recommend you
implement unless you absolutely have to.
--
James Denton
Network Architect
Rackspac
, reducing
the total number of IPs available for use as floating IPs.
--
James Denton
Network Architect
Rackspace Private Cloud
james.den...@rackspace.com
On 9/2/16, 1:26 PM, "Satish Patel" wrote:
Thanks James,
I didn't understand your following statement.
&
Hi Satish,
You can create multiple non-contiguous allocation pools for the external
(floating) network, even as small as a single IP address. Keep in mind that the
Neutron router will take an IP address from this pool for its ‘qg’ interface.
You may want to refrain from enabling DHCP on that su
Hi Satish,
Routers cannot be shared amongst tenants/projects, though the networks attached
to those routers *may* be shared with the appropriate RBAC policy in place. The
general understanding is that projects create/manage their own networks and
routers, and can attach routers to shared extern
Hi Satish,
Are you using the ‘router-gateway-set’ command? Or the ‘router-interface-add’
command? Based on the behavior you described, it sounds like the latter.
If you need to attach the router to the external network, use the
‘router-gateway-set’ command. An IP should be allocated from the po
Hi Andreas,
LinuxBridge w/ VXLAN and l2population was incompatible with
allowed-address-pairs, or any case where an IP may be configured on an
interface that isn't defined on a port or moves around from VM to VM, for some
time. It is more of a limitation of the ARP proxy implementation in the V
Hi John,
What you are describing is a perfectly valid and common scenario. The
segmentation IDs don't really come out of thin air, though. They are defined as
a range of IDs in the ML2 or openvswitch agent configuration file depending on
the version of OpenStack. There could be a performance pe
Hi Li,
Yes, this is absolutely possible. The easiest way would be to create a VLAN
interface (e.g. eth0.50) for use as your management/API network as well as your
VXLAN VTEP address, or you can create a separate interface for that. You will
then use eth0 for your provider bridge interface (e.g.
Hi Brent,
I managed to do this by creating the port first, and then associating it with
the instance:
instance0_port0:
type: OS::Neutron::Port
properties:
admin_state_up: true
network_id: e0be3064-2011-4d92-b73c-5c4c6825b0c1
security_groups:
- 0875fe40-c509-44bf
I believe this will be addressed in Mitaka:
https://bugs.launchpad.net/neutron/+bug/1459423
JD
On 3/18/16, 12:15 PM, "iain smith" wrote:
>Hi all -
>
>When using neutron's VPNaaS with the Strongswan back-end, has anyone
>come up against the seemingly needless limitation whereby the 'Ad
I use a consistent, known working answers file and from time to time Puppet
will bomb out on some operation. Simply rerunning Packstack will, in most
cases, result in a working installation on the next run. Sometimes it takes
three runs, but it gets there. This is using CentOS 7.1 inside a Virt
Hi,
>> You cannot get around each tenant gateway router consuming an extra public
>> IP address itself as far as I know.
Almost. With DVR, a FIP namespace is created on compute nodes, with one FIP
namespace per external network. The FIP namespace owns an IP address from the
external provider n
Hi Akshay,
In most cases, you won’t have IP addresses configured on interfaces used by
Neutron.
The Neutron L2 agents set up or configure the virtual bridges/switches on the
host based on the type of network in use (VLAN, FLAT, VXLAN, etc). In many
cases, an external provider network may be se
Old (and undesirable) behavior was to apply the ‘firewall’ with all tenant
routers.
Using --router allows you to apply the ‘firewall’ with one or more specified
routers.
IIRC, there’s nothing special needed to utilize this other than to have the
FWaaS driver and extension enabled.
James
> On
tcpdump -i gre-mirror1 # <— This is a mirror of the gre port on br-tun
>>
>> On the controller/network node I have the following:
>> 1. tcpdump -i gre-mirror2 # <— Also a gre port mirror on br-tun of
>> controller node
>>
>> I’ve done a few things with this
Hi Tyler,
You might try verifying that the instance properly received its IP address. You
can try using ‘nova console-log ’ to view the console log of the instance.
Look for the cloud-init info. Also, take a look at the syslog of the network
node to see if the DHCP request made it and was ackno
As a workaround, maybe you can try using firewall-update
--admin-state-up after it goes into error state to recover after
making the rule change.
James
> On Nov 6, 2015, at 5:27 AM, Erdősi Péter wrote:
>
> Hy guys!
>
> We facing a problem with FWaaS on Kilo release.
> The problem i
Hi Florian,
It is possible, though maybe not for the faint of heart depending on your
strategy. You can:
1. Create new VLAN networks using the same subnet CIDRs as the existing GRE
networks, then detach existing interfaces and attach new interfaces with the
same IPs. You would need to detach/a
Hi Thiago,
I'm not sure, but this may be a change from v1 API to v2 API. Here's a bug I
found a few months ago that may be related:
https://bugs.launchpad.net/python-glanceclient/+bug/1399778
James
From: Martinx - ジェームズ
Sent: Sunday, October 18, 2015 2:
Hi Amir,
A couple of recommendations:
- Your vxlan_group setting has an extra dot at the end that may be causing
issues:
[ml2_type_vxlan]
vxlan_group = 239.0.0.0.
- Your [OVS] block has some incorrect options. Use underscores rather than
spaces:
[ovs]
bridge_mappings = public:br-ex
local_ip = 1
Hi Georgios,
You should be able to create a Neutron port with the custom MAC address and
boot the instance with that port using --nic port-id rather than --nic net-id.
James
> On Oct 8, 2015, at 6:43 AM, Georgios Dimitrakakis
> wrote:
>
> Dear all,
>
> I am wondering if it's possible to sta
If eth1 is used for the vxlan tunnel end points, it can't also be used in a
bridge a la provider_bridge_mappings. You should have a dedicated interface or a
vlan interface off eth1 (i.e. Eth1.20) that is dedicated to the overlay
traffic. Move the local_ip address to that interface on respective n
Have you tried configuring 172.29.236.100 on br-mgmt in addition to the address
that is there? That is the default IP set for internal_lb_vip_address if I’m
not mistaken, and is what haproxy will bind to.
James
> On Sep 11, 2015, at 4:06 PM, Duck Euler wrote:
>
>
> running os-ansible-deploym
bridge. If it were a vlan
network, Neutron would put eth11.xxx in the bridge instead.
James Denton
Network Architect
Rackspace Private Cloud
james.den...@rackspace.com
> On Sep 2, 2015, at 12:39 AM, Michael Gale wrote:
>
> Hello,
>
> I am running the Kilo release using os-ans
t: Thursday, July 9, 2015 8:51 PM
To: James Denton
Cc: openstack@lists.openstack.org
Subject: Re: [Openstack] 99.5% of packets are disappearing somewhere between
the Linux Bridge (brq-yy) and the tap (tap-yy).
Hello James!
On 9 July 2015 at 11:17, James Denton
mailto:james.den...@
Hi Thiago,
> * I can see the untagged packets arriving at "brq50b13311-fa", by using
> "tcpdump -eni brq50b13311-fa";
Do you mind posting the packet capture from eth3 and the bridge on pastebin?
> For example, I can not see the string "Cisco" while running "tcpdump -eni
> brq50b13311-fa | g
rs=openvswitch
> #
> [ml2_type_vlan]
> # this tells Openstack that the internal name "physnet1" provides the vlan
> range 100-199
> network_vlan_ranges = physnet1:775
> #
>
> Thanks,
> Yang
> Sent from my iPhone
>
> On Jun 26, 2015, at 8:54 AM, &q
eside on different
> compute nodes right? how do I tell which compute node a instance is on?
>
> Thanks,
> Yang
>
>> On Jun 24, 2015, at 10:27 AM, James Denton > <mailto:james.den...@rackspace.com>> wrote:
>>
>> Hello.
>>
>>> all three no
Hello.
> all three nodes will have eth0 on management/api network. since I am using
> ml2 plugin with vlan for tenant network, I think all compute node should have
> eth1 as the second nic on provider network. Is this correct? I understand
> provider network is for instance to get external acc
You should simply be able to add a new subnet to the existing external network
using the subnet-create command:
neutron subnet-create [--all the
normal subnet options]
Caveat: The new subnet will need a respective gateway address, and that IP
should be configured on the external gateway devi
2015 at 5:43 AM, James Denton
mailto:james.den...@rackspace.com>> wrote:
Hi Geo,
When configuring multiple provider bridges, try to think of a 1:1 relationship
between a provider bridge and a physical interface on the host that connects to
a particular switching layer (in many cases). For
Hi Wilson,
Can you clarify a couple of things here?
- Does each tenant have their own router in front of their respective instance?
- have you confirmed connectivity to the admin instance from the router
namespace?
- can you verify the dnat/snat entries for the admin instance exist in iptables
Hi Geo,
When configuring multiple provider bridges, try to think of a 1:1 relationship
between a provider bridge and a physical interface on the host that connects to
a particular switching layer (in many cases). For example:
br-eth0 is a bridge containing eth0. Eth0 connects to a switching
in
hile configuring OVS setting.
> Another question is that I wonder whether configuring
> /etc/sysconfig/network-scripts/ifcfg-ethX.X is needed for VLAN setting.
>
> Best regards
>
> Byeong-Gi KIM
>
> 2015-05-27 5:36 GMT+09:00 James Denton <mailto:james.den...@racksp
Hello.
> Can I configure (let‘s say for a computer node)
> both the tunnel network and the management network on the same interface?
> (with configuring trunk port and two VLANs for this interface). <>
Yes, you can. In this case, the management (primary) interface of the compute
node would be a v
ller
>> core_plugin = ml2 (I think this should be modified but I don't know what
>> parameter indicates Linux Bridge Agent Plugin)
>>
>> 2. /etc/neutron/plugins/ml2/ml2_conf.ini on controller
>> Do I still need to modify this file? I'm confused, because the
Hi Janki,
The IP address should be from a common network between the hosts. It can be the
primary host address (ie. the one you use for management) or it can be an IP
from a dedicated network/vlan reserved for tunneled traffic. It’s not routed
traffic, so there’s no need to have a gateway if yo
Hi Christina,
Is 131.154.96.28 configured as a floating IP and associated with the LB VIP
port? The NAT is configured on the router connected to the VIP network, in this
case private_net. Can the router access the VIP 10.0.1.22? I’d start there.
James
> On May 1, 2015, at 4:21 PM, Cristina A
Hi Thiago,
VXLAN requires an IP address on each host from which to build the overlay mesh
between hosts. Some choose to use a dedicated interface/IP/VLAN for this, but
it's not required.
As for ‘vconfig’ missing - It appears that the 'ip link’ command (iproute2) is
being used instead to create
Hi Geert,
Assuming you're using an Ubuntu instance, what do you see in the
/var/lib/dhcp/dhclient.leases file? It may be named dhclient.ethX.leases. In
there would be lease information provided by dnsmasq. Is the 'option routers'
line there? It may also be helpful to see what dnsmasq is config
Hi Mike,
With those requirements, I think dual-homing the instances may be the best
approach.
In my mind, you would have 5 networks:
A - External Network 1
B - External Network 2
C - Tenant Network 1
D - Tenant Network 2
E - Shared Tenant Network (No gateway)
Because routers can only c
I’m not sure, but the X may be arbitrary. You should be able to correlate the
nova-compute-inst-X chain to the instance by looking at the
'nova-compute-local’ chain and looking for the fixed IP:
-A nova-compute-local -d 10.239.0.11/32 -j nova-compute-inst-25
-A nova-compute-local -d 10.239.0.18/
There used to be a limitation of one external network per agent, which meant
some folks ran more than one on the same node. Not needed anymore as agents can
now support multiple networks.
If you still need to go down that route, have you ensured that each agent is
started with its respective co
VLAN network, there is nothing currently in
place to tag the traffic accordingly, be it OVS or an eth2.x interface in br-ex.
The 'external_network_bridge' option in l3_agent.ini plays a part in this as
well. The 'net-show' output would help me deduce what your intentions were and
g
Hi Mitchell,
>> I am able to ping from router to the router gateway (172.29.105.101) and
>> router to internal tenant gateway (192.168.2.1)
You are pinging these IPs within the router namespace, which I would expect to
work, as those are the IPs configured on the router’s interfaces.
>> … but
Hi Subbareddy,
SNAT, or source NAT, is the ‘many-to-one’ NAT mode you are referring to.
Instances that do not have a floating IP will be NAT’d to the IP address of the
qg interface of the router. This is akin to a PAT on other firewalls.
A floating IP is akin to a static 1-to-1 NAT, and takes p
Hi Uwe,
What leads you to believe it’s defective? I think with the right output and
config files we can figure out what’s missing.
James
> On Jan 15, 2015, at 3:14 PM, Uwe Sauter wrote:
>
> Bump
>
> No one to comment on this approach? Am I missing something or is this the
> proper way to res
Hi Ross,
> * can I share the br-ex interface or do I need to use a separate physical
> interface on the network node? Neutron complains loudly when I try to do
> this, so I suspect the answer is an emphatic NO.
If you already have a flat network associated with a provider bridge, you will
be
ou want to post them
somewhere.
James
From: Chinasubbareddy M [chinasubbaredd...@persistent.com]
Sent: Thursday, January 01, 2015 6:26 PM
To: James Denton; openstack@lists.openstack.org
Subject: RE: [Openstack] [juno][DVR]
Hi James,
If I try with out –-name, this is
| 00b1617b007d41b7aa777e0c97afdccc |
+---+--+
James
From: Chinasubbareddy M [chinasubbaredd...@persistent.com]
Sent: Wednesday, December 31, 2014 5:06 AM
To: James Denton; openstack@lists.openstack.org
Subject: RE
Subbareddy,
I have been working on this over the last day or so, and have been using the
link you sent as reference. It is lacking in a few details, however, I got it
to work.
A couple of questions:
1. Did you have a working legacy router configuration prior to messing with DVR?
2. Did you hav
Try nova floating-ip-list, rather than the nova-manage commands.
http://docs.openstack.org/user-guide/content/floating_ips_proc.html
My experience is to avoid nova-manage when possible. Much better results using
the python-novaclient equivalents.
James
On Nov 10, 2014, at 8:54 AM, mad Engineer
that I asked in the mail?
If each tenant wants to create their own floating ip networks , what is the
best design?
From: James Denton [mailto:james.den...@rackspace.com]
Sent: Thursday, October 16, 2014 11:12 PM
To: Chinasubbareddy M;
openstack@lists.openstack.org<mailto:openstack@lists.open
Subbareddy,
The external bridge (br-ex), when set, is used only for the external (qg) port
of the router AFAIK and does not need to connect to br-int. The internal
interface of the router (qr) is connected to the integration bridge. If
floating IPs are working ok, and your router is properly ro
Hi Amit,
Have you tried specifying a name server with dig? Ie. dig domain.com @8.8.8.8
<—google DNS
Have you confirmed your instances have a resolver configured in
/etc/resolv.conf? This usually occurs via DHCP.
James
From: Amit Anand mailto:mr_amitan...@yahoo.com>>
Reply-To: Amit Anand mailt
Hi Danny,
Did your instance get its IP from DHCP? This may be seen in the console log
using ‘nova console-log ’. The output will vary depending on the
instance's OS. To troubleshoot DHCP issues, use tcpdump across the different
interfaces (taps, bridges, physical interfaces) to verify DHCP is w
Hi Vijay,
For those components to work you need a functional L3 agent and then specific
configuration for each service. Do you mind elaborating on what it is you're
looking to do or configure?
James Denton
Network Engineer
Rackspace Private Cloud
james.den...@rackspace.com
Sent from my i
connectivity to instances
via floating IPs (ie NATs) sourced from the external network.
The management network is used for OpenStack service traffic. You can get
creative and collapse some of those networks in some cases.
James Denton
Network Engineer
Rackspace Private Cloud
james.den...@rackspace.com
Hi Danny,
If the subnet had DHCP enabled, then that 'extra' port likely belongs to the
DHCP namespace. It gets created upon the first boot of an instance in that
network. The port will then hang around until the network is deleted. A
port-show should show you the owner of the po
Hi Chris,
If you’re looking to provide a network to a tenant that is a flat/VLAN network
using an external gateway, you should be able to create the network as an admin
and use --tenant-id in the net-create and subnet-create commands to specify the
ID of the tenant.
James
From: Martinx - ジェームズ
Good deal! Glad you were able to find it.
James
From: b t [905...@gmail.com]
Sent: Friday, October 03, 2014 11:25 PM
To: James Denton
Cc: openstack@lists.openstack.org
Subject: Re: [Openstack] why neutron router interfaces are done ?
just figured out the problem
Which version of OpenStack? If the router is plugged into br-ex and not br-int
you may see this condition. Often, an external bridge like br-ex is not
properly configured, leading to issues. You might try creating a provider
bridge using the ovs-vsctl tool, defining the mapping in the plugin
co
ever is defined in
tenant_network_type).
James
From: "Danny Choi (dannchoi)" mailto:dannc...@cisco.com>>
Date: Friday, October 3, 2014 at 8:16 AM
To: James Denton
mailto:james.den...@rackspace.com>>,
"openstack@lists.openstack.org<mailto:openstack@list
Hi Danny,
When 'admin' creates a network they are able to specify the following
attributes:
- provider:network_type (ie. vxlan, gre, vlan, flat, local)
- provider:segmentation_id (ie. 802.1q tag, gre key, vxlan vni)
- provider:physical_network (ie. provider label of the physical interface -
phy
Hi Masoom,
I assume your instance is connected to a tenant network that is attached to a
router, and the router is attached to a publicly-accessible network? Are you
able to hop into the router via ‘ip netns exec qrouter-x’ and initiate
successful pings to the outside world? If that doesn’t