Re: [Openstack] Routing in connected VMs

Hi Navdeep, To get this to work, you will need to disable port security on the B device’s ports, or at a minimum, modify the allowed-address-pairs on the port to allow the traffic out towards C. Disabling port security is typically the way to go about satisfying this particular use case.

Re: [Openstack] [openstack-dev][openstack] API to get tunnel port connect to other host

Hi Vikash, The VXLAN tunnel endpoint address is listed in the output of a neutron agent-show : $ neutron agent-show cb45e3f8-4a28-475a-994d-83bc27806c38 +-++ | Field | Value |

Re: [Openstack] How Launch to a VM on particular subnet in network.

Hi Amit, You can create a port on a particular subnet using the neutron/openstack CLI, and then boot the instance using the port rather than the network. The difference being nova boot --port-id versus --net-id. James From: Amit Uniyal Date: Friday, April 28, 2017 at

Re: [openstack-dev] [Openstack] [openstack] API to get tunnel port connect to other host

Hi Vikash, The VXLAN tunnel endpoint address is listed in the output of a neutron agent-show : $ neutron agent-show cb45e3f8-4a28-475a-994d-83bc27806c38 +-++ | Field | Value |

Re: [Openstack] [OpenStack]SRIOV VLAN Trunk Support

the VM. > Does OpenStack support SR-IOV VF vlan trunk? If yes, what kind of > configuration is needed? VLAN filtering is the default (and only) behavior supported by Neutron as far as I know. Without modifying the code, you’d be limited to a single VLAN per VF (untagged within the VM). --

Re: [Openstack] [openstack] Tenant/Project resource name spaces does not seem to work

Hi Lars, By default, networks marked as ‘external’ are visible/usable from all projects, even if shared is False. Ordinary networks (non-external) should not be usable or visible from projects other than the one they’re associated with. Neutron RBAC policies can be used to provide granular

Re: [Openstack] running control plane on a vmware VM

Hi Manuel, In my home lab, I run OpenStack control plane nodes on ESXi and compute on bare metal. At a minimum, you'll want to enable 'promiscuous mode' on the virtual switch(es) in VMware to ensure traffic to the Neutron router doesn't get dropped. This link may help:

Re: [Openstack-operators] VXLAN / Tenant Network Issue

Hi Grant, You should have an IP address configured on the br-vxlan interface of each host. - Can you confirm connectivity between the hosts using the IP addresses assigned to br-vxlan? Ping from within the neutron_agents container, as well, since this is ultimately where the Neutron

Re: [Openstack] delete router interface issue

Hi Satish, It’s hard to tell from this output, the port was likely added using the ‘router-gateway-set’ command. Try using the ‘router-gateway-clear ’ command and syntax instead. You can only delete ports with router-interface-delete if they were added with ‘router-interface-add’. -- James

Re: [Openstack] individual floating ips in single vlan

he physical gateway device to the router’s IP address you specified when creating the port, since the router will not SNAT traffic on that interface. It’s a wonky configuration that I don’t really recommend you implement unless you absolutely have to. -- James Denton Network Architect Rackspac

Re: [Openstack] individual floating ips in single vlan

, reducing the total number of IPs available for use as floating IPs. -- James Denton Network Architect Rackspace Private Cloud james.den...@rackspace.com On 9/2/16, 1:26 PM, "Satish Patel" <satish@gmail.com> wrote: Thanks James, I didn't understand your fol

Re: [Openstack] individual floating ips in single vlan

Hi Satish, You can create multiple non-contiguous allocation pools for the external (floating) network, even as small as a single IP address. Keep in mind that the Neutron router will take an IP address from this pool for its ‘qg’ interface. You may want to refrain from enabling DHCP on that

Re: [Openstack] Single router shared between multiple project

Hi Satish, Routers cannot be shared amongst tenants/projects, though the networks attached to those routers *may* be shared with the appropriate RBAC policy in place. The general understanding is that projects create/manage their own networks and routers, and can attach routers to shared

Re: [Openstack] Eternal fixed ip to router interface strange behavior

Hi Satish, Are you using the ‘router-gateway-set’ command? Or the ‘router-interface-add’ command? Based on the behavior you described, it sounds like the latter. If you need to attach the router to the external network, use the ‘router-gateway-set’ command. An IP should be allocated from the

Re: [Openstack-operators] neutron flat network on existing bridge fails

I don’t have the exact steps offhand, but you should be able to create a veth pair manually, attach one end to your existing bridge, and specify the other end in the bridge_mappings section. Make sure you set both ends up using ‘ip link set up’ prior to this. The veth pair will end up linking

Re: [Openstack] neutron, l2population, linuxbridge and multiple ips

Hi Andreas, LinuxBridge w/ VXLAN and l2population was incompatible with allowed-address-pairs, or any case where an IP may be configured on an interface that isn't defined on a port or moves around from VM to VM, for some time. It is more of a limitation of the ARP proxy implementation in the

Re: [Openstack] Multi-Node OpenStack with no VLANs

Hi John, What you are describing is a perfectly valid and common scenario. The segmentation IDs don't really come out of thin air, though. They are defined as a range of IDs in the ML2 or openvswitch agent configuration file depending on the version of OpenStack. There could be a performance

Re: [Openstack] [OpenStack] How to deploy Liberty Neutron with linuxbridge on physical machine having single NIC

Hi Li, Yes, this is absolutely possible. The easiest way would be to create a VLAN interface (e.g. eth0.50) for use as your management/API network as well as your VXLAN VTEP address, or you can create a separate interface for that. You will then use eth0 for your provider bridge interface

Re: [Openstack-operators] [neutron] Interesting networking issue - need help

Hi Chris, >> If I set --router:external=False on the Public net, will that cause Neutron >> to create a purely virtual router based on an instance instead of playing >> games with the hardware NIC? No. It simply means that routers cannot be attached to the network using the router-gateway-set

Re: [Openstack] Neutron Provider Networks Without DHCP

Hi Brent, I managed to do this by creating the port first, and then associating it with the instance: instance0_port0: type: OS::Neutron::Port properties: admin_state_up: true network_id: e0be3064-2011-4d92-b73c-5c4c6825b0c1 security_groups: -

Re: [Openstack] VPNaaS limited to one subnet

I believe this will be addressed in Mitaka: https://bugs.launchpad.net/neutron/+bug/1459423 JD On 3/18/16, 12:15 PM, "iain smith" wrote: >Hi all - > >When using neutron's VPNaaS with the Strongswan back-end, has anyone >come up against the seemingly needless

Re: [openstack-dev] [neutron][dvr]What does table 9 used for in br-tun?

Each DVR router has a unique MAC address that can be found in the Neutron DB in the dvr_host_macs table. Those will MACs will likely match what’s in the flow rules there. This presentation from the Paris summit (Page 19-20) breaks it down in some detail.

Re: [openstack-dev] [neutron][dvr]What does table 9 used for in br-tun?

Err… correction. Each host has a unique MAC, not each router. Sorry! http://assafmuller.com/2015/04/15/distributed-virtual-routing-overview-and-eastwest-routing/ James From: James Denton <james.den...@rackspace.com<mailto:james.den...@rackspace.com>> Reply-To: "OpenStack De

Re: [Openstack] Error when installing RDO

I use a consistent, known working answers file and from time to time Puppet will bomb out on some operation. Simply rerunning Packstack will, in most cases, result in a working installation on the next run. Sometimes it takes three runs, but it gets there. This is using CentOS 7.1 inside a

Re: [openstack-dev] [neutron] - Changing the Neutron default security group rules

My opinion is that the current stance of ‘deny all’ is probably the safest bet for all parties (including users) at this point. It’s been that way for years now, and is a substantial change that may result in little benefit. After all, you’re probably looking at most users removing the default

Re: [openstack-dev] [neutron][fwaas] how a disabled firewall should behave

Hi Takashi, At least in Liberty, with the reference iptables firewall, it looks like setting the admin state of the firewall to DOWN results in traffic hitting only the neutron-l3-agent-fwaas-defau chain. The action there is to DROP all traffic. James On 1/26/16, 4:15 AM, "Takashi

Re: [Openstack] DVR and public IP consumption

Hi, >> You cannot get around each tenant gateway router consuming an extra public >> IP address itself as far as I know. Almost. With DVR, a FIP namespace is created on compute nodes, with one FIP namespace per external network. The FIP namespace owns an IP address from the external provider

Re: [Openstack] [openstack][neutron]external network packets to network node

Hi Akshay, In most cases, you won’t have IP addresses configured on interfaces used by Neutron. The Neutron L2 agents set up or configure the virtual bridges/switches on the host based on the type of network in use (VLAN, FLAT, VXLAN, etc). In many cases, an external provider network may be

Re: [Openstack] [neutron] User documentation for Neutron's Firewall-as-a-Service (FWaaS)?

Old (and undesirable) behavior was to apply the ‘firewall’ with all tenant routers. Using --router allows you to apply the ‘firewall’ with one or more specified routers. IIRC, there’s nothing special needed to utilize this other than to have the FWaaS driver and extension enabled. James >

Re: [Openstack] FWaaS bug (error state on update thing)

As a workaround, maybe you can try putting using firewall-update --admin-state-up after it goes into error state to recover after making the rule change. James > On Nov 6, 2015, at 5:27 AM, Erdősi Péter wrote: > > Hy guys! > > We facing a problem with FWaaS on Kilo release.

Re: [Openstack] Convert from GRE to VLAN

Hi Florian, It is possible, though maybe not for the faint of heart depending on your strategy. You can: 1. Create new VLAN networks using the same subnet CIDRs as the existing GRE networks, then detach existing interfaces and attach new interfaces with the same IPs. You would need to

Re: [Openstack] [Liberty] What happened with "glance image-create --location http://..." ?

Hi Thiago, I'm not sure, but this may be a change from v1 API to v2 API. Here's a bug I found a few months ago that may be related: https://bugs.launchpad.net/python-glanceclient/+bug/1399778 James From: Martinx - ジェームズ Sent:

Re: [Openstack] Openstack Kilo Vxlan tunnel single NIC setup

Hi Amir, A couple of recommendations: - Your vxlan_group setting has an extra dot at the end that may be causing issues: [ml2_type_vxlan] vxlan_group = 239.0.0.0. - Your [OVS] block has some incorrect options. Use underscores rather than spaces: [ovs] bridge_mappings = public:br-ex local_ip =

Re: [Openstack] Mac Address Question

Hi Georgios, You should be able to create a Neutron port with the custom MAC address and boot the instance with that port using --nic port-id rather than --nic net-id. James > On Oct 8, 2015, at 6:43 AM, Georgios Dimitrakakis > wrote: > > Dear all, > > I am wondering

Re: [Openstack] [Openstack-operators] [Neutron][Linuxbridge] Problem with configuring linux bridge agent with vxlan networks

If eth1 is used for the vxlan tunnel end points, it can't also be used in a bridge ala provider_bridge_mappings. You should have a dedicated interface or a vlan interface off eth1 (i.e. Eth1.20) that is dedicated to the overlay traffic. Move the local_ip address to that interface on respective

Re: [Openstack] os-ansible-deployment pip failing in container

Have you tried configuring 172.29.236.100 on br-mgmt in addition to the address that is there? That is the default IP set for internal_lb_vip_address if I’m not mistaken, and is what haproxy will bind to. James > On Sep 11, 2015, at 4:06 PM, Duck Euler wrote: > > >

Re: [Openstack] Neutron add external interface to external router?

in the bridge. If it were a vlan network, Neutron would put eth11.xxx in the bridge instead. James Denton Network Architect Rackspace Private Cloud james.den...@rackspace.com > On Sep 2, 2015, at 12:39 AM, Michael Gale <gale.mich...@gmail.com> wrote: > > Hello, > > I am run

Re: [Openstack] 99.5% of packets are disappearing somewhere between the Linux Bridge (brqxxxxzzzz-yy) and the tap (tapxxxxzzzz-yy).

Hi Thiago, * I can see the untagged packets arriving at brq50b13311-fa, by using tcpdump -eni brq50b13311-fa; Do you mind posting the packet capture from eth3 and the bridge on pastebin? For example, I can not see the string Cisco while running tcpdump -eni brq50b13311-fa | grep -i

Re: [Openstack] 99.5% of packets are disappearing somewhere between the Linux Bridge (brqxxxxzzzz-yy) and the tap (tapxxxxzzzz-yy).

: Thursday, July 9, 2015 8:51 PM To: James Denton Cc: openstack@lists.openstack.org Subject: Re: [Openstack] 99.5% of packets are disappearing somewhere between the Linux Bridge (brq-yy) and the tap (tap-yy). Hello James! On 9 July 2015 at 11:17, James Denton james.den

Re: [Openstack] network question on openstack installation

the vlan range 100-199 network_vlan_ranges = physnet1:775 # Thanks, Yang Sent from my iPhone On Jun 26, 2015, at 8:54 AM, James Denton james.den...@rackspace.com mailto:james.den...@rackspace.com wrote: You can absolutely have instances in the same network span different compute nodes

Re: [Openstack] network question on openstack installation

reside on different compute nodes right? how do I tell which compute node a instance is on? Thanks, Yang On Jun 24, 2015, at 10:27 AM, James Denton james.den...@rackspace.com mailto:james.den...@rackspace.com wrote: Hello. all three nodes will have eth0 on management/api network. since

Re: [Openstack] network question on openstack installation

Hello. all three nodes will have eth0 on management/api network. since I am using ml2 plugin with vlan for tenant network, I think all compute node should have eth1 as the second nic on provider network. Is this correct? I understand provider network is for instance to get external access

Re: [Openstack-operators] doubt about static routes and host routes

Hi Saju, Host routes added to a subnet get pushed to the instances in that subnet via dhcp. A route added to a router via router-create or router-update is added to the routing table within the qrouter namespace and affects all connected subnets/instances. James Sent from my iPhone On

Re: [Openstack-operators] doubt about static routes and host routes

Madhavan +91 09535134654 On Wed, Jun 10, 2015 at 4:52 PM, James Denton james.den...@rackspace.com mailto:james.den...@rackspace.com wrote: Hi Saju, Host routes added to a subnet get pushed to the instances in that subnet via dhcp. A route added to a router via router-create or router

Re: [Openstack-operators] [kolla] Inviting Operators to participate in the specification of a new deployment tool

Hi Steven, Can I ask how Kolla would differ from another project on StackForge known as OpenStack Ansible Deployment (OSAD)? It deploys a production-ready multi-node OpenStack cloud using containers and Ansible, and the team recently released v11 based on Kilo. Hate to see duplication of

Re: [Openstack-operators] [Openstack] Help with multiple external network in openstack

with you. On Sat, Jun 6, 2015 at 5:43 AM, James Denton james.den...@rackspace.commailto:james.den...@rackspace.com wrote: Hi Geo, When configuring multiple provider bridges, try to think of a 1:1 relationship between a provider bridge and a physical interface on the host that connects

Re: [Openstack] Help with multiple external network in openstack

Hi Geo, When configuring multiple provider bridges, try to think of a 1:1 relationship between a provider bridge and a physical interface on the host that connects to a particular switching layer (in many cases). For example: br-eth0 is a bridge containing eth0. Eth0 connects to a switching

Re: [Openstack] Confusion of external network

Hi Wilson, Can you clarify a couple of things here? - Does each tenant have their own router in front of their respective instance? - have you confirmed connectivity to the admin instance from the router namespace? - can you verify the dnat/snat entries for the admin instance exist in

Re: [Openstack] HA for Icehouse Neutron

Hi Janki, The IP address should be from a common network between the hosts. It can be the primary host address (ie. the one you use for management) or it can be an IP from a dedicated network/vlan reserved for tunneled traffic. It’s not routed traffic, so there’s no need to have a gateway if

Re: [Openstack] Documentation for Neutron L3 / VXLAN with LinuxBridge...

should be modified. Thank you in advance! Regards Byeong-Gi KIM 2015-04-21 7:19 GMT+09:00 Martinx - ジェームズ thiagocmarti...@gmail.com mailto:thiagocmarti...@gmail.com: Hi James! On 20 April 2015 at 18:16, James Denton james.den...@rackspace.com mailto:james.den...@rackspace.com

Re: [Openstack] LBaaS on Juno

Hi Christina, Is 131.154.96.28 configured as a floating IP and associated with the LB VIP port? The NAT is configured on the router connected to the VIP network, in this case private_net. Can the router access the VIP 10.0.1.22? I’d start there. James On May 1, 2015, at 4:21 PM, Cristina

Re: [Openstack] Documentation for Neutron L3 / VXLAN with LinuxBridge...

Hi Thiago, VXLAN requires an IP address on each host from which to build the overlay mesh between hosts. Some choose to use a dedicated interface/IP/VLAN for this, but its not required. As for ‘vconfig’ missing - It appears that the 'ip link’ command (iproute2) is being used instead to create

Re: [Openstack] [neutron] how to use multiple external networks?

Hi Mike, With those requirements, I think dual-homing the instances may be the best approach. In my mind, you would have 5 networks: A - External Network 1 B - External Network 2 C - Tenant Network 1 D - Tenant Network 2 E - Shared Tenant Network (No gateway) Because routers can only

Re: [Openstack] Neutron vxlan-setup: new instance does not get the correct network config

Hi Geert, Assuming you're using an Ubuntu instance, what do you see in the /var/lib/dhcp/dhclient.leases file? It may be named dhclient.ethX.leases. In there would be lease information provided by dnsmasq. Is the 'option routers' line there? It may also be helpful to see what dnsmasq is

Re: [Openstack] iptables chain and instance id

I’m not sure, but the X may be arbitrary. You should be able to correlate the nova-compute-inst-X chain to the instance by looking at the 'nova-compute-local’ chain and looking for the fixed IP: -A nova-compute-local -d 10.239.0.11/32 -j nova-compute-inst-25 -A nova-compute-local -d

Re: [Openstack] [neutron]Multiple l3 agents

There used to be a limitation of one external network per agent, which meant some folks ran more than one on the same node. Not needed anymore as agents can now support multiple networks. If you still need to go down that route, have you ensured that each agent is started with its respective

Re: [Openstack] Can not ping the tenant router gateway from host

Hi Mitchell, I am able to ping from router to the router gateway (172.29.105.101) and router to internal tenant gateway (192.168.2.1) You are pinging these IPs within the router namespace, which I would expect to work, as those are the IPs configured on the router’s interfaces. … but still

Re: [Openstack] Can not ping the tenant router gateway from host

​' option in l3_agent.ini plays a part in this as well. The 'net-show' output would help me deduce what your intentions were and go from there. James From: Mitchell Chen mitchell.c...@mediatek.com Sent: Wednesday, March 4, 2015 8:12 PM To: Kevin Benton Cc: James Denton

[openstack-dev] [Heat] Add extraroutes support to neutron routers

, we are routing to another instance off the router. Thanks! — James Denton __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http

Re: [Openstack] [Icehouse][neutron][manto-to-one NAT]

Hi Subbareddy, SNAT, or source NAT, is the ‘many-to-one’ NAT mode you are referring to. Instances that do not have a floating IP will be NAT’d to the IP address of the qg interface of the router. This is akin to a PAT on other firewalls. A floating IP is akin to a static 1-to-1 NAT, and takes

Re: [Openstack] Juno (Ubuntu) Flat Network

Hi Ross, * can I share the br-ex interface or do I need to use a separate physical interface on the network node? Neutron complains loudly when I try to do this, so I suspect the answer is an emphatic NO. If you already have a flat network associated with a provider bridge, you will be

Re: [Openstack] How to reset neutron (to clear leftovers from incorrect configuration)

Hi Uwe, What leads you to believe it’s defective? I think with the right output and config files we can figure out what’s missing. James On Jan 15, 2015, at 3:14 PM, Uwe Sauter uwe.sauter...@gmail.com wrote: Bump Noone to comment on this approach? Am I missing something or is this the

Re: [Openstack] [juno][DVR]

to post them somewhere. James From: Chinasubbareddy M [chinasubbaredd...@persistent.com] Sent: Thursday, January 01, 2015 6:26 PM To: James Denton; openstack@lists.openstack.org Subject: RE: [Openstack] [juno][DVR] Hi James, If I try with out –-name, this is the output

Re: [Openstack] [juno][DVR]

| 00b1617b007d41b7aa777e0c97afdccc | +---+--+ James From: Chinasubbareddy M [chinasubbaredd...@persistent.com] Sent: Wednesday, December 31, 2014 5:06 AM To: James Denton; openstack@lists.openstack.org Subject: RE

Re: [Openstack] [juno][DVR]

Subbareddy, I have been working on this over the last day or so, and have been using the link you sent as reference. It is lacking in a few details, however, I got it to work. A couple of questions: 1. Did you have a working legacy router configuration prior to messing with DVR? 2. Did you

Re: [Openstack] floating ip list shows whole subnet for non-admin user

Try nova floating-ip-list, rather than the nova-manage commands. http://docs.openstack.org/user-guide/content/floating_ips_proc.html My experience is to avoid nova-manage when possible. Much better results using the python-novaclient equivalents. James On Nov 10, 2014, at 8:54 AM, mad

Re: [Openstack] [openstack][icehouse][neutron][floatingip][br-ex]

for my second question that I asked in the mail? If each tenant wants to create their own floating ip networks , what is the best design? From: James Denton [mailto:james.den...@rackspace.com] Sent: Thursday, October 16, 2014 11:12 PM To: Chinasubbareddy M; openstack

Re: [Openstack] [openstack][icehouse][neutron][floatingip][br-ex]

Subbareddy, The external bridge (br-ex), when set, is used only for the external (qg) port of the router AFAIK and does not need to connect to br-int. The internal interface of the router (qr) is connected to the integration bridge. If floating IPs are working ok, and your router is properly

Re: [Openstack] Name Resolution problem (ICEHOUSE)

Hi Amit, Have you tried specifying a name server with dig? Ie. dig domain.com @8.8.8.8 —google DNS Have you confirmed your instances have a resolver configured in /etc/resolv.conf? This usually occurs via DHCP. James From: Amit Anand mr_amitan...@yahoo.commailto:mr_amitan...@yahoo.com

Re: [Openstack] [qa] How to troubleshoot why a VM at Compute node won't response to ARP request from Neutron router

Hi Danny, Did your instance get its IP from DHCP? This may be seen in the console log using ‘nova console-log instance_uuid’. The output will vary depending on the instance's OS. To troubleshoot DHCP issues, use tcpdump across the different interfaces (taps, bridges, physical interfaces) to

Re: [Openstack] NFV in OpenStack

Hi Vijay, For those components to work you need a functional L3 agent and then specific configuration for each service. Do you mind elaborating on what it is you're looking to do or configure? James Denton Network Engineer Rackspace Private Cloud james.den...@rackspace.com Sent from my iPhone

Re: [Openstack] Additional port is created when launch the 1st VM

Hi Danny, If the subnet had DCHP enabled, then that 'extra' port likely belongs to the DHCP namespace. It gets created upon the first boot of an instance in that network. The port will then hang around until the network is deleted. A port-show should show you the owner of the port. James

Re: [Openstack] Ping from Neutron router to VM at Compute Node

connectivity to instances via floating IPs (ie NATs) sourced from the external network. The management network is used for OpenStack service traffic. You can get creative and collapse some of those networks in some cases. James Denton Network Engineer Rackspace Private Cloud james.den

Re: [Openstack] What is the difference between provider network and tenant network?

is defined in tenant_network_type). James From: Danny Choi (dannchoi) dannc...@cisco.commailto:dannc...@cisco.com Date: Friday, October 3, 2014 at 8:16 AM To: James Denton james.den...@rackspace.commailto:james.den...@rackspace.com, openstack@lists.openstack.orgmailto:openstack

Re: [Openstack] why neutron router interfaces are done ?

Which version of OpenStack? If the router is plugged into br-ex and not br-int you may see this condition. Often, an external bridge like br-ex is not properly configured, leading to issues. You might try creating a provider bridge using the ovs-vsctl tool, defining the mapping in the plugin

Re: [Openstack] What is the difference between provider network and tenant network?

Hi Danny, When 'admin' creates a network they are able to specify the following attributes: - provider:network_type (ie. vxlan, gre, vlan, flat, local) - provider:segmentation_id (ie. 802.1q tag, gre key, vxlan vni) - provider:physical_network (ie. provider label of the physical interface -

Re: [Openstack] ssh cirros@floating-ip not working - what can be the possible reason

Hi Masoom, I assume your instance is connected to a tenant network that is attached to a router, and the router is attached to a publicly-accessible network? Are you able to hop into the router via ‘ip netns exec qrouter-x’ and initiate successful pings to the outside world? If that