Hi Navdeep,
To get this to work, you will need to disable port security on the B device’s
ports, or at a minimum, modify the allowed-address-pairs on the port to allow
the traffic out towards C. Disabling port security is typically the way to go
about satisfying this particular use case.
Hi Vikash,
The VXLAN tunnel endpoint address is listed in the output of a neutron
agent-show :
$ neutron agent-show cb45e3f8-4a28-475a-994d-83bc27806c38
+-++
| Field | Value |
Hi Amit,
You can create a port on a particular subnet using the neutron/openstack CLI,
and then boot the instance using the port rather than the network. The
difference being nova boot --port-id versus --net-id.
James
From: Amit Uniyal
Date: Friday, April 28, 2017 at
the VM.
> Does OpenStack support SR-IOV VF vlan trunk? If yes, what kind of
> configuration is needed?
VLAN filtering is the default (and only) behavior supported by Neutron as far
as I know. Without modifying the code, you’d be limited to a single VLAN per VF
(untagged within the VM).
--
Hi Lars,
By default, networks marked as ‘external’ are visible/usable from all projects,
even if shared is False. Ordinary networks (non-external) should not be usable
or visible from projects other than the one they’re associated with. Neutron
RBAC policies can be used to provide granular
Hi Manuel,
In my home lab, I run OpenStack control plane nodes on ESXi and compute on bare
metal. At a minimum, you'll want to enable 'promiscuous mode' on the virtual
switch(es) in VMware to ensure traffic to the Neutron router doesn't get
dropped.
This link may help:
Hi Grant,
You should have an IP address configured on the br-vxlan interface of each host.
- Can you confirm connectivity between the hosts using the IP
addresses assigned to br-vxlan? Ping from within the neutron_agents container,
as well, since this is ultimately where the Neutron
Hi Satish,
It’s hard to tell from this output, the port was likely added using the
‘router-gateway-set’ command. Try using the ‘router-gateway-clear
’ command and syntax instead. You can only delete ports
with router-interface-delete if they were added with ‘router-interface-add’.
--
James
he physical gateway device to the router’s IP address
you specified when creating the port, since the router will not SNAT traffic on
that interface. It’s a wonky configuration that I don’t really recommend you
implement unless you absolutely have to.
--
James Denton
Network Architect
Rackspac
, reducing
the total number of IPs available for use as floating IPs.
--
James Denton
Network Architect
Rackspace Private Cloud
james.den...@rackspace.com
On 9/2/16, 1:26 PM, "Satish Patel" <satish@gmail.com> wrote:
Thanks James,
I didn't understand your fol
Hi Satish,
You can create multiple non-contiguous allocation pools for the external
(floating) network, even as small as a single IP address. Keep in mind that the
Neutron router will take an IP address from this pool for its ‘qg’ interface.
You may want to refrain from enabling DHCP on that
Hi Satish,
Routers cannot be shared amongst tenants/projects, though the networks attached
to those routers *may* be shared with the appropriate RBAC policy in place. The
general understanding is that projects create/manage their own networks and
routers, and can attach routers to shared
Hi Satish,
Are you using the ‘router-gateway-set’ command? Or the ‘router-interface-add’
command? Based on the behavior you described, it sounds like the latter.
If you need to attach the router to the external network, use the
‘router-gateway-set’ command. An IP should be allocated from the
I don’t have the exact steps offhand, but you should be able to create a veth
pair manually, attach one end to your existing bridge, and specify the other
end in the bridge_mappings section. Make sure you set both ends up using ‘ip
link set up’ prior to this. The veth pair will end up linking
Hi Andreas,
LinuxBridge w/ VXLAN and l2population was incompatible with
allowed-address-pairs, or any case where an IP may be configured on an
interface that isn't defined on a port or moves around from VM to VM, for some
time. It is more of a limitation of the ARP proxy implementation in the
Hi John,
What you are describing is a perfectly valid and common scenario. The
segmentation IDs don't really come out of thin air, though. They are defined as
a range of IDs in the ML2 or openvswitch agent configuration file depending on
the version of OpenStack. There could be a performance
Hi Li,
Yes, this is absolutely possible. The easiest way would be to create a VLAN
interface (e.g. eth0.50) for use as your management/API network as well as your
VXLAN VTEP address, or you can create a separate interface for that. You will
then use eth0 for your provider bridge interface
Hi Chris,
>> If I set --router:external=False on the Public net, will that cause Neutron
>> to create a purely virtual router based on an instance instead of playing
>> games with the hardware NIC?
No. It simply means that routers cannot be attached to the network using the
router-gateway-set
Hi Brent,
I managed to do this by creating the port first, and then associating it with
the instance:
instance0_port0:
  type: OS::Neutron::Port
  properties:
    admin_state_up: true
    network_id: e0be3064-2011-4d92-b73c-5c4c6825b0c1
    security_groups:
      -
I believe this will be addressed in Mitaka:
https://bugs.launchpad.net/neutron/+bug/1459423
JD
On 3/18/16, 12:15 PM, "iain smith" wrote:
>Hi all -
>
>When using neutron's VPNaaS with the Strongswan back-end, has anyone
>come up against the seemingly needless
Each DVR router has a unique MAC address that can be found in the Neutron DB in
the dvr_host_macs table. Those MACs will likely match what’s in the flow
rules there.
This presentation from the Paris summit (Page 19-20) breaks it down in some
detail.
Err… correction. Each host has a unique MAC, not each router. Sorry!
http://assafmuller.com/2015/04/15/distributed-virtual-routing-overview-and-eastwest-routing/
James
From: James Denton
<james.den...@rackspace.com<mailto:james.den...@rackspace.com>>
Reply-To: "OpenStack De
I use a consistent, known working answers file and from time to time Puppet
will bomb out on some operation. Simply rerunning Packstack will, in most
cases, result in a working installation on the next run. Sometimes it takes
three runs, but it gets there. This is using CentOS 7.1 inside a
My opinion is that the current stance of ‘deny all’ is probably the safest bet
for all parties (including users) at this point. It’s been that way for years
now, and is a substantial change that may result in little benefit. After all,
you’re probably looking at most users removing the default
Hi Takashi,
At least in Liberty, with the reference iptables firewall, it looks like
setting the admin state of the firewall to DOWN results in traffic hitting only
the neutron-l3-agent-fwaas-defau chain. The action there is to DROP all traffic.
James
On 1/26/16, 4:15 AM, "Takashi
Hi,
>> You cannot get around each tenant gateway router consuming an extra public
>> IP address itself as far as I know.
Almost. With DVR, a FIP namespace is created on compute nodes, with one FIP
namespace per external network. The FIP namespace owns an IP address from the
external provider
Hi Akshay,
In most cases, you won’t have IP addresses configured on interfaces used by
Neutron.
The Neutron L2 agents set up or configure the virtual bridges/switches on the
host based on the type of network in use (VLAN, FLAT, VXLAN, etc). In many
cases, an external provider network may be
Old (and undesirable) behavior was to apply the ‘firewall’ with all tenant
routers.
Using --router allows you to apply the ‘firewall’ with one or more specified
routers.
IIRC, there’s nothing special needed to utilize this other than to have the
FWaaS driver and extension enabled.
James
>
As a workaround, maybe you can try using firewall-update
--admin-state-up after it goes into error state to recover after
making the rule change.
James
> On Nov 6, 2015, at 5:27 AM, Erdősi Péter wrote:
>
> Hy guys!
>
> We facing a problem with FWaaS on Kilo release.
Hi Florian,
It is possible, though maybe not for the faint of heart depending on your
strategy. You can:
1. Create new VLAN networks using the same subnet CIDRs as the existing GRE
networks, then detach existing interfaces and attach new interfaces with the
same IPs. You would need to
Hi Thiago,
I'm not sure, but this may be a change from v1 API to v2 API. Here's a bug I
found a few months ago that may be related:
https://bugs.launchpad.net/python-glanceclient/+bug/1399778
James
From: Martinx - ジェームズ
Sent:
Hi Amir,
A couple of recommendations:
- Your vxlan_group setting has an extra dot at the end that may be causing
issues:
[ml2_type_vxlan]
vxlan_group = 239.0.0.0.
- Your [OVS] block has some incorrect options. Use underscores rather than
spaces:
[ovs]
bridge_mappings = public:br-ex
local_ip =
Hi Georgios,
You should be able to create a Neutron port with the custom MAC address and
boot the instance with that port using --nic port-id rather than --nic net-id.
James
> On Oct 8, 2015, at 6:43 AM, Georgios Dimitrakakis
> wrote:
>
> Dear all,
>
> I am wondering
If eth1 is used for the vxlan tunnel end points, it can't also be used in a
bridge ala provider_bridge_mappings. You should have a dedicated interface or a
vlan interface off eth1 (i.e. eth1.20) that is dedicated to the overlay
traffic. Move the local_ip address to that interface on respective
Have you tried configuring 172.29.236.100 on br-mgmt in addition to the address
that is there? That is the default IP set for internal_lb_vip_address if I’m
not mistaken, and is what haproxy will bind to.
James
> On Sep 11, 2015, at 4:06 PM, Duck Euler wrote:
>
>
>
in the bridge. If it were a vlan
network, Neutron would put eth11.xxx in the bridge instead.
James Denton
Network Architect
Rackspace Private Cloud
james.den...@rackspace.com
> On Sep 2, 2015, at 12:39 AM, Michael Gale <gale.mich...@gmail.com> wrote:
>
> Hello,
>
> I am run
Hi Thiago,
* I can see the untagged packets arriving at brq50b13311-fa, by using
tcpdump -eni brq50b13311-fa;
Do you mind posting the packet capture from eth3 and the bridge on pastebin?
For example, I cannot see the string Cisco while running tcpdump -eni
brq50b13311-fa | grep -i
: Thursday, July 9, 2015 8:51 PM
To: James Denton
Cc: openstack@lists.openstack.org
Subject: Re: [Openstack] 99.5% of packets are disappearing somewhere between
the Linux Bridge (brq-yy) and the tap (tap-yy).
Hello James!
On 9 July 2015 at 11:17, James Denton
james.den
the vlan
range 100-199
network_vlan_ranges = physnet1:775
#
Thanks,
Yang
Sent from my iPhone
On Jun 26, 2015, at 8:54 AM, James Denton james.den...@rackspace.com
mailto:james.den...@rackspace.com wrote:
You can absolutely have instances in the same network span different compute
nodes
reside on different
compute nodes right? how do I tell which compute node a instance is on?
Thanks,
Yang
On Jun 24, 2015, at 10:27 AM, James Denton james.den...@rackspace.com
mailto:james.den...@rackspace.com wrote:
Hello.
all three nodes will have eth0 on management/api network. since
Hello.
all three nodes will have eth0 on management/api network. since I am using
ml2 plugin with vlan for tenant network, I think all compute node should have
eth1 as the second nic on provider network. Is this correct? I understand
provider network is for instance to get external access
Hi Saju,
Host routes added to a subnet get pushed to the instances in that subnet via
dhcp.
A route added to a router via router-create or router-update is added to the
routing table within the qrouter namespace and affects all connected
subnets/instances.
James
Sent from my iPhone
On
Madhavan
+91 09535134654
On Wed, Jun 10, 2015 at 4:52 PM, James Denton james.den...@rackspace.com
mailto:james.den...@rackspace.com wrote:
Hi Saju,
Host routes added to a subnet get pushed to the instances in that subnet via
dhcp.
A route added to a router via router-create or router
Hi Steven,
Can I ask how Kolla would differ from another project on StackForge known as
OpenStack Ansible Deployment (OSAD)? It deploys a production-ready multi-node
OpenStack cloud using containers and Ansible, and the team recently released
v11 based on Kilo. Hate to see duplication of
with you.
On Sat, Jun 6, 2015 at 5:43 AM, James Denton
james.den...@rackspace.commailto:james.den...@rackspace.com wrote:
Hi Geo,
When configuring multiple provider bridges, try to think of a 1:1 relationship
between a provider bridge and a physical interface on the host that connects
Hi Geo,
When configuring multiple provider bridges, try to think of a 1:1 relationship
between a provider bridge and a physical interface on the host that connects to
a particular switching layer (in many cases). For example:
br-eth0 is a bridge containing eth0. Eth0 connects to a switching
Hi Wilson,
Can you clarify a couple of things here?
- Does each tenant have their own router in front of their respective instance?
- have you confirmed connectivity to the admin instance from the router
namespace?
- can you verify the dnat/snat entries for the admin instance exist in
Hi Janki,
The IP address should be from a common network between the hosts. It can be the
primary host address (ie. the one you use for management) or it can be an IP
from a dedicated network/vlan reserved for tunneled traffic. It’s not routed
traffic, so there’s no need to have a gateway if
should be modified.
Thank you in advance!
Regards
Byeong-Gi KIM
2015-04-21 7:19 GMT+09:00 Martinx - ジェームズ thiagocmarti...@gmail.com
mailto:thiagocmarti...@gmail.com:
Hi James!
On 20 April 2015 at 18:16, James Denton james.den...@rackspace.com
mailto:james.den...@rackspace.com
Hi Christina,
Is 131.154.96.28 configured as a floating IP and associated with the LB VIP
port? The NAT is configured on the router connected to the VIP network, in this
case private_net. Can the router access the VIP 10.0.1.22? I’d start there.
James
On May 1, 2015, at 4:21 PM, Cristina
Hi Thiago,
VXLAN requires an IP address on each host from which to build the overlay mesh
between hosts. Some choose to use a dedicated interface/IP/VLAN for this, but
it's not required.
As for ‘vconfig’ missing - it appears that the ‘ip link’ command (iproute2) is
being used instead to create
Hi Mike,
With those requirements, I think dual-homing the instances may be the best
approach.
In my mind, you would have 5 networks:
A - External Network 1
B - External Network 2
C - Tenant Network 1
D - Tenant Network 2
E - Shared Tenant Network (No gateway)
Because routers can only
Hi Geert,
Assuming you're using an Ubuntu instance, what do you see in the
/var/lib/dhcp/dhclient.leases file? It may be named dhclient.ethX.leases. In
there would be lease information provided by dnsmasq. Is the 'option routers'
line there? It may also be helpful to see what dnsmasq is
I’m not sure, but the X may be arbitrary. You should be able to correlate the
nova-compute-inst-X chain to the instance by looking at the
'nova-compute-local’ chain and looking for the fixed IP:
-A nova-compute-local -d 10.239.0.11/32 -j nova-compute-inst-25
-A nova-compute-local -d
There used to be a limitation of one external network per agent, which meant
some folks ran more than one on the same node. Not needed anymore as agents can
now support multiple networks.
If you still need to go down that route, have you ensured that each agent is
started with its respective
Hi Mitchell,
I am able to ping from router to the router gateway (172.29.105.101) and
router to internal tenant gateway (192.168.2.1)
You are pinging these IPs within the router namespace, which I would expect to
work, as those are the IPs configured on the router’s interfaces.
… but still
' option in l3_agent.ini plays a part in this as
well. The 'net-show' output would help me deduce what your intentions were and
go from there.
James
From: Mitchell Chen mitchell.c...@mediatek.com
Sent: Wednesday, March 4, 2015 8:12 PM
To: Kevin Benton
Cc: James Denton
, we are routing to another
instance off the router.
Thanks!
—
James Denton
OpenStack Development Mailing List (not for usage questions)
Hi Subbareddy,
SNAT, or source NAT, is the ‘many-to-one’ NAT mode you are referring to.
Instances that do not have a floating IP will be NAT’d to the IP address of the
qg interface of the router. This is akin to a PAT on other firewalls.
A floating IP is akin to a static 1-to-1 NAT, and takes
Hi Ross,
* can I share the br-ex interface or do I need to use a separate physical
interface on the network node? Neutron complains loudly when I try to do
this, so I suspect the answer is an emphatic NO.
If you already have a flat network associated with a provider bridge, you will
be
Hi Uwe,
What leads you to believe it’s defective? I think with the right output and
config files we can figure out what’s missing.
James
On Jan 15, 2015, at 3:14 PM, Uwe Sauter uwe.sauter...@gmail.com wrote:
Bump
No one to comment on this approach? Am I missing something or is this the
to post them
somewhere.
James
From: Chinasubbareddy M [chinasubbaredd...@persistent.com]
Sent: Thursday, January 01, 2015 6:26 PM
To: James Denton; openstack@lists.openstack.org
Subject: RE: [Openstack] [juno][DVR]
Hi James,
If I try without --name, this is the output
| 00b1617b007d41b7aa777e0c97afdccc |
+---+--+
James
From: Chinasubbareddy M [chinasubbaredd...@persistent.com]
Sent: Wednesday, December 31, 2014 5:06 AM
To: James Denton; openstack@lists.openstack.org
Subject: RE
Subbareddy,
I have been working on this over the last day or so, and have been using the
link you sent as reference. It is lacking in a few details, however, I got it
to work.
A couple of questions:
1. Did you have a working legacy router configuration prior to messing with DVR?
2. Did you
Try nova floating-ip-list, rather than the nova-manage commands.
http://docs.openstack.org/user-guide/content/floating_ips_proc.html
My experience is to avoid nova-manage when possible. Much better results using
the python-novaclient equivalents.
James
On Nov 10, 2014, at 8:54 AM, mad
for my second question that I asked in the mail?
If each tenant wants to create their own floating ip networks , what is the
best design?
From: James Denton [mailto:james.den...@rackspace.com]
Sent: Thursday, October 16, 2014 11:12 PM
To: Chinasubbareddy M;
openstack
Subbareddy,
The external bridge (br-ex), when set, is used only for the external (qg) port
of the router AFAIK and does not need to connect to br-int. The internal
interface of the router (qr) is connected to the integration bridge. If
floating IPs are working ok, and your router is properly
Hi Amit,
Have you tried specifying a name server with dig? i.e. dig domain.com @8.8.8.8
(Google DNS)
Have you confirmed your instances have a resolver configured in
/etc/resolv.conf? This usually occurs via DHCP.
James
From: Amit Anand mr_amitan...@yahoo.commailto:mr_amitan...@yahoo.com
Hi Danny,
Did your instance get its IP from DHCP? This may be seen in the console log
using ‘nova console-log instance_uuid’. The output will vary depending on the
instance's OS. To troubleshoot DHCP issues, use tcpdump across the different
interfaces (taps, bridges, physical interfaces) to
Hi Vijay,
For those components to work you need a functional L3 agent and then specific
configuration for each service. Do you mind elaborating on what it is you're
looking to do or configure?
James Denton
Network Engineer
Rackspace Private Cloud
james.den...@rackspace.com
Sent from my iPhone
Hi Danny,
If the subnet had DHCP enabled, then that 'extra' port likely belongs to the
DHCP namespace. It gets created upon the first boot of an instance in that
network. The port will then hang around until the network is deleted. A
port-show should show you the owner of the port.
James
connectivity to instances
via floating IPs (ie NATs) sourced from the external network.
The management network is used for OpenStack service traffic. You can get
creative and collapse some of those networks in some cases.
James Denton
Network Engineer
Rackspace Private Cloud
james.den
is defined in
tenant_network_type).
James
From: Danny Choi (dannchoi) dannc...@cisco.commailto:dannc...@cisco.com
Date: Friday, October 3, 2014 at 8:16 AM
To: James Denton
james.den...@rackspace.commailto:james.den...@rackspace.com,
openstack@lists.openstack.orgmailto:openstack
Which version of OpenStack? If the router is plugged into br-ex and not br-int
you may see this condition. Often, an external bridge like br-ex is not
properly configured, leading to issues. You might try creating a provider
bridge using the ovs-vsctl tool, defining the mapping in the plugin
Hi Danny,
When 'admin' creates a network they are able to specify the following
attributes:
- provider:network_type (ie. vxlan, gre, vlan, flat, local)
- provider:segmentation_id (ie. 802.1q tag, gre key, vxlan vni)
- provider:physical_network (ie. provider label of the physical interface -
Hi Masoom,
I assume your instance is connected to a tenant network that is attached to a
router, and the router is attached to a publicly-accessible network? Are you
able to hop into the router via ‘ip netns exec qrouter-x’ and initiate
successful pings to the outside world? If that