Yves Fauser OpenStack Networking

7/25/2019 Yves Fauser OpenStack Networking

1/61

!"#$%&'() +#&,-.)/$0!"#$"%#& () *+# ,#*&($-%,. /+011#,.#2 0,3 2(145(,2 %, !6#,7*0/-

8"#2 9042#$

:#*&($- ;%$*401%($? 7@2*#? A,.%,##$ B ;C&0$#

!7DE FGHIJ K#$1%,J GLMHGNGI


2/61

23# "#.4#(& 5&-.6

+O6PQQ#,N&%-%6#3%0N($.Q&%-%Q9%1#PR4$$%/0,#ST20U#1S)$(?ST77NV6.


3/61

23# "#.4#(& 5&-.6

!"

;#$@ )#0*4$# $%/+ "7&%*/+ WX4,,#1%,.J Y(7J

?(,%*($%,. Z ?0,0.#?#,*J 04*(?0*#3 /(,*$(1

*+$(4.+ !6#,91(& 0,3 !;7DK[

=0$* () *+# \%,4] ^#$,#1 2%,/# _N_

!"

!6#,91(& 0,3 !;7DK W`9E aGIa[ %2 42#3

U#*#, !6#,;7&%*/+ 0,3 #]*#$,01 /(,*$(11#$2

:4?#$(42 !6#,7(4$/# 0,3 E(??#$/%01

/(,*$(11#$2 #?#$.#3 %, *+# 102* @#0$2

A]0?61#2b :!cJ K#0/(,J 91((31%.+*J

!6#,D0@\%.+*J ;C&0$# :7cJ K%. E(,*$(11#$J :AE

#*/N

!"

!6#,7*0/- 3$%"#2 *+# ,##3 )($ d#]%U1# 0,3 )02*

,#*&($- 3#61(@?#,* ?(3#12

X+# !6#,7*0/- :#4*$(, =$(V#/* (e#$2 0 ,#*&($-

0U2*$0/5(, *+0* #,0U1#2 !6#,7(4$/# =$(V#/*2

0,3 /(??#$/%01 %?61#?#,*05(,2 *( %,,("0*#

&%*+ 0,3 )($ !6#,7*0/-


4/61

!"#$ 7%,/&(3


5/61

!"#$ 7%,/&(3 8#'&9.#5 75: ;/$9./?0#

$%&'()% *+%, -./0'12 30,(4 5)067%

CfE \#0$,%,. K$%3.# c c

;\f: 2466($* WLGFNHY[ c W,05"# %, !;7[ 42%,. g"10,h

7*05/ \%,- f..$#.05(, W\fi[ c W,05"# %, !;7[ 42%,. g%)#,210"#h

D@,0?%/ \%,- f..$#.05(, W\fE=[ c W,05"# %, !;7[ 42%,. g%)#,210"#h

7466($* )($ CfEM%,MT= #,/0624105(, Wi`AJ ;c\f:J j[ c W,05"# %, !;7[ ;c\f: 2466($*

%, _Na ^#$,#1 k

%6$(4*#FX$0l/ /06*4$%,. Q 7=f: W`7=f: &%*+ #,/06N %,*( i`A[ c W,05"# %, !;7[ m2%,. 03"0,/#3

*$0l/ /(,*$(1

91(& ?(,%*($%,. W:#*91(&J 291(&J T=9TcJ j[ c W,05"# %, !;7[ #N.N 42%,.

%6*S,#>1(&

A]*#$,01 ?0,0.#?#,* %,*#$)0/#2 W!6#,91(& Z !;7DK[ c

C41561#MX0U1# )($&0$3%,. 6%6#1%,# &%*+ d(&M/0/+%,. #,.%,# c

=#$)($?0,/# %?6$("#?#,*2 W#N.N `77 7466($*[ c

+O6PQQ(6#,"2&%*/+N($.Q)#0*4$#2Q

+O62PQQ.%*+4UN/(?Q+(?#&($-Q(6#,"2&%*/+QU1(UQ?02*#$QnR8M!;7


6/61

8)9'(, :;?

!"#$ 7%,/&(3 @!A%B

E(,o.4$05(, D0*0

T,*#$)0/#

W("23UJ E\TJ j[

91(& D0*0 T,*#$)0/#

W!6#,91(&J E\TJ j

U)&,>+


7/61

5)9K :;


8/61

D-66-$ 6/5(-$(#"E-$5 ,/&3 .#0'.?5 &-(-$&.-CC#.5

! C%2/(,/#65(, H[

X$0l/ &%11 d(& *+$(4.+ *+# /(,*$(11#$ /142*#$J 4,51 0 26#/%o/ d(& %2 %,2*011#3 %, *+# 2&%*/+*+$(4.+ !6#,91(&

! T* 3#6#,32p

! C(2* 0$/+%*#/*4$#2 3(,h* 2#,3 0,@ *$0l/ *( *+# /(,*$(11#$

W#N.N ;C&0$# :7c 3(#2,h* 3( %*[

!

T, 2(?# 0$/+%*#/*4$#2J &+#$# 033$#22 260/# %2 1%?%*#3 W#N.N EfCQXEfC %, 1(& #,3 X(`7&%*/+#2[J *+# /(,*$(11#$ .#*2 *+# o$2* )#& 30*0 60/-#*2J 0,3 *+#, %,2*0112 0 d(& %, *+#

R0$3&0$#N X+%2 %2 424011@ ,(* *+# /02# &+#, /(,*$(11%,. !;7J 02 !;7 +(132 *+# X0U1#2 %,*+# R@6#$"%2($2 C#?($@ W0,3 *+#$# %2 61#,*@p[

! C%2/(,/#65(, F[X+# /(,*$(11#$ %2 0 2%,.1# 6(%,* () )0%14$#

!

E(,*$(11#$2 0$# 424011@ 3#61(@#3 02 2/01# (4* /142*#$2! D#6#,3%,. (, *+# /+(2#, 0$/+%*#/*4$#J #"#, 0 /(?61#*# /(,*$(11#$ /142*#$ (4*0.#

3(#2,h* 0e#/* *$0l/ )($&0$3%,.


9/61

!"#$8C-, '$? D-$&.-CC#.F'5#? +#&,-.)5


10/61

G9CE"C# /$('.$'E-$5 -4 %H+

7( &+0* %2 7D:q T* 3#6#,32 (, *+# $# @(4 2*0,3p

+O6PQQ461(03N&%-%?#3%0N($.Q&%-%6#3%0Q/(??(,2Q)Q)LQK1%,3S?#,S0,3S#1#6+0,*_NV6.


11/61

R&'& +=&,%

R0$3&0$# 26#/%o/

K(4,3 U@ f7TEQXEfC 1%?%*2 %, 6+@2%/01 3#"%/#2

O


12/61

R&'& +=&,%

R0$3&0$# 26#/%o/

K(4,3 U@ f7TEQXEfC 1%?%*2 %, 6+@2%/01 3#"%/#2

O


13/61

%H+ D-$&.-CC#.5 L;'$?5('"#M @/$(-6"C# C/5&B!"#$%&'()# +&$,(&--#(. +&//#()01- +&$,(&--#(.

Ekk 0,3 =+@*+(,

/(,*$(11#$2 (6#, 2(4$/#3U@ :%/%$0

:!c &02 *+# o$2*

/(,*$(11#$ %, *+# g?0$-#*h+O6PQQ&&&N,(]$#6(N($.

E(??#$/%01 /(,5,405(, ()

:!c &%*+ 0 )(/42 (,r:#*&($- "%$*401%


14/61

+#&,-.) A/.&9'C/N'E-$O

'$ L%H+ P""C/('E-$M


15/61

What are the key components of network virtualization?


16/61

+#&,-.) A/.&9'C/N'E-$ J P (3$/('C ?#I$/E-$

:#*&($- "%$*401%


17/61

!"#$%&'() Q.-R#(&5 S+#&,-.)/$0


18/61

%-6# -4 &3# T$.'? @')' UD-.#VB ".-R#(&5

T?0.#

$#6(

W.10,/#[

!UV#/*

7*($0.#

W7&%x[

:#*&($-

W:#4*$(,[

K1(/-

7*($0.#

W/%,3#$[

T3#,5*@

W-#@2*(,#[

D02+U(0$3

W+($%


19/61

!"#$%&'() +#&,-.)/$0 F#4-.# +#9&.-$

nova-api(OS,EC2,Admin)

nova-console(vnc/vmrc)

nova-compute

NovaDB

nova-scheduler

nova-consoleauth

Hypervisor(KVM, Xen,

etc.)

Queue

nova-cert

\%U"%$*J c#,f=TJ #*/N

nova-metadata

! :("0 +02 %*2 (&, ,#*&($-%,. 2#$"%/# y

,("0M,#*&($-N T* &02 42#3 U#)($# :#4*$(,

!

:("0M,#*&($- %2 2511 6$#2#,* *(30@J0,3 /0, U# 42#3 %,2*#03 () :#4*$(,

nova-network

nova-volume

Network-Providers

(Linux-Bridge or OVS with

brcompat, dnsmasq, IPTables)

Volume-Provider(iSCSI, LVM, etc.)

!

:("0M,#*&($- 3(#2 M

! U02# \F ,#*&($- 6$("%2%(,%,.

*+$(4.+ \%,4] K$%3.# WU$/*1[

!

T= f33$#22 ?0,0.#?#,* )($

X#,0,*2 W%, 7Y\ DK[! /(,o.4$# DRE= 0,3 D:7 #,*$%#2 %,

3,2?02t

! /(,o.4$# )&M6(1%/%#2 0,3 :fX %,

T=X0U1#2 W,("0M/(?64*#[

!

:("0M,#*&($- (,1@ -,(&2 _ U02%/ :#*&($-MC(3#12b

!

910* Z 910* DRE= y 3%$#/* U$%3.%,. () T,2*0,/# *( #]*#$,01 #*+N T,*#$)0/#

&%*+ 0,3 &Q( DRE=

! ;\f: U02#3 y A"#$@ *#,0,* .#*2 0 ;\f:J DRE= #,0U1#3

T,26%$#3 U@


20/61

+-7'=+#&,-.)/$0 J H.',F'()5 &3'&C#'? &- ?#7#C-" +#9&.-$

! :("0M:#*&($-%,. %2 ?%22%,. 0, 3#o,#3 f=T )($ /(,24?%,. ,#*&($-%,. 2#$"%/#2W*#,0,* f=T )($ 3#o,#3 *(6(1(.%#2 0,3 033$#22#2[

! :("0M:#*&($-%,. (,1@ 011(&2 )($ *+# _ 2%?61# ?(3#12b910*J 910*QDRE= 0,3 ;\f:QDRE=J 011 () *+(2# 0$# 1%?%*#3 %, 2/01# 0,3 d#]%U%1%*@ y#N.N ?0]N IGwI ;\f: TD 1%?%*

!

E1(2#3 2(145(,b :( 0U%1%*@ *( 42# ,#*&($- 2#$"%/#2 )$(? _$360$5#2 0,3Q($*( %,*#.$0*# &%*+ :#*&($- "#,3($2 ($ ("#$/(?# *+# 1%?%*05(,2 () :("0M:#*&($-

! :( 2466($* )($P

! f3"0,/#3 !6#, "7&%*/+ )#0*4$#2 1%-# :#*&($- ;%$*401%


21/61

!"#$%&'() +#9&.-$ J QC90/$ D-$(#"&

Neutron

Core API

Neutron Service (Server)

\F ,#*&($- 0U2*$0/5(, 3#o,%5(, 0,3 ?0,0.#?#,*J T= 033$#22

?0,0.#?#,*

D#"%/# 0,3 2#$"%/# 0O0/+?#,* )$0?#&($-

D(#2 :!X 3( 0,@ 0/*401 %?61#?#,*05(, () 0U2*$0/5(,

Plugin API

Vendor/User Plugin

C062 0U2*$0/5(, *( %?61#?#,*05(, (, *+# :#*&($- W!"#$10@ #N.N :7c ($ 6+@2%/01 :#*&($-[ C0-#2 011 3#/%2%(,2 0U(4* z+(&z 0 ,#*&($- %2 *( U# %?61#?#,*#3

E0, 6$("%3# 033%5(,01 )#0*4$#2 *+$(4.+ f=T #]*#,2%(,2N

A]*#,2%(,2 /0, #%*+#$ U# .#,#$%/ W#N.N \_ `(4*#$ Q :fX[J ($ ;#,3($ 76#/%o/

Neutron

API Extension

A]*#,2%(, f=T

%?61#?#,*05(, %2

(65(,01

D-.# '$? 5#.7/(# "C90/$5


22/61

D-.# '$? 5#.7/(# "C90/$5! E($# 614.%, %?61#?#,* *+# r/($#s :#4*$(, f=T )4,/5(,2

W1F :#*&($-%,.J T=fCJ j[

!

7#$"%/# 614.%,2 %?61#?#,*2 033%5(,01 ,#*&($- 2#$"%/#2W1_ $(45,.J \(03 K010,/%,.J 9%$#&011J ;=:[

! T?61#?#,*05(,2 ?%.+* /+((2# *( %?61#?#,* $#1#"0,* #]*#,2%(,2 %, *+# E($# 614.%,

%*2#1)

NeutronCore API

Function

Core L3 FW Core L3 FW Core L3 FW

Plugin

Core PluginCore

Plugin

FWplugin

Core

Plugin

FW

plugin

L3

plugin

!"#$%&'() +#9&.-$ QC90/$ C-('E-$5


23/61

!"#$%&'() +#9&.-$ J QC90/$ C-('E-$5

# cat /etc/neutron/neutron.conf | grep "core_plugin"core_plugin= neutron.plugins.ml2.plugin.Ml2Plugin

# cat /etc/neutron/neutron.conf | grep "service_pluginsservice_plugins= neutron.services.l3_router.l3_router_plugin.L3RouterPlugin

# ls /usr/share/pyshared/neutron/plugins/

bigswitch cisco embrane__init__.py metapluginml2 nec openvswitch ryu

brocade common hyperv linuxbridgemidonet mlnx nicira plumgrid

# ls /usr/share/pyshared/neutron/services/firewall __init__.py l3_router loadbalancermetering provider_configuration.pyservice_base.py vpn

!"#$%&'() +#9&.-$ G-?9C'. QC90/$5


24/61

!"#$%&'() +#9&.-$ J G-?9C'. QC90/$5! K#)($# *+# ?(3410$ 614.%, WC\F[J #"#$@ *#0? ($ "#,3($ +03 *( %?61#?#,* 0

/(?61#*# 614.%, %,/143%,. T=fCJ DK f//#22J #*/N

! X+# C\F =14.%, 2#60$0*#2 /($# )4,/5(,2 1%-# T=fCJ "%$*401 ,#*&($- %3 ?0,0.#?#,*J

#*/N )$(? "#,3($Q%?61#?#,*05(, 26#/%o/ )4,/5(,2J 0,3 *+#$#)($# ?0-#2 %* #02%#$)($ "#,3($2 ,(* *( $#%,"#,* *( &+##1 &%*+ $#.0$32 *( TD C0,0.#?#,*J DK 0//#22 j

! A]%25,. 0,3 )4*4$# ,(,M?(3410$ 614.%,2 0$# /011#3 r?(,(1%*+%/s 614.%,2

! C\F /0112 *+# ?0,0.#?#,* () ,#*&($- *@6#2 r*@6# 3$%"#$2sJ 0,3 *+# %?61#?#,*05(,26#/%o/ 60$* r?#/+0,%2? 3$%"#$2s

f$%2*0

E%2/(\%,4] K$%3.#

!;7 #*/N

Me

chanism

D

rivers

i`A

;\f:

;c\f:

#*/NType

Driver

s

Type Manager

Mechanism Manager

ML2 Plugin & API Extensions

!"#$%&'() +#9&.-$ G;W C-('E-$5


25/61

!"#$%&'() +#9&.-$ G;W J C-('E-$5

# cat /etc/neutron/plugins/ml2/ml2_conf.ini | grep type_drivers# the neutron.ml2.type_driversnamespace.# Example: type_drivers= flat,vlan,gre,vxlan

type_drivers= gre

# cat /etc/neutron/plugins/ml2/ml2_conf.ini | grep mechanism_drivers# to be loaded from the neutron.ml2.mechanism_driversnamespace.# Example:mechanism_drivers= arista# Example:mechanism_drivers= cisco,logger

mechanism_drivers= openvswitch,linuxbridge

# ls /usr/share/pyshared/neutron/plugins/ml2/drivers/cisco l2pop mechanism_ncs.py mech_hyperv.py mech_openvswitch.pytype_gre.py type_tunnel.py type_vxlan.py __init__.py mech_agent.py mech_aristamech_linuxbridge.py type_flat.py type_local.py type_vlan.py

%-6# -4 &3# QC90/$5 '7'/C'FC# /$ &3# 6'.)#&


26/61

%-6# -4 &3# QC90/$5 '7'/C'FC# /$ &3# 6'.)#&@XKWB

! C\F ?(3410$ =14.%,

!

n%*+ 2466($* )($ *+# *@6# 3$%"#$2P 1(/01J d0*J ;\f:J i`AJ ;c\f:

! f,3 *+# )(11(&%,. ?#/+0,%2? 3$%"#$2P f$%2*0J E%2/( :#]42J R@6#$M; f.#,*J \F

=(64105(,J \%,4]U$%3.#J !6#, "7&%*/+ f.#,*J X0%1M) :E7

! !6#, "7&%*/+ =14.%, y X+# ?(2* 42#3 W!6#, 7(4$/#[ 614.%, *(30@

! 7466($*2 i`A U02#3 !"#$10@2J :fXQ7#/4$%*@ .$(462J #*/N

!

D#6$#/05(, 610,,#3 )($ T/#+(42# $#1#02# %, )0"($ () C\F

! \%,4]U$%3.# =14.%,

! \%?%*#3 *( \F )4,/5(,01%*@J\_J d(05,. T=2 0,3 6$("%3#$ ,#*&($-2N:( 2466($* )($ !"#$10@2

! D#6$#/05(, 610,,#3 )($ T/#+(42# $#1#02# %, )0"($ () C\F

%-6# -4 &3# QC90/$5 '7'/C'FC# /$ &3# 6'.)#&


27/61

%-6# -4 &3# QC90/$5 '7'/C'FC# /$ &3# 6'.)#&@WKWB

! ;C&0$# :7c W0-0 :%/%$0 :;=[ =14.%,

!

:#*&($- ;%$*401%


28/61

+#, QC90/$5 K G;W H./7#.5 /$ T(#3-95# Y#C#'5#

! :#& C\F C#/+0,%2? D$%"#$2P

!

C#/+0,%2? D$%"#$ )($ !6#,D0@1%.+* E(,*$(11#$! K$(/03# C\F C#/+0,%2? D$%"#$ )($ ;Dc 7&%*/+ E142*#$

! :#& :#4*$(, =14.%,2

! TKC 7D:M;A E(,*$(11#$ =14.%,

! :40.# :#*&($-2 E(,*$(11#$ =14.%,

!

7#$"%/# =14.%,2

! A?U$0,# 0,3 `03&0$# \K007 3$%"#$

! E%2/( ;=:007 3$%"#$

! ;0$%(42

! ;C&0$# :7c M DRE= 0,3 C#*030*0 7#$"%/#

! X+%2 1%2* %2 %,/(?61#*#J 61#02# 2## +#$# )($ ?($# 3#*0%12P+O62PQQU14#6$%,*2N104,/+603N,#*Q,#4*$(,Q%/#+(42#

+#9&.-$ J!A% P0#$& P.(3/(&9.#


29/61

+#9&.-$ !A% P0#$& P.(3/(&9.#

! X+# )(11(&%,. /(?6(,#,*2 610@ 0 $(1# %, !;7 f.#,* f$/+%*#/*4$#

! :#4*$(,M!;7Mf.#,*P `#/#%"#2 *4,,#1 Z d(& 2#*46 %,)($?05(, )$(? !;7M=14.%, 0,3 6$(.$0?2 !;7 *( U4%13*4,,#12 0,3 *( 2*##$2 *$0l/ %,*( *+(2# *4,,#12

!

:#4*$(,MDRE=Mf.#,*P 7#*2 46 3,2?02t %, 0 ,0?#260/# 6#$ /(,o.4$#3 ,#*&($-Q24U,#*J0,3 #,*#$2 ?0/Q%6 /(?U%,05(, %, 3,2?02t 3+/6 1#02# o1#

! :#4*$(,M\_Mf.#,*P 7#*2 46 %6*0U1#2Q$(45,.Q:fX X0U1#2 W$(4*#$2[ 02 3%$#/*#3 U@ !;7 =14.%, ($ C\F !;7

?#/+S3$%"#$

! T, ?(2* /02#2 i`A ($ ;c\f: ("#$10@*4,,#12 0$# 42#3J U4* d0* 0,3 "10,

?(3#2 0$# 012( 6(22%U1#

@A .'&1B

V%(')Q

)6

3&]%) W U)&,>+


30/61

! E#,*$01%6

3&]%) W U)&,>+


31/61

+O62PQQ&&&Nd%/-$N/(?Q6+(*(2QHaF{LLwFB:G{QF{LL_Ia||LQ1%.+*U(]Q


32/61

23'$) \-9]f,3 +0"# 0 .$#0* E(,)#$#,/#

!7DE FGHIJ K#$1%,J GLMHGNGI


33/61

>'()9" %C/?#5

+#9&.-$ J P0#$& %&'&95


34/61

0

!

X+%2 (4*64* 2+(&2 *+# :#4*$(, 0.#,*2 2*0*42 0x#$ 0 U02# %,2*01105(,

# neutron agent-list+--------------------------------------+--------------------+---------------+-------+----------------+

| id | agent_type | host | alive | admin_state_up |

+--------------------------------------+--------------------+---------------+-------+----------------+

| 1a58601c-ff41-4dc5-914f-d37ec5761b06 | L3 agent | os-controller | :-) | True |

| 416c854b-611b-42f9-b7b1-3bbe0bd840f2 | DHCP agent | os-controller | :-) | True || 57bed0b7-55da-455a-8351-fd28e05cf1dc | Open vSwitch agent | os-controller | :-) | True || 7b1ae4e8-7bc2-480e-82a7-0eb6a02b119f | Open vSwitch agent | os-compute-1 | :-) | True || d5d27e99-ba76-4e5f-bdfe-ef7d0638a52e | Open vSwitch agent | os-compute-2 | :-) | True |+--------------------------------------+--------------------+---------------+-------+----------------+

+#9&.-$ J !A% J 29$$#C %&.9(&9.#


35/61

!

X+%2 (4*64* 2+(&2 *+# !;7 /(,o. (, *+# !6#,7*0/- :#*&($-M:(3# U#)($# 0,@ 1(.%/01 ,#*&($- +02

U##, /(,o.4$#3

# ovs-vsctl show

09d5b89a-600d-4da3-b761-11206456385a

Bridge br-ex

Port br-ex

Interface br-extype: internal

Port "eth2"

Interface "eth2"Bridge br-tun

Port br-tunInterface br-tun

type: internalPort patch-int

Interface patch-inttype: patch

options: {peer=patch-tun}

Port "gre-172.16.0.11"Interface "gre-172.16.0.11"

type: greoptions: {in_key=flow, local_ip="172.16.0.10", out_key=flow, remote_ip="172.16.0.11"}



Bridge br-intPort patch-tun

Interface patch-tun

type: patchoptions: {peer=patch-int}

Port br-intInterface br-int

type: internalovs_version: "1.10.2"

+#9&.-$ J !A% J 29$$#C %&.9(&9.#


36/61

!

X+%2 (4*64* 2+(&2 *+# !;7 /(,o. (, *+# !6#,7*0/- :#*&($-M:(3# U#)($# 0,@ 1(.%/01 ,#*&($- +02

U##, /(,o.4$#3

# ovs-vsctl show

09d5b89a-600d-4da3-b761-11206456385a

Bridge br-ex

Port br-ex


Port "eth2"











Interface patch-tun

type: patch

options: {peer=patch-int}Port br-int

Interface br-inttype: internal

ovs_version: "1.10.2"

# Interface to first compute node


type: greoptions:

{in_key=flow, local_ip="172.16.0.10",

out_key=flow, remote_ip="172.16.0.11"}

# Interface to second compute node


type: greoptions:

{in_key=flow, local_ip="172.16.0.10",out_key=flow, remote_ip="172.16.0.12"}

+#9&.-$ J !A% J 29$$#C %&.9(&9.#


37/61

!

X+%2 (4*64* 2+(&2 *+# !;7 /(,o. (, *+# !6#,7*0/- :#*&($-M:(3# U#)($# 0,@ 1(.%/01 ,#*&($- +02

U##, /(,o.4$#3

# ovs-vsctl show

09d5b89a-600d-4da3-b761-11206456385a

Bridge br-ex

Port br-ex


Port "eth2"











Interface patch-tun

type: patch

options: {peer=patch-int}Port br-int

Interface br-inttype: internal


# Patch from br-tun table to br-int table

Port patch-intInterface patch-int

type: patch


# patch from br-int table to br-tun table

Port patch-tunInterface patch-tun

type: patchoptions: {peer=patch-int}

+#9&.-$ J T$.$'C +#&,-.) D.#'E-$


38/61

!

:(& &%11 /$#0*# 0 1(.%/01 \F ,#*&($-J &%*+(4* 0,@ 24U,#* 022%.,#3 *( %*

# neutron net-create Internal-Network

Created a new network:+---------------------------+--------------------------------------+

| Field | Value |

+---------------------------+--------------------------------------+| admin_state_up | True || id | 56a76117-8910-4d85-b91d-8e6842e0a510 || name | Internal-Network || provider:network_type | gre || provider:physical_network | |

| provider:segmentation_id | 1 |

| shared | False || status | ACTIVE |

| subnets | || tenant_id | b1178a03969b4f638937f5a632fb547a |+---------------------------+--------------------------------------+

# neutron net-list

+--------------------------------------+------------------+---------+

| id | name | subnets |

+--------------------------------------+------------------+---------+| 56a76117-8910-4d85-b91d-8e6842e0a510 | Internal-Network | |

+--------------------------------------+------------------+---------+

+#9&.-$ J T$.$'C %9F$#& D.#'E-$


39/61

!

:(& &%11 /$#0*# 0,3 0O0/+ 0 ,#& 74U,#* *( *+# \F ,#*&($-J &%*+(4* 0,@ 24U,#* 022%.,#3 *( %*

# neutron subnet-create Internal-Network --name Internal-Subnet 10.12.13.0/24Created a new subnet:+------------------+------------------------------------------------+

| Field | Value |

+------------------+------------------------------------------------+| allocation_pools | {"start": "10.12.13.2", "end": "10.12.13.254"} |

| cidr | 10.12.13.0/24 |

| dns_nameservers | |

| enable_dhcp | True || gateway_ip | 10.12.13.1 || host_routes | || id | b4c95b8b-65a4-402e-8359-69b55d6c9bf1 || ip_version | 4 || name | Internal-Subnet |

| network_id | 56a76117-8910-4d85-b91d-8e6842e0a510 |

| tenant_id | b1178a03969b4f638937f5a632fb547a |

+------------------+------------------------------------------------+

# neutron subnet-list -c id -c cidr -c name+--------------------------------------+----------------+-----------------+| id | cidr | name |+--------------------------------------+----------------+-----------------+

| b4c95b8b-65a4-402e-8359-69b55d6c9bf1 | 10.12.13.0/24 | Internal-Subnet |

+--------------------------------------+----------------+-----------------+

# ip netns show#

! :(*#P X+# 3+/6 ,0?#260/# &%11 U# /$#0*#3 &+#, *+# o$2* %,2*0,/# U((*2

+#9&.-$ J #


40/61

!

:(& &%11 /$#0*# 0 #]*#$,01 ,#*&($- 3#o,%5(,J 0,3 033 0, T= 24U,#* 0,3 6((1 *( %*

# neutron net-create External-Net --router:external=True

Created a new network:+---------------------------+--------------------------------------+

| Field | Value |

+---------------------------+--------------------------------------+| admin_state_up | True || id | 8998c547-ff7c-45f8-884a-a6d4bcaa5de7 || name | External-Net || provider:network_type | gre || provider:physical_network | |

| provider:segmentation_id | 2 |

| router:external | True || shared | False |

| status | ACTIVE || subnets | || tenant_id | b1178a03969b4f638937f5a632fb547a |+---------------------------+--------------------------------------+

+#9&.-$ J #


41/61

!

:(& &%11 /$#0*# 0 #]*#$,01 ,#*&($- 3#o,%5(,J 0,3 033 0, T= 24U,#* 0,3 6((1 *( %*

# neutron subnet-create External-Net 172.16.65.0/24 \--allocation-pool start=172.16.65.100,end=172.16.65.150

Created a new subnet:

+------------------+----------------------------------------------------+

| Field | Value |+------------------+----------------------------------------------------+| allocation_pools | {"start": "172.16.65.100", "end": "172.16.65.150"} || cidr | 172.16.65.0/24 || dns_nameservers | || enable_dhcp | True |

| gateway_ip | 172.16.65.1 |

| host_routes | || id | 16eb9d34-819f-4525-99ab-ec9358ea132f |

| ip_version | 4 || name | || network_id | 8998c547-ff7c-45f8-884a-a6d4bcaa5de7 || tenant_id | b1178a03969b4f638937f5a632fb547a |+------------------+----------------------------------------------------+

+#9&.-$ J Y-9. D.#'E-$ XK^


42/61

!

:(& &%11 /$#0*# 0 $(4*#$J 0,3 /(,,#/* %* *( *+# rm61%,-s W#]*#$,01 ,#*&($-[ /$#0*#3 #0$1%#$

# neutron router-create MyRouter

Created a new router:+-----------------------+--------------------------------------+

| Field | Value |

+-----------------------+--------------------------------------+| admin_state_up | True || external_gateway_info | || id | bda86e19-4831-4bfb-b3f4-bb79113ceab1 || name | MyRouter || status | ACTIVE |

| tenant_id | b1178a03969b4f638937f5a632fb547a |

+-----------------------+--------------------------------------+

# neutron router-gateway-set MyRouter External-NetSet gateway for router MyRouter

# neutron router-interface-add MyRouter Internal-SubnetAdded interface a86dfa2b-9ceb-43ba-90ea-fb67ef5c5d17 to router MyRouter.

+#9&.-$ J Y-9. D.#'E-$ WK^


43/61

!

:(& &%11 /$#0*# 0 $(4*#$J 0,3 /(,,#/* %* *( *+# rm61%,-s W#]*#$,01 ,#*&($-[ /$#0*#3 #0$1%#$

# neutron router-show MyRouter+-----------------------+-----------------------------------------------------------------------------+| Field | Value |+-----------------------+-----------------------------------------------------------------------------+

| admin_state_up | True |

| external_gateway_info | {"network_id": "8998c547-ff7c-45f8-884a-a6d4bcaa5de7", "enable_snat": true} || id | bda86e19-4831-4bfb-b3f4-bb79113ceab1 || name | MyRouter || routes | || status | ACTIVE || tenant_id | b1178a03969b4f638937f5a632fb547a |

+-----------------------+-----------------------------------------------------------------------------+

# neutron router-port-list MyRouter -c fixed_ips+--------------------------------------------------------------------------------------+| fixed_ips |+--------------------------------------------------------------------------------------+| {"subnet_id": "b4c95b8b-65a4-402e-8359-69b55d6c9bf1", "ip_address": "10.12.13.1"} || {"subnet_id": "16eb9d34-819f-4525-99ab-ec9358ea132f", "ip_address": "172.16.65.100"} |

+--------------------------------------------------------------------------------------+

+#9&.-$ J Y-9. D.#'E-$ _K^


44/61

!

:(& *+0* *+# $(4*#$ %2 /$#0*#3J 0,3 %,*#$)0/#2 0$# 022%.,#3 *( %*J &%11 2## 0 ,#& ,0?#260/#

# ip netns showqrouter-bda86e19-4831-4bfb-b3f4-bb79113ceab1

# ip netns exec qrouter-bda86e19-4831-4bfb-b3f4-bb79113ceab1 /bin/bash

# ip addr1: lo: mtu 65536 qdisc noqueue state UNKNOWN

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host loinet6 ::1/128 scope host

valid_lft forever preferred_lft forever

10: qg-f9d1f494-7f: mtu 1500 qdisc noqueue state UNKNOWN

link/ether fa:16:3e:02:9a:1c brd ff:ff:ff:ff:ff:ffinet 172.16.65.100/24 brd 172.16.65.255 scope global qg-f9d1f494-7f

inet6 fe80::f816:3eff:fe02:9a1c/64 scope linkvalid_lft forever preferred_lft forever

11: qr-a86dfa2b-9c: mtu 1500 qdisc noqueue state UNKNOWNlink/ether fa:16:3e:7b:1a:92 brd ff:ff:ff:ff:ff:ffinet 10.12.13.1/24 brd 10.12.13.255 scope global qr-a86dfa2b-9c

inet6 fe80::f816:3eff:fe7b:1a92/64 scope linkvalid_lft forever preferred_lft forever

# netstat -rn

Kernel IP routing tableDestination Gateway Genmask Flags MSS Window irtt Iface0.0.0.0 172.16.65.1 0.0.0.0 UG 0 0 0 qg-f9d1f494-7f10.12.13.0 0.0.0.0 255.255.255.0 U 0 0 0 qr-a86dfa2b-9c

172.16.65.0 0.0.0.0 255.255.255.0 U 0 0 0 qg-f9d1f494-7f

+#9&.-$ J Y-9. D.#'E-$ ^K^ J !A% A/#,


45/61

!

X+# !;7 2+(& &%11 ,(& 2+(& *+# *06 %,*#$)0/#2 *( *+# $(4*#$ :0?#260/#J 0,3 *( *+# #]*#$,01 %,*#$)0/#

root@os-controller:/home/localadmin# ovs-vsctl show09d5b89a-600d-4da3-b761-11206456385a

Bridge br-ex

Port "qg-f9d1f494-7f"

Interface "qg-f9d1f494-7f"

type: internalPort br-ex


Port "eth2"Interface "eth2

.... SNIP ....


Interface patch-tuntype: patchoptions: {peer=patch-int}

Port "qr-a86dfa2b-9c"

tag: 1

Interface "qr-a86dfa2b-9c"

type: internal

Port br-intInterface br-int

type: internalovs_version: "1.10.2"

# external router interface is patchedto br-ex, and therefore bridged out tointerface eth2

# Internal router interface is patched

to br-int, and therefore connected tothe br-int flow table

+#9&.-$ J `-./N-$ H'53F-'.? A/#,


46/61

+-7' J >--& &,- T$5&'$(#5


47/61

! :(& &%11 U((* *&( g/%$$(2h T,2*0,/#2J 0,3 /(,,#/* *+(2# *( *+# "%$*401 ,#*&($- /$#0*#3 #0$1%#$

# nova boot --flavor 1 --image 'CirrOS 0.3.1 \--nic net-id=56a76117-8910-4d85-b91d-8e6842e0a510 Instance1

+--------------------------------------+--------------------------------------+| Property | Value |

+--------------------------------------+--------------------------------------+

| OS-EXT-STS:task_state | scheduling |

| image | CirrOS 0.3.1 |

| OS-EXT-STS:vm_state | building || OS-EXT-SRV-ATTR:instance_name | instance-0000000b |

... SNIP ...

# nova boot --flavor 1 --image 'CirrOS 0.3.1' \

--nic net-id=56a76117-8910-4d85-b91d-8e6842e0a510 Instance2

+--------------------------------------+--------------------------------------+| Property | Value |+--------------------------------------+--------------------------------------+| OS-EXT-STS:task_state | scheduling || image | CirrOS 0.3.1 || OS-EXT-STS:vm_state | building |

| OS-EXT-SRV-ATTR:instance_name | instance-0000000c |

... SNIP ...

+#9&.-$ J `-./N-$ H'53F-'.? A/#,


48/61

+#9&.-$ J H`DQ +'6#5"'(# K ?$56'5a ".-(#55! fx#$ *+# o$2* T,2*0,/#2 &02 2*0$*#3 :#4*$(, /$#0*#3 *+# 3+/6 ,0?#260/# 0,3 2*0$*#3 0 3,2?02t


49/61

fx#$ *+# o$2* T,2*0,/#2 &02 2*0$*#3J :#4*$(, /$#0*#3 *+# 3+/6 ,0?#260/# 0,3 2*0$*#3 0 3,2?02t

6$(/#22 %, %*

# ip netns showqdhcp-56a76117-8910-4d85-b91d-8e6842e0a510qrouter-bda86e19-4831-4bfb-b3f4-bb79113ceab1

# ip netns exec qdhcp-56a76117-8910-4d85-b91d-8e6842e0a510 /bin/bash

# ip addr... SNIP ...12: tap383cd579-5e: mtu 1500 qdisc noqueue state UNKNOWN

link/ether fa:16:3e:de:5f:bf brd ff:ff:ff:ff:ff:ffinet 10.12.13.3/24 brd 10.12.13.255 scope global tap383cd579-5e

inet 169.254.169.254/16 brd 169.254.255.255 scope global tap383cd579-5e

inet6 fe80::f816:3eff:fede:5fbf/64 scope linkvalid_lft forever preferred_lft forever

# ps -ef | grep dnsmasqnobody 16209 1 0 22:29 ? 00:00:00 dnsmasq--no-hosts --no-resolv --strict-order --bind-interfaces --interface=tap383cd579-5e --except-interface=lo --pid-file=/var/lib/neutron/dhcp/56a76117-8910-4d85-b91d-8e6842e0a510/pid --dhcp-hostsfile=/var/lib/neutron/dhcp/56a76117-8910-4d85-b91d-8e6842e0a510/host --dhcp-optsfile=/var/lib/neutron/dhcp/56a76117-8910-4d85-b91d-8e6842e0a510/opts--leasefile-ro --dhcp-range=set:tag0,10.12.13.0,static,86400s --dhcp-lease-max=256 --conf-file= --domain=openstacklocal

root 22102 15608 0 22:58 pts/0 00:00:00 grep --color=auto dnsmasq

# cat /var/lib/neutron/dhcp/56a76117-8910-4d85-b91d-8e6842e0a510/hostfa:16:3e:ee:1e:2f,host-10-12-13-2.openstacklocal,10.12.13.2fa:16:3e:7b:1a:92,host-10-12-13-1.openstacklocal,10.12.13.1

fa:16:3e:17:75:f6,host-10-12-13-4.openstacklocal,10.12.13.4

+#9&.-$ J T$5&'$(# (-$I0 IC#! R#$#h2 &+0* *+# ,#*&($- 60$* () *+# T,2*0,/# /(,o.4$05(, )($ ^;C 1((-2 1%-#


50/61

R#$# 2 &+0* *+# ,#*&($- 60$* () *+# T,2*0,/# /(,o.4$05(, )($ ^;C 1((-2 1%-#

-- COMPUTE NODE 1 ---

# virsh list

Id Name State----------------------------------------------------

6 instance-0000000b running

# virsh dumpxml 6

instance-0000000b

... SNIP ...

... SNIP ...

# Instance Port id tap32141443-07

+#9&.-$ J !A% 7/#, 'b#. T$5&'$(#5 '.# (-$$#(?! :(& 1#*h2 #]0?%,# &+0* *+# 60*/+#2 0,3 d(& *0U1#2 1((- 1%-# (, !;7 0x#$ *+# T,2*0,/#2 $# 2*0$*#3


51/61

6


root@os-compute-1:/home/localadmin# ovs-vsctl show

Bridge br-int... SNIP ...

Port patch-tun

Interface patch-tun

type: patch

options: {peer=patch-int}Port "tap32141443-07"

tag: 6Interface "tap32141443-07"

Bridge br-tun

... SNIP ...

Port "gre-172.16.0.12"

Interface "gre-172.16.0.12"


Port patch-intInterface patch-int

type: patchoptions: {peer=patch-tun}

Port "gre-172.16.0.10"

Interface "gre-172.16.0.10"type: greoptions: {in_key=flow, local_ip="172.16.0.11", out_key=flow, remote_ip="172.16.0.10"}


# Instance Port id tap32141443-07

# Instance Port mapping into br-intflow-table

+#9&.-$ J !A% c-,5 (.#'? &3.-903 .--&,.'" Fd !A%=P0#$&! !;7 d(&2 0,3 %,*#$)0/#2 .#* /$#0*#3 *+$(4.+ $((*&$066#$ U@ *+# !;7 f.#,*


52/61

. . 66 @ .


# tail -f /var/log/syslog

Apr 6 23:51:34 os-compute-1 ovs-vsctl: 00001|vsctl|INFO|Called as ovs-vsctl --timeout=5 -- --may-exist add-port br-int tap60b3782b-80 -- set Interface tap60b3782b-80 "external-ids:attached-mac=\"fa:16:3e:64:20:31\"" -- set Interface tap60b3782b-80 "external-ids:iface-id=\"60b3782b-8096-497d-96a4-f3a8dc187eb6\"" -- set Interface tap60b3782b-80 "external-ids:vm-id=\"17f0fdee-3ecd-440f-8e77-c43d2fcda9de\"" -- set Interface tap60b3782b-80 external-ids:iface-status=active

Apr 6 23:51:37 os-compute-1 neutron-rootwrap: (root > root) Executing ['/usr/bin/ovs-ofctl', 'mod-flows,'br_tun,'hard_timeout=0,idle_timeout=0,priority=1,table=21,dl_vlan=6,actions=strip_vlan,set_tunnel:1, output 3,2'] (filter match = ovs-ofctl)

Apr 6 23:51:37 os-compute-1 neutron-rootwrap: (root > root) Executing ['/usr/bin/ovs-ofctl', 'add-flow', 'br-tun', 'hard_timeout=0,idle_timeout=0,priority=1,table=2,tun_id=1,actions=mod_vlan_vid:6,resubmit(,10)'] (filter match = ovs-ofctl)

Apr 6 23:51:37 os-compute-1 neutron-rootwrap: (root > root) Executing ['/usr/bin/ovs-vsctl', '--timeout=2', 'set', 'Port', 'tap60b3782b-80', 'tag=6'] (filter match = ovs-vsctl)

Apr 6 23:51:37 os-compute-1 ovs-vsctl: 00001|vsctl|INFO|Called as /usr/bin/ovs-vsctl --timeout=2 setPort tap60b3782b-80 tag=6

Apr 6 23:51:37 os-compute-1 neutron-rootwrap: (root > root) Executing ['/usr/bin/ovs-ofctl', 'del-flows', 'br-int', 'in_port=7'] (filter match = ovs-ofctl)

+#9&.-$ J !A% J GPD C#'.$/$0! !;7 &%*+ !;7 f.#,* 2511 42#2 /1022%/ CfE \#0$,%,. *( 4,3#$2*0,3 $# &+%/+ CfE f33$#22 %2 %, *+#


53/61

:#*&($-


# ovs-appctl fdb/show br-int

port VLAN MAC Age

4 6 fa:16:3e:64:20:31 4-1 6 fa:16:3e:de:5f:bf 4

# ovs-appctl dpif/show br-intbr-int (system@ovs-system):

lookups: hit:1461 missed:343

flows: cur: 0, avg: 8.634, max: 39, life span: 7746(ms)hourly avg: add rate: 0.654/min, del rate: 0.658/min

overall avg: add rate: 0.775/min, del rate: 0.775/min

br-int 65534/1: (internal)patch-tun 1/none: (patch: peer=patch-int)tap60b3782b-80 7/4:

# ovs-appctl dpif/show br-tun

br-tun (system@ovs-system):lookups: hit:568 missed:364flows: cur: 0, avg: 9.707, max: 39, life span: 5976(ms)

hourly avg: add rate: 0.730/min, del rate: 0.731/minoverall avg: add rate: 0.817/min, del rate: 0.817/min

br-tun 65534/2: (internal)

gre-172.16.0.10 2/3: (gre: key=flow, local_ip=172.16.0.11, remote_ip=172.16.0.10)

gre-172.16.0.12 3/3: (gre: key=flow, local_ip=172.16.0.11, remote_ip=172.16.0.12)

patch-int 1/none: (patch: peer=patch-tun)

+#9&.-$ J !A% J 2'FC# %&.9(&9.#! !;7 f.#,* 6$(.$0?2 0 /(?61#] X0U1# 2*$4/*4$# %,*( !;7


54/61

+O62PQQ&%-%N(6#,2*0/-N($.Q&%-%Q!"2Md(&M1(.%/

+#9&.-$ J TQ2'FC# Y9C#5 J D-6"9 +-?#5 J %#(9./&d e:! X+# )(11(&%,. (4*64* 2+(&2 &+0* :#4*$(, /(,o.4$#2 %,*( T=X0U1#2 (, *+# /(?64*# ,(3# *( %?61#?#,*


55/61

2#/4$%*@ .$(462


# iptables L

SNIP

Chain neutron-openvswi-i7fff0812-9 (1 references)target prot opt source destinationDROP all -- anywhere anywhere state INVALID

RETURN all -- anywhere anywhere state RELATED,ESTABLISHED

RETURN tcp -- anywhere anywhere tcp multiport dports tcpmux:65535RETURN icmp -- anywhere anywhereRETURN udp -- anywhere anywhere udp multiport dports 1:65535RETURN udp -- 10.12.13.3 anywhere udp spt:bootps dpt:bootpc SNIP

Chain neutron-openvswi-o7fff0812-9 (2 references)

target prot opt source destinationRETURN udp -- anywhere anywhere udp spt:bootpc dpt:bootps

neutron-openvswi-s7fff0812-9 all -- anywhere anywhereDROP udp -- anywhere anywhere udp spt:bootps dpt:bootpcDROP all -- anywhere anywhere state INVALIDRETURN all -- anywhere anywhere state RELATED,ESTABLISHEDRETURN all -- anywhere anywhere

Chain neutron-openvswi-s7fff0812-9 (1 references)target prot opt source destinationRETURN all -- 10.12.13.2 anywhere MAC FA:16:3E:43:C6:20DROP all -- anywhere anywhere

+#9&.-$ J TQ2'FC# Y9C#5 J D-6"9 +-?#5 J %#(9./&d e:! X+# )(11(&%,. (4*64* 2+(&2 &+0* :#4*$(, /(,o.4$#2 %,*( T=X0U1#2 (, *+# /(?64*# ,(3# *( %?61#?#,*


56/61

2#/4$%*@ .$(462


# iptables L

SNIP

Chain neutron-openvswi-i7fff0812-9 (1 references)target prot opt source destinationDROP all -- anywhere anywhere state INVALID

RETURN all -- anywhere anywhere state RELATED,ESTABLISHED

RETURN tcp -- anywhere anywhere tcp multiport dports tcpmux:65535RETURN icmp -- anywhere anywhereRETURN udp -- anywhere anywhere udp multiport dports 1:65535RETURN udp -- 10.12.13.3 anywhere udp spt:bootps dpt:bootpc SNIP

Chain neutron-openvswi-o7fff0812-9 (2 references)

target prot opt source destinationRETURN udp -- anywhere anywhere udp spt:bootpc dpt:bootps

neutron-openvswi-s7fff0812-9 all -- anywhere anywhereDROP udp -- anywhere anywhere udp spt:bootps dpt:bootpcDROP all -- anywhere anywhere state INVALIDRETURN all -- anywhere anywhere state RELATED,ESTABLISHEDRETURN all -- anywhere anywhere

Chain neutron-openvswi-s7fff0812-9 (1 references)target prot opt source destinationRETURN all -- 10.12.13.2 anywhere MAC FA:16:3E:43:C6:20DROP all -- anywhere anywhere

# Inbound rule to Instances

# Default outbound allow dhcp

# Port Security Rule onlyallow Instance MAC outbound

+#9&.-$ J '?? c-'E$0=/" &- /$5&'$(#! n# &%11 ,(& 033 0 d(05,.M%6 *( 0, %,2*0,/#


57/61

# neutron floatingip-create External-NetCreated a new floatingip:+---------------------+--------------------------------------+| Field | Value |

+---------------------+--------------------------------------+

| fixed_ip_address | || floating_ip_address | 172.16.65.101 || floating_network_id | 8998c547-ff7c-45f8-884a-a6d4bcaa5de7 || id | 5d3a71e6-f94e-4c9f-9389-474abc559900 || port_id | || router_id | |

| tenant_id | 94fa9a0f01f24ba2983d06575add8764 |

+---------------------+--------------------------------------+

# nova list

+--------------------------------------+---------------+--------+------------+-------------+---------

| ID | Name | Status | Task State | Power State | Networks|+--------------------------------------+---------------+--------+------------+-------------+----------| af2d9b9f-3e25-4242-82f9-b059778cf217 | Instance1 | ACTIVE | None | Running | Internal-Network=10.12.13.2 || 2206f513-9313-4c87-be09-3cfacbc6d2a2 | Instance2 | ACTIVE | None | Running | Internal-Network=10.12.13.4 |+--------------------------------------+---------------+--------+------------+-------------+----------

# nova add-floating-ip Instance1 172.16.65.101#

+#9&.-$ J '?? c-'E$0=/" &- /$5&'$(#! n# &%11 ,(& 033 0 d(05,.M%6 *( 0, %,2*0,/#


58/61

# nova show Instance1+--------------------------------------+----------------------------------------------------------+| Property | Value |+--------------------------------------+----------------------------------------------------------+

| status | ACTIVE |

| updated | 2014-04-08T00:08:23Z || OS-EXT-STS:task_state | None || OS-EXT-SRV-ATTR:host | os-compute-1 || key_name | None || image | CirrOS 0.3.1 (55438187-bc0e-4245-b4a7-edb338cf47bd) |

... SNIP ...|

| accessIPv4 | |

| accessIPv6 | |

| Internal-Network network | 10.12.13.2, 172.16.65.101 || progress | 0 || OS-EXT-STS:power_state | 1 || OS-EXT-AZ:availability_zone | nova |

| config_drive | |+--------------------------------------+----------------------------------------------------------+

+#9&.-$ Jc-'E$0=/"O .-9. $'6#5"'(#! X+%2 %2 &+0* 0 d(05,. T= 1((-2 1%-# %, *+# $(4*#$ :0?#260/# 0,3 %, T=X0U1#2


59/61

# ip netns exec qrouter-c6687e7c-ab1c-4336-ab1e-8021f9c59925 /bin/bash

# ip addr

1: lo: mtu 65536 qdisc noqueue state UNKNOWNlink/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host loinet6 ::1/128 scope host

valid_lft forever preferred_lft forever13: qg-92d91e4c-2d: mtu 1500 qdisc noqueue state UNKNOWN

link/ether fa:16:3e:58:f6:2c brd ff:ff:ff:ff:ff:ff

inet 172.16.65.100/24 brd 172.16.65.255 scope global qg-92d91e4c-2d

inet 172.16.65.101/32 brd 172.16.65.101 scope global qg-92d91e4c-2dinet6 fe80::f816:3eff:fe58:f62c/64 scope link


14: qr-8abeb2b0-a6: mtu 1500 qdisc noqueue state UNKNOWNlink/ether fa:16:3e:18:6e:93 brd ff:ff:ff:ff:ff:ffinet 10.12.13.1/24 brd 10.12.13.255 scope global qr-8abeb2b0-a6inet6 fe80::f816:3eff:fe18:6e93/64 scope link


# Router IP

# configured floating-ip

+#9&.-$ Jc-'E$0=/"O TQ2'FC#5 +P2! X+%2 %2 &+0* 0 d(05,. T= 1((-2 1%-# %, *+# $(4*#$ :0?#260/# 0,3 %, T=X0U1#2


60/61

# iptables -t nat -L

...SNIP ...

Chain neutron-l3-agent-OUTPUT (1 references)

target prot opt source destinationDNAT all -- anywhere 172.16.65.101 to:10.12.13.2

Chain neutron-l3-agent-POSTROUTING (1 references)target prot opt source destinationACCEPT all -- anywhere anywhere ! ctstate DNAT

Chain neutron-l3-agent-PREROUTING (1 references)target prot opt source destinationREDIRECT tcp -- anywhere 169.254.169.254 tcp dpt:http redir ports 9697

DNAT all -- anywhere 172.16.65.101 to:10.12.13.2

Chain neutron-l3-agent-float-snat (1 references)target prot opt source destinationSNAT all -- 10.12.13.2 anywhere to:172.16.65.101

Chain neutron-l3-agent-snat (1 references)target prot opt source destination

neutron-l3-agent-float-snat all -- anywhere anywhereSNAT all -- 10.12.13.0/24 anywhere to:172.16.65.100

Chain neutron-postrouting-bottom (1 references)target prot opt source destinationneutron-l3-agent-snat all -- anywhere anywhere

+#9&.-$ Jc-'E$0=/"O TQ2'FC#5 +P2! X+%2 %2 &+0* 0 d(05,. T= 1((-2 1%-# %, *+# $(4*#$ :0?#260/# 0,3 %, T=X0U1#2


61/61

# iptables -t nat -L

...SNIP ...

Chain neutron-l3-agent-OUTPUT (1 references)target prot opt source destination


Chain neutron-l3-agent-POSTROUTING (1 references)target prot opt source destinationACCEPT all -- anywhere anywhere ! ctstate DNAT

Chain neutron-l3-agent-PREROUTING (1 references)target prot opt source destinationREDIRECT tcp -- anywhere 169.254.169.254 tcp dpt:http redir ports 9697


Chain neutron-l3-agent-float-snat (1 references)target prot opt source destinationSNAT all -- 10.12.13.2 anywhere to:172.16.65.101

Chain neutron-l3-agent-snat (1 references)target prot opt source destination

neutron-l3-agent-float-snat all -- anywhere anywhereSNAT all -- 10.12.13.0/24 anywhere to:172.16.65.100

Chain neutron-postrouting-bottom (1 references)target prot opt source destinationneutron-l3-agent-snat all -- anywhere anywhere

# floating-ip DNAT

# floating-ip SNAT

# default SNAT for allinstances

Documents

Yves Fauser OpenStack Networking