Comment 16 for bug 1012443

Michael S. Moody (michael-sykosoft) wrote : Re: [Bug 1012443] Re: Support external gateways in VLAN mode

Allow me to be more specific:

Our layout looks like this: Physical Hardware Firewalls (supporting
802.1q). These firewalls are attached to switches which also support
802.1q, and then of course we use tag interfaces on the compute nodes
(which double as network nodes, for availability), and we pre-configure
tenants with a subnet (say, a /24), a VLAN tag (say, VLAN 4), and various
firewall policies (and perhaps also gateway-to-gateway IPSec VPN
configurations). Then, cloud instances are configured to use these hardware
firewalls as their default gateway (let's say, 172.27.4.1/24) using the
dnsmasq patch. In some cases, the tenant may also have physical dedicated
systems on the same subnet (VLAN 4), and use the OpenStack instances to
provide dynamic scaling for certain parts of their workload, while using
the dedicated physical hardware for other purposes (highly available
database servers for instance, which for security couldn't be on a shared
architecture, or for various other reasons).

Thus, when instances are started, they all use 172.27.4.1 as a default
gateway, and the nova-network is configured to tag all traffic.

There are some interesting SDN (software defined networking) features that
we want to use with Quantum, but they are (or at least seem) mutually
exclusive with our current (unchangeable) setup.

Any public IP addressing is done through our hardware firewall stack, and
is one-to-one NAT mapping generally speaking. The firewalls also serve as
IPS/IDS, and VPN gateways, thus they are needed.

Does this explanation help?

Michael

On Sun, Apr 7, 2013 at 5:51 AM, Salvatore Orlando <email address hidden> wrote:

> Hi, for Quantum support, are you just referring to the fix on gerrit for
> this bug?
> If yes, this should not affect quantum:
> https://github.com/openstack/quantum/blob/master/quantum/agent/linux/dhcp.py#L271
>
> If instead your question is about external gateways, Quantum has a concept
> of 'external network' which can be used to allocate gateways for routers
> and floating IPs. The external gateway at the moment implicitly SNATs all
> the traffic, but this is becoming configurable for havana.
> Quantum does not support however multiple external gateways per router. Is
> that the feature you are looking for?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1012443
>
> Title:
> Support external gateways in VLAN mode
>
> Status in OpenStack Compute (Nova):
> Fix Released
>
> Bug description:
> Currently, there isn't a good way to configure an external gateway
> when running in VLAN mode because each network requires a separate
> gateway.
>
> Note that dnsmasq can support multiple gateways by using tagging.
>
> See http://paste.openstack.org/show/18471/ by Nate Burton for a
> solution that uses network labels as dnsmasq tags.