codehaus


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[neutron] Mixed VLAN / VxLAN Network


Hi Dominic,

> We intend to slot it in to a location which uses VLANs heavily.  In
particular,
> our DMZ is on a VLAN, with the subnet's gateway at our firewall.  We
plan to
> use VxLANs within OpenStack.
> 
> Is it possible to make OpenStack aware of the DMZ VLAN, so that we can
use
> it in projects?  Is it possible to use the DMZ VLAN without routing
through the
> OpenStack network node(s)?

It is definitely possible.  In OpenStack terms, you are looking for
"Provider Networks", which can be used to bind a VLAN to OpenVSwitch
directly on the respective compute node where a VM is running.  Security
groups can be used to provide port security at the VM's "ports" (vNICs).

"Tenant Networks", in your configuration, will use VXLANs, and are
typically managed by Neutron's DVR (Distributed Virtual Routing) which
manages the VXLAN configuration on OpenVSwitches on each compute node.

SNAT will always use a network node since the NAT table has to be
consistent and is not replicated (it is an iptables configuration on the
network node in a specific Linux network namespace for the tenant
network).

Floating IPs only work with networks marked as "external", which are
provider networks that are VLAN-based.  External networks are connected
as the external gateway of an OpenStack router, where the router
performs the 1:1 NAT function.  Note that this does not work with IPv6,
only IPv4, since IPv6 does not use NAT.

The subnet assigned to the external network has a gateway property,
which can be set to your firewall's gateway IP.

Note that you can have multiple provider networks and share these
network(s) with specific projects to provide access to a specific VLAN.
These would be marked as "internal" networks.  This provides a great way
to transition VMs from VLAN-based networks to VXLAN-based networks.

This has a good overview of the items I have discussed:
https://superuser.openstack.org/articles/tenant-networks-vs-provider-net
works-in-the-private-cloud-context/

Eric


> Thank you,
> 
> Dominic L. Hilsbos, MBA
> Director - Information Technology
> Perform Air International Inc.
> DHilsbos at PerformAir.com
> www.PerformAir.com