[openstack-dev] [Neutron] DVR SNAT shortcut

Yi Sun beyounn at gmail.com
Thu Jun 26 03:41:50 UTC 2014


>     Another approach would be to use a single IP address per router
>     per compute
>     node.  This avoids the multi-tenant issue mentioned above, at the
>     cost of
>     consuming more IP addresses, potentially one default SNAT IP
>     address for each
>     VM on the compute server (which is the case when every VM on the
>     compute node
>     is from a different tenant and/or using a different router).  At
>     that point
>     you might as well give each VM a floating IP.
>
>     Hence the approach taken with the initial DVR implementation is to
>     keep
>     default SNAT as a centralized service.
>
>
> In contrast to moving service to distributed CN, we should take care 
> of keeping them as centralized, especially FIP and FW. I know a lot of 
> customer prefer using some dedicated servers to act as network nodes, 
> which have more NICs(as external connection) than compute nodes, in 
> these cases FIP must be centralized instead of being distributed. As 
> for FW, if we want stateful ACL then DVR can do nothing, except that 
> we think security group is already some kind of FW.
>
+1, I had another email to discuss about FW (FWaaS) and DVR integration. 
Traditionally, we run firewall with router so that firewall can use 
route and NAT info from router. since DVR is asymmetric when handling 
traffic, it is hard to run stateful firewall on top of DVR just like a 
traditional firewall does . When the NAT is in the picture, the 
situation can be even worse.
Yi
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140625/985d9bba/attachment.html>


More information about the OpenStack-dev mailing list