<html><body>
<p><tt><font size="2">Jay Pipes <jaypipes@gmail.com> wrote on 08/06/2014 01:04:41 PM:<br>
<br>
[snip]</font></tt><br>
<tt><font size="2"><br>
> AFAICT, there is nothing that can be done with the GBP API that cannot <br>
> be done with the low-level regular Neutron API.</font></tt><br>
<br>
<tt><font size="2">I'll take you up on that, Jay :)</font></tt><br>
<br>
<tt><font size="2">How exactly do I specify behavior between two collections of ports residing in the same IP subnet (an example of this is a bump-in-the-wire network appliance)?</font></tt><br>
<br>
<tt><font size="2">I've looked around regular Neutron and all I've come up with so far is:</font></tt><br>
<tt><font size="2"> (1) use security groups on the ports</font></tt><br>
<tt><font size="2"> (2) set allow_overlapping_ips to true, set up two networks with identical CIDR block subnets and disjoint allocation pools and put a vRouter between them.</font></tt><br>
<br>
<tt><font size="2">Now #1 only works for basic allow/deny access and adds the complexity of needing to specify per-IP address security rules, which means you need the ports to have IP addresses already and then manually add them into the security groups, which doesn't seem particularly orchestration-friendly.</font></tt><br>
<br>
<tt><font size="2">Now #2 handles both allow/deny access as well as provides a potential attachment point for other behaviors, *but* you have to know to set up the disjoint allocation pools, and you're depending on your drivers to handle the case of a router that isn't really a router (i.e. it's got two interfaces in the same subnet, possibly with the same address (unless you thought of that when you set things up)).</font></tt><br>
<br>
<tt><font size="2">You can say that both of these are *possible*, but they both look more complex to me than just having two groups of ports and specifying a policy between them.</font></tt><br>
<br>
<tt><font size="2">Ryan Moats</font></tt></body></html>