<div dir="ltr"><div>><span style="font-size:13.3333339691162px">Or a pool of SNAT addresses ~= to the size of the hypervisor count.</span></div><div><span style="font-size:13.3333339691162px"><br></span></div>This had originally come up as an option in the early DVR discussions. IIRC it was going to be a tunable parameter since it results in a tradeoff between spent public addresses and "distributed-ness". However, due to time constraints and complexity, the burning of extra IPs to distribute SNAT wasn't implemented because it required changes to the data model (multiple IPs per router gateway interface) and changes to when IPs were assigned (dynamically adding more IPs to the gateway interface as tenant ports were instantiated on new nodes). Someone from the DVR team can correct me if I'm missing the reasons behind some of these decisions.<div><br></div><div><br></div><div>><span style="font-size:13.3333339691162px">Conntrack synchronisation gets us HA on the SNAT node, but that's a long way from distributed SNAT.</span></div><div><span style="font-size:13.3333339691162px"><br></span></div><div><span style="font-size:13.3333339691162px">Definitely, I was not paying close attention and thought this thread was just about the HA of the SNAT node.</span></div><div><span style="font-size:13.3333339691162px"><br></span></div><div><span style="font-size:13.3333339691162px">></span><span style="font-size:13.3333339691162px">It's basically very much like floating IPs, only you're handing out a sub-slice of a floating-IP to each machine - if you like.</span></div><div><span style="font-size:13.3333339691162px"><br></span></div><div><span style="font-size:13.3333339691162px">T</span><span style="font-size:13.3333339691162px">his requires participation of the upstream router (L4 policy routing pointing to next hops that distinguish each L3 agent) or intervention on the switches between the router an L3 agents (a few OpenFlow rules would make this simple). Both approaches need to adapt to L3 agent changes so static configuration is not adequate. Unfortunately, both of these are outside of the control of Neutron so I don't see an easy way to push this state in a generic fashion.</span></div><div><span style="font-size:13.3333339691162px"><br></span></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Feb 16, 2015 at 12:33 AM, Robert Collins <span dir="ltr"><<a href="mailto:robertc@robertcollins.net" target="_blank">robertc@robertcollins.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 16 February 2015 at 21:29, Angus Lees <<a href="mailto:gus@inodes.org">gus@inodes.org</a>> wrote:<br>
> Conntrack synchronisation gets us HA on the SNAT node, but that's a long way<br>
> from distributed SNAT.<br>
><br>
> Distributed SNAT (in at least one implementation) needs a way to allocate<br>
> unique [IP + ephemeral port ranges] to hypervisors, and then some sort of<br>
> layer4 loadbalancer capable of forwarding the ingress traffic to that IP<br>
> back to the right hypervisor/guest based on the ephemeral port range. It's<br>
> basically very much like floating IPs, only you're handing out a sub-slice<br>
> of a floating-IP to each machine - if you like.<br>
<br>
</span>Or a pool of SNAT addresses ~= to the size of the hypervisor count.<br>
<br>
-Rob<br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
--<br>
Robert Collins <<a href="mailto:rbtcollins@hp.com">rbtcollins@hp.com</a>><br>
Distinguished Technologist<br>
HP Converged Cloud<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div>Kevin Benton</div></div>
</div>