[Openstack] nova-network,VRRP and NAT

mad Engineer themadengin33r at gmail.com
Thu Aug 7 11:45:01 UTC 2014


Thanks Xav,

I am using nova-network and not neutron. Looks like this
cannot work with nova-network.

Thanks


On Thu, Aug 7, 2014 at 3:23 PM, Xav Paice <xavpaice at gmail.com> wrote:

> On 07/08/14 21:42, mad Engineer wrote:
> > but concerned whether nova security policies allow VRRP to work as it
> > requires multiple IPs on the same MAC?
> >
> > Is clearing the rule the only way to make it work, or is there a
> > nova-network way to make it work?
> >
> > Also I am worried about the NAT rule when IP fail over happens.
> >
> >
> This might help - copied from a note I put on our ops wiki:
>
> OpenStack has anti-spoofing iptables rules that sit very close to your
> instance on the hypervisor.  This means you can't just add a new address
> without telling OpenStack.  To tell OpenStack, you need to add an
> allowed-address-pair to the port which your instance will use with the
> new IP.
>
> For example:  I have a VM with a fixed IP of 10.1.1.13.  I want to add
> the alias IP 10.1.1.14 to that and one other VM, for load balancing.
>
> First, make sure you aren't using an IP in the DHCP range for this
> subnet.  Then update the Ports for each instance participating in VRRP.
>
> nova interface-list <INSTANCE_UUID>
>
> +------------+--------------------------------------+--------------------------------------+--------------+-------------------+
> | Port State | Port ID                              | Net ID                               | IP addresses | MAC Addr          |
> +------------+--------------------------------------+--------------------------------------+--------------+-------------------+
> | ACTIVE     | 50eb611d-5e71-43cf-ba4d-1017bc6e488c | 623417c3-dffc-4b6d-96fa-a4ae0ec1df52 | 10.1.1.13    | fa:16:3e:5b:64:38 |
>
> neutron port-update 50eb611d-5e71-43cf-ba4d-1017bc6e488c \
>       --allowed-address-pairs type=dict list=true \
>       mac_address=fa:16:3e:5b:64:38,ip_address=10.1.1.14
>
> Once you have updated the ports attached to each VM, you will need some
> security group rules.
>
> neutron security-group-create vrrp_members
> neutron security-group-rule-create --ethertype IPv4 \
>       --direction egress --protocol 51 \
>       --remote-ip-prefix 224.0.0.18/32 vrrp_members
> neutron security-group-rule-create --ethertype IPv4 \
>       --direction ingress --protocol 51 \
>       --remote-group-id vrrp_members vrrp_members
>
> Then apply this security group to your VRRP instances.
>
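The anti-spoofing behaviour described in the quoted note, modelled as an added example (not part of the thread and not OpenStack's own code): a frame leaves a port only if its source MAC and IP match a fixed IP or an allowed-address-pair, and the audit also applies the note's DHCP-range check. The second port, its MAC, the DHCP range and the function names are assumptions made for illustration; the dict keys follow Neutron's port fields.

```python
import ipaddress

def permitted_sources(port):
    """(MAC, network) pairs the port may send from: fixed IPs plus allowed-address-pairs."""
    own_mac = port["mac_address"].lower()
    pairs = [(own_mac, ipaddress.ip_network(f["ip_address"])) for f in port["fixed_ips"]]
    for aap in port.get("allowed_address_pairs", []):
        # Neutron fills in the port's own MAC when the pair omits mac_address,
        # and ip_address may be a single address or a CIDR.
        mac = aap.get("mac_address", own_mac).lower()
        pairs.append((mac, ipaddress.ip_network(aap["ip_address"], strict=False)))
    return pairs

def source_permitted(port, src_mac, src_ip):
    """True if a frame with this source MAC and IP passes the modelled anti-spoofing check."""
    ip = ipaddress.ip_address(src_ip)
    return any(src_mac.lower() == mac and ip in net
               for mac, net in permitted_sources(port))

def audit_vip(ports, vip, dhcp_start, dhcp_end):
    """Return findings that would break failover of `vip` across `ports`."""
    findings = []
    addr = ipaddress.ip_address(vip)
    if ipaddress.ip_address(dhcp_start) <= addr <= ipaddress.ip_address(dhcp_end):
        findings.append(f"{vip} is inside the DHCP range")
    for port in ports:
        if not source_permitted(port, port["mac_address"], vip):
            findings.append(f"port {port['id']}: no allowed-address-pair for {vip}")
    return findings

# Port values for VM1 are the ones shown in the message; VM2 and the DHCP
# range are constructed for this example.
VM1 = {"id": "50eb611d-5e71-43cf-ba4d-1017bc6e488c",
       "mac_address": "fa:16:3e:5b:64:38",
       "fixed_ips": [{"ip_address": "10.1.1.13"}],
       "allowed_address_pairs": [{"mac_address": "fa:16:3e:5b:64:38",
                                  "ip_address": "10.1.1.14"}]}
VM2 = {"id": "VM2_PORT_ID_PLACEHOLDER",
       "mac_address": "fa:16:3e:00:00:02",
       "fixed_ips": [{"ip_address": "10.1.1.15"}],
       "allowed_address_pairs": []}

if __name__ == "__main__":
    for line in audit_vip([VM1, VM2], "10.1.1.14", "10.1.1.100", "10.1.1.200"):
        print(line)
```

In this model a frame sent from a MAC other than the one in the pair, such as a VRRP virtual MAC, is rejected even when the IP matches.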