[Openstack] neutron, l2population, linuxbridge and multiple ips

James Denton james.denton at rackspace.com
Fri Jun 24 01:07:52 UTC 2016


Hi Andreas,

LinuxBridge w/ VXLAN and l2population was incompatible with allowed-address-pairs, or any case where an IP may be configured on an interface that isn't defined on a port or moves around from VM to VM, for some time. It is more of a limitation of the ARP proxy implementation in the VXLAN kernel module than a Neutron bug, but nonetheless, here you go:

https://bugs.launchpad.net/neutron/+bug/1445089

The workaround was to patch the LinuxBridge agent to disable the ARP proxy when creating vxlan interfaces. Try adding 'arp_responder=False' to the [vxlan] section of the linuxbridge agent config file and restart the agent. This should be done across all nodes, and will only apply to Liberty and above.

James
________________________________________
From: Andreas Scheuring <scheuran at linux.vnet.ibm.com>
Sent: Monday, June 20, 2016 6:06 AM
To: openstack at lists.openstack.org
Subject: Re: [Openstack] neutron, l2population, linuxbridge and multiple ips

- What about using Neutron's "allowed address pairs"?
- Or setting up a tunnel network within your existing openstack tunnel
network?



--
-----
Andreas
IRC: andreas_s



On Sat, 2016-06-18 at 18:52 +0200, Joerg Streckfuss wrote:
> Dear list,
>
> I'm trying to set up an isolated network for testing cluster managers like
> keepalived on linux and carp on openbsd. This means there are ips which
> are bound to multiple ports. The main problem is when I try to configure
> new ip-addresses inside the vms and _not_ in neutron, these ips are not
> visible by the other vms. When I try to ping these ips I can see a local
> arp request inside the bridge of the requesting vm but this request does
> not reach the bridge of the destination vm. So my assumption is neutron,
> in particular the l2population, works only for ip addresses which are
> known by neutron ports. So in case of disabling dhcp I have to configure
> it for the neutron port and inside the vm, right?
>
> My setup is a 4-node openstack environment (one controller, three
> compute nodes), using liberty on centos7 carefully following the
> instructions under http://docs.openstack.org/liberty/install-guide-rdo/.
>
> I'm using self-service networks with one flat provider-network for
> external communication. I use VXLAN for overlay-networks. As mechanism
> drivers I use linuxbridge and l2population.
>
> The isolated network and the vms are initiated by heat templates. I
> disabled port security for each neutron port by setting
> 'port_security_enabled: false' inside the heat template.
>
> So what can I do so that a neutron isolated network behaves like a
> standard linuxbridge or especially a hardware switch, where no port
> security is configured and which forwards all kinds of arp traffic?
>
> Thanks in advance,
>
> Joerg
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
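
Added example, not part of the original thread and not Neutron code: a small audit that checks each node's linuxbridge agent config for the combination discussed above (VXLAN with l2population) and reports nodes where `arp_responder` is on or not set explicitly in `[vxlan]`. The node names, addresses and config contents are constructed; the fallback values for omitted keys and the choice to report an unset `arp_responder` are assumptions.

```python
import configparser

# Constructed sample configs, one per node (not taken from the thread).
_BASE = "[vxlan]\nenable_vxlan = True\nlocal_ip = {ip}\nl2_population = True\n"
SAMPLE_NODES = {
    "compute1": _BASE.format(ip="192.0.2.11") + "arp_responder = False\n",
    "compute2": _BASE.format(ip="192.0.2.12") + "arp_responder = True\n",
    "compute3": _BASE.format(ip="192.0.2.13"),  # option never added
    "compute4": "[vxlan]\nenable_vxlan = False\n",
}


def check_agent_config(text):
    """Classify one agent config: 'ok', 'proxy-on', 'unset', 'n/a' or 'invalid'."""
    # strict=False tolerates repeated keys; no interpolation so '%' is literal.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        cp.read_string(text)
        if not cp.has_section("vxlan"):
            return "n/a"
        vx = cp["vxlan"]
        # Fallbacks are assumed defaults for keys the file omits.
        if not (vx.getboolean("enable_vxlan", fallback=True)
                and vx.getboolean("l2_population", fallback=False)):
            return "n/a"  # the VXLAN + l2population case does not apply
        responder = vx.getboolean("arp_responder", fallback=None)
    except (configparser.Error, ValueError):
        return "invalid"  # unparsable file or non-boolean value
    if responder is None:
        return "unset"  # assumption: report it, since the advice is to add the line
    return "proxy-on" if responder else "ok"


def audit(nodes):
    """Return {node: status} for every node that still needs attention."""
    results = {name: check_agent_config(text) for name, text in nodes.items()}
    return {n: s for n, s in results.items() if s not in ("ok", "n/a")}


if __name__ == "__main__":
    for node, status in sorted(audit(SAMPLE_NODES).items()):
        print(f"{node}: {status}")
```

After changing the file on a flagged node, the agent still has to be restarted for the setting to take effect, as the reply above notes.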

