<div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px">Thiago,</span><div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif">You mention static IPv6 addresses for VMs.</font></div><div><font face="arial, sans-serif">How do tenants get their static IPv6 address / how does OpenStack know which IPv6 address a tenant has?</font></div><div><font face="arial, sans-serif"><br></font></div><div>My local cloud is using "nova-network with multi-host FlatDHCP networking" and trying to provide IPv4/IPv6 dual-stack.</div><div><span style="font-family:arial,sans-serif">The VM's IPv4 addresses are managed via dnsmasq DHCPv4 as per usual.</span></div><div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif">Because the upstream Cisco router sends IPv6 Router Advertisements, </font><span style="font-family:arial,sans-serif">VMs create an IPv6 address using SLAAC (great), </span><span style="font-family:arial,sans-serif">but some VMs don't have IPv6 temporary/privacy addressing disabled and so create and use extra IPv6 addresses that OpenStack doesn't know about (bad).</span></div><div><span style="font-family:arial,sans-serif">[ We don't control all the VM images that our tenants may wish to run. ]</span></div><div><span style="font-family:arial,sans-serif"><br></span></div><div><span style="font-family:arial,sans-serif">With Icehouse, Horizon can now set IPv6 security policy, but we are wondering how to configure it to block IPv6 address spoofing,</span></div><div><span style="font-family:arial,sans-serif">... which would also block IPv6 </span><span style="font-family:arial,sans-serif">temporary/privacy addresses ... 
and the VM would think it can use IPv6, but it wouldn't work.</span></div><div><span style="font-family:arial,sans-serif"><br></span></div><div><div><span style="font-family:arial,sans-serif">Is using DHCPv6 a viable option for configuring the IPv6 addresses on VMs?</span></div></div><div><span style="font-family:arial,sans-serif">[ Disable SLAAC by the router setting the M (managed) flag on the Router Advertisement, and clearing the A (autonomous) flag on the Prefix Information. ]</span><br></div><div><span style="font-family:arial,sans-serif"><br></span></div><div><span style="font-family:arial,sans-serif">Thanks,</span><br></div><div><span style="font-family:arial,sans-serif"> John</span></div><div><div class="gmail_extra"><br><div class="gmail_quote">On 14 October 2014 09:36, Martinx - ジェームズ <span dir="ltr"><<a href="mailto:thiagocmartinsc@gmail.com" target="_blank">thiagocmartinsc@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">Sure Brandon,<div><br></div><div>My file ml2_conf.ini looks like this:</div><div><br></div><div>---</div><div><div>[ml2]</div><div>type_drivers = vlan</div><div>tenant_network_types = vlan<br></div><div>mechanism_drivers = openvswitch<br></div><div><br></div><div>[ml2_type_flat]</div><div><br></div><div>[ml2_type_vlan]</div><div>network_vlan_ranges = physnet1:2090:4094</div><div><br></div><div>[ml2_type_gre]</div><div><br></div><div>[ml2_type_vxlan]</div><div><br></div><div>[securitygroup]</div><div>enable_security_group = True</div><div>firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver</div><div><br></div><div>[ovs]</div><div>enable_tunneling = False</div><div>tenant_network_type = vlan<br></div><div>integration_bridge = br-int</div><div>network_vlan_ranges = physnet1:2090:4094</div><div>bridge_mappings = 
physnet1:br-eth1</div></div><div>---</div><div><br></div><div>My Compute Nodes have two ethernets, eth0 is for "Node Internet Access at vlan200" / "Node Management at vlan210" and eth1 is where the "VLAN Provider Network" traffic flows on top of "br-eth1"...</div><div><br></div><div>Then I created each "net" as follows (1 for each tenant):</div><div><br></div><div>---</div><div>neutron net-create --tenant-id $TENANT1_ID --provider:physical_network=physnet1 --provider:network_type=vlan --provider:segmentation_id=2090 physnet1-vlan2090<br></div><div>neutron net-create --tenant-id $TENANT2_ID --provider:physical_network=physnet1 --provider:network_type=vlan --provider:segmentation_id=2091 physnet1-vlan2091<br></div><div>---</div><div><br></div><div>And after this, I connected via Horizon, to create the "subnets" (both IPv4-dhcp and IPv6-static).</div><div><br></div><div>Hope it helps! :-)</div><div><br></div><div>Cheers!</div><div>Thiago</div><div><br></div></div><div class=""><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On 13 October 2014 19:17, Brandon Sawyers <span dir="ltr"><<a href="mailto:brandor5@gmail.com" target="_blank">brandor5@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><p dir="ltr">I would love to see your config for vlan provider networks. We're interested in using these but are running into trouble getting it set up correctly, even using the link you provided.</p>
<p dir="ltr">Thanks,<br>
Brandon</p><div><div>
<div class="gmail_quote">On Oct 13, 2014 2:40 PM, "Martinx - ジェームズ" <<a href="mailto:thiagocmartinsc@gmail.com" target="_blank">thiagocmartinsc@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">Hey guys,<div><br></div><div>A few people asked me what kind of problems I reached when using GRE/VXLAN tunnels, well, here we go:</div><div><br></div><div>---</div><div><div>I faced lots of problems with Neutron L3 Router in the past, now, I'm using in production, the topology called "VLAN Provider Networks" (no GRE / VXLAN tunnels, only plain Flat tagged VLANs).</div><div><br></div><div>Like this:</div><div><br></div><div><a href="https://developer.rackspace.com/blog/neutron-networking-vlan-provider-networks/" target="_blank">https://developer.rackspace.com/blog/neutron-networking-vlan-provider-networks/</a></div><div><br></div><div>It is by far, much more stable, even when with OpenvSwitch. No more Neutron L3 Router... 
I'll start testing it again, with Juno (because of its native IPv6 support, seems pretty cool, BTW), looking to put it into prod again with K...</div><div><br></div><div>This way (Flat / VLAN provider), the Network Node runs only the dhcp and the metadata (iptables redirect to compute) services.</div><div><br></div><div>Also, there are no GRE / VXLAN tunnels, only plain tagged VLANs.</div><div><br></div><div>I have a guide to configure Flat Provider Network, which is very similar to VLANs (only that it has only 1 LAN, same topology with upstream router), take a look: <a href="https://github.com/tmartinx/openstack-guides/tree/master/IceHouse" target="_blank">https://github.com/tmartinx/openstack-guides/tree/master/IceHouse</a></div><div><br></div><div>-</div><div>Neutron L3 Router problems I faced (already fixed) - (there are more problems, like the one you're facing):</div><div><br></div><div>Directional network performance issues with Neutron + OpenvSwitch:<br></div><div><a href="https://bugs.launchpad.net/neutron/+bug/1252900" target="_blank">https://bugs.launchpad.net/neutron/+bug/1252900</a> - huge problem with a simple fix, by disabling gro with ethtool at your L3 Router</div><div><br></div><div>Attaching an IPv6 private subnet to an L3 Router, breaks it and its IPv4 Floating IPs:<br></div><div><a href="https://bugs.launchpad.net/neutron/+bug/1322945" target="_blank">https://bugs.launchpad.net/neutron/+bug/1322945</a></div><div>-</div></div><div><br></div><div>Another problem:</div><div><br></div><div>Neutron router and nf_conntrack performance problems:<br></div><div><a href="http://lists.openstack.org/pipermail/openstack-dev/2014-August/043269.html" target="_blank">http://lists.openstack.org/pipermail/openstack-dev/2014-August/043269.html</a></div><div>---</div><div><br></div><div>Not to mention that, when I first deployed OpenStack with Neutron L3 a couple of years ago, everything appeared to be working, Floating IPs, and ICMP connectivity but, when I tried to 
run "apt-get update" within an Instance, it did not work... After digging a lot on the Interwebs, I figured out that I was seeing the infamous "MTU problem"... Lowering it to 1450 was the first workaround I touched with Neutron L3...</div><div><br></div><div>Also, during the life cycle of random instances, it sees too many network outages. Forcing me (the architect / operator) to shut down the instances lots of times, run `neutron-ovs-cleanup` at the network and compute nodes, compute nodes reboots and then, "out-of-nothing", instance got connectivity again...</div><div><br></div><div>None of these problems exist on a plain VLAN topology.</div><div><br></div><div>And BTW, from my point of view, it seems very weird to deploy IPv6 connectivity to the instances, on top of IPv4 tunnels! That GRE / VXLAN... While I like the idea of "per-tenant routers with private networks", I also like the idea of stability and of the performance of plain (V)LANs. Q-in-Q seems a nice approach too.</div><div><br></div><div>-</div><div> Thiago</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 9 October 2014 23:17, Martinx - ジェームズ <span dir="ltr"><<a href="mailto:thiagocmartinsc@gmail.com" target="_blank">thiagocmartinsc@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">Just for the record, I gave up on Neutron L3 Router, powered by GRE/VXLAN tunnels. 
There are too many problems on this architecture.<div>I'm using Flat/VLAN Provider Networks right now (still with OpenvSwitch but, no problems), I'm looking for a new solution (with IPv6), I'll take a look at OpenContrail!</div><div><br></div><div>Thanks!<br></div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On 9 October 2014 20:35, Rudrajit Tapadar <span dir="ltr"><<a href="mailto:rudrajit.tapadar+osgen@gmail.com" target="_blank">rudrajit.tapadar+osgen@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">At Symantec's Cloud Platform Engineering, we have deployed OpenStack+OpenContrail at a fairly large scale. I can't give you exact numbers, but you can get some data points from our SDN evaluation presentation in the Atlanta summit: <a href="https://www.openstack.org/summit/openstack-summit-atlanta-2014/session-videos/presentation/software-defined-networking-performance-and-architecture-evaluation" target="_blank">https://www.openstack.org/summit/openstack-summit-atlanta-2014/session-videos/presentation/software-defined-networking-performance-and-architecture-evaluation</a><div><div><br><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 29, 2014 at 4:14 PM, Raghu Vadapalli <span dir="ltr"><<a href="mailto:rvatspacket@gmail.com" target="_blank">rvatspacket@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span>
<br>
<div>On 09/29/2014 01:52 PM, Tim Bell wrote:<br>
</div>
<blockquote type="cite">
<div>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Are
there any references for people running OpenContrail at
scale ?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
</div>
</blockquote></span>
Though references are good to have, in general, L3 networks are known
to scale better than L2 networks. <br>
Having said that, the complexity of two large frameworks OpenStack
+ OpenContrail working together nicely in<br>
deployment is not known to me. Any ideas ?<br>
<br>
<blockquote type="cite"><span>
<div>
<div style="border-style:none none none solid;border-left-color:blue;border-left-width:1.5pt;padding:0cm 0cm 0cm 4pt">
<div>
<div style="border-style:solid none none;border-top-color:rgb(225,225,225);border-top-width:1pt;padding:3pt 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:11pt;font-family:Calibri,sans-serif" lang="EN-US">From:</span></b><span style="font-size:11pt;font-family:Calibri,sans-serif" lang="EN-US"> NAPIERALA, MARIA H
[<a href="mailto:mn1921@att.com" target="_blank">mailto:mn1921@att.com</a>]
<br>
<b>Sent:</b> 29 September 2014 19:26<br>
<b>To:</b> <a href="mailto:dennisml@conversis.de" target="_blank">dennisml@conversis.de</a><br>
<b>Cc:</b> <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a><br>
<b>Subject:</b> Re: [Openstack] Rackspace abandons
Open vSwitch ?<u></u><u></u></span></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">……<u></u><u></u></span></p>
<div>
<p class="MsoNormal"><span>> What are the alternatives though? As far
as I know the regular linux<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span>> bridge lacks most of the features of OVS
and these are the only two<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span>> options I've played with so far. Is there
a third alternative out there<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span>> that they've switched to?<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span> <u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span>One alternative is OpenContrail vRouter as
ML3 plugin. It meets the scale and feature requirements.<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span> <u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span>Maria<u></u><u></u></span></p>
</div>
</div>
</div>
<br>
<br>
</span><span><pre>_______________________________________________
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
Post to : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
</pre>
</span></blockquote>
<br>
</div>
<br></blockquote></div><br></div></div></div></div>
<br></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
<br></blockquote></div>
</div></div></blockquote></div><br></div>
</div></div><br>
<br></blockquote></div><br></div></div></div>
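<div>Added example, not part of the thread: why a per-port IPv6 anti-spoofing filter of the kind John asks about also drops temporary/privacy addresses. It assumes the cloud pins each port to the address derived from its MAC (modified EUI-64) plus the matching link-local address; the function names, prefix, MAC and sample addresses are constructed for illustration.</div>

```python
import ipaddress


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Modified EUI-64 address (RFC 4291, Appendix A) for a /64 prefix and a MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers need a /64 prefix")
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between the two MAC halves.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return net[int.from_bytes(iid, "big")]


def classify_source(src: str, prefix: str, mac: str) -> str:
    """Verdict an address-pinning filter (assumed policy) reaches for one source."""
    addr = ipaddress.IPv6Address(src)
    if addr in (eui64_address(prefix, mac), eui64_address("fe80::/64", mac)):
        return "allow"
    if addr in ipaddress.IPv6Network(prefix):
        # Right subnet, unknown interface identifier: a temporary/privacy
        # address (RFC 4941) and a spoofed neighbour address look identical.
        return "drop-unknown-iid"
    return "drop-off-subnet"


# Constructed sample data: documentation prefix, made-up MAC and addresses.
PREFIX = "2001:db8:0:2090::/64"
PORT_MAC = "fa:16:3e:12:34:56"
OBSERVED = [
    "2001:db8:0:2090:f816:3eff:fe12:3456",  # SLAAC address derived from the MAC
    "fe80::f816:3eff:fe12:3456",            # link-local derived from the MAC
    "2001:db8:0:2090:3c5a:91ff:4e07:b2d1",  # random IID, as a privacy address has
    "2001:db8:ffff::1",                     # not on the tenant subnet at all
]


def audit(observed=OBSERVED):
    """Map each observed source address to the filter's verdict."""
    return {src: classify_source(src, PREFIX, PORT_MAC) for src in observed}


if __name__ == "__main__":
    for src, verdict in audit().items():
        print(f"{verdict:18} {src}")
```

<div>The third sample is the case raised in the thread: the guest believes the address is usable, the filter cannot tell it from a spoofed one, and traffic from it is dropped.</div>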