On Thu, 2021-07-22 at 22:26 +0530, Gk Gk wrote:
So, if I have a provider vlan network managed by neutron, tenant isolation and overlapping ips are not possible in this case?
We should not use the term vlan provider network, as that is really conflating 2 concepts. There are vlan tenant networks, which when you create as an admin you can also specify the physical network and vlan on which it will reside. And there are admin created networks, which is just a tenant network where the admin chose the vlan id manually instead of leaving neutron to select the next available vlan. So vlan networks, whether created by the admin or a normal tenant, support both isolation and overlap. There is a separate concept of provider networking, which can comprise either l2 networks or l3 routed networks where dhcp and routing is provided by non neutron managed elements in your data center. If you created the vlan network via neutron's api and you are using neutron to provide l3 routers and you are neither bridging the vlans manually in your network switches nor violating the physnet rules, then vlan networks support isolation and ip overlap. The docs always get this wrong, even upstream, since they imply that the fact that you create a network as an admin is what makes it a provider network. That is not the case. It's only a provider network if the connectivity to, from and between the networks is managed in your infrastructure, not within neutron.
On Thu, Jul 22, 2021 at 9:34 PM Sean Mooney <smooney@redhat.com> wrote:
On Thu, 2021-07-22 at 21:20 +0530, Gk Gk wrote:
Hi,
I want to know if tenant isolation and overlapping ips are possible in the case of provider vlan networks?
If not, how is it different when compared to tenant networks of type vlan where tenant isolation is possible?
For vlan tenant networks you can have overlapping ips and tenant isolation.
For provider networks however all routing between networks is provided by your provider routers, so you as the operator have to implement that routing in such a way that supports both of your requirements.
Please explain. I am confused between the two regarding their tenant isolation and overlapping ips features.
Neutron supports both for vlan tenant networks provided you do not violate neutron's requirement that physnets never overlap.
e.g. if you have 2 ports on a physical host attached to physnet 1 and physnet 2, you must ensure that they are physically connected to different top of rack switches and physical networks in the datacenter.
If you violate this requirement then you can have two tenant networks with the same segmentation id but different physnets.
From neutron's point of view they are isolated, but if you have multiple physnet labels for the same physical network in your datacenter then tenant isolation will be broken.
Some operators try to use physnets as a hack, for example to select numa nodes on a host when using sriov, where they intentionally violate the requirement that physical networks must never share an l2 broadcast domain, but when they do that they are giving up the ability to do tenant isolation.
Thanks Kumar
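The physnet rule Sean describes (physnet labels must never share an L2 broadcast domain, otherwise two "isolated" VLAN networks can end up with the same VLAN id on the same wire) can be audited from the operator side. The script below is an added example written for this thread; it is not Neutron code and not something either poster provided. It assumes a hypothetical operator-maintained map from each physnet label to the physical broadcast domain it is cabled into, and the network records are constructed sample data that mirror the shape of Neutron's `provider:*` network attributes.

```python
"""Audit VLAN tenant isolation against physnet-to-broadcast-domain cabling.

Added example (not from the mailing-list thread and not Neutron's own code).
Neutron guarantees segmentation ids are unique *within* a physnet label, but
it cannot know that two labels are cabled into the same L2 fabric; that part
of the model is the operator's responsibility, and this script checks it.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample records, projected onto Neutron's provider:* attributes.
# tenant-a and tenant-b both got VLAN 100, which is legal in Neutron because
# their physnet labels differ.
NETWORKS = [
    {"name": "tenant-a-net", "provider:network_type": "vlan",
     "provider:physical_network": "physnet1", "provider:segmentation_id": 100},
    {"name": "tenant-b-net", "provider:network_type": "vlan",
     "provider:physical_network": "physnet2", "provider:segmentation_id": 100},
    {"name": "tenant-c-net", "provider:network_type": "vlan",
     "provider:physical_network": "physnet3", "provider:segmentation_id": 100},
    {"name": "tenant-d-net", "provider:network_type": "vxlan",
     "provider:physical_network": None, "provider:segmentation_id": 100},
]

# Hypothetical operator-maintained map: which physical L2 broadcast domain
# (for example a top-of-rack fabric) each physnet label is actually plugged
# into.  physnet1 and physnet2 sharing one fabric is the anti-pattern from the
# thread (e.g. physnet labels abused to steer SR-IOV ports to a NUMA node).
PHYSNET_TO_L2_DOMAIN = {
    "physnet1": "tor-fabric-A",
    "physnet2": "tor-fabric-A",
    "physnet3": "tor-fabric-B",
}


def shared_domains(physnet_to_domain):
    """Return {domain: [physnet labels]} for every domain that carries more
    than one label.  Any entry here already violates the physnet rule, even
    before a VLAN id collision happens."""
    labels_by_domain = defaultdict(list)
    for physnet, domain in physnet_to_domain.items():
        labels_by_domain[domain].append(physnet)
    return {d: sorted(ls) for d, ls in labels_by_domain.items() if len(ls) > 1}


def find_isolation_breaks(networks, physnet_to_domain):
    """Return (net_a, net_b, domain, vlan) tuples for pairs of VLAN networks
    that Neutron treats as isolated (different physnet labels) but that share
    both a physical broadcast domain and a VLAN id, so the fabric bridges them.
    Tunnel networks (vxlan, gre, ...) are skipped: their segmentation ids live
    in a separate space and do not ride the VLAN tag on the wire."""
    by_domain_vlan = defaultdict(list)
    for net in networks:
        if net["provider:network_type"] != "vlan":
            continue
        domain = physnet_to_domain.get(net["provider:physical_network"])
        if domain is None:
            # Unknown label: cannot be audited without updating the map.
            continue
        by_domain_vlan[(domain, net["provider:segmentation_id"])].append(net)

    breaks = []
    for (domain, vlan), nets in sorted(by_domain_vlan.items()):
        for a, b in combinations(nets, 2):
            if a["provider:physical_network"] != b["provider:physical_network"]:
                breaks.append((a["name"], b["name"], domain, vlan))
    return breaks


if __name__ == "__main__":
    for domain, labels in shared_domains(PHYSNET_TO_L2_DOMAIN).items():
        print(f"physnet rule violated: {labels} all map to {domain}")
    for a, b, domain, vlan in find_isolation_breaks(NETWORKS, PHYSNET_TO_L2_DOMAIN):
        print(f"isolation broken: {a} and {b} share VLAN {vlan} on {domain}")
```

In a real deployment the `NETWORKS` list would be filled from `openstack network list` output by an admin, and the physnet map is the part Neutron cannot derive on its own; keeping that map accurate is what turns the "physnets never overlap" requirement into something that can actually be checked.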