[neutron] DVR / IPv6 on provider network instead?
Eric K. Miller
emiller at genesishosting.com
Sun Jun 28 23:19:44 UTC 2020
> If so, is there a possibility of using a provider network that is connected to all compute nodes where IPv6 subnets are issued to tenants from a subnet pool, with traffic being routed directly to an external router (not a Neutron router) using Linux Bridge instead of OVS? Yet, still use port security?
> Just trying to figure out the best way to support IPv6 without forwarding all traffic through a single network node, while using DVR for IPv4.
I believe I have a solution, which works for IPv4, where public IP addresses are assigned to a VM's port without the use of floating IPs. I think this approach can work for IPv6, with an upstream DHCPv6 server.
My IPv4 approach was to create an internal VLAN on our firewalls, where a public subnet is assigned (statically routed), and a gateway IP is assigned to the firewall. This VLAN is then assigned to a provider network. An OpenStack subnet is created on the provider network for the public subnet range with an allocation range associated with the IPs we want to hand out to VMs, with DHCP enabled. The subnet's gateway property is set to "None", along with DNS servers set, and a "host-route" is added for a default gateway, using our firewall's IP as the gateway.
When a server is created on this network, an IP is allocated from the public subnet, the gateway is assigned to our firewall's IP, DNS is set correctly, and security groups work fine on the port. Best of all, traffic is sent/received from the host, not through the network node, so this is a reasonably scalable solution.
More information about the openstack-discuss