[Openstack-operators] [neutron] multiple external networks on the same host NIC

Neil Jerram Neil.Jerram at metaswitch.com
Thu Apr 30 12:28:28 UTC 2015 

Hi Mike,

On 27/04/15 16:49, Mike Spreitzer wrote:

>  > My use case is that I have two behaviorally different external
>  > subnets --- they are treated differently by stuff outside of
>  > OpenStack, with consequences that are meaningful to tenants.  Thus,
>  > I have two categories of floating IP addresses, depending on which
>  > external subnet holds the floating IP address.  The difference is
>  > meaningful to tenants.  So I need to enable a tenant to request a
>  > floating IP address of a specific category.  Since Neutron equates
>  > floating IP address allocation pool with network, I need two
>  > external networks.
>  >
>  > Both of these external subnets are present on the same actual
>  > external LAN, thus both are reached through the same host NIC.
>  >
>  > It looks to me like the allowed mac/IP address pair feature will not
>  > solve this problem.
>
> Sorry, I simplified too much.  Here is one other critical detail.  I do
> not really have just two different external subnets.  What I really have
> is two behaviorally different collections of subnets.  I need to make a
> Neutron external network for each of the two collections of external
> subnets.


Do your tenants' instances, that are addressed within the same IP 
subnet, require real L2 broadcast connectivity between each other, or 
just IP connectivity?

If the latter, an option would be for you to use the Calico networking 
driver.  The Calico solution, for your requirements as I understand 
them, would be as follows.

- Define networks for all the IP ranges from which you want to allocate 
addresses for your instances.

   - One with the range for your first external network.

   - One with the range for your second external network.

   - One with a range that is private within the data center, for 
instances that don't need to be addressable from outside.

- Define a security group representing the tenant, allowing all 
instances in the SG to speak to each other, plus any external access 
that that may require.

- When launching a group of instances, specify the network that provides 
the desired range of IP addresses, and the SG representing the tenant.

Is that of interest?

Regards,
	Neil

More information about the OpenStack-operators mailing list