[Openstack-operators] [openstack operators][neutron] Neutron Router getting address not inside allocation range on provider network

Chris Apsey bitskrieg at bitskrieg.net
Sat Mar 17 21:10:50 UTC 2018


Had a strange incident the other day that seems like it shouldn't be 
possible inside of neutron...

We are currently running Queens on Ubuntu 16.04 w/ the linuxbridge ml2 
plugin with vxlan overlays.  We have a single, large provider network 
that we have set to 'shared' and 'external', so people who need to do 
things that don't work well with NAT can connect their instances 
directly to the provider network.  Our 'allocation range' as defined in 
our provider subnet is dedicated to tenants, so there should be no 

The other day, one of our users connected a neutron router to the 
provider network (not via the 'external network' option, but rather via 
the normal 'add interface' option) and neglected to specify an IP 
address.  The neutron router decided that it was now the gateway for the 
entire provider network and began arp'ing as such (I'm sure you can 
imagine the results).

To me, this seems like it should be disallowed inside of neutron (you 
shouldn't be able to specify an IP address for a router interface that 
isn't explicitly part of your allocation range on said subnet).  Does 
neutron just expect issues like this to be handled by the physical 
provider infrastructure (spoofing prevention, etc.)?



Chris Apsey
bitskrieg at bitskrieg.net

More information about the OpenStack-operators mailing list