[Openstack] how to forbid the instances communicating on the same host but different bridges and vlans?

Vishvananda Ishaya vishvananda at gmail.com
Sat Jun 2 06:11:59 UTC 2012


You could tell dnsmasq to use your router as the gateway instead of the network host and then not allow routing across vlans.

To use an external gateway use a config option like the following:
dnsmasq_config_file=/path/to/config

In that config file you can use:
dhcp_option=3,<ip of router>
to force VMs to use your router as their gateway.

Vish
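As an added illustration of the situation in this thread (not code from the thread or from Nova): a small host-side audit that models why VMs on br200/br201 can reach br300 on a multi_host node, and when the dnsmasq gateway option above removes that path. The bridge-to-project map and the `ip route show` sample are constructed from Romi's nova-manage commands; `dhcp-option=3` is dnsmasq's spelling of the directive.

```python
import re
from itertools import combinations

# Constructed from the nova-manage commands quoted in this thread: bridge -> project_id
BRIDGE_PROJECT = {
    "br200": "5f9281bca6854fe3974a457d81afd78c",  # admin_web, VLAN 200
    "br201": "5f9281bca6854fe3974a457d81afd78c",  # admin_ssl, VLAN 201
    "br300": "ee29f5730caa40958bf4812a0fbec3d9",  # aipu_web, VLAN 300
}

# Constructed sample of `ip route show` on a multi_host node: the host itself
# owns the .1 address on every tenant bridge, so with ip_forward=1 it is a
# router between those VLANs regardless of what the VMs' own route tables show.
SAMPLE_ROUTES = """\
default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.11
192.168.2.0/28 dev br200 proto kernel scope link src 192.168.2.1
192.168.21.0/28 dev br201 proto kernel scope link src 192.168.21.1
192.168.3.0/28 dev br300 proto kernel scope link src 192.168.3.1
"""
ROUTE_RE = re.compile(r"^(\S+) dev (\S+) .*\bsrc (\S+)")

def bridge_gateways(ip_route_output):
    """Map each tenant bridge to (subnet, address the host holds on that bridge)."""
    gws = {}
    for line in ip_route_output.splitlines():
        m = ROUTE_RE.match(line)
        if m and m.group(2) in BRIDGE_PROJECT:
            gws[m.group(2)] = (m.group(1), m.group(3))
    return gws

def dhcp_gateway(dnsmasq_config):
    """Router handed to VMs by a dnsmasq `dhcp-option=3,<ip>` line, or None."""
    m = re.search(r"^\s*dhcp-option\s*=\s*3\s*,\s*(\S+)", dnsmasq_config, re.M)
    return m.group(1) if m else None

def cross_tenant_paths(ip_route_output, ip_forward, dnsmasq_config=""):
    """Bridge pairs of different projects whose VM traffic this host would forward.

    Empty when forwarding is off, or when dnsmasq points VMs at a gateway that
    is not one of the host's own bridge addresses (an external router)."""
    gws = bridge_gateways(ip_route_output)
    host_addrs = {addr for _, addr in gws.values()}
    router = dhcp_gateway(dnsmasq_config)
    if not ip_forward or (router and router not in host_addrs):
        return []
    return [(a, b) for a, b in combinations(sorted(gws), 2)
            if BRIDGE_PROJECT[a] != BRIDGE_PROJECT[b]]
```

Pointing VMs at an external router only helps if that router itself refuses to route between the tenant VLANs, as the reply above notes.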

On Jun 1, 2012, at 10:30 PM, romizhang1968 wrote:

> Vish,
> 
> Thanks for your reply.
> Yes, I allowed ICMP ping from 0.0.0.0/0, but the question is, I think different instances in different tenants and VLANs on the same compute node should not touch each other: admin03 (192.168.2.3) in VLAN 200 and 201 should only be able to get IP contact with instances of the same tenant, and should not be able to touch aipu01 (192.168.3.3) in VLAN 300 and aipuTenant, even on the same compute node.
> I checked the route table; OpenStack creates a route item to each bridge on the node, but in admin03 the route table only shows how to go to 192.168.2.0 and 192.168.21.0, and has no way to reach the net 192.168.3.0. But admin03 could ping aipu01, which means it uses the node route table; I did not know why.
> So I want to know whether there is a way in an OpenStack command to stop this situation (please do not reply that I should delete the compute node route item). And I think each VM should connect to the "access port" and go through the trunk port (eth1 or eth2) to communicate with others.
> That is what I want.
> regards,
> Romi
> 
> 
> 
> At 2012-06-02 00:47:49,"Vishvananda Ishaya" <vishvananda at gmail.com> wrote:
> Broadcast traffic should be blocked via the vlan separation and direct traffic should be blocked via security groups. Do you have a security group that allows ping traffic from 0.0.0.0/0?
> 
> Vish
> 
> On Jun 1, 2012, at 1:38 AM, romi zhang wrote:
> 
>> Hi,
>>  
>> I use the following commands to create 2 NICs for the instances of adminTenant and 1 NIC for aipuTenant:
>>  
>> nova-manage network create --label=admin_web --fixed_range_v4=192.168.2.0/28 --num_networks=1 --vlan=200 --bridge=br200 --bridge_interface=eth1 --network_size=16 --multi_host=T --project_id=5f9281bca6854fe3974a457d81afd78c
>>  
>> nova-manage network create --label=admin_ssl --fixed_range_v4=192.168.21.0/28 --num_networks=1 --vlan=201 --bridge=br201 --bridge_interface=eth2 --network_size=16 --multi_host=T --project_id=5f9281bca6854fe3974a457d81afd78c
>>  
>> nova-manage network create --label=aipu_web --fixed_range_v4=192.168.3.0/28 --num_networks=1 --vlan=300 --bridge=br300 --bridge_interface=eth1 --network_size=16 --multi_host=T --project_id=ee29f5730caa40958bf4812a0fbec3d9
>>  
>> But the result is:
>> 1. The instance admin03 (192.168.2.3, 192.168.21.3, belonging to adminTenant) could successfully ping aipu01 (192.168.3.3, belonging to aipuTenant) on the same compute node (NC01, network + compute services).
>> 2. Of course, admin03 could not successfully ping aipu03 (192.168.3.6) on the other compute node (NC02, network + compute services).
>>  
>> Is there a way or setting to forbid IP contact between instances of different tenants in different bridges and VLANs on the same compute node?
>>  
>> Romi
>>  
