[Openstack] [neutron] provider router with private networks, can not ping private IP and floating IP
sylecn
sylecn at gmail.com
Mon Nov 18 01:28:15 UTC 2013
Here is the route -n and ifconfig output from the qdhcp namespace:
root at 172-17-6-68:/var/log/neutron# ip netns exec
qdhcp-a63f0950-cdea-4a6d-8312-1819113dc244 route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use
Iface
0.0.0.0 10.0.1.1 0.0.0.0 UG 0 0 0
tap35a8ab42-4f
10.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0
tap35a8ab42-4f
root at 172-17-6-68:/var/log/neutron# ip netns exec
qdhcp-a63f0950-cdea-4a6d-8312-1819113dc244 ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:27 errors:0 dropped:0 overruns:0 frame:0
TX packets:27 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4768 (4.7 KB) TX bytes:4768 (4.7 KB)
tap35a8ab42-4f Link encap:Ethernet HWaddr fa:16:3e:44:c2:0a
inet addr:10.0.1.2 Bcast:10.0.1.255 Mask:255.255.255.0
inet6 addr: fe80::f816:3eff:fe44:c20a/64 Scope:Link
UP BROADCAST RUNNING MTU:1500 Metric:1
RX packets:50 errors:0 dropped:0 overruns:0 frame:0
TX packets:36 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2624 (2.6 KB) TX bytes:2000 (2.0 KB)
On Mon, Nov 18, 2013 at 9:24 AM, sylecn <sylecn at gmail.com> wrote:
> I have enabled namespace, but I did not use overlapping IP addresses so
> far.
>
> Here is the result of the netns command:
>
> root at 172-17-6-68:/var/log/neutron# ip netns show
> qrouter-c5b513fa-6d6a-476f-bfc0-2114954a15aa
> qdhcp-a63f0950-cdea-4a6d-8312-1819113dc244
> root at 172-17-6-68:/var/log/neutron# ip netns exec
> qdhcp-a63f0950-cdea-4a6d-8312-1819113dc244 ping 10.0.1.3
> PING 10.0.1.3 (10.0.1.3) 56(84) bytes of data.
> From 10.0.1.2 icmp_seq=1 Destination Host Unreachable
> From 10.0.1.2 icmp_seq=2 Destination Host Unreachable
> From 10.0.1.2 icmp_seq=3 Destination Host Unreachable
> From 10.0.1.2 icmp_seq=4 Destination Host Unreachable
> From 10.0.1.2 icmp_seq=5 Destination Host Unreachable
> From 10.0.1.2 icmp_seq=6 Destination Host Unreachable
> From 10.0.1.2 icmp_seq=7 Destination Host Unreachable
> From 10.0.1.2 icmp_seq=8 Destination Host Unreachable
> From 10.0.1.2 icmp_seq=9 Destination Host Unreachable
> From 10.0.1.2 icmp_seq=10 Destination Host Unreachable
> From 10.0.1.2 icmp_seq=11 Destination Host Unreachable
> From 10.0.1.2 icmp_seq=12 Destination Host Unreachable
> ^C
> --- 10.0.1.3 ping statistics ---
> 13 packets transmitted, 0 received, +12 errors, 100% packet loss, time
> 12061ms
> pipe 3
> root at 172-17-6-68:/var/log/neutron#
>
> Using ip netns exec qdhcp-* ping, I can ping 10.0.1.1 and 10.0.1.2.
> However, ping 10.0.1.3 still fail.
>
>
>
> On Mon, Nov 18, 2013 at 12:59 AM, Kyle Mestery (kmestery) <
> kmestery at cisco.com> wrote:
>
>> On Nov 17, 2013, at 2:45 AM, sylecn <sylecn at gmail.com> wrote:
>> >
>> > Thanks for the information. Now I have configured a provider router
>> based network, with Open vSwitch GRE tunnels.
>> >
>> > Here is the network topology:
>> >
>> > external network: 172.17.0.0/16
>> > external network physical router: 172.17.0.1
>> > neutron node IP: 172.17.6.68
>> >
>> > virtual provider router: 172.17.6.70
>> >
>> > virtual subnet1: 10.0.1.0/24
>> >
>> > Now I can boot a vm instance and it got an IP from private IP pool
>> (10.0.1.3). I can also associate a floating IP to it (172.17.6.71). But I
>> can't ping the private ip nor the floating ip.
>> >
>> > From the neutron node, I can ping 172.17.6.70, but can't ping 10.0.1.1,
>> 10.0.1.3, 172.17.6.71.
>> > So I can't ssh into the vm. My guess is something is wrong with the
>> 10.0.1.0/24 network, but I don't know what.
>> >
>> Are you setup to use network namespaces with overlapping IP addresses? If
>> so, each tenant network will have it's own network namespace on the node
>> running the Neutron L3 agent. To see these, run this command:
>>
>> ip netns show
>>
>> From the qdhcp-* one, you can try to ping your tenant network address:
>>
>> ip netns exec qdhcp-* ping 10.0.1.3
>>
>> Let me know if that helps.
>>
>> Thanks,
>> Kyle
>>
>> > I used the NoopFirewallDriver in OVS plugin, so icmp and tcp:22 are not
>> blocked by security-group rules.
>> >
>> > Here is the current setup:
>> > (neutron) net-list
>> >
>> +--------------------------------------+--------+----------------------------------------------------+
>> > | id | name | subnets
>> |
>> >
>> +--------------------------------------+--------+----------------------------------------------------+
>> > | a63f0950-cdea-4a6d-8312-1819113dc244 | net1 |
>> 708f2a58-bd85-4493-b91c-a6d42c0db5e7 10.0.1.0/24 |
>> > | ee318d0b-74e5-43c6-92bd-abb690df3334 | extnet |
>> 4c111c62-50f2-4332-b635-57846cf1980c 172.17.0.0/16 |
>> >
>> +--------------------------------------+--------+----------------------------------------------------+
>> > (neutron) subnet-list
>> >
>> +--------------------------------------+---------+---------------+------------------------------------------------+
>> > | id | name | cidr |
>> allocation_pools |
>> >
>> +--------------------------------------+---------+---------------+------------------------------------------------+
>> > | 4c111c62-50f2-4332-b635-57846cf1980c | extnet | 172.17.0.0/16 |
>> {"start": "172.17.6.70", "end": "172.17.6.75"} |
>> > | 708f2a58-bd85-4493-b91c-a6d42c0db5e7 | subnet1 | 10.0.1.0/24 |
>> {"start": "10.0.1.2", "end": "10.0.1.254"} |
>> >
>> +--------------------------------------+---------+---------------+------------------------------------------------+
>> > (neutron) port-list
>> >
>> +--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
>> > | id | name | mac_address |
>> fixed_ips
>> |
>> >
>> +--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
>> > | 234b4e76-7b7a-461f-8b61-2b7c58165fd2 | | fa:16:3e:86:95:d3 |
>> {"subnet_id": "708f2a58-bd85-4493-b91c-a6d42c0db5e7", "ip_address":
>> "10.0.1.1"} |
>> > | 35a8ab42-4f1a-4f1e-b656-ab4dd0e83725 | | fa:16:3e:44:c2:0a |
>> {"subnet_id": "708f2a58-bd85-4493-b91c-a6d42c0db5e7", "ip_address":
>> "10.0.1.2"} |
>> > | 85f4d2d7-c92b-4bc1-b080-2b1978bb6e17 | | fa:16:3e:cd:77:17 |
>> {"subnet_id": "708f2a58-bd85-4493-b91c-a6d42c0db5e7", "ip_address":
>> "10.0.1.3"} |
>> > | 9a24c2e9-a6da-4a24-93d4-9eef8cb0bcfa | | fa:16:3e:01:a2:ef |
>> {"subnet_id": "4c111c62-50f2-4332-b635-57846cf1980c", "ip_address":
>> "172.17.6.70"} |
>> > | f508b629-6e95-4be4-89c0-b37be3907231 | | fa:16:3e:7c:41:0a |
>> {"subnet_id": "4c111c62-50f2-4332-b635-57846cf1980c", "ip_address":
>> "172.17.6.71"} |
>> >
>> +--------------------------------------+------+-------------------+------------------------------------------------------------------------------------+
>> > (neutron) port-show 234b4e76-7b7a-461f-8b61-2b7c58165fd2
>> >
>> +-----------------------+---------------------------------------------------------------------------------+
>> > | Field | Value
>> |
>> >
>> +-----------------------+---------------------------------------------------------------------------------+
>> > | admin_state_up | True
>> |
>> > | allowed_address_pairs |
>> |
>> > | binding:capabilities | {"port_filter": false}
>> |
>> > | binding:host_id | 172-17-6-68.yygamedev.com
>> |
>> > | binding:vif_type | ovs
>> |
>> > | device_id | c5b513fa-6d6a-476f-bfc0-2114954a15aa
>> |
>> > | device_owner | network:router_interface
>> |
>> > | extra_dhcp_opts |
>> |
>> > | fixed_ips | {"subnet_id":
>> "708f2a58-bd85-4493-b91c-a6d42c0db5e7", "ip_address": "10.0.1.1"} |
>> > | id | 234b4e76-7b7a-461f-8b61-2b7c58165fd2
>> |
>> > | mac_address | fa:16:3e:86:95:d3
>> |
>> > | name |
>> |
>> > | network_id | a63f0950-cdea-4a6d-8312-1819113dc244
>> |
>> > | status | ACTIVE
>> |
>> > | tenant_id | 860483f3ceeb43aab4d1f0e8f76b4064
>> |
>> >
>> +-----------------------+---------------------------------------------------------------------------------+
>> > (neutron)
>> > root at 172-17-6-68:/etc/neutron# nova list
>> >
>> +--------------------------------------+------+--------+------------+-------------+----------------------------+
>> > | ID | Name | Status | Task State |
>> Power State | Networks |
>> >
>> +--------------------------------------+------+--------+------------+-------------+----------------------------+
>> > | ec214f0b-eede-421e-9036-a1b56bff3c37 | c1 | ACTIVE | None |
>> Running | net1=10.0.1.3, 172.17.6.71 |
>> >
>> +--------------------------------------+------+--------+------------+-------------+----------------------------+
>> >
>> >
>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20131118/ef2d8e25/attachment.html>
More information about the Openstack
mailing list