[Openstack] nova-network,VRRP and NAT

Xav Paice xavpaice at gmail.com
Thu Aug 7 09:53:34 UTC 2014

On 07/08/14 21:42, mad Engineer wrote:
> but concerned whether nova security policies allow VRRP to work as it
> requires multiple IP on same MAC?
> Is clearing the rule the only way to make it work, or is there a nova-network
> way to make it work.
> also I am worried about the NAT rule when IP failover happens
This might help - copied from a note I put on our ops wiki:

OpenStack has anti-spoofing iptables rules that sit very close to your
instance on the hypervisor.  This means you can't just add a new address
without telling OpenStack.  To tell OpenStack, you need to add an
allowed-address-pair to the port which your instance will use with the
new IP.

For example:  I have a VM with a fixed IP of  I want to add
the alias IP to that and one other VM, for load balancing.

First, make sure you aren't using an IP in the DHCP range for this
subnet.  Then update the Ports for each instance participating in VRRP.

nova interface-list <INSTANCE_UUID>
| Port State | Port ID                              | Net ID                               | IP addresses | MAC Addr          |
| ACTIVE     | 50eb611d-5e71-43cf-ba4d-1017bc6e488c | 623417c3-dffc-4b6d-96fa-a4ae0ec1df52 |              | fa:16:3e:5b:64:38 |

neutron port-update 50eb611d-5e71-43cf-ba4d-1017bc6e488c \
      --allowed-address-pairs type=dict list=true \

Once you have updated the ports attached to each VM, you will need some
security group rules.

neutron security-group-create vrrp_members
# VRRP advertisements are IP protocol 112 (51 is IPsec AH); the remote-group
# form restricts the rule to traffic between members of vrrp_members.
neutron security-group-rule-create --ethertype IPv4 \
      --direction egress --protocol 112 \
      --remote-group-id vrrp_members vrrp_members
neutron security-group-rule-create --ethertype IPv4 \
      --direction ingress --protocol 112 \
      --remote-group-id vrrp_members vrrp_members

Then apply this security group to your VRRP instances.
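As an added example (not code from Xav's note or from OpenStack), the following Python helper plans the same three steps before anything is changed: it checks that the virtual IP is inside the subnet but outside every DHCP allocation pool, builds the allowed-address-pairs update for each member port, and builds the security-group rules for VRRP (IP protocol 112) scoped to the member group. It never contacts Neutron; it only returns the API payloads and the equivalent neutron CLI commands. The second port UUID, the subnet, the pool and the VIP are constructed sample values.

```python
"""Plan the Neutron changes for a VRRP virtual IP (VIP) shared by two or more
instances.  Added example, not code from the mailing-list post or from
OpenStack.  It only produces the plan (validation, API payloads, equivalent
neutron CLI commands) and never contacts Neutron.  Addresses and the second
port id below are constructed samples."""
import ipaddress
from typing import Dict, List, Optional

# VRRP (RFC 5798) is IP protocol number 112; 51 would be IPsec AH.
VRRP_PROTOCOL = "112"


def vip_outside_dhcp_pools(vip: str, subnet_cidr: str,
                           allocation_pools: List[Dict[str, str]]) -> bool:
    """True if vip lies in the subnet but in none of its DHCP pools.

    A VIP inside a pool could later be handed out by DHCP to another port,
    so this has to pass before the port updates are applied."""
    ip = ipaddress.ip_address(vip)
    if ip not in ipaddress.ip_network(subnet_cidr, strict=False):
        raise ValueError(f"{vip} is not inside subnet {subnet_cidr}")
    for pool in allocation_pools:
        start = ipaddress.ip_address(pool["start"])
        end = ipaddress.ip_address(pool["end"])
        if start <= ip <= end:
            return False
    return True


def allowed_address_pairs_update(existing: List[Dict[str, str]], vip: str,
                                 mac: Optional[str] = None) -> Dict:
    """Body for PUT /v2.0/ports/{id}: the existing pairs plus the VIP, without
    duplicating a pair that is already present.  mac is only needed when the
    VRRP implementation answers for the VIP with a virtual MAC rather than
    the port's own MAC."""
    pair = {"ip_address": vip}
    if mac:
        pair["mac_address"] = mac
    pairs = [p for p in existing if p.get("ip_address") != vip]
    pairs.append(pair)
    return {"port": {"allowed_address_pairs": pairs}}


def vrrp_security_group_rules(group: str) -> List[Dict[str, str]]:
    """Egress and ingress rules for protocol 112, scoped to the group itself
    so only other members can exchange advertisements with an instance."""
    return [
        {"direction": d, "ethertype": "IPv4", "protocol": VRRP_PROTOCOL,
         "remote_group": group}
        for d in ("egress", "ingress")
    ]


def neutron_commands(port_ids: List[str], vip: str, group: str) -> List[str]:
    """The CLI equivalent of the plan, one command per list entry."""
    cmds = [f"neutron port-update {pid} "
            f"--allowed-address-pairs type=dict list=true ip_address={vip}"
            for pid in port_ids]
    cmds.append(f"neutron security-group-create {group}")
    for r in vrrp_security_group_rules(group):
        cmds.append(f"neutron security-group-rule-create "
                    f"--ethertype {r['ethertype']} --direction {r['direction']} "
                    f"--protocol {r['protocol']} "
                    f"--remote-group-id {r['remote_group']} {group}")
    return cmds


def plan(vip: str, subnet_cidr: str, allocation_pools: List[Dict[str, str]],
         ports: Dict[str, List[Dict[str, str]]],
         group: str = "vrrp_members") -> Dict:
    """ports maps each member port id to its current allowed_address_pairs."""
    if not vip_outside_dhcp_pools(vip, subnet_cidr, allocation_pools):
        raise ValueError(f"{vip} is inside a DHCP allocation pool; choose another")
    return {
        "port_updates": {pid: allowed_address_pairs_update(pairs, vip)
                         for pid, pairs in ports.items()},
        "security_group_rules": vrrp_security_group_rules(group),
        "commands": neutron_commands(list(ports), vip, group),
    }


if __name__ == "__main__":
    # Constructed sample: two members on 10.0.0.0/24, VIP .250 outside the pool.
    sample_ports = {
        "50eb611d-5e71-43cf-ba4d-1017bc6e488c": [],   # port id from the post
        "11111111-2222-3333-4444-555555555555": [],   # constructed second member
    }
    result = plan("10.0.0.250", "10.0.0.0/24",
                  [{"start": "10.0.0.10", "end": "10.0.0.200"}], sample_ports)
    for cmd in result["commands"]:
        print(cmd)
```

The pool check is the part most often skipped by hand: if the VIP sits inside an allocation pool, the plan raises before any port is touched, because Neutron could later lease that address to an unrelated port. The `mac` argument to `allowed_address_pairs_update` is an assumption about your VRRP setup; leave it out when the VIP is carried on the port's own MAC.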
