[Openstack] Anyone using L3 HA in production?

Kevin Benton blak111 at gmail.com
Fri Oct 16 19:15:10 UTC 2015


If SNAT is being done on the tenant routers, then all of the traffic looks
like it's coming from the external network. You shouldn't need any routes
that point to tenant routers.

On Fri, Oct 16, 2015 at 11:30 AM, Abhishek Chanda <abhishek.lists at gmail.com>
wrote:

> SNAT is still done on the virtual tenant routers. We need the upstream
> routers to route traffic out of the OpenStack cloud (and back). Isn't
> that a typical deployment?
>
> Thanks
>
> On Thu, Oct 15, 2015 at 5:05 PM, Kevin Benton <blak111 at gmail.com> wrote:
> > I think the mismatch of expectations between the normal use-case and yours
> > is that you have SNAT disabled on the tenant routers so you need upstream
> > routes to point back to the tenant routers. Is that correct?
> >
> > On Thu, Oct 15, 2015 at 3:16 PM, Abhishek Chanda <abhishek.lists at gmail.com>
> > wrote:
> >>
> >> Hi all,
> >>
> >> We are trying to deploy L3 HA using Kilo. Our model is to have a
> >> single public network for floating IPs and that each tenant will have
> >> its own neutron router connected to internal networks. We have a
> >> mechanism to use the neutron API to find out which node has the active
> >> router. That route is then announced to upstream routers. The br-ex
> >> interfaces on the nodes which do not have the active routers are
> >> downed. This works fine for a single tenant, with one router. Now, for
> >> a cloud with multiple tenants, each having their own tenant routers,
> >> we have seen that often active routers end up on different nodes. That
> >> messes up the return path of a packet from outside the cloud. My
> >> questions are:
> >>
> >> 1. Is the deployment model with one public network and multiple tenant
> >> routers compatible with L3 HA or does it expect any other model?
> >> 2. How are people solving the problem of different nodes hosting the
> >> active router? How do we route back to it?
> >>
> >> If neutron used a single keepalived instance for all the routers, this
> >> wouldn't be an issue. Are we missing something?
> >>
> >> Thanks
> >
> > --
> > Kevin Benton
>



-- 
Kevin Benton