Neutron networks: Shared vs External
Flavio Fernandes <ffernand@...>
Hi folks,
When it comes to real-world deployments of OpenStack, I see (at least) 2 ways by which tenants get to access subnets that are outside their networks [1]. In odl-OVSDB, we currently disallow the ‘shared’ networks, because it implies ‘mixing’ of how L2 broadcast would be implemented. Understandably, the tenant isolation depends very heavily on knowing at all times how a packet gets flooded/multicasted. Shared networks have the potential for muddying all that.

If you look at the picture in [1], you can see that we could provision OpenStack in a way where external access is provided w/out making a shared network. In [2], you can see the variation in the config to have shared vs external provisioning. The version of it that uses shared networks is here [3].

All in all, I’d like to explore selling the idea that use cases for reaching outside the OpenStack realm should take advantage of the “external” approach. That would give us the ability to leverage all floating-ip goodies, while not opening the existing restrictions on shared networks. Is that ok/doable?

Lastly, I can see that there has been some discussion around this topic at the OpenStack realm [SvsE], but it is not clear to me what direction it took, if any.

Comments, suggestions… please!?! ;)

— flavio

[2]:
https://gist.github.com/e887e0d1ee8f28963335 <— admin creates an external network for each tenant (2 in this case)
https://gist.github.com/d5816b20692c38a5a62c <— tenant 1 using external network ext1
https://gist.github.com/3200271a905d441aedce <— tenant 2 using external network ext2

[3]: http://www.flaviof.com/blog/work/how-to-openstack-from-vagrant.html <— look for openstack_part1.sh