Neutron networks: Shared vs External

Flavio Fernandes <ffernand@...>

Hi folks,

When it comes to real world deployments of OpenStack, I see (at least) 2 ways by which tenants get to access
subnets that are outside their networks [1]. In odl-OVSDB, we currently disallow the ‘shared’ networks, because it
implies ‘mixing’ of how L2 broadcast would be implemented. Understandably, the tenant isolation depends very
heavily on knowing at all times how a packet gets flooded/multicasted. Shared networks have the potential for
muddying all that. If you look at the picture in [1], you can see that we could provision OpenStack in a way where
external access is provided w/out making a shared network.

In [2], you can see the variation in the config to have shared vs external provisioning. The version of it that uses
shared networks is here [3].

All in all, I’d like to explore selling the idea that use cases for reaching outside the Openstack realm should
take advantage of “external” approach. That would give us the ability to leverage all floating-ip goodies, while not
opening the existing restrictions on shared networks. Is that ok/doable?

Lastly, I can see that there has been some discussion around this topic at the Openstack realm [SvsE], but it is
not clear to me what direction it took, if any.

Comments, suggestions… please!?! ;)

— flavio

[2]:
  <— admin creates an external network for each tenant (2 in this case)
  <— tenant 1 using external network ext1
  <— tenant 2 using external network ext2

[3]: <— look for
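The "external network per tenant, no shared network" layout the post argues for, written out as an added example with the `openstack` CLI (this is not code from the message or from odl-OVSDB, and the linked gists are not reproduced here). Assumed, not taken from the post: a flat provider mapping named `physnet1`, project names `tenant1`/`tenant2`, and constructed address ranges. The contrasting `--share` variant is included only to show which flag produces the cross-tenant L2 domain the post wants to avoid, and `is_external_not_shared` is the check an operator can run against `openstack network show` output to confirm a network was provisioned the intended way.

```shell
#!/bin/sh
# Added example (not from the original post): provision one external network
# per tenant and attach tenant traffic to it via a router + floating IPs.
# Assumptions: provider mapping "physnet1", projects "tenant1"/"tenant2",
# constructed IP ranges. Commands are only printed unless DRY_RUN=0.
set -eu

DRY_RUN="${DRY_RUN:-1}"
run() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "$*"      # print the command instead of executing it
  else
    "$@"
  fi
}

# Admin step: a per-tenant external network. router:external=True, shared=False,
# so only that project's routers can use it as a gateway; no other tenant's
# ports ever land on this L2 segment.
create_external_network() {
  project="$1"; ext="$2"; range="$3"; gw="$4"; pool_start="$5"; pool_end="$6"
  run openstack network create --project "$project" --external \
      --provider-network-type flat --provider-physical-network physnet1 "$ext"
  run openstack subnet create --project "$project" --network "$ext" \
      --subnet-range "$range" --gateway "$gw" --no-dhcp \
      --allocation-pool "start=${pool_start},end=${pool_end}" "${ext}-subnet"
}

# Tenant step: private network, router with its gateway on the external
# network, and a floating IP. East-west stays on the tenant's own L2 domain;
# north-south is routed, so broadcast/flood behaviour never crosses tenants.
create_tenant_network() {
  project="$1"; ext="$2"; priv_range="$3"
  run openstack network create --project "$project" "${project}-net"
  run openstack subnet create --project "$project" --network "${project}-net" \
      --subnet-range "$priv_range" "${project}-subnet"
  run openstack router create --project "$project" "${project}-router"
  run openstack router set --external-gateway "$ext" "${project}-router"
  run openstack router add subnet "${project}-router" "${project}-subnet"
  run openstack floating ip create --project "$project" "$ext"
}

# The whole "external" flow for one tenant.
provision_external_tenant() {
  create_external_network "$1" "$2" "$3" "$4" "$5" "$6"
  create_tenant_network "$1" "$2" "$7"
}

# Contrast: the shared-network variant. --share puts every project that
# attaches a port onto the same L2 domain, which is what odl-OVSDB disallows.
create_shared_network() {
  project="$1"; net="$2"; range="$3"
  run openstack network create --project "$project" --share "$net"
  run openstack subnet create --project "$project" --network "$net" \
      --subnet-range "$range" "${net}-subnet"
}

# Pure check on the two attributes that matter: shared must be False and
# router:external must be True. Returns 0 when the network is external-only.
is_external_not_shared() {
  shared="$1"; router_external="$2"
  [ "$shared" = "False" ] && [ "$router_external" = "True" ]
}

# Query a live deployment and apply the check (needs a working openstack CLI).
verify_network() {
  net="$1"
  is_external_not_shared \
    "$(openstack network show -f value -c shared "$net")" \
    "$(openstack network show -f value -c router:external "$net")"
}

# Usage (as admin), dry run by default:
#   provision_external_tenant tenant1 ext1 203.0.113.0/24 203.0.113.1 \
#       203.0.113.10 203.0.113.50 10.0.1.0/24
#   provision_external_tenant tenant2 ext2 198.51.100.0/24 198.51.100.1 \
#       198.51.100.10 198.51.100.50 10.0.2.0/24
#   DRY_RUN=0 ... to apply; verify_network ext1 afterwards.
```

Running the two `provision_external_tenant` lines from the usage comment gives each tenant its own `ext1`/`ext2` gateway network and floating-IP pool with no `--share` anywhere, which is exactly the property the post wants to keep while still getting the floating-IP behaviour of an external network.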
