Merge "[network] Clean up address scopes section"
This commit is contained in:
commit
d58a0705e1
@ -2,93 +2,79 @@
|
||||
Address scopes
|
||||
==============
|
||||
|
||||
Address scopes have been made available since the Mitaka release. They build
|
||||
from subnet pools added in Kilo. While subnet pools provide a mechanism for
|
||||
controlling the allocation of addresses to subnets, address scopes provide a
|
||||
way to know where addresses are viable. Like subnet pools, they also prevent
|
||||
using overlapping addresses in any two subnets.
|
||||
This page serves as an introduction to the address scopes feature of the
|
||||
Networking service.
|
||||
|
||||
Why you need them
|
||||
~~~~~~~~~~~~~~~~~
|
||||
The basics
|
||||
~~~~~~~~~~
|
||||
|
||||
With address scopes, OpenStack Networking knows where addresses can be routed
|
||||
essentially because all of the allocated addresses within the scope are
|
||||
non-overlapping and they are under the control of the address scope owner.
|
||||
Address scopes build from subnet pools. While subnet pools provide a mechanism
|
||||
for controlling the allocation of addresses to subnets, address scopes show
|
||||
where addresses can be routed between networks, preventing the use of
|
||||
overlapping addresses in any two subnets. Because all addresses allocated in
|
||||
the address scope do not overlap, neutron routers do not NAT between your
|
||||
tenants' network and your external network. As long as the addresses within
|
||||
an address scope match, the Networking service performs simple routing
|
||||
between networks.
|
||||
|
||||
You can set up the address scopes for tenants to pull addresses from. Then,
|
||||
since neutron routers understand address scopes, they will not NAT between
|
||||
these networks and your external network as long as the scopes match. They will
|
||||
just do simple routing.
|
||||
Accessing address scopes
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
How it works
|
||||
~~~~~~~~~~~~
|
||||
Anyone with access to the Networking service can create their own address
|
||||
scopes. However, network administrators can create shared address scopes,
|
||||
allowing other projects to create networks within that address scope.
|
||||
|
||||
Anyone can create an address scope. Admins can create shared address
|
||||
scopes seen by all tenants.
|
||||
Access to addresses in a scope are managed through subnet pools.
|
||||
Subnet pools can either be created in an address scope, or updated to belong
|
||||
to an address scope.
|
||||
|
||||
Access to addresses in a scope is managed through subnet pools. You can
|
||||
create a subnet pool in an address scope or you can update existing
|
||||
subnet pools to belong to a scope.
|
||||
With subnet pools, all addresses in use within the address
|
||||
scope are unique from the point of view of the address scope owner. Therefore,
|
||||
add more than one subnet pool to an address scope if the
|
||||
pools have different owners, allowing for delegation of parts of the
|
||||
address scope. Delegation prevents address overlap across the
|
||||
whole scope. Otherwise, you receive an error if two pools have the same
|
||||
address ranges.
|
||||
|
||||
It may be useful to add more than one subnet pool to an address scope if
|
||||
the pools have different owners. This allows delegation of parts of the
|
||||
address scope. Address overlap is prevented across the whole scope so
|
||||
you will get an error if two pools have some of the same address ranges
|
||||
in them.
|
||||
Each router interface is associated with an address scope by looking at
|
||||
subnets connected to the network. When a router connects
|
||||
to an external network with matching address scopes, network traffic routes
|
||||
between without Network address translation (NAT).
|
||||
The router marks all traffic connections originating from each interface
|
||||
with its corresponding address scope. If traffic leaves an interface in the
|
||||
wrong scope, the router blocks the traffic.
|
||||
|
||||
A Neutron router connects at least a couple of networks. Each router
|
||||
interface is associated with an address scope by looking at the subnets
|
||||
on the network its connected to. The router internally marks all
|
||||
traffic connections originating from each interface with the
|
||||
corresponding address scope to track it. If traffic tries to leave an
|
||||
interface in the wrong scope, it is blocked.
|
||||
Backwards compatibility
|
||||
~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
When a router connects to two networks with the same address scope, it
|
||||
knows that these networks can be routed without any kind of address
|
||||
translation. Also, since subnet pools are part of the foundation of
|
||||
address scopes, Neutron knows that all of the addresses in use within an
|
||||
address scope are unique and legitimate from the address scope owner's
|
||||
point of view.
|
||||
|
||||
No scope
|
||||
~~~~~~~~
|
||||
|
||||
OpenStack Networking preserves backwards compatibility with pre-Mitaka
|
||||
Networking. You will not notice any difference until you decide to begin using
|
||||
hem so you will not be forced to change your behavior.
|
||||
|
||||
When subnets are not explicitly part of an explicit address scope. They can be
|
||||
considered part of a catch all implicit scope which is different in a few ways
|
||||
to preserve backwards compatibility.
|
||||
Networks created before the Mitaka release do not
|
||||
contain explicitly named address scopes, unless the network contains
|
||||
subnets from a subnet pool that belongs to a created or updated
|
||||
address scope. The Networking service preserves backwards compatibility with
|
||||
pre-Mitaka networks through special address scope properties so that
|
||||
these networks can perform advanced routing:
|
||||
|
||||
#. Unlimited address overlap is allowed.
|
||||
#. Neutron routers, by default, will NAT traffic from internal networks
|
||||
to external networks even if they are all in this scope (unless snat
|
||||
is disabled for the router.)
|
||||
#. This scope is not visible through the API. It will not show up when you
|
||||
list address scopes and you cannot show details. It exists only
|
||||
implicitly to catch all addresses which are not explicitly scoped.
|
||||
to external networks.
|
||||
#. Pre-Mitaka address scopes are not visible through the API. You cannot
|
||||
list address scopes or show details. Scopes exist
|
||||
implicitly as a catch-all for addresses that are not explicitly scoped.
|
||||
|
||||
Demo
|
||||
----
|
||||
Create shared address scopes as an administrative user
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Give it a try. Starting with devstack is recommended.
|
||||
This section shows how to set up shared address scopes to
|
||||
allow simple routing for project networks with the same subnet pools.
|
||||
|
||||
.. note:: Some irrelevant fields have been trimmed from the output of
|
||||
these commands just for brevity and to avoid distracting with too
|
||||
many details.
|
||||
.. note:: Irrelevant fields have been trimmed from the output of
|
||||
these commands for brevity.
|
||||
|
||||
Admin commands
|
||||
______________
|
||||
#. Create IPv6 and IPv4 address scopes:
|
||||
|
||||
First, as admin, create a couple of shared address scopes, subnet pools to
|
||||
manage the addresses inside them, and an external network with subnets from
|
||||
these pools so that tenant networks from the same pools will be routed straight
|
||||
through. The following examples show how to accomplish this.
|
||||
.. code-block:: console
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
admin> neutron address-scope-create --shared address-scope-ip6 6
|
||||
$ neutron address-scope-create --shared address-scope-ip6 6
|
||||
Created a new address_scope:
|
||||
+------------+--------------------------------------+
|
||||
| Field | Value |
|
||||
@ -99,9 +85,9 @@ through. The following examples show how to accomplish this.
|
||||
| shared | True |
|
||||
+------------+--------------------------------------+
|
||||
|
||||
.. code-block:: console
|
||||
.. code-block:: console
|
||||
|
||||
admin> neutron address-scope-create --shared address-scope-ip4 4
|
||||
$ neutron address-scope-create --shared address-scope-ip4 4
|
||||
Created a new address_scope:
|
||||
+------------+--------------------------------------+
|
||||
| Field | Value |
|
||||
@ -112,14 +98,14 @@ through. The following examples show how to accomplish this.
|
||||
| shared | True |
|
||||
+------------+--------------------------------------+
|
||||
|
||||
Next, create subnet pools specifying the name (or UUID) of the address
|
||||
scope that the subnet pool should belong to. If you have existing
|
||||
subnet pools, you can use the subnet-pool-update command to put them in
|
||||
to a new address scope.
|
||||
#. Create subnet pools specifying the name (or UUID) of the address
|
||||
scope that the subnet pool belongs to. If you have existing
|
||||
subnet pools, use the ``subnet-pool-update`` command to put them in
|
||||
a new address scope:
|
||||
|
||||
.. code-block:: console
|
||||
.. code-block:: console
|
||||
|
||||
admin> neutron subnetpool-create --address-scope address-scope-ip6 \
|
||||
$ neutron subnetpool-create --address-scope address-scope-ip6 \
|
||||
--shared --pool-prefix 2001:db8:a583::/48 --default-prefixlen 64 \
|
||||
subnet-pool-ip6
|
||||
Created a new subnetpool:
|
||||
@ -135,9 +121,9 @@ to a new address scope.
|
||||
| shared | True |
|
||||
+-------------------+--------------------------------------+
|
||||
|
||||
.. code-block:: console
|
||||
.. code-block:: console
|
||||
|
||||
admin> neutron subnetpool-create --address-scope address-scope-ip4 \
|
||||
$ neutron subnetpool-create --address-scope address-scope-ip4 \
|
||||
--shared --pool-prefix 203.0.113.0/21 --default-prefixlen 26 \
|
||||
subnet-pool-ip4
|
||||
Created a new subnetpool:
|
||||
@ -153,9 +139,9 @@ to a new address scope.
|
||||
| shared | True |
|
||||
+-------------------+--------------------------------------+
|
||||
|
||||
Now that these are created, create subnets on an external network.
|
||||
#. Make sure that the subnets use an external network:
|
||||
|
||||
.. code-block:: console
|
||||
.. code-block:: console
|
||||
|
||||
$ neutron subnet-show ipv6-public-subnet
|
||||
+-------------------+--------------------------------------+
|
||||
@ -171,13 +157,7 @@ Now that these are created, create subnets on an external network.
|
||||
| subnetpool_id | 14813344-d11a-4896-906c-e4c378291058 |
|
||||
+-------------------+--------------------------------------+
|
||||
|
||||
.. note:: In the interest of full disclosure, I didn't explain here how to go
|
||||
about creating an external subnets with this subnet pool. How should we
|
||||
handle this in the final docs? It is pretty much covered in the subnet
|
||||
pools doc but it isn't all shown here which could make this little tutorial
|
||||
a tiny bit frustrating.
|
||||
|
||||
.. code-block:: console
|
||||
.. code-block:: console
|
||||
|
||||
$ neutron subnet-show public-subnet
|
||||
+-------------------+--------------------------------------+
|
||||
@ -193,19 +173,15 @@ Now that these are created, create subnets on an external network.
|
||||
| subnetpool_id | e2c4f12d-307f-4616-a4df-203a45e6cb7f |
|
||||
+-------------------+--------------------------------------+
|
||||
|
||||
This completes the portion of the demo that requires admin privileges. The
|
||||
address scope has been created with subnet pools to manage addresses. Finally,
|
||||
the external network has been created with subnets from the address scope.
|
||||
Routing with address scopes for non-privileged users
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Non-admin tenant commands
|
||||
_________________________
|
||||
This section shows how non-privileged users can use address scopes to
|
||||
route straight to an external network without NAT.
|
||||
|
||||
As a tenant, create networks that will be routed straight to the external
|
||||
network without NAT. Also, create a network the old way to demonstrate how
|
||||
routing between address scopes is not allowed between tenant networks. Start
|
||||
by creating a couple of networks to host the subnets.
|
||||
#. Create a couple of networks to host subnets:
|
||||
|
||||
.. code-block:: console
|
||||
.. code-block:: console
|
||||
|
||||
$ neutron net-create network1
|
||||
Created a new network:
|
||||
@ -217,7 +193,7 @@ by creating a couple of networks to host the subnets.
|
||||
| subnets | |
|
||||
+-------------------------+--------------------------------------+
|
||||
|
||||
.. code-block:: console
|
||||
.. code-block:: console
|
||||
|
||||
$ neutron net-create network2
|
||||
Created a new network:
|
||||
@ -229,10 +205,10 @@ by creating a couple of networks to host the subnets.
|
||||
| subnets | |
|
||||
+-------------------------+--------------------------------------+
|
||||
|
||||
First, create a subnet the old way, it will not be associated with a
|
||||
subnetpool nor an address scope.
|
||||
#. Create a subnet not associated with a subnet pool or
|
||||
an address scope:
|
||||
|
||||
.. code-block:: console
|
||||
.. code-block:: console
|
||||
|
||||
$ neutron subnet-create --name subnet-ip4-1 network1 198.51.100.0/26
|
||||
Created a new subnet:
|
||||
@ -246,7 +222,7 @@ subnetpool nor an address scope.
|
||||
| subnetpool_id | |
|
||||
+-------------------+--------------------------------------+
|
||||
|
||||
.. code-block:: console
|
||||
.. code-block:: console
|
||||
|
||||
$ neutron subnet-create --name subnet-ip6-1 network1 \
|
||||
--ipv6-ra-mode slaac --ipv6-address-mode slaac \
|
||||
@ -262,10 +238,10 @@ subnetpool nor an address scope.
|
||||
| subnetpool_id | |
|
||||
+-------------------+--------------------------------------+
|
||||
|
||||
Next, create a subnet using an subnet pool. These subnets come from the
|
||||
address scope as the external network.
|
||||
#. Create a subnet using a subnet pool associated with a address scope
|
||||
from an external network:
|
||||
|
||||
.. code-block:: console
|
||||
.. code-block:: console
|
||||
|
||||
$ neutron subnet-create --name subnet-ip4-2 \
|
||||
--subnetpool subnet-pool-ip4 network2
|
||||
@ -280,7 +256,7 @@ address scope as the external network.
|
||||
| subnetpool_id | e2c4f12d-307f-4616-a4df-203a45e6cb7f |
|
||||
+-------------------+--------------------------------------+
|
||||
|
||||
.. code-block:: console
|
||||
.. code-block:: console
|
||||
|
||||
$ neutron subnet-create --name subnet-ip6-2 --ip_version 6 \
|
||||
--ipv6-ra-mode slaac --ipv6-address-mode slaac \
|
||||
@ -296,10 +272,10 @@ address scope as the external network.
|
||||
| subnetpool_id | 14813344-d11a-4896-906c-e4c378291058 |
|
||||
+-------------------+--------------------------------------+
|
||||
|
||||
Note that by creating subnets from scoped subnet pools, the network is
|
||||
now associated with the address scope.
|
||||
By creating subnets from scoped subnet pools, the network is
|
||||
associated with the address scope.
|
||||
|
||||
.. code-block:: console
|
||||
.. code-block:: console
|
||||
|
||||
$ neutron net-show network2
|
||||
+-------------------------+--------------------------------------+
|
||||
@ -313,10 +289,10 @@ now associated with the address scope.
|
||||
| | 917f9360-a840-45c1-83a1-2a093bd7b376 |
|
||||
+-------------------------+--------------------------------------+
|
||||
|
||||
Connect a router to each of the tenant subnets that have been created. This
|
||||
example uses a pre-existing router called router1.
|
||||
#. Connect a router to each of the tenant subnets that have been created, for
|
||||
example, using a router called ``router1``:
|
||||
|
||||
.. code-block:: console
|
||||
.. code-block:: console
|
||||
|
||||
$ neutron router-interface-add router1 subnet-ip4-1
|
||||
Added interface 73d832e1-e4a7-4029-9a66-f4e0f4ba0e76 to router router1.
|
||||
@ -328,13 +304,18 @@ example uses a pre-existing router called router1.
|
||||
Added interface f5904a4b-9547-4c08-bc7e-bc5fc71a8db9 to router router1.
|
||||
|
||||
Checking connectivity
|
||||
_____________________
|
||||
---------------------
|
||||
|
||||
Boot two vms, instance1 on network1 and instance2 on network2 and give
|
||||
them floating ip addresses. Adjust security groups to allow pings and
|
||||
ssh (both IPv4 and IPv6).
|
||||
This example shows how to check the connectivity between networks
|
||||
with address scopes.
|
||||
|
||||
.. code-block:: console
|
||||
#. Launch two instances, ``instance1`` on ``network1`` and
|
||||
``instance2`` on ``network2``. Associate a floating IP address to both
|
||||
instances.
|
||||
|
||||
#. Adjust security groups to allow pings and SSH (both IPv4 and IPv6):
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ nova list
|
||||
+--------------+-----------+---------------------------------------------------------------------------+
|
||||
@ -344,8 +325,8 @@ ssh (both IPv4 and IPv6).
|
||||
| ceba9638-... | instance2 | network2=203.0.112.3, 2001:db8:a583:0:f816:3eff:fe42:1eeb, 172.24.4.4 |
|
||||
+--------------+-----------+---------------------------------------------------------------------------+
|
||||
|
||||
Regardless of address scopes, the floating IPs are pingable from the
|
||||
external network.
|
||||
Regardless of address scopes, the floating IPs can be pinged from the
|
||||
external network:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
@ -354,15 +335,11 @@ external network.
|
||||
$ ping -c 1 172.24.4.4
|
||||
1 packets transmitted, 1 received, 0% packet loss, time 0ms
|
||||
|
||||
With just a little bit of routing help, the internal network2 is
|
||||
pingable directly because it is in the the same address scope as the
|
||||
external network.
|
||||
You can now ping ``instance2`` directly because ``instance2`` shares the
|
||||
same address scope as the external network:
|
||||
|
||||
.. note:: When I wrote this, I didn't have
|
||||
the BGP routing work available in Neutron. So, I added a static route
|
||||
manually. However, now BGP is available which could fill the gap but at the
|
||||
cost of going through all of that setup. How should we handle this in the
|
||||
docs?
|
||||
.. note:: BGP routing can be used to automatically set up a static
|
||||
route for your instances.
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
@ -376,8 +353,8 @@ external network.
|
||||
$ ping6 -c 1 2001:db8:a583:0:f816:3eff:fe42:1eeb
|
||||
1 packets transmitted, 1 received, 0% packet loss, time 0ms
|
||||
|
||||
The other network is not pingable directly because the scopes do not
|
||||
match.
|
||||
You cannot ping ``instance1`` directly because the address scopes do not
|
||||
match:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
@ -391,7 +368,7 @@ match.
|
||||
$ ping6 -c 1 2001:db8:80d2:c4d3:f816:3eff:fe52:b69f
|
||||
1 packets transmitted, 0 received, 100% packet loss, time 0ms
|
||||
|
||||
In general, if address scopes are used and the scope matches between
|
||||
networks then pings (and other traffic) route directly through. If the
|
||||
scopes do not match between networks then the router either drops the
|
||||
traffic or it applies NAT to cross scope boundaries.
|
||||
If the address scopes match between
|
||||
networks then pings and other traffic route directly through. If the
|
||||
scopes do not match between networks, the router either drops the
|
||||
traffic or applies NAT to cross scope boundaries.
|
||||
|
Loading…
Reference in New Issue
Block a user