Use Networking

You can start and stop OpenStack Networking services using the service command. For example:

    # sudo service neutron-server stop
    # sudo service neutron-server status
    # sudo service neutron-server start
    # sudo service neutron-server restart

Log files are in the /var/log/neutron directory.

Configuration files are in the /etc/neutron directory.

You can use Networking in the following ways:

- Expose the Networking API to cloud tenants, which enables them to build rich network topologies.
- Have the cloud administrator, or an automated administrative tool, create network connectivity on behalf of tenants.

Both tenants and cloud administrators can perform the following procedures.

Core Networking API features

After you install and run Networking, tenants and administrators can perform create-read-update-delete (CRUD) API networking operations by using the Networking API directly or the neutron command-line interface (CLI). The neutron CLI is a wrapper around the Networking API. Every Networking API call has a corresponding neutron command.

The CLI includes a number of options. For details, refer to the OpenStack End User Guide.

API abstractions

The Networking v2.0 API provides control over both L2 network topologies and the IP addresses used on those networks (IP Address Management or IPAM). There is also an extension to cover basic L3 forwarding and NAT, which provides capabilities similar to nova-network.

API abstractions
Abstraction Description
Network An isolated L2 network segment (similar to a VLAN) that forms the basis for describing the L2 network topology available in a Networking deployment.
Subnet Associates a block of IP addresses and other network configuration, such as default gateways or DNS servers, with a Networking network. Each subnet represents an IPv4 or IPv6 address block and, if needed, each Networking network can have multiple subnets.
Port Represents an attachment port to an L2 Networking network. When a port is created on the network, by default it is allocated an available fixed IP address out of one of the designated subnets for each IP version (if one exists). When the port is destroyed, its allocated addresses return to the pool of available IPs on the subnet. Users of the Networking API can either choose a specific IP address from the block, or let Networking choose the first available IP address.
This table summarizes the attributes available for each networking abstraction. For information about API abstraction and operations, see the Networking API v2.0 Reference.
Network attributes
Attribute Type Default value Description
bool True Administrative state of the network. If specified as False (down), this network does not forward packets.
uuid-str Generated UUID for this network.
string None Human-readable name for this network; is not required to be unique.
bool False Specifies whether this network resource can be accessed by any tenant. The default policy setting restricts usage of this attribute to administrative users only.
string N/A Indicates whether this network is currently operational.
list(uuid-str) Empty list List of subnets associated with this network.
uuid-str N/A Tenant owner of the network. Only administrative users can set the tenant identifier; this cannot be changed using authorization policies.
Subnet attributes
Attribute Type Default Value Description
list(dict) Every address in , excluding (if configured). List of cidr sub-ranges that are available for dynamic allocation to ports. Syntax: [ { "start":"10.0.0.2", "end": "10.0.0.254"} ]
string N/A IP range for this subnet, based on the IP version.
list(string) Empty list List of DNS name servers used by hosts in this subnet.
bool True Specifies whether DHCP is enabled for this subnet.
string First address in Default gateway used by devices in this subnet.
list(dict) Empty list Routes that should be used by devices with IPs from this subnet (not including local subnet route).
uuid-string Generated UUID representing this subnet.
int 4 IP version.
string None Human-readable name for this subnet (might not be unique).
uuid-string N/A Network with which this subnet is associated.
uuid-string N/A Owner of network. Only administrative users can set the tenant identifier; this cannot be changed using authorization policies.
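
The default allocation pool described in the table above, worked through as an added example (not code from the OpenStack project). It assumes IPv4 and assumes the network and broadcast addresses are also left out of the pool, which the table does not state; the function names are hypothetical.

```python
import ipaddress

def default_gateway(cidr):
    """Default gateway per the table: the first address in the subnet."""
    return str(ipaddress.ip_network(cidr).network_address + 1)

def default_allocation_pools(cidr, gateway_ip=None):
    """Return the pools used for dynamic allocation to ports.

    Every usable address in the CIDR is included except the gateway,
    if one is configured. Assumption (not from the page): the network
    and broadcast addresses are never handed out.
    """
    net = ipaddress.ip_network(cidr)
    first = net.network_address + 1
    last = net.broadcast_address - 1
    if first > last:              # /31 or /32: nothing left to allocate
        return []
    gw = ipaddress.ip_address(gateway_ip) if gateway_ip else None
    if gw is None or gw < first or gw > last:
        return [{"start": str(first), "end": str(last)}]
    pools = []
    if gw > first:                # addresses below the gateway
        pools.append({"start": str(first), "end": str(gw - 1)})
    if gw < last:                 # addresses above the gateway
        pools.append({"start": str(gw + 1), "end": str(last)})
    return pools

if __name__ == "__main__":
    cidr = "10.0.0.0/24"
    # Default gateway (first address), the case shown in the Syntax column.
    print(default_allocation_pools(cidr, default_gateway(cidr)))
    # Gateway moved to the top of the range, as with --gateway 10.0.0.254.
    print(default_allocation_pools(cidr, "10.0.0.254"))
    # No gateway at all, as with --no-gateway.
    print(default_allocation_pools(cidr))
    # A gateway in the middle of the range splits the pool in two.
    print(default_allocation_pools(cidr, "10.0.0.100"))
```
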
Port attributes
Attribute Type Default Value Description
bool true Administrative state of this port. If specified as False (down), this port does not forward packets.
string None Identifies the device using this port (for example, a virtual server's ID).
string None Identifies the entity using this port (for example, a dhcp agent).
list(dict) Automatically allocated from pool Specifies IP addresses for this port; associates the port with the subnets containing the listed IP addresses.
uuid-string Generated UUID for this port.
string Generated MAC address to use on this port.
string None Human-readable name for this port (might not be unique).
uuid-string N/A Network with which this port is associated.
string N/A Indicates whether the network is currently operational.
uuid-string N/A Owner of the network. Only administrative users can set the tenant identifier; this cannot be changed using authorization policies.
Basic Networking operations

To learn about advanced capabilities that are available through the neutron command-line interface (CLI), read the networking section in the OpenStack End User Guide.

This table shows example neutron commands that enable you to complete basic Networking operations:

Basic Networking operations
Operation Command
Creates a network. $ neutron net-create net1
Creates a subnet that is associated with net1. $ neutron subnet-create net1 10.0.0.0/24
Lists ports for a specified tenant. $ neutron port-list
Lists ports for a specified tenant and displays the id, fixed_ips, and device_owner columns. $ neutron port-list -c id -c fixed_ips -c device_owner
Shows information for a specified port. $ neutron port-show port-id
The field describes who owns the port. A port whose begins with: network is created by Networking. compute is created by Compute.

Administrative operations

The cloud administrator can run any neutron command on behalf of tenants by specifying an Identity in the command, as follows:

    # neutron net-create --tenant-id=tenant-id network-name

For example:

    # neutron net-create --tenant-id=5e4bbe24b67a4410bc4d9fae29ec394e net1

To view all tenant IDs in Identity, run the following command as an Identity Service admin user:

    # keystone tenant-list

Advanced Networking operations

This table shows example neutron commands that enable you to complete advanced Networking operations:

Advanced Networking operations
Operation Command
Creates a network that all tenants can use. # neutron net-create --shared public-net
Creates a subnet with a specified gateway IP address. # neutron subnet-create --gateway 10.0.0.254 net1 10.0.0.0/24
Creates a subnet that has no gateway IP address. # neutron subnet-create --no-gateway net1 10.0.0.0/24
Creates a subnet with DHCP disabled. # neutron subnet-create net1 10.0.0.0/24 --enable_dhcp False
Creates a subnet with a specified set of host routes. # neutron subnet-create test-net1 40.0.0.0/24 --host_routes type=dict list=true destination=40.0.1.0/24,nexthop=40.0.0.2
Creates a subnet with a specified set of dns name servers. # neutron subnet-create test-net1 40.0.0.0/24 --dns_nameservers list=true 8.8.8.7 8.8.8.8
Displays all ports and IPs allocated on a network. # neutron port-list --network_id net-id
Use Compute with Networking

Basic Compute and Networking operations

This table shows example neutron and nova commands that enable you to complete basic Compute and Networking operations:

Basic Compute and Networking operations
Action Command
Checks available networks. # neutron net-list
Boots a VM with a single NIC on a selected Networking network. # nova boot --image img --flavor flavor --nic net-id=net-id vm-name
Searches for ports with a that matches the Compute instance UUID. See . # neutron port-list --device_id=vm-id
Searches for ports, but shows only the for the port. # neutron port-list --field mac_address --device_id=vm-id
Temporarily disables a port from sending traffic. # neutron port-update port-id --admin_state_up=False
The can also be a logical router ID.

Create and delete VMs

When you boot a Compute VM, a port on the network that corresponds to the VM NIC is automatically created and associated with the default security group. You can configure security group rules to enable users to access the VM.

When you delete a Compute VM, the underlying Networking port is automatically deleted.

Advanced VM creation operations

This table shows example nova and neutron commands that enable you to complete advanced VM creation operations:

Advanced VM creation operations
Operation Command
Boots a VM with multiple NICs. # nova boot --image img --flavor flavor --nic net-id=net1-id --nic net-id=net2-id vm-name
Boots a VM with a specific IP address. First, create a Networking port with a specific IP address. Then, boot a VM specifying a rather than a . # neutron port-create --fixed-ip subnet_id=subnet-id,ip_address=IP net-id # nova boot --image img --flavor flavor --nic port-id=port-id vm-name
Boots a VM that connects to all networks that are accessible to the tenant who submits the request (without the --nic option). # nova boot --image img --flavor flavor vm-name
Networking does not currently support the v4-fixed-ip parameter of the --nic option for the nova command.

Enable ping and SSH on VMs (security groups)

You must configure security group rules depending on the type of plug-in you are using. If you are using a plug-in that:

- Implements Networking security groups, you can configure security group rules directly by using neutron security-group-rule-create. This example enables ping and ssh access to your VMs.

    # neutron security-group-rule-create --protocol icmp \
        --direction ingress default
    # neutron security-group-rule-create --protocol tcp --port-range-min 22 \
        --port-range-max 22 --direction ingress default

- Does not implement Networking security groups, you can configure security group rules by using the nova secgroup-add-rule or euca-authorize command. These nova commands enable ping and ssh access to your VMs.

    # nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
    # nova secgroup-add-rule default tcp 22 22 0.0.0.0/0

If your plug-in implements Networking security groups, you can also leverage Compute security groups by setting security_group_api = neutron in the nova.conf file. After you set this option, all Compute security group commands are proxied to Networking.
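
The rules created above accept ping and ssh from any source address. The following added example (not part of the original guide or of OpenStack) audits a list of security group rules for ingress rules with no source restriction. The rule records are constructed sample data that use the Networking API field names; make_rule, is_world_open, covers_port and audit are hypothetical helper names.

```python
import ipaddress

def make_rule(rule_id, direction, protocol=None, port_min=None, port_max=None,
              remote_ip_prefix=None, remote_group_id=None):
    """Build a dict with the Networking security-group-rule field names."""
    return {"id": rule_id, "direction": direction, "protocol": protocol,
            "port_range_min": port_min, "port_range_max": port_max,
            "remote_ip_prefix": remote_ip_prefix,
            "remote_group_id": remote_group_id}

# Constructed sample data: the first three rows mirror the commands above,
# the remaining rows are restricted or egress rules for contrast.
SAMPLE_RULES = [
    make_rule("rule-icmp", "ingress", "icmp"),
    make_rule("rule-ssh", "ingress", "tcp", 22, 22),
    make_rule("rule-ssh-nova", "ingress", "tcp", 22, 22, "0.0.0.0/0"),
    make_rule("rule-ssh-mgmt", "ingress", "tcp", 22, 22, "192.0.2.0/24"),
    make_rule("rule-peers", "ingress", "tcp", 1, 65535,
              remote_group_id="sg-default"),
    make_rule("rule-egress", "egress", remote_ip_prefix="0.0.0.0/0"),
]

def is_world_open(rule):
    """True when an ingress rule accepts traffic from any source address."""
    if rule["direction"] != "ingress" or rule["remote_group_id"]:
        return False
    prefix = rule["remote_ip_prefix"]
    if prefix is None:            # no source restriction was given
        return True
    return ipaddress.ip_network(prefix, strict=False).prefixlen == 0

def covers_port(rule, port):
    """True when a TCP (or any-protocol) rule includes the given port."""
    if rule["protocol"] not in (None, "tcp"):
        return False
    lo, hi = rule["port_range_min"], rule["port_range_max"]
    if lo is None and hi is None:  # no range means all ports
        return True
    return lo <= port <= (hi if hi is not None else lo)

def audit(rules, sensitive_ports=(22,)):
    """Return (rule id, protocol, exposed ports) for world-open ingress rules."""
    findings = []
    for rule in rules:
        if not is_world_open(rule):
            continue
        exposed = [p for p in sensitive_ports if covers_port(rule, p)]
        if exposed or rule["protocol"] == "icmp":
            findings.append((rule["id"], rule["protocol"], exposed))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

A finding is not necessarily a misconfiguration; it marks the rules whose source range is worth narrowing, as rule-ssh-mgmt does with a management prefix.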