TripleO Network Isolation in Virtual Environment (VLAN)

External Network Connectivity in Isolated Networks

Have been testing around with TripleO deployments trying out the templates for network isolation. The virtual environment’s setup is quite simple. I just followed the official Openstack TripleO documentation and deployment documentation.

For network isolation testing I followed this link, and in addition also got some hints from here. The basic idea of this network isolation setup is that every service is using its own VLAN (storage, external network, tenant and so on…).

Following the documentation we are going to use the undercloud as a gateway, the vlan10 interface is create and tagged “10”, this you can see from the ovs-vsctl output:

And we can see our interface as well in ip addr output:

Also make sure to add the iptables masquerade rule as per the documentation:

This is all great stuff. Following the documentation on how to use the custom network-environment.yaml file provides us with the interfaces on the controller:

Where vlan10 appears in the list with IP addresses of the network we defined (10.0.0.0/24):

Ip route:

 

The Problem I Had

Have created a subnet for the internal VM traffic (192.168.168.0/24) and external network 10.0.0.0/24.
Created a router with gateway 10.0.0.234 and another port on 192.168.168.0/24 network. This should result in something like this:

Afterwards I made sure that the security policies are allowing SSH, ICMP and DNS.

When I tried to ping 10.0.0.1 from the router’s namespace I got no reply:

This obviously means that trying ping from within the VM will not work either, and such is the case indeed.

When looking into the router’s namespace:

So, this all looks just fine and as supposed to.

Solution: Tag the External Network in Neutron

I created the external network in neutron but didn’t configure it properly.
Instead of the “default” way I was creating the router (neutron net-create ext_net –router:external) I had to explicitly configure it as VLAN, add the physical_network name and the tag. The physical_network name can be found in /etc/neutron/plugins/ml2/ml2_conf.ini on the network node/controller:

To get things right I deleted the initial network I’ve created and re-created it properly:

Then proceeded to add the subnet:

I got lazy for the rest and just used Horizon to re-attach the new external network to the router.
After this I had the connectivity from the VM:

 

So… To sum it up: don’t forget to create the external network as type VLAN and tag it according to the tag given to the vlan10 interface — in case you run into the same issue.

Edit: I believe that much of the official documentation has been recently updated to describe the creation of external networks with VLANs.

2 thoughts on “TripleO Network Isolation in Virtual Environment (VLAN)

    • Hi Chris!

      Thanks! This was quite a long time since I’ve written this post. Yes, I believe it was ‘flat’ before I changed it.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.