b9db6828ff
External networks shouldn't be "shared" Change-Id: I7511e2f956c219ab2155ca44023bdc6754400828 Closes-bug: #1405403
267 lines
15 KiB
XML
267 lines
15 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
version="5.0"
|
|
xml:id="neutron-initial-networks">
|
|
<title>Create initial networks</title>
|
|
<para>Before launching your first instance, you must create the
|
|
necessary virtual network infrastructure to which the instance will
|
|
connect, including the
|
|
<link linkend="neutron_initial-external-network">external network</link>
|
|
and
|
|
<link linkend="neutron_initial-tenant-network">tenant network</link>.
|
|
See <xref linkend="neutron_figure-neutron-initial-networks"/>. After
|
|
creating this infrastructure, we recommend that you
|
|
<link linkend="neutron_initial-networks-verify">verify
|
|
connectivity</link> and resolve any issues before proceeding further.
|
|
<xref linkend="neutron_figure-neutron-initial-networks"/> provides a
|
|
basic architectural overview of the components that Networking implements
|
|
for the initial networks and shows how network traffic flows from the
|
|
instance to the external network or Internet.</para>
|
|
<figure xml:id="neutron_figure-neutron-initial-networks">
|
|
<title>Initial networks</title>
|
|
<mediaobject>
|
|
<imageobject>
|
|
<imagedata contentwidth="6in"
|
|
fileref="../common/figures/installguide-neutron-initialnetworks.png"/>
|
|
</imageobject>
|
|
</mediaobject>
|
|
</figure>
|
|
<section xml:id="neutron_initial-external-network">
|
|
<title>External network</title>
|
|
<para>The external network typically provides Internet access for
|
|
your instances. By default, this network only allows Internet
|
|
access <emphasis>from</emphasis> instances using
|
|
<glossterm>Network Address Translation (NAT)</glossterm>. You can
|
|
enable Internet access <emphasis>to</emphasis> individual instances
|
|
using a <glossterm>floating IP address</glossterm> and suitable
|
|
<glossterm>security group</glossterm> rules. The <literal>admin</literal>
|
|
tenant owns this network because it provides external network
|
|
access for multiple tenants.</para>
|
|
<note>
|
|
<para>Perform these commands on the controller node.</para>
|
|
</note>
|
|
<procedure>
|
|
<title>To create the external network</title>
|
|
<step>
|
|
<para>Source the <literal>admin</literal> credentials to gain access to
|
|
admin-only CLI commands:</para>
|
|
<screen><prompt>$</prompt> <userinput>source admin-openrc.sh</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Create the network:</para>
|
|
<screen><prompt>$</prompt> <userinput>neutron net-create ext-net --router:external True \
|
|
--provider:physical_network external --provider:network_type flat</userinput>
|
|
<computeroutput>Created a new network:
|
|
+---------------------------+--------------------------------------+
|
|
| Field | Value |
|
|
+---------------------------+--------------------------------------+
|
|
| admin_state_up | True |
|
|
| id | 893aebb9-1c1e-48be-8908-6b947f3237b3 |
|
|
| name | ext-net |
|
|
| provider:network_type | flat |
|
|
| provider:physical_network | external |
|
|
| provider:segmentation_id | |
|
|
| router:external | True |
|
|
| shared | False |
|
|
| status | ACTIVE |
|
|
| subnets | |
|
|
| tenant_id | 54cd044c64d5408b83f843d63624e0d8 |
|
|
+---------------------------+--------------------------------------+</computeroutput></screen>
|
|
</step>
|
|
</procedure>
|
|
<para>Like a physical network, a virtual network requires a
|
|
<glossterm>subnet</glossterm> assigned to it. The external network
|
|
shares the same subnet and <glossterm>gateway</glossterm> associated
|
|
with the physical network connected to the external interface on the
|
|
network node. You should specify an exclusive slice of this subnet
|
|
for <glossterm>router</glossterm> and floating IP addresses to prevent
|
|
interference with other devices on the external network.</para>
|
|
<procedure>
|
|
<title>To create a subnet on the external network</title>
|
|
<step>
|
|
<para>Create the subnet:</para>
|
|
<screen><prompt>$</prompt> <userinput>neutron subnet-create ext-net --name ext-subnet \
|
|
--allocation-pool start=<replaceable>FLOATING_IP_START</replaceable>,end=<replaceable>FLOATING_IP_END</replaceable> \
|
|
--disable-dhcp --gateway <replaceable>EXTERNAL_NETWORK_GATEWAY</replaceable> <replaceable>EXTERNAL_NETWORK_CIDR</replaceable></userinput></screen>
|
|
<para>Replace <replaceable>FLOATING_IP_START</replaceable> and
|
|
<replaceable>FLOATING_IP_END</replaceable> with the first and last
|
|
IP addresses of the range that you want to allocate for floating IP
|
|
addresses. Replace <replaceable>EXTERNAL_NETWORK_CIDR</replaceable>
|
|
with the subnet associated with the physical network. Replace
|
|
<replaceable>EXTERNAL_NETWORK_GATEWAY</replaceable> with the gateway
|
|
associated with the physical network, typically the ".1" IP address.
|
|
You should disable <glossterm>DHCP</glossterm> on this subnet because
|
|
instances do not connect directly to the external network and
|
|
floating IP addresses require manual assignment.</para>
|
|
<para>For example, using <literal>203.0.113.0/24</literal> with
|
|
floating IP address range <literal>203.0.113.101</literal> to
|
|
<literal>203.0.113.200</literal>:</para>
|
|
<screen><prompt>$</prompt> <userinput>neutron subnet-create ext-net --name ext-subnet \
|
|
--allocation-pool start=203.0.113.101,end=203.0.113.200 \
|
|
--disable-dhcp --gateway 203.0.113.1 203.0.113.0/24</userinput>
|
|
<computeroutput>Created a new subnet:
|
|
+-------------------+------------------------------------------------------+
|
|
| Field | Value |
|
|
+-------------------+------------------------------------------------------+
|
|
| allocation_pools | {"start": "203.0.113.101", "end": "203.0.113.200"} |
|
|
| cidr | 203.0.113.0/24 |
|
|
| dns_nameservers | |
|
|
| enable_dhcp | False |
|
|
| gateway_ip | 203.0.113.1 |
|
|
| host_routes | |
|
|
| id | 9159f0dc-2b63-41cf-bd7a-289309da1391 |
|
|
| ip_version | 4 |
|
|
| ipv6_address_mode | |
|
|
| ipv6_ra_mode | |
|
|
| name | ext-subnet |
|
|
| network_id | 893aebb9-1c1e-48be-8908-6b947f3237b3 |
|
|
| tenant_id | 54cd044c64d5408b83f843d63624e0d8 |
|
|
+-------------------+------------------------------------------------------+</computeroutput></screen>
|
|
</step>
|
|
</procedure>
|
|
</section>
|
|
<section xml:id="neutron_initial-tenant-network">
|
|
<title>Tenant network</title>
|
|
<para>The tenant network provides internal network access for instances.
|
|
The architecture isolates this type of network from other tenants. The
|
|
<literal>demo</literal> tenant owns this network because it only
|
|
provides network access for instances within it.</para>
|
|
<note>
|
|
<para>Perform these commands on the controller node.</para>
|
|
</note>
|
|
<procedure>
|
|
<title>To create the tenant network</title>
|
|
<step>
|
|
<para>Source the <literal>demo</literal> credentials to gain access to
|
|
user-only CLI commands:</para>
|
|
<screen><prompt>$</prompt> <userinput>source demo-openrc.sh</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Create the network:</para>
|
|
<screen><prompt>$</prompt> <userinput>neutron net-create demo-net</userinput>
|
|
<computeroutput>Created a new network:
|
|
+-----------------+--------------------------------------+
|
|
| Field | Value |
|
|
+-----------------+--------------------------------------+
|
|
| admin_state_up | True |
|
|
| id | ac108952-6096-4243-adf4-bb6615b3de28 |
|
|
| name | demo-net |
|
|
| router:external | False |
|
|
| shared | False |
|
|
| status | ACTIVE |
|
|
| subnets | |
|
|
| tenant_id | cdef0071a0194d19ac6bb63802dc9bae |
|
|
+-----------------+--------------------------------------+</computeroutput></screen>
|
|
</step>
|
|
</procedure>
|
|
<para>Like the external network, your tenant network also requires
|
|
a subnet attached to it. You can specify any valid subnet because the
|
|
architecture isolates tenant networks. By default, this subnet will
|
|
use DHCP so your instances can obtain IP addresses.</para>
|
|
<procedure>
|
|
<title>To create a subnet on the tenant network</title>
|
|
<step>
|
|
<para>Create the subnet:</para>
|
|
<screen><prompt>$</prompt> <userinput>neutron subnet-create demo-net --name demo-subnet \
|
|
--gateway <replaceable>TENANT_NETWORK_GATEWAY</replaceable> <replaceable>TENANT_NETWORK_CIDR</replaceable></userinput></screen>
|
|
<para>Replace <replaceable>TENANT_NETWORK_CIDR</replaceable> with the
|
|
subnet you want to associate with the tenant network and
|
|
<replaceable>TENANT_NETWORK_GATEWAY</replaceable> with the gateway
|
|
you want to associate with it, typically the ".1" IP address.</para>
|
|
<para>Example using <literal>192.168.1.0/24</literal>:</para>
|
|
<screen><prompt>$</prompt> <userinput>neutron subnet-create demo-net --name demo-subnet \
|
|
--gateway 192.168.1.1 192.168.1.0/24</userinput>
|
|
<computeroutput>Created a new subnet:
|
|
+-------------------+------------------------------------------------------+
|
|
| Field | Value |
|
|
+-------------------+------------------------------------------------------+
|
|
| allocation_pools | {"start": "192.168.1.2", "end": "192.168.1.254"} |
|
|
| cidr | 192.168.1.0/24 |
|
|
| dns_nameservers | |
|
|
| enable_dhcp | True |
|
|
| gateway_ip | 192.168.1.1 |
|
|
| host_routes | |
|
|
| id | 69d38773-794a-4e49-b887-6de6734e792d |
|
|
| ip_version | 4 |
|
|
| ipv6_address_mode | |
|
|
| ipv6_ra_mode | |
|
|
| name | demo-subnet |
|
|
| network_id | ac108952-6096-4243-adf4-bb6615b3de28 |
|
|
| tenant_id | cdef0071a0194d19ac6bb63802dc9bae |
|
|
+-------------------+------------------------------------------------------+</computeroutput></screen>
|
|
</step>
|
|
</procedure>
|
|
<para>A virtual router passes network traffic between two or more virtual
|
|
networks. Each router requires one or more
|
|
<glossterm baseform="interface">interfaces</glossterm> and/or gateways
|
|
that provide access to specific networks. In this case, you will create
|
|
a router and attach your tenant and external networks to it.</para>
|
|
<procedure>
|
|
<title>To create a router on the tenant network and attach the external
|
|
and tenant networks to it</title>
|
|
<step>
|
|
<para>Create the router:</para>
|
|
<screen><prompt>$</prompt> <userinput>neutron router-create demo-router</userinput>
|
|
<computeroutput>Created a new router:
|
|
+-----------------------+--------------------------------------+
|
|
| Field | Value |
|
|
+-----------------------+--------------------------------------+
|
|
| admin_state_up | True |
|
|
| external_gateway_info | |
|
|
| id | 635660ae-a254-4feb-8993-295aa9ec6418 |
|
|
| name | demo-router |
|
|
| routes | |
|
|
| status | ACTIVE |
|
|
| tenant_id | cdef0071a0194d19ac6bb63802dc9bae |
|
|
+-----------------------+--------------------------------------+</computeroutput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Attach the router to the <literal>demo</literal> tenant
|
|
subnet:</para>
|
|
<screen><prompt>$</prompt> <userinput>neutron router-interface-add demo-router demo-subnet</userinput>
|
|
<computeroutput>Added interface b1a894fd-aee8-475c-9262-4342afdc1b58 to router demo-router.</computeroutput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Attach the router to the external network by setting it as
|
|
the gateway:</para>
|
|
<screen><prompt>$</prompt> <userinput>neutron router-gateway-set demo-router ext-net</userinput>
|
|
<computeroutput>Set gateway for router demo-router</computeroutput></screen>
|
|
</step>
|
|
</procedure>
|
|
</section>
|
|
<section xml:id="neutron_initial-networks-verify">
|
|
<title>Verify connectivity</title>
|
|
<para>We recommend that you verify network connectivity and resolve any
|
|
issues before proceeding further. Following the external network
|
|
subnet example using <literal>203.0.113.0/24</literal>, the tenant
|
|
router gateway should occupy the lowest IP address in the floating
|
|
IP address range, <literal>203.0.113.101</literal>. If you configured
|
|
your external physical network and virtual networks correctly, you
|
|
should be able to <command>ping</command> this IP address from any
|
|
host on your external physical network.</para>
|
|
<note>
|
|
<para>If you are building your OpenStack nodes as virtual machines,
|
|
you must configure the hypervisor to permit promiscuous mode on the
|
|
external network.</para>
|
|
</note>
|
|
<procedure>
|
|
<title>To verify network connectivity</title>
|
|
<step>
|
|
<para>Ping the tenant router gateway:</para>
|
|
<screen><prompt>$</prompt> <userinput>ping -c 4 203.0.113.101</userinput>
|
|
<computeroutput>PING 203.0.113.101 (203.0.113.101) 56(84) bytes of data.
|
|
64 bytes from 203.0.113.101: icmp_req=1 ttl=64 time=0.619 ms
|
|
64 bytes from 203.0.113.101: icmp_req=2 ttl=64 time=0.189 ms
|
|
64 bytes from 203.0.113.101: icmp_req=3 ttl=64 time=0.165 ms
|
|
64 bytes from 203.0.113.101: icmp_req=4 ttl=64 time=0.216 ms
|
|
|
|
--- 203.0.113.101 ping statistics ---
|
|
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
|
|
rtt min/avg/max/mdev = 0.165/0.297/0.619/0.187 ms</computeroutput></screen>
|
|
</step>
|
|
</procedure>
|
|
</section>
|
|
</section>
|