On 1/17/22 4:28 PM, Wei ZHOU wrote:
> Hi Wido,
> 
> CloudStack allows users to add multiple IP ranges to a shared network. All
> these IPs share the same vlan. I hope it helps you.
> 

Yes, but then they would also be allocated to VMs.

> The problem is, a secondary IP can only be assigned to a VM. I think we can
> add a flag like `floating` to secondary IP. If the flag is true, it can be
> assigned to multiple VMs (belonging to same owner) as secondary IP.
> 

Something along that way. I would like to be able to add an IPv4 or IPv6
address as a secondary without it being checked. Just allow any address
to be added as a secondary address.

This would already be sufficient.

Wido

> -Wei
> 
> On Mon, 17 Jan 2022 at 14:37, Wido den Hollander <w...@widodh.nl> wrote:
> 
>> Hi,
>>
>> Use-case: I have a SG enabled shared network where a VM establishes a
>> BGP session with the upstream router.
>>
>> Over this BGP session the VM announces a /32 (IPv4) and/or /128 (IPv6)
>> address and the router now installs this route.
>>
>> I do the same (with the same IPs) on a few different VMs and this way I
>> can have an Anycast/Floating IP which is being routed to those VMs.
>>
>> Problem: Security Group filtering prohibits this as the 'ipset' on the
>> hypervisor checks all the packets originating from the VM and drops all
>> packets not matching the ipset.
>>
>> Name: i-79-1328-VM
>> Type: hash:ip
>> Revision: 4
>> Header: family inet hashsize 1024 maxelem 65536
>> Size in memory: 248
>> References: 5
>> Number of entries: 1
>> Members:
>> 62.221.XXX.11
>>
>> I want to add /32 and /128 addresses to this subnet so that the SG does
>> not filter away this traffic.
>>
>> They could be added as a secondary IP to the VM, but this is not allowed
>> by the API as the secondary IPs you want to add should always come from
>> the subnet configured for that network.
>>
>> I do not want to turn off security grouping as this poses other
>> potential issues.
>>
>> Solutions I see:
>>
>> - Add global/account/domain setting which allows arbitrary secondary IPs
>> - Add per-network setting which allows arbitrary secondary IPs
>> - Pre-define subnets which Anycast/Floating IPs can be picked from per
>> network
>>
>> Any ideas or suggestions?
>>
>> Wido
>>
> 
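The thread's core problem is that the per-VM security-group ipset on the hypervisor only matches the VM's allocated address, so packets the VM sends from an anycast /32 or /128 are dropped. The following is an added example, not code from the thread or from CloudStack: a small parser for `ipset list` output plus a check that reports which intended source addresses a given set would not match. The set listing is constructed here in the same shape as the one quoted above, with the masked member replaced by the documentation address 192.0.2.11; the candidate addresses (198.51.100.5 and 2001:db8::1) are likewise assumed examples of anycast addresses an operator might want to announce.

```python
import ipaddress
from typing import Dict, List

# Constructed sample of `ipset list <name>` output, modelled on the listing
# quoted in the thread. The member address is a documentation-range
# placeholder, not a real allocation.
SAMPLE_IPSET_LISTING = """\
Name: i-79-1328-VM
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 248
References: 5
Number of entries: 1
Members:
192.0.2.11
"""


def parse_ipset_listing(text: str) -> Dict[str, object]:
    """Parse the header lines and the member list of an `ipset list` dump.

    Header fields are kept as strings under their original names; the
    members are returned as ip_network objects under the key "members",
    so both hash:ip (single hosts) and hash:net (CIDR) sets are handled.
    """
    header: Dict[str, object] = {}
    members: List[ipaddress._BaseNetwork] = []
    in_members = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_members:
            # Members may carry options such as "timeout N"; the address
            # is always the first token.
            members.append(ipaddress.ip_network(line.split()[0], strict=False))
            continue
        if line == "Members:":
            in_members = True
            continue
        key, _, value = line.partition(":")
        header[key.strip()] = value.strip()
    header["members"] = members
    return header


def blocked_sources(listing: Dict[str, object], candidates: List[str]) -> List[str]:
    """Return the candidate source addresses this set would NOT match.

    Traffic from these addresses would be dropped by the security-group
    filter the thread describes. Two distinct reasons are covered: the
    address is simply not a member, or it belongs to the other address
    family (a "family inet" set can never contain an IPv6 /128, so an
    IPv6 anycast address needs its own inet6 set).
    """
    header_line = str(listing.get("Header", ""))
    set_version = 6 if "family inet6" in header_line else 4
    members = listing["members"]
    blocked: List[str] = []
    for cand in candidates:
        addr = ipaddress.ip_address(cand)
        if addr.version != set_version:
            blocked.append(cand)
            continue
        if not any(addr in net for net in members):
            blocked.append(cand)
    return blocked


if __name__ == "__main__":
    parsed = parse_ipset_listing(SAMPLE_IPSET_LISTING)
    wanted = ["192.0.2.11", "198.51.100.5", "2001:db8::1"]
    for src in blocked_sources(parsed, wanted):
        print(f"{parsed['Name']}: source {src} would be dropped by the SG filter")
```

Run against a real dump by piping `ipset list <setname>` into `parse_ipset_listing`; any address the check reports is one that would have to be added to the set (through whatever secondary-IP mechanism the thread ends up proposing) before the VM could source traffic from it.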
