You could tell dnsmasq to use your router as the gateway instead of the network host and then not allow routing across vlans.

To use an external gateway use a config option like the following:

    dnsmasq_config_file=/path/to/config

in that config file you can use:

    dhcp-option=3,<ip of router>

to force vms to use your router as their gateway.

Vish

On Jun 1, 2012, at 10:30 PM, romizhang1968 wrote:

> Vish,
>
> Thanks for your reply.
> Yes, I allowed icmp ping from 0.0.0.0/0, but the question is, I think the
> different instances in different tenants and VLANs on the same compute node
> should not touch each other. admin03 (192.168.2.3) in VLAN 200 and 201 should
> only be able to reach instances of the same tenant, and should not be able to reach
> aipu01 (192.168.3.3) in VLAN 300 and aipuTenant even on the same compute node.
> I checked the route table; openstack creates a route item for each bridge on the
> node, but in admin03 the route table only shows how to get to 192.168.2.0
> and 192.168.21.0, with no way to reach the net of 192.168.3.0. But
> admin03 could ping aipu01, which means it uses the node's route table; I do
> not know why.
> So I want to know whether there is a way in openstack commands to stop this situation,
> not a reply telling me to delete the compute node route item. And I think each VM
> should connect to the "access port" and go through the trunk port (eth1 or eth2)
> to communicate with others.
> That is what I want.
> regards,
> Romi
>
>
>
> At 2012-06-02 00:47:49, "Vishvananda Ishaya" <vishvana...@gmail.com> wrote:
> Broadcast traffic should be blocked via the vlan separation and direct
> traffic should be blocked via security groups. Do you have a security group
> that allows ping traffic from 0.0.0.0/0?
>
> Vish
>
> On Jun 1, 2012, at 1:38 AM, romi zhang wrote:
>
>> Hi,
>>
>> I use the following commands to create 2 NICs for the instances of adminTenant
>> and 1 NIC for aipuTenant:
>>
>> nova-manage network create --label=admin_web --fixed_range_v4=192.168.2.0/28
>> --num_networks=1 --vlan=200 --bridge=br200 --bridge_interface=eth1
>> --network_size=16 --multi_host=T
>> --project_id=5f9281bca6854fe3974a457d81afd78c
>>
>> nova-manage network create --label=admin_ssl
>> --fixed_range_v4=192.168.21.0/28 --num_networks=1 --vlan=201 --bridge=br201
>> --bridge_interface=eth2 --network_size=16 --multi_host=T
>> --project_id=5f9281bca6854fe3974a457d81afd78c
>>
>> nova-manage network create --label=aipu_web --fixed_range_v4=192.168.3.0/28
>> --num_networks=1 --vlan=300 --bridge=br300 --bridge_interface=eth1
>> --network_size=16 --multi_host=T
>> --project_id=ee29f5730caa40958bf4812a0fbec3d9
>>
>> But the result is:
>> 1. The instance admin03 (192.168.2.3, 192.168.21.3, belonging to
>> adminTenant) could successfully ping aipu01 (192.168.3.3, belonging to aipuTenant)
>> on the same compute node (NC01, network+compute service).
>> 2. Of course, admin03 could not successfully ping aipu03 (192.168.3.6)
>> on the other compute node (NC02, network+compute service).
>>
>> Is there a way or setting to forbid IP reachability between the instances of
>> different tenants in different bridges and VLANs on the same compute node?
>>
>> Romi
_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
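As an added illustration of the behaviour Romi describes and the fix Vish suggests (example code written for this page, not from the thread's authors or from OpenStack): the script below models the forwarding decision on the compute node. It parses constructed `ip route` tables for NC01 and for admin03, does the kernel's longest-prefix lookup, and reports whether a packet from a VM on one tenant bridge would be forwarded by the node onto another tenant's bridge. The second VM table shows the same VM after dnsmasq has handed out an external router via `dhcp-option=3`; the router address 192.168.2.14 is a hypothetical value, and the model assumes `net.ipv4.ip_forward=1` with no FORWARD rule dropping inter-bridge traffic, which is what the successful ping implies.

```python
"""Model of the routing that lets admin03 reach aipu01 through NC01.

Added example, not code from the thread or from OpenStack.  The route tables
below are constructed to match the addresses in the thread; the external
router address 192.168.2.14 is a hypothetical value.  The model assumes the
kernel forwards between bridges (net.ipv4.ip_forward=1) and that no iptables
FORWARD rule drops inter-bridge traffic.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed `ip route` output for compute node NC01: nova-network installs one
# connected route per tenant bridge and gives the node the .1 address on each.
HOST_ROUTES = """\
default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.11
192.168.2.0/28 dev br200 proto kernel scope link src 192.168.2.1
192.168.21.0/28 dev br201 proto kernel scope link src 192.168.21.1
192.168.3.0/28 dev br300 proto kernel scope link src 192.168.3.1
"""

# Bridge -> tenant, from the three nova-manage commands in the thread.
BRIDGE_TENANT = {"br200": "adminTenant", "br201": "adminTenant", "br300": "aipuTenant"}

# Constructed route table inside admin03 with the default setup: the DHCP
# gateway is the node's own bridge address, so every off-link packet goes to NC01.
VM_ROUTES_HOST_GW = """\
default via 192.168.2.1 dev eth0
192.168.2.0/28 dev eth0 proto kernel scope link src 192.168.2.3
192.168.21.0/28 dev eth1 proto kernel scope link src 192.168.21.3
"""

# The same VM after dnsmasq hands out an external router with dhcp-option=3
# (192.168.2.14 is a hypothetical router address inside the tenant subnet).
VM_ROUTES_EXT_GW = """\
default via 192.168.2.14 dev eth0
192.168.2.0/28 dev eth0 proto kernel scope link src 192.168.2.3
192.168.21.0/28 dev eth1 proto kernel scope link src 192.168.21.3
"""


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    dev: str
    via: Optional[str]   # next-hop address, None for a connected route
    src: Optional[str]   # preferred source address, i.e. the host's own IP on dev


def parse_routes(text: str) -> list:
    """Parse the `ip route` lines used above (destination, dev, via, src)."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        dst = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0], strict=False)

        def after(key):
            return f[f.index(key) + 1] if key in f else None

        routes.append(Route(dst, after("dev"), after("via"), after("src")))
    return routes


def lookup(routes, ip: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel's forwarding lookup does."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r.dst]
    return max(matches, key=lambda r: r.dst.prefixlen) if matches else None


def egress_bridge_via_host(vm_routes, host_routes, dst_ip: str) -> Optional[str]:
    """Interface NC01 would forward on, or None if NC01 is not the VM's next hop."""
    hop = lookup(vm_routes, dst_ip)
    host_ips = {r.src for r in host_routes if r.src}
    if hop is None or hop.via is None or hop.via not in host_ips:
        return None          # delivered on-link, or sent to a router other than NC01
    out = lookup(host_routes, dst_ip)
    return out.dev if out else None


def crosses_tenant(vm_routes, host_routes, src_bridge: str, dst_ip: str,
                   ip_forward: bool = True) -> bool:
    """True when a packet from a VM on src_bridge would be forwarded by the node
    onto a bridge owned by a different tenant, bypassing the VLAN separation."""
    if not ip_forward:
        return False
    out = egress_bridge_via_host(vm_routes, host_routes, dst_ip)
    if out is None:
        return False
    return BRIDGE_TENANT.get(out) not in (None, BRIDGE_TENANT[src_bridge])


def dhcp_gateway_option(router_ip: str, subnet: str) -> str:
    """dnsmasq line that makes router_ip the VMs' default gateway (option 3),
    after checking the router actually sits inside the tenant subnet."""
    if ipaddress.ip_address(router_ip) not in ipaddress.ip_network(subnet):
        raise ValueError(f"{router_ip} is not inside {subnet}")
    return f"dhcp-option=3,{router_ip}"


if __name__ == "__main__":
    host = parse_routes(HOST_ROUTES)
    for label, text in (("host gateway", VM_ROUTES_HOST_GW), ("external gateway", VM_ROUTES_EXT_GW)):
        vm = parse_routes(text)
        print(label, "-> aipu01 via NC01 crosses tenant:",
              crosses_tenant(vm, host, "br200", "192.168.3.3"))
    print(dhcp_gateway_option("192.168.2.14", "192.168.2.0/28"))
```

With the node as gateway, admin03's default route sends the packet for 192.168.3.3 to 192.168.2.1, the node looks it up in its own table, and br300 is the egress, exactly the cross-tenant path Romi observed; traffic to 192.168.21.3 stays on-link and never involves the node. Once the VM's default route points at a router that is not the node, the node is no longer the next hop and the model reports no crossing, which is why Vish's suggestion only works if that router itself refuses to route between the tenant VLANs.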