Thanks Xav, I am using nova-network and not neutron. Looks like this cannot work with nova-network.
Thanks

On Thu, Aug 7, 2014 at 3:23 PM, Xav Paice <xavpa...@gmail.com> wrote:
> On 07/08/14 21:42, mad Engineer wrote:
> > but concerned whether nova security policies allow VRRP to work as it
> > requires multiple IP on same MAC?
> >
> > Is clearing the rule only way to make it work, or is there nova-network
> > way to make it work.
> >
> > also I am worried about NAT rule when IP fail over happens
> >
>
> This might help - copied from a note I put on our ops wiki:
>
> OpenStack has anti-spoofing iptables rules that sit very close to your
> instance on the hypervisor. This means you can't just add a new address
> without telling OpenStack. To tell OpenStack, you need to add an
> allowed-address-pair to the port which your instance will use with the
> new IP.
>
> For example: I have a VM with a fixed IP of 10.1.1.13. I want to add
> the alias IP 10.1.1.14 to that and one other VM, for load balancing.
>
> First, make sure you aren't using an IP in the DHCP range for this
> subnet. Then update the Ports for each instance participating in VRRP.
>
> nova interface-list <INSTANCE_UUID>
>
> +------------+--------------------------------------+--------------------------------------+--------------+-------------------+
> | Port State | Port ID                              | Net ID                               | IP addresses | MAC Addr          |
> +------------+--------------------------------------+--------------------------------------+--------------+-------------------+
> | ACTIVE     | 50eb611d-5e71-43cf-ba4d-1017bc6e488c | 623417c3-dffc-4b6d-96fa-a4ae0ec1df52 | 10.1.1.13    | fa:16:3e:5b:64:38 |
>
> neutron port-update 50eb611d-5e71-43cf-ba4d-1017bc6e488c \
>     --allowed-address-pairs type=dict list=true \
>     mac_address=fa:16:3e:5b:64:38,ip_address=10.1.1.14
>
> Once you have updated the ports attached to each VM, you will need some
> security group rules.
>
> neutron security-group-create vrrp_members
> neutron security-group-rule-create --ethertype IPv4 \
>     --direction egress --protocol 51 \
>     --remote-ip-prefix 224.0.0.18/32 vrrp_members
> neutron security-group-rule-create --ethertype IPv4 \
>     --direction ingress --protocol 51 \
>     --remote-group-id vrrp_members vrrp_members
>
> Then apply this security group to your VRRP instances.
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack@lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
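An added example, not part of the original thread or of OpenStack's own code: a small audit of the two checks in the quoted note (the virtual IP lies outside the DHCP range, and every VRRP member port carries the allowed-address-pair), which also flags pairs wider than a single host. It assumes port and subnet data shaped like Neutron API objects and that the pair uses the port's own MAC, as in the note; the second port and the pool range are constructed sample values.

```python
import ipaddress

def audit_vrrp_ports(vip, ports, allocation_pools):
    """Return findings for a VRRP virtual IP shared by several Neutron ports."""
    vip_addr = ipaddress.ip_address(vip)
    findings = []
    # The VIP must sit outside every DHCP allocation pool, otherwise the
    # address can be allocated to an unrelated instance.
    for pool in allocation_pools:
        lo = ipaddress.ip_address(pool["start"])
        hi = ipaddress.ip_address(pool["end"])
        if lo <= vip_addr <= hi:
            findings.append(f"{vip} is inside DHCP pool {pool['start']}-{pool['end']}")
    for port in ports:
        covered = False
        for pair in port.get("allowed_address_pairs", []):
            net = ipaddress.ip_network(pair["ip_address"], strict=False)
            # A pair wider than one host relaxes anti-spoofing for a whole range.
            if net.num_addresses > 1:
                findings.append(f"port {port['id']}: broad pair {net}")
            # Assumption: the VIP is sent from the port's own MAC (no virtual
            # MAC), so the pair's MAC must match it.
            pair_mac = pair.get("mac_address", port["mac_address"])
            if vip_addr in net and pair_mac.lower() == port["mac_address"].lower():
                covered = True
        if not covered:
            findings.append(f"port {port['id']}: {vip} not in allowed-address-pairs")
    return findings

# Constructed sample data: the first port uses the values from the note, the
# second is a hypothetical VRRP member whose port was never updated.
SAMPLE_POOLS = [{"start": "10.1.1.2", "end": "10.1.1.13"}]
SAMPLE_PORTS = [
    {"id": "50eb611d-5e71-43cf-ba4d-1017bc6e488c",
     "mac_address": "fa:16:3e:5b:64:38",
     "allowed_address_pairs": [{"ip_address": "10.1.1.14",
                                "mac_address": "fa:16:3e:5b:64:38"}]},
    {"id": "port-2-placeholder", "mac_address": "fa:16:3e:00:00:02",
     "allowed_address_pairs": []},
]

if __name__ == "__main__":
    for line in audit_vrrp_ports("10.1.1.14", SAMPLE_PORTS, SAMPLE_POOLS):
        print(line)
```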