Hi Andreas,

LinuxBridge w/ VXLAN and l2population was incompatible with allowed-address-pairs, or any case where an IP may be configured on an interface that isn't defined on a port or moves around from VM to VM, for some time. It is more of a limitation of the ARP proxy implementation in the VXLAN kernel module than a Neutron bug, but nonetheless, here you go:

https://bugs.launchpad.net/neutron/+bug/1445089

The workaround was to patch the LinuxBridge agent to disable the ARP proxy when creating vxlan interfaces. Try adding 'arp_responder=False' to the [vxlan] section of the linuxbridge agent config file and restart the agent. This should be done across all nodes, and will only apply to Liberty and above.

James

________________________________________
From: Andreas Scheuring <scheu...@linux.vnet.ibm.com>
Sent: Monday, June 20, 2016 6:06 AM
To: openstack@lists.openstack.org
Subject: Re: [Openstack] neutron, l2population, linuxbridge and multiple ips

- What about using Neutron's "allowed address pairs"?
- Or setting up a tunnel network within your existing openstack tunnel network?

--
-----
Andreas
IRC: andreas_s

On Sat, 2016-06-18 at 18:52 +0200, Joerg Streckfuss wrote:
> Dear list,
>
> I'm trying to set up an isolated network for testing cluster managers like
> keepalived on linux and carp on openbsd. This means there are ips which
> are bound to multiple ports. The main problem is when I try to configure
> new ip-addresses inside the vms and _not_ in neutron, these ips are not
> visible by the other vms. When I try to ping these ips I can see a local
> arp request inside the bridge of the requesting vm but this request does
> not reach the bridge of the destination vm. So my assumption is neutron
> in particular the l2population works only for ip addresses which are
> known by neutron ports. So in case of disabling dhcp I have to configure
> it for the neutron port and inside the vm, right?
>
> My setup is a 4-node openstack environment (one controller, three
> compute nodes), using liberty on centos7 carefully following the
> instructions under http://docs.openstack.org/liberty/install-guide-rdo/.
>
> I'm using self-service networks with one flat provider-network for
> external communication. I use VXLAN for overlay-networks. As mechanism
> drivers I use linuxbridge and l2population.
>
> The isolated network and the vms are initiated by heat templates. I
> disabled port security for each neutron port by setting
> 'port_security_enabled: false' inside the heat template.
>
> So what can I do, that a neutron isolated network behaves like a
> standard linuxbridge or especially a hardware switch, where no port
> security is configured and which forwards all kinds of arp traffic?
>
> Thanks in advance,
>
> Joerg
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack@lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack