Ask Your Question

Self-Service networks if 2 provider nets and 2 NICs

asked 2018-02-27 11:21:57 -0500

anonymous user


Imagine that my computes have 2 NICs , NIC-A and NIC-B for User Plane traffic and Admin has declared 2 provider Nets PhysNetA on NIC-A and PhysNetB on NIC-B.

If Admin then lets tenant Users create self-service networks then via which NIC will tenant traffic pass ? How does Neutron allocate the self-service tenant net with 2 possible underlying provider nets? Maybe this is a case where only Admin configured tenant networking is recommended ?

(I understand that the Admin can define a new tenant Net linked to a given Provider Net (and then share it) , and thus fixing via which NIC traffic on that tenant net will flow, but not sure in the case of self-service nets . )

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted

answered 2018-03-02 16:27:19 -0500

The key piece of information we need is what kind should the proposed self-service network be. I.e., are they:

  • Flat? In this case, you have a 1:1 mapping of physical interfaces to user networks, not much you can do.

  • VLAN? As you pointed out, only Admin has privileges to create a new VLAN-backed network while also choosing the physical interface over which the network spans. This privilege can be extended to non-admin tenants via fiddling with neutron's policy.json and maybe some Horizon settings, I suspect, if you want to expose this option to the dashboard.

  • Tunneled (VXLAN, GRE, GeNeVe)? AFAIK, the ML2 config only allows you to define one local_ip under the [ovs] section, so exposing tunneled self-service networks to tenants ties them to the L3 interface with that IP.

If you end up exposing the VLAN provider networks to non-admin tenants, you'll have to reconfigure at least these policies in Neutron's policy.json:

"create_network:provider:network_type": "rule:admin_only", "create_network:provider:physical_network": "rule:admin_only", "create_network:provider:segmentation_id": "rule:admin_only",

You'll have to change the "rule:admin_only" part to something more permissive. For example, you can create a new Role, grant that Role to tenants that should be able to create VLANs, and change the rules to "rule:admin_only or role:some_special_role". Be aware, though, that you'll essentially enable non-admin users to create VLAN-tagged traffic on your physical network, and if you aren't careful they might be able to tap into company-internal VLAN traffic.

Go ahead and ask if you're interested in the specifics.

edit flag offensive delete link more


Also, for a great introduction to Openstack networking and the compare&contrast of different scenarios, have a look at

Peter Slovak gravatar imagePeter Slovak ( 2018-03-02 16:28:53 -0500 )edit

thanks for a thorough answer, appreciate it.

AndyW gravatar imageAndyW ( 2018-03-06 11:38:12 -0500 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools



Asked: 2018-02-27 11:21:57 -0500

Seen: 185 times

Last updated: Mar 02 '18