Private external network is visible to other tenant
I am trying to create an external network for a dedicated tenant. I have 2 external networks created. One is created within the admin tenant for all tenants' usage. It works well. The 2nd is created like: neutron net-create ext_net2 --provider:network_type flat --provider:physical_network physnet2 --router:external=True --tenant-id 71caaafeaf9446acb134cd337d13d1d5
Per this link: https://wiki.openstack.org/wiki/Neutr... ext-net2 should be private to tenant 71caaafeaf9446acb134cd337d13d1d5, but all other tenants can create a router and set the gateway to this external network.
UPDATE 1
root@network:~# ovs-vsctl show
aacb4736-666f-4e3d-b3eb-7a002db35481
    Bridge br-tun
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}
        Port br-tun
            Interface br-tun
                type: internal
        Port "gre-c0a80207"
            Interface "gre-c0a80207"
                type: gre
                options: {df_default="true", in_key=flow, local_ip="192.168.2.6", out_key=flow, remote_ip="192.168.2.7"}
        Port "gre-c0a80205"
            Interface "gre-c0a80205"
                type: gre
                options: {df_default="true", in_key=flow, local_ip="192.168.2.6", out_key=flow, remote_ip="192.168.2.5"}
    Bridge "br-eth3"
        Port "br-eth3"
            Interface "br-eth3"
                type: internal
        Port "eth3"
            Interface "eth3"
        Port "phy-br-eth3"
            Interface "phy-br-eth3"
                type: patch
                options: {peer="int-br-eth3"}
    Bridge br-int
        fail_mode: secure
        Port int-br-ex
            Interface int-br-ex
                type: patch
                options: {peer=phy-br-ex}
        Port "int-br-eth3"
            Interface "int-br-eth3"
                type: patch
                options: {peer="phy-br-eth3"}
        Port br-int
            Interface br-int
                type: internal
        Port patch-tun
            Interface patch-tun
                type: patch
                options: {peer=patch-int}
    Bridge br-ex
        Port "eth2"
            Interface "eth2"
        Port br-ex
            Interface br-ex
                type: internal
        Port phy-br-ex
            Interface phy-br-ex
                type: patch
                options: {peer=int-br-ex}
    ovs_version: "2.0.2"
Could anybody help me on this issue?
Thanks
UPDATE 1
root@network:~# ifconfig
br-eth3   Link encap:Ethernet HWaddr e6:c8:33:27:c5:46
          inet6 addr: fe80::28bf:70ff:fe89:18f3/64 Scope:Link
          UP BROADCAST RUNNING MTU:1500 Metric:1
          RX packets:5 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:238 (238.0 B) TX bytes:648 (648.0 B)
br-ex     Link encap:Ethernet HWaddr ba:60:05:be:8d:49
          inet6 addr: fe80::2469:79ff:fea4:8625/64 Scope:Link
          UP BROADCAST RUNNING MTU:1500 Metric:1
          RX packets:1070 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:60570 (60.5 KB) TX bytes:648 (648.0 B)
br-int    Link encap:Ethernet HWaddr be:a1:0f:63:15:40
          inet6 addr: fe80::74e8:2cff:fe48:cd9f/64 Scope:Link
          UP BROADCAST RUNNING MTU:1500 Metric:1
          RX packets:71 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5542 (5.5 KB) TX bytes:648 (648.0 B)
br-tun    Link encap:Ethernet HWaddr 7a:37:5e:0a:22:4b
          inet6 addr: fe80::3470:24ff:fe47:5754/64 Scope:Link
          UP BROADCAST RUNNING MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes ...
How many l3-agents are you running? Please post l3_agent.ini (or all of them) as UPDATE 1 to the question.
You should be running at least two l3-agents, unless you implemented the approach developed in
http://blog.oddbit.com/2014/05/28/mul...
working for IceHouse (Juno).
Quoting this blog:
I am using Juno and Icehouse, with which one L3 agent should be able to handle multiple external networks by adding a second br-ex2. And I leave external_network_bridge and gateway_external_network_id empty based on manual guidance.
Please post ovs-vsctl show and ifconfig on the network node, and ml2_conf.ini on the network node.