I've got my Neutron set up (RDO Havana on CentOS 6.5) and it seems to be working for passing traffic in and out of the external interface to and from my VMs. I can assign floating IPs, I can ssh in with the floating IPs, I can ssh out from my VMs, all good there. What I'd like to be able to do is restrict the use of the external network so that VMs cannot be connected directly to it.

Here is my OVS config:

tenant_network_type = vlan
network_vlan_ranges = physnet1:4:4,physnet1:101:104,physnet2:2:2
bridge_mappings = physnet1:br-private,physnet2:br-ex

And here are the commands I ran to set up the external network:

$ neutron net-create external --provider:network_type=vlan --provider:physical_network=physnet2 --provider:segmentation_id=2 --router:external=true --shared

$ neutron subnet-create external --disable-dhcp --gateway= --allocation-pool start=,end= --name=LAB

Here is what my topology looks like:

(topology diagram; only the bottom row survived extraction: three VMs hanging off a network)

                          [VM]       [VM]       [VM]

I want multiple tenants to be able to route their networks out to the external network via their respective routers, but I don't want any tenants to place VMs directly on the external network. Can that be done?

1 answer

answered 2013-12-05 14:04:45 -0600 by darragh-oreilly

I thought that with the default policies, users without the admin role can uplink their routers to external networks, but they can't boot VMs to them. But you are not seeing that?

You're right. At some point in my tinkering I had set my external network to be "shared". When I tried again without that option the other tenants could hook their routers up to the external network but not their VMs. Thanks!
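The outcome of the thread is that an external network must not also be "shared": sharing is what lets foreign tenants plug VM ports into it, while routers can uplink to any network flagged router:external regardless. The script below is an added example, not code from the thread or from Neutron. It audits the JSON shape returned by the Neutron API (GET /v2.0/networks; the attribute names "shared" and "router:external" are real Neutron fields) for external networks that are also shared, and models the two behaviours the answer describes as two small functions. The sample networks, tenant ids and network ids are constructed for the example, and the can_* functions are a simplified model of the observed behaviour, not Neutron's policy engine.

```python
import json

# Constructed sample of a GET /v2.0/networks body. Names, ids and tenant ids
# are made up for this example; the first entry reproduces the thread's
# mistake: an external network created with --shared.
SAMPLE_NETWORKS_JSON = json.dumps({
    "networks": [
        {"id": "net-ext-1", "name": "external", "tenant_id": "admin-tenant",
         "shared": True, "router:external": True,
         "provider:physical_network": "physnet2", "provider:segmentation_id": 2},
        {"id": "net-priv-1", "name": "tenantA-private", "tenant_id": "tenant-a",
         "shared": False, "router:external": False,
         "provider:physical_network": "physnet1", "provider:segmentation_id": 101},
        {"id": "net-shared-1", "name": "lab-shared", "tenant_id": "admin-tenant",
         "shared": True, "router:external": False,
         "provider:physical_network": "physnet1", "provider:segmentation_id": 102},
    ]
})


def load_networks(raw_json):
    """Parse an API body and return the list of network dicts."""
    return json.loads(raw_json)["networks"]


def find_shared_external(networks):
    """Names of networks that are both router:external and shared.

    Such a network lets any tenant create VM ports directly on it, which is
    the misconfiguration the thread ended up with.
    """
    return sorted(n["name"] for n in networks
                  if n.get("router:external") and n.get("shared"))


def can_attach_vm_port(network, tenant_id, is_admin=False):
    """Simplified model (not Neutron's policy code) of port creation: only an
    admin, the owning tenant, or anyone on a shared network can create a port,
    and a VM needs a port."""
    return is_admin or network["tenant_id"] == tenant_id or bool(network.get("shared"))


def can_set_router_gateway(network, tenant_id, is_admin=False):
    """Simplified model: a router gateway may point only at a network flagged
    router:external, and any tenant may do so whether or not it is shared."""
    return bool(network.get("router:external"))


def audit(raw_json, foreign_tenant="some-other-tenant"):
    """Report offending networks and what a non-owning, non-admin tenant
    could do with each network."""
    networks = load_networks(raw_json)
    report = {"shared_external": find_shared_external(networks), "networks": {}}
    for n in networks:
        report["networks"][n["name"]] = {
            "foreign_tenant_can_attach_vm": can_attach_vm_port(n, foreign_tenant),
            "foreign_tenant_can_uplink_router": can_set_router_gateway(n, foreign_tenant),
        }
    return report


if __name__ == "__main__":
    rep = audit(SAMPLE_NETWORKS_JSON)
    for name in rep["shared_external"]:
        print("WARNING: %s is router:external AND shared; recreate it without --shared" % name)
    for name, caps in sorted(rep["networks"].items()):
        print(name, caps)
```

To run it against a real deployment, replace SAMPLE_NETWORKS_JSON with the body of an admin-scoped GET /v2.0/networks call; the check you want to come back empty is find_shared_external. After the network is recreated without --shared, the model shows a foreign tenant can still uplink a router to it but can no longer attach a VM port.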

