Ask Your Question

Can I restrict the use of my external network?

asked 2013-12-05 12:27:11 -0500

A.Richards gravatar image

updated 2013-12-05 16:02:38 -0500

I've got my Neutron set up (RDO Havana on CentOS 6.5) and it seems to be working for passing traffic in and out of the external interface to and from my VMs. I can assign floating IPs, I can ssh in with the floating IPs, I can ssh out from my VMs, all good there. What I'd like to be able to do is restrict the use of the external network so that VMs cannot be connected directly to it.

Here is my OVS config:

tenant_network_type = vlan
network_vlan_ranges = physnet1:4:4,physnet1:101:104,physnet2:2:2
bridge_mappings = physnet1:br-private,physnet2:br-ex

And here are the commands I ran to set up the external network:

$ neutron net-create external --provider:network_type=vlan --provider:physical_network=physnet2 --provider:segmentation_id=2 --router:external=true --shared

$ neutron subnet-create external --disable-dhcp --gateway= --allocation-pool --start=,end= --name=LAB

Here is what my topology looks like:

                           |          |          |     
                          [VM]       [VM]       [VM]

I want multiple tenants to be able to route their networks out to the external network via their respective routers, but I don't want any tenants to place VMs directly on the external network. Can that be done?

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted

answered 2013-12-05 14:04:45 -0500

darragh-oreilly gravatar image

I thought that with the default policies, users without the admin role can uplink their routers to external networks, but they can't boot vms to them. But you are not seeing that?

edit flag offensive delete link more


You're right. At some point in my tinkering I had set my external network to be "shared". When I tried again without that option the other tenants could hook their routers up to the external network but not their VMs. Thanks!

A.Richards gravatar imageA.Richards ( 2013-12-05 16:01:43 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools



Asked: 2013-12-05 12:27:11 -0500

Seen: 568 times

Last updated: Dec 05 '13