Ask Your Question
0

neutron: network segmentation tenants vs inside tenant

asked 2015-10-18 07:06:12 -0500

highland gravatar image

updated 2015-10-18 07:07:55 -0500

Hello Team,

I have a question regarding:

a. How can i segment/isolate traffic between tenants. If i do understand correctly it's via gre, vlan or vxlans. So every tenant can use different network with different type of encapsulation, for example:

neutron net-create tenant1-net1 --provider:network_type vlan --provider:segmentation-id 100 --tenant-id Tenant1

Will create a network used by tenant1 with vlan segmentation. Which i understand will use 802.1q encapsulation for traffic leaving ovs (and going to physical switch). This way we will be able to differentiate tenants.

b. How can i segment traffic between different segments for the same tenant. Let's say tenant1 has application and database vms and i would like to put them in different network segment (vlan) ?

Thanks, Michal

edit retag flag offensive close merge delete
add a comment

1 answer

Sort by ยป oldest newest most voted
1

answered 2015-10-18 07:40:05 -0500

Bernd Bausch gravatar image

a) You are right, except that only an admin can use the --provider:network_type option. The idea is that normal users should not have access to the physical implementation of their virtual resources.

b) Network segmentation doesn't work per-tenant, but per-network. Each network uses a different VLAN (or GRE, or VXLAN) ID. In other words, you don't need to do anything to put each virtual network in a different segment.

edit flag offensive delete link more

Comments

So if we have 500 tenants and each uses 20 separate network segments we can not use vlans (4k limitation) ? Is there any option to use double tagging ? For example vxlan to describe tenant and vlan inside to describe which network segment within that tenant is that ?

highland gravatar imagehighland ( 2015-10-18 08:00:13 -0500 )edit

As far as I know there is no "nested segmentation" (if there is such a term) in OpenStack. Each network has a different ID, that's all. Perhaps you need to implement regions? Your network infrastructure might not support GRE, but prevents you from using VXLAN?

Bernd Bausch gravatar imageBernd Bausch ( 2015-10-23 20:40:42 -0500 )edit
add a comment

Get to know Ask OpenStack

Resources for moderators

Question Tools

subscribe to rss feed

Stats

Asked: 2015-10-18 07:06:12 -0500

Seen: 1,040 times

Last updated: Oct 18 '15

Related questions

neutron agent-list error

cannot ping vm from outside network

Mystery subnet

Cause for strange network config?

Openstack + Opendaylight + Mininet

Neutron overlay network

Use and bind to provider network

Linux bridge agent on compute node

External network and floating IPs

VM BW monitor by IP