# neutron: network segmentation tenants vs inside tenant

Hello Team,

I have a question regarding:

a. How can I segment/isolate traffic between tenants? If I understand correctly it's via GRE, VLAN or VXLAN. So every tenant can use a different network with a different type of encapsulation, for example:

```shell
# physnet1 is an assumed physical-network label; a VLAN provider network needs one
neutron net-create tenant1-net1 --provider:network_type vlan \
    --provider:physical_network physnet1 --provider:segmentation_id 100 \
    --tenant-id Tenant1
```

This will create a network used by tenant1 with VLAN segmentation, which I understand will use 802.1Q encapsulation for traffic leaving OVS (and going to the physical switch). This way we will be able to differentiate tenants.

b. How can I segment traffic between different segments for the same tenant? Let's say tenant1 has application and database VMs and I would like to put them in different network segments (VLANs)?

Thanks, Michal

a) You are right, except that only an admin can use the --provider:network_type option. The idea is that normal users should not have access to the physical implementation of their virtual resources.

b) Network segmentation doesn't work per-tenant, but per-network. Each network uses a different VLAN (or GRE, or VXLAN) ID. In other words, you don't need to do anything to put each virtual network in a different segment.

So if we have 500 tenants and each uses 20 separate network segments we cannot use VLANs (4k limitation)? Is there any option to use double tagging? For example VXLAN to describe the tenant and a VLAN inside to describe which network segment within that tenant it is?

(2015-10-18 08:00:13 -0600)

As far as I know there is no "nested segmentation" (if there is such a term) in OpenStack. Each network has a different ID, that's all. Perhaps you need to implement regions? Your network infrastructure might not support GRE, but what prevents you from using VXLAN?

(2015-10-23 20:40:42 -0600)
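As an added illustration of the per-network allocation described in the answer and the "500 tenants x 20 networks" concern in the comments (example code written for this page, not Neutron's own allocator): a toy model that hands out one segmentation ID per network regardless of tenant, so the 802.1Q ID space runs out at 4094 networks while the 24-bit VXLAN VNI space covers all 10000. Two networks of the same tenant always land on different segments, which is what isolates the application VMs from the database VMs at L2.

```python
# Protocol-level ID ranges; a real deployment narrows the VLAN range further
# via network_vlan_ranges in ml2_conf.ini.
SEGMENT_RANGES = {
    "vlan": (1, 4094),          # 802.1Q: 12-bit VLAN ID, 0 and 4095 reserved
    "vxlan": (1, 2**24 - 1),    # VXLAN: 24-bit VNI
    "gre": (1, 2**32 - 1),      # GRE: 32-bit key
}


class SegmentExhausted(Exception):
    """Raised when a segmentation type has no free ID left."""


class SegmentAllocator:
    """Model of ML2 allocation: one segment ID per *network*, never per tenant."""

    def __init__(self):
        self._next = {t: lo for t, (lo, _hi) in SEGMENT_RANGES.items()}
        self.networks = {}  # name -> (tenant, net_type, segmentation_id)

    def create_network(self, name, tenant, net_type):
        _lo, hi = SEGMENT_RANGES[net_type]
        seg = self._next[net_type]
        if seg > hi:
            raise SegmentExhausted(f"no free {net_type} id left for {name}")
        self._next[net_type] = seg + 1
        self.networks[name] = (tenant, net_type, seg)
        return seg

    def isolated(self, net_a, net_b):
        """True when net_a and net_b are separate L2 segments (type or ID differs)."""
        return self.networks[net_a][1:] != self.networks[net_b][1:]


def provision(net_type, tenants=500, nets_per_tenant=20):
    """Create tenants*nets_per_tenant networks (constructed names);
    return (how many succeeded before exhaustion, the allocator)."""
    alloc = SegmentAllocator()
    created = 0
    try:
        for t in range(tenants):
            for n in range(nets_per_tenant):
                alloc.create_network(f"tenant{t}-net{n}", f"tenant{t}", net_type)
                created += 1
    except SegmentExhausted:
        pass
    return created, alloc


if __name__ == "__main__":
    for kind in ("vlan", "vxlan"):
        count, _ = provision(kind)
        print(f"{kind}: {count} of 10000 networks got a segment ID")
```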