Ask Your Question
0

FWaaS with Neutron L3 Agent High Availability

asked 2016-04-27 02:50:02 -0500

zsolt-krenak gravatar image

Hi All!

I have 2 neutron network node with simple l3 agent rescheduling on Kilo. I started to experiment with fwaas, and what I found that after an L3 agent dies Neutron reschedules the router to the other node, firewall won't be configured on the rescheduled router.

As I understand fwaas in this reference design is an iptables ruleset in the virtual router namespace. After rescheduling why this iptables rules are not recreated?

If I start to use L3 Agent HA mode with keepalived, would that make the firewall rules appear in both router namespace? If yes, then what would happen at a case of complete neutron node loss, where Neutron would have to reschedule the lost router to another node, would that mean that one of the routers would have the firewall rules the other not?

I have a usecase where it would be really nice to use perimeter firewalling on the virtual routers, but providing HA raises a lot of questions.

Thanks in advance!

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted
0

answered 2016-04-27 03:13:02 -0500

dbaxps gravatar image

I used to follow doc https://github.com/beekhof/osp-ha-dep...
but didn't configure FWAAS. However, looking at mentioned link seems like L3 HA Router (VRRP based Liberty) plays with FWAAS. Mentioned page is inside main Howto - https://github.com/beekhof/osp-ha-dep.... Neutron setup on HA Controller Nodes.

edit flag offensive delete link more

Comments

I'll try it with HA (VRRP) routers, but I have feeling the rescheduling will still be a problem in a case of full neutron node loss. And Kilo doesn't support converting legacy routers to HA. Upgrade...upgrade...

zsolt-krenak gravatar imagezsolt-krenak ( 2016-04-27 04:08:55 -0500 )edit

Okay, so I tried FWaaS with VRRP HA, both routers get the proper iptables rules for firewall, failover works as expected, but the recovery... When the failed node returns, there's a complete loss of connectivity.. This does not happen if fwaas not enabled.

zsolt-krenak gravatar imagezsolt-krenak ( 2016-04-28 02:44:51 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2016-04-27 02:50:02 -0500

Seen: 264 times

Last updated: Apr 27 '16