OpenStack Liberty Neutron Deployment (Part 5 Add Router and Net/Subnet)

Create a router and set a gateway

Now it’s time to create a router and set a gateway.

#
# create a router
neutron router-create r1
#
# attach the router to floating pool 1
#
# list the external networks
#
neutron net-external-list
+--------------------------------------+---------------------+-----------------------------------------------------+
| id                                   | name                | subnets                                             |
+--------------------------------------+---------------------+-----------------------------------------------------+
| f79385f6-e878-4450-9ed9-e906f6985149 | floating-198-18-0   | 7b9a75c2-fbbc-455b-9aa7-1a1bf286571e 198.18.0.0/20  |
| 97d1c4c7-c5a2-4399-9d12-cf9bf6bef739 | floating-198-18-16  | 3af17d23-8229-4022-a49f-f8b41939adc9 198.18.16.0/20 |
+--------------------------------------+---------------------+-----------------------------------------------------+
#
# list the routers
neutron router-list
+--------------------------------------+------+-----------------------+
| id                                   | name | external_gateway_info |
+--------------------------------------+------+-----------------------+
| 4b965826-e67d-4473-8436-a21db3955c38 | r1   | null                  |
+--------------------------------------+------+-----------------------+
#
# set the gateway of the router
#
neutron router-gateway-set 4b965826-e67d-4473-8436-a21db3955c38 f79385f6-e878-4450-9ed9-e906f6985149

What was configured on the nodes by OpenStack?

[Figure: After creating the first router and setting the gateway]

OpenStack has set up a node-local VLAN on br-int. This local VLAN 1 has to be connected to VLAN 100 on our public network, and that is done with two OpenFlow rules that rewrite the VLAN ID on br-int and on br-vlan (shown here from the output of ovs-ofctl dump-flows on each bridge). Note that the local VLAN ID is only meaningful on this node: another node may use a different local ID for the same provider VLAN.

#
# on br-vlan: egress, local vlan 1 -> provider vlan 100
cookie=0x0, duration=16s, table=0, n_packets=5, n_bytes=115, idle_age=1711, hard_age=65534, 
            priority=4,in_port=2,dl_vlan=1 actions=mod_vlan_vid:100,NORMAL
#
# on br-int: ingress, provider vlan 100 (arriving from br-vlan on port 1) -> local vlan 1
cookie=0x0, duration=16s, table=0, n_packets=11, n_bytes=1479, idle_age=216, hard_age=65534,
            priority=3,in_port=1,dl_vlan=100 actions=mod_vlan_vid:1,NORMAL

The router is running on the network node in a Linux network namespace. The name of the network namespace is built from "qrouter-" and the UUID of the router, here qrouter-4b965826-e67d-4473-8436-a21db3955c38. Everything the router does (its interfaces, routes, iptables rules for NAT and floating IPs) lives inside that namespace, so it is the place to look when debugging.

Create a second router and set a gateway

Now create a second router (r2) in the same way as r1 and set its gateway to the second floating pool (floating-198-18-16).

[Figure: After adding the second router]

Creating the second router and setting its gateway triggered the creation of a second node-local VLAN (2) on br-int. Another pair of VLAN mappings, between local VLAN 2 and provider VLAN 101, is installed on br-int and br-vlan in the same way as for the first router.

Create a tenant network and attach it to r2

Now let’s create a tenant network and attach it to r2

# using names instead of UUIDs works as long as the names of the resources are unique
#
# create the broadcast domain (the L2 network)
neutron net-create n1
#
# create the subnet (IPv4, DHCP enabled by default)
neutron subnet-create --name s1 n1 192.168.1.0/24
#
# attach the router to the created subnet; this gives r2 an interface with the subnet's gateway IP
neutron router-interface-add r2 s1
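The commands above rely on names being unique; the neutron client refuses an ambiguous name, and a wrong guess at a UUID would put a gateway on the wrong external network. The helper below is an added example and not part of the original post. It parses the ASCII table the client prints (the two tables are constructed from the router and external network listings shown earlier on this page), resolves a name to its UUID only when exactly one row matches, and composes the gateway-set command line that was typed by hand above; it does not execute anything.

```python
"""Resolve Neutron resource names to UUIDs from the CLI's table output.

Added example, not code from the original post. The neutron client accepts
names instead of UUIDs only while the name is unique; this helper parses the
ASCII table printed by commands such as `neutron net-external-list` or
`neutron router-list` and refuses to pick an ID when the name is missing or
matches several rows, so a gateway is never set on the wrong external network.
"""

# Constructed sample tables, copied from the output shown earlier on the page.
EXTERNAL_NETS = """\
+--------------------------------------+---------------------+-----------------------------------------------------+
| id                                   | name                | subnets                                             |
+--------------------------------------+---------------------+-----------------------------------------------------+
| f79385f6-e878-4450-9ed9-e906f6985149 | floating-198-18-0   | 7b9a75c2-fbbc-455b-9aa7-1a1bf286571e 198.18.0.0/20  |
| 97d1c4c7-c5a2-4399-9d12-cf9bf6bef739 | floating-198-18-16  | 3af17d23-8229-4022-a49f-f8b41939adc9 198.18.16.0/20 |
+--------------------------------------+---------------------+-----------------------------------------------------+
"""

ROUTERS = """\
+--------------------------------------+------+-----------------------+
| id                                   | name | external_gateway_info |
+--------------------------------------+------+-----------------------+
| 4b965826-e67d-4473-8436-a21db3955c38 | r1   | null                  |
+--------------------------------------+------+-----------------------+
"""


def parse_table(text):
    """Turn the neutron CLI's ASCII table into a list of row dicts.

    Only lines starting with '|' carry data; the first of them is the header.
    Cell values never contain '|', so a plain split is sufficient.
    """
    rows = [line for line in text.splitlines() if line.startswith("|")]
    if not rows:
        return []
    header = [cell.strip() for cell in rows[0].strip("|").split("|")]
    return [dict(zip(header, (cell.strip() for cell in line.strip("|").split("|"))))
            for line in rows[1:]]


def find_ids(text, name):
    """All IDs whose 'name' column equals name (exact match, as the client does)."""
    return [row["id"] for row in parse_table(text) if row.get("name") == name]


def resolve_id(text, name):
    """Return the unique ID for name; raise LookupError if 0 or more than 1 rows match."""
    ids = find_ids(text, name)
    if not ids:
        raise LookupError("no resource named %r" % name)
    if len(ids) > 1:
        raise LookupError("name %r is ambiguous, matching ids: %s" % (name, ", ".join(ids)))
    return ids[0]


def gateway_set_command(router_table, router_name, ext_table, ext_net_name):
    """Compose `neutron router-gateway-set <router-id> <ext-net-id>` as an argv list."""
    return ["neutron", "router-gateway-set",
            resolve_id(router_table, router_name),
            resolve_id(ext_table, ext_net_name)]


if __name__ == "__main__":
    # Reproduces the command used on the page for r1. For r2, feed the router
    # table printed after its creation and the name of the second floating pool.
    print(" ".join(gateway_set_command(ROUTERS, "r1", EXTERNAL_NETS, "floating-198-18-0")))
```

Feeding the script the real listings (for example via subprocess.check_output of the two list commands) is the only change needed to use it against a live deployment; the uniqueness check is what makes the name-based shortcut in the commands above safe.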

Let's take a look at the network:

[Figure: Create a net/subnet and attach it to r2]

The tenant network n1/s1 is assigned the node-local VLAN 3. This network uses VXLAN for the L2 transport, because it is a tenant network and the tenant network type has been set to vxlan. Neutron assigned the global VXLAN ID (VNI) 0x10001 to this tenant network. On the network node, VLAN 3 on br-int is used for the interface of router r2 in this network, and a VXLAN-to-VLAN mapping is created on br-tun in both directions:

# map vxlan --> vlan (table 4: frames arriving from the mesh with VNI 0x10001 get local vlan 3)
cookie=0x0, duration=33.693s, table=4, n_packets=0, n_bytes=0, idle_age=33, priority=1,
            tun_id=0x10001 actions=mod_vlan_vid:3,resubmit(,10)
# map vlan --> vxlan (table 22: flooding entry, frames on local vlan 3 whose destination is
# not yet learned are sent with VNI 0x10001 to every node in the vxlan mesh)
cookie=0x0, duration=33.750s, table=22, n_packets=3, n_bytes=182, idle_age=25, 
            dl_vlan=3 actions=strip_vlan,set_tunnel:0x10001,output:2
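These VLAN-to-VLAN and VLAN-to-VNI translations are what keep tenants apart on a node, so they are worth verifying mechanically rather than by eye. The checker below is an added example, not code from the original post: it parses dump-flows lines for br-vlan, br-int and br-tun, rebuilds the map from local VLAN to segment (provider VLAN or VNI) and reports a local VLAN bound to two segments, a segment claimed by two local VLANs, or a mapping that exists in only one direction. The sample flows are constructed from the rules shown on this page; the second router's rules (local VLAN 2 to provider VLAN 101) are filled in from the description above, and the bridge roles are an assumption matching this deployment.

```python
"""Check the local-VLAN <-> segmentation-ID translations programmed by the
Neutron OVS agent on br-int, br-vlan and br-tun.

Added example, not code from the original post. Input is the line format of
`ovs-ofctl dump-flows <bridge>` as shown on the page. Per bridge the rule is
read in the direction the agent installs it:
  br-vlan table 0 : dl_vlan=<local>    -> mod_vlan_vid:<provider vlan> (egress)
  br-int  table 0 : dl_vlan=<provider> -> mod_vlan_vid:<local>         (ingress)
  br-tun  table 4 : tun_id=<vni>       -> mod_vlan_vid:<local>         (ingress)
  br-tun  table 22: dl_vlan=<local>    -> set_tunnel:<vni>             (egress)
A local VLAN bound to two segments, or a segment owned by two local VLANs,
would bridge tenants together, so both are reported as problems.
"""
import re
from collections import defaultdict

# Assumed bridge roles for this deployment (the physical bridge is br-vlan).
BRIDGE_ROLES = {"br-int": "int", "br-vlan": "phys", "br-tun": "tun"}

# Constructed sample: the flows shown on the page, plus the second router's
# rules (local vlan 2 <-> provider vlan 101) that the text describes.
SAMPLE_FLOWS = {
    "br-vlan": [
        "cookie=0x0, duration=16s, table=0, n_packets=5, n_bytes=115, priority=4,in_port=2,dl_vlan=1 actions=mod_vlan_vid:100,NORMAL",
        "cookie=0x0, duration=16s, table=0, n_packets=2, n_bytes=84, priority=4,in_port=2,dl_vlan=2 actions=mod_vlan_vid:101,NORMAL",
    ],
    "br-int": [
        "cookie=0x0, duration=16s, table=0, n_packets=11, n_bytes=1479, priority=3,in_port=1,dl_vlan=100 actions=mod_vlan_vid:1,NORMAL",
        "cookie=0x0, duration=16s, table=0, n_packets=4, n_bytes=312, priority=3,in_port=1,dl_vlan=101 actions=mod_vlan_vid:2,NORMAL",
    ],
    "br-tun": [
        "cookie=0x0, duration=33.693s, table=4, n_packets=0, n_bytes=0, priority=1,tun_id=0x10001 actions=mod_vlan_vid:3,resubmit(,10)",
        "cookie=0x0, duration=33.750s, table=22, n_packets=3, n_bytes=182, dl_vlan=3 actions=strip_vlan,set_tunnel:0x10001,output:2",
    ],
}

_KV = re.compile(r"(\w+)=([^,\s]+)")
_MOD_VLAN = re.compile(r"mod_vlan_vid:(\d+)")
_SET_TUN = re.compile(r"set_tunnel:(0x[0-9a-fA-F]+|\d+)")


def parse_flow(line):
    """Split one dump-flows line into (match fields dict, actions string)."""
    match_part, _, actions = line.partition("actions=")
    return dict(_KV.findall(match_part)), actions.strip()


def mapping_from_flow(role, fields, actions):
    """Return (local_vlan, (segment_type, segment_id), direction) for a
    translation rule, or None when the flow does not translate anything."""
    mod_vlan = _MOD_VLAN.search(actions)
    set_tun = _SET_TUN.search(actions)
    dl_vlan, tun_id = fields.get("dl_vlan"), fields.get("tun_id")
    if role == "phys" and dl_vlan and mod_vlan:      # local -> provider vlan
        return int(dl_vlan, 0), ("vlan", int(mod_vlan.group(1))), "out"
    if role == "int" and dl_vlan and mod_vlan:       # provider vlan -> local
        return int(mod_vlan.group(1)), ("vlan", int(dl_vlan, 0)), "in"
    if role == "tun" and tun_id and mod_vlan:        # vni -> local (table 4)
        return int(mod_vlan.group(1)), ("vxlan", int(tun_id, 0)), "in"
    if role == "tun" and dl_vlan and set_tun:        # local -> vni (table 20/22)
        return int(dl_vlan, 0), ("vxlan", int(set_tun.group(1), 0)), "out"
    return None


def check_mappings(flows_by_bridge, roles=BRIDGE_ROLES):
    """Build {local_vlan: segment} from the flows and return (mapping, problems)."""
    seen = defaultdict(set)                      # local vlan -> {(segment, direction)}
    for bridge, lines in flows_by_bridge.items():
        role = roles.get(bridge)
        if role is None:
            continue
        for line in lines:
            found = mapping_from_flow(role, *parse_flow(line))
            if found:
                local, segment, direction = found
                seen[local].add((segment, direction))
    problems, owners, mapping = [], defaultdict(set), {}
    for local, pairs in sorted(seen.items()):
        segments = {seg for seg, _ in pairs}
        directions = {d for _, d in pairs}
        if len(segments) > 1:
            problems.append("local vlan %d maps to several segments: %s" % (local, sorted(segments)))
        if directions != {"in", "out"}:
            problems.append("local vlan %d has only a one-way mapping (%s)" % (local, ",".join(sorted(directions))))
        for seg in segments:
            owners[seg].add(local)
        mapping[local] = sorted(segments)[0] if len(segments) == 1 else None
    for seg, locals_ in sorted(owners.items()):
        if len(locals_) > 1:
            problems.append("segment %s is claimed by local vlans %s" % (seg, sorted(locals_)))
    return mapping, problems


if __name__ == "__main__":
    mapping, problems = check_mappings(SAMPLE_FLOWS)
    for local, seg in mapping.items():
        print("local vlan %d -> %s" % (local, seg))
    print("problems:", problems or "none")
```

On a live node, replace SAMPLE_FLOWS with the output of ovs-ofctl dump-flows for each bridge; a non-empty problem list after the agent has settled deserves a look at the agent log, since the OVS agent is the only thing that should be writing those tables.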

On the network node, a neutron-ns-metadata-proxy (the proxy that serves the requests cloud-init sends to 169.254.169.254) is running in the network namespace of the router. In Liberty this proxy listens on port 9697 by default, and an iptables REDIRECT rule in the router namespace sends all traffic destined for 169.254.169.254:80 to it; the rule can be inspected from the nat table inside the qrouter namespace. The proxy forwards each request over a unix socket to the neutron metadata agent in the default network namespace, which then forwards it to the nova metadata API (port 8775 by default). The agent identifies the instance from the source IP and router ID and signs the instance ID with metadata_proxy_shared_secret, so that secret must be configured identically on the metadata agent and in nova, or instances get no metadata.

The tenant’s view

On the dashboard, the tenants network view shows:

[Figure: Tenant's view with two routers]

The two routers are connected to the blue (external) networks in the dashboard view; the red network has been created by the tenant. This network (n1) is attached to one of the two routers (r2).

Continue reading (part 6)

Updated: 17/01/2021 — 13:17