Openstack network

Network module Neutron

Two kinds of ip, Five topologies , Three networks

The abstract way of two-layer switch ：Linux bridge perhaps Open vSwitch

Linux bridge Virtual network equipment working on the second layer , The function is similar to that of a physical switch （ The following figure br0）

Open vSwitch It can also realize the abstraction of layer-2 network , But the function is more than that

Virtual router It is an abstraction of network devices , The implementation principle is consistent with that of a real router , Forwarding packets according to the routing table , It also supports NAT Address translation and floating ip Address settings

The layer-2 network isolates the tenant network through the virtual LAN

The three-layer network is isolated by namespace

Namespace   Each namespace has its own independent network stack , Including routing table 、 Firewall rules 、 Network interface, etc , Network addresses of different namespaces are allowed to overlap

float ip  The virtual router will be enabled SNAT function ,SNAT Is to share a IP Access lnternel

But enabled NAT After function , Only virtual machines can access external networks , But it prevents the external network from accessing the virtual machine , Can pass NAT Address mapping realizes external network access to internal virtual machines through target address translation , To configure NAT Address mapping requires configuring the corresponding external network address pool on the external interface of the virtual router , The addresses in these address pools are floating ip Address , If the virtual machine does not require external network access , Floating can be unbound ip

Local The Internet

No physical network card is bound , The same local The virtual machines of the network are connected to the same virtual switch , Instances can communicate , Different local Cannot communicate with . The figure below vm1 and vm2 Can communicate ,vm3 Cannot be associated with vm1 perhaps vm2 signal communication

Flat The Internet

Every flat The network is exclusive ip Address , All virtual machines in this network share a private ip Network segment

vm1 and vm2 Connect Linux bridge1, The two can communicate with each other and through ens2 Visit the Internet

  One Flat The Internet

The tenant's network is restricted to virtual switches 1、2、3 in

 vlan The Internet

There is 4096 Limitations of virtual LANs ,

vxlan The Internet

Tunnel technology is used , The number of tenants from 4096 To 16777216 individual , Tenant internal communication can span any ip The Internet

  New network ： Create at the administrator public Build new... In the project private

  New route ： Connect the above two networks , New routes are enabled by default SNAT function

New instance ： binding private, Opening an instance cannot ping Tongbaidu

When creating an external network , The specified external network gateway address is 172.16.1.1, Then the gateway needs to exist

perform

ifconfig br-ex 172.16.1.1 netmask 255.255.255.0 up

The host machine br-ex Used to connect to OpenStack virtual network , Virtual network access to the Internet must pass through the real network card of the host computer , The host machine in br-ex There are three ways to forward traffic with a real network card

traditional method ： Add the physical network card to br-ex bridge , Cancel the physical network card configuration ip Address , To configure br-ex（ You don't succeed ）

2、 Enable the routing function of the host , Forward data by routing , At the same time, configure the loop route of the host

3、 Configure the NAT function , Forward data through routing and address translation , No packet return routing is required , There is no need to modify the existing network segment （ success ）

Use the third method , Add one nat The rules , In order to prevent the rule from disappearing after restart , Can be written to iptables In profile , Be careful enp0s3 You need to use your own physical network card

iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o enp0s3 -m comment --comment "000 nat" -j MASQUERADE

Bind float ip Address

The virtual router created by default starts by default after connecting to the external network SNAT function , If you visit NAT The network behind the device , Need configuration NAT Mapping or target address translation implementation , That is, you need to configure the float ip Address

  Add security group rule

Some scattered knowledge ：

1、 If you do not want the virtual machine of the network to access other networks through the network , You can check disable gateway

2、DNS The address setting is usually true DNS Server address

3、 After connecting the two interfaces, the router will forward data between the networks where the two interfaces are located