Neutron North-South DVR Floating IP Address Traffic Flow
Check whether any free floating IP addresses are available
nova floating-ip-list
root@overcloud-ce-controller-controller0-dlmy4f5tbc5d:~# nova floating-ip-list +----+-----------+----------+------+ | Ip | Server Id | Fixed Ip | Pool | +----+-----------+----------+------+ +----+-----------+----------+------+
[Note: if no floating IPs are available, create some]
nova floating-ip-create <ext-network-name>
nova floating-ip-create ext-net
root@overcloud-ce-controller-controller0-dlmy4f5tbc5d:~# nova floating-ip-create ext-net +--------------+-----------+----------+---------+ | Ip | Server Id | Fixed Ip | Pool| +--------------+-----------+----------+---------+ | 10.254.27.48 | - | - | ext-net | +--------------+-----------+----------+---------+
nova floating-ip-associate <server-id> <floating-ip>
nova floating-ip-associate 374b3e1c-0e89-4481-b9dd-a9a420a498e1 10.254.27.48
root@overcloud-ce-controller-controller0-dlmy4f5tbc5d:~# nova floating-ip-associate 374b3e1c-0e89-4481-b9dd-a9a420a498e1 10.254.27.48 root@overcloud-ce-controller-controller0-dlmy4f5tbc5d:~#
nova show <server-id>
root@overcloud-ce-controller-controller0-dlmy4f5tbc5d:~# nova show 374b3e1c-0e89-4481-b9dd-a9a420a498e1 +--------------------------------------+--------------------------------------------------------------------------+ | Property | Value| +--------------------------------------+--------------------------------------------------------------------------+ | HPinternal network | 10.0.0.5, 10.254.27.48 | | OS-EXT-AZ:availability_zone | nova | | OS-EXT-SRV-ATTR:host | overcloud-ce-novacompute1-novacompute1-tpodwp2ljbhw | | OS-EXT-SRV-ATTR:hypervisor_hostname | overcloud-ce-novacompute1-novacompute1-tpodwp2ljbhw.novalocal| | OS-EXT-SRV-ATTR:instance_name | instance-00000084| | OS-EXT-STS:power_state | 1| | OS-EXT-STS:task_state | -| | OS-EXT-STS:vm_state | active | | OS-SRV-USG:launched_at | 2015-11-23T10:06:14.000000 | | OS-SRV-USG:terminated_at | -| | accessIPv4 | | | accessIPv6 | | | config_drive | | | created | 2015-11-23T10:05:35Z | | flavor | m1.tiny (1) | | hostId | 528ae3e885715e8a63ee541508e197b78e24fd194b4f0da6af44edb6 | | id | 374b3e1c-0e89-4481-b9dd-a9a420a498e1 | | image | debian-wheezy-amd64-20140929-disk (1cb50c3f-4606-4e94-b85f-1d323f6a70fd) | | key_name | pilot-key| | metadata | {} | | name | HPdemo-instance1 | | os-extended-volumes:volumes_attached | [] | | progress | 0| | security_groups | default | | status | ACTIVE | | tenant_id | 3935f5d20d2848b69324bb8bd75a0389 | | updated | 2015-11-23T10:06:14Z | | user_id | 86fe8295656d495db6b06c57274adbf2 | +--------------------------------------+--------------------------------------------------------------------------+
Verify Network Namespaces
ip netns
root@overcloud-ce-novacompute1-novacompute1-tpodwp2ljbhw:~# ip netns fip-35510045-decf-491e-9990-87a3f77f0284 qrouter-8c8a0159-2b37-4fae-93e9-b302a9d59573 qrouter-6903d563-80f4-40b0-ba77-8774a915a323 qrouter-8497d1cb-c2fa-46a5-9e42-1bfceb810204 qrouter-64b856f2-00a7-4e2f-8abd-aa34ab454c34
ip netns exec <qrouter-namespace from above> ip a | grep "inet "
ip netns exec qrouter-8c8a0159-2b37-4fae-93e9-b302a9d59573 ip a | grep "inet "
root@overcloud-ce-novacompute1-novacompute1-tpodwp2ljbhw:~# ip netns exec qrouter-8c8a0159-2b37-4fae-93e9-b302a9d59573 ip a | grep "inet "
inet 127.0.0.1/8 scope host lo
inet 169.254.31.28/31 scope global rfp-8c8a0159-2
inet 10.254.27.48/32 brd 10.254.27.48 scope global rfp-8c8a0159-2
inet 10.0.0.1/24 brd 10.0.0.255 scope global qr-2202c460-bb
ip netns exec <qrouter-namespace from above> iptables-save -t nat | grep "^-A" | grep l3-agent
ip netns exec qrouter-8c8a0159-2b37-4fae-93e9-b302a9d59573 iptables-save -t nat | grep "^-A" | grep l3-agent
root@overcloud-ce-novacompute1-novacompute1-tpodwp2ljbhw:~# ip netns exec qrouter-8c8a0159-2b37-4fae-93e9-b302a9d59573 iptables-save -t nat | grep "^-A"|grep l3-agent
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A neutron-l3-agent-OUTPUT -d 10.254.27.48/32 -j DNAT --to-destination 10.0.0.5
-A neutron-l3-agent-POSTROUTING ! -i rfp-8c8a0159-2 ! -o rfp-8c8a0159-2 -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-PREROUTING -d 10.254.27.48/32 -j DNAT --to-destination 10.0.0.5
-A neutron-l3-agent-float-snat -s 10.0.0.5/32 -j SNAT --to-source 10.254.27.48
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-postrouting-bottom -j neutron-l3-agent-snat
ip netns exec <fip-namespace from above> ip a | grep "inet "
ip netns exec fip-35510045-decf-491e-9990-87a3f77f0284 ip a | grep "inet "
root@overcloud-ce-novacompute1-novacompute1-tpodwp2ljbhw:~# ip netns exec fip-35510045-decf-491e-9990-87a3f77f0284 ip a | grep "inet "
inet 127.0.0.1/8 scope host lo
inet 169.254.31.29/31 scope global fpr-8c8a0159-2
inet 10.254.27.49/24 brd 10.254.27.255 scope global fg-9da149e3-be
ip netns exec <qrouter-namespace from above> ip rule ls
ip netns exec qrouter-8c8a0159-2b37-4fae-93e9-b302a9d59573 ip rule ls
root@overcloud-ce-novacompute1-novacompute1-tpodwp2ljbhw:~# ip netns exec qrouter-8c8a0159-2b37-4fae-93e9-b302a9d59573 ip rule ls
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
32768: from 10.0.0.5 lookup 16
167772161: from 10.0.0.1/24 lookup 167772161
167772161: from 10.0.0.1/24 lookup 167772161
ip netns exec <qrouter-namespace from above> ip route show table <table id from the ip rule output above, e.g. 16 for the instance IP address>
ip netns exec qrouter-8c8a0159-2b37-4fae-93e9-b302a9d59573 ip route show table 167772161
root@overcloud-ce-novacompute1-novacompute1-tpodwp2ljbhw:~# ip netns exec qrouter-8c8a0159-2b37-4fae-93e9-b302a9d59573 ip route show table 167772161
default via 10.0.0.4 dev qr-2202c460-bb
ip netns exec <fip-namespace from above> ip route
ip netns exec fip-35510045-decf-491e-9990-87a3f77f0284 ip route
root@overcloud-ce-novacompute1-novacompute1-tpodwp2ljbhw:~# ip netns exec fip-35510045-decf-491e-9990-87a3f77f0284 ip route
default via 10.254.27.1 dev fg-9da149e3-be
10.254.27.0/24 dev fg-9da149e3-be proto kernel scope link src 10.254.27.49
10.254.27.48 via 169.254.31.28 dev fpr-8c8a0159-2
169.254.31.28/31 dev fpr-8c8a0159-2 proto kernel scope link src 169.254.31.29
Both ping and SSH will fail with the default OpenStack security group, because its default rules do not permit that inbound traffic to the instance
Adding security group rules that allow ICMP and SSH lets the traffic through the firewall
Pinging the Gateway from the instance
debian@hpdemo-instance1:~$ ping 10.254.27.49
PING 10.254.27.49 (10.254.27.49) 56(84) bytes of data.
64 bytes from 10.254.27.49: icmp_req=1 ttl=63 time=0.252 ms
64 bytes from 10.254.27.49: icmp_req=2 ttl=63 time=0.295 ms
64 bytes from 10.254.27.49: icmp_req=3 ttl=63 time=0.280 ms
64 bytes from 10.254.27.49: icmp_req=4 ttl=63 time=0.271 ms
64 bytes from 10.254.27.49: icmp_req=5 ttl=63 time=0.278 ms
^C
--- 10.254.27.49 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3998ms
rtt min/avg/max/mdev = 0.252/0.275/0.295/0.017 ms