cloudstack-users mailing list archives

From Shanker Balan <shanker.ba...@shapeblue.com>
Subject Re: public ip of system vm and public ip of guest vm on same network segment overlaps
Date Wed, 04 Dec 2013 04:24:39 GMT
Comments inline.

On 04-Dec-2013, at 6:18 am, Domenico De Monte <d.demonte@netsons.com> wrote:

> Hello,
> I added a zone with advanced network with the following network configuration on
> CS 4.2 but I was not able to set up the same IP class on public traffic ( of system VMs )
> and guest traffic ( of guest VMs ).
>
> Scenario
> Servers with VMware ESXi 5.1 have multiple nic:

> 2 nic connected to physical internet switch ( vSwitch0 standard )

I am not intricately familiar with ESXi but I assume these 2 NICs
are in a bond (LACP/LAGG) and configured as vSwitch0 for Internet traffic.

> 2 nic connected to physical private switch ( vSwitch1 standard )

vSwitch1 is also an LACP/LAGG bond of 2 NICs?

> On CS i create a zone with advanced network and 5 physical interface:

You would only require 2 CloudStack physical interfaces. “Physical Interface 1”
for Internet vSwitch0 traffic and “Physical Interface 2” for Internal vSwitch1 traffic.

> 1 physical interface for Public traffic connected to vSwitch0
> ( I think it's system VM public traffic ).

The “untrusted” public Internet traffic would go to “Physical Interface 1”.
The “Public Traffic” includes all public Internet traffic (Guest VM Public
traffic + SSVM Public Traffic + CPVM Public Traffic etc).

> 1 physical interface for Guest traffic connected to vSwitch0
> ( I think it's guest VM public traffic ).

The “untrusted” guest traffic would also go to “Physical Interface 1”.

> 1 physical interface for Guest traffic connected to vSwitch1
> ( I think it's guest VM LAN traffic ).

So basically all Guest VM traffic and any Public traffic gets combined
onto “Physical Interface 1” which is mapped to vSwitch0.


> 1 physical interface for Storage traffic connected to
> vSwitch1 ( I am sure it's storage traffic for snapshots, deploys and so on ).

Yep, so storage traffic is on “Physical Interface 2” which is mapped to vSwitch1.


> 1 physical interface for Management traffic connected to vSwitch1
> ( I am sure it's for system VM traffic and so on ).

Yep, so Management traffic is also on “Physical Interface 2”.

> I do not want to use VLANs and I read on the ML that if I do not set them up,
> they are just ignored by CS.

You require VLANs for “GUEST” VM traffic. This is a hard requirement.
VLAN is optional for the other traffic types of “PUBLIC”, “MANAGEMENT” and “STORAGE”.

To sum up,

Public Traffic -> Physical Interface 1 -> vSwitch0 -> 2xNICs (LACP/LAGG)
Guest Traffic  -> Physical Interface 1 -> vSwitch0 -> 2xNICs (LACP/LAGG)
Management Traffic -> Physical Interface 2 -> vSwitch1 -> 2xNICs (LACP/LAGG)
Storage Traffic    -> Physical Interface 2 -> vSwitch1 -> 2xNICs (LACP/LAGG)

> Assuming that I have a public IP class like 1.2.3.0/24.
>
> On public traffic ( system VMs I think ) I set up a range like the following ( example ):
> gw: 1.2.3.1
> netmask: 255.255.255.0
> start ip: 1.2.3.21
> end ip: 1.2.3.30

The same public IP range is used for both system VMs and guest VMs SNAT.

> On guest traffic ( on vSwitch0 so guest public traffic ) I want to set up a
> different range but in the SAME subnet:
> gw: 1.2.3.1
> netmask: 255.255.255.0
> start ip: 1.2.3.31
> end ip: 1.2.3.128
>
> I can not do this because CS stops me, warning about netmask/gw overlaps.

The guest subnets are private RFC1918 ranges. By default, CloudStack uses
10.1.1.0/24 for all tenants. You should leave it as is.

If you're trying to assign public IPs directly to the guest instances,
you can certainly do that later once your Zone is online by creating
a “shared network” with a public subnet.

> So I came to 2 possible solutions:
>
> 1) Do subnetting for network: 1.2.3.0/24 and assign a /29 to public traffic
> ( system vm ) and different /28 to guest traffic.

I would do it as below:

(1) Assign a public range for the public traffic from the "Add zone" creation wizard
(2) Use the default 10.1.1.0/24 for guest networks and specify the VLAN ranges
(3) Create a new shared network for tenants with public IPs

If your pool of public IPs is a single /24, then split it into multiple /26.
Assign the 1st /26 range for (1) and then create a shared network with the
remaining /26 blocks once the Zone is online.


> 2) Assign to public traffic ( system VMs ) private IPs that will be NATed to
> my router, so I can assign all the public IPs that I want to guest VMs. Also here
> I am not sure if everything works after that.

Leave your guest subnets on 10.1.1.0/24 defaults and create a shared network
later with your smaller /26 subnets.


> So my questions are:
>
> 1) Why should system VMs have an internet connection? Do they need to
> receive incoming connections or can I NAT them in order to reduce public IP usage?

System VMs require a public interface for various reasons. SSVM for example allows
tenants to upload their templates. CPVM allows tenants to remote console into their
guest instances.

If you want tenants to use these functionalities, you will require routable addresses.

Since you mentioned conserving public IPs, that IS the default CloudStack behaviour.
RFC1918 private space is used to assign guest VM instances and ONE public IP is
assigned per tenant for NAT/SNAT on the Virtual Router.

> 2) Is there no other solution? Can I somehow skip the CS warning about netmask/gw overlap?

Have a look at the following URLs.

http://shankerbalan.net/blog/create-a-shared-network-with-public-ips-in-cloudstack/
http://shapeblue.com/cloudstack/understanding-cloudstacks-physical-networking-architecture/

Guest traffic is on private RFC1918 subnets and is VLAN tagged. Public traffic
is on routable subnets. It is possible to assign public IP addresses directly to
instances by creating a shared network.

Hth. :)
@shankerbalan

--
@shankerbalan

M: +91 98860 60539 | O: +91 (80) 67935867
shanker.balan@shapeblue.com | www.shapeblue.com | Twitter:@shapeblue
ShapeBlue Services India LLP, 22nd floor, Unit 2201A, World Trade Centre, Bangalore - 560 055

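The layout advice in the reply above (keep the guest networks on the 10.1.1.0/24 default, put the Public traffic range in the first /26 of the /24, and hand the remaining /26 blocks to shared networks later) can be checked before touching the zone wizard. The following is an added example, not code from this thread or from CloudStack itself: a small planner that carves the /24 into /26 blocks, derives a gateway and usable range for each, and applies a simplified version of the "netmask/gw overlap" rule that rejected the original two ranges (two ranges in the same subnet with the same gateway). The addresses are the constructed ones from the post; `IpRange`, `split_public_block`, `range_for_block` and `overlap_errors` are names chosen here and are not CloudStack API calls.

```python
import ipaddress
from dataclasses import dataclass

# CloudStack's default guest CIDR for advanced zones, as stated in the reply.
GUEST_DEFAULT = ipaddress.ip_network("10.1.1.0/24")


@dataclass(frozen=True)
class IpRange:
    """One public IP range as entered in the zone wizard or a shared network.
    (Hypothetical helper type for this example, not a CloudStack object.)"""
    label: str
    gateway: ipaddress.IPv4Address
    network: ipaddress.IPv4Network
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address

    def contains(self, ip: ipaddress.IPv4Address) -> bool:
        return self.start <= ip <= self.end


def split_public_block(cidr: str, new_prefix: int = 26):
    """Carve a public block (e.g. 1.2.3.0/24) into equal sub-blocks (/26 by default)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if new_prefix <= net.prefixlen:
        raise ValueError("new prefix must be longer than the block's own prefix")
    return list(net.subnets(new_prefix=new_prefix))


def range_for_block(label: str, block: ipaddress.IPv4Network, gateway=None) -> IpRange:
    """Build a usable range for a block: the gateway defaults to the first host
    (assumed to live on the upstream router), and the range is every other host."""
    hosts = list(block.hosts())
    gw = gateway if gateway is not None else hosts[0]
    if gw not in block:
        raise ValueError(f"gateway {gw} is not inside {block}")
    usable = [h for h in hosts if h != gw]
    return IpRange(label, gw, block, usable[0], usable[-1])


def overlap_errors(ranges) -> list:
    """Simplified model of the wizard's overlap rule: a range must not collide
    with the default guest CIDR, and two ranges must not share a gateway or
    intersect. Returns the list of violations (empty means the plan is clean)."""
    errors = []
    for r in ranges:
        if r.network.overlaps(GUEST_DEFAULT):
            errors.append(f"{r.label}: {r.network} overlaps guest default {GUEST_DEFAULT}")
    for i, a in enumerate(ranges):
        for b in ranges[i + 1:]:
            if a.gateway == b.gateway:
                errors.append(f"{a.label}/{b.label}: same gateway {a.gateway}")
            elif a.contains(b.start) or b.contains(a.start):
                errors.append(f"{a.label}/{b.label}: address ranges intersect")
    return errors


def rejected_plan() -> list:
    """The layout from the post: two ranges inside one /24, both with gw 1.2.3.1."""
    net = ipaddress.ip_network("1.2.3.0/24")
    gw = ipaddress.ip_address("1.2.3.1")
    ip = ipaddress.ip_address
    return overlap_errors([
        IpRange("public", gw, net, ip("1.2.3.21"), ip("1.2.3.30")),
        IpRange("guest-public", gw, net, ip("1.2.3.31"), ip("1.2.3.128")),
    ])


def working_plan(cidr: str = "1.2.3.0/24"):
    """The suggested layout: first /26 for Public traffic, the rest reserved for
    shared networks created once the zone is online. Returns (ranges, errors)."""
    blocks = split_public_block(cidr, 26)
    ranges = [range_for_block("public", blocks[0])]
    ranges += [range_for_block(f"shared-{i}", b) for i, b in enumerate(blocks[1:], 1)]
    return ranges, overlap_errors(ranges)


if __name__ == "__main__":
    print("post's layout:", rejected_plan())
    for r in working_plan()[0]:
        print(f"{r.label:9} gw={r.gateway} range={r.start}-{r.end} ({r.network})")
```

Each /26 gets its own gateway (1.2.3.1, 1.2.3.65, 1.2.3.129, 1.2.3.193 for the example), so the upstream router must carry those four addresses; that is the price of the split, and the reason the single-/24, single-gateway layout was rejected in the first place.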
