HOS North-South DVR Floating IP Traffic Flow Verification (3 of 4)
2015-11-25
Neutron North-South DVR Floating IP Address Traffic Flow
Check whether any free floating IP addresses are available
nova floating-ip-list
root@overcloud-ce-controller-controller0-dlmy4f5tbc5d:~# nova floating-ip-list
+----+-----------+----------+------+
| Ip | Server Id | Fixed Ip | Pool |
+----+-----------+----------+------+
+----+-----------+----------+------+
[Note: if no floating IPs are available, create some]
nova floating-ip-create
nova floating-ip-create ext-net
root@overcloud-ce-controller-controller0-dlmy4f5tbc5d:~# nova floating-ip-create ext-net
+--------------+-----------+----------+---------+
| Ip | Server Id | Fixed Ip | Pool|
+--------------+-----------+----------+---------+
| 10.254.27.48 | - | - | ext-net |
+--------------+-----------+----------+---------+
nova floating-ip-associate
nova floating-ip-associate 374b3e1c-0e89-4481-b9dd-a9a420a498e1 10.254.27.48
root@overcloud-ce-controller-controller0-dlmy4f5tbc5d:~# nova floating-ip-associate 374b3e1c-0e89-4481-b9dd-a9a420a498e1 10.254.27.48
root@overcloud-ce-controller-controller0-dlmy4f5tbc5d:~#
nova show
root@overcloud-ce-controller-controller0-dlmy4f5tbc5d:~# nova show 374b3e1c-0e89-4481-b9dd-a9a420a498e1
+--------------------------------------+--------------------------------------------------------------------------+
| Property | Value|
+--------------------------------------+--------------------------------------------------------------------------+
| HPinternal network | 10.0.0.5, 10.254.27.48 |
| OS-EXT-AZ:availability_zone | nova |
| OS-EXT-SRV-ATTR:host | overcloud-ce-novacompute1-novacompute1-tpodwp2ljbhw |
| OS-EXT-SRV-ATTR:hypervisor_hostname | overcloud-ce-novacompute1-novacompute1-tpodwp2ljbhw.novalocal|
| OS-EXT-SRV-ATTR:instance_name | instance-00000084|
| OS-EXT-STS:power_state | 1|
| OS-EXT-STS:task_state | -|
| OS-EXT-STS:vm_state | active |
| OS-SRV-USG:launched_at | 2015-11-23T10:06:14.000000 |
| OS-SRV-USG:terminated_at | -|
| accessIPv4 | |
| accessIPv6 | |
| config_drive | |
| created | 2015-11-23T10:05:35Z |
| flavor | m1.tiny (1) |
| hostId | 528ae3e885715e8a63ee541508e197b78e24fd194b4f0da6af44edb6 |
| id | 374b3e1c-0e89-4481-b9dd-a9a420a498e1 |
| image | debian-wheezy-amd64-20140929-disk (1cb50c3f-4606-4e94-b85f-1d323f6a70fd) |
| key_name | pilot-key|
| metadata | {} |
| name | HPdemo-instance1 |
| os-extended-volumes:volumes_attached | [] |
| progress | 0|
| security_groups | default |
| status | ACTIVE |
| tenant_id | 3935f5d20d2848b69324bb8bd75a0389 |
| updated | 2015-11-23T10:06:14Z |
| user_id | 86fe8295656d495db6b06c57274adbf2 |
+--------------------------------------+--------------------------------------------------------------------------+
Verify Network Namespaces
ip netns
root@overcloud-ce-novacompute1-novacompute1-tpodwp2ljbhw:~# ip netns
fip-35510045-decf-491e-9990-87a3f77f0284
qrouter-8c8a0159-2b37-4fae-93e9-b302a9d59573
qrouter-6903d563-80f4-40b0-ba77-8774a915a323
qrouter-8497d1cb-c2fa-46a5-9e42-1bfceb810204
qrouter-64b856f2-00a7-4e2f-8abd-aa34ab454c34
ip netns exec
ip netns exec qrouter-8c8a0159-2b37-4fae-93e9-b302a9d59573 ip a | grep "inet "
root@overcloud-ce-novacompute1-novacompute1-tpodwp2ljbhw:~# ip netns exec qrouter-8c8a0159-2b37-4fae-93e9-b302a9d59573 ip a | grep "inet "
inet 127.0.0.1/8 scope host lo
inet 169.254.31.28/31 scope global rfp-8c8a0159-2
inet 10.254.27.48/32 brd 10.254.27.48 scope global rfp-8c8a0159-2
inet 10.0.0.1/24 brd 10.0.0.255 scope global qr-2202c460-bb
ip netns exec
ip netns exec qrouter-8c8a0159-2b37-4fae-93e9-b302a9d59573 iptables-save -t nat | grep "^-A" | grep l3-agent
root@overcloud-ce-novacompute1-novacompute1-tpodwp2ljbhw:~# ip netns exec qrouter-8c8a0159-2b37-4fae-93e9-b302a9d59573 iptables-save -t nat | grep "^-A"|grep l3-agent
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A neutron-l3-agent-OUTPUT -d 10.254.27.48/32 -j DNAT --to-destination 10.0.0.5
-A neutron-l3-agent-POSTROUTING ! -i rfp-8c8a0159-2 ! -o rfp-8c8a0159-2 -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-PREROUTING -d 10.254.27.48/32 -j DNAT --to-destination 10.0.0.5
-A neutron-l3-agent-float-snat -s 10.0.0.5/32 -j SNAT --to-source 10.254.27.48
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-postrouting-bottom -j neutron-l3-agent-snat
ip netns exec
ip netns exec fip-35510045-decf-491e-9990-87a3f77f0284 ip a | grep "inet "
root@overcloud-ce-novacompute1-novacompute1-tpodwp2ljbhw:~# ip netns exec fip-35510045-decf-491e-9990-87a3f77f0284 ip a | grep "inet "
inet 127.0.0.1/8 scope host lo
inet 169.254.31.29/31 scope global fpr-8c8a0159-2
inet 10.254.27.49/24 brd 10.254.27.255 scope global fg-9da149e3-be
ip netns exec
ip netns exec qrouter-8c8a0159-2b37-4fae-93e9-b302a9d59573 ip rule ls
root@overcloud-ce-novacompute1-novacompute1-tpodwp2ljbhw:~# ip netns exec qrouter-8c8a0159-2b37-4fae-93e9-b302a9d59573 ip rule ls
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
32768: from 10.0.0.5 lookup 16
167772161: from 10.0.0.1/24 lookup 167772161
167772161: from 10.0.0.1/24 lookup 167772161
ip netns exec
ip netns exec qrouter-8c8a0159-2b37-4fae-93e9-b302a9d59573 ip route show table 167772161
root@overcloud-ce-novacompute1-novacompute1-tpodwp2ljbhw:~# ip netns exec qrouter-8c8a0159-2b37-4fae-93e9-b302a9d59573 ip route show table 167772161
default via 10.0.0.4 dev qr-2202c460-bb
ip netns exec
ip netns exec fip-35510045-decf-491e-9990-87a3f77f0284 ip route
root@overcloud-ce-novacompute1-novacompute1-tpodwp2ljbhw:~# ip netns exec fip-35510045-decf-491e-9990-87a3f77f0284 ip route
default via 10.254.27.1 dev fg-9da149e3-be
10.254.27.0/24 dev fg-9da149e3-be proto kernel scope link src 10.254.27.49
10.254.27.48 via 169.254.31.28 dev fpr-8c8a0159-2
169.254.31.28/31 dev fpr-8c8a0159-2 proto kernel scope link src 169.254.31.29
Both ping and SSH will fail due to the default rules of the OpenStack security group
Adding appropriate ICMP and SSH rules to the security group allows the traffic to flow through the firewall
Pinging the Gateway from the instance
debian@hpdemo-instance1:~$ ping 10.254.27.49
PING 10.254.27.49 (10.254.27.49) 56(84) bytes of data.
64 bytes from 10.254.27.49: icmp_req=1 ttl=63 time=0.252 ms
64 bytes from 10.254.27.49: icmp_req=2 ttl=63 time=0.295 ms
64 bytes from 10.254.27.49: icmp_req=3 ttl=63 time=0.280 ms
64 bytes from 10.254.27.49: icmp_req=4 ttl=63 time=0.271 ms
64 bytes from 10.254.27.49: icmp_req=5 ttl=63 time=0.278 ms
^C
--- 10.254.27.49 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3998ms
rtt min/avg/max/mdev = 0.252/0.275/0.295/0.017 ms
Originally published on allthingscloud.eu (2015-11-25).


