The L3 agent provided with Neutron uses the Linux networking stack to perform L3 forwarding and NAT between tenant networks and external networks. Before the Juno release of OpenStack, the L3 agent could only be made highly available using Pacemaker (active/passive); it could not be scaled out natively. The Juno release introduced distributed routing. With distributed routing enabled, the L3 agent runs on all the compute nodes and on a centralized "service" node.
On the compute nodes, the L3 agent provides NAT for instances that are associated with a floating IP address. This means that ingress traffic capacity (traffic from external to tenant networks) scales out with each additional compute node. It also means that when an instance is migrated off a compute node (because of maintenance or failure), its floating IP address moves to the new compute node with it.
On the service nodes, the L3 agent provides NAT for egress traffic (traffic from the tenant to external networks).
This deployment guide assumes the following architecture.
- 1+ service nodes
- 1+ compute nodes
- Flat external network
- VXLAN tenant networks
- Edit the /etc/sysctl.conf file to contain the following parameters. Note that rp_filter=0 disables the kernel's reverse-path source validation, which would otherwise drop the asymmetrically routed traffic that the DVR namespaces forward:

  net.ipv4.ip_forward=1
  net.ipv4.conf.all.rp_filter=0
  net.ipv4.conf.default.rp_filter=0
- Apply the changes:

  $ sysctl -p
- Install the packages:

  $ apt-get install neutron-plugin-openvswitch-agent neutron-l3-agent
- Change /etc/neutron/neutron.conf to reflect the following:

  [DEFAULT]
  ...
  core_plugin = ml2
  service_plugins = router
  allow_overlapping_ips = True
  router_distributed = True
  rpc_backend = rabbit
  rabbit_host = CONTROLLER
  rabbit_password = RABBIT_PASS
  auth_strategy = keystone

  [keystone_authtoken]
  auth_uri = http://CONTROLLER:5000/v2.0
  identity_uri = http://CONTROLLER:35357
  admin_tenant_name = service
  admin_user = neutron
  admin_password = NEUTRON_PASS
- Change /etc/neutron/plugins/ml2/ml2_conf.ini to reflect the following:

  [ml2]
  type_drivers = flat,vxlan
  tenant_network_types = vxlan
  mechanism_drivers = openvswitch,l2population

  [ml2_type_flat]
  flat_networks = external

  [ml2_type_vxlan]
  vni_ranges = 1:1000

  [securitygroup]
  enable_security_group = True
  enable_ipset = True
  firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

  [agent]
  enable_distributed_routing = True
  l2_population = True
  tunnel_types = vxlan

  [ovs]
  local_ip = INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS
  tunnel_type = vxlan
  tenant_network_type = vxlan
  enable_tunneling = True
  bridge_mappings = external:br-ex
- Change /etc/neutron/l3_agent.ini to reflect the following. On the service node, use dvr_snat for the agent mode instead of dvr:

  [DEFAULT]
  ...
  interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
  use_namespaces = True
  agent_mode = dvr
- Configure the metadata agent as normal.
- Restart all Neutron services:

  $ service neutron-plugin-openvswitch-agent restart
  $ service neutron-l3-agent restart
  $ service neutron-metadata-agent restart
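The steps above spread the DVR switch-on across four files, and a node whose files disagree (agent_mode left at dvr on the service node, l2population missing from the mechanism drivers, a guide placeholder such as RABBIT_PASS never replaced) fails in ways that are slow to diagnose after the restart. The following checker, an added example that is not part of the guide or of the Neutron project, parses the text of /etc/sysctl.conf, neutron.conf, ml2_conf.ini and l3_agent.ini and reports inconsistencies before the services are restarted. The sample file contents at the bottom are constructed for the example; the placeholder names it looks for are the ones used in this guide, and the role names "compute" and "service" are the example's own.

```python
import configparser
import re
from typing import Dict, List

# Placeholders used by the guide. An unreplaced one means the agent cannot
# reach the controller or is configured with a dummy credential.
PLACEHOLDERS = re.compile(
    r"\b(CONTROLLER|RABBIT_PASS|NEUTRON_PASS|INSTANCE_TUNNELS_INTERFACE_IP_ADDRESS)\b"
)

# Kernel parameters the guide sets on every node.
REQUIRED_SYSCTL = {
    "net.ipv4.ip_forward": "1",
    "net.ipv4.conf.all.rp_filter": "0",
    "net.ipv4.conf.default.rp_filter": "0",
}


def parse_sysctl(text: str) -> Dict[str, str]:
    """Parse key=value lines of a sysctl.conf, ignoring comments and blank lines."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values


def check_sysctl(text: str) -> List[str]:
    """Report kernel parameters that are missing from or wrong in the sysctl.conf text."""
    values = parse_sysctl(text)
    return [
        f"sysctl.conf: {key} should be {want}, found {values.get(key, '<unset>')}"
        for key, want in REQUIRED_SYSCTL.items()
        if values.get(key) != want
    ]


def _load(text: str) -> configparser.ConfigParser:
    # Neutron's ini files are plain key = value; keep '%' and ':' literal.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def _is_true(cp: configparser.ConfigParser, section: str, option: str) -> bool:
    return cp.get(section, option, fallback="").strip().lower() == "true"


def _csv(cp: configparser.ConfigParser, section: str, option: str) -> List[str]:
    raw = cp.get(section, option, fallback="")
    return [item.strip() for item in raw.split(",") if item.strip()]


def check_dvr_config(neutron_conf: str, ml2_conf: str, l3_agent_ini: str, role: str) -> List[str]:
    """Return the problems found for a node of the given role ('compute' or 'service').

    An empty list means the three files agree with each other and with the role.
    """
    expected_mode = {"compute": "dvr", "service": "dvr_snat"}[role]
    problems: List[str] = []

    files = (("neutron.conf", neutron_conf), ("ml2_conf.ini", ml2_conf), ("l3_agent.ini", l3_agent_ini))
    for name, text in files:
        for match in PLACEHOLDERS.finditer(text):
            problems.append(f"{name}: placeholder {match.group(1)} was never replaced")

    nc, ml2, l3 = _load(neutron_conf), _load(ml2_conf), _load(l3_agent_ini)

    # neutron.conf: routers must be created distributed and the L3 plugin loaded.
    if not _is_true(nc, "DEFAULT", "router_distributed"):
        problems.append("neutron.conf: router_distributed must be True")
    if "router" not in _csv(nc, "DEFAULT", "service_plugins"):
        problems.append("neutron.conf: service_plugins must include router")

    # ml2_conf.ini: DVR relies on l2population and on the OVS agent's DVR switch.
    if "l2population" not in _csv(ml2, "ml2", "mechanism_drivers"):
        problems.append("ml2_conf.ini: mechanism_drivers must include l2population")
    if not _is_true(ml2, "agent", "enable_distributed_routing"):
        problems.append("ml2_conf.ini: [agent] enable_distributed_routing must be True")
    if not _is_true(ml2, "agent", "l2_population"):
        problems.append("ml2_conf.ini: [agent] l2_population must be True")

    # l3_agent.ini: the mode must match the node's role, or SNAT lands on the wrong host.
    mode = l3.get("DEFAULT", "agent_mode", fallback="legacy").strip()
    if mode != expected_mode:
        problems.append(f"l3_agent.ini: agent_mode is {mode!r}, expected {expected_mode!r} on a {role} node")
    return problems


# Constructed sample files (not from a real deployment) used to exercise the checks.
SYSCTL_OK = "net.ipv4.ip_forward=1\nnet.ipv4.conf.all.rp_filter=0\nnet.ipv4.conf.default.rp_filter=0\n"
NEUTRON_CONF = """[DEFAULT]
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = True
router_distributed = True
rpc_backend = rabbit
rabbit_host = 10.0.0.11
rabbit_password = constructed-rabbit-secret
auth_strategy = keystone
"""
ML2_CONF = """[ml2]
type_drivers = flat,vxlan
tenant_network_types = vxlan
mechanism_drivers = openvswitch,l2population
[agent]
enable_distributed_routing = True
l2_population = True
tunnel_types = vxlan
[ovs]
local_ip = 10.0.1.21
bridge_mappings = external:br-ex
"""
L3_COMPUTE = "[DEFAULT]\ninterface_driver = neutron.agent.linux.interface.OVSInterfaceDriver\nagent_mode = dvr\n"
L3_SERVICE = L3_COMPUTE.replace("agent_mode = dvr", "agent_mode = dvr_snat")

if __name__ == "__main__":
    for problem in check_sysctl(SYSCTL_OK) + check_dvr_config(NEUTRON_CONF, ML2_CONF, L3_COMPUTE, "compute"):
        print(problem)
```

Run it on a node by reading the four real files into the string arguments; an empty result for the node's role means the files are consistent, and any line it prints names the file and setting to fix before the services are restarted. The "..." elision lines shown in the guide's fragments are not valid ini and are not present in real files, so the parser does not need to handle them.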