Address scopes are built from subnet pools. While subnet pools provide a mechanism for controlling the allocation of addresses to subnets, address scopes show where addresses can be routed between networks, preventing the use of overlapping addresses in any two subnets. Because all addresses allocated within an address scope do not overlap, Neutron routers do not NAT between a project's networks and the external network. As long as the addresses within an address scope match, the Networking service performs simple routing between networks.
Anyone with access to the Networking service can create their own address scopes. However, network administrators can create shared address scopes, allowing other projects to create networks within that address scope.
Access to addresses in a scope is managed through subnet pools. Subnet pools can either be created in an address scope or updated to belong to one.
With subnet pools, all addresses in use within the address scope are unique from the point of view of the address scope owner. Therefore, more than one subnet pool can be added to an address scope if the pools have different owners, allowing parts of the address scope to be delegated. Delegation prevents address overlap across the whole scope. Otherwise, you receive an error if two pools have the same address ranges.
Each router interface is associated with an address scope by looking at the subnets connected to the network. When a router connects to an external network with a matching address scope, network traffic is routed between them without network address translation (NAT). The router marks all traffic connections originating from each interface with its corresponding address scope. If traffic leaves an interface in the wrong scope, the router blocks the traffic.
Networks created before the Mitaka release do not contain explicitly named address scopes, unless the network contains subnets from a subnet pool that belongs to a created or updated address scope. The Networking service preserves backward compatibility with pre-Mitaka networks through special address scope properties so that these networks can perform advanced routing:
Unlimited address overlap is allowed.
Neutron routers, by default, NAT traffic from internal networks to external networks.
Pre-Mitaka address scopes are not visible through the API. You cannot list address scopes or show their details. The scope exists implicitly as a catch-all for addresses that are not explicitly scoped.
This section shows how to set up shared address scopes to allow simple routing for project networks that use the same subnet pools.
1. Create IPv6 and IPv4 address scopes:
$ neutron address-scope-create --shared address-scope-ip6 6
Created a new address_scope:
+------------+--------------------------------------+
| Field | Value |
+------------+--------------------------------------+
| id | 13b83fb2-beb4-4533-9e12-4bf9a5721ef5 |
| ip_version | 6 |
| name | address-scope-ip6 |
| shared | True |
+------------+--------------------------------------+
$ neutron address-scope-create --shared address-scope-ip4 4
Created a new address_scope:
+------------+--------------------------------------+
| Field | Value |
+------------+--------------------------------------+
| id | 97702525-e145-40c8-8c8f-d415930d12ce |
| ip_version | 4 |
| name | address-scope-ip4 |
| shared | True |
+------------+--------------------------------------+
2. Create subnet pools, specifying the name (or UUID) of the address scope that each subnet pool belongs to. If you have existing subnet pools, use the neutron subnetpool-update command to put them in a new address scope:
$ neutron subnetpool-create --address-scope address-scope-ip6 \
--shared --pool-prefix 2001:db8:a583::/48 --default-prefixlen 64 \
subnet-pool-ip6
Created a new subnetpool:
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| address_scope_id | 13b83fb2-beb4-4533-9e12-4bf9a5721ef5 |
| default_prefixlen | 64 |
| id | 14813344-d11a-4896-906c-e4c378291058 |
| ip_version | 6 |
| name | subnet-pool-ip6 |
| prefixes | 2001:db8:a583::/48 |
| shared | True |
+-------------------+--------------------------------------+
$ neutron subnetpool-create --address-scope address-scope-ip4 \
--shared --pool-prefix 203.0.113.0/21 --default-prefixlen 26 \
subnet-pool-ip4
Created a new subnetpool:
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| address_scope_id | 97702525-e145-40c8-8c8f-d415930d12ce |
| default_prefixlen | 26 |
| id | e2c4f12d-307f-4616-a4df-203a45e6cb7f |
| ip_version | 4 |
| name | subnet-pool-ip4 |
| prefixes | 203.0.112.0/21 |
| shared | True |
+-------------------+--------------------------------------+
3. Ensure that the subnets on the external network were created from the subnet pools created above:
$ neutron subnet-show ipv6-public-subnet
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| cidr | 2001:db8::/64 |
| enable_dhcp | False |
| gateway_ip | 2001:db8::2 |
| id | 8e9299bf-5c48-4143-b081-010ba26636a2 |
| ip_version | 6 |
| name | ipv6-public-subnet |
| network_id | d2ac8578-7e86-4646-849a-afdf5a05fff0 |
| subnetpool_id | 14813344-d11a-4896-906c-e4c378291058 |
+-------------------+--------------------------------------+
$ neutron subnet-show public-subnet
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| cidr | 172.24.4.0/24 |
| enable_dhcp | False |
| gateway_ip | 172.24.4.1 |
| id | 3c3029d2-8081-4e56-9842-6007ce742860 |
| ip_version | 4 |
| name | public-subnet |
| network_id | d2ac8578-7e86-4646-849a-afdf5a05fff0 |
| subnetpool_id | e2c4f12d-307f-4616-a4df-203a45e6cb7f |
+-------------------+--------------------------------------+
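Step 3 is a manual check. The following Python, added here as an example and not part of the guide or of Neutron, parses the `| Field | Value |` tables the neutron CLI prints and performs that check automatically: it links each subnet to its pool and the pool to its address scope, derives the per-version address scope of a network the way net-show reports it, and reports any subnet of the external network that is unscoped or in the wrong scope. The embedded session reuses the IDs from the outputs above, trimmed to the fields the check needs; the legacy-subnet table and its all-zero network id are constructed to show the failing case.

```python
"""Verify from neutron CLI output that an external network's subnets come from
subnet pools inside the intended address scopes. Added example: not part of the
OpenStack guide and not Neutron code. SESSION reuses the IDs shown in the guide,
trimmed to the fields needed; "legacy-subnet" (all-zero network id placeholder)
is constructed: a subnet created without a pool, so the check has something to flag."""
import re
from typing import Dict, List

SESSION = """
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| address_scope_id  | 13b83fb2-beb4-4533-9e12-4bf9a5721ef5 |
| id                | 14813344-d11a-4896-906c-e4c378291058 |
| name              | subnet-pool-ip6                      |
+-------------------+--------------------------------------+
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| address_scope_id  | 97702525-e145-40c8-8c8f-d415930d12ce |
| id                | e2c4f12d-307f-4616-a4df-203a45e6cb7f |
| name              | subnet-pool-ip4                      |
+-------------------+--------------------------------------+
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| ip_version        | 6                                    |
| name              | ipv6-public-subnet                   |
| network_id        | d2ac8578-7e86-4646-849a-afdf5a05fff0 |
| subnetpool_id     | 14813344-d11a-4896-906c-e4c378291058 |
+-------------------+--------------------------------------+
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| ip_version        | 4                                    |
| name              | public-subnet                        |
| network_id        | d2ac8578-7e86-4646-849a-afdf5a05fff0 |
| subnetpool_id     | e2c4f12d-307f-4616-a4df-203a45e6cb7f |
+-------------------+--------------------------------------+
+-------------------+--------------------------------------+
| Field             | Value                                |
+-------------------+--------------------------------------+
| ip_version        | 4                                    |
| name              | legacy-subnet                        |
| network_id        | 00000000-0000-0000-0000-000000000000 |
| subnetpool_id     |                                      |
+-------------------+--------------------------------------+
"""

BORDER = re.compile(r"^\+[-+]+\+$")
ROW = re.compile(r"^\|\s*(\S*)\s*\|\s*(.*?)\s*\|$")


def parse_tables(text: str) -> List[Dict[str, str]]:
    """Turn every bordered table in a pasted CLI session into a {field: value} dict."""
    tables, current, last_key = [], {}, ""
    for line in (ln.strip() for ln in text.splitlines()):
        if BORDER.match(line):
            if current:                      # border that closes a populated table
                tables.append(current)
                current, last_key = {}, ""
            continue
        m = ROW.match(line)
        if not m or m.group(1) == "Field":   # not a row, or the header row
            continue
        key, value = m.groups()
        if key:
            current[key] = value
            last_key = key
        elif last_key:                       # wrapped continuation of the previous value
            current[last_key] = f"{current[last_key]} {value}".strip()
    return tables


def network_scopes(tables) -> Dict[str, Dict[str, str]]:
    """Per network, the ipv4_/ipv6_address_scope that `net-show` would report: the
    scope of the pool each subnet came from, or '' when the subnet has no pool."""
    pools = {t["id"]: t for t in tables if "address_scope_id" in t}
    scopes: Dict[str, Dict[str, str]] = {}
    for s in (t for t in tables if "subnetpool_id" in t):
        pool = pools.get(s["subnetpool_id"])
        key = f"ipv{s['ip_version']}_address_scope"
        scopes.setdefault(s["network_id"], {})[key] = pool["address_scope_id"] if pool else ""
    return scopes


def check_external_subnets(tables, network_id: str, expected: Dict[str, str]) -> List[str]:
    """One message per subnet of network_id outside the expected scope for its IP
    version (expected maps '4'/'6' to a scope id); an empty list means all is well."""
    pools = {t["id"]: t for t in tables if "address_scope_id" in t}
    problems = []
    for s in (t for t in tables if t.get("network_id") == network_id and "subnetpool_id" in t):
        pool = pools.get(s["subnetpool_id"])
        if pool is None:
            problems.append(f"{s['name']}: created without a subnet pool, so it is unscoped")
        elif pool["address_scope_id"] != expected[s["ip_version"]]:
            problems.append(f"{s['name']}: pool {pool['name']} is in scope "
                            f"{pool['address_scope_id']}, expected {expected[s['ip_version']]}")
    return problems
```

Run check_external_subnets with the external network's id and a map from IP version to the scope ids created in step 1; the public network above passes, while the constructed legacy-subnet is reported as unscoped, which is exactly the case in which the router will fall back to NAT or drop traffic instead of routing it.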
This section shows how a non-privileged user can use address scopes to route straight to an external network without NAT.
1. Create a couple of networks to host subnets:
$ neutron net-create network1
Created a new network:
+-------------------------+--------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------+
| id | f5a980d9-5521-438e-b831-0ebacba2b372 |
| name | network1 |
| subnets | |
+-------------------------+--------------------------------------+
$ neutron net-create network2
Created a new network:
+-------------------------+--------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------+
| id | 438e4f26-0e45-4b26-9797-57d0bd817953 |
| name | network2 |
| subnets | |
+-------------------------+--------------------------------------+
2. Create subnets that are not associated with a subnet pool or an address scope:
$ neutron subnet-create --name subnet-ip4-1 network1 198.51.100.0/26
Created a new subnet:
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| cidr | 198.51.100.0/26 |
| id | 48ed5c71-2a1d-4f73-b29e-371deec04d44 |
| name | subnet-ip4-1 |
| network_id | f5a980d9-5521-438e-b831-0ebacba2b372 |
| subnetpool_id | |
+-------------------+--------------------------------------+
$ neutron subnet-create --name subnet-ip6-1 network1 \
--ipv6-ra-mode slaac --ipv6-address-mode slaac \
--ip_version 6 2001:db8:80d2:c4d3::/64
Created a new subnet:
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| cidr | 2001:db8:80d2:c4d3::/64 |
| id | c9f0bb79-1d7b-435f-b362-05a9a7259aa6 |
| name | subnet-ip6-1 |
| network_id | f5a980d9-5521-438e-b831-0ebacba2b372 |
| subnetpool_id | |
+-------------------+--------------------------------------+
3. Create subnets using the subnet pools associated with the external network's address scopes:
$ neutron subnet-create --name subnet-ip4-2 \
--subnetpool subnet-pool-ip4 network2
Created a new subnet:
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| cidr | 203.0.112.0/26 |
| id | deb36645-8d46-4c13-a489-1135174d8a8c |
| name | subnet-ip4-2 |
| network_id | 438e4f26-0e45-4b26-9797-57d0bd817953 |
| subnetpool_id | e2c4f12d-307f-4616-a4df-203a45e6cb7f |
+-------------------+--------------------------------------+
$ neutron subnet-create --name subnet-ip6-2 --ip_version 6 \
--ipv6-ra-mode slaac --ipv6-address-mode slaac \
--subnetpool subnet-pool-ip6 network2
Created a new subnet:
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| cidr | 2001:db8:a583::/64 |
| id | b157e288-748e-4c4b-9b2e-8b8e65241036 |
| name | subnet-ip6-2 |
| network_id | 438e4f26-0e45-4b26-9797-57d0bd817953 |
| subnetpool_id | 14813344-d11a-4896-906c-e4c378291058 |
+-------------------+--------------------------------------+
By creating subnets from scoped subnet pools, the network becomes associated with the address scope:
$ neutron net-show network2
+-------------------------+--------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------+
| id | 4f677ab6-32a1-452c-8feb-b0b6b7ed1a0f |
| ipv4_address_scope | 97702525-e145-40c8-8c8f-d415930d12ce |
| ipv6_address_scope | 13b83fb2-beb4-4533-9e12-4bf9a5721ef5 |
| name | network2 |
| subnets | d5d68ac3-3eaa-439e-b75b-0e0b2c1d221a |
| | 917f9360-a840-45c1-83a1-2a093bd7b376 |
+-------------------------+--------------------------------------+
4. Connect a router to each of the project subnets that have been created, for example using a router called router1:
$ neutron router-interface-add router1 subnet-ip4-1
Added interface 73d832e1-e4a7-4029-9a66-f4e0f4ba0e76 to router router1.
$ neutron router-interface-add router1 subnet-ip4-2
Added interface 94b4cdb2-875d-4ab3-9a6e-803c3626c4d9 to router router1.
$ neutron router-interface-add router1 subnet-ip6-1
Added interface f35c4541-d529-4bd8-af4e-1b069269c263 to router router1.
$ neutron router-interface-add router1 subnet-ip6-2
Added interface f5904a4b-9547-4c08-bc7e-bc5fc71a8db9 to router router1.
This example shows how to check connectivity between networks with address scopes.
1. Launch two instances, instance1 on network1 and instance2 on network2. Associate a floating IP address with both instances.
2. Adjust the security groups to allow ping and SSH (both IPv4 and IPv6):
$ nova list
+--------------+-----------+---------------------------------------------------------------------------+
| ID | Name | Networks |
+--------------+-----------+---------------------------------------------------------------------------+
| 97e49c8e-... | instance1 | network1=2001:db8:80d2:c4d3:f816:3eff:fe52:b69f, 198.51.100.3, 172.24.4.3 |
| ceba9638-... | instance2 | network2=203.0.112.3, 2001:db8:a583:0:f816:3eff:fe42:1eeb, 172.24.4.4 |
+--------------+-----------+---------------------------------------------------------------------------+
Regardless of address scopes, the floating IPs can be pinged from the external network:
$ ping -c 1 172.24.4.3
1 packets transmitted, 1 received, 0% packet loss, time 0ms
$ ping -c 1 172.24.4.4
1 packets transmitted, 1 received, 0% packet loss, time 0ms
You can ping instance2 directly because instance2 shares the same address scope as the external network:
BGP routing can be used to set up the static route for your instances automatically.
# ip route add 203.0.112.0/26 via 172.24.4.2
$ ping -c 1 203.0.112.3
1 packets transmitted, 1 received, 0% packet loss, time 0ms
# ip route add 2001:db8:a583::/64 via 2001:db8::1
$ ping6 -c 1 2001:db8:a583:0:f816:3eff:fe42:1eeb
1 packets transmitted, 1 received, 0% packet loss, time 0ms
You cannot ping instance1 directly because the address scopes do not match:
# ip route add 198.51.100.0/26 via 172.24.4.2
$ ping -c 1 198.51.100.3
1 packets transmitted, 0 received, 100% packet loss, time 0ms
# ip route add 2001:db8:80d2:c4d3::/64 via 2001:db8::1
$ ping6 -c 1 2001:db8:80d2:c4d3:f816:3eff:fe52:b69f
1 packets transmitted, 0 received, 100% packet loss, time 0ms
If the address scopes match between networks, pings and other traffic are routed directly through. If the scopes do not match, the router either drops the traffic or applies NAT to cross the scope boundary.
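To make the rules stated at the top of this page (scopes built from non-overlapping subnet pools, routers tagging each interface's traffic with its scope) and the ping results above concrete, here is a small Python model of the decision the router takes. It is an added example, not Neutron's implementation and not code from the guide; the class names are mine, and the CIDRs in build_example are constructed so that the external network and network2 draw from the shared pools while network1 stays unscoped, as in the walkthrough. It also covers the pre-Mitaka case of unscoped networks, which the model treats as one implicit scope with default IPv4 NAT towards the external network.

```python
"""Model of how Neutron address scopes decide whether a router routes, NATs or
drops traffic. Added example, not Neutron code and not from the OpenStack guide:
the classes and the constructed CIDRs only mirror the guide's scenario (a shared
scope holding the external network and network2, while network1 stays unscoped)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


class ScopeError(ValueError):
    """Overlapping or out-of-range addresses inside a scope or a pool."""


@dataclass
class AddressScope:
    name: str
    pools: List["SubnetPool"] = field(default_factory=list)

    def add_pool(self, pool: "SubnetPool") -> "SubnetPool":
        # Addresses in a scope must be unique: a new pool may not overlap any
        # prefix already delegated to another pool (owner) of the same scope.
        for other in self.pools:
            for a, b in ((a, b) for a in other.prefixes for b in pool.prefixes):
                if a.version == b.version and a.overlaps(b):
                    raise ScopeError(f"{b} in {pool.name} overlaps {a} in {other.name}")
        pool.scope = self
        self.pools.append(pool)
        return pool


@dataclass
class SubnetPool:
    name: str
    prefixes: List[str]                  # converted to network objects in __post_init__
    scope: Optional[AddressScope] = None
    allocated: list = field(default_factory=list)

    def __post_init__(self):
        self.prefixes = [ipaddress.ip_network(p) for p in self.prefixes]

    def allocate(self, cidr: str) -> "Subnet":
        """Hand out a subnet, enforcing the pool's prefixes and no overlap."""
        net = ipaddress.ip_network(cidr)
        if not any(net.version == p.version and net.subnet_of(p) for p in self.prefixes):
            raise ScopeError(f"{net} is outside the prefixes of {self.name}")
        if any(net.overlaps(a) for a in self.allocated):
            raise ScopeError(f"{net} overlaps a subnet already allocated from {self.name}")
        self.allocated.append(net)
        return Subnet(cidr, self)


@dataclass
class Subnet:
    cidr: str                            # converted to a network object in __post_init__
    pool: Optional[SubnetPool] = None    # None: created without a pool, so unscoped

    def __post_init__(self):
        self.cidr = ipaddress.ip_network(self.cidr)


@dataclass
class Network:
    name: str
    subnets: List[Subnet]
    external: bool = False

    def scope_for(self, ip_version: int) -> Optional[AddressScope]:
        # The ipv4_/ipv6_address_scope that `net-show` reports: the scope of the
        # network's subnets of that version (None for a legacy, unscoped network).
        return next((s.pool.scope if s.pool else None
                     for s in self.subnets if s.cidr.version == ip_version), None)

    def contains(self, addr) -> bool:
        return any(addr in s.cidr for s in self.subnets)


class Router:
    def __init__(self, external: Network):
        self.interfaces: List[Network] = [external]

    def add_interface(self, net: Network) -> None:
        self.interfaces.append(net)

    def forward(self, src_ip: str, dst_ip: str) -> str:
        """Return 'route', 'nat' or 'drop' for a packet between two fixed IPs."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        src_net = next((n for n in self.interfaces if n.contains(src)), None)
        dst_net = next((n for n in self.interfaces if n.contains(dst)), None)
        if src_net is None or dst_net is None or src.version != dst.version:
            return "drop"
        src_scope, dst_scope = src_net.scope_for(src.version), dst_net.scope_for(dst.version)
        to_external_v4 = dst_net.external and not src_net.external and src.version == 4
        # Unscoped (pre-Mitaka) networks share one implicit scope, but their IPv4
        # traffic towards the external network is still NATed by default.
        if src_scope is dst_scope and not (src_scope is None and to_external_v4):
            return "route"
        return "nat" if to_external_v4 else "drop"   # scopes differ: SNAT or block


def build_example() -> Router:
    """Constructed topology mirroring the guide; CIDRs chosen to fit the pools."""
    pool4 = AddressScope("address-scope-ip4").add_pool(SubnetPool("subnet-pool-ip4", ["203.0.112.0/21"]))
    pool6 = AddressScope("address-scope-ip6").add_pool(SubnetPool("subnet-pool-ip6", ["2001:db8:a583::/48"]))
    public = Network("public", [pool4.allocate("203.0.113.0/26"), pool6.allocate("2001:db8:a583:1::/64")], True)
    network1 = Network("network1", [Subnet("198.51.100.0/26"), Subnet("2001:db8:80d2:c4d3::/64")])
    network2 = Network("network2", [pool4.allocate("203.0.112.0/26"), pool6.allocate("2001:db8:a583::/64")])
    router = Router(public)
    router.add_interface(network1)
    router.add_interface(network2)
    return router
```

forward() reasons about fixed IPs only; floating IPs are a separate DNAT mechanism, which is why both instances were reachable on their floating addresses above regardless of scope. With build_example(), an external host reaches network2's fixed IPs directly ("route"), gets "drop" towards network1 over both IPv4 and IPv6, and network1's own IPv4 traffic to the outside is "nat"ed while its IPv6 traffic is blocked. The overlap check in add_pool is what produces the error mentioned earlier when two pools in one scope cover the same range.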