Mastering OpenStack Neutron: A Deep Dive into VPC, Networks, Subnets, Ports, and Routers
This article provides a comprehensive guide to OpenStack Neutron, covering its VPC virtual network model, network resource types, isolation methods, configuration examples for flat, VLAN, and VxLAN networks, as well as detailed instructions for creating subnets, ports, routers, and floating IPs with code snippets.
Neutron VPC Virtual Network Model
Neutron is an OpenStack project that offers Network Connectivity as a Service via RESTful APIs, providing resources such as Network, Subnet, Port, and Router to build multi‑tenant VPC (Virtual Private Cloud) models where tenants can define subnets, IP pools, routing tables, ACLs, and security groups.
Network Resource
The Network resource is the root L2 abstraction in Neutron. Tenants can create private networks, while admin tenants can map external physical provider networks.
Key fields (the "core three elements") are:
Network Type : distinguishes network isolation technology (Local, Flat, VLAN, VXLAN, GRE, Geneve, etc.) and networking architecture (Tenant network, Provider network, External network).
VID Range : the isolation identifier range managed by Neutron.
Physical Network Mapping : maps virtual networks to physical NICs.
Provider network fields recorded by Neutron:
provider:network_type – type of physical network.
provider:physical_network – name of the physical network.
provider:segmentation_id – ID of the isolated segment.
Network Isolation Types
Neutron supports several isolation types; the most common are Flat, VLAN, and VxLAN.
Flat Network
An untagged network (no VLAN tagging) in which all instances share the same LAN; typically used for development environments.
Flat Network configuration example:
$ vim /etc/neutron/plugins/ml2/ml2_conf.ini
[ml2]
# ML2 reads the plural option name; the singular tenant_network_type belongs to the legacy OVS plugin
tenant_network_types = flat
type_drivers = flat
mechanism_drivers = openvswitch
...
[ovs]
datapath_type = system
bridge_mappings = public:br-eth1
[ml2_type_flat]
flat_networks = public
Define a label (e.g., public) in [ml2_type_flat].
Map the label to a physical NIC in [ovs].
VLAN Network
An 802.1Q VLAN‑tagged network supporting over 4000 isolated LANs, suitable for small production environments.
VLAN Network configuration example:
$ vim /etc/neutron/plugins/ml2/ml2_conf.ini
[ml2]
tenant_network_types = vlan
type_drivers = flat,vlan
mechanism_drivers = openvswitch
...
[ovs]
datapath_type = system
bridge_mappings = public:br-eth1
[ml2_type_vlan]
network_vlan_ranges = public:3001:4000
Admin users can specify VLAN IDs (1‑4096); normal users receive automatically allocated IDs from the defined range.
VxLAN Network
Designed for large‑scale cloud networks, supporting up to 16 million isolated LANs.
VxLAN configuration example:
# Control node
$ vim /etc/neutron/plugins/ml2/ml2_conf.ini
[ml2]
tenant_network_types = vxlan
type_drivers = flat,vlan,vxlan
mechanism_drivers = openvswitch,l2population
...
[ovs]
datapath_type = system
bridge_mappings = public:br-eth1
tunnel_bridge = br-tun
local_ip = <control_ip>
[ml2_type_vxlan]
vni_ranges = 1:1000
# Compute node
[VXLAN]
enable_vxlan = True
l2_population = True
local_ip = <compute_ip>
vni_ranges defines the VNI allocation range for normal users; admins can specify any VNI within 1‑16777216.
The l2population plugin reduces ARP flooding by using a database‑driven MAC‑IP mapping.
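The three ml2_conf.ini fragments above (flat, VLAN, VxLAN) only isolate tenants when their sections agree with each other. The check below is an added example, not code from the article or from Neutron: it parses a constructed ml2_conf.ini body and flags a tenant network type with no loaded type driver, a flat or VLAN label with no bridge_mappings entry, and VLAN or VNI ranges outside the legal space.

```python
"""Consistency check for the flat/VLAN/VXLAN ml2_conf.ini examples above.
Added example, not from the article or from Neutron; SAMPLE_INI is a
constructed copy of the VLAN example with deliberate faults added."""
import configparser

VLAN_MAX, VNI_MAX = 4094, 16777216

SAMPLE_INI = """
[ml2]
tenant_network_types = vlan,vxlan
type_drivers = flat,vlan
[ovs]
bridge_mappings = public:br-eth1
[ml2_type_flat]
flat_networks = public,storage
[ml2_type_vlan]
network_vlan_ranges = public:3001:4000,backend:10:4095
"""

def _csv(value):
    """Split an oslo.config list value, dropping blanks and trailing commas."""
    return [v.strip() for v in value.split(",") if v.strip()]

def check_ml2(text):
    """Return a list of findings for an ml2_conf.ini body; empty means consistent."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)

    def opt(sec, key):  # missing section or key reads as an empty list
        return _csv(cfg.get(sec, key, fallback=""))

    findings = []
    drivers = set(opt("ml2", "type_drivers"))
    for t in opt("ml2", "tenant_network_types"):
        if t not in drivers:
            findings.append(f"tenant type {t!r} has no type driver loaded")
    bridges = {m.split(":")[0] for m in opt("ovs", "bridge_mappings")}
    for label in opt("ml2_type_flat", "flat_networks"):
        if label != "*" and label not in bridges:
            findings.append(f"flat label {label!r} has no bridge_mappings entry")
    for rng in opt("ml2_type_vlan", "network_vlan_ranges"):
        label, *bounds = rng.split(":")
        if label not in bridges:
            findings.append(f"vlan label {label!r} has no bridge_mappings entry")
        if bounds and not (1 <= int(bounds[0]) <= int(bounds[1]) <= VLAN_MAX):
            findings.append(f"vlan range {rng!r} outside 1-{VLAN_MAX}")
    for rng in opt("ml2_type_vxlan", "vni_ranges"):
        lo, hi = (int(x) for x in rng.split(":"))
        if not (1 <= lo <= hi <= VNI_MAX):
            findings.append(f"vni range {rng!r} outside 1-{VNI_MAX}")
    return findings
```

Run it against the real file with `check_ml2(open("/etc/neutron/plugins/ml2/ml2_conf.ini").read())` on the controller.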
Subnet Resource
Subnet is an L3 abstraction under a Network, providing IP core services such as CIDR, ARP, DHCP, DNS, and IPAM.
Key fields include enable_dhcp, allocation_pools, dns_nameservers, and subnetpool_id. SubnetPools, introduced in the Rocky release, allow centralized IP pool management.
$ openstack subnet create -h
... [--subnet-pool <subnet-pool> | --use-prefix-delegation ...]
Creating a Subnet
Users can either select a SubnetPool or manually specify an IP CIDR. Manual creation requires defining allocation_pools for DHCP and optional host_routes and dns_nameservers.
Multi‑Segments
Multi‑Segments allow a Subnet to act as an independent L2 network, useful for avoiding ARP table exhaustion in large broadcast domains.
Port Resource
Port represents a virtual switch/router port; VMs connect to networks via ports.
mac_addr : MAC address of the port.
fixed_ips : One or more IPs allocated from subnets.
port_security_enabled : Enables security groups and allowed address pairs.
device_id and device_owner : Identify the bound entity (e.g., compute:nova).
binding:vif_type : Indicates the mechanism driver (e.g., ovs).
binding:vnic_type : Specifies the port implementation type.
A simple port, as shown by openstack port show right after creation:
$ openstack port show Port1
+-------------------------+-----------------------------------------------------------------------------+
| Field | Value |
+-------------------------+-----------------------------------------------------------------------------+
| admin_state_up | UP |
| binding_vif_type | unbound |
| binding_vnic_type | normal |
| mac_address | fa:16:3e:0f:ff:74 |
| name | Port1 |
| network_id | e28bd712-352f-439d-88ea-35a994a4a765 |
| port_security_enabled | True |
| status | DOWN |
+-------------------------+-----------------------------------------------------------------------------+
Creating a port with multiple fixed IPs:
$ openstack port create --network Net2 \
--fixed-ip subnet=Subnet2-1 \
--fixed-ip subnet=Subnet2-2 \
--enable-port-security Port2-1
+-------------------------+--------------------------------------------------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------------------------------------------------+
| admin_state_up | UP |
| binding_vif_type | unbound |
| binding_vnic_type | normal |
| mac_address | fa:16:3e:df:03:8c |
| fixed_ips | ip_address='172.16.100.38', subnet_id='0f15d289-...' |
| | ip_address='192.168.100.125', subnet_id='7a2fa4b5-...' |
| name | Port2-1 |
| port_security_enabled | True |
| status | DOWN |
+-------------------------+--------------------------------------------------------------------------------+
Attaching (mounting) a port can be done during VM creation or via hot‑plug. After attachment, fields such as binding_vif_type, binding_host_id, and binding_vif_details are updated to reflect the underlying OVS bridge and TAP device.
$ openstack port show Port1
+-------------------------+-------------------------------------------------------------------------------------------+
| Field | Value |
+-------------------------+-------------------------------------------------------------------------------------------+
| binding_vif_type | ovs |
| binding_host_id | localhost.localdomain |
| binding_vif_details | bridge_name='br-int', datapath_type='system', ovs_hybrid_plug='False', port_filter='True' |
| device_id | 6da255cb-402a-4273-844f-5aad549d65e7 |
| device_owner | compute:nova |
| mac_address | fa:16:3e:0f:ff:74 |
| status | ACTIVE |
+-------------------------+-------------------------------------------------------------------------------------------+
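The port fields just described (port_security_enabled, allowed address pairs, binding_vif_type, status, fixed_ips) are what an operator audits for spoofing exposure and stale allocations. The following is an added example, not code from the article or from Neutron: the PORTS records are constructed in the shape of openstack port show -f json output (Port1 and Port2-1 mirror the article), and the 256-address limit for an allowed address pair is an assumed local policy.

```python
"""Audit Neutron port records for spoofing exposure and stale allocations.
Added example, not from the article or Neutron. PORTS is constructed in the
shape of `openstack port show -f json`; the pair-width limit is an assumed policy."""
import ipaddress

MAX_PAIR_ADDRESSES = 256  # assumed policy: no allowed pair wider than a /24

def pair_too_wide(pair):
    """True if an allowed_address_pairs entry covers more addresses than policy allows."""
    net = ipaddress.ip_network(pair["ip_address"], strict=False)
    return net.num_addresses > MAX_PAIR_ADDRESSES

def audit_ports(ports):
    """Return (severity, port name, reason) tuples; an empty list means clean."""
    findings = []
    for p in ports:
        name = p["name"]
        is_vm = p.get("device_owner", "").startswith("compute:")
        if is_vm and not p.get("port_security_enabled", True):
            findings.append(("HIGH", name, "VM port with port security disabled: "
                             "security groups and anti-spoofing do not apply"))
        for pair in p.get("allowed_address_pairs", []):
            if pair_too_wide(pair):
                findings.append(("HIGH", name,
                                 f"allowed_address_pairs {pair['ip_address']} wider than policy"))
        if p.get("binding_vif_type") == "unbound" and p.get("status") == "DOWN":
            ips = ", ".join(f["ip_address"] for f in p.get("fixed_ips", []))
            findings.append(("LOW", name, f"unbound port still holds {ips}"))
    return findings

PORTS = [  # constructed records; Port1 and Port2-1 mirror the article's output
    {"name": "Port1", "status": "ACTIVE", "binding_vif_type": "ovs",
     "device_owner": "compute:nova", "port_security_enabled": True,
     "fixed_ips": [{"ip_address": "172.16.100.10", "subnet_id": "0f15d289-..."}]},
    {"name": "Port2-1", "status": "DOWN", "binding_vif_type": "unbound",
     "device_owner": "", "port_security_enabled": True,
     "fixed_ips": [{"ip_address": "172.16.100.38", "subnet_id": "0f15d289-..."},
                   {"ip_address": "192.168.100.125", "subnet_id": "7a2fa4b5-..."}]},
    {"name": "Port3", "status": "ACTIVE", "binding_vif_type": "ovs",
     "device_owner": "compute:nova", "port_security_enabled": True,
     "fixed_ips": [{"ip_address": "172.16.100.40", "subnet_id": "0f15d289-..."}],
     "allowed_address_pairs": [{"ip_address": "0.0.0.0/0"}]},
    {"name": "Port4", "status": "ACTIVE", "binding_vif_type": "ovs",
     "device_owner": "compute:nova", "port_security_enabled": False,
     "fixed_ips": [{"ip_address": "172.16.100.41", "subnet_id": "0f15d289-..."}]},
]
```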
Router Resource
Router abstracts an L3 device implemented by the L3‑Agent as a Linux network namespace. Two main use cases are the Internal Router (connecting tenant subnets) and the External Router (connecting a tenant network to an external network).
Creating an External Router
An External Router acts as an edge router. Neutron creates a dedicated qrouter-XXX namespace with its own routing table. The router connects to a provider network (external) and a tenant network.
{
"external_gateway_info": {
"enable_snat": true,
"external_fixed_ips": [{
"ip_address": "182.24.4.6",
"subnet_id": "b930d7f6-ceb7-40a0-8b81-a425dd994ccf"
}],
"network_id": "ae34051f-aa6c-4c75-abf5-50dc9ac99ef3"
}
}
After creation, an external port of type network:router_gateway is automatically added. The router also creates an internal port on the tenant network.
Floating IP
Floating IPs are allocated from the external network and can be associated with a tenant VM's fixed IP to enable external access. Enabling SNAT on the external router provides this functionality.
MariaDB [neutron]> select * from floatingips\G
*************************** 1. row ***************************
project_id: 031cec3e2df143259d302aa1993fd410
id: 67272b76-493a-4a60-b63a-22e5aefebfc0
floating_ip_address: 172.18.22.204
floating_network_id: 282e146e-6948-436f-992c-f2d50588e357
floating_port_id: 04aceef8-a3b2-46e4-a815-3104a2031ed7
fixed_port_id: 07995f4e-b6b2-493f-9ce5-b1d945a13807
fixed_ip_address: 192.168.1.27
router_id: a1adb970-dba9-49f0-ba4b-4294f0d07f6f
status: ACTIVE
The L3‑Agent adds the corresponding NAT iptables rules in the router namespace to translate traffic between the fixed and floating IPs.
Example NAT rules:
# DNAT from external IP to fixed IP
-A PREROUTING -d 172.18.22.204 -j DNAT --to-destination 192.168.1.27
# SNAT from fixed IP to external IP
-A POSTROUTING -s 192.168.1.27 -j SNAT --to-source 172.18.22.204
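A defender's check that the NAT rules actually present in the qrouter namespace match what the floatingips table says, as an added example (not the article's or Neutron's code): FLOATINGIPS and RULES are constructed in the shape of the query output and the rule pair above, and since a real L3‑Agent keeps these rules in its own neutron-l3-agent-* chains, the regexes match only on the address and target part of each line.

```python
"""Cross-check qrouter NAT rules against Neutron's floatingips table.
Added example, not code from the article or from Neutron; inputs below are
constructed in the shape of the iptables rules and DB rows shown above."""
import re

DNAT_RE = re.compile(r"-d (\S+) -j DNAT --to-destination (\S+)")
SNAT_RE = re.compile(r"-s (\S+) -j SNAT --to-source (\S+)")

def _ip(token):
    """Strip the /32 suffix iptables-save prints on host addresses."""
    return token.split("/")[0]

def parse_nat(rules):
    """Return ({floating: fixed} from DNAT rules, {fixed: floating} from SNAT)."""
    dnat, snat = {}, {}
    for line in rules:
        if m := DNAT_RE.search(line):
            dnat[_ip(m.group(1))] = _ip(m.group(2))
        elif m := SNAT_RE.search(line):
            snat[_ip(m.group(1))] = _ip(m.group(2))
    return dnat, snat

def audit(floatingips, rules):
    """List ACTIVE associations that lack a DNAT or SNAT rule, and NAT rules
    that translate to a floating IP the database no longer associates."""
    dnat, snat = parse_nat(rules)
    expected = {r["floating_ip_address"]: r["fixed_ip_address"]
                for r in floatingips if r["status"] == "ACTIVE"}
    findings = []
    for fip, fixed in expected.items():
        if dnat.get(fip) != fixed:
            findings.append(f"missing DNAT {fip} -> {fixed}")
        if snat.get(fixed) != fip:
            findings.append(f"missing SNAT {fixed} -> {fip}")
    stale = [(fip, fixed) for fip, fixed in dnat.items() if expected.get(fip) != fixed]
    stale += [(fip, fixed) for fixed, fip in snat.items() if expected.get(fip) != fixed]
    findings += [f"stale NAT {fip} <-> {fixed} (not in floatingips)" for fip, fixed in stale]
    return findings

# Constructed sample: the article's row plus a disassociated floating IP.
FLOATINGIPS = [
    {"floating_ip_address": "172.18.22.204", "fixed_ip_address": "192.168.1.27", "status": "ACTIVE"},
    {"floating_ip_address": "172.18.22.205", "fixed_ip_address": None, "status": "DOWN"},
]
# Constructed: the pair from the article plus a leftover SNAT for the .205 address.
RULES = [
    "-A PREROUTING -d 172.18.22.204/32 -j DNAT --to-destination 192.168.1.27",
    "-A POSTROUTING -s 192.168.1.27/32 -j SNAT --to-source 172.18.22.204",
    "-A POSTROUTING -s 192.168.1.40/32 -j SNAT --to-source 172.18.22.205",
]
```

On a live node the RULES input is the output of `ip netns exec qrouter-<id> iptables-save -t nat` and FLOATINGIPS the rows of the query above.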