This post outlines how to add static routes to a Neutron router. The result allows the jumphost to access VMs and networks advertised behind the SRX. In my lab environment I have some server infrastructure and jump hosts in the network. Because Neutron routing is very plain, I could not dynamically peer the SRX with the Neutron gateway.

First, list the routers in my project:

[email protected]:~$ neutron router-list
| id                                   | name            | external_gateway_info                                                       |
| 27d89917-bb77-46c3-95d5-250a259ba304 | public_router   | {"network_id": "083ad060-d6dd-4e49-84e1-c8a2259982ff", "enable_snat": true} |
| 60aefbeb-d2f2-4daf-91b2-6f59391bfee5 | external_router | {"network_id": "083ad060-d6dd-4e49-84e1-c8a2259982ff", "enable_snat": true} |
| a41a761d-9ee1-449d-80be-3ea0f599c4f9 | isolated_router | {"network_id": "083ad060-d6dd-4e49-84e1-c8a2259982ff", "enable_snat": true} |

The router I want to use is the isolated_router. The ID is a41a761d-9ee1-449d-80be-3ea0f599c4f9.

The attached image below shows the rough network environment.



The three networks attached to the Distributed Logical Router are unknown beyond the edge of the SRX. WIN-MGT on the network has no idea of it. It can only see the interface of the SRX in the network. We need to teach the Neutron Router that routes between these two networks about

This can be done by updating the Neutron router.

[email protected]:~$ neutron router-update a41a761d-9ee1-449d-80be-3ea0f599c4f9 --routes type=dict list=true destination=,nexthop= destination=,nexthop= destination=,nexthop=
destination=,nexthop= destination=,nexthop=
Updated router: a41a761d-9ee1-449d-80be-3ea0f599c4f9

The result when we look at the Neutron router again is much better.

[email protected]:~$ neutron router-show a41a761d-9ee1-449d-80be-3ea0f599c4f9
| Field                 | Value                                                                       |
| admin_state_up        | True                                                                        |
| distributed           | False                                                                       |
| external_gateway_info | {"network_id": "083ad060-d6dd-4e49-84e1-c8a2259982ff", "enable_snat": true} |
| id                    | a41a761d-9ee1-449d-80be-3ea0f599c4f9                                        |
| name                  | isolated_router                                                             |
| routes                | {"destination": "", "nexthop": ""}            |
|                       | {"destination": "", "nexthop": ""}            |
|                       | {"destination": "", "nexthop": ""}            |
|                       | {"destination": "", "nexthop": ""}            |
|                       | {"destination": "", "nexthop": ""}             |
| status                | ACTIVE                                                                      |
| tenant_id             | c3485cfe92be4f47852db87ca06b4383                                            |

As you can see there is a new field that includes the routes that I have programmed into my Neutron router. I now have connectivity from the network into my networks advertised off the DLR. Between the SRX and the DLR is an ECMP fabric.

mgt-lnxjump (                   Tue Jul 28 00:32:10 2015
Keys:  Help   Display mode   Restart statistics   Order of fields
   quit                 Packets               Pings
 Host                 Loss%   Snt   Last   Avg  Best  Wrst StDev
 1.      0.0%   173    0.5   0.3   0.2   4.7   0.3
 2.    0.0%   173    6.6   8.0   1.2  11.6   2.3
 3.        0.0%   173    3.9   4.0   1.1  23.4   2.3
 4. ???
 5.      0.0%   172    7.9   8.7   5.9  22.9   2.1

End-to-end connectivity. We can see that hop three is the E3, which is currently passing traffic. If this drops or turns off, this hop will be updated with,2 or 4. ECMP is great!

Gotcha: neutron does not add additional static routes each time you execute the command. It refreshes the list, replacing it with the routes given in that command. Ensure you do not forget any, or you may have some connectivity issues!
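The replace-not-append behaviour in the gotcha above, as an added example that is not code from the original post: it validates each route, shows which existing routes a new list would drop, and builds the full `router-update` argument list in the form used on this page. The route addresses are constructed sample values and the function names are hypothetical.

```python
import ipaddress
import json

ROUTER_ID = "a41a761d-9ee1-449d-80be-3ea0f599c4f9"  # isolated_router, from this page
# Constructed sample data (not from the post): routes already on the router,
# and the one route we now want to add.
CURRENT = json.loads("""[
  {"destination": "10.10.1.0/24", "nexthop": "192.0.2.1"},
  {"destination": "10.10.2.0/24", "nexthop": "192.0.2.1"}
]""")
ADDITIONS = [{"destination": "10.10.3.0/24", "nexthop": "192.0.2.1"}]

def normalise(route):
    """Validate one route; return it as a canonical (destination, nexthop) pair."""
    # strict=True rejects a CIDR with host bits set, e.g. 10.10.1.5/24
    dest = ipaddress.ip_network(route["destination"], strict=True)
    hop = ipaddress.ip_address(route["nexthop"])
    if dest.version != hop.version:
        raise ValueError(f"address family mismatch: {dest} via {hop}")
    return str(dest), str(hop)

def dropped_by(current, proposed):
    """Routes present now that would vanish if `proposed` were sent on its own."""
    keep = {normalise(r) for r in proposed}
    return [r for r in current if normalise(r) not in keep]

def merge_routes(current, additions):
    """Full list to send: existing routes first, then additions, duplicates removed."""
    seen, merged = set(), []
    for route in list(current) + list(additions):
        pair = normalise(route)
        if pair not in seen:
            seen.add(pair)
            merged.append({"destination": pair[0], "nexthop": pair[1]})
    return merged

def build_command(router_id, routes):
    """argv for the router-update form shown on this page."""
    argv = ["neutron", "router-update", router_id, "--routes", "type=dict", "list=true"]
    argv += [f"destination={r['destination']},nexthop={r['nexthop']}" for r in routes]
    return argv

if __name__ == "__main__":
    # Sending only the new route would silently remove both existing ones.
    print("would be dropped:", dropped_by(CURRENT, ADDITIONS))
    print(" ".join(build_command(ROUTER_ID, merge_routes(CURRENT, ADDITIONS))))
```

In practice the current list would be read from `neutron router-show` before every update, so the command always carries the complete set.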

The alternative is to assign host routes under a DHCP scope, which is pretty easy. A host route is a DHCP option passed to an instance on boot that hands it a set of pre-defined static routes. That would have done the job, but in my case my instance had already spawned, and the other instance accessing this environment was actually not a nova instance and therefore not in scope for an IP from my Neutron DHCP Client.

There you are. Connectivity to my remote network. OpenStack is pretty powerful!
