Nick | Message | Time |
---|---|---|
rawtaz | hi | 21:14 |
rawtaz | im trying to understand the difference between networks and subnets. or perhaps more to the point, why we have both of them and not just e.g. subnets. i have read the docs, read various articles, watched videos. havent found a single place that actually addresses what im wondering about. | 21:16 |
rawtaz | unless im mistaken, and im talking all tenant and self-serve here, a network is something which you can of course put subnets on, but you can also put instances with an IP directly onto networks (instead of on a subnet). | 21:17 |
rawtaz | and to go between subnets, as well as networks, we need a router. | 21:17 |
rawtaz | this begs the question - whats the point of having networks? why dont we have just subnets, as in e.g. imagine that you removed networks completely and renamed the remaining subnets to networks, and used that instead? these have all the features we need, so what is the darn point of the regular networks? i dont get that. | 21:18 |
rawtaz | a similar or highly related question is what is the use case of putting resources (besides subnets) directly on networks? | 21:19 |
rawtaz | ive seen networks being compared to regular physical networks and subnets to VLANs. and thats fine. but it still doesnt explain why we'd then need the traditional networks type, since we have to route between them anyway and we're already in SDN land so why not go all-in on just "subnets" as the one network type for tenants. | 21:21 |
rawtaz | sorry for the long question monologue. hopefully someone can clear it up for me a bit :) | 21:22 |
admin1 | rawtaz, a network can have multiple subnets | 21:26 |
admin1 | so as an operator, i might not want 1000 different subnets for people to choose free ip from when they want an ip address | 21:27 |
admin1 | i would just create a network and as the cloud grows, people don't have to recall or know what subnet the ip is coming from, as long as its from the same network | 21:28 |
rawtaz | yeah im with you that a network can have multiple subnets. but that doesnt explain why we need networks. i mean, if you have say three networks with each their own two subnets, thats six subnets. why cant these subnets, which still have to be routed between if needed, just be there without the networks under them? | 21:28 |
rawtaz | i mean that in the end its still the same subnets that people use. so why the need for a network that theyre put on. they could just be their own entity with the same network numbers anyway. the network doesnt dictate what CIDR the subnets on the network have anyway. | 21:29 |
admin1 | again, as i said .. when you try to add a floating ip or create a router, you need to select a network .. imagine if we remove network and just ask people to select subnet, and say i run a cloud for 25,000 customers, and i have say 1250x /24 ips . now without network, how can the user select where to get his ip | 21:30 |
admin1 | think you have 25000 customers or 100,000 servers that need ip and your ips are in /24 or /26 subnets .. now think of a situation how this will work without a network | 21:30 |
rawtaz | im sorry but when i create a router interface i select the *subnet*, not the network. | 21:32 |
admin1 | you create a router on a network .. and then add a port to the subnet | 21:32 |
admin1 | there is a difference | 21:32 |
rawtaz | hmm. | 21:32 |
admin1 | you can link router on networks marked as external | 21:33 |
admin1 | that enables your router to send traffic outside of the cloud | 21:33 |
admin1 | then you add port to subnets which you want to connect to the external ips | 21:33 |
admin1 | so i will say create a network called external .., mark it as external and then add 4x /24 ip ranges in it ... when you create a router, you just select this external network .. and you will get IP from any one of the 4x /24 added .... your router will get an IP .. but it still cannot connect to your instance . you have to then add a port | 21:36 |
admin1 | from this router to your internal subnet | 21:36 |
rawtaz | not sure what im missing here. if i go to create a new router, i have to select an *external* network. thats all fine. but i dont have to select a non-external network at all. and then i go to create an interface on it, and there i can only select *subnets* - no regular non-external *network*. | 21:37 |
admin1 | right | 21:37 |
admin1 | first step is to create a router and select the external network on which this router is going to be created | 21:38 |
admin1 | then the 2nd step is to now link your desired internal subnet to this router | 21:38 |
rawtaz | i might have been unclear. i am not talking about the *external* networks. im talking about non-external networks. on which you then create subnets (eg. RFC1918 ones). *those* are what i dont get the point of, since we then connect both the router interfaces AND the instances etc to the *subnets*. no need for those non-external *networks* :) | 21:38 |
rawtaz | yes, i agree with what you just said. | 21:38 |
admin1 | i have internal networks with multiple subnets | 21:39 |
rawtaz | but let me clarify - in order to create a subnet, i must first create a network, to put that subnet (or more subnets) on. | 21:39 |
rawtaz | yeah. and im saying - those subnets of yours could just be on their own, they shouldnt have to be on a non-external *network* | 21:39 |
admin1 | no no | 21:39 |
admin1 | each network is one layer2 | 21:39 |
admin1 | sometimes you need multiple IP ranges in the same layer2 | 21:39 |
admin1 | you are only thinking about 1 workload .. like client -server . web server etc .. where one network will have one subnet and job done | 21:40 |
admin1 | but there are many workloads out there, especially data processing, traffic replaying, analysis where in the same layer2, you need to have multiple ip ranges (subnets ) | 21:40 |
rawtaz | yes. and to go between these layer 3 subnets, we need to go through a router, right? | 21:41 |
admin1 | no .. because in openstack, layer2 traffic is possible, so you can have an instance that acts as a router | 21:41 |
admin1 | and does not have to be an openstack router | 21:41 |
rawtaz | hmmm | 21:41 |
rawtaz | if i wanted to make my own "router" out of an instance with eg. two network interfaces on it, wouldnt i then make an instance and connect it to two subnets (the ones i want to route between)? | 21:43 |
admin1 | yes, but you are forgetting the layer2 there .... .. there are a lot of use cases where you want multiple ip ranges from the same port , same layer 2 | 21:43 |
admin1 | like eth0:10.10.10.1/24, eth0:1 192.168.100.1/24 ...... if network is removed, then each becomes its own subnet and i then need to have 2 ports to the instance for using 2 ips | 21:44 |
rawtaz | should i consider a network in openstack to be like a physical network or a VLAN? | 21:44 |
admin1 | exactly | 21:44 |
rawtaz | which one? :D | 21:44 |
admin1 | think one network as 1 vlan in a switch | 21:44 |
rawtaz | i guess both - without a tag on it its one physical network and with a tag its a virtual one | 21:44 |
admin1 | and there are use cases where you need multiple ips in the same vlan | 21:44 |
rawtaz | ok | 21:44 |
admin1 | which is what network allows | 21:44 |
rawtaz | what would a use case be for having e.g. an instance connected to a l2 network with several subnets on its ip aliases? | 21:45 |
rawtaz | sorry if im being dense. i appreciate your patience here.. | 21:45 |
admin1 | usually DPI's , routers, bandwidth management applications etc | 21:46 |
admin1 | imagine i am a router vendor and i am developing a router ... i need these functionality to be able to test my router virtually in openstack | 21:46 |
admin1 | DPI = deep packet inspection engines | 21:46 |
rawtaz | but why would one put "devices" with different subnets on one and the same network instead of just putting them on different subnets in openstack? i dont get why one would mix several subnets on the same layer2 basically, i guess. if i want different subnets, i put them on separate VLANs. | 21:47 |
admin1 | because openstack allows layer2 , there a lot of things that is utilizing this .. | 21:47 |
admin1 | because i want to replicate what customer does when i develop something | 21:47 |
rawtaz | alright. well its clear that there are use cases, by what you say | 21:47 |
rawtaz | ok | 21:47 |
admin1 | if you can guarantee here 100% that no one in the world uses multiple subnets in the same vlan, then we would have a use case | 21:48 |
admin1 | but that is not what happens | 21:48 |
admin1 | sometimes datacenter gives you just 1 vlan and you have 2 ip ranges for your web servers | 21:48 |
admin1 | and now you want to test some anti ddos software etc | 21:48 |
admin1 | having 1 network with multiple subnet feature allows openstack to replicate what can happen in physical layer and have the same parameters virtually when replicated/tested/designed | 21:49 |
rawtaz | is it fair to say that unless i know a reason and use case by which i want to do that type of thing, in general i would just create one network per subnet in openstack, and put my instances (e.g. servers, dbs, web, etc) on those different subnets, and use the router to route between them (and security groups to control access)? i guess that since i have to ask these questions i dont really have a need for connecting things right onto *networks*. | 21:49 |
rawtaz | yeah, i hear you. one use case of networks, which are l2, is to be able to replicate the real world and/or e.g. limitations in certain situations you run into | 21:50 |
admin1 | yes .. if you have only web servers etc then its hard for you to know why a feature is here | 21:50 |
admin1 | but openstack has multiple use cases, telcos, appliances etc | 21:50 |
rawtaz | good :) | 21:50 |
admin1 | and its best if it can replicate physical world | 21:50 |
rawtaz | yeah. pretty cool | 21:50 |
rawtaz | so just out of curiosity, when i create a network i dont seem to specify a VLAN anywhere. e.g. if i wanted to tie a l2 network to an outside-openstack physical network, for a certain VLAN, i suppose thats normally something that an administrator of the openstack needs to help a regular tenant with? | 21:51 |
admin1 | when you define the openstack networking, you can select how the traffic is going to be isolated | 21:52 |
admin1 | so it can be vlan or vxlan | 21:52 |
rawtaz | yeah, but a regular tenant cant do that right? its an admin thing? | 21:52 |
admin1 | its an operator thing | 21:52 |
admin1 | its already defined for you | 21:52 |
rawtaz | yeah. presumably its VXLAN | 21:53 |
admin1 | 90% of cases = vxlan | 21:53 |
admin1 | 10% of cases = vlan | 21:53 |
admin1 | not all clouds are public or made for public workload | 21:53 |
admin1 | so there might be direct "cloud-connect" type of situations where router, traffic management, dhcp servers, load balancer etc plug into the underlying network directly | 21:54 |
admin1 | in those cases, the router of openstack is not even used | 21:54 |
rawtaz | makes sense | 21:55 |
rawtaz | ok so in summary, i now better understand why theres networks, and i will for my needs (just regular servers separated onto various subnets) just focus on subnets. but since they all have to route through a router, and theres no point so far to create my own router using an instance, would i create one network per subnet, or just put several subnets into the same network? | 21:55 |
admin1 | its entirely up to you | 21:55 |
rawtaz | unless im mistaken, if i put several subnets on the same network, then an instance directly put on the network would be able to read both subnets' traffic, so that might be a reason to stick to a 1:1 relationship between networks and subnets. | 21:55 |
rawtaz | (not that anyone would create such an instance for snooping, but because theres no point having the possibility) | 21:56 |
admin1 | unless you disable port security ( which is enabled by default ) .. openstack will create ebtables rules which will prevent leaks from other mac addresses | 21:56 |
admin1 | so you cannot tcpdump and expect to see other people's traffic | 21:56 |
admin1 | unless you have a reason, just create 1 network and one subnet .. or create a big subnet so that you won't run out of ips | 21:57 |
admin1 | and should be good to go | 21:57 |
rawtaz | yeah, with the rationale that security groups will control my traffic, so even if i have e.g. two sets of servers that dont have any business with each other, they would still not be able to reach each other as long as i create proper security groups for them | 21:58 |
rawtaz | then again it wouldnt hurt to create two different networks for them, just to keep the design a bit clearer schematic wise | 21:59 |
admin1 | security groups are firewalls | 21:59 |
admin1 | there is an extra layer of protection on the layer2 to prevent instances from seeing each other traffic | 21:59 |
admin1 | i have to run now .. but hang around .. we can discuss tomorrow .. | 22:00 |
rawtaz | yeah. but i mean if i have some public service 1 and service 2 that are completely different sites and systems having nothing to do with each other, then it kind of feels a bit wrong to have both of their servers on the same subnet. | 22:00 |
rawtaz | cheers, youve been extremely kind, thanks a lot! | 22:00 |
rawtaz | ill stick around | 22:00 |