Posted to users@cloudstack.apache.org by Stavros Konstantaras <s....@uva.nl> on 2016/01/20 14:13:12 UTC

Usage of public IP space

Hi all,

I have a question regarding the public network on CS 4.6.

Currently, I have a /24 network of public & routable IP addresses. I want to assign the first 30 of them to Cloudstack’s public network for using it in the system VMs while keeping the rest of this space for my instances. 

However, I don’t see it possible as I get the following exception when I register the rest of the space in shared networks: "The IP range with tag: vlan://869 in zone NewZone has overlapped with the subnet. Please specify a different gateway/netmask."

Does anyone know a trick to make this happen? Thanks in advance

Kind Regards
Stavros Konstantaras

----------------------------
Stavros Konstantaras
Science faculty Research IT support (FEIOG) 
University of Amsterdam, Science Park 904, 1098 XH

Fingerprint: E5E5 9B19 D1CD 88CD 4763  3465 A8DC 7C92 330F D59A


Re: Usage of public IP space

Posted by Stavros Konstantaras <s....@uva.nl>.
Yes, that is correct. The /24 that I have is routable and there are ACLs + Router controlling incoming and outgoing traffic through that space (e.g. a VM in that space can not access other resources of the organisation and vice versa). 

Thus, I want to use the rest of the space to assign it to my VMs and not just assign the full IP space to Cloudstack’s public network.  I do have my own VLAN range so I can do L2 separation of traffic and enforce my own security boundaries, however I am CL is not very flexible on that. 

Cheers
Stavros



Re: Usage of public IP space

Posted by Simon Weller <sw...@ena.com>.
Cloudstack does enforce networking boundaries and in any production setup, that's honestly what you want it to do. 

Since you're getting delegated a network, it sounds as if your upstream network folks are expecting you to manage and subnet said networks as you see fit.

I'm assuming the /24 you have is routable public space and not RFC 1918 space, correct?

If so, what are you doing in terms of protecting assets? Do you have a firewall in front of it that can do layer 3 routing?

- Si


Re: Usage of public IP space

Posted by Stavros Konstantaras <s....@uva.nl>.
Ok that’s one option. I could use the head node as a router/gateway with some VLAN translation but this will increase the complexity of the setup and will add some administration overhead (we use CS to make our lives simpler, correct?).

Shall I assume that there is no other way to solve that easily inside?

Cheers
Stavros



Re: Usage of public IP space

Posted by Simon Weller <sw...@ena.com>.
Stavros,

One option you have is to place a linux (or *bsd) box between your router and Cloudstack and use that to break out your subnets. You could then hand off routed vlans to CS.

- Si




Re: Usage of public IP space

Posted by Stavros Konstantaras <s....@uva.nl>.
Hi Simon, 

Thought of it already but I can’t touch the router of my network to make and register subnets on it. So I need to work around CS to make it work. 

Regards
Stavros



Re: Usage of public IP space

Posted by Simon Weller <sw...@ena.com>.
Can't you subnet it out to a /27?



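
An added example, not part of the original thread and not CloudStack's code: it carves a /24 into a leading /27 plus the remaining CIDR blocks, as the /27 suggestion implies, and models why reusing the /24 gateway/netmask for a second range collides. The prefix 203.0.113.0/24, the gateway-is-first-host convention and all function names are assumptions for illustration.

```python
import ipaddress

# Constructed sample: 203.0.113.0/24 is a documentation prefix standing in
# for the routable /24 from the thread.
BLOCK = ipaddress.ip_network("203.0.113.0/24")

def carve(block, first_prefix=27):
    """Return the leading subnet of the given prefix length and the fewest
    CIDR blocks that cover the rest of the block."""
    first = next(block.subnets(new_prefix=first_prefix))
    return first, sorted(block.address_exclude(first))

def describe(net):
    """Per-subnet values to register. Assumption: gateway is the first host."""
    hosts = list(net.hosts())
    return {"cidr": str(net), "netmask": str(net.netmask),
            "gateway": str(hosts[0]), "start": str(hosts[1]),
            "end": str(hosts[-1]), "hosts": len(hosts)}

def subnet_of(gateway, netmask):
    """Subnet implied by a gateway/netmask pair."""
    return ipaddress.ip_network(f"{gateway}/{netmask}", strict=False)

def conflicts(proposed, registered):
    """Simplified model of an overlap check (not CloudStack's code): list the
    registered subnets that the proposed gateway/netmask pair overlaps."""
    new = subnet_of(*proposed)
    return [str(subnet_of(*r)) for r in registered if new.overlaps(subnet_of(*r))]

if __name__ == "__main__":
    first, rest = carve(BLOCK)
    for net in [first, *rest]:
        print(describe(net))
    whole = ("203.0.113.1", "255.255.255.0")
    # Same /24 gateway/netmask reused for a second range: collision.
    print(conflicts(whole, [whole]))
    # Second /27 against the first /27: no collision.
    print(conflicts(("203.0.113.33", "255.255.255.224"),
                    [("203.0.113.1", "255.255.255.224")]))
```

Each carved block has its own gateway, so it only carries traffic once something upstream routes it, which is the role of the intermediate box discussed in the thread.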