Red Hat Training

A Red Hat training course is available for Red Hat OpenStack Platform

Chapter 2. Networking In-Depth

2.1. How Basic Networking Works

Networking consists of moving information from one computer to another. At the most basic level, this is performed by running a cable between two machines, each with a network interface card (NIC) installed. If you ever studied the OSI networking model, this is layer 1.

When you want to involve more than two computers in the conversation, you need to scale out this configuration by adding a device called a switch. Switches are dedicated devices with multiple Ethernet ports to which you connect additional machines. This configuration is called a Local Area Network (LAN).

Switches move up the OSI model to layer 2 and apply more intelligence than the lower layer 1. Each NIC has a unique MAC address that is assigned to the hardware, and this number allows machines that are plugged in to the same switch find each other.

The switch maintains a list of which MAC addresses are plugged into which ports, so that when one computer attempts to send data to another computer, the switch knows where each NIC is located and adjusts the circuitry to direct the network traffic to the correct destination.

2.1.1. Connecting multiple LANs

If you use two LANs on two separate switches, you can connect them to share information with each other in the following ways:

Trunk cable
You can connect the two switches directly with a physical cable, called a trunk cable. In this configuration, you plug each end of the trunk cable into a port on each switch, and then define these ports as trunk ports. Now the two switches act as one big logical switch, and the connected computers can successfully find each other. This option is not very scalable, and overhead becomes an issue the more switches you link directly.

You can use a device called a router to plug in cables from each switch. As a result, the router is aware of the networks that are configured on both switches. Each switch that you plug into the router becomes an interface and is assigned an IP address, known as the default gateway for that network. The "default" in default gateway means that this is the destination where traffic will be sent if it is clear that the destination computer is not on the same LAN as the source of the data transfer.

After you set this default gateway on each of your computers, they do not need to be aware of all of the other computers on the other networks to send traffic to them. The traffic is just sent to the default gateway and the router handles it from there. Since the router is aware of which networks reside on which interface, it can send the packets on to their intended destinations. Routing works at layer 3 of the OSI model, and utilizes familiar concepts like IP addresses and subnets.


This concept is how the Internet itself works. Many separate networks run by different organizations are all inter-connected using switches and routers. Keep following the correct default gateways and your traffic will eventually get to where it needs to go.

2.1.2. VLANs

Virtual Local Area Networks (VLANs) allow you to segment network traffic for computers that run on the same switch. You can logically divide your switch by configuring the ports to be members of different networks. This configuration turns the ports into mini-LANs that allow you to separate traffic for security purposes.

For example, if your switch has 24 ports, you can define ports 1-6 to belong to VLAN200, and ports 7-18 belong to VLAN201. Computers that are plugged into VLAN200 are completely separate from computers on VLAN201, and they can no longer communicate directly. All traffic between the two VLANs must now pass through the router as if they were two separate physical switches. You can also enhance the security with firewalls to determine which VLANs can communicate with each other.

2.1.3. Firewalls

Firewalls operate at the same OSI layer as IP routing. They are often located in the same network segments as the routers, where they govern the traffic between all the networks. Firewalls use a predefined set of rules that prescribe which traffic can or cannot enter a network. These rules can be very granular. For example, you can define a rule where servers on VLAN 200 can only communicate with computers on VLAN201, and only on a Thursday afternoon, and only if the traffic is Web (HTTP) and moves in one direction.

To help enforce these rules, some firewalls also perform Stateful Packet Inspection (SPI), where they examine the contents of packets to ensure that they are what they claim to be. Hackers are known to exfiltrate data by sending traffic that masquerades as something else, and SPI is one method that can help mitigate that threat.

2.1.4. Bridges

Network bridges are switches that operate at the same level 2 of the OSI model, but their only function is to connect separate networks together, similar to routers.

2.2. Networking in OpenStack

All of the basic networking concepts in an OpenStack cloud, except that they are defined by services and configuration. This is known as Software-Defined Networking (SDN). Virtual switches (Open vSwitch) and routers (l3-agent) allow your instances to communicate with each other, and allow them to communicate externally using the physical network. The Open vSwitch bridge allocates virtual ports to instances and spans across to the physical network to allow incoming and outgoing traffic.

2.3. Advanced OpenStack Networking Concepts

2.3.1. Layer 3 High Availability

OpenStack Networking hosts virtual routers on a centralized Network node, which is a physical server that is dedicated to the function of hosting the virtual networking components. These virtual routers direct traffic to and from virtual machines, and are vital to the continued connectivity of your environment. Since physical servers might experience outages due to many reasons, your virtual machines might be vulnerable to outages when the Network node becomes unavailable.

OpenStack Networking uses Layer 3 High Availability to help mitigate this vulnerability, implementing the industry standard VRRP to protect virtual routers and floating IP addresses. With Layer 3 High Availability, the virtual routers of the tenant are randomly distributed across multiple physical Network nodes, with one router designated as the active router, and the other routers on standby, ready to take over if the Network node that hosts the active router experiences an outage.


"Layer 3" refers to the section of the OSI model where this feature functions, and means that it can protect routing and IP addressing.

For more information, see the "Layer 3 High Availability" section in the Networking Guide.

2.3.2. Load Balancing-as-a-Service (LBaaS)

Load Balancing-as-a-Service (LBaaS) enables OpenStack Networking to distribute incoming network requests equally between designated instances. This distribution ensures the workload is shared among instances and helps to use system resources more effectively. Incoming requests are distributed using one of the following load balancing methods:

Round robin
Rotates requests evenly between multiple instances.
Source IP
Requests from a unique source IP address are always directed to the same instance.
Least connections
Allocates requests to the instance with the lowest number of active connections.

For more information, see the "Configuring Load Balancing-as-a-Service" section in the Networking Guide.

2.3.3. IPv6

OpenStack Networking supports IPv6 addresses in tenant networks, so you can dynamically assign IPv6 addresses to virtual machines. OpenStack Networking can also integrate with SLAAC on your physical routers, so that virtual machines can receive IPv6 addresses from your existing DHCP infrastructure.

For more information, see the "IPv6" section in the Networking Guide.