Creating physical compute networks
Physical networks can host multiple IPv4, IPv6, and dual-stack subnets. IPv6 subnets support three IP address assignment modes: Stateless Address Autoconfiguration (SLAAC), DHCPv6 stateless, and DHCPv6 stateful. The modes are explained in the following table:
IPv6 address mode | VM address assignment | External router configuration | DHCP server configuration |
---|---|---|---|
SLAAC | A VM obtains an IPv6 address, the default gateway, and the subnet prefix via Router Advertisements (RA) from an external router. DNS servers and a hostname are not automatically configured. | An external router should send RA messages without the M (Managed address configuration) and O (Other configuration) flags. | The built-in DHCPv6 server is automatically disabled. |
DHCPv6 stateless | A VM obtains an IPv6 address and the default gateway via RA messages from an external router and other information (the subnet prefix, DNS servers, a hostname) from the built-in DHCPv6 server. | An external router should send RA messages with the O flag. | The built-in DHCPv6 server is automatically enabled. |
DHCPv6 stateful | A VM obtains an IPv6 address and other information (the subnet prefix, DNS servers, a hostname) from the built-in DHCPv6 server. The default gateway is received via RA messages from an external router. | An external router should send RA messages with the M flag. | The built-in DHCPv6 server is automatically enabled. |
IPv6 address assignment inside a virtual machine also depends on the network settings of a guest operating system.
Limitations
- You can create only one untagged physical network over an infrastructure network.
- When providing network access to an entire domain, it is configured only for the existing projects within this domain. Newly created projects will not have access to the network.
- You cannot connect IPv6 subnets to routers. Therefore, floating IPv6 addresses are not supported.
- IPv6 addresses are not supported for Kubernetes clusters.
- A VM that is connected to a dual-stack network always receives an IPv6 address, if the IPv6 subnet is in the SLAAC or DHCPv6 stateless mode.
- To be able to work in a SLAAC-enabled IPv6 subnet by using cloud-init, a VM guest operating system must have cloud-init version 19.4 or newer.
- A physical network MTU cannot exceed that of the underlying network interface.
Prerequisites
- A clear understanding of the compute architecture, which is explained in Compute network architecture.
- For VLAN-based networks, a virtual switch is connected to the trunk network interface, as described in Connecting virtual switches to trunk interfaces.
To add a physical compute network
Admin panel
- On the Compute > Network > Networks tab, click Create network.
- On the Network configuration step:
  - Enable or disable IP address management:
    - With IP address management enabled, VMs connected to the network will automatically be assigned IP addresses from allocation pools by the built-in DHCP server and use custom DNS servers. Additionally, spoofing protection will be enabled for all VM network ports by default. Each VM network interface will be able to accept and send IP packets only if it has IP and MAC addresses assigned. You can disable spoofing protection manually for a VM interface, if required.
    - With IP address management disabled, VMs connected to the network will obtain IP addresses from the DHCP servers in that network, if any. Also, spoofing protection will be disabled for all VM network ports, and you cannot enable it manually. This means that each VM network interface, with or without assigned IP and MAC addresses, will be able to accept and send IP packets.

    In any case, you will be able to manually assign static IP addresses from inside the VMs.
  - Select the Physical network type.
  - Specify a network name, and then select an infrastructure network with the VM public traffic type.
  - To create a VLAN-based network, select VLAN and specify a VLAN ID. To create a flat physical network, select Untagged.
  - The network MTU is set to 1500 by default. If required, you can adjust this value according to the MTU of the underlying network interface.
  - Click Next.
- If you enabled IP address management, you will move on to the IP address management step, where you can add IPv4 and IPv6 subnets:
  - To add an IPv4 subnet
    - In the Subnets section, click Add and select IPv4 subnet.
    - In the Add IPv4 subnet window, specify the network’s IPv4 address range and, optionally, specify a gateway. If you leave the Gateway field blank, the gateway will be omitted from network settings.
    - Enable or disable the built-in DHCP server:
      - With the DHCP server enabled, VM network interfaces will automatically be assigned IP addresses: either from allocation pools or, if there are no pools, from the network’s entire IP range. The DHCP server will receive the first two IP addresses from the IP pool. For example:
        - In a subnet with CIDR 192.168.128.0/24 and without a gateway, the DHCP server will be assigned the IP addresses 192.168.128.1 and 192.168.128.2.
        - In a subnet with CIDR 192.168.128.0/24 and the gateway IP address set to 192.168.128.1, the DHCP server will be assigned the IP addresses 192.168.128.2 and 192.168.128.3.
      - With the DHCP server disabled, VM network interfaces will still get IP addresses, but you will have to manually assign them inside VMs.

      The virtual DHCP service will work only within the current network and will not be exposed to other networks.
    - Specify one or more allocation pools (ranges of IP addresses that will be automatically assigned to VMs).
    - Specify DNS servers that will be used by virtual machines. These servers can be delivered to VMs via the built-in DHCP server or by using the cloud-init network configuration (if cloud-init is installed in the VM).
    - Click Add.
  - To add an IPv6 subnet
    - In the Subnets section, click Add and select IPv6 subnet.
    - In the Add IPv6 subnet window, specify the network’s IPv6 address range and, optionally, specify a gateway. If you leave the Gateway field blank, the gateway will be omitted from network settings.
    - Select the desired IPv6 address mode, referring to the table above.
    - If you have selected the IPv6 address mode None, enable or disable the built-in DHCP server:
      - With the DHCP server enabled, a VM will automatically obtain an IPv6 address.
      - With the DHCP server disabled, you will need to assign an IPv6 address for a VM manually.
    - Specify one or more allocation pools (ranges of IP addresses that will be automatically assigned to VMs).
    - If you have selected the IPv6 address mode DHCPv6 stateless or DHCPv6 stateful, specify DNS servers that will be sent to virtual machines via the built-in DHCP server.
    - Click Add.
- On the Network access step, you can configure the network access:
  - Select projects to provide network access to:
    - If you want the network to be accessed from all existing and new projects, select All projects.
    - If you want the network to be accessed from all existing projects within a domain, select Select projects, and then select the check box next to the required domain.
    - If you want the network to be accessed from a particular project within a domain, select Select projects, click the domain name, and then select the required project.
    - If you do not want to share the network, skip this step by clicking Next.
  - Select the access type:
    - By providing full access, you allow virtual machines in the selected projects to communicate with this network either directly or via virtual routers.
    - By providing routed access, you allow virtual machines in the selected projects to communicate with this network only via virtual routers.
    - By providing direct access, you only allow a direct connection of virtual machines in the selected projects to this network.
  - Click Next.
- On the Summary step, review the configuration, and then click Add network.
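The IPv4 subnet step above reserves two addresses for the built-in DHCP server and draws VM addresses from the allocation pools. The following pre-flight check is an added example, not part of the product: `check_subnet` and `parse_pool` are hypothetical helpers that validate a planned gateway and pools against the CIDR and predict the two DHCP server addresses. It assumes IPv4 and that the server takes the first two free addresses of the pools in ascending order, skipping the gateway.

```python
import ipaddress

def parse_pool(text):
    """Parse 'ip_addr_start-ip_addr_end' into a (start, end) address pair."""
    start, _, end = text.partition("-")
    lo, hi = ipaddress.ip_address(start.strip()), ipaddress.ip_address(end.strip())
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"bad allocation pool: {text}")
    return lo, hi

def check_subnet(cidr, gateway=None, pools=()):
    """Return (problems, dhcp_addresses) for a planned IPv4 subnet."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects CIDRs with host bits set
    gw = ipaddress.ip_address(gateway) if gateway else None
    ranges = sorted(parse_pool(p) for p in pools)
    problems = []
    if gw is not None and gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    for lo, hi in ranges:
        if lo not in net or hi not in net:
            problems.append(f"pool {lo}-{hi} is outside {net}")
        if gw is not None and lo <= gw <= hi:
            problems.append(f"pool {lo}-{hi} contains the gateway {gw}")
    for (_, hi1), (lo2, _) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"pool starting at {lo2} overlaps the previous pool")
    # Assumption: without pools, the whole host range of the network is used.
    if not ranges:
        ranges = [(net.network_address + 1, net.broadcast_address - 1)]
    # Assumption: the DHCP server gets the first two free addresses, gateway skipped.
    dhcp = []
    for lo, hi in ranges:
        addr = lo
        while addr <= hi and len(dhcp) < 2:
            if addr != gw:
                dhcp.append(str(addr))
            addr += 1
    return problems, dhcp
```
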
Command-line interface
Use the following command:
vinfra service compute network create [--dhcp | --no-dhcp] [--dns-nameserver <dns-nameserver>] [--allocation-pool <allocation-pool>] [--gateway <gateway> | --no-gateway] [--rbac-policies <rbac-policies>] [--physical-network <physical-network>] [--vlan-network <vlan-network>] [--vlan <vlan>] [--mtu <mtu>] [--cidr <cidr>] [--ipv6-address-mode <ipv6-address-mode>] <network-name>
--dhcp
- Enable DHCP.
--no-dhcp
- Disable DHCP.
--dns-nameserver <dns-nameserver>
- DNS server IP address. This option can be used multiple times.
--allocation-pool <allocation-pool>
- Allocation pool to create inside the network in the format: ip_addr_start-ip_addr_end. This option can be used multiple times.
--gateway <gateway>
- Gateway IP address
--no-gateway
- Do not configure a gateway for this network.
--rbac-policies <rbac-policies>
- Comma-separated list of RBAC policies in the format: <target>:<target_id>:<action> | none. Valid targets: project, domain. Valid actions: direct, full, routed. ‘*’ is a valid target_id for all targets. Pass none to clear out all existing policies. Example: domain:default:routed,project:uuid1:full
--physical-network <physical-network>
- An infrastructure network to link to a physical network
--vlan-network <vlan-network>
- A VLAN network to link
--vlan <vlan>
- Virtual network VLAN ID
--mtu <mtu>
- Custom MTU value
--cidr <cidr>
- Subnet range in CIDR notation
--ipv6-address-mode <ipv6-address-mode>
- IPv6 address mode: dhcpv6-stateful, dhcpv6-stateless, slaac
<network-name>
- Network name
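The `--rbac-policies` value decides which projects can reach the network and how, so it is worth checking before the command is run. The following linter is an added example, not part of vinfra: `parse_rbac_policies` and `review_rbac_policies` are hypothetical helpers that validate the documented `<target>:<target_id>:<action>` format and flag grants a reviewer should confirm, based on the access types and the domain limitation described on this page.

```python
VALID_TARGETS = {"project", "domain"}
VALID_ACTIONS = {"direct", "full", "routed"}

def parse_rbac_policies(value):
    """Parse the --rbac-policies value into (target, target_id, action) tuples."""
    if value.strip() == "none":  # 'none' clears all existing policies
        return []
    policies = []
    for item in value.split(","):
        parts = item.strip().split(":")
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"expected <target>:<target_id>:<action>, got {item!r}")
        target, target_id, action = parts
        if target not in VALID_TARGETS:
            raise ValueError(f"invalid target {target!r} in {item!r}")
        if action not in VALID_ACTIONS:
            raise ValueError(f"invalid action {action!r} in {item!r}")
        policies.append((target, target_id, action))
    return policies

def review_rbac_policies(value):
    """Return (policy, note) pairs for grants a reviewer should confirm."""
    notes, actions_by_scope = [], {}
    for target, target_id, action in parse_rbac_policies(value):
        policy = f"{target}:{target_id}:{action}"
        if target_id == "*":
            notes.append((policy, f"wildcard: applies to every {target}"))
        elif target == "domain":
            # Limitation from this page: new projects in the domain get no access.
            notes.append((policy, "domain grant: covers only projects that exist now"))
        if action == "full":
            notes.append((policy, "full: allows both direct and routed access"))
        # The same scope listed twice with different actions is ambiguous.
        previous = actions_by_scope.setdefault((target, target_id), action)
        if previous != action:
            notes.append((policy, f"conflict: same scope already granted {previous}"))
    return notes
```
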
Example 1. To create an untagged physical network over the Public infrastructure network, with enabled IP management, the specified network parameters, and full network access between all the projects within the specified domain, run:
# vinfra service compute network create mypubnet --physical-network Public \
  --cidr 10.136.16.0/22 --gateway 10.136.16.1 --dns-nameserver 10.35.11.7 \
  --allocation-pool 10.136.18.141-10.136.18.148 \
  --rbac-policies domain:cd421db9f3e84e3e8cd2c932c1f7a698:full
Example 2. To create a VLAN-based physical network over the Public infrastructure network, with the VLAN ID 10, enabled IP management, the specified network parameters, and direct network access between all the projects in the infrastructure, run:
# vinfra service compute network create mypubnet_vlan --vlan 10 \
  --physical-network Public --cidr 10.136.16.0/22 --gateway 10.136.16.1 \
  --dns-nameserver 10.35.11.7 --allocation-pool 10.136.18.131-10.136.18.138 \
  --rbac-policies project:*:direct
The new compute network will appear in the vinfra service compute network list output:
# vinfra service compute network list -c id -c name -c cidr -c allocation_pools
+----------------+---------------+------------------+---------------------------------+
| id             | name          | cidr             | allocation_pools                |
+----------------+---------------+------------------+---------------------------------+
| 22674f9d-<...> | mypubnet      | 10.136.16.0/22   | - 10.136.18.141-10.136.18.148   |
| 8f0dc747-<...> | mypubnet_vlan | 10.136.16.0/22   | - 10.136.18.131-10.136.18.138   |
| a0019b43-<...> | myprivnet     | 192.168.128.0/24 | - 192.168.128.2-192.168.128.254 |
+----------------+---------------+------------------+---------------------------------+