Before launching instances on OpenStack, you need networks for them to connect to. OpenStack Neutron handles all networking: creating virtual networks, assigning subnets, managing DHCP, and connecting instances to physical infrastructure. This guide covers creating both provider (external) and self-service (tenant) networks using the OpenStack CLI.
All commands use the unified openstack CLI. The older neutron commands are deprecated and should not be used in new deployments.
Prerequisites
- A running OpenStack deployment with Neutron networking service
- The OpenStack CLI client installed and configured with admin credentials
- Admin access for provider network creation (regular users can create self-service networks)
Source your credentials file before running any commands:
source admin-openrc.shProvider Networks vs Self-Service Networks
OpenStack supports two network types, and knowing which one to use matters for how instances connect to the outside world.
| Type | Created By | Use Case | Routing |
|---|---|---|---|
| Provider (external) | Admin only | Direct access to physical network | Layer 2 bridging to physical infra |
| Self-service (tenant/private) | Any project | Isolated project networks | Virtual router + NAT for external access |
Provider networks map directly to your physical network (flat or VLAN). Instances get IPs from the same pool as your physical servers. Self-service networks create isolated virtual networks per project, using overlay protocols (VXLAN, GRE, Geneve) and virtual routers for external connectivity.
Create a Provider Network (Flat)
A flat provider network maps directly to a physical network without VLAN tagging. This is the simplest configuration and works when all instances share the same Layer 2 segment as your physical servers.
openstack network create --share --external \
--provider-physical-network provider \
--provider-network-type flat \
provider-netEach flag controls a specific behavior:
--sharemakes the network available to all projects--externalmarks it as an external (provider) network. Use--internalfor private networks--provider-physical-network providermaps to the physical network label defined in your Neutron ML2 config (ml2_conf.ini)--provider-network-type flatspecifies no VLAN tagging (untagged traffic)
The physical network label (provider) must match the flat_networks setting in your ML2 configuration:
[ml2_type_flat]
flat_networks = providerVerify the network was created:
openstack network listCreate a Provider Network (VLAN)
VLAN provider networks tag traffic with a specific VLAN ID, allowing multiple isolated networks over the same physical interface. Use this when your physical switches support 802.1Q trunking.
openstack network create --share --external \
--provider-physical-network provider \
--provider-network-type vlan \
--provider-segment 203 \
provider-vlan203The --provider-segment 203 flag sets the VLAN ID. This must match the VLAN configured on your physical switch trunk ports and compute node interfaces.
Your ML2 config needs the VLAN range defined:
[ml2_type_vlan]
network_vlan_ranges = provider:200:300This allows VLAN IDs 200 through 300 on the provider physical network.
Create Subnets
IPv4 Subnet
Every network needs at least one subnet to assign IPs to instances. Create an IPv4 subnet on the provider network:
openstack subnet create --network provider-net \
--subnet-range 192.168.10.0/24 \
--gateway 192.168.10.1 \
--allocation-pool start=192.168.10.10,end=192.168.10.200 \
--dns-nameserver 8.8.8.8 \
--dns-nameserver 8.8.4.4 \
provider-subnet-v4The allocation pool defines which IPs Neutron’s DHCP service can assign. Keep the gateway and any static infrastructure IPs outside this range. You can add multiple --dns-nameserver flags.
For external subnets where instances get public IPs and you manage DHCP elsewhere, disable Neutron DHCP:
openstack subnet create --network provider-net \
--subnet-range 203.0.113.0/24 \
--gateway 203.0.113.1 \
--allocation-pool start=203.0.113.100,end=203.0.113.200 \
--dns-nameserver 8.8.8.8 \
--no-dhcp \
provider-subnet-publicIPv6 Subnet
Add an IPv6 subnet if your instances need dual-stack connectivity. SLAAC (Stateless Address Autoconfiguration) lets instances configure their own IPv6 addresses:
openstack subnet create --network provider-net \
--subnet-range fd00:203:0:113::/64 \
--gateway fd00:203:0:113::1 \
--ip-version 6 \
--ipv6-address-mode slaac \
--ipv6-ra-mode slaac \
--dns-nameserver 2001:4860:4860::8844 \
provider-subnet-v6The --ipv6-address-mode and --ipv6-ra-mode flags support three modes: slaac (stateless), dhcpv6-stateful, and dhcpv6-stateless.
List all subnets to verify:
openstack subnet listCreate a Self-Service Network
Self-service networks give projects isolated virtual networks. Instances connect to the outside world through a virtual router that performs NAT.
openstack network create project-netNo --external or --provider-* flags needed. Neutron automatically uses the overlay protocol configured in your ML2 plugin (typically VXLAN or Geneve).
Create a subnet for the project network:
openstack subnet create --network project-net \
--subnet-range 172.16.1.0/24 \
--gateway 172.16.1.1 \
--dns-nameserver 8.8.8.8 \
project-subnetConnect to External Network via Router
Self-service networks need a virtual router for external connectivity. Create a router, set its gateway to the provider network, then attach the project subnet:
openstack router create project-routerSet the router’s external gateway:
openstack router set --external-gateway provider-net project-routerAttach the project subnet to the router:
openstack router add subnet project-router project-subnetInstances on project-net can now reach the internet through the router’s NAT.
Launch an Instance on the Network
With the network and subnet in place, launch an instance:
openstack server create \
--flavor m1.small \
--image Ubuntu-24.04 \
--network provider-net \
--security-group default \
--key-name mykey \
test-instanceVerify the instance received an IP from the subnet’s allocation pool:
openstack server show test-instance -c addressesManage Networks and Subnets
Common management commands for day-to-day operations:
| Task | Command |
|---|---|
| List all networks | openstack network list |
| Show network details | openstack network show provider-net |
| List external networks | openstack network list --external |
| List subnets | openstack subnet list |
| Show subnet details | openstack subnet show provider-subnet-v4 |
| Update subnet DNS | openstack subnet set --dns-nameserver 1.1.1.1 provider-subnet-v4 |
| Delete a subnet | openstack subnet delete provider-subnet-v4 |
| Delete a network | openstack network delete provider-net |
| List ports on a network | openstack port list --network provider-net |
| Show router details | openstack router show project-router |
Network Types Reference
| Type | Flag | Use Case |
|---|---|---|
| Flat | --provider-network-type flat | Untagged traffic on a single physical network |
| VLAN | --provider-network-type vlan | 802.1Q tagged, multiple networks per physical NIC |
| VXLAN | --provider-network-type vxlan | Overlay for self-service networks (most common) |
| GRE | --provider-network-type gre | Overlay (legacy, VXLAN preferred) |
| Geneve | --provider-network-type geneve | Next-gen overlay (OVN default) |
| Local | --provider-network-type local | Single-host only, no external connectivity |
For more OpenStack CLI operations, see these related guides:
