Query on East-West traffic


Ravi Shankar S
 

Hi All,

I have a query on East-West traffic and how it is handled by OVSDB and OpenStack. There are 2 possible cases in East-West traffic.

Case 1 - Tenants having different networks:

Consider the below case:
    Tenant 1 with network 2.0.0.0/24
    Tenant 2 with network 1.0.0.0/24

Tenant 1 tries to ping tenant 2. In this case a tuple of [tunnel_id/vxlan_id, des_ip] will be used by Open vSwitch to identify and switch the packet to the destination tenant network.

Flow rules for reaching a different tenant (Ref: Flavio's how-to-odl-with-openstack-part2.html blog):

cookie=0x0, duration=9662.085s, table=60, n_packets=122, n_bytes=11222, priority=2048,ip,tun_id=0x3e9,nw_dst=2.0.0.0/24 actions=set_field:fa:16:3e:cb:14:47->eth_src,dec_ttl,set_field:0x3ea->tun_id,goto_table:70

cookie=0x0, duration=9661.045s, table=60, n_packets=4, n_bytes=392, priority=2048,ip,tun_id=0x3ea,nw_dst=1.0.0.0/24 actions=set_field:fa:16:3e:69:5a:42->eth_src,dec_ttl,set_field:0x3e9->tun_id,goto_table:70

I have verified in my local setup that East-West traffic is working fine with tenants having different networks.

Case 2 - Two or more tenants having the same network:

Consider the below case:
    Tenant 1 with network 1.0.0.0/24
    Tenant 2 with network 1.0.0.0/24

How does Open vSwitch create rules to reach tenant 2 when tenant 1 tries to ping? The ping binary does not seem to provide any option for tunnel_id/segmentation ID.

Legacy behavior:

In a legacy network, we can have the same network in different Virtual Routing and Forwarding (VRF) instances. The ping binary has options to ping a specific VRF id and destination IP.

So, there are 2 options:

1. Have the VXLAN ID/tunnel ID as part of ping/the application. This way Open vSwitch can form a unique tuple of [tunnel_id/vxlan_id, des_ip]. Please give your comments on this.

2. Use the floating IP option and assign:
    a. A static floating IP to each of the VMs in the tenant network.
        - In a large-scale deployment we might run out of floating IPs. This might not be an ideal solution.
    b. A floating IP per compute node or per tenant network in the deployment.
        - In this case ODL has to internally maintain which ports to reach for a particular floating IP.

Is the IP overlap use case possible in the current scenario with ODL + OpenStack?

I hope it is a valid use case from a deployment perspective. Please correct me if I am wrong and give your valid inputs.

Regards,
Ravi

 


Sam Hague
 

Ravi,

For 2, I think we normally just ping from the DHCP namespace, which is similar to a VRF. The namespace is also tenant specific, so that will match the right flows. All traffic coming from certain ports will have the segId/tenant info tagged to it to identify it.

Sam

_______________________________________________
ovsdb-dev mailing list
ovsdb-dev@...
https://lists.opendaylight.org/mailman/listinfo/ovsdb-dev



Anil Vishnoi
 

Ravi, if you need more details about it, look at the following awesome blogs by Flavio:

http://www.flaviof.com/blog/work/how-to-odl-with-openstack-part1.html
http://www.flaviof.com/blog/work/how-to-odl-with-openstack-part2.html


Thanks
Anil



Ravi Shankar S
 

Hi Anil/Sam,

I have looked into Flavio's links (part 1 and part 2) and those demos were working perfectly fine.

My query is very specific to the use case where two or more tenants have the same network and there is East-West communication between these tenants.

For example,
1. Tenant 1 has the network 2.0.0.0/24 and has 2 VMs with IPs 2.0.0.2 and 2.0.0.3
2. Tenant 2 has the network 2.0.0.0/24 and has 2 VMs with IPs 2.0.0.2 and 2.0.0.3

Now Tenant 1's VM with IP 2.0.0.2 wants to communicate with Tenant 2's VM with IP 2.0.0.3.

The above communication is not possible, since the OVS switch has no way to identify that the packet is destined for tenant 2's VM with IP 2.0.0.3. In the current scenario, the communication will be destined for Tenant 1's VM with IP 2.0.0.3.

We can address this use case by the below options:
1. Have the destination VXLAN ID/tunnel ID as part of ping/the application. This way Open vSwitch can form a unique tuple of [destination tunnel_id/vxlan_id, des_ip]. This also needs support in the OVS switch for processing the destination tunnel ID.
2. Use floating IPs for the VMs so that they can be uniquely identified.

In a typical public cloud provider environment, there can be multiple tenants with the same network (IP overlap). Please correct me if I am wrong and also tell me whether the above use case is valid or not.

Sam,

For 2, I think we normally just ping from the DHCP namespace, which is similar to a VRF. The namespace is also tenant specific, so that will match the right flows. All traffic coming from certain ports will have the segId/tenant info tagged to it to identify it.
<Ravi> If we try in tenant 1's DHCP namespace and ping 2.0.0.3, then the destination will be tenant 1's VM with IP 2.0.0.3. This is how namespaces work. My use case is that I want to ping another tenant with the same IP.

Regards,
Ravi
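As an added example (not code from this thread, from ODL or from Open vSwitch), here is a small Python model of the table-60 lookup discussed above: it parses the two flows Ravi quoted, shows the [tun_id, nw_dst] tuple steering Case 1 traffic between the two different networks, and then shows why Case 2 cannot be expressed with that same key. The tunnel id 0x3eb for "tenant 2" and the floating address 10.0.0.3 are constructed for the example; the overwrite behaviour follows OpenFlow's rule that an ADD with an identical match and priority replaces the existing entry.

```python
import ipaddress
import re

# Pull priority, incoming tun_id, nw_dst and the rewritten tun_id out of an
# ovs-ofctl dump-flows line of the form quoted in the thread.
FLOW_RE = re.compile(r"priority=(\d+),ip,tun_id=(0x[0-9a-f]+),nw_dst=(\S+) actions=.*"
                     r"set_field:(0x[0-9a-f]+)->tun_id")

def install(lines):
    """Model of the table: key (priority, tun_id, nw_dst) -> outgoing tun_id.
    As in OpenFlow, an ADD with an identical match and priority replaces the
    earlier entry's actions; the replaced entries are returned with the table."""
    table, replaced = {}, []
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            raise ValueError("unrecognised flow: " + line)
        key = (int(m.group(1)), int(m.group(2), 16), ipaddress.ip_network(m.group(3)))
        out = int(m.group(4), 16)
        if key in table and table[key] != out:
            replaced.append((key, table[key], out))
        table[key] = out
    return table, replaced

def lookup(table, tun_id, dst_ip):
    """tun_id a packet leaves with (highest-priority match on tun_id + nw_dst), or None."""
    dst = ipaddress.ip_address(dst_ip)
    hits = [(key[0], out) for key, out in table.items() if key[1] == tun_id and dst in key[2]]
    return max(hits)[1] if hits else None

# The two table-60 flows quoted in the thread.
PAGE_FLOWS = [
    "cookie=0x0, duration=9662.085s, table=60, n_packets=122, n_bytes=11222, priority=2048,"
    "ip,tun_id=0x3e9,nw_dst=2.0.0.0/24 actions=set_field:fa:16:3e:cb:14:47->eth_src,dec_ttl,"
    "set_field:0x3ea->tun_id,goto_table:70",
    "cookie=0x0, duration=9661.045s, table=60, n_packets=4, n_bytes=392, priority=2048,"
    "ip,tun_id=0x3ea,nw_dst=1.0.0.0/24 actions=set_field:fa:16:3e:69:5a:42->eth_src,dec_ttl,"
    "set_field:0x3e9->tun_id,goto_table:70",
]

# Constructed flows for Case 2: tenant 1 (tun_id 0x3e9) and tenant 2 (made-up
# tun_id 0x3eb) both use 2.0.0.0/24; 10.0.0.3/32 is a made-up floating IP.
OVERLAP_FLOWS = [
    # keep tenant 1's own 2.0.0.0/24 traffic inside tun_id 0x3e9
    "table=60, priority=2048,ip,tun_id=0x3e9,nw_dst=2.0.0.0/24 actions=set_field:0x3e9->tun_id,goto_table:70",
    # route tenant 1 to tenant 2's copy of 2.0.0.0/24: same match key as the entry above
    "table=60, priority=2048,ip,tun_id=0x3e9,nw_dst=2.0.0.0/24 actions=set_field:0x3eb->tun_id,goto_table:70",
    # floating-IP alternative: a destination address that no tenant network overlaps
    "table=60, priority=2048,ip,tun_id=0x3e9,nw_dst=10.0.0.3/32 actions=set_field:0x3eb->tun_id,goto_table:70",
]

def case1():
    """Different networks: (tun_id, nw_dst) uniquely selects the destination tenant."""
    table, replaced = install(PAGE_FLOWS)
    return lookup(table, 0x3e9, "2.0.0.3"), lookup(table, 0x3ea, "1.0.0.5"), len(replaced)

def case2():
    """Same network: the cross-tenant entry overwrites the local one, so tenant 1
    can no longer reach its own 2.0.0.3; only the floating-IP key stays unique."""
    table, replaced = install(OVERLAP_FLOWS)
    return lookup(table, 0x3e9, "2.0.0.3"), lookup(table, 0x3e9, "10.0.0.3"), len(replaced)
```

case1() returns (0x3ea, 0x3e9, 0): each tenant's traffic is rewritten onto the other tenant's tunnel id with nothing overwritten, while case2() returns (0x3eb, 0x3eb, 1): the overlapping entry replaced tenant 1's own route and only the floating-IP entry added a distinct key.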


Vishal Thapar <vishal.thapar@...>
 

Hi Ravi,

As per my experience, the use case you're mentioning is not really a valid use case. VMs in two different tenant networks are to be treated like external network for each of those tenants. To enable such a use case you need to use floating IPs on both of those VMs, as you yourself pointed out.

Regards,
Vishal.
