From Edge to Cloud: OpenStack Neutron Introduction — OVS Provider Networks

Posted on by Gene Kuo
從裸機到雲端:OpenStack Neutron 介紹 — OVS Provider Networks

The previous article introduced Neutron's use of the Linux Bridge plugin in different scenarios and its architecture and traffic flow. Next, we'll discuss the architecture and traffic flow of the OVS plugin. First, this article will introduce Open vSwitch with Provider Network.

Open vSwitch: Provider Networks

Architecture

The diagram above shows the complete architecture of Linux Bridge – Provider Networks, clearly indicating which components run on the controller node and which run on the compute node.

This diagram illustrates how components on a compute node are connected under a single provider network (untagged/flat). In this example, the instance and the DHCP agent are on the same host, but in reality, the DHCP agent may be on another compute node.

In scenarios with multiple provider networks, each provider network uses the same OVS provider bridge and integration bridge, but different internal VLANs for isolation. Internal VLANs usually differ from Neutron's network VLANs.

Traffic Flow

This section will explain how packets actually flow through the architecture in various scenarios.

Architecture Setup

The following is our assumed architecture: two provider networks using VLAN tagging, each with one instance.

  • Provider Network 1 (VLAN)
    • VLAN ID 101 (Tagged)
    • IP Address Range 203.0.113.0/24
    • Gateway (on the actual network)
      • IP 203.0.113.1
  • Provider network 2 (VLAN)
    • VLAN ID 102 (tagged)
    • IP Address Range 192.0.2.0/24
    • Gateway
      • IP 192.0.2.1
  • Instance 1
    • IP 203.0.113.101
  • Instance 2
    • IP 192.0.2.101

North-South Traffic

  • Instance 在 compute node 1 上並且用 provider network 1
  • Instance forwarding packets to external network

  • Instance 的網路介面 (1) 透過 veth pair (2) 將封包送往 linux bridge 的 instance port
  • 在 linux bridge 上 iptables (3) 會處理防火牆跟 connection tracking
  • Linux bridge 上的 ovs 介 (4) 面透過 veth pair 將封包送往 OVS integration bridge security group 介面 (5)
  • OVS integration bridge 將封包加上 internal VLAN tag
  • OVS integration bridge int-br-provider patch 介面 (6) 將封包送往 OVS provider bridge phy-br-provider patch 介面 (7)
  • OVS Provider bridge 將 internal VLAN tag 換成實際 provider network 的 VLAN tag 101
  • Provider network interface (8) on OVS provider bridge will forward packets to physical network interface (9)
  • Physical network interface will forward packets to the switch (10) in the physical network setup

The subsequent section is similar to general networking. Packets are forwarded to the router for outbound routing, and the return path follows the same route in reverse.

East-West Traffic 1: Instances on the same network

  • Instance 1 on compute node 1 and using provider network 1
  • Instance 2 on compute node 2 and using provider network 1
  • Instance 1 sends the packet to Instance 2

The previous scenario is entirely consistent.

  • Instance 的網路介面 (1) 透過 veth pair (2) 將封包送往 linux bridge 的 instance port
  • 在 linux bridge 上 iptables (3) 會處理防火牆跟 connection tracking
  • OVS interface (4) on Linux bridge forwards packets via veth pair to OVS integration bridge security group interface (5)
  • OVS integration bridge 將封包加上 internal VLAN tag
  • OVS integration bridge int-br-provider patch 介面 (6) 將封包送往 OVS provider bridge phy-br-provider patch 介面 (7)
  • OVS Provider bridge 將 internal VLAN tag 換成實際 provider network 的 VLAN tag 101
  • Provider network interface (8) on OVS provider bridge will forward packets to physical network interface (9)
  • Physical network interface will forward packets to the switch (10) in the physical network setup

In actual physical network infrastructure:

  • The bridge will forward the packet from compute node 1 to compute node 2 (11)

Packet transmission to compute node 2:

  • The physical network interface (12) will forward the packet to the provider network port on the OVS provider bridge (13)
  • The phy-br-provider patch port (14) on the OVS provider bridge will forward the packet to the int-br-provider patch port (15) on the OVS integration bridge
  • OVS integration bridge converts VLAN tag 101 to internal VLAN tag
  • OVS integration bridge security group interface (16) forwards packets to OVS interface (17) on Linux bridge
  • On Linux bridge, iptables (18) handles firewall and connection tracking
  • Linux bridge instance port (19) uses veth pair to forward packets to instance network interface (20)

East-West Traffic 2: Instances on different networks

  • Instance 1 on compute node 1 and using provider network 1
  • Instance 2 is on compute node 1 and uses provider network 2
  • Instance 1 sends the packet to Instance 2

The packet forwarding process is identical to the initial flow.

  • Instance 的網路介面 (1) 透過 veth pair (2) 將封包送往 linux bridge 的 instance port
  • 在 linux bridge 上 iptables (3) 會處理防火牆跟 connection tracking
  • OVS interface (4) on Linux bridge forwards packets via veth pair to OVS integration bridge security group interface (5)
  • OVS integration bridge 將封包加上 internal VLAN tag
  • OVS integration bridge int-br-provider patch 介面 (6) 將封包送往 OVS provider bridge phy-br-provider patch 介面 (7)
  • OVS Provider bridge 將 internal VLAN tag 換成實際 provider network 的 VLAN tag 101
  • Provider network interface (8) on OVS provider bridge will forward packets to physical network interface (9)
  • Physical network interface will forward packets to the switch (10) in the physical network setup

In actual physical network infrastructure:

  • Switch removes VLAN tag 101 and forwards packets to router (11)
  • Router forwards packets from provider network 1 (12) to provider network 2 (13)
  • Router forwards packets to switch (14)
  • Switch removes VLAN tag 102 and forwards packets to compute node 1 (15)

Packet return to compute node 1:

  • Physical network interface (16) forwards packets to provider network port (17) on OVS provider bridge
  • On OVS provider bridge, patch port phy-br-provider (18) forwards packets to patch port int-br-provider (19) on OVS integration bridge
  • OVS integration bridge converts VLAN tag 102 to internal VLAN tag
  • OVS integration bridge security group interface (20) forwards packets to OVS interface (21) on Linux bridge
  • On Linux bridge, iptables (22) handles firewall and connection tracking
  • Linux bridge instance port (23) uses veth pair to forward packets to instance network interface (24)

Apart from differences in actual network routing, the packet flows between instances on the same provider network are very similar. The above discussion covers packet flows under various Open vSwitch Provider Network configurations.

Summary

This article explains the architecture and packet flow under Open vSwitch – Provider Network. It can be seen that the overall concept is very similar to Linux Bridge – Provider Network, except that an additional OVS integration/provider bridge is involved. The next article will discuss the architecture and packet flow under Open vSwitch – self-service network.

Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless otherwise stated.

No comments yet

Leave a Reply