Neutron Understanding (2): Using Open vSwitch + VLAN networking [Neutron Open vSwitch + VLAN virtual network]

Source: Internet
Author: User
Tags: switches, openvswitch

Articles in the Neutron study series:

(1) Virtualization network implemented by Neutron

(2) Neutron Openvswitch + VLAN Virtual network

(3) Neutron Openvswitch + Gre/vxlan Network

(4) Neutron L3 Agent

(5) TBD

1. L2 Basic Knowledge

1.1 VLAN Basics

A LAN (local area network) is usually built by connecting computers to a Hub or a Switch. In general, two computers connected to the same Hub or Switch are on the same LAN; likewise, if two Switches are connected to each other, they form one LAN. A LAN is a broadcast domain: every member of the LAN receives a broadcast frame sent by any other member. It follows that the boundary of a LAN lies at a router or a similar Layer 3 device.

A VLAN is a Virtual LAN. A switch with VLAN capability can belong to multiple LANs at the same time; in the simplest terms, VLANs are a way of dividing one switch into several switches. For example, you have two groups of machines, A and B. Machines in group A should be able to reach each other, machines in group B should be able to reach each other, but machines in group A must not reach machines in group B. You could use two switches and connect each group to its own switch. If you have only one switch, VLANs achieve the same effect: you configure the switch ports connected to groups A and B as access ports of two different VLANs, and the switch then only forwards frames between ports in the same VLAN.

(Fig. 1)

The IEEE 802.1Q standard defines the format of the VLAN header. It inserts 4 bytes of VLAN tag/header data, including a 12-bit VLAN ID, after the SA (source address) of the normal Ethernet frame. The VLAN ID field allows up to 4096 values, but the valid range is 1-4094.
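The tag layout described above in working code. This Python example is added here and is not part of the original article: it builds an 802.1Q frame by inserting the 4-byte tag after the source address, parses it back, strips it the way an access port does on egress, and rejects the IDs outside 1-4094. The MAC addresses and payload are constructed sample values.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # TPID that marks a tagged frame
ETHERTYPE_ARP = 0x0806


def mac_bytes(text):
    """'fa:16:3e:fd:ed:22' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_tagged_frame(dst, src, vid, ethertype, payload, pcp=0):
    """DA | SA | TPID 0x8100 | TCI | original EtherType | payload.

    The 4-byte tag (TPID + TCI) is inserted right after the source address;
    the TCI packs a 3-bit priority, a 1-bit DEI (0 here) and the 12-bit VLAN ID."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID %d is outside the valid range 1-4094" % vid)
    tci = (pcp << 13) | vid
    return (mac_bytes(dst) + mac_bytes(src)
            + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload)


def parse_frame(frame):
    """Return (dst, src, vid, ethertype, payload); vid is None when untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return dst, src, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    # VID 0 only carries priority and 4095 is reserved: neither names a VLAN.
    if vid in (0, 4095):
        raise ValueError("reserved VLAN ID %d in tag" % vid)
    return dst, src, vid, inner_type, frame[18:]


def strip_tag(frame):
    """What an access port does on egress: remove the 4-byte tag, if present."""
    if parse_frame(frame)[2] is None:
        return frame
    return frame[:12] + frame[16:]
```

A parser that refuses VID 0 and 4095 is the behaviour to expect from a switch or a capture tool; a value the 12-bit field can hold is not automatically a VLAN that can be assigned.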

(Fig. 2)

The ports of a VLAN-capable switch fall into two categories:

    • Access port: each access port is assigned one VLAN tag. Frames that leave the switch through an access port towards the computer carry no VLAN tag, so a machine connected to an access port does not perceive that the VLAN exists. Frames that leave the computer and enter an access port are tagged by the switch with that port's VLAN tag.
    • Trunk port: when there are multiple switches, some machines of group A may be connected to switch 1 and the rest to switch 2. For these machines to reach each other, the two switches must be connected. To avoid running one cable per VLAN between the two switches, a VLAN trunk port is configured on each switch. A trunk port sends and receives frames with a VLAN header, which says which VLAN each frame belongs to, so a single trunk link between the two switches carries the frames of all VLANs. Trunk ports are normally used only between switches, not between a machine and a switch, because machines do not expect the frames they receive to carry a VLAN header.

(Fig. 3)

Limitations of VLANs:

    1. VLANs use a 12-bit VLAN ID, so the first limitation is that at most 4,096 VLANs are supported (a few of them reserved), which is not enough for a large data center.
    2. VLANs work at L2, so crossing an L2 boundary is difficult, which greatly limits the flexibility of the network.
    3. VLAN operations require a lot of manual intervention, which is unacceptable for administrators who manage thousands of machines.

1.2 Basic knowledge of Layer 2 switching

1.2.1 The basic functions of a Layer 2 switch

The most basic functions of a Layer 2 switch are:

    • MAC address learning: when the switch receives a frame on a port, it records the port ID together with the source MAC address of the frame in its internal MAC table.
    • Frame forwarding: after receiving a frame on a port, the switch decides which port to forward it from:
      • If the destination MAC address of the frame is a broadcast or multicast address, it is forwarded out of all ports of the switch except the incoming port.
      • If the destination MAC address of the frame has a matching entry in the internal MAC table, it is forwarded out of that entry's port.
      • In all other cases it is forwarded out of all ports of the switch except the incoming port.
    • Adding and removing VLAN tags: following the forwarding process above, the frame is tagged or untagged according to the port it leaves through.

By default, all ports of a switch are in VLAN 1, which is equivalent to having no VLANs configured. The mechanism is illustrated below:

(Fig. 4)

    1. PC A sends a frame to port 1 of the switch; the frame's destination MAC address is PC B's MAC.
    2. The switch compares the destination MAC address with its internal MAC table and finds no match (the table is empty at this point). Before it floods the frame, it records the pair (port 1, PC A's MAC) in its MAC table.
    3. The switch sends copies of the frame out of ports 2 and 3.
    4. When PC B receives the frame, it finds that the destination MAC address is its own MAC address and sends a reply frame into port 3.
    5. The switch records PC B's MAC address and port 3 in its MAC table.
    6. Because the reply frame's destination address, PC A's MAC address, is already in the MAC table, the switch forwards it directly out of port 1, and it reaches PC A.

A switch configured with VLANs works in a similar way, except that:

(1) Each row in the MAC table also carries a VLAN ID. When looking up a frame, the switch compares both the destination MAC address and the VLAN ID of the incoming frame with the rows of the table; when both match, that row's port is chosen as the egress port.

(Fig. 5)

(2) If no table entry matches, the frame is forwarded out of all access ports and trunk ports that belong to the same VLAN ID.
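The six-step learning sequence above and its VLAN extension, as an added example that is not part of the original article. The Python model below keeps a MAC table keyed by (VLAN ID, MAC), floods unknown and group destinations only within the frame's VLAN, tags frames on trunk egress and untags them on access egress. Port numbers, MAC addresses and payloads are constructed; untagged frames arriving on a trunk are simply dropped here, which is a simplification (real switches usually assign them to a native VLAN).

```python
from collections import namedtuple

# A frame carries a VLAN ID (vid) only when it is tagged; None means untagged.
Frame = namedtuple("Frame", "dst src vid payload")


def is_group_address(mac):
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class VlanSwitch:
    """Learning switch whose MAC table is keyed by (VLAN ID, MAC) and whose
    ports are either access ports (one VLAN, untagged on the wire) or trunk
    ports (several VLANs, tagged on the wire)."""

    def __init__(self):
        self.ports = {}       # port -> ("access", vid) or ("trunk", set(vids))
        self.mac_table = {}   # (vid, mac) -> port

    def add_access_port(self, port, vid):
        self.ports[port] = ("access", vid)

    def add_trunk_port(self, port, allowed_vids):
        self.ports[port] = ("trunk", set(allowed_vids))

    def _classify_ingress(self, port, frame):
        """Which VLAN does an incoming frame belong to? None means drop."""
        kind, cfg = self.ports[port]
        if kind == "access":
            return cfg                                      # the switch tags it on entry
        return frame.vid if frame.vid in cfg else None      # trunk: must be tagged and allowed

    def _egress(self, port, vid, frame):
        """Untag on access ports of that VLAN, tag on trunks that allow it, else None."""
        kind, cfg = self.ports[port]
        if kind == "access":
            return frame._replace(vid=None) if cfg == vid else None
        return frame._replace(vid=vid) if vid in cfg else None

    def receive(self, in_port, frame):
        """Process one frame; returns {out_port: frame_as_sent}."""
        vid = self._classify_ingress(in_port, frame)
        if vid is None:
            return {}
        self.mac_table[(vid, frame.src)] = in_port            # step 1: learn the source
        learned = self.mac_table.get((vid, frame.dst))
        if learned == in_port:
            return {}                                         # destination is on the incoming segment
        if learned is not None and not is_group_address(frame.dst):
            candidates = [learned]                            # known unicast: one port
        else:
            candidates = [p for p in self.ports if p != in_port]   # flood, restricted by VLAN below
        out = {}
        for port in candidates:
            sent = self._egress(port, vid, frame)
            if sent is not None:
                out[port] = sent
        return out
```

Because the table key includes the VLAN ID, the same MAC learned in VLAN 10 and VLAN 20 produces two independent entries, which is exactly what keeps groups A and B apart on one physical switch.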

1.2.2 Address Resolution Protocol (ARP) principle

A Layer 2 network uses MAC (media access control) addresses as the unique identifier of the hardware. Software based on the TCP/IP protocol stack uses ARP to convert IP addresses into MAC addresses.

1. The destination IP address is on the same network segment

(Fig. 6)

In this example, hosts A and B are on the same network segment. A's IP address is 10.0.0.99 and B's IP address is 10.0.0.100. When A wants to communicate with B, A needs to know B's MAC address. The process takes the following steps:

(1) The IP stack on A determines from B's IP address that B can be reached directly. A checks its local ARP cache to see whether B's MAC address is already there.

(2) If A does not find B's MAC address, it sends an ARP broadcast request asking "What is the MAC address of 10.0.0.100?". The packet is:

src MAC: A's MAC, dst MAC: FF:FF:FF:FF:FF:FF, src IP: A's IP, dst IP: B's IP

(3) All computers on the network segment receive the packet and check whether the dst IP is the same as their own IP. If it is different, the packet is discarded. Host B finds that the dst IP is its own IP address and adds A's IP/MAC mapping to its own ARP cache.

(4) B sends an ARP reply:

src MAC: B's MAC, dst MAC: A's MAC, src IP: B's IP, dst IP: A's IP

(5) The switch delivers the packet directly to host A. When A receives it, it caches B's MAC/IP pair in its ARP cache.

(6) A uses B's MAC as the destination MAC address to send IP packets.

2. The destination IP address is not on the same network segment

(Fig. 7)

In this example, A's address is 10.0.0.99 and B's address is 192.168.0.99. Router interface 1 is on the same network segment as A, with IP address 10.0.0.1; interface 2 is on the same network segment as B, with IP address 192.168.0.1. A uses the following steps to obtain the MAC address of router interface 1:

(1) From its routing table, the IP stack on A knows that it must go through the gateway 10.0.0.1 configured on it to reach B. Following the steps of the previous example, A obtains the MAC address of 10.0.0.1.

(2) Once A has the MAC address of router interface 1, A sends a packet to B:

src MAC: A's MAC, dst MAC: router interface 1's MAC, src IP: A's IP, dst IP: B's IP

(3) After interface 1 of the router receives the packet, the router consults its routing table, obtains B's MAC address through the same ARP process based on B's IP address, and then sends the packet to B:

src MAC: router interface 2's MAC, dst MAC: B's MAC, src IP: A's IP, dst IP: B's IP
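Both ARP cases above as one runnable model, added here and not part of the original article. Each Host object holds one interface and an ARP cache; a router is represented by one Host per interface; hosts on the same link share a segment list, and an ARP request is delivered to every host on that segment, of which only the owner of the target IP answers. The IP addresses follow the two examples, the MAC addresses are constructed, and the attach() helper is an assumption of this model.

```python
import ipaddress

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


class Host:
    """One IP interface with an ARP cache. A router is modelled as one Host
    object per interface; hosts on the same link share a 'segment' list."""

    def __init__(self, name, ip, prefix_len, mac, gateway=None):
        self.name, self.mac = name, mac
        self.iface = ipaddress.ip_interface("%s/%d" % (ip, prefix_len))
        self.gateway = ipaddress.ip_address(gateway) if gateway else None
        self.arp_cache = {}   # ip (str) -> mac
        self.segment = []     # every Host attached to the same L2 segment

    def next_hop(self, dst_ip):
        """Step (1): a destination inside our own prefix is reached directly,
        anything else goes to the configured gateway."""
        dst = ipaddress.ip_address(dst_ip)
        if dst in self.iface.network:
            return dst
        if self.gateway is None:
            raise RuntimeError("%s has no route to %s" % (self.name, dst))
        return self.gateway

    def handle_arp_request(self, request):
        """Steps (3)-(4) on the receiving side: only the owner of dst_ip answers,
        and it learns the requester's IP/MAC pair from the request."""
        if request["dst_ip"] != str(self.iface.ip):
            return None   # not for us: discard
        self.arp_cache[request["src_ip"]] = request["src_mac"]
        return {"src_mac": self.mac, "dst_mac": request["src_mac"],
                "src_ip": str(self.iface.ip), "dst_ip": request["src_ip"]}

    def arp_request(self, target_ip):
        """Steps (2) and (5): broadcast on the segment and cache the reply."""
        request = {"src_mac": self.mac, "dst_mac": BROADCAST_MAC,
                   "src_ip": str(self.iface.ip), "dst_ip": str(target_ip)}
        for host in self.segment:
            if host is self:
                continue
            reply = host.handle_arp_request(request)
            if reply is not None:
                self.arp_cache[reply["src_ip"]] = reply["src_mac"]
                return reply["src_mac"]
        return None   # nobody owns that IP on this segment

    def resolve(self, dst_ip):
        """Step (6): the MAC to put in the frame's destination field for dst_ip."""
        hop = str(self.next_hop(dst_ip))
        if hop not in self.arp_cache:
            self.arp_request(hop)
        return self.arp_cache.get(hop)


def attach(*hosts):
    """Constructed helper: put the given hosts on one shared L2 segment."""
    segment = list(hosts)
    for host in hosts:
        host.segment = segment
```

Note that resolving 192.168.0.99 from A never puts that address into A's ARP cache: only the gateway's MAC is learned, which is the whole point of the second case.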
2. Using Open vSwitch (OVS) + VLAN networking

A Neutron VLAN-based tenant network, like a provider network, relies on VLANs in the physical network.

2.1 Physical VLAN Network configuration

In this example, three VLAN ranges are set up on the switch:

    1. A management network for communication between OpenStack nodes, assuming a VLAN ID range of 50-99.
    2. A data network for communication between virtual machines. Because in VLAN mode each tenant network gets its own VLAN ID, the switch ports that connect the servers hosting VMs must be set to trunk mode with an allowed VLAN ID range, for example 100-300.
    3. An external network for connecting to the outside world, assuming a VLAN ID range of 1000-1010.

(Fig. 8)

About routing between network segments:

    • If the physical switch is connected to a physical router that is configured accordingly, the data network can use that physical router, and the Neutron virtual router is not needed.
    • If no physical router is used, a virtual router can be configured on the network node.
2.2 Neutron configuration

2.2.1 Configuration steps

On the control node:

# vim /etc/neutron/plugins/ml2/
[ml2]
type_drivers = flat,vlan
tenant_network_types = vlan
mechanism_drivers = openvswitch

[ml2_type_flat]
flat_networks = external

[ml2_type_vlan]
network_vlan_ranges = physnet1:100:300,external:1000:1010

On the network node:

# Create OVS physical bridges for the NICs eth2 and eth3 that connect to the physical switch; eth2 is used for the data network and eth3 for the external network
ovs-vsctl add-br br-eth2
ovs-vsctl add-br br-ex
ovs-vsctl add-port br-eth2 eth2

# vim /etc/neutron/plugins/ml2/
[ml2]
type_drivers = flat,vlan
tenant_network_types = vlan
mechanism_drivers = openvswitch

[ml2_type_flat]
flat_networks = external

[ml2_type_vlan]
network_vlan_ranges = physnet1:100:300,external:1000:1010

[ovs]
bridge_mappings = physnet1:br-eth2,external:br-ex

On the compute node:

# Create an OVS physical bridge for the NIC eth2 that connects to the physical switch
ovs-vsctl add-br br-eth2
ovs-vsctl add-port br-eth2 eth2

# vim /etc/neutron/plugins/ml2/
[ml2]
type_drivers = vlan
tenant_network_types = vlan
mechanism_drivers = openvswitch

[ml2_type_vlan]
network_vlan_ranges = physnet1:100:300

[ovs]
bridge_mappings = physnet1:br-eth2

Note:

    • The VLAN IDs in network_vlan_ranges must match the VLAN ID ranges configured on the physical switch.
    • The bridges named in bridge_mappings must be the OVS bridges that were created manually on the node.

Then restart the relevant Neutron services.
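The two consistency conditions in the note lend themselves to an automated check before the services are restarted. The Python example below is added here and is not part of the original article or of Neutron itself: it parses network_vlan_ranges and bridge_mappings with the same syntax the files above use, and reports a range that is not inside the switch trunk range, a VLAN physnet without a bridge mapping, and a mapped bridge that does not exist on the node. The SAMPLE_INI text, the switch trunk ranges and the bridge list passed in are constructed inputs; on a real node the bridge list would come from the output of ovs-vsctl list-br.

```python
import configparser

VALID_VIDS = range(1, 4095)   # 802.1Q allows 1-4094

# Constructed sample of the agent-side ml2 file from the text (not copied from a live node).
SAMPLE_INI = """
[ml2]
type_drivers = flat,vlan
tenant_network_types = vlan
mechanism_drivers = openvswitch

[ml2_type_flat]
flat_networks = external

[ml2_type_vlan]
network_vlan_ranges = physnet1:100:300,external:1000:1010

[ovs]
bridge_mappings = physnet1:br-eth2,external:br-ex
"""


def parse_vlan_ranges(value):
    """'physnet1:100:300,external:1000:1010' -> {'physnet1': [(100, 300)], ...}.
    A bare physnet name (no range) is allowed: it can then only host provider networks."""
    ranges = {}
    for item in filter(None, (s.strip() for s in value.split(","))):
        parts = item.split(":")
        if len(parts) == 1:
            ranges.setdefault(parts[0], [])
        elif len(parts) == 3:
            low, high = int(parts[1]), int(parts[2])
            if low > high or low not in VALID_VIDS or high not in VALID_VIDS:
                raise ValueError("invalid VLAN range %r" % item)
            ranges.setdefault(parts[0], []).append((low, high))
        else:
            raise ValueError("cannot parse %r" % item)
    return ranges


def parse_bridge_mappings(value):
    """'physnet1:br-eth2,external:br-ex' -> {'physnet1': 'br-eth2', ...}."""
    mappings = {}
    for item in filter(None, (s.strip() for s in value.split(","))):
        physnet, bridge = item.split(":")
        mappings[physnet] = bridge
    return mappings


def check_agent_config(ini_text, switch_trunk_ranges, existing_bridges):
    """Return a list of problems; an empty list means the file is consistent.

    switch_trunk_ranges: {physnet: [(low, high), ...]} allowed on the switch port
    existing_bridges:    bridge names present on this node (ovs-vsctl list-br)"""
    cfg = configparser.ConfigParser(delimiters=("=",))   # values contain ':'
    cfg.read_string(ini_text)
    ranges = parse_vlan_ranges(cfg.get("ml2_type_vlan", "network_vlan_ranges", fallback=""))
    mappings = parse_bridge_mappings(cfg.get("ovs", "bridge_mappings", fallback=""))
    problems = []
    for physnet, spans in ranges.items():
        if physnet not in mappings:
            problems.append("%s has a VLAN range but no bridge_mappings entry" % physnet)
        allowed = switch_trunk_ranges.get(physnet, [])
        for low, high in spans:
            if not any(a_low <= low and high <= a_high for a_low, a_high in allowed):
                problems.append("%s:%d:%d is not within the switch trunk range" % (physnet, low, high))
    for physnet, bridge in mappings.items():
        if bridge not in existing_bridges:
            problems.append("bridge %s for %s does not exist on this node" % (bridge, physnet))
    return problems
```

The check treats the switch-side range as the authority: a Neutron range that extends past what the trunk port allows would let the server allocate segmentation IDs whose frames the switch silently drops, which shows up later as VMs that cannot reach each other across hosts.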

2.2.2 How the configuration takes effect

When the Neutron L2 agent (OVS agent or Linux Bridge agent) starts on the compute and network nodes, it creates the various bridges on the node according to the configuration. Taking the OVS agent as an example:

(1) Create the integration bridge (default br-int) and, if enable_tunneling = False, create the tunnel bridge (default br-tun).

(2) According to bridge_mappings, configure the pre-created OVS bridge for each physical network interface used by VLAN and flat networks.

(3) All VIFs of the virtual machines are connected to the integration bridge. VM VIFs on the same virtual network share a local VLAN. The local VLAN ID is mapped to the segmentation_id of the physical network that backs the virtual network.

(4) For GRE-type virtual networks, an LSI (Logical Switch Identifier) distinguishes tenant traffic inside the tunnel. The two ends of a tunnel are the tunnel bridges on each physical server. A patch port pair connects br-int and br-tun.

(5) For each VLAN or flat network, a veth pair or a patch port pair connects br-int to the physical bridge, and flow rules are added.

(6) Finally, after starting, the Neutron L2 agent runs an RPC polling loop that handles port additions, deletions and modifications. The administrator can set the interval of this loop through the configuration option polling_interval, which defaults to 2 seconds.

2.3 Create a virtual network and subnet

2.3.1 Create commands

$ neutron net-create net1
(An admin user can run "neutron net-create net1 --provider:network_type vlan --provider:physical_network physnet1 --provider:segmentation_id 101" for the same effect.)
Created a new network:
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | dfc74f44-a9f2-4497-a53d-1723804a49a8 |
| name                      | net1                                 |
| provider:network_type     | vlan                                 |
| provider:physical_network | physnet1                             |
| provider:segmentation_id  | 101                                  |
| router:external           | False                                |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   |                                      |
| tenant_id                 | 74c8ada23a3449f888d9e19b76d13aab     |
+---------------------------+--------------------------------------+
$ neutron subnet-create net1 10.0.0.0/ --name subnet1
2.3.2 Neutron Code Implementation

After completing the steps above, the user can boot a virtual machine on the subnet.

While booting the virtual machine, Nova will:

(1) Call the Neutron REST API to request one or more ports. Neutron allocates them based on the configuration in its database.

(2) On the compute node, call the ovs-vsctl command to plug the VM's VIF into br-int.

(3) Start the virtual machine.

The Neutron L2 agent loops every two seconds and, in each iteration:

(1) Calls the "ovs-vsctl list-ports" command to obtain the ports on br-int, and compares them with the data saved from the previous iteration to produce the list of changed ports (added, updated and deleted ports). For example:

{'current': set([u'04646b21-78a0-429e-85be-3167042b77be', u'592740b0-0768-4e57-870d-6495e6c22135']), 'removed': set([]), 'added': set([u'04646b21-78a0-429e-85be-3167042b77be', u'592740b0-0768-4e57-870d-6495e6c22135'])}

(2) For each port to be processed, obtains its details from the DB by its ID. For example:

{u'profile': {}, u'admin_state_up': True, u'network_id': u'e2022937-ec2a-467a-8cf1-f642a3f777b6', u'segmentation_id': 4, u'device_owner': u'compute:nova', u'physical_network': u'phynet1', u'mac_address': u'fa:16:3e:fd:ed:22', u'device': u'592740b0-0768-4e57-870d-6495e6c22135', u'port_id': u'592740b0-0768-4e57-870d-6495e6c22135', u'fixed_ips': [{u'subnet_id': u'13888749-12b3-462e-9afe-c527bd0a297e', u'ip_address': u'91.1.180.4'}], u'network_type': u'vlan'}

(3) For each added or changed port, sets its local VLAN tag, calls the "ovs-ofctl mod-flows" command to set the flow rules on br-tun or the physical bridge, and sets the port status to up in the DB.

(4) For each deleted port, sets its status to down in the DB.

2.4 Neutron virtual network

(1) An example network on a compute node

The network configuration it reflects is as follows:

    1. Neutron uses Open vSwitch.
    2. One physical server; its NIC eth1 connects to the physical switch, and the bridge br-eth1 has been created in advance.
    3. Two Neutron VLAN networks were created, using VLAN IDs 101 and 102 respectively.
    4. The server runs three virtual machines: VM 1 and VM 2 each have one NIC on network 1, and VM 2 and VM 3 each have one NIC on network 2.

(Fig. 9)

What Neutron does on this compute node:

    • Creates the OVS integration bridge br-int. It has four access ports: two with internal VLAN tag 1, connected to the two NICs on network 1, and two with internal VLAN tag 2, connected to the two NICs on network 2.
    • Creates a pair of patch ports connecting br-int and br-eth1.
    • Sets flow rules on br-int: frames entering from the access ports get the corresponding internal VLAN tag and are forwarded to the patch port; frames entering from the patch port have VLAN ID 101 changed to 1 and 102 changed to 2 and are then forwarded to the appropriate access ports.
    • Sets flow rules on br-eth1: frames entering from the patch port have internal VLAN ID 1 changed to 101 and internal VLAN ID 2 changed to 102 and are then sent out of port eth1. Frames entering from eth1 are handled the opposite way.
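The agent loop of section 2.3.2 (diffing the ports on br-int and tagging each port) and the VLAN translation rules just listed for br-int and br-eth1, together in one model. This Python example is added here and is not Neutron's own code: it returns the port diff, the local VLAN chosen per network, the ovs-vsctl tag command and the flow rules as text, without executing anything. The patch port names (int-br-eth1, phy-br-eth1), the port names, the sequential local VLAN allocator and the flow priorities are assumptions of the model; the VLAN ID rewrites themselves (101 to 1 on br-int, 1 to 101 on br-eth1) are the ones the text describes.

```python
import itertools

LOCAL_VLAN_MIN, LOCAL_VLAN_MAX = 1, 4094


class OvsAgentModel:
    """Models one iteration of the L2 agent loop: diff the ports on br-int, give
    each network a local VLAN, and produce the commands/flows it would apply.
    Nothing is executed; every method returns data so it can be inspected."""

    def __init__(self, bridge_mappings, patch_ports):
        self.bridge_mappings = bridge_mappings   # physnet -> physical bridge (from config)
        self.patch_ports = patch_ports           # physnet -> (patch on br-int, patch on physical bridge)
        self.local_vlans = {}                    # network_id -> local VLAN tag
        self._next_local = itertools.count(LOCAL_VLAN_MIN)   # simple allocator (assumption)
        self.known_ports = set()

    def scan_ports(self, listed_ports):
        """Step (1): compare the output of 'ovs-vsctl list-ports br-int' with the
        previous scan and report what changed."""
        current = set(listed_ports)
        result = {"current": current,
                  "added": current - self.known_ports,
                  "removed": self.known_ports - current}
        self.known_ports = current
        return result

    def local_vlan_for(self, port_detail):
        """Step (3): ports of the same network share one local VLAN on br-int."""
        network = port_detail["network_id"]
        if network not in self.local_vlans:
            tag = next(self._next_local)
            if tag > LOCAL_VLAN_MAX:
                raise RuntimeError("no free local VLAN")
            self.local_vlans[network] = tag
        return self.local_vlans[network]

    def port_tag_command(self, port_name, port_detail):
        """The ovs-vsctl call that puts a VIF into its network's local VLAN."""
        return "ovs-vsctl set Port %s tag=%d" % (port_name, self.local_vlan_for(port_detail))

    def flows_for_network(self, port_detail):
        """Flow rules (ovs-ofctl add-flow syntax) translating between the local VLAN
        on br-int and the physical segmentation_id on the physical bridge."""
        if port_detail["network_type"] != "vlan":
            raise ValueError("only VLAN networks are modelled here")
        local = self.local_vlan_for(port_detail)
        seg = port_detail["segmentation_id"]
        physnet = port_detail["physical_network"]
        int_patch, phy_patch = self.patch_ports[physnet]
        return {
            # inbound from the physical bridge: physical VLAN -> local VLAN
            "br-int": ["priority=3,in_port=%s,dl_vlan=%d,actions=mod_vlan_vid:%d,NORMAL"
                       % (int_patch, seg, local)],
            # outbound towards the wire: local VLAN -> physical VLAN
            self.bridge_mappings[physnet]: [
                "priority=4,in_port=%s,dl_vlan=%d,actions=mod_vlan_vid:%d,NORMAL"
                % (phy_patch, local, seg)],
        }
```

The local VLAN is a per-host number: two compute nodes may map the same segmentation_id 101 to different local tags, and only the rewrite on the physical bridge makes their frames agree on the wire, which is why a missing or wrong flow on br-eth1 isolates a host even though br-int looks correct.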

(2) Adding another server connected to the same physical switch (its Neutron network uses VLAN ID 100 and its physical bridge is br-eth0):

(Fig. 10)

Neutron thus implements a Layer 2 virtual network across physical servers on top of the physical VLAN switch.

(3) The case of a network node connected to the same physical switch

(Fig. 11)

(4) Network flows

    • Virtual machines on different physical servers: if VM1 and VM2 belong to the same subnet of the same tenant network, they communicate directly through the physical switch without passing through the network node, as shown in Fig. 10.
    • Virtual machines on the same physical server: if VM1 and VM2 belong to the same subnet of the same tenant network, they communicate directly through br-int.
    • Traffic between other virtual machines counts as cross-subnet traffic; its IP packets are routed by the router on the network node (or by a physical router attached to the physical switch).

A more detailed analysis of the network flows can be found in my other articles:

    • Explore OpenStack (8): Neutron in-depth exploration of OVS + GRE's complete network process
    • Explore OpenStack (7): Neutron in-depth exploration of the Open VSwitch (OVS) + GRE Neutron node Chapter
    • Learning OpenStack (6): Neutron deep learning OVS + GRE Compute node

Note: All the pictures in this article come from the Internet.
