https://git.opendaylight.org/gerrit/#/q/topic:hairpinning
This feature enables VM instances connected to the same router to communicate with each other directly using their floating ip addresses, without traversing the external gateway.
Local and East/West communication between VMs using floating ips for flat/VLAN provider types is not handled internally by the pipeline currently. As a result, this type of traffic is mistakenly classified as North/South and routed to the external network gateway.
Today, SNATted traffic to flat/VLAN network is routed directly to the external gateway after traversing the SNAT/outbound NAPT pipeline using OF group per external network subnet. The group itself sets the destination mac as the mac address of the external gw associated with the floating ip/router gw and outputs to the provider network port via the egress table. This workflow would be changed to align with the VxLAN provider type and direct SNATted traffic back to the FIB, where the destination can then be resolved to be a floating ip on the local or a remote compute node.
odl-nat:subnets-networks.
This model will be filled only for external flat/VLAN provider networks and will take precedence over the odl-nat:external-networks model for selection of vpn-id. BGPVPN use cases won’t be affected by these changes as this model will not be applicable for these scenarios.
For Pre SNAT, SNAT, FIB tables the vpn-id will be based on the subnet-id of the floating ip
Packets from the SNAT table are resubmitted back to the FIB rather than sent straight to the external network subnet-id group. In the FIB table they should be matched against a new flow with lower priority than any other flow containing a dst-ip match. Traffic will be redirected based on the vpn-id of the floating ip subnet to the external network subnet-id group.
l3vpn service: set vpn-id=router-id
=>match: vpn-id=router-id,dst-mac=router-interface-mac
=>match: vpn-id=router-id
=>match: vpn-id=router-id,src-ip=vm-ip set vpn-id=fip-subnet-id,src-ip=fip
=>match: vpn-id=fip-subnet-id,src-ip=fip set src-mac=fip-mac
=>match: vpn-id=fip-subnet-id
=>set dst-mac=ext-subnet-gw-mac, reg6=provider-lport-tag
For GW MAC, FIB table the vpn-id will be based on the subnet-id of the floating ip
l3vpn service: set vpn-id=ext-net-id
=>match: vpn-id=ext-net-id,dst-mac=floating-ip-mac set vpn-id=fip-subnet-id
=>match: vpn-id=fip-subnet-id,dst-ip=fip
=>match: dst-ip=fip set vpn-id=router-id,dst-ip=vm-ip
=>match: vpn-id=router-id,dst-ip=vm-ip
=>match: vpn-id=router-id,dst-ip=vm-ip
=>set dst-mac=vm-mac, reg6=vm-lport-tag
For Outbound NAPT, NAPT PFIB and FIB tables the vpn-id will be based on the subnet-id of the router gateway
Packets from the NAPT PFIB table are resubmitted back to the FIB rather than sent straight to the external network subnet-id group. In the FIB table they should be matched against a new flow with lower priority than any other flow containing a dst-ip match. Traffic will be redirected based on the vpn-id of the router gateway subnet to the external network subnet-id group.
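The FIB behaviour described for packets resubmitted from the SNAT and NAPT PFIB tables, as an added sketch that is not part of the original spec or the netvirt code base: dst-ip flows per floating ip sit above a vpn-id-only default flow per external subnet. The priorities (42/10), MAC addresses, action strings and function names are assumptions made for illustration; in this model a floating ip from a different external subnet falls through to the gateway group because its flow carries another vpn-id.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    priority: int
    match: tuple   # ((field, value), ...) that the packet must carry
    action: str

def build_fib(ext_subnets, fips, local_dpn):
    """FIB flows for one compute node; the vpn-id is the external subnet-id."""
    flows = []
    for fip in fips:
        match = (("vpn_id", fip["subnet"]), ("dst_ip", fip["ip"]))
        if fip["dpn"] == local_dpn:
            # Floating ip hosted on this node: continue to Pre DNAT / DNAT.
            flows.append(Flow(42, match, "goto:pre-dnat"))
        else:
            # Floating ip on a remote node: rewrite dst-mac, use provider port.
            flows.append(Flow(42, match, "set dst-mac=" + fip["mac"] + " output:provider-port"))
    for subnet, gw_mac in ext_subnets.items():
        # New default flow: matches vpn-id only, below every dst-ip flow.
        flows.append(Flow(10, (("vpn_id", subnet),), "group:" + subnet + " set dst-mac=" + gw_mac))
    return flows

def fib_lookup(flows, pkt):
    """Return the action of the highest-priority matching flow."""
    hits = [f for f in flows if all(pkt.get(k) == v for k, v in f.match)]
    return max(hits, key=lambda f: f.priority).action if hits else "drop"

# Constructed sample data (addresses follow the page's 10.64/10.65 subnets).
EXT_SUBNETS = {"public-subnet1": "00:00:5e:00:64:01", "public-subnet2": "00:00:5e:00:65:01"}
FIPS = [
    {"ip": "10.64.0.10", "mac": "fa:16:3e:00:00:10", "subnet": "public-subnet1", "dpn": 1},
    {"ip": "10.64.0.11", "mac": "fa:16:3e:00:00:11", "subnet": "public-subnet1", "dpn": 2},
    {"ip": "10.65.0.10", "mac": "fa:16:3e:00:00:12", "subnet": "public-subnet2", "dpn": 2},
]

def classify(dst_ip, vpn_id="public-subnet1", local_dpn=1):
    """Classify a packet resubmitted from SNAT / NAPT PFIB to the FIB."""
    return fib_lookup(build_fib(EXT_SUBNETS, FIPS, local_dpn), {"vpn_id": vpn_id, "dst_ip": dst_ip})

if __name__ == "__main__":
    for dst in ("10.64.0.10", "10.64.0.11", "10.65.0.10", "203.0.113.7"):
        print(dst, "->", classify(dst))
```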
l3vpn service: set vpn-id=router-id
=>match: vpn-id=router-id,dst-mac=router-interface-mac
=>match: vpn-id=router-id
=>match: vpn-id=router-id
=>match: src-ip=vm-ip,port=int-port set src-ip=router-gw-ip,vpn-id=router-gw-subnet-id,port=ext-port
=>match: vpn-id=router-gw-subnet-id
=>match: vpn-id=router-gw-subnet-id
=>set dst-mac=ext-subnet-gw-mac, reg6=provider-lport-tag
For FIB table the vpn-id will be based on the subnet-id of the router gateway
l3vpn service: set vpn-id=ext-net-id
=>match: vpn-id=ext-net-id,dst-mac=router-gw-mac
=>match: vpn-id=ext-net-id,dst-ip=router-gw set vpn-id=router-gw-subnet-id
=>match: dst-ip=router-gw,port=ext-port set dst-ip=vm-ip,vpn-id=router-id,port=int-port
=>match: vpn-id=router-id
=>match: vpn-id=router-id,dst-ip=vm-ip
=>set dst-mac=vm-mac,reg6=vm-lport-tag
For Pre SNAT, SNAT, FIB tables the vpn-id will be based on the subnet-id of the floating ips
l3vpn service: set vpn-id=router-id
=>match: vpn-id=router-id,dst-mac=router-interface-mac
=>match: vpn-id=router-id
=>match: vpn-id=router-id,src-ip=src-vm-ip set vpn-id=fip-subnet-id,src-ip=src-fip
=>match: vpn-id=fip-subnet-id,src-ip=src-fip set src-mac=src-fip-mac
=>match: vpn-id=fip-subnet-id,dst-ip=dst-fip
=>match: dst-ip=dst-fip set vpn-id=router-id,dst-ip=dst-vm-ip
=>match: vpn-id=router-id,dst-ip=dst-vm-ip
=>match: vpn-id=router-id,dst-ip=dst-vm-ip
=>set dst-mac=dst-vm-mac,reg6=dst-vm-lport-tag
For Pre SNAT, SNAT, FIB tables the vpn-id will be based on the subnet-id of the floating ip
The destination mac is updated by the FIB table to be the floating ip mac. Traffic is sent to the egress DPN over the port of the flat/VLAN provider network.
l3vpn service: set vpn-id=router-id
=>match: vpn-id=router-id,dst-mac=router-interface-mac
=>match: vpn-id=router-id
=>match: vpn-id=router-id,src-ip=src-vm-ip set vpn-id=fip-subnet-id,src-ip=src-fip
=>match: vpn-id=fip-subnet-id,src-ip=src-fip set src-mac=src-fip-mac
=>match: vpn-id=fip-subnet-id,dst-ip=dst-fip set dst-mac=dst-fip-mac, reg6=provider-lport-tag
For GW MAC, FIB table the vpn-id will be based on the subnet-id of the floating ip
l3vpn service: set vpn-id=ext-net-id
=>match: vpn-id=ext-net-id,dst-mac=dst-fip-mac set vpn-id=fip-subnet-id
=>match: vpn-id=fip-subnet-id,dst-ip=dst-fip
=>match: dst-ip=dst-fip set vpn-id=router-id,dst-ip=dst-vm-ip
=>match: vpn-id=router-id,dst-ip=dst-vm-ip
=>match: vpn-id=router-id,dst-ip=dst-vm-ip
=>set dst-mac=dst-vm-mac,lport-tag=dst-vm-lport-tag
No flow changes required. Traffic will be directed to the NAPT switch and directed to the outbound NAPT table straight from the internal tunnel table
l3vpn service: set vpn-id=router-id
=>match: vpn-id=router-id,dst-mac=router-interface-mac
=>match: vpn-id=router-id
=>match: vpn-id=router-id
=>output to tunnel port of NAPT switch
For Outbound NAPT, NAPT PFIB, Pre DNAT, DNAT and FIB tables the vpn-id will be based on the common subnet-id of the router gateway and the floating-ip.
Packets from the NAPT PFIB table are resubmitted back to the FIB, where they will be matched against the destination floating ip.
The destination mac is updated by the FIB table to be the floating ip mac. Traffic is sent to the egress DPN over the port of the flat/VLAN provider network.
l3vpn service: set vpn-id=router-id
=>match: vpn-id=router-id,dst-mac=router-interface-mac
=>match: vpn-id=router-id
=>match: vpn-id=router-id
=>match: src-ip=vm-ip,port=int-port set src-ip=router-gw-ip,vpn-id=router-gw-subnet-id,port=ext-port
=>match: vpn-id=router-gw-subnet-id
=>match: vpn-id=router-gw-subnet-id,dst-ip=dst-fip set dst-mac=dst-fip-mac, reg6=provider-lport-tag
For GW MAC, FIB table the vpn-id will be based on the subnet-id of the floating ip
l3vpn service: set vpn-id=ext-net-id
=>match: vpn-id=ext-net-id,dst-mac=dst-fip-mac set vpn-id=fip-subnet-id
=>match: vpn-id=fip-subnet-id,dst-ip=dst-fip
=>match: dst-ip=dst-fip set vpn-id=router-id,dst-ip=dst-vm-ip
=>match: vpn-id=router-id,dst-ip=dst-vm-ip
=>match: vpn-id=router-id,dst-ip=dst-vm-ip
=>set dst-mac=dst-vm-mac,lport-tag=dst-vm-lport-tag
odl-nat module will be enhanced with the following container
    container external-subnets {
        list subnets {
            key id;
            leaf id {
                type yang:uuid;
            }
            leaf vpnid {
                type yang:uuid;
            }
            leaf-list router-ids {
                type yang:uuid;
            }
            leaf external-network-id {
                type yang:uuid;
            }
        }
    }
This model will be filled out only for flat/VLAN external network provider types. If this model is missing, vpn-id will be taken from the odl-nat:external-networks model to maintain compatibility with BGPVPN models.
The odl-nat:ext-routers container will be enhanced with the list of the external subnet-ids associated with the router.
    container ext-routers {
        list routers {
            key router-name;
            leaf router-name {
                type string;
            }
            ...
            leaf-list external-subnet-id {
                type yang:uuid;
            }
        }
    }
Carbon
None
neutron net-create public-net -- --router:external --is-default --provider:network_type=flat --provider:physical_network=physnet1
neutron subnet-create --ip_version 4 --gateway 10.64.0.1 --name public-subnet1 <public-net-uuid> 10.64.0.0/16 -- --enable_dhcp=False
neutron subnet-create --ip_version 4 --gateway 10.65.0.1 --name public-subnet2 <public-net-uuid> 10.65.0.0/16 -- --enable_dhcp=False
neutron net-create private-net1
neutron subnet-create --ip_version 4 --gateway 10.0.123.1 --name private-subnet1 <private-net1-uuid> 10.0.123.0/24
neutron net-create private-net2
neutron subnet-create --ip_version 4 --gateway 10.0.124.1 --name private-subnet2 <private-net2-uuid> 10.0.124.0/24
neutron net-create private-net3
neutron subnet-create --ip_version 4 --gateway 10.0.125.1 --name private-subnet3 <private-net3-uuid> 10.0.125.0/24
neutron net-create private-net4
neutron subnet-create --ip_version 4 --gateway 10.0.126.1 --name private-subnet4 <private-net4-uuid> 10.0.126.0/24
neutron router-create router1
neutron router-interface-add <router1-uuid> <private-subnet1-uuid>
neutron router-gateway-set --fixed-ip subnet_id=<public-subnet1-uuid> <router1-uuid> <public-net-uuid>
neutron router-create router2
neutron router-interface-add <router2-uuid> <private-subnet2-uuid>
neutron router-gateway-set --fixed-ip subnet_id=<public-subnet2-uuid> <router2-uuid> <public-net-uuid>
neutron router-create router3
neutron router-interface-add <router3-uuid> <private-subnet3-uuid>
neutron router-interface-add <router3-uuid> <private-subnet4-uuid>
neutron router-gateway-set --fixed-ip subnet_id=<public-subnet1-uuid> --fixed-ip subnet_id=<public-subnet2-uuid> <router3-uuid> <public-net-uuid>
neutron floatingip-create --subnet <public-subnet1-uuid> public-net
neutron floatingip-create --subnet <public-subnet1-uuid> public-net
neutron floatingip-create --subnet <public-subnet2-uuid> public-net
nova boot --image <image-id> --flavor <flavor-id> --nic net-id=<private-net1-uuid> VM1
nova floating-ip-associate VM1 <fip1-public-subnet1>
nova boot --image <image-id> --flavor <flavor-id> --nic net-id=<private-net1-uuid> VM2
nova floating-ip-associate VM2 <fip2-public-subnet1>
nova boot --image <image-id> --flavor <flavor-id> --nic net-id=<private-net2-uuid> VM3
nova floating-ip-associate VM3 <fip1-public-subnet2>
nova boot --image <image-id> --flavor <flavor-id> --nic net-id=<private-net2-uuid> VM4
nova boot --image <image-id> --flavor <flavor-id> --nic net-id=<private-net3-uuid> VM5
nova boot --image <image-id> --flavor <flavor-id> --nic net-id=<private-net4-uuid> VM6
VM1 and VM2 will route traffic through external gateway 10.64.0.1.
VM3 and VM4 route traffic through external gateway 10.65.0.1.
VM5 and VM6. Each connection will be routed to a different external gateway with the corresponding subnet router-gateway ip.
VM1 and VM2 using their floating ips.
VM4 to VM3 using floating ip. Since VM4 has no associated floating ip, a NAPT entry will be allocated using the router-gateway ip.
odl-netvirt-openstack
https://trello.com/c/uDcQw95v/104-pipeline-changes-fip-w-multiple-subnets-in-ext-net-hairpinning
None