Midokura Gluecon 2014 - Level up your OpenStack Neutron Networking


OpenStack Neutron Networking OVS Plugin Overview. Improve networking scale and performance with a third party distributed overlay solution, such as MidoNet.


Gluecon 2014 Adam Johnson @adjohn

Level up your OpenStack Cloud with MidoNet Network Virtualization

Outline

•  OpenStack Intro
•  Neutron Overview
•  Networking Evolution
•  OVS Plugin
•  MidoNet Overview
•  Q&A

What is OpenStack?


Neutron

OpenStack Networking
•  Pluggable Architecture
•  Standard API
•  Many choices

Plugins Available
•  OVS Plugin
•  Linux Bridges
•  Flat DHCP
•  VLAN DHCP
•  ML2
•  MidoNet
•  NSX
•  PlumGRID
•  Nuage
•  Contrail
•  Ryu
•  …

Evolution of Network Virtualization

[Diagram: three approaches arranged along an axis of innovation in networking agility]

VLAN APPROACH (Manual End-to-End)
VLAN configured on physical switches
•  Static
•  Manual
•  Complex
•  Tenant state maintained in physical network

OPENFLOW REACTIVE APPROACH (Reactive End-to-End)
Requires programming of flows
•  Limited scalability
•  Hard to manage
•  Impact to performance
•  Still requires tenant state in physical network

PROACTIVE SOFTWARE OVERLAY (Virtual Network Overlays)
Decoupling hardware and software
•  Cloud-ready agility
•  Unlimited scalability
•  Open, standards-based
•  No impact to physical network

OVS Open Source Plugin

Overlay Networking: GRE Tunnels
Uses Open vSwitch Project

Components:
•  Neutron OVS Agent
•  Neutron DHCP Agent
•  Neutron L3 Agent
•  IPTables

[Diagram: a Neutron Network Node running Neutron-Server + OVS Plugin with the L3 Agent (NAT / Floating IPs via IP Tables / Routing), the DHCP Agent (dnsmasq) and the OVS Agent (ovsdb / vswitchd) on the Linux Kernel / IP Stack; two Compute Nodes, each running nova compute, the OVS Agent, KVM with VMs, ovsdb / vswitchd and IP Tables (security groups) on the Linux Kernel / IP Stack; GRE Tunnels between the nodes over the IP underlay; the WAN reached through the Network Node]

Challenges with OVS Plugin

Neutron Network Node is a SPOF
Need to use corosync, etc. for active/standby failover.

Challenging at Scale
Since there's a single network node, this becomes a bottleneck fairly quickly.

Inefficient Networking
IPTables, the L3 Agent and multiple hops for a single flow cause unnecessary traffic and added latency on your physical network.

Level up Neutron with MidoNet

[Diagram: the MidoNet Network Virtualization Platform sits between Any Application / Any Cloud Management Platform above and Any Hypervisor / Any Network Hardware below, providing Logical L2, Logical L3, Logical Firewall, Logical Layer 4 Load Balancer and Logical VPN]

MidoNet Network Virtualization Platform
•  Logical Switching – Layer 2 over Layer 3, decoupled from the physical network
•  Logical Routing – Routing between virtual networks without exiting the software container
•  Logical Firewall – Distributed Firewall, Kernel Integrated, High Performance
•  Logical Layer 4 Load Balancer – Application Load Balancing in software
•  Logical VPN – Site-to-Site & Remote Access VPN in software
•  MidoNet API – RESTful API for integration into any Cloud Management Platform

Architecture Overview

[Diagram: Logical Topology – Overlay Networks, running above the kernel of each node]

How does MidoNet Work?

[Diagram: Your Existing Infrastructure, to which a Load Balancer, MidoNet Borders, the MidoNet Gateway and the Network state database are added]

Initial Setup: your existing infrastructure
•  Then we add MidoNet Storage and MidoNet Border Nodes
•  Then we install the MidoNet Agent on all the Hypervisor Nodes
•  Overlay needs underlay devices connected over IP

Now we can build your Logical Network

Let's spin up two VMs for a single tenant.

[Diagram: Provider Router connected to the External Network; Tenant Router at address 192.168.5.1 with the rules "Allow incoming tcp/22" and "NAT 192.168.5.2 <-> 112.140.32.94"; Tenant Network with subnet 192.168.5.0/24 holding the two VMs 192.168.5.2 and 192.168.5.3; the logical topology lives in the Network state database, alongside your existing infrastructure and the MidoNet Gateway]

•  MidoNet creates a Provider Router which connects to the External Network
•  Each Tenant can create their own virtual Tenant Router
•  Then the tenant can create VMs and Networks, then attach those to the Tenant Router
•  Various rules and subnets can be applied to the virtual infrastructure
•  All of the logical topology is stored in MidoNet's Storage Nodes

Now let's talk about what happens when we send traffic between the two VMs

[Diagram: the same logical topology (Provider Router; Tenant Router 192.168.5.1 with "Allow incoming tcp/22" and "NAT 192.168.5.2 <-> 112.140.32.94"; Tenant Network 192.168.5.0/24 with VMs 192.168.5.2 and 192.168.5.3) over your existing infrastructure, the MidoNet Gateway and the Network state database, with a GRE Tunnel drawn between the two hypervisors]

•  First the outbound packet from VM1 is intercepted by the MidoNet agent on the Hypervisor
•  Next, the MidoNet Agent queries the Network state database for the virtual topology
•  Then the MidoNet agent simulates the packet moving through the virtual topology and the actions that need to be performed on the packet
•  Now MidoNet can create a GRE tunnel between the required nodes, and send the packet on its way
•  Finally, the packet is received by the target node and delivered to the VM.
•  Subsequent packets follow the already established path, and can travel at near line speed.
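The packet walk above, as an added toy model that is not part of the slides or of MidoNet's own code: the agent simulates the first packet of a flow against the deck's logical topology (tenant router with "Allow incoming tcp/22" and "NAT 192.168.5.2 <-> 112.140.32.94", tenant network 192.168.5.0/24), caches the resulting action, and answers later packets of the same flow from that cache. The external address 203.0.113.9 used in the checks and the untranslated-outbound behaviour for a VM without a floating address are constructed assumptions.

```python
# Added example, not from the slides or MidoNet itself: a toy model of the
# per-flow simulation in the packet walk. The hypervisor agent walks the first
# packet of a flow through the deck's logical topology (provider router ->
# tenant router with filter and NAT rules -> tenant network) and caches it.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Tuple

SUBNET = ip_network("192.168.5.0/24")                            # Tenant Network
ALLOW_IN_TCP = {22}                                              # Allow incoming tcp/22
NAT = {ip_address("112.140.32.94"): ip_address("192.168.5.2")}  # floating <-> VM1

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def simulate(pkt: Packet) -> Tuple[str, Packet]:
    """Walk one packet through the logical topology; return (action, packet)."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src in SUBNET and dst in SUBNET:
        return "FORWARD", pkt       # VM1 -> VM2: same logical L2, no router hop
    if dst in NAT:
        # Inbound via the Provider Router: Tenant Router DNATs, then filters
        dnat = replace(pkt, dst=str(NAT[dst]))
        if pkt.proto == "tcp" and pkt.dport in ALLOW_IN_TCP:
            return "FORWARD", dnat
        return "DROP", pkt
    if src in SUBNET:
        # Outbound: SNAT a VM that owns a floating address; a VM without one
        # goes out untranslated (assumption, the slides do not say)
        for floating, inner in NAT.items():
            if src == inner:
                return "FORWARD", replace(pkt, src=str(floating))
        return "FORWARD", pkt
    return "DROP", pkt              # nothing in the topology routes this packet

class Agent:
    """Hypervisor agent: simulate once per flow, then use the flow cache."""
    def __init__(self):
        self.flows = {}
        self.simulations = 0
    def handle(self, pkt: Packet) -> Tuple[str, Packet]:
        if pkt not in self.flows:       # first packet of the flow
            self.simulations += 1
            self.flows[pkt] = simulate(pkt)
        return self.flows[pkt]          # later packets: already established path
```

The flow cache is what makes "subsequent packets follow the already established path": only the first packet of each flow pays for the topology walk.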

Why MidoNet?

•  Single Virtual Hop = Better Performance
•  No SPOF = Production Grade
•  Fully Distributed = Massive Scale


Q&A

Thank You

Adam Johnson @adjohn
