
OPENSTACK FOR VSPECIALISTS

MODULE 8: OPENSTACK NETWORKING (NEUTRON)

EMC CONFIDENTIAL—INTERNAL USE ONLY 1


MODULE 8: OPENSTACK NETWORKING (NEUTRON)

Upon completion of this module, you should be able to:
• Describe the network abstractions defined by the Neutron service
• Understand the plugin-driven architecture of Neutron
• Explain the relationship of Neutron to general SDN solutions


THE NEUTRON NETWORK SERVICE
• Neutron provides networking as a service for interface devices managed by other OpenStack services (e.g. Nova instances)
• The project started as the Quantum project, to improve on and replace native Nova networking (nova-network), where network configuration is admin-only
• Provides an API for managing IP connectivity and addressing, implemented by a back-end plugin
• Also includes a set of advanced services which are being decoupled from the main project
  – Firewall aaS, Loadbalancer aaS, VPN aaS …
Image source: Wikipedia
BASIC CONCEPTS: NETWORKS
• A Neutron network represents an isolated L2 segment, roughly analogous to a VLAN
  – Networks may be private or shared
  – Admins can create external provider networks to allow tenants to connect out
• A network may have one or more subnets associated with it
  – L3 network with an IPv4 or IPv6 address range
  – Can specify IP address pools, gateway IP, DNS servers, and special host routes per subnet
  – A subnet can have DHCP enabled or disabled
• Kilo supports creation of subnetpools, to allow an admin or user to create a large address pool with a default subnet size
BASIC CONCEPTS: PORTS
• Ports represent individual connection points, such as
  – Connection between a network and the virtual interface of an instance
  – Connection between a virtual router and a network
• A port is assigned a MAC address and a fixed IPv4 or IPv6 address from a subnet on the network
• Port address assignment is typically handled by the Neutron DHCP service, enabled on subnets by default
• Users can create ports with specific fixed IPs if required, and then attach a VM virtual interface to the preconfigured port
• Security groups are associated with ports
BASIC CONCEPTS: ROUTERS
• Routers (a Neutron extension) are virtual L3 routers created by tenants to route between local networks
• Routers can also be used to connect to external networks and provide external connectivity
  – Supports 1-to-1 NAT between public IPs and selected attached subnet addresses
  – Supports SNAT for outbound traffic
• External networks are always shared and visible to all users
  – Admins can configure a pool of public addresses available for NAT, aka floating IPs
  – NAT is established by allocating a floating IP and associating it with the target port


TYING BACK: VM IP ADDRESSES
• Under Neutron, a VM can have multiple interfaces on multiple user-specified networks
• The Neutron DHCP agent will assign a fixed IP or private IP to each port on a network
• Floating IPs can be assigned by routers as a 1-to-1 mapping of a public IP to the fixed IP of a port
• Typically, private IPs are used for communication between VMs in the same L2 domain provided by a virtual switch
• Floating IPs are used for accessing an instance from a public network, via routed traffic
Diagram: a VM (KVM) on a compute node with a VIF/port on the local L2 domain, private IP 10.0.12.8, mapped 1-to-1 to floating IP 192.168.2.8 on the external network
BASIC CONCEPT: SECURITY GROUPS
• Every instance in Nova is associated with at least one project security group (if none is specified, the group called ‘default’ is used)
• When using Neutron networking, Neutron actually controls the security groups, but management is also proxied through the Nova API
  – /etc/nova/nova.conf: security_group_api=neutron
• A security group is a collection of rules dictating what traffic can ingress (and egress) a port
  – Default Nova security groups filter ingress only
• The default security group drops all ingress traffic and allows all egress (outbound) traffic
  – Users can change rules in the project’s default group
  – Users can add other security groups
KEY SERVICE OPERATIONS: NETWORKS
• CRUD on networks, including
  – Network admin state (UP/DOWN)
  – External networks (admin only)
• CRUD on subnets and subnetpools
• How you might use a subnetpool:
  – neutron net-create webapp
  – neutron subnetpool-create --default-prefixlen 24 --pool-prefix 10.10.0.0/16 webpool
  – neutron subnet-create --subnetpool webpool mywebsubnet

Related CLI commands:
$ neutron net-create …
$ neutron net-list …
$ neutron net-show …
$ neutron net-update …
$ neutron net-delete …
$ neutron subnet-create …
$ neutron subnet-list …
$ neutron subnet-show …
$ neutron subnet-update …
$ neutron subnet-delete …
$ neutron subnetpool-* …
KEY OPERATIONS: ROUTERS & PORTS
• CRUD on routers, including
  – Network admin state (UP/DOWN)
  – Distributed or HA (depending on deployment configuration)
• List or add ports on a given router
• CRUD on ports, including
  – Port admin state (UP/DOWN)
  – Desired subnet and fixed IP for this port
  – Desired MAC address for the port
  – Extra DHCP options
• Port creation can also be driven from options on Nova instance boot

Related CLI commands:
$ neutron router-create …
$ neutron router-list …
$ neutron router-show …
$ neutron router-update …
$ neutron router-delete …
$ neutron router-port-list …
$ neutron router-interface-add …
$ neutron port-create …
$ neutron port-list …
$ neutron port-show …
$ neutron port-update …
$ neutron port-delete …
KEY OPERATIONS: IPs & SEC GROUPS
• CRUD on floating IPs allocated to a project, including
  – Addition and removal of floating IPs for the project from the shared public network
  – Association and disassociation of a floating IP with a particular fixed IP on a port
• CRUD on security groups and security group rules
  – The project’s default security group is editable by the user

Related CLI commands:
$ neutron floatingip-create …
$ neutron floatingip-delete …
$ neutron floatingip-associate …
$ neutron floatingip-disassociate …
$ neutron floatingip-list …
$ neutron floatingip-show …
$ neutron security-group-create
$ neutron security-group-update
$ neutron security-group-delete
$ neutron security-group-list
$ neutron security-group-show
$ neutron security-group-rule-*
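The two security-group slides above describe the model (default group drops all ingress, explicit rules open ports, groups attach to ports); the script below is an added example, not from the deck, that builds a least-privilege group for a web tier with the neutron CLI. The group name websg, the admin CIDR 192.0.2.0/24 and the port id are placeholders; setting NEUTRON=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not part of the original deck). The default security group
# already drops all ingress, so this group only opens what the tier needs:
# SSH from an admin CIDR and HTTPS from anywhere. Set NEUTRON=echo to dry-run.
NEUTRON="${NEUTRON:-neutron}"

# ingress_rule GROUP PROTO PORT CIDR: allow one ingress port from CIDR
ingress_rule() {
  "$NEUTRON" security-group-rule-create --direction ingress --ethertype IPv4 \
    --protocol "$2" --port-range-min "$3" --port-range-max "$3" \
    --remote-ip-prefix "$4" "$1"
}

# make_web_sg GROUP ADMIN_CIDR: create the group and its allow rules.
# Refuses a world-open admin CIDR and a bare host address (no prefix length).
make_web_sg() {
  case "$2" in
    0.0.0.0/0) echo "refusing to open SSH to 0.0.0.0/0" >&2; return 1 ;;
    */*) ;;
    *) echo "admin CIDR must be in a.b.c.d/len form" >&2; return 1 ;;
  esac
  "$NEUTRON" security-group-create --description "web tier" "$1" &&
  ingress_rule "$1" tcp 22 "$2" &&
  ingress_rule "$1" tcp 443 0.0.0.0/0
}

# attach_sg PORT_ID GROUP: make GROUP the only security group on the port
attach_sg() {
  "$NEUTRON" port-update --security-group "$2" "$1"
}

# Usage (placeholders): make_web_sg websg 192.0.2.0/24 && attach_sg <port-id> websg
```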



KEY SERVICE OPERATIONS: ADMINS
• CRUD commands for active Neutron agents
  – neutron agent-*


KEY SERVICE OPERATIONS: ADMINS
• The core Neutron abstraction model is very lean, with many extensions
• Query Neutron for all extensions with neutron ext-list and neutron ext-show
• CLI command options are extensive, but many require specific extensions to function
• Extension configuration is managed via config file settings in /etc/neutron


KEY OPERATIONS: QUOTAS
• CRUD on tenant quotas for networking resources
  – Update quotas for particular projects
  – List projects with non-default quotas
• Default quotas are set via config parameters in /etc/neutron/neutron.conf

Related CLI commands:
$ neutron quota-delete …
$ neutron quota-list …
$ neutron quota-update …
$ neutron quota-show …


NEUTRON ARCHITECTURE
• The Neutron implementation is defined by the selection of the core plugin (default: ML2)
• The Neutron ML2 driver replaces monolithic L2 drivers with a flexible pluggable model
• Depending on the plugin, Neutron may integrate with an existing SDN controller, e.g. OpenDaylight
Diagram (control node / compute node): Horizon and Nova call neutron-server over HTTP; neutron-server hosts the core plugin, persists state to the Neutron DB over SQL and may talk to an SDN controller; neutron-metadata-agent, neutron-l3-agent and neutron-dhcp-agent on the control node communicate over AMQP (Nova queues, Neutron queues) with the L2 agent that manages the local vSwitches on each compute node
NEUTRON ARCHITECTURE: L2
• Plugin-specific L2 agents run on compute nodes to control local virtual switch configurations for instances (e.g. neutron-openvswitch-agent)
• Neutron DHCP agents provide IP assignments to new ports from configured subnets; the reference implementation is dnsmasq
(Same architecture diagram as on the NEUTRON ARCHITECTURE slide)
NEUTRON ARCHITECTURE: L3
• neutron-l3-agent supports the virtual router functionality extensions (L2 interconnects, floating IPs); the service is not needed by every core plugin
• Extensions exist for distributed L3 agents, and for scheduling of routers among multiple L3 agent instances
(Same architecture diagram as on the NEUTRON ARCHITECTURE slide)
NEUTRON ARCHITECTURE: METADATA
• Neutron exposes the Nova metadata service to instances via a metadata agent that proxies nova-api
• neutron-metadata-agent can also have its own front-end proxy: neutron-ns-metadata-proxy
(Same architecture diagram as on the NEUTRON ARCHITECTURE slide)
WHAT NETWORK DRIVERS ARE USED?
• OVS is the predominant implementation being used with Neutron
• ML2 is the default core plugin, introduced in Havana
  – Supports OVS and other L2 technologies
  – Can support multiple network types simultaneously
• A decreasing proportion of deployments use nova-network
Source: OpenStack User Survey, October 2015


DRIVERS FOR CLOUDS >1000 CORES
• OVS is still significant at the largest scales
Source: OpenStack User Survey, October 2015


MODULAR L2 (ML2) CORE PLUGIN
• Current default standard core plugin, introduced in Havana
• Abstracts network types from specific L2 implementation mechanisms
• Plugin driven: can manage multiple network types in a single region

Image source: AQORN: Understanding the OpenStack Neutron ML2 Plugin



OPEN vSWITCH (OVS)
• Production-quality virtual multilayer switch, similar to the VMware vSwitch or Cisco Nexus 1000V
• Per-VM traffic policing, QoS control, STP
• Standard 802.1Q VLAN model with trunking; multiple tunnelling protocols (GRE, VXLAN, …)
• OpenFlow protocol support, with virtualization extensions
• Kernel- and user-space forwarding engine options
Image source: openvswitch.org
GENERAL ARCHITECTURE: OVS
• ovsdb-server is a database that holds switch-level configuration
• The OVSDB management protocol is JSON-RPC to the manager and to ovs-vswitchd
• ovs-vswitchd is the core component, managing the flow table via netlink communications to the kernel module and communicating externally via OpenFlow
• The OVS kernel module handles switching and tunneling
Diagram: a control cluster speaks OpenFlow to ovs-vswitchd and the OVSDB protocol to ovsdb-server (both in user space); ovs-vswitchd drives the OVS kernel module over netlink
OVS AND NEUTRON SCENARIO
All instances colocated on the same compute host
Image source: OpenStack Cloud Administrator Guide



OPEN vSWITCH ON A COMPUTE HOST

Image source: OpenStack Cloud Administrator Guide



OPEN VSWITCH ON NETWORK HOST

Image source: OpenStack Cloud Administrator Guide



NEUTRON ADVANCED SERVICES
• Advanced L4-L7 services are splitting off from the main Neutron project, but follow the same plugin-driven model
• Loadbalancer aaS: the default implementation is HAProxy
• Firewall aaS: the reference implementation extends security groups to L3 filtering with iptables
• VPN aaS: the reference implementation uses OpenSwan IPsec VPN
• Many other ‘core’ Neutron features are technically extensions
  – DHCP
  – L3 routing and NAT (virtual routers)
  – Access control lists (security groups)
  – Quotas, etc.
