network virtualization with quantum

Post on 08-May-2015


Chandan Dutta Chowdhury, Juniper Networks

InStackers Meeting

Network Virtualization with Quantum

Agenda

- Overview and use case of network virtualization
- Quantum overview
- Network isolation at layer 2 in Quantum
- Quantum L3 isolation
- Security groups

Overview and use case of network virtualization

"Network virtualization is the process of combining hardware and software network resources and network functionality into a single, software-based administrative entity, a virtual network. Network virtualization involves platform virtualization, often combined with resource virtualization." - Wikipedia

Single tier deployment

All VMs connect to a Linux bridge, which is uplinked to the switch using a physical NIC on the server.

[Diagram: physical server with VMs attached to a bridge, bridge uplinked via the NIC]

2 tier deployment

Use case: we have a web server and a DB server and don't want to provide direct access to the DB server.

[Diagram: physical server with WWW and Database VMs on two separate bridges, one of which is uplinked via the NIC]

VMs on multiple physical servers

[Diagram: two physical servers, one hosting the Database VM and one the WWW VM; each has bridges and a NIC uplink, and the servers attach to a public network and a private network]

Multi-tenant VMs on multiple physical servers

[Diagram: two physical servers on the private network, each with several VMs and a NIC, attached to switches]

Introduction to Quantum

Features:
- Provides network as a service to connect the VMs in the cloud
- Self-service API for virtual network creation
- Provides features like L2 isolation, L3 isolation, firewalls, load balancer etc.
- Supports various networking modes

Implementation:
- Exposes REST APIs
- Provides a plug-in based architecture to support different vendor-provided networking equipment
- Extensions are supported to add functionality in addition to the core APIs

OpenStack big picture

Quantum architecture

[Diagram of the Quantum architecture: Quantum with its REST API, extensions, plug-in and database; agents and network devices connected through a message queue]

Quantum network modes

- Single flat network
- Mixed flat and private network
- Provider router with private networks

Quantum core APIs

Network: create network, update network, delete network, list network, show network
Subnet: create subnet, update subnet, delete subnet, list subnet, show subnet
Port: create port, update port, delete port, list port, show port

Network: an isolated virtual layer-2 domain. A network can also be a virtual, or logical, switch.

Subnet: an IP version 4 or version 6 address block from which the IP addresses assigned to VMs on a specified network are selected.

Port: a virtual, or logical, switch port on a specified network.

Network isolation at layer 2 in Quantum

Quantum creates an isolated L2 domain per virtual network.

On the backend it uses a combination of the following to provide the isolated L2 domain:
- VLANs
- GRE tunnels
- Linux bridges
- OVS

CLI:

    quantum net-create net1
    quantum subnet-create net1 10.0.0.0/24
    quantum port-create --fixed-ip subnet_id=<subnet-id>,ip_address=192.168.57.101 <net-id>

Linux bridge based virtual networks

A sub-interface is created per virtual network (each virtual network being represented by a VLAN). A separate bridge is used to connect the VMs of each network to each other.

[Diagram: two Nova compute nodes; on each, the NIC carries the VLAN sub-interfaces vlan10, vlan20 and vlan30, and each sub-interface is attached to its own Linux bridge]

OVS based virtual network

A VLAN is created in OVS per virtual network.

[Diagram: two Nova compute nodes, each with OVS on the NIC carrying VLAN 10, VLAN 20 and VLAN 30]

Quantum plug-ins and extensions

Plug-ins: Quantum plug-ins are used to configure the vendor-provided switch for virtual networking.

Extensions: extensions are used to provide new or experimental functionality in Quantum. They provide a way to extend the APIs provided by Quantum; e.g. L3 functionality in Quantum is provided as an extension.

Advanced networking concepts

Quantum L3 networking extension

The L3 extension allows the creation of routers to connect 2 or more networks.

[Diagram: Router1 connecting Net1, Net2 and Net3 at layer 3, with a VM on each network at layer 2; the router reaches the gateway through the NIC]

Quantum L3 isolation

Layer 3 networking: virtual routers

The default implementation of a router is done using Linux network namespaces.

A router can also be used to provide external connectivity and NAT functionality.

[Diagram: physical server with WWW and Database VMs on separate bridges joined by a router; one bridge is uplinked via the NIC]

Quantum L3 CLI

    quantum router-create router1
    quantum router-interface-add router1 <subnet1-uuid>
    quantum router-interface-add router1 <subnet2-uuid>

Security groups

Security groups and security group rules allow administrators and tenants to specify the type of traffic and direction (ingress/egress) that is allowed to pass through a port. A security group is a named set of rules that get applied to the incoming packets for the instances.

By default this group will drop all ingress traffic and allow all egress.

[Diagram: the two-tier deployment, WWW and Database VMs on separate bridges joined by a router, one bridge uplinked via the NIC]

Security groups CLI

    quantum security-group-list
    quantum security-group-rule-create --direction ingress --protocol tcp --port_range_min 80 --port_range_max 80 <security_group_uuid>
    quantum port-create <network_id> --security_groups list=true <security_group_id> <security_group_id>
    quantum port-update <port_id> --security_groups=None
    quantum security-group-rule-list
    quantum security-group-rule-delete <security_group_rule_uuid>
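As an added example (not code from the slides or from Quantum itself), the following models the security-group semantics described above, default drop on ingress and allow on egress with rules keyed by direction, protocol and port range, and applies it to the deck's web/DB two-tier use case. The remote_ip_prefix field, the 10.0.0.0/24 web subnet, the DB port 3306 and the client addresses are assumptions made for the example.

```python
# Added example: a model of Quantum security-group evaluation for the
# two-tier (WWW + Database) use case. Not the project's own code.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    """One security-group rule; fields mirror the CLI flags on the slide."""
    direction: str                          # "ingress" or "egress"
    protocol: Optional[str] = None          # None = any protocol
    port_range_min: Optional[int] = None    # None = any port
    port_range_max: Optional[int] = None    # None = same as port_range_min
    remote_ip_prefix: Optional[str] = None  # far-end CIDR (assumed field); None = any

    def matches(self, direction: str, protocol: str, port: int, remote_ip: str) -> bool:
        if self.direction != direction:
            return False
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.port_range_min is not None:
            hi = self.port_range_max if self.port_range_max is not None else self.port_range_min
            if not self.port_range_min <= port <= hi:
                return False
        if self.remote_ip_prefix is not None and ip_address(remote_ip) not in ip_network(self.remote_ip_prefix):
            return False
        return True


@dataclass
class SecurityGroup:
    """Named set of rules applied to a port: drop all ingress, allow all egress by default."""
    name: str
    rules: List[Rule] = field(default_factory=list)

    def allows(self, direction: str, protocol: str, port: int, remote_ip: str) -> bool:
        if direction == "egress":
            return True  # the slide's default: all egress is allowed
        return any(r.matches(direction, protocol, port, remote_ip) for r in self.rules)


# Two-tier use case from the deck; subnet, port and addresses are constructed.
WEB_SUBNET = "10.0.0.0/24"
web_sg = SecurityGroup("www", [Rule("ingress", "tcp", 80, 80)])                      # tcp/80 from anywhere
db_sg = SecurityGroup("database", [Rule("ingress", "tcp", 3306, 3306, WEB_SUBNET)])  # tcp/3306 from web tier only


def check_ingress(sg: SecurityGroup, protocol: str, port: int, remote_ip: str) -> bool:
    """True if the group lets this inbound flow reach the instance's port."""
    return sg.allows("ingress", protocol, port, remote_ip)
```

The DB group never admits traffic from outside the web subnet, which is the "no direct access to the DB server" requirement from the two-tier use case expressed as rules rather than topology.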

THANK YOU ALL
