What's new in Neutron for OpenStack Havana

Post on 06-May-2015


DESCRIPTION

The Havana release of OpenStack, which came out in October 2013, contains several significant changes and new features in the networking component. OpenStack Networking has been renamed from 'quantum' to 'neutron'. It lays the foundation for supporting heterogeneous network components with the introduction of the ML2 (Modular Layer 2) plugin. The first implementations of FireWall as a Service (FWaaS) and VPN as a Service (VPNaaS) are included. These features were demonstrated by Cisco developers at the OpenStack meetup in Boston in October 2013.

TRANSCRIPT

Neutron developers at Cisco Systems

Boxborough office

Brian Bowen, Henry Gessau, Dane LeBlanc,

Paul Michali, Abishek Subramanian, et al.

What's new in Neutron for Havana

Agenda

• Modular Layer 2 plugin (ML2)

• ML2 demo with Cisco Nexus driver

• FireWall as a Service (FWaaS)

• FWaaS demo

• VPN as a Service (VPNaaS)

• VPNaaS demo

• Cisco plugin with N1000V

• Demo of Dashboard to control N1000V

Modular Layer 2 in OpenStack Neutron

Robert Kukura, Red Hat

Kyle Mestery, Cisco

Motivations For a Modular Layer 2 Plugin

Before Modular Layer 2 ...

(Diagram: the Neutron Server loaded exactly one monolithic core plugin: the Open vSwitch Plugin, OR the Linuxbridge Plugin, OR ...)

Before Modular Layer 2 ...

(Diagram: the Neutron Server with the Cisco Plugin, which wraps an Open vSwitch Sub-Plugin and a Nexus Sub-Plugin; beneath them sit the Open vSwitch agent on the compute node and the Cisco Nexus switch.)

ML2 Architecture Diagram

(Diagram: the Neutron Server hosts the ML2 Plugin, which exposes the API Extensions and contains a Type Manager and a Mechanism Manager. The Type Manager loads the GRE, VLAN and VXLAN TypeDrivers; the Mechanism Manager loads the Arista, Cisco Nexus, Hyper-V, L2 Population, Linuxbridge, Open vSwitch and Tail-f NCS MechanismDrivers.)

TypeDrivers in Havana

The following are supported segmentation types in ML2 for the Havana release:

● local

● flat

● VLAN

● GRE

● VXLAN

MechanismDrivers in Havana

The following ML2 MechanismDrivers exist in Havana:

● Arista

● Cisco Nexus

● Hyper-V

● L2 Population

● Linuxbridge

● Open vSwitch

● Tail-f NCS

ML2 Futures: Deprecation Items

• The future of the Open vSwitch and Linuxbridge plugins

o These are planned for deprecation in Icehouse

o ML2 supports all their functionality

o ML2 works with the existing OVS and Linuxbridge agents

ML2 With Current Agents

(Diagram: one Neutron Server running the ML2 Plugin talks over the API Network to Host A and Host B, each running a Linuxbridge Agent, and to Host C and Host D, each running an Open vSwitch Agent.)

● ML2 Plugin works with existing agents

● Separate agents for Linuxbridge and Open vSwitch

● Can also use physical switches from different vendors

ML2 demo, showing ...

● ML2 running with multiple MechanismDrivers

○ openvswitch

○ cisco_nexus

● Booting multiple VMs on multiple compute hosts

● Configuration of VLANs across both virtual and physical infrastructure

Cisco Nexus ML2 Mechanism Driver Demonstration

Cisco Nexus ML2 Mechanism Driver

• Manages VLAN creation/removal on Cisco Nexus 3K/5K/7K switches as instances are launched, migrated, or terminated

• Works with Open vSwitch (OVS) mechanism driver

OVS: virtual switching

Cisco Nexus: physical switching

• Ported from original Cisco Nexus OpenStack Plugin

• Available in Havana release

Topology

(Diagram: a Controller / Network Node and two compute hosts, Compute Host 1 and Compute Host 2, carrying VM 1 through VM 4, are attached to a Nexus 3K on ports eth1/1, eth1/2 and eth1/3. Tenant traffic uses VLAN 810 and VLAN 812 on the Data Network; the Management Network reaches the switch's mgmt port; the External Network hangs off the network node.)

DevStack Configuration

Add to localrc File:

Q_PLUGIN=ml2
Q_ML2_PLUGIN_MECHANISM_DRIVERS=openvswitch,cisco_nexus
Q_ML2_PLUGIN_TYPE_DRIVERS=vlan
Q_PLUGIN_EXTRA_CONF_PATH=(/home/leblancd/devstack)
Q_PLUGIN_EXTRA_CONF_FILES=(ml2_conf_cisco.ini)
ML2_VLAN_RANGES=physnet1:810:819
ENABLE_TENANT_VLANS=True
PHYSICAL_NETWORK=physnet1
OVS_PHYSICAL_BRIDGE=br-eth1

Cisco Mechanism Driver Config

• Create a file, e.g. "ml2_conf_cisco.ini":

[ml2_mech_cisco_nexus:10.86.1.118]
ComputeHost-1=1/2
ComputeHost-2=1/3
ssh_port=22
username=admin
password=MyPassword

• The section name carries the switch's management IP, and each compute host name maps to the Nexus interface it is cabled to (here Ethernet 1/2 and 1/3, matching the topology). The file holds the switch's SSH credentials in clear text, so keep it readable only by the neutron service account.

• File name and path are arbitrary, but these configs in localrc must point to it: Q_PLUGIN_EXTRA_CONF_PATH and Q_PLUGIN_EXTRA_CONF_FILES

• Template in Neutron branch: /opt/stack/neutron/etc/neutron/plugins/ml2/ml2_conf_cisco.ini

Neutron Server Startup Command

cd /opt/stack/neutron && python /usr/local/bin/neutron-server --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini --config-file /home/leblancd/devstack/ml2_conf_cisco.ini || echo "q-svc failed to start" | tee "/opt/stack/status/stack/q-svc.failure"
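The pieces above (the VLAN range in localrc, the host-to-port map in ml2_conf_cisco.ini, and the Nexus driver adding and removing VLANs as instances come and go) fit together as in the following Python model. It is an added illustration written for this page, not Neutron's or the Cisco driver's code: the class names, the command strings it records and the demo sequence are its own, and the only inputs it takes from the slides are ML2_VLAN_RANGES and the ini contents.

```python
"""Toy model of the ML2 demo set-up above: a VLAN TypeDriver feeding the Cisco
Nexus MechanismDriver. Added illustration, not Neutron's own code."""
import configparser
from collections import defaultdict

# Values copied from the localrc and ml2_conf_cisco.ini slides above.
ML2_VLAN_RANGES = "physnet1:810:819"
CISCO_INI = """\
[ml2_mech_cisco_nexus:10.86.1.118]
ComputeHost-1=1/2
ComputeHost-2=1/3
ssh_port=22
username=admin
password=MyPassword
"""

def parse_vlan_ranges(spec):
    """'physnet1:810:819[,physnet2:lo:hi]' -> {physnet: [vlan, ...]}, validated."""
    pools = {}
    for entry in spec.split(","):
        parts = entry.strip().split(":")
        if len(parts) != 3:
            raise ValueError("expected physnet:min:max, got %r" % entry)
        lo, hi = int(parts[1]), int(parts[2])
        if not 1 <= lo <= hi <= 4094:
            raise ValueError("bad VLAN range %r" % entry)
        pools.setdefault(parts[0], []).extend(range(lo, hi + 1))
    return pools

class VlanTypeDriver:
    """Type side of ML2: hands each network one segmentation ID from the pool."""
    def __init__(self, spec):
        self.free = parse_vlan_ranges(spec)
        self.segments = {}  # network_id -> vlan

    def allocate(self, network_id, physnet="physnet1"):
        if not self.free.get(physnet):
            raise RuntimeError("VLAN pool exhausted on %s" % physnet)
        self.segments[network_id] = self.free[physnet].pop(0)
        return self.segments[network_id]

class CiscoNexusDriver:
    """Mechanism side for the physical switch: trunk the VLAN on the port facing
    a compute host when the first instance there joins the network, drop it after
    the last one leaves. Command strings are illustrative NX-OS; the real driver
    programs the switch over SSH/NETCONF with the credentials in the ini."""
    def __init__(self, ini_text):
        cp = configparser.ConfigParser()
        cp.optionxform = str  # keep host names case-sensitive
        cp.read_string(ini_text)
        self.host_port = {}  # host -> (switch_ip, interface)
        for section in cp.sections():
            if section.startswith("ml2_mech_cisco_nexus:"):
                switch = section.split(":", 1)[1]
                for key, val in cp.items(section):
                    if key not in ("ssh_port", "username", "password"):
                        self.host_port[key] = (switch, val)
        self.refs = defaultdict(set)  # (switch, interface, vlan) -> port_ids
        self.commands = []

    def bind(self, port_id, host, vlan):
        key = self.host_port[host] + (vlan,)  # KeyError: host not in the ini
        if not self.refs[key]:
            self.commands.append("%s eth%s: switchport trunk allowed vlan add %d" % key)
        self.refs[key].add(port_id)

    def unbind(self, port_id, host, vlan):
        key = self.host_port[host] + (vlan,)
        self.refs[key].discard(port_id)
        if not self.refs[key]:
            self.commands.append("%s eth%s: switchport trunk allowed vlan remove %d" % key)

class Ml2Plugin:
    """Runs every configured mechanism driver, in order, for each port event.
    The openvswitch driver is left out: on the virtual side the OVS agent does
    the work."""
    def __init__(self):
        self.types = VlanTypeDriver(ML2_VLAN_RANGES)
        self.mechs = [CiscoNexusDriver(CISCO_INI)]

    def create_port(self, port_id, network_id, host):
        for mech in self.mechs:
            mech.bind(port_id, host, self.types.segments[network_id])

    def delete_port(self, port_id, network_id, host):
        for mech in self.mechs:
            mech.unbind(port_id, host, self.types.segments[network_id])

def demo():
    """Replays the demo flow and returns the switch-side changes it caused."""
    plugin = Ml2Plugin()
    plugin.types.allocate("net-A")                        # first free VLAN: 810
    plugin.create_port("vm1", "net-A", "ComputeHost-1")   # trunk 810 on eth1/2
    plugin.create_port("vm2", "net-A", "ComputeHost-2")   # trunk 810 on eth1/3
    plugin.create_port("vm3", "net-A", "ComputeHost-1")   # already trunked: no-op
    plugin.delete_port("vm1", "net-A", "ComputeHost-1")   # vm3 still on host 1
    plugin.delete_port("vm3", "net-A", "ComputeHost-1")   # last one out: untrunk
    return plugin.mechs[0].commands
```

The real driver keeps its switch state in Neutron's database rather than a process-local dict, and it talks to the switch instead of recording strings; what the model preserves is the reference counting that keeps a VLAN trunked on a host-facing port for as long as any instance on that host still uses it, and the validation of the VLAN range before anything is allocated from it.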

Demo

Resources

• README files:

o /opt/stack/neutron/neutron/plugins/ml2/README

o /opt/stack/neutron/neutron/plugins/ml2/drivers/cisco/README

• Template .ini Files:

o /opt/stack/neutron/etc/neutron/plugins/ml2/ml2_conf.ini

o /opt/stack/neutron/etc/neutron/plugins/ml2/ml2_conf_cisco.ini

• Wiki Pages:

o https://wiki.openstack.org/wiki/Neutron/ML2

o https://wiki.openstack.org/wiki/Neutron/ML2/MechCiscoNexus

• Google Doc:

o https://docs.google.com/document/d/1FXo0Hlc5c0myvBk99Bw51yOdHmEXHSaFKUhEGNEuDo4

Virtual Private Networking as a Service

Havana Release

Paul Michali (mail: pcm@cisco.com, IRC: pcm_ on irc.freenode.net, Twitter: @pmichali)

Virtual Private Network as a Service

• Initial Release Goals

o Site to site VPN (~AWS).

o Considered "experimental" w/limited functionality.

o Only Pre-Shared Keys, no certificates.

• Future releases to address other use cases.

o SSL-VPN, MPLS/BGP

o Certificate support

o Service insertion/chaining

OpenSwan Driver

• OpenSwan: open source VPN process

• Supports several encryption/auth algorithms, modes of operation (Remote Access, Site2Site, Host2Host).

• Designed to support a single connection.

• Uses configuration files to control operation

o /opt/stack/data/neutron/ipsec/<router-UUID>/…

Current Status

• Reference implementation released

• Horizon dashboard access released

• CLI and REST APIs available

• API reference documentation published

o http://docs.openstack.org/api/openstack-network/2.0/content/vpnaas_ext.html

• Feature documentation in progress

• Ongoing: bug fixes & enhancements (Icehouse)

Site to Site VPN

(Diagram: two DevStack sites, each an Ubuntu 12.04 VM, joined by a VPN across the 172.24.4.0/24 public network. West: private subnet 10.2.0.0/24, router 10.2.0.1, br-ex 172.24.4.21, VM at 10.2.0.4. East: private subnet 10.1.0.0/24, router 10.1.0.1, br-ex 172.24.4.11, VMs at 10.1.0.4 and 10.1.0.5.)

Site to Site VPN (physical)

(Diagram: two hosts, each with two NICs (eth0, eth1), one on the Admin Network and one on the Internal Network that carries the Public Network (172.24.4.222/28). Left host: private 10.2.0.0/24, br-ex 172.24.4.20; right host: private 10.1.0.0/24, br-ex 172.24.4.10. A NAT/host provides the external path.)

Reference Info

• How To:

https://wiki.openstack.org/wiki/Neutron/VPNaaS/HowToInstall

• Main page (API is in OS doc wiki):

http://docs.openstack.org/api/openstack-network/2.0/content/vpnaas_ext.html

https://wiki.openstack.org/wiki/Neutron/VPNaaS

• OpenSwan & StrongSwan:

https://github.com/xelerance/Openswan/wiki

http://www.strongswan.org/ and http://wiki.strongswan.org/projects/strongswan

Blueprint

Backup Slides

Site to Site VPN (physical)

(Diagram: Devstack-32 (UCS) and Devstack-33 (UCS), each with two NICs (eth1/eth3 on one, eth2/eth4 on the other), joined through a switch. Admin Network 14.0.3.0/24 with the hosts at 14.0.3.32 and 14.0.3.33; Public Network 172.24.4.222/28 with br-ex 172.24.4.225 on Devstack-32 and 172.24.4.232 on Devstack-33; private subnets 10.1.0.0/24 and 10.2.0.0/24 behind them; a C6500 sits on the public side.)

Multi-node DevStack

• To do site-to-site VPN, needed to share the public net.

• Solution: Config DevStack (localrc) GW IP to be specified. Also added naming for easier config.

• Q_USE_SECGROUP=False switches Neutron security groups off on both hosts; that is a demo shortcut, not a setting to carry into a real deployment.

devstack-33 localrc:

enable_service q-vpn
PUBLIC_SUBNET_NAME=yoursubnet
PRIVATE_SUBNET_NAME=mysubnet
PUBLIC_NETWORK_GATEWAY=172.24.4.232
Q_FLOATING_ALLOCATION_POOL="start=172.24.4.233,end=172.24.4.238"
Q_USE_SECGROUP=False
FIXED_RANGE=10.2.0.0/24
NETWORK_GATEWAY=10.2.0.1

devstack-32 localrc:

enable_service q-vpn
PUBLIC_SUBNET_NAME=yoursubnet
PRIVATE_SUBNET_NAME=mysubnet
PUBLIC_NETWORK_GATEWAY=172.24.4.225
Q_FLOATING_ALLOCATION_POOL="start=172.24.4.226,end=172.24.4.231"
Q_USE_SECGROUP=False
FIXED_RANGE=10.1.0.0/24
NETWORK_GATEWAY=10.1.0.1

Modifications for VPNaaS

• Make localrc modifications as shown on previous page.

• Connect two systems with a switch (L2) for public net.

• Manually bring up eth# used for public network link.

• Add br-ex and add eth# to br-ex.

Object Diagram

(Diagram: a VPN Service is associated with one Router and one Subnet. Each IPSec Site Connection establishes a tunnel for one Service, and a Service can have N connections. An IKE Policy and an IPSec Policy are each used by N IPSec Site Connections; every connection references exactly one of each.)

Note: all of these are associated with a single tenant

VPN Architecture

(Diagram: the IPSec VPN Extension exposes the REST API. The IPSec VPN Advanced Service Plugin sits on the Common API, the Core, the DB and Schedulers (not implemented). Over the RPC API it drives the IPSec VPN Agent (BP2), whose strong-swan driver manages a NameSpaceDevice, a VMDevice or a HardWareDevice.)

RPC API (Create VPN Service 1/2)

(Sequence diagram; participants: User, Neutron, Agent, Namespace Device, IpSecDriver, StrongSwan DeviceDriver)

• User -> Neutron: create vpn service. Neutron selects the driver using the service type and creates the vpn service.

• User -> Neutron: create IKE policy. Neutron stores the policy.

• User -> Neutron: create IPSec policy. Neutron stores the policy.

• User -> Neutron: create vpn connection. Neutron creates the vpn connection, ensures an interface is added to the router and sets status BUILDING. The driver side is a no-op (does nothing) at this point.

RPC API (Create VPN Service 2/2)

• Neutron fetches the host of the router associated with the service and sends vpn-service-updated to the Agent on that host.

• Agent -> IpSecDriver: sync. The IpSecDriver fetches the vpn connection info with related infos from Neutron, then syncs the StrongSwan DeviceDriver, which runs ensure_conf_file and ensure_process_running.

• This sync is done periodically, and at boot time also: the driver compares local state with what Neutron reports.

RPC API (Update VPN Service)

(Sequence diagram; same participants)

• User -> Neutron: update or delete a VPN Service, IKE policy or IPSec policy, or CRUD of vpn connections. Neutron selects the driver using the type.

• Neutron -> Agent: vpn-service-updated. Agent -> IpSecDriver: sync. IpSecDriver -> StrongSwan DeviceDriver: sync.

• On delete, the interface is removed from the router.
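The OpenSwan driver's per-router configuration directory (/opt/stack/data/neutron/ipsec/<router-UUID>/) and the create/sync sequence above (ensure_conf_file, ensure_process_running, periodic comparison of local state) are illustrated by the following Python example. It is an added example, not Neutron's VPN agent code: the object dictionaries, the router UUID and the PSK are constructed, the ipsec.conf layout is a hand-written approximation of the driver's template, and the IKE daemon is stood in for by a dictionary rather than started.

```python
"""Renders the VPNaaS objects (service -> router + subnet; site connection -> IKE
policy + IPsec policy, PSK only) into OpenSwan ipsec.conf / ipsec.secrets under
<data>/ipsec/<router-UUID>/ and syncs them the way the agent loop above does.
Added illustration; the real driver's templates and process control differ."""
import os
import tempfile

ENC = {"aes-128": "aes128", "aes-192": "aes192", "aes-256": "aes256", "3des": "3des"}
DH = {"group2": "modp1024", "group5": "modp1536", "group14": "modp2048"}

# Constructed objects for the west site of the topology slide (the router UUID
# and the PSK are made up for this example).
IKE_POLICY = {"encryption_algorithm": "aes-128", "auth_algorithm": "sha1",
              "pfs": "group5", "lifetime": 3600}
IPSEC_POLICY = {"transform_protocol": "esp", "encryption_algorithm": "aes-128",
                "auth_algorithm": "sha1", "pfs": "group5",
                "encapsulation_mode": "tunnel", "lifetime": 3600}
VPN_SERVICE = {"router_id": "a1b2c3d4-0000-4000-8000-000000000001",
               "external_ip": "172.24.4.21", "subnet_cidr": "10.2.0.0/24"}
SITE_CONN = {"id": "west-to-east", "peer_address": "172.24.4.11",
             "peer_cidrs": ["10.1.0.0/24"], "psk": "demo-psk-change-me",
             "ikepolicy": IKE_POLICY, "ipsecpolicy": IPSEC_POLICY}

def render_ipsec_conf(service, conns):
    """One OpenSwan 'conn' per ipsec_site_connection, PSK auth only."""
    out = ["config setup", "    nat_traversal=yes", ""]
    for c in conns:
        if not c["psk"]:
            raise ValueError("%s: Havana VPNaaS supports pre-shared keys only" % c["id"])
        ike, esp = c["ikepolicy"], c["ipsecpolicy"]
        out += ["conn %s" % c["id"],
                "    keyexchange=ike",
                "    left=%s" % service["external_ip"],
                "    leftsubnet=%s" % service["subnet_cidr"],
                "    right=%s" % c["peer_address"],
                "    rightsubnet=%s" % ",".join(c["peer_cidrs"]),
                "    authby=secret",
                "    ike=%s-%s;%s" % (ENC[ike["encryption_algorithm"]],
                                      ike["auth_algorithm"], DH[ike["pfs"]]),
                "    ikelifetime=%ds" % ike["lifetime"],
                "    esp=%s-%s;%s" % (ENC[esp["encryption_algorithm"]],
                                      esp["auth_algorithm"], DH[esp["pfs"]]),
                "    keylife=%ds" % esp["lifetime"],
                "    pfs=yes",
                "    type=%s" % esp["encapsulation_mode"],
                "    auto=start", ""]
    return "\n".join(out)

def render_secrets(service, conns):
    """'<local> <peer> : PSK "..."' lines; the keys sit here in clear text."""
    return "".join('%s %s : PSK "%s"\n' % (service["external_ip"],
                                          c["peer_address"], c["psk"]) for c in conns)

def ensure_conf_file(data_dir, service, conns):
    """Write ipsec.conf and ipsec.secrets for this router only if their content
    differs from what is on disk; the secrets file is created 0600 from the start."""
    conf_dir = os.path.join(data_dir, "ipsec", service["router_id"])
    os.makedirs(conf_dir, exist_ok=True)
    wanted = {"ipsec.conf": (render_ipsec_conf(service, conns), 0o644),
              "ipsec.secrets": (render_secrets(service, conns), 0o600)}
    changed = []
    for name, (content, mode) in wanted.items():
        path = os.path.join(conf_dir, name)
        current = None
        if os.path.exists(path):
            with open(path) as fh:
                current = fh.read()
        if current != content:
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
            with os.fdopen(fd, "w") as fh:
                fh.write(content)
            changed.append(name)
        os.chmod(path, mode)  # also repairs a pre-existing file with loose bits
    return changed

def sync(data_dir, service, conns, running):
    """The periodic / boot-time sync: compare local state with what Neutron
    reports and (re)start the IKE daemon for this router only when needed.
    `running` stands in for the agent's process table."""
    changed = ensure_conf_file(data_dir, service, conns)
    rid = service["router_id"]
    action = "started" if rid not in running else ("restarted" if changed else "unchanged")
    running[rid] = action
    return action

def demo(data_dir=None):
    """First boot, a no-op re-sync, then a PSK rotation that forces a restart."""
    data_dir = data_dir or tempfile.mkdtemp()
    running, conns = {}, [dict(SITE_CONN)]
    actions = [sync(data_dir, VPN_SERVICE, conns, running),
               sync(data_dir, VPN_SERVICE, conns, running)]
    conns[0]["psk"] = "rotated-psk"
    actions.append(sync(data_dir, VPN_SERVICE, conns, running))
    secrets = os.path.join(data_dir, "ipsec", VPN_SERVICE["router_id"], "ipsec.secrets")
    return {"actions": actions, "secrets_mode": os.stat(secrets).st_mode & 0o777,
            "conf": render_ipsec_conf(VPN_SERVICE, conns)}
```

Two details are worth carrying over to any driver that writes these files: ipsec.secrets holds the pre-shared key in clear text, so it is created with mode 0600 rather than chmod'ed after the fact; and the sync compares rendered content with what is on disk, so a periodic resync leaves a healthy tunnel alone and only a real change (here a PSK rotation) triggers a restart.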

Proposed IP Sec Object Model

Amazon Object Model

Cisco Object Model

FWaaS in OpenStack Havana

Contributors

• BigSwitch Sumit N, KC Wang

• Cisco Sridar K

• Dell Rajesh M

• PayPal Ravi C

Initial reference implementation

How: Service Plugin + Agent + Driver

Where: L3 only -- iptables rules on routers

Why: Complements security groups

What next? Vendor drivers

Entity Relationships

(Diagram: each tenant owns a firewall: Tenant A has Firewall A, Tenant B has Firewall B, Tenant C has Firewall C. A firewall references a firewall policy (Firewall Policy X or Firewall Policy Y), and a policy is an ordered list of firewall rules such as "Allow ICMP" and "Allow TCP 80". Firewalls are applied on the tenant's routers.)

Command Line Interface (CRUD)

Rules

firewall-rule-create

firewall-rule-list

firewall-rule-show

firewall-rule-update

firewall-rule-delete

Policies

firewall-policy-create

firewall-policy-list

firewall-policy-show

firewall-policy-update

firewall-policy-insert-rule

firewall-policy-remove-rule

firewall-policy-delete

Firewalls

firewall-create

firewall-list

firewall-show

firewall-update

firewall-delete
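The CLI above maintains an ordered policy, and where a rule sits in that order decides what the router's iptables chain does. The following Python example, added here and not taken from Neutron's iptables driver, renders a policy into rules in that order and evaluates packets against it with first-match semantics. The chain name, the packet dictionaries and the rule names are the example's own, and its insert-rule default (append when neither --insert-before nor --insert-after is given) is the example's choice rather than a statement about the Neutron API.

```python
"""An ordered FWaaS policy rendered to the iptables rules the L3-only reference
driver programs on a router, plus a first-match evaluator to show why the order
of rules matters. Added illustration, not Neutron's driver; the chain name and
the packet representation are this example's own."""
import ipaddress

def rule(name, action, protocol=None, src=None, dst=None, dport=None, enabled=True):
    """Mirror of the firewall-rule-create attributes used here."""
    if dport is not None and protocol not in ("tcp", "udp"):
        raise ValueError("%s: a destination port needs protocol tcp or udp" % name)
    return {"name": name, "action": action, "protocol": protocol,
            "source_ip_address": src, "destination_ip_address": dst,
            "destination_port": dport, "enabled": enabled}

class FirewallPolicy:
    """Ordered rule list with firewall-policy-insert-rule style positioning
    (--insert-before / --insert-after); with neither, this example appends."""
    def __init__(self, name):
        self.name, self.rules = name, []

    def insert_rule(self, new, insert_before=None, insert_after=None):
        names = [r["name"] for r in self.rules]
        if new["name"] in names:
            raise ValueError("rule %s already in policy %s" % (new["name"], self.name))
        if insert_before:
            idx = names.index(insert_before)
        elif insert_after:
            idx = names.index(insert_after) + 1
        else:
            idx = len(self.rules)
        self.rules.insert(idx, new)

    def remove_rule(self, name):
        self.rules[:] = [r for r in self.rules if r["name"] != name]

def to_iptables(policy):
    """Render the policy into one chain, rules in policy order, default DROP last."""
    chain = "fwaas-%s" % policy.name
    lines = []
    for r in policy.rules:
        if not r["enabled"]:
            continue
        parts = ["-A", chain]
        if r["protocol"]:
            parts += ["-p", r["protocol"]]
        if r["source_ip_address"]:
            parts += ["-s", r["source_ip_address"]]
        if r["destination_ip_address"]:
            parts += ["-d", r["destination_ip_address"]]
        if r["destination_port"] is not None:
            parts += ["--dport", str(r["destination_port"])]
        parts += ["-j", "ACCEPT" if r["action"] == "allow" else "DROP"]
        lines.append(" ".join(parts))
    lines.append("-A %s -j DROP" % chain)
    return lines

def _in(addr, cidr):
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def evaluate(policy, pkt):
    """First enabled rule that matches decides; nothing matching means deny."""
    for r in policy.rules:
        if not r["enabled"]:
            continue
        if r["protocol"] and r["protocol"] != pkt["protocol"]:
            continue
        if not _in(pkt["src"], r["source_ip_address"]) or not _in(pkt["dst"], r["destination_ip_address"]):
            continue
        if r["destination_port"] is not None and r["destination_port"] != pkt.get("dport"):
            continue
        return r["action"]
    return "deny"

def demo():
    """Same rules, two orders: a deny placed after the allow it should override
    is shadowed and never fires."""
    web_from_lab = {"protocol": "tcp", "src": "10.1.0.5", "dst": "10.2.0.4", "dport": 80}
    web_from_other = {"protocol": "tcp", "src": "192.0.2.9", "dst": "10.2.0.4", "dport": 80}
    deny_lab = rule("deny-lab-web", "deny", protocol="tcp", src="10.1.0.0/24", dport=80)

    good = FirewallPolicy("X")
    good.insert_rule(rule("allow-icmp", "allow", protocol="icmp"))
    good.insert_rule(rule("allow-web", "allow", protocol="tcp", dport=80))
    good.insert_rule(dict(deny_lab), insert_before="allow-web")

    shadowed = FirewallPolicy("Y")
    shadowed.insert_rule(rule("allow-web", "allow", protocol="tcp", dport=80))
    shadowed.insert_rule(dict(deny_lab), insert_after="allow-web")

    return {"good_lab": evaluate(good, web_from_lab),          # deny
            "good_other": evaluate(good, web_from_other),      # allow
            "shadowed_lab": evaluate(shadowed, web_from_lab),  # allow: the deny is dead
            "iptables": to_iptables(good)}
```

The "shadowed" policy is the mistake the insert-rule positions exist to avoid: a deny appended after a broader allow never matches, and nothing in the rule itself says so. Rendering the chain (or running the evaluator against the traffic you care about) before attaching a policy to a firewall is the cheap check.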

Demo Dashboard Interface and CLI
