OpenStack NetworkingHands-On Tutorial

Kyle Mestery (@mestery)Mark McClain (@gtwmm)

● Quick OpenStack and Neutron Overview● Neutron Deployment Overview● Hands-On With Neutron

○ Networks and Subnets○ Routers and L3 constructs○ LBaaS○ VPNaaS

Agenda

OpenStack and Neutron Overview

About OpenStack● Open Source project founded in 2010● 1,786 Unique Developers during Kilo● A growing ecosystem of projects

○ With a new governance model!● Production Ready● Latest Release 2015.1 - Kilo (11th Release)● Apache 2 Licensed

OpenStack

What does the user see?

What is Neutron?● Provides “networking as a service”● Provides Rich Topologies● Technology Agnostic● Extensible● Advanced Services Support

○ LBaaS, VPNaaS, FWaaS

Neutron Design Goals● Unified API● Small Core● Pluggable Open Architecture● Extensible● Growing ecosystem (Neutron as a platform)

Abstractions

Basic Deployment

Neutron Installation Tips

Types of Network Traffic● Management

○ Internal communication between services● API

○ Exposes OpenStack APIs to users of the cloud● Guest

○ A network dedicated to instance traffic● External

○ Provides Neutron routers with network access

Single NIC Setup

VMVMVM

br-int

br-tun

br-eth0 eth0

overlay networks

mgmt and API

external

Multi-Nic Setup

VMVMVM

br-int

br-tun

br-eth1 eth1

overlay networks

mgmt and API

external

eth0 eth0

Bonded NIC Setup

VMVMVM

br-int

br-tun

br-bond0

eth1overlay networks

mgmt and API

external

eth0

bond0

What Type Of Neutron Network To Use

Neutron Provider Network Setup

Compute Host

Compute Host

Compute Host

Provider VLAN 100

Provider VLAN 200

When To Use Provider Networks?

● Mapping Neutron install into existing network environment

● Small number of tenants● Want to perform routing with existing

routers (physical or virtual)● Little or no interest in floating IPs

Neutron With Overlays (and L2 gateways!)

Compute Host

Compute Host

Compute Host

Network Node

Underlay Network

L2 Gateway Node

L2 Gateway node handles translating between overlay networks to VLAN networks

Network node handles L3 routing N/S, and SNAT when used with DVR

DVR routes E/W traffic and performs DNAT locally

When To Use Neutron With Overlays?

● Large number of tenant networks● Floating IPs central to installation

Neutron Tutorial

Thank you to our sponsor!

● Two options for gaining access to provided VMs○ Join “tutorial” wifi network (password openstackneutron)○ OR○ ssh into the jumphost as “onug@67.205.58.120”

● Username/password for VMs: onug / ONUG2015

Components used in the tutorial

All-In-One Control/Compute Node (Ubuntu 14.04.1)

nova

glance

keystone

neutron

neutron l2

neutron l3

metadata

dhcp

Open vSwitch

rabbitmq

Tutorial Assumptions● You are using a devstack install on a cloud

VM provided by Dreamhost● The Tutorial uses the Kilo release of

OpenStack

Neutron Networks and Subnets

In this section, we’ll cover basic Neutron operations around networks, ports and subnets

Neutron Network Types● local networks● provider networks● overlay networks

Neutron local networks● local networks are created locally on the host

○ traffic is local on the node it is created on● DHCP and metadata may not work with local

networks● Useful for complex technologies where you

want to keep some traffic local to a small number of VMs on a host

Create a local networkneutron net-create --provider:network_type=local onug_local

Neutron provider networks● Useful when using a small number of tenants

and you want to share networks created by the admin

● Assumes L3 routing handled in existing infrastructure

Creating a provider networkneutron net-create --provider:network_type=vlan --provider:physical_network=physnet1 --provider:segmentation_id=200 --shared onug_vlan_network

Tenant overlay networks● Useful for installations with a large number

of tenants● Allows tenants to create rich network layouts● Allows for overlapping, shared IP address

spaces● Can utilize floating IPs for remote access● Utilize L2 gateways to bridge to VLAN

networks

Create an overlay networkneutron net-create onug_overlay

Neutron subnets● Subnets are the main L3 resource in Neutron● Subnets can be IPv4 or IPv6● Planning ahead for your subnets is

important○ Note: Pluggable IPAM will be available in Liberty,

and allow for integration with existing IPAM solutions you may have

Creating a subnetneutron subnet-create onug_overlay 192.168.100.0/24 --name onug_overlay_subnet --ip-version=4 --gateway=192.168.100.1 --allocation-pool start=192.168.100.2,end=192.168.100.254 --dns-nameservers 8.8.8.8 8.8.4.4

Quick Detour: Neutron PortsPort created for DHCP agent from previous port

Neutron Ports and Namespaces

The DHCP port created previously looks like this on the host itself

Neutron RoutersWe’ll cover Neutron routers, floating IPs, and building complex topologies with them

Neutron Routers: Overview● Neutron routers are per-tenant

○ Admin can create routers for tenants● Neutron routers support both IPv4 and IPv6● Neutron routers can route traffic between

internal and external networks● Neutron routers can also route traffic

between internal networks

Neutron With Routers

Create a routerneutron router-create onug_router

Neutron router ports

Neutron router

Internal interface

Gateway interfaceThis interface is

attached to a local subnet

This interface is attached to an upstream device to provide external connectivity

Distributed Routers!

Neutron With Distributed Routers!

Attaching router ports● Attach the internal router port

○ neutron router-interface-add 87e8ca5c-7446-40d2-9973-b57c6a9f1b0a 68f34192-72d7-4e4d-82ae-b87410113a9a

● Attach the gateway port○ neutron router-gateway-set 87e8ca5c-7446-40d2-9973-b57c6a9f1b0a

dab3f1f7-7015-4439-b393-0ad75d2de536

Verify your router portsneutron router-port-list 87e8ca5c-7446-40d2-9973-b57c6a9f1b0a

Launch An InstanceFind your image UUID and flavor ID

Launch an Instance (cont.)Boot the instance attaching to your tenant created network

Verify the Instance Is UpNote: We added a security group rule to allow ICMP packets.

Neutron NAT● Neutron supports two types of NAT

○ one-to-one (with floating IPs)○ one-to-many (without floating IPs)

● NAT and DVR○ DVR supports decentralized DNAT but requires

centralized SNAT

Create And Add a Floating IP

Neutron subnetpools● Allow for creation of a range of address to be

allocated to a pool● Subnet allocation can now happen out of

that range● Instead of requiring specific addressing, can

now utilize dynamic addressing from the pool

subnetpool: create network

subnetpool: create subnetpool

subnetpool: create subnet using pool

Neutron LBaaSWe’ll walk through Neutron Load Balancing as a Service here, creating LBaaS constructs using the new for Kilo LBaaS V2 API

Neutron LBaaS V2● Neutron LBaaS V2 is new in Kilo

○ New API with different objects and attributes○ http://developer.openstack.org/api-ref-networking-

v2-ext.html#lbaas-v2.0● Lets give it a try!

Neutron LBaas V2 Tutorial● Create 2 nova instances on onug_overlay

network● Setup security group rules to allow port 80● Run simple HTTP servers in those servers● Create LBaaS constructs to balance HTTP

requests across servers

Create 2 Nova Instances

Add security group rules

Spinup simple web servers

Create some loadbalancers

Create the listener

Create the pool

Add members

Verify it’s working

Debugging Neutron

Neutron Open Source Backends

Open Source Options● Dragonflow● OpenContrail● OpenDaylight● OVN● Announced today: Akanda

Dragonflow● A fully distributed virtual router using

OpenFlow and Open vSwitch● Removes the use of namespaces on the host

for DVR○ Implementation utilizes straight OpenFlow

Dragonflow Architecture

OpenContrail● Extensible networking system designed for

cloud networking and NFV● Consists of two components: Controller and

vRouter○ Controller is logically centralized by physically

distributed SDN controller○ vRouter is a forwarding plane which runs in the

hypervisor

OpenContrail Architecture

OpenStack

NovaOpenContrail

Neutron Plugin

Compute Node

OpenStack Nova Agent

vRouter Agent

Contrail Node

Configuration Node

OpenDaylight● A community led, industry supported open

source platform to support the adoption of SDN and NFV

● A platform to allow for many different APIs on both the north and south side

OpenDaylight Architecture

OpenStack

Nova OpenDaylight ML2 Driver

Compute Node

OpenStack Nova Agent

Open vSwitchCompute Node

OpenStack Nova Agent

Open vSwitch

Open Virtual Networking (OVN)

● Compliments OVS by adding native support for virtual networking abstractions○ L2 and L3 overlays, security groups, etc.

● Not a general purpose SDN controller○ Focuses on L2/L3 networking

● Tight integration with OpenStack

OVNOpenStack

OVN NB Database

OVN ML2 Driver

ovn-nbd

OVN DB

ovn-controller

ovs-vswitchd ovsdb-server

ovn-controller

ovs-vswitchd ovsdb-server