[ovs-dev] SFC-Summary: MultiTenant

John McDowall jmcdowall at paloaltonetworks.com
Tue Jun 28 15:54:31 UTC 2016


Ryan,

Putting on my vendor hat for a minute or two....

The way we have solved this is our VNF supports multiple interfaces (i.e. multiple port-pairs) that can be partitioned into different networks. So a single VNF can act in multiple tenants. I believe most other vendors have similar solutions and perhaps other approaches.

How would you like a VNF to behave to support multi-tenancy?

Regards

John

From: Ryan Moats <rmoats at us.ibm.com>
Date: Monday, June 27, 2016 at 9:26 PM
To: Na Zhu <nazhu at cn.ibm.com>
Cc: John McDowall <jmcdowall at paloaltonetworks.com>, "dev at openvswitch.org" <dev at openvswitch.org>
Subject: Re: [ovs-dev] SFC-Summary: MultiTenant


Na Zhu/China/IBM wrote on 06/27/2016 10:21:33 PM:

> From: Na Zhu/China/IBM
> To: John McDowall <jmcdowall at paloaltonetworks.com>, Ryan Moats/Omaha/IBM at IBMUS
> Cc: "dev at openvswitch.org" <dev at openvswitch.org>
> Date: 06/27/2016 10:21 PM
> Subject: Re: [ovs-dev] SFC-Summary: MultiTenant
>
> Hi Ryan & John,
>
> For the multi-tenancy use case, I think it is not allowed to boot a VNF in
> OpenStack that can be used by multiple tenants.
> I am not clear about your concerns, can you clarify?

If I can't support multi-tenant in a particular VNF, then the
solution doesn't scale from a business perspective.

The discussion here is how does OVN support a multi-tenant
VNF, independent of OpenStack.

I've asked the same question of the networking-sfc spec as part
of the review, because it has to be solved there as well.

Ryan

>
>
> Regards,
> Juno Zhu
> IBM China Development Labs (CDL) Cloud IaaS Lab
> Email: nazhu at cn.ibm.com
> 5F, Building 10, 399 Keyuan Road, Zhangjiang Hi-Tech Park, Pudong
> New District, Shanghai, China (201203)
>
> From: John McDowall <jmcdowall at paloaltonetworks.com>
> To: Ryan Moats <rmoats at us.ibm.com>
> Cc: "dev at openvswitch.org" <dev at openvswitch.org>
> Date: 2016/06/28 09:46
> Subject: Re: [ovs-dev] SFC-Summary: MultiTenant
> Sent by: "dev" <dev-bounces at openvswitch.org>
>
> Previous thread contents are here: http://openvswitch.org/pipermail/dev/2016-June/073836.html
>
> Ryan,
>
> Trying to keep the thread to a single subject so we can knock them off.
>
> There are two cases for multi-tenancy:
>
>
>   1.  The VNF is multi-tenant: This implies that a single VNF can
> exist as a port-pair in multiple logical networks. For this to
> happen the VNF has to support two features:
>      *   Separate management planes so different tenants can manage
> them independently
>      *   Ability to handle overlapping IP-Address ranges in the
> control and data planes.
>   2.  The network can be logically separated into different segments
> with overlapping IP address ranges. This is one of the functions of
> OVS/OVN I thought or do I have a key misunderstanding? If a VNF has
> its logical ports in the namespace of a specific logical switch then
> there should be no barrier to multi-tenant networks - or am I
> missing something fundamental?
>
> I think 1) is a vendor issue and while we can make it easy for them
> they still need to do the work to separate the management/control
> and data planes?
>
> Thoughts?
>
> John