[ovs-discuss] OVN vm on vlan network using geneve tunnel for external traffic

Russell Bryant russell at ovn.org
Sat Apr 14 01:01:55 UTC 2018

On Fri, Apr 13, 2018 at 5:27 PM, Ben Pfaff <blp at ovn.org> wrote:
> On Wed, Apr 11, 2018 at 07:44:25PM +0530, Anil Venkata wrote:
>> A VM created on a VLAN tenant network is using a Geneve tunnel (between compute
>> and gateway nodes) to reach the external network. Because of this, we need to
>> consider tunnelling overhead while assigning the MTU for the VLAN network. Can we
>> improve OVN to avoid tunnelling in this case?
> When OVN tunnels packets, the tunnel metadata includes information on
> the logical network, logical input port, and logical output port.  The
> logical input port is only used for egress ACLs, so it could be omitted
> if egress ACLs are constrained not to match on the logical input port.
> The logical network and logical output port are still needed, though, so
> to encode that in a VLAN they would have to add up to 12 bits or less.
> That's pretty constraining.  Do you have some idea for how to do it?

I don't think ACLs are a factor here because it's actually the logical
router pipeline that forwarded the packet over a tunnel.  The only logical
switches involved are VLAN networks (a switch with a localnet port).

The unexpected behavior here is that despite using all VLAN networks,
a Geneve tunnel is used when the packet is sent to the L3 gateway node
that's doing SNAT.  Note that the type of router configured here is
the hybrid-type, where routing is fully distributed in all cases
except when NAT is required, then it gets redirected to a central
point.  That redirect is what we're seeing here.

I've thought of two ways out of this:

1) In this scenario, if you really don't want any tunneling in use,
configure a fully centralized router instead.  The downside is that
East-West routing will be centralized, as well.

2) Use two routers.  ls1 (VLAN) with all ports for VMs <-> distributed
east-west router <-> ls2 (VLAN) used just to interconnect the routers
<-> centralized router for SNAT.  The downside here is that you still
lose the ability to bind floating IPs directly to compute nodes like

3) Figure out a way for OVN to do this redirect to the gateway host
over a VLAN network.  I suspect this isn't trivial and honestly
haven't spent the time to figure out what it would take, but this does
seem like the ideal behavior.

Russell Bryant
