[ovs-discuss] OVN vm on vlan network using geneve tunnel for external traffic
Russell Bryant
russell at ovn.org
Sat Apr 14 01:01:55 UTC 2018
On Fri, Apr 13, 2018 at 5:27 PM, Ben Pfaff <blp at ovn.org> wrote:
> On Wed, Apr 11, 2018 at 07:44:25PM +0530, Anil Venkata wrote:
>> A VM created on a VLAN tenant network is using a Geneve tunnel (between compute
>> and gateway nodes) to reach the external network. Because of this, we need to
>> consider tunnelling overhead while assigning the MTU for the VLAN network. Can we
>> improve OVN to avoid tunnelling in this case?
>
> When OVN tunnels packets, the tunnel metadata includes information on
> the logical network, logical input port, and logical output port. The
> logical input port is only used for egress ACLs, so it could be omitted
> if egress ACLs are constrained not to match on the logical input port.
> The logical network and logical output port are still needed, though, so
> to encode that in a VLAN they would have to add up to 12 bits or less.
> That's pretty constraining. Do you have some idea for how to do it?
I don't think ACLs are a factor here because it's actually the logical
router pipeline that forwarded the packet over a tunnel. The only logical
switches involved are VLAN networks (a switch with a localnet port).
The unexpected behavior here is that despite using all VLAN networks,
a Geneve tunnel is used when the packet is sent to the L3 gateway node
that's doing SNAT. Note that the type of router configured here is
the hybrid-type, where routing is fully distributed in all cases
except when NAT is required, then it gets redirected to a central
point. That redirect is what we're seeing here.
I've thought of two ways out of this:
1) In this scenario, if you really don't want any tunneling in use,
configure a fully centralized router instead. The downside is that
East-West routing will be centralized, as well.
2) Use two routers. ls1 (VLAN) with all ports for VMs <-> distributed
east-west router <-> ls2 (VLAN) used just to interconnect the routers
<-> centralized router for SNAT. The downside here is that you still
lose the ability to bind floating IPs directly to compute nodes like
today.
3) Figure out a way for OVN to do this redirect to the gateway host
over a VLAN network. I suspect this isn't trivial and honestly
haven't spent the time to figure out what it would take, but this does
seem like the ideal behavior.
--
Russell Bryant
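To make the two numbers in this thread concrete (the bits of tunnel metadata Ben mentions, and the MTU overhead Anil is asking about), here is an added example that is not from the thread or from the OVN code base. It models OVN's documented Geneve encoding (24-bit logical datapath in the VNI; one option carrying a 15-bit logical inport and 16-bit logical outport) and the per-packet overhead that encoding costs on an IPv4 underlay; the port counts passed to `fits_in_vlan_id` are constructed inputs.

```python
# Field widths from OVN's Geneve encoding (ovn-architecture(7)): the VNI carries
# the logical datapath; a single 4-byte Geneve option carries 1 reserved bit,
# the logical inport (15 bits) and the logical outport (16 bits).
DATAPATH_BITS, INPORT_BITS, OUTPORT_BITS = 24, 15, 16
VLAN_ID_BITS = 12  # an 802.1Q tag has only 12 usable ID bits

def pack_geneve_metadata(datapath, inport, outport):
    """Return (vni, option_value) the way OVN lays them out in a tunnel."""
    assert 0 <= datapath < 1 << DATAPATH_BITS
    assert 0 <= inport < 1 << INPORT_BITS
    assert 0 <= outport < 1 << OUTPORT_BITS
    return datapath, (inport << OUTPORT_BITS) | outport

def unpack_geneve_metadata(vni, option_value):
    """Inverse of pack_geneve_metadata: (datapath, inport, outport)."""
    inport = (option_value >> OUTPORT_BITS) & ((1 << INPORT_BITS) - 1)
    outport = option_value & ((1 << OUTPORT_BITS) - 1)
    return vni & ((1 << DATAPATH_BITS) - 1), inport, outport

def bits_for(count):
    """Bits needed to number `count` distinct values (at least 1)."""
    return max(1, (count - 1).bit_length())

def fits_in_vlan_id(n_datapaths, n_outports):
    """Ben's constraint: even after dropping the inport, datapath + outport
    must fit in the 12-bit VLAN ID to ride a VLAN instead of a tunnel."""
    return bits_for(n_datapaths) + bits_for(n_outports) <= VLAN_ID_BITS

# Overhead of OVN-over-Geneve on IPv4, counted against the underlay IP MTU:
# the inner Ethernet header (14) is encapsulated, then Geneve base (8) +
# OVN option (4 header + 4 value), UDP (8) and outer IPv4 (20) wrap it.
GENEVE_OVN_OVERHEAD_IPV4 = 14 + 8 + 8 + 8 + 20  # 58 bytes

def tenant_mtu(underlay_mtu, tunnelled):
    """MTU a VLAN tenant network must use if its traffic may be tunnelled."""
    return underlay_mtu - (GENEVE_OVN_OVERHEAD_IPV4 if tunnelled else 0)

if __name__ == "__main__":
    vni, opt = pack_geneve_metadata(0x1234, 5, 7)
    print(f"vni=0x{vni:06x} option=0x{opt:08x}")
    print("fits in VLAN (16 datapaths, 256 ports):", fits_in_vlan_id(16, 256))
    print("fits in VLAN (4096 datapaths, 4096 ports):", fits_in_vlan_id(4096, 4096))
    print("tenant MTU on a 1500-byte underlay:", tenant_mtu(1500, True))
```

The last line reproduces the 1442-byte tenant MTU that OVN deployments on a 1500-byte underlay end up with, which is exactly the cost option 3 in the message above would remove.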