[ovs-discuss] OVN vm on vlan network using geneve tunnel for external traffic

Russell Bryant russell at ovn.org
Sat Apr 14 01:22:44 UTC 2018


On Fri, Apr 13, 2018 at 9:01 PM, Russell Bryant <russell at ovn.org> wrote:
> On Fri, Apr 13, 2018 at 5:27 PM, Ben Pfaff <blp at ovn.org> wrote:
>> On Wed, Apr 11, 2018 at 07:44:25PM +0530, Anil Venkata wrote:
>>> vm created on a vlan tenant network is using geneve tunnel (between compute
>>> and gateway nodes) to reach external network. Because of this, we need to
>>> consider tunnelling overhead while assigning MTU for vlan network. Can we
>>> improve OVN to avoid tunnelling in this case?
>>
>> When OVN tunnels packets, the tunnel metadata includes information on
>> the logical network, logical input port, and logical output port.  The
>> logical input port is only used for egress ACLs, so it could be omitted
>> if egress ACLs are constrained not to match on the logical input port.
>> The logical network and logical output port are still needed, though, so
>> to encode that in a VLAN they would have to add up to 12 bits or less.
>> That's pretty constraining.  Do you have some idea for how to do it?
>
> I don't think ACLs are a factor here because it's actually the logical
> router pipeline that forwarded the packet over a tunnel.  The only logical
> switches involved are VLAN networks (a switch with a localnet port).
>
> The unexpected behavior here is that despite using all VLAN networks,
> a Geneve tunnel is used when the packet is sent to the L3 gateway node
> that's doing SNAT.  Note that the type of router configured here is
> the hybrid-type, where routing is fully distributed in all cases
> except when NAT is required, then it gets redirected to a central
> point.  That redirect is what we're seeing here.
>
> I've thought of two ways out of this:
>
> 1) In this scenario, if you really don't want any tunneling in use,
> configure a fully centralized router instead.  The downside is that
> East-West routing will be centralized, as well.
>
> 2) Use two routers.  ls1 (VLAN) with all ports for VMs <-> distributed
> east-west router <-> ls2 (VLAN) used just to interconnect the routers
> <-> centralized router for SNAT.  The downside here is that you still
> lose the ability to bind floating IPs directly to compute nodes like
> today.
>
> 3) Figure out a way for OVN to do this redirect to the gateway host
> over a VLAN network.  I suspect this isn't trivial and honestly
> haven't spent the time to figure out what it would take, but this does
> seem like the ideal behavior.
>
> --
> Russell Bryant

After an internal conversation on this topic, I wrote the following
doc to summarize what was observed and to capture ideas for next
steps:

https://docs.google.com/document/d/1JecGIXPH0RAqfGvD0nmtBdEU1zflHACp8WSRnKCFSgg/edit?usp=sharing

-- 
Russell Bryant

