[ovs-discuss] Question on distributing snat traffic with OVN
Francois
rigault.francois at gmail.com
Sat May 1 10:31:59 UTC 2021
Hi Open vSwitch
I am running an OVN stack with a dozen chassis, all of them able to
act as gateways.
I have many VMs without floating IPs on the same logical switch, doing
a lot of external traffic. Today, this traffic has to go through the
tunnel towards the unique chassis claiming the gateway to perform the
snat natting and send the traffic outside the stack.
With this current design, I see a lot of BFD traffic, and a clear
bottleneck and spof with that single chassis doing the snat. A
workaround is to add floating IPs on each VM, but this means the end
user has to put the floating IP themselves; it also means if a single
chassis runs 10 VMs, we need one floating IP per VM just for the snat,
while we could instead use a single IP per chassis for that.
I was thinking of adding a "br-snat" bridge on each ovs, adding to it
one interface with a fixed IP, and (with some minimal development in
ovn northd) have the snat traffic of all its ports going out of that
interface instead of going through the tunnel towards the gateway.
Ideally the IP used today for the tunnel could be used too for the
snat traffic, but this seems less trivial to achieve.
Before looking at the details of ddlog and the syntax of flows, I
would love to get some feedback on the idea, maybe there is something
fundamentally broken with my design, or maybe there is a smarter way
to achieve this?
Thanks
Francois