Network internals (advanced parts)
Giuliano Santandrea – CIRI ICT
University of Bologna
●Internal-external VLAN translation 
●packet captures 
●Security groups 
●routing
During the VM creation these elements are created in the compute node:
◦qbrZZZ: LB (Linux bridge) and its mgmt interface
◦qvbZZZ: end of a veth pair, connected to the LB
◦qvoZZZ: other end of the same veth pair, connected to the OVS bridge “br-int”
◦tapZZZ: tap interface, connected to the LB
ZZZ: first 11 letters of the Neutron "port" for the VM interface
Subnet creation (network node):
◦tap-YYY: tap interface connected to br-int, inside a network namespace (YYY are the first 11 letters of the "port" of the DHCP server)
Router creation (network node):
◦tap-AAA: tap interface connected to br-ex, inside a network namespace (AAA are the first 11 letters of the "port" of the router gateway)
◦tap-BBB: tap interface connected to br-int, inside a network namespace (BBB are the first 11 letters of the "port" of the router internal port)
On the physical data network many network virtualization technologies are possible (VLAN, VXLAN, GRE, ...).
Internally OS (OpenStack) maps each virtual network to an internal VLAN.
The Cesena cluster uses VLANs. The bridges in the VNI are configured to do the translation between external and internal VLANs.
Other example: GRE encapsulation
◦for packets directed to the data network, the bridges remove the internal VLAN tags and encapsulate them with a tunnel_id
[Diagram (cluster layout): Controller, CPU node 1 and Network node are attached to the Mgmt net and the Data net; the Network node also reaches the External net through br-ex (public net gateway, Internet). Every node has br-data and br-int; on the CPU node a linux bridge sits between br-int and the VM. Tag labels along the path: untagged at the VM, internal VLAN tag on br-int, external VLAN tag on the data net, untagged again at the far end.]
[Diagram (network node): network namespaces hold the dhcp servers and the specific routing tables; one path is labelled "No traffic here".]
[Diagram (VM attachment): VM eth0 is attached as a VLAN access port, port-based (internal VLAN); the other links are labelled "Trunk all".]
TCAM (OpenFlow rules):
priority=4,in_port=8,dl_vlan=1 actions=mod_vlan_vid:1000,NORMAL
priority=2,in_port=8 actions=drop
priority=1 actions=NORMAL
•For all packets coming from phy-br-data with tag=1: change the tag to 1000, then do classic MAC learning switching (MLS)
•Discard any other packet coming from phy-br-data
•Otherwise MLS (least priority)
VLAN 1 => 1000
priority=3,in_port=17,dl_vlan=1000 actions=mod_vlan_vid:1,NORMAL
priority=2,in_port=17 actions=drop
priority=1 actions=NORMAL
VLAN 1000 => 1
[Diagram (tag at each hop): untagged at the VM, internal VLAN tag on br-int, external VLAN tag on br-data and on the data network; one path is labelled "No traffic here!"; untagged again at the destination VM.]
On the VM we send an Ethernet frame (ARP) in broadcast:
◦sudo arping -bI eth0 10.0.0.9
Broadcast allows us to bypass the MAC learning of the bridges: each bridge will forward the frame to every port!
On the cluster node:
◦tcpdump -nnve -i <interface>
Or, if in a netns:
◦sudo ip netns exec <netns> bash   # enter the netns
◦tcpdump -nnvle -i <interface>   # flush (line-buffer) the output with -l
stack@hc01:~/devstack$ sudo tcpdump -nnvei qvb71cbe0bd-6f
tcpdump: WARNING: qvb71cbe0bd-6f: no IPv4 address assigned
tcpdump: listening on qvb71cbe0bd-6f, link-type EN10MB (Ethernet), capture size 65535 bytes
18:44:23.752905 fa:16:3e:e6:9e:f8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.9 (ff:ff:ff:ff:ff:ff) tell 10.0.0.66, length 28
18:44:24.752998 fa:16:3e:e6:9e:f8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.9 (ff:ff:ff:ff:ff:ff) tell 10.0.0.66, length 28
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
NO VLAN TAG!!!
root@hc01:/opt/stack# sudo tcpdump -nnvei int-br-data
tcpdump: WARNING: int-br-data: no IPv4 address assigned
tcpdump: listening on int-br-data, link-type EN10MB (Ethernet), capture size 65535 bytes
18:46:41.212436 fa:16:3e:e6:9e:f8 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 1, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.9 (ff:ff:ff:ff:ff:ff) tell 10.0.0.66, length 28
18:46:42.212633 fa:16:3e:e6:9e:f8 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 1, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.9 (ff:ff:ff:ff:ff:ff) tell 10.0.0.66, length 28
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
root@hc01:/opt/stack# sudo tcpdump -nnvei eth0
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:49:57.241431 fa:16:3e:e6:9e:f8 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 1000, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.9 (ff:ff:ff:ff:ff:ff) tell 10.0.0.66, length 28
18:49:58.020910 d0:7e:28:90:d9:4b > 01:80:c2:00:00:00, 802.3, length 64: LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1w, Rapid STP, Flags [Forward], bridge-id 8000.d0:7e:28:90:d9:3d.800d, length 47
        message-age 0.00s, max-age 20.00s, hello-time 2.00s, forwarding-delay 15.00s
        root-id 8000.d0:7e:28:90:d9:3d, root-pathcost 0, port-role Designated
18:49:58.241620 fa:16:3e:e6:9e:f8 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 1000, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.9 (ff:ff:ff:ff:ff:ff) tell 10.0.0.66, length 28
^C
3 packets captured
3 packets received by filter
0 packets dropped by kernel
root@hc01:~# tcpdump -nnvei tap8356e24c-67
tcpdump: listening on tap8356e24c-67, link-type EN10MB (Ethernet), capture size 65535 bytes
^C11:39:28.424480 fa:16:3e:e6:9e:f8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.9 (ff:ff:ff:ff:ff:ff) tell 10.0.0.66, length 28
11:39:29.424638 fa:16:3e:e6:9e:f8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.9 (ff:ff:ff:ff:ff:ff) tell 10.0.0.66, length 28
11:39:30.424733 fa:16:3e:e6:9e:f8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.9 (ff:ff:ff:ff:ff:ff) tell 10.0.0.66, length 28
3 packets captured
3 packets received by filter
0 packets dropped by kernel
NO VLAN TAG!!!
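The capture walk above can be checked mechanically. The block below is an added example, not part of the original slides: it derives the qbr/qvb/qvo/tap names from a port UUID (first 11 characters, as the slides state) and parses `tcpdump -nnve` lines to verify that the ARP probe is untagged on the qvb side, carries the internal tag on int-br-data, the external tag on eth0 and is untagged again on the destination tap, i.e. that the 1 <=> 1000 translation of the OpenFlow rules really happened. The sample lines are built from the captures on the slides; the full port UUID used in the usage is hypothetical.

```python
import re
from typing import Optional

def port_devices(port_id: str) -> dict:
    """Compute-node devices Neutron creates for one VM port: prefix + first 11 chars of the port UUID."""
    zzz = port_id[:11]
    return {"qbr": "qbr" + zzz, "qvb": "qvb" + zzz, "qvo": "qvo" + zzz, "tap": "tap" + zzz}

# With `tcpdump -nnve` a tagged frame prints "ethertype 802.1Q (0x8100), length N: vlan V, p P, ..."
_VLAN_RE = re.compile(r"ethertype 802\.1Q \(0x8100\), length \d+: vlan (\d+),")
_ARP_RE = re.compile(r"Request who-has (\S+) .*tell (\S+),")

def parse_capture_line(line: str) -> Optional[dict]:
    """ARP request line -> {'vlan': tag or None (untagged), 'target': ip, 'sender': ip}; other frames -> None."""
    arp = _ARP_RE.search(line)
    if not arp:
        return None  # e.g. the STP/LLC frame captured on eth0 is not our probe
    vlan = _VLAN_RE.search(line)
    return {"vlan": int(vlan.group(1)) if vlan else None, "target": arp.group(1), "sender": arp.group(2)}

def arp_tags(capture: str, sender: str, target: str) -> set:
    """Set of VLAN tags (None = untagged) carried by our ARP probe in one capture."""
    return {p["vlan"] for p in map(parse_capture_line, capture.splitlines())
            if p and p["sender"] == sender and p["target"] == target}

def check_translation(captures: dict, internal_vlan: int, external_vlan: int,
                      sender: str, target: str) -> dict:
    """Per hop, True if the probe carries exactly the tag the internal/external translation leaves there:
    untagged on the qvb side of the LB and on the destination tap, internal tag on int-br-data, external on eth0."""
    expected = {"qvb": {None}, "int-br-data": {internal_vlan}, "eth0": {external_vlan}, "tap": {None}}
    return {hop: arp_tags(captures[hop], sender, target) == want
            for hop, want in expected.items() if hop in captures}

# Sample captures, constructed from the lines shown on the slides (one ARP line per hop is enough here).
_HDR = "18:44:23.752905 fa:16:3e:e6:9e:f8 > ff:ff:ff:ff:ff:ff, "
_ARP = "Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.0.9 (ff:ff:ff:ff:ff:ff) tell 10.0.0.66, length 28"
_STP = ("18:49:58.020910 d0:7e:28:90:d9:4b > 01:80:c2:00:00:00, 802.3, length 64: LLC, dsap STP (0x42) "
        "Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1w, Rapid STP, Flags [Forward], length 47")
SAMPLE_CAPTURES = {
    "qvb": _HDR + "ethertype ARP (0x0806), length 42: " + _ARP,
    "int-br-data": _HDR + "ethertype 802.1Q (0x8100), length 46: vlan 1, p 0, ethertype ARP, " + _ARP,
    "eth0": _HDR + "ethertype 802.1Q (0x8100), length 46: vlan 1000, p 0, ethertype ARP, " + _ARP + "\n" + _STP,
    "tap": _HDR + "ethertype ARP (0x0806), length 42: " + _ARP,
}

if __name__ == "__main__":
    # hypothetical full UUID whose first 11 chars give the slides' qvb71cbe0bd-6f
    print(port_devices("71cbe0bd-6f00-0000-0000-000000000000"))
    for hop, ok in check_translation(SAMPLE_CAPTURES, 1, 1000, "10.0.0.66", "10.0.0.9").items():
        print(f"{hop:12s} {'tag as expected' if ok else 'UNEXPECTED TAG: check the OpenFlow rules on this node'}")
```

A hop reporting an unexpected tag (for example the internal tag 1 leaving on eth0) points at a missing or wrong mod_vlan_vid rule on that node's bridge.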
Secgroup: contains firewall rules configured by the user (at the cloud platform level)
◦During the VM creation we associate one or more secgroups
It is «default deny»; we can add rules to allow ingress traffic
In the default secgroup there are already rules allowing egress traffic
Implementation: iptables rules on the CPU node
Note: it’s implemented by Neutron applying the native kernel filtering functions (netfilter) to bridged tap interfaces, and this works only with LBs. For this reason an additional LB is needed as an intermediate element to interconnect the tap interface to the integration bridge.
[Diagram: iptables rules (global namespace) applied on the linux bridge port in front of VM eth0.]
We have enabled ssh and ping in Ingress
For all packets entering the LB, passing through the tap (outbound VM traffic, EGRESS), use the following chains (iptables filter table in the global netns of the compute node):
neutron-openvswi-sg-chain
neutron-openvswi-oXXX
neutron-openvswi-FORWARD
FORWARD
Source: http://goo.gl/lD30Vl
…exiting the LB (inbound traffic, INGRESS)…:
neutron-openvswi-sg-chain
neutron-openvswi-iXXX
neutron-openvswi-FORWARD
FORWARD
Source: http://goo.gl/lD30Vl
We enabled ssh (TCP port 22) and ping (ICMP); we can see these rules:
-A neutron-openvswi-sg-chain -m physdev --physdev-out tapb5d4535b-8f --physdev-is-bridged -j neutron-openvswi-ib5d4535b-8
-A neutron-openvswi-ib5d4535b-8 -m state --state INVALID -j DROP
-A neutron-openvswi-ib5d4535b-8 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-ib5d4535b-8 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-ib5d4535b-8 -p icmp -j RETURN
-A neutron-openvswi-ib5d4535b-8 -s 192.168.101.2/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-ib5d4535b-8 -j neutron-openvswi-sg-fallback
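To see why this per-port chain is «default deny», here is an added example that is not part of the slides: a small evaluator that parses the ingress rules exactly as printed above and walks them top-down for a constructed packet, the way netfilter does. It models only the options those rules use, assumes that a RETURN from the per-port chain means the security group lets the packet through (the FORWARD chains that follow are not modelled), treats the jump to neutron-openvswi-sg-fallback as a drop, and leaves out the physdev dispatcher rule of neutron-openvswi-sg-chain.

```python
import ipaddress
import shlex

# The per-port ingress chain as printed on the slide (the sg-chain physdev dispatcher is omitted).
INGRESS_CHAIN = """\
-A neutron-openvswi-ib5d4535b-8 -m state --state INVALID -j DROP
-A neutron-openvswi-ib5d4535b-8 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-ib5d4535b-8 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-ib5d4535b-8 -p icmp -j RETURN
-A neutron-openvswi-ib5d4535b-8 -s 192.168.101.2/32 -p udp -m udp --sport 67 --dport 68 -j RETURN
-A neutron-openvswi-ib5d4535b-8 -j neutron-openvswi-sg-fallback
"""

def parse_rule(line: str):
    """One `-A CHAIN ...` line -> (chain, match dict, target). Only the options used above are supported."""
    toks = shlex.split(line)
    chain, match, target, i = toks[1], {}, None, 2
    while i < len(toks):
        opt, arg = toks[i], toks[i + 1]
        if opt == "-j":
            target = arg
        elif opt == "-p":
            match["proto"] = arg
        elif opt == "-s":
            match["src"] = ipaddress.ip_network(arg)
        elif opt == "--state":
            match["state"] = set(arg.split(","))
        elif opt in ("--sport", "--dport"):
            match[opt[2:]] = int(arg)
        elif opt != "-m":  # "-m state" / "-m tcp" only load a match module, no condition by itself
            raise ValueError("unsupported option " + opt)
        i += 2
    return chain, match, target

def rule_matches(match: dict, pkt: dict) -> bool:
    """Every condition of the rule must hold; a rule without conditions matches everything."""
    return (("proto" not in match or pkt["proto"] == match["proto"])
            and ("src" not in match or ipaddress.ip_address(pkt["src"]) in match["src"])
            and ("state" not in match or pkt["state"] in match["state"])
            and ("sport" not in match or pkt.get("sport") == match["sport"])
            and ("dport" not in match or pkt.get("dport") == match["dport"]))

def ingress_verdict(chain_text: str, pkt: dict) -> str:
    """Walk the chain top-down like netfilter. Assumption: RETURN (back to sg-chain) means the group
    allows the packet; DROP and the jump to sg-fallback both mean it is dropped (default deny)."""
    for line in chain_text.strip().splitlines():
        _, match, target = parse_rule(line)
        if rule_matches(match, pkt):
            return "ALLOW" if target == "RETURN" else "DROP"
    return "ALLOW"  # end of chain = implicit RETURN; never reached while the fallback rule is last

if __name__ == "__main__":
    # Constructed packets: an SSH connection, a web probe, and a DHCP offer from a host that is not the subnet's DHCP server.
    for name, pkt in [("ssh", {"proto": "tcp", "src": "10.250.0.9", "dport": 22, "state": "NEW"}),
                      ("http", {"proto": "tcp", "src": "10.250.0.9", "dport": 80, "state": "NEW"}),
                      ("other dhcp", {"proto": "udp", "src": "192.168.101.99", "sport": 67, "dport": 68, "state": "NEW"})]:
        print(f"{name:11s} -> {ingress_verdict(INGRESS_CHAIN, pkt)}")
```

Note that the DHCP rule is pinned to the subnet's DHCP server address, so an offer from any other host on the user network falls through to the fallback chain.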
The admin creates a provider network with the allocation pool 10.250.0.50-10.250.0.70 (20 addresses)
It is attached to a virtual router
The virtual router is attached to a user private network
The router
◦has an address on the provider network (10.250.0.50)
◦has an address on the user network (192.168.101.1)
◦acts as a NAT
sudo ip netns exec qrouter-XXX bash
ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
27: qr-8110d0f8-64: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:98:f7:dd brd ff:ff:ff:ff:ff:ff
    inet 192.168.101.1/24 brd 192.168.101.255 scope global qr-8110d0f8-64
    inet6 fe80::f816:3eff:fe98:f7dd/64 scope link
       valid_lft forever preferred_lft forever
29: qg-64643e7a-3e: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether fa:16:3e:e9:46:1a brd ff:ff:ff:ff:ff:ff
    inet 10.250.0.50/24 brd 10.250.0.255 scope global qg-64643e7a-3e
    inet6 fe80::f816:3eff:fee9:461a/64 scope link
       valid_lft forever preferred_lft forever
ip route show
default via 10.250.0.3 dev qg-64643e7a-3e
10.250.0.0/24 dev qg-64643e7a-3e proto kernel scope link src 10.250.0.50
192.168.101.0/24 dev qr-8110d0f8-64 proto kernel scope link src 192.168.101.1
sudo iptables -t nat -nvL
…
Chain neutron-l3-agent-snat (1 references)
 pkts bytes target                       prot opt in  out  source             destination
   12   882 neutron-l3-agent-float-snat  all  --  *   *    0.0.0.0/0          0.0.0.0/0
    6   426 SNAT                         all  --  *   *    192.168.101.0/24   0.0.0.0/0    to:10.250.0.50
…
In some old OS docs «br-data» is called «br-ethX»
Using GRE tunnels, bridge br-data is called br-tun
Provider networks can currently be created only via CLI
◦The creation of a provider network requires specifying the physical network (mapped to a virtual bridge, connected to a physical network)
The netns/DHCP server are not implemented at their definition time, but only when a VM on that network is created
To ensure connectivity to a VM:
●The tenant user that booted the VM must have enabled the access by inserting the appropriate rules in the secgroups and then attaching the secgroup to the VM
●neutron-plugin must have inserted the correct OpenFlow rules in the OVS bridges (br-int, br-data, br-ex)
●The “dnsmasq” linux process (managed by neutron-dhcp) must be working properly as DHCP server for the VM
