Pushing Packets - How do the ML2 Mechanism Drivers Stack Up

James Denton – Network Architect
Twitter: @jimmdenton
Open Infrastructure Summit
Jonathan Almaleh – Network Architect
Twitter: @ckent99999
Denver, Colorado 2019
Pushing Packets:
How do the ML2 Drivers Stack Up

What is ML2
Mechanism Drivers
Comparisons
Summary
Agenda

In the beginning, there was the monolithic
plugin.
Using a monolithic plugin, operators were
limited to a single virtual networking
technology within a given cloud.
Writing new plugins was difficult, and often
resulted in duplicate code and efforts.
What is ML2

Around the Havana release, the Modular
Layer 2 (ML2) plugin was introduced.
By using the ML2 plugin and related
drivers, operators were no longer limited to
a single virtual networking technology
within a given cloud.
With the modular approach, developers
could focus on developing drivers for their
respective L2 mechanisms without having
to reimplement other components.
What is ML2

Type drivers:
Define how an OpenStack network is
realized. Examples are VLAN, VXLAN,
GENEVE, Flat, etc.
Mechanism drivers:
Are responsible for implementing the
network. Examples include Open
vSwitch, Linux Bridge, SR-IOV, etc.
What is ML2

What is ML2
Mechanism Drivers
Comparisons
Summary

Test Environment
iPerf Server (VM) / DUT
CPU 8-core Intel Xeon E5-2678 v3 @ 2.5 Ghz
Memory 16 GB
Operating System Ubuntu 18.04.2 LTS 4.15.0-47-generic
Mechanism Driver Network Driver (in VM)
Linux Bridge vhost_net
Open vSwitch +/- DPDK vhost_net
SR-IOV (Direct) mlx5_core
SR-IOV (Indirect) vhost_net
Open vSwitch + ASAP mlx5_core
VPP vhost_net
Compute Node Specs
CPU 2x 12-core Intel Xeon E5-2678 v3 @ 2.5 Ghz
Memory 64 GB
NIC Mellanox ConnectX-4 Lx EN (10/25)
Mellanox ConnectX-5 Ex (40/100)
Kernel Parameters GRUB_CMDLINE_LINUX="intel_iommu=on iommu=pt”
OpenStack Release Stein
iPerf Client / T-Rex Specs
CPU 2x 8-core Intel Xeon E5-2667 v2 @ 3.3 Ghz
Memory 128 GB
NIC Mellanox ConnectX-4 Lx EN (10/25)
Mellanox ConnectX-5 Ex (40/100)
Kernel Parameters GRUB_CMDLINE_LINUX="intel_iommu=on
iommu=pt”

Mechanism Drivers
Linux Bridge
Open vSwitch
Open vSwitch + DPDK
SR-IOV (Direct Mode)
SR-IOV (Indirect Mode)
Open vSwitch + ASAP2
Vector Packet Processing (VPP)

Linux Bridge
The Linux Bridge driver implements a single
Linux bridge per network on a given compute
node.
A bridge can be connected to a physical
interface, vlan interface, or vxlan interface,
depending on the network type.
brq0
Instance Instance

Linux Bridge
Requirements:
One or more network interfaces to be associated with provider
network(s)
An IP address to be used for overlay traffic (if applicable)
Mechanism Driver linuxbridge
Agent neutron-linuxbridge-agent
Communication AMQP (RabbitMQ)
Provider Network Mapping
10g 10g:ens1f0
25g 25g:ens1f1
40g 40g:ens3f0
100g 100g:ens3f1

Linux Bridge
brq10G brq25G brq40G brq100G
Instance
(iPerf Server)
Standalone Node
(iPerf Client)
Compute Node
9.93
18.7
20.4
21.9
9.91
23.9
38.3
69.8
0
25
50
75
100
10 Gbps 25 Gbps 40 Gbps 100 Gbps
Realized Throughput vs Baremetal
LXB Baremetal

Advantages Disadvantages
Supports overlay networking (VXLAN)
Easy to troubleshoot using well-known tools
Supports highly-available routers using VRRP
Supports bonding / LAG
Widely used / documented / supported
Kernel datapath
Iptables is likely in-path, even with port security disabled
Does not support distributed virtual routers
Does not support advanced services such as TaaS,
FWaaS v2, and others
Usually lags in new features compared to OVS
Linux Bridge

Open vSwitch
Open vSwitch is an open-source
virtual switch that connects virtual
network resources to the physical
network infrastructure.
The openvswitch mechanism
driver implements multiple OVS-
based virtual switches and uses
them for various purposes.
The integration bridge connects virtual
machine instances to local Layer 2 networks.
The tunnel bridge connects
Layer 2 networks between
compute nodes using
overlay networks such as
VXLAN or GRE.
The provider bridge
connects local Layer 2
networks to the physical
network infrastructure.
br-int
br-tun br-provider

Open vSwitch
Requirements:
network(s)
Packages not included with base install (e.g. openvswitch-
common, openvswitch-switch)
Mechanism Driver openvswitch
Agent neutron-openvswitch-agent
10g 10g:br-10g
25g 25g:br-25g
40g 40g:br-40g
100g 100g:br-100g

Open vSwitch
br-10G br-25G br-40G br-100G
Instance
(iPerf Server)
Standalone Node
(iPerf Client)
Compute Node
br-int
9.84
18.2 20.4
22.19.91
23.9
38.3
69.8
0
25
50
75
100
Realized Throughput vs Baremetal (iperf - P 4)
OVS Baremetal

Supports overlay networking (VXLAN, GRE)
Supports highly-available routers using VRRP, as well
as distributed virtual routers for better fault tolerance
Supports a more efficient openflow-based firewall in lieu
of Iptables
Supports advanced services such as TaaS, FWaaS v2,
etc.
Supports bonding / LAG
Widely used / documented / supported
Split Userspace/Kernel datapath
Uses a more convoluted command set
Interfaces may not be accessible using traditional tools
such as tcpdump, ifconfig, etc.
Open vSwitch

Open vSwitch + DPDK
Data Plane Development Kit, or DPDK, provides a
framework for applications to directly interact with
network hardware, bypassing the kernel and related
interrupts, system calls, and context switching.
Developers can create applications using DPDK, or
in the case of OpenStack Neutron, Open vSwitch is
the application leveraging DPDK – no user
interaction needed*.
* Ok, that’s not really true.
Image credit: https://blog.selectel.com/introduction-dpdk-architecture-principles/

Open vSwitch + DPDK
Requirements:
network(s)
Hugepage memory allocations and related flavors
Compatible network interface card (NIC)
NUMA awareness
OVS Binary with DPDK support (e.g. openvswitch-switch-dpdk)
10g 10g:br-10g
25g 25g:br-25g
40g 40g:br-40g
100g 100g:br-100g

Open vSwitch + DPDK
br-10G br-25G br-40G br-100G
Instance
(iPerf Server)
Standalone Node
(iPerf Client)
Compute Node
br-int
9.88
22
27.9 27.9
9.84
18.2 20.4 22.1
9.91
23.9
38.3
69.8
0
25
50
75
100
Realized Throughout vs Baremetal (iperf –P 4)
OVS + DPDK Vanilla OVS Baremetal

Supports overlay networking
Userspace datapath
Better performance compared to vanilla OVS
Uses a more convoluted command set
Interfaces may not be accessible using traditional tools
such as tcpdump, ifconfig, etc.
Non-instance ports are not performant, including those
used by DVR, FWaaS, and LBaaS
Hugepages required
Knowledge of NUMA topology required
One or more cores tied up for poll-mode drivers (PMDs)
OpenStack flavors require hugepages and CPU pinning
for best results
Open vSwitch + DPDK

SR-IOV allows a PCI device to separate
access to its resources, resulting in:
• Single pNIC / Physical Function (PF)
• Multiple vNICs / Virtual Function(s) (VF)
Mechanism Driver sriovnicswitch
Agent neutron-sriov-nic-agent
10g 10g:ens1f0
25g 25g:ens1f1
40g 40g:ens3f0
100g 100g:ens3f1

Instance
(iPerf Server)
Standalone Node
(iPerf Client)
Compute Node
VF
PF
9.91
23.9
37
70.3
9.91
23.9
38.3
69.8
0
25
50
75
100
Realized Throughput vs Baremetal (iperf –P 4)
SRIOV Baremetal

Traffic does not traverse kernel (direct to
instance)
Near line-rate performance
Live migration not supported (Work being done here)
Interfaces may not be accessible using traditional tools such
as tcpdump, ifconfig, etc. on the host
Only supports instance ports
Bonding / LAG not supported (Work being done here, too)
Port security / security groups not supported
Changes to workflow to create port ahead of instance (e.g.
vnic_type=direct)
Interface hotplugging not supported

SR-IOV (indirect mode) uses an intermediary device,
such as macvtap*, to provide connectivity to
instances. Rather than attaching the VF directly to
an instance, the VF is attached to a macvtap
interface which is then attached to the instance.
Mechanism Driver sriovnicswitch
Agent neutron-sriov-nic-agent
Image courtesy of https://www.fir3net.com/UNIX/Linux/what-is-macvtap.html
* NOT to be confused with the actual, ya know, macvtap mechanism driver.
10g 10g:ens1f0
25g 25g:ens1f1
40g 40g:ens3f0
100g 100g:ens3f1

Instance
(iPerf Server)
Standalone Node
(iPerf Client)
Compute Node
VF
PF
macvtap macvtap macvtap macvtap
9.9
16.5
20.9
19.6
9.91
23.9
38.3
69.8
0
25
50
75
100
Macvtap Baremetal

Live migration
Traffic visible via macvtap interface on
compute node
No additional setup beyond SR-IOV
Poor performance > 10G in tests
Changes to workflow to create port ahead
of instance (e.g. vnic_type=macvtap)
Performance benefits of SR-IOV lost

ASAP2 is a feature of certain Mellanox NICs, including
ConnectX-5 and some ConnectX-4 models, that offloads
Open vSwitch data-plane processing onto NIC hardware
using switchdev API.
ASAP2 leverages SR-IOV, iproute2, tc, and Open vSwitch to
provide this functionality.
10g 10g:br-10g
25g 25g:br-25g
40g 40g:br-40g
100g 100g:br-100g

Instance
(iPerf Server)
Standalone Node
(iPerf Client)
Compute Node
VF
PF
br-100G
HW eSwitch HW eSwitch HW eSwitch HW eSwitch
br-int
VF
Representor
9.91
24
35.7
73.6
9.91
23.9
38.3
69.8
0
25
50
75
100
OVS + ASAP Baremetal

Supports LAG / bonding at vSwitch level
Supports traffic mirroring via standard OVS
procedures (vs SRIOV Direct)
Majority of packet processing done in
hardware
Not officially supported on non-RHEL based
operating systems
The use of security groups / port security
means packet processing is NOT offloaded
(addressed in future updates)

Mechanism Drivers
Linux Bridge
Open vSwitch
Open vSwitch + DPDK
Macvtap (Indirect Mode)
Vector Packet Processing (VPP)

FD.io VPP
VPP is a software switch that works with DPDK to provide
very fast packet processing.
The networking-vpp project is responsible for providing
the mechanism driver to interface with the FD.io VPP
software switch.
Project URL:
https://wiki.openstack.org/wiki/Networking-vpp
Mechanism Driver vpp
Agent neutron-vpp-agent
Communication etcd
10g 10g:TwentyFiveGigabitEthernet4/0/0
25g 25g:TwentyFiveGigabitEthernet4/0/1
40g 40g:HundredGigabitEthernet8/0/0
100g 100g:HundredGigabitEthernet8/0/1

FD.io VPP
Instance
(iPerf Server)
Standalone Node
(iPerf Client)
Compute Node
VPP vSwitch
9.87
24.5
16.6 16.5
9.91
23.9 38.3
69.8
0
25
50
75
100
VPP Baremetal

Accelerated dataplane vs LXB and vanilla
OVS (Up thru 25G)
May still be considered experimental for the
greater community
May require recompile of DPDK + VPP to
support certain NICs, including Mellanox
Advanced services may not be supported
May require OFED, and particular versions
of DPDK and OVS
FD.io VPP

iPerf - 10 Gbps
0
2
4
6
8
10
VPPASAPMacvtapSRIOVDPDKOVSLXBBaremetal
Gbps
10 Gbps

iPerf - 25 Gbps
0
5
10
15
20
25
Gbps
25 Gbps

iPerf - 40 Gbps
0
5
10
15
20
25
30
35
40
Gbps
40 Gbps

iPerf - 100 Gbps
0
10
20
30
40
50
60
70
80
90
100
Gbps
100 Gbps

T-Rex
THE GOAL:
Pump as much traffic as we can to see how the respective
vSwitch performs compared to baremetal.

T-Rex – 10G
THE TEST:
• T-Rex sfr_delay_10_1G x 10
• 120 second total duration
• Initiates roughly 40,000 cps
• Pumps roughly 2,000,000 pps
DUT:
• Virtual Machine
• Ubuntu 18.04.2 LTS
• 8 cores
• 16 GB RAM
• Mellanox ConnectX-4 Lx EN
95.60% 94.15%
40.21%
0.89%
80.97%
0.88%
24.50%
0.00%
0%
25%
50%
75%
100%
LXB OVS DPDK SR-IOV Macvtap ASAP VPP Baremetal
PercentageDropped
(ShorterisBetter)
T-Rex – Packet Loss at 10G

T-Rex – 25G
THE TEST:
DUT:
• Virtual Machine
• 8 cores
• 16 GB RAM
• Mellanox ConnectX-4 Lx EN
99.31% 99.36%
76.32%
21.93%
93.28%
18.34%
67.37%
0.00%
0%
25%
50%
75%
100%
PercentageDropped
(ShorterisBetter)
T-Rex - Packet Loss at 25G

T-Rex – 40G
THE TEST:
DUT:
• Virtual Machine Instance
• 8 cores
• 16 GB RAM
• Mellanox ConnectX-5 Ex
98.77% 98.07%
82.09%
40.25%
96.58%
35.37%
80.24%
4.62%
0%
25%
50%
75%
100%
PercentageDropped
(ShorterisBetter)

T-Rex – 100G
THE TEST:
DUT:
• Virtual Machine Instance
• 8 cores
• 16 GB RAM
• Mellanox ConnectX-5 Ex
99.20% 98.73%
86.97%
54.13%
96.24%
53.56%
86.67%
22.48%
0%
25%
50%
75%
100%
PercentageDropped
(ShorterisBetter)

Summary
Performance isn’t everything
Operators who deploy OpenStack should consider many harder-to-quantify attributes of a given
mechanism driver and related technology, including:
Upstream support
Bug fix completion rate
Community adoption
Feature completeness
Hardware compatibility
Ease-of-support
LinuxBridge
Open vSwitch
SR-IOV (Direct)
SR-IOV (Indirect)
Open vSwitch + DPDK
Open vSwitch + ASAP
VPP

Summary
Tuning is almost always required
Parameter tuning can often lead to increases in performance for a given virtual switch, but:
Each vSwitch requires its own tweaks
Different workloads may need different settings
You can’t squeeze water from a stone

Summary
Hardware makes a difference
Newer generations of processors required for best performance
PCIe 4.0 to maximize 100G+ networking

Summary
The road less travelled can be a bumpy one
Less experience means you’re on your own
Testing is even more important

Summary
For best performance: For best support:
Open vSwitch + Hardware Offloading (e.g.
ASAP2)
Linux Bridge
Open vSwitch

Resources
DPDK: https://docs.openstack.org/neutron/stein/admin/config-ovs-dpdk.html
DPDK: https://doc.dpdk.org/guides/linux_gsg/index.html
OVS: https://superuser.openstack.org/articles/openvswitch-openstack-sdn/
T-Rex: https://trex-tgn.cisco.com/trex/doc/trex_manual.html
Offload: https://docs.openstack.org/neutron/stein/admin/config-ovs-offload.html
VPP: https://fd.io/wp-content/uploads/sites/34/2017/07/FDioVPPwhitepaperJuly2017.pdf
Acceleration: https://www.metaswitch.com/blog/accelerating-the-nfv-data-plane
ASAP: http://www.mellanox.com/related-docs/whitepapers/WP_SDNsolution.pdf
ASAP: https://www.mellanox.com/related-docs/prod_software/ASAP2_Hardware_Offloading_for_vSwitches_User_Manual_v4.4.pdf

Pushing Packets - How do the ML2 Mechanism Drivers Stack Up

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Pushing Packets - How do the ML2 Mechanism Drivers Stack Up

Similar to Pushing Packets - How do the ML2 Mechanism Drivers Stack Up (20)

Recently uploaded

Recently uploaded (20)

Pushing Packets - How do the ML2 Mechanism Drivers Stack Up

Editor's Notes