And finally...
I have worked out why I am seeing this behavior in the first place -
I was setting NeutronExternalNetworkBridge: "''" on my overcloud
deployment, which was correctly setting 'external_network_bridge = '
(unset) in my controllers enabling VLAN provider networks to work.
But when you enable DVR the setting also becomes relevant on the compute
nodes, and by default 'external_network_bridge = br-ex' was set on my
compute nodes (I found NeutronExternalNetworkBridge: "''" does not have
any impact on compute nodes). This bound the fg interfaces directly to
br-ex and not br-int, forcing me to apply the workaround of ovs fake
bridges.
So all I needed to do was unset 'external_network_bridge = ' on the
compute nodes and the fg interfaces bound to br-int and all worked.
Charles
On 21/03/2016 10:20, Charles Short wrote:
An update on this -
My issue was having to manually add the external VLAN tag to the fg
interface every time a new FIP namespace was created (FIP namespaces
are deleted when there are no more instances on a compute node with
floating IPs).
I discovered that you can create a virtual bridge within a bridge with
a default VLAN tag. So when a port is dynamically created in this new
bridge it automatically gets the external VLAN tag.
sudo ovs-vsctl add-br br-vlan1041 br-ex 1041
This solves the issue. I just point the neutron config to the new
external bridge and the fg ports get created on the new virtual bridge
tagged with 1041.
Charles
On 02/03/2016 09:34, Charles Short wrote:
> Hi,
>
> I have a simple single nic bare metal set up much like this -
>
> https://answers.launchpad.net/neutron/+question/228376
>
> Tenant networks are VLANs, and the external network a VLAN provider
> network.
> This enables me to have one bridge which allows the VLAN overlays to
> pass between nodes/physical switches, and importantly allows external
> access via floating ip through the external provider network VLAN.
>
> This was all working fine, but I wanted to install DVR. I saw that
> DVR functionality had relatively recently been added for VLAN
> overlays (Kilo and beyond).
>
> https://blueprints.launchpad.net/neutron/+spec/neutron-ovs-dvr-vlan
>
> So I enabled DVR, noting that for VLAN overlays l2population is not
> required.
> I created two instances, two tenant networks one with a normal router
> (non DVR) and one with a DVR router.
>
> I first tested SNAT on both. Worked fine (I could ping externally
> from the instances).
> I then applied a FIP to the non DVR routed instance. I could ping the
> instance from the external network, so all working fine.
>
> I then applied a FIP to the DVR routed instance. This is where the
> problems began. I could not ping externally from the instance, and I
> could not ping the instance from the external network.
> I looked at the traffic flow schematic outlined here for North/South
> FIP (allowing for the fact I am not using tunneling) -
>
> http://docs.openstack.org/liberty/networking-guide/scenario_dvr_ovs.html
>
> I noticed that the fg interface from the FIP namespace in my compute
> node was NOT attached to br-int as in the guide, but was attached to
> my VLAN bridge. This seemed odd.
> I thought that maybe this would have an effect on the tagging, so
> tried manually adding the tag for the external provider network VLAN
> to the fg port on the VLAN bridge
>
> ovs-vsctl set port fg-15df2853-c2 tag=1041
>
> Suddenly it all started working. I could now ping externally from
> the DVR routed instance, and I could ping the instance from the
> external network.
>
>
> Please can someone explain why I am seeing this behavior?
>
> Thanks
>
> Charles
>
--
Charles Short
Cloud Engineer
Virtualization and Cloud Team
European Bioinformatics Institute (EMBL-EBI)
Tel: +44 (0)1223 494205
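
Added example (not part of the thread, and not Neutron or TripleO code): a small check for the condition described in the top message, reporting when 'external_network_bridge' is still set on a compute node and when fg ports are attached to a bridge other than br-int. It assumes the option is read from the [DEFAULT] section of the L3 agent config (typically l3_agent.ini) and that bridge layout comes from `ovs-vsctl show` output; the sample inputs and the function names are constructed for illustration.

```python
import configparser
import re

# Constructed samples, not captured from a real node. Port and bridge names are
# the ones in the thread; reading the option from l3_agent.ini is an assumption.
SAMPLE_L3_INI = "[DEFAULT]\nexternal_network_bridge = br-ex\n"
SAMPLE_OVS_SHOW = '''\
    Bridge br-ex
        Port "fg-15df2853-c2"
            Interface "fg-15df2853-c2"
    Bridge br-int
        Port "qr-0a1b2c3d-4e"
            tag: 5
'''

def external_bridge_setting(ini_text):
    """Return external_network_bridge from [DEFAULT]: None if absent, '' if empty."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    value = cp.defaults().get("external_network_bridge")
    return None if value is None else value.strip().strip("'\"")

def fg_port_placement(show_output):
    """Map each fg- port in `ovs-vsctl show` output to (bridge, vlan_tag or None)."""
    placement, bridge, port = {}, None, None
    for line in show_output.splitlines():
        m = re.match(r'\s*(Bridge|Port|tag:)\s+"?([^"\s]+)"?\s*$', line)
        if not m:
            continue
        kind, value = m.groups()
        if kind == "Bridge":
            bridge, port = value, None
        elif kind == "Port":
            port = value
            if port.startswith("fg-"):
                placement[port] = (bridge, None)
        elif port in placement:  # a "tag:" line under an fg- port
            placement[port] = (bridge, int(value))
    return placement

def audit_compute_node(ini_text, show_output, integration_bridge="br-int"):
    """Return findings: option still set, or fg- ports off the integration bridge."""
    findings = []
    setting = external_bridge_setting(ini_text)
    if setting:
        findings.append(f"external_network_bridge is set to {setting!r}")
    for port, (bridge, tag) in sorted(fg_port_placement(show_output).items()):
        if bridge != integration_bridge:
            findings.append(f"{port} is on {bridge} (tag={tag}), not {integration_bridge}")
    return findings
```

On a node, feed it the contents of the agent config and the output of `sudo ovs-vsctl show`; an empty list means the option is unset and every fg port sits on br-int.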