HowTo Configure OpenStack L2 Gateway with Mellanox Spectrum Switch (VTEP)

    This post shows how to configure an OpenStack L2 Gateway setup using a Mellanox Spectrum switch.

    Overview

    L2 Gateway is a service plugin added to the OpenStack Networking (Neutron) services. An L2 Gateway is an entity or resource that bridges two L2 domains (or networks) into one seamless L2 broadcast domain.

    In the following use case the L2 gateway bridges a VXLAN network and a VLAN network, as shown in the figure below.

    The figure shows the IPs assigned to each component. The L2 Gateway agent configures the hardware VTEP database located on the switch according to the OpenStack network topology and the allocated VMs.

    All the configurations and commands used to setup the network are detailed below.

    Note: The IP assigned to the bare metal machine is in the same subnet as the IPs assigned to the OpenStack VMs (10.0.0.x in the example). In addition, the IP assigned to the OpenStack compute node port is in the same subnet as the switch port it is connected to (2.2.2.x in the example).

    The control plane (configuration) is handled by the OVSDB server on the switch, which OpenStack Neutron addresses through its JSON API rather than through CLI configuration. Neutron creates the Bare Metal (BM) server ports on the switch and attaches them to the VM network (over VXLAN); each VXLAN tunnel is mapped to a VLAN+port pair on the switch.

    MAC Address table

    In the direction from the BM server to the VMs, the switch holds the MACs of the VMs and answers ARP requests for them. You can think of it as a static configuration of ARP entries for each VM.

    In the other direction, from the VMs to the BM server, the ARP request is broadcast so the VMs learn the BM server's MAC dynamically.

    [Figure: Presentation1.jpg]

    Configuration

    For this setup a Mellanox Spectrum switch with image version 3.6.3502 or later and the OpenStack Ocata release were used.

    L2 Gateway installation

    The L2 Gateway agent can be installed using pip or, as done here, with DevStack. The project is located here: GitHub - openstack/networking-l2gw: APIs and implementations to support L2 Gateways in Neutron.

    In order to clone it, add the following line to the local.conf file.

    enable_plugin networking-l2gw https://github.com/openstack/networking-l2gw

    Additional information about L2 Gateway background and installation can be found here: https://wiki.openstack.org/wiki/Neutron/L2-GW#Use_Cases

    Switch Configuration

    switch (config) # enable
    switch (config) # configure terminal
    switch (config) # interface loopback 1 ip address 1.1.1.1/32 --> create a loopback interface to receive the VXLAN L3 tunneled packets
    switch (config) # ip routing vrf default --> enable IP routing
    switch (config) # protocol nve --> enable the NVE protocol
    switch (config) # interface nve 1 --> create an NVE interface
    switch (config interface nve 1) # vxlan source interface loopback 1 --> set the NVE interface to use loopback 1 as its VXLAN source
    switch (config) # interface ethernet 1/3 nve mode only force --> set the BM port to be associated with NVE
    switch (config) # interface ethernet 1/4 no switchport force --> set the VXLAN port to be a router port
    switch (config) # interface ethernet 1/4 ip address 2.2.2.1 255.255.255.0 --> assign an IP to the VXLAN port (same subnet as the VXLAN tunnel endpoint)
    switch (config) # ovs ovsdb server --> start the OVSDB server
    switch (config) # ovs ovsdb server listen tcp port 6640 --> set the OVSDB server listen port
    switch (config) # write memory --> write the configuration to memory

    Bare-metal interface configuration

    Create a VLAN interface and assign it an IP address in the same subnet as the OpenStack VMs:

    # ip link add link eth0 name ens3f0.8 type vlan id 8

    # ip addr add 10.0.0.24/26 dev ens3f0.8

    Openstack configuration

    Configure the OpenStack compute interface connected to the switch as follows:
    1. Assign an IP in the same subnet as the IP assigned to the connected switch port in the previous section, and route the loopback IP through the interface connected to the switch.

    # ip addr add 2.2.2.2/24 dev enp3s0f0
    # route add -net 1.1.1.1 netmask 255.255.255.255 gw 2.2.2.1

    2. The following commands update the switch's hardware VTEP DB:

    These commands create an L2 Gateway named MLNX-GW-ETH3 whose device is the switch's VTEP (vtep0) with the bare metal server port (eth3) as its interface. In addition, they map VLAN 8 to the private network of the VMs (VNI).

    # neutron l2-gateway-create --device name="vtep0",interface_names="eth3" MLNX-GW-ETH3
    # neutron l2-gateway-connection-create --default-segmentation-id 8 MLNX-GW-ETH3 private

    3. Add a security group rule allowing ICMP packets to reach the VM:

    # nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0

    local.conf:

    [[local|localrc]]
    RECLONE=false
    LOGFILE=/opt/stack/logs/stack.sh.log

    # Switch to Neutron
    disable_service n-net
    enable_service n-cond
    enable_service q-svc
    enable_service q-dhcp
    enable_service q-l3
    enable_service q-meta
    enable_service neutron

    # enable compute node services
    enable_service n-cpu
    enable_service q-agt

    # Disable cinder/heat/tempest for faster testing
    disable_service c-sch c-api c-vol h-eng h-api h-api-cfn h-api-cw tempest

    # Secrets
    ADMIN_PASSWORD=password
    DATABASE_PASSWORD=$ADMIN_PASSWORD
    RABBIT_PASSWORD=$ADMIN_PASSWORD
    SERVICE_PASSWORD=$ADMIN_PASSWORD
    SERVICE_TOKEN=a682f596-76f3-11e3-b3b2-e716f9080d50

    ## Use ML2 + OVS
    PHYSICAL_NETWORK=default

    # Set ML2 plugin + OVS agent
    Q_PLUGIN=ml2
    Q_AGENT=openvswitch

    # Set ML2 mechanism drivers to OVS
    Q_ML2_PLUGIN_MECHANISM_DRIVERS=openvswitch,l2population

    # Set type drivers
    Q_ML2_PLUGIN_TYPE_DRIVERS=flat,vlan,vxlan

    # Use Neutron security groups
    Q_USE_SECGROUP=True

    # Set possible tenant network types
    Q_ML2_TENANT_NETWORK_TYPE=flat,vlan,vxlan
    HOST_IP=10.209.32.109

    # Simple GRE tunnel configuration -- overrides extra opts
    ENABLE_TENANT_TUNNELS=True

    # L2GW
    enable_plugin networking-l2gw https://github.com/openstack/networking-l2gw
    enable_service l2gw-plugin l2gw-agent
    OVSDB_HOSTS=ovsdb1:10.209.80.33:6640

    mlnx_dev=02:00
    mlnx_port=enp3s0f0
    PUBLIC_INTERFACE=${mlnx_port}
    PHYSICAL_INTERFACE=${mlnx_port}
    OVS_PHYSICAL_BRIDGE=br-$mlnx_port

    [[post-config|/$Q_PLUGIN_CONF_FILE]]
    [vxlan]
    l2_population = True
    enable_vxlan = True
    [agent]
    tunnel_types=vxlan
    l2_population=True
    vxlan_udp_port=4789
    [ovs]
    tunnel_bridge=br-tun
    local_ip = 2.2.2.2
    [[post-config|$NOVA_CONF]]
    [DEFAULT]
    scheduler_available_filters=nova.scheduler.filters.all_filters
    scheduler_default_filters = RetryFilter, AvailabilityZoneFilter, RamFilter, ComputeFilter, ComputeCapabilitiesFilter, ImagePropertiesFilter, PciPassthroughFilter
    pci_passthrough_whitelist ={"'"address"'":"'"*:'"${mlnx_dev}"'.*"'","'"physical_network"'":"'"default"'"}

    How to validate the L2 Gateway installation

    To dump the hardware VTEP database, run the following command from any machine with network access to the switch:

    # ovsdb-client dump --pretty tcp:<switch_ip>:6640 hardware_vtep

    The output should look similar to the following (depending on the assigned IPs and number of ports):

    ACL table
    id acl_entries acl_fault_status acl_name
    ----- ----------- ---------------- --------

    ACL_entry table
    _uuid acle_fault_status action dest_ip dest_mac dest_mask dest_port_max dest_port_min direction ethertype icmp_code icmp_type protocol sequence source_ip source_mac source_mask source_port_max source_port_min tcp_flags tcp_flags_mask
    ----- ----------------- ------ ------- -------- --------- ------------- ------------- --------- --------- --------- --------- -------- -------- --------- ---------- ----------- --------------- --------------- --------- --------------

    Arp_Sources_Local table
    _uuid locator src_mac
    ----- ------- -------

    Arp_Sources_Remote table
    _uuid locator src_mac
    ----- ------- -------

    Global table
    _uuid managers switches
    ------------------------------------ -------- --------------------------------------
    47927954-5124-4a18-9434-049f7f41a5b7 [] [da9f2821-09f9-4c2f-beb9-4174de6fdd3b]

    Logical_Binding_Stats table
    _uuid bytes_from_local bytes_to_local packets_from_local packets_to_local
    ------------------------------------ ---------------- -------------- ------------------ ----------------
    ef1dc78d-ac5c-4804-b3e9-649f2d435e9c 2822346 5709962 20764 88835

    Logical_Router table
    LR_fault_status _uuid acl_binding description name static_routes switch_binding
    --------------- ----- ----------- ----------- ---- ------------- --------------

    Logical_Switch table
    _uuid description name tunnel_key
    ------------------------------------ ----------- -------------------------------------- ----------
    128cf0c6-dfc7-47ce-8d4d-cc29b672ba34 private "6be6cf3b-56c1-4f9e-b9e1-3a2f98e7bf06" 33

    Manager table
    _uuid inactivity_probe is_connected max_backoff other_config status target
    ----- ---------------- ------------ ----------- ------------ ------ ------

    Mcast_Macs_Local table
    MAC _uuid ipaddr locator_set logical_switch
    ----------- ------------------------------------ ------ ------------------------------------ ------------------------------------
    unknown-dst a39cdd30-3817-4a6f-abb9-7627bc0360e8 "" bc94782a-17cd-441e-a7f9-3bca39b49496 128cf0c6-dfc7-47ce-8d4d-cc29b672ba34

    Mcast_Macs_Remote table
    MAC _uuid ipaddr locator_set logical_switch
    ----------- ------------------------------------ ------ ------------------------------------ ------------------------------------
    unknown-dst b098a853-0da3-44ec-8cea-c57b86bce530 "" 1e060e3f-c7b7-4885-94bb-ba5b063ce20d 128cf0c6-dfc7-47ce-8d4d-cc29b672ba34

    Physical_Locator table
    _uuid dst_ip encapsulation_type
    ------------------------------------ --------- ------------------
    e5b3826b-0005-4cfa-8bac-e9f693cc3715 "1.1.1.1" "vxlan_over_ipv4"
    82bcef2f-1a8e-4191-b4b2-3255fdd6849c "2.2.2.2" "vxlan_over_ipv4"

    Physical_Locator_Set table
    _uuid locators
    ------------------------------------ --------------------------------------
    1e060e3f-c7b7-4885-94bb-ba5b063ce20d [82bcef2f-1a8e-4191-b4b2-3255fdd6849c]
    bc94782a-17cd-441e-a7f9-3bca39b49496 [e5b3826b-0005-4cfa-8bac-e9f693cc3715]

    Physical_Port table
    _uuid acl_bindings description name port_fault_status vlan_bindings vlan_stats
    ------------------------------------ ------------ ----------- ------ ----------------- ---------------------------------------- ----------------------------------------
    070e59bc-ed70-4965-9519-dbec59b31033 {} "" "eth3" [] {1=128cf0c6-dfc7-47ce-8d4d-cc29b672ba34} {1=ef1dc78d-ac5c-4804-b3e9-649f2d435e9c}

    Physical_Switch table
    _uuid description management_ips name ports switch_fault_status tunnel_ips tunnels
    ------------------------------------ ------------------- -------------- ------- -------------------------------------- ------------------- ----------- --------------------------------------
    da9f2821-09f9-4c2f-beb9-4174de6fdd3b "OVS VTEP Emulator" [] "vtep0" [070e59bc-ed70-4965-9519-dbec59b31033] [] ["1.1.1.1"] [58c2e509-f2ea-41e5-b12d-7a7c1d22a8eb]

    Tunnel table
    _uuid bfd_config_local bfd_config_remote bfd_params bfd_status local remote
    ------------------------------------ ----------------------------------------------------------- ----------------- ---------- ----------------- ------------------------------------ ------------------------------------
    58c2e509-f2ea-41e5-b12d-7a7c1d22a8eb {bfd_dst_ip="169.254.1.0", bfd_dst_mac="00:23:20:00:00:01"} {} {} {enabled="false"} e5b3826b-0005-4cfa-8bac-e9f693cc3715 82bcef2f-1a8e-4191-b4b2-3255fdd6849c

    Ucast_Macs_Local table
    MAC _uuid ipaddr locator logical_switch
    ------------------- ------------------------------------ ------ ------------------------------------ ------------------------------------
    "7c:fe:90:29:23:36" b5155023-cf6f-45ff-a2e0-3ebba9d5db8b "" e5b3826b-0005-4cfa-8bac-e9f693cc3715 128cf0c6-dfc7-47ce-8d4d-cc29b672ba34

    Ucast_Macs_Remote table
    MAC _uuid ipaddr locator logical_switch
    ------------------- ------------------------------------ ------------------- ------------------------------------ ------------------------------------
    "fa:16:3e:26:96:a7" 91618bd9-3662-45d0-978c-97ed6659b8e6 "fdaa:e376:52b7::1" 82bcef2f-1a8e-4191-b4b2-3255fdd6849c 128cf0c6-dfc7-47ce-8d4d-cc29b672ba34
    "fa:16:3e:77:89:90" 5878f85d-9ddc-428d-84f0-87cc34d0e2cb "10.0.0.9" 82bcef2f-1a8e-4191-b4b2-3255fdd6849c 128cf0c6-dfc7-47ce-8d4d-cc29b672ba34
    "fa:16:3e:57:32:99" 5878f85d-9ddc-428d-84f0-87cc34d0e2cb "10.0.0.8" 82bcef2f-1a8e-4191-b4b2-3255fdd6849c 128cf0c6-dfc7-47ce-8d4d-cc29b672ba34
    "fa:16:3e:79:d2:11" 01e25a76-b403-430e-bdf1-b33c8bdf2bee "10.0.0.1" 82bcef2f-1a8e-4191-b4b2-3255fdd6849c 128cf0c6-dfc7-47ce-8d4d-cc29b672ba34
    "fa:16:3e:94:66:0d" 891cf889-ac79-4dac-99b4-e6ec6611a988 "10.0.0.2" 82bcef2f-1a8e-4191-b4b2-3255fdd6849c 128cf0c6-dfc7-47ce-8d4d-cc29b672ba34
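As an added check (example code, not part of the original post or of the networking-l2gw project), the following Python script asks the switch's OVSDB server for three of the hardware_vtep tables shown above over JSON-RPC, then verifies that the bare-metal port's VLAN is bound to the VM network's logical switch and lists the remote VM MAC/IP pairs the switch holds for it. The sample rows are constructed to mirror the dump above; the switch IP, port 6640, the table names and the "private" description come from this page, and the request/reply shapes are those of the OVSDB JSON-RPC protocol.

```python
"""Query the switch's hardware_vtep OVSDB over JSON-RPC and check the L2GW bindings."""
import json
import socket
import sys

# Constructed sample rows, shaped like an OVSDB "select" reply, mirroring the dump above.
LS = ["uuid", "128cf0c6-dfc7-47ce-8d4d-cc29b672ba34"]
SAMPLE_RESULT = [
    {"rows": [{"name": "eth3", "vlan_bindings": ["map", [[1, LS]]]}]},
    {"rows": [{"_uuid": LS, "description": "private", "tunnel_key": 33}]},
    {"rows": [{"MAC": "fa:16:3e:77:89:90", "ipaddr": "10.0.0.9", "logical_switch": LS}]},
]

def build_request(request_id=0):
    """One 'transact' with three selects: BM ports, logical switches, remote VM MACs."""
    ops = [{"op": "select", "table": t, "where": []}
           for t in ("Physical_Port", "Logical_Switch", "Ucast_Macs_Remote")]
    return {"method": "transact", "params": ["hardware_vtep", *ops], "id": request_id}

def ovsdb_transact(host, port, request):
    """Send the request over plain TCP and return the matching reply's result."""
    decoder, buf = json.JSONDecoder(), ""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(json.dumps(request).encode())
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                raise ConnectionError("OVSDB server closed the connection")
            buf = (buf + chunk.decode()).lstrip()
            while buf:
                try:
                    msg, end = decoder.raw_decode(buf)
                except json.JSONDecodeError:
                    break  # message incomplete, read more
                buf = buf[end:].lstrip()
                if msg.get("id") == request["id"]:  # skip server 'echo' etc.
                    if msg.get("error"):
                        raise RuntimeError(msg["error"])
                    return msg["result"]

def check_bindings(result, vlan, ls_description):
    """Return (VLAN bound to that logical switch?, sorted remote (MAC, IP) pairs it holds)."""
    ports, switches, macs = (r["rows"] for r in result)
    ls_uuid = next((s["_uuid"][1] for s in switches if s["description"] == ls_description), None)
    bound = any(k == vlan and ref[1] == ls_uuid for p in ports for k, ref in p["vlan_bindings"][1])
    pairs = sorted((m["MAC"], m["ipaddr"]) for m in macs if m["logical_switch"][1] == ls_uuid)
    return bound, pairs

if __name__ == "__main__":  # usage: python check_l2gw.py <switch_ip>
    print(check_bindings(ovsdb_transact(sys.argv[1], 6640, build_request()), 8, "private"))
```

The listener configured above (ovs ovsdb server listen tcp port 6640) is plaintext TCP with no authentication, so whatever can reach that port can read and rewrite the VTEP database; keep the switch management network reachable only from the Neutron controller and your validation hosts. The remote (MAC, IP) pairs returned are exactly the static ARP entries the MAC address table section describes, so a missing VM here explains a failed ping from the bare metal side.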

    Get the switch running-config

    switch (config) # enable
    switch (config) # configure terminal
    switch (config) # show running-config

    The expected configuration should look like this:

    ##
    ## L3 configuration
    ##
    ip routing vrf default
    interface ethernet 1/4 no switchport force
    interface loopback 1
    interface ethernet 1/4 ip address 2.2.2.1 255.255.255.0
    interface loopback 1 ip address 1.1.1.1 255.255.255.255

    ##
    ## NVE configurations
    ##
    protocol nve
    interface nve 1
    interface nve 1 vxlan source interface loopback 1
    interface ethernet 1/7 nve mode only force
    ovs ovsdb server
    ovs ovsdb server listen tcp

    Finally, check that ping works from the bare metal to the VMs and vice versa.

    Troubleshooting

    1. VLAN IDs 0 and 1 cannot be assigned to the bare-metal ports; this limitation comes from the ARP responder implementation.

    Original article: https://www.cnblogs.com/dream397/p/13225295.html