Chandan Dutta Chowdhury, Juniper Networks
InStackers Meeting
Network Virtualization with Quantum
Agenda
Overview and use case of Network virtualization
Quantum Overview
Network Isolation at Layer 2 in Quantum
Quantum L3 isolation
Security groups
Overview and use case of Network virtualization
“Network virtualization is the process of combining hardware and software network resources and network functionality into a single, software-based administrative entity, a virtual network. Network virtualization involves platform virtualization, often combined with resource virtualization.” - Wikipedia
Single tier deployment
All VMs connect to a Linux bridge, which is uplinked to the switch using a physical NIC on the server.
[Diagram: a physical server whose VMs attach to one bridge, uplinked through the NIC]
2 tier deployment
Use case: we have a web server and a DB server and don’t want to provide direct access to the DB server.
[Diagram: a physical server with the WWW and Database VMs on two bridges, one bridge uplinked through the NIC and the other internal]
VMs on multiple Physical servers
[Diagram: the Database and WWW VMs on separate physical servers; each server has one bridge and NIC on the Public Network and a second bridge and NIC on the Private Network]
Multi Tenants VMs on multiple Physical servers
[Diagram: several tenants’ VMs spread over two physical servers, each NIC connected to a switch, with a private network spanning the servers]
Introduction to Quantum
Features
Provides network as a service to connect the VMs in the cloud
Self-service API for virtual network creation
Provides features such as L2 isolation, L3 isolation, firewalls, load balancers etc.
Implementation
Supports various networking modes
Exposes REST APIs
Provides a plug-in based architecture to support different vendor-provided networking equipment
Extensions are supported to add functionality in addition to the core APIs
OpenStack big picture
Quantum Architecture
[Diagram of the Quantum architecture: Quantum server with REST API and Extensions, a Database, a Plug-in, a Message Queue, Agents and the Network Device]
Quantum network modes
Single Flat Network
Mixed Flat and Private Network
Provider Router with Private Networks
Quantum Core APIs
Network: Create network, Update network, Delete network, List network, Show network
Subnet: Create Subnet, Update Subnet, Delete Subnet, List Subnet, Show Subnet
Port: Create Port, Update Port, Delete Port, List Port, Show Port
Network. An isolated virtual layer-2 domain. A network can also be a virtual, or logical, switch.
Subnet. An IP version 4 or version 6 address block from which IP addresses that are assigned to VMs on a specified network are selected.
Port. A virtual, or logical, switch port on a specified network.
Network Isolation at Layer 2 in Quantum
Quantum creates an isolated L2 domain per virtual network.
On the backend it uses a combination of the following to provide the isolated L2 domain:
VLANs
GRE tunnels
Linux Bridges
OVS
CLI
quantum net-create net1
quantum subnet-create net1 10.0.0.0/24
quantum port-create --fixed-ip subnet_id=<subnet-id>,ip_address=192.168.57.101 <net-id>
Linux Bridge based virtual networks
A sub-interface is created per virtual network (each virtual network being represented by a VLAN).
A separate bridge per network is used to connect that network’s VMs to each other.
[Diagram: two Nova Compute hosts, each with three Linux bridges attached to the VLAN sub-interfaces vlan10, vlan20 and vlan30 on the NIC]
OVS based virtual network
A VLAN is created in OVS per virtual network.
[Diagram: two Nova Compute hosts, each running OVS with Vlan 10, Vlan 20 and Vlan 30 on the NIC]
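The isolation property behind both the Linux bridge and the OVS slides is the same: the VLAN id belongs to the network, the port inherits it, and frames only reach ports on the same VLAN. The following model is an added example written for this page, not Quantum code; network ids, port ids and MAC addresses are constructed, and the single-host switch it simulates stands in for the per-network bridges and VLAN sub-interfaces of one compute node.

```python
"""Model of VLAN-based L2 isolation, as the Linux bridge and OVS plug-ins realise it.

Constructed example, not Quantum code: one VLAN id per virtual network on the
compute host's uplink, one bridge per network, and every VM port inherits the
VLAN of the network it was created on. Names and addresses are invented.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    payload: str
    vlan: Optional[int] = None  # 802.1Q tag; set by the host, never taken from the VM


class ComputeHost:
    """Bridges and VLAN sub-interfaces of one Nova Compute node."""

    def __init__(self) -> None:
        self.network_vlan: Dict[str, int] = {}        # net-id -> VLAN id (allocated by the plug-in)
        self.port_network: Dict[str, str] = {}        # port-id -> net-id
        self.port_mac: Dict[str, str] = {}            # port-id -> VM MAC
        self.received: Dict[str, List[Frame]] = {}    # port-id -> frames delivered to the VM

    def net_create(self, net_id: str, vlan: int) -> None:
        self.network_vlan[net_id] = vlan

    def port_create(self, port_id: str, net_id: str, mac: str) -> None:
        if net_id not in self.network_vlan:
            raise KeyError(f"unknown network {net_id}")
        self.port_network[port_id] = net_id
        self.port_mac[port_id] = mac
        self.received[port_id] = []

    def send(self, from_port: str, frame: Frame) -> List[str]:
        """A VM emits a frame on its port; returns the ports that received it."""
        vlan = self.network_vlan[self.port_network[from_port]]
        # The tag comes from the sending port's network. Any tag already present
        # in the VM's frame is replaced, so a VM cannot select another network.
        tagged = Frame(frame.src_mac, frame.dst_mac, frame.payload, vlan=vlan)
        receivers: List[str] = []
        for port, net in self.port_network.items():
            if port == from_port:
                continue
            if self.network_vlan[net] != tagged.vlan:
                continue  # other virtual network: separate bridge, separate VLAN
            if tagged.dst_mac not in (BROADCAST, self.port_mac[port]):
                continue  # unicast addressed to someone else on this L2 domain
            self.received[port].append(tagged)
            receivers.append(port)
        return receivers


def demo() -> Dict[str, List[str]]:
    """Two tenants' networks on one host: traffic stays within its VLAN."""
    host = ComputeHost()
    host.net_create("net1", vlan=10)
    host.net_create("net2", vlan=20)
    host.port_create("web", "net1", "fa:16:3e:00:00:01")
    host.port_create("db", "net1", "fa:16:3e:00:00:02")
    host.port_create("other-tenant", "net2", "fa:16:3e:00:00:03")

    results: Dict[str, List[str]] = {}
    # ARP-style broadcast from web: only db, which shares VLAN 10, sees it
    results["broadcast"] = host.send("web", Frame("fa:16:3e:00:00:01", BROADCAST, "who-has 10.0.0.2"))
    # A tag written by the VM itself (20) is overwritten by the host: delivery is unchanged
    results["vm_tag"] = host.send("web", Frame("fa:16:3e:00:00:01", BROADCAST, "who-has", vlan=20))
    # Unicast to the other tenant's MAC never crosses the VLAN boundary
    results["cross_unicast"] = host.send("web", Frame("fa:16:3e:00:00:01", "fa:16:3e:00:00:03", "hello"))
    return results


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name}: delivered to {ports or 'nobody'}")
```

The check worth keeping in mind when reviewing a real deployment is the one in `send`: the tag must be applied by the host (sub-interface or OVS port) from the port's network, so that nothing the guest puts on the wire influences which L2 domain the frame lands in.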
Quantum Plug-in and Extensions
Plug-ins
Quantum plug-ins are used to configure the vendor-provided switch for virtual networking.
Extensions
Extensions are used to provide new or experimental functionality in Quantum.
Extensions provide a way to extend the APIs provided by Quantum, e.g. L3 functionality in Quantum is provided as an extension.
Advanced Networking Concepts
Quantum L3 networking extension
The L3 extension allows the creation of routers to connect two or more networks.
[Diagram: Router1 connecting Net1, Net2 and Net3 (one VM each) at Layer 3 above the Layer 2 networks, with a NIC towards the Gateway]
Quantum L3 isolation
Layer 3 networking: Virtual Routers
The default implementation of the router uses Linux network namespaces.
A router can also be used to provide external connectivity and NAT functionality.
[Diagram: the two-tier deployment (Database and WWW VMs, bridges, NIC) on one physical server with a Router between the networks]
Quantum L3 CLI
quantum router-create router1
quantum router-interface-add router1 <subnet1-uuid>
quantum router-interface-add router1 <subnet2-uuid>
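What the router-interface-add commands above buy in terms of isolation is easiest to see by modelling each virtual router as its own routing table, which is what a per-router network namespace gives the default implementation. The following is an added example written for this page, not Quantum code; the subnet ids, CIDRs, gateway address and peer addresses are constructed, and the SNAT behaviour is reduced to rewriting the source address on the way out.

```python
"""Model of Quantum virtual routers and L3 isolation.

Constructed example, not Quantum code. Each router is modelled as its own
routing table, standing in for the Linux network namespace the default
implementation gives it. Subnet ids, CIDRs and addresses are invented.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Verdict = Tuple[str, Optional[str], str]  # (decision, egress interface, source as it leaves)


@dataclass
class Router:
    name: str
    interfaces: Dict[str, ipaddress.IPv4Network] = field(default_factory=dict)  # subnet-id -> CIDR
    external_gateway: Optional[ipaddress.IPv4Address] = None                    # SNAT source for outbound

    def interface_add(self, subnet_id: str, cidr: str) -> None:
        """Counterpart of: quantum router-interface-add <router> <subnet-id>"""
        self.interfaces[subnet_id] = ipaddress.ip_network(cidr)

    def gateway_set(self, address: str) -> None:
        """External connectivity: a default route plus SNAT to this address."""
        self.external_gateway = ipaddress.ip_address(address)

    def forward(self, src: str, dst: str) -> Verdict:
        """Decide what this router does with one packet."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Only attached subnets can hand packets to this router at all
        if not any(s in net for net in self.interfaces.values()):
            return ("drop", None, src)
        # Longest-prefix match over the attached subnets (ordinary routing)
        candidates = [(net.prefixlen, sid) for sid, net in self.interfaces.items() if d in net]
        if candidates:
            _, out = max(candidates)
            return ("forward", out, src)
        # Nothing attached matches: default route via the gateway, with SNAT
        if self.external_gateway is not None:
            return ("forward", "external", str(self.external_gateway))
        return ("drop", None, src)


def demo() -> Dict[str, Verdict]:
    r1 = Router("router1")
    r1.interface_add("subnet1", "10.0.0.0/24")
    r1.interface_add("subnet2", "10.0.1.0/24")
    r1.gateway_set("172.24.4.10")

    r2 = Router("router2")  # another tenant: its own namespace, its own table
    r2.interface_add("subnet3", "10.0.2.0/24")

    return {
        # WWW on subnet1 reaching the database on subnet2: same router, routed
        "web_to_db": r1.forward("10.0.0.5", "10.0.1.7"),
        # outbound to the internet: leaves via the gateway carrying the SNAT address
        "web_to_internet": r1.forward("10.0.0.5", "203.0.113.9"),
        # the other tenant aiming at the database: router2 has no route there and no gateway
        "tenant2_to_db": r2.forward("10.0.2.8", "10.0.1.7"),
        # a packet whose source is not one of router1's subnets is not routed at all
        "unknown_source": r1.forward("10.0.2.8", "10.0.1.7"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The two drop cases are the L3 isolation the slide refers to: a tenant's subnets are only reachable through a router that has an interface on them, and a router with a gateway set still only sends non-local traffic out through the external network, never sideways into another router's namespace.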
Security groups
Security groups and security group rules allow administrators and tenants to specify the type of traffic and direction (ingress/egress) that is allowed to pass through a port. A security group is a named set of rules that get applied to the incoming packets for the instances.
By default this group will drop all ingress traffic and allow all egress.
[Diagram: the two-tier deployment (Database and WWW VMs, bridges, NIC and Router) on one physical server]
Security Groups CLI
quantum security-group-list
quantum security-group-rule-create --direction ingress --protocol tcp --port_range_min 80 --port_range_max 80 <security_group_uuid>
quantum port-create <network_id> --security_groups list=true <security_group_id> <security_group_id>
quantum port-update <port_id> --security_groups=None
quantum security-group-rule-list
quantum security-group-rule-delete <security_group_rule_uuid>
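The rule created above (ingress, tcp, port 80) and the port created with two groups are enough to work through how a port's filter is evaluated. The model below is an added example written for this page, not Quantum code. It goes slightly beyond the slide: rules also carry a remote IP prefix, and the port-create with several groups is modelled as the union of their rules, both of which hold for Quantum security groups. Group names, addresses and ports are constructed.

```python
"""Security group evaluation as a port's packet filter.

Constructed example, not Quantum code. Rules are direction, optional protocol,
optional port range and a remote IP prefix; a port carries one or more groups
whose rules are unioned. Names, addresses and ports are invented.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    direction: str                        # "ingress" or "egress"
    protocol: Optional[str] = None        # None matches any protocol
    port_range_min: Optional[int] = None
    port_range_max: Optional[int] = None
    remote_ip_prefix: str = "0.0.0.0/0"   # peer addresses the rule applies to


@dataclass(frozen=True)
class Packet:
    direction: str   # as seen from the VM port
    protocol: str
    port: int        # destination port
    remote_ip: str   # the peer: source for ingress, destination for egress


def default_group() -> List[Rule]:
    """The default group of the slide: no ingress rule (so all ingress drops), all egress allowed."""
    return [Rule(direction="egress")]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.port_range_min is not None:
        high = rule.port_range_max if rule.port_range_max is not None else rule.port_range_min
        if not rule.port_range_min <= pkt.port <= high:
            return False
    return ipaddress.ip_address(pkt.remote_ip) in ipaddress.ip_network(rule.remote_ip_prefix)


def port_allows(groups: List[List[Rule]], pkt: Packet) -> bool:
    """Rules only ever allow. All groups attached to the port are unioned and a
    packet matching none of their rules is dropped."""
    return any(rule_matches(rule, pkt) for group in groups for rule in group)


def demo() -> Dict[str, bool]:
    web = [Rule("ingress", "tcp", 80, 80)]  # the rule from the CLI above
    admin = [Rule("ingress", "tcp", 22, 22, remote_ip_prefix="10.0.1.0/24")]  # SSH from one subnet only

    www_port = [default_group(), web, admin]   # port-create with several security groups
    db_port = [default_group()]                # the database keeps only the default group

    return {
        "http_to_www": port_allows(www_port, Packet("ingress", "tcp", 80, "198.51.100.7")),
        "ssh_to_www_from_mgmt": port_allows(www_port, Packet("ingress", "tcp", 22, "10.0.1.9")),
        "ssh_to_www_from_internet": port_allows(www_port, Packet("ingress", "tcp", 22, "198.51.100.7")),
        "www_egress": port_allows(www_port, Packet("egress", "tcp", 443, "198.51.100.7")),
        # no ingress rule on the database port: even the web server's request is dropped here
        "http_to_db": port_allows(db_port, Packet("ingress", "tcp", 3306, "10.0.0.5")),
        "db_egress": port_allows(db_port, Packet("egress", "udp", 53, "10.0.0.2")),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'drop'}")
```

Two things follow from the union semantics in `port_allows`: adding a group to a port can only widen what is accepted, never narrow it, and the default group's behaviour (drop ingress, allow egress) is simply the absence of any ingress rule rather than an explicit deny.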
THANK YOU ALL