Hi all,

I have done some work on neutron with ovn, and I found that dnat_and_snat with an external mac is not available for vms that are attached to the same logical router.

How to reproduce it:

The topology looks like this:

Logical switch: sw1 --------- logical router: r1 --------- logical switch: sw2

Scene 1:

vm1: attached to sw1 and resides on node1 (fixed_ip: 66.66.66.101, FIP: 172.90.0.100/fa:16:3e:e3:a1:f5).
vm2: attached to sw1 and resides on node2 (fixed_ip: 66.66.66.45).
router gateway: resides on node3 (172.90.0.102).

1.1) vm2 pinging the FIP of vm1 is unsuccessful. There is no SNAT for the request packet; vm1 considers it a same-segment packet and replies. vm2 drops the reply packet from vm1 because src-ip is not established.

tcpdump for nic of node2:

    9a:63:53:54:e5:4f > fa:16:3e:e3:a1:f5, ethertype 802.1Q (0x8100), length 102: vlan 2901, p 0, ethertype IPv4, 66.66.66.45 > 172.90.0.100: ICMP echo request, id 28673, seq 54240, length 64
    fa:16:3e:c1:0b:f7 > fa:16:3e:85:e1:85, ethertype 802.1Q (0x8100), length 102: vlan 1147, p 0, ethertype IPv4, 66.66.66.101 > 66.66.66.45: ICMP echo reply, id 28673, seq 54240, length 64

tcpdump for nic of node1:

    9a:63:53:54:e5:4f > fa:16:3e:e3:a1:f5, ethertype 802.1Q (0x8100), length 102: vlan 2901, p 0, ethertype IPv4, 66.66.66.45 > 172.90.0.100: ICMP echo request, id 28673, seq 54132, length 64
    fa:16:3e:c1:0b:f7 > fa:16:3e:85:e1:85, ethertype 802.1Q (0x8100), length 102: vlan 1147, p 0, ethertype IPv4, 66.66.66.101 > 66.66.66.45: ICMP echo reply, id 28673, seq 54132, length 64

1.2) After live-migrating vm2 to node3, where the gateway resides, vm2 pinging the FIP of vm1 is successful.

Scene 2:

vm1: attached to sw1 and resides on node1 (fixed_ip: 66.66.66.101, FIP: 172.90.0.100/fa:16:3e:e3:a1:f5).
vm3: attached to sw2 and resides on node2 (fixed_ip: 77.77.77.64).
router gateway: resides on node3 (172.90.0.102).

2.1) vm3 pinging the FIP of vm1 is unsuccessful.

tcpdump for nic of node2:

    9a:63:53:54:e5:4f > fa:16:3e:e3:a1:f5, ethertype 802.1Q (0x8100), length 102: vlan 2901, p 0, ethertype IPv4, 77.77.77.64 > 172.90.0.100: ICMP echo request, id 28673, seq 358, length 64

tcpdump for nic of node1:

    ce:05:16:96:4d:43 > fa:16:3e:3e:97:67, ethertype 802.1Q (0x8100), length 102: vlan 1150, p 0, ethertype IPv4, 66.66.66.101 > 77.77.77.64: ICMP echo reply, id 28673, seq 87, length 64

2.2) After live-migrating vm3 to node3, where the gateway resides, vm3 pinging the FIP of vm1 is successful.

I found two logical flows in r1:

lr_in_arp_resolve in ingress: if the next hop is the FIP, modify the dst-mac to the external mac of the FIP:

    table=14(lr_in_arp_resolve ), priority=100 , match=(outport == "lrp-85ac07a7-d9d7-4ddf-923b-59298d76d968" && reg0 == 172.90.0.100), action=(eth.dst = fa:16:3e:e3:a1:f5; next)

lr_out_snat in egress: snat for the subnet should be done on the node where the gateway resides:

    table=1 (lr_out_snat ), priority=153 , match=(ip && ip4.src == 66.66.66.0/24 && outport == "lrp-85ac07a7-d9d7-4ddf-923b-59298d76d968" && is_chassis_resident("cr-lrp-85ac07a7-d9d7-4ddf-923b-59298d76d968")), action=(ct_snat(172.90.0.102))

Summary: If two vms are reachable from each other east-west under a router, and the source vm is not on the node where the gateway resides, dnat_and_snat with the external mac of the destination vm is not available for the source vm. Because there is no SNAT conversion for the request packet, the reply message is processed as east-west traffic.
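
The asymmetry visible in the captures above (an echo request addressed to the FIP, answered from the fixed IP) can be flagged mechanically. The following is an added example, not part of the original post or of OVN; the function name `find_nat_mismatches` and the `HEALTHY_CAPTURE` sample are assumptions made for illustration, while `NODE2_CAPTURE` is copied from the post.

```python
import re

# Matches the IPv4/ICMP part of a `tcpdump -e` line; finditer() is used so
# records that were run together on one line are still found.
ICMP_RE = re.compile(
    r"ethertype IPv4, (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def find_nat_mismatches(capture):
    """Return echo replies whose addresses do not mirror their request."""
    requests = {}      # (icmp id, seq) -> (src, dst) of the request
    mismatches = []
    for m in ICMP_RE.finditer(capture):
        key = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "request":
            requests[key] = (m["src"], m["dst"])
            continue
        if key not in requests:
            continue   # reply without a captured request: nothing to compare
        req_src, req_dst = requests[key]
        if (m["src"], m["dst"]) != (req_dst, req_src):
            mismatches.append({
                "id": key[0], "seq": key[1],
                "expected_reply_src": req_dst,   # address the sender pinged
                "actual_reply_src": m["src"],    # address seen on the wire
                "reply_dst": m["dst"],
            })
    return mismatches

# Scene 1 capture on node2, copied from the post above.
NODE2_CAPTURE = """\
9a:63:53:54:e5:4f > fa:16:3e:e3:a1:f5, ethertype 802.1Q (0x8100), length 102: vlan 2901, p 0, ethertype IPv4, 66.66.66.45 > 172.90.0.100: ICMP echo request, id 28673, seq 54240, length 64
fa:16:3e:c1:0b:f7 > fa:16:3e:85:e1:85, ethertype 802.1Q (0x8100), length 102: vlan 1147, p 0, ethertype IPv4, 66.66.66.101 > 66.66.66.45: ICMP echo reply, id 28673, seq 54240, length 64
"""

# Constructed sample (not from the post): a reply that mirrors its request.
HEALTHY_CAPTURE = """\
ethertype IPv4, 66.66.66.45 > 172.90.0.100: ICMP echo request, id 1, seq 1, length 64
ethertype IPv4, 172.90.0.100 > 66.66.66.45: ICMP echo reply, id 1, seq 1, length 64
"""

if __name__ == "__main__":
    for hit in find_nat_mismatches(NODE2_CAPTURE):
        print(hit)
```

Requests and replies are paired by ICMP id and sequence number, so both directions have to be present in the same capture; the scene 2 captures in the post show different sequence numbers on each node and would not pair.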