Re: [openstack-dev] [neutron] Does neutron support QinQ(vlan transparent) ?
Awesome! Thanks, I'll take some time to review this patch. We can discuss it deeper during the review.

At 2018-08-08 14:59:21, "Bence Romsics" wrote:
>Hi,
>
>Just about a week ago Li Zhouzhou pushed a change for review to
>support vlan transparency with ovs too (building on the relatively new
>QinQ support in ovs):
>
>https://review.openstack.org/576687
>
>I did not get time to look into the patch deeper yet, but I guess
>reviews are always welcome. I also cc-ed this mail so he/she can chime
>in.
>
>Cheers,
>Bence Romsics
>On Tue, Aug 7, 2018 at 1:32 PM Sean Mooney wrote:
>>
>> TL;DR
>> it won't work with the ovs agent but "should" work with linux bridge.
>> see full message below for details.
>> regards
>> sean.
>>
>> the linux bridge agent supports the vlan_transparent option only when
>> creating networks with an l3 segmentation type e.g. vxlan, gre...
>>
>> ovs using the neutron l2 agent does not support vlan_transparent
>> networks because of how that agent uses vlans for tenant isolation on
>> the br-int.
>>
>> it is possible to achieve vlan transparency with ovs using an sdn
>> controller such as odl or ovn but that was not what you asked in your
>> question so i won't expand on that further.
>>
>> if you deploy openstack with linux bridge networking and then create a
>> tenant network of type vxlan with vlan_transparancy set to true and
>> your tenants generate QinQ traffic with an mtu reduced so that it will
>> fit within the vxlan tunnel unfragmented then yes it should be possible,
>> however you may need to disable port_security/security groups on the
>> port as i'm not sure if the iptables firewall driver will correctly
>> handle this case.
>>
>> an alternative to disabling security groups would be to add an explicit
>> rule that matched on the ethernet type and allowed QinQ traffic on
>> ingress and egress from the vm.
>>
>> as far as i am aware this is not tested in the gate so while it should
>> work the lack of documentation and test coverage means you will
>> likely be one of the first to test it if you
>> choose to do so and it may fail for many reasons.
>>
>>
>> On 7 August 2018 at 09:15, Frank Wang wrote:
>> > Hello folks,
>> >
>> > I noted that the API already has the vlan_transparent attribute in the
>> > network. Do neutron-agents (linux-bridge, openvswitch) support QinQ? I
>> > didn't find any reference materials that could guide me on how to use or
>> > configure it.
>> >
>> > Thanks for your time reading this. Any comments would be appreciated.

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [neutron] Does neutron support QinQ(vlan transparent) ?
Hi,

Just about a week ago Li Zhouzhou pushed a change for review to
support vlan transparency with ovs too (building on the relatively new
QinQ support in ovs):

https://review.openstack.org/576687

I did not get time to look into the patch deeper yet, but I guess
reviews are always welcome. I also cc-ed this mail so he/she can chime
in.

Cheers,
Bence Romsics

On Tue, Aug 7, 2018 at 1:32 PM Sean Mooney wrote:
>
> TL;DR
> it won't work with the ovs agent but "should" work with linux bridge.
> see full message below for details.
> regards
> sean.
>
> the linux bridge agent supports the vlan_transparent option only when
> creating networks with an l3 segmentation type e.g. vxlan, gre...
>
> ovs using the neutron l2 agent does not support vlan_transparent
> networks because of how that agent uses vlans for tenant isolation on
> the br-int.
>
> it is possible to achieve vlan transparency with ovs using an sdn
> controller such as odl or ovn but that was not what you asked in your
> question so i won't expand on that further.
>
> if you deploy openstack with linux bridge networking and then create a
> tenant network of type vxlan with vlan_transparancy set to true and
> your tenants generate QinQ traffic with an mtu reduced so that it will
> fit within the vxlan tunnel unfragmented then yes it should be possible,
> however you may need to disable port_security/security groups on the
> port as i'm not sure if the iptables firewall driver will correctly
> handle this case.
>
> an alternative to disabling security groups would be to add an explicit
> rule that matched on the ethernet type and allowed QinQ traffic on
> ingress and egress from the vm.
>
> as far as i am aware this is not tested in the gate so while it should
> work the lack of documentation and test coverage means you will
> likely be one of the first to test it if you
> choose to do so and it may fail for many reasons.
>
>
> On 7 August 2018 at 09:15, Frank Wang wrote:
> > Hello folks,
> >
> > I noted that the API already has the vlan_transparent attribute in the
> > network. Do neutron-agents (linux-bridge, openvswitch) support QinQ? I
> > didn't find any reference materials that could guide me on how to use or
> > configure it.
> >
> > Thanks for your time reading this. Any comments would be appreciated.
Re: [openstack-dev] [neutron] Does neutron support QinQ(vlan transparent) ?
Thanks for your detailed explanation, Sean.

Actually, I'm more concerned with how the ovs l2 agent uses vlans for tenant isolation on the br-int. I wanna discuss it deeper here. Please correct me if I understand something wrong.

Is there any way to make the ovs l2 agent support QinQ? For example, I believe QinQ is also a kind of tunnel encapsulation, like vxlan, gre, and I think we can implement it using the Hierarchical Port Binding technique. It would need two-level bindings (of course, it needs two mechanism drivers): the top-level binding for the service vlan, the lower-level binding for the customer vlan. The br-int is responsible for the customer vlan, the br-tun is responsible for the service vlan. Is it feasible? Please feel free to leave any ideas.

Thanks

At 2018-08-07 19:32:44, "Sean Mooney" wrote:
>TL;DR
>it won't work with the ovs agent but "should" work with linux bridge.
>see full message below for details.
>regards
>sean.
>
>the linux bridge agent supports the vlan_transparent option only when
>creating networks with an l3 segmentation type e.g. vxlan, gre...
>
>ovs using the neutron l2 agent does not support vlan_transparent
>networks because of how that agent uses vlans for tenant isolation on
>the br-int.
>
>it is possible to achieve vlan transparency with ovs using an sdn
>controller such as odl or ovn but that was not what you asked in your
>question so i won't expand on that further.
>
>if you deploy openstack with linux bridge networking and then create a
>tenant network of type vxlan with vlan_transparancy set to true and
>your tenants generate QinQ traffic with an mtu reduced so that it will
>fit within the vxlan tunnel unfragmented then yes it should be possible,
>however you may need to disable port_security/security groups on the
>port as i'm not sure if the iptables firewall driver will correctly
>handle this case.
>
>an alternative to disabling security groups would be to add an explicit
>rule that matched on the ethernet type and allowed QinQ traffic on
>ingress and egress from the vm.
>
>as far as i am aware this is not tested in the gate so while it should
>work the lack of documentation and test coverage means you will
>likely be one of the first to test it if you
>choose to do so and it may fail for many reasons.
>
>
>On 7 August 2018 at 09:15, Frank Wang wrote:
>> Hello folks,
>>
>> I noted that the API already has the vlan_transparent attribute in the
>> network. Do neutron-agents (linux-bridge, openvswitch) support QinQ? I
>> didn't find any reference materials that could guide me on how to use or
>> configure it.
>>
>> Thanks for your time reading this. Any comments would be appreciated.
Re: [openstack-dev] [neutron] Does neutron support QinQ(vlan transparent) ?
TL;DR
it won't work with the ovs agent but "should" work with linux bridge.
see full message below for details.
regards
sean.

the linux bridge agent supports the vlan_transparent option only when
creating networks with an l3 segmentation type e.g. vxlan, gre...

ovs using the neutron l2 agent does not support vlan_transparent
networks because of how that agent uses vlans for tenant isolation on
the br-int.

it is possible to achieve vlan transparency with ovs using an sdn
controller such as odl or ovn but that was not what you asked in your
question so i won't expand on that further.

if you deploy openstack with linux bridge networking and then create a
tenant network of type vxlan with vlan_transparancy set to true and
your tenants generate QinQ traffic with an mtu reduced so that it will
fit within the vxlan tunnel unfragmented then yes it should be possible,
however you may need to disable port_security/security groups on the
port as i'm not sure if the iptables firewall driver will correctly
handle this case.

an alternative to disabling security groups would be to add an explicit
rule that matched on the ethernet type and allowed QinQ traffic on
ingress and egress from the vm.

as far as i am aware this is not tested in the gate so while it should
work the lack of documentation and test coverage means you will
likely be one of the first to test it if you
choose to do so and it may fail for many reasons.

On 7 August 2018 at 09:15, Frank Wang wrote:
> Hello folks,
>
> I noted that the API already has the vlan_transparent attribute in the
> network. Do neutron-agents (linux-bridge, openvswitch) support QinQ? I
> didn't find any reference materials that could guide me on how to use or
> configure it.
>
> Thanks for your time reading this. Any comments would be appreciated.
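
The frame-size and EtherType points in the message above, as an added example that is not part of the original thread: a Python sketch that reads the VLAN tag stack of an Ethernet frame (the EtherTypes an explicit rule would have to match) and checks whether a QinQ frame still fits a VXLAN tunnel unfragmented. It assumes an IPv4 underlay; all function names are hypothetical and the sample frames are constructed.

```python
import struct

# Standard TPIDs: 802.1ad service tag (S-tag) and 802.1Q customer tag (C-tag).
TPID_8021AD, TPID_8021Q = 0x88A8, 0x8100
# Assumption: IPv4 underlay. Encapsulation counted against the underlay IP MTU:
# outer IP (20) + UDP (8) + VXLAN (8). The outer Ethernet header is not counted.
VXLAN_IP_OVERHEAD = 20 + 8 + 8


def parse_tags(frame: bytes):
    """Return ([(tpid, vid), ...], inner_ethertype, l3_payload_len)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset, tags = 12, []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in (TPID_8021AD, TPID_8021Q):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, next_type = struct.unpack_from("!HH", frame, offset + 2)
        tags.append((ethertype, tci & 0x0FFF))  # low 12 bits of TCI = VLAN ID
        offset, ethertype = offset + 4, next_type
    return tags, ethertype, len(frame) - (offset + 2)


def classify(frame: bytes) -> str:
    """Label a frame by the depth of its VLAN tag stack."""
    tags, _, _ = parse_tags(frame)
    if len(tags) >= 2:
        return "qinq"
    return "single-tagged" if tags else "untagged"


def fits_in_vxlan(frame: bytes, underlay_mtu: int = 1500) -> bool:
    """True if the whole tenant frame fits in one VXLAN packet, unfragmented."""
    return len(frame) + VXLAN_IP_OVERHEAD <= underlay_mtu


def max_tenant_mtu(underlay_mtu: int, vlan_tags: int) -> int:
    """Largest tenant L3 MTU whose frames still fit the tunnel."""
    return underlay_mtu - VXLAN_IP_OVERHEAD - 14 - 4 * vlan_tags


def build_frame(tag_stack, ethertype: int, payload_len: int) -> bytes:
    """Constructed sample frame: zeroed MACs, given tag stack, zero payload."""
    hdr = bytes(12)
    for tpid, vid in tag_stack:
        hdr += struct.pack("!HH", tpid, vid)
    return hdr + struct.pack("!H", ethertype) + bytes(payload_len)
```

On a 1500-byte underlay, a QinQ guest that keeps the usual 1450-byte VXLAN tenant MTU overshoots the tunnel by 8 bytes, which is why the MTU has to be reduced further for double-tagged traffic.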
[openstack-dev] [neutron] Does neutron support QinQ(vlan transparent) ?
Hello folks,

I noted that the API already has the vlan_transparent attribute in the network. Do neutron-agents (linux-bridge, openvswitch) support QinQ? I didn't find any reference materials that could guide me on how to use or configure it.

Thanks for your time reading this. Any comments would be appreciated.