Re: [ovs-discuss] Port Groups and DHCP lflows

2018-07-05 Thread Han Zhou
On Thu, Jul 5, 2018 at 3:15 PM, Daniel Alvarez  wrote:

>
>
> On 5 Jul 2018, at 23:34, Han Zhou  wrote:
>
>
>
> On Thu, Jul 5, 2018 at 6:00 AM, Daniel Alvarez Sanchez <
> dalva...@redhat.com> wrote:
> >
> > Hi Han, all
> >
> > While implementing Port Groups in OpenStack I have noticed that we are
> > duplicating the lflows for the DHCP now with the current code. Seeking for
> > advice here:
> >
> > When we create a Neutron subnet, I'm creating a Port Group with the ACL
> > for the DHCP:
> >
> > _uuid   : 7f2b64eb-090b-4bb4-85fd-09576329c21b
> > action  : allow
> > direction   : from-lport
> > external_ids: {}
> > log : false
> > match   : "inport == @pg_12070130_e7f0_47a7_aee2_cde2064e7a28
> > && ip4 && ip4.dst == {255.255.255.255, 192.168.1.0/24} && udp && udp.src
> > == 68 && udp.dst == 67"
> > name: []
> > priority: 1002
> > severity: []
> >
> >
> > This generates the proper lflow in the Logical_Flow table:
> >
> > _uuid   : a2a970ec-82ee-4474-bf0e-43f1cdedd7ed
> > actions : "next;"
> > external_ids: {source="ovn-northd.c:3192",
> > stage-hint="7f2b64eb", stage-name=ls_in_acl}
> > logical_datapath: e1bdb553-5bbf-4b76-a19d-cf385612a3ff
> > match   : "inport == @pg_12070130_e7f0_47a7_aee2_cde2064e7a28
> > && ip4 && ip4.dst == {255.255.255.255, 192.168.1.0/24} && udp && udp.src
> > == 68 && udp.dst == 67"
> > pipeline: ingress
> > priority: 2002
> > table_id: 6
> > hash: 0
> >
> >
> > However, all the ports belonging in that subnet also have a lflow for
> > DHCP (different stages though)
> >
> > _uuid   : f159803f-6b8d-4c8a-9339-b89ee267c2eb
> > actions : "next;"
> > external_ids: {source="ovn-northd.c:2579",
> > stage-name=ls_in_port_sec_ip}
> > logical_datapath: 2b3126db-74d4-48a1-9e81-192066748de6
> > match   : "inport == \"240edf21-5a9c-4edd-98b5-8dadc343b9de\"
> > && eth.src == fa:16:3e:07:85:91 && ip4.src == 0.0.0.0 && ip4.dst ==
> > 255.255.255.255 && udp.src == 68 && udp.dst == 67"
> > pipeline: ingress
> > priority: 90
> > table_id: 1
> > hash: 0
> >
> >
> > My questions are:
> >
> > 1) Do I really need to create the Port Group for every subnet just to
> > take care of the DHCP?
>
> Yes, I think it is the right way to do in networking-ovn. Otherwise, we
> will have to create per-port ACL to allow DHCP. The example you gave above
> are NOT redundant flows, as you mentioned they are in different stages (for
> different purposes), and they will end up as ovs flows in different ovs
> flow tables.
>
> > 2) We have per-port DHCP lflows, is it worth to implement port groups
> > around them too?
>
> For the per-port DHCP flows in port-security stage, they can't be
> "grouped" because eth.src is in match condition, which is different for
> each port.
>
> Oh absolutely! For my 1K ports test using 6 security group rules, the
> number of ACLs went down from 9000 to 197 while the number of lflows went
> down from 34000 to 22000.
> The time to create a port in OVN went down from 0.35-0.40 to 0.1-0.15
> seconds.
>

That's a 60 ~ 70% improvement. Sounds great and thanks for sharing!
Did we get the benefit of conjunction with fewer OVS flows, too?

> Still Neutron ML2 is the bottleneck in the OpenStack case.
>
> Thanks Han! My bad for not realizing, sorry
>
> >
> > Thanks!
> > Daniel
> >
>
>
___
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
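
An added example, not part of any message in this thread and not OVN or networking-ovn code: it shows why the ACL-stage DHCP match collapses into a single port-group match while the port-security match cannot, since every port-security match carries a different eth.src. The port names, MACs, the group name pg_example and the per-port form of the ACL are constructed assumptions modelled on the records quoted above.

```python
import re

# Protocol part of the DHCP allow ACL, copied from the match quoted in the thread.
DHCP_ACL = ("ip4 && ip4.dst == {255.255.255.255, 192.168.1.0/24} "
            "&& udp && udp.src == 68 && udp.dst == 67")

# A quoted logical port name in an inport term.
INPORT = re.compile(r'inport == "[^"]+"')


def sample_ports(count):
    """Constructed (logical port name, MAC) pairs; not real Neutron ports."""
    return [("lsp-%04d" % i, "fa:16:3e:00:%02x:%02x" % (i >> 8, i & 0xFF))
            for i in range(count)]


def per_port_acl_match(port):
    """Assumed per-port form of the ACL, i.e. what a port group replaces."""
    name, _mac = port
    return 'inport == "%s" && %s' % (name, DHCP_ACL)


def port_sec_match(port):
    """Match shaped like the ls_in_port_sec_ip lflow quoted in the thread."""
    name, mac = port
    return ('inport == "%s" && eth.src == %s && ip4.src == 0.0.0.0 && '
            'ip4.dst == 255.255.255.255 && udp.src == 68 && udp.dst == 67'
            % (name, mac))


def collapse_to_group(matches, group):
    """Swap each inport term for @group and keep the distinct results."""
    return sorted({INPORT.sub("inport == @" + group, m) for m in matches})


def summarize(count=1000, group="pg_example"):
    """Count distinct matches left after grouping, for both stages."""
    ports = sample_ports(count)
    acl = collapse_to_group([per_port_acl_match(p) for p in ports], group)
    sec = collapse_to_group([port_sec_match(p) for p in ports], group)
    return {"ports": count, "acl_matches": len(acl),
            "port_sec_matches": len(sec)}


if __name__ == "__main__":
    print(summarize())
```
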


Re: [ovs-discuss] Port Groups and DHCP lflows

2018-07-05 Thread Daniel Alvarez


> On 5 Jul 2018, at 23:34, Han Zhou  wrote:
> 
> 
> 
> On Thu, Jul 5, 2018 at 6:00 AM, Daniel Alvarez Sanchez  
> wrote:
> >
> > Hi Han, all
> >
> > While implementing Port Groups in OpenStack I have noticed that we are 
> > duplicating the lflows for the DHCP now with the current code. Seeking for 
> > advice here:
> >
> > When we create a Neutron subnet, I'm creating a Port Group with the ACL for 
> > the DHCP:
> >
> > _uuid   : 7f2b64eb-090b-4bb4-85fd-09576329c21b
> > action  : allow
> > direction   : from-lport
> > external_ids: {}
> > log : false
> > match   : "inport == @pg_12070130_e7f0_47a7_aee2_cde2064e7a28 
> > && ip4 && ip4.dst == {255.255.255.255, 192.168.1.0/24} && udp && udp.src == 
> > 68 && udp.dst == 67"
> > name: []
> > priority: 1002
> > severity: []
> >
> >
> > This generates the proper lflow in the Logical_Flow table:
> >
> > _uuid   : a2a970ec-82ee-4474-bf0e-43f1cdedd7ed
> > actions : "next;"
> > external_ids: {source="ovn-northd.c:3192", stage-hint="7f2b64eb", 
> > stage-name=ls_in_acl}
> > logical_datapath: e1bdb553-5bbf-4b76-a19d-cf385612a3ff
> > match   : "inport == @pg_12070130_e7f0_47a7_aee2_cde2064e7a28 
> > && ip4 && ip4.dst == {255.255.255.255, 192.168.1.0/24} && udp && udp.src == 
> > 68 && udp.dst == 67"
> > pipeline: ingress
> > priority: 2002
> > table_id: 6
> > hash: 0
> >
> >
> > However, all the ports belonging in that subnet also have a lflow for DHCP 
> > (different stages though)
> >
> > _uuid   : f159803f-6b8d-4c8a-9339-b89ee267c2eb
> > actions : "next;"
> > external_ids: {source="ovn-northd.c:2579", 
> > stage-name=ls_in_port_sec_ip}
> > logical_datapath: 2b3126db-74d4-48a1-9e81-192066748de6
> > match   : "inport == \"240edf21-5a9c-4edd-98b5-8dadc343b9de\" 
> > && eth.src == fa:16:3e:07:85:91 && ip4.src == 0.0.0.0 && ip4.dst == 
> > 255.255.255.255 && udp.src == 68 && udp.dst == 67"
> > pipeline: ingress
> > priority: 90
> > table_id: 1
> > hash: 0
> >
> >
> > My questions are:
> >
> > 1) Do I really need to create the Port Group for every subnet just to take 
> > care of the DHCP?
> 
> Yes, I think it is the right way to do in networking-ovn. Otherwise, we will 
> have to create per-port ACL to allow DHCP. The example you gave above are NOT 
> redundant flows, as you mentioned they are in different stages (for different 
> purposes), and they will end up as ovs flows in different ovs flow tables.
> 
> > 2) We have per-port DHCP lflows, is it worth to implement port groups 
> > around them too?
> 
> For the per-port DHCP flows in port-security stage, they can't be "grouped" 
> because eth.src is in match condition, which is different for each port.
> 
Oh absolutely! For my 1K ports test using 6 security group rules, the number of 
ACLs went down from 9000 to 197 while the number of lflows went down from 34000 
to 22000.
The time to create a port in OVN went down from 0.35-0.40 to 0.1-0.15 seconds.
Still Neutron ML2 is the bottleneck in the OpenStack case.

Thanks Han! My bad for not realizing, sorry 
> >
> > Thanks!
> > Daniel
> >


Re: [ovs-discuss] Port Groups and DHCP lflows

2018-07-05 Thread Han Zhou
On Thu, Jul 5, 2018 at 6:00 AM, Daniel Alvarez Sanchez 
wrote:
>
> Hi Han, all
>
> While implementing Port Groups in OpenStack I have noticed that we are
> duplicating the lflows for the DHCP now with the current code. Seeking for
> advice here:
>
> When we create a Neutron subnet, I'm creating a Port Group with the ACL
> for the DHCP:
>
> _uuid   : 7f2b64eb-090b-4bb4-85fd-09576329c21b
> action  : allow
> direction   : from-lport
> external_ids: {}
> log : false
> match   : "inport == @pg_12070130_e7f0_47a7_aee2_cde2064e7a28
> && ip4 && ip4.dst == {255.255.255.255, 192.168.1.0/24} && udp && udp.src ==
> 68 && udp.dst == 67"
> name: []
> priority: 1002
> severity: []
>
>
> This generates the proper lflow in the Logical_Flow table:
>
> _uuid   : a2a970ec-82ee-4474-bf0e-43f1cdedd7ed
> actions : "next;"
> external_ids: {source="ovn-northd.c:3192", stage-hint="7f2b64eb",
> stage-name=ls_in_acl}
> logical_datapath: e1bdb553-5bbf-4b76-a19d-cf385612a3ff
> match   : "inport == @pg_12070130_e7f0_47a7_aee2_cde2064e7a28
> && ip4 && ip4.dst == {255.255.255.255, 192.168.1.0/24} && udp && udp.src ==
> 68 && udp.dst == 67"
> pipeline: ingress
> priority: 2002
> table_id: 6
> hash: 0
>
>
> However, all the ports belonging in that subnet also have a lflow for
> DHCP (different stages though)
>
> _uuid   : f159803f-6b8d-4c8a-9339-b89ee267c2eb
> actions : "next;"
> external_ids: {source="ovn-northd.c:2579",
> stage-name=ls_in_port_sec_ip}
> logical_datapath: 2b3126db-74d4-48a1-9e81-192066748de6
> match   : "inport == \"240edf21-5a9c-4edd-98b5-8dadc343b9de\"
> && eth.src == fa:16:3e:07:85:91 && ip4.src == 0.0.0.0 && ip4.dst ==
> 255.255.255.255 && udp.src == 68 && udp.dst == 67"
> pipeline: ingress
> priority: 90
> table_id: 1
> hash: 0
>
>
> My questions are:
>
> 1) Do I really need to create the Port Group for every subnet just to
> take care of the DHCP?

Yes, I think it is the right way to do in networking-ovn. Otherwise, we
will have to create per-port ACL to allow DHCP. The example you gave above
are NOT redundant flows, as you mentioned they are in different stages (for
different purposes), and they will end up as ovs flows in different ovs
flow tables.

> 2) We have per-port DHCP lflows, is it worth to implement port groups
> around them too?

For the per-port DHCP flows in port-security stage, they can't be "grouped"
because eth.src is in match condition, which is different for each port.

>
> Thanks!
> Daniel
>


[ovs-discuss] Port Groups and DHCP lflows

2018-07-05 Thread Daniel Alvarez Sanchez
Hi Han, all

While implementing Port Groups in OpenStack I have noticed that we are
duplicating the lflows for the DHCP now with the current code. Seeking for
advice here:

When we create a Neutron subnet, I'm creating a Port Group with the ACL for
the DHCP:

_uuid               : 7f2b64eb-090b-4bb4-85fd-09576329c21b
action              : allow
direction           : from-lport
external_ids        : {}
log                 : false
match               : "inport == @pg_12070130_e7f0_47a7_aee2_cde2064e7a28 && ip4 && ip4.dst == {255.255.255.255, 192.168.1.0/24} && udp && udp.src == 68 && udp.dst == 67"
name                : []
priority            : 1002
severity            : []


This generates the proper lflow in the Logical_Flow table:

_uuid               : a2a970ec-82ee-4474-bf0e-43f1cdedd7ed
actions             : "next;"
external_ids        : {source="ovn-northd.c:3192", stage-hint="7f2b64eb", stage-name=ls_in_acl}
logical_datapath    : e1bdb553-5bbf-4b76-a19d-cf385612a3ff
match               : "inport == @pg_12070130_e7f0_47a7_aee2_cde2064e7a28 && ip4 && ip4.dst == {255.255.255.255, 192.168.1.0/24} && udp && udp.src == 68 && udp.dst == 67"
pipeline            : ingress
priority            : 2002
table_id            : 6
hash                : 0


However, all the ports belonging in that subnet also have a lflow for DHCP
(different stages though)

_uuid               : f159803f-6b8d-4c8a-9339-b89ee267c2eb
actions             : "next;"
external_ids        : {source="ovn-northd.c:2579", stage-name=ls_in_port_sec_ip}
logical_datapath    : 2b3126db-74d4-48a1-9e81-192066748de6
match               : "inport == \"240edf21-5a9c-4edd-98b5-8dadc343b9de\" && eth.src == fa:16:3e:07:85:91 && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && udp.src == 68 && udp.dst == 67"
pipeline            : ingress
priority            : 90
table_id            : 1
hash                : 0


My questions are:

1) Do I really need to create the Port Group for every subnet just to take
care of the DHCP?
2) We have per-port DHCP lflows, is it worth to implement port groups
around them too?

Thanks!
Daniel