<font size=2 face="sans-serif">Hi MartinX,</font><br><br><font size=2 face="sans-serif">I think you can move p2 to net1 and
p3 to net4, or you can put p1, p2, p3 and p4 in the same network.</font><br><font size=2 face="sans-serif"><br><br><br>Regards,<br>Juno Zhu<br>IBM China Development Labs (CDL) Cloud IaaS Lab<br>Email: nazhu@cn.ibm.com<br>5F, Building 10, 399 Keyuan Road, Zhangjiang Hi-Tech Park, Pudong New District,
Shanghai, China (201203)</font><br><br><br><br><font size=1 color=#5f5f5f face="sans-serif">From:
</font><font size=1 face="sans-serif">Cathy Zhang <Cathy.H.Zhang@huawei.com></font><br><font size=1 color=#5f5f5f face="sans-serif">To:
</font><font size=1 face="sans-serif">"OpenStack Development
Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>,
"martinx.banszel@intel.com" <martinx.banszel@intel.com></font><br><font size=1 color=#5f5f5f face="sans-serif">Date:
</font><font size=1 face="sans-serif">2016/06/22 02:36</font><br><font size=1 color=#5f5f5f face="sans-serif">Subject:
</font><font size=1 face="sans-serif">Re: [openstack-dev]
networking-sfc: unable to use SFC (ovs driver) with multiple networks</font><br><hr noshade><br><br><br><tt><font size=2>Hi MartinX,<br><br>I sent you a reply on 6/14. <br><br>Cathy<br><br>-----Original Message-----<br>From: Banszel, MartinX [</font></tt><a href=mailto:martinx.banszel@intel.com><tt><font size=2>mailto:martinx.banszel@intel.com</font></tt></a><tt><font size=2>]
<br>Sent: Thursday, June 16, 2016 4:49 AM<br>To: 'openstack-dev@lists.openstack.org'<br>Subject: [openstack-dev] networking-sfc: unable to use SFC (ovs driver)
with multiple networks<br><br>Hello,<br><br>I'd need some help with using the SFC implementation in openstack.<br><br>I use liberty version of devstack + liberty branch of networking-sfc.<br><br>It's not clear to me if the SFC instance and it's networks should be separated
from the remaining virtual network topology or if it should be connected
to it.<br><br>E.g. consider the following topology, where SFC and its networks net2 and
net3 (one for ingress port, one for egress port) are connected to the tenants
networks. I know that all three instances can share one network but a use
case I am trying to implement requires that every instance has it's separated
network and there is a different network for ingress and egress port of
the SF.<br><br> +-------+
+---------+
+-------+<br> | VMSRC |
| VMSFC |
| VMDST |<br> +---+---+
+--+---+--+
+---+---+<br> | p1 (1.1.1.1)
p2| |p3
|p4 (4.4.4.4)<br> |
| |
|<br>-----+--------+------- net1 | |
--+---+--------- net4<br> |
| |
|<br> |
---+-----+---)---- net2
|<br> |
---)--+------+---- net3
|<br> |
| |
|<br> |
+--+--+--+
|<br> +----------+ ROUTER +------------------------+<br>
+--------+<br><br><br>All networks are connected to a single router ROUTER. I created a flow
classifier that matches all traffic going from VMSRC to VMDST (--logical-source-port
p1 --source-ip-prefix=1.1.1.1/32 --destination-ip-prefix=4.4.4.4/32), port
pair p2,p3, a port pair group containing this port pair and a port chain
containing this port pair group and flow classifier.<br><br>If I try to ping from VMSRC the 5.4.4.4 address, it is correctly steered
through the VMSFC (where just the ip_forwarding is set to 1) and forwarded
back through the p3 port to the ROUTER. The router finds out that
there are packets with source address 1.1.1.1 coming from port where is
should not (the router expects those packets from the net1 interface),
they don't pass the reverse path filter and the router drops them.<br><br>It works when I set the rp_filter off via sysctl command in the router
namespace on the controller. But I don't want to do this -- I expect the
sfc to work without such changes.<br><br>Is such topology supported? What should the topology look like?<br><br>I have noticed, that when I disconnect the net2 and net3 from the ROUTER,
and add new routers ROUTER2 and ROUTER3 to the net2 and net3 networks respectivelly
and don't connect them anyhow to the ROUTER nor the rest of the topology,
the OVS is able to send the traffic to the p2 port on the ingress side.
However, on the egress side the packet is routed to the ROUTER3 which drops
it as it doesn't have any route for it.<br><br>Thanks for any hints!<br><br>Best regards<br>Martin Banszel<br>--------------------------------------------------------------<br>Intel Research and Development Ireland Limited Registered in Ireland Registered
Office: Collinstown Industrial Park, Leixlip, County Kildare Registered
Number: 308263<br><br><br>This e-mail and any attachments may contain confidential material for the
sole use of the intended recipient(s). Any review or distribution by others
is strictly prohibited. If you are not the intended recipient, please contact
the sender and delete all copies.<br><br><br>__________________________________________________________________________<br>OpenStack Development Mailing List (not for usage questions)<br>Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe<br></font></tt><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"><tt><font size=2>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</font></tt></a><tt><font size=2><br></font></tt><font size=2 color=#800080 face="sans-serif"><br>----- Message from Cathy Zhang <Cathy.H.Zhang@huawei.com> on Wed,
15 Jun 2016 00:58:33 +0000 -----</font><table width=862 style="border-collapse:collapse;"><tr height=8><td width=73 style="border-style:none none none none;border-color:#000000;border-width:0px 0px 0px 0px;padding:1px 1px;"><div align=right><font size=3><b>To:</b></font></div><td width=785 style="border-style:none none none none;border-color:#000000;border-width:0px 0px 0px 0px;padding:1px 1px;"><font size=3>"OpenStack
Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org></font><tr height=8><td width=73 style="border-style:none none none none;border-color:#000000;border-width:0px 0px 0px 0px;padding:1px 1px;"><div align=right><font size=3><b>cc:</b></font></div><td width=785 style="border-style:none none none none;border-color:#000000;border-width:0px 0px 0px 0px;padding:1px 1px;"><font size=3>Cathy
Zhang <Cathy.H.Zhang@huawei.com></font><tr height=8><td width=73 style="border-style:none none none none;border-color:#000000;border-width:0px 0px 0px 0px;padding:1px 1px;"><div align=right><font size=3><b>Subject:</b></font></div><td width=785 style="border-style:none none none none;border-color:#000000;border-width:0px 0px 0px 0px;padding:1px 1px;"><font size=3>RE:
networking-sfc: unable to use SFC (ovs driver) with multiple networks</font></table><br><tt><font size=2>Hi Banszel,<br><br>Please see inline. <br><br>Thanks,<br>Cathy <br><br>-----Original Message-----<br>From: Banszel, MartinX [</font></tt><a href=mailto:martinx.banszel@intel.com><tt><font size=2>mailto:martinx.banszel@intel.com</font></tt></a><tt><font size=2>]
<br>Sent: Tuesday, June 14, 2016 9:07 AM<br>To: openstack-dev@lists.openstack.org<br>Subject: [openstack-dev] networking-sfc: unable to use SFC (ovs driver)
with multiple networks<br><br>Hello,<br><br>I'd need some help with using the SFC implementation in openstack.<br><br>I use liberty version of devstack + liberty branch of networking-sfc.<br><br>It's not clear to me if the SFC instance and it's networks should be separated
from the remaining virtual network topology or if it should be connected
to it.<br><br>E.g. consider the following topology, where SFC and its networks net2 and
net3 (one for ingress port, one for egress port) are connected to the tenants
networks. I know that all three instances can share one network but a use
case I am trying to implement requires that every instance has it's separated
network and there is a different network for ingress and egress port of
the SF.<br><br> +-------+
+---------+
+-------+<br> | VMSRC |
| VMSFC |
| VMDST |<br> +---+---+
+--+---+--+
+---+---+<br> | p1 (1.1.1.1)
p2| |p3
|p4 (4.4.4.4)<br> |
| |
|<br>-----+--------+------- net1 | |
--+---+--------- net4<br> |
| |
|<br> |
---+-----+---)---- net2
|<br> |
---)--+------+---- net3
|<br> |
| |
|<br> |
+--+--+--+
|<br> +----------+ ROUTER +------------------------+<br>
+--------+<br><br><br>All networks are connected to a single router ROUTER. I created a flow
classifier that matches all traffic going from VMSRC to VMDST (--logical-source-port
p1 --source-ip-prefix=1.1.1.1/32 --destination-ip-prefix=4.4.4.4/32), port
pair p2,p3, a port pair group containing this port pair and a port chain
containing this port pair group and flow classifier.<br><br>If I try to ping from VMSRC the 5.4.4.4 address, it is correctly steered
through the VMSFC (where just the ip_forwarding is set to 1) and forwarded
back through the p3 port to the ROUTER. The router finds out that
there are packets with source address 1.1.1.1 coming from port where is
should not (the router expects those packets from the net1 interface),
they don't pass the reverse path filter and the router drops them.<br><br>It works when I set the rp_filter off via sysctl command in the router
namespace on the controller. But I don't want to do this -- I expect the
sfc to work without such changes.<br><br>Is such topology supported? What should the topology look like?<br><br>Cathy> No, current networking-sfc does not support this topology. <br><br>I have noticed, that when I disconnect the net2 and net3 from the ROUTER,
and add new routers ROUTER2 and ROUTER3 to the net2 and net3 networks respectivelly
and don't connect them anyhow to the ROUTER nor the rest of the topology,
the OVS is able to send the traffic to the p2 port on the ingress side.
However, on the egress side the packet is routed to the ROUTER3 which drops
it as it doesn't have any route for it.<br>Cathy> Router3 will not have any rule to forward the packet since networking-sfc
does not install any new forwarding rules into a Router, that is why it
is dropped. Anyway the current implementation does not have proper support
for chain across multiple subnets. If you put VMSRC and VMSFC in the same
subnet and VMDST in another subnet, it should work. <br><br>Thanks for any hints!<br><br>Best regards<br>Martin Banszel<br>--------------------------------------------------------------<br>Intel Research and Development Ireland Limited Registered in Ireland Registered
Office: Collinstown Industrial Park, Leixlip, County Kildare Registered
Number: 308263<br><br><br>This e-mail and any attachments may contain confidential material for the
sole use of the intended recipient(s). Any review or distribution by others
is strictly prohibited. If you are not the intended recipient, please contact
the sender and delete all copies.<br><br><br>__________________________________________________________________________<br>OpenStack Development Mailing List (not for usage questions)<br>Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe<br></font></tt><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"><tt><font size=2>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</font></tt></a><tt><font size=2><br>__________________________________________________________________________<br>OpenStack Development Mailing List (not for usage questions)<br>Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe<br></font></tt><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"><tt><font size=2>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</font></tt></a><tt><font size=2><br></font></tt><br><BR>