Hello Rodolfo,

For the DC router: yes, I mean the datacenter router, in this case not managed by neutron.
We are communicating to external resources through said router.
It looks like this:
{HV1, HV2, HV3} - switch - router (- end user device, e.g. laptop1).
In the hypervisor/ovs: {tap,...} - br-int - patchport - br-eth0 - eth0
There is no OVN router involved in the external network.

The hypervisors and the router are in the same subnet, which is configured in neutron as one subnet.
The laptop would be outside of neutron scope, while the router IP is configured as the gateway IP of the subnet.

Best,
Daniel

From: Rodolfo Alonso Hernandez <ralonsoh@redhat.com>
Sent: Thursday, February 8, 2024 16:24
To: Daniel Failing <daniel.failing@cern.ch>
Cc: openstack-discuss@lists.openstack.org <openstack-discuss@lists.openstack.org>
Subject: Re: [Neutron][OVN] Flat routed provider network has external traffic broadcasted to all VMs
 
Hello Daniel:

* I'm not very good with acronyms: what is DC router? Datacenter I guess, right?
* How are you communicating to external resources? Are you using an OVN router and an external network?

Regards.

On Thu, Feb 8, 2024 at 10:28 AM Daniel Failing <daniel.failing@cern.ch> wrote:
Dear all,

I'm currently debugging a (testing) deployment with neutron/OVN, with most ports currently in an external flat network.
So far I'm happy that everything can communicate, but we see a strong performance degradation with an increasing number of VMs/ports hosted on a hypervisor.
The setup is similar to the one described in the routed provider networks docs [1].
For routing between the different segments, we have physical routers that are not managed by neutron.

Debugging the issue showed that traffic originating from the DC router to the VMs goes perfectly as unicast traffic through OVN.
Communicating from the VM to other networks via the DC router, however, will broadcast the traffic to all attached ports on the internal bridge.

Is there a way to tell neutron/OVN to use a specific MAC address for the router and forward the traffic through the patch port instead of broadcasting it?
I could not find any documentation of whether I am missing a neutron port or some other configuration on the hypervisor.

Just to make sure: the VM and the DC router each have the right ARP information; the traffic that is duplicated is from the VM to the router/external network (via the default route to the router).
As far as I could see, this issue does not appear with private networks, since all MAC addresses are known to OVN/Neutron.

Versions:
Nova/Neutron: Yoga
ovs-vswitchd (Open vSwitch) 3.1.4
ovn-northd 22.12.1
kernel 5.14.0-284.30.1.el9_2.x86_64

Best,
Daniel
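As an added illustration (not part of the thread, and not CERN's, Neutron's or OVN's own code), the Python below parses a constructed sample in the shape of `ovn-nbctl show` output and reports, per logical switch, which ports carry the "unknown" address. Per ovn-nb(5), a logical switch delivers a unicast frame whose destination MAC is in no port's addresses column to exactly the ports whose addresses include "unknown", which is the mechanism behind the VM-to-router flooding the original post describes; the switch names, port names and MACs here are hypothetical, and the output layout is an approximation of the real tool's.

```python
# Added example: find which OVN logical switch ports would receive a unicast
# frame to a MAC the switch does not know (e.g. a router that is not a
# neutron port). Sample below is constructed, not captured from a real cloud.
import re
from collections import defaultdict

SAMPLE_NB_SHOW = """\
switch 3f1e9c2a-0000-4000-8000-000000000001 (neutron-ext-net) (aka ext-flat)
    port provnet-ext-flat
        type: localnet
        addresses: ["unknown"]
    port 6b2d0e4f-0000-4000-8000-000000000002
        addresses: ["fa:16:3e:11:22:33 192.0.2.10"]
    port 7c3e1f50-0000-4000-8000-000000000003
        addresses: ["fa:16:3e:44:55:66 192.0.2.11", "unknown"]
switch 4a2f0d3b-0000-4000-8000-000000000004 (neutron-private) (aka private)
    port 8d4f2061-0000-4000-8000-000000000005
        addresses: ["fa:16:3e:77:88:99 10.0.0.5"]
"""

SWITCH_RE = re.compile(r'^switch\s+\S+\s+\((?P<name>[^)]+)\)')
PORT_RE = re.compile(r'^\s{4}port\s+(?P<name>\S+)')
ADDR_RE = re.compile(r'^\s{8}addresses:\s+\[(?P<addrs>.*)\]')

def parse_nb_show(text):
    """Return {switch_name: {port_name: [address strings]}}."""
    switches = defaultdict(dict)
    switch = port = None
    for line in text.splitlines():
        m = SWITCH_RE.match(line)
        if m:
            switch, port = m.group('name'), None
            switches[switch]  # register switch even if it has no ports
            continue
        m = PORT_RE.match(line)
        if m and switch:
            port = m.group('name')
            switches[switch][port] = []
            continue
        m = ADDR_RE.match(line)
        if m and switch and port:
            switches[switch][port] = [a.strip().strip('"')
                                      for a in m.group('addrs').split(',') if a.strip()]
    return dict(switches)

def flood_receivers(switches):
    """Per switch, the ports that receive unknown-destination unicast."""
    return {sw: sorted(p for p, addrs in ports.items() if 'unknown' in addrs)
            for sw, ports in switches.items()}

def destination_ports(switches, sw, dst_mac):
    """Ports on `sw` that get a frame for dst_mac: the owner if known, else the 'unknown' ports."""
    dst_mac = dst_mac.lower()
    ports = switches[sw]
    owners = [p for p, addrs in ports.items()
              if any(a.split()[0].lower() == dst_mac for a in addrs if a != 'unknown')]
    return owners or sorted(p for p, addrs in ports.items() if 'unknown' in addrs)
```

Run against real output, every port other than the localnet port that shows up in `flood_receivers` (typically one with port security disabled) is a VM that will see the flooded traffic.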