[openstack-dev] [neutron] Does neutron support QinQ(vlan transparent) ?
Frank Wang
wangpeihuixyz at 126.com
Wed Aug 8 02:59:21 UTC 2018
Thanks for your detail explanation, Sean. Actually, I'm more concern how ovs l2 agent use vlans for tenant isolation on the br-int.
I wanna discuss it deeper here
Please correct me if I understanding something wrong, Is there any way to make ovs l2agent to support QinQ?
for example, I believe QinQ also is a kind of tunnel encapsulation, like vxlan, gre.
and I think we can implement it using Hierarchical Port Binding technique
It would need two level bindings(of course, need two mechanism drivers).
the top-level binding service vlan, lower-level binding customer vlan.
The br-int is responsible for customer vlan, the br-tun is responsible for service vlan,
Is it feasible? please feel free to leave you any idea.
Thanks
At 2018-08-07 19:32:44, "Sean Mooney" <work at seanmooney.info> wrote:
>TL;DR
>it wont work with the ovs agent but "should" work with linux bridge.
>see full message below for details.
>regards
>sean.
>
>the linux bridge agent supports the vlan_transparent option only when
>createing networks with an l3 segmentation type e.g. vxlan,gre...
>
>ovs using the neutron l2 agnet does not supprot vlan_transparent
>netwroks because of how that agent use vlans for tenant isolation on
>the br-int.
>
>it is possible to use achive vlan transparancy with ovs usign an sdn
>controller such as odl or ovn but that was not what you asked in your
>question so i wont expand on that futher.
>
>if you deploy openstack with linux bridge networking and then create a
>tenant network of type vxlan with vlan_transparancy set to true and
>your tenants
>generate QinQ traffic with an mtu reduced so that it will fix within
>the vxlan tunnel unfragmented then yes it should be possibly however
>you may need to disable port_security/security groups on the port as
>im not sure if the ip tables firewall driver will correctly handel
>this case.
>
>an alternive to disabling security groups would be to add an explicit
>rule that matched on the etehrnet type and allowed QinQ traffic on
>ingress and egress from the vm.
>
>as far as i am aware this is not tested in the gate so while it should
>work the lack of documentation and test coverage means you will
>likely be one of the first to test it if you
>choose to do so and it may fail for many reasons.
>
>
>On 7 August 2018 at 09:15, Frank Wang <wangpeihuixyz at 126.com> wrote:
>> Hello folks,
>>
>> I noted that the API already has the vlan_transparent attribute in the
>> network, Do neutron-agents(linux-bridge, openvswitch) support QinQ? I
>> didn't find any reference materials that could guide me on how to use or
>> configure it.
>>
>> Thank for your time reading this, Any comments would be appreciated.
>>
>>
>>
>>
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>
>__________________________________________________________________________
>OpenStack Development Mailing List (not for usage questions)
>Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20180808/c24d1ab8/attachment.html>
More information about the OpenStack-dev
mailing list