...

Flows are set up in a pipeline processing model, as depicted in the diagram below, to emulate packet processing on the VPC VR. A default rule with the lowest priority (0) is set in the egress ACL table to drop all packets. Flow rules are added to the egress ACL table with higher priority (to override the default rule) to forward packets matching the tier's egress network ACLs to the lookup table. Route lookup is done in table 1, which is pre-populated to resubmit to the next-level ingress ACL table depending on the destination subnet. A default rule with the lowest priority (0) is set in the ingress ACL table to drop all ingress traffic to a port. Flow rules are added to the ingress ACL table with higher priority (to override the default rule) to permit packets matching the tier's ingress network ACLs.

Note: When the VPC VR routes a packet to the destination subnet, it may issue an ARP request to obtain the MAC address of the destination VM. The VPC VR then forwards the packet with an Ethernet header whose source MAC is the gateway's MAC address and whose destination MAC is that of the destination VM. A logical router cannot perform ARP, so the same result is achieved with a flow that rewrites both the source and destination MAC addresses. One such flow rule is required for each VM in the subnet.

Assuming tier1, tier2 and tier3 have subnets 10.1.1.0/24, 10.1.2.0/24 and 10.1.3.0/24 respectively, and the corresponding bridges for the tiers are connected to the logical router on OpenFlow ports 1, 2 and 3, the flow table would look like the one below with no ingress or egress rules configured.

...
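To make the pipeline above concrete, here is an added simulation (not CloudStack or OVS code) of the egress ACL, route lookup and ingress ACL tables for the three tiers on ports 1, 2 and 3. Only the route table number (1) comes from the text; the other table numbers, the gateway and VM MAC addresses and the sample packet are constructed assumptions.

```python
import ipaddress

# Constructed model of the flow pipeline (not CloudStack code). Only the route
# table number (1) comes from the design text; the rest are assumptions:
# 0 = egress ACL, 1 = route lookup, 2-4 = ingress ACL per tier, 5 = per-VM forwarding.
EGRESS, ROUTE, FWD = 0, 1, 5
TIER_SUBNET = {1: "10.1.1.0/24", 2: "10.1.2.0/24", 3: "10.1.3.0/24"}  # OF port -> subnet
INGRESS = {1: 2, 2: 3, 3: 4}                                           # tier -> ACL table
GW_MAC = "02:00:00:00:00:01"                                           # constructed
tables = {t: [] for t in range(6)}

def add_flow(table, priority, match, action):
    tables[table].append((priority, match, action))
    tables[table].sort(key=lambda f: -f[0])          # highest priority wins

def matches(match, pkt):
    for k, v in match.items():
        if k == "nw_dst" and "/" in v:               # subnet match
            if ipaddress.ip_address(pkt["nw_dst"]) not in ipaddress.ip_network(v):
                return False
        elif pkt.get(k) != v:                        # exact match
            return False
    return True

def process(pkt, table=EGRESS):
    """Walk the pipeline; returns ('drop', table) or ('output', port, dl_src, dl_dst)."""
    for _, match, action in tables[table]:
        if matches(match, pkt):
            if action[0] == "resubmit":
                return process(pkt, action[1])
            if action[0] == "mod_mac_output":        # ARP substitute: rewrite both MACs
                return ("output", action[3], action[1], action[2])
            return ("drop", table)
    return ("drop", table)                           # table-miss: nothing matched

def install_base_flows():
    """State with no ACLs configured: every egress and ingress table drops by default."""
    add_flow(EGRESS, 0, {}, ("drop",))
    for tier, subnet in TIER_SUBNET.items():
        add_flow(ROUTE, 1, {"nw_dst": subnet}, ("resubmit", INGRESS[tier]))
        add_flow(INGRESS[tier], 0, {}, ("drop",))

def allow_tier1_to_tier2():
    """Egress ACL on tier1, ingress ACL on tier2, plus one per-VM MAC-rewrite flow."""
    add_flow(EGRESS, 10, {"in_port": 1, "nw_dst": "10.1.2.0/24"}, ("resubmit", ROUTE))
    add_flow(INGRESS[2], 10, {"nw_dst": "10.1.2.0/24"}, ("resubmit", FWD))
    add_flow(FWD, 10, {"nw_dst": "10.1.2.5"}, ("mod_mac_output", GW_MAC, "02:00:00:00:02:05", 2))

install_base_flows()
PKT = {"in_port": 1, "nw_dst": "10.1.2.5", "dl_src": "02:00:00:00:01:07"}  # constructed
```

With only the base flows the packet dies at the egress default-drop rule; after the ACL flows are added it reaches tier2 with the gateway MAC as source, while a VM without its own forwarding flow still ends in a table-miss drop.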

Given the nature of distributed configuration, which requires setting up bridges and flow rules on multiple hosts, there will be windows of time where the configuration is not up to date or does not reflect the correct VPC network topology. While eventual consistency can be achieved, the following principles shall be used to mitigate the impact:

  • a sync mechanism to keep the configuration of the OVS switches and flow rules consistent with the topology of the VPC (how it spans the physical hosts) and with the ingress/egress ACLs applied on the tiers
  • wherever possible, fall back to the data path where the packet is sent to the VPC VR, so that the optimization achieved with distributed routing and network ACLs is not leveraged but functionality is not lost, because the VPC VR will perform ACL and routing anyway.

...