# What's the difference between flat, gre and vlan Neutron network types?

Neutron documentation tells me that:

The ml2 plugin currently includes drivers for the local, flat, vlan, gre and vxlan network types.

When reading about Neutron I found out that there are several types of networks. But where can I find documentation telling difference between these types. After hours of Googling and reading Openstack guides I still don't know the difference between flat, gre and vlan.

edit retag close merge delete

Sort by » oldest newest most voted

Some additional comments to add to what larsks answered - In a flat network, everyone shares the same network segment. For example, say 2 tenants are sharing the cluster, and this segment is 10.4.128.0/20 - VM1 from tenant 1 might get assigned 10.4.128.3, VM1 from tenant 2 might get 10.4.128.4, and so on. This means that tenant 1 can see the traffic from tenant 2. Not a good thing in most cases.

In a VLAN network, tenants are separated because each is assigned to a VLAN. In OpenVSwitch plugin (or ML2 with OVS driver), OVS will in the virtual switches allocate an internal VLAN for each tenant. If you mix in a hardware plugin like the Cisco Nexus plugin, it will be asked to allocate VLANs as well. These VLANs provide separation amongst the tenants (as VLANs are designed to do). It also means that tenants can specify the same subnet and overlap in that subnet range - VM1 from tenant 1 can get assigned IP 10.4.128.3 and VM1 from tenant 2 can also get 10.4.128.3, without conflict. This makes life easier for administrators because they don't have to worry about tenants that want the same subnet and address allocations, because the VLANs keep them separate.

GRE segmenation (and VXLAN) also provides separation among tenants, and also allows overlapping subnets and IP ranges. It does this by encapsulating tenant traffic in tunnels. Say your tenant has VMs running on compute nodes A, B, and C. Neutron (along with OVS) will build a fully connected mesh of tunnels between all of these machines, and create a tunnel bridge on each of these nodes that is used to direct traffic from VMs into and out of these tunnels. If a VM on machine A wants to send packets to a VM on machine B, machine A will encapsulate the IP packets coming out of the VM using a segmentation ID that is generated for the tenant by OpenStack, and the receiving machine (B) will decapsulate the packets and route them to the destination VM using the addressing information in the ethernet frame.

GRE and VXLAN scale better than VLAN, and while VLAN based networking probably has its applications (you might be integrating with a infrastructure that is VLAN-based to begin with), I have found GRE/VXLAN based OVS setups to be easier to deploy and debug than VLAN based setups (one reason is you can use a dumb switch to connect all the physical hosts), and so my feeling is you want to start there if you have a deployment scenario that involves multiple tenants and you want to allow for overlapping network segments and IP address ranges in your tenants.

more

What is the limitation of GRE segementation ID ? where 4096 and 6Million are for Vlan and VxLAN respectivelly .

( 2015-03-04 04:31:25 -0600 )edit

thanks for such a wonderful and simple explanation

( 2016-03-03 11:15:53 -0600 )edit

Slogan:

VLANs do provide Layer2 segmentation, but not L3. Yes, you can assign the same subnet IP address for 2 VLANs but you're going to have a problem routing. Imagine tenant 3 wants to communicate with 10.4.128.3 on tenant 2...what then? You need another layer of abstraction, like a VRF...

( 2016-04-11 18:33:30 -0600 )edit

In 3rd paragraph of the answer, the GRE tunnel will encapsulated IP packet or frame?. Is this GRE tunnel over IP or over Ethernet? Could you clarify the packet structure?

( 2016-04-26 04:20:28 -0600 )edit

After hours of Googling and reading Openstack guides I still don't know the difference between flat, gre and vlan.

A local network is a network that can only be realized on a single host. This is only used in proof-of-concept or development environments, because just about any other OpenStack environment will have multiple compute hosts and/or a separate network host.

A flat network is a network that does not provide any segmentation options. A traditional L2 ethernet network is a "flat" network. Any servers attached to this network are able to see the same broadcast traffic and can contact each other without requiring a router. flat networks are often used to attach Nova servers to an existing L2 network (this is called a "provider network").

A vlan network is one that uses VLANs for segmentation. When you create a new network in Neutron, it will be assigned a VLAN ID from the range you have configured in your Neutron configuration. Using vlan networks requires that any switches in your environment are configured to trunk the corresponding VLANs.

gre and vxlan networks are very similar. They are both "overylay" networks that work by encapsulating network traffic. Like vlan networks, each network you create receives a unique tunnel id. Unlike vlan networks, an overlay network does not require that you synchronize your OpenStack configuration with your L2 switch configuration.

more

You wrote : Do I need to create an additional port on the br-ex, for each vlan on my switch?
Each of your vlans has a tap-interface at br-int on Network Node and is supposed to be an internal interface at corresponding neutron router(X). Neutron routing tables from each of qdhcp-private-net-id namespace to qrouter-router(X)-id namespace should be viewed via :-

  ip netns exec qrouter-router(X)-id iptables -S -t nat


No additional ports at br-ex are needed.
Compare ouputs of :

ip netns exec qrouter-router(X)-id ifconfig
ip netns exec qdhcp-private-net-id route -n


which is an internal interface at router(X)

more

This not an answer Thanks to both of you, the answer is informative & confusing at the same time It help me understand the traffic in regards of tenant and vm (internal to the stack), but it confuse me when I try to relate this to the external network traffic.

Perhaps you can enlighten me, by helping me to sort out this picture? (I'm a visual guy)

my environment has 4 continuos class 'C' which are broken in subnets and vlans

xxx.xxx.208.0/24      vlan 208
xxx.xxx.209.0/24      vlan 209
xxx.xxx.210.0/25      vlan 2101
xxx.xxx.210.128/25    vlan 2102
xxx.xxx.211.0/26      vlan 2111
xxx.xxx.211.64/26     vlan 2112
xxx.xxx.211.128/26    vlan 2113
xxx.xxx.211.192/26    vlan 2114


On the switch I have all the vlan tagged to the port (fully managed switch, but does not support openFlow)

On the network-node the external interface is eno1 (previously known as eth0) (2 other nic's for the data tunel and the management)

I create a network bridge bridge to which I will attach the interface by adding a port

ovs-vsctl add-br br-ex


then i add a port to attach the interface

ovs-vsctl add-port br-ex eno1


Do I need to create an additional port on the br-ex, for each vlan on my switch?

if so, how do I tell neutron when I create the subnet?

more

look at that if you're visual ^^

( 2014-12-02 12:55:05 -0600 )edit

Thanks,

It would be an good link to add to Chapter 6. Add a networking component of OPENSTACK INSTALLATION GUIDE FOR RED HAT ENTERPRISE LINUX 7, CENTOS 7, AND FEDORA 20 - JUNO

It's bookmarked now

( 2014-12-03 06:55:42 -0600 )edit

Flat Mode: Flat mode is the simplest networking mode. Each instance receives a fixed IP from the pool. All instances are attached to the same bridge(br100) by default. The bridge must be configured manually. The networking configuration is injected into the instance before it is booted. And there is no floating IP feature in this mode.

VLAN Network Mode: It is the default mode for Nova. It provides a private network segment for each project's instance that can be accessed via a dedicated VPN connection from the internet.

In this mode, each project gets its own VLAN, Linux networking bridge, and subnet. The subnets are specified by the network administrator, and are assigned dynamically to a project where required. A DHCP server is started for each VLAN to pass out IP addresses to VM instances from the subnet assigned to the project. All instances belonging to one project are bridged into the same VLAN for that project.

GRE: GRE tunnels encapsulate isolated layer 2 network traffic in IP packets that are routed between compute and networking nodes using the hosts' network connectivity and routing tables. Using GRE tunnels as tenant networks in Neutron avoids the need for a network interface connected to a switch configured to trunk a range of VLANs.

more