
How does a network host route packets to different network namespaces?

asked 2015-01-17 09:26:10 -0500

l2edzl3oy

Hi, I have been reading up on Neutron networking on this webpage: http://docs.openstack.org/admin-guide-cloud/content/under_the_hood_openvswitch.html .

I am wondering how a network host routes packets to different OVS internal ports with the same IP address in different network namespaces. To better illustrate my question, here is an example picture from the webpage: http://imgur.com/eelU5gX . Sorry that I can't upload the picture directly into this question as I don't have enough points yet.

Consider that there are 2 OVS internal ports, each in its own separate network namespace, on br-int: tapXXX (in qdhcp-aaaa) and tapWWW (in qdhcp-cccc). One dnsmasq process is attached to each port for 2 different tenants (and thus 2 different Neutron networks). Suppose that both tenants define the same Neutron subnet range of 192.168.1.0/24, and that both tapXXX and tapWWW have the same IP address of 192.168.1.1.

Now, given that each tenant has VMs running on separate hosts that are the compute nodes, how does the network host route a received packet with IP address 192.168.1.1?

In the webpage, it seems that the VM data network is segmented by VLAN, and I understand how br-int (and other virtual bridges) modify the VLAN tag for incoming and outgoing traffic according to each tenant's VMs. But I am not too sure how network namespaces fit into the whole neutron networking logic.

It would be best if someone could explain the path taken by a packet starting from eth0 of the VM of each tenant and ending at their own respective dnsmasq processes. Thanks!


1 answer


answered 2015-01-17 12:34:09 -0500

dbaxps

updated 2015-01-18 02:29:09 -0500

You wrote :-

One dnsmasq process is attached to each port for 2 different tenants (and thus 2 different Neutron networks)

Mistake is here. Every tenant's private network is served by its own copy of the dnsmasq daemon. As soon as a tenant starts a VM on a particular private subnet, the corresponding qdhcp namespace will be created. Each private net will have its own tap interface attached to br-int and will get its own VLAN tag.

Per http://docs.openstack.org/security-gu...

VLANs are realized as packets on a specific physical network containing IEEE 802.1Q headers with a specific VLAN ID (VID) field value. VLAN networks sharing the same physical network are isolated from each other at L2, and can even have overlapping IP address spaces. Each distinct physical network supporting VLAN networks is treated as a separate VLAN trunk, with a distinct space of VID values. Valid VID values are 1 through 4094.

View also :- https://blogs.oracle.com/ronen/entry/...
Section "About network isolation" and below. This link is actually the most detailed explanation answering your question and at the same time the hardest to understand.

OpenStack supports creation of multiple isolated networks and can use several mechanisms to isolate the networks from one another. The isolation mechanism can be VLANs, VxLANs or GRE tunnels; this is configured as part of the initial setup. In our deployment we use VLANs. When using VLAN tagging as an isolation mechanism, a VLAN tag is allocated by Neutron from a pre-defined VLAN tag pool and assigned to the newly created network. By provisioning VLAN tags to the networks, Neutron allows creation of multiple isolated networks on the same physical link. The big difference between this and other platforms is that the user does not have to deal with allocating and managing VLANs to networks. The VLAN allocation and provisioning is handled by Neutron, which keeps track of the VLAN tags and is responsible for allocating and reclaiming them. In the example above net1 has the VLAN tag 1000; this means that whenever a VM is created and connected to this network, the packets from that VM will have to be tagged with VLAN tag 1000 to go on this particular network. This is true for namespaces as well: if we would like to connect a namespace to a particular network, we have to make sure that the packets to and from the namespace are correctly tagged when they reach the VM network.
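The demultiplexing step the answer describes, as an added example that is not part of the original post and not Neutron or Open vSwitch code: a small Python model of br-int receiving 802.1Q-tagged frames, parsing the VLAN ID (VID) out of the tag, and handing each frame to the qdhcp namespace whose tap port owns that VID. The namespace and tap names (qdhcp-aaaa/tapXXX, qdhcp-cccc/tapWWW) and the address 192.168.1.1 come from the question; the VIDs 1000 and 1001, the MAC addresses and the source IP are constructed for the example. The point it demonstrates is that the lookup key is the VLAN tag, never the destination IP, which is why two networks with identical 192.168.1.0/24 ranges do not collide.

```python
"""Toy model of how br-int separates traffic with overlapping IP spaces.

Added example, not OpenStack/Neutron code. Frames are constructed inline;
the VID -> namespace mapping stands in for the tag Neutron allocates to
each private network and the tap port it places in that network's
qdhcp namespace.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

ETH_P_8021Q = 0x8100   # EtherType announcing an IEEE 802.1Q tag
ETH_P_IP = 0x0800      # EtherType of an IPv4 payload

# One VLAN tag and one tap port per private network (constructed mapping;
# Neutron picks the VIDs from its configured pool).
VID_TO_NAMESPACE = {
    1000: ("qdhcp-aaaa", "tapXXX"),
    1001: ("qdhcp-cccc", "tapWWW"),
}


@dataclass(frozen=True)
class Frame:
    dst_mac: bytes
    src_mac: bytes
    vid: Optional[int]   # None when the frame carries no 802.1Q header
    ethertype: int       # EtherType of the payload (inner type if tagged)
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Parse Ethernet II framing with an optional single 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    offset, vid = 14, None
    if ethertype == ETH_P_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vid = tci & 0x0FFF          # VID is the low 12 bits of the TCI
        offset = 18
    return Frame(dst, src, vid, ethertype, raw[offset:])


def ipv4_dst(payload: bytes) -> str:
    """Destination address of an IPv4 header (bytes 16..19)."""
    if len(payload) < 20:
        raise ValueError("truncated IPv4 header")
    return ".".join(str(b) for b in payload[16:20])


def deliver(raw: bytes) -> Tuple[str, str, str]:
    """Return (namespace, tap, dst_ip) for a frame arriving on br-int.

    The VID selects the tenant network; only then is the IP looked at,
    inside that namespace. Untagged frames and frames for a VID with no
    port on the bridge are rejected rather than delivered anywhere.
    """
    frame = parse_frame(raw)
    if frame.vid is None:
        raise LookupError("untagged frame: no tenant network selected")
    if frame.vid not in VID_TO_NAMESPACE:
        raise LookupError(f"VID {frame.vid} has no port on br-int")
    if frame.ethertype != ETH_P_IP:
        raise LookupError("payload is not IPv4")
    namespace, tap = VID_TO_NAMESPACE[frame.vid]
    return namespace, tap, ipv4_dst(frame.payload)


def build_frame(vid: Optional[int], dst_ip: str) -> bytes:
    """Construct a minimal frame carrying a 20-byte IPv4 header."""
    dst_mac = bytes.fromhex("fa163e000001")   # constructed
    src_mac = bytes.fromhex("fa163e000002")   # constructed
    ip_hdr = bytearray(20)
    ip_hdr[0] = 0x45                          # version 4, IHL 5
    ip_hdr[12:16] = bytes([192, 168, 1, 10])  # constructed VM source
    ip_hdr[16:20] = bytes(int(o) for o in dst_ip.split("."))
    header = dst_mac + src_mac
    if vid is not None:
        header += struct.pack("!HHH", ETH_P_8021Q, vid & 0x0FFF, ETH_P_IP)
    else:
        header += struct.pack("!H", ETH_P_IP)
    return header + bytes(ip_hdr)


if __name__ == "__main__":
    # Same destination IP, different tags: each lands in its own namespace.
    for vid in (1000, 1001):
        print(vid, deliver(build_frame(vid, "192.168.1.1")))
```

Running the block prints one line per tag, showing 192.168.1.1 resolved to qdhcp-aaaa for VID 1000 and to qdhcp-cccc for VID 1001. On a real network node the equivalent checks are the flows on br-int (`ovs-ofctl dump-flows br-int`) and the addresses inside each namespace (`ip netns exec qdhcp-<id> ip addr`), which show the per-network tag and the duplicate 192.168.1.1 living in separate namespaces.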


Stats

Asked: 2015-01-17 09:26:10 -0500

Seen: 840 times

Last updated: Jan 18 '15