The Havana release of OpenStack, which came out in October 2013, contains several significant changes and new features in the networking component. OpenStack Networking has been renamed from 'quantum' to 'neutron'. It lays the foundation for supporting heterogeneous network components with the introduction of the ML2 (Modular Layer 2) plugin. The first implementations of FireWall as a Service (FWaaS) and VPN as a Service (VPNaaS) are now included. These features were demonstrated by Cisco developers at the OpenStack meetup in Boston in October 2013.
What's new in Neutron for OpenStack Havana
1. What's new in Neutron for Havana
Neutron developers at Cisco Systems, Boxborough office
Brian Bowen, Henry Gessau, Dane LeBlanc, Paul Michali, Abishek Subramanian, et al.
2. Agenda
• Modular Layer 2 plugin (ML2)
• ML2 demo with Cisco Nexus driver
• FireWall as a Service (FWaaS)
• FWaaS demo
• VPN as a Service (VPNaaS)
• VPNaaS demo
• Cisco plugin with N1000V
• Demo of Dashboard to control N1000V
3. Modular Layer 2 in OpenStack Neutron
Robert Kukura, Red Hat
Kyle Mestery, Cisco
5. Before Modular Layer 2 ...
(Diagram: the Neutron Server loads one monolithic plugin: Open vSwitch Plugin OR Linuxbridge Plugin OR ...)
6. Before Modular Layer 2 ...
(Diagram: the Neutron Server loads the Cisco Plugin, which contains an Open vSwitch Sub-Plugin and a Nexus Sub-Plugin; the Open vSwitch Sub-Plugin talks to the Open vSwitch agent on the compute node, the Nexus Sub-Plugin talks to the Cisco Nexus switch.)
7. ML2 Architecture Diagram
(Diagram: Neutron Server with API Extensions and the ML2 Plugin, which contains a Type Manager and a Mechanism Manager. Type Manager: VLAN TypeDriver, GRE TypeDriver, VXLAN TypeDriver. Mechanism Manager: Open vSwitch, Linuxbridge, Hyper-V, L2 Population, Cisco Nexus, Arista, Tail-F NCS.)
8. TypeDrivers in Havana
The following are supported segmentation types in ML2 for the Havana release:
● local
● flat
● VLAN
● GRE
● VXLAN
9. MechanismDrivers in Havana
The following ML2 MechanismDrivers exist in Havana:
● Arista
● Cisco Nexus
● Hyper-V
● L2 Population
● Linuxbridge
● Open vSwitch
● Tail-f NCS
10. ML2 Futures: Deprecation Items
• The future of the Open vSwitch and Linuxbridge plugins
  o These are planned for deprecation in Icehouse
  o ML2 supports all their functionality
  o ML2 works with the existing OVS and Linuxbridge agents
11. ML2 With Current Agents
● ML2 Plugin works with existing agents
● Separate agents for Linuxbridge and Open vSwitch
● Can also use physical switches from different vendors
(Diagram: the Neutron Server running the ML2 Plugin, connected over the API Network to Host A and Host B running the Linuxbridge Agent and to Host C and Host D running the Open vSwitch Agent.)
12. ML2 demo, showing ...
● ML2 running with multiple MechanismDrivers
  ○ openvswitch
  ○ cisco_nexus
● Booting multiple VMs on multiple compute hosts
● Configuration of VLANs across both virtual and physical infrastructure
14. Cisco Nexus ML2 Mechanism Driver
• Manages VLAN creation/removal on Cisco Nexus 3K/5K/7K switches as instances are launched, migrated, or terminated
• Works with Open vSwitch (OVS) mechanism driver
  o OVS: virtual switching
  o Cisco Nexus: physical switching
• Ported from original Cisco Nexus OpenStack Plugin
• Available in Havana release
17. Cisco Mechanism Driver Config
• Create a file, e.g. “ml2_conf_cisco.ini”:

    [ml2_mech_cisco_nexus:10.86.1.118]
    ComputeHost-1=1/2
    ComputeHost-2=1/3
    ssh_port=22
    username=admin
    password=MyPassword

• File name and path are arbitrary, but these configs in localrc must point to it:
  o Q_PLUGIN_EXTRA_CONF_PATH
  o Q_PLUGIN_EXTRA_CONF_FILES
• Template in Neutron branch:
18. Neutron Server Startup Command

    cd /opt/stack/neutron && python /usr/local/bin/neutron-server --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini --config-file /home/leblancd/devstack/ml2_conf_cisco.ini || echo "q-svc failed to start" | tee "/opt/stack/status/stack/q-svc.failure"
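As an added example (not from the slides or the Neutron code base), the following Python reads the [ml2_mech_cisco_nexus:<switch-ip>] section format shown above into a per-switch structure and flags two compute hosts that claim the same switch port; the sample ini is constructed from the slide's values and the helper names are this example's own.

```python
import configparser
import ipaddress
from typing import Dict, List, Tuple

SECTION_PREFIX = "ml2_mech_cisco_nexus:"
CRED_KEYS = ("ssh_port", "username", "password")

# Constructed sample mirroring the slide's example file (not a real switch).
SAMPLE_INI = """\
[ml2_mech_cisco_nexus:10.86.1.118]
ComputeHost-1=1/2
ComputeHost-2=1/3
ssh_port=22
username=admin
password=MyPassword
"""

def parse_nexus_config(text: str) -> Dict[str, dict]:
    """Map each switch IP to its SSH credentials and its host -> (slot, port) table."""
    cp = configparser.ConfigParser()
    cp.optionxform = str            # keep the case of host names such as ComputeHost-1
    cp.read_string(text)
    switches = {}
    for section in cp.sections():
        if not section.startswith(SECTION_PREFIX):
            continue                # other ML2 sections are not this driver's concern
        switch_ip = str(ipaddress.ip_address(section[len(SECTION_PREFIX):]))
        entries = dict(cp.items(section))
        missing = [k for k in CRED_KEYS if k not in entries]
        if missing:
            raise ValueError(f"{switch_ip}: missing {missing}")
        hosts = {}
        for key, value in entries.items():
            if key not in CRED_KEYS:  # every other key is a compute host cabled to "slot/port"
                slot, port = (int(x) for x in value.split("/"))
                hosts[key] = (slot, port)
        # The password is cleartext, so the .ini must be readable only by the neutron user.
        switches[switch_ip] = {"ssh_port": int(entries["ssh_port"]),
                               "username": entries["username"],
                               "password": entries["password"], "hosts": hosts}
    return switches

def shared_ports(switches: Dict[str, dict]) -> List[Tuple[str, Tuple[int, int], List[str]]]:
    """List (switch, port, hosts) where two hosts claim the same switch port."""
    found = []
    for ip, sw in switches.items():
        by_port: Dict[Tuple[int, int], List[str]] = {}
        for host, port in sw["hosts"].items():
            by_port.setdefault(port, []).append(host)
        found += [(ip, port, hs) for port, hs in by_port.items() if len(hs) > 1]
    return found
```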
20. Resources
• README files:
  o /opt/stack/neutron/neutron/plugins/ml2/README
  o /opt/stack/neutron/neutron/plugins/ml2/drivers/cisco/README
• Template .ini Files:
  o /opt/stack/neutron/etc/neutron/plugins/ml2/ml2_conf.ini
  o /opt/stack/neutron/etc/neutron/plugins/ml2/ml2_conf_cisco.ini
• Wiki Pages:
  o https://wiki.openstack.org/wiki/Neutron/ML2
  o https://wiki.openstack.org/wiki/Neutron/ML2/MechCiscoNexus
• Google Doc:
  o https://docs.google.com/document/d/1FXo0Hlc5c0myvBk99Bw51yOdHmEXHSaFKUhEGNEuDo4
21. Virtual Private Networking as a Service
Havana Release
Paul Michali
MAIL pcm@cisco.com
IRC pcm_ (irc.freenode.net)
TW @pmichali
22. Virtual Private Network as a Service
• Initial Release Goals
  • Site to site VPN (~AWS).
  • Considered “experimental” w/limited functionality.
  • Only Pre-Shared Keys, no certificates.
  • Future releases to address other use cases.
    • SSL-VPN, MPLS/BGP
    • Certificate support
    • Service insertion/chaining
23. OpenSwan Driver
• OpenSwan: open source VPN process
  • Supports several encryption/auth algorithms, modes of operation (Remote Access, Site2Site, Host2Host).
  • Designed to support a single connection.
  • Uses configuration files to control operation
    • /opt/stack/data/neutron/ipsec/<router-UUID>/…
24. Current Status
• Reference implementation released
• Horizon dashboard access released
• CLI and REST APIs available
• API reference documentation published
  • http://docs.openstack.org/api/openstack-network/2.0/content/vpnaas_ext.html
• Feature documentation in progress
• Ongoing: bug fixes & enhancements (Icehouse)
25. Site to Site VPN
(Diagram: East site, private 10.1.0.0/24 with VMs 10.1.0.4 and 10.1.0.5 behind a router at 10.1.0.1 whose br-ex address is 172.24.4.11; West site, private 10.2.0.0/24 with VM 10.2.0.4 behind a router at 10.2.0.1 whose br-ex address is 172.24.4.21; the VPN runs between the two routers over the public network 172.24.4.0/24.)
26. Site to Site VPN (physical)
(Diagram: two Ubuntu 12.04 VMs on one host, with private networks 10.1.0.0/24 and 10.2.0.0/24 and br-ex addresses 172.24.4.10 and 172.24.4.20; eth0 of each VM is on the Admin Network (NAT via the host), eth1 on the Internal Network that carries the Public Network 172.24.4.222/28.)
27. Reference Info
• How To: https://wiki.openstack.org/wiki/Neutron/VPNaaS/HowToInstall
• Main page (API is in OS doc wiki):
  http://docs.openstack.org/api/openstack-network/2.0/content/vpnaas_ext.html
  https://wiki.openstack.org/wiki/Neutron/VPNaaS
• OpenSwan & StrongSwan:
  https://github.com/xelerance/Openswan/wiki
  http://www.strongswan.org/ and http://wiki.strongswan.org/projects/strongswan
29. Site to Site VPN (physical)
(Diagram: Devstack-32 (UCS) with private 10.1.0.0/24, br-ex 172.24.4.225 and admin address 14.0.3.32; Devstack-33 (UCS) with private 10.2.0.0/24, br-ex 172.24.4.232 and admin address 14.0.3.33; both hosts are on the Admin Network 14.0.3.0/24 and are joined through a C6500 switch on the Public Network 172.24.4.222/28, using interfaces eth1 to eth4.)
30. Multi-node DevStack
• To do site-to-site VPN, needed to share the public net.
• Solution: Config DevStack (localrc) GW IP to be specified. Also added naming for easier config.

devstack-32:

    enable_service q-vpn
    PUBLIC_SUBNET_NAME=yoursubnet
    PRIVATE_SUBNET_NAME=mysubnet
    PUBLIC_NETWORK_GATEWAY=172.24.4.225
    Q_FLOATING_ALLOCATION_POOL="start=172.24.4.226,end=172.24.4.231"
    Q_USE_SECGROUP=False
    FIXED_RANGE=10.1.0.0/24
    NETWORK_GATEWAY=10.1.0.1

devstack-33:

    enable_service q-vpn
    PUBLIC_SUBNET_NAME=yoursubnet
    PRIVATE_SUBNET_NAME=mysubnet
    PUBLIC_NETWORK_GATEWAY=172.24.4.232
    Q_FLOATING_ALLOCATION_POOL="start=172.24.4.233,end=172.24.4.238"
    Q_USE_SECGROUP=False
    FIXED_RANGE=10.2.0.0/24
    NETWORK_GATEWAY=10.2.0.1
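An added check, not part of the slides or of DevStack, that two localrc fragments like the ones above can share one public network: the floating pools must not overlap or contain either gateway, and the FIXED_RANGE private networks the tunnel joins must be distinct. The localrc strings are constructed from slide 30; the function names are this example's own.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed copies of the two localrc fragments from slide 30.
LOCALRC_32 = """
PUBLIC_NETWORK_GATEWAY=172.24.4.225
Q_FLOATING_ALLOCATION_POOL="start=172.24.4.226,end=172.24.4.231"
FIXED_RANGE=10.1.0.0/24
"""
LOCALRC_33 = """
PUBLIC_NETWORK_GATEWAY=172.24.4.232
Q_FLOATING_ALLOCATION_POOL="start=172.24.4.233,end=172.24.4.238"
FIXED_RANGE=10.2.0.0/24
"""

def parse_localrc(text: str) -> Dict[str, str]:
    """Collect KEY=value lines from a localrc, dropping surrounding double quotes."""
    return {m.group(1): m.group(3)
            for m in re.finditer(r'^\s*([A-Z_]+)=("?)(.*?)\2\s*$', text, re.M)}

def floating_pool(cfg: Dict[str, str]):
    """Return (first, last) address of Q_FLOATING_ALLOCATION_POOL."""
    m = re.fullmatch(r"start=([\d.]+),end=([\d.]+)", cfg["Q_FLOATING_ALLOCATION_POOL"])
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))

def check_shared_public_net(configs: List[Dict[str, str]]) -> List[str]:
    """Return a list of problems; empty means the nodes can share the public net."""
    problems = []
    pools = [floating_pool(c) for c in configs]
    gateways = [ipaddress.ip_address(c["PUBLIC_NETWORK_GATEWAY"]) for c in configs]
    fixed = [ipaddress.ip_network(c["FIXED_RANGE"]) for c in configs]
    for i, (s1, e1) in enumerate(pools):
        if s1 > e1:
            problems.append(f"node {i}: floating pool start is after its end")
        # A gateway inside any pool would be handed out as a floating IP.
        problems += [f"node {i}: gateway {gw} lies inside the floating pool"
                     for gw in gateways if s1 <= gw <= e1]
        for j in range(i + 1, len(pools)):
            s2, e2 = pools[j]
            if s1 <= e2 and s2 <= e1:
                problems.append(f"nodes {i} and {j}: floating pools overlap")
    # The site-to-site tunnel needs distinct private ranges on both ends.
    for i in range(len(fixed)):
        for j in range(i + 1, len(fixed)):
            if fixed[i].overlaps(fixed[j]):
                problems.append(f"nodes {i} and {j}: FIXED_RANGE overlaps")
    return problems
```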
31. Modifications for VPNaaS
• Make localrc modifications as shown on previous page.
• Connect two systems with a switch (L2) for public net.
• Manually bring up eth# used for public network link.
• Add br-ex and add eth# to br-ex.
32. Object Diagram
(Diagram: one IKE Policy is used by N IPSec Site Connections; one IPSec Policy is used by N IPSec Site Connections; one VPN Service establishes N IPSec Site Connections; a VPN Service is associated with one Subnet and one Router.)
Note: all of these are associated with a single tenant
34. RPC API (Create VPN Service 1/2)
(Sequence diagram; participants: User, Neutron, IpSecDriver, Agent, StrongSwan DeviceDriver, Namespace Device.)
• User → Neutron: create vpn service. Neutron selects the driver using the type, sets status BUILDING, ensures an interface is added to the router, and calls create vpn service on the IpSecDriver.
• User → Neutron: create IKE policy. Neutron stores the policy; the driver call is a noop (do nothing).
• User → Neutron: create ipsec policy. Neutron stores the policy.
• User → Neutron: create vpn connection. Neutron calls create vpn connection on the IpSecDriver.
35. RPC API (Create VPN Service 2/2)
(Same participants as slide 34.)
• IpSecDriver fetches the router host of the associated router and sends vpn-service-updated to the Agent.
• Agent → StrongSwan DeviceDriver: sync (this sync is also done periodically and at boot time).
• DeviceDriver → Neutron: sync; Neutron returns the vpn connection info with related infos.
• DeviceDriver compares local state, then runs ensure_conf_file and ensure_process_running for the Namespace Device.
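The object diagram and the ensure_conf_file step above, as an added example that is not the Neutron reference driver's own template code: it models the VPN service, policies and site connections and renders the ipsec.conf and ipsec.secrets pair an OpenSwan-style driver writes under /opt/stack/data/neutron/ipsec/<router-UUID>/. Addresses come from slide 25; the Policy/VpnService/SiteConnection names, the MIN_PSK_LEN floor and the router UUID placeholder are this example's assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Policy:                 # shape shared by IKE and IPsec policies; 1 policy, used by N connections
    encryption: str = "aes128"   # Openswan spelling, not the Neutron API value "aes-128"
    auth: str = "sha1"

@dataclass
class VpnService:             # associated with 1 router and 1 subnet
    router_id: str
    external_ip: str          # the router's br-ex address
    local_cidr: str           # the subnet behind the router

@dataclass
class SiteConnection:         # N per service; each references one IKE and one IPsec policy
    name: str
    peer_address: str
    peer_cidrs: List[str]
    psk: str
    ike: Policy
    ipsec: Policy

MIN_PSK_LEN = 16              # assumed local minimum, not a Neutron or Openswan rule

def render(service: VpnService, conns: List[SiteConnection]) -> Tuple[str, str]:
    """Return (ipsec.conf, ipsec.secrets) text for one router namespace."""
    conf = ["config setup", "    nat_traversal=yes", ""]
    secrets = []
    for c in conns:
        if len(c.psk) < MIN_PSK_LEN:
            raise ValueError(f"{c.name}: PSK shorter than {MIN_PSK_LEN} characters")
        conf += [f"conn {c.name}", f"    left={service.external_ip}",
                 f"    leftsubnet={service.local_cidr}", f"    right={c.peer_address}",
                 f"    rightsubnets={{{' '.join(c.peer_cidrs)}}}",
                 f"    ike={c.ike.encryption}-{c.ike.auth}",
                 f"    esp={c.ipsec.encryption}-{c.ipsec.auth}",
                 "    authby=secret", "    auto=start", ""]
        # The PSK goes only into ipsec.secrets, which the driver must write mode 0600.
        secrets.append(f'{service.external_ip} {c.peer_address} : PSK "{c.psk}"')
    return "\n".join(conf), "\n".join(secrets) + "\n"

# Constructed sample: the East router from slide 25 connecting to the West site.
def east_to_west() -> Tuple[str, str]:
    east = VpnService("router-east-uuid-placeholder", "172.24.4.11", "10.1.0.0/24")
    conn = SiteConnection("east-west", "172.24.4.21", ["10.2.0.0/24"],
                          "constructed-sample-psk-0001", Policy(), Policy())
    return render(east, [conn])
```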
36. RPC API (Update VPN Service)
(Sequence diagram; participants: User, Neutron, IpSecDriver, Agent, StrongSwan DeviceDriver, Namespace Device.)
• User → Neutron: update VPN Service, update IKE policy/IPSec policy, or CUD of vpn connections.
• Neutron selects the driver using the type and calls the IpSecDriver, which sends vpn-service-updated to the Agent.
• Agent → DeviceDriver: sync; DeviceDriver → Namespace Device: sync.
37. RPC API (Update VPN Service)
(Same participants as slide 36.)
• User → Neutron: update or delete VPN Service/IKE policy/IPSec policy, or CRUD of vpn connections.
• Neutron selects the driver using the type; on delete, the interface is removed from the router.
• IpSecDriver sends vpn-service-updated to the Agent; Agent → DeviceDriver: sync; DeviceDriver → Namespace Device: sync.
45. Initial reference implementation
How: Service Plugin + Agent + Driver
Where: L3 only -- iptables rules on routers
Why: Complements security groups
What next? Vendor drivers
47. Entity Relationships
(Diagram: Tenant A, Tenant B and Tenant C each own a Firewall (Firewall A, Firewall B, Firewall C); each Firewall applies one Firewall Policy (Firewall Policy X, Firewall Policy Y, ...); a Firewall Policy is an ordered list of Firewall Rules such as Allow ICMP and Allow TCP 80; the firewall is applied on the tenant's Routers.)