These are the slides from the webinar "OpenStack networking (Neutron)", which covered the topics: - OpenStack Networking: the Neutron project (NaaS); - Main features of Neutron; - Advanced networking functionalities in OpenStack.

1. OpenStack
Networking
Giuseppe Cossu
Research Engineer
Webinar on October 5th, 2015 - 15:00 CET

2. Hello!
I am Giuseppe Cossu
I am an enthusiastic OpenStack user.
I work at Create-Net as Research
Engineer. Mainly involved on Cloud
Computing and Networking.
Contacts:
gcossu@create-net.org
http://it.linkedin.com/in/giuseppecossu/en

3. Agenda
■ Introduction
OpenStack Overview
■ Neutron
Overview
Main features with Live Demo
■ Networking Architecture
Main Components
Neutron server and agents
Modular Layer 2 (ML2) plugin
Type Driver, Mechanism Driver
DVR (Distributed Virtual Router)
L3 services on Compute Nodes
Advanced Services: FWaaS, LBaaS, VPNaaS

4. Introduction
OpenStack is a free and open-source cloud-computing
software platform

5. OpenStack Logical Architecture

6. Network as a Service

7. Openstack Networking Architecture
Management network
■ Used for internal OpenStack
communications
■ Connects all OpenStack
Components
Data network
■ Used for VMs data communication
External network
■ Used to provide VMs with Internet
access in some deployment
scenarios
■ The IP addresses on this network
should be reachable by anyone on
the Internet
API network
■ Exposes all OpenStack APIs to
tenants
■ The IP addresses on this network
should be reachable by anyone on
the Internet

8. What is Neutron?
“Neutron is an OpenStack project to provide Networking
as a Service (NaaS) between interface devices managed by
other Openstack services”

9. History: from nova-network to Neutron
■ nova-network is the original OpenStack networking
implementation
still available (but is going to be deprecated)
managed by administrator
Tenant can not create/manage networks
Limitations:
lack of API for networking services
basic model of performing isolation through Linux VLANs
and IP tables
limited networking technology (e.g. no L2-in-L3 tunneling,
no OpenFlow)
■ The OpenStack Neutron was called “Quantum”
renamed to “Neutron” for trademark issues

10. Neutron
■ Provides REST APIs to create and manage virtual
networks and network resources
■ Allows tenants having multiple private networks and
to choose their own IP addressing scheme
■ Enables advanced cloud networking use cases
e.g., multi-tiered web applications
■ Pluggable Architecture
a plugin is a back-end implementation of the Networking API
flexibility to choose different network virtualization
technologies (e.g. VLAN, GRE, VxLAN)
■ Plugins available (ML2 Mechanism Drivers):
Open vSwitch, Cisco (UCS/Nexus), Juniper (Opencontrail),
VMware NSX, OpenDaylight, Midonet, PLUMgrid, etc.

11. Live Demo
■ Live Demo using the
OpenStack Dashboard
graphical interface to
access, provision and
automate cloud-based
resources
■ The demo provides an
overview on the main
Neutron features

12. Neutron: networking resources & L2 functionalities (I)
■ Each tenant can create L2 private networks
Network: an isolated virtual layer-2 broadcast domain
It is reserved for the tenant who created it
■ ...and associate a sub-network to each network
Subnet: an IP address block (CIDR) that can be used to assign IP
addresses to virtual instances
It is possible to configure DNS, gateway and enable DHCP

13. Neutron: networking resources & L2 functionalities (II)
Virtual instances attach their VIF (Virtual network
InterFace) into ports:
■ Port: a virtual switch port on a logical network switch
Defines the MAC&IP addresses to be assigned to the interfaces
plugged into them
Typically a virtual network interface belonging to a VM
■ Each instance receive a Fixed IP on creation
Stay the same until the instance is explicitly terminated

14. Neutron: networking resources & L2 functionalities (III)
■ Each tenant can configure rich network topologies by
creating and configuring networks and subnets
having multiple private networks
choosing their own IP addressing scheme (even if those IP
addresses overlap with those used by other tenants)
■ Admin can create shared networks
The network resources can be accessed by any tenant

15. Neutron: networking resources & L3 functionalities (I)
In order to provide inbound/outbound Internet connectivity to VMs,
Neutron provides L3 functionality by means of:
■ External Network: a “virtual” network, that typically maps public
IP ranges available in the DC network
managed by admin
can be used as external gateway for internal tenant network or
create floating IPs and associate them with ports
■ Router: a logical entity used to:
interconnect subnets and forward traffic among them
NATing tenant network traffic to external networks
■ Floating IPs: IP addresses on an external network, typically
public, that can be dynamically associated with an instance
A Floating IP allows access to an instance on a private network
from an external network

16. Neutron: networking resources & L3 functionalities (II)
Scenario 1: Create an External Network and a Router
■ The router connects the private to the external network, offering
NAT functionality
■ Associate a floating IP to an internal port (e.g. access instances
from Internet)

17. Neutron: networking resources & L3 functionalities (III)
Scenario 2: Connect two private networks
■ The router connects private networks forwarding traffic among
them

18. Networking
Architecture
Neutron under the hood

19. Neutron Server and agents
■ Neutron-Server exposes the
Networking API and enable
administration of the
configured plug-in
The agents interact with the
main neutron process
through RPC or API
Neutron agents:

20. Neutron features
■ Modular Layer 2 (ML2) plugin
Core Plugin: it is bundled with OpenStack
allows to simultaneously utilize the variety of
layer 2 networking technologies
■ DVR (Distributed Virtual Router)
L3 forwarding and NAT are distributed to the
compute nodes
solves single points of failures and scalability
problems of the Network Node
■ Advanced Services, implemented as
service plugins
Load Balancer as a Service (LBaaS)
Virtual Private Network as a Service (VPNaaS)
Firewall as a Service (FWaaS)
L2
Connectivity
L3
Connectivity
L4-L7
Services

21. Neutron features
L2
Connectivity

22. Modular Layer 2 (ML2)
■ ML2 plugin is a framework allowing OpenStack Networking to
simultaneously utilize the variety of layer 2 networking technologies
The Type Driver maintains any needed type-specific network state, and
perform provider network validation and tenant network allocation
The Mechanism Driver is responsible for taking the information established by
the Type Driver and ensuring that it is properly applied given the specific
networking mechanisms that have been enabled

23. Network Segments (Type Driver)
■ Flat
all instances reside on the same network, which can also be shared
with the hosts
■ VLAN
allows users to create multiple networks using VLAN IDs (802.1Q) that
correspond to VLANs present in the physical network
■ VxLAN or GRE
network overlays to support private communication between
instances
each network receives a unique tunnel ID (up to 16 million logical
networks)

24. ML2 with Open vSwitch (OVS) Mechanism Driver
■ Open vSwitch (L2) agent:
communicates with the Neutron server over RPC
communicates directly with the local Open vSwitch instance to
configure flows to implement the logical data model
gathers the configuration and mappings from the database
applies Security Group rules
GRE Tunnels

25. Neutron features
L2
Connectivity
L3
Connectivity

26. Legacy Routing in Neutron
■ Network node IP forwarding:
Inter-subnet (east-west) traffic between VMs
Floating IP (north-south) traffic between VM and external network
Default SNAT (north-south) traffic from VM to external network
■ Issues:
Performance bottleneck
Scalability limitations
Single Point of Failure
Network Node Compute Node Compute Node
Internet
External Network
Data Network
VM1 VM2
Tenant Network

27. Distributed Virtual Router (DVR)
■ IP forwarding provided (also) by Compute nodes for local VMs
Inter-subnet (east-west) traffic between VMs
Floating IP (north-south) traffic between external and VM
■ Advantages:
Bypass network node improves performance
Scales with size of compute farm
Limited failure domain (per compute node)
■ Limitations:
Default SNAT function is still centralized
Network Node Compute Node Compute Node
Internet
External Network
Data Network
VM1 VM2
Tenant Network

28. Neutron features
L2
Connectivity
L3
Connectivity
L4-L7
Services

29. Load-Balancer-as-a-Service (LBaaS)
■ The LBaaS enable tenants to manage load balancers for their VMs
load-balance incoming traffic by distributing workloads to application
services running on VMs
LBaaS V2 API is experimental (stable on Liberty Release)
■ Load balancing methods to distribute incoming requests:
Round robin: rotates requests evenly between multiple instances
Source IP: requests from a unique source IP address are consistently
directed to the same instance
Least connections: allocates requests to the instance with the least
number of active connections

30. Firewall-as-a-Service (FWaaS)
■ FWaaS adds firewall management to Networking
operates at the perimeter to filter traffic at the neutron router
uses iptables to apply firewall policy to all routers within a project
supports one firewall policy and logical firewall instance per project
■ NOTE: Security Groups operate at the instance-level

31. Virtual-Private-Network-as-a-Service (VPNaaS)
■ The VPNaaS extension enables OpenStack tenants to extend
private networks across the internet:
Relates the VPN with a specific subnet and router for a tenant
Multiple VPN connections per tenant
Site-to-site VPN that connects two private networks
■ Configuration:
An IKE Policy is used for phase one and phase two negotiation of the
VPN connection
support with 3des, aes-128, aes-256, or aes-192 encryption
An IPsec Policy is used to specify the encryption algorithm, transform
protocol, and mode (tunnel/transport) for the VPN connection
support with 3des, aes-128, aes-192, or aes-256 encryption, sha1
authentication, ESP, AH, or AH-ESP transform protocol, and tunnel or
transport mode encapsulation

32. OpenStack Bootcamp
The main topics covered are:
Overview on OpenStack and its
architecture,
OpenStack networking;
Swift;
Ceilometer and its architecture,
Heat Overview;
OpenStack deployment.
At the end of the Bootcamp each
student will be able to:
Describe the architecture of an
OpenStack deployment;
Discuss the main functionalities of
OpenStack;
Deploy, configure and use the
Openstack services;
Create and manage VMs and
Virtual Networks;
Create and manage, suers, roles,
and quotas;
Use the OpenStack CLI and
Dashboard.
In partnership with Mirantis
For further information:
http://openstack.create-net.org
openstack@create-net.org

33. ■ OpenStack Cloud Administrator Guide http://docs.openstack.org/admin-guide-
cloud/content/index.html
■ OpenStack Networking API v2.0 Reference
http://docs.openstack.org/api/openstack-network/2.0/content/index.html
■ OpenStack Training Guides http://docs.openstack.org/training-
guides/content/index.html
■ OpenStackHowto: Quantum https://wiki.debian.org/OpenStackHowto/Quantum
■ Mirantis Reference Architectures http://docs.mirantis.com/openstack/fuel/fuel-
6.0/reference-architecture.html
■ OpenStack Networking Introduction - Yves Fauser, VMware NSBU
■ http://www.slideshare.net/vivekkonnect/openstack-
kilosummitdvrarchitecture20140506mastergroup
References

34. Thanks!
Any questions?
You can find me at: gcossu@create-net.org
Follow-up email will include the link to slides and recording.