Neutron - Meetup


Neutron
What’s new in Havana?
Arvind Somya
Software Engineer
Cisco Systems Inc.
Modular Layer 2 (ML2)
Driver Based
Combines OVS and Linuxbridge
VXLAN Support
L3 Separation
L2 Population
Vendor Drivers Available
Original Goal:
The Modular Layer 2 (ML2) Plugin is a framework
allowing OpenStack Networking to simultaneously utilize
the variety of layer 2 networking technologies found in
complex real-world datacenters.
ML2 was designed to ease the burden of adding new L2 networking technologies into OpenStack Networking.
ML2 will deprecate the Open vSwitch, LinuxBridge, and Hyper-V monolithic Neutron Plugins.
It works with each of their existing L2 agents simultaneously.
ML2 exposes two different types of drivers: “Type” and “Mechanism”
ML2 TypeDrivers:
Maintain type-specific state
Provide tenant network allocation
Validate provider networks
Current TypeDrivers:
local, flat, VLAN, GRE, and VXLAN
ML2 MechanismDrivers:
Responsible for taking information supplied by TypeDrivers and ensuring it is properly
applied given the specific networking mechanisms which have been enabled
Current MechanismDrivers:
Arista, Cisco Nexus, Hyper-V, L2 Population, LinuxBridge, Open vSwitch, Tail-F NCS
MechanismDrivers can work with many different technologies:
Agent based MechanismDrivers (Hyper-V, LinuxBridge, and OVS)
Controller based MechanismDrivers (Tail-F NCS and OpenDaylight)
ToR switch MechanismDrivers (Arista and Cisco Nexus)
[Diagram: Neutron Server; ML2 Plugin; API Extensions; Type Manager (VXLAN, GRE and VLAN TypeDrivers); Mechanism Manager (Tail-F NCS, OVS/LinuxBridge, L2 Population, Hyper-V, Cisco Nexus, Arista)]
Load Balancing as a Service
Multiple Network Node
Driver Based
OpenSource - HAProxy
Vendor Drivers Available (Nicira Service Plugin)
Agent based solution
Horizon Integrated
LBaaS Simple Workflow
Can load balance using:
• Round Robin
• Least Connections
• Source IP
Create a Pool of VIPs from a Neutron Subnet
Optionally associate monitors with Pools
Monitors check the backend members of a VIP
Can use Ping, TCP, HTTP, HTTPS for health checks
Can specify the delay, timeout, retries, URL and expected codes for each monitor
Add VIP to the Pool (One per pool)
Add Member instances to the Pool
Specify a weight for added members and a port number.
VPN as a Service
Site-to-Site
IPSec Pre-Shared Key
Multiple Node Support
OpenSource based on OpenSwan
Under development: MPLS VPN, BGP MPLS VPN
Horizon Integrated
VPN as a Service Simple Workflow
Create a VPN Service
• Tenant
• Subnet
• Router
Create IKE Policy
Auth algorithm: sha1
• Tenant
• Name
Encryption Algorithm: aes-128 (aes 3des, aes-256, aes-192)
Phase 1 negotiation mode: Main Mode (Aggressive mode)
PFS: Group5 (group2, group5, or group14)
IKE Version: v1 (v2)
Create IPSec Policy
• Tenant
• Name
Transform protocol: ESP (AH, AH-ESP)
Encapsulation mode: tunnel (transport)
Auth algorithm: sha1
Encryption Algorithm: aes-128 (aes 3des, aes-256, aes-192)
PFS: Group5 (group2, group5, or group14)
Create IPSec site connection
• Tenant
• Peer Id
• Peer CIDR(s)
• Peer Address
• Psk
• IKE Policy
• IPSec Policy
• VPN Service Id
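Added example, not part of the original slides or of Neutron: a small Python audit of the IKE and IPSec policy values listed above, flagging choices a reviewer would treat as legacy before a site connection is created. The field names follow the slide labels, and the rule set and the 20-character PSK threshold are assumptions of this example.

```python
# Added example (not from the slides): flag legacy choices in VPNaaS policies.
# LEGACY is this example's own rule set, an assumption rather than a Neutron default.
LEGACY = {
    "auth_algorithm": {"sha1": "SHA-1 based; current guidance prefers SHA-2"},
    "encryption_algorithm": {"3des": "64-bit block cipher"},
    "pfs": {"group2": "1024-bit MODP group", "group5": "1536-bit MODP group"},
    "ike_version": {"v1": "IKEv1; the slides also list v2"},
    "phase1_negotiation_mode": {"aggressive": "peer identities are not protected"},
    "transform_protocol": {"ah": "AH alone provides no confidentiality"},
}


def audit_policy(kind, policy):
    """Return sorted (kind, field, value, reason) findings for one policy dict."""
    findings = []
    for field, value in policy.items():
        reason = LEGACY.get(field, {}).get(str(value).lower())
        if reason:
            findings.append((kind, field, value, reason))
    return sorted(findings)


def audit_connection(ike_policy, ipsec_policy, psk, min_psk_len=20):
    """Audit both policies plus the pre-shared key length (threshold is assumed)."""
    findings = audit_policy("ike", ike_policy) + audit_policy("ipsec", ipsec_policy)
    if len(psk) < min_psk_len:
        # Never echo the key itself into a report.
        findings.append(("connection", "psk", "<redacted>",
                         f"shorter than {min_psk_len} characters"))
    return findings


# Constructed samples: the first-listed value for each field on the slides.
SLIDE_IKE = {"auth_algorithm": "sha1", "encryption_algorithm": "aes-128",
             "phase1_negotiation_mode": "main", "pfs": "group5", "ike_version": "v1"}
SLIDE_IPSEC = {"transform_protocol": "esp", "encapsulation_mode": "tunnel",
               "auth_algorithm": "sha1", "encryption_algorithm": "aes-128",
               "pfs": "group5"}

if __name__ == "__main__":
    for kind, field, value, reason in audit_connection(
            SLIDE_IKE, SLIDE_IPSEC, psk="constructed-sample-psk-0001"):
        print(f"{kind:10} {field:24} {value:10} {reason}")
```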
Firewall as a Service
Stateless Filtering at the Edge
Vendor Drivers
Preview Available in Havana
Agent Based
Horizon Integrated
Firewall as a Service Simple Workflow
Can specify Audited attribute
Create a Firewall Policy
Create a Tenant Firewall
Add Firewall Rules
Source, dest IP, port etc.
Strict Ordering
Additional New Features
Improved Horizon Integration
• Panels for Load Balancer, Firewall and VPN as a service.
DHCP Per Port Options
Plugin Improvements
Looking ahead to Icehouse...
Parity with nova-network
Improved IPv6 Support
L3 High Availability
Plugins and Drivers
External Testing
New Plugins and Drivers
Icehouse Advanced Services
Load Balancing as a Service
Multiple pools per VIP
VPN as a Service
SSL VPN API
Firewall as a Service
Revised API