-
Story
-
Resolution: Unresolved
-
Normal
-
None
-
None
-
None
-
False
-
-
False
-
-
rhel-9
-
None
-
rhel-net-ovn
-
-
It appears that OVN is not able to handle multiple patch ports from localnet ports with different tags. All the traffic on the br-ex physical interface will be duplicated for each tag.
Here is ovn-nbctl show. Notice that this single OVN switch has two localnet ports with tags 101 and tag 201. From CMS(Neutron) I associated subnet 172.24.4.0/24 under segment 1 (VLAN101) and subnet 172.24.5.0/24 with segment 2 (VLAN 201).
switch 4e0b4cb2-24e0-4a42-b608-9601aeee53f3 (neutron-4e0b4cb2-24e0-4a42-b608-9601aeee53f3) (aka public_multiseg) port provnet-b8d7f657-cca2-4c1a-b371-f3350ce04ce7 type: localnet tag: 201 addresses: ["unknown"] port 34068430-96b2-4649-880a-5d6797ab051f (aka port_sub_seg1_1) addresses: ["fa:16:3e:66:e0:07 172.24.4.111"] port provnet-3d9c4ee5-030b-409d-bf25-bf2197b32c69 type: localnet tag: 101 addresses: ["unknown"] port b4891b06-8127-4b4f-b0ef-78a0caf0af6f (aka port_sub1_seg2_2) addresses: ["fa:16:3e:6b:78:0f 172.24.5.11"] port 70400a35-00ce-4294-8686-2316bf1f5779 (aka port_sub1_seg2_1) addresses: ["fa:16:3e:80:13:95 172.24.5.10"] port 08cafa9e-8394-43b1-a957-dc87711ed193 type: localport addresses: ["fa:16:3e:c3:e7:06 172.24.4.2 172.24.5.2"] port c21914ff-09bf-42df-aa43-c9ebd791a3f2 (aka port_sub_seg1_2) addresses: ["fa:16:3e:d1:1f:7e 172.24.4.130"]
This deplyment has two OVN chassis (called central and worker). I then created two VMs under segment1 (vlan 101) and two VMs under segment2(vlan 201). In the ovn nb db output above VM ports start with`port_sub*` name. Lastly, I deployed one VM from each segment to each chassis. This is to make sure that any traffic directed to the other VM on the same segment(vlan ID) is on the other OVN chassis, thus forcing the traffic to leave br-ex physical NIC.
When I deploy a VM from two different segment on a OVN chassis I get two patch ports from br-int to br-ex. This is expected, here is the ovs-vsctl show output from one chassis(other is identical)
7d9c54cf-71d6-4f18-b3e4-3a0933ad6ba2
Manager "ptcp:6640:127.0.0.1"
is_connected: true
Bridge br-ex
Port br-ex
Interface br-ex
type: internal
Port eth2
Interface eth2
Port patch-provnet-b8d7f657-cca2-4c1a-b371-f3350ce04ce7-to-br-int
Interface patch-provnet-b8d7f657-cca2-4c1a-b371-f3350ce04ce7-to-br-int
type: patch
options: {peer=patch-br-int-to-provnet-b8d7f657-cca2-4c1a-b371-f3350ce04ce7}
Port patch-provnet-3d9c4ee5-030b-409d-bf25-bf2197b32c69-to-br-int
Interface patch-provnet-3d9c4ee5-030b-409d-bf25-bf2197b32c69-to-br-int
type: patch
options: {peer=patch-br-int-to-provnet-3d9c4ee5-030b-409d-bf25-bf2197b32c69}
Bridge br-int
fail_mode: secure
datapath_type: system
Port tap4e0b4cb2-20
Interface tap4e0b4cb2-20
Port tap70400a35-00
Interface tap70400a35-00
Port br-int
Interface br-int
type: internal
Port tap34068430-96
Interface tap34068430-96
Port ovn-8571bb-0
Interface ovn-8571bb-0
type: geneve
options: {csum="true", key=flow, remote_ip="192.168.150.100"}
Port patch-br-int-to-provnet-3d9c4ee5-030b-409d-bf25-bf2197b32c69
Interface patch-br-int-to-provnet-3d9c4ee5-030b-409d-bf25-bf2197b32c69
type: patch
options: {peer=patch-provnet-3d9c4ee5-030b-409d-bf25-bf2197b32c69-to-br-int}
Port patch-br-int-to-provnet-b8d7f657-cca2-4c1a-b371-f3350ce04ce7
Interface patch-br-int-to-provnet-b8d7f657-cca2-4c1a-b371-f3350ce04ce7
type: patch
options: {peer=patch-provnet-b8d7f657-cca2-4c1a-b371-f3350ce04ce7-to-br-int}
When I do tcpdump on the eth2 interface(br-ex interface) on that chassis I see that traffic is getting replicated for each VLAN ID.
For example here is ARP request coming from VM with IP 10.24.4.111
19:42:29.834734 fa:16:3e:66:e0:07 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 101, p 0, ethertype ARP (0x0806), Request who-has 172.24.4.1 tell 172.24.4.111, length 28 19:42:29.834740 fa:16:3e:66:e0:07 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 201, p 0, ethertype ARP (0x0806), Request who-has 172.24.4.1 tell 172.24.4.111, length 28
And basically any type of traffic (icmp, .etc) behaves the same, all packets get tagged with both VLANs. I would expect OVN to keep separation of vlan tagging in respect to localnet port.
I am attaching my OVN DBs and OVS db
_-------------- Original bug description, it is still applicable but I want to make sure there is separation, since information bellow came from a more complex enviroment, description above this line is more consolidated------------------------------------------------------------------------------- _
I am filing this is as a bug but I can see this being handled as a feature as well.
Background:
In openstack, a user is able to present a multi-segmented layer3 network as a single entity in neutron. This is called routed provider network. Link . For example, customers can create a single network, lets call it "public" from within which they can have multiple subnets associated with different VLANs. They would group subnets under a segment and that segment would be tagged under some VLAN ID.
- is depended on by
-
OSPRH-5632 Multiple routed provider segments per host for ML2-OVN
-
- In Progress
-