How to configure OVN router?

How to configure OVN router?

Overview

Based on the experimental environment in my previous article, I will now add the three-layer network infrastructure to OVN. The final result will be a pair of logical switches connected by a logical router. In addition, the router will be configured to provide IP addresses through the built-in DHCP service in OVN.

Refactoring logic components

As the setup starts to get more complex, we will restructure the network architecture. The new logical network topology is as follows:

  • 2 logical switches: “dmz” and “inside”
  • Logical router "tenant1" which connects two logical switches
  • IP network “dmz”: 172.16.255.128/26
  • IP network “inside”: 172.16.255.192/26
  • Each logical switch has a pair of "virtual machines"

The new logical network is shown in the figure below

Understanding Routing

In this lab, we will create an OVN router, a "distributed logical router" (DLR). DLR is different from a traditional router because it is not a physical device, but a logical architecture (unlike a logical switch). DLR exists only as a function in OVS: in other words, each OVS instance can simulate a three-layer router locally before forwarding traffic on the overlay network.

Creating Logical Switches and Logical Routers

Define the logical switch on ubuntu1:

  1.  ovn-nbctl ls- add inside
  2.  ovn-nbctl ls- add dmz

Add the logical router and its associated router and switch ports:

  1.  # Add router tenant1
  2.  ovn-nbctl lr- add tenant1 
  3.   
  4.  # Create a port for the router tenant1 to connect to the DMZ switch
  5.  ovn-nbctl lrp- add tenant1 tenant1-dmz 02:ac:10:ff:01:29 172.16.255.129/26 
  6.   
  7.  # Create port dmz-tenant1 for the dmz switch to connect to the router tenant1
  8.  ovn-nbctl lsp- add dmz dmz-tenant1
  9.  ovn-nbctl lsp- set -type dmz-tenant1 router
  10.  ovn-nbctl lsp -set -addresses dmz-tenant1 02:ac:10:ff:01:29
  11.  ovn-nbctl lsp- set -options dmz-tenant1 router-port=tenant1-dmz 
  12.   
  13.  #Create a port for the router tenant1 to connect to the inside switch
  14.  ovn-nbctl lrp- add tenant1 tenant1-inside 02:ac:10:ff:01:93 172.16.255.193/26 
  15.   
  16.  #Create port inside-tenant1 for the inside switch to connect to the router tenant1
  17.  ovn-nbctl lsp- add inside inside-tenant1
  18.  ovn-nbctl lsp- set -type inside-tenant1 router
  19.  ovn-nbctl lsp- set -addresses inside-tenant1 02:ac:10:ff:01:93
  20.  ovn-nbctl lsp- set -options inside-tenant1 router-port=tenant1-inside 
  21.   
  22.  ovn-nbctl show

Add DHCP

DHCP in OVN is a bit different than most solutions. Most people assume that the administrator will:

  1. Defines a set of DHCP options for a given subnet
  2. Create a logical switch port and define the MAC address and IP address for the port
  3. Assign DHCP options to this port.
  4. Set port security to allow only assigned addresses

Next, we will configure logical ports for the four virtual machines.

On ubuntu1:

  1.  ovn-nbctl lsp- add dmz dmz-vm1
  2.  ovn-nbctl lsp- set -addresses dmz-vm1 "02:ac:10:ff:01:30 172.16.255.130"  
  3.  ovn-nbctl lsp- set -port-security dmz-vm1 "02:ac:10:ff:01:30 172.16.255.130"   
  4.   
  5.  ovn-nbctl lsp- add dmz dmz-vm2
  6.  ovn-nbctl lsp- set -addresses dmz-vm2 "02:ac:10:ff:01:31 172.16.255.131"  
  7.  ovn-nbctl lsp- set -port-security dmz-vm2 "02:ac:10:ff:01:31 172.16.255.131"   
  8.   
  9.  ovn-nbctl lsp- add inside inside-vm3
  10.  ovn-nbctl lsp- set -addresses inside-vm3 "02:ac:10:ff:01:94 172.16.255.194"  
  11.  ovn-nbctl lsp- set -port-security inside-vm3 "02:ac:10:ff:01:94 172.16.255.194"   
  12.   
  13.  ovn-nbctl lsp- add inside inside-vm4
  14.  ovn-nbctl lsp- set -addresses inside-vm4 "02:ac:10:ff:01:95 172.16.255.195"  
  15.  ovn-nbctl lsp- set -port-security inside-vm4 "02:ac:10:ff:01:95 172.16.255.195"   
  16.   
  17.  ovn-nbctl show

You may have noticed that, unlike the previous experiment, now we can define the mac and IP address with one command. The IP address definition achieves our two goals:

  1. It implements ARP suppression by having OVN locally answer ARP requests for IP/MACs it knows about.
  2. The IP address will be assigned from the interface on which the DHCP request is received. This is how DHCP is implemented.

Next, we need to define the DHCP options and assign them to the logical ports. The process here will be a little different than what we have seen before, as we will be interacting directly with the OVN NB database. The reason for doing this is that we need to capture the UUIDs in the DHCP_Options so that we can assign UUIDs to switch ports. To do this, we will output the captured results of the ovn-nbctl command into a pair of bash variables.

  1.  dmzDhcp="$(ovn-nbctl create DHCP_Options cidr=172.16.255.128/26 \
  2.  options= "\"server_id\"=\"172.16.255.129\" \"server_mac\"=\"02:ac:10:ff:01:29\" \
  3.  \ "lease_time\"=\"3600\" \"router\"=\"172.16.255.129\"" )"
  4.  echo $dmzDhcp 
  5.   
  6.  insideDhcp="$(ovn-nbctl create DHCP_Options cidr=172.16.255.192/26 \
  7.  options= "\"server_id\"=\"172.16.255.193\" \"server_mac\"=\"02:ac:10:ff:01:93\" \
  8.  \ "lease_time\"=\"3600\" \"router\"=\"172.16.255.193\"" )"
  9.  echo $insideDhcp 
  10.   
  11.  ovn-nbctl dhcp-options-list

If you want to learn more about the OVN NB database, see the ovn-nb manual.

Now, we will assign DHCP_Options to the logical switch port using the UUID stored in the variable.

  1.  ovn-nbctl lsp- set -dhcpv4-options dmz-vm1 $dmzDhcp
  2.  ovn-nbctl lsp-get-dhcpv4-options dmz-vm1 
  3.   
  4.  ovn-nbctl lsp- set -dhcpv4-options dmz-vm2 $dmzDhcp
  5.  ovn-nbctl lsp-get-dhcpv4-options dmz-vm2 
  6.   
  7.  ovn-nbctl lsp- set -dhcpv4-options inside-vm3 $insideDhcp
  8.  ovn-nbctl lsp-get-dhcpv4-options inside-vm3 
  9.   
  10.  ovn-nbctl lsp- set -dhcpv4-options inside-vm4 $insideDhcp
  11.  ovn-nbctl lsp-get-dhcpv4-options inside-vm4

Configuring the virtual machine

As in the previous experiment, we will use the "pseudo virtual machine" built using the OVS internal ports and network namespace. The difference now is that we will use DHCP for address allocation.

Next we will set up the virtual machine.

On Ubuntu 2:

  1.  ip netns add vm1
  2.  ovs-vsctl add -port br- int vm1 -- set interface vm1 type=internal  
  3.  ip link set vm1 address 02:ac:10:ff:01:30
  4.  ip link set vm1 netns vm1
  5.  ovs-vsctl set Interface vm1 external_ids:iface-id=dmz-vm1
  6.  ip netns exec vm1 dhclient vm1
  7.  ip netns exec vm1 ip addr show vm1
  8.  ip netns exec vm1 ip route show 
  9.   
  10.  ip netns add vm3
  11.  ovs-vsctl add -port br- int vm3 -- set interface vm3 type=internal  
  12.  ip link set vm3 address 02:ac:10:ff:01:94
  13.  ip link set vm3 netns vm3
  14.  ovs-vsctl set Interface vm3 external_ids:iface-id=inside-vm3
  15.  ip netns exec vm3 dhclient vm3
  16.  ip netns exec vm3 ip addr show vm3
  17.  ip netns exec vm3 ip route show

On Ubuntu 3:

  1.  ip netns add vm2
  2.  ovs-vsctl add -port br- int vm2 -- set interface vm2 type=internal  
  3.  ip link set vm2 address 02:ac:10:ff:01:31
  4.  ip link set vm2 netns vm2
  5.  ovs-vsctl set Interface vm2 external_ids:iface-id=dmz-vm2
  6.  ip netns exec vm2 dhclient vm2
  7.  ip netns exec vm2 ip addr show vm2
  8.  ip netns exec vm2 ip route show 
  9.   
  10.  ip netns add vm4
  11.  ovs-vsctl add -port br- int vm4 -- set interface vm4 type=internal  
  12.  ip link set vm4 address 02:ac:10:ff:01:95
  13.  ip link set vm4 netns vm4
  14.  ovs-vsctl set Interface vm4 external_ids:iface-id=inside-vm4
  15.  ip netns exec vm4 dhclient vm4
  16.  ip netns exec vm4 ip addr show vm4
  17.  ip netns exec vm4 ip route show

Testing network connectivity

On ubuntu2, test network connectivity from vm1:

  1.  # ping vm1's default gateway
  2.  root@ubuntu2:~# ip netns exec vm1 ping 172.16.255.129
  3.  PING 172.16.255.129 (172.16.255.129) 56(84) bytes of data.
  4.  64 bytes from 172.16.255.129: icmp_seq=1 ttl=254 time =0.689 ms
  5.  64 bytes from 172.16.255.129: icmp_seq=2 ttl=254 time =0.393 ms
  6.  64 bytes from 172.16.255.129: icmp_seq=3 ttl=254 time =0.483 ms   
  7.  # Ping vm2 from the overlay network (across tenant1)
  8.  root@ubuntu2:~# ip netns exec vm1 ping 172.16.255.131
  9.  PING 172.16.255.131 (172.16.255.131) 56(84) bytes of data.
  10.  64 bytes from 172.16.255.131: icmp_seq=1 ttl=64 time =2.16 ms
  11.  64 bytes from 172.16.255.131: icmp_seq=2 ttl=64 time =0.573 ms
  12.  64 bytes from 172.16.255.131: icmp_seq=3 ttl=64 time =0.446 ms   
  13.  # Ping vm3 through the router (across the entire overlay network)
  14.  root@ubuntu2:~# ip netns exec vm1 ping 172.16.255.194
  15.  PING 172.16.255.194 (172.16.255.194) 56(84) bytes of data.
  16.  64 bytes from 172.16.255.194: icmp_seq=1 ttl=63 time =1.37 ms
  17.  64 bytes from 172.16.255.194: icmp_seq=2 ttl=63 time =0.077 ms
  18.  64 bytes from 172.16.255.194: icmp_seq=3 ttl=63 time =0.076 ms   
  19.  # Ping vm4 through the router (across the entire overlay network)
  20.  root@ubuntu2:~# ip netns exec vm1 ping 172.16.255.195
  21.  PING 172.16.255.195 (172.16.255.195) 56(84) bytes of data.
  22.  64 bytes from 172.16.255.195: icmp_seq=1 ttl=63 time =1.79 ms
  23.  64 bytes from 172.16.255.195: icmp_seq=2 ttl=63 time =0.605 ms
  24.  64 bytes from 172.16.255.195: icmp_seq=3 ttl=63 time =0.503 ms

Conclusion

OVN makes layer 3 overlay networks easy to deploy and manage. In addition, the way services like DHCP are built directly into the system helps reduce the number of external components required to build an effective SDN solution. In the next article, we will discuss how to connect our (currently isolated) overlay network to the outside world.

Translator profile: Zheng Minxian works for Nooyun Systems (Shanghai) Co., Ltd. He works at Nooyun R&D Center in Nanjing as a solution engineer.

<<:  Let government affairs walk in the "cloud" - Huawei's practice of government affairs cloud

>>:  Analyzing the core technology behind 5G: beamforming

Blog    

Recommend

Satellite communication networks will also need to be accelerated in the 5G era

Although it will take several years for 5G to be ...

[Black Friday] spinservers: Dallas/San Jose dedicated servers starting from $59/month, E3-1280v5/32G/1TB NVMe/10Gbps bandwidth

spinservers has launched a promotion during Black...

It’s time to issue 5G private network frequency licenses

The Ministry of Industry and Information Technolo...

Deloitte: 86% of network executives said 5G and Wi-Fi 6 will change the industry within 3 years

Deloitte's "Study of Advanced Wireless A...

Research and Markets: Global 5G system integration market size will reach US$45.5 billion in 2027

On April 20, according to foreign media reports, ...

What is Software Defined Networking (SDN)?

SDN is the abbreviation of software defined netwo...

SIM card swap attacks: an inevitable battle as 5G wave arrives

The infrastructure of mobile phone operators is u...

CloudSilk: Hong Kong Triple Network CMI Line High Bandwidth VPS Annual Payment Starting from 288 Yuan

CloudSilk is the original idc.best. The blog shar...

Education takes off with 5G smart technology

Education is the foundation of a country, and 5G ...

Network security knowledge: Understanding Voice over Internet Protocol (VoIP)

[[442039]] What is Voice over Internet Protocol (...

...

Review of eight hot spots in the optical communication industry in 2021: Highlights frequently emerge under the halo of 5G

In 2021, digitalization has become the focus, and...

A brief talk about link aggregation, have you learned it?

Speaking of airport expressways, people often use...

Friendhosting Summer Promotion: All VPSs are as low as 55% off, and unlimited traffic for 10 data centers for half a year starts from 8 euros

Friendhosting sent a promotional email yesterday ...

Modernizing Configuration Management to Address Network Complexity

The expansion of network infrastructure to multip...