Packet flow on OpenStack
1. Packet flow on Compute
The following steps involve the compute node:
1. The instance 1 tap interface (1) forwards the packet to the Linux bridge qbr. The packet contains destination MAC
address TG because the destination resides on another network.
2. Security group rules (2) on the Linux bridge qbr handle firewalling and state tracking for the packet.
3. The Linux bridge qbr forwards the packet to the Open vSwitch integration bridge br-int.
4. The Open vSwitch integration bridge br-int adds the internal tag for the provider network.
5. The Open vSwitch integration bridge br-int forwards the packet to the Open vSwitch provider bridge br-provider.
6. The Open vSwitch provider bridge br-provider replaces the internal tag with the actual VLAN tag (segmentation ID)
of the provider network.
7. The Open vSwitch provider bridge br-provider forwards the packet to the physical network via the provider network
interface.
2. Physical N/W Infra
The following steps involve the physical network infrastructure:
1. A switch (3) handles any VLAN tag operations between
provider network 1 and the router (4).
2. A router (4) routes the packet from provider network 1 to the
external network.
3. A switch (3) handles any VLAN tag operations between the
router (4) and the external network.
4. A switch (3) forwards the packet to the external network.
3. Abbreviations:
- qvo: veth pair openvswitch side
- qvb: veth pair bridge side
- qbr: bridge
• Tap interface → QBR → BR-INT → OVS tagging → OVS-BR-Provider → physical NIC via the provider network interface.
• BR-INT adds the internal tag for the provider network.
• OVS-BR-Provider replaces the OVS tag with the VLAN tag.
9. Packet walk on the compute node:
• To find the tap interface associated with this VM NIC, the only way that I know is by using the
classic Libvirt virsh command on that particular VM instance.
• From the previous step, we know that the VM instance id is “instance-0000000”
compute01# virsh dumpxml instance-00000003 | egrep "mac|tap"
<mac address='fa:16:3e:3b:53:26'/>
<target dev='tapf7eae624-34'/>
• First, we know that the VM is connected to the host via a TAP interface. This TAP interface is
used to send the outgoing traffic from the VM. So, we need to find which TAP interface is
connected to this VM.
OK, now we know that VM “c-private” is connected via tapf7eae624-34.
According to the compute node network diagram at the beginning of this slide, this TAP interface
should be connected to a Linux bridge first, for firewall policy and/or QoS policy implementation,
before it is actually connected to Open vSwitch.
10. Let’s check the Linux bridge table on the compute node:
The above output shows “tapf7eae624-34” is connected to a Linux bridge named qbrf7eae624-34,
and this qbrf7eae624-34 bridge has another virtual interface named qvbf7eae624-34.
11. Now, we check the Open vSwitch configuration
and check how this tap interface is connected
12. • What can we get from the above output?
• The virtual interface qvof7eae624-34 is connected to the Open vSwitch br-int bridge
and has internal tag=2 assigned by OVS.
• After that, the packet is forwarded to the br-tun bridge via the patch interface.
• This means an untagged packet coming from the VM is received
via qvof7eae624-34 and then sent out to the br-tun bridge with an additional
internal tag.
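The packet walk in slides 9 to 12 can be scripted, which is a quick way to confirm that a VM's tap device really sits behind the qbr bridge where security group rules are enforced. This is an added example, not code from the original slides: the function names are hypothetical, the sample inputs are constructed from the values quoted above, and it assumes the qbr/qvb/qvo names share the tap device's suffix, as they do in the names shown here.

```shell
#!/bin/sh
# Added example: follow one VM NIC from its tap device to its br-int tag.
# Sample inputs are constructed from the values quoted on this page.

# Constructed: the two lines the virsh | egrep step returns.
SAMPLE_XML="<mac address='fa:16:3e:3b:53:26'/>
<target dev='tapf7eae624-34'/>"

# Constructed: an excerpt shaped like `ovs-vsctl show` output.
SAMPLE_OVS='    Bridge br-int
        Port "qvof7eae624-34"
            tag: 2
            Interface "qvof7eae624-34"
        Port patch-tun
            Interface patch-tun
                type: patch'

# Print the tap device named in libvirt domain XML read from stdin.
tap_from_xml() {
    sed -n "s/.*<target dev='\(tap[^']*\)'.*/\1/p" | head -n 1
}

# Derive the qbr/qvb/qvo names that share the tap device's suffix.
hop_names() {
    suffix=${1#tap}
    [ "$suffix" != "$1" ] || return 1   # not a tap device name
    echo "qbr$suffix qvb$suffix qvo$suffix"
}

# Print the tag of port $1 from `ovs-vsctl show` text on stdin.
# Prints nothing if the port is absent or carries no tag.
port_tag() {
    awk -v port="$1" '
        $1 == "Port" { gsub(/"/, "", $2); inport = ($2 == port) }
        inport && $1 == "tag:" { print $2; exit }
    '
}

# Walk the constructed samples end to end and print the hop chain.
trace() {
    tap=$(printf '%s\n' "$SAMPLE_XML" | tap_from_xml)
    set -- $(hop_names "$tap")
    tag=$(printf '%s\n' "$SAMPLE_OVS" | port_tag "$3")
    echo "$tap -> $1 -> $2 -> $3 -> br-int (tag ${tag:-none})"
}

trace
```

On a compute node, pipe the real `virsh dumpxml` and `ovs-vsctl show` output into `tap_from_xml` and `port_tag` instead of the constructed samples.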
13. Useful OVS commands:
• Dump the MAC address table on the compute node OVS: ovs-appctl fdb/show br-tun
• List the OVS ports: ovs-ofctl show br-tun
• Dump the OVS flow table: ovs-ofctl dump-flows br-tun