1 .. contents:: Table of Contents
4 =====================================
5 Dual Stack VM support in OpenDaylight
6 =====================================
8 https://git.opendaylight.org/gerrit/#/q/topic:l3vpn-dual-stack-vms
10 In this specification we will introduce a support of basic L3 forwarding for
11 dualstack VMs connectivity over L3 in NetVirt. Dualstack VM is a virtual machine
12 that has at least two IP addresses with different ethertypes: IPv4 address and
15 In addition to this, the specification ensures initial support of dualstack VMs
16 inside L3 BGPVPN. L3 forwarding for dualstack VMs connectivity inside L3 BGPVPN
17 will be provided for the following variations of L3 BGPVPN:
19 A. L3 BGPVPN constructed purely using networks;
20 B. L3 BGPVPN constructed purely using a router;
21 C. L3 BGPVPN constructed using multiple networks and a router.
26 As a dualstack VM, we assume a VM which has one Neutron Port, i.e. one VNIC,
27 that inherits two IPs addresses with different ethertypes: one IPv4 address and
28 one IPv6 address. We also will use in this document a term singlestack VM to
29 describe a VM, which VNIC possesses either IPv4 or IPv6 address, but not both
32 So, dualstack VM has two IP addresses with different ethertypes. This could be
35 1. VM was initially created with one VNIC, i.e. one Neutron Port from network
36 with IPv4 subnet. Second VNIC, corresponded to a Neutron Port from another
37 network with IPv6 subnet, was added to this machine after its creation.
39 2. VM has one Neutron Port from a network, which contains 2 subnets: IPv4 subnet
42 OpenDaylight has already provided a support for the first way, so this use-case
43 is not in the scope of the specification. For the second way the specification
44 doesn't intend to cover a use-case when, Neutron Port will possess several IPv4
45 and several IPv6 addresses. More specifically this specification covers only the
46 use-case, when Neutron Port has only one IPv4 and one IPv6 address.
48 Since there are more and more services that use IPv6 by default, support of
49 dualstack VMs is important. Usage of IPv6 GUA addresses has increased during the
50 last couple years. Administrators want to deploy services, which will be
51 accessible from traditional IPv4 infrastructures and from new IPv6 networks as
54 Dualstack VM should be able to connect to other VMs, be they are of IPv4 (or)
56 So in this document we can handle following use cases:
58 - Intra DC, Inter-Subnet basic L3 Forwarding support for dualstack VMs;
60 - Intra DC, Inter-Subnet L3 Forwarding support for dualstack VMs within L3 BGPVPN.
62 Current L3 BGPVPN allocation scheme picks up only the first IP address of
63 dualstack VM Neutron Port. That means that the L3 BGPVPN allocation scheme will
64 not apply both IPv4 and IPv6 network configurations for a port. For example, if
65 the first allocated IP address is IPv4 address, then L3 BGPVPN allocation scheme
66 will only apply to IPv4 network configuration. The second IPv6 address will be
69 Separate VPN connectivity for singlestack VMs within IPv4 subnetworks and within
70 IPv6 subnetworks is already achieved by using distinct L3 BGPVPN instances. What
71 we want is to support a case, when the same L3 BGPVPN instance will handle both
72 IPV4 and IPv6 VM connectivity.
74 Regarding the problem description above, we would propose to implement in
75 OpenDaylight two following solutions, applying to two setups
77 1. **two-router** setup solution
79 One router belongs to IPv4 subnetwork, another one belongs to IPv6 subnetwork.
80 This setup brings flexibility to manage access to external networks. More
81 specifically, by having two routers, where one is holding IPv4 subnet and
82 another is holding IPv6 subnet, customer can tear-down access to external
83 network for IPv4 subnet ONLY or for IPv6 subnet ONLY by doing a
84 router-gateway-clear on a respective router.
86 Now this kind of orchestration step entail us to put a Single VPN Interface
87 (representing the VNIC of DualStack VM) in two different Internal-VPNs, where
88 each VPN represents one of the routers. To achive this we will use L3 BGPVPN
89 concept. We will extend existing L3 BGPVPN instance implementation to give it an
90 ability to be associated with two routers. As consequence, IPv4 and IPv6
91 subnetworks, added as ports in associated routers and, hence, IPv4 and IPv6 FIB
92 entries, would be gathered in one L3 BGPVPN instance.
94 L3 BGPVPN concept is the easiest solution to federate two routers in a single L3
95 BGPVPN entity. From the orchestration point of view and from the networking
96 point of view, there is no any reason to provide IPv4 L3VPN and IPv6 L3VPN
97 access separately for dualstack VMs. It makes sense to have the same L3 BGPVPN
98 entity that can handle both IPv4 and IPv6 subnetworks.
100 The external network connectivity using L3 BGPVPN is not in scope of this
101 specification. Please, find more details about this in [6]. Right now, this
102 configuration will be useful for inter-subnet and intra-dc routing.
104 2. **dualstack-router** setup solution
106 The router with 2 ports (one port for IPv4 subnet and another one for IPv6
107 subnet) is attached to a L3 BGPVPN instance.
109 The external network connectivity using L3 BGPVPN is not in the scope of this
115 Following drawing could help :
119 +---------------------+
120 | +-----------------+ |
122 | | Subnet C::4/64 | | |
123 | | Subnet a.b.c.1/i| | |
124 | +-----------------+ |OVS|
125 | +-----------------+ | A |
127 | | Subnet C::5/64 | | |
128 | | Subnet a.b.c.2/i| +-+-+
129 | +-----------------+ | | +------+
130 +---------------------+ | | |
131 | +-MPLSoGRE tunnel for IPv4/IPv6-+ |
136 +---------------------+ +-MPLSoGRE tunnel for IPv4/IPV6-+ |
137 | +-----------------+ | | | |
138 | |VM3 | +-+-+ +------+
139 | | Subnet C::6/64 | | |
140 | | Subnet a.b.c.3/i| | |
141 | +-----------------+ |OVS|
142 | +-----------------+ | B |
144 | | Subnet C::7/64 | | |
145 | | Subnet a.b.c.4/i| +---+
146 | +-----------------+ |
147 +---------------------+
149 We identify there 2 subnets:
150 - IPv4 subnet: a.b.c.x/i
151 - IPv6 subnet: C::x/64
153 Each VM will receive IPs from these two defined subnets.
155 Following schemes stand for conceptual representation of used neutron
156 configurations for each proposed solution.
160 setup 1: two singlestack routers, associated with one BGPVPN
161 ("two-router" solution)
166 +-----+ +---------------+ | Subnet C IPv4 |
167 | VM1 |-----| Network N | +---------------+
169 | +---------------+ +---------------+
170 | | Subnet A IPv4 |----| Router 1 |-----+
171 | +---------------+ +---------------+ |
172 | | Subnet B IPv6 | | | +--------+
173 | +---------------+ +---------------+ | | |
174 | | | Subnet E IPv4 | |---+ BGPVPN |
175 | | +---------------+ | | |
176 | | | Network N2 | | +--------+
177 | | +---------------+ |
178 | +---------------+ |
179 | | Router 2 |--------------------------+
180 +-----+ | +---------------+
182 +-----+ +---------------+
188 Network N gathers 2 subnetworks, subnet A IPv4 and subnet B IPv6. This makes
189 possible to create Neutron Ports, which will have 2 IP addresses and whose
190 attributes will inherit information (extraroutes, etc) from these 2 subnets A
193 Router1 and Router2 are connected to Subnet A and Subnet B respectively and will
194 be attached to a same L3 BGPVPN instance. Routers 1 and 2 can also have other
195 ports, but they always should stay singlestack routers, otherwise this
196 configuration will not be still supported. See the chapter "Configuration
197 impact" for more details.
201 setup 2: one dualstack router associated with one BGPVPN
202 ("dualstack-router" solution)
204 +-----+ +---------------+
205 | VM1 |-----| Network N |
207 | +---------------+ +----------+ +--------+
208 | | Subnet A IPv4 |---------| | | |
209 | +---------------+ | Router 1 |---+ BGPVPN |
210 | | Subnet B IPv6 |---------| | | |
211 | +---------------+ +----------+ +--------+
216 Network N gathers 2 subnetworks, subnet A IPv4 and subnet B IPv6. This makes
217 possible to create Neutron Ports, which will have 2 IP addresses and whose
218 attributes will inherit information (extraroutes, etc) from these 2 subnets A
221 Router 1 is connected to Subnet A and Subnet B, and it will be attached to a L3
222 BGPVPN instance X. Other subnets can be added to Router 1, but this
223 configurations will not be still supported. See the chapter "Configuration
224 impact" for more details.
228 setup 3: networks associated with one BGPVPN
230 +-----+ +------------------+ +--------+
231 | VM1 |-----| Network N1 |------| BGPVPN |
233 | +------------------+ +--------+
234 | | Subnet A IPv4 (1)| |
235 +-----+ | +------------------+ |
236 | VM2 |--+ | Subnet B IPv6 (2)| |
237 +-----+ +------------------+ |
240 +-----+ +------------------+ |
241 | VM3 |-----+ Network N2 |----------+
249 Network N1 gathers 2 subnets, subnet A with IPv4 ethertype and subnet B with
250 IPv6 ethertype. When Neutron Port was created in the network N1, it has 1 IPv4
251 address and 1 IPv6 address. If user lately will add others subnets to the
252 Network N1 and will create the second Neutron Port, anyway the second VPN port,
253 constructed for a new Neutron Port will keep only IP addresses from subnets (1)
254 and (2). So valid network configuration in this case is a network with only 2
255 subnets: IPv4 and IPv6. See the chapter "Configuration impact" for more details.
256 Second dualstack network N2 can be added to the same L3 BGPVPN instance.
258 It is valid for all schemes: in dependency of chosen ODL configuration, either
259 ODL, or Neutron Dhcp Agent will provide IPv4 addresses for launched VMs. Please
260 note, that currently DHCPv6 is supported only by Neutron Dhcp Agent. ODL
261 provides only SLAAC GUA IPv6 address allocation for VMs launched in IPv6 private
262 subnets attached to a Neutron router.
264 It is to be noted that today, setup 3 can not be executed for VPNv6 with the above
265 allocation scheme previously illustrated. Indeed, only a neutron router is able to
266 send router advertisements, which is the corner stone for DHCPv6 allocation. Either
267 IPv6 fixed IPs will have to be used for this setup, or an extra enhancement for providing
268 router advertisements for such a configuration will have to be done. The setup 3 will be
274 Currently, from Openstack-based Opendaylight Bgpvpn driver point-of-view, there
275 is a check, where it does not allow more than one router to be associated to a
276 single L3 BGPVPN. This was done in Openstack, because actually entire ODL
277 modeling and enforcement supported only one router per L3 BGPVPN by design.
279 From Netvirt point of view, there are some limitations as well:
281 - We can not associate VPN port with both IPv4 and IPv6 Neutron Port addresses
282 at the same time. Currently, any first Neutron Port IP address is using to
283 create a VPN interface. If a Neutron Port possesses multiple IP Addresses,
284 regardless of ethertype, this port might not work properly with ODL.
286 - It is not possible to associate a single L3 BGPVPN instance with two different
292 There is no change in the use cases described in [6] and [7], except that the
293 single L3 BGPVPN instance serves both IPv4 and IPv6 subnets.
298 1. **two-router** solution
300 IPv4 subnet Subnet A is added as a port in Router 1, IPv6 subnet Subnet B is
301 added as a port in Router 2. The same L3 BGPVPN instance will be associated with
302 both Router 1 and Router 2.
304 The L3 BGPVPN instance will distinguish ethertype of router ports and will
305 create appropriate FIB entries associated to its own VPN entry, so IPv4 and IPv6
306 enries will be gathered in the same L3 BGPVPN.
308 2. **dualstack-router** solution
310 IPv4 subnet Subnet A is added as a port in Router 1, IPv6 subnet Subnet B is
311 added as a port in Router 1 as well. L3 BGPVPN instance will be associated with
314 The L3 BGPVPN instance will distinguish ethertype of routers ports and will
315 create appropriate FIB entries associated to its own VPN entry as well.
316 Appropriate BGP VRF context for IPv4 or IPv6 subnets will be also created.
318 External Internet Connectivity
319 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
321 External Internet Connectivity is not in the scope of this specification.
326 All changes we can split in two main parts.
329 1. Distinguish IPv4 and IPv6 VRF tables with the same RD/iRT/eRT
331 1.1 Changes in neutronvpn
333 To support a pair of IPv4 and IPv6 prefixes for each launched dualstack VM we
334 need to obtain information about subnets, where dualstack VM was spawned and
335 information about extraroutes, enabled for these subnets. Obtained information
336 will be stored in vmAdj and erAdjList objects respectively. These objects are
337 attributes of created for new dualstack VM VPN interface. Created VPN port
338 instance will be stored as part of already existed L3 BGPVPN node instance in
341 When we update L3 BGPVPN instance node (associate/dissociated router or
342 network), we need to provide information about ethertype of new
343 attached/detached subnets, hence, Neutron Ports. New argument flags **ipv4On**
344 and **ipv6On** will be introduced for that in **NeutronvpnManager** function
345 API, called to update current L3 BGPVPN instance (*updateVpnInstanceNode()*
346 method). *UpdateVpnInstanceNode()* method is also called, when we create a new
347 L3 BGPVPN instance. So, to provide appropriate values for **ipv4On**, **ipv6On**
348 flags we need to parse subnets list. Then in dependency of these flags values we
349 will set either **Ipv4Family** attribute for the new L3 BGPVPN instance or
350 **Ipv6Family** attribute, or both attributes. **Ipv4Family**, **Ipv6Family**
351 attributes allow to create ipv4 or/and ipv6 VRF context for underlayed
352 vpnmanager and bgpmanager APIs.
354 1.2. Changes in vpnmanager
356 When L3 BGPVPN instance is created or updated, VRF tables must be created for
357 QBGP as well. What we want, is to introduce separate VRF tables, created
358 according to **IPv4Family/IPv6Family** VPN attributes, i.e. we want to
359 distinguish IPv4 and IPv6 VRF tables, because this will bring flexibility in
360 QBGP. For example, if QBGP receives an entry IPv6 MPLSVPN on a router, which is
361 expecting to receive only IPv4 entries, this entry will be ignored. The same for
362 IPv4 MPLSVPN entries respectively.
364 So, for creating **VrfEntry** objects, we need to provide information about L3
365 BGPVPN instance ethertype (**Ipv4Family/Ipv6Family** attribute), route
366 distinguishers list, route imports list and route exports lists
367 (**RD/iRT/eRT**). **RD/iRT/eRT** lists will be simply obtained from subnetworks,
368 attached to the chosen L3 BGPVPN. Presence of **IPv4Family**, **IPv6Family** in
369 VPN will be translated in following VpnInstanceListener class attributes:
370 **afiIpv4**, **afiIpv6**, **safiMplsVpn**, **safiEvpn**, which will be passed to
371 *addVrf()* and *deleteVrf()* bgpmanager methods for creating/deleting either
372 **IPv4 VrfEntry** or **IPv6 VrfEntry** objects.
374 **RD/iRT/eRT** lists will be the same for both **IPv4 VrfEntry** and **IPv6
375 VrfEntry** in case, when IPv4 and IPv6 subnetworks are attached to the same L3
378 1.3 Changes in bgpmanager
380 In bgpmanager we need to change signatures of *addVrf()* and *deleteVrf()*
381 methods, which will trigger signature changes of underlying API methods
382 *addVrf()* and *delVrf()* from *BgpConfigurationManager* class.
384 This allows *BgpConfigurationManager* class to create needed IPv4 VrfEntry and
385 IPv6 VrfEntry objects with appropriate **AFI** and **SAFI** values and finally
386 pass this appropriate **AFI** and **SAFI** values to *BgpRouter*.
388 *BgpRouter* represents client interface for thrift API and will create needed
389 IPv4 and IPv6 VRF tables in QBGP.
391 1.4 Changes in yang model
393 To support new attributes **AFI** and **SAFI** in bgpmanager classes, it should
394 be added in ebgp.yang model:
398 list address-families {
410 1.5 Changes in QBGP thrift interface
412 To support separate IPv4 and IPv6 VRF tables in QBGP we need to change
413 signatures of underlying methods *addvrf()* and *delvrf()* in thrift API as
414 well. They must include the address family and subsequent address families
424 i32 addVrf(1:layer_type l_type, 2:string rd, 3:list<string> irts, 4:list<string> erts,
425 5:af_afi afi, 6:af_safi afi),
426 i32 delVrf(1:string rd, 2:af_afi afi, 3:af_safi safi)
429 2. Support of two routers, attached to the same L3 BGPVPN
431 2.1 Changes in neutronvpn
433 **two-router** solution assumes, that all methods, which are using to create,
434 update, delete VPN interface or/and VPN instance must be adapted to a case, when
435 we have a list of subnetworks and/or list of router IDs to attach. Due to this,
436 appropriate changes need to be done in nvpnManager method APIs.
438 To support **two-router** solution properly, we also should check, that we do
439 not try to associate to L2 BGPVPN a router, that was already associated to that
440 VPN instance. Attached to L3 BGPVPN router list must contain maximum 2 router
441 IDs. Routers, which IDs are in the list must be only singlestack routers. More
442 information about supported router configurations is available below in chapter
443 "Configuration Impact".
445 For each created in dualstack network Neutron Port we take only the last
446 received IPv4 address and the last received IPv6 address. So we also limit a
447 length of subnets list, which could be attached to a L3 BGPVPN instance, to two
448 elements. (More detailed information about supported network configurations is
449 available below in chapter "Configuration Impact".) Two corresponding
450 **Subnetmap** objects will be created in *NeutronPortChangeListener* class for
451 attached subnets. A list with created subnetmaps will be passed as argument,
452 when *createVpnInterface* method will be called.
454 2.2 Changes in vpnmanager
456 *VpnMap* structure must be changed to support a list with router IDs. This
457 change triggers modifications in all methods, which retry router ID from
460 *VpnInterfaceManager* structure must be also changed, to support a list of VPN
461 instance name. So all methods, which gives VPN router ID from *VpnInterfaceManager*
462 should be modified as well.
464 As consequence, in operDS, a *VpnInterfaceOpDataEntry* structure is created, inherited
465 from *VpnInterface* in configDS. While the latter structure has a list of VPN instance
466 name, the former will be instantiated in operDS as many times as there are VPN instances.
467 The services that were handling *VPNInterface* in operDS, will be changed to handle
468 *VPNInterfaceOpDataEntry*. That structure will be indexed by InterfaceName and by VPNName.
469 The services include natservice, fibmanager, vpnmanager, cloud service chain.
471 Also, an augment structure will be done for *VPNInterfaceOpDataEntry* to contain the list
472 of operational adjacencies. As for *VpnInterfaceOpDataEntry*, the new *AdjacenciesOp*
473 structure will replace Adjacencies that are in operDS. Similarly, the services will be
476 Also, *VPNInterfaceOpDataEntry* will contain a *VPNInterfaceState* that stands for the
477 state of the VPN Interface. Code change will be done to reflect the state of the interface.
478 For instance, if VPNInstance is not ready, associated VPNInterfaceOpDataEntries will have
479 the state changed to INACTIVE. Reversely, the state will be changed to ACTIVE.
481 2.3 Changes in yang model
483 To provide change in *VpnMap* and in *VpnInterfaceManager* structures, described
484 above, we need to modify following yang files.
486 2.3.1 neutronvpn.yang
488 - Currently, container *vpnMap* holds one router-id for each L3 BGPVPN instance ID. A
489 change consists in replacing one router-id leaf by a leaf-list of router-ids.
490 Obviously, no more than two router-ids will be used.
492 - Container *vpnMaps* is used internally for describing a L3 BGPVPN. Change router-id
493 leaf by router-ids leaf-list in this container is also necessary.
497 --- a/vpnservice/neutronvpn/neutronvpn-api/src/main/yang/neutronvpn.yang
498 +++ b/vpnservice/neutronvpn/neutronvpn-api/src/main/yang/neutronvpn.yang
503 namespace "urn:opendaylight:netvirt:neutronvpn";
504 @@ -120,7 +119,7 @@ module neutronvpn {
505 Format is ASN:nn or IP-address:nn.";
509 + leaf-list router-ids {
511 description "UUID router list";
513 @@ -173,7 +172,7 @@ module neutronvpn {
514 description "The UUID of the tenant that will own the subnet.";
518 + leaf-list router_ids {
520 description "UUID router list";
525 - Currently, list vpn-interface holds a leaf vpn-instance-name, which is a
526 container for VPN router ID. A change consists in replacing leaf
527 vpn-instance-name by a leaf-list of VPN router IDs, because L3 BGPVPN instance can
528 be associated with two routers.
529 Obviously, no more than two VPN router-IDs will be stored in leaf-list
534 --- a/vpnservice/vpnmanager/vpnmanager-api/src/main/yang/l3vpn.yang
535 +++ b/vpnservice/vpnmanager/vpnmanager-api/src/main/yang/l3vpn.yang
536 @@ -795,21 +795,21 @@
540 max-elements "unbounded";
544 path "/if:interfaces/if:interface/if:name";
547 - leaf vpn-instance-name {
548 + leaf-list vpn-instance-name {
556 leaf scheduled-for-remove {
564 augment "/odl-l3vpn:vpn-interface-op-data/odl-l3vpn:vpn-interface-op-data-entry" {
565 ext:augment-identifier "adjacencies-op";
569 container vpn-interface-op-data {
571 list vpn-interface-op-data-entry {
572 key "name vpn-instance-name";
575 path "/if:interfaces/if:interface/if:name";
578 leaf vpn-instance-name {
583 max-elements "unbounded";
588 leaf scheduled-for-remove {
591 leaf router-interface {
594 leaf vpn-interface-state {
596 "This flag indicates the state of this interface in the VPN identified by vpn-name.
597 ACTIVE state indicates that this vpn-interface is currently associated to vpn-name
598 available as one of the keys.
599 INACTIVE state indicates that this vpn-interface has already been dis-associated
600 from vpn-name available as one of the keys.";
622 There is no change in the pipeline, regarding the changes already done in [6]
625 Traffic from DC-Gateway to Local DPN (SYMMETRIC IRB)
626 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
628 The DC-GW has the information, that permits to detect an underlay destination IP
629 and MPLS label for a packet coming from the Internet or from anotherr DC-GW.
632 | Classifier Table (0) =>
633 | LFIB Table (20) ``match: tun-id=mpls_label set vpn-id=l3vpn-id, pop_mpls label, set output to nexthopgroup-dst-vm`` =>
634 | NextHopGroup-dst-vm: ``set-eth-dst dst-mac-vm, reg6=dst-vm-lport-tag`` =>
635 | Lport Egress Table (220) ``Output to dst vm port``
638 Traffic from Local DPN to DC-Gateway (SYMMETRIC IRB)
639 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
641 | Classifier Table (0) =>
642 | Lport Dispatcher Table (17) ``match: LportTag l3vpn service: set vpn-id=l3vpn-id`` =>
643 | DMAC Service Filter (19) ``match: dst-mac=router-internal-interface-mac l3vpn service: set vpn-id=l3vpn-id`` =>
644 | L3 FIB Table (21) ``match: vpn-id=l3vpn-id, nw-dst=ext-ipv4-address set tun-id=mpls_label output to MPLSoGRE tunnel port`` =>
645 | L3 FIB Table (21) ``match: vpn-id=l3vpn-id, nw-dst=ext-ipv6-address set tun-id=mpls_label output to MPLSoGRE tunnel port`` =>
647 Please, note that ``router-internal-interface-mac`` stands for MAC address of
648 the internal subnet gateway router port.
653 1. Limitations for router configurations
655 1.1 Maximum number of singlestack routers that can be associated to a
656 L3BGPVPN is limited to 2. Maximum number of dualstack routers that can be
657 associated with a BGPVPN is limited to 1.
659 1.2 If a L3 BGPVPN has already associated with a one singlestack router and we
660 try to associate this VPN instance again with a dualstack router, exception will
661 not be raised. But this configuration will not be valid.
663 1.3 If a singlestack router is already associated to a L3 BGPVPN instance, and
664 it has more than one port and we try to add a port to this router with another
665 ethertype, i.e. we try to make this router dualstack, exception will not be
666 raised. But this configuration will not be valid and supported.
668 1.4 When a different ethertype port is added to a singlestack router, which already
669 has only one port and which is already associated to a L3 BGPVPN instance,
670 singlestack router in this case becomes dualstack router with only two ports.
671 This router configuration is allowed by current specification.
673 2. Limitations for subnetworks configurations
675 2.1 Maximum numbers of different ethertype subnetworks associated to a one L3
676 BGPVPN instance is limited to two. If a network contains more than two different
677 ethertype subnetworks, exception won't be raised, but this configuration isn't
680 2.2 When we associate a network with a L3 BGPVPN instance, we do not care if
681 subnetworks from this network are ports in some routers and these routers were
682 associated with other VPNs. This configuration is not considered as supported as
685 3. Limitations for number of IP addresses for a Neutron Port
687 The specification only targets dual-stack networks, that is to say with 1 IPv4 address and
688 one IPv6 address only.
689 For other cases, that is to say, adding subnetworks IPv4 or IPv6, will lead to undefined or
690 untested use cases. The multiple subnets test case would be handled in a future spec.
695 ECMP - Equal Cost multiple path.
697 ECMP feature is currently provided for Neutron BGPVPN networks and described in
698 the specification [10]. 3 cases have been cornered to use ECMP feature for
701 - ECMP of traffic from DC-GW to OVS (inter-DC case)
702 - ECMP of traffic from OVS to DC-GW (inter-DC case)
703 - ECMP of traffic from OVS to OVS (intra-DC case)
705 In each case, traffic begins either at DC-GW or OVS node. Then it is sprayed to
706 end either at OVS node or DC-GW.
708 ECMP feature for Neutron BGPVPN networks was successfully (OK) tested with IPv4
709 L3 BGPVPN and IPv6 L3 BGPVPN (OK). the dual stack VM connectivity should embrace
712 We've included this chapter to remind, that code changes for supporting
713 dualstack VMs should be tested against ECMP scenario as well.
715 Clustering considerations
716 =========================
719 Other Infra considerations
720 ==========================
723 Security considerations
724 =======================
727 Scale and Performance Impact
728 ============================
742 Assume, that in the same provider network we have OpenStack installed with 1
743 controller and 2 compute nodes, DC-GW node and OpenDaylight node.
745 * create private tenant networks and subnetworks
748 - declare Subnet A IPv4 for Network N;
749 - declare Subnet B IPv6 for Network N;
750 - create two ports in Network N;
751 - each port will inherit a dual IP configuration.
755 - **two-router** solution
756 + create two routers A and B, each router will be respectively connected to IPv4 and IPv6 subnets;
757 + add subnet A as a port to router A;
758 + add subnet B as a port to router B.
760 - **dualstack-router** solution
762 + add subnet A as a port to router A;
763 + add subnet B as a port to router A.
765 * Create MPLSoGRE tunnel between DPN and DCGW
769 POST /restconf/operations/itm-rpc:add-external-tunnel-endpoint
772 "itm-rpc:destination-ip": "dcgw_ip",
773 "itm-rpc:tunnel-type": "odl-interface:tunnel-type-mpls-over-gre"
777 * create the DC-GW VPN settings
779 - Create a L3 BGPVPN context. This context will have the same settings as in
780 [7].In dualstack case both IPv4 and IPv6 prefixes will be injected in the same
783 * create the ODL L3 BGPVPN settings
785 - Create a BGP context. This step permits to start QBGP module depicted in [8]
786 and [9]. ODL has an API, that permits interfacing with that external software.
787 The BGP creation context handles the following:
789 + start of BGP protocol;
790 + declaration of remote BGP neighbor with the AFI/SAFI affinities. In our
791 case, VPNv4 and VPNv6 address families will be used.
793 - Create a L3 BGPVPN, this L3 BGPVPN will have a name and will contain VRF
796 * associate created L3 BGPVPN to router
798 + **two-router** solution: associate routers A and B with a created L3 BGPVPN;
799 + **dualstack-router** solution: associate router A with a created L3 BGPVPN.
801 * Spawn a VM in a created tenant network:
803 The VM will possess IPv4 and IPv6 addresses from subnets A and B.
805 * Observation: dump ODL BGP FIB entries
807 At ODL node, we can dump ODL BGP FIB entries and we should see entries for
808 both IPv4 and IPv6 subnets prefixes:
812 GET /restconf/config/odl-fib:fibEntries
817 "routeDistinguisher": <rd-uuid>
820 "routeDistinguisher": <rd>,
823 "destPrefix": <IPv6_VM1/128>,
825 "nextHopAddressList": [
839 odl-netvirt-openstack
847 A new option ``--afi`` and ``--safi`` will be added to command ``odl:bgp-vrf``:
851 odl:bgp-vrf --rd <> --import-rt <> --export-rt <> --afi <1|2> --safi <value> add|del
860 Philippe Guibert <philippe.guibert@6wind.com>
863 - Valentina Krasnobaeva <valentina.krasnobaeva@6wind.com>
864 - Noel de Prandieres <prandieres@6wind.com>
878 Quagga from 6WIND is available at the following urls:
880 * https://github.com/6WIND/quagga
881 * https://github.com/6WIND/zrpcd
888 Some L3 BGPVPN testing may have be done.
889 Complementary specification for other tests will be done.
898 Basically, IPv4 and IPv6 vpnservice functionality have to be validated by
899 regression tests with a single BGPVRF.
901 CSIT specific testing will be done to check dualstack VMs connectivity with
902 network configurations for **two-router** and **dualstack-router** solutions.
904 **Two-router** solution test suite:
906 1. Create 2 Neutron Networks NET_1_2RT and NET_2_2RT.
908 1.1 Query ODL restconf API to check that both Neutron Network objects were
909 successfully created in ODL.
911 1.2 Update NET_1_2RT with a new description attribute.
913 2. In each Neutron Network create one Subnet IPv4 and one Subnet IPv6:
914 SUBNET_V4_1_2RT, SUBNET_V6_1_2RT, SUBNET_V4_2_2RT, SUBNET_V6_2_2RT,
917 2.1 Query ODL restconf API to check that all Subnetwork objects were
918 successfully created in ODL.
920 2.2 Update SUBNET_V4_2RT, SUBNET_V6_2RT with a new description attribute.
922 3. Create 2 Routers: ROUTER_1 and ROUTER_2.
924 3.1 Query ODL restconf API to check that all Router objects were successfully
927 4. Add SUBNET_V4_1_2RT, SUBNET_V4_2_2RT to ROUTER_1 and SUBNET_V6_1_2RT,
928 SUBNET_V6_2_2RT to ROUTER_2.
930 5. Create 2 security-groups: SG6_2RT and SG4_2RT. Add appropriate rules to allow
931 IPv6 and IPv4 traffic from/to created subnets, respectively.
933 6. In network NET_1_2RT create Neutron Ports: PORT_11_2RT, PORT_12_2RT, attached
934 with security groups SG6_2RT and SG4_2RT; in network NET_2_2RT: PORT_21_2RT,
935 PORT_22_2RT, attached with security groups SG6_2RT and SG4_2RT.
937 6.1 Query ODL restconf API to check, that all Neutron Port objects were
938 successfully created in ODL.
940 6.2 Update Name attribute of PORT_11_2RT.
942 7. Use each created Neutron Port to launch a VM with it, so we should have 4 VM
943 instances: VM_11_2RT, VM_12_2RT, VM_21_2RT, VM_22_2RT.
945 7.1 Connect to NET_1_2RT and NET_2_2RT dhcp-namespaces, check that subnet
946 routes were successfully propagated.
948 7.2 Check that all VMs have: one IPv4 address and one IPv6 addresses.
950 8. Check IPv4 and IPv6 VMs connectivity within NET_1_2RT and NET_2_2RT.
952 9. Check IPv4 and IPv6 VMs connectivity across NET_1_2RT and NET_2_2RT with
953 ROUTER_1 and ROUTER_2.
955 9.1 Check that FIB entries were created for spawned Neutron Ports.
957 9.2 Check that all needed tables (19, 17, 81, 21) are presented in OVS
958 pipelines and VMs IPs, gateways MAC and IP addresses are taken in account.
960 10. Connect to VM_11_2RT and VM_21_2RT and add extraroutes to other IPv4 and
963 10.1 Check other IPv4 and IPv6 subnets reachability from VM_11_2RT and
966 11. Delete created extraroutes.
968 12. Delete and recreate extraroutes and check its reachability again.
970 13. Create L3VPN and check with ODL REST API, that it was successfully created.
972 14. Associate ROUTER_1 and ROUTER_2 with created L3VPN and check the presence of
973 router IDs in VPN instance with ODL REST API.
975 15. Check IPv4 and IPv6 connectivity accross NET_1_2RT and NET_2_2RT with
976 associated to L3VPN routers.
978 15.1 Check with ODL REST API, that VMs IP addresses are presented in VPN
981 15.2 Verify OVS pipelines at compute nodes.
983 15.3 Check the presence of VMs IP addresses in vrfTables objects with
986 16. Dissociate L3VPN from ROUTER_1 and ROUTER_2.
988 17. Delete ROUTER_1 and ROUTER_2 and its interfaces from L3VPN.
990 18. Try to delete router with NonExistentRouter name.
992 19. Associate L3VPN to NET_1_2RT.
994 20. Dissociate L3VPN from NET_1_2RT.
998 22. Create multiple L3VPN.
1000 23. Delete multiple L3VPN.
1002 Documentation Impact
1003 ====================
1005 Necessary documentation would be added if needed.
1010 [1] `OpenDaylight Documentation Guide <http://docs.opendaylight.org/en/latest/documentation.html>`__
1012 [2] https://specs.openstack.org/openstack/nova-specs/specs/kilo/template.html
1014 [3] http://docs.openstack.org/developer/networking-bgpvpn/overview.html
1016 [4] `Spec to support IPv6 North-South support for Flat/VLAN Provider Network.
1017 <https://git.opendaylight.org/gerrit/#/q/topic:ipv6-cvr-north-south>`_
1019 [5] `BGP-MPLS IP Virtual Private Network (VPN) Extension for IPv6 VPN
1020 <https://tools.ietf.org/html/rfc4659>`_
1022 [6] `Spec to support IPv6 DC to Internet L3VPN connectivity using BGPVPN
1023 <https://git.opendaylight.org/gerrit/#/c/54050/>`_
1025 [7] `Spec to support IPv6 Inter DC L3VPN connectivity using BGPVPN
1026 <https://git.opendaylight.org/gerrit/#/c/50359/>`_
1028 [8] `Zebra Remote Procedure Call
1029 <https://github.com/6WIND/zrpcd/>`_
1031 [9] `Quagga BGP protocol
1032 <https://github.com/6WIND/zrpcd/>`_