Chapter 2. Networking In-Depth
2.1. How Basic Networking Works
Networking consists of moving information from one computer to another. At the most basic level, this is performed by running a cable between two machines, each with a network interface card (NIC) installed. If you ever studied the OSI networking model, this is layer 1.
When you want to involve more than two computers in the conversation, you need to scale out this configuration by adding a device called a switch. Switches are dedicated devices with multiple Ethernet ports to which you connect additional machines. This configuration is called a Local Area Network (LAN).
Switches move up the OSI model to layer 2 and apply more intelligence than the lower layer 1. Each NIC has a unique MAC address that is assigned to the hardware, and this number allows machines that are plugged in to the same switch find each other.
The switch maintains a list of which MAC addresses are plugged into which ports, so that when one computer attempts to send data to another computer, the switch knows where each NIC is located and adjusts the circuitry to direct the network traffic to the correct destination.
2.1.1. Connecting multiple LANs
If you use two LANs on two separate switches, you can connect them to share information with each other in the following ways:
- Trunk cable
- You can connect the two switches directly with a physical cable, called a trunk cable. In this configuration, you plug each end of the trunk cable into a port on each switch, and then define these ports as trunk ports. Now the two switches act as one big logical switch, and the connected computers can successfully find each other. This option is not very scalable, and overhead becomes an issue the more switches you link directly.
You can use a device called a router to plug in cables from each switch. As a result, the router is aware of the networks that are configured on both switches. Each switch that you plug into the router becomes an interface and is assigned an IP address, known as the default gateway for that network. The "default" in default gateway means that this is the destination where traffic will be sent if it is clear that the destination computer is not on the same LAN as the source of the data transfer.
After you set this default gateway on each of your computers, they do not need to be aware of all of the other computers on the other networks to send traffic to them. The traffic is just sent to the default gateway and the router handles it from there. Since the router is aware of which networks reside on which interface, it can send the packets on to their intended destinations. Routing works at layer 3 of the OSI model, and utilizes familiar concepts like IP addresses and subnets.
This concept is how the Internet itself works. Many separate networks run by different organizations are all inter-connected using switches and routers. Keep following the correct default gateways and your traffic will eventually get to where it needs to go.
Virtual Local Area Networks (VLANs) allow you to segment network traffic for computers that run on the same switch. You can logically divide your switch by configuring the ports to be members of different networks. This configuration turns the ports into mini-LANs that allow you to separate traffic for security purposes.
For example, if your switch has 24 ports, you can define ports 1-6 to belong to VLAN200, and ports 7-18 belong to VLAN201. Computers that are plugged into VLAN200 are completely separate from computers on VLAN201, and they can no longer communicate directly. All traffic between the two VLANs must now pass through the router as if they were two separate physical switches. You can also enhance the security with firewalls to determine which VLANs can communicate with each other.
Firewalls operate at the same OSI layer as IP routing. They are often located in the same network segments as the routers, where they govern the traffic between all the networks. Firewalls use a predefined set of rules that prescribe which traffic can or cannot enter a network. These rules can be very granular. For example, you can define a rule where servers on VLAN 200 can only communicate with computers on VLAN201, and only on a Thursday afternoon, and only if the traffic is Web (HTTP) and moves in one direction.
To help enforce these rules, some firewalls also perform Stateful Packet Inspection (SPI), where they examine the contents of packets to ensure that they are what they claim to be. Hackers are known to exfiltrate data by sending traffic that masquerades as something else, and SPI is one method that can help mitigate that threat.
Network bridges are switches that operate at the same level 2 of the OSI model, but their only function is to connect separate networks together, similar to routers.
2.2. Networking in OpenStack
All of the basic networking concepts in an OpenStack cloud, except that they are defined by services and configuration. This is known as Software-Defined Networking (SDN). Virtual switches (Open vSwitch) and routers (l3-agent) allow your instances to communicate with each other, and allow them to communicate externally using the physical network. The Open vSwitch bridge allocates virtual ports to instances and spans across to the physical network to allow incoming and outgoing traffic.
2.3. Choosing a Network Backend
Red Hat OpenStack Platform offers two distinctly different networking backends: Nova networking (nova-network) and OpenStack Networking (neutron).
Nova networking was deprecated in the OpenStack technology roadmap, but is still available. OpenStack Networking is considered the core software-defined networking (SDN) component of the OpenStack forward-looking roadmap and it is in active development.
There is no migration path between Nova networking and OpenStack Networking. Therefore, if you plan to deploy Nova networking and migrate to OpenStack Networking in the future, you must manually migrate all networks and configurations. This migration is likely to lead to network outage.
2.3.1. When to choose OpenStack Networking (neutron)
- If you require an overlay network solution. OpenStack Networking supports GRE or VXLAN tunneling for virtual machine traffic isolation. With GRE or VXLAN, no VLAN configuration is required on the network fabric and the only requirement from the physical network is to provide IP connectivity between the nodes. Furthermore, VXLAN or GRE allows a theoretical scale limit of 16 million unique IDs which is much greater than the 4094 limitation of 802.1q VLAN ID. By comparison, Nova networking bases the network segregation on 802.1q VLANs and does not support tunneling with GRE or VXLAN.
- If you require overlapping IP addresses between tenants. OpenStack Networking uses the network namespace capabilities of the Linux kernel, which allows different tenants to use the same subnet range, such as 192.168.100/24, on the same Compute node without any risk of overlap or interference. This is recommended for large multi-tenancy deployments. By comparison, Nova networking supports only flat topologies that must remain mindful of subnets that are used by all tenants.
If you require a Red Hat-certified third-party OpenStack Networking plug-in. By default, Red Hat Enterprise Linux OpenStack Platform 5 and later use the open source ML2 core plug-in with the Open vSwitch (OVS) mechanism driver. Based on the physical network fabric and other network requirements, third-party OpenStack Networking plug-ins can be deployed instead of the default ML2/Open vSwitch driver.Note
Red Hat is constantly working to enhance our Partner Certification Program to certify more OpenStack Networking plugins against Red Hat OpenStack Platform. You can learn more about our Certification Program and the certified OpenStack Networking plug-ins at http://marketplace.redhat.com
- If you require VPN-as-a-service (VPNaaS), Firewall-as-a-service (FWaaS), or Load-Balancing-as-a-service (LBaaS). These network services are only available in OpenStack Networking and are not available in Nova networking. The dashboard allows tenants to manage these services without administrator intervention.
2.3.2. When to choose Nova networking (nova-network)
- If your deployment requires flat (untagged) or VLAN (802.1q tagged) networking. This type of deployment implies scalabilty requirements, since the theoretical scale limit of 4094 VLAN IDs is typically higher than the limit of physical switches, as well as management and provisioning requirements. Specific configuration is necessary on the physical network to trunk the required set of VLANs between the nodes.
- If your deployment does not require overlapping IP addresses between tenants. This is usually recommended only for small, private deployments.
- If you do not need a software-defined networking (SDN) solution, or the ability to interact with the physical network fabric.
- If you do not need self-service VPN, firewall, or load-balancing services.
2.4. Advanced OpenStack Networking Concepts
2.4.1. Layer 3 High Availability
OpenStack Networking hosts virtual routers on a centralized Network node, which is a physical server that is dedicated to the function of hosting the virtual networking components. These virtual routers direct traffic to and from virtual machines, and are vital to the continued connectivity of your environment. Since physical servers might experience outages due to many reasons, your virtual machines might be vulnerable to outages when the Network node becomes unavailable.
OpenStack Networking uses Layer 3 High Availability to help mitigate this vulnerability, implementing the industry standard VRRP to protect virtual routers and floating IP addresses. With Layer 3 High Availability, the virtual routers of the tenant are randomly distributed across multiple physical Network nodes, with one router designated as the active router, and the other routers on standby, ready to take over if the Network node that hosts the active router experiences an outage.
"Layer 3" refers to the section of the OSI model where this feature functions, and means that it can protect routing and IP addressing.
For more information, see the "Layer 3 High Availability" section in the Networking Guide.
2.4.2. Load Balancing-as-a-Service (LBaaS)
Load Balancing-as-a-Service (LBaaS) enables OpenStack Networking to distribute incoming network requests equally between designated instances. This distribution ensures the workload is shared among instances and helps to use system resources more effectively. Incoming requests are distributed using one of the following load balancing methods:
- Round robin
- Rotates requests evenly between multiple instances.
- Source IP
- Requests from a unique source IP address are always directed to the same instance.
- Least connections
- Allocates requests to the instance with the lowest number of active connections.
For more information, see the "Configuring Load Balancing-as-a-Service" section in the Networking Guide.
OpenStack Networking supports IPv6 addresses in tenant networks, so you can dynamically assign IPv6 addresses to virtual machines. OpenStack Networking can also integrate with SLAAC on your physical routers, so that virtual machines can receive IPv6 addresses from your existing DHCP infrastructure.
For more information, see the "IPv6" section in the Networking Guide.