What’s new in Neutron for Havana
Neutron developers at Cisco Systems, Boxborough office

Brian Bowen, Henry Gessau, Dane LeBlanc,
Paul Michali, Abishek Subramanian, et al.
Agenda

• Modular Layer 2 plugin (ML2)
• ML2 demo with Cisco Nexus driver
• FireWall as a Service (FWaaS)
• FWaaS demo
• VPN as a Service (VPNaaS)
• VPNaaS demo
• Cisco plugin with N1000V
• Demo of Dashboard to control N1000V
Modular Layer 2 in OpenStack Neutron
Robert Kukura, Red Hat
Kyle Mestery, Cisco
Motivations For a Modular Layer 2 Plugin
Before Modular Layer 2 ...
[diagram: the Neutron Server is bound to exactly one monolithic plugin: Open vSwitch Plugin OR Linuxbridge Plugin OR ...]
Before Modular Layer 2 ...
[diagram: the Neutron Server runs the Cisco Plugin, which contains an Open vSwitch Sub-Plugin (talking to the Open vSwitch agent on the Compute node) and a Nexus Sub-Plugin (talking to the Cisco Nexus switch)]
ML2 Architecture Diagram
[diagram: Neutron Server -> API Extensions -> ML2 Plugin. The ML2 Plugin holds a Mechanism Manager (drivers: Tail-F NCS, Open vSwitch, Linuxbridge, L2 Population, Hyper-V, Cisco Nexus, Arista) and a Type Manager (VXLAN TypeDriver, VLAN TypeDriver, GRE TypeDriver)]
TypeDrivers in Havana
The following are supported segmentation
types in ML2 for the Havana release:
● local
● flat
● VLAN
● GRE
● VXLAN
MechanismDrivers in Havana
The following ML2 MechanismDrivers exist in Havana:
● Arista
● Cisco Nexus
● Hyper-V
● L2 Population
● Linuxbridge
● Open vSwitch
● Tail-f NCS
ML2 Futures: Deprecation Items

• The future of the Open vSwitch and Linuxbridge plugins
  o These are planned for deprecation in Icehouse
  o ML2 supports all their functionality
  o ML2 works with the existing OVS and Linuxbridge agents
ML2 With Current Agents
● ML2 Plugin works with existing agents
● Separate agents for Linuxbridge and Open vSwitch
● Can also use physical switches from different vendors
[diagram: Neutron Server (ML2 Plugin) connected over the API Network to Host A (Linuxbridge Agent), Host B (Linuxbridge Agent), Host C (Open vSwitch Agent) and Host D (Open vSwitch Agent)]
ML2 demo, showing ...
● ML2 running with multiple MechanismDrivers
  ○ openvswitch
  ○ cisco_nexus
● Booting multiple VMs on multiple compute hosts
● Configuration of VLANs across both virtual and physical infrastructure
Cisco Nexus ML2 Mechanism Driver Demonstration
Cisco Nexus ML2 Mechanism Driver
• Manages VLAN creation/removal on Cisco Nexus 3K/5K/7K switches as instances are launched, migrated, or terminated
• Works with Open vSwitch (OVS) mechanism driver
  o OVS: virtual switching
  o Cisco Nexus: physical switching
• Ported from original Cisco Nexus OpenStack Plugin
• Available in Havana release
Topology
[diagram: Controller / Network Node, Compute Host 1 (VM 1, VM 2) and Compute Host 2 (VM 3, VM 4) share a Management Network (VLAN 810, mgmt); the hosts connect to a Nexus 3K on ports eth1/1, eth1/2 and eth1/3 over the Data Network (VLAN 812); the Nexus 3K also reaches the External Network]
DevStack Configuration
Add to localrc File:
Q_PLUGIN=ml2
Q_ML2_PLUGIN_MECHANISM_DRIVERS=openvswitch,cisco_nexus
Q_ML2_PLUGIN_TYPE_DRIVERS=vlan
Q_PLUGIN_EXTRA_CONF_PATH=(/home/leblancd/devstack)
Q_PLUGIN_EXTRA_CONF_FILES=(ml2_conf_cisco.ini)
ML2_VLAN_RANGES=physnet1:810:819
ENABLE_TENANT_VLANS=True
PHYSICAL_NETWORK=physnet1
OVS_PHYSICAL_BRIDGE=br-eth1
Cisco Mechanism Driver Config

• Create a file, e.g. “ml2_conf_cisco.ini”:
  [ml2_mech_cisco_nexus:10.86.1.118]
  ComputeHost-1=1/2
  ComputeHost-2=1/3
  ssh_port=22
  username=admin
  password=MyPassword
• File name and path are arbitrary, but these configs in localrc must point to it:
  o Q_PLUGIN_EXTRA_CONF_PATH
  o Q_PLUGIN_EXTRA_CONF_FILES
• Template in Neutron branch:
  o
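The two config fragments above (ML2_VLAN_RANGES in localrc and the per-switch section of ml2_conf_cisco.ini) are the whole input the demo needs, because ML2 splits the work: the VLAN TypeDriver allocates a segmentation id from the physnet pool, and each MechanismDriver is told that id; the Nexus driver then only has to know which switch port a compute host hangs off. The model below is an added example, not Neutron's or Cisco's driver code. It assumes the physnet:min:max syntax of ML2_VLAN_RANGES and the ini layout shown on the slide (switch IP in the section name, host=port entries, SSH settings); the sample values are the slide's own demo values, and where the real driver pushes the trunk change to the switch over SSH this model only records the intended state.

```python
# Added example, not Neutron/Cisco code. Assumed: ML2_VLAN_RANGES syntax and the
# ml2_conf_cisco.ini layout from the slides; no switch is actually programmed.
import configparser
from typing import Dict, List, Tuple

SAMPLE_CISCO_INI = """\
[ml2_mech_cisco_nexus:10.86.1.118]
ComputeHost-1=1/2
ComputeHost-2=1/3
ssh_port=22
username=admin
password=MyPassword
"""


def parse_vlan_ranges(spec: str) -> Dict[str, List[int]]:
    """'physnet1:810:819[,physnet2:900:910]' -> {physnet: [free VLAN ids]}."""
    pools: Dict[str, List[int]] = {}
    for entry in spec.split(","):
        physnet, lo, hi = entry.strip().split(":")
        lo_i, hi_i = int(lo), int(hi)
        if not 1 <= lo_i <= hi_i <= 4094:
            raise ValueError(f"bad VLAN range {entry!r}")
        pools.setdefault(physnet, []).extend(range(lo_i, hi_i + 1))
    return pools


class VlanTypeDriver:
    """Hands out one VLAN id per network from the physnet's pool."""

    def __init__(self, spec: str) -> None:
        self.free = parse_vlan_ranges(spec)
        self.allocated: Dict[str, Tuple[str, int]] = {}  # network -> (physnet, vlan)

    def allocate(self, network: str, physnet: str) -> int:
        if physnet not in self.free:
            raise KeyError(f"unknown physical network {physnet}")
        if not self.free[physnet]:
            raise RuntimeError(f"VLAN pool exhausted for {physnet}")
        vlan = self.free[physnet].pop(0)
        self.allocated[network] = (physnet, vlan)
        return vlan

    def release(self, network: str) -> None:
        physnet, vlan = self.allocated.pop(network)
        self.free[physnet].append(vlan)
        self.free[physnet].sort()


class NexusMechanismDriver:
    """Maps compute host -> (switch, port) from the ini layout and keeps a
    ref-counted set of VLANs trunked per port, so a VLAN leaves a port only
    when the last instance of that network leaves the host."""

    SECTION_PREFIX = "ml2_mech_cisco_nexus:"
    SWITCH_SETTINGS = {"ssh_port", "username", "password"}  # not host entries

    def __init__(self, ini_text: str) -> None:
        cfg = configparser.ConfigParser()
        cfg.optionxform = str  # keep 'ComputeHost-1' case as written
        cfg.read_string(ini_text)
        self.host_port: Dict[str, Tuple[str, str]] = {}
        for section in cfg.sections():
            if section.startswith(self.SECTION_PREFIX):
                switch = section[len(self.SECTION_PREFIX):]
                for host, port in cfg.items(section):
                    if host not in self.SWITCH_SETTINGS:
                        self.host_port[host] = (switch, port)
        self.trunk: Dict[Tuple[str, str], Dict[int, int]] = {}

    def port_for(self, host: str) -> Tuple[str, str]:
        return self.host_port[host]  # KeyError: host is not cabled to a managed switch

    def bind_port(self, host: str, vlan: int) -> None:
        counts = self.trunk.setdefault(self.port_for(host), {})
        counts[vlan] = counts.get(vlan, 0) + 1

    def unbind_port(self, host: str, vlan: int) -> None:
        counts = self.trunk[self.port_for(host)]
        counts[vlan] -= 1
        if counts[vlan] == 0:
            del counts[vlan]

    def trunked_vlans(self, host: str) -> List[int]:
        return sorted(self.trunk.get(self.port_for(host), {}))


def demo() -> Dict[str, object]:
    """Boot VM 1 and VM 2 on ComputeHost-1 and VM 3 on ComputeHost-2 on one
    tenant network, then terminate VM 1: host 1's port must keep the VLAN."""
    types = VlanTypeDriver("physnet1:810:819")
    nexus = NexusMechanismDriver(SAMPLE_CISCO_INI)
    vlan = types.allocate("tenant-net", "physnet1")
    nexus.bind_port("ComputeHost-1", vlan)
    nexus.bind_port("ComputeHost-1", vlan)
    nexus.bind_port("ComputeHost-2", vlan)
    nexus.unbind_port("ComputeHost-1", vlan)  # VM 1 gone, VM 2 still needs the VLAN
    return {"vlan": vlan,
            "host1": nexus.trunked_vlans("ComputeHost-1"),
            "host2": nexus.trunked_vlans("ComputeHost-2")}


if __name__ == "__main__":
    print(demo())
```

Two things the model makes visible: the pool is the only thing limiting how many tenant networks the physnet can carry (ten here, 810 to 819), and the ref count is what keeps a host's trunk correct when several instances of one network share a compute host. The same ini also carries the switch's admin password in clear text, so it should be readable only by the account that runs neutron-server.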
Neutron Server Startup Command
cd /opt/stack/neutron && python /usr/local/bin/neutron-server --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/ml2_conf.ini --config-file /home/leblancd/devstack/ml2_conf_cisco.ini || echo "q-svc failed to start" | tee "/opt/stack/status/stack/q-svc.failure"
Demo
Resources
• README files:
  o /opt/stack/neutron/neutron/plugins/ml2/README
  o /opt/stack/neutron/neutron/plugins/ml2/drivers/cisco/README
• Template .ini Files:
  o /opt/stack/neutron/etc/neutron/plugins/ml2/ml2_conf.ini
  o /opt/stack/neutron/etc/neutron/plugins/ml2/ml2_conf_cisco.ini
• Wiki Pages:
  o https://wiki.openstack.org/wiki/Neutron/ML2
  o https://wiki.openstack.org/wiki/Neutron/ML2/MechCiscoNexus
• Google Doc:
  o https://docs.google.com/document/d/1FXo0Hlc5c0myvBk99Bw51yOdHmEXHSaFKUhEGNEuDo4
Virtual Private Networking as a Service
Havana Release
Paul Michali
MAIL pcm@cisco.com
IRC pcm_ (irc.freenode.net)
TW @pmichali
Virtual Private Network as a Service
• Initial Release Goals
  • Site to site VPN (~AWS).
  • Considered “experimental” w/limited functionality.
  • Only Pre-Shared Keys, no certificates.
  • Future releases to address other use cases.
    • SSL-VPN, MPLS/BGP
    • Certificate support
    • Service insertion/chaining
OpenSwan Driver
• OpenSwan: open source VPN process
  • Supports several encryption/auth algorithms, modes of operation (Remote Access, Site2Site, Host2Host).
  • Designed to support a single connection.
  • Uses configuration files to control operation
    • /opt/stack/data/neutron/ipsec/<router-UUID>/…
Current Status
• Reference implementation released
• Horizon dashboard access released
• CLI and REST APIs available
• API reference documentation published
  • http://docs.openstack.org/api/openstack-network/2.0/content/vpnaas_ext.html
• Feature documentation in progress
• Ongoing: bug fixes & enhancements (Icehouse)
Site to Site VPN
[diagram: East site: Private 10.1.0.0/24 with VMs 10.1.0.4 and 10.1.0.5, Router 10.1.0.1, Br-ex 172.24.4.11. West site: Private 10.2.0.0/24 with VM 10.2.0.4, Router 10.2.0.1, Br-ex 172.24.4.21. The two routers are joined by the VPN across 172.24.4.0/24]
Site to Site VPN (physical)
[diagram: two Ubuntu 12.04 VMs on one Host, one serving Private 10.1.0.0/24 and the other Private 10.2.0.0/24, with Br-ex addresses 172.24.4.10 and 172.24.4.20; eth0 of each VM sits on the Admin Network (NAT/host) and eth1 of each on the Internal Network used as the Public Network (172.24.4.222/28)]
Reference Info
• How To:
  https://wiki.openstack.org/wiki/Neutron/VPNaaS/HowToInstall
• Main page (API is in OS doc wiki):
  http://docs.openstack.org/api/openstack-network/2.0/content/vpnaas_ext.html
  https://wiki.openstack.org/wiki/Neutron/VPNaaS
• OpenSwan & StrongSwan:
  https://github.com/xelerance/Openswan/wiki
  http://www.strongswan.org/ and http://wiki.strongswan.org/projects/strongswan
Backup Slides
Site to Site VPN (physical)
[diagram: Devstack-32 (UCS): Private 10.1.0.0/24, Br-ex 172.24.4.225 on eth1, admin address 14.0.3.32. Devstack-33 (UCS): Private 10.2.0.0/24, Br-ex 172.24.4.232 on eth2, admin address 14.0.3.33. Both attach to a Switch on the Admin Network (14.0.3.0/24) and, via eth4 and eth3, to a C6500 carrying the Public Network (172.24.4.222/28)]
Multi-node DevStack
• To do site-to-site VPN, needed to share the public net.
• Solution: Config DevStack (localrc) GW IP to be specified. Also added naming for easier config.

devstack-32
enable_service q-vpn
PUBLIC_SUBNET_NAME=yoursubnet
PRIVATE_SUBNET_NAME=mysubnet
PUBLIC_NETWORK_GATEWAY=172.24.4.225
Q_FLOATING_ALLOCATION_POOL="start=172.24.4.226,end=172.24.4.231"
Q_USE_SECGROUP=False
FIXED_RANGE=10.1.0.0/24
NETWORK_GATEWAY=10.1.0.1

devstack-33
enable_service q-vpn
PUBLIC_SUBNET_NAME=yoursubnet
PRIVATE_SUBNET_NAME=mysubnet
PUBLIC_NETWORK_GATEWAY=172.24.4.232
Q_FLOATING_ALLOCATION_POOL="start=172.24.4.233,end=172.24.4.238"
Q_USE_SECGROUP=False
FIXED_RANGE=10.2.0.0/24
NETWORK_GATEWAY=10.2.0.1
Modifications for VPNaaS
• Make localrc modifications as shown on previous page.
• Connect two systems with a switch (L2) for public net.
• Manually bring up eth# used for public network link.
• Add br-ex and add eth# to br-ex.
Object Diagram
[diagram: one IKE Policy is used by N IPSec Site Connections; one IPSec Policy is used by N IPSec Site Connections; one VPN Service establishes N IPSec Site Connections; each VPN Service is associated with exactly one Subnet and exactly one Router]
Note: all of these are associated with a single tenant
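The object diagram above, together with the OpenSwan driver's per-router files under /opt/stack/data/neutron/ipsec/<router-UUID>/, is easiest to follow as code. The model below is an added example, not Neutron's VPNaaS code: it encodes the 1:N relationships (service on one router and one subnet, N site connections per service, each naming one IKE and one IPSec policy), and renders one connection into an ipsec.conf section plus a separate ipsec.secrets line, writing both only when the content changed, the way the agent-side ensure_conf_file step has to. Openswan keyword syntax is assumed; the algorithm-name mapping, the file layout and the 0600 mode for the secrets file are this example's own choices, not Neutron's template. Addresses are the slide's East/West demo values and the pre-shared key is a constructed placeholder.

```python
# Added example, not Neutron's VPNaaS code. Assumed: Openswan keyword syntax;
# the algorithm mapping, file layout and modes are this example's own.
import ipaddress
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

_ENC = {"3des": "3des", "aes-128": "aes128", "aes-256": "aes256"}   # VPNaaS -> Openswan
_PFS = {"group2": "modp1024", "group5": "modp1536", "group14": "modp2048"}


@dataclass
class Policy:  # shape shared by the IKE policy and the IPSec policy
    name: str
    encryption_algorithm: str = "aes-128"
    auth_algorithm: str = "sha1"
    pfs: str = "group5"

    def openswan_alg(self) -> str:
        return f"{_ENC[self.encryption_algorithm]}-{self.auth_algorithm};{_PFS[self.pfs]}"

@dataclass
class Router:
    id: str
    external_ip: str    # br-ex address: the VPN endpoint
    subnets: List[str]  # CIDRs attached to the router

@dataclass
class VpnService:  # exactly one router and one local subnet per service
    router: Router
    subnet: str

    def __post_init__(self) -> None:
        if self.subnet not in self.router.subnets:
            raise ValueError("VPN service subnet must be attached to its router")

@dataclass
class IpsecSiteConnection:  # N per service; one IKE and one IPSec policy each
    id: str
    service: VpnService
    ike: Policy
    ipsec: Policy
    peer_address: str
    peer_cidrs: List[str]
    psk: str

    def __post_init__(self) -> None:
        ipaddress.ip_address(self.peer_address)  # raises on a malformed peer
        local = ipaddress.ip_network(self.service.subnet)
        for cidr in self.peer_cidrs:
            if ipaddress.ip_network(cidr).overlaps(local):
                raise ValueError(f"peer CIDR {cidr} overlaps local subnet {local}")
        if not self.psk or '"' in self.psk:
            raise ValueError("PSK must be non-empty and contain no double quote")


def render_ipsec_conf(conn: IpsecSiteConnection) -> str:
    """conn section for ipsec.conf; carries no secret material."""
    svc = conn.service
    lines = [f"conn {conn.id}",
             f"    left={svc.router.external_ip}", f"    leftsubnet={svc.subnet}",
             f"    right={conn.peer_address}",
             "    rightsubnets={" + " ".join(conn.peer_cidrs) + "}",
             "    authby=secret",
             f"    ike={conn.ike.openswan_alg()}", f"    phase2alg={conn.ipsec.openswan_alg()}",
             "    pfs=yes", "    auto=start"]
    return "\n".join(lines) + "\n"


def render_secrets(conn: IpsecSiteConnection) -> str:
    # ipsec.secrets line: the only file that holds the PSK
    return f'{conn.service.router.external_ip} {conn.peer_address} : PSK "{conn.psk}"\n'


def ensure_conf_files(base_dir: str, conn: IpsecSiteConnection) -> Dict[str, bool]:
    """Agent-side ensure_conf_file: rewrite <base>/<router-UUID>/{ipsec.conf,ipsec.secrets}
    only when content differs; returns which files changed (so a reload is due)."""
    router_dir = os.path.join(base_dir, conn.service.router.id)
    os.makedirs(router_dir, mode=0o700, exist_ok=True)
    wanted = {"ipsec.conf": (render_ipsec_conf(conn), 0o644),
              "ipsec.secrets": (render_secrets(conn), 0o600)}  # PSK file: owner only
    changed: Dict[str, bool] = {}
    for name, (content, mode) in wanted.items():
        path = os.path.join(router_dir, name)
        current = open(path).read() if os.path.exists(path) else None
        changed[name] = current != content
        if changed[name]:
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
            with os.fdopen(fd, "w") as fh:
                fh.write(content)
        os.chmod(path, mode)  # re-assert even when content is unchanged
    return changed


def east_west_demo(base_dir: Optional[str] = None) -> Dict[str, object]:
    """Render the slide's East -> West connection twice into a scratch dir."""
    base_dir = base_dir or tempfile.mkdtemp(prefix="vpnaas-demo-")
    east = Router("router-east-uuid", "172.24.4.11", ["10.1.0.0/24"])
    conn = IpsecSiteConnection("east-to-west", VpnService(east, "10.1.0.0/24"),
                               Policy("ike-default"), Policy("ipsec-default"),
                               "172.24.4.21", ["10.2.0.0/24"], "constructed-psk")
    first = ensure_conf_files(base_dir, conn)   # both files written
    second = ensure_conf_files(base_dir, conn)  # unchanged: nothing rewritten
    mode = os.stat(os.path.join(base_dir, east.id, "ipsec.secrets")).st_mode & 0o777
    return {"first": first, "second": second, "secrets_mode": oct(mode)}
```

Run east_west_demo() to see the write-then-no-op behaviour; the second call returning all False is what lets a periodic sync avoid restarting a healthy tunnel. The two validation points in the model are the ones that bite in practice: a peer CIDR that overlaps the local subnet yields a tunnel that never carries traffic, and a PSK containing a double quote would break the ipsec.secrets line.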
VPN Architecture
[diagram: IPSec REST API -> VPN Extension -> Common API -> IPSec VPN Adv Srv Plugin (Core, DB, Schedulers (not implemented)) -> IPSec VPN Agent BP2 -> strong-swan driver -> device types NameSpaceDevice, VMDevice, HardWareDevice]
RPC API (Create VPN Service 1/2)
[sequence diagram; participants: User, Neutron, IpSecDriver, Agent, StrongSwan DeviceDriver, Namespace Device]
• create vpn service: Neutron selects the driver using type, sets status BUILDING, ensures the interface is added to the router, then calls create vpn service on the IpSecDriver
• create Ike policy: Noop (do nothing) on the driver; Neutron stores the policy
• create ipsec policy: Neutron stores the policy
• create vpn connection: forwarded to the IpSecDriver as create vpn connection
RPC API (Create VPN Service 2/2)
[sequence diagram; same participants]
• Neutron fetches the router host of the associated router and sends vpn-service-updated to the Agent
• Agent sync: this sync will be done periodically, and at boot time also
• sync passes vpn connection info with related infos to the StrongSwan DeviceDriver, which compares local state, then runs ensure_conf_file and ensure_process_running on the Namespace Device
RPC API (Update VPN Service)
[sequence diagram; same participants]
• Update VPN or update Service/IKE policy/IPSec, or CUD of vpn connections: select driver using type; vpn-service-updated from Neutron to the IpSecDriver and on to the Agent; Agent sync to the StrongSwan DeviceDriver; DeviceDriver sync to the Namespace Device
RPC API (Update VPN Service)
[sequence diagram; same participants]
• Update or delete VPN Service/IKE policy/IPSec, or CRUD of vpn connections: select driver using type; remove interface; vpn-service-updated from Neutron to the IpSecDriver and on to the Agent; Agent sync; DeviceDriver sync to the Namespace Device
Proposed IP Sec Object Model
Amazon Object Model
Cisco Object Model
FWaaS in OpenStack Havana
Contributors

• BigSwitch Sumit N, KC Wang
• Cisco Sridar K
• Dell Rajesh M
• PayPal Ravi C
Initial reference implementation
How: Service Plugin + Agent + Driver
Where: L3 only -- iptables rules on routers
Why: Complements security groups
What next? Vendor drivers
Entity Relationships
[diagram: Tenant A owns Firewall A, Tenant B owns Firewall B, Tenant C owns Firewall C; each firewall is applied to the tenant's routers and references a Firewall Policy (Policy X, Policy Y, ...); a Firewall Policy is an ordered list of Firewall Rules such as Allow ICMP, Allow TCP 80, ...]
Command Line Interface
Rules (CRUD):
  firewall-rule-create
  firewall-rule-list
  firewall-rule-show
  firewall-rule-update
  firewall-rule-delete
Policies:
  firewall-policy-create
  firewall-policy-list
  firewall-policy-show
  firewall-policy-update
  firewall-policy-insert-rule
  firewall-policy-remove-rule
  firewall-policy-delete
Firewalls:
  firewall-create
  firewall-list
  firewall-show
  firewall-update
  firewall-delete
Demo
Dashboard Interface and CLI
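The entity relationships (tenant -> firewall -> one ordered policy -> rules, enforced as iptables rules on the tenant's L3 routers) and the firewall-policy-insert-rule / firewall-policy-remove-rule commands above come down to one question: in what order do the rules land in the chain? The model below is an added example, not Neutron's FWaaS code. It mirrors the insert-before / insert-after positioning of the CLI, renders the enabled rules of a policy in policy order for each router namespace, and closes the chain with a default deny. The chain name fw-ipv4 and the rule-to-iptables translation are illustrative only (Neutron's real chain names and flags are not reproduced), and nothing here executes iptables; it only produces the rule list.

```python
# Added example, not Neutron's FWaaS code. Assumed: chain name "fw-ipv4" and the
# rule translation are illustrative; nothing here runs iptables.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

CHAIN = "fw-ipv4"


@dataclass
class FirewallRule:
    name: str
    action: str                             # "allow" or "deny"
    protocol: Optional[str] = None          # "tcp", "udp", "icmp" or None (any)
    source_ip: Optional[str] = None         # CIDR
    destination_ip: Optional[str] = None    # CIDR
    destination_port: Optional[str] = None  # "80" or "8000:8080"
    enabled: bool = True

    def to_iptables(self) -> str:
        if self.action not in ("allow", "deny"):
            raise ValueError(f"{self.name}: action must be allow or deny")
        if self.destination_port and self.protocol not in ("tcp", "udp"):
            raise ValueError(f"{self.name}: a port needs protocol tcp or udp")
        parts = ["-A", CHAIN]
        if self.protocol:
            parts += ["-p", self.protocol]
        if self.source_ip:
            parts += ["-s", self.source_ip]
        if self.destination_ip:
            parts += ["-d", self.destination_ip]
        if self.destination_port:
            parts += ["--dport", self.destination_port]
        parts += ["-j", "ACCEPT" if self.action == "allow" else "DROP"]
        return " ".join(parts)


class FirewallPolicy:
    """Ordered rule list; position is what firewall-policy-insert-rule controls."""

    def __init__(self, name: str, rules: Iterable[FirewallRule] = ()) -> None:
        self.name = name
        self.rules: List[FirewallRule] = list(rules)

    def _index(self, rule_name: str) -> int:
        for i, rule in enumerate(self.rules):
            if rule.name == rule_name:
                return i
        raise KeyError(f"rule {rule_name} is not in policy {self.name}")

    def insert_rule(self, rule: FirewallRule, insert_before: Optional[str] = None,
                    insert_after: Optional[str] = None) -> None:
        if insert_before and insert_after:
            raise ValueError("give insert_before or insert_after, not both")
        if any(r.name == rule.name for r in self.rules):
            raise ValueError(f"rule {rule.name} is already in policy {self.name}")
        if insert_before:
            idx = self._index(insert_before)
        elif insert_after:
            idx = self._index(insert_after) + 1
        else:
            idx = len(self.rules)  # no anchor: append at the end
        self.rules.insert(idx, rule)

    def remove_rule(self, rule_name: str) -> FirewallRule:
        return self.rules.pop(self._index(rule_name))


@dataclass
class Firewall:
    name: str
    tenant: str
    policy: FirewallPolicy
    routers: List[str]  # the tenant's L3 routers (qrouter namespaces)

    def render(self) -> Dict[str, List[str]]:
        """Per-router iptables rule set: policy order first-match, then default deny."""
        body = [r.to_iptables() for r in self.policy.rules if r.enabled]
        ruleset = (["-N " + CHAIN] + body
                   + ["-A " + CHAIN + " -j DROP", "-I FORWARD 1 -j " + CHAIN])
        return {router: list(ruleset) for router in self.routers}

    def shell_commands(self) -> List[str]:
        return [f"ip netns exec qrouter-{router} iptables {rule}"
                for router, rules in self.render().items() for rule in rules]


def demo() -> Dict[str, List[str]]:
    """Tenant A's Firewall A with Policy X from the slide (Allow ICMP, Allow TCP 80),
    then a deny rule inserted ahead of them with insert_before."""
    policy_x = FirewallPolicy("X", [FirewallRule("allow-icmp", "allow", "icmp"),
                                   FirewallRule("allow-http", "allow", "tcp",
                                                destination_port="80")])
    policy_x.insert_rule(FirewallRule("deny-bad-net", "deny", source_ip="192.0.2.0/24"),
                         insert_before="allow-icmp")
    return Firewall("A", "tenant-a", policy_x, ["router-1"]).render()


if __name__ == "__main__":
    for line in Firewall("A", "tenant-a", FirewallPolicy("X"), ["router-1"]).shell_commands():
        print(line)
```

Because iptables matches first-rule-wins, a deny inserted after an allow for the same traffic is dead, which is why the position argument exists at all; the default deny at the end of the chain is what makes the policy a real allow-list rather than a complement to whatever the router already forwarded. The same policy is applied to every router of the tenant, in contrast to security groups, which act per port.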
