Adding Aswin and Venkat. On Feb 2, 2017 4:37 AM, "Juan Manuel Fernandez" < juan.manuel.fernan...@ericsson.com> wrote:
> Hi, > > > > Some of the people working for OPNFV in Madrid are involved in the ETSI > NFV Plugtest where interoperability among different MANO orchestrators, > NFVis and VNFs is being tested. There we have brought an OPNFV Colorado > environment configured to deploy Service Chaining (including Openstack + > Openstack Tacker + ODL Boron), however most of the requirements are related > to basic connectivity to be provided by ODL as a Neutron backend. In our > case, and given we are using SFC module the Neutron back-end is old > Netvirt, since integration with new Netvirt is not finished. > > > > I don’t know how the final results of the Plugtest will be published by > ETSI, but in general I would say tests have gone quite well for OPNFV, but > we have found some issues we have not been able to solve and we wonder if > you guys are thinking on solving them (or are already solved) in new > Netvirt or maybe we have done something wrong and not taken something into > account: > > > > 1. Attach to flat provider network: > > > > We are not completely sure, whether this is provided by ODL, but it seems > not to be provided by Networking ODL in Openstack yet. Please, see the > following proposed change in Networking ODL (not approved yet): > https://review.openstack.org/#/c/425246/ > > > > 2. Some VNFs were working as a pure bump in the wire, re-injecting > traffic received from a user, including a MAC/IP different than the VM’s > (i.e. not doing MAC re-writing). In these situations, Openstack port > security was preventing from what it is considering an anti-spoofing > attack. In that sense we considered three different options: > > > > - Disable completely port security in > /etc/neutron/plugins/ml2/ml2_conf.ini, by setting port_security_enabled > to false. This solution is too wide and unsecure, so we did not apply it. > On the other hand, we already had some other VMs running with security > groups associated, so we were not sure if that might be a problem. > > - Disable port security in the network to be used. > Unfortunately, this possibility that is available from Mitaka (included in > August) was not still available in the Mirantis Openstack version ( > https://review.openstack.org/#/c/306470/) we were using, but *we wonder > if this is supported by ODL-Netvirt (old and new).* The neutron command > would be the following: > > o neutron net-create <whatever_network> *--port_security_enabled=False* > > - Finally, the last option we saw, was disabling port security > and security groups in each and every port. The VM is attached to a network > without disabling security groups, but as a next step, port security is > disabled in the port using the following commands: > > o neutron port-update --no-security-groups PORT_ID > > o neutron port-update --port-security-enabled=False > > This option was crashing in ODL throwing a java exception, is that > supported in new Netvirt? > > > > So, to sum up, are you aware of these issues in old Netvirt? Are they > really issues? Is there a workaround? And the most important thing, in case > they are real issues, are they already solved in new netvirt or will they > be solved? > > > > My apologies if you have received this e-mail twice, I already sent it > some minutes ago, but I’m not sure if was properly sent > > > > Thanks and best regards, > > > > Juanma > > > > [image: Ericsson] <http://www.ericsson.com/> > > *JUAN MANUEL FERNANDEZ * > SDN System Engineer > > > *Ericsson* > Via de los Poblados 13 > 28043, Spain > Phone +34 913392408 <+34%20913%2039%2024%2008> > Mobile +34 618837205 <+34%20618%2083%2072%2005> > Office 8402408 > juan.manuel.fernan...@ericsson.com > www.ericsson.com > > > > > > Legal entity: Ericsson España, S.A., registered office in Madrid. This > Communication is Confidential. We only send and receive email on the basis > of the terms set out at www.ericsson.com/email_disclaimer > > > > _______________________________________________ > sfc-dev mailing list > sfc-...@lists.opendaylight.org > https://lists.opendaylight.org/mailman/listinfo/sfc-dev > >
_______________________________________________ opnfv-tech-discuss mailing list opnfv-tech-discuss@lists.opnfv.org https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss
