On Thu, Jul 5, 2018 at 3:15 PM, Daniel Alvarez <dalva...@redhat.com> wrote:

>
>
> On 5 Jul 2018, at 23:34, Han Zhou <zhou...@gmail.com> wrote:
>
>
>
> On Thu, Jul 5, 2018 at 6:00 AM, Daniel Alvarez Sanchez <
> dalva...@redhat.com> wrote:
> >
> > Hi Han, all
> >
> > While implementing Port Groups in OpenStack I have noticed that we are duplicating the lflows for the DHCP now with the current code. Seeking advice here:
> >
> > When we create a Neutron subnet, I'm creating a Port Group with the ACL for the DHCP:
> >
> > _uuid               : 7f2b64eb-090b-4bb4-85fd-09576329c21b
> > action              : allow
> > direction           : from-lport
> > external_ids        : {}
> > log                 : false
> > match               : "inport == @pg_12070130_e7f0_47a7_aee2_cde2064e7a28 && ip4 && ip4.dst == {255.255.255.255, 192.168.1.0/24} && udp && udp.src == 68 && udp.dst == 67"
> > name                : []
> > priority            : 1002
> > severity            : []
> >
> >
> > This generates the proper lflow in the Logical_Flow table:
> >
> > _uuid               : a2a970ec-82ee-4474-bf0e-43f1cdedd7ed
> > actions             : "next;"
> > external_ids        : {source="ovn-northd.c:3192", stage-hint="7f2b64eb", stage-name=ls_in_acl}
> > logical_datapath    : e1bdb553-5bbf-4b76-a19d-cf385612a3ff
> > match               : "inport == @pg_12070130_e7f0_47a7_aee2_cde2064e7a28 && ip4 && ip4.dst == {255.255.255.255, 192.168.1.0/24} && udp && udp.src == 68 && udp.dst == 67"
> > pipeline            : ingress
> > priority            : 2002
> > table_id            : 6
> > hash                : 0
> >
> >
> > However, all the ports belonging to that subnet also have an lflow for DHCP (different stages though)
> >
> > _uuid               : f159803f-6b8d-4c8a-9339-b89ee267c2eb
> > actions             : "next;"
> > external_ids        : {source="ovn-northd.c:2579", stage-name=ls_in_port_sec_ip}
> > logical_datapath    : 2b3126db-74d4-48a1-9e81-192066748de6
> > match               : "inport == \"240edf21-5a9c-4edd-98b5-8dadc343b9de\" && eth.src == fa:16:3e:07:85:91 && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && udp.src == 68 && udp.dst == 67"
> > pipeline            : ingress
> > priority            : 90
> > table_id            : 1
> > hash                : 0
> >
> >
> > My questions are:
> >
> > 1) Do I really need to create the Port Group for every subnet just to take care of the DHCP?
>
> Yes, I think it is the right way to do it in networking-ovn. Otherwise, we
> will have to create per-port ACLs to allow DHCP. The examples you gave above
> are NOT redundant flows; as you mentioned, they are in different stages (for
> different purposes), and they will end up as ovs flows in different ovs
> flow tables.
>
> > 2) We have per-port DHCP lflows, is it worth implementing port groups around them too?
>
> For the per-port DHCP flows in port-security stage, they can't be
> "grouped" because eth.src is in match condition, which is different for
> each port.
>
> Oh absolutely! For my 1K ports test using 6 security group rules, the
> number of ACLs went down from 9000 to 197 while the number of lflows went
> down from 34000 to 22000.
> The time to create a port in OVN went down from 0.35-0.40 to 0.1-0.15
> seconds.
>

That's a 60 ~ 70% improvement. Sounds great and thanks for sharing!
Did we get the benefit of conjunction with fewer OVS flows, too?

Still, Neutron ML2 is the bottleneck in the OpenStack case.
>
> Thanks Han! My bad for not realizing, sorry
>
> >
> > Thanks!
> > Daniel
> >
>
>
_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss