Re: [ovs-discuss] OVN interconnection and NAT

Vladislav Odintsov via discuss Wed, 15 Mar 2023 10:06:16 -0700

Hi,

since you’ve configured multiple LRPs with GW chassis, you must supply 
logical_port for NAT rule. Did you configure it?
You should see appropriate message in ovn-northd logfile.


       logical_port: optional string
              The name of the logical port where the logical_ip resides.

              This is only used on distributed routers. This must be specified 
in order for the NAT rule to be pro‐
              cessed  in a distributed manner on all chassis. If this is not 
specified for a NAT rule on a distrib‐
              uted router, then this NAT rule will be processed  in  a  
centralized  manner  on  the  gateway  port
              instance on the gateway chassis.

> On 15 Mar 2023, at 19:22, Tiago Pires via discuss 
> <ovs-discuss@openvswitch.org> wrote:
> 
> Hi,
> 
> In an OVN Interconnection environment (OVN 22.03) with a few AZs, I noticed 
> that when the OVN router has a SNAT enabled or DNAT_AND_SNAT,
> the traffic between the AZs is nated.
> When checking the OVN router's logical flows, it is possible to see the LSP 
> that is connected into the transit switch with NAT enabled:
> 
> Scenario:
> 
> OVN Global database:
> # ovn-ic-sbctl show
> availability-zone az1
>     gateway ovn-central-1
>         hostname: ovn-central-1
>         type: geneve
>             ip: 192.168.40.50
>         port ts1-r1-az1
>             transit switch: ts1
>             address: ["aa:aa:aa:aa:aa:10 169.254.100.10/24 
> <http://169.254.100.10/24>"]
> availability-zone az2
>     gateway ovn-central-2
>         hostname: ovn-central-2
>         type: geneve
>             ip: 192.168.40.221
>         port ts1-r1-az2
>             transit switch: ts1
>             address: ["aa:aa:aa:aa:aa:20 169.254.100.20/24 
> <http://169.254.100.20/24>"]
> availability-zone az3
>     gateway ovn-central-3
>         hostname: ovn-central-3
>         type: geneve
>             ip: 192.168.40.247
>         port ts1-r1-az3
>             transit switch: ts1
>             address: ["aa:aa:aa:aa:aa:30 169.254.100.30/24 
> <http://169.254.100.30/24>"]
> 
> OVN Central (az1)
> 
> # ovn-nbctl show r1
> router 3e80e81a-58b5-41b1-9600-5bfc917c4ace (r1)
>     port r1-ts1-az1
>         mac: "aa:aa:aa:aa:aa:10"
>         networks: ["169.254.100.10/24 <http://169.254.100.10/24>"]
>         gateway chassis: [ovn-central-1]
>     port r1_s1
>         mac: "00:de:ad:fe:0:1"
>         networks: ["10.0.1.1/24 <http://10.0.1.1/24>"]
>     port r1_public
>         mac: "00:de:ad:ff:0:1"
>         networks: ["200.10.0.1/24 <http://200.10.0.1/24>"]
>         gateway chassis: [ovn-central-1]
>     nat df2b79d3-1334-4af3-8f61-5a46490f8a9c
>         external ip: "200.10.0.101"
>         logical ip: "10.0.1.2"
>         type: "dnat_and_snat"
> 
> OVN Logical Flows:
> table=3 (lr_out_snat        ), priority=161  , match=(ip && ip4.src == 
> 10.0.1.2 && outport == "r1-ts1-az1" && is_chassis_resident("cr-r1-ts1-az1")), 
> action=(ct_snat_in_czone(200.10.0.101);)
> 
> The datapath flows into OVS shows that the traffic is being nated and sent to 
> the remote chassi gateway in AZ2:
> 
> recirc_id(0x14),in_port(3),eth(src=aa:aa:aa:aa:aa:10,dst=aa:aa:aa:aa:aa:20),eth_type(0x0800),ipv4(dst=200.16.0.0/255.240.0.0,tos=0/0x3,frag=no
>  <http://200.16.0.0/255.240.0.0,tos=0/0x3,frag=no>), packets:3, bytes:294, 
> used:0.888s, 
> actions:ct_clear,set(tunnel(tun_id=0xff0002,dst=192.168.40.221,ttl=64,tp_dst=6081,geneve({class=0x102,type=0x80,len=4,0x10002}),flags(df|csum|key))),2
> recirc_id(0x13),in_port(3),eth(),eth_type(0x0800),ipv4(src=10.0.1.2,frag=no), 
> packets:3, bytes:294, used:0.888s, 
> actions:ct(commit,zone=2,nat(src=200.10.0.101)),recirc(0x14)
> recirc_id(0),in_port(3),eth(src=00:de:ad:01:00:01,dst=00:de:ad:fe:00:01),eth_type(0x0800),ipv4(src=10.0.1.2,dst=200.20.0.0/255.255.255.0,ttl=64,frag=no
>  <http://200.20.0.0/255.255.255.0,ttl=64,frag=no>), packets:3, bytes:294, 
> used:0.888s, actions:set(e
> th(src=aa:aa:aa:aa:aa:10,dst=aa:aa:aa:aa:aa:20)),set(ipv4(ttl=63)),ct(zone=2,nat),recirc(0x13)
> 
> Is this behavior expected by design or is it a bug? In my use case, I would 
> like for the traffic between AZs to be routed instead of nated.
> 
> Tiago Pires
> 
> 
> ‘Esta mensagem é direcionada apenas para os endereços constantes no cabeçalho 
> inicial. Se você não está listado nos endereços constantes no cabeçalho, 
> pedimos-lhe que desconsidere completamente o conteúdo dessa mensagem e cuja 
> cópia, encaminhamento e/ou execução das ações citadas estão imediatamente 
> anuladas e proibidas’.
>  ‘Apesar do Magazine Luiza tomar todas as precauções razoáveis para assegurar 
> que nenhum vírus esteja presente nesse e-mail, a empresa não poderá aceitar a 
> responsabilidade por quaisquer perdas ou danos causados por esse e-mail ou 
> por seus anexos’.
> 
> _______________________________________________
> discuss mailing list
> disc...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss


Regards,
Vladislav Odintsov

_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss

Re: [ovs-discuss] OVN interconnection and NAT

Reply via email to