path: root/doc/source/how_l2_segregation_works.rst
blob: 4b0d2b9dcefc39760426311f3bfc2dd5e2c21250 (plain)
.. _how_it_works:

****************************
How Ryu L2 segregation works
****************************
This section describes how Ryu L2 segregation works.

tenant/network id creation
==========================
When a tenant (= network id) is created, the Quantum server tells Ryu about it.
Ryu remembers the network id.

  .. image:: /images/network-creation.png


associating an OVS port with a network id
=========================================
#. When a VM instance is created, its network port is created in OVS and
   associated with the network id that the VM belongs to.

#. The quantum OVS agent tells Ryu the associated (network id, ovs port) pair.
   Ryu remembers the (network id, ovs port) relationship.

#. The quantum OVS agent also tells Ryu which OVS ports are not managed by
   nova/quantum but are connected to an external ethernet cable.
   We call such a port an external OVS port, or say that the port is external.


  .. image:: /images/assoc-ovs-port.png


mac learning
============
When a VM sends packets, Ryu determines the network id from the OVS port and then
associates the source mac address with that network id.

   .. image:: /images/mac-learning.png


packet filtering (L2 unicast case)
==================================
* When a VM sends an L2 unicast packet, Ryu checks whether the destination mac
  address belongs to the same network id as the source mac address, which
  is the network id that the incoming OVS port is associated with.
* If not, the packet is dropped.
* If so, the packet is sent to the ports that belong to the same
  network id and to the external ports.

   .. image:: /images/filtering-outgoing.png
   .. image:: /images/filtering-incoming.png


packet filtering (L2 broadcast case)
====================================
* When a VM sends an L2 broadcast/multicast packet, Ryu looks up the network id
  of the source mac address.
* The packet is sent to all external ports and to all OVS ports that belong
  to the same network id as the source mac address.
* When a broadcast/multicast packet is received from an external port,
  Ryu checks whether the source mac address belongs to a known network id.

   * If so, the packet is sent to the external ports except the incoming one
     and to all OVS ports that belong to that network id.
   * If not, the packet is dropped.

   .. image:: /images/filtering-broadcast.png
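The following is an added example, not Ryu's own code: a pure-Python model of the
state this page says Ryu remembers (network ids, OVS port to network id mapping,
external ports, learned mac addresses) and of the unicast and broadcast forwarding
decisions described above. The class and method names are made up for illustration.
Two points are this example's own choices rather than statements from the page: a
unicast packet whose destination mac has never been learned is dropped, and a unicast
packet arriving on an external port is subject to the same "source belongs to a known
network id, destination in that same network" check as the broadcast case.

```python
"""Model of Ryu-style L2 segregation (added example, not Ryu code).

forward() returns the set of output ports for one packet; an empty set
means the packet is dropped.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac):
    """Broadcast and multicast MACs have the I/G bit (LSB of the first octet) set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class L2Segregation:
    def __init__(self):
        self.network_ids = set()      # announced by the Quantum server
        self.port_to_network = {}     # OVS port -> network id (from the OVS agent)
        self.external_ports = set()   # ports on an external cable, not nova-managed
        self.mac_to_network = {}      # learned from VM traffic: src MAC -> network id

    # --- state pushed by Quantum and the OVS agent ---------------------------
    def create_network(self, network_id):
        self.network_ids.add(network_id)

    def associate_port(self, port, network_id):
        if network_id not in self.network_ids:
            raise ValueError("unknown network id %r" % (network_id,))
        self.port_to_network[port] = network_id

    def add_external_port(self, port):
        self.external_ports.add(port)

    def ports_in_network(self, network_id):
        return {p for p, n in self.port_to_network.items() if n == network_id}

    # --- per-packet decision -------------------------------------------------
    def forward(self, in_port, src_mac, dst_mac):
        if in_port in self.port_to_network:
            return self._from_vm(in_port, src_mac, dst_mac)
        if in_port in self.external_ports:
            return self._from_external(in_port, src_mac, dst_mac)
        return set()  # port unknown to both Quantum and the OVS agent: drop

    def _from_vm(self, in_port, src_mac, dst_mac):
        net = self.port_to_network[in_port]
        self.mac_to_network[src_mac] = net  # MAC learning: src MAC -> port's network id
        if is_group_address(dst_mac):
            out = self.ports_in_network(net) | self.external_ports
        elif self.mac_to_network.get(dst_mac) == net:
            out = self.ports_in_network(net) | self.external_ports
        else:
            # Destination is in another network, or was never learned.
            # Dropping unknown unicast is this example's conservative choice.
            return set()
        return out - {in_port}

    def _from_external(self, in_port, src_mac, dst_mac):
        net = self.mac_to_network.get(src_mac)
        if net is None:
            return set()  # source not in any known network id: drop
        if not is_group_address(dst_mac) and self.mac_to_network.get(dst_mac) != net:
            return set()  # example's assumption for unicast arriving from outside
        return (self.external_ports - {in_port}) | self.ports_in_network(net)


# Constructed sample topology: two tenant networks on one OVS, one external port.
MAC_A1, MAC_A2, MAC_B1 = "00:00:00:00:0a:01", "00:00:00:00:0a:02", "00:00:00:00:0b:01"
MAC_UNKNOWN = "00:00:00:00:ee:ee"
PORT_A1, PORT_A2, PORT_B1, PORT_EXT = 1, 2, 3, 10


def build_demo():
    seg = L2Segregation()
    seg.create_network("net-a")
    seg.create_network("net-b")
    seg.associate_port(PORT_A1, "net-a")
    seg.associate_port(PORT_A2, "net-a")
    seg.associate_port(PORT_B1, "net-b")
    seg.add_external_port(PORT_EXT)
    # Each VM sends one broadcast so its MAC gets learned.
    for port, mac in ((PORT_A1, MAC_A1), (PORT_A2, MAC_A2), (PORT_B1, MAC_B1)):
        seg.forward(port, mac, BROADCAST)
    return seg


if __name__ == "__main__":
    seg = build_demo()
    print("A1 -> A2 (same net):   ", sorted(seg.forward(PORT_A1, MAC_A1, MAC_A2)))
    print("A1 -> B1 (other net):  ", sorted(seg.forward(PORT_A1, MAC_A1, MAC_B1)))
    print("ext bcast, known src:  ", sorted(seg.forward(PORT_EXT, MAC_A1, BROADCAST)))
    print("ext bcast, unknown src:", sorted(seg.forward(PORT_EXT, MAC_UNKNOWN, BROADCAST)))
```

Running the module prints the decisions for the constructed topology: the
same-network unicast reaches the peer VM port and the external port, the
cross-network unicast is dropped, a broadcast from the external port with a
learned source is delivered only to that network's VM ports, and a broadcast
from the external port with an unknown source is dropped.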