John McDowall <jmcdow...@paloaltonetworks.com> wrote on 07/17/2016 11:23:17 PM:
> From: John McDowall <jmcdow...@paloaltonetworks.com>
> To: Ryan Moats/Omaha/IBM@IBMUS
> Cc: "dev@openvswitch.org" <dev@openvswitch.org>
> Date: 07/17/2016 11:23 PM
> Subject: Re: SFC: How about stages in both pipelines?
>
> Ryan,
>
> We see this use case a lot – essentially a FW between logical
> network segments, and one could be the internet. It is not so much a
> chain but a link in a chain :-0. The complexity is using
> load-balancers to scale the firewall to support the scale of the
> application load. Which ends up looking like this (excuse my ascii art).
>
>                                        | — App
>                   |——FW —-  |          | — App
> Internet -> LB1-- |——FW --- |— LB2—--- | — App
>                   |——FW —-  |          | — App
>                                        | — App
>
> Now if OVS/OVN can do the load balancing the picture becomes
> simpler and more interesting.
>
> Thoughts?
>
> j

First, you've jumped way ahead of me here with your example above
as I'm still trying to crawl :)

Still, the important concept is the fact that you are doing this
at network borders...

You did see that Guru landed a set of patches that added native LB
capabilities into OVS/OVN itself? I admit that I've not looked at them
in any great detail to date, but they are there...

Ryan

> From: Ryan Moats <rmo...@us.ibm.com>
> Date: Sunday, July 17, 2016 at 7:02 PM
> To: John McDowall <jmcdow...@paloaltonetworks.com>
> Cc: "dev@openvswitch.org" <dev@openvswitch.org>
> Subject: Re: SFC: How about stages in both pipelines?
>
> John McDowall <jmcdow...@paloaltonetworks.com> wrote on 07/17/2016
> 08:18:48 PM:
>
> > From: John McDowall <jmcdow...@paloaltonetworks.com>
> > To: Ryan Moats/Omaha/IBM@IBMUS
> > Cc: "dev@openvswitch.org" <dev@openvswitch.org>
> > Date: 07/17/2016 08:18 PM
> > Subject: Re: SFC: How about stages in both pipelines?
> >
> > Ryan,
> >
> > I assume you are thinking about L3 VNF support?
> >
> > If so yes I need to think this through – any ideas would be appreciated
> >
> > Regards
> >
> > John
> >
> > From: Ryan Moats <rmo...@us.ibm.com>
> > Date: Sunday, July 17, 2016 at 6:15 PM
> > To: John McDowall <jmcdow...@paloaltonetworks.com>
> > Cc: "dev@openvswitch.org" <dev@openvswitch.org>
> > Subject: SFC: How about stages in both pipelines?
> >
> > John-
> >
> > To date, I think we've talked about adding an
> > SFC stage to the ingress pipeline for logical
> > switch datapaths and how to enable that via
> > OpenStack/Neutron. Since OVN doesn't have to
> > assume OpenStack as the CMS, I think we should
> > also be adding that stage to the ingress
> > pipeline of the logical router datapath.
> >
> >
> > Ryan
>
> I don't think I'm talking about L3 VNF support (at least
> not that way I've heard the term used previously).
>
> Rather, I'm thinking of how I might support VNFs that work
> at network edges or boundaries (for example, an IDS/IPS for
> traffic from the Internet). Since such VNFs would be
> looking at inter-network traffic only, I don't think it
> makes sense to shoehorn them into the logical datapath
> associated with a logical switch as that would require
> making the ACLs more complex to ensure they don't have to
> handle intra-network traffic. Since inter-network traffic
> will pass through at least one logical datapath associated
> with a logical router, I'm thinking adding an SFC stage
> to the logical router's ingress pipeline would support
> this scenario fairly cleanly at the OVN level.
>
> I admit that I've no ideas yet on how to set up
> networking-sfc to support such a scenario, but that
> doesn't mean we can't add the code to OVN to support it.
>
> Ryan

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev