Hi Andy,

Assuming the “controller” configures the fw via apis and only interacts with the apps (not session/transport layers in vpp) for session setup/teardown, it should be possible. Or, in other words, session layer cannot wait for a decision to be made by some remote enforcement point. It does however handle applications’ refusal to accept new sessions.

Regards,
Florin

> On Sep 30, 2021, at 11:39 PM, Andy Ye <andy...@gmail.com> wrote:
>
> Hi Florin,
>
> Thank you for your reply!
>
> "For instance, running apps within the vms that attach to their respective vpps via vcl and then report their connections to a central point, over the network (so potentially over vcl), should be possible."
>
> This is partially the intention. To be clearer, what those vpps on different vms do, can be just all process network packets (setup/teardown sessions) applying some firewall rules, behind a load balancer, the central managed "controller" will host the one big session table with certain network resources (i.e. IPs) under single policy across all the vpps over different vms.
>
> Hope this helps you understand better, is that feasible?
>
> Best,
> --Andy
>
> On Thu, Sep 30, 2021, 6:01 PM Florin Coras <fcoras.li...@gmail.com> wrote:
> Hi Andy,
>
> Let me check if I understood your question correctly: you want sessions within multiple vpps, running in separate vms, to be centrally managed?
>
> If that’s so, it depends what “centrally managed” means. For instance, running apps within the vms that attach to their respective vpps via vcl and then report their connections to a central point, over the network (so potentially over vcl), should be possible. Within such a setup, the “controller” can then control the behavior of the apps, i.e., sessions they accept and connect. On the other hand, if the controller wants a unified view of all session/transport layer state in all vpps, that doesn’t sound feasible as it is too much information and too dynamic.
>
> Out of curiosity, why would you want to do that?
>
> Regards,
> Florin
>
> > On Sep 30, 2021, at 4:37 PM, andy...@gmail.com wrote:
> >
> > Hi,
> >
> > Want to check the feasibility of using vpp vnet/session VCL frameworks to centrally manage sessions across multiple vm/hosts' vpps (dataplanes). Multiple vpps on the same vm/host session management is straightforward, we can just use shm to do so. But for across vm/hosts vpps to share the same session table, will vpp vnet/session and VCL help to make session table a server-side app?
> >
> > Thanks,
> > --Andy