Juniper Openstack

Do not leak public routes into service RIs for NAT SI

Bug #1562200 reported by Nischal Sheth
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Juniper Openstack
Status tracked in Trunk
R2.21.x
Won't Fix
High
Sachin Bansal
R3.0
Fix Committed
High
Sachin Bansal
Juniper Openstack r3.0.2.0
Trunk
Fix Committed
High
Sachin Bansal
Juniper Openstack r3.1.0.0-fcs

Bug Description

Consider a service chain where the last instance in the chain has mode
In-Network-NAT. An internal service RI is created for both the left VN
and the right VN (public). The right service RI has a connection to the
primary RI of the public VN.

If there's X such service chains, there will X service RIs connected to
the public VN.
Say that the number of routes in the public VN is Y (this would usually
include the IP addresses assigned to each of the NAT SIs instances above
and the all floating IPs allocated in the system)

Hence there will be X*Y routes in the control nodes. Further, all these
X*Y routes will need to be downloaded to all Z vRouters that have any
SNAT SI. Hence we have X*Y*Z scaling problem.

Technically, the right service RI is not even required for In-Network-NAT
since we do not re-originate routes from the left VN into public. Even if
we create the RI, we shouldn't connect it to the primary RI of public VN.

See original description
Nischal Sheth (nsheth)
description: updated
description: updated
description: updated
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/18866
Submitter: Sachin Bansal (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/18866
Committed: http://github.org/Juniper/contrail-controller/commit/0db0a7186e59b2a2115200a61066ff32a1c92322
Submitter: Zuul
Branch: master

commit 0db0a7186e59b2a2115200a61066ff32a1c92322
Author: Sachin Bansal <email address hidden>
Date: Tue Mar 29 17:17:17 2016 -0700

Do not create right service RI for nat instances

If a service instance is in-network-nat mode, the traffic on the right side
is always routed in the primary RI. The service RI is not used for anything.
However, since all routes from primary RIs will still be copied into it.
With this commit, we won't create the right RI for such instances.

Change-Id: I78c16e0d95f5d3799daaf92765da67c51f25fd50
Closes-Bug: 1562200

Changed in juniperopenstack:
milestone: none → r3.1.0.0-fcs
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.21.x

Review in progress for https://review.opencontrail.org/18999
Submitter: Nischal Sheth (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/18999
Committed: http://github.org/Juniper/contrail-controller/commit/6c5d5b925256cab7f2ab473bb2189a46391aa995
Submitter: Zuul
Branch: R2.21.x

commit 6c5d5b925256cab7f2ab473bb2189a46391aa995
Author: Nischal Sheth <email address hidden>
Date: Thu Mar 31 11:53:55 2016 -0700

Temporary workaround for FIP + SNAT scaling problem

Ignore connection links for non-default routing instances of virtual
networks with router-external set. This stops unnecessary import of
routes into non-default instances of external networks and subsequent
download to all vrouters that have FIP or SNAT. The instances are not
used in the forwarding path anyway.

Enable this behavior under control of a new optimize_snat option in
contrail-control.conf.

Proper fix is to not create service chains for SNAT and to not create
these service routing instances for service chains where the last SI
is a NAT (Launchpad bug 1562200).

Change-Id: Ie64bae9a7b2284b36e0b26563da4677eaa7f9157
Partial-Bug: 1554175
Related-Bug: 1562200

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.21.x

Review in progress for https://review.opencontrail.org/19022
Submitter: Sachin Bansal (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/19022
Committed: http://github.org/Juniper/contrail-controller/commit/78ec1c86e79a1be018b58f03001cea9fdae79f47
Submitter: Zuul
Branch: R2.21.x

commit 78ec1c86e79a1be018b58f03001cea9fdae79f47
Author: Sachin Bansal <email address hidden>
Date: Sat Apr 2 07:56:42 2016 -0700

Do not set VRF assign rules for right interfaces of nat instances

We are planning not to link service RI with the primary RI of the
right networks of in-network-nat instances. We should also not
set VRF assign rules.

Change-Id: I11ad075a2d91e5da18094612a2c5935366197c94
Partial-Bug: 1554175
Related-Bug: 1562200

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/19073
Submitter: Sachin Bansal (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/19073
Committed: http://github.org/Juniper/contrail-controller/commit/0354c2bd8177d6e15f9d6e7621e58dfebf656cd3
Submitter: Zuul
Branch: master

commit 0354c2bd8177d6e15f9d6e7621e58dfebf656cd3
Author: Sachin Bansal <email address hidden>
Date: Tue Apr 5 10:02:56 2016 -0700

Do not set VRF assign rules for right interfaces of nat instances

We are planning not to link service RI with the primary RI of the
right networks of in-network-nat instances. We should also not
set VRF assign rules.

Change-Id: I11ad075a2d91e5da18094612a2c5935366197c94
Partial-Bug: 1554175
Related-Bug: 1562200

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.0

Review in progress for https://review.opencontrail.org/19178
Submitter: Sachin Bansal (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/19178
Committed: http://github.org/Juniper/contrail-controller/commit/0414ff422c0f1c973ef22f7131cb68bb0c3dc3e9
Submitter: Zuul
Branch: R3.0

commit 0414ff422c0f1c973ef22f7131cb68bb0c3dc3e9
Author: Sachin Bansal <email address hidden>
Date: Tue Mar 29 17:17:17 2016 -0700

Do not create right service RI for nat instances

If a service instance is in-network-nat mode, the traffic on the right side
is always routed in the primary RI. The service RI is not used for anything.
However, since all routes from primary RIs will still be copied into it.
With this commit, we won't create the right RI for such instances.

(cherry picked from commit 0db0a7186e59b2a2115200a61066ff32a1c92322)

Do not set VRF assign rules for right interfaces of nat instances

We are planning not to link service RI with the primary RI of the
right networks of in-network-nat instances. We should also not
set VRF assign rules.

Partial-Bug: 1554175
Closes-Bug: 1562200
(cherry picked from commit 0354c2bd8177d6e15f9d6e7621e58dfebf656cd3)

Change-Id: I3c043fcf8a9b585acac8ea8bcb449ea5c91879d6

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.