[ovirt-users] OVN routing and firewalling in oVirt

[Gianluca Cecchi]

On Thu, Feb 16, 2017 at 2:26 PM, Simone Tiraboschi <stirabos at redhat.com>
wrote:

>
>
> On Thu, Feb 16, 2017 at 2:20 PM, Gianluca Cecchi <
> gianluca.cecchi at gmail.com> wrote:
>
>> Hello,
>> how do we manage routing between different OVN networks in oVirt?
>> And between OVN networks and physical ones?
>>
>
> Take a look at this blog post:
> http://blog.spinhirne.com/2016/09/the-ovn-gateway-router.html
>

Great!
Actually using the previous blog post of the series:
http://blog.spinhirne.com/2016/09/an-introduction-to-ovn-routing.html

I was able to complete routing between two different oVirt subnets:

In oVirt I have previously created:

ovn_net1 network with subnet subn1 (defined as 172.16.10.0/24 with gw
172.16.10.1)
so that ip usable range is from 172.16.10.1 to 172.16.10.254

ovn_net2 network with subnet subn2 (defined as 192.168.10.0/24 with gw
192.168.10.1)
so that ip usable range is from 192.168.10.1 to 192.168.10.254

I have to VMs defined on the two subnets:
vm1 172.16.10.2
vm2 192.168.10.101

on central server (that is my engine)
# define the new logical switches
# no, already created from inside oVirt: they are ovn_net1 and ovn_net2

# add the router
ovn-nbctl lr-add net1net2

# create router port for the connection to net1
ovn-nbctl lrp-add net1net2 net1 02:ac:10:ff:01:29 172.16.10.1/24

# create the net1 switch port for connection to net1net2
ovn-nbctl lsp-add ovn_net1 net1-net1net2
ovn-nbctl lsp-set-type net1-net1net2 router
ovn-nbctl lsp-set-addresses net1-net1net2 02:ac:10:ff:01:29
ovn-nbctl lsp-set-options net1-net1net2 router-port=net1

# create router port for the connection to net2
ovn-nbctl lrp-add net1net2 net2 02:ac:10:ff:01:93 192.168.10.1/24

# create the net2 switch port for connection to net1net2
ovn-nbctl lsp-add ovn_net2 net2-net1net2
ovn-nbctl lsp-set-type net2-net1net2 router
ovn-nbctl lsp-set-addresses net2-net1net2 02:ac:10:ff:01:93
ovn-nbctl lsp-set-options net2-net1net2 router-port=net2

# show config
ovn-nbctl show

[root at ractorshe ~]# ovn-nbctl show
    switch 38cca50c-e8b2-43fe-b585-2ee815191939 (ovn_net1)
        port 5562d95d-060f-4c64-b535-0e460ae6aa5a
            addresses: ["00:1a:4a:16:01:52 dynamic"]
        port 87fea70a-583b-4484-b72b-030e2f175aa6
            addresses: ["00:1a:4a:16:01:53 dynamic"]
        port net1-net1net2
            addresses: ["02:ac:10:ff:01:29"]
        port 99f619fc-29d2-4d40-8c28-4ce9291eb97a
            addresses: ["00:1a:4a:16:01:51 dynamic"]
    switch 6a0e7a92-8edc-44dd-970a-2b1f5c07647d (ovn_net2)
        port net2-net1net2
            addresses: ["02:ac:10:ff:01:93"]
        port 9b7a79a3-aa38-43b1-abd4-58370171755e
            addresses: ["00:1a:4a:16:01:54 dynamic"]
    router 59d79312-a434-4150-be46-285a9f37df8d (net1net2)
        port net2
            mac: "02:ac:10:ff:01:93"
            networks: ["192.168.10.1/24"]
        port net1
            mac: "02:ac:10:ff:01:29"
            networks: ["172.16.10.1/24"]
[root at ractorshe ~]#

And now vm1 is able to ping both the gateways ip on subn1 and subn2 and to
ssh into vm2
It remains a sort of spof the fact of the central ovn server, where the
logical router lives... but for initial testing it is ok

Thanks again,
Gianluca
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20170216/122df244/attachment.html>