ML2 Mechanism Driver for the Cisco APIC¶
Launchpad blueprint:
https://blueprints.launchpad.net/neutron/+spec/ml2-cisco-apic-mechanism-driver
This blueprint is to introduce the Cisco APIC to OpenStack Neutron. The plugin is implemented as an ML2 mechanism driver.
Problem description¶
The APIC (Application Policy Infrastructure Controller) together with Cisco Nexus 9000 switches provides programmable, policy-driven network control.
The mechanism driver proposed here will interact with the APIC to dynamically manage networking for OpenStack instances. The APIC will intelligently configure the hardware layer and manage VXLAN overlays for networks. VXLAN gateways will be implemented by the controller at the top of rack layer to reduce encapsulation latency in the software switch layer.
Use Cases:
- Application centric policy based networking
- External controller managed network fabric
- VXLAN Overlay networks
Proposed change¶
The diagram below provides a high level overview of how the APIC plugin will integrate into a working environment consisting of multiple hosts with virtual switches connected by a fabric of Nexus 9000 switches. The APIC Mechanism Driver for ML2 communicated with the APIC via its REST API.
Flows:
+–––––––––––––––––––––––––+
| |
| Neutron Server |
| with ML2 Plugin |
| |
| +–––––––––––+ |
+–––––––+ | APIC | |
| | | Mechanism | | +–––––––––––––––––+
| | | Driver | | | |
| +––––+ +––+–––––––––––+––+ REST API | Cisco |
| | | | APIC Client +––––––––––––––––––+ APIC |
| | +–––––––+–––––––––––––––––+ | |
| | | |
| | +–––+–––+–––––––––+
| | +–––––––––––+––––––––––––––+ | |
| +––––+ L2 Agent | Open vSwitch +–––––+ | |
| +–––––––––––+––––––––––––––+ | | |
| | | | | |
| | HOST 1 | | | |
| | | | +––––––––+–––|––––––+
| +––––––––––––––––––––––––––+ | | | |
| +––––––+ +–––––––––+––––––+––+
| | | |
| +––––––––––+–––––––––––––––+ | | Cisco |
+–––––––+ L2 Agent | Open vSwitch +––––––––––––+ | Nexus 9000 |
+––––––––––+–––––––––––––––+ | | Switches |
| | +––+ |
| HOST 2 | | |
| | +–––––––––––––––––––+
+––––––––––––––––––––––––––+
The APIC mechanism driver updates the APIC with port, network and subnet changes from Neutron. The APIC configures the physical switch fabric.
The APIC mechanism driver is designed to operate together with the OVS mechanism driver for handling network operations and port binding on the compute nodes.
The APIC mechanism driver implements the following Neutron events:
- Port create/update for compute instances. (Note: the driver does not handle port binding – that is left to the OVS driver.)
- Network create/delete.
- Subnet create.
Alternatives¶
An alternative solution would be to develop a monolithic plugin. The biggest advantage of using the ML2 mechanism driver approach is that it allows us to easily use the existing OVS agent for virtual switching.
Data model impact¶
Three new models are created by this driver. These models are specific to this driver and are used for keeping in sync with the APIC.
- NetworkEPG: Tracks network to End Point Group mapping in the APIC.
- PortProfile: Tracks hardware switch/module/port configuration.
- TenantContract: Tracks contracts and filters created on the APIC.
A database migration is included to create the tables for these models.
No existing models are changed.
REST API impact¶
None.
Security impact¶
None.
Notifications impact¶
None.
Other end user impact¶
None.
Performance Impact¶
The performance of ML2 when configured with the APIC driver will be dependent on the performance of the link between Neutron and the APIC, and on the responsiveness of the APIC itself.
Other deployer impact¶
The deployer must configure the installation to use the APIC with the following configuration variables:
- IP address and port number of the APIC.
- Username and password to login as administrator to the APIC.
- VLAN namespace and ranges to be used for OpenStack.
- Node, entity and function profiles describing the switch fabric infrastructure.
- Switch-to-host mappings for the compute nodes.
Additionally, the deployer must configure the ML2 plugin to include the openvswitch mechanism driver before the APIC mechanism driver:
[ml2]
mechanism_drivers = openvswitch,cisco_apic
Developer impact¶
None.
Implementation¶
Work Items¶
The work is split up into two parts:
- APIC Client, models, configuration, unit tests.
- The APIC Client is a REST Client to the APIC. It maps requests to the “Managed Object” model of the APIC. Only the subset of the full APIC model needed by the driver is provided.
- APIC mechanism driver and supporting code.
- The mechanism driver implements the port, network and subnet methods that affect the APIC. It maps Neutron operations into operations for the APIC.
- Supporting code consists of an APIC manager that ensures the APIC state is in sync with Neutron.
Dependencies¶
There are no new library requirements. The following third party library is used:
- requests
Testing¶
Complete unit test coverage of the code is included.
For tempest test coverage, third party testing is provided. The Cisco CI reports on all changes affecting this driver. The testing is run in a setup with an OpenStack deployment (devstack) connected to a live APIC and a Cisco Nexus 9000 physical switch.
Documentation Impact¶
Configuration details.
References¶
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.