Juniper Openstack

public FIP prefixes are reoriginated into SNAT VRF

Bug #1554175 reported by Sanju Abraham on 2016-03-07

This bug affects 2 people

	Status	Importance	Assigned to	Milestone
Juniper Openstack	Status tracked in Trunk
R2.20	Fix Committed	High	Suresh Balineni	Juniper Openstack r2.23 "r2.23"
R2.20.x	Won't Fix	High	Suresh Balineni
R2.21.x	Fix Committed	High	Suresh Balineni	Juniper Openstack r2.21.2
R2.22.x	Fix Committed	High	Suresh Balineni	Juniper Openstack r2.22.2
R3.0	Fix Committed	High	Suresh Balineni	Juniper Openstack r3.0.2.0
Trunk	Fix Committed	High	Suresh Balineni	Juniper Openstack r3.1.0.0-fcs

Bug Description

SNAT VRF has the public FIP (Floating IP) prefixes as they are re-originated because of the way SNAT is implemented as service chain.

To reproduce:
=============

1-> Create a public VN and make it external and shared.
2-> Use the public VN to associate FIP to VM
3-> Create neutron LR and assign public VN as the external gateway to LR
4-> SNAT instance and SNAT VRF gets created
5-> SNAT VRF will have public FIP routes in addtion to the public SNAT IP and the default route.

Problems:
=========

There are 2 related issues in this scenario:

1. Each SNAT VRF has all public FIP routes. If the number of LR/SNATs is
X and total number of public FIPs is Y, there are X*Y routes across all
SNAT VRFs. Each such route needs to be sent to 2 vRouters (active/backup).
Hence there's a 2*X*Y scaling issue.

Note that all these routes may also get advertised to the SDN GW if family
route-target is not enabled on the bgp sessions between CNs and GW.

2. The SNAT VRF mentioned above is actually the "left" VRF. There's also a
"right" VRF that gets created for the each SNAT. This VRF belongs to the
public VN and has a "connection" to the default VRF of the public VN. Thus
each such right VRF imports all public FIP routes. Further, since all such
right VRFs belong to the public VN, all routes in these VRFs are sent to
all Z vRouters that have either a public floating IP or active/backup SNAT
instance. Hence there's a X*Y*Z scaling issue.

Note that these routes don't get advertised to the SDN GW since they are
just copies of the original routes in the primary VRF of public VN.

Expectation:
============

SNAT left VRF should not have public FIP routes
SNAT right VRF should not have public FIP routes

Temporary Fix:
==============

Ignore the "connection" between the SNAT right VRF and the default VRF of
public VN. This addresses problem 2 above. Further, do not set VRF assign
rule for right interfaces of SNAT instance. This lets SNAT work properly
even though all the right VRFs are empty.

Solution:
=========

Do not create left/right VRFs for SNAT i.e. do not use service chaining
to implement SNAT.

Related Bugs:
=============

Also see the following:

Bug 1567752
Bug 1562200

See original description

Tags:

Nischal Sheth (nsheth) on 2016-03-07

tags:	added: config service-chain snat
information type:	Proprietary → Public

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-03-16: [Review update] master

Review in progress for https://review.opencontrail.org/18497
Submitter: Suresh Balineni (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-03-18: A change has been merged

Reviewed: https://review.opencontrail.org/18497
Committed: http://github.org/Juniper/contrail-controller/commit/4c1fe2abb622b817d1e45e8863e21194381f9af7
Submitter: Zuul
Branch: master

commit 4c1fe2abb622b817d1e45e8863e21194381f9af7
Author: Suresh Balineni <email address hidden>
Date: Sat Mar 12 13:45:24 2016 +0000

ST: Configure Service Instances routes in primary RI of left vn/SC

This enhancement will eliminate the case of duplicate routes getting populated in routers.

Change-Id: Ib79032841004444160c9e4766588ae749a05147a
Closes-Bug: #1554175

Changed in juniperopenstack:
milestone:	none → r3.1.0.0-fcs

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-03-18: [Review update] R3.0

#11

Review in progress for https://review.opencontrail.org/18538
Submitter: Suresh Balineni (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-03-24:

#13

Review in progress for https://review.opencontrail.org/18750
Submitter: Suresh Balineni (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-03-30: [Review update] R2.21.x

#17

Review in progress for https://review.opencontrail.org/18892
Submitter: Suresh Balineni (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-01:

#23

Review in progress for https://review.opencontrail.org/18999
Submitter: Nischal Sheth (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-02: A change has been merged

#24

Reviewed: https://review.opencontrail.org/18999
Committed: http://github.org/Juniper/contrail-controller/commit/6c5d5b925256cab7f2ab473bb2189a46391aa995
Submitter: Zuul
Branch: R2.21.x

commit 6c5d5b925256cab7f2ab473bb2189a46391aa995
Author: Nischal Sheth <email address hidden>
Date: Thu Mar 31 11:53:55 2016 -0700

Temporary workaround for FIP + SNAT scaling problem

Ignore connection links for non-default routing instances of virtual
networks with router-external set. This stops unnecessary import of
routes into non-default instances of external networks and subsequent
download to all vrouters that have FIP or SNAT. The instances are not
used in the forwarding path anyway.

Enable this behavior under control of a new optimize_snat option in
contrail-control.conf.

Proper fix is to not create service chains for SNAT and to not create
these service routing instances for service chains where the last SI
is a NAT (Launchpad bug 1562200).

Change-Id: Ie64bae9a7b2284b36e0b26563da4677eaa7f9157
Partial-Bug: 1554175
Related-Bug: 1562200

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-02: [Review update] R2.21.x

#25

Review in progress for https://review.opencontrail.org/19022
Submitter: Sachin Bansal (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-02: A change has been merged

#27

Reviewed: https://review.opencontrail.org/19022
Committed: http://github.org/Juniper/contrail-controller/commit/78ec1c86e79a1be018b58f03001cea9fdae79f47
Submitter: Zuul
Branch: R2.21.x

commit 78ec1c86e79a1be018b58f03001cea9fdae79f47
Author: Sachin Bansal <email address hidden>
Date: Sat Apr 2 07:56:42 2016 -0700

Do not set VRF assign rules for right interfaces of nat instances

We are planning not to link service RI with the primary RI of the
right networks of in-network-nat instances. We should also not
set VRF assign rules.

Change-Id: I11ad075a2d91e5da18094612a2c5935366197c94
Partial-Bug: 1554175
Related-Bug: 1562200

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-05: [Review update] R2.21.x

#28

Review in progress for https://review.opencontrail.org/18892
Submitter: Suresh Balineni (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-05: [Review update] master

#30

Review in progress for https://review.opencontrail.org/19073
Submitter: Sachin Bansal (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-05: [Review update] R2.20.x

#31

Review in progress for https://review.opencontrail.org/19075
Submitter: Suresh Balineni (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-05: [Review update] R2.20

#33

Review in progress for https://review.opencontrail.org/19076
Submitter: Suresh Balineni (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-05: [Review update] R2.22.x

#35

Review in progress for https://review.opencontrail.org/19077
Submitter: Suresh Balineni (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-05: [Review update] master

#37

Review in progress for https://review.opencontrail.org/19073
Submitter: Sachin Bansal (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-06: A change has been merged

#39

Reviewed: https://review.opencontrail.org/19076
Committed: http://github.org/Juniper/contrail-controller/commit/e5eaa8349b71ac668c43948171292b54dbd61af3
Submitter: Zuul
Branch: R2.20

commit e5eaa8349b71ac668c43948171292b54dbd61af3
Author: Suresh Balineni <email address hidden>
Date: Wed Mar 30 18:00:50 2016 +0000

ST: Configure Service Instances routes in primary RI of left vn/SC

This enhancement will eliminate the case of duplicate routes getting populated in routers.

Change-Id: Ieac76fd1f0d417832efeaebb893888eeed896b90
Closes-Bug: #1554175

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-06:

#40

Reviewed: https://review.opencontrail.org/19073
Committed: http://github.org/Juniper/contrail-controller/commit/0354c2bd8177d6e15f9d6e7621e58dfebf656cd3
Submitter: Zuul
Branch: master

commit 0354c2bd8177d6e15f9d6e7621e58dfebf656cd3
Author: Sachin Bansal <email address hidden>
Date: Tue Apr 5 10:02:56 2016 -0700

Do not set VRF assign rules for right interfaces of nat instances

We are planning not to link service RI with the primary RI of the
right networks of in-network-nat instances. We should also not
set VRF assign rules.

Change-Id: I11ad075a2d91e5da18094612a2c5935366197c94
Partial-Bug: 1554175
Related-Bug: 1562200

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-07:

#41

Reviewed: https://review.opencontrail.org/19077
Committed: http://github.org/Juniper/contrail-controller/commit/2243b9801967f7a13cd4018cbae410cfc6a20445
Submitter: Zuul
Branch: R2.22.x

commit 2243b9801967f7a13cd4018cbae410cfc6a20445
Author: Suresh Balineni <email address hidden>
Date: Wed Mar 30 18:00:50 2016 +0000

ST: Configure Service Instances routes in primary RI of left vn/SC

This enhancement will eliminate the case of duplicate routes getting populated in routers.

Change-Id: I775f8cf538c1364a7a073bac3852f880302d9f0d
Closes-Bug: #1554175

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-07:

#42

Reviewed: https://review.opencontrail.org/18750
Committed: http://github.org/Juniper/contrail-controller/commit/9f7b2ebaec4a306c8f5101505447ab0ee1c2acfb
Submitter: Zuul
Branch: R3.0

commit 9f7b2ebaec4a306c8f5101505447ab0ee1c2acfb
Author: Suresh Balineni <email address hidden>
Date: Thu Mar 24 22:18:33 2016 +0000

ST: Configure Service Instances routes in primary RI of left vn/SC

This enhancement will eliminate the case of duplicate routes getting populated in routers.

Change-Id: I67815290b01ddc909fee8bc59e00546723cb0510
Closes-Bug: #1554175

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-07: [Review update] R2.21.x

#44

Review in progress for https://review.opencontrail.org/18892
Submitter: Suresh Balineni (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-08: [Review update] R3.0

#48

Review in progress for https://review.opencontrail.org/19178
Submitter: Sachin Bansal (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-08: [Review update] R2.22.x

#49

Review in progress for https://review.opencontrail.org/19183
Submitter: Suresh Balineni (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-08: [Review update] R2.20

#51

Review in progress for https://review.opencontrail.org/19184
Submitter: Suresh Balineni (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-09: A change has been merged

#53

Reviewed: https://review.opencontrail.org/19184
Committed: http://github.org/Juniper/contrail-controller/commit/17dd6f91feb2767cc29012b79d6a4a6c7904f1b4
Submitter: Zuul
Branch: R2.20

commit 17dd6f91feb2767cc29012b79d6a4a6c7904f1b4
Author: Suresh Balineni <email address hidden>
Date: Wed Mar 30 18:00:50 2016 +0000

ST: Configure Service Instances routes in primary RI of left vn/SC

This enhancement will eliminate the case of duplicate routes getting populated in routers.
This fix will also remove any existing service ris already created by the old software.

Change-Id: I8e62f6d91580a0805efaa844cc2b7fc01952129c
Closes-Bug: #1554175

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-12:

#54

Reviewed: https://review.opencontrail.org/19178
Committed: http://github.org/Juniper/contrail-controller/commit/0414ff422c0f1c973ef22f7131cb68bb0c3dc3e9
Submitter: Zuul
Branch: R3.0

commit 0414ff422c0f1c973ef22f7131cb68bb0c3dc3e9
Author: Sachin Bansal <email address hidden>
Date: Tue Mar 29 17:17:17 2016 -0700

Do not create right service RI for nat instances

If a service instance is in-network-nat mode, the traffic on the right side
is always routed in the primary RI. The service RI is not used for anything.
However, since all routes from primary RIs will still be copied into it.
With this commit, we won't create the right RI for such instances.

(cherry picked from commit 0db0a7186e59b2a2115200a61066ff32a1c92322)

Do not set VRF assign rules for right interfaces of nat instances

We are planning not to link service RI with the primary RI of the
right networks of in-network-nat instances. We should also not
set VRF assign rules.

Partial-Bug: 1554175
Closes-Bug: 1562200
(cherry picked from commit 0354c2bd8177d6e15f9d6e7621e58dfebf656cd3)

Change-Id: I3c043fcf8a9b585acac8ea8bcb449ea5c91879d6

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-12:

#56

Reviewed: https://review.opencontrail.org/19183
Committed: http://github.org/Juniper/contrail-controller/commit/83e6a6279e78b3386381893d3abddae167408392
Submitter: Zuul
Branch: R2.22.x

commit 83e6a6279e78b3386381893d3abddae167408392
Author: Suresh Balineni <email address hidden>
Date: Wed Mar 30 18:00:50 2016 +0000

ST: Configure Service Instances routes in primary RI of left vn/SC

This enhancement will eliminate the case of duplicate routes getting populated in routers.
This fix will also remove any existing service ris already created by the old software.

Change-Id: I8e62f6d91580a0805efaa844cc2b7fc01952129c
Closes-Bug: #1554175

Nischal Sheth (nsheth) on 2016-04-17

description:

updated

Nischal Sheth (nsheth) on 2016-04-17

description:

updated

Nischal Sheth (nsheth) on 2016-04-17

description:	updated
description:	updated

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-18: [Review update] master

#57

Review in progress for https://review.opencontrail.org/19406
Submitter: Nischal Sheth (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-18: [Review update] R3.0

#58

Review in progress for https://review.opencontrail.org/19407
Submitter: Nischal Sheth (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-18: [Review update] R2.20

#59

Review in progress for https://review.opencontrail.org/19408
Submitter: Nischal Sheth (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-18: [Review update] R2.22.x

#60

Review in progress for https://review.opencontrail.org/19409
Submitter: Nischal Sheth (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-20: A change has been merged

#61

Reviewed: https://review.opencontrail.org/19406
Committed: http://github.org/Juniper/contrail-controller/commit/9b5856efb0860240ae5021df0261999a0ea7ec85
Submitter: Zuul
Branch: master

commit 9b5856efb0860240ae5021df0261999a0ea7ec85
Author: Nischal Sheth <email address hidden>
Date: Mon Apr 18 13:28:56 2016 -0700

Parse optimize_snat for backward comptibility with R2.21.x

Change-Id: Ib230746eb4690bef77234a21c13661b21a1a6a8b
Partial-Bug: 1554175

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-21:

#62

Reviewed: https://review.opencontrail.org/19409
Committed: http://github.org/Juniper/contrail-controller/commit/a1108b7032b43e6590b1e371363adf4f55cb3e92
Submitter: Zuul
Branch: R2.22.x

commit a1108b7032b43e6590b1e371363adf4f55cb3e92
Author: Nischal Sheth <email address hidden>
Date: Mon Apr 18 13:28:56 2016 -0700

Parse optimize_snat for backward comptibility with R2.21.x

Change-Id: Ib230746eb4690bef77234a21c13661b21a1a6a8b
Partial-Bug: 1554175

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-21:

#63

Reviewed: https://review.opencontrail.org/19408
Committed: http://github.org/Juniper/contrail-controller/commit/866f9e0c7ccbf05324454e0dafc4b488678df0f5
Submitter: Zuul
Branch: R2.20

commit 866f9e0c7ccbf05324454e0dafc4b488678df0f5
Author: Nischal Sheth <email address hidden>
Date: Mon Apr 18 13:28:56 2016 -0700

Parse optimize_snat for backward comptibility with R2.21.x

Change-Id: Ib230746eb4690bef77234a21c13661b21a1a6a8b
Partial-Bug: 1554175

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-21:

#64

Reviewed: https://review.opencontrail.org/19407
Committed: http://github.org/Juniper/contrail-controller/commit/8cac2aef38c122fdc8cb22f1de275c8ade6fed9c
Submitter: Zuul
Branch: R3.0

commit 8cac2aef38c122fdc8cb22f1de275c8ade6fed9c
Author: Nischal Sheth <email address hidden>
Date: Mon Apr 18 13:28:56 2016 -0700

Parse optimize_snat for backward comptibility with R2.21.x

Change-Id: Ib230746eb4690bef77234a21c13661b21a1a6a8b
Partial-Bug: 1554175

Revision history for this message

Nischal Sheth (nsheth) wrote on 2016-04-21:

#65

Note that a complete fix, wherein we do not create a
service chain, has been committed to R2.0, R2.22.x,
R3.0 and master.

A partial fix, which provides most of the benefits of
the complete fix, has been committed to 2.21.x.

Revision history for this message

eon (eon-5) wrote on 2016-04-21:

#66

Nishal, R2.21.x will only get the partial fix ?

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-05-25:

#67

Reviewed: https://review.opencontrail.org/18892
Committed: http://github.org/Juniper/contrail-controller/commit/a5d230672f14daf7f07c1046bf5b18cde735c89a
Submitter: Zuul
Branch: R2.21.x

commit a5d230672f14daf7f07c1046bf5b18cde735c89a
Author: Suresh Balineni <email address hidden>
Date: Wed Mar 30 18:00:50 2016 +0000

ST: Configure Service Instances routes in primary RI of left vn/SC

This enhancement will eliminate the case of duplicate routes getting populated in routers.
This fix will also remove any existing service ris already created by the old software.

Change-Id: I86bd6de851e76c0605395c55c82b15de64108fc7
Closes-Bug: #1554175

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-05-25: [Review update] R2.21.x

#68

Review in progress for https://review.opencontrail.org/20633
Submitter: Suresh Balineni (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-05-26: A change has been merged

#70

Reviewed: https://review.opencontrail.org/20633
Committed: http://github.org/Juniper/contrail-controller/commit/722c68cecec36502d5ec28ad5642e14ce1ef8033
Submitter: Zuul
Branch: R2.21.x

commit 722c68cecec36502d5ec28ad5642e14ce1ef8033
Author: Suresh Balineni <email address hidden>
Date: Wed May 25 18:30:54 2016 +0000

[ST]: Reverting SNAT enhancement from R221x

Enahcenement described in bug-id 1554175 is not planned to support in R2.21.x and hence reverting it.

Change-Id: Ic379264e6053b2800bf410b2715ad43679be3f46
Closes-Bug: #1554175

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.