neutron/doc/source/admin/config-dvr-ha-snat.rst

Distributed Virtual Routing with VRRP

deploy-ovs-ha-dvr supports augmentation using Virtual Router Redundancy Protocol (VRRP). Using this configuration, virtual routers support both the --distributed and --ha options.

Similar to legacy HA routers, DVR/SNAT HA routers provide a quick fail over of the SNAT service to a backup DVR/SNAT router on an l3-agent running on a different node.

SNAT high availability is implemented in a manner similar to the deploy-lb-ha-vrrp and deploy-ovs-ha-vrrp examples where keepalived uses VRRP to provide quick failover of SNAT services.

During normal operation, the master router periodically transmits heartbeat packets over a hidden project network that connects all HA routers for a particular project.

If the DVR/SNAT backup router stops receiving these packets, it assumes failure of the master DVR/SNAT router and promotes itself to master router by configuring IP addresses on the interfaces in the snat namespace. In environments with more than one backup router, the rules of VRRP are followed to select a new master router.

Warning

There is a known bug with keepalived v1.2.15 and earlier which can cause packet loss when max_l3_agents_per_router is set to 3 or more. Therefore, we recommend that you upgrade to keepalived v1.2.16 or greater when using this feature.

Note

Experimental feature or incomplete documentation.

Configuration example

The basic deployment model consists of one controller node, two or more network nodes, and multiple computes nodes.

Controller node configuration

1. Add the following to /etc/neutron/neutron.conf:

   [DEFAULT]
   core_plugin = ml2
   service_plugins = router
   allow_overlapping_ips = True
   router_distributed = True
   l3_ha = True
   l3_ha_net_cidr = 169.254.192.0/18
   max_l3_agents_per_router = 3

   When the router_distributed = True flag is configured, routers created by all users are distributed. Without it, only privileged users can create distributed routers by using --distributed True.

   Similarly, when the l3_ha = True flag is configured, routers created by all users default to HA.

   It follows that with these two flags set to True in the configuration file, routers created by all users will default to distributed HA routers (DVR HA).

   The same can explicitly be accomplished by a user with administrative credentials setting the flags in the neutron router-create command:

   $ neutron router-create name-of-router --distributed=True --ha=True

   Note

   The max_l3_agents_per_router determine the number of backup DVR/SNAT routers which will be instantiated.

2. Add the following to /etc/neutron/plugins/ml2/ml2_conf.ini:

   [ml2]
   type_drivers = flat,vxlan
   tenant_network_types = vxlan
   mechanism_drivers = openvswitch,l2population
   extension_drivers = port_security
   
   [ml2_type_flat]
   flat_networks = external
   
   [ml2_type_vxlan]
   vni_ranges = MIN_VXLAN_ID:MAX_VXLAN_ID

   Replace MIN_VXLAN_ID and MAX_VXLAN_ID with VXLAN ID minimum and maximum values suitable for your environment.

   Note

   The first value in the tenant_network_types option becomes the default project network type when a regular user creates a network.

Network nodes

1. Configure the Open vSwitch agent. Add the following to /etc/neutron/plugins/ml2/openvswitch_agent.ini:

   [ovs]
   local_ip = TUNNEL_INTERFACE_IP_ADDRESS
   bridge_mappings = external:br-ex
   
   [agent]
   enable_distributed_routing = True
   tunnel_types = vxlan
   l2_population = True

   Replace TUNNEL_INTERFACE_IP_ADDRESS with the IP address of the interface that handles VXLAN project networks.

2. Configure the L3 agent. Add the following to /etc/neutron/l3_agent.ini:

   [DEFAULT]
   ha_vrrp_auth_password = password
   interface_driver = openvswitch
   external_network_bridge =
   agent_mode = dvr_snat

   Note

   The external_network_bridge option intentionally contains no value.

Compute nodes

1. Configure the Open vSwitch agent. Add the following to /etc/neutron/plugins/ml2/openvswitch_agent.ini:

   [ovs]
   local_ip = TUNNEL_INTERFACE_IP_ADDRESS
   bridge_mappings = external:br-ex
   
   [agent]
   enable_distributed_routing = True
   tunnel_types = vxlan
   l2_population = True
   
   [securitygroup]
   firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver

2. Configure the L3 agent. Add the following to /etc/neutron/l3_agent.ini:

   [DEFAULT]
   interface_driver = openvswitch
   external_network_bridge =
   agent_mode = dvr

   Replace TUNNEL_INTERFACE_IP_ADDRESS with the IP address of the interface that handles VXLAN project networks.

Keepalived VRRP health check

Known limitations

• Migrating a router from distributed only, HA only, or legacy to distributed HA is not supported at this time. The router must be created as distributed HA. The reverse direction is also not supported. You cannot reconfigure a distributed HA router to be only distributed, only HA, or legacy.
• There are certain scenarios where l2pop and distributed HA routers do not interact in an expected manner. These situations are the same that affect HA only routers and l2pop.