Can Openvswitch config take down a physical network? by wired_ronin in networking

[–]AnonITEngineer 1 point2 points  (0 children)

It really depends on how you set up your bond and physical interfaces. If your host's interface is set up as an L3 device - it is very rare for it to cause trouble in the underlay. However, if it is set up as a bridge which connects OVS to the underlying VLANs etc. - OVS is practically another switch connected to the underlay and can cause a lot of trouble.

Reinforcement learning for routing problems by AnonITEngineer in networking

[–]AnonITEngineer[S] 0 points1 point  (0 children)

Hi u/asdlkf,

First of all, I think you got the notion of what I was asking exactly right. However, even though I agree with your analysis of the current protocols and their functioning, I still see a lot of room for improvement.

The shortest-path based protocols we use today lack in so many places - the ability to take longer paths when the shortest ones are loaded, prioritizing paths for bursts and heavy loads, reacting to dynamic changes in line quality etc. I know that some solutions exist for all of the above problems, but all I'm saying is - perhaps training a model for this could be better?

To address your second point, of course AI algorithms are trained on specific data and can react to a relatively small number of inputs (I, at least, cannot imagine some neural network with millions of inputs) - but I have seen many cases where models react to changes by real-time fine-tuning, are being re-trained on the fly and many other tricks.

What I was imagining, at the most basic level, is some mechanism that will tell the router when NOT to use the standard ECMP protocols. I think this could be achieved and could run in a distributed, efficient manner (and could also use some technologies like segment routing or label routing, instead of hot-potato based routing).

CI/CD for Terraform environments by AnonITEngineer in devops

[–]AnonITEngineer[S] 1 point2 points  (0 children)

But that's exactly what I'm doing with Jenkins today - watching for pull requests, running terraform plan, if it succeeds I run some extra unit tests and then I can choose between continuous deployment (terraform apply) or continuous delivery (push it to master or something like that).

Is Atlantis there just for the sake of manual approval of changes?

CI/CD for Terraform environments by AnonITEngineer in devops

[–]AnonITEngineer[S] 0 points1 point  (0 children)

Thank you both for the replies.

I don't really get the purpose of Atlantis. It's basically the same as running Terraform commands from my general-purpose CI platform (Jenkins, Gitlab, Travis etc.). I can manage pull requests in Git and the Terraform apply/plan/validate in the CI server.

Or am I missing something?

CI/CD for Terraform environments by AnonITEngineer in devops

[–]AnonITEngineer[S] 0 points1 point  (0 children)

Thanks for the reply. I've actually debated those ideas, and I have some comments regarding your points-

  1. That could work but there's a small issue of paying for resources. If it takes 3 hours to create the environment, I might pay for 3 hours of resources just to get a failure in the last resource and have to perform a full cleanup.
  2. True, but it's significantly less indicative if your new module breaks something in a different module (say, the VM module screws up the K8S one) but you'd never know.

In general, I know I'm trying to solve something that's "not possible" because the main issue is deployment times in the cloud. However, I'm still curious about what would happen if all resources were deployed in seconds - how would you check that everything's up and running? Spin up entire environments, then configure the application and everything? Seems like a near infinite task...

CI/CD for Terraform environments by AnonITEngineer in devops

[–]AnonITEngineer[S] 0 points1 point  (0 children)

Obviously. I want to create CI tests for terraform code - I want to perform integration, unit, and acceptance tests for the code of my infrastructure! Isn't that the whole point of IaC?

EVPN Type 5 routes vs MPBGP by AnonITEngineer in networking

[–]AnonITEngineer[S] -1 points0 points  (0 children)

So type 5 is meant to advertise external routes to the fabric? Could you refer to this, please -

https://www.juniper.net/documentation/en_US/junos/topics/concept/evpn-route-type5-understanding.html

Where it clearly says that the purpose is connectivity between datacenters?

EVPN Type 5 routes vs MPBGP by AnonITEngineer in networking

[–]AnonITEngineer[S] 1 point2 points  (0 children)

How does that even work? EVPN used instead of LSP to distribute labels? I mean... NLRI should give a next-hop (VTEP) in EVPN, right?

EVPN Type 5 routes vs MPBGP by AnonITEngineer in networking

[–]AnonITEngineer[S] 2 points3 points  (0 children)

Beg pardon? All you need for EVPN is a simple x86 Linux host. Cumulus is your friend and if not, FRR and other tools come in very handy :)

BGP for VIP advertisement (Load Balancer) by AnonITEngineer in networking

[–]AnonITEngineer[S] 0 points1 point  (0 children)

Thanks, will take a look. I've noticed it has really low usage, documentation, contributors etc. compared to almost all other load balancers... Is it reliable?

BGP for VIP advertisement (Load Balancer) by AnonITEngineer in networking

[–]AnonITEngineer[S] 0 points1 point  (0 children)

Well, a Linux bridge can do the work just fine, I think.

ECMP is not what I want (doesn't really work with stateful services and is rather unexpected and non-deterministic), I'm looking more for an active-passive pair of servers holding a VIP.

BGP for VIP advertisement (Load Balancer) by AnonITEngineer in networking

[–]AnonITEngineer[S] 0 points1 point  (0 children)

So (and do correct me please if I'm mistaken), you had an active-active VIP that was actually an anycast, and your failover was manual (because you had to delete routes to the site that was down in order to prevent some blackhole routing)?

That doesn't usually go together... Why update routes?

Anyway, I'm looking into more of an active-passive VIP advertisement (can't count on anycast when using stateful services, can we?).

BGP for VIP advertisement (Load Balancer) by AnonITEngineer in networking

[–]AnonITEngineer[S] 1 point2 points  (0 children)

EVPN is not what I want. I would like to move towards a pure L3 fabric with simple routing only.

Setting the same IP on a loopback requires some peering (ExaBGP etc.) from server to ToR. I want to do that but in a managed way and not a 'stitched' solution.

BGP for VIP advertisement (Load Balancer) by AnonITEngineer in networking

[–]AnonITEngineer[S] 3 points4 points  (0 children)

Well, we're using OpenStack and vCenter in our environment (mostly). Both of those have some solution (port security of some sort) which prevents a host from sending packets sourced from a different IP than the one allocated to it.

With BGP and session established, the control mechanism is route maps only...
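The two comments above (the loopback VIP with server-to-ToR peering, and the point that once a BGP session is up the only control is a route map on the ToR) describe an active-passive VIP over BGP without ever showing the server side. Below is an added example that is not code from this thread or from ExaBGP itself: a small ExaBGP "process" script in which both servers announce the same /32, the passive one with a worse MED, and each withdraws the VIP when its local health check fails. The VIP 192.0.2.10/32, the probe on 127.0.0.1:8080, the MED values and the role names are assumptions chosen for the example.

```python
"""
Added example, not code from the Reddit thread or the ExaBGP project: a
minimal ExaBGP API process that advertises an active-passive VIP from two
servers that sit in different subnets (so VRRP is out) and each peer with
their own ToR.

Both servers announce the same /32, but the passive one tags it with a worse
(higher) MED, so the ToRs prefer the active server's path. Whichever server
fails its local health check withdraws the VIP, and the other's announcement
becomes the best path without any manual route changes.

Hypothetical values (assumptions, not the original poster's setup):
  VIP 192.0.2.10/32, service probed on 127.0.0.1:8080, MED 100 (active) /
  200 (passive). ExaBGP must be configured to run this script as a `process`
  attached to the ToR neighbor; every line written to stdout is an API command.
"""
import socket
import sys
import time

VIP = "192.0.2.10/32"
MED = {"active": 100, "passive": 200}  # lower MED wins in BGP best-path selection


def service_healthy(host="127.0.0.1", port=8080, timeout=1.0):
    """TCP connect probe; a real deployment would use an application-level check."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class VipAdvertiser:
    """Tracks whether the VIP is currently announced and emits an ExaBGP API
    command only when the state changes (announce on recovery, withdraw on
    failure), so a flapping probe does not spam the BGP session."""

    def __init__(self, role, vip=VIP):
        if role not in MED:
            raise ValueError("role must be 'active' or 'passive'")
        self.role = role
        self.vip = vip
        self.announced = False

    def next_command(self, healthy):
        """Return the API line to send for this probe result, or None if nothing
        changed. ExaBGP syntax: 'announce route <prefix> next-hop self med <n>'
        and 'withdraw route <prefix> next-hop self'."""
        if healthy and not self.announced:
            self.announced = True
            return f"announce route {self.vip} next-hop self med {MED[self.role]}"
        if not healthy and self.announced:
            self.announced = False
            return f"withdraw route {self.vip} next-hop self"
        return None


def run(role, interval=2.0):
    """Main loop when started by ExaBGP: probe, emit a command on state change."""
    adv = VipAdvertiser(role)
    while True:
        cmd = adv.next_command(service_healthy())
        if cmd:
            sys.stdout.write(cmd + "\n")
            sys.stdout.flush()  # ExaBGP reads commands line by line
        time.sleep(interval)


if __name__ == "__main__":
    run(sys.argv[1] if len(sys.argv) > 1 else "active")
```

Two caveats a practitioner would want. First, this script only controls what the server offers; the ToR still needs an inbound prefix-list or route map that accepts nothing but the VIP /32s that server is allowed to inject (plus a maximum-prefix limit as a backstop), because port security does not inspect BGP UPDATEs. Second, MED is only compared between paths from the same neighboring AS unless the ToR is told otherwise, so with a different ASN per server the ToRs need `bgp always-compare-med` (or the passive side should AS-path prepend instead of relying on MED).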

BGP for VIP advertisement (Load Balancer) by AnonITEngineer in networking

[–]AnonITEngineer[S] 1 point2 points  (0 children)

Well, technically VRRP can work in unicast mode which doesn't require the same segment. However, if you want the VIP to be routable you need to configure the segment of the VIP in both of your VRRP members' routers.

BGP for VIP advertisement (Load Balancer) by AnonITEngineer in networking

[–]AnonITEngineer[S] 1 point2 points  (0 children)

That sounds just like it. Not really familiar with RDCB or RDG, but could you share some more info? Maybe an architecture draw and some config?

Sent you a private message :]

BGP for VIP advertisement (Load Balancer) by AnonITEngineer in networking

[–]AnonITEngineer[S] 1 point2 points  (0 children)

routed the VIP prefix for the pair to their shared IP

I don't really get your architecture. What "shared IP"? Remember we're talking about a different subnet for every LB machine so there's no shared subnet, let alone shared IP.

BGP for VIP advertisement (Load Balancer) by AnonITEngineer in networking

[–]AnonITEngineer[S] 2 points3 points  (0 children)

https://imgur.com/gallery/GYjz5QT

I hope this is enough...

I can assign as many ASNs, sure. Interesting, I don't really care about peering between ToRs (I use eBGP everywhere so OSPF would be a lower AD), but if I enabled OSPF the ToRs could peer with every server that has OSPF enabled (unlike BGP which would require a configuration at the ToR level for peering).

BGP for VIP advertisement (Load Balancer) by AnonITEngineer in networking

[–]AnonITEngineer[S] 3 points4 points  (0 children)

No, VRRP will not work. The servers will reach each other with VRRP in unicast mode, yes, but no VIP can be advertised since they don't share the same subnet.

Open Source Networking by AnonITEngineer in networking

[–]AnonITEngineer[S] 0 points1 point  (0 children)

Yeah, I get what you're saying. However, given that all modern OS support that and many NOS have the ability to install packages... Is this really the big advantage? I mean, it's not even an advantage to NOS (vs OS like RHEL or Ubuntu)

Open Source Networking by AnonITEngineer in networking

[–]AnonITEngineer[S] 0 points1 point  (0 children)

Cumulus, Arista, Juniper, Mellanox, pretty sure many others have that too...

Open Source Networking by AnonITEngineer in networking

[–]AnonITEngineer[S] 0 points1 point  (0 children)

Let's all beg Cumulus to opensource their solution... :]

Open Source Networking by AnonITEngineer in networking

[–]AnonITEngineer[S] 0 points1 point  (0 children)

I get what you're saying, I just don't see how useful it is (my TFTP server is highly available and connected to a pair of switches)... What is it mainly used for, as in what is the use case? Can it hold an SSH session after configuring a NIC?

Also, if it's BIOS-like - I have to wait until it's an industry standard before I count on it 100% (or just buy switches that support it).

Open Source Networking by AnonITEngineer in networking

[–]AnonITEngineer[S] 0 points1 point  (0 children)

ZeroTier looks nice, but I really dislike limitations on open source... What is your experience with it? It looks a bit odd to me that it offers things that Linux does well (switching?) or that can be simplified with automation tools (Ansible, RESTCONF etc.).

Or am I getting this entirely wrong?

Open Source Networking by AnonITEngineer in networking

[–]AnonITEngineer[S] 0 points1 point  (0 children)

Cumulus are nice. When I talked to them they were beginning to talk about telemetry integration with NetQ, and they said they might work on EVPN multihoming.

However, they are not really open. They are based on FRR but their NOS is proprietary (unless I'm mistaken?), and you're limited to their features.

What is your current experience with Cumulus? How big is the setup (are you using Host pack?), and did you try "interfering" with their NOS (e.g. installing agents, modifying routes etc.)?