Avi Vantage and VMware Integrated OpenStack Integration

This article covers key points in the configuration of the Avi Vantage Controller in a VMware-supported OpenStack distribution. It provides insights into the underlying interoperation and capabilities from a high level about both the products. Avi Vantage features discussed herein are valid as of release 17.1.7 and have been verified on VMware Integrated OpenStack version 4.0.

What is VMware Integrated OpenStack (VIO)?

VMware Integrated OpenStack is a VMware-supported OpenStack distribution (distro) that makes it easier for IT to run a production-grade OpenStack-based deployment on top of their existing VMware infrastructure. Building on their existing expertise, VMware administrators can foster innovation and agility by providing their developers with simple vendor-neutral OpenStack APIs on top of VMware’s best-of-breed software-defined data center (SDDC) infrastructure. Key administrative capabilities, including install, upgrade, troubleshooting, and cost-visibility are provided via deep integration with already familiar VMware management tools, enabling fast time to innovation and lower total cost of ownership.

Figure 1. VMware Integrated OpenStack Architecture

Configuration Steps

Install VIO Plug-in into VMware NSX

Once the plug-in has been successfully installed, the VIO icon will appear in the Inventories section of the vSphere Web Client home page as shown below.

Figure 2. vSphere Web Client Home Page

Avi Vantage Configuration for VIO

1. Cloud Configuration

Log into the Avi Controller to configure the OpenStack cloud. Select VMware ESX Hypervisor in the Hypervisor Type field and VMDK in the Service Engine Image Format field.

Figure 3. Avi UI Cloud Editor

The shell equivalent to configure these options follows:


hypervisor vmware_esx
img_format os_img_fmt_vmdk
save
save

Note: VIO supports both VMDK and flat disk formats for the Avi SE image.

2. Verify Supported Neutron Extensions

On the OpenStack Controller, use the neutron ext-list command to:

  • Check if port-security is supported.
  • Check if allowed-address-pair is supported.

Below is an example.

Figure 4. Output of the neutron ext-list command

3. Verify VIPs

Try VIPs with port_security enabled in the Avi Vantage cloud config (with se_tunnel_mode always ON, i.e., set to 1). Note that when port_security is enabled, Avi Vantage automatically ignores the security_groups and allowed_address_pairs settings.

The below excerpt from a show command reveals current OpenStack security settings:


show cloud myos
+---------------------------+--------------------------------------------+
| Field                     | Value                                      |
+---------------------------+--------------------------------------------+
| uuid                      | cloud-7895da70-4689-4855-bfd2-ae1f139c1de5 |
| name                      | myos                                       |
| vtype                     | CLOUD_OPENSTACK                            |
| openstack_configuration   |                                            |
|   port_security           | True                                       |
|   security_groups         | True                                       |
|   allowed_address_pairs   | True                                       |
...

4. When port_security doesn’t apply

If port_security doesn’t work or is not supported, disable the port_security option and use the allowed_address_pairs option instead.

  • Disable the virtual service(s), delete any existing SEs
  • Disable port_security and enable allowed_address_pairs in the Avi cloud config (with se_tunnel_mode ON)
  • Re-enable the virtual service(s)

The below excerpt from a show command shows the resulting settings:


show cloud myos
+---------------------------+--------------------------------------------+
| Field                     | Value                                      |
+---------------------------+--------------------------------------------+
| uuid                      | cloud-7895da70-4689-4855-bfd2-ae1f139c1de5 |
| name                      | myos                                       |
| vtype                     | CLOUD_OPENSTACK                            |
| openstack_configuration   |                                            |
|   port_security           | False                                      |
|   security_groups         | True                                       |
|   allowed_address_pairs   | True                                       |
...
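
As an added example (not code from the article or from Avi), the following Python check parses the neutron ext-list output from step 2 and the show cloud excerpts from steps 3 and 4, and flags an Avi cloud configuration that relies on a Neutron extension the backend does not advertise. The table contents embedded below are constructed and abridged.

```python
# Constructed, abridged sample of `neutron ext-list` output (a real listing has many more rows)
NEUTRON_EXT_LIST = """\
+-----------------------+-----------------------+
| alias                 | name                  |
+-----------------------+-----------------------+
| port-security         | Port Security         |
| allowed-address-pairs | Allowed Address Pairs |
+-----------------------+-----------------------+
"""

# Constructed copy of the `show cloud myos` excerpt from the article (the step 3 state)
SHOW_CLOUD = """\
+---------------------------+-----------------+
| Field                     | Value           |
+---------------------------+-----------------+
| name                      | myos            |
| openstack_configuration   |                 |
|   port_security           | True            |
|   security_groups         | True            |
|   allowed_address_pairs   | True            |
"""

def parse_table(text):
    """Return (col1, col2) pairs from an ASCII CLI table, skipping borders and the header row."""
    rows = []
    for line in text.splitlines():
        if line.startswith("|"):  # ignores border lines and a trailing "..."
            cells = [c.strip() for c in line.strip("|").split("|")]
            if len(cells) >= 2:
                rows.append((cells[0], cells[1]))
    return rows[1:]

def neutron_extensions(ext_list_output):
    return {alias for alias, _ in parse_table(ext_list_output)}  # advertised aliases

def avi_openstack_flags(show_cloud_output):
    wanted = ("port_security", "security_groups", "allowed_address_pairs")
    return {f: v == "True" for f, v in parse_table(show_cloud_output) if f in wanted}

def check_cloud_config(ext_list_output, show_cloud_output):
    """Findings (empty == consistent) comparing the Avi cloud flags with what Neutron supports."""
    exts, flags = neutron_extensions(ext_list_output), avi_openstack_flags(show_cloud_output)
    findings = []
    if flags.get("port_security") and "port-security" not in exts:
        findings.append("port_security is True but Neutron lacks port-security: use the step 4 fallback")
    if not flags.get("port_security") and not flags.get("allowed_address_pairs"):
        findings.append("neither port_security nor allowed_address_pairs is True: matches neither step 3 nor 4")
    if flags.get("allowed_address_pairs") and "allowed-address-pairs" not in exts:
        findings.append("allowed_address_pairs is True but Neutron lacks allowed-address-pairs")
    return findings
```

Feed it the real command output captured from the OpenStack Controller and the Avi shell to confirm the cloud is in the step 3 or step 4 state before re-enabling the virtual services.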

5. If scale out or active-active HA fails

If scale out or active-active HA doesn’t work for any reason with the configuration from step 3 or step 4 above, try IP encapsulation instead of MAC-in-MAC tunneling between the SEs. Take these steps:

  • Disable the virtual service(s), delete any existing SEs
  • Enable IP encapsulation for inter-SE traffic by setting se_ip_encap_ipc to 1 (always on) instead of layer-2 MAC-in-MAC. Refer to the commands in the below example.
  • Re-enable the virtual service(s)

The CLI commands to enable tunneling follow:


configure serviceengineproperties
se_bootup_properties
se_ip_encap_ipc 1
save
save

6. If port_security works, try se_tunnel_mode with port_security enabled.

  • Disable the virtual service(s), delete any existing SEs
  • Set the se_tunnel_mode option to 2 (i.e., tunneling always OFF)
  • Re-enable the virtual service(s)

Set the option on an SE-group basis:


configure serviceenginegroup Default-Group
se_tunnel_mode 2
save

Known Issues With VIO

VIO 4 with Ocata has a known issue handling the dynamic interface-detach of ports with port_security=False. Contact VMware to get the fix.

Symptom: If all networks have been provisioned as port_security=False, then detach doesn’t cause an issue. If any of the management or data networks are set to port_security=True, then any detach (of any vNIC) seems to disrupt the traffic to the vNIC on the network with port_security=True.

Updated: 2017-12-15 14:07:09 +0000