VIO limitations with VDS networking

Earlier this month, I shared a post about my experiences with deploying VIO, VMware Integrated OpenStack. One of the issues I highlighted was the fact that when I tried to create a network, it failed with a very unhelpful error message. The reason the network creation failed was due to a limitation with using a distributed switch (VDS). Instead I had to create what was known as a “provider network”, which is a special step needed for VDS networking. I am in the midst of an OpenStack training, and I’m trying to relate what I am learning in the training class to my VIO deployment. What I’m finding is that there are a number of limitations when using VIO with a distributed switch, which is making it difficult to try out some of the concepts and lab exercises covered in the training class.

For example, if you deploy VIO with a VDS-based network, tenants (projects) do not have the ability to create their own private L2 networks (as we have already seen). In addition, with VDS-based networking, you do not have the ability to deliver L3 and higher networking services such as virtual routers, security groups, and floating IPs.

Quickly, it might be worth explaining what a floating IP is. Think of a scenario where there are a bunch of VMs in a private network, but they pass through a router which NATs their IPs to an external IP address so that they can gain access to the external/public network. These external IPs on the NAT/router are referred to as floating IPs. The IP addresses that the VMs have on the private network are referred to as fixed IPs (although they may have been allocated by DHCP). Hopefully the diagram below shows this in a bit more detail.
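The fixed/floating translation described above can be modelled in a few lines. This is an added example, not code from VIO or OpenStack; the class name, the one-to-one association, and the sample addresses (RFC 5737 documentation ranges) are assumptions made for illustration.

```python
import ipaddress

class FloatingIPRouter:
    """Toy model of a virtual router mapping fixed IPs to floating IPs (assumed 1:1)."""

    def __init__(self, private_cidr, floating_pool):
        self.private_net = ipaddress.ip_network(private_cidr)
        self.free = [ipaddress.ip_address(a) for a in floating_pool]
        self.fixed_to_float = {}
        self.float_to_fixed = {}

    def associate(self, fixed_ip):
        """Bind the next free floating IP to a VM's fixed IP and return it."""
        fixed = ipaddress.ip_address(fixed_ip)
        if fixed not in self.private_net:
            raise ValueError(f"{fixed} is not on the private network")
        if fixed in self.fixed_to_float:
            return str(self.fixed_to_float[fixed])  # already associated
        if not self.free:
            raise RuntimeError("floating IP pool exhausted")
        floating = self.free.pop(0)
        self.fixed_to_float[fixed] = floating
        self.float_to_fixed[floating] = fixed
        return str(floating)

    def outbound(self, src, dst):
        """Rewrite the source of a packet leaving the private network."""
        floating = self.fixed_to_float.get(ipaddress.ip_address(src))
        # Simplification of this model: no association means no translation.
        return None if floating is None else (str(floating), dst)

    def inbound(self, src, dst):
        """Rewrite the destination of a packet arriving from the external network."""
        fixed = self.float_to_fixed.get(ipaddress.ip_address(dst))
        # An unassociated floating IP has no VM behind it, so the packet is dropped.
        return None if fixed is None else (src, str(fixed))

if __name__ == "__main__":
    # Constructed sample: one private subnet, two floating IPs in the external pool.
    router = FloatingIPRouter("10.0.0.0/24", ["203.0.113.10", "203.0.113.11"])
    print(router.associate("10.0.0.5"))
    print(router.outbound("10.0.0.5", "198.51.100.7"))
    print(router.inbound("198.51.100.7", "203.0.113.10"))
    print(router.inbound("198.51.100.7", "203.0.113.11"))
```

In this model only a VM with an associated floating IP is reachable from the external side, which is the exposure decision a floating IP represents.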

[Image: floating-ips]

If you try to create a router with a VDS-based VIO deployment, it will fail as follows with “Error: There was an error submitting the form. Please try again”:

[Image: create-router-error]

If you try to create a security group (similar to firewall functionality), it will fail as follows with “Error: Unable to create security group”.

[Image: create-security-group-error]

As you can see, VDS networking is quite limiting, and prevents any real-life OpenStack deployment that requires network overlays and additional network services using VIO. However, if you are simply looking to get started with OpenStack, and don’t have any pressing need for network virtualization and overlay networks, VIO with VDS will give you an opportunity to quickly stand up OpenStack on an existing vSphere environment with a flat network.

For me to continue, it looks like I’ll need to deploy NSX-V if I want such features in my VMware Integrated OpenStack deployment. I guess that will be my next step.

If you’re wondering how KVM manages to implement these networking features in their OpenStack distribution, they use Open vSwitch. It was actually the Nicira (now NSX) team who initially created Open vSwitch.

7 comments
  1. Hi Cormac,
    Thanks for sharing.
    I think there are many folks looking into this “OpenStack” right now, including the both of us.

    I believe you had a typo when you stated that VDS-based networks do “not” have Private L2 network capabilities.
    If that would be true then VDS-based networks would be completely useless. ;D

    Regards,
    JC

    • Hi JC, so I’m not saying that you cannot use VDS. But if you do use VDS, you will have to create what is known as a provider network on its own VLAN. This will allow the instances created on VIO to have network connectivity.

      What I am seeing is that there is no way to create a private network, and have their IP addresses NAT’ed thru a router to an external/public network just like the diagram I have placed in the post. To achieve this, it looks like you will need NSX-V.

  2. Great post. I’m from Brazil and we’re testing VIO on our datacenter. Since we don’t have a NSX server configured, we’re testing VIO with a simple VDS deployment, just to see how it works. Unfortunately, when I try to create a network inside OpenStack with VDS, an error occurs. You mentioned that with VDS you’re supposed to use a “Provider Network”. How can I configure that? Inside the OpenStack deployment or in my vSphere environment? Thanks!
