A typical architecture for an ACI fabric with an OpenStack deployment consists of a Nexus 9000 Spine/Leaf topology, an APIC cluster, and a group of servers to run the various control and compute components of OpenStack. OpenStack can be deployed in many ways, but a very basic test architecture would consist of at least one OpenStack Controller server which is also acting as the Neutron network node, and two or more OpenStack compute nodes to host Virtual Machine (VM) instances. An ACI External Routed Network connection as a Layer 3 connection outside of the fabric can be used to provide connectivity outside the OpenStack cloud.

Note

The configurations validated for this deployment guide utilized Cisco UCS C-Series rack mount servers in standalone mode. Third-party standalone rack servers running OpenStack can also be supported. Support for systems running UCS Manager with Fabric Interconnects attached to the ACI fabric is planned for a future release. Figure 1. Example ACI with OpenStack Physical Topology

The Modular Layer 2 framework in OpenStack allows integration of networking services based on TypeDrivers, and MechanismDrivers. Common networking type drivers include local, flat, vlan, vxlan, etc. OpFlex is added as a new network type through ML2, with an actual packet encapsulation of either VXLAN or VLAN on the host defined in the OpFlex configuration. A mechanism driver is enabled to communicate networking requirements from the Neutron server(s) to the Cisco APIC cluster. The APIC mechanism driver translates Neutron networking elements such as a network (segment), subnet, router, or external network into APIC constructs within the ACI Policy Model.

The OpFlex ML2 software stack also currently utilizes a modified Open vSwitch Package, and local software agents on each OpenStack compute host that communicate with the Neutron server(s) and OVS. An OpFlex proxy from the ACI leaf switch exchanges policy information with the Agent-OVS instance in each compute host, effectively extending the ACI switch fabric and policy model into the virtual switch. This results in a cohesive system that can apply networking policy anywhere in the combined virtual and physical switching fabric starting from the virtual port where a VM instance attaches to the network.The Figure below illustrates the interaction of the OpFlex ML2 APIC Driver with the ACI Fabric, and the extension of the OpFlex proxy down into the Agent-OVS service on the compute host.

Note

The OpFlex ML2 APIC Driver for integration into Neutron runs on the server running the neutron-server service. This server may be a controller node running other OpenStack software elements, or be dedicated to the Neutron function. High Availability configurations with multiple Neutron servers are also supported.

Figure 2. OpenStack with ACI architecture with OpFlex ML2

On the compute node, the neutron-opflex-agent service receives information about OpenStack endpoints from the ML2 Driver software on the Neutron server. This information is stored locally in the endpoint files located in /var/lib/opflex-agent-ovs/endpoints. The agent-ovs service uses the endpoint information to resolve policy for the endpoints through the OpFlex Proxy on the connected ACI leaf switch. The agent-ovs then programs policy on OVS using Open Flow for policies that can be enforced locally. Non-local policies are enforced on the upstream leaf switch. The Figure below illustrates the interaction between the Opflex modules running on the compute node, and OVS.

Figure 3. OpFlex Agent Architecture on the Compute Host

OpenStack defines multiple network connection requirements for the server nodes providing cloud services. Communication paths need to be defined and provided for Management traffic, Tenant Data, and External networking requirements, as well as API communication between the various OpenStack services. Deployments may also dedicate a network segment for storage traffic or other specific needs. An ACI switching fabric is able to provide networking services to meet all of these requirements. Server connectivity can consist of either separate physical interfaces, virtualized network adapters such as the Cisco VIC, or a managed blade server system such as Cisco UCS B-Series.

• Management and API Network(s)—This network segment is for administrative secure shell access to OpenStack servers, as well as API communication directly to the servers and between OpenStack functions. The Management and API functions may also be broken out into different network segments, the example configurations in this guide use a single network segment for both.

• External Network—With an ACI fabric integrated with OpFlex, the External Network path is provided by an External Routed Network configuration in the APIC. An External network in a system running the Neutron L3-Agent is a network on the outside of a software-based routing function. An External Network utilizes NAT services to allow hidden and overlapping IPv4 address space to be used by Tenants.

• Tenant Data Network—A Tenant network in OpenStack can be dynamically created by a Tenant to provide connectivity between VM instances in the cloud, and also to connect to cloud-based routing services to other Tenant or External networks. The segment ID's assigned to Tenant networks with OpFlex are tracked by the ACI fabric, and consist of VXLAN between leaf switches, with either VXLAN or VLAN between leaf switch and server.

Cisco ACI uses a policy model to enable network connectivity between endpoints attached to the fabric. OpenStack Neutron uses more traditional Layer 2 and Layer 3 networking concepts to define networking configuration. The OpFlex ML2 driver translates the Neutron networking requirements into the necessary ACI policy model constructs to achieve the desired connectivity. The Table below illustrates OpenStack Neutron constructs, and the corresponding APIC policy objects that will be configured when they are created.

By default, the OpFlex ML2 Driver associates an entire instance of OpenStack Neutron to a single ACI tenant, and names this tenant according to the apic_system_id setting in the /etc/neutron/plugins/ml2/ml2_conf_cisco_apic.ini file. This allows the ACI administrator to manage each cloud instance connected to the fabric as a single entity, and not generate a large number of ACI tenants in the APIC for a fabric that is being used for multiple systems. In this mode, separate OpenStack tenants are defined in the APIC as different Application Profiles.

There is an alternative option that can be configured at installation time in the ml2_conf_cisco_apic.ini file using the setting single_tenant_mode = False which tells the system to create a new ACI Tenant for each OpenStack tenant. This results in a 1:1 correlation between OpenStack tenant and ACI tenant, and generates ACI tenants named according to the convention_<apic_system_id>_<openstack tenant name> for each OpenStack tenant. If multi-tenant mode is used the value apic_name_mapping = use_uuid should also be set in the ml2_conf_cisco_apic.ini file for proper system function.

The OpFlex ML2 Driver software brings the capability to support Network Address Translation (NAT) functions in a distributed manner using the local OVS instance on each OpenStack compute node. This distributed approach increases the availability of the overall solution, and offloads the central processing of NAT from the Neutron server L3-agent used in the reference implementation.

The OpFlex ML2 Driver software stack provides optimized traffic flow and distributed processing to provide DHCP and Metadata Proxy services for VM instances. These services are designed to keep as much processing and packet traffic local to the compute host. The distributed elements communicate with centralized functions to ensure system consistency.

Cisco ACI supports integration with multiple Virtual Machine Manager (VMM) systems, including OpenStack. This integration provides direct APIC visibility to the OpenStack compute nodes, including a detailed listing of all of the VM instances on each node along with the virtual interface information for each learned port. An example VM Networking view of OpenStack hypervisors is shown in the Figure below.

Figure 8. APIC VM Networking Hypervisors View

The VM Networking section of the APIC web interface also provides a view by Distributed Virtual Switch (DVS). Each DVS corresponds to an OpenStack network, which may be distributed across multiple compute nodes. The listing includes details of where each compute node and ACI leaf each VM instance is connected. This listing is instrumented with sort and filtering capabilities to locate any VM by IP or MAC address. An example VM Networking view of OpenStack DVS instances is shown in the Figure below.

Figure 9. APIC VM Networking DVS View