An API to allow for a Quantum port to connect to multiple networks

Registered by Kyle Mestery

There is currently no way for a Quantum port to connect to multiple Quantum networks. Depending on the networking technology, this may be advantageous. For example, if the Quantum network is backed by VLANs, allowing a port to connect to multiple networks is akin to setting up the port as a "trunk" port.

A likely place to start with this is as an API extension, which we will do first.
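To make the trunk-port analogy concrete, here is an added example (not code from this blueprint or from Quantum) of what the receiving side of such a port has to do: read the 802.1Q tag, map the VLAN ID to a network, and drop frames for VLANs that are not on the trunk. The VLAN-to-network table, the network names and the sample frames are assumptions constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag

# Hypothetical (assumed) trunk table: VLAN ID -> network it backs on this port.
TRUNK_ALLOWED = {100: "net-blue", 200: "net-green"}


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build a constructed Ethernet frame, optionally 802.1Q-tagged."""
    header = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)  # 3-bit priority, 12-bit VLAN ID
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def classify(frame, allowed=TRUNK_ALLOWED, native=None):
    """Return (network, vid, inner_ethertype); network is None when dropped."""
    if len(frame) < 14:
        return None, None, None  # too short for an Ethernet header
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return native, None, ethertype  # untagged: native network, if any
    if len(frame) < 18:
        return None, None, None  # tag announced but truncated
    tci, inner = struct.unpack_from("!HH", frame, 14)
    vid = tci & 0x0FFF
    return allowed.get(vid), vid, inner


def demux(frames):
    """Group frames by network and count the frames that were dropped."""
    per_net, dropped = {}, 0
    for frame in frames:
        net, _, _ = classify(frame)
        if net is None:
            dropped += 1
        else:
            per_net.setdefault(net, []).append(frame)
    return per_net, dropped


# Constructed sample traffic, not captured from a real deployment.
DST, SRC = bytes.fromhex("ffffffffffff"), bytes.fromhex("020000000001")
SAMPLE = [build_frame(DST, SRC, 0x0800, b"a", vid=100),
          build_frame(DST, SRC, 0x0800, b"b", vid=200),
          build_frame(DST, SRC, 0x0800, b"c", vid=300),  # not on the trunk
          build_frame(DST, SRC, 0x0800, b"d")]           # untagged
```

With `native=None` untagged frames are dropped as well; passing a network name as `native` models a trunk that carries one untagged network.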

Blueprint information

Status:
Complete
Approver:
Kyle Mestery
Priority:
Undefined
Drafter:
Kyle Mestery
Direction:
Needs approval
Assignee:
None
Definition:
Obsolete
Series goal:
None
Implementation:
Unknown
Milestone target:
None
Completed by
Armando Migliaccio

Whiteboard

One possible use case is a firewall service VM that needs to connect to multiple networks and wants to use VLANs to save limited VNIC (physical interface) resources.

Can you elaborate on how the guest VM sees packets from such neutron ports?
I'm not sure how the VM sees/distinguishes packets from such ports.

mestery: The VM will see packets with VLAN tags on them for these ports. The underlying vSwitch will be expected to pass tagged packets into the VM. Think of it as if the VM is connected to a trunk port on a ToR switch.

Copied from the discussion at https://docs.google.com/document/d/1pwFVV8UavvQkBz92bT-BweBAiIZoMJP0NPAO4-60XFY/edit?pli=1#

-->-->-->---> starts here
isaku yamahata
VLAN trunking
With VLAN trunking, what kind of packet will the service VM see?
i.e. the service VM sees VLAN tagged packets and needs to understand which VLAN id corresponds to which service/tenants?

Yi Sun
I think the VM should see the VLAN traffic. For example, there are many firewalls that can support trunk ports. Internally, the firewall can map the VLANs into different logical interfaces.
11:00 AM Today

bob.melander
In an implementation we've made at Cisco the service VM will get VLAN tagged packets. Then inside the VM a logical sub interface is created for each such VLAN. The logical sub interface is what the Neutron ports for the service instance are bound to.
4:52 PM Today

bob.melander
Here is a link to a blueprint for VLAN trunking.
https://blueprints.launchpad.net/neutron/+spec/quantum-network-bundle-api
4:53 PM Today

isaku yamahata
Hi Bob.
Can you please clarify a bit more what you mean by "inside the VM" and "sub interface"?
Probably this discussion should be continued in the VLAN blueprint, though.

Currently neutron ports correspond to the vif connected to the VM. The agent or nova vif driver (or libvirtd) creates those ports.
Since the "sub interface" lives in the service VM according to your description, in order to create the "sub interface", neutron (via the agent) needs to talk to the service VM somehow (probably via a management interface).
Right?
5:43 PM Today

bob.melander
Exactly, in our implementation we let Nova create the VM with VIFs on Neutron Ports we (well, the plugin) first creates. Then (on a router-interface-add event) the agent creates a logical VLAN subinterface inside the VM for the VLAN used for the Neutron Network. The plugin will at the same time trunk that VLAN on the Neutron Port of the service VM interface in question. That completes the attachment of the service instance (in this case Neutron Router) to the Neutron Network/Subnet.
6:15 PM Today

bob.melander
I agree, the details of this are probably more suited for the bundle blueprint. But the mechanism is very useful for service VMs.
6:16 PM Today

isaku yamahata
Thanks for clarification. Now I'm seeing what VLAN trunking in this context means.
6:36 PM Today (edited 6:39 PM Today)
--<--<--<--< ends here

So this makes sense then? And I think, as Bob indicates, this makes more sense to implement inside this blueprint as I see the VLAN trunk port portion of the service VM framework discussions as separate and useful outside of that scope.

Yes, makes sense and I agreed.
So the point would be to define an abstract model of the communication channel between neutron and the VM. It would be called a management interface or something.
Yamahata

@Yamahata
By "management interface" are you talking about the logic vlan port/trunk interface or the BP implementation?
@Kyle, agree with you
Yi

Yi, Here is my brain dump. I hope the slide helps
https://docs.google.com/presentation/d/1hXCngPbnJYomQBL1WJ-cG-KnK6-LpjAfb5rM1mwKF-Y/edit?usp=sharing
Kyle, can you please check it?
Yamahata

FYI: here is another BP. Even though there is not much detail, from the title it may be something similar.
https://blueprints.launchpad.net/neutron/+spec/vlan-aware-vms

This BP describes only VLAN. How about other protocols, for example VXLAN or GRE?
Furthermore, it can be extended: a mix of VLAN and untagged VXLAN.
Yamahata
