
Minutes for TSC 7_9_2017

Arvind Nadendla edited this page Nov 30, 2017 · 2 revisions

OSC TSC - September 7, 2017

10:05 – 11:00 AM PT https://global.gotomeeting.com/join/391503685

Minutes

Opens

  • Minutes/agenda: store in GitHub, determine upload process
  • May need to adjust time to accommodate Huawei >> Manish followed up w/ email to Jeff and Scott with suggested meeting times

Policy Mapping

Objectives:

  • Confirmation on direction/methods
  • How can a security appliance decide what policy(s) tags to apply for traffic

IP/MAC Method

Issue: Multi-Tenancy and IP overlaps

If OSC supports multiple tenants, the security manager and virtualization platform need to align. Appliances comprehend multi-tenancy but still cannot handle duplicate IPs, similar to namespace.

In theory, tenants can have different namespaces and still function. Tenants can be mapped into VXLAN (inefficient, not limited to routing, more extensive lookup), Linux namespaces, etc.

Issue: Duplicate IP and MAC/Duplicate IP (more likely)

How do you handle IP conflicts in the same tenant?

Typically tenants will be segmented, where a tenant will have multiple VXLANs.

Limitations:

  • Single tenant overlapping IP is not supported
  • Sharing appliances across multiple tenants will not be supported

  • VNF pod is in the same namespace (subnet) as the workload
  • When creating deployment spec on OSC can assert namespace L3 will work, but not sure if it will work with virtual wire. Remi to confirm
  • Is L3 mode enough for the appliance, but if L2 is needed then we may have limitations
  • From Remi’s investigation, in a hybrid env (K8S and OpenStack) VirtualWire will not work with Nuage.
  • Traffic Steering: For large deployments prefer VirtualWire over L3
  • Policy is independent of VWire, policy per control channel---just looking at packet for source/destination and apply policy.
  • Completely independent of the network transport layer, L3 on Nuage and VWire on appliance, then it will not work---need to configure both the same

Actions

  • Don’t use MAC for policy mapping; for Policy mode, IP is sufficient
  • We are going with out of band (vs. inline) method for November release
  • Discussion to be continued, no decision made today
  • Manish will work w/ Jeff on decision mechanism