Having previously covered the architecture of Neutron, this article will now explain in detail the architecture of Neutron when using the Linux Bridge and OVS plugins, as well as how traffic flows. First, we'll start with an overview of Linux Bridge with Provider Network.

VLAN sub-interface port (4) on the bridge

Provider network architecture uses VLAN (802.1q) tagging to provide Layer 2 connectivity between instances and the underlying physical network. It supports one untagged (flat) network and up to 4,095 tagged (VLAN) networks. The actual number of VLAN networks is determined by the physical network infrastructure.

Architecture

The diagram above shows the complete architecture of Linux Bridge – Provider Networks, clearly indicating which components run on the controller node and which run on the compute node.

This diagram illustrates how elements are connected within a single provider network. In this example, the instance and DHCP agent are on the same host, but in real-world deployments, the DHCP agent may be located on a different compute node.

In scenarios with multiple provider networks, each provider network creates a corresponding Linux bridge on every compute node, using VLAN tagging to isolate networks. Instances on the controller node connect their network interfaces to the respective Linux bridge.

Instance 2 on compute node 2

This section will explain how packets actually flow through the architecture in various scenarios.

Architecture Setup

The following is our assumed architecture: two provider networks using VLAN tagging, each with one instance.

• Provider Network 1 (VLAN)
  • VLAN ID 101 (Tagged)
  • IP Address Range 203.0.113.0/24
  • Gateway (on the actual network)
    • IP 203.0.113.1
• Provider network 2 (VLAN)
  • VLAN ID 102 (tagged)
  • IP Address Range 192.0.2.0/24
  • Gateway
    • IP 192.0.2.1
• Instance 1
  • IP 203.0.113.101
• Instance 2
  • IP 192.0.2.101

North-South Traffic

• Instance on compute node 1
• Instance forwarding packets to external network

• Instance network interface (1) through veth pair (2) sends packets to the instance port on the provider bridge
• On the provider bridge, iptables (3) handles firewall rules and connection tracking
• Provider bridge 上的 VLAN sub-interface port (4) 會將封包送往實體網路介面 (5)
• 實體網路介面將封包加上 VLAN tag 101 並且送往實體網路設施中的交換器 (6)

The subsequent section is similar to general networking. Packets are forwarded to the router for outbound routing, and the return path follows the same route in reverse.

East-West Traffic 1: Instances on the same network

• Instance 1 在 compute node 1 上
• Instance 2 在 compute node 2 上
• Instance 1 sends the packet to Instance 2

The previous scenario is entirely consistent.

• Instance network interface (1) through veth pair (2) sends packets to the instance port on the provider bridge
• On the provider bridge, iptables (3) handles firewall rules and connection tracking
• Provider bridge 上的 VLAN sub-interface port (4) 會將封包送往實體網路介面 (5)
• 實體網路介面將封包加上 VLAN tag 101 並且送往實體網路設施中的交換器 (6)

In actual physical network infrastructure:

• 交換器將封包從 compute node 1 送往 compute node 2

Packet transmission to compute node 2:

• The physical network interface (8) strips VLAN tag 101 and forwards it to the VLAN sub-interface port (9) on the provider bridge
• On the provider bridge, iptables (10) handles firewall rules and connection tracking
• The instance port (11) on the provider bridge uses a veth pair to forward packets to the network interface (12) of instance 2

East-West Traffic 2: Instances on different networks

• Instance 1 is on compute node 1 and uses provider network 1
• Instance 2 is on compute node 1 and uses provider network 2
• Instance 1 sends the packet to Instance 2

The packet forwarding process is identical to the initial flow.

• Instance network interface (1) through veth pair (2) sends packets to the instance port on the provider bridge
• On the provider bridge, iptables (3) handles firewall rules and connection tracking
• Provider bridge 上的 VLAN sub-interface port (4) 會將封包送往實體網路介面 (5)
• 實體網路介面將封包加上 VLAN tag 101 並且送往實體網路設施中的交換器 (6)

In actual physical network infrastructure:

• Switch removes VLAN tag 101 and forwards the packet to the router (7)
• Router forwards the packet from provider network 1 (8) to provider network 2 (9)
• Router forwards the packet to the switch (10)
• The switch will strip VLAN tag 102 and forward it to compute node 1 (11)

Packet return to compute node 1:

• The physical network interface (12) will strip VLAN tag 102 and forward it to the VLAN sub-interface port on the provider bridge (13)
• iptables on the provider bridge (14) will handle firewall rules and connection tracking
• The instance port on the provider bridge (15) will forward the packet via veth pair to the network interface of instance 2 (16)

The above details the packet flow under various conditions for Linux Bridge Provider Networks.

Summary

This article describes the architecture and packet flow in Linux Bridge - Provider Network, giving you a better understanding of how network packets travel, which will help you debug network connectivity issues more effectively. The next article will cover the architecture and packet flow using Linux Bridge - self-service network.

---

Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless otherwise stated.