The Open vSwitch plug-in is one of the most popular core
plug-ins. Open vSwitch configurations consists of bridges and
ports. Ports represent connections to other things, such as
physical interfaces and patch cables. Packets from any given
port on a bridge are shared with all other ports on that bridge.
Bridges can be connected through Open vSwitch virtual patch
cables or through Linux virtual Ethernet cables
(veth). Additionally, bridges appear as
network interfaces to Linux, so you can assign IP addresses to
them.
In Neutron, the integration bridge, called
br-int, connects directly to the VMs and
associated services. The external bridge, called
br-ex, connects to the external network.
Finally, the VLAN configuration of the Open vSwitch plug-in uses
bridges associated with each physical network.
In addition to defining bridges, Open vSwitch has OpenFlow, which enables you to define networking flow rules. Certain configurations use these rules to transfer packets between VLANs.
Finally, some configurations of Open vSwitch use network namespaces that enable Linux to group adapters into unique namespaces that are not visible to other namespaces, which allows the same network node to manage multiple Neutron routers.
With Open vSwitch, you can use two different technologies to create the virtual networks: GRE or VLANs.
Generic Routing Encapsulation (GRE) is the technology used in many VPNs. It wraps IP packets to create entirely new packets with different routing information. When the new packet reaches its destination, it is unwrapped, and the underlying packet is routed. To use GRE with Open vSwitch, Neutron creates GRE tunnels. These tunnels are ports on a bridge and enable bridges on different systems to act as though they were one bridge, which allows the compute and network nodes to act as one for the purposes of routing.
Virtual LANs (VLANs), on the other hand, use a special modification to the Ethernet header. They add a 4-byte VLAN tag that ranges from 1 to 4094 (the 0 tag is special, and the 4095 tag, made of all ones, is equivalent to an untagged packet). Special NICs, switches, and routers know how to interpret the VLAN tags, as does Open vSwitch. Packets tagged for one VLAN are only shared with other devices configured to be on that VLAN, even through all devices are on the same physical network.
The most common security group driver used with Open vSwitch is the Hybrid IPTables/Open vSwitch plug-in. It uses a combination for IPTables and OpenFlow rules. Use the IPTables tool to create firewalls and set up NATs on Linux. This tool uses a complex rule system and chains of rules to accommodate the complex rules required by Neutron security groups.
