| 1 | +# Table of content |
| 2 | + |
| 3 | +1. [Objectives](#objectives) |
| 4 | +2. [Requirements](#requirements) |
| 5 | +3. [Automation](#automation) |
| 6 | +4. [Test Suites](#test-suites) |
| 7 | + - [Outbound VNET routing](#outbound-vnet-routing) |
| 8 | + - [Inbound VNET routing](#inbound-vnet-routing) |
| 9 | + - [Integration](#integration) |
| 10 | + - [Negative](#negative) |
| 11 | + - [Scaling & Performance](#scaling--performance) |
| 12 | + - [To clarify / Future](#to-clarify--future) |
| 13 | + |
| 14 | +--- |
| 15 | + |
| 16 | +# Objectives |
| 17 | + |
| 18 | +The VNET-to-VNET scenario is the starting point to design, implement and test the core DASH mechanisms in VM to VM communication in VNET, using an Appliance for rules and routing offload. |
| 19 | + |
| 20 | +The scenario allows the following: |
| 21 | +- Route/LPM support |
| 22 | +- Underlay IPv4 and IPv6 |
| 23 | +- Stateful ACL support |
| 24 | +- TCP state tracking on flows |
| 25 | +- Telemetry and Monitoring |
| 26 | + |
| 27 | +## Requirements |
| 28 | + |
| 29 | +### Scale |
| 30 | +| Item | Expected value |
| 31 | +|---|--- |
| 32 | +| VNETs | 1024 |
| 33 | +| ENI per card | 64 |
| 34 | +| Routes per ENI | 100k (**to clarify** in some md docs it is 200k) |
| 35 | +| NSGs per ENI | 6 |
| 36 | +| ACLs per ENI | 6x100K prefixes |
| 37 | +| ACLs per ENI | 6x10K SRC/DST ports |
| 38 | +| CA-PA Mappings | 10M |
| 39 | +| Active Connections/ENI | 1M (Bidirectional) |
| 40 | + |
| 41 | +### Performance |
| 42 | +| Item | Expected value |
| 43 | +|---|--- |
| 44 | +| CPS per card | 4M+ |
| 45 | +| Flows per ENI | 1M |
| 46 | +| Flows per card | 16M per 200G |
| 47 | + |
| 48 | + |
| 49 | +### Other |
| 50 | + |
| 51 | +1. Bulk update of LPM and CA-PA Mapping tables. |
| 52 | +1. Mapping updates can occur as much as 100 mappings/sec |
| 53 | +1. ACL operations (rules adding/deleting) per group for a stage must be handled atomically. |
| 54 | +1. Support ability to get all ACL rules/groups based on guid. |
| 55 | +1. During VNET or ENI delete, implementation must support ability to delete all mappings or routes in a single API call. |
| 56 | +1. Add and Delete APIs are idempotent. |
| 57 | +1. During a delete operation, if there is a dependency, implementation shall return error and shall not perform any force-deletions or delete dependencies implicitly. |
| 58 | +1. During a bulk operation, if any part/subset of API fails, implementation shall return error for the entire API. |
| 59 | +1. Implementation must have flexible memory allocation for ENI and not reserve max scale during initial create (e.g 100k routes). This is to allow oversubscription. |
| 60 | +1. Implementation must not have silent failures for APIs. |
| 61 | + |
| 62 | +More details may be found in [DASH SONiC HLD](https://github.com/Azure/DASH/blob/main/documentation/general/design/dash-sonic-hld.md#15-design-considerations). |
| 63 | + |
| 64 | + |
| 65 | +# Automation |
| 66 | + |
| 67 | +Test cases are automated using SAI PTF test framework, except scale and performance tests. |
| 68 | + |
| 69 | +# Test suites |
| 70 | + |
| 71 | +**NOTE**: Each test has to send multiple traffic types: |
| 72 | +- Traffic that matches applied configuration (positive case) |
| 73 | +- Traffic that doesn't match applied configuration for each applied attribute (negative case). |
| 74 | + |
| 75 | +### **Outbound VNET routing** |
| 76 | +| # | Test case | Test Class.Method |
| 77 | +| --- | --- | --- |
| 78 | +| 1 | Route action ROUTE_VNET | - |
| 79 | +| 2 | Route action ROUTE_VNET_DIRECT | Vnet2VnetInboundTest.<br>Vnet2VnetOutboundRouteVnetDirectTest |
| 80 | +| 3 | Route action ROUTE_DIRECT | Vnet2VnetOutboundTest.<br>Vnet2VnetOutboundRouteDirectTest |
| 81 | +| 4 | dst_vnet_id True/False in OUTBOUND_CA_TO_PA_ENTRY | - |
| 82 | +| 5 | Use same CA prefixes in different outbound routing tables (different ENIs) | - |
| 83 | +| 6 | Use multiple overlapping routing prefixes in the same outbound routing table. | - |
| 84 | +| 7 | Use same prefixes in CA and PA networks. | - |
| 85 | + |
| 86 | +Original table [link](https://github.com/Azure/DASH/blob/main/documentation/general/design/sdn-features-packet-transforms.md#routing-routes-and-route-action). |
| 87 | + |
| 88 | +### **Inbound VNET routing** |
| 89 | + |
| 90 | +| # | Test case | Test Class.Method |
| 91 | +| --- | --- | --- |
| 92 | +| 1 | VNET2VNET routing with PA validation entry PERMIT.<br>SAI_INBOUND_ROUTING_ENTRY_ACTION_VXLAN_DECAP_PA_VALIDATE<br>SAI_PA_VALIDATION_ENTRY_ACTION_PERMIT| Vnet2VnetInboundTest.<br>vnet2VnetInboundPaValidatePermitTest |
| 93 | +| 2 | Direction lookup DENY action | Vnet2VnetInboundTest.<br/>vnet2VnetInboundDenyVniTest |
| 94 | +| 3 | Drop if CA DMAC does not match | Vnet2VnetInboundTest.<br/>vnet2VnetInboundInvalidEniMacTest |
| 95 | +| 4 | Drop if PA SIP does not match on PA validation | Vnet2VnetInboundTest.<br/>vnet2VnetInboundInvalidPaSrcIpTest |
| 96 | +| 5 | VNET2VNET routing without PA validation entry<br>SAI_INBOUND_ROUTING_ENTRY_ACTION_VXLAN_DECAP | - |
| 97 | + |
| 98 | + |
| 99 | +### **Integration** |
| 100 | + |
| 101 | +| # | Test case | Test Class.Method |
| 102 | +| --- | --- | --- |
| 103 | +| 1 |Multiple inbound and outbound configurations at the same time. Send multiple allowed and forbidden traffic types. | - |
| 104 | +| 2 |Send non VXLAN traffic. (**to clarify** underlay routing?) | VnetRouteTest |
| 105 | +| 3 |Use multiple VIPs | - |
| 106 | + |
| 107 | +### **Negative** |
| 108 | + |
| 109 | +| # | Test case | Test Class.Method |
| 110 | +| --- | --- | --- |
| 111 | +| 1 | Traffic with invalid VIP (Inbound and Outbound) | - |
| 112 | +| 2 | Traffic with valid VNI but no match to any ENI MAC | - |
| 113 | +| 3 | Invalid configurations:<br>- Multiple MACs for same ENI<br>- All different VNIs in ENI, direction lookup, vnet configuration.<br>- Add same VNI for different direction lookup entries. | - |
| 114 | + |
| 115 | +### **Scaling & Performance** |
| 116 | + |
| 117 | +To be defined. |
| 118 | + |
| 119 | + |
| 120 | +### **To clarify / Future** |
| 121 | + |
| 122 | +1. What is relation between vm_vni and vnet_id in ENI create? |
| 123 | +1. The lookup table is per ENI, but could be Global, or multiple Global lookup tables per ENIs. How to configure global lookup? Multiple lookups? |
| 124 | +1. In Encap and Decap rules we have: |
| 125 | + - static rule |
| 126 | + - based on mapping lookup |
| 127 | + - inner packet SRC/DEST IP calculated based on part of outer packet SRC/DEST IP<br> |
| 128 | +Question: What is static rule nad calculated values? |
| 129 | +1. How to test - Inbound (priority) route rules processing: |
| 130 | + - Most Outer Source IP Prefix |
| 131 | + - Most Outer Destination IP Prefix |
| 132 | + - VXLAN/GRE key |
| 133 | +1. Need examples: Transpositions. |
| 134 | + - Direct traffic – pass thru with static SNAT/DNAT (IP, IP+Port) |
| 135 | + - Packet upcasting (IPv4 -> IPv6 packet transformation) |
| 136 | + - Packet downcasting (IPv6 -> IPv4 packet transformation) |
| 137 | +1. Need example: Up to 3 level of routing transforms (example: decap + decap + transpose). |
| 138 | +1. LB on outbound VNET scenario (different PAs) |
| 139 | +1. TODO: Example: Lookup between CA (inside Cx own VNET) and PA (Provider Address) using lookup table (overwrite destination IP and MAC before encap) |
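Review bot: in the Outbound VNET routing table, test case 2 (ROUTE_VNET_DIRECT) is mapped to `Vnet2VnetInboundTest.Vnet2VnetOutboundRouteVnetDirectTest`, while the neighbouring case 3 uses `Vnet2VnetOutboundTest.Vnet2VnetOutboundRouteDirectTest`; an outbound test under the inbound class reads like a copy error, so please confirm the class, and also align the method naming with the inbound rows, which use a lowercase prefix (e.g. `vnet2VnetInboundPaValidatePermitTest`) where the outbound rows use an uppercase one. Smaller points in the same hunk: the Scale table has two rows both labelled `ACLs per ENI` (one for prefixes, one for SRC/DST ports) that should be distinguished in the Item column; "Table of content" should be "Table of contents" and the TOC entry "Test Suites" does not match the heading "Test suites"; "Requirements" is an h2 while every other TOC sibling is an h1; and "What is static rule nad calculated values?" has a typo (nad -> and).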