Generated by GPT-5-mini
| OVN | |
|---|---|
| Name | OVN (Open Virtual Network) |
| Developer | Open vSwitch project |
| Initial release | 2015 (project announced; shipped with later Open vSwitch releases) |
| License | Apache License 2.0 |
| Repository | https://github.com/ovn-org/ovn |
| Operating system | Linux |
OVN
OVN (Open Virtual Network) is a virtual networking system that provides logical networking abstractions for hypervisors and container platforms. It was developed by the Open vSwitch project to supply software-defined networking primitives such as logical switches, logical routers, NAT, load balancers and ACLs, and it integrates with orchestration systems including OpenStack and Kubernetes. OVN is used in production for large-scale virtualized and containerized workloads, for example in Red Hat's OpenShift (through OVN-Kubernetes) and in Canonical's OpenStack distribution.
OVN implements a distributed control plane that decouples logical network state from the physical network, providing features comparable to those of commercial virtual networking appliances. Intent is stored in a central northbound database; ovn-northd translates it into logical flows in the southbound database, from which the ovn-controller on each host programs its local Open vSwitch. Both databases are OVSDB instances that can be clustered with Raft for availability; the southbound database is central rather than per-host, and every hypervisor keeps a connection to it. OVN integrates with Neutron in OpenStack (the ML2/OVN mechanism driver) and with Kubernetes through CNI plugins such as OVN-Kubernetes and Kube-OVN to deliver L2 and L3 services, load balancing and ACL-based policy; Neutron security groups and Kubernetes NetworkPolicy are both compiled into OVN ACLs, since OVN has no security-group object of its own.
The OVN architecture separates logical topology definition from per-host forwarding. The northbound database holds logical entities (logical switches, logical routers, logical ports, ACLs, port groups, NAT rules, load balancers and DHCP options); the southbound database holds the Chassis, Port_Binding and Logical_Flow tables that map logical entities onto physical hosts and carry the compiled forwarding logic. ovn-northd, usually deployed on controller nodes, performs that compilation; ovn-controller on each hypervisor translates the logical flows into OpenFlow rules on the local integration bridge (br-int), and Open vSwitch in turn drives the kernel or userspace datapath. Load balancing is native to OVN (a Load_Balancer row maps a VIP to backends using conntrack DNAT) rather than delegated to HAProxy; OpenStack Octavia exposes it through its OVN provider driver. OVN itself does not speak BGP or OSPF; where routes must be advertised into a data-center fabric, companion projects such as ovn-bgp-agent do so through FRRouting.
Key components are the northbound database (OVN_Northbound, defined in ovn-nb.ovsschema), the southbound database (OVN_Southbound, ovn-sb.ovsschema), the central ovn-northd daemon, and the per-host ovn-controller. The northbound DB expresses intent for logical switches, routers, ports, NAT and ACLs; ovn-northd compiles it into logical flows and port bindings in the southbound DB; each ovn-controller watches the southbound DB, binds the logical ports whose VIFs are present on its chassis, and programs the local Open vSwitch through OpenFlow and OVSDB. Operators interact with the databases through ovn-nbctl and ovn-sbctl, and ovn-trace simulates a packet's path through the logical flows, which is the quickest way to check what an ACL actually does to a given packet. Orchestration systems write to the northbound DB only; nothing but ovn-northd and ovn-controller should need southbound access.
Deploying OVN typically involves installing Open vSwitch and the OVN packages on hypervisors or container nodes, running the two databases and ovn-northd on controller nodes, and expressing northbound intent through ovn-nbctl or an orchestration plugin such as Neutron ML2/OVN or OVN-Kubernetes. Configuration tasks include creating logical switches and routers, assigning MAC and IP addresses to logical ports (and setting port security so a port can only send from those addresses), configuring DHCP through OVN's native DHCPv4/DHCPv6 options, and defining ACLs and NAT rules. High availability comes from clustering the northbound and southbound OVSDB servers with OVSDB's built-in Raft implementation (OVN does not use etcd) and running several ovn-northd instances, of which one holds a lock in the southbound database while the others stand by. Authentication and authorization of the people and services that change the intent is the job of the orchestration layer (Keystone in OpenStack, RBAC in Kubernetes); OVN itself authenticates database clients only by TLS certificate.
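The preceding paragraphs describe the northbound database as the place where intent is written. As an added example (not OVN's own code), here is the OVSDB JSON-RPC exchange (RFC 7047) that any client uses to do that: one atomic transaction that creates a logical switch, a port with port security, an SSH allow rule and a default-deny ACL, followed by a check of the database's reply. Table and column names are from the OVN_Northbound schema; the switch and port names, the addresses and the two sample replies are constructed. It also shows the point behind the TLS advice later on the page: the messages carry no credentials of their own, so whoever can reach the listener can send exactly this.

```python
"""OVSDB JSON-RPC (RFC 7047) transaction against the OVN northbound database.

Added example, not OVN code.  Table and column names come from the
OVN_Northbound schema; the switch/port names, addresses and the sample
replies below are constructed for the demo.  Nothing in the message
authenticates the sender: that is the transport's job (TLS client
certificates on a pssl: listener)."""
import json

DB = "OVN_Northbound"


def build_transact(switch, port, mac_ip, request_id=1):
    """Return (request_json, uuid_names) for one atomic 'transact' request.

    "uuid-name" gives a row a transaction-local name; later operations
    reference it as ["named-uuid", name], so the switch is committed
    together with its port and ACLs or not at all.
    """
    ops = [
        # Logical port. "addresses" and "port_security" are sets of strings;
        # port_security stops the VIF sending from any other MAC/IP.
        {"op": "insert", "table": "Logical_Switch_Port", "uuid-name": "lsp0",
         "row": {"name": port,
                 "addresses": ["set", [mac_ip]],
                 "port_security": ["set", [mac_ip]]}},
        # Allow SSH to the port *and* its replies: allow-related commits the
        # connection to conntrack; a plain "allow" would leave the replies
        # to the default-deny rule below.
        {"op": "insert", "table": "ACL", "uuid-name": "acl_ssh",
         "row": {"direction": "to-lport", "priority": 1000,
                 "match": 'outport == "%s" && ip4 && tcp.dst == 22' % port,
                 "action": "allow-related"}},
        # Default deny. Without it OVN forwards any packet no ACL matches.
        {"op": "insert", "table": "ACL", "uuid-name": "acl_deny",
         "row": {"direction": "to-lport", "priority": 0, "match": "1",
                 "action": "drop", "log": True, "name": "default-deny"}},
        # The switch, referencing the rows above by transaction-local name.
        {"op": "insert", "table": "Logical_Switch", "uuid-name": "ls0",
         "row": {"name": switch,
                 "ports": ["set", [["named-uuid", "lsp0"]]],
                 "acls": ["set", [["named-uuid", "acl_ssh"],
                                  ["named-uuid", "acl_deny"]]]}},
    ]
    request = {"method": "transact", "params": [DB] + ops, "id": request_id}
    return json.dumps(request), [op["uuid-name"] for op in ops]


def parse_transact_reply(reply_json, request_id, uuid_names):
    """Map each uuid-name to the UUID the database assigned, or raise.

    RFC 7047 reports a failed operation *inside* the "result" array as
    {"error": ..., "details": ...} while the top-level "error" stays null,
    so every element has to be inspected, not just the envelope.
    """
    reply = json.loads(reply_json)
    if reply.get("id") != request_id:
        raise ValueError("reply id %r != request id %r"
                         % (reply.get("id"), request_id))
    if reply.get("error") is not None:
        raise ValueError("request rejected: %r" % (reply["error"],))
    results = reply.get("result") or []
    assigned = {}
    for name, res in zip(uuid_names, results):
        if "error" in res:
            raise ValueError("op %s failed: %s (%s)"
                             % (name, res["error"], res.get("details", "")))
        kind, value = res["uuid"]          # encoded as ["uuid", "<uuid>"]
        if kind != "uuid":
            raise ValueError("op %s: unexpected atom %r" % (name, res["uuid"]))
        assigned[name] = value
    if len(assigned) != len(uuid_names):
        raise ValueError("database answered %d of %d operations"
                         % (len(results), len(uuid_names)))
    return assigned


# Constructed replies, shaped the way ovsdb-server answers.
SAMPLE_REPLY = json.dumps({"id": 1, "error": None, "result": [
    {"uuid": ["uuid", "0e1f2a3b-4c5d-4e6f-8a9b-0c1d2e3f4a5b"]},
    {"uuid": ["uuid", "1f2a3b4c-5d6e-4f70-8b9c-1d2e3f4a5b6c"]},
    {"uuid": ["uuid", "2a3b4c5d-6e7f-4081-8c9d-2e3f4a5b6c7d"]},
    {"uuid": ["uuid", "3b4c5d6e-7f80-4192-8d9e-3f4a5b6c7d8e"]}]})
SAMPLE_FAILURE = json.dumps({"id": 1, "error": None, "result": [
    {"uuid": ["uuid", "0e1f2a3b-4c5d-4e6f-8a9b-0c1d2e3f4a5b"]},
    {"error": "constraint violation",
     "details": "priority 70000 is not in the range 0-32767"}]})


def demo():
    request, names = build_transact("ls-tenant-a", "vm1",
                                    "52:54:00:aa:bb:01 10.0.0.5")
    return parse_transact_reply(SAMPLE_REPLY, 1, names)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a live system the request would be written to the listener configured with `ovn-nbctl set-connection` (a `pssl:` target with `ovn-nbctl set-ssl`), which is the only thing that decides who may send it; ovn-nbctl issues the same kind of transaction internally.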
OVN is used for tenant isolation and multi-tenancy in OpenStack (Nova/Neutron), as the CNI-based network for Kubernetes clusters through OVN-Kubernetes or Kube-OVN, and to build overlay networks across a physical fabric using Geneve encapsulation (VXLAN is supported with a reduced feature set, because its header cannot carry the full logical port metadata). Connectivity to provider networks and physical routers is provided by localnet ports and gateway chassis rather than by a routing protocol. Policy-based routing (Logical_Router_Policy) can steer selected traffic through a virtual appliance such as a firewall VM, and OVN is used in NFV and telco stacks, including OPNFV reference scenarios.
OVN scales by distributing forwarding state to hosts through ovn-controller, which processes southbound changes incrementally, and by using NIC hardware offload (Open vSwitch tc-flower offload on SmartNICs and DPUs) where available. Performance depends on the datapath (kernel vs. userspace DPDK), the encapsulation (Geneve or VXLAN) and host CPU resources. Large deployments have been reported with thousands of tenants and tens of thousands of logical ports by combining OVSDB clustering, efficient flow translation in ovn-northd, and incremental update propagation. Tuning involves sizing Open vSwitch flow tables, enabling datapath offloads, and using multiqueue networking together with SR-IOV-capable NICs.
Security practices include enforcing ACLs in the northbound DB (Neutron security groups and Kubernetes NetworkPolicy compile to them) with an explicit low-priority default-deny rule, because OVN forwards any packet that no ACL matches; putting the database listeners on TLS (pssl: rather than ptcp:, with certificates issued to ovn-northd and to every ovn-controller) and keeping them off tenant-reachable networks; and enabling the southbound database's RBAC role for ovn-controller connections (ovn-sbctl set-connection role=ovn-controller pssl:6642) so that a compromised hypervisor can only modify the rows that belong to its own chassis rather than rebind another tenant's ports. Identity and policy for the people who change the intent come from the orchestration layer (Keystone, Kubernetes RBAC). Operational management relies on logs and telemetry from ovn-northd, ovn-controller and Open vSwitch, metrics in Prometheus and Grafana, and alerting on top of them. Best practices include tested schema upgrades, backups of both databases (ovsdb-client backup), isolating control-plane traffic on a dedicated management network, and verifying suspected policy gaps with ovn-trace before they are found by a tenant.
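The ACL guidance above (and the ACL definitions in the deployment paragraph) rests on three documented evaluation rules that are easy to get wrong: the highest-priority matching ACL wins, a packet matching no ACL is allowed, and only "allow-related" commits a connection to conntrack so that its replies pass a default-deny rule. The following is an added model of that evaluation, not OVN code; matches are Python predicates over a packet dict instead of OVN's match language, conntrack is a set of 5-tuples, and the addresses are constructed. It reproduces the three pitfalls side by side: no default deny (a stray probe is allowed), default deny with plain "allow" (the SSH reply is dropped), and default deny with "allow-related" (only the probe is dropped), plus a broad high-priority drop shadowing a specific allow.

```python
"""Model of OVN ACL evaluation on a logical switch.

Added example, not OVN code.  It reproduces three documented properties:
the highest-priority matching ACL wins; a packet that matches no ACL is
allowed; and only "allow-related" commits a connection to conntrack so
that its replies pass a default-deny rule.  Matches are Python predicates
over a packet dict instead of OVN's match language, conntrack is a set of
5-tuples, and the addresses below are constructed."""
from collections import namedtuple

# Fields mirror the OVN_Northbound ACL table: direction is "from-lport" or
# "to-lport", priority is 0..32767, action is allow|allow-related|drop|reject.
ACL = namedtuple("ACL", "direction priority match action")


class LogicalSwitch:
    def __init__(self, acls):
        self.acls = list(acls)
        self.conntrack = set()          # committed flows as 5-tuples

    @staticmethod
    def _flow(pkt):
        return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

    @staticmethod
    def _reverse(pkt):
        return (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

    def evaluate(self, direction, pkt):
        """Return "allow" or "drop" for one packet travelling in one direction."""
        # Replies to a committed connection are accepted before the ACLs run;
        # this is what allow-related buys you.
        if self._reverse(pkt) in self.conntrack:
            return "allow"
        hits = [a for a in self.acls if a.direction == direction and a.match(pkt)]
        if not hits:
            return "allow"              # OVN's default when nothing matches
        top = max(a.priority for a in hits)
        actions = {a.action for a in hits if a.priority == top}
        if len(actions) > 1:
            # ovn-nb(5): same priority, different actions -> undefined behaviour
            raise ValueError("conflicting ACLs at priority %d: %s"
                             % (top, sorted(actions)))
        action = actions.pop()
        if action == "allow-related":
            self.conntrack.add(self._flow(pkt))
            return "allow"
        if action == "allow":
            return "allow"              # forwarded, but nothing is committed
        return "drop"                   # drop, and reject (which also sends RST/ICMP)


def tcp(src, sport, dst, dport):
    """Constructed packet; only the fields the model looks at."""
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport}


def scenario(default_deny, ssh_action):
    """Inbound SSH to 10.0.0.5, its reply, and a stray MySQL probe.

    Returns the verdicts for (request, reply, probe).
    """
    acls = [ACL("to-lport", 1000, lambda p: p["dport"] == 22, ssh_action)]
    if default_deny:
        acls.append(ACL("to-lport", 0, lambda p: True, "drop"))
    sw = LogicalSwitch(acls)
    request = sw.evaluate("to-lport", tcp("10.0.0.9", 40000, "10.0.0.5", 22))
    reply = sw.evaluate("to-lport", tcp("10.0.0.5", 22, "10.0.0.9", 40000))
    probe = sw.evaluate("to-lport", tcp("10.0.0.9", 40001, "10.0.0.5", 3306))
    return request, reply, probe


def shadowing():
    """A broad high-priority drop hides the specific allow under it."""
    sw = LogicalSwitch([
        ACL("to-lport", 2000, lambda p: p["src"].startswith("10.0.0."), "drop"),
        ACL("to-lport", 1000, lambda p: p["dport"] == 22, "allow-related"),
        ACL("to-lport", 0, lambda p: True, "drop"),
    ])
    return sw.evaluate("to-lport", tcp("10.0.0.9", 40000, "10.0.0.5", 22))


if __name__ == "__main__":
    print("no default deny, allow:      ", scenario(False, "allow"))
    print("default deny, allow:         ", scenario(True, "allow"))
    print("default deny, allow-related: ", scenario(True, "allow-related"))
    print("shadowed allow:              ", shadowing())
```

On a real deployment the same questions are answered by ovn-trace against the southbound database, which walks the compiled logical flows for a given inport and packet header and reports which ACL fired.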