Hi All,
To continue our discussion about chassis internal connectivity for accessing chassis-db..
Option A: Using NAT rule in HOST
In every LC, using NAT to expose <240.127.1.1, 6380> endpoint that is hosted in the supervisor card. From each LC netns, treats 240.127.1.1, 6380 as local database but because of NAT, it all goes to supervisor card.
# iptables -t nat -A POSTROUTING -d <supervisor-card-ip> -s 240.127.1.0/24 -p tcp --dport 6380 -j SNAT --to <internal-slot-ip>
Pros: Simple enough.
Cons: NAT rules shouldnt be affected SONIC services. Can it be configured via SONIC services that handles this NAT table.
Option B: Using IPVLAN concept
Lets create new/reuse(leave it platform vendor to decide) VLAN over midplane. Each NS(aka asic0, asic1, etc) will get an unique IP address that is reachable over midplane.
# ip link add name ceth2 link eth2 type ipvlan mode l2
# ip link set dev ceth2 netns asic0
ceth2 is chassis interface (chassis-eth2) that gets created by platform and moved to NS. As such IP addresses are assigned by platform, only discovery is done by the SONiC upper layer. This gives flexibility/optimization to the platform vendor in terms of address assignment.
Pros: Doesn't get affected by any SONIC upper layer service like NATmgr because its IP address is isolated.
Cons: anything?
Option C: Using MACVLAN concept
MACVLAN and IPVLAN are very similar. Just that IPVLAN uses a different IP addressing scheme, MACVLAN uses different MAC addresses for demux.
# ip link add macvlan1 link eth0 type macvlan mode bridge
# ip link add macvlan2 link eth0 type macvlan mode bridge
# ip link set macvlan1 netns asic0
# ip link set macvlan2 netns asicN
Below link explains when to pick IPVLAN vs MACVLAN
6. What to choose (macvlan vs. ipvlan)?
These two devices are very similar in many regards and the specific use case could very well define which device to choose. If one of the following situations defines your use case then you can choose to use ipvlan -
(a) The Linux host that is connected to the external switch / router has a policy configured that allows only one mac per port.
(b) No virtual devices created on a master exceed the mac capacity and puts the NIC in promiscuous mode and degraded performance is a concern.
(c) If the slave device is to be put into the hostile / untrusted network namespace where L2 on the slave could be changed / misused.
Thanks,
Suresh