Merge pull request #103471 from ShaunaDiaz/OSDOCS-16832

OSDOCS-16832: MNW-1: Multiple Networks Core Concepts and VRF Overview

Author: dfitzmau

_topic_maps/_topic_map.yml

@@ -1557,6 +1557,8 @@ Topics:
   Topics:
   - Name: Understanding multiple networks
     File: understanding-multiple-networks
+  - Name: Use cases for a secondary network
+    File: use-cases-secondary-network
   - Name: Primary networks
     Dir: primary_networks
     Distros: openshift-enterprise, openshift-origin

modules/cnf-about-virtual-routing-and-forwarding.adoc

@@ -6,11 +6,10 @@
 [id="cnf-about-virtual-routing-and-forwarding_{context}"]
 = About virtual routing and forwarding
 
-Virtual routing and forwarding (VRF) devices combined with IP rules provide the ability to create virtual routing and forwarding domains. VRF reduces the number of permissions needed by CNF, and provides increased visibility of the network topology of secondary networks. VRF is used to provide multi-tenancy functionality, for example, where each tenant has its own unique routing tables and requires different default gateways.
+[role="_abstract"]
+You can use virtual routing and forwarding (VRF) to provide multi-tenancy functionality. For example, where each tenant has its own unique routing tables and requires different default gateways.
 
-Processes can bind a socket to the VRF device. Packets through the binded socket use the routing table associated with the VRF device. An important feature of VRF is that it impacts only OSI model layer 3 traffic and above so L2 tools, such as LLDP, are not affected. This allows higher priority IP rules such as policy based routing to take precedence over the VRF device rules directing specific traffic.
+VRF reduces the number of permissions needed by cloud-native network function (CNF), and provides increased visibility of the network topology of secondary networks. VRF devices combined with IP address rules provide the ability to create virtual routing and forwarding domains.
 
-[id="cnf-benefits-secondary-networks-telecommunications-operators_{context}"]
-== Benefits of secondary networks for pods for telecommunications operators
+Processes can bind a socket to the VRF device. Packets through the binded socket use the routing table associated with the VRF device. An important feature of VRF is that it impacts only OSI model layer 3 traffic and above so L2 tools, such as LLDP, are not affected. This allows higher priority IP address rules such as policy-based routing to take precedence over the VRF device rules directing specific traffic.
 
-In telecommunications use cases, each CNF can potentially be connected to multiple different networks sharing the same address space. These secondary networks can potentially conflict with the cluster's main network CIDR. Using the CNI VRF plugin, network functions can be connected to different customers' infrastructure using the same IP address, keeping different customers isolated. IP addresses are overlapped with {product-title} IP space. The CNI VRF plugin also reduces the number of permissions needed by CNF and increases the visibility of network topologies of secondary networks.

modules/cnf-benefits-secondary-networks-telco-ops.adoc

@@ -0,0 +1,14 @@
+// Module included in the following assemblies:
+//
+// networking/multiple_networks/about-virtual-routing-and-forwarding.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="cnf-benefits-secondary-networks-telco-ops_{context}"]
+= Benefits of secondary networks for pods for telecommunications operators
+
+[role="_abstract"]
+You can connect network functions to different customers' infrastructure by using the same IP address with the Container Network Interface (CNI) virtual routing and forwarding (VRF) plugin. Using the CNI VRF plugin keeps different customers isolated.
+
+In telecommunications use cases, each CNF can potentially be connected to many different networks sharing the same address space. These secondary networks can potentially conflict with the cluster's main network CIDR.
+
+With the CNI VRF plugin, IP addresses are overlapped with the {product-title} IP address space. The CNI VRF plugin also reduces the number of permissions needed by CNF and increases the visibility of the network topologies of secondary networks.

modules/nw-about-multicast.adoc

@@ -6,12 +6,14 @@
 [id="nw-about-multicast_{context}"]
 = About multicast
 
+[role="_abstract"]
 With IP multicast, data is broadcast to many IP addresses simultaneously.
 
 [IMPORTANT]
 ====
 * At this time, multicast is best used for low-bandwidth coordination or service discovery and not a high-bandwidth solution.
-* By default, network policies affect all connections in a namespace. However, multicast is unaffected by network policies. If multicast is enabled in the same namespace as your network policies, it is always allowed, even if there is a `deny-all` network policy. Cluster administrators should consider the implications to the exemption of multicast from network policies before enabling it.
+* By default, network policies affect all connections in a namespace. However, multicast is unaffected by network policies. If multicast is enabled in the same namespace as your network policies, it is always allowed, even if there is a `deny-all` network policy.
+* Cluster administrators must consider the implications of the exemption of multicast from network policies before enabling it.
 ====
 
-Multicast traffic between {product-title} pods is disabled by default. If you are using the OVN-Kubernetes network plugin, you can enable multicast on a per-project basis.
+Multicast traffic between {product-title} pods is disabled by default. If you are using the OVN-Kubernetes network plugin, you can enable multicast on a per-project basis.

modules/nw-enabling-multicast.adoc

@@ -15,10 +15,12 @@ endif::[]
 [id="nw-enabling-multicast_{context}"]
 = Enabling multicast between pods
 
+[role="_abstract"]
 You can enable multicast between pods for your project.
 
 .Prerequisites
-* Install the OpenShift CLI (`oc`).
+
+* Install the {oc-first}.
 * You must log in to the cluster with a user that has the `cluster-admin`
 ifdef::openshift-rosa,openshift-dedicated[]
 or the `dedicated-admin`

modules/support-matrix-for-udn-nad.adoc

@@ -1,21 +1,32 @@
 //module included in the following assembly:
 //
-// *networkking/multiple_networks/understanding-user-defined-networks.adoc
+// *networking/multiple_networks/understanding-user-defined-networks.adoc
 
-:_mod-docs-content-type: CONCEPT
+:_mod-docs-content-type: REFERENCE
 [id="support-matrix-for-udn-nad_{context}"]
 = UserDefinedNetwork and NetworkAttachmentDefinition support matrix
 
-The `UserDefinedNetwork` and `NetworkAttachmentDefinition` custom resources (CRs) provide cluster administrators and users the ability to create customizable network configurations and define their own network topologies, ensure network isolation, manage IP addressing for workloads, and configure advanced network features. A third CR, `ClusterUserDefinedNetwork`, is also available, which allows administrators the ability to create and define secondary networks spanning multiple namespaces at the cluster level.
+[role="_abstract"]
+You can use user defined networks and network attachment definitions to define and configure customized networks for your needs.
 
-User-defined networks and network attachment definitions can serve as both the primary and secondary network interface, and each support `layer2` and `layer3` topologies; a third network topology, Localnet, is also supported with network attachment definitions with secondary networks.
+By creating `UserDefinedNetwork` and `NetworkAttachmentDefinition` custom resources (CRs), cluster administrators can complete the following tasks:
+
+* Create customizable network configurations
+* Define their own network topologies
+* Ensure network isolation
+* Manage IP addressing for workloads
+* Configure advanced network features
+
+By creating a `ClusterUserDefinedNetwork` CR, administrators can create and define secondary networks that span multiple namespaces at the cluster level.
+
+User-defined networks and network attachment definitions can serve as both the primary and secondary network interface, and each support `layer2` and `layer3` topologies.
 
 [NOTE]
 ====
-As of {product-title} 4.19, the use of the `Localnet` topology by `ClusterUserDefinedNetwork` CRs is generally available. This configuration is the preferred method for connecting physical networks to virtual networks. Alternatively, the `NetworkAttachmentDefinition` CR can also be used to create secondary networks with `Localnet` topologies.
+As of {product-title} 4.19, the use of the `Localnet` topology by `ClusterUserDefinedNetwork` CRs is generally available. This configuration is the preferred method for connecting physical networks to virtual networks. Or, you can use the `NetworkAttachmentDefinition` CR to create secondary networks with `Localnet` topologies.
 ====
 
-The following section highlights the supported features of the `UserDefinedNetwork` and `NetworkAttachmentDefinition` CRs when they are used as either the primary or secondary network. A separate table for the `ClusterUserDefinedNetwork` CR is also included.
+The following section highlights the supported features of the `UserDefinedNetwork` and `NetworkAttachmentDefinition` CRs when used as either the primary or secondary network. A separate table for the `ClusterUserDefinedNetwork` CR is also included.
 
 .Primary network support matrix for `UserDefinedNetwork` and `NetworkAttachmentDefinition` CRs
 [cols="1a,1a,1a, options="header"]
@@ -46,11 +57,11 @@ The following section highlights the supported features of the `UserDefinedNetwo
 ^| ✓
 ^| ✓
 
-^| Multicast ^[1]^
+^| Multicast
 ^| X
 ^| ✓
 
-^| `NetworkPolicy` resource ^[2]^
+^| `NetworkPolicy` resource
 ^| ✓
 ^| ✓
 
@@ -59,12 +70,16 @@ The following section highlights the supported features of the `UserDefinedNetwo
 ^| X
 
 |===
-1. Multicast must be enabled in the namespace, and it is only available between OVN-Kubernetes network pods. For more information about multicast, see "Enabling multicast for a project".
+where:
+
+Multicast:: Must be enabled in the namespace, and it is only available between OVN-Kubernetes network pods. For more information, see "About multicast".
++
+`NetworkPolicy` resource:: When creating a `ClusterUserDefinedNetwork` CR with a primary network type, network policies must be created _after_ the `UserDefinedNetwork` CR.
 
 .Secondary network support matrix for `UserDefinedNetwork` and `NetworkAttachmentDefinition` CRs
 [cols="1a,1a,1a,1a, options="header"]
 |===
-^| Network feature ^| Layer2 topology ^|Layer3 topology ^|Localnet topology ^[1]^
+^| Network feature ^| Layer2 topology ^|Layer3 topology ^|Localnet topology
 
 ^| east-west traffic
 ^| ✓
@@ -112,7 +127,7 @@ The following section highlights the supported features of the `UserDefinedNetwo
 ^| ✓ (`NetworkAttachmentDefinition` CR only)
 
 |===
-1. The Localnet topology is unavailable for use with the `UserDefinedNetwork` CR. It is only supported on secondary networks for `NetworkAttachmentDefinition` CRs.
+The Localnet topology is unavailable for use with the `UserDefinedNetwork` CR. It is only supported on secondary networks for `NetworkAttachmentDefinition` CRs.
 
 .Support matrix for `ClusterUserDefinedNetwork` CRs
 [cols="1a,1a,1a,1a, options="header"]
@@ -149,7 +164,7 @@ The following section highlights the supported features of the `UserDefinedNetwo
 ^| ✓
 ^|
 
-^| Multicast ^[1]^
+^| Multicast
 ^| X
 ^| ✓
 ^|
@@ -159,11 +174,14 @@ The following section highlights the supported features of the `UserDefinedNetwo
 ^| X
 ^| ✓
 
-^| `NetworkPolicy` resource ^[2]^
+^| `NetworkPolicy` resource
 ^| ✓
 ^| ✓
 ^|
 
 |===
-1. Multicast must be enabled in the namespace, and it is only available between OVN-Kubernetes network pods. For more information, see "About multicast".
-2. When creating a `ClusterUserDefinedNetwork` CR with a primary network type, network policies must be created _after_ the `UserDefinedNetwork` CR.
+where:
+
+Multicast:: must be enabled in the namespace, and it is only available between OVN-Kubernetes network pods. For more information, see "About multicast".
++
+`NetworkPolicy` resource:: When creating a `ClusterUserDefinedNetwork` CR with a primary network type, network policies must be created _after_ the `UserDefinedNetwork` CR.

modules/understanding-multiple-networks-con.adoc

@@ -0,0 +1,34 @@
+//module included in the following assembly:
+//
+// *networking/multiple_networks/understanding-user-defined-networks.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="understanding-multiple-networks-con_{context}"]
+= Multiple networks with the OVN-K CNI
+
+[role="_abstract"]
+By default, OVN-Kubernetes serves as the Container Network Interface (CNI) of an {product-title} cluster. This network interface is what administrators use to create default networks.
+
+Both user-defined networks and Network Attachment Definitions can serve as the following network types:
+
+* *Primary networks*: Act as the primary network for the pod. By default, all traffic passes through the primary network unless you have configured a pod route to send traffic through other networks.
+
+* *Secondary networks*: Act as secondary, non-default networks for a pod. Secondary networks offer separate interfaces dedicated to specific traffic types or purposes. Only pod traffic that you explicitly configure to use a secondary network routes through its interface.
+
+The following diagram shows a cluster that has an existing default network infrastructure that uses a physical network interface, `eth0`, to connect to two namespaces. Pods or virtual machines (VMs) in one namespace run in isolation from pods or VMs in the other namespace. You can create only one primary network. However, you can create multiple secondary networks for each namespace.
+
+.Diagram showing namespaces with multiple secondary UDNs
+image::501_OpenShift_UDN_pri_sec_0925.png[Diagram showing namespaces with multiple secondary UDNs]
+
+During cluster installation, {product-title} administrators can configure alternative default secondary pod networks by leveraging the Multus CNI plugin. With Multus, you can use multiple CNI plugins such as ipvlan, macvlan, or Network Attachment Definitions together to serve as secondary networks for pods.
+
+[IMPORTANT]
+====
+User-defined networks are only supported when OVN-Kubernetes is used as the CNI. UDNs are not supported for use with other CNIs.
+====
+
+You can define an secondary network based on the available CNI plugins and attach one or more of these networks to your pods. You can define more than one secondary network for your cluster depending on your needs. This gives you flexibility when you configure pods that deliver network functionality, such as switching or routing. For more information, see the the links in the Additional resources:
+
+* For a complete list of supported CNI plugins, see "Secondary networks in {product-title}".
+* For information about user-defined networks, see "About user-defined networks (UDNs)".
+* For information about Network Attachment Definitions, "Creating primary networks by using a NetworkAttachmentDefinition".

networking/multiple_networks/about-virtual-routing-and-forwarding.adoc

@@ -7,3 +7,5 @@ include::_attributes/common-attributes.adoc[]
 toc::[]
 
 include::modules/cnf-about-virtual-routing-and-forwarding.adoc[leveloffset=+1]
+
+include::modules/cnf-benefits-secondary-networks-telco-ops.adoc[leveloffset=+2]