<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#f4f6f6">
Dear colleagues,<br>
<br>
I just faced an issue with Open vSwitch which looks strange to me.
The problem is that any particular VM receives a lot of packets
which are unicast:<br>
- from other VMs which reside on the same host (let's name them
"local VMs")<br>
- to other VMs which reside on other hosts (let's name them "remote
VMs")<br>
<br>
The long output of "ovs-ofctl dump-flows br-int" which, as far as I
can narrow it down, ends here:<br>
<br>
<pre># ovs-ofctl dump-flows br-int |grep " table=94," |egrep "n_packets=[123456789]"
cookie=0xaf6b1435fe826bdf, duration=2952350.695s, table=94, n_packets=291494723, n_bytes=40582103074, idle_age=0, hard_age=65534, priority=1 actions=NORMAL</pre>
<br>
i.e. packets come to normal processing (classic MAC learning). Looking into
the br-int MAC table (ovs-appctl fdb/show br-int) shows that there are
really no MAC addresses of remote VMs and br-int behaves in the
right way, flooding unknown unicast to all ports in this L2 segment.<br>
<br>
Of course, there is br-tun, which is connected over VXLAN to all other
hosts and to br-int:<br>
<br>
<pre>    Bridge br-tun
        Controller "tcp:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port "vxlan-0a960008"
            Interface "vxlan-0a960008"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="10.150.0.5", out_key=flow, remote_ip="10.150.0.8"}
        [ ... ]
        Port br-tun
            Interface br-tun
                type: internal
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}</pre>
<br>
but the MAC table on br-tun is empty as well:<br>
<br>
<pre># ovs-appctl fdb/show br-tun
 port  VLAN  MAC                Age
#</pre>
<br>
Finally, packets get to their destination while being copied to all ports
on the source host, which is a serious security issue.<br>
<br>
I do not think this is conceived by design; I rather think we missed
something in the configuration. Can anybody point out where we're wrong
and help with this issue?<br>
<br>
We're using OpenStack Rocky and OVS 2.10.0 under Ubuntu 16.04.
The network configuration is:<br>
<br>
@controller:<br>
<pre># cat /etc/neutron/plugins/ml2/ml2_conf.ini |egrep -v "^$|^#"
[DEFAULT]
verbose = true
[ml2]
type_drivers = flat,vxlan
tenant_network_types = vxlan
mechanism_drivers = l2population,openvswitch
extension_drivers = port_security,qos,dns_domain_ports
[ml2_type_flat]
flat_networks = provider
[ml2_type_geneve]
[ml2_type_gre]
[ml2_type_vlan]
[ml2_type_vxlan]
vni_ranges = 400:400000
[securitygroup]
firewall_driver = openvswitch
enable_security_group = true
enable_ipset = true</pre>
<br>
@agent:<br>
<pre># cat /etc/neutron/plugins/ml2/openvswitch_agent.ini |egrep -v "^$|^#"
[DEFAULT]
verbose = true
[agent]
tunnel_types = vxlan
l2_population = true
arp_responder = true
extensions = qos
[ovs]
local_ip = 10.150.0.5
bridge_mappings = provider:br-ex
[securitygroup]
firewall_driver = openvswitch
enable_security_group = true
enable_ipset = true
[xenapi]</pre>
<br>
Thank you.<br>
<br>
<pre class="moz-signature" cols="72">--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison</pre>
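As an added example (not part of this mail), here is a small Python check that reads the two outputs quoted above, "ovs-ofctl dump-flows br-int" and "ovs-appctl fdb/show br-int", and reports NORMAL-action flows that have carried traffic in a table while the bridge has learned no MAC addresses at all, which is the unknown-unicast flooding condition described in the mail. The sample outputs are constructed around the flow quoted above; the second flow and the populated MAC table are invented for comparison.<br>

```python
import re

# Constructed sample "ovs-ofctl dump-flows br-int" output: the table=94 NORMAL
# flow quoted in the mail plus one invented higher-priority flow with a match
# field, so the parser sees more than one shape of line.
DUMP_FLOWS = """\
NXST_FLOW reply (xid=0x4):
 cookie=0xaf6b1435fe826bdf, duration=2952350.695s, table=94, n_packets=291494723, n_bytes=40582103074, idle_age=0, hard_age=65534, priority=1 actions=NORMAL
 cookie=0xaf6b1435fe826bdf, duration=2952350.695s, table=94, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=12,dl_dst=fa:16:3e:00:00:01 actions=output:3
"""

# Constructed "ovs-appctl fdb/show br-int" outputs: the empty table seen in the
# mail, and one with a single learned entry for comparison.
FDB_EMPTY = " port  VLAN  MAC                Age\n"
FDB_POPULATED = FDB_EMPTY + "    3     0  fa:16:3e:00:00:01    5\n"

FIELD_RE = re.compile(r"(\w+)=([^,\s]+)")

def parse_flows(text):
    """One dict per flow line; the 'NXST_FLOW reply' header is skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if "cookie=" not in line:
            continue
        match_part, _, actions = line.partition(" actions=")
        flow = dict(FIELD_RE.findall(match_part))
        flow["actions"] = actions
        flow["table"] = int(flow.get("table", 0))
        flow["n_packets"] = int(flow.get("n_packets", 0))
        flows.append(flow)
    return flows

def parse_fdb(text):
    """Learned (port, vlan, mac) tuples from fdb/show; header line skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] != "port":
            entries.append((int(parts[0]), int(parts[1]), parts[2].lower()))
    return entries

def check_unknown_unicast_flooding(dump_flows, fdb_text, table=94):
    """(cookie, n_packets) of NORMAL-action flows in `table` that forwarded
    traffic while the bridge learned no MACs: every unicast frame NORMAL
    handles is then flooded to all ports. Returns [] once MACs are learned."""
    if parse_fdb(fdb_text):
        return []
    return [(f["cookie"], f["n_packets"]) for f in parse_flows(dump_flows)
            if f["table"] == table and f["actions"] == "NORMAL"
            and f["n_packets"] > 0]
```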
</body>
</html>