<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
p
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:Arial;
color:windowtext;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p style='margin-bottom:12.0pt'><font size=4 color=black face="Times New Roman"><span
style='font-size:14.0pt;color:black'>Hi<br>
<br>
<o:p></o:p></span></font></p>
<p style='margin-bottom:12.0pt'><b><u><font size=4 color=black
face="Times New Roman"><span style='font-size:14.0pt;color:black;font-weight:
bold'>Is it possible to port mirror to a vm?<o:p></o:p></span></font></u></b></p>
<p style='margin-bottom:12.0pt'><font size=4 color=black face="Times New Roman"><span
style='font-size:14.0pt;color:black'>I generate traffic from vm1 to vm2, and
I am trying to mirror the traffic of vm1 to vm3<br>
I want vm3 to receive traffic that is not destined for it - neither its IP nor its
MAC address<br>
I am trying to do port mirroring between VMs created with OpenStack.<br>
I did it with Open vSwitch.<br>
Packets are copied to the mirrored qvo, qvb, and qbr but don't reach the tap.<o:p></o:p></span></font></p>
<p style='margin-bottom:12.0pt'><font size=4 color=black face="Times New Roman"><span
style='font-size:14.0pt;color:black'>From the iptables output it doesn't seem to be
dropped in one of the chains or in the fallback.<br>
The problem: I do see the mirrored traffic in qvo, qvb and qbr (in tcpdump) but it doesn't pass
to the tap<br>
I tried to insert allowed-pairs to the port, but what I really need is to define
it in "promiscuous" mode. But even with allowed-pairs, traffic doesn't reach
vm3.<o:p></o:p></span></font></p>
<p style='margin-bottom:12.0pt'><font size=4 color=black face="Times New Roman"><span
style='font-size:14.0pt;color:black'>I also tried to hairpin but it didn’t
help.<o:p></o:p></span></font></p>
<p style='margin-bottom:12.0pt'><font size=4 color=black face=Tahoma><span
style='font-size:14.0pt;font-family:Tahoma;color:black'>brctl hairpin qbr3ede5b3e tap3ede5b3e on<o:p></o:p></span></font></p>
<p style='margin-bottom:12.0pt'><font size=4 color=black face="Times New Roman"><span
style='font-size:14.0pt;color:black'><o:p> </o:p></span></font></p>
<p style='margin-bottom:12.0pt'><font size=4 color=black face="Times New Roman"><span
style='font-size:14.0pt;color:black'>Here are some details about my test<o:p></o:p></span></font></p>
<p style='margin-bottom:12.0pt'><font size=4 color=black face="Times New Roman"><span
style='font-size:14.0pt;color:black'>Openstack RDO juno on Centos 7<o:p></o:p></span></font></p>
<p style='margin-bottom:12.0pt'><font size=4 color=black face="Times New Roman"><span
style='font-size:14.0pt;color:black'>Neutron port list<br>
| 3ede5b3e-396e-48a9-b24a-6cb2dc7509fe | | fa:16:3e:3b:34:de | {"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address": "10.67.82.2"} |<br>
| 435f35c6-80be-47ee-b30f-8376e1ea78d9 | | fa:16:3e:41:fd:59 | {"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address": "10.67.82.5"} |<br>
| bd80bab5-424d-4e5c-8993-b8bb8c6f3e49 | | fa:16:3e:f7:4f:ea | {"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address": "10.67.82.3"} |<br>
<br>
<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=4 color=black face="Times New Roman"><span
style='font-size:14.0pt;color:black'>Command that I ran to do the port mirroring<br>
ovs-vsctl -- set Bridge br-int mirrors=@m -- --id=@qvobd80bab5-42 get Port qvobd80bab5-42 -- --id=@qvo3ede5b3e-39 get Port qvo3ede5b3e-39 -- --id=@m create Mirror name=mymirror select-dst-port=@qvobd80bab5-42 select-src-port=@qvobd80bab5-42 output-port=@qvo3ede5b3e-39<br>
<br>
<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=4 color=black face="Times New Roman"><span
style='font-size:14.0pt;color:black'>This is the iptables output, filtered; you can
see I added an allowed address pair.<br>
3 3518 919K neutron-openvswi-sg-chain all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap3ede5b3e-39 --physdev-is-bridged<br>
4 4 1358 neutron-openvswi-sg-chain all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap3ede5b3e-39 --physdev-is-bridged<br>
<br>
Chain neutron-openvswi-INPUT (1 references)<br>
--<br>
2 0 0 neutron-openvswi-o3ede5b3e-3 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap3ede5b3e-39 --physdev-is-bridged<br>
3 0 0 neutron-openvswi-o7e200e92-4 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap7e200e92-44 --physdev-is-bridged<br>
4 0 0 neutron-openvswi-o435f35c6-8 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap435f35c6-80 --physdev-is-bridged<br>
5 0 0 neutron-openvswi-o6a1bb345-9 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap6a1bb345-93 --physdev-is-bridged<br>
6 0 0 neutron-openvswi-ofc0a7800-a all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tapfc0a7800-a0 --physdev-is-bridged<br>
<br>
Chain neutron-openvswi-OUTPUT (1 references)<br>
num pkts bytes target prot opt in out source destination<br>
<br>
Chain neutron-openvswi-i3ede5b3e-3 (1 references)<br>
num pkts bytes target prot opt in out source destination<br>
1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID<br>
2 91 8550 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED<br>
3 0 0 RETURN udp -- * * 10.67.82.4 0.0.0.0/0 udp spt:67 dpt:68<br>
4 0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0<br>
5 0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp multiport dports 1:65535<br>
6 3416 907K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set IPv4ecb94f49-0fdd-4f6f-b src<br>
7 9 3054 neutron-openvswi-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0<br>
<br>
--<br>
Chain neutron-openvswi-o3ede5b3e-3 (2 references)<br>
num pkts bytes target prot opt in out source destination<br>
1 4 1358 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67<br>
2 0 0 neutron-openvswi-s3ede5b3e-3 all -- * * 0.0.0.0/0 0.0.0.0/0<br>
3 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68<br>
4 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID<br>
5 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED<br>
6 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0<br>
7 0 0 neutron-openvswi-sg-fallback all -- * * 0.0.0.0/0 0.0.0.0/0<br>
<br>
--<br>
Chain neutron-openvswi-s3ede5b3e-3 (1 references)<br>
num pkts bytes target prot opt in out source destination<br>
1 0 0 RETURN all -- * * 10.67.82.0/24 0.0.0.0/0 MAC FA:16:3E:41:FD:59<br>
2 0 0 RETURN all -- * * 10.67.82.2 0.0.0.0/0 MAC FA:16:3E:3B:34:DE<br>
3 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0<br>
<br>
<br>
--<br>
3 3518 919K neutron-openvswi-i3ede5b3e-3 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out tap3ede5b3e-39 --physdev-is-bridged<br>
4 4 1358 neutron-openvswi-o3ede5b3e-3 all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in tap3ede5b3e-39 --physdev-is-bridged<br>
.<br>
13 397M 1617G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0<br>
<br>
--<br>
error=`neutron-openvswi-i3ede5b3e-3'<br>
<br>
Entry 63 (19664):<br>
SRC IP: 0.0.0.0/0.0.0.0<br>
DST IP: 0.0.0.0/0.0.0.0<br>
Interface: `'/................to `'/................<br>
Protocol: 0<br>
Flags: 00<br>
Invflags: 00<br>
Counters: 0 packets, 0 bytes<br>
Cache: 00000000<br>
--<br>
error=`neutron-openvswi-o3ede5b3e-3'<br>
<br>
Entry 119 (32280):<br>
SRC IP: 0.0.0.0/0.0.0.0<br>
DST IP: 0.0.0.0/0.0.0.0<br>
Interface: `'/................to `'/................<br>
Protocol: 17<br>
Flags: 00<br>
Invflags: 00<br>
Counters: 4 packets, 1358 bytes<br>
Cache: 00000000<br>
--<br>
error=`neutron-openvswi-s3ede5b3e-3'<br>
<br>
Entry 173 (43608):<br>
SRC IP: 10.67.82.0/255.255.255.0<br>
DST IP: 0.0.0.0/0.0.0.0<br>
Interface: `'/................to `'/................<br>
Protocol: 0<br>
Flags: 00<br>
Invflags: 00<br>
Counters: 0 packets, 0 bytes<br>
Cache: 00000000<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=4 color=black face="Times New Roman"><span
style='font-size:14.0pt;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=4 color=black face="Times New Roman"><span
style='font-size:14.0pt;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=4 color=black face="Times New Roman"><span
style='font-size:14.0pt;color:black'>The tcpdump traces show proper traffic
flow from MAC/IP fa:16:3e:f7:4f:ea/10.67.82.3 to
fa:16:3e:41:fd:59/10.67.82.5 going into a bridge/switch that has a NIC with
MAC/IP fa:16:3e:3b:34:de/10.67.82.2 connected to its other port<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=4 color=black face="Times New Roman"><span
style='font-size:14.0pt;color:black'>I thought the allowed address pair I added
would allow this traffic -> you can see it in neutron-openvswi-s3ede5b3e-3 (1 0 0 RETURN all -- * * 10.67.82.0/24 0.0.0.0/0 MAC FA:16:3E:41:FD:59).<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=4 color=black face="Times New Roman"><span
style='font-size:14.0pt;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=4 color=black face="Times New Roman"><span
style='font-size:14.0pt;color:black'>In tcpdump<o:p></o:p></span></font></p>
<p style='margin-bottom:12.0pt'><font size=4 color=black face="Times New Roman"><span
style='font-size:14.0pt;color:black'>tcpdump -e -n -vvv -i qbr3ede5b3e-39 | more<br>
tcpdump: WARNING: qbr3ede5b3e-39: no IPv4 address assigned<br>
tcpdump: listening on qbr3ede5b3e-39, link-type EN10MB (Ethernet), capture size 65535 bytes<br>
08:20:57.102453 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 90: (tos 0x48, ttl 255, id 33035, offset 0, flags [none], proto UDP (17), length 76)<br>
10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 48<br>
08:20:57.103052 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 56: (tos 0xb8, ttl 64, id 9181, offset 0, flags [none], proto UDP (17), length 42)<br>
10.67.82.3.gtp-control > 10.67.82.5.gtp-control: [udp sum ok] UDP, length 14<br>
08:20:57.103363 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 193: (tos 0x48, ttl 255, id 61276, offset 0, flags [none], proto UDP<br>
<br>
<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=4 color=black face="Times New Roman"><span
style='font-size:14.0pt;color:black'><br>
tcpdump -e -n -vvv -i qvo3ede5b3e-39 | more<br>
tcpdump: WARNING: qvo3ede5b3e-39: no IPv4 address assigned<br>
tcpdump: listening on qvo3ede5b3e-39, link-type EN10MB (Ethernet), capture size 65535 bytes<br>
08:20:35.852117 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 125: (tos 0x48, ttl 255, id 40524, offset 0, flags [none], proto UDP (17), length 111)<br>
10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 83<br>
08:20:35.852323 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 626: (tos 0x48, ttl 255, id 13595, offset 0, flags [none], proto UDP (17), length 612)<br>
10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 584<br>
08:20:35.852337 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 626: (tos 0x48, ttl 255, id 13596, offset 0, flags [none], proto UDP (17), length 612)<br>
<br>
<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=4 color=black face="Times New Roman"><span
style='font-size:14.0pt;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=4 color=black face="Times New Roman"><span
style='font-size:14.0pt;color:black'>tcpdump -e -n -vvv -i qvb3ede5b3e-39 | more<br>
tcpdump: WARNING: qvb3ede5b3e-39: no IPv4 address assigned<br>
tcpdump: listening on qvb3ede5b3e-39, link-type EN10MB (Ethernet), capture size 65535 bytes<br>
08:19:52.633158 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 98: (tos 0x48, ttl 255, id 24950, offset 0, flags [none], proto UDP (17), length 84)<br>
10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 56<br>
08:19:52.633173 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 90: (tos 0x48, ttl 255, id 2289, offset 0, flags [none], proto UDP (17), length 76)<br>
10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 48<br>
08:19:52.633376 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 98: (tos 0x48, ttl 255, id 51798, offset 0, flags [none], proto UDP (17), length 84)<br>
<br>
<o:p></o:p></span></font></p>
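<p class=MsoNormal><font size=4 color=black face="Times New Roman"><span style='font-size:14.0pt;color:black'>Added example, not part of the post above: a small Python parser for the iptables -nvL --line-numbers layout quoted in the message that, for one Neutron port, sums per chain (i = packets into the VM, o = packets out of the VM, s = the anti-spoof chain jumped to from o) how many packets RETURNed versus hit DROP or neutron-openvswi-sg-fallback, whose only rule in this firewall driver is DROP, so a counter that keeps growing on the dropped side pinpoints the filter decision. The sample text is constructed from the post's chain names and counters, not a real dump.</span></font></p>

```python
import re

# Constructed sample in the layout of `iptables -nvL --line-numbers`, using the chain names and counters quoted in the post.
SAMPLE = """\
Chain neutron-openvswi-i3ede5b3e-3 (1 references)
num   pkts bytes target     prot opt in  out source        destination
2       91  8550 RETURN     all  --  *   *   0.0.0.0/0     0.0.0.0/0     state RELATED,ESTABLISHED
6     3416  907K RETURN     all  --  *   *   0.0.0.0/0     0.0.0.0/0     match-set IPv4ecb94f49-0fdd-4f6f-b src
7        9  3054 neutron-openvswi-sg-fallback  all  --  *   *   0.0.0.0/0     0.0.0.0/0

Chain neutron-openvswi-s3ede5b3e-3 (1 references)
num   pkts bytes target     prot opt in  out source        destination
1        0     0 RETURN     all  --  *   *   10.67.82.0/24 0.0.0.0/0     MAC FA:16:3E:41:FD:59
3        0     0 DROP       all  --  *   *   0.0.0.0/0     0.0.0.0/0
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \((\d+) references\)")
# num pkts bytes target prot opt in out source destination [match text]; opt is not captured
RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}

def parse_counter(tok):
    """iptables -v abbreviates large counters (907K, 397M, 1617G); -x would print them raw."""
    return int(tok[:-1]) * SUFFIX[tok[-1]] if tok[-1] in SUFFIX else int(tok)

def parse_chains(text):
    """Return {chain_name: [rule dicts]} from iptables -nvL --line-numbers output."""
    chains, current = {}, None
    for line in text.splitlines():
        chain, rule = CHAIN_RE.match(line), RULE_RE.match(line)
        if chain:
            current = chain.group(1)
            chains[current] = []
        elif rule and current is not None:
            num, pkts, _bytes, target, proto, inp, out, src, dst, extra = rule.groups()
            chains[current].append({"num": int(num), "pkts": parse_counter(pkts), "target": target,
                                    "proto": proto, "src": src, "dst": dst, "extra": extra.strip()})
    return chains

def port_verdicts(chains, port_prefix):
    """Per i/o/s chain of one port: packets that RETURNed (allowed) vs. hit DROP or the DROP-only sg-fallback."""
    verdicts = {}
    for direction in "ios":
        counts = {"allowed": 0, "dropped": 0}
        for rule in chains.get(f"neutron-openvswi-{direction}{port_prefix}", []):
            if rule["target"] == "RETURN":
                counts["allowed"] += rule["pkts"]
            elif rule["target"] in ("DROP", "neutron-openvswi-sg-fallback"):
                counts["dropped"] += rule["pkts"]
        verdicts[direction] = counts  # a chain absent from the dump reports 0/0
    return verdicts
```

Feed it the real output of `iptables -t filter -nvL --line-numbers` on the compute host and take the counters twice a few seconds apart while the traffic runs; only the delta tells you which rule is currently acting.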
</div>
</body>
</html>