<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
The answer is 'yes' and 'no'. <br>
<br>
No, OpenStack (neutron/nova-networks) has no such abstraction. <br>
Yes, you can do it with openvswitch on the compute host manually
(until VM reboot).<br>
<br>
Quote from ovs-vsctl manpage:<br>
<br>
<pre>   <b>Port Mirroring</b>
       Mirror all packets received or sent on <b>eth0</b> or <b>eth1</b> onto <b>eth2</b>, assuming
       that all of those ports exist on bridge <b>br0</b> (as a side-effect this
       causes any packets received on <b>eth2</b> to be ignored):

              ovs-vsctl -- set Bridge br0 mirrors=@m \
              -- --id=@eth0 get Port eth0 \
              -- --id=@eth1 get Port eth1 \
              -- --id=@eth2 get Port eth2 \
              -- --id=@m create Mirror name=mymirror \
                 select-dst-port=@eth0,@eth1 select-src-port=@eth0,@eth1 \
                 output-port=@eth2
</pre>
<br>
<br>
<div class="moz-cite-prefix">On 02/15/2015 07:34 PM, Yaron Illouz
wrote:<br>
</div>
<blockquote
cite="mid:1A791056FCD70F458405B58B79F5C2F706D20A40@rad-w2ksrv11"
type="cite">
<div class="Section1">
<p style="margin-bottom:12.0pt"><font color="black" face="Times
New Roman" size="4"><span
style="font-size:14.0pt;color:black">Hi<br>
<br>
<o:p></o:p></span></font></p>
<p style="margin-bottom:12.0pt"><b><u><font color="black"
face="Times New Roman" size="4"><span
style="font-size:14.0pt;color:black;font-weight:
bold">Is it possible to port mirror to a vm?<o:p></o:p></span></font></u></b></p>
<p style="margin-bottom:12.0pt"><font color="black" face="Times
New Roman" size="4"><span
style="font-size:14.0pt;color:black">I generate traffic
from vm1 to vm2, and
I am trying to mirror traffic of vm1 to vm3<br>
I want vm3 to receive traffic that is not destined for
it - not ip and not
mac address<br>
I am trying to do port mirroring between vms created with
openstack.<br>
I did it with the openvswitch.<br>
Packets are copied to the mirrored qvo, </span></font><font
color="navy" size="4"><span
style="font-size:14.0pt;color:navy">qvb, and qbr but don't
reach the tap.<o:p></o:p></span></font></p>
<p style="margin-bottom:12.0pt"><font color="black" face="Times
New Roman" size="4"><span
style="font-size:14.0pt;color:black">From the iptables output
it doesn't seem to be
dropped in one of the chains or in the fallback.<br>
</span></font><font color="navy" size="4"><span
style="font-size:14.0pt;color:navy">T</span></font><font
color="black" size="4"><span
style="font-size:14.0pt;color:black">he problem: I do
see the mirrored traffic in qvo, qvb and qbr (in tcpdump)
but it doesn't pass
to the tap<br>
I tried to insert allowed-pairs to the port, but what I
really need is to define
it in "promiscuous" mode. But even with allowed-pairs,
traffic doesn't reach
vm3.<o:p></o:p></span></font></p>
<p style="margin-bottom:12.0pt"><font color="black" face="Times
New Roman" size="4"><span
style="font-size:14.0pt;color:black">I also tried to
hairpin but it didn’t
help.<o:p></o:p></span></font></p>
<p style="margin-bottom:12.0pt"><font color="black"
face="Tahoma" size="4"><span
style="font-size:14.0pt;font-family:Tahoma;color:black">brctl
hairpin </span></font><font color="black" size="4"><span
style="font-size:14.0pt;color:black">qbr3ede5b3e</span></font><font
color="black" face="Tahoma" size="4"><span
style="font-size:14.0pt;font-family:Tahoma;
color:black"> </span></font><font color="black" size="4"><span
style="font-size:
14.0pt;color:black">tap3ede5b3e on</span></font><font
color="navy" size="4"><span
style="font-size:14.0pt;color:navy"><o:p></o:p></span></font></p>
<p style="margin-bottom:12.0pt"><font color="black" face="Times
New Roman" size="4"><span
style="font-size:14.0pt;color:black">Here are some details
about my test<o:p></o:p></span></font></p>
<p style="margin-bottom:12.0pt"><font color="black" face="Times
New Roman" size="4"><span
style="font-size:14.0pt;color:black">Openstack RDO juno on
Centos 7<o:p></o:p></span></font></p>
<p style="margin-bottom:12.0pt"><font color="black" face="Times
New Roman" size="4"><span
style="font-size:14.0pt;color:black">Neutron port list<br>
| 3ede5b3e-396e-48a9-b24a-6cb2dc7509fe | |
fa:16:3e:3b:34:de | {"subnet_id":
"f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address":
"10.67.82.2"} |<br>
| 435f35c6-80be-47ee-b30f-8376e1ea78d9 | |
fa:16:3e:41:fd:59 | {"subnet_id":
"f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address":
"10.67.82.5"} |<br>
| bd80bab5-424d-4e5c-8993-b8bb8c6f3e49 | |
fa:16:3e:f7:4f:ea | {"subnet_id":
"f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address":
"10.67.82.3"} |<br>
<br>
<o:p></o:p></span></font></p>
<p class="MsoNormal"><font color="black" face="Times New Roman"
size="4"><span style="font-size:14.0pt;color:black">Command
that I ran to do the port mirroring<br>
ovs-vsctl -- set Bridge br-int mirrors=@m --
--id=@qvobd80bab5-42 get
Port qvobd80bab5-42 -- --id=@qvo3ede5b3e-39 get Port
qvo3ede5b3e-39 --
--id=@m create Mirror name=mymirror
select-dst-port=@qvobd80bab5-42
select-src-port=@qvobd80bab5-42
output-port=@qvo3ede5b3e-39<br>
<br>
<o:p></o:p></span></font></p>
<p class="MsoNormal"><font color="black" face="Times New Roman"
size="4"><span style="font-size:14.0pt;color:black">This is
iptables output filtered, you can
see I added an allowed address pair.<br>
3 3518 919K neutron-openvswi-sg-chain
all -- *
*
0.0.0.0/0
0.0.0.0/0
PHYSDEV match --physdev-out tap3ede5b3e-39
--physdev-is-bridged<br>
4 4 1358
neutron-openvswi-sg-chain all -- *
*
0.0.0.0/0
0.0.0.0/0
PHYSDEV match --physdev-in tap3ede5b3e-39
--physdev-is-bridged<br>
<br>
Chain neutron-openvswi-INPUT (1 references)<br>
--<br>
2 0 0
neutron-openvswi-o3ede5b3e-3 all --
* *
0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in tap3ede5b3e-39
--physdev-is-bridged<br>
3 0 0
neutron-openvswi-o7e200e92-4 all --
* *
0.0.0.0/0
0.0.0.0/0
PHYSDEV match --physdev-in tap7e200e92-44
--physdev-is-bridged<br>
4 0 0
neutron-openvswi-o435f35c6-8 all --
* *
0.0.0.0/0
0.0.0.0/0
PHYSDEV match --physdev-in tap435f35c6-80
--physdev-is-bridged<br>
5 0 0
neutron-openvswi-o6a1bb345-9 all --
* * 0.0.0.0/0
0.0.0.0/0
PHYSDEV match --physdev-in tap6a1bb345-93
--physdev-is-bridged<br>
6 0 0
neutron-openvswi-ofc0a7800-a all --
* *
0.0.0.0/0
0.0.0.0/0
PHYSDEV match --physdev-in tapfc0a7800-a0
--physdev-is-bridged<br>
<br>
Chain neutron-openvswi-OUTPUT (1 references)<br>
num pkts bytes target prot opt
in out
source
destination<br>
<br>
Chain neutron-openvswi-i3ede5b3e-3 (1 references)<br>
num pkts bytes target prot opt
in out source
destination<br>
1 0 0
DROP all --
* *
0.0.0.0/0
0.0.0.0/0
state INVALID<br>
2 91 8550
RETURN all --
* *
0.0.0.0/0
0.0.0.0/0
state RELATED,ESTABLISHED<br>
3 0 0
RETURN udp --
* *
10.67.82.4
0.0.0.0/0 udp
spt:67 dpt:68<br>
4 0 0
RETURN icmp -- *
*
0.0.0.0/0
0.0.0.0/0<br>
5 0 0
RETURN tcp --
* * 0.0.0.0/0
0.0.0.0/0 tcp
multiport dports 1:65535<br>
6 3416 907K RETURN
all -- *
*
0.0.0.0/0
0.0.0.0/0
match-set IPv4ecb94f49-0fdd-4f6f-b src<br>
7 9 3054
neutron-openvswi-sg-fallback all -- *
*
0.0.0.0/0
0.0.0.0/0<br>
<br>
--<br>
Chain neutron-openvswi-o3ede5b3e-3 (2 references)<br>
num pkts bytes target prot opt
in out
source
destination<br>
1 4 1358
RETURN udp --
* *
0.0.0.0/0 0.0.0.0/0
udp spt:68 dpt:67<br>
2 0 0
neutron-openvswi-s3ede5b3e-3 all --
* *
0.0.0.0/0
0.0.0.0/0<br>
3 0 0
DROP udp --
* *
0.0.0.0/0
0.0.0.0/0 udp
spt:67 dpt:68<br>
4 0 0
DROP all --
* *
0.0.0.0/0
0.0.0.0/0
state INVALID<br>
5 0 0
RETURN all --
* *
0.0.0.0/0
0.0.0.0/0
state RELATED,ESTABLISHED<br>
6 0 0
RETURN all --
* *
0.0.0.0/0
0.0.0.0/0<br>
7 0 0
neutron-openvswi-sg-fallback all --
* *
0.0.0.0/0
0.0.0.0/0<br>
<br>
--<br>
Chain neutron-openvswi-s3ede5b3e-3 (1 references)<br>
num pkts bytes target prot opt
in out
source
destination<br>
1 0 0
RETURN all --
* *
10.67.82.0/24 0.0.0.0/0
MAC FA:16:3E:41:FD:59<br>
2 0 0
RETURN all --
* *
10.67.82.2
0.0.0.0/0 MAC
FA:16:3E:3B:34:DE<br>
3 0 0
DROP all --
* *
0.0.0.0/0
0.0.0.0/0<br>
<br>
<br>
--<br>
3 3518 919K neutron-openvswi-i3ede5b3e-3
all -- *
*
0.0.0.0/0
0.0.0.0/0
PHYSDEV match --physdev-out tap3ede5b3e-39
--physdev-is-bridged<br>
4 4 1358
neutron-openvswi-o3ede5b3e-3 all --
* *
0.0.0.0/0
0.0.0.0/0
PHYSDEV match --physdev-in tap3ede5b3e-39
--physdev-is-bridged<br>
.<br>
13 397M 1617G ACCEPT all
-- * *
0.0.0.0/0
0.0.0.0/0<br>
<br>
--<br>
error=`neutron-openvswi-i3ede5b3e-3'<br>
<br>
Entry 63 (19664):<br>
SRC IP: 0.0.0.0/0.0.0.0<br>
DST IP: 0.0.0.0/0.0.0.0<br>
Interface: `'/................to `'/................<br>
Protocol: 0<br>
Flags: 00<br>
Invflags: 00<br>
Counters: 0 packets, 0 bytes<br>
Cache: 00000000<br>
--<br>
error=`neutron-openvswi-o3ede5b3e-3'<br>
<br>
Entry 119 (32280):<br>
SRC IP: 0.0.0.0/0.0.0.0<br>
DST IP: 0.0.0.0/0.0.0.0<br>
Interface: `'/................to `'/................<br>
Protocol: 17<br>
Flags: 00<br>
Invflags: 00<br>
Counters: 4 packets, 1358 bytes<br>
Cache: 00000000<br>
--<br>
error=`neutron-openvswi-s3ede5b3e-3'<br>
<br>
Entry 173 (43608):<br>
SRC IP: 10.67.82.0/255.255.255.0<br>
DST IP: 0.0.0.0/0.0.0.0<br>
Interface: `'/................to `'/................<br>
Protocol: 0<br>
Flags: 00<br>
Invflags: 00<br>
Counters: 0 packets, 0 bytes<br>
Cache: 00000000<o:p></o:p></span></font></p>
<p class="MsoNormal"><font color="black" face="Times New Roman"
size="4"><span style="font-size:14.0pt;color:black">The
tcpdump traces show proper traffic
flow from MAC/IP fa:16:3e:f7:4f:ea/10.67.82.3 to
fa:16:3e:41:fd:59/10.67.82.5 going into a bridge/switch
that has a nic with
mac/IP of<br>
fa:16:3e:3b:34:de/10.67.82.2 connected to its other port<o:p></o:p></span></font></p>
<p class="MsoNormal"><font color="black" face="Times New Roman"
size="4"><span style="font-size:14.0pt;color:black">I thought
the allowed address pair I added
would allow this traffic -> you can see it in
neutron-openvswi-s3ede5b3e-3 (1
0 0 RETURN all --
* *
10.67.82.0/24 0.0.0.0/0
MAC FA:16:3E:41:FD:59).<o:p></o:p></span></font></p>
<p class="MsoNormal"><font color="black" face="Times New Roman"
size="4"><span style="font-size:14.0pt;color:black">In
tcpdump<o:p></o:p></span></font></p>
<p style="margin-bottom:12.0pt"><font color="black" face="Times
New Roman" size="4"><span
style="font-size:14.0pt;color:black">tcpdump -e -n -vvv -i
qbr3ede5b3e-39 |
more<br>
tcpdump: WARNING: qbr3ede5b3e-39: no IPv4 address assigned<br>
tcpdump: listening on qbr3ede5b3e-39, link-type EN10MB
(Ethernet), capture size
65535 bytes<br>
08:20:57.102453 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59,
ethertype IPv4
(0x0800), length 90: (tos 0x48, ttl 255, id 33035, offset
0, flags [none],
proto UDP (<br>
17), length 76)<br>
10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum
ok]
UDP, length 48<br>
08:20:57.103052 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59,
ethertype IPv4
(0x0800), length 56: (tos 0xb8, ttl 64, id 9181, offset 0,
flags [none], proto
UDP (17<br>
), length 42)<br>
10.67.82.3.gtp-control > 10.67.82.5.gtp-control:
[udp sum
ok] UDP, length 14<br>
08:20:57.103363 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59,
ethertype IPv4
(0x0800), length 193: (tos 0x48, ttl 255, id 61276, offset
0, flags [none],
proto UDP<br>
<br>
<o:p></o:p></span></font></p>
<p class="MsoNormal"><font color="black" face="Times New Roman"
size="4"><span style="font-size:14.0pt;color:black"><br>
tcpdump -e -n -vvv -i qvo3ede5b3e-39 | more<br>
tcpdump: WARNING: qvo3ede5b3e-39: no IPv4 address assigned<br>
tcpdump: listening on qvo3ede5b3e-39, link-type EN10MB
(Ethernet), capture size
65535 bytes<br>
08:20:35.852117 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59,
ethertype IPv4
(0x0800), length 125: (tos 0x48, ttl 255, id 40524, offset
0, flags [none],
proto UDP<br>
(17), length 111)<br>
10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum
ok]
UDP, length 83<br>
08:20:35.852323 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59,
ethertype IPv4
(0x0800), length 626: (tos 0x48, ttl 255, id 13595, offset
0, flags [none],
proto UDP<br>
(17), length 612)<br>
10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum
ok]
UDP, length 584<br>
08:20:35.852337 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59,
ethertype IPv4
(0x0800), length 626: (tos 0x48, ttl 255, id 13596, offset
0, flags [none],
proto UDP<br>
(17), length 612)<br>
<br>
<o:p></o:p></span></font></p>
<p class="MsoNormal"><font color="black" face="Times New Roman"
size="4"><span style="font-size:14.0pt;color:black">tcpdump
-e -n -vvv -i qvb3ede5b3e-39 |
more<br>
tcpdump: WARNING: qvb3ede5b3e-39: no IPv4 address assigned<br>
tcpdump: listening on qvb3ede5b3e-39, link-type EN10MB
(Ethernet), capture size
65535 bytes<br>
08:19:52.633158 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59,
ethertype IPv4
(0x0800), length 98: (tos 0x48, ttl 255, id 24950, offset
0, flags [none],
proto UDP (<br>
17), length 84)<br>
10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum
ok]
UDP, length 56<br>
08:19:52.633173 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59,
ethertype IPv4
(0x0800), length 90: (tos 0x48, ttl 255, id 2289, offset
0, flags [none], proto
UDP (1<br>
7), length 76)<br>
10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum
ok]
UDP, length 48<br>
08:19:52.633376 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59,
ethertype IPv4
(0x0800), length 98: (tos 0x48, ttl 255, id 51798, offset
0, flags [none],
proto UDP (<br>
17), length 84)<br>
<br>
</span></font><font face="Arial" size="4"><span
style="font-size:14.0pt;font-family:
Arial"><o:p></o:p></span></font></p>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
OpenStack-operators mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OpenStack-operators@lists.openstack.org">OpenStack-operators@lists.openstack.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a>
</pre>
</blockquote>
<br>
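Added example, not part of the original thread or of Open vSwitch: a mirror created by hand with ovs-vsctl, as in the reply above, lives only in the compute host's OVS database and is unknown to Neutron, so this script lists Mirror records and reports any whose name is not on an allowlist. It assumes the default record layout of `ovs-vsctl list Mirror`; the sample text, its UUIDs, the mirror name span-ids and the ALLOWED_MIRRORS variable are constructed for illustration.

```shell
# Added example: flag Open vSwitch Mirror records that are not on an allowlist.
# Assumes the default `ovs-vsctl list Mirror` layout: "column : value" lines,
# blank line between records. Sample is constructed (made-up UUIDs, abridged).
SAMPLE_MIRRORS='_uuid               : 11111111-aaaa-4bbb-8ccc-000000000001
name                : mymirror
output_port         : 22222222-aaaa-4bbb-8ccc-000000000002
select_all          : false
select_src_port     : [33333333-aaaa-4bbb-8ccc-000000000003]

_uuid               : 11111111-aaaa-4bbb-8ccc-000000000009
name                : "span-ids"
output_port         : 22222222-aaaa-4bbb-8ccc-00000000000a
select_all          : true
select_src_port     : []'

# stdin: `ovs-vsctl list Mirror` text.
# stdout: "name output_port_uuid select_all", one line per mirror.
parse_mirrors() {
    awk -F' *: *' '
        function emit() { if (name != "") print name, out, all; name = out = all = "" }
        $1 == "name"        { name = $2; gsub(/"/, "", name) }
        $1 == "output_port" { out = $2 }
        $1 == "select_all"  { all = $2 }
        /^[ \t]*$/          { emit() }
        END                 { emit() }'
}

# $1: space-separated allowlist of mirror names; stdin as for parse_mirrors.
# Prints every mirror not on the list and returns 1 if any was found.
unexpected_mirrors() {
    allowed=" $1 "; status=0
    parsed=$(parse_mirrors)
    while read -r name out all; do
        [ -n "$name" ] || continue
        case "$allowed" in
            *" $name "*) ;;
            *) echo "UNEXPECTED mirror=$name output_port=$out select_all=$all"
               status=1 ;;
        esac
    done <<EOF
$parsed
EOF
    return "$status"
}

if command -v ovs-vsctl >/dev/null 2>&1; then
    ovs-vsctl list Mirror | unexpected_mirrors "${ALLOWED_MIRRORS:-}" || true
else
    printf '%s\n' "$SAMPLE_MIRRORS" | unexpected_mirrors "span-ids" || true
fi
```

The output_port value is a Port UUID; `ovs-vsctl get Port <uuid> name` resolves it to the qvo/tap device receiving the copied traffic.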
</body>
</html>