<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi Mathias,<br>
<br>
the fact that you've seen ARP request-reply says that connectivity
itself is correct. I think the problem with flows configuration
inside bridge, which is controlled by ODL. Unfortunately, I never
had an experience with ODL and can't comment what it do and how. You
can print flows config using command<br>
<br>
ovs-ofctl dump-flows <bridge_name><br>
<br>
and there you can try to find whether some rules block some traffic.<br>
<br>
<div class="moz-cite-prefix">On 2/2/18 4:14 PM, Mathias Strufe
(DFKI) wrote:<br>
</div>
<blockquote type="cite"
cite="mid:084f35e8025cfc8cdab0e0950cf94ef7@projects.dfki.uni-kl.de">Dear
Volodymyr, Benjamin,
<br>
<br>
thanks a lot for your tipps and patience ... but still facing the
same problem :/
<br>
So I need to bother you again ...
<br>
I think its something totally stupid, basic I do wrong ...
<br>
<br>
Let me summarize what I did so far:
<br>
<br>
- Update OpenStack to pike (devstack All in Single VM using
default local.conf)
<br>
[following this
<a class="moz-txt-link-freetext" href="https://docs.openstack.org/devstack/latest/index.html">https://docs.openstack.org/devstack/latest/index.html</a>]
<br>
- Set prevent_arp_spoofing = False in ml2_config.ini
<br>
- Disable Port Security of the TestNFV
<br>
<br>
+-----------------------+------------------------------------------------------------------------------+
<br>
| Field |
Value
|
<br>
+-----------------------+------------------------------------------------------------------------------+
<br>
| admin_state_up |
UP
|
<br>
| allowed_address_pairs
|
|
<br>
| binding_host_id |
None
|
<br>
| binding_profile |
None
|
<br>
| binding_vif_details |
None
|
<br>
| binding_vif_type |
None
|
<br>
| binding_vnic_type |
normal
|
<br>
| created_at |
2018-01-31T07:50:40Z
|
<br>
| data_plane_status |
None
|
<br>
| description
|
|
<br>
| device_id |
97101c9b-c5ea-47f5-aa50-4a6ffa06c2a2
|
<br>
| device_owner |
compute:nova
|
<br>
| dns_assignment |
None
|
<br>
| dns_name |
None
|
<br>
| extra_dhcp_opts
|
|
<br>
| fixed_ips | ip_address='192.168.120.5',
subnet_id='b88f21e0-55ce-482f-8755-87a431f43e52' |
<br>
| id |
5e97ea14-2555-44fc-bbfa-61877e93ae69
|
<br>
| ip_address |
None
|
<br>
| mac_address |
fa:16:3e:55:80:84
|
<br>
| name
|
|
<br>
| network_id |
67572da9-c1e1-4330-84f6-79b64225c070
|
<br>
| option_name |
None
|
<br>
| option_value |
None
|
<br>
| port_security_enabled |
False
|
<br>
| project_id |
ec8680e914a540e59d9d84dec8101ba5
|
<br>
| qos_policy_id |
None
|
<br>
| revision_number |
56
|
<br>
| security_group_ids
|
|
<br>
| status |
ACTIVE
|
<br>
| subnet_id |
None
|
<br>
| tags
|
|
<br>
| trunk_details |
None
|
<br>
| updated_at |
2018-02-02T13:40:26Z
|
<br>
+-----------------------+------------------------------------------------------------------------------+
<br>
<br>
In this state everything works fine and as expected ... I can ping
from VM1 (192.168.120.10) to Test NVF VM (192.168.120.5) and get a
response ... I have access to the outside world ...
<br>
<br>
BUT
<br>
<br>
As soon as I bring the OVS up inside of the Test NVF ... now as
Volodymyr proposed with a "special patch port"
<br>
<br>
Database config:
<br>
59aca356-8f37-4c6f-8c9a-504c66c65648
<br>
Bridge "OVSbr2"
<br>
Controller "tcp:192.168.53.49:6633"
<br>
is_connected: true
<br>
fail_mode: secure
<br>
Port "OVSbr2-patch"
<br>
Interface "OVSbr2-patch"
<br>
type: patch
<br>
options: {peer="OVSbr1-patch"}
<br>
Port "OVSbr2"
<br>
Interface "OVSbr2"
<br>
type: internal
<br>
Port "ens5"
<br>
Interface "ens5"
<br>
Bridge "OVSbr1"
<br>
Controller "tcp:192.168.53.49:6633"
<br>
is_connected: true
<br>
fail_mode: secure
<br>
Port "OVSbr1"
<br>
Interface "OVSbr1"
<br>
type: internal
<br>
Port "OVSbr1-patch"
<br>
Interface "OVSbr1-patch"
<br>
type: patch
<br>
options: {peer="OVSbr2-patch"}
<br>
Port "ens4"
<br>
Interface "ens4"
<br>
ovs_version: "2.5.2"
<br>
<br>
<br>
the ping stops ... and again with tcpdump I can only see ARP
requests on ens4 but not on the OVSbr1 bridge ...
<br>
<br>
But I see now some LLDP packets on the ens4 and OVSbr1 ....
<br>
<br>
Then I tried following ... I stopped the ping from source to
TestNFVVM
<br>
And start pinging from the TestNFV (192.168.120.5) to the Source
(192.168.120.10)
<br>
Again I didnt get any response ...
<br>
And again looked at the tcpdump of OVSbr1 and ens4 ...
<br>
<br>
tcpdump: verbose output suppressed, use -v or -vv for full
protocol decode
<br>
listening on OVSbr1, link-type EN10MB (Ethernet), capture size
262144 bytes
<br>
13:59:18.245528 IP 192.168.120.5 > 192.168.120.10: ICMP echo
request, id 1839, seq 286, length 64
<br>
13:59:19.253513 IP 192.168.120.5 > 192.168.120.10: ICMP echo
request, id 1839, seq 287, length 64
<br>
13:59:20.261487 IP 192.168.120.5 > 192.168.120.10: ICMP echo
request, id 1839, seq 288, length 64
<br>
13:59:21.269499 IP 192.168.120.5 > 192.168.120.10: ICMP echo
request, id 1839, seq 289, length 64
<br>
13:59:21.680458 LLDP, length 110: openflow:214083694506308
<br>
13:59:22.277524 IP 192.168.120.5 > 192.168.120.10: ICMP echo
request, id 1839, seq 290, length 64
<br>
13:59:23.285531 IP 192.168.120.5 > 192.168.120.10: ICMP echo
request, id 1839, seq 291, length 64
<br>
13:59:24.293631 IP 192.168.120.5 > 192.168.120.10: ICMP echo
request, id 1839, seq 292, length 64
<br>
13:59:25.301529 IP 192.168.120.5 > 192.168.120.10: ICMP echo
request, id 1839, seq 293, length 64
<br>
13:59:26.309588 IP 192.168.120.5 > 192.168.120.10: ICMP echo
request, id 1839, seq 294, length 64
<br>
13:59:26.680238 LLDP, length 110: openflow:214083694506308
<br>
13:59:27.317591 IP 192.168.120.5 > 192.168.120.10: ICMP echo
request, id 1839, seq 295, length 64
<br>
13:59:28.325524 IP 192.168.120.5 > 192.168.120.10: ICMP echo
request, id 1839, seq 296, length 64
<br>
13:59:29.333618 IP 192.168.120.5 > 192.168.120.10: ICMP echo
request, id 1839, seq 297, length 64
<br>
13:59:30.341515 IP 192.168.120.5 > 192.168.120.10: ICMP echo
request, id 1839, seq 298, length 64
<br>
<br>
<br>
<br>
tcpdump: verbose output suppressed, use -v or -vv for full
protocol decode
<br>
listening on ens4, link-type EN10MB (Ethernet), capture size
262144 bytes
<br>
13:59:16.680452 LLDP, length 99: openflow:214083694506308
<br>
13:59:21.680791 LLDP, length 99: openflow:214083694506308
<br>
13:59:26.680532 LLDP, length 99: openflow:214083694506308
<br>
13:59:31.680503 LLDP, length 99: openflow:214083694506308
<br>
13:59:36.680681 LLDP, length 99: openflow:214083694506308
<br>
13:59:41.391777 ARP, Request who-has 192.168.120.10 tell
192.168.120.5, length 28
<br>
13:59:41.392345 ARP, Reply 192.168.120.10 is-at fa:16:3e:84:5c:29
(oui Unknown), length 28
<br>
13:59:41.680626 LLDP, length 99: openflow:214083694506308
<br>
13:59:46.680692 LLDP, length 99: openflow:214083694506308
<br>
<br>
<br>
<br>
This is a bit confusing for me ...
<br>
First why does the echo request only appear on the OVSbr1 bridge
and not also on the ens4 ... is this correct behaviour?
<br>
and second why I got suddenly a ARP reply on ens4 which is indeed
the correct mac of the VM1 interface ...
<br>
and why the LLDP packets shown on both interfaces ...
<br>
<br>
Is now something wrong with the FlowController?
<br>
I use ODL with odl-l2switch-all feature enabled ...
<br>
<br>
puhhh ... what do I miss??? I didn't get this ...
<br>
<br>
Thx a lot Mathias.
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
On 2018-02-01 23:49, Volodymyr Litovka wrote:
<br>
<blockquote type="cite">Hi Mathias,
<br>
<br>
I'm not so fluent with OVS, but I would recommend to join
bridges
<br>
using special "ports" like
<br>
<br>
Port ovsbr1-patch
<br>
Interface ovsbr1-patch
<br>
type: patch
<br>
options: {peer=ovsbr2-patch}
<br>
and vice versa, keeping "native" configuration of "port OVSbr1"
and
<br>
"port OVSbr2"
<br>
<br>
And keep in mind that ARP scope is broadcast domain and, if
using
<br>
just ARP (not routing), from VM1 you will be able to ping hosts,
<br>
belonging to OVSbr1, particularly - OVSbr1's IP.
<br>
<br>
On 2/1/18 4:11 PM, Mathias Strufe (DFKI) wrote:
<br>
<br>
<blockquote type="cite">Dear Benjamin, Volodymyr,
<br>
<br>
good question ;) ... I like to experiment with some kind of
<br>
"Firewall NFV" ... but in the first step, I want to build a
Router
<br>
VM between two networks (and later extend it with some flow
rules)
<br>
... OpenStack, in my case, is more a foundation to build a
"test
<br>
environment" for my "own" application ... please find attached
a
<br>
quick sketch of the current network ...
<br>
I did this already before with iptables inside the middle
instance
<br>
... worked quite well ... but know I like to achieve the same
with
<br>
OVS ...
<br>
I didn't expect that it is so much more difficult ;) ...
<br>
<br>
I'm currently checking Volodymyrs answer ... I think first
point is
<br>
now solved ... I "patched" now OVSbr1 and OVSbr2 inside the VM
<br>
together (see OVpatch file)... but I think this is important
later
<br>
when I really like to ping from VM1 to VM2 ... but in the
moment I
<br>
only ping from VM1 to the TestNFV ... but the arp requests
only
<br>
reaches ens4 but not OVSbr1 (according to tcpdump)...
<br>
<br>
May it have to do with port security and the (for OpenStack)
<br>
unknown MAC address of the OVS bridge?
<br>
<br>
Thanks so far ...
<br>
<br>
Mathias.
<br>
<br>
On 2018-02-01 14:28, Benjamin Diaz wrote:
<br>
Dear Mathias,
<br>
<br>
Could you attach a diagram of your network configuration and
of
<br>
what
<br>
you are trying to achieve?
<br>
Are you trying to install OVS inside a VM? If so, why?
<br>
<br>
Greetings,
<br>
Benjamin
<br>
<br>
On Thu, Feb 1, 2018 at 8:30 AM, Volodymyr Litovka
<a class="moz-txt-link-rfc2396E" href="mailto:doka.ua@gmx.com"><doka.ua@gmx.com></a>
<br>
<br>
wrote:
<br>
<br>
Dear Mathias,
<br>
<br>
if I correctly understand your configuration, you're using
bridges
<br>
inside VM and it configuration looks a bit strange:
<br>
<br>
1) you use two different bridges (OVSbr1/192.168.120.x and
<br>
OVSbr2/192.168.110.x) and there is no patch between them so
they're
<br>
<br>
separate
<br>
2) while ARP requests for address in OVSbr1 arrives from
OVSbr2:
<br>
<br>
18:50:58.080478 ARP, Request who-has 192.168.120.10 tell
<br>
192.168.120.6, length 28
<br>
<br>
but on the OVS bridge nothing arrives ...
<br>
<br>
listening on OVSBR2, link-type EN10MB (Ethernet), capture size
<br>
262144 bytes
<br>
<br>
while these bridges are separate, ARP requests and answers
will not
<br>
<br>
be passed between them.
<br>
<br>
Regarding your devstack configuration - unfortunately, I don't
have
<br>
<br>
experience with devstack, so don't know, where it stores
configs.
<br>
In
<br>
Openstack, ml2_conf.ini points to openvswitch in ml2's
<br>
mechanism_drivers parameter, in my case it looks as the
following:
<br>
<br>
[ml2]
<br>
mechanism_drivers = l2population,openvswitch
<br>
<br>
and rest of openvswitch config described in
<br>
/etc/neutron/plugins/ml2/openvswitch_agent.ini
<br>
<br>
Second - I see an ambiguity in your br-tun configuration,
where
<br>
patch_int is the same as patch-int without corresponding
remote
<br>
peer
<br>
config, probably you should check this issue.
<br>
<br>
And third is - note that Mitaka is quite old release and
probably
<br>
you can give a chance for the latest release of devstack? :-)
<br>
<br>
On 1/31/18 10:49 PM, Mathias Strufe (DFKI) wrote:
<br>
Dear Volodymyr, all,
<br>
<br>
thanks for your fast answer ...
<br>
but I'm still facing the same problem, still can't ping the
<br>
instance with configured and up OVS bridge ... may because I'm
<br>
quite
<br>
new to OpenStack and OpenVswitch and didn't see the problem ;)
<br>
<br>
My setup is devstack Mitaka in single machine config ... first
of
<br>
all I didn't find there the openvswitch_agent.ini anymore, I
<br>
remember in previous version it was in the neutron/plugin
folder
<br>
...
<br>
<br>
Is this config now done in the ml2 config file in the [OVS]
<br>
section????
<br>
<br>
I'm really wondering ...
<br>
so I can ping between the 2 instances without any problem. But
as
<br>
soon I bring up the OVS bridge inside the vm the ARP requests
only
<br>
visible at the ens interface but not reaching the OVSbr ...
<br>
<br>
please find attached two files which may help for
troubleshooting.
<br>
One are some network information from inside the Instance that
runs
<br>
<br>
the OVS and one ovs-vsctl info of the OpenStack Host.
<br>
<br>
If you need more info/logs please let me know! Thanks for your
<br>
help!
<br>
<br>
BR Mathias.
<br>
<br>
On 2018-01-27 22:44, Volodymyr Litovka wrote:
<br>
Hi Mathias,
<br>
<br>
whether you have all corresponding bridges and patches between
<br>
them
<br>
as described in openvswitch_agent.ini using
<br>
<br>
integration_bridge
<br>
tunnel_bridge
<br>
int_peer_patch_port
<br>
tun_peer_patch_port
<br>
bridge_mappings
<br>
<br>
parameters? And make sure, that service "neutron-ovs-cleanup"
is
<br>
in
<br>
use during system boot. You can check these bridges and
patches
<br>
using
<br>
"ovs-vsctl show" command.
<br>
<br>
On 1/27/18 9:00 PM, Mathias Strufe (DFKI) wrote:
<br>
<br>
Dear all,
<br>
<br>
I'm quite new to openstack and like to install openVSwtich
inside
<br>
one Instance of our Mitika openstack Lab Enviornment ...
<br>
But it seems that ARP packets got lost between the network
<br>
interface of the instance and the OVS bridge ...
<br>
<br>
With tcpdump on the interface I see the APR packets ...
<br>
<br>
tcpdump: verbose output suppressed, use -v or -vv for full
protocol
<br>
<br>
<br>
decode
<br>
listening on ens6, link-type EN10MB (Ethernet), capture size
262144
<br>
<br>
<br>
bytes
<br>
18:50:58.080478 ARP, Request who-has 192.168.120.10 tell
<br>
192.168.120.6, length 28
<br>
18:50:58.125009 ARP, Request who-has 192.168.120.1 tell
<br>
192.168.120.6, length 28
<br>
18:50:59.077315 ARP, Request who-has 192.168.120.10 tell
<br>
192.168.120.6, length 28
<br>
18:50:59.121369 ARP, Request who-has 192.168.120.1 tell
<br>
192.168.120.6, length 28
<br>
18:51:00.077327 ARP, Request who-has 192.168.120.10 tell
<br>
192.168.120.6, length 28
<br>
18:51:00.121343 ARP, Request who-has 192.168.120.1 tell
<br>
192.168.120.6, length 28
<br>
<br>
but on the OVS bridge nothing arrives ...
<br>
<br>
tcpdump: verbose output suppressed, use -v or -vv for full
protocol
<br>
<br>
<br>
decode
<br>
listening on OVSbr2, link-type EN10MB (Ethernet), capture size
<br>
262144 bytes
<br>
<br>
I disabled port_security and removed the security group but
nothing
<br>
<br>
<br>
changed
<br>
</blockquote>
<br>
+-----------------------+---------------------------------------------------------------------------------------+
<br>
<br>
<br>
<blockquote type="cite">| Field | Value
<br>
|
<br>
</blockquote>
<br>
+-----------------------+---------------------------------------------------------------------------------------+
<br>
<br>
<br>
<blockquote type="cite">| admin_state_up | True
<br>
|
<br>
| allowed_address_pairs |
<br>
|
<br>
| binding:host_id | node11
<br>
|
<br>
| binding:profile | {}
<br>
|
<br>
| binding:vif_details | {"port_filter": true,
"ovs_hybrid_plug":
<br>
true} |
<br>
| binding:vif_type | ovs
<br>
|
<br>
| binding:vnic_type | normal
<br>
|
<br>
| created_at | 2018-01-27T16:45:48Z
<br>
|
<br>
| description |
<br>
|
<br>
| device_id | 74916967-984c-4617-ae33-b847de73de13
<br>
|
<br>
| device_owner | compute:nova
<br>
|
<br>
| extra_dhcp_opts |
<br>
|
<br>
| fixed_ips | {"subnet_id":
<br>
"525db7ff-2bf2-4c64-b41e-1e41570ec358", "ip_address":
<br>
"192.168.120.10"} |
<br>
| id | 74b754d6-0000-4c2e-bfd1-87f640154ac9
<br>
|
<br>
| mac_address | fa:16:3e:af:90:0c
<br>
|
<br>
| name |
<br>
|
<br>
| network_id | 917254cb-9721-4207-99c5-8ead9f95d186
<br>
|
<br>
| port_security_enabled | False
<br>
|
<br>
| project_id | c48457e73b664147a3d2d36d75dcd155
<br>
|
<br>
| revision_number | 27
<br>
|
<br>
| security_groups |
<br>
|
<br>
| status | ACTIVE
<br>
|
<br>
| tenant_id | c48457e73b664147a3d2d36d75dcd155
<br>
|
<br>
| updated_at | 2018-01-27T18:54:24Z
<br>
|
<br>
</blockquote>
<br>
+-----------------------+---------------------------------------------------------------------------------------+
<br>
<br>
<br>
<blockquote type="cite">maybe the port_filter causes still the
problem? But how to disable
<br>
it?
<br>
<br>
Any other idea?
<br>
<br>
Thanks and BR Mathias.
<br>
<br>
_______________________________________________
<br>
Mailing list:
<br>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
[1]
<br>
[1]
<br>
[1]
<br>
Post to : <a class="moz-txt-link-abbreviated" href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>
<br>
Unsubscribe :
<br>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
[1]
<br>
[1]
<br>
[1]
<br>
<br>
--
<br>
Volodymyr Litovka
<br>
"Vision without Execution is Hallucination." -- Thomas Edison
<br>
<br>
Links:
<br>
------
<br>
[1]
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
<br>
[1]
<br>
[1]
<br>
</blockquote>
<br>
--
<br>
Volodymyr Litovka
<br>
"Vision without Execution is Hallucination." -- Thomas Edison
<br>
<br>
_______________________________________________
<br>
Mailing list:
<br>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
[1] [1]
<br>
<br>
Post to : <a class="moz-txt-link-abbreviated" href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>
<br>
Unsubscribe :
<br>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
[1] [1]
<br>
<br>
<br>
--
<br>
<br>
BENJAMÍN DÍAZ
<br>
Cloud Computing Engineer
<br>
<br>
<a class="moz-txt-link-abbreviated" href="mailto:bdiaz@whitestack.com">bdiaz@whitestack.com</a>
<br>
<br>
Links:
<br>
------
<br>
[1]
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
[1]
<br>
<br>
<br>
--
<br>
Volodymyr Litovka
<br>
"Vision without Execution is Hallucination." -- Thomas Edison
<br>
<br>
<br>
Links:
<br>
------
<br>
[1]
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
<br>
</blockquote>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison</pre>
</body>
</html>