<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Hi Mathias,<br>
    <br>
    I'm not so fluent with OVS, but I would recommend joining the bridges
    using special "ports" like<br>
    <pre wrap="">Port ovsbr1-patch
    Interface ovsbr1-patch
        type: patch
        options: {peer=ovsbr2-patch}</pre>
    and vice versa, keeping the "native" configuration of "port OVSbr1" and
    "port OVSbr2".<br>
    <br>
    And keep in mind that the scope of ARP is the broadcast domain and, if using
    just ARP (not routing), from VM1 you will be able to ping hosts
    belonging to OVSbr1, in particular OVSbr1's IP.<br>
    <br>
    <div class="moz-cite-prefix">On 2/1/18 4:11 PM, Mathias Strufe
      (DFKI) wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:1b307fff14ee05267a5dad10216c3d04@projects.dfki.uni-kl.de">Dear
      Benjamin, Volodymyr,
      <br>
      <br>
      good question ;) ... I like to experiment with some kind of
      "Firewall NFV" ... but in the first step, I want to build a Router
      VM between two networks (and later extend it with some flow rules)
      ... OpenStack, in my case, is more a foundation to build a "test
      environment" for my "own" application ... please find attached a
      quick sketch of the current network ...
      <br>
      I did this already before with iptables inside the middle instance
      ... worked quite well ... but now I like to achieve the same with
      OVS ...
      <br>
      I didn't expect that it is so much more difficult ;) ...
      <br>
      <br>
      I'm currently checking Volodymyr's answer ... I think first point
      is now solved ... I "patched" now OVSbr1 and OVSbr2 inside the VM
      together (see OVpatch file)... but I think this is important later
      when I really like to ping from VM1 to VM2 ... but at the moment I
      only ping from VM1 to the TestNFV ... but the ARP requests only
      reach ens4 but not OVSbr1 (according to tcpdump)...
      <br>
      <br>
      May it have to do with port security and the (for OpenStack)
      unknown MAC address of the OVS bridge?
      <br>
      <br>
      Thanks so far ...
      <br>
      <br>
      Mathias.
      <br>
      <br>
      <br>
      <br>
      <br>
      <br>
      On 2018-02-01 14:28, Benjamin Diaz wrote:
      <br>
      <blockquote type="cite">Dear Mathias,
        <br>
        <br>
        Could you attach a diagram of your network configuration and of
        what
        <br>
        you are trying to achieve?
        <br>
        Are you trying to install OVS inside a VM? If so, why?
        <br>
        <br>
        Greetings,
        <br>
        Benjamin
        <br>
        <br>
        On Thu, Feb 1, 2018 at 8:30 AM, Volodymyr Litovka
        <a class="moz-txt-link-rfc2396E" href="mailto:doka.ua@gmx.com">&lt;doka.ua@gmx.com&gt;</a>
        wrote:
        <br>
        <br>
        <blockquote type="cite">Dear Mathias,
          <br>
          <br>
          if I correctly understand your configuration, you're using
          bridges inside VM and its configuration looks a bit strange:
          <br>
          <br>
          1) you use two different bridges (OVSbr1/192.168.120.x and
          <br>
          OVSbr2/192.168.110.x) and there is no patch between them so
          they're
          <br>
          separate
          <br>
          2) while ARP requests for address in OVSbr1 arrive from
          OVSbr2:
          <br>
          <br>
          <blockquote type="cite">18:50:58.080478 ARP, Request who-has
            192.168.120.10 tell 192.168.120.6, length 28
            <br>
            <br>
            but on the OVS bridge nothing arrives ...
            <br>
            <br>
            listening on OVSBR2, link-type EN10MB (Ethernet), capture
            size 262144 bytes
            <br>
          </blockquote>
          <br>
          while these bridges are separate, ARP requests and answers
          will not
          <br>
          be passed between them.
          <br>
          <br>
          Regarding your devstack configuration - unfortunately, I don't
          have
          <br>
          experience with devstack, so don't know, where it stores
          configs. In
          <br>
          Openstack, ml2_conf.ini points to openvswitch in ml2's
          <br>
          mechanism_drivers parameter, in my case it looks as the
          following:
          <br>
          <br>
          [ml2]
          <br>
          mechanism_drivers = l2population,openvswitch
          <br>
          <br>
          and rest of openvswitch config described in
          <br>
          /etc/neutron/plugins/ml2/openvswitch_agent.ini
          <br>
          <br>
          Second - I see an ambiguity in your br-tun configuration,
          where
          <br>
          patch_int is the same as patch-int without corresponding
          remote peer
          <br>
          config, probably you should check this issue.
          <br>
          <br>
          And third is - note that Mitaka is quite an old release and
          probably you can give a chance for the latest release of
          devstack? :-)
          <br>
          <br>
          On 1/31/18 10:49 PM, Mathias Strufe (DFKI) wrote:
          <br>
          Dear Volodymyr, all,
          <br>
          <br>
          thanks for your fast answer ...
          <br>
          but I'm still facing the same problem, still can't ping the
          instance with configured and up OVS bridge ... maybe because I'm
          quite new to OpenStack and OpenVswitch and didn't see the
          problem ;)
          <br>
          <br>
          My setup is devstack Mitaka in single machine config ... first
          of
          <br>
          all I didn't find there the openvswitch_agent.ini anymore, I
          <br>
          remember in previous version it was in the neutron/plugin
          folder ...
          <br>
          <br>
          Is this config now done in the ml2 config file in the [OVS]
          <br>
          section????
          <br>
          <br>
          I'm really wondering ...
          <br>
          so I can ping between the 2 instances without any problem. But
          as soon as I bring up the OVS bridge inside the vm the ARP
          requests are only visible at the ens interface but not reaching
          the OVSbr ...
          <br>
          <br>
          please find attached two files which may help for
          troubleshooting.
          <br>
          One is some network information from inside the Instance that
          runs the OVS and one ovs-vsctl info of the OpenStack Host.
          <br>
          <br>
          If you need more info/logs please let me know! Thanks for your
          <br>
          help!
          <br>
          <br>
          BR Mathias.
          <br>
          <br>
          On 2018-01-27 22:44, Volodymyr Litovka wrote:
          <br>
          Hi Mathias,
          <br>
          <br>
          whether you have all corresponding bridges and patches between
          them as described in openvswitch_agent.ini using
          <br>
          <br>
          integration_bridge
          <br>
          tunnel_bridge
          <br>
          int_peer_patch_port
          <br>
          tun_peer_patch_port
          <br>
          bridge_mappings
          <br>
          <br>
          parameters? And make sure, that service "neutron-ovs-cleanup"
          is in use during system boot. You can check these bridges and
          patches using "ovs-vsctl show" command.
          <br>
          <br>
          On 1/27/18 9:00 PM, Mathias Strufe (DFKI) wrote:
          <br>
          <br>
          Dear all,
          <br>
          <br>
          I'm quite new to openstack and like to install openVSwitch
          inside one Instance of our Mitaka openstack Lab Environment ...
          <br>
          But it seems that ARP packets got lost between the network
          <br>
          interface of the instance and the OVS bridge ...
          <br>
          <br>
          With tcpdump on the interface I see the ARP packets ...
          <br>
          <br>
          tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
          <br>
          listening on ens6, link-type EN10MB (Ethernet), capture size 262144 bytes
          <br>
          18:50:58.080478 ARP, Request who-has 192.168.120.10 tell 192.168.120.6, length 28
          <br>
          18:50:58.125009 ARP, Request who-has 192.168.120.1 tell 192.168.120.6, length 28
          <br>
          18:50:59.077315 ARP, Request who-has 192.168.120.10 tell 192.168.120.6, length 28
          <br>
          18:50:59.121369 ARP, Request who-has 192.168.120.1 tell 192.168.120.6, length 28
          <br>
          18:51:00.077327 ARP, Request who-has 192.168.120.10 tell 192.168.120.6, length 28
          <br>
          18:51:00.121343 ARP, Request who-has 192.168.120.1 tell 192.168.120.6, length 28
          <br>
          <br>
          but on the OVS bridge nothing arrives ...
          <br>
          <br>
          tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
          <br>
          listening on OVSbr2, link-type EN10MB (Ethernet), capture size 262144 bytes
          <br>
          <br>
          I disabled port_security and removed the security group but
          nothing changed
          <br>
          <br>
          <br>
        </blockquote>
        <blockquote type="cite">
          <pre wrap="">+-----------------------+---------------------------------------------------------------------------------------+
| Field                 | Value                                                                                 |
+-----------------------+---------------------------------------------------------------------------------------+
| admin_state_up        | True                                                                                  |
| allowed_address_pairs |                                                                                       |
| binding:host_id       | node11                                                                                |
| binding:profile       | {}                                                                                    |
| binding:vif_details   | {"port_filter": true, "ovs_hybrid_plug": true}                                        |
| binding:vif_type      | ovs                                                                                   |
| binding:vnic_type     | normal                                                                                |
| created_at            | 2018-01-27T16:45:48Z                                                                  |
| description           |                                                                                       |
| device_id             | 74916967-984c-4617-ae33-b847de73de13                                                  |
| device_owner          | compute:nova                                                                          |
| extra_dhcp_opts       |                                                                                       |
| fixed_ips             | {"subnet_id": "525db7ff-2bf2-4c64-b41e-1e41570ec358", "ip_address": "192.168.120.10"} |
| id                    | 74b754d6-0000-4c2e-bfd1-87f640154ac9                                                  |
| mac_address           | fa:16:3e:af:90:0c                                                                     |
| name                  |                                                                                       |
| network_id            | 917254cb-9721-4207-99c5-8ead9f95d186                                                  |
| port_security_enabled | False                                                                                 |
| project_id            | c48457e73b664147a3d2d36d75dcd155                                                      |
| revision_number       | 27                                                                                    |
| security_groups       |                                                                                       |
| status                | ACTIVE                                                                                |
| tenant_id             | c48457e73b664147a3d2d36d75dcd155                                                      |
| updated_at            | 2018-01-27T18:54:24Z                                                                  |
+-----------------------+---------------------------------------------------------------------------------------+</pre>
        </blockquote>
        <br>
        <blockquote type="cite">
          <br>
          <br>
          maybe the port_filter still causes the problem? But how to
          disable it?
          <br>
          <br>
          Any other idea?
          <br>
          <br>
          Thanks and BR Mathias.
          <br>
          <br>
          _______________________________________________
          <br>
          Mailing list:
          <br>
          <a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
          [1]
          <br>
          [1]
          <br>
          Post to : <a class="moz-txt-link-abbreviated" href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>
          <br>
          Unsubscribe :
          <br>
          <a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
          [1]
          <br>
          [1]
          <br>
          <br>
          --
          <br>
          Volodymyr Litovka
          <br>
          "Vision without Execution is Hallucination." -- Thomas Edison
          <br>
          <br>
          Links:
          <br>
          ------
          <br>
          [1]
          <a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
          <br>
          [1]
          <br>
        </blockquote>
        <br>
        <br>
        --
        <br>
        <br>
        BENJAMÍN DÍAZ
        <br>
        Cloud Computing Engineer
        <br>
        <br>
         <a class="moz-txt-link-abbreviated" href="mailto:bdiaz@whitestack.com">bdiaz@whitestack.com</a>
        <br>
        <br>
        <br>
      </blockquote>
      <br>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Volodymyr Litovka
  "Vision without Execution is Hallucination." -- Thomas Edison</pre>
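    <br>
    Added example, not part of the original messages and not Open vSwitch code: a small Python check for the patch-port pairing discussed in this thread, reporting any patch port whose peer is unset, missing, or does not point back. It reads text in the layout of "ovs-vsctl show"; the sample input (including the br-tun port whose peer is absent) is constructed for illustration, and the function names are hypothetical.
    <br>

```python
import re

# Constructed sample in the layout of "ovs-vsctl show" (not the thread's attachment).
SAMPLE_SHOW = """\
    Bridge OVSbr1
        Port ovsbr1-patch
            Interface ovsbr1-patch
                type: patch
                options: {peer=ovsbr2-patch}
    Bridge OVSbr2
        Port ovsbr2-patch
            Interface ovsbr2-patch
                type: patch
                options: {peer=ovsbr1-patch}
    Bridge br-tun
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}
"""

def parse_patch_ports(show_text):
    """Return {interface: (bridge, peer)} for every interface of type patch."""
    ifaces, bridge, cur = {}, None, None
    for raw in show_text.splitlines():
        line = raw.strip().replace('"', "")  # some OVS releases quote names
        if line.startswith("Bridge "):
            bridge, cur = line.split(None, 1)[1], None
        elif line.startswith("Interface "):
            cur = ifaces.setdefault(line.split(None, 1)[1], {"bridge": bridge})
        elif cur is not None and line.startswith("type:"):
            cur["type"] = line.split(":", 1)[1].strip()
        elif cur is not None and line.startswith("options:"):
            m = re.search(r"peer=([^,}\s]+)", line)
            cur["peer"] = m.group(1) if m else None
    return {n: (a["bridge"], a.get("peer"))
            for n, a in ifaces.items() if a.get("type") == "patch"}

def check_patch_peers(show_text):
    """Report patch ports whose peer is unset, absent, or not pointing back."""
    patches, problems = parse_patch_ports(show_text), []
    for iface, (bridge, peer) in sorted(patches.items()):
        if peer is None:
            problems.append(f"{bridge}/{iface}: no peer option set")
        elif peer not in patches:
            problems.append(f"{bridge}/{iface}: peer {peer} does not exist")
        elif patches[peer][1] != iface:
            problems.append(f"{bridge}/{iface}: peer {peer} points to {patches[peer][1]}")
    return problems
```

    An empty list from check_patch_peers means every patch port has a reciprocal peer, which is the precondition for frames to cross between the two bridges.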
  </body>
</html>