[openstack-dev] OpenStack-dev Digest, Vol 55, Issue 6
Farhad Sunavala
fsbiz at yahoo.com
Wed Nov 2 16:53:20 UTC 2016
If packets are making it to the SF but not making it out, it means the SFC has done its part. Things to check.
1. Check that the SF VM has routing enabled
root at fs-10-145-106-2:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
2. Check the security group settings for the SF VM.
3. Is port security enabled? If so, you probably need it disabled for the SF VM.
Farhad.
Message: 5
Date: Wed, 2 Nov 2016 13:40:21 +0100
From: Alioune <balioune3 at gmail.com>
To: "OpenStack Development Mailing List (not for usage questions)"
<openstack-dev at lists.openstack.org>
Subject: Re: [openstack-dev] [networking-sfc][devstack][mitaka] Chain
doesn't work
Message-ID:
<CALVLy2cZpOhQ4wPsUULGBK_MgNDcQySG69J2YKEuzpzJJgh8_A at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Any suggestions?
On Monday, 24 October 2016, Alioune <balioune3 at gmail.com> wrote:
> Hi all,
>
> I'm trying to implement a service chain in OpenStack using networking-sfc
> (stable/mitaka) and OVS 2.5.90.
>
>
> The following is the architecture I used:
>
>    SRC                DST
>     |                  |
> ========== br-int ============
>              |
>             SF1
> SF1: 55.55.55.3
> SRC: 55.55.55.4
> DST: 55.55.55.5
>
> I can create port-pairs, port-pair-group, classifier and chain with these
> commands:
>
> neutron flow-classifier-create --ethertype IPv4 --source-ip-prefix 55.55.55.4/32 --logical-source-port 0009034f-4c39-4cbf-be7d-fcf82dad024c --protocol icmp FC1
> neutron port-pair-create --ingress=p1 --egress=p1 PP1
> neutron port-pair-group-create --port-pair PP1 PG1
> neutron port-chain-create --port-pair-group PG1 --flow-classifier FC1 PC1
>
> I could ping from SRC to DST before setting the chain, but after creating
> the chain, ping doesn't work.
>
> ICMP echo request packets arrive at the SF1 port, but it doesn't send the
> packets back so that they can reach their destination DST (see output
> below).
>
> The Opendaylight/SFC project uses NSH-aware service functions (SFs) that
> send packets back to the chain after analyzing them. I would like to know:
>
> - How does networking-sfc configure the SF to send packets back to the
> chain, as seen in some of your presentations?
> - What's wrong with my configuration (see commands and ovs-ofctl output
> below)? I've followed the main steps described in your wiki page.
>
> Best Regards,
>
>
> vagrant at vagrant-ubuntu-trusty-64:~$ neutron port-list
> +--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+
> | id                                   | name | mac_address       | fixed_ips                                                                            |
> +--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+
> | 0009034f-4c39-4cbf-be7d-fcf82dad024c |      | fa:16:3e:dd:16:f7 | {"subnet_id": "8bf8a2e1-ecad-4b4b-beb1-d760a16667bc", "ip_address": "55.55.55.4"}    |
> | 082e896d-5982-458c-96e7-0dd372d3d7d9 | p1   | fa:16:3e:90:b4:67 | {"subnet_id": "8bf8a2e1-ecad-4b4b-beb1-d760a16667bc", "ip_address": "55.55.55.3"}    |
> | 2ad109e4-42a8-4554-b884-a32344e91036 |      | fa:16:3e:74:9a:fa | {"subnet_id": "3cf6eb27-7258-4252-8f3d-b6f9d27c948b", "ip_address": "192.168.105.2"} |
> | 51f055c0-ff4d-47f4-9328-9a0d7ca204f3 |      | fa:16:3e:da:f9:93 | {"subnet_id": "8bf8a2e1-ecad-4b4b-beb1-d760a16667bc", "ip_address": "55.55.55.1"}    |
> | 656ad901-2bc0-407a-a581-da955ecf3b59 |      | fa:16:3e:7f:44:01 | {"subnet_id": "8bf8a2e1-ecad-4b4b-beb1-d760a16667bc", "ip_address": "55.55.55.2"}    |
> | b1d14a4f-cde6-4c44-b42e-0f0466dba32a |      | fa:16:3e:a6:c6:35 | {"subnet_id": "8bf8a2e1-ecad-4b4b-beb1-d760a16667bc", "ip_address": "55.55.55.5"}    |
> +--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+
>
> vagrant at vagrant-ubuntu-trusty-64:~$ ifconfig |grep 082e896d
> qbr082e896d-59 Link encap:Ethernet HWaddr b6:96:27:fa:ab:af
> qvb082e896d-59 Link encap:Ethernet HWaddr b6:96:27:fa:ab:af
> qvo082e896d-59 Link encap:Ethernet HWaddr 7e:1a:7b:7d:09:df
> tap082e896d-59 Link encap:Ethernet HWaddr fe:16:3e:90:b4:67
>
> vagrant at vagrant-ubuntu-trusty-64:~$ sudo tcpdump -i tap082e896d-59 icmp
> tcpdump: WARNING: tap082e896d-59: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on tap082e896d-59, link-type EN10MB (Ethernet), capture size
> 65535 bytes
> 10:51:10.229674 IP 55.55.55.4 > 55.55.55.5: ICMP echo request, id 15617,
> seq 61, length 64
> 10:51:11.230318 IP 55.55.55.4 > 55.55.55.5: ICMP echo request, id 15617,
> seq 62, length 64
> 10:51:12.233451 IP 55.55.55.4 > 55.55.55.5: ICMP echo request, id 15617,
> seq 63, length 64
> 10:51:13.234496 IP 55.55.55.4 > 55.55.55.5: ICMP echo request, id 15617,
> seq 64, length 64
> 10:51:14.235583 IP 55.55.55.4 > 55.55.55.5: ICMP echo request, id 15617,
> seq 65, length 64
> 10:51:15.236585 IP 55.55.55.4 > 55.55.55.5: ICMP echo request, id 15617,
> seq 66, length 64
> 10:51:16.237568 IP 55.55.55.4 > 55.55.55.5: ICMP echo request, id 15617,
> seq 67, length 64
> 10:51:17.238974 IP 55.55.55.4 > 55.55.55.5: ICMP echo request, id 15617,
> seq 68, length 64
> 10:51:18.244244 IP 55.55.55.4 > 55.55.55.5: ICMP echo request, id 15617,
> seq 69, length 64
> 10:51:19.245758 IP 55.55.55.4 > 55.55.55.5: ICMP echo request, id 15617,
> seq 70, length 64
> 10:51:20.246521 IP 55.55.55.4 > 55.55.55.5: ICMP echo request, id 15617,
> seq 71, length 64
>
>
>
> vagrant at vagrant-ubuntu-trusty-64:~/openstack_networking/simple-sf$ sudo
> ovs-ofctl dump-flows br-int -O OpenFlow13
>
> 2016-10-24T11:28:43Z|00001|ofp_actions|INFO|OFPAT_SET_MPLS_TTL is
> deprecated in OpenFlow13 (use Set-Field)
> OFPST_FLOW reply (OF1.3) (xid=0x2):
> cookie=0xbbf3cb977f3738c7, duration=2418.957s, table=0, n_packets=2297,
> n_bytes=225106, priority=30,icmp,in_port=5,nw_src=55.55.55.4
> actions=group:1
> cookie=0xbbf3cb977f3738c7, duration=2418.955s, table=0, n_packets=0,
> n_bytes=0, priority=30,icmp,in_port=4,nw_src=55.55.55.4 actions=NORMAL
> cookie=0xbbf3cb977f3738c7, duration=8868.309s, table=0, n_packets=0,
> n_bytes=0, priority=20,mpls actions=resubmit(,10)
> cookie=0xbbf3cb977f3738c7, duration=2882.723s, table=0, n_packets=0,
> n_bytes=0, priority=10,icmp6,in_port=5,icmp_type=136 actions=resubmit(,24)
> cookie=0xbbf3cb977f3738c7, duration=2866.752s, table=0, n_packets=0,
> n_bytes=0, priority=10,icmp6,in_port=6,icmp_type=136 actions=resubmit(,24)
> cookie=0xbbf3cb977f3738c7, duration=2650.698s, table=0, n_packets=0,
> n_bytes=0, priority=10,icmp6,in_port=4,icmp_type=136 actions=resubmit(,24)
> cookie=0xbbf3cb977f3738c7, duration=2882.708s, table=0, n_packets=71,
> n_bytes=2982, priority=10,arp,in_port=5 actions=resubmit(,24)
> cookie=0xbbf3cb977f3738c7, duration=2866.738s, table=0, n_packets=70,
> n_bytes=2940, priority=10,arp,in_port=6 actions=resubmit(,24)
> cookie=0xbbf3cb977f3738c7, duration=2650.684s, table=0, n_packets=4,
> n_bytes=168, priority=10,arp,in_port=4 actions=resubmit(,24)
> cookie=0xbbf3cb977f3738c7, duration=2882.737s, table=0, n_packets=70,
> n_bytes=8378, priority=9,in_port=5 actions=resubmit(,25)
> cookie=0xbbf3cb977f3738c7, duration=2866.767s, table=0, n_packets=22,
> n_bytes=2332, priority=9,in_port=6 actions=resubmit(,25)
> cookie=0xbbf3cb977f3738c7, duration=2650.715s, table=0, n_packets=15,
> n_bytes=1724, priority=9,in_port=4 actions=resubmit(,25)
> cookie=0xbbf3cb977f3738c7, duration=8868.755s, table=0, n_packets=163,
> n_bytes=18908, priority=0 actions=NORMAL
> cookie=0xbbf3cb977f3738c7, duration=2419.054s, table=5, n_packets=2297,
> n_bytes=225106, priority=0,ip,dl_dst=fa:16:3e:90:b4:67
> actions=push_mpls:0x8847,set_field:511->mpls_label,set_
> mpls_ttl(255),push_vlan:0x8100,set_field:4097->vlan_vid,resubmit(,10)
> cookie=0xbbf3cb977f3738c7, duration=2418.916s, table=10, n_packets=2297,
> n_bytes=225106, priority=1,mpls,dl_vlan=1,dl_dst=fa:16:3e:90:b4:67,mpls_label=511
> actions=pop_vlan,pop_mpls:0x0800,output:4
> cookie=0xbbf3cb977f3738c7, duration=8868.303s, table=10, n_packets=0,
> n_bytes=0, priority=0 actions=drop
> cookie=0xbbf3cb977f3738c7, duration=8868.749s, table=23, n_packets=0,
> n_bytes=0, priority=0 actions=drop
> cookie=0xbbf3cb977f3738c7, duration=2882.730s, table=24, n_packets=0,
> n_bytes=0, priority=2,icmp6,in_port=5,icmp_type=136,nd_target=fe80::f816:3eff:fedd:16f7
> actions=NORMAL
> cookie=0xbbf3cb977f3738c7, duration=2866.760s, table=24, n_packets=0,
> n_bytes=0, priority=2,icmp6,in_port=6,icmp_type=136,nd_target=fe80::f816:3eff:fea6:c635
> actions=NORMAL
> cookie=0xbbf3cb977f3738c7, duration=2650.708s, table=24, n_packets=0,
> n_bytes=0, priority=2,icmp6,in_port=4,icmp_type=136,nd_target=fe80::f816:3eff:fe90:b467
> actions=NORMAL
> cookie=0xbbf3cb977f3738c7, duration=2882.715s, table=24, n_packets=68,
> n_bytes=2856, priority=2,arp,in_port=5,arp_spa=55.55.55.4
> actions=resubmit(,25)
> cookie=0xbbf3cb977f3738c7, duration=2866.743s, table=24, n_packets=67,
> n_bytes=2814, priority=2,arp,in_port=6,arp_spa=55.55.55.5
> actions=resubmit(,25)
> cookie=0xbbf3cb977f3738c7, duration=2650.690s, table=24, n_packets=1,
> n_bytes=42, priority=2,arp,in_port=4,arp_spa=55.55.55.3
> actions=resubmit(,25)
> cookie=0xbbf3cb977f3738c7, duration=8868.743s, table=24, n_packets=0,
> n_bytes=0, priority=0 actions=drop
> cookie=0xbbf3cb977f3738c7, duration=2882.753s, table=25, n_packets=138,
> n_bytes=11130, priority=2,in_port=5,dl_src=fa:16:3e:dd:16:f7
> actions=NORMAL
> cookie=0xbbf3cb977f3738c7, duration=2866.783s, table=25, n_packets=87,
> n_bytes=4882, priority=2,in_port=6,dl_src=fa:16:3e:a6:c6:35 actions=NORMAL
> cookie=0xbbf3cb977f3738c7, duration=2650.730s, table=25, n_packets=14,
> n_bytes=1502, priority=2,in_port=4,dl_src=fa:16:3e:90:b4:67 actions=NORMAL
>
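
The flow counters in the dump above can be read mechanically to separate "the chain is not steering traffic" from "the SF is not forwarding it". The script below is an added example, not part of the original thread and not networking-sfc code. It assumes OpenFlow port 4 is the SF port p1 (the port used by output:4 and by the in_port=4 flows carrying p1's MAC in the dump) and that the four sample lines are enough to show the check.

```python
import re

# Constructed sample: four flows from the ovs-ofctl dump quoted above,
# re-joined onto single lines (the e-mail wrapped them).
SAMPLE_DUMP = """\
 cookie=0xbbf3cb977f3738c7, duration=2418.957s, table=0, n_packets=2297, n_bytes=225106, priority=30,icmp,in_port=5,nw_src=55.55.55.4 actions=group:1
 cookie=0xbbf3cb977f3738c7, duration=2418.955s, table=0, n_packets=0, n_bytes=0, priority=30,icmp,in_port=4,nw_src=55.55.55.4 actions=NORMAL
 cookie=0xbbf3cb977f3738c7, duration=2419.054s, table=5, n_packets=2297, n_bytes=225106, priority=0,ip,dl_dst=fa:16:3e:90:b4:67 actions=push_mpls:0x8847,set_field:511->mpls_label,set_mpls_ttl(255),push_vlan:0x8100,set_field:4097->vlan_vid,resubmit(,10)
 cookie=0xbbf3cb977f3738c7, duration=2418.916s, table=10, n_packets=2297, n_bytes=225106, priority=1,mpls,dl_vlan=1,dl_dst=fa:16:3e:90:b4:67,mpls_label=511 actions=pop_vlan,pop_mpls:0x0800,output:4
"""

# Captures table, packet counter, match fields and action list of one flow line.
FLOW_RE = re.compile(r"table=(\d+), n_packets=(\d+),.* (\S+) actions=(\S+)")


def parse_flows(dump):
    """Return one dict per flow line; header and log lines are skipped."""
    flows = []
    for line in dump.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        table, pkts, match, actions = m.groups()
        # "icmp" style flags become keys with an empty value.
        fields = dict(f.partition("=")[::2] for f in match.split(","))
        flows.append({"table": int(table), "n_packets": int(pkts),
                      "match": fields, "actions": actions.split(",")})
    return flows


def sf_counters(flows, sf_port, classifier_src):
    """Packets output to the SF port vs. classified packets received from it."""
    to_sf = sum(f["n_packets"] for f in flows
                if f"output:{sf_port}" in f["actions"])
    from_sf = sum(f["n_packets"] for f in flows
                  if f["table"] == 0
                  and f["match"].get("in_port") == str(sf_port)
                  and f["match"].get("nw_src") == classifier_src)
    return to_sf, from_sf


def diagnose(dump, sf_port, classifier_src):
    to_sf, from_sf = sf_counters(parse_flows(dump), sf_port, classifier_src)
    if to_sf == 0:
        return "chain: no packets were steered to the SF port"
    if from_sf == 0:
        return "SF: packets delivered but none returned; check ip_forward, security groups, port security"
    return "ok: SF is returning classified traffic"


if __name__ == "__main__":
    print(diagnose(SAMPLE_DUMP, sf_port=4, classifier_src="55.55.55.4"))
```

On the sample, 2297 packets were output to port 4 and none came back in on it, which matches the tcpdump capture on the tap interface showing only echo requests.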