[Openstack] Please help!!!!Openvswitch attacked by ICMP!!!!!!!

Sam Stoelinga sammiestoel at gmail.com
Fri Sep 18 04:21:45 UTC 2015


You should not use DHCP on br-ex. OpenStack will set up the IP for you when
you create the neutron provider network and neutron router. I am on the
same campus as you and can show you how to set up the network later face to
face if you want.

The following document will be helpful for understanding this scenario:
http://docs.openstack.org/networking-guide/scenario_provider_ovs.html

Sam
On Sep 18, 2015 10:27 AM, "applyhhj" <applyhhj at 163.com> wrote:

> Thank you for your reply. One more thing, I actually use "dhclient br-ex"
> to get an IP from the DHCP server of our campus network. Is it OK to do so?
> Because some people think I should not assign an IP to the br-ex bridge. But
> in this case, the whole OpenStack network is not able to access the
> outside internet.
>
> Regards
> hjh
>
> 2015-09-18
> ------------------------------
> applyhhj
> ------------------------------
> *From:* Erdősi Péter <fazy at niif.hu>
> *Sent:* 2015-09-18 02:05
> *Subject:* Re: [Openstack] Please help!!!!Openvswitch attacked by ICMP!!!!!!!
> *To:* "applyhhj"<applyhhj at 163.com>, "openstack"<
> openstack at lists.openstack.org>
> *Cc:*
>
> On 2015.09.17. 17:55, applyhhj wrote:
>
> I am using ubuntu 15.04 and I am following Guidance for ubuntu 14.04.
> Configuration for eth2 is:
>
> # external network interface
> auto eth2
> iface eth2 inet manual
>         up ip link set dev $IFACE up
>         down ip link set dev $IFACE down
> By the way there is no IP on eth2 after bridging it to br-ex.
>
> It's totally normal... you do not need an IP on br-ex, or eth2...
> Try to imagine this:
>
> You have a (virtual) switch, and you have ports on that...
> Your goal is to give internet access to machines which are "plugged" into
> these ports on the switch...
>
> In real life, you have to use an "uplink" port, where packets go
> when the other machine is not directly connected to the switch...
>
> The eth2 - br-ex situation is all the same... You have a switch, and your
> uplink connection will be the eth2 interface, the port is the br-ex, and you
> put them together, which does not require any layer 3 setup, only the L2...
> (port is up, and capable of forwarding ethernet frames)
> That's why you only bring up the interface without an IP address, because
> nobody ever needs a direct connection from eth2 to the neutron host (you
> possibly have a management network for that)
>
> Overall, I think your configuration is good with eth2 and br-ex, without
> IP...
>
> If I were you, I would start by checking traffic on all interfaces (on the
> network node, and the qrouters also) and figure out where these packets come
> from, and what they want to reach... (not based on IP, only follow the ICMP
> traffic path with tcpdump)
>
> For example:
> If your packets go from/to the Internet from/to any VM, you must see traffic
> on eth2 and br-ex, and that traffic can also be found in one of the
> qrouters, and somewhere between the compute and neutron nodes (based on
> the isolation you chose before)
>
> Start a few tcpdumps, and track it down :)
>
> Regards,
>  Peter
>
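
An added example, not part of any message in this thread: a shell check for the point made above that eth2 and br-ex are L2-only and need no IP address. It parses `ip -o -4 addr show` output and reports any IPv4 address on those interfaces; the function names and the sample output (with documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Interfaces that should be L2-only on the network node (names from the thread).
UPLINK_IFACES="eth2 br-ex"

# Read `ip -o -4 addr show` output on stdin. For every uplink interface that
# carries an IPv4 address, print "<iface> <addr/prefix> <dynamic|static>".
# "dynamic" is the flag iproute2 shows for an address with a limited lifetime,
# which is typically how a lease obtained by `dhclient br-ex` appears.
uplinks_with_ipv4() {
    awk -v want="$UPLINK_IFACES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) uplink[w[i]] = 1 }
        # One-line format: "<index>: <ifname> inet <addr>/<prefix> ..."
        $3 == "inet" && ($2 in uplink) {
            kind = "static"
            for (i = 5; i <= NF; i++) if ($i == "dynamic") kind = "dynamic"
            print $2, $4, kind
        }
    '
}

# Constructed sample of `ip -o -4 addr show` on a network node where
# `dhclient br-ex` was run. eth2 has no IPv4 address, so it is not listed.
sample_addr_output() {
    cat <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.0.21/24 brd 10.0.0.255 scope global eth0\       valid_lft forever preferred_lft forever
6: br-ex    inet 192.0.2.57/24 brd 192.0.2.255 scope global dynamic br-ex\       valid_lft 86000sec preferred_lft 86000sec
EOF
}

# Offline demo on the constructed sample. On a live node run instead:
#   ip -o -4 addr show | uplinks_with_ipv4
findings=$(sample_addr_output | uplinks_with_ipv4)
if [ -n "$findings" ]; then
    echo "IPv4 address found on an L2-only uplink interface:"
    echo "$findings"
fi
```

An empty result means neither interface holds an IPv4 address in the root namespace, which is the state both replies describe as correct.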