Mailing List Archive

Re: [netvirt-dev] VM as a router with ODL/OpenStack
Hi Aswin

From an “ovs-dpctl dump-flows” I see this:

recirc_id(0),in_port(5),eth(src=a0:36:9f:f6:f9:98,dst=fa:16:3e:f1:8e:3d),eth_type(0x0800),ipv4(src=16.0.0.0/240.0.0.0,dst=48.0.0.0/255.0.0.0,frag=no), packets:1438, bytes:105356, used:0.005s, flags:S, actions:drop


The src MAC address is the traffic generator. The dst is the MAC address of the floating IP.

David

From: Aswin Suryanarayanan [mailto:asuryana@redhat.com]
Sent: 20 July 2018 10:45
To: Lake D Mr (PG/R - Elec Electronic Eng) <d.lake@surrey.ac.uk>
Cc: odl netvirt dev <netvirt-dev@lists.opendaylight.org>; openstack@lists.openstack.org; Ge C Dr (Elec Electronic Eng) <c.ge@surrey.ac.uk>
Subject: Re: [netvirt-dev] VM as a router with ODL/OpenStack



On Fri, Jul 20, 2018 at 1:02 PM, <d.lake@surrey.ac.uk> wrote:
Hello

I’m trying to use a VM as a router in an OpenStack + ODL installation.

I have the VM set up with two internal addresses - 10.10.5.21 and 10.10.6.21. They are allocated floating public addresses of 10.201.81.21 and 10.201.82.21 respectively.

I am using a TREx load generator which sources from 16.0.0.0/8 and sinks to 48.0.0.0/8.

I have added routes both ways on the routers between the floating and private addresses.

I have read that I need to disable “port security” on the VM ports to allow IP spoofing - does this also include the router ports?

Router ports have port security disabled by default, no need to do that explicitly.

Also, when I start a test session generating traffic from 16.0.0.0 -> 48.0.0.0. I see a flow in OVS which matches but has an action of “drop.”

In which table exactly is the packet dropped?

How do I overcome this?

Thanks in advance

David

Sent from my iPhone

_______________________________________________
netvirt-dev mailing list
netvirt-dev@lists.opendaylight.org
https://lists.opendaylight.org/mailman/listinfo/netvirt-dev
Re: [netvirt-dev] VM as a router with ODL/OpenStack
Hi Aswin

I’ve just noticed that I don’t think the packet is ever actually making it through to OVS.

If I do an “ovs-dpctl dump-flows” then I see the immediate drop on ingress port 5.

But if I extend that to “ovs-ofctl -O OpenFlow13 dump-flows br-int” the only entry I see is:

cookie=0x8000003, duration=3823.308s, table=21, n_packets=0, n_bytes=0, priority=18,ip,metadata=0x30d40/0xfffffe,nw_dst=48.0.0.0/8 actions=group:150007

I’ve just checked the port names and “Port 5” is:

name : "br-prov2-patch"
ofport : 5


David

Re: [netvirt-dev] VM as a router with ODL/OpenStack
With “ovs-ofctl -O OpenFlow13 dump-flows br-int” I don’t see ANY entries for packets to 48.0.0.0/8 or 16.0.0.0/8

Only this one entry (which I think is a static route which I have in the router between the floating network and the private network).

David

From: Aswin Suryanarayanan [mailto:asuryana@redhat.com]
Sent: 20 July 2018 12:28
To: Lake D Mr (PG/R - Elec Electronic Eng) <d.lake@surrey.ac.uk>
Cc: odl netvirt dev <netvirt-dev@lists.opendaylight.org>; openstack@lists.openstack.org; Ge C Dr (Elec Electronic Eng) <c.ge@surrey.ac.uk>
Subject: Re: [netvirt-dev] VM as a router with ODL/OpenStack



On Fri, Jul 20, 2018 at 4:32 PM, <d.lake@surrey.ac.uk> wrote:
Hi Aswin

I’ve just noticed that I don’t think the packet is ever actually making it through to OVS.

If I do an “ovs-dpctl dump-flows” then I see the immediate drop on ingress port 5.

But if I extend that to “ovs-ofctl -O OpenFlow13 dump-flows br-int” the only entry I see is:

cookie=0x8000003, duration=3823.308s, table=21, n_packets=0, n_bytes=0, priority=18,ip,metadata=0x30d40/0xfffffe,nw_dst=48.0.0.0/8 actions=group:150007

Oh, I think it is hard to understand the reason from this flow. Were you able to identify where the packet is dropped from “ovs-ofctl -O OpenFlow13 dump-flows br-int”?

I’ve just checked the port names and “Port 5” is:

name : "br-prov2-patch"
ofport : 5


David

Re: [netvirt-dev] VM as a router with ODL/OpenStack
Hi Jaime

Thank you - I will try this and see how it works.

David

-----Original Message-----
From: Jaime Caamaño Ruiz [mailto:jcaamano@suse.de]
Sent: 20 July 2018 14:23
To: Lake D Mr (PG/R - Elec Electronic Eng) <d.lake@surrey.ac.uk>; netvirt-dev@lists.opendaylight.org; openstack@lists.openstack.org
Cc: Ge C Dr (Elec Electronic Eng) <c.ge@surrey.ac.uk>
Subject: Re: [netvirt-dev] VM as a router with ODL/OpenStack

Hello David

On the router VM, you would probably dedicate a port for management with a floating ip assigned.

Then you would have extra ports for as many nets as the router is servicing, two in the case of the trex simple setup. These ports would have port security disabled:

openstack port set <port> --no-security-group --disable-port-security

If running trex in the cloud vm, more or less the same. Have one port for management. Then two other ports for trex traffic. On these ports, add allowed address pairs for 16.0.0.0/8 and 48.0.0.0/8 respectively:

openstack port set <port> --allowed-address ip-address=16.0.0.0/8

If you have any routers in the middle, add static routes.

Not actually tried with ODL, but this works with neutron ovs driver.

BR
Jaime.

-----Original Message-----
From: d.lake@surrey.ac.uk
To: netvirt-dev@lists.opendaylight.org, openstack@lists.openstack.org, jcaamano@suse.de
Cc: c.ge@surrey.ac.uk
Subject: [netvirt-dev] VM as a router with ODL/OpenStack
Date: Fri, 20 Jul 2018 07:32:49 +0000

Hello

I’m trying to use a VM as a router in an OpenStack + ODL installation.

I have the VM set up with two internal addresses - 10.10.5.21 and
10.10.6.21. They are allocated floating public addresses of
10.201.81.21 and 10.201.82.21 respectively.

I am using a TREx load generator which sources from 16.0.0.0/8 and
sinks to 48.0.0.0/8.

I have added routes both ways on the routers between the floating and private addresses.

I have read that I need to disable “port security” on the VM ports to allow IP spoofing - does this also include the router ports?

Also, when I start a test session generating traffic from 16.0.0.0 -> 48.0.0.0. I see a flow in OVS which matches but has an action of “drop.”

How do I overcome this?

Thanks in advance

David

Sent from my iPhone
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
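
Added example, not part of the thread and not OVS or ODL code: a small Python parser for the “ovs-dpctl dump-flows” line quoted above, which picks out flows whose action is drop and reports which of the thread's TRex prefixes (16.0.0.0/8, 48.0.0.0/8) each match overlaps. The second flow line and all function names are constructed for illustration.

```python
import ipaddress
import re

# Datapath flow quoted in the thread (from "ovs-dpctl dump-flows").
THREAD_FLOW = (
    "recirc_id(0),in_port(5),eth(src=a0:36:9f:f6:f9:98,dst=fa:16:3e:f1:8e:3d),"
    "eth_type(0x0800),ipv4(src=16.0.0.0/240.0.0.0,dst=48.0.0.0/255.0.0.0,frag=no),"
    " packets:1438, bytes:105356, used:0.005s, flags:S, actions:drop"
)
# Constructed line for contrast: a forwarded flow on a hypothetical port 7.
CONSTRUCTED_FLOW = (
    "recirc_id(0),in_port(7),eth_type(0x0800),"
    "ipv4(src=10.10.5.21,dst=10.10.6.21,frag=no),"
    " packets:12, bytes:1176, used:0.120s, actions:3"
)

def parse_dp_flow(line):
    """Split one datapath flow into match fields, packet count and actions."""
    match, _, rest = line.partition(", ")
    flow = {"in_port": int(re.search(r"in_port\((\d+)\)", match).group(1))}
    ipv4 = re.search(r"ipv4\(([^)]*)\)", match)
    for item in (ipv4.group(1).split(",") if ipv4 else []):
        key, _, val = item.partition("=")
        if key in ("src", "dst"):
            # OVS prints address/netmask; a bare address means an exact match.
            flow[key] = ipaddress.ip_network(val, strict=False)
    flow["packets"] = int(re.search(r"packets:(\d+)", rest).group(1))
    flow["actions"] = rest.rsplit("actions:", 1)[1].strip()
    return flow

def dropped_flows(lines):
    """Parsed flows whose action is drop and that have matched packets."""
    flows = [parse_dp_flow(line) for line in lines]
    return [f for f in flows if f["actions"] == "drop" and f["packets"] > 0]

def overlapping_prefixes(flow, expected):
    """Which expected prefixes a flow's src/dst match overlaps.

    The datapath mask only records the bits OVS consulted, so the match can be
    wider than the real traffic (16.0.0.0/240.0.0.0 is a /4): test overlap.
    """
    nets = [ipaddress.ip_network(p) for p in expected]
    return {k: [str(n) for n in nets if k in flow and flow[k].overlaps(n)]
            for k in ("src", "dst")}

if __name__ == "__main__":
    for f in dropped_flows([THREAD_FLOW, CONSTRUCTED_FLOW]):
        print(f["in_port"], f["packets"],
              overlapping_prefixes(f, ["16.0.0.0/8", "48.0.0.0/8"]))
```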