[ovs-discuss] VM isolation with OVS on XCP

Todd Deshane deshantm at gmail.com
Wed Apr 28 23:07:07 UTC 2010

Hi Matt,

Comments inline.

On Wed, Apr 28, 2010 at 7:01 PM, Matthew Law <matt at webcontracts.co.uk> wrote:
> Hi,
> I've joined the list in the hope that someone might be able to answer a
> couple of questions I have regarding OVS in conjunction with Xen Cloud
> Platform.
> With previous versions of Xen using the conventional linux bridging
> support we have had to take some steps to prevent untrusted domUs from
> spoofing IP addresses.  In the past we have done this with iptables and
> ebtables rules added at the point that we create the virtual interface and
> attach it to the bridge.  Does the default OVS setup in XCP prevent domUs
> from seeing traffic not intended for them?

There is a very recent thread on this topic:

> Also, is there any way to ensure DHCP requests from booting domUs are
> answered by the appropriate DHCP server and not a domU?

The fact that you can restrict flows based on MAC address and port should
be enough to make sure that the appropriate DHCP server answers. Again,
see that previous thread. It references documentation on creating flows.

Hope that helps.


Todd Deshane

> Thanks in advance,
> Matt.

More information about the discuss mailing list