[ovs-discuss] Residual IP/ARP entry after a VM is powered off -> OVS passing unwanted pkts

Jesse Gross jesse at nicira.com
Thu Sep 2 20:48:05 UTC 2010

On Thu, Sep 2, 2010 at 9:01 AM, Luiz Henrique Ozaki
<luiz.ozaki at gmail.com> wrote:
> Yeah, I don't know the difficult in changing this but this should be the
> perfect cenario:
> VM is poweroff -> physical switch still have that MAC in a port and sends to
> the host -> OVS should know when a VM poweroff and in the MAC table doesn't
> have that MAC anymore, MAC become incomplete and maybe some arp request
> broadcast should be made (?)... Doing this no packets are sent to any
> virtual ports.
> The packets are going to be sent to that physical port until MAC timeout,
> but OVS will "filter" that packets.
> This case seems like a normal switch and I think this is the idea of OVS,
> isn't it ?

Actually, no, this is not how a physical switch behaves.  You
mentioned that your other switches are flooding packets to all ports -
OVS is doing the same thing.  It is possible to do more with a virtual
switch since it tends to have more information about the connected
devices but that isn't directly implemented as a feature in OVS,
instead the primitives are exposed to a controller.

> Does a controller solve this even with the physical switch sending that
> packets to the Host/OVS ?
> Hmmm... If I create openflow rules for each MAC addresses inside the host,
> does it solve this too ? By the way, is this what the controlles does ?

Yes to all of these questions.

The take away point here is that while switches (physical or virtual)
try not to send packets to ports that are not the intended
destination, this is not guaranteed and is not meant to be a security
feature.  For security purposes you should assume that the switches
are flooding packets to all ports at all times.  If this is not
acceptable behavior you need to enforce that through another mechanism
such as OpenFlow rules, vlans, etc.

More information about the discuss mailing list