[ovs-discuss] Residual IP/ARP entry after a VM is powered off -> OVS passing unwanted pkts

Luiz Henrique Ozaki luiz.ozaki at gmail.com
Thu Sep 2 21:38:52 UTC 2010


But the physical switch is sending those packets to all ports because of a
*problem*... That's not a common behavior, it doesn't make much sense.

Look at this scenario:

Some MAC in switch A is communicating with a MAC in switch B; when the MAC at
switch B is shut down, the switch will send those packets to all ports in
switch B, and if switch C is connected to switch B, the packets will go
through all ports in C too, and switch D is connected to C, D to E =
broadcast to all switches! When a port is disconnected, the switch knows
that the port state changed and makes the MAC address entry go incomplete
for that MAC, and no packets are sent, maybe an ARP request but not the
packet broadcast.

As far as I know, the switch has a MAC address table relating MACs to ports,
and those packets are sent only when this relation is valid, always, or it
tries to do so. Seems a primary function since without this a "broadcast of
death" can be easy to make.

As you said, I should assume a switch flooding broadcast packets and if the
switch doesn't have that check, all your network in the same VLAN will crash
since that packet of death will go all over the switches.

OVS, I think, already does that MAC -> ports check, since packets are not all
sent to all VMs; it's just needed that when a packet comes and OVS doesn't
have that MAC, it doesn't broadcast it. And since OVS will not be connected
directly to another switch, it doesn't even need an ARP request to be sent.


Well, gonna try openflow rules then...


I'm not an expert in networking so if this is not making sense, please tell
me guys...


On Thu, Sep 2, 2010 at 5:48 PM, Jesse Gross <jesse at nicira.com> wrote:

> On Thu, Sep 2, 2010 at 9:01 AM, Luiz Henrique Ozaki
> <luiz.ozaki at gmail.com> wrote:
> > Yeah, I don't know the difficulty in changing this but this should be the
> > perfect scenario:
> > VM is powered off -> physical switch still has that MAC on a port and sends
> > to the host -> OVS should know when a VM powers off and in the MAC table
> > doesn't have that MAC anymore, MAC becomes incomplete and maybe some ARP
> > request broadcast should be made (?)... Doing this no packets are sent to
> > any virtual ports.
> > The packets are going to be sent to that physical port until MAC timeout,
> > but OVS will "filter" those packets.
> > This case seems like a normal switch and I think this is the idea of OVS,
> > isn't it ?
>
> Actually, no, this is not how a physical switch behaves.  You
> mentioned that your other switches are flooding packets to all ports -
> OVS is doing the same thing.  It is possible to do more with a virtual
> switch since it tends to have more information about the connected
> devices but that isn't directly implemented as a feature in OVS,
> instead the primitives are exposed to a controller.
>
> > Does a controller solve this even with the physical switch sending those
> > packets to the Host/OVS ?
> > Hmmm... If I create openflow rules for each MAC address inside the host,
> > does it solve this too ? By the way, is this what the controllers do ?
>
> Yes to all of these questions.
>
> The take away point here is that while switches (physical or virtual)
> try not to send packets to ports that are not the intended
> destination, this is not guaranteed and is not meant to be a security
> feature.  For security purposes you should assume that the switches
> are flooding packets to all ports at all times.  If this is not
> acceptable behavior you need to enforce that through another mechanism
> such as OpenFlow rules, vlans, etc.
>



-- 
[]'s
Luiz Henrique Ozaki
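The mechanism Jesse points to (enforcing per-MAC delivery with OpenFlow rules instead of trusting the switch's MAC learning) looks like the following in practice. This is an added example, not code from this thread or from the Open vSwitch project: it generates a flow table in ovs-ofctl syntax from a list of running VMs, so that a unicast frame arriving from the physical uplink reaches only the VM port that owns the destination MAC and is dropped otherwise, which is exactly the stale-entry-for-a-powered-off-VM case Luiz describes. The bridge name `br0`, the OpenFlow port numbers, the MAC addresses and the `VM_TABLE` inventory format are all assumed for the example.

```shell
#!/bin/sh
# Added example (not code from the thread or from the Open vSwitch project):
# build an OpenFlow table for an OVS bridge so that unicast frames arriving
# from the physical uplink reach only the VM port that owns the destination
# MAC and are otherwise dropped, instead of relying on MAC learning and
# flooding.  Bridge name, OpenFlow port numbers and MAC addresses are
# assumed/constructed for the example.

BRIDGE="${BRIDGE:-br0}"            # assumed bridge name
UPLINK_PORT="${UPLINK_PORT:-1}"    # assumed OpenFlow port number of the physical NIC

# Constructed VM inventory, one "<ofport> <mac>" per line, as a hypervisor
# agent could produce it from the list of VMs that are actually running.
VM_TABLE='2 52:54:00:aa:bb:01
3 52:54:00:aa:bb:02'

# gen_flows: print the flow table for the given inventory in ovs-ofctl syntax.
gen_flows() {
    table="$1"
    # Broadcast/multicast from the uplink (ARP requests etc.) is still needed;
    # hand it to the normal MAC-learning pipeline.
    echo "priority=50,in_port=$UPLINK_PORT,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00,actions=normal"
    printf '%s\n' "$table" | while read -r port mac; do
        if [ -z "$port" ]; then continue; fi
        # Unicast from the uplink to a running VM's MAC goes only to that VM's port.
        echo "priority=100,in_port=$UPLINK_PORT,dl_dst=$mac,actions=output:$port"
        # Frames from a VM port must carry that VM's own source MAC (anti-spoofing).
        echo "priority=100,in_port=$port,dl_src=$mac,actions=normal"
    done
    # Unknown unicast from the uplink, e.g. the physical switch's stale entry
    # for a VM that was powered off, is dropped rather than flooded to every VM.
    echo "priority=20,in_port=$UPLINK_PORT,actions=drop"
    # Anything from a VM port that did not match its own MAC is dropped too.
    echo "priority=10,actions=drop"
}

# count_rules: number of flow entries generated for an inventory.
count_rules() {
    gen_flows "$1" | wc -l | tr -d ' '
}

# apply_flows: replace the bridge's flow table with the generated one.
# Returns 1 (after printing the table to stderr) when ovs-ofctl is not available.
apply_flows() {
    if command -v ovs-ofctl >/dev/null 2>&1; then
        gen_flows "$1" | ovs-ofctl replace-flows "$BRIDGE" -
    else
        echo "ovs-ofctl not found; generated table follows" >&2
        gen_flows "$1" >&2
        return 1
    fi
}

# Stand-alone use: print the table; set APPLY=1 to load it into the bridge.
if [ "${APPLY:-0}" = "1" ]; then
    apply_flows "$VM_TABLE"
else
    gen_flows "$VM_TABLE"
fi
```

Re-running the script whenever a VM starts or stops keeps the table in step with what is actually running, which is the "OVS should know when a VM powers off" behaviour asked for above, implemented as controller-style rules rather than as a switch feature. Frames that VMs send to each other still go through the `normal` action, so VM-originated unknown unicast is still flooded by the learning pipeline; only traffic entering from the physical uplink is pinned to known MACs.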