[ovs-discuss] Anti-spoof rules with vlans on XCP (XENSERVER)...

Kristoffer Egefelt dr.fersken at gmail.com
Tue May 17 10:17:56 UTC 2011

Great - the rules works alot better after running ovs-vsctl del-controller
xapi5 ;-)
It looks like everything works now.

The rules for the XCP VMs to prevent mac/ip spoofing (although allowing
dhcp) are then:

/usr/bin/ovs-ofctl add-flow xapi5 "in_port=15 priority=39500 dl_type=udp
tp_dst=67 dl_src=a6:1e:29:3d:69:51 idle_timeout=0 action=normal"

/usr/bin/ovs-ofctl add-flow xapi5 "in_port=15 priority=39000 dl_type=0x0800
nw_src= dl_src=a6:1e:29:3d:69:51 idle_timeout=0 action=normal"

/usr/bin/ovs-ofctl add-flow xapi5 "in_port=15 priority=38500 dl_type=0x0806
dl_src=a6:1e:29:3d:69:51 idle_timeout=0 action=normal"

/usr/bin/ovs-ofctl add-flow xapi5 "in_port=15 priority=38000 idle_timeout=0

If something could be improved, security/performance, I would be happy to
know about it! ;-)

Thanks for your help!


On Thu, May 5, 2011 at 5:39 PM, Justin Pettit <jpettit at nicira.com> wrote:

> On May 5, 2011, at 4:03 AM, Kristoffer Egefelt wrote:
> > From the pool master i get:
> >
> > #ovs-vsctl get-controller xapi5
> > ssl:
> >
> > Probably because I tried the Citrix controller at some point - should it
> work if I delete it with:
> >
> > #ovs-vsctl del-controller xapi5
> >
> > is it safe?
> Yes.
> I assume by the Citrix controller, you mean their DVS (Distributed Virtual
> Switch).  If you don't want to run it anymore, you're likely going to want
> to have OVS stop trying to connect to it over the management channel.  You
> may want to see if the DVS User Manual indicates a way to no longer
> associate your switch with that controller.  If not, we can share a script
> with you that will remove the configuration from XAPI.
> > Running:
> > ovs-vsctl get-fail-mode xapi5
> > returns nothing...
> That means you are using the default, which is standalone (fail-open).  If
> you don't need the controller connection, I'd recommend removing that rather
> than messing with the fail-mode.
> --Justin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://openvswitch.org/pipermail/ovs-discuss/attachments/20110517/8f57a5d7/attachment-0001.html>

More information about the discuss mailing list