[ovs-discuss] Anti-spoof rules with vlans on XCP (XENSERVER)...
dr.fersken at gmail.com
Tue May 17 10:17:56 UTC 2011
Great - the rules work a lot better after running ovs-vsctl del-controller.
It looks like everything works now.
The rules for the XCP VMs to prevent MAC/IP spoofing (although allowing
DHCP) are then:
# DHCP from the VM: "udp" is the ovs-ofctl shorthand for dl_type=0x0800,nw_proto=17
# ("dl_type=udp" does not parse); the MAC must still match.
/usr/bin/ovs-ofctl add-flow xapi5 "in_port=15 priority=39500 udp tp_dst=67 dl_src=a6:1e:29:3d:69:51 idle_timeout=0 actions=normal"
# IPv4 only with the VM's own MAC and assigned source address
/usr/bin/ovs-ofctl add-flow xapi5 "in_port=15 priority=39000 dl_type=0x0800 nw_src=10.10.8.73 dl_src=a6:1e:29:3d:69:51 idle_timeout=0 actions=normal"
# ARP only with the VM's own MAC as frame source
/usr/bin/ovs-ofctl add-flow xapi5 "in_port=15 priority=38500 dl_type=0x0806 dl_src=a6:1e:29:3d:69:51 idle_timeout=0 actions=normal"
# Catch-all for the port (the action was cut off in the post; add-flow
# requires one, and drop is the catch-all an anti-spoof set needs)
/usr/bin/ovs-ofctl add-flow xapi5 "in_port=15 priority=38000 idle_timeout=0 actions=drop"
If something could be improved, security- or performance-wise, I would be happy to
know about it! ;-)
Thanks for your help!
On Thu, May 5, 2011 at 5:39 PM, Justin Pettit <jpettit at nicira.com> wrote:
> On May 5, 2011, at 4:03 AM, Kristoffer Egefelt wrote:
> > From the pool master I get:
> > #ovs-vsctl get-controller xapi5
> > ssl:10.10.3.250:6633
> > Probably because I tried the Citrix controller at some point - should it
> work if I delete it with:
> > #ovs-vsctl del-controller xapi5
> > is it safe?
> I assume by the Citrix controller, you mean their DVS (Distributed Virtual
> Switch). If you don't want to run it anymore, you're likely going to want
> to have OVS stop trying to connect to it over the management channel. You
> may want to see if the DVS User Manual indicates a way to no longer
> associate your switch with that controller. If not, we can share a script
> with you that will remove the configuration from XAPI.
> > Running:
> > ovs-vsctl get-fail-mode xapi5
> > returns nothing...
> That means you are using the default, which is standalone (fail-open). If
> you don't need the controller connection, I'd recommend removing that rather
> than messing with the fail-mode.
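As an added example, not code from the post above or from the Open vSwitch project: a small POSIX shell script that generates the same kind of per-port anti-spoof flow set and installs it with a single `ovs-ofctl add-flows BRIDGE -` (flow list on stdin). It goes beyond the rules in the post in three places: the DHCP exception also requires the client source port 68, the ARP rule pins the ARP sender MAC and IP (arp_sha/arp_spa) so the VM cannot answer ARP for somebody else's address while using its own MAC, and the catch-all is an explicit drop. The function names `gen_antispoof_flows` and `apply_antispoof_flows` are chosen here; the script assumes an ovs-ofctl release that understands the arp_sha/arp_spa match fields and reads a flow file from stdin.

```shell
#!/bin/sh
# Added example, not code from the original post or from Open vSwitch.
# gen_antispoof_flows and apply_antispoof_flows are names chosen here.
# Assumes ovs-ofctl supports the arp_sha/arp_spa fields and
# "add-flows BRIDGE -" (flow list read from stdin).

# Print the anti-spoof flow set for one VM port, one flow per line, in the
# same priority order as the post: DHCP exception, IPv4, ARP, then drop.
#   $1 = OpenFlow port number of the VIF, $2 = VM MAC, $3 = VM IPv4 address
gen_antispoof_flows() {
    port=$1 mac=$2 ip=$3
    # DHCP from the VM: client port 68 -> server port 67, MAC must still match.
    # The VM has no IP yet, so nw_src cannot be checked here; this is the one
    # place a VM may still send frames with an arbitrary source IP.
    printf 'in_port=%s,priority=39500,udp,tp_src=68,tp_dst=67,dl_src=%s,actions=normal\n' \
        "$port" "$mac"
    # IPv4: frame must carry the VM's own MAC and its assigned source address.
    printf 'in_port=%s,priority=39000,ip,nw_src=%s,dl_src=%s,actions=normal\n' \
        "$port" "$ip" "$mac"
    # ARP: besides dl_src, pin the ARP sender hardware and protocol addresses.
    # Matching dl_src alone (as the post does) still lets the VM claim another
    # host's IP in an ARP reply and poison its neighbours' ARP caches.
    printf 'in_port=%s,priority=38500,arp,dl_src=%s,arp_sha=%s,arp_spa=%s,actions=normal\n' \
        "$port" "$mac" "$mac" "$ip"
    # ARP probes sent while the address is still being acquired (RFC 5227)
    # carry sender IP 0.0.0.0; allow them so the DHCP client can still probe.
    printf 'in_port=%s,priority=38500,arp,dl_src=%s,arp_sha=%s,arp_spa=0.0.0.0,actions=normal\n' \
        "$port" "$mac" "$mac"
    # Everything else entering from this port is dropped.
    printf 'in_port=%s,priority=38000,actions=drop\n' "$port"
}

# Install the set on a bridge with one ovs-ofctl invocation.
#   $1 = bridge (e.g. xapi5), $2..$4 as for gen_antispoof_flows
apply_antispoof_flows() {
    bridge=$1; shift
    gen_antispoof_flows "$@" | ovs-ofctl add-flows "$bridge" -
}

# Usage (values from the post): ./antispoof.sh xapi5 15 a6:1e:29:3d:69:51 10.10.8.73
if [ "$#" -eq 4 ]; then
    apply_antispoof_flows "$@"
fi
```

After installing, `ovs-ofctl dump-flows xapi5` should show the five entries for `in_port=15`, with the `actions=drop` entry picking up the packet counter when the VM sends anything outside the allowed set. Flows added with ovs-ofctl are not stored in OVSDB, so they are gone whenever the bridge is recreated or ovs-vswitchd restarts, and, as the reply above notes, a controller that reconnects will manage the flow table itself; the script has to be re-run in those cases.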