[ovs-discuss] Anti-spoof rules with vlans on XCP (XENSERVER)...

Kristoffer Egefelt dr.fersken at gmail.com
Tue May 17 10:17:56 UTC 2011


Great - the rules work a lot better after running ovs-vsctl del-controller
xapi5 ;-)
It looks like everything works now.

The rules for the XCP VMs to prevent MAC/IP spoofing (although allowing
DHCP) are then:

# DHCP client -> server: the guest has no IP yet, so only the MAC is checked.
# ("udp" is the ovs-ofctl shorthand for dl_type=0x0800,nw_proto=17; "dl_type=udp" is not accepted.)
/usr/bin/ovs-ofctl add-flow xapi5 "in_port=15 priority=39500 udp tp_dst=67 dl_src=a6:1e:29:3d:69:51 idle_timeout=0 action=normal"

# IPv4 only from the guest's own MAC/IP pair.
/usr/bin/ovs-ofctl add-flow xapi5 "in_port=15 priority=39000 dl_type=0x0800 nw_src=10.10.8.73 dl_src=a6:1e:29:3d:69:51 idle_timeout=0 action=normal"

# ARP only from the guest's own MAC.
/usr/bin/ovs-ofctl add-flow xapi5 "in_port=15 priority=38500 dl_type=0x0806 dl_src=a6:1e:29:3d:69:51 idle_timeout=0 action=normal"

# Everything else from this port is dropped.
/usr/bin/ovs-ofctl add-flow xapi5 "in_port=15 priority=38000 idle_timeout=0 action=drop"

If something could be improved, security/performance, I would be happy to
know about it! ;-)

Thanks for your help!

Regards
Kristoffer


On Thu, May 5, 2011 at 5:39 PM, Justin Pettit <jpettit at nicira.com> wrote:

>
> On May 5, 2011, at 4:03 AM, Kristoffer Egefelt wrote:
>
> > From the pool master I get:
> >
> > #ovs-vsctl get-controller xapi5
> > ssl:10.10.3.250:6633
> >
> > Probably because I tried the Citrix controller at some point - should it
> work if I delete it with:
> >
> > #ovs-vsctl del-controller xapi5
> >
> > is it safe?
>
> Yes.
>
> I assume by the Citrix controller, you mean their DVS (Distributed Virtual
> Switch).  If you don't want to run it anymore, you're likely going to want
> to have OVS stop trying to connect to it over the management channel.  You
> may want to see if the DVS User Manual indicates a way to no longer
> associate your switch with that controller.  If not, we can share a script
> with you that will remove the configuration from XAPI.
>
> > Running:
> > ovs-vsctl get-fail-mode xapi5
> > returns nothing...
>
> That means you are using the default, which is standalone (fail-open).  If
> you don't need the controller connection, I'd recommend removing that rather
> than messing with the fail-mode.
>
> --Justin
>
>
>
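The rule set posted above as a generator script, added here as an example and not code from the thread or from the Open vSwitch project. It emits the same four-rule layout (DHCP, IPv4, ARP, drop) for any bridge/port/MAC/IP passed on the command line, validates the arguments first so a typo cannot install a set that silently drops all of the guest's traffic, and tightens the ARP rule: the posted rule matches only dl_type=0x0806 and dl_src, so a guest could still send ARP replies naming another IP address as its own, whereas here the ARP sender fields (arp_sha, arp_spa) are pinned to the guest's MAC/IP pair, with a second rule for arp_spa=0.0.0.0 so duplicate-address-detection probes still pass. The bridge, port, MAC and IP values are the ones from the mail used as sample arguments; that the OVS version in use understands the arp_sha/arp_spa match fields is an assumption.

```shell
#!/bin/sh
# Added example (not from the original thread): print the per-VIF anti-spoof
# flow set as ovs-ofctl commands so it can be reviewed before being applied
# (for example by piping the output to sh on the XCP host).
# Assumed: BRIDGE PORT MAC IP are given as arguments and the OVS build
# supports the arp_sha/arp_spa match fields.

# Reject arguments that would produce a flow set matching nothing.
validate_args() {
    [ -n "$1" ] || { echo "missing bridge name" >&2; return 1; }
    case $2 in ''|*[!0-9]*) echo "bad OpenFlow port: $2" >&2; return 1 ;; esac
    printf '%s\n' "$3" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' \
        || { echo "bad MAC address: $3" >&2; return 1; }
    printf '%s\n' "$4" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        || { echo "bad IPv4 address: $4" >&2; return 1; }
}

# Emit one ovs-ofctl command per rule, highest priority first.
antispoof_flows() {
    br=$1 port=$2 mac=$3 ip=$4
    validate_args "$br" "$port" "$mac" "$ip" || return 1
    # 39500: DHCP client -> server; no IP yet, so only the source MAC is pinned.
    printf 'ovs-ofctl add-flow %s "in_port=%s,priority=39500,udp,tp_dst=67,dl_src=%s,actions=normal"\n' \
        "$br" "$port" "$mac"
    # 39000: IPv4 only from the guest's own MAC/IP pair.
    printf 'ovs-ofctl add-flow %s "in_port=%s,priority=39000,ip,nw_src=%s,dl_src=%s,actions=normal"\n' \
        "$br" "$port" "$ip" "$mac"
    # 38500: ARP only when the sender hardware/protocol addresses are the guest's own ...
    printf 'ovs-ofctl add-flow %s "in_port=%s,priority=38500,arp,dl_src=%s,arp_sha=%s,arp_spa=%s,actions=normal"\n' \
        "$br" "$port" "$mac" "$mac" "$ip"
    # ... plus ARP probes with arp_spa=0.0.0.0, which clients send before using an address.
    printf 'ovs-ofctl add-flow %s "in_port=%s,priority=38500,arp,dl_src=%s,arp_sha=%s,arp_spa=0.0.0.0,actions=normal"\n' \
        "$br" "$port" "$mac" "$mac"
    # 38000: anything else arriving on this port is dropped.
    printf 'ovs-ofctl add-flow %s "in_port=%s,priority=38000,actions=drop"\n' \
        "$br" "$port"
}

case $# in
    4) antispoof_flows "$@" ;;
    0) ;;   # no arguments: only define the functions (e.g. when sourced)
    *) echo "usage: $0 BRIDGE PORT MAC IP" >&2; exit 2 ;;
esac
# Sample invocation with the values from the mail:
#   sh antispoof.sh xapi5 15 a6:1e:29:3d:69:51 10.10.8.73
```

Because the commands are printed rather than executed, the output can be compared against `ovs-ofctl dump-flows xapi5` after applying it, which is the quickest way to confirm that the expected five entries exist for the port and that the catch-all drop rule is hit rather than a higher-priority rule you did not intend.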