[ovs-discuss] Simulate PVLAN(isolated secondary vlan) using OVS

Sheng Yang sheng at yasker.org
Mon Apr 22 02:40:46 UTC 2013


On Sun, Apr 21, 2013 at 5:06 PM, Ben Pfaff <blp at nicira.com> wrote:

> On Sun, Apr 21, 2013 at 04:52:00PM -0700, Sheng Yang wrote:
> > I think openflow 1.1 should be able to deal with it, by putting rule 1
> > and rule 2 into different flow tables.
> >
> > But with openflow 1.0, I am struggling to find a better solution for it.
>
> You can use multiple flow tables with Open vSwitch with the "resubmit"
> action.  "resubmit" is documented in ovs-ofctl(8).
>

Hi Ben,

"resubmit" is really helpful!

However, I still have some trouble getting the expected result.

If I do something like this:

1: priority=50,vlan_tci=0x0000,dl_src=<I-port VM MAC>
    actions=mod_vlan_vid:<Secondary VLAN>,resubmit:1
2a: priority=150,dl_vlan=<Secondary VLAN>,dl_dst=<P-port VM's MAC>
    actions=mod_vlan_vid:<Primary VLAN>,NORMAL
2b: priority=150,dl_vlan=<Secondary VLAN>,dl_dst=<P-port VM's MAC>
    actions=strip_vlan,NORMAL

Situation:

A: If both VMs are on the same host, rule 2a won't work, and the
traffic won't reach <P-port VM>. I suppose it is because they're configured
with the same VLAN, so the communication is expected without a VLAN tag
(which is inside OVS). So after processing the flow table, OVS doesn't know
what to do with this VLAN-tagged traffic. In this situation, rule 2b works
instead of rule 2a.

B: If the host of rule 1's VM (connected to a different OVS) is different
from that of rule 2's VM, rule 2a works, but rule 2b doesn't. I guess
it's because OVS identifies the traffic, then strips the VLAN for the P-port
VM, after processing the flow table?

I cannot have two contradictory rules (2a and 2b) here, so I am still trying
to work out a rule that always works, but I haven't found more information
on how OpenFlow handles the packets.

(BTW, these two VMs are connected to an OVS port which is configured as a
<Primary VLAN> tagged port.)

Another question: if rule 1 is the only rule on the host where <I-port
VM> is running, OVS only tags the traffic but doesn't send it out (I need
to add another rule to send it out of OVS). I thought it was probably
because we didn't configure trunk ports on OVS, but after I checked the
setup of the ports, there are no ports configured as trunk. So what's the
reason OVS decides to do nothing with the packet with the <secondary VLAN>
tag? I guess the VLAN tag of the ports is related to it?

Thanks in advance!

--Sheng
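
An added example, not part of the original post or of Open vSwitch itself: ovs-ofctl(8) documents two spellings of the action discussed above, "resubmit:port" and "resubmit([port],[table])", and this Python helper parses an actions= string and reports which table each resubmit re-searches and whether it rewrites in_port. The function names are hypothetical, and the MAC address and VLAN ID in the sample flows are constructed.

```python
import re

# Per ovs-ofctl(8): "resubmit:port" re-searches the *current* table with
# in_port replaced by port; "resubmit([port],[table])" can select another table.
# Other forms are not matched here and are skipped.
_RESUBMIT = re.compile(r"^resubmit(?::(?P<p1>\w+)|\((?P<p2>\w*),(?P<t>\d*)\))$")


def split_actions(actions):
    """Split an actions= string on commas that are not inside parentheses."""
    parts, depth, cur = [], 0, ""
    for ch in actions:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        parts.append(cur)
    return parts


def explain_resubmits(flow, current_table=0):
    """Return (action, new_in_port or None, table_searched) per resubmit."""
    actions = flow.split("actions=", 1)[1].strip()
    out = []
    for act in (a.strip() for a in split_actions(actions)):
        m = _RESUBMIT.match(act)
        if not m:
            continue
        port = m.group("p1") or m.group("p2") or None
        table = int(m.group("t")) if m.group("t") else current_table
        out.append((act, port, table))
    return out


# Constructed sample flows (MAC and VLAN ID 200 are placeholders).
SAMPLES = [
    "priority=50,vlan_tci=0x0000,dl_src=00:00:00:00:00:01 actions=mod_vlan_vid:200,resubmit:1",
    "priority=50,vlan_tci=0x0000,dl_src=00:00:00:00:00:01 actions=mod_vlan_vid:200,resubmit(,1)",
]

if __name__ == "__main__":
    for flow in SAMPLES:
        for act, port, table in explain_resubmits(flow):
            print(f"{act}: in_port={port or 'unchanged'}, table searched={table}")
```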