[ovs-discuss] L2 Isolation

Trebor Forban trebor.forban at gmail.com
Mon Apr 22 13:45:23 UTC 2013 

Hello,

what is the recommended way to achieve L2 isolation with VMs and ovs?

I have multiple VMs that are identical and hence have identical MAC
addresses.

I've been using qemus "-net user" (slirp), but the performance is poor.

I've tried ovs tagged vlans, but am having trouble getting dnsmasq/dhcp to
work with the tagged vlans.

Should I possibly be trying GRE tunnels?

This is what I've been doing for a single VM "hidden" behind nat; is there
any way to achieve the same with multiple identical VMs on the same host?

/etc/network/interfaces:

auto natvbr0
iface natvbr0 inet static
        address 10.0.2.2
        netmask 255.255.255.0
        metric 1

        up /usr/sbin/dnsmasq --interface=${IFACE}  --except-interface=lo
--bind-interfaces --user=nobody \

--dhcp-range=natvbr0,10.0.2.15,10.0.2.15,255.255.255.0,10.0.2.255,72h \
        --domain=localnet --pid-file=/var/run/${IFACE}_dnsmasq.pid
--conf-file

        up echo 1 > /proc/sys/net/ipv4/ip_forward
        up iptables -A FORWARD -s 10.0.2.0/24 -j ACCEPT
        up iptables -A FORWARD -d 10.0.2.0/24 -j ACCEPT
        post-up echo 600 > /proc/sys/net/ipv4/tcp_keepalive_time
        post-up echo 50 > /proc/sys/net/ipv4/tcp_keepalive_probes
        post-up echo 10 > /proc/sys/net/ipv4/tcp_keepalive_intvl
        down iptables -D FORWARD -s 10.0.2.0/24 -j ACCEPT
        down iptables -D FORWARD -d 10.0.2.0/24 -j ACCEPT
        # up masq is done in /etc/network/if-up.d
        down iptables -t nat -D POSTROUTING -o "$(route -n | grep ^0 | grep
-o [^[:space:]]*$)" -j MASQUERADE
        post-down kill -s TERM $(cat /var/run/${IFACE}_dnsmasq.pid) && rm
-f /var/run/${IFACE}_dnsmasq.pid

/etc/qemu/natvbr0-ifup:

#!/bin/bash
switch='natvbr0'
/sbin/ifconfig $1 0.0.0.0 up
ovs-vsctl add-port ${switch} $1
iptables -t nat -A POSTROUTING -o "$(route -n | grep ^0 | grep -o
[^[:space:]]*$)" -j MASQUERADE



Any help would be much appreciated.

Regards,
TF
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://openvswitch.org/pipermail/ovs-discuss/attachments/20130422/c7204ec2/attachment.html>

More information about the discuss mailing list