[ovs-discuss] L2 Isolation
Trebor Forban
trebor.forban at gmail.com
Mon Apr 22 13:45:23 UTC 2013
Hello,
what is the recommended way to achieve L2 isolation with VMs and ovs?
I have multiple VMs that are identical and hence have identical MAC
addresses.
I've been using qemu's "-net user" (slirp), but the performance is poor.
I've tried ovs tagged vlans, but am having trouble getting dnsmasq/dhcp to
work with the tagged vlans.
Should I possibly be trying GRE tunnels?
This is what I've been doing for a single VM "hidden" behind nat; is there
any way to achieve the same with multiple identical VMs on the same host?
/etc/network/interfaces:
# Host side of the NAT bridge; 10.0.2.2 mirrors slirp's default gateway address.
auto natvbr0
iface natvbr0 inet static
    address 10.0.2.2
    netmask 255.255.255.0
    metric 1
    # dnsmasq bound to this bridge only, handing out the single slirp-style lease 10.0.2.15
    up /usr/sbin/dnsmasq --interface=${IFACE} --except-interface=lo --bind-interfaces --user=nobody \
        --dhcp-range=natvbr0,10.0.2.15,10.0.2.15,255.255.255.0,10.0.2.255,72h \
        --domain=localnet --pid-file=/var/run/${IFACE}_dnsmasq.pid --conf-file
    up echo 1 > /proc/sys/net/ipv4/ip_forward
    up iptables -A FORWARD -s 10.0.2.0/24 -j ACCEPT
    up iptables -A FORWARD -d 10.0.2.0/24 -j ACCEPT
    post-up echo 600 > /proc/sys/net/ipv4/tcp_keepalive_time
    post-up echo 50 > /proc/sys/net/ipv4/tcp_keepalive_probes
    post-up echo 10 > /proc/sys/net/ipv4/tcp_keepalive_intvl
    down iptables -D FORWARD -s 10.0.2.0/24 -j ACCEPT
    down iptables -D FORWARD -d 10.0.2.0/24 -j ACCEPT
    # up masq is done in /etc/network/if-up.d
    down iptables -t nat -D POSTROUTING -o "$(route -n | grep ^0 | grep -o '[^[:space:]]*$')" -j MASQUERADE
    post-down kill -s TERM $(cat /var/run/${IFACE}_dnsmasq.pid) && rm -f /var/run/${IFACE}_dnsmasq.pid

/etc/qemu/natvbr0-ifup:
#!/bin/bash
# qemu runs this as "<script> <tapname>": put the tap on the bridge and
# masquerade out of whichever interface carries the default route.
switch='natvbr0'
/sbin/ifconfig "$1" 0.0.0.0 up
ovs-vsctl add-port "${switch}" "$1"
iptables -t nat -A POSTROUTING -o "$(route -n | grep ^0 | grep -o '[^[:space:]]*$')" -j MASQUERADE
Any help would be much appreciated.
Regards,
TF
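As an added example (not from the original post or from the Open vSwitch project), the script below shows the VLAN approach the poster was trying, carried through so that DHCP and NAT work per VM. The point that makes identical MACs tolerable is that an OVS bridge learns addresses per (VLAN, MAC), so two VMs with the same MAC on different tagged access ports never collide in the learning table. dnsmasq, however, cannot serve a VLAN from the bridge device itself, because frames from tagged ports reach the host stack still tagged; the usual fix is an OVS internal port carrying the same tag, with the host address, one dnsmasq instance and the NAT rule per VLAN. Names and numbering here are assumptions chosen for the example: bridge natvbr0, internal ports natvlan<TAG>, tap names tap<N> mapped to tag 10+N, subnet 10.0.<TAG>.0/24 with the host at .2 and the VM lease at .15 (the slirp layout from the post). The WAN interface is taken from the default route unless WAN is set.

```shell
#!/bin/sh
# Added example, not code from the original post: one VLAN per VM on a single
# OVS bridge.  Assumed names: bridge natvbr0, host-side internal ports
# natvlan<TAG>, subnet 10.0.<TAG>.0/24 (host .2, VM lease .15), taps tap<N>.
set -eu

BRIDGE="${BRIDGE:-natvbr0}"
DRY_RUN="${DRY_RUN:-0}"        # DRY_RUN=1 prints each command instead of running it
# Interface of the default route, used for masquerading; override with WAN=... if needed.
WAN="${WAN:-$(ip -o route show default 2>/dev/null | awk '{print $5; exit}')}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# tap<N> -> VLAN tag 10+N, which also keeps 10.0.<tag> clear of 10.0.2.0/24.
tag_for_tap() {
    n="${1#tap}"
    case "$n" in
        ''|*[!0-9]*) echo "tag_for_tap: expected tap<N>, got '$1'" >&2; return 1 ;;
    esac
    [ "$n" -le 244 ] || { echo "tag_for_tap: tap number too large for 10.0.<tag>.0/24" >&2; return 1; }
    echo $((10 + n))
}

vlan_prefix() { echo "10.0.$1"; }   # first three octets of the VLAN's subnet

# Host-side leg of one VLAN: internal port in the VLAN, address, DHCP, NAT and
# forwarding rules that only allow the VLAN to talk to the WAN, not to siblings.
ensure_vlan() {
    tag="$1"; port="natvlan$tag"; net="$(vlan_prefix "$tag")"
    run ovs-vsctl --may-exist add-port "$BRIDGE" "$port" tag="$tag" \
        -- set interface "$port" type=internal
    run ip link set "$port" up
    run ip addr replace "$net.2/24" dev "$port"
    # --bind-interfaces lets one dnsmasq per VLAN coexist on the same host.
    run dnsmasq --interface="$port" --except-interface=lo --bind-interfaces \
        --user=nobody --domain=localnet \
        --dhcp-range="$net.15,$net.15,255.255.255.0,$net.255,72h" \
        --pid-file="/var/run/${port}_dnsmasq.pid" --conf-file
    # ip_forward=1 would otherwise route between natvlan ports; pin the VLAN to the WAN.
    run iptables -A FORWARD -i "$port" -o "$WAN" -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$port" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$port" -j DROP
    run iptables -t nat -A POSTROUTING -s "$net.0/24" -o "$WAN" -j MASQUERADE
}

# VM-side leg: the tap is an access port on the VM's VLAN, so the guest sees
# untagged frames and its ordinary DHCP client keeps working.
attach_tap() {
    tap="$1"; tag="$2"
    run ip link set "$tap" up
    run ovs-vsctl --may-exist add-port "$BRIDGE" "$tap" tag="$tag"
}

# qemu calls this as "<script> <tapname>"; with no argument nothing is changed.
if [ $# -gt 0 ]; then
    tag="$(tag_for_tap "$1")"
    ensure_vlan "$tag"
    attach_tap "$1" "$tag"
fi
```

Pointed at from qemu with something like -netdev tap,id=n0,script=/path/to/this-script, each VM lands in its own VLAN with its own 10.0.<tag>.0/24, and DRY_RUN=1 ./this-script tap3 lists the exact ovs-vsctl, dnsmasq and iptables commands before anything is touched. Two caveats: ensure_vlan is not idempotent for the iptables and dnsmasq steps, so call it once per VLAN (or check the pid file first), and the forwarding rules assume no earlier FORWARD rule already accepts everything, as the ACCEPT-all pair in the original interfaces file would.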