[ovs-discuss] vlan isolation issue

Ben Pfaff blp at nicira.com
Mon Jan 14 19:21:21 UTC 2013


On Sun, Jan 13, 2013 at 06:44:34PM -0200, Túlio Gomes wrote:
> Currently, I'm testing the VLAN isolation feature provided by openvswitch,
> but it's not working as described in the documentation.
> 
> What I'm trying to do is to set two interfaces on each VM (one for data
> control and another for tests)
> 
> For example:
> I have 4 VMs with the following IPs and VLANs:
> eth0 = data control
> eth1 = test purposes
> 1 - eth0: 10.1.1.5; eth1: 10.1.1.33; vlan: 32
> 2 - eth0: 10.1.1.6; eth1: 10.1.1.34; vlan: 32
> 3 - eth0: 10.1.1.7; eth1: 10.1.1.65; vlan: 64
> 4 - eth0: 10.1.1.8; eth1: 10.1.1.66; vlan: 64
> 
> The host has the IP 10.1.1.2 (broadcast 10.1.1.31 and netmask
> 255.255.255.224)
> 
> Here's the problem: I can ping from VM 1 to VM 2 (ping 10.1.1.34), but I
> can also ping from VM 1 to VM 3 or VM 4 (ping 10.1.1.64 or ping 10.1.1.65)
> 
> That is, VMs 1 and 2 can communicate with each other, but they can also
> communicate with VMs 3 and 4.

It seems likely that you are running into an often surprising feature
of the Linux networking stack: Linux is willing to talk on any
assigned IP address on any network interface.  That is, even though
you assign IP 10.1.1.5 to eth0 and 10.1.1.33 to eth1, the kernel will
accept packets for 10.1.1.33 on eth0 and for 10.1.1.5 on eth1.  So,
although you have isolated the eth1 interfaces on VLANs, the VMs are
still willing to talk to each other on the "private" IP addresses via
the eth0 interfaces.
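
One way to check a guest for the behaviour described above, as an added example that is not part of the original message: on Linux the ARP half of it is controlled by the `arp_ignore` sysctl, and this sketch lists the interfaces where it is effectively 0 (answer ARP for any local address). The function name `weak_arp_ifaces` and its optional root-directory argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example: list interfaces that will answer ARP for an IP address
# configured on a *different* interface (effective arp_ignore = 0).
# The kernel uses max(conf/all/arp_ignore, conf/<if>/arp_ignore) per interface.
# This covers ARP replies only; it does not inspect routing or rp_filter.

weak_arp_ifaces() {
    # $1: sysctl tree to inspect (hypothetical parameter so the check can be
    # run against a constructed directory); defaults to the live kernel tree.
    root="${1:-/proc/sys/net/ipv4/conf}"

    all=0
    if [ -r "$root/all/arp_ignore" ]; then
        read -r all < "$root/all/arp_ignore"
    fi

    for dir in "$root"/*/; do
        ifname=$(basename "$dir")
        # Skip the pseudo-entries and loopback.
        case "$ifname" in
            all|default|lo) continue ;;
        esac
        if [ ! -r "$dir/arp_ignore" ]; then
            continue
        fi
        read -r val < "$dir/arp_ignore"
        # Effective value is the larger of the global and per-interface setting.
        if [ "$all" -gt "$val" ]; then
            val=$all
        fi
        if [ "$val" -eq 0 ]; then
            echo "$ifname"
        fi
    done
    return 0
}

# Stand-alone use: print the interfaces on this machine that are affected.
weak_arp_ifaces "$@"
```

Setting `net.ipv4.conf.all.arp_ignore=1` makes a guest reply to ARP only when the target address is configured on the interface that received the request.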


