[ovs-discuss] vlan isolation issue

Ben Pfaff blp at nicira.com
Mon Jan 14 22:12:45 UTC 2013


Like I said, the problem may be that your VMs can communicate over
eth0, and that the VMs are using that to communicate on the "private"
IP addresses.

On Mon, Jan 14, 2013 at 06:19:10PM -0200, Túlio Gomes wrote:
> Ben, thanks for your response.
> 
> My eth0 NIC isn't attached to any VLAN. That is, the VLAN ID that I had
> cited is associated only with the eth1 NIC.
> 
> Do you think it could be my image that doesn't have support for VLANs?
> 
> 2013/1/14 Ben Pfaff <blp at nicira.com>
> 
> > On Sun, Jan 13, 2013 at 06:44:34PM -0200, Túlio Gomes wrote:
> > > Currently, I'm testing the VLAN isolation feature provided by openvswitch,
> > > but it's not working as described in the documentation.
> > >
> > > What I'm trying to do is to set two interfaces on each VM (one for data
> > > control and another for tests).
> > >
> > > For example:
> > > I have 4 VMs with the following IPs and VLANs:
> > > eth0 = data control
> > > eth1 = test purposes
> > > 1 - eth0: 10.1.1.5; eth1: 10.1.1.33; vlan: 32
> > > 2 - eth0: 10.1.1.6; eth1: 10.1.1.34; vlan: 32
> > > 3 - eth0: 10.1.1.7; eth1: 10.1.1.65; vlan: 64
> > > 4 - eth0: 10.1.1.8; eth1: 10.1.1.66; vlan: 64
> > >
> > > The host has the IP 10.1.1.2 (broadcast 10.1.1.31 and netmask
> > > 255.255.255.224).
> > >
> > > Here's the problem: I can ping from VM 1 to VM 2 (ping 10.1.1.34), but I
> > > can also ping from VM 1 to VM 3 or VM 4 (ping 10.1.1.64 or ping 10.1.1.65).
> > >
> > > That is, VMs 1 and 2 can communicate with each other, but they can also
> > > communicate with VMs 3 and 4.
> >
> > It seems likely that you are running into an often surprising feature
> > of the Linux networking stack: Linux is willing to talk on any
> > assigned IP address on any network interface.  That is, even though
> > you assign IP 10.1.1.5 to eth0 and 10.1.1.33 to eth1, the kernel will
> > accept packets for 10.1.1.33 on eth0 and for 10.1.1.5 on eth1.  So,
> > although you have isolated the eth1 interfaces on VLANs, the VMs are
> > still willing to talk to each other on the "private" IP addresses via
> > the eth0 interfaces.
> >
> 
> 
> 
> -- 
> Sincerely,
> Túlio Gomes Barbosa
> br.linkedin.com/in/tuliogomesbarbosa
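
The behaviour discussed in this thread, as an added example that is not part of the original messages: a small model of which VM answers ARP for a "private" eth1 address when the request arrives on eth0. Assumptions (not stated in the thread): all eth0 interfaces share one untagged segment, each guest's routing sends 10.1.1.x traffic out eth0, and the `arp_ignore` argument mirrors the Linux `net.ipv4.conf.*.arp_ignore` sysctl values 0 and 1. Only ARP resolution is modelled.

```python
from itertools import permutations

# Constructed topology using the addresses from the thread.
# Assumption: every eth0 is on one shared untagged segment.
VMS = {
    "vm1": {"eth0": ("10.1.1.5", "untagged"), "eth1": ("10.1.1.33", "vlan32")},
    "vm2": {"eth0": ("10.1.1.6", "untagged"), "eth1": ("10.1.1.34", "vlan32")},
    "vm3": {"eth0": ("10.1.1.7", "untagged"), "eth1": ("10.1.1.65", "vlan64")},
    "vm4": {"eth0": ("10.1.1.8", "untagged"), "eth1": ("10.1.1.66", "vlan64")},
}

def arp_replies(vm, in_iface, target_ip, arp_ignore):
    """arp_ignore=0: answer for any local address, whichever interface owns it.
    arp_ignore=1: answer only if the address is configured on in_iface."""
    if arp_ignore == 0:
        return any(ip == target_ip for ip, _ in VMS[vm].values())
    return VMS[vm][in_iface][0] == target_ip

def reachable(src, dst_ip, arp_ignore=0, egress="eth0"):
    """Return (vm, iface) that answers ARP for dst_ip on the segment the
    sender's egress interface is attached to, or None if nobody answers."""
    segment = VMS[src][egress][1]
    for vm, ifaces in VMS.items():
        if vm == src:
            continue
        for iface, (_, seg) in ifaces.items():
            if seg == segment and arp_replies(vm, iface, dst_ip, arp_ignore):
                return vm, iface
    return None

def isolation_leaks(arp_ignore=0):
    """List (src, dst_ip, answering_iface) where an eth1 address that lives
    in a different VLAN from the sender's eth1 still resolves via eth0."""
    leaks = []
    for src, dst in permutations(VMS, 2):
        dst_ip, dst_vlan = VMS[dst]["eth1"]
        if VMS[src]["eth1"][1] == dst_vlan:
            continue  # same VLAN: communication is expected
        hit = reachable(src, dst_ip, arp_ignore)
        if hit:
            leaks.append((src, dst_ip, hit[1]))
    return leaks

if __name__ == "__main__":
    for mode in (0, 1):
        print(f"arp_ignore={mode}: {isolation_leaks(mode)}")
```
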


