[ovs-discuss] vlan isolation issue

Túlio Gomes tulio.gomesbarbosa at gmail.com
Wed Jan 16 01:26:45 UTC 2013


Hi again Ben,

Here's the output (Portuguese Ubuntu version):

Tabela de Roteamento IP do Kernel
Destino         Roteador        MáscaraGen.    Opções   MSS Janela  irtt Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 br0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 br0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 br0

I changed my network configuration to something like this:

control network: 192.168.0.0
test network 1: 192.168.2.0 (vlan id = 2)
test network 2: 192.168.3.0 (vlan id = 3)

Now the vlan isolation seems to work.

VMs in test network 1 can ping one another, but can't ping VMs
in test network 2. Also, VMs in test network 1 or test network 2 can ping
my host, that is, the control network.

But I don't really know the reason why my first configuration doesn't work.

2013/1/15 Iben Rodriguez <iben.rodriguez at gmail.com>

> Would you please list the route table on your hypervisor?
>
> Run this command...
>
> netstat -r -n
>
> I b e n
> +14087824726
> Skype: ibenrodriguez
>
>
> On Mon, Jan 14, 2013 at 5:11 PM, Túlio Gomes <tulio.gomesbarbosa at gmail.com> wrote:
>
>> Ok Ben,
>> I'll do some tests and return soon.
>>
>> Thank you very much
>>
>> 2013/1/14 Ben Pfaff <blp at nicira.com>
>>
>>> Like I said, the problem may be that your VMs can communicate over
>>> eth0, and that the VMs are using that to communicate on the "private"
>>> IP addresses.
>>>
>>> On Mon, Jan 14, 2013 at 06:19:10PM -0200, Túlio Gomes wrote:
>>> > Ben, thanks for your response.
>>> >
>>> > My eth0 NIC isn't attached to any VLAN. That is, the VLAN IDs that I
>>> > had cited are associated only with the eth1 NIC.
>>> >
>>> > Do you think it could be that my image doesn't have VLAN support?
>>> >
>>> > 2013/1/14 Ben Pfaff <blp at nicira.com>
>>> >
>>> > > On Sun, Jan 13, 2013 at 06:44:34PM -0200, Túlio Gomes wrote:
>>> > > > Currently, I'm testing the VLAN isolation feature provided by
>>> > > > openvswitch, but it's not working as described in the documentation.
>>> > > >
>>> > > > What I'm trying to do is to set two interfaces on each VM (one for
>>> > > > data control and another for tests).
>>> > > >
>>> > > > For example:
>>> > > > I have 4 VMs with the following IPs and VLANs:
>>> > > > eth0 = data control
>>> > > > eth1 = test purposes
>>> > > > 1 - eth0: 10.1.1.5; eth1: 10.1.1.33; vlan: 32
>>> > > > 2 - eth0: 10.1.1.6; eth1: 10.1.1.34; vlan: 32
>>> > > > 3 - eth0: 10.1.1.7; eth1: 10.1.1.65; vlan: 64
>>> > > > 4 - eth0: 10.1.1.8; eth1: 10.1.1.66; vlan: 64
>>> > > >
>>> > > > The host has the IP 10.1.1.2 (broadcast 10.1.1.31 and netmask
>>> > > > 255.255.255.224)
>>> > > >
>>> > > > Here's the problem: I can ping from VM 1 to VM 2 (ping 10.1.1.34),
>>> > > > but I can also ping from VM 1 to VM 3 or VM 4 (ping 10.1.1.64 or
>>> > > > ping 10.1.1.65).
>>> > > >
>>> > > > That is, VMs 1 and 2 can communicate with each other, but they can
>>> > > > also communicate with VMs 3 and 4.
>>> > >
>>> > > It seems likely that you are running into an often surprising feature
>>> > > of the Linux networking stack: Linux is willing to talk on any
>>> > > assigned IP address on any network interface.  That is, even though
>>> > > you assign IP 10.1.1.5 to eth0 and 10.1.1.33 to eth1, the kernel will
>>> > > accept packets for 10.1.1.33 on eth0 and for 10.1.1.5 on eth1.  So,
>>> > > although you have isolated the eth1 interfaces on VLANs, the VMs are
>>> > > still willing to talk to each other on the "private" IP addresses via
>>> > > the eth0 interfaces.
>>> > >
>>> >
>>> >
>>> >
>>> > --
>>> > Regards,
>>> > Túlio Gomes Barbosa
>>> > br.linkedin.com/in/tuliogomesbarbosa
>>>
>>
>>
>>
>> --
>> Regards,
>> Túlio Gomes Barbosa
>> br.linkedin.com/in/tuliogomesbarbosa
>>
>>
>>
>>
>


-- 
Regards,
Túlio Gomes Barbosa
br.linkedin.com/in/tuliogomesbarbosa
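
Added example, not part of the original thread: a small Python model of the behaviour Ben Pfaff describes above (a host accepting packets for any of its addresses on any interface), run against the two address layouts from this thread. The /24 masks on the first layout, the host octets on the second layout, the segment labels and all function names are assumptions made for the illustration.

```python
import ipaddress
from collections import namedtuple

# name, address/prefix, and the L2 segment (broadcast domain) the NIC sits on
Nic = namedtuple("Nic", "name cidr segment")

def net(nic):
    return ipaddress.ip_interface(nic.cidr).network

def ip(nic):
    return ipaddress.ip_interface(nic.cidr).ip

def egress(nics, dst):
    """Connected-route lookup: longest prefix wins, ties go to the first NIC
    listed (modelling assumption: its route was installed first)."""
    hits = [n for n in nics if dst in net(n)]
    return max(hits, key=lambda n: net(n).prefixlen, default=None)

def delivery(src, dst_host, dst_ip, strong_host=False):
    """Return (sender NIC, receiver NIC) names if an on-link packet for dst_ip
    is accepted by dst_host, else None. Gateways are not modelled."""
    dst = ipaddress.ip_address(dst_ip)
    out = egress(src, dst)
    if out is None or all(ip(n) != dst for n in dst_host):
        return None
    for n in dst_host:
        # Weak host model: any NIC on the sender's segment accepts traffic
        # for any local address. Strong host: only the NIC owning dst_ip.
        if n.segment == out.segment and (not strong_host or ip(n) == dst):
            return (out.name, n.name)
    return None

# Constructed hosts. First layout: addresses from the thread, /24 masks assumed.
OLD_VM1 = [Nic("eth0", "10.1.1.5/24", "untagged"), Nic("eth1", "10.1.1.33/24", "vlan32")]
OLD_VM3 = [Nic("eth0", "10.1.1.7/24", "untagged"), Nic("eth1", "10.1.1.65/24", "vlan64")]
# Second layout: one subnet per network; the host octets are made up.
NEW_VM1 = [Nic("eth0", "192.168.0.11/24", "untagged"), Nic("eth1", "192.168.2.11/24", "vlan2")]
NEW_VM2 = [Nic("eth0", "192.168.0.12/24", "untagged"), Nic("eth1", "192.168.2.12/24", "vlan2")]
NEW_VM3 = [Nic("eth0", "192.168.0.13/24", "untagged"), Nic("eth1", "192.168.3.13/24", "vlan3")]

if __name__ == "__main__":
    print("old, VM1 -> 10.1.1.65:", delivery(OLD_VM1, OLD_VM3, "10.1.1.65"))
    print("old, strong host:     ", delivery(OLD_VM1, OLD_VM3, "10.1.1.65", True))
    print("new, VM1 -> VM3 test: ", delivery(NEW_VM1, NEW_VM3, "192.168.3.13"))
    print("new, VM1 -> VM2 test: ", delivery(NEW_VM1, NEW_VM2, "192.168.2.12"))
```

In the first layout the packet for the VLAN 64 address leaves and arrives on the untagged eth0 interfaces, so the VLAN tags on eth1 are never involved; in the second layout the test subnets have no on-link route over eth0, so only the tagged path remains.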