[ovs-discuss] Sflow packet samples in Openstack environment on OVS bridge

harsh jain harshjain32 at gmail.com
Fri Apr 24 11:53:56 UTC 2015


Hi Peter,

I tried with sFlow enabled on both ports and I am able to get samples in
both directions. Thanks.

OpenStack uses Linux Bridge to apply iptables security rules. Refer to the
diagram below.

https://ask.openstack.org/en/question/58638/does-neutron-br-int-accepts-nova-instances-sending-vlan-tagged-traffic/


Regards
Harsh Jain




On Thu, Apr 23, 2015 at 7:41 PM, Peter Phaal <peter.phaal at inmon.com> wrote:

> I am unfamiliar with this configuration. I wasn’t aware that you could
> create a patch link between the Linux bridge and OVS. I thought patch links
> were internal to OVS. Why are you using the Linux bridge? Why not connect
> VMs directly to OVS?
>
> Normally the traffic from a VM would enter br-int through a veth port and
> be sampled. In the reverse direction traffic enters through a network
> adapter attached to br-tun and would be sampled (provided you enable sFlow
> on br-tun).
>
> On Apr 23, 2015, at 12:54 AM, harsh jain <harshjain32 at gmail.com> wrote:
>
> Hi Peter,
>
> One confusion: if patch ports are ignored, then how does br-int capture
> the samples of outgoing packets from the VM, as br-int is connected via
> patch ports on both ends?
>
>
> Linux Bridge-->Patch port --> br-int(Sflow enabled) --> patch-port -->
> br-tun
>
>
> Regards
> Harsh Jain
>
>
>
> On Thu, Apr 23, 2015 at 11:26 AM, Peter Phaal <peter.phaal at inmon.com>
> wrote:
>
>> Ingress means that packets are captured as they are received on
>> physical or virtual bridge ports. Patch ports are ignored.
>>
>> In stand alone mode you typically define a single bridge. However,
>> OpenStack defines a pair of bridges (br-in and br-ex) and to get full
>> coverage, you need to enable sFlow on both bridges.
>>
>> Why is it a problem that the sFlow sample contains the GRE header? An
>> sFlow analyzer should be able to decode tenant packet encapsulated by GRE.
>> There is currently work underway to add support for the sFlow tunnel spec
>> to OVS which should further improve visibility into underlay / overlay in
>> virtual networks:
>>
>> http://sflow.org/sflow_tunnels.txt
>>
>> Peter
>>
>>
>> On Apr 22, 2015, at 10:31 PM, harsh jain <harshjain32 at gmail.com> wrote:
>>
>> Hi Peter,
>>
>> Thanks for reply.
>>
>> What is the difference in vSwitch configuration between an OpenStack
>> environment and standalone use? If I try to enable sFlow on an OVS bridge
>> having the following setup, it captures packets in both directions. I think
>> I am not able to understand exactly what ingress means.
>>
>> In PC
>> eth0--> br0-->tap0 (mktun command) --> Passed the tap device to qemu to
>> launch VM.
>>
>> In compute node
>> VM-->tap-->Linux Bridge --veth pair-->br-int(sflow enabled)-veth
>> pair->br-tun
>>
>>
>> Actually, we cannot use br-ex to enable flow because the sFlow sample
>> contains the GRE header.
>>
>>
>> Thanks & Regards
>> Harsh Jain
>>
>>
>>
>> On Wed, Apr 22, 2015 at 8:00 PM, Peter Phaal <peter.phaal at inmon.com>
>> wrote:
>>
>>> The sFlow implementation in OVS applies ingress sampling. To get full
>>> coverage into all traffic paths you need to enable sFlow on all bridges.
>>> For OpenStack, enabling sFlow on br-ex should give you visibility into the
>>> traffic destined to VMs.
>>>
>>> You may also want to take a look at the Host sFlow agent (
>>> http://host-sflow.sourceforge.net/). It can automatically manage the
>>> OVS sFlow settings and will also export hypervisor and VM CPU, memory, disk
>>> and network IO stats.
>>>
>>> On Apr 22, 2015, at 12:46 AM, harsh jain <harshjain32 at gmail.com> wrote:
>>>
>>> Hi,
>>>
>>> I tried to collect sFlow packets on an OVS switch in OpenStack, but the
>>> captured packets contain only traffic coming out from the VM, i.e. samples
>>> contain raw packets of the VM-to-external-network direction only. The
>>> following command is used to enable it:
>>>
>>> export COLLECTOR_IP=10.3.5.112
>>> export COLLECTOR_PORT=6343
>>> export AGENT_IP=eth1
>>> export HEADER_BYTES=256
>>> export SAMPLING_N=1
>>> export POLLING_SECS=10
>>>
>>> ovs-vsctl -- --id=@sflow create sflow agent=${AGENT_IP} \
>>>     target=\"${COLLECTOR_IP}:${COLLECTOR_PORT}\" header=${HEADER_BYTES} \
>>>     sampling=${SAMPLING_N} polling=${POLLING_SECS} \
>>>     -- set bridge br-int sflow=@sflow
>>>
>>> Connection is
>>> VM ->tap device->br-int(sflow enabled)-----veth-pair----->br-data-eth.
>>>
>>> Why are packets collected for one direction only?
>>>
>>>
>>> Thanks & Regards
>>> Harsh Jain
>>> _______________________________________________
>>> discuss mailing list
>>> discuss at openvswitch.org
>>> http://openvswitch.org/mailman/listinfo/discuss
>>>
>>>
>>>
>>
>>
>
>
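
Added example (not part of the original thread and not code from the OVS project): a POSIX shell sketch of what the thread converges on, attaching one sFlow record to both br-int and br-tun in a single ovs-vsctl transaction so that ingress sampling covers both traffic directions. The function names and the APPLY switch are assumptions; the collector values are the ones quoted in the first message.

```shell
#!/bin/sh
# Added example. Defaults are the values quoted in the thread.
COLLECTOR_IP=${COLLECTOR_IP:-10.3.5.112}
COLLECTOR_PORT=${COLLECTOR_PORT:-6343}
AGENT_IP=${AGENT_IP:-eth1}
HEADER_BYTES=${HEADER_BYTES:-256}
SAMPLING_N=${SAMPLING_N:-1}
POLLING_SECS=${POLLING_SECS:-10}

# sflow_args BRIDGE...  (hypothetical helper)
# Prints the ovs-vsctl arguments that create one sFlow record and attach it
# to every bridge named. OVS samples on ingress only, so each bridge whose
# ports receive traffic of interest must be listed.
sflow_args() {
    [ "$#" -ge 1 ] || { echo "usage: sflow_args BRIDGE..." >&2; return 2; }
    # Refuse anything that is not a plain bridge name before it reaches
    # a command line.
    for br in "$@"; do
        case "$br" in
            ''|*[!A-Za-z0-9_.-]*)
                echo "invalid bridge name: $br" >&2; return 1 ;;
        esac
    done
    out="-- --id=@sflow create sflow agent=${AGENT_IP}"
    out="$out target=\"${COLLECTOR_IP}:${COLLECTOR_PORT}\""
    out="$out header=${HEADER_BYTES} sampling=${SAMPLING_N}"
    out="$out polling=${POLLING_SECS}"
    for br in "$@"; do
        out="$out -- set bridge $br sflow=@sflow"
    done
    printf '%s\n' "$out"
}

# enable_sflow BRIDGE...  (hypothetical helper)
# Prints the command by default; runs it only when APPLY=1 is set.
enable_sflow() {
    args=$(sflow_args "$@") || return
    if [ "${APPLY:-0}" = 1 ]; then
        # Word splitting is intended: the literal quotes around target
        # must reach ovs-vsctl unchanged.
        ovs-vsctl $args
    else
        printf 'ovs-vsctl %s\n' "$args"
    fi
}

# Bridges named in the thread for a GRE-based OpenStack compute node.
enable_sflow br-int br-tun
```

After applying, `ovs-vsctl get bridge br-tun sflow` should return the same record UUID as for br-int, which confirms both bridges export to the same collector.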