[ovs-discuss] Leaking packets from one bridge to another or how can I isolate networks with OVS?

Peter Schmitt p.schmitt.82 at gmx.net
Thu Aug 20 12:21:47 UTC 2015


Thanks for adding me to this list. I have a fairly strange problem and I am
not sure if it is a design flaw in my setup or a bug.

I want to use OpenVSwitch and KVMs to create some test networks that have
Internet access but are strictly separated otherwise, so that I have VLAN
functionality and packets from different networks do not interfere with each
My setup is as following:

I have one host and I use one instance of ovs 2.3.0 and pox with the
l2_learning module as controller on every bridge.
I have a bridge br0 that should be used for the access to the outer network.
This bridge has an IP address on the host and also the physical devices
as a bond. Also one interface from a KVM (KVM0) is added to this bridge.

Bridge "br0"
    Controller "tcp:"
        is_connected: true
    Port "tap0"
        Interface "tap0"
    Port "br0"
        Interface "br0"
            type: internal
    Port "bond0"
        Interface "p12p2"
        Interface "p10p1"
        Interface "p12p1"

I have access to the outer network from KVM0. Now I added a second bridge
br1000. This device is not up on the host and only used in ovs. I
start some KVMs and connect the tap devices to this bridge br1000 and
also some interfaces from KVM0. So basically, KVM0 is connected to br0
and br1000. I use IP forwarding on KVM0 to enable access for all the
other KVMs on br1000. This also works.

Bridge "br1000"
    Controller "tcp:"
        is_connected: true
    Port "br1000"
        Interface "br1000"
            type: internal
    Port "tap4"
        Interface "tap4"
    Port "tap1"
        Interface "tap1"
    Port "tap3"
        Interface "tap3"
    Port "tap2"
        Interface "tap2"

What happens now is that I can see ARP requests and other traffic from
the outer network on br1000, which should (in my understanding) not be
visible on br1000. It should only be visible on br0. I can also see this
traffic from inside the KVMs connected to br1000 only.

Some experiments I did:

Removing KVM0's interface tap0 from br0 and adding it to br1000 fixes the
problem that I can see other traffic, but of course, access to the outer
network is not available from all KVMs.
Adding a patch connection between br0 and br1000 of course lets the traffic
appear again on both bridges and I have again internet access.
I cannot see why my KVM0 should forward ARP requests to a different
Layer 3 network?!

Can anyone point me in the right direction on what is going wrong here?
Is the setup in general ok? How can I achieve isolated networks and
IP forwarding between my outer network and the KVM networks?
If any further information is needed, I am happy to give it to you. I
have this setup ready and can do tests if needed.

Thank you in advance.

Best regards,
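One check that helps narrow down a leak like the one described above is to compare the learned-MAC tables of the two bridges: an outer-network MAC that br1000 has learned tells you which br1000 port the frames are arriving on. This is an added example, not code from the thread; it parses the text format of `ovs-appctl fdb/show <bridge>` (columns port, VLAN, MAC, Age), and the two dumps below are constructed sample data with made-up MACs and port numbers.

```python
"""Report MAC addresses learned on more than one OVS bridge and the
OpenFlow port each bridge learned them on. Input is the text printed by
`ovs-appctl fdb/show <bridge>`; the samples here are constructed."""
import re
from collections import defaultdict

# One fdb/show data row: port, VLAN, MAC, Age. The header row has no digits
# in the first column and is skipped.
FDB_LINE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\d+)\s*$", re.I)

# Constructed sample dumps (not from the thread). 00:1b:21:* stand for hosts
# on the outer network; 52:54:00:* stand for KVM guest interfaces.
SAMPLE = {
    "br0": """\
 port  VLAN  MAC                Age
    1     0  52:54:00:aa:bb:01    3
    2     0  00:1b:21:11:22:33    7
    2     0  00:1b:21:44:55:66   12
""",
    "br1000": """\
 port  VLAN  MAC                Age
    2     0  52:54:00:aa:bb:03    5
    1     0  00:1b:21:11:22:33    8
    1     0  00:1b:21:44:55:66   14
""",
}

def parse_fdb(text):
    """Return {mac: (port, vlan)} for one fdb/show dump."""
    table = {}
    for line in text.splitlines():
        m = FDB_LINE.match(line)
        if m:
            port, vlan, mac, _age = m.groups()
            table[mac.lower()] = (int(port), int(vlan))
    return table

def find_shared_macs(dumps):
    """Map each MAC present on two or more bridges to {bridge: port}."""
    seen = defaultdict(dict)
    for bridge, text in dumps.items():
        for mac, (port, _vlan) in parse_fdb(text).items():
            seen[mac][bridge] = port
    return {mac: br for mac, br in seen.items() if len(br) > 1}

def leaking_ports(dumps, bridge):
    """Ports of `bridge` on which a MAC also known to another bridge was learned."""
    return sorted({br[bridge] for br in find_shared_macs(dumps).values() if bridge in br})

if __name__ == "__main__":
    for mac, where in sorted(find_shared_macs(SAMPLE).items()):
        print(mac, " ".join(f"{b}:port{p}" for b, p in sorted(where.items())))
    print("br1000 ports carrying foreign MACs:", leaking_ports(SAMPLE, "br1000"))
```

Map the reported OpenFlow port numbers back to tap names with `ovs-ofctl show <bridge>`; in a setup like the one in the thread, the port that carries the outer-network MACs is the one to look at.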

