[ovs-discuss] OVS [vlan] Fake Bridge

Ben Pfaff blp at nicira.com
Wed May 27 01:33:44 UTC 2015

On Wed, May 20, 2015 at 03:56:19PM -0400, Sean McCully wrote:
> I am having a problem configuring open vswitch with my vlan configuration,
> I am running Ubuntu 15.04 (3.16.0-37).
> The following with ip/kernel configuration works,
> $ ip link add link eth1 name eth1.120 type vlan id 120
> $ ip add add dev eth1.120
> $ ip link set up dev eth1.120
> $ route add default gw eth1.120
> $ ping -c 2
> I am under the impression the following should work with ovs to establish
> the same results, but does not.
> $ ip link set promisc on dev eth1
> $ ovs-vsctl --version
>   ovs-vsctl (Open vSwitch) 2.3.1
>   DB Schema 7.6.2
> $ ovs-vsctl add-br br1
> $ ovs-vsctl add-port br1 eth1
> $ ovs-vsctl add-br vlan120 br1 120 # Create Fake Bridge with vlan 120
> $ ovs-vsctl add-port vlan120 vif120 -- set interface vif120 type=internal
> $ ifconfig vif120 up
> $ route add default gw
> $ ping -c 2
> Loss of packets, have I missed something? How should I achieve same ip
> stack configuration with ovs as shown above?

The usual way to do this with an OVS "fake bridge" would be to configure
the VLAN IP on br1 rather than vlan120.  We used to test with this
pretty routinely under XenServer, for example.  I don't know why adding
the additional interface would make a difference but it at
least distinguishes this configuration from what I'm used to seeing.

You might also want to read the VLAN section of the FAQ, particularly
these two Q&A:

### Q: Can I configure an IP address on a VLAN?

A: Yes.  Use an "internal port" configured as an access port.  For
   example, the following configures IP address on VLAN 9.
   That is, OVS will forward packets from eth0 to only if
   they have an 802.1Q header with VLAN 9.  Conversely, traffic
   forwarded from to eth0 will be tagged with an 802.1Q
   header with VLAN 9:

       ovs-vsctl add-br br0
       ovs-vsctl add-port br0 eth0
       ovs-vsctl add-port br0 vlan9 tag=9 -- set interface vlan9 type=internal
       ifconfig vlan9

   See also the following question.

### Q: I configured one IP address on VLAN 0 and another on VLAN 9, like

       ovs-vsctl add-br br0
       ovs-vsctl add-port br0 eth0
       ifconfig br0
       ovs-vsctl add-port br0 vlan9 tag=9 -- set interface vlan9 type=internal
       ifconfig vlan9

   but other hosts that are only on VLAN 0 can reach the IP address
   configured on VLAN 9.  What's going on?

A: RFC 1122 section "Multihoming Requirements" describes two
   approaches to IP address handling in Internet hosts:

   - In the "Strong ES Model", where an ES is a host ("End
     System"), an IP address is primarily associated with a
     particular interface.  The host discards packets that arrive
     on interface A if they are destined for an IP address that is
     configured on interface B.  The host never sends packets from
     interface A using a source address configured on interface B.

   - In the "Weak ES Model", an IP address is primarily associated
     with a host.  The host accepts packets that arrive on any
     interface if they are destined for any of the host's IP
     addresses, even if the address is configured on some
     interface other than the one on which it arrived.  The host
     does not restrict itself to sending packets from an IP
     address associated with the originating interface.

   Linux uses the weak ES model.  That means that when packets
   destined to the VLAN 9 IP address arrive on eth0 and are bridged to
   br0, the kernel IP stack accepts them there for the VLAN 9 IP
   address, even though they were not received on vlan9, the network
   device for vlan9.

   To simulate the strong ES model on Linux, one may add iptables rules
   to filter packets based on source and destination address and
   adjust ARP configuration with sysctls.

   BSD uses the strong ES model.
