[ovs-discuss] OVN on a non-OpenStack and non-sandbox environment.
scott.lowe at scottlowe.org
Fri Dec 23 17:53:43 UTC 2016
On 12/23/2016 03:45 AM, pranab boruah wrote:
> Hello Everyone,
> We are trying to experiment with OVN ACLs on a native setup (non-OpenStack
> and non-sandbox). We couldn't find any blog posts or documentation on
> how to do this.
> *Gerhard Stenzel* has posted in this thread somewhat similar to what I
> need:
> But my requirements are different. Also the ovn architecture document
> specifically mentions that we shouldn't add physical ports to br-int:
> *Chassis Setup* section in
> Setup Configurations:
> Physical Host 1:
> - ovs 2.6 installed.
> - launched a VM with MacVTap(macvtap0) to em1(physical NIC).
> - VM's nic ip : 172.16.10.50
> Physical Host 2:
> - em1(Physical NIC) with IP 172.16.10.10
> I can ping 172.16.10.50 from 172.16.10.10. My question is how do I
> set-up ACL rules for the traffic that are to be allowed/not-allowed to
> this VM. The constraints are :
> 1) Should work in non-OpenStack and non-sandbox environment.
> 2) VM's interface attached either through MacVTap or SRIOV modes only.
To echo what Ben said already, you can't use MacVTAP or SRIOV interfaces
with OVN, as both of these types of interfaces bypass OVS (and OVS is
where the ACLs are enforced).
Using "normal" TAP interfaces for your VMs would work, though, even in
Best of luck,