[ovs-discuss] OVN on a non-OpenStack and non-sandbox environment.

Scott Lowe scott.lowe at scottlowe.org
Fri Dec 23 17:53:43 UTC 2016

On 12/23/2016 03:45 AM, pranab boruah wrote:
> Hello Everyone,
> We are trying to experiment with OVN ACLs on a native setup (non-OpenStack
> and non-sandbox). We couldn't find any blog posts or documentation on
> how to do this.
> Gerhard Stenzel has posted in this thread something similar to what I
> need:
> https://mail.openvswitch.org/pipermail/ovs-discuss/2016-July/041871.html
> But my requirements are different. Also the ovn architecture document
> specifically mentions that we shouldn't add physical ports to br-int:
> Chassis Setup section in
> http://openvswitch.org/support/dist-docs/ovn-architecture.7.html.
> Setup Configurations:
> Physical Host 1:
>       - ovs 2.6 installed.
>       - launched a VM with MacVTap(macvtap0) to em1(physical NIC).
>       - VM's nic ip :
> Physical Host 2:
>       - em1(Physical NIC) with IP
> I can ping from My question is how do I
> set up ACL rules for the traffic that is to be allowed/not allowed to
> this VM. The constraints are:
> 1) Should work in non-OpenStack and non-sandbox environment.
> 2) VM's interface attached either through MacVTap or SRIOV modes only.

To echo what Ben said already, you can't use MacVTAP or SRIOV interfaces 
with OVN, as both of these types of interfaces bypass OVS (and OVS is 
where the ACLs are enforced).

Using "normal" TAP interfaces for your VMs would work, though, even in 
non-OpenStack environments.

Best of luck,
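
One way to apply the advice above on a plain OVS/OVN host, as an added example that is not part of the original message: bind a normal TAP device to an OVN logical port and attach ACLs to it. The names sw0, vm1 and tap0, the MAC and the IP are constructed placeholders, and it assumes ovn-northd and ovn-controller are already running with the chassis registered.

```sh
#!/bin/sh
# Added example: sw0, vm1, tap0, the MAC and the IP are constructed
# placeholders, not values from the thread.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Bind a TAP device to an OVN logical switch port and restrict its traffic.
ovn_tap_acl() {
    ls="$1"; lsp="$2"; tap="$3"; mac="$4"; ip="$5"

    # Logical topology in the OVN northbound database.
    run ovn-nbctl --may-exist ls-add "$ls"
    run ovn-nbctl --may-exist lsp-add "$ls" "$lsp"
    run ovn-nbctl lsp-set-addresses "$lsp" "$mac $ip"
    # Port security drops frames the VM sends with a spoofed MAC or IP.
    run ovn-nbctl lsp-set-port-security "$lsp" "$mac $ip"

    # Attach the TAP to br-int; iface-id ties it to the logical port, so
    # the VM's traffic passes through OVS, where the ACLs are enforced.
    run ovs-vsctl --may-exist add-port br-int "$tap" -- \
        set Interface "$tap" "external_ids:iface-id=$lsp"

    # Outbound from the VM: allow statefully so replies are accepted.
    run ovn-nbctl acl-add "$ls" from-lport 1000 \
        "inport == \"$lsp\" && ip" allow-related
    # Inbound to the VM: allow SSH and ICMP, drop all other IP traffic.
    run ovn-nbctl acl-add "$ls" to-lport 1000 \
        "outport == \"$lsp\" && ip4 && tcp.dst == 22" allow-related
    run ovn-nbctl acl-add "$ls" to-lport 1000 \
        "outport == \"$lsp\" && ip4 && icmp4" allow-related
    run ovn-nbctl acl-add "$ls" to-lport 900 \
        "outport == \"$lsp\" && ip" drop
}

ovn_tap_acl sw0 vm1 tap0 "52:54:00:00:00:01" "192.0.2.10"
```

After running with DRY_RUN=0, `ovn-nbctl acl-list sw0` shows the installed rules.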

