[ovs-discuss] Enabling IPFIX in OpenVSwitch breaks VXLAN tunneling

Ben Pfaff blp at ovn.org
Sat Jul 2 00:47:02 UTC 2016 

On Tue, Jun 28, 2016 at 05:03:20PM +0200, Lluís Gifre wrote:
> I'm experiencing a problem when enabling IPFIX on an OpenVSwitch where VXLAN
> tunnels are configured to interconnect 2 VMs (Virtual Box).
> 
> I'm running the setup on Ubuntu v16.04 using the repo OpenVSwitch v2.5.0 and
> VirtualBox v5.0.22.
> 
> My setup is as follows:
> 2 bridges, each with a TAP interface connected to a VBox VM
> 
> The commands I used for setting up this environment are:
> 
> # Create bridges
> sudo ovs-vsctl add-br br1
> sudo ovs-vsctl add-br br2
> 
> # Create tap interfaces
> sudo ip tuntap add mode tap tap1
> sudo ip tuntap add mode tap tap2
> 
> # Bring up tap interfaces
> sudo ip link set tap1 up
> sudo ip link set tap2 up
> 
> # Add interfaces to bridge br0
> sudo ovs-vsctl add-port br1 tap1
> sudo ovs-vsctl add-port br2 tap2
> 
> # Bring up bridges
> sudo ifconfig br1 up
> sudo ifconfig br2 up
> 
> # Set IP address on bridges
> sudo ifconfig br1 10.254.254.1/24
> sudo ifconfig br2 10.254.254.2/24
> 
> # Configure VXLAN tunnels
> sudo ovs-vsctl add-port br1 vxlan12 -- set interface vxlan12 type=vxlan
> options:local_ip=10.254.254.1 options:remote_ip=10.254.254.2
> options:in_key=flow options:out_key=flow
> sudo ovs-vsctl add-port br2 vxlan21 -- set interface vxlan21 type=vxlan
> options:local_ip=10.254.254.2 options:remote_ip=10.254.254.1
> options:in_key=flow options:out_key=flow
> 
> Until that point, VMs can ping one to the other.
> 
> Then, without disabling the "pings" I enabled IPFIX in both bridges:
> 
> # Enable IPFIX on bridges
> #   Data Collector IP = 172.26.37.124
> #   Data Collector Port = 4739 (UDP)
> #   Packets per sample = 1
> 
> sudo ovs-vsctl -- set bridge br1 ipfix=@ipfix -- --id=@ipfix create IPFIX \
>     targets=\"172.26.37.124:4739\" \
>     obs_domain_id=1 obs_point_id=1 \
>     sampling=1 cache_active_timeout=60\
>     other_config:enable-tunnel-sampling=true
> 
> sudo ovs-vsctl -- set bridge br2 ipfix=@ipfix -- --id=@ipfix create IPFIX \
>     targets=\"172.26.37.124:4739\" \
>     obs_domain_id=1 obs_point_id=2 \
>     sampling=1 cache_active_timeout=60\
>     other_config:enable-tunnel-sampling=true
> 
> Just after enabling IPFIX the connectivity between VMs is interrupted.

A sampling rate of 1 (meaning sample 100% of packets) could be risky if
the target is on an OVS bridge, because it could essentially cause a
loop by causing every IPFIX packet to be sampled.  Try a lower sample
rate?

More information about the discuss mailing list