[ovs-discuss] Enabling IPFIX in OpenVSwitch breaks VXLAN tunneling

Lluís Gifre lgifre at ac.upc.edu
Mon Jul 4 07:49:33 UTC 2016


Dear Ben,

I agree with you that sampling 100% of packets could be risky in 
scenarios with several hosts. However, I was monitoring a ping between 2 
VMs, i.e., 2 ICMP + 2 ARP packets per second plus VXLAN overhead.
I think it should work even when sampling 100% of traffic.

BTW, I started a parallel thread with subject "Bug OpenVSwitch 2.5.0 - 
Enabling IPFIX in OpenVSwitch breaks VXLAN tunneling". They are both the 
same, except that I added "Bug OpenVSwitch 2.5.0" just to emphasize that 
the problem is in the newest LTS version of OVS. We could continue this 
discussion on that thread.

Best,
Lluis


On 02/07/16 02:47, Ben Pfaff wrote:
> On Tue, Jun 28, 2016 at 05:03:20PM +0200, Lluís Gifre wrote:
>> I'm experiencing a problem when enabling IPFIX on an OpenVSwitch where VXLAN
>> tunnels are configured to interconnect 2 VMs (Virtual Box).
>>
>> I'm running the setup on Ubuntu v16.04 using the repo OpenVSwitch v2.5.0 and
>> VirtualBox v5.0.22.
>>
>> My setup is as follows:
>> 2 bridges, each with a TAP interface connected to a VBox VM
>>
>> The commands I used for setting up this environment are:
>>
>> # Create bridges
>> sudo ovs-vsctl add-br br1
>> sudo ovs-vsctl add-br br2
>>
>> # Create tap interfaces
>> sudo ip tuntap add mode tap tap1
>> sudo ip tuntap add mode tap tap2
>>
>> # Bring up tap interfaces
>> sudo ip link set tap1 up
>> sudo ip link set tap2 up
>>
>> # Add interfaces to bridges br1 and br2
>> sudo ovs-vsctl add-port br1 tap1
>> sudo ovs-vsctl add-port br2 tap2
>>
>> # Bring up bridges
>> sudo ifconfig br1 up
>> sudo ifconfig br2 up
>>
>> # Set IP address on bridges
>> sudo ifconfig br1 10.254.254.1/24
>> sudo ifconfig br2 10.254.254.2/24
>>
>> # Configure VXLAN tunnels
>> sudo ovs-vsctl add-port br1 vxlan12 -- set interface vxlan12 type=vxlan \
>>      options:local_ip=10.254.254.1 options:remote_ip=10.254.254.2 \
>>      options:in_key=flow options:out_key=flow
>> sudo ovs-vsctl add-port br2 vxlan21 -- set interface vxlan21 type=vxlan \
>>      options:local_ip=10.254.254.2 options:remote_ip=10.254.254.1 \
>>      options:in_key=flow options:out_key=flow
>>
>> Until that point, VMs can ping one to the other.
>>
>> Then, without disabling the "pings" I enabled IPFIX in both bridges:
>>
>> # Enable IPFIX on bridges
>> #   Data Collector IP = 172.26.37.124
>> #   Data Collector Port = 4739 (UDP)
>> #   Packets per sample = 1
>>
>> sudo ovs-vsctl -- set bridge br1 ipfix=@ipfix -- --id=@ipfix create IPFIX \
>>      targets=\"172.26.37.124:4739\" \
>>      obs_domain_id=1 obs_point_id=1 \
>>      sampling=1 cache_active_timeout=60 \
>>      other_config:enable-tunnel-sampling=true
>>
>> sudo ovs-vsctl -- set bridge br2 ipfix=@ipfix -- --id=@ipfix create IPFIX \
>>      targets=\"172.26.37.124:4739\" \
>>      obs_domain_id=1 obs_point_id=2 \
>>      sampling=1 cache_active_timeout=60 \
>>      other_config:enable-tunnel-sampling=true
>>
>> Just after enabling IPFIX the connectivity between VMs is interrupted.
> A sampling rate of 1 (meaning sample 100% of packets) could be risky if
> the target is on an OVS bridge, because it could essentially cause a
> loop by causing every IPFIX packet to be sampled.  Try a lower sample
> rate?
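
Added example, not part of the original thread: a pre-flight check for the condition Ben describes, where IPFIX export packets leave the host through an OVS bridge while `sampling=1`. The function names and result strings are assumptions made here, and only the bridge-local port (the interface named like the bridge, as in the setup above) is checked.

```shell
#!/bin/sh
# Added example: inputs are passed as text so the logic can be exercised
# offline; the live commands that produce them are shown at the bottom.

# Print the egress device named in `ip route get <addr>` output.
route_dev() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# ipfix_loop_risk SAMPLING ROUTE_LINE BRIDGES
#   SAMPLING   - value of the IPFIX "sampling" column (1 = every packet)
#   ROUTE_LINE - output of `ip route get <collector>`
#   BRIDGES    - newline-separated output of `ovs-vsctl list-br`
# Prints:
#   risk       exports leave via an OVS bridge and every packet is sampled
#   on-bridge  exports leave via an OVS bridge at a lower sampling rate
#   ok         exports leave via a non-OVS device (or no route was found)
ipfix_loop_risk() {
    dev=$(route_dev "$2")
    if [ -n "$dev" ] && printf '%s\n' "$3" | grep -qxF -- "$dev"; then
        if [ "$1" -le 1 ]; then
            echo risk
        else
            echo on-bridge
        fi
    else
        echo ok
    fi
}

# Live use on the host (collector address taken from the post):
#   ipfix_loop_risk 1 "$(ip route get 172.26.37.124)" "$(ovs-vsctl list-br)"
```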



