[ovs-discuss] Enabling IPFIX in OpenVSwitch breaks VXLAN tunneling

Ben Pfaff blp at ovn.org
Mon Jul 4 14:59:32 UTC 2016


100% sampling isn't a problem in itself, but if the IPFIX packets
themselves get sampled it could cause a loop.  Do you have evidence of
that?

Please don't start multiple identical threads.

On Mon, Jul 04, 2016 at 09:49:33AM +0200, Lluís Gifre wrote:
> Dear Ben,
> 
> I agree with you that sampling 100% of packets could be risky in scenarios
> with several hosts. However, I was monitoring a ping between 2 VMs, i.e., 2
> ICMP + 2 ARP packets per second plus VXLAN overhead.
> I think it should work even when sampling 100% of traffic.
> 
> BTW, I started a parallel thread with subject "Bug OpenVSwitch 2.5.0 -
> Enabling IPFIX in OpenVSwitch breaks VXLAN tunneling". They are both the
> same, except that I added "Bug OpenVSwitch 2.5.0" just to emphasize that the
> problem is in the newest LTS version of OVS. We could continue this
> discussion on that thread.
> 
> Best,
> Lluis
> 
> 
> On 02/07/16 02:47, Ben Pfaff wrote:
> >On Tue, Jun 28, 2016 at 05:03:20PM +0200, Lluís Gifre wrote:
> >>I'm experiencing a problem when enabling IPFIX on an OpenVSwitch where VXLAN
> >>tunnels are configured to interconnect 2 VMs (VirtualBox).
> >>
> >>I'm running the setup on Ubuntu v16.04 using the repo OpenVSwitch v2.5.0 and
> >>VirtualBox v5.0.22.
> >>
> >>My setup is as follows:
> >>2 bridges, each with a TAP interface connected to a VBox VM
> >>
> >>The commands I used for setting up this environment are:
> >>
> >># Create bridges
> >>sudo ovs-vsctl add-br br1
> >>sudo ovs-vsctl add-br br2
> >>
> >># Create tap interfaces
> >>sudo ip tuntap add mode tap tap1
> >>sudo ip tuntap add mode tap tap2
> >>
> >># Bring up tap interfaces
> >>sudo ip link set tap1 up
> >>sudo ip link set tap2 up
> >>
> >># Add interfaces to bridges br1 and br2
> >>sudo ovs-vsctl add-port br1 tap1
> >>sudo ovs-vsctl add-port br2 tap2
> >>
> >># Bring up bridges
> >>sudo ifconfig br1 up
> >>sudo ifconfig br2 up
> >>
> >># Set IP address on bridges
> >>sudo ifconfig br1 10.254.254.1/24
> >>sudo ifconfig br2 10.254.254.2/24
> >>
> >># Configure VXLAN tunnels
> >>sudo ovs-vsctl add-port br1 vxlan12 -- set interface vxlan12 type=vxlan \
> >>     options:local_ip=10.254.254.1 options:remote_ip=10.254.254.2 \
> >>     options:in_key=flow options:out_key=flow
> >>sudo ovs-vsctl add-port br2 vxlan21 -- set interface vxlan21 type=vxlan \
> >>     options:local_ip=10.254.254.2 options:remote_ip=10.254.254.1 \
> >>     options:in_key=flow options:out_key=flow
> >>
> >>Until that point, the VMs can ping each other.
> >>
> >>Then, without stopping the pings, I enabled IPFIX on both bridges:
> >>
> >># Enable IPFIX on bridges
> >>#   Data Collector IP = 172.26.37.124
> >>#   Data Collector Port = 4739 (UDP)
> >>#   Packets per sample = 1
> >>
> >>sudo ovs-vsctl -- set bridge br1 ipfix=@ipfix -- --id=@ipfix create IPFIX \
> >>     targets=\"172.26.37.124:4739\" \
> >>     obs_domain_id=1 obs_point_id=1 \
> >>     sampling=1 cache_active_timeout=60\
> >>     other_config:enable-tunnel-sampling=true
> >>
> >>sudo ovs-vsctl -- set bridge br2 ipfix=@ipfix -- --id=@ipfix create IPFIX \
> >>     targets=\"172.26.37.124:4739\" \
> >>     obs_domain_id=1 obs_point_id=2 \
> >>     sampling=1 cache_active_timeout=60\
> >>     other_config:enable-tunnel-sampling=true
> >>
> >>Just after enabling IPFIX the connectivity between VMs is interrupted.
> >A sampling rate of 1 (meaning sample 100% of packets) could be risky if
> >the target is on an OVS bridge, because it could essentially cause a
> >loop by causing every IPFIX packet to be sampled.  Try a lower sample
> >rate?
> 
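
Added example, not part of the original thread: a shell check for the condition raised above, namely whether IPFIX export traffic to the collector leaves the host through an OVS bridge, where it could itself be sampled. The function names and the sample route lines are constructed for illustration; the live check assumes `ip` and `ovs-vsctl` are installed.

```shell
#!/bin/sh
# Added example (not from the thread). Decides whether packets sent to an
# IPFIX collector egress through an OVS bridge device.

# Print the egress device named in `ip route get <addr>` output ($1).
route_dev() {
    printf '%s\n' "$1" |
        awk '{for (i = 1; i < NF; i++) if ($i == "dev") {print $(i+1); exit}}'
}

# $1: `ip route get` output, $2: newline-separated bridge names.
# Returns 0 if the egress device is a bridge, 1 if not, 2 if no device found.
export_crosses_bridge() {
    dev=$(route_dev "$1")
    [ -n "$dev" ] || return 2
    printf '%s\n' "$2" | grep -Fxq -- "$dev"
}

# Live check for collector address $1 using the host's routing table.
check_collector() {
    route=$(ip route get "$1") || return 2
    bridges=$(ovs-vsctl list-br) || return 2
    if export_crosses_bridge "$route" "$bridges"; then
        echo "export to $1 egresses via OVS bridge $(route_dev "$route")"
        return 0
    fi
    echo "export to $1 does not egress via an OVS bridge"
    return 1
}

# Constructed sample inputs (not captured from the reporter's host).
SAMPLE_BRIDGES='br1
br2'
SAMPLE_ROUTE_BRIDGE='172.26.37.124 dev br1 src 10.254.254.1
    cache'
SAMPLE_ROUTE_NIC='172.26.37.124 via 192.0.2.1 dev eth0 src 192.0.2.10
    cache'

# Run the live check only when a collector address is given as an argument.
if [ "$#" -gt 0 ]; then
    check_collector "$1"
fi
```

Run it as `sh check.sh 172.26.37.124` on the OVS host; if the route egresses via a bridge that has IPFIX enabled, the exporter's own packets are candidates for sampling.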


