[ovs-discuss] Doing port mirroring for KVM guests

C. L. Martinez carlopmart at gmail.com
Mon Apr 3 13:54:49 UTC 2017


On Mon, Apr 03, 2017 at 10:43:48AM +0000, C. L. Martinez wrote:
> Hi all,
> 
>  I have installed Openvswitch 2.5.2 in a RHEL 7.3 KVM host fully patched. I need to implement port mirroring for some kvm guests (not all). According to openvswitch's docs this can be done using the following command:
> 
> ovs-vsctl -- --id=@m create mirror name=tapmirror -- add bridge idsbr0 mirrors @m -- --id=@oneguest0 get port oneguest0 -- set mirror tapmirror select_src_port=@oneguest0 select_dst_port=@oneguest0 -- --id=@idsguest0 get port idsguest0 -- set mirror tapmirror output-port=@idsguest0
> 
>  where oneguest0 interface is the kvm guest virtual interface, idsguest0 is the interface where I will receive mirrored traffic and idsbr0 is the openvswitch bridge where idsguest0 is assigned.
> 
>  Is this command correct?
> 
>  Then, I have the following questions:
> 
>  a/ Is it possible to use a full openvswitch switch as a src_port and dst_port (and output-port) instead of every virtual interface (oneguest0, oneguest1, etc.) that I want to monitor?
> 
>  b/ If "no" is the answer to question a/, do I need to execute the previous command for every virtual interface that I need to monitor?
> 
>  c/ Do I need to create the idsbr0 bridge before launching the previous command?
> 
>  d/ Last question, do I need to run the previous command every time that kvm host starts?
> 
> Many thanks for your attention.
>  
I have done some tests, and it seems previous command returns a syntax. I have launched this one:

ovs-vsctl -- set Bridge idsif mirrors=@m \
		-- --id=@fwprod0 get Port fwprod0 \
		-- --id=@fwdmz0 get Port fwdmz0 \
		-- --id=@fwvpn0 get Port fwvpn0 \
		-- --id=@fwenc0 get Port fwenc0 \
		-- --id=@fwmgmtif0 get Port fwmgmtif0 \
		-- --id=@idsif0 get Port idsif0 \
		-- --id=@m create Mirror name=tapmirror select-dst-port=@fwprod0,@fwdmz0,@fwvpn0,@fwenc0,@fwmgmtif0 \
		select-src-port=@fwprod0,@fwdmz0,@fwvpn0,@fwenc0,@fwmgmtif0 output-port=@idsif0

 ... but nothing is mirrored ... What am I doing wrong??

Thanks

-- 
Greetings,
C. L. Martinez

