[ovs-discuss] Mirroring between two hosts through VxLAN tunnel, same packet copied 6 times

Benoît benoit at neviani.fr
Sat Oct 28 19:01:07 UTC 2017


Hi,

ovs-vsctl --version
ovs-vsctl (Open vSwitch) 2.6.2
DB Schema 7.14.0

Architecture:

My objective is to use two VxLAN tunnels, one (VNI 888) for VM connectivity
between 2 Hosts, one (VNI 777) to send the monitored traffic from one
host to the other host.

Configuration:
Host1: (IP:B.B.B.B)
ovs-vsctl add-port brvx vxlan0 -- set Interface vxlan0 type=vxlan options:remote_ip=A.A.A.A options:key=777
ovs-vsctl add-port brad vxlan1 -- set Interface vxlan1 type=vxlan options:remote_ip=A.A.A.A options:key=888

Host2: (IP:A.A.A.A)
ovs-vsctl add-port brvx vxlan0 -- set Interface vxlan0 type=vxlan options:remote_ip=B.B.B.B options:key=777
ovs-vsctl add-port brad vxlan1 -- set Interface vxlan1 type=vxlan options:remote_ip=B.B.B.B options:key=888

Connectivity is tested and ok through the VxLAN tunnels.
3 bridges on each host:
-brad : VM connectivity
-brext: external access (public IP address)
-brvx: acts like a remote SPAN bridge (connected to the other bridges through patch ports)

Only one Ethernet card (eno1) per host (the same one is used to send traffic through the VxLAN tunnels)

Bridges: (same for Host1 & Host2):
    Bridge brad
        Port brad
            Interface brad
                type: internal
        Port "vxlan1"
            Interface "vxlan1"
                type: vxlan
                options: {key="888", remote_ip="A.A.A.A"}
        Port span_ad
            Interface span_ad
                type: patch
                options: {peer=rspan_ad}
    Bridge brvx
        Port "vxlan0"
            Interface "vxlan0"
                type: vxlan
                options: {key="777", remote_ip="A.A.A.A"}
        Port rspan_ad
            Interface rspan_ad
                type: patch
                options: {peer=span_ad}
        Port brvx
            Interface brvx
                type: internal
        Port rspan_ext
            Interface rspan_ext
                type: patch
                options: {peer=span_ext}
    Bridge brext
        Port span_ext
            Interface span_ext
                type: patch
                options: {peer=rspan_ext}
        Port brext
            Interface brext
                type: internal
        Port "eno1"
            Interface "eno1"

Mirror:
One mirror per bridge is set to copy the local bridge interface traffic and send
it to the span_ad/span_ext port. Thanks to the patch ports on bridge brvx the traffic
is copied, and an OpenFlow rule takes the traffic from rspan_xx and directs it to
vxlan0 to send it through the tunnel.

One mirror uses eno1 as its source because I need to monitor that
traffic; the mirrored traffic is sent to vxlan0 (VxLAN tunnel), passing
through the same physical interface eno1.

As eno1 is also the source of my mirroring, the traffic is copied
again and again, 6 times, each time with one VxLAN layer added...

Mirror configuration:
# brext mirror: select eno1 in both directions, output to the span_ext patch port
sourceext=eno1
destinationext=span_ext
ovs-vsctl --id=@m create mirror name=spanext -- add bridge brext mirrors @m
ovs-vsctl -- --id=@$sourceext get port $sourceext -- set mirror spanext select_src_port=@$sourceext select_dst_port=@$sourceext
ovs-vsctl -- --id=@$destinationext get port $destinationext -- set mirror spanext output-port=@$destinationext

# brvx: forward everything arriving from rspan_ext into the VNI 777 tunnel
rspan_sourceext_port=$(ovs-vsctl get Interface rspan_ext ofport)
rspan_destination_port=$(ovs-vsctl get Interface vxlan0 ofport)
ovs-ofctl del-flows brvx
ovs-ofctl add-flow brvx priority=500,in_port=$rspan_sourceext_port,actions=pop_vlan,mod_vlan_vid=22,output:$rspan_destination_port

I add a VLAN tag here (VID 22) only for troubleshooting purposes.
When I ping between hosts, one ICMP Echo Request results in 6 packets!
-ICMP Request VM @ Host A to VM @ Host B -> expected, original traffic
-Same packet, VNI 888 -> expected, traffic passing through the admin tunnel
-Same packet, VNI 888 / VNI 777 -> expected, as the mirrored traffic is using eno1 as well
-Same packet, VNI 888 / VNI 777 / VNI 777 -> not expected
-Same packet, VNI 777 / VNI 777 -> not expected
-Same packet, VNI 777 / VNI 777 / VNI 777 -> not expected

The last 3 packets are already mirrored packets which are mirrored
again...

Is there a way to avoid copying the already mirrored traffic passing
through the same interface (eno1) but capture all the rest?

I thought about filtering during the mirroring but I can't find an
option.

I also thought about tweaking the flow I add to copy the traffic to
vxlan0.

If any of you have any idea...
Many thanks :)

-- 
belette
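Editor's note, an added check that is not part of the post above and not code from the OVS project: the Mirror table in OVS has only port- and VLAN-based selection columns (select_all, select_src_port, select_dst_port, select_vlan), so whether a mirror re-selects its own tunnelled output is decided purely by the topology. The script below parses `ovs-vsctl show` text (trimmed here to the brvx and brext ports on the copy path), follows the mirror's output port through the patch pair and the posted brvx rule to the tunnel port, and flags the mirror when the tunnel's egress NIC is in its select set. The FLOWS map is a hand transcription of the posted add-flow rule, the ROUTES map (remote_ip to egress NIC) is an assumption standing in for the host routing table, and the function names are the example's own.

```python
"""Self-feedback check for an OVS port mirror whose copies leave through a VXLAN
tunnel.  Added example, not code from the original post or from the OVS project.
OVS mirrors select frames by port or VLAN only (select_all, select_src_port,
select_dst_port, select_vlan), never by contents: see mirror_loops() below."""
import re

# `ovs-vsctl show` text from the post, trimmed to the ports on the copy path.
SHOW = """\
    Bridge brvx
        Port "vxlan0"
            Interface "vxlan0"
                type: vxlan
                options: {key="777", remote_ip="A.A.A.A"}
        Port rspan_ext
            Interface rspan_ext
                type: patch
                options: {peer=span_ext}
    Bridge brext
        Port span_ext
            Interface span_ext
                type: patch
                options: {peer=rspan_ext}
        Port brext
            Interface brext
                type: internal
        Port "eno1"
            Interface "eno1"
"""
# Posted brvx rule as bridge -> {in_port: [outputs]}; unlisted bridges switch normally.
FLOWS = {"brvx": {"rspan_ext": ["vxlan0"]}}
# Egress NIC per tunnel endpoint (host routing table, not OVS); assumed: eno1 is the only NIC.
ROUTES = {"A.A.A.A": "eno1"}
# The spanext mirror exactly as the posted ovs-vsctl commands create it.
MIRROR_AS_POSTED = {"name": "spanext", "bridge": "brext", "output_port": "span_ext",
                    "select_all": False, "select_src_port": {"eno1"},
                    "select_dst_port": {"eno1"}}


def parse_show(text):
    """{bridge: {interface: {"type", "options"}}}; ports are keyed by interface name."""
    bridges, bridge, iface = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Bridge "):
            bridge = line.split(None, 1)[1].strip('"')
            bridges[bridge] = {}
        elif line.startswith("Interface "):
            iface = line.split(None, 1)[1].strip('"')
            bridges[bridge][iface] = {"type": "", "options": {}}
        elif line.startswith("type: "):
            bridges[bridge][iface]["type"] = line[6:]
        elif line.startswith("options: "):
            for key, val in re.findall(r'(\w+)=("[^"]*"|[^,\s}]+)', line[9:]):
                bridges[bridge][iface]["options"][key] = val.strip('"')
    return bridges


def copy_exits(bridges, flows, port, seen=frozenset()):
    """Tunnel ports (bridge, name) a frame output to `port` reaches via patch ports; the
    peer bridge forwards per its rule for the ingress port (no rule: dropped) or floods."""
    owner = {p: b for b, ifaces in bridges.items() for p in ifaces}
    bridge = owner.get(port)
    if bridge is None or (bridge, port) in seen or bridges[bridge][port]["type"] != "patch":
        return []
    peer = bridges[bridge][port]["options"]["peer"]
    peer_bridge = owner.get(peer)
    if peer_bridge is None:
        return []
    if peer_bridge in flows:
        outputs = flows[peer_bridge].get(peer, [])
    else:
        outputs = [p for p in bridges[peer_bridge] if p != peer]
    exits = []
    for out in outputs:
        if bridges[peer_bridge][out]["type"] in {"vxlan", "gre", "geneve"}:
            exits.append((peer_bridge, out))
        else:
            exits += copy_exits(bridges, flows, out, seen | {(bridge, port)})
    return exits


def mirror_loops(bridges, flows, routes, mirror):
    """Findings for each tunnelled copy the mirror re-selects; empty when loop-free."""
    ports = bridges[mirror["bridge"]]
    src = set(ports) if mirror["select_all"] else set(mirror["select_src_port"])
    dst = set(ports) if mirror["select_all"] else set(mirror["select_dst_port"])
    internal = {p for p, i in ports.items() if i["type"] == "internal"}
    findings = []
    for tun_bridge, tun in copy_exits(bridges, flows, mirror["output_port"]):
        opts = bridges[tun_bridge][tun]["options"]
        nic = routes.get(opts.get("remote_ip"))
        # The encapsulated copy re-enters the uplink bridge from the host IP stack (the
        # internal port) and leaves via the NIC, so dst=NIC or src=internal re-selects it.
        hit = ({nic} & dst) | (src & internal if nic in ports else set())
        if hit:
            findings.append(f"{mirror['name']}: copy via {tun} (key {opts.get('key')}) "
                            f"egresses {nic} and is re-selected on {sorted(hit)}")
    return findings


if __name__ == "__main__":
    for finding in mirror_loops(parse_show(SHOW), FLOWS, ROUTES, MIRROR_AS_POSTED):
        print(finding)
```

Run as a script it reports the one loop in the posted configuration (spanext's copy leaves brvx through vxlan0, egresses eno1, and eno1 is in select_dst_port). Dropping eno1 from select_dst_port makes mirror_loops() return an empty list, which stops the loop but also stops copying eno1's egress, including the VNI 888 traffic the post wants to see; the Mirror table offers no way to exclude only the already-encapsulated copies, so that exclusion would have to come from OpenFlow rules on brext or from a separate egress path. On a live host the constructed SHOW and ROUTES inputs would come from `ovs-vsctl show` and the routing table.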