[ovs-discuss] OpenVswitch

Grant Taylor gtaylor at tnetconsulting.net
Sun Feb 25 20:01:58 UTC 2018

On 02/25/2018 07:54 AM, Chris Boley wrote:
> Sorry Grant, I think I replied directly to you the first time around. I 
> forgot the Reply All.

Things happen.

> Correct, *INLINE_IPS* filtering and dropping traffic. To the IPS VM it 
> would look like two ethernet interfaces that were members of a 
> transparent bridge.

Well, /almost/ transparent bridge.  ;-)

> Here goes.. apologies for the lengthy explanation:
> It all comes down to port count..I don’t want to run any more hardware 
> than necessary.


I think I was assuming that you would be bringing a physical port in, 
adding it to a bridge, which would then have another port connected to 
the VM.  Thus the inquiry about bypassing the bridging and just 
connecting the physical port to the VM directly.

…continuing to read your reply…

> I’m trying to do a concept build for an All in 1 kind of thing. It 
> hinges around virtualization of a couple OS’s.  This is meant for a 
> SOHO environment with 25-50 users where load wouldn’t likely be much 
> of an issue at all.


> HOST: I’m running a supermicro server with Ubuntu 16.04 / libvirt 
> based hypervisor, an 8 core Atom based proc, 32 gigs of ram 4 built in 
> Intel nic’s onboard.

I'd like to know more details about the Supermicro server as it may fit 
desires that I have.  ;-)

> GUESTS: 5 VM’s were planned to run as guests on this hardware. One 
> Ubuntu guest running LogAnalyzer/syslog server, one Ubuntu guest running 
> NFSEN, one vyOS router, and a Suricata based IPS porting it’s logs 
> out via Syslog to the LogAnalyzer instance. Lastly a tiny instance 
> of Ubuntu running Arpwatch to detect / log new hosts plugging into a 
> customer network.

Okay.  I think I track most of that.  I'm having trouble placing NFSEN 
at the moment.  I want to say I ran across it while messing with NetFlow 
years ago.


> There are 4 intel nic’s that come onboard with the server. (My desire 
> is to avoid adding NIC’s.)


> There would be 2 OVS logical bridges vbridge0 and vbridge1
> One nic was to go to the mgmt of the host. 2 nics were to be bridged / 
> linked to separate trunk ports on a Cisco 48 port 3750G to handle all 
> traffic going to the guests I mentioned and internal user traffic 
> connected to the vbridge1. The 3750g would handle access layer for 
> physical computers running on the LAN.

Unless I'm missing something, that's three ports and vbridge1.

I'm not seeing the 4th port or vbridge0 yet.


> The internal VM guests including the IPS would have nics that would be 
> tap interfaces. Like this: ovs-vsctl add-port vswitch0 vnic0 tag=10 -- 
> ovs-vsctl set interface vnic0 type=internal (vnic0 being the tap IF).


Aside:  Do you need the second ovs-vsctl?  I thought you could run all 
of that as one command with the double dash separating commands to 
ovs-vsctl.  (Maybe that's what you're doing and it didn't translate well 
to email.)

> The IPS will be a transparent bridge between the Logical OVS bridges. (a 
> bridge within a bridge within a bridge ;D ) <== I might run into hiccups 
> here as I don't know how OVS will react to a VM bridging two logical 
> bridges??

I'm still not seeing vbirdge0 connected to anything other than the 
output of the IPS VM.

I don't feel like we've gone quite as far as Inception.  Maybe we need 
to give the switch stack a kick.  ;-)

> Tap interfaces comes up via the /etc/network/interfaces   on the host. 
> (the ones coming into the IPS would be tuned the same for the driver 
> manipulation and the rest would be basic) (I’d also have to do the same 
> for the virtio nics in the IPS VM to get continuity of nic behavior in 
> all areas of the connectivity)


> The last host port was planned to be bridged directly to the WAN interface 
> meant for the WAN side of the vyOS router so I could plug it into the 
> WAN directly for sake of ease.

Is this where vbridge0 comes into play?

If vbridge0 is just to connect eth0 to the VyOS guest VM, i.e. the 
following ASCII diagram, this is where I'm suggesting foregoing the bridge.


I'd be inclined to remove the bridge and just do this directly:


Why does [vbridge0] need to be there?  Is it doing anything other than 
enabling what is effectively a point-to-point connection between eth0 
and VyOS?

Are you wanting to leverage other features of OVS, i.e. insturmentation, 
of the data flowing between eth0 and VyOS?

> My concept is my own hair brained idea but I think it can be done without 
> too much headache. Once perfected it would just be an install process. 
> I just want to make sure that as traffic comes into the host, that 
> the host nic driver isn’t modifying the packets before they hit 
> the IPS. This may not even work but if it does, I could potentially 
> save a bunch of money in discreet server costs and cut down on power 
> use immensely. A single supermicro server like this with 6 terabytes 
> of raid 5 space is less than 1500 USD. A cisco 3750G is cheap these 
> days. Or upgrade to a 2960-X which is a defacto standard Cisco Access 
> layer switch these days.
> I could hand off an entire fully capable enterprise class router/traffic 
> shaper/vpn capable/ips capable/netflow capable network server for a couple 
> of thousand and sell maintenance / monitoring of said systems monthly. So 
> that’s the WHY in this whole thing. Small office environments are my 
> target market.  Sorry….. too much information??

I hear you.  I've done some similar things in the past.

No, it's not too much information.

One thing that I don't have a good mental picture of yet is how the 
various VMs are going to be interconnected.  I believe this is the VM 
list extracted from above.

1)  One Ubuntu guest running LogAnalyzer/syslog server
2)  one Ubuntu guest running NFSEN
3)  one vyOS router
4)  Suricata based IPS
5)  a tiny instance of Ubuntu running Arpwatch

IMHO #1, #2, and #5 are management / housekeeping type function VMs that 
don't actually impact traffic flow, read out of the data path. 
Conversely, #3 and #4 are actually in your data path and controlling 

Based on other context of this thread, it sounds like you will have an 
architecture that resembles something like this:

[eth0]---[vbridge0]---[VyOS]---[IPS]---[vbridge1]---[VM #1]
[eth1]---------------------------------[        ]---[VM #2]
[eth2]---------------------------------[        ]---[VM #5]
[eth3]---[Ubuntu VM host]

Assuming that this is even remotely correct, I still feel like vbridge0 
is unnecessary.

[eth0]----------------[VyOS]---[IPS]---[vbridge1]---[VM #1]
[eth1]---------------------------------[        ]---[VM #2]
[eth2]---------------------------------[        ]---[VM #5]
[eth3]---[Ubuntu VM host]

Here's how crazy I'd be inclined to do things if I were building this:

Bond all four of the ports together with LACP (802.3ad) and then carry 
VLAN tags (802.1q) across said bond and create sub-interfaces bond0.$VID.

That would:
  - Ensure that you don't fail on the single WAN link (eth0) failing.
  - Enable you to support multiple WAN links via VLAN tagged 
sub-interfaces.  Thus enabling connections to multiple ISPs.
  - Means that all of the ports on the server are the same.  No need to 
  - Management could be untagged / native or a specific VLAN.

I'd also do some playing with bonding to see if there's a way to get 
connectivity even when LACP (802.3ad) is not active.  -  I don't know if 
this is possible per say or if it would take some other special magic.

[eth1]---[     ]---[vlan2]---------------[    ]   [     ]
[eth2]---[     ]---[vlan3]---------------[    ]   [     ]
[eth3]---[     ]---[vlan4]---[bridge0]---[IPS]----[     ]
          [     ]             [       ]---[VM #1]
          [     ]---[admin]   [       ]---[VM #2]
                              [       ]---[VM #5]

Note:  I would use a vEth between VyOS and the IPS as they are 
purportedly slightly faster than kernel or OVS bridges.  -  You may 
prefer to use an additional VLAN in OVS.

> https://www.opencloudblog.com/?p=240
> https://bugs.launchpad.net/ubuntu/+source/openvswitch/+bug/1448254
> After reviewing those two links I came to mostly the same conclusion 
> albeit I haven’t had a chance to put that theory to the test.

Fair.  I could have easily been wrong and you correct in that you needed 
to account for more issues.

> I’ll have to set this up and do the testing to be sure even for myself. 
> Thanks again for your input!

You're welcome.  Good luck!

Grant. . . .
unix || die

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3982 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.openvswitch.org/pipermail/ovs-discuss/attachments/20180225/bbe51373/attachment.p7s>

More information about the discuss mailing list