[ovs-discuss] How to filter tagged frames in bridge?

Matthias May matthias.may at neratec.com
Thu Aug 8 12:51:57 UTC 2019


On 08/08/2019 13:43, Felipe Arturo Polanco wrote:
> The hypervisor is the one that adds the ports to the switch I specify.
> 
> Is there a way to limit vlan tags being delivered to a fake bridge perhaps? I only want untagged traffic in the fake
> bridge. 
> 
> 
> On Wed, Aug 7, 2019, 2:52 AM Matthias May via discuss <ovs-discuss at openvswitch.org> wrote:
> 
>     On 06/08/2019 17:12, Felipe Arturo Polanco wrote:
>     > Hello,
>     >
>     > This is for a hosting environment where we are using OVS bridges with KVM.
>     >
>     > I have two interfaces bonded together with LACP and allowing two vlans.
>     > VLAN 500 public and vlan 400 private.
>     > The native vlan for this trunk port is Vlan 500*
>     >
>     > I need to find a way to limit trunk access on the VMs when they are
>     > connected to my bridge.
>     > If I add a tap0 interface to ovsbr0, I can see tagged traffic which is not good.
>     >
>     > I was thinking about adding a second bridge and connect both of them
>     > using a patch port but I still need to find a way to filter tagged
>     > frames and only allow untagged traffic on the second bridge.
>     >
>     > Any ideas how this can be done?
>     >
>     > Thanks,
>     > _______________________________________________
>     > discuss mailing list
>     > discuss at openvswitch.org
>     > https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
>     >
> 
>     When you add the port, set
>     vlan_mode=access
>     tag=500
> 
>     BR
>     Matthias
> 

I highly suggest you read the documentation regarding vlan_mode, tag and trunk.

My answer is still to set the vlan_mode to access and set the tag.
It doesn't matter if the hypervisor adds the port or someone else.
You can set a config for a port even if it is not yet part of a bridge.

BR
Matthias
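
An added example, not part of the original message or of Open vSwitch: a simplified Python model of how a port left at its defaults and an access port treat 802.1Q tags, following the vlan_mode and tag descriptions in the documentation the reply points to. The names `Port`, `ingress`, `egress` and `vm_view` are made up for the illustration, and it assumes the bridge already carries the public traffic as VLAN 500 and the private traffic as VLAN 400 (the uplink configuration is not modelled).

```python
# Simplified model of Open vSwitch port VLAN handling, based on the
# vlan_mode and tag column descriptions in ovs-vswitchd.conf.db(5).
# Only a default port (trunk, all VLANs) and an access port are modelled.
from dataclasses import dataclass
from typing import Optional

UNTAGGED = 0  # no 802.1Q header on the wire / VLAN 0 inside the bridge


@dataclass(frozen=True)
class Port:
    name: str
    vlan_mode: str = "trunk"    # behaviour of a port with no tag set
    tag: Optional[int] = None   # access VLAN, used when vlan_mode == "access"


def ingress(port: Port, wire_tag: int) -> Optional[int]:
    """VLAN a frame received on `port` is placed in, or None if dropped."""
    if port.vlan_mode == "access":
        # Any nonzero 802.1Q VLAN ID is dropped, even the port's own tag.
        return port.tag if wire_tag == UNTAGGED else None
    return wire_tag             # trunk: VLAN comes from the header


def egress(port: Port, vlan: int) -> Optional[int]:
    """802.1Q tag a frame in `vlan` leaves `port` with, or None if not sent."""
    if port.vlan_mode == "access":
        # Only the access VLAN is delivered, and always without a header.
        return UNTAGGED if vlan == port.tag else None
    return vlan                 # trunk: every VLAN, tagged unless VLAN 0


def vm_view(port: Port, vlans=(400, 500)) -> dict:
    """Map each bridge VLAN to the tag the VM behind `port` sees."""
    return {v: egress(port, v) for v in vlans}


if __name__ == "__main__":
    default_tap = Port("tap0")
    # Equivalent of: ovs-vsctl set port tap0 vlan_mode=access tag=500
    access_tap = Port("tap0", vlan_mode="access", tag=500)
    print("default:", vm_view(default_tap))
    print("access :", vm_view(access_tap))
    print("VM sends tag 400 on access port ->", ingress(access_tap, 400))
```

In the output, `None` means the frame is not delivered (or is dropped on ingress) and `0` means it is delivered without an 802.1Q header.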

