[ovs-discuss] Help with network loop between two trunked OVS instances

Bryan T. Richardson bryan at activeshadow.com
Thu Mar 25 18:42:21 UTC 2021


Hello-

I'm trying to mirror traffic using a GRE tunnel between two OVS instances
running on separate servers that are trunked via a managed physical switch, but
doing so results in a network loop. My goal is to mirror traffic to/from VMs on
one server to a target VM on the other server.

The two servers each have two NICs, eth0 and eth1. eth0 is connected to a
separate switch that allows for cluster management, and has an IP address. eth1
is connected to a managed switch port configured for trunking, doesn't have an
IP address assigned, and is added to the OVS bridge so OVS VLANs are extended
across both servers via the trunk.

I have two VMs, X and Y, running on server A, and one VM, Z, running on server
B. I want to mirror packets between VMs X and Y to VM Z. The way I'm attempting
to do this now is as follows:

VMs X and Y have ports tapX and tapY on the OVS switch on Server A tagged with
VLAN 101, and can ping each other.

VM Z has port tapZ on the OVS switch on Server B tagged with VLAN 201.

Server A and Server B have an addressed internal port on their OVS switch tagged
with VLAN 301 so each host can talk to each other over the trunk.

Server B has a GRE port and OpenFlow rule configured as follows:

ovs-vsctl add-port br0 gre0 \
  -- set interface gre0 type=gre options:remote_ip=flow options:key=1234567890

ovs-ofctl add-flow br0 "in_port=gre0 actions=tapZ"

Server A has a GRE port and mirror configured as follows:

ovs-vsctl add-port br0 gre0 \
  -- set interface gre0 type=gre options:remote_ip=<Server B IP> options:key=1234567890

ovs-vsctl \
  -- --id=@p0 get port tapX \
  -- --id=@p1 get port tapY \
  -- --id=@g0 get port gre0 \
  -- --id=@m create mirror name=m0 select-dst-port=@p0,@p1 output-port=@g0 \
  -- set bridge br0 mirrors=@m

The GRE tunnels can be up and no loop seems to be present because VMs X and Y
can continue to ping each other. As soon as I create the mirror on Server A, I
can see the pings via tcpdump on VM Z, so the mirror and OpenFlow configs are
working, but the pings between VMs X and Y begin to degrade and eventually stop.
As soon as I clear the mirror on Server A the pings start up again.

My rationale behind using the OpenFlow rule on Server B was to try and avoid the
mirrored packets coming in over the GRE tunnel from being flooded to all the
ports on the bridge, especially the trunked eth1 port.

My rationale for being selective about what source ports are mirrored on Server
A was similar, in that I was trying to avoid any mirrored packets showing up on
the trunked eth1 port from being sent into the GRE tunnel again.

Any ideas why I'm still getting a network loop? I'm sure it's something obvious
and I'm just being an idiot, but I'm currently at a loss.

Please advise. Thanks in advance!

-V/R, Bryan

