On Thu, Sep 2, 2010 at 9:01 AM, Luiz Henrique Ozaki <luiz.oz...@gmail.com> wrote:

> Yeah, I don't know the difficulty in changing this but this should be the
> perfect scenario:
> VM is powered off -> physical switch still has that MAC in a port and sends to
> the host -> OVS should know when a VM powers off and the MAC table doesn't
> have that MAC anymore, the MAC becomes incomplete and maybe some ARP request
> broadcast should be made (?)... Doing this no packets are sent to any
> virtual ports.
> The packets are going to be sent to that physical port until MAC timeout,
> but OVS will "filter" those packets.
> This case seems like a normal switch and I think this is the idea of OVS,
> isn't it?
Actually, no, this is not how a physical switch behaves. You mentioned that your other switches are flooding packets to all ports - OVS is doing the same thing. It is possible to do more with a virtual switch since it tends to have more information about the connected devices, but that isn't directly implemented as a feature in OVS; instead the primitives are exposed to a controller.

> Does a controller solve this even with the physical switch sending those
> packets to the Host/OVS?
> Hmmm... If I create OpenFlow rules for each MAC address inside the host,
> does it solve this too? By the way, is this what the controllers do?

Yes to all of these questions. The takeaway point here is that while switches (physical or virtual) try not to send packets to ports that are not the intended destination, this is not guaranteed and is not meant to be a security feature. For security purposes you should assume that the switches are flooding packets to all ports at all times. If this is not acceptable behavior you need to enforce that through another mechanism such as OpenFlow rules, VLANs, etc.

_______________________________________________
discuss mailing list
discuss@openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss_openvswitch.org
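One way to enforce the "assume flooding, restrict explicitly" point from the reply above with static OpenFlow rules, as an added example that is not from the thread or from the Open vSwitch project: a shell script that generates a flow table in which unicast to a known VM MAC goes only to that VM's port, and unknown unicast arriving on the uplink (for example for a powered-off VM whose MAC the physical switch still remembers) is dropped instead of flooded. The bridge name, OpenFlow port numbers and MAC addresses are assumed placeholder values.

```shell
#!/bin/sh
# Constructed example: static OpenFlow table for an OVS bridge that replaces
# learning-switch flooding with explicit per-MAC forwarding.
UPLINK=1                      # assumed OpenFlow port number of the physical NIC
# "ofport mac" pairs for the VMs attached to the bridge (constructed values)
VM_TABLE="2 52:54:00:aa:00:01
3 52:54:00:aa:00:02"

# gen_flows UPLINK_PORT "VM_TABLE": print one ovs-ofctl flow spec per line,
# in a form accepted by 'ovs-ofctl add-flows <bridge> <file>'.
gen_flows() {
    uplink="$1"; vms="$2"
    printf '%s\n' "$vms" | while read -r port mac; do
        [ -n "$port" ] || continue
        # Unicast to a VM on this host is delivered to that port only.
        echo "priority=200,dl_dst=$mac,actions=output:$port"
        # Anything else a VM sends (external destinations) leaves via the uplink.
        echo "priority=100,in_port=$port,actions=output:$uplink"
    done
    # ARP and other broadcast/multicast must still reach every port.
    echo "priority=150,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00,actions=flood"
    # Unknown unicast from the physical switch (e.g. a stale MAC entry for a
    # powered-off VM) is dropped here rather than flooded to virtual ports.
    echo "priority=50,in_port=$uplink,actions=drop"
    # Default deny for any port not covered above (e.g. the bridge's local port).
    echo "priority=0,actions=drop"
}

# apply_flows BRIDGE: install the generated table, replacing whatever is there.
# Requires root and ovs-ofctl on the hypervisor; not invoked automatically.
apply_flows() {
    bridge="$1"
    gen_flows "$UPLINK" "$VM_TABLE" > "/tmp/$bridge.flows"
    ovs-ofctl del-flows "$bridge"
    ovs-ofctl add-flows "$bridge" "/tmp/$bridge.flows"
}
# apply_flows br0
```

Re-run apply_flows whenever a VM is started, stopped or migrated; a controller automates exactly this step.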