But the physical switch is sending those packets to all ports because of a *problem*... That's not a common behavior, it doesn't make much sense.

Look at this scenario: Some MAC in switch A is communicating with a MAC in switch B. When the MAC at switch B is shut down, the switch will send those packets to all ports in switch B, and if switch C is connected to switch B, the packets will go through all ports in C too, and switch D is connected to C, D to E = broadcast to all switches!

When a port is disconnected, the switch knows that the port state changed and makes the MAC address entry go incomplete for that MAC, and no packets are sent, maybe an ARP request but not the packet broadcast. As far as I know, the switch has a MAC address table relating MACs to ports, and those packets are sent only when this relation is valid, always, or it tries to do so. Seems a primary function, since without this a "broadcast of death" can be easy to make.

As you said, I should assume a switch flooding broadcast packets, and if the switch doesn't have that check, all your network in the same VLAN will crash since that packet of death will go all over the switches.

OVS, I think, already does that MAC -> ports check, since all packets are not sent to all VMs; it's just needed when a packet comes and OVS doesn't have that MAC, it doesn't broadcast that. And since OVS will not be connected directly to another switch, it doesn't even need an ARP request to be sent.

Well, gonna try OpenFlow rules then...

I'm not an expert in networking, so if this is not making sense, please tell me guys...

On Thu, Sep 2, 2010 at 5:48 PM, Jesse Gross <je...@nicira.com> wrote:
> On Thu, Sep 2, 2010 at 9:01 AM, Luiz Henrique Ozaki
> <luiz.oz...@gmail.com> wrote:
> > Yeah, I don't know the difficulty in changing this but this should be the
> > perfect scenario:
> > VM is powered off -> physical switch still has that MAC in a port and sends to
> > the host -> OVS should know when a VM powers off and in the MAC table doesn't
> > have that MAC anymore, MAC becomes incomplete and maybe some ARP request
> > broadcast should be made (?)...
> > Doing this no packets are sent to any virtual ports.
> > The packets are going to be sent to that physical port until MAC timeout,
> > but OVS will "filter" those packets.
> > This case seems like a normal switch and I think this is the idea of OVS,
> > isn't it?
>
> Actually, no, this is not how a physical switch behaves. You
> mentioned that your other switches are flooding packets to all ports -
> OVS is doing the same thing. It is possible to do more with a virtual
> switch since it tends to have more information about the connected
> devices but that isn't directly implemented as a feature in OVS,
> instead the primitives are exposed to a controller.
>
> > Does a controller solve this even with the physical switch sending those
> > packets to the Host/OVS?
> > Hmmm... If I create OpenFlow rules for each MAC address inside the host,
> > does it solve this too? By the way, is this what the controllers do?
>
> Yes to all of these questions.
>
> The take away point here is that while switches (physical or virtual)
> try not to send packets to ports that are not the intended
> destination, this is not guaranteed and is not meant to be a security
> feature. For security purposes you should assume that the switches
> are flooding packets to all ports at all times. If this is not
> acceptable behavior you need to enforce that through another mechanism
> such as OpenFlow rules, vlans, etc.
>

-- 
[]'s
Luiz Henrique Ozaki
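An added example, not from this thread or from Open vSwitch itself, of the "OpenFlow rules for each MAC address inside the host" that Jesse confirms will stop flooded unicast from the physical switch reaching VM ports that are not its destination. It generates ovs-ofctl add-flow commands for a bridge and includes a small matcher (a simplification, not OVS's own pipeline) to check what each frame would get; the bridge name, uplink port number, VM port numbers and MACs are made-up placeholders.

```python
# Constructed example: per-MAC OpenFlow rules for an OVS bridge, plus a small
# matcher (not OVS's own) to check how each frame would be handled.
# Uplink port number, VM ports and MACs used below are made-up placeholders.

MCAST_MASK = "01:00:00:00:00:00"  # I/G bit set: broadcast and multicast frames


def build_flows(uplink_port, vms):
    """vms maps VM port number -> VM MAC. Returns (priority, match, actions) tuples."""
    flows = []
    for port, mac in vms.items():
        # Unicast to a known VM MAC is delivered only to that VM's port.
        flows.append((100, {"dl_dst": mac}, f"output:{port}"))
        # A VM may only emit frames with its own MAC toward the wire; its
        # broadcast/multicast is flooded, its other unicast goes out the uplink.
        mcast = {"in_port": port, "dl_src": mac, "dl_dst": f"{MCAST_MASK}/{MCAST_MASK}"}
        flows.append((80, mcast, "flood"))
        flows.append((70, {"in_port": port, "dl_src": mac}, f"output:{uplink_port}"))
    # Broadcast/multicast arriving from the wire reaches every VM port.
    flows.append((80, {"in_port": uplink_port, "dl_dst": f"{MCAST_MASK}/{MCAST_MASK}"}, "flood"))
    # Anything else, including unknown unicast flooded by the physical switch, is dropped.
    flows.append((0, {}, "drop"))
    return flows


def ovs_ofctl_commands(bridge, flows):
    """Render the flows as ovs-ofctl add-flow commands."""
    cmds = []
    for prio, match, actions in flows:
        fields = "".join(f",{k}={v}" for k, v in match.items())
        cmds.append(f'ovs-ofctl add-flow {bridge} "priority={prio}{fields},actions={actions}"')
    return cmds


def _mac_int(mac):
    return int(mac.replace(":", ""), 16)


def _mac_match(value, spec):
    """Match a MAC against 'aa:bb:..' or a masked 'aa:bb:../ff:..' spec."""
    want, _, mask = spec.partition("/")
    m = _mac_int(mask) if mask else 0xFFFFFFFFFFFF
    return _mac_int(value) & m == _mac_int(want) & m


def lookup(flows, in_port, dl_src, dl_dst):
    """Action the bridge would take: the highest-priority matching flow wins."""
    frame = {"in_port": in_port, "dl_src": dl_src, "dl_dst": dl_dst}
    for _, match, actions in sorted(flows, key=lambda f: -f[0]):
        if all(frame[k] == v if k == "in_port" else _mac_match(frame[k], v)
               for k, v in match.items()):
            return actions
    return "drop"  # table miss with no catch-all rule
```

Frames flooded by the physical switch for a MAC that is not on this host fall through to the priority-0 drop, while VM-to-VM delivery at priority 100 does not check dl_src, so source-MAC enforcement here only covers the VM-to-wire direction.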
_______________________________________________
discuss mailing list
discuss@openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss_openvswitch.org