On Tue, Mar 05, 2013 at 08:21:15PM +0800, Kris zhang wrote:
> First I create a bridge br0, and then I create a fake bridge (tag=100) on
> br0. Next I create two VMs and connect them to the fake bridge br100. Last I add
> a flow entry into br0:
>
> ovs-ofctl add-flow priority=1000,tcp,dl_vlan=100,nw_dst=20.1.64.5,tp_dst=23,action=drop
>
> The purpose of this flow entry is to not allow one VM to telnet to another VM.
> But this flow doesn't work, so please help me!
>
> I drew a picture to explain it, please see below.
>
> But if the VMs are not on the same host, then this flow works. I don't know
> why.
Sounds like this FAQ:

Q: My OpenFlow controller doesn't see the VLANs that I expect.

A: The configuration for VLANs in the Open vSwitch database (e.g. via
ovs-vsctl) only affects traffic that goes through Open vSwitch's
implementation of the OpenFlow "normal switching" action. By default, when
Open vSwitch isn't connected to a controller and nothing has been manually
configured in the flow table, all traffic goes through the "normal
switching" action. But, if you set up OpenFlow flows on your own, through a
controller or using ovs-ofctl or through other means, then you have to
implement VLAN handling yourself.

You can use "normal switching" as a component of your OpenFlow actions,
e.g. by putting "normal" into the lists of actions on ovs-ofctl or by
outputting to OFPP_NORMAL from an OpenFlow controller. In situations where
this is not suitable, you can implement VLAN handling yourself, e.g.:

- If a packet comes in on an access port, and the flow table needs to send
  it out on a trunk port, then the flow can add the appropriate VLAN tag
  with the "mod_vlan_vid" action.

- If a packet comes in on a trunk port, and the flow table needs to send it
  out on an access port, then the flow can strip the VLAN tag with the
  "strip_vlan" action.
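An added illustration of the FAQ answer, not part of the thread and not Open vSwitch code: a small Python model of how the flow table sees VLANs. The port names (vm1, vm2, eth0), the tag-100 access ports and the "fixed" flow are constructed assumptions; the posted flow's match fields are taken from the question.

```python
# Constructed model (not OVS code): the OVSDB port configuration below is
# what ovs-vsctl set up. The flow table never consults it; only the
# "normal" action does.
PORTS = {"vm1": 100, "vm2": 100, "eth0": None}   # tag=100 access ports, eth0 trunk


def ingress_packet(in_port, wire_vlan, nw_dst, tp_dst):
    """What the flow table sees: only the VLAN tag actually on the wire.
    A VM on an access port sends untagged frames, so dl_vlan is None there."""
    return {"in_port": in_port, "dl_vlan": wire_vlan,
            "nw_dst": nw_dst, "tp_dst": tp_dst}


def lookup(flows, pkt):
    """Highest-priority flow whose match fields all equal the packet's.
    Fields absent from a match are wildcards, as in OpenFlow."""
    for prio, match, action in sorted(flows, key=lambda f: -f[0]):
        if all(pkt.get(k) == v for k, v in match.items()):
            return action
    return "normal"   # table miss: default OVS behaviour is normal switching


def normal(pkt):
    """The "normal" action is the one place the OVSDB tag applies: an untagged
    packet from an access port is switched as a member of that port's VLAN."""
    vlan = pkt["dl_vlan"] if pkt["dl_vlan"] is not None else PORTS[pkt["in_port"]]
    return f"forward in vlan {vlan}"


def forward(flows, pkt):
    action = lookup(flows, pkt)
    return normal(pkt) if action == "normal" else action


# The flow from the question: it matches dl_vlan=100 explicitly.
POSTED = [(1000, {"dl_vlan": 100, "nw_dst": "20.1.64.5", "tp_dst": 23}, "drop")]

# Assumed fix: for packets entering on an access port the tag is not on the
# wire, so match the ingress port instead of dl_vlan (the FAQ's "implement
# VLAN handling yourself"); keep the dl_vlan rule for trunk arrivals.
FIXED = POSTED + [(1000, {"in_port": "vm1", "nw_dst": "20.1.64.5", "tp_dst": 23}, "drop")]

# Constructed packets: vm1 -> vm2 on the same host (untagged), and the same
# telnet attempt arriving from another host over the trunk (tagged 100).
SAME_HOST = ingress_packet("vm1", None, "20.1.64.5", 23)
FROM_TRUNK = ingress_packet("eth0", 100, "20.1.64.5", 23)

if __name__ == "__main__":
    for name, flows in (("posted", POSTED), ("fixed", FIXED)):
        print(name, "same host:", forward(flows, SAME_HOST),
              "| from trunk:", forward(flows, FROM_TRUNK))
```

With the posted table the same-host packet never matches the drop rule and falls through to normal switching, which is exactly the symptom reported; the trunk arrival carries the tag and is dropped in both tables.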