Hi,

thank you for the answer. Yes, I saw that, but that does not explain why I see ARP requests from the host network on br1000. Maybe I did not explain this quite well.

Assume I have my normal home network here, 192.168.0.0/24. All my hosts are connected to this network, and also the KVM host machine. Now I start ovs, pox and some KVMs on the KVM host machine. The br0 on ovs is also in the network 192.168.0.0/24. The network between my KVM machines is 10.0.0.0/24 on br1000.

With the setup described below, I can see ARP requests from two different hosts in the 192.168.0.0/24 network (not the IP address of the KVM host) on my KVM appliances in the 10.0.0.0/24 network. That would (in my understanding) mean that the KVM forwards ARP requests for some reason to the second bridge, or there is something fishy with ovs. I don't have any bridges or anything configured on the KVM host. The strange thing is that if I remove the interface of my KVM from br0 in ovs, the ARP requests disappear on br1000.

I hope this got a little bit clearer now. I don't think this might be related to the ES model, or am I wrong here?

Best regards,
Peter

On 20.08.2015 19:07, Ben Pfaff wrote:
> On Thu, Aug 20, 2015 at 02:21:47PM +0200, Peter Schmitt wrote:
>> Hi,
>>
>> thanks for adding me to this list. I have a fairly strange problem and I am
>> not sure if it is a design flaw in my setup or a bug.
>>
>> I want to use OpenVSwitch and KVMs to create some test networks that have
>> Internet access but are strictly separated otherwise, so that I have VLAN
>> functionality and packets from different networks do not interfere with each
>> other.
>>
>> My setup is as follows:
>>
>> I have one host and I use one instance of ovs 2.3.0 and pox with the
>> l2_learning module as controller on every bridge.
>> I have a bridge br0 that should be used for the access to the outer network.
>> This bridge has an IP address on the host and also the physical devices
>> added as a bond. Also one interface from a KVM (KVM0) is added to this bridge.
>>
>>     Bridge "br0"
>>         Controller "tcp:127.0.0.1:6633"
>>             is_connected: true
>>         Port "tap0"
>>             Interface "tap0"
>>         Port "br0"
>>             Interface "br0"
>>                 type: internal
>>         Port "bond0"
>>             Interface "p12p2"
>>             Interface "p10p1"
>>             Interface "p12p1"
>>
>> I have access to the outer network from KVM0. Now I added a second bridge
>> br1000. This device is not up on the host and only used in ovs. I
>> start some KVMs and connect the tap devices to this bridge br1000 and
>> also some interfaces from KVM0. So basically, KVM0
>> is connected to br0 and br1000. I use IP forwarding on KVM0 to enable
>> access for all the other KVMs on br1000. This does also work.
>>
>>     Bridge "br1000"
>>         Controller "tcp:127.0.0.1:6633"
>>             is_connected: true
>>         Port "br1000"
>>             Interface "br1000"
>>                 type: internal
>>         Port "tap4"
>>             Interface "tap4"
>>         Port "tap1"
>>             Interface "tap1"
>>         Port "tap3"
>>             Interface "tap3"
>>         Port "tap2"
>>             Interface "tap2"
>>
>> What happens now is that I can see ARP requests and other traffic from
>> the outer network on br1000, which should (in my understanding) not be
>> visible on br1000. It should only be visible on br0. I can also see this
>> traffic from inside the KVMs connected to br1000 only.
>>
>> Some experiments I did:
>>
>> Removing KVM0's interface tap0 from br0 and adding it to br1000 fixes the
>> problem that I can see other traffic, but of course, access to the outer
>> network is not available from all KVMs.
>> Adding a patch connection between br0 and br1000 of course lets the traffic
>> appear again on both bridges and I have Internet access again.
>> I cannot see why my KVM0 should forward ARP requests to a different
>> Layer 3 network?!
>>
>> Can anyone point me in the right direction on what is going wrong here?
>> Is the setup in general OK? How can I achieve that I have isolated networks and
>> only IP forwarding between my outer network and the KVM networks?
>> If any further information is needed, I am happy to give it to you. I
>> have this setup ready and can do tests if needed.
>
> Did you see this question in the FAQ?
>
> ### Q: I configured one IP address on VLAN 0 and another on VLAN 9, like
> this:
>
>     ovs-vsctl add-br br0
>     ovs-vsctl add-port br0 eth0
>     ifconfig br0 192.168.0.5
>     ovs-vsctl add-port br0 vlan9 tag=9 -- set interface vlan9 type=internal
>     ifconfig vlan9 192.168.0.9
>
> but other hosts that are only on VLAN 0 can reach the IP address
> configured on VLAN 9. What's going on?
>
> A: RFC 1122 section 3.3.4.2 "Multihoming Requirements" describes two
> approaches to IP address handling in Internet hosts:
>
>   - In the "Strong ES Model", where an ES is a host ("End
>     System"), an IP address is primarily associated with a
>     particular interface. The host discards packets that arrive
>     on interface A if they are destined for an IP address that is
>     configured on interface B. The host never sends packets from
>     interface A using a source address configured on interface B.
>
>   - In the "Weak ES Model", an IP address is primarily associated
>     with a host. The host accepts packets that arrive on any
>     interface if they are destined for any of the host's IP
>     addresses, even if the address is configured on some
>     interface other than the one on which it arrived. The host
>     does not restrict itself to sending packets from an IP
>     address associated with the originating interface.
>
> Linux uses the weak ES model. That means that when packets
> destined to the VLAN 9 IP address arrive on eth0 and are bridged to
> br0, the kernel IP stack accepts them there for the VLAN 9 IP
> address, even though they were not received on vlan9, the network
> device for vlan9.
>
> To simulate the strong ES model on Linux, one may add iptables rules
> to filter packets based on source and destination address and
> adjust ARP configuration with sysctls.
>
> BSD uses the strong ES model.

_______________________________________________
discuss mailing list
discuss@openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss
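Added example (not from the thread and not Open vSwitch code): a small Python check that scans tcpdump-style ARP lines captured on a bridge and flags any address that lies outside that bridge's subnet, which is the symptom described above (192.168.0.0/24 ARP showing up on br1000, the 10.0.0.0/24 network). The bridge-to-subnet map follows the thread; the sample capture is constructed.

```python
"""Flag ARP traffic on a bridge whose addresses do not belong to that
bridge's subnet, e.g. 192.168.0.0/24 ARP showing up on br1000 (10.0.0.0/24).
Input lines are in the style of `tcpdump -i br1000 -n arp` output."""
import ipaddress
import re

# Expected subnet per bridge, as described in the thread (assumption:
# br0 = home LAN, br1000 = KVM-only network).
BRIDGE_SUBNETS = {
    "br0": ipaddress.ip_network("192.168.0.0/24"),
    "br1000": ipaddress.ip_network("10.0.0.0/24"),
}

# Matches both ARP requests and replies in tcpdump's default text format.
ARP_RE = re.compile(
    r"ARP, (?:Request who-has (?P<tgt>[0-9.]+) tell (?P<snd>[0-9.]+)"
    r"|Reply (?P<rsnd>[0-9.]+) is-at)"
)

def leaked_arp(bridge, lines):
    """Return (line, offending_ip, origin_bridge_or_None) for every ARP line
    whose target or sender lies outside the bridge's own subnet."""
    own = BRIDGE_SUBNETS[bridge]
    hits = []
    for line in lines:
        m = ARP_RE.search(line)
        if not m:
            continue  # not an ARP line, ignore
        addrs = [a for a in (m.group("tgt"), m.group("snd"), m.group("rsnd")) if a]
        for a in addrs:
            ip = ipaddress.ip_address(a)
            if ip in own:
                continue
            # Work out which other bridge this address belongs to, if any.
            origin = next((b for b, net in BRIDGE_SUBNETS.items() if ip in net), None)
            hits.append((line, a, origin))
            break  # one report per line is enough
    return hits

# Constructed sample capture from br1000 (not real data from the thread).
SAMPLE = [
    "13:02:11.120 ARP, Request who-has 10.0.0.5 tell 10.0.0.1, length 28",
    "13:02:11.121 ARP, Reply 10.0.0.5 is-at 52:54:00:aa:bb:01, length 28",
    "13:02:12.300 ARP, Request who-has 192.168.0.20 tell 192.168.0.7, length 28",
    "13:02:12.301 ARP, Request who-has 192.168.0.1 tell 192.168.0.33, length 28",
]

if __name__ == "__main__":
    for line, ip, origin in leaked_arp("br1000", SAMPLE):
        print(f"foreign ARP on br1000: {ip} (subnet of {origin}): {line}")
```

Running it against a real capture (`tcpdump -i br1000 -n arp -l | python3 this.py` after swapping SAMPLE for stdin) gives a quick count of how much br0 ARP is reaching the isolated bridge before and after each of the experiments described in the thread.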