On Wed, Aug 17, 2016 at 10:31:34PM +0200, Bolesław Tokarski wrote:
> Hello,
>
> I have a couple of physical machines on the Internet, connected together
> with IPsec-GRE tunnels. The tunnels are executed from my OpenVSwitch bridge
> 'tunnels', on which I have a dedicated port '1' that connects local
> machines (VMs sitting on another ovs bridge actually, but it's out of scope
> of the problem).
>
> The bridge configuration looks like this:
>     Bridge tunnels
>         Port "patch0"
>             Interface "patch0"
>                 type: patch
>                 options: {peer="patch1"}
>         Port "gre6"
>             Interface "gre6"
>                 type: ipsec_gre
>                 options: {psk="secret", remote_ip="1.1.1.1"}
>         Port "gre4"
>             Interface "gre4"
>                 type: ipsec_gre
>                 options: {psk="secret", remote_ip="2.2.2.2"}
>         Port tunnels
>             Interface tunnels
>                 type: internal
>
> As each of the tunnels link to the other physical machine "directly"
> through the Internet, forming a full-mesh logical topology, I have no use
> of Spanning-Tree - this would make all traffic pass through a single
> physical machine elected as the root bridge. So, what I did was:
>
> ovs-ofctl del-flows tunnels
> ovs-ofctl add-flow tunnels "in_port=1 actions=normal"
> ovs-ofctl add-flow tunnels "actions=output:1"
>
> In my view this was supposed to handle my specific use case - when traffic
> comes from my local network, it is passed along normal MAC-learning port,
> so flooding the tunnels with ARP request, response would get through one of
> the tunnel-ports, and would be directed to the local network (port 1).
> Traffic following it would be directed to the appropriate port, since the
> bridge would learn on which port the MAC address sits.
>
> However, it seems that when actions=output:1 is specified, the bridge does
> not learn the MAC address of the incoming frame, and all the traffic from
> port 1 is always flooding all the tunnels.
>
> I found the very good set of examples in the provided "Tutorial.md" file,
> which seems to cover this case, but it seems to require very complex rule
> definition for something that seems pretty easy - just tell the switch to
> learn the MAC before putting it through.
>
> Is it possible to make NORMAL action learn source MAC addresses and tell it
> which port to direct the traffic at the same time? Something like:
>
> ovs-ofctl add-flow tunnels "actions=learn(src_mac),1"
>
> If this setup does require re-writing the NORMAL action, is it possible to
> display the flow rules that govern the NORMAL action internally?

OVS doesn't have that kind of a feature yet. It's been suggested once or twice but no one has come forward with an implementation.
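
The flooding described in the question, as an added example that is not part of the original thread and is not OVS code: a simplified Python model of the two flows, assuming MAC learning happens only when a frame is handled by the NORMAL action. The `Bridge` class, the `learn_on_tunnel_ingress` switch and the MAC addresses are constructed for illustration.

```python
# Simplified model (assumption, not OVS internals): the forwarding database
# is updated only when a frame is processed by the NORMAL action.
TUNNELS = ["gre4", "gre6"]
LOCAL = 1  # port 1, the patch port towards the local network


class Bridge:
    def __init__(self, learn_on_tunnel_ingress):
        self.fdb = {}  # learned MAC -> port
        # Hypothetical switch: models the behaviour the poster asked for.
        self.learn_on_tunnel_ingress = learn_on_tunnel_ingress

    def normal(self, in_port, src, dst):
        """L2 learning switch: learn the source, look up the destination."""
        self.fdb[src] = in_port
        out = self.fdb.get(dst)
        if out is None:  # unknown or broadcast destination: flood
            return [p for p in [LOCAL] + TUNNELS if p != in_port]
        return [] if out == in_port else [out]

    def receive(self, in_port, src, dst):
        if in_port == LOCAL:  # flow: in_port=1 actions=normal
            return self.normal(in_port, src, dst)
        if self.learn_on_tunnel_ingress:
            self.fdb[src] = in_port
        return [LOCAL]  # flow: actions=output:1 (no learning happens here)


def exchange(bridge):
    """Local VM broadcasts, a host behind gre4 replies, the VM sends unicast."""
    vm = "52:54:00:00:00:01"      # constructed sample MAC (local VM)
    remote = "52:54:00:00:00:02"  # constructed sample MAC (host behind gre4)
    first = bridge.receive(LOCAL, vm, "ff:ff:ff:ff:ff:ff")
    reply = bridge.receive("gre4", remote, vm)
    second = bridge.receive(LOCAL, vm, remote)
    return first, reply, second


if __name__ == "__main__":
    print("posted flows:     ", exchange(Bridge(False)))
    print("learn on ingress: ", exchange(Bridge(True)))
```

With the posted flows the unicast frame still goes out of every tunnel, because the reply's source MAC never entered the table; with learning on tunnel ingress it leaves through `gre4` only.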