Hi John,

So I added a sub-interface to BD 0. The VLAN frame is received, but frames with a non-local MAC address are also received and processed.

vpp# show interface address
GigabitEthernet0/4/0 (up):
GigabitEthernet0/4/0.10 (up):
GigabitEthernet0/4/0.1 (dn):
  l2 bridge bd_id 0 shg 0
GigabitEthernet0/5/0 (up):
  192.168.1.1/24
GigabitEthernet0/6/0 (dn):
GigabitEthernet0/7/0 (dn):
local0 (dn):

I added a neighbor entry to the ARP table and sent a packet:

sendp(iface='ens6', x=Ether(src='02:00:00:00:00:02', dst='02:00:00:00:00:01')/IP(src='10.0.0.1', dst='192.168.1.2'))

00:25:12:769772: dpdk-input
  GigabitEthernet0/4/0 rx queue 0
  buffer 0x4ddc: current data 0, length 34, free-list 0, totlen-nifb 0, trace 0x1
  PKT MBUF: port 0, nb_segs 1, pkt_len 34
    buf_len 2176, data_len 34, ol_flags 0x0, data_off 128, phys_addr 0x54133600
    packet_type 0x0
  IP4: 02:00:00:00:00:02 -> 02:00:00:00:00:01
  IP6_HOP_BY_HOP_OPTIONS: 10.0.0.1 -> 192.168.1.2
    tos 0x00, ttl 64, length 20, checksum 0xaf3e
    fragment id 0x0001
00:25:12:769783: ethernet-input
  IP4: 02:00:00:00:00:02 -> 02:00:00:00:00:01
00:25:12:769790: ip4-input
  IP6_HOP_BY_HOP_OPTIONS: 10.0.0.1 -> 192.168.1.2
    tos 0x00, ttl 64, length 20, checksum 0xaf3e
    fragment id 0x0001
00:25:12:769792: ip4-lookup
  fib 0 dpo-idx 2 flow hash: 0x00000000
  IP6_HOP_BY_HOP_OPTIONS: 10.0.0.1 -> 192.168.1.2
    tos 0x00, ttl 64, length 20, checksum 0xaf3e
    fragment id 0x0001
00:25:12:769798: ip4-rewrite
  tx_sw_if_index 2 dpo-idx 2 : ipv4 via 192.168.1.2 GigabitEthernet0/5/0: IP4: fa:16:3e:16:91:49 -> 02:11:22:33:44:02 flow hash: 0x00000000
  IP4: fa:16:3e:16:91:49 -> 02:11:22:33:44:02
  IP6_HOP_BY_HOP_OPTIONS: 10.0.0.1 -> 192.168.1.2
    tos 0x00, ttl 63, length 20, checksum 0xb03e
    fragment id 0x0001
00:25:12:769800: GigabitEthernet0/5/0-output
  GigabitEthernet0/5/0
  IP4: fa:16:3e:16:91:49 -> 02:11:22:33:44:02
  IP6_HOP_BY_HOP_OPTIONS: 10.0.0.1 -> 192.168.1.2
    tos 0x00, ttl 63, length 20, checksum 0xb03e
    fragment id 0x0001
00:25:12:769804: GigabitEthernet0/5/0-tx
  GigabitEthernet0/5/0 tx queue 0
  buffer 0x4ddc: current data 0, length 34, free-list 0, totlen-nifb 0, trace 0x1
  IP4: fa:16:3e:16:91:49 -> 02:11:22:33:44:02
  IP6_HOP_BY_HOP_OPTIONS: 10.0.0.1 -> 192.168.1.2
    tos 0x00, ttl 63, length 20, checksum 0xb03e
    fragment id 0x0001

The L3 interface without an IP address processes and forwards packets. Isn’t it a security issue? I was unable to set a MAC address on the sub-if.

On http://dpdk.org/doc/guides/nics/virtio.html#features-and-limitations-of-virtio-pmd it says "Features of mac/vlan filter are supported", so shouldn’t the driver be configured in the create_vlan_subif command? Or could we set the VLAN filter off/on in startup.conf, similarly to vlan-offload?

Thanks,
Matej.

From: John Lo (loj)
Sent: March 9, 2017 16:33
To: Matej Klotton -X (mklotton - PANTHEON TECHNOLOGIES at Cisco) <mklot...@cisco.com>; vpp-dev@lists.fd.io
Cc: csit-...@lists.fd.io
Subject: RE: [vpp-dev] [csit-dev] VPP receive no tagged packet on Virtio interface

Hi Matej,

There is no VPP nor VAT CLI to put an interface into promiscuous mode. It is done automatically by VPP if either the main interface or more than 1 of the sub-interfaces is put in L2 mode. That’s why I was suggesting creating a dummy sub-interface and putting it into a BD. You can safely put this interface into BD 0, which is an always existing BD where incoming packets will always be dropped.

There is a Jira ticket, VPP-507, which asks for setting a MAC on a sub-interface, with some discussion there. With NICs I have used in the past, the main and sub-interfaces will share the same set of MACs on the interface. But it seems there may be a way to specify a specific MAC for a VLAN sub-interface. Ray Kinsella commented this can be done with virtual functions. I wonder if the virtio driver may need explicit config to accept VLAN packets with a specific MAC in non-promiscuous mode.

Regards,
John
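
One way to check a captured trace for the behaviour Matej describes, as an added example that is not part of the original thread or of VPP: this Python script parses `show trace` text and flags packets whose destination MAC at ethernet-input is unicast and not one of the receiving interface's own addresses, yet which still reached ip4-rewrite. The sample trace is constructed (abridged from the trace layout in the message above), and the local MAC 02:fe:00:00:00:01 is a placeholder assumption, since the thread does not state the MAC of GigabitEthernet0/4/0.

```python
import re

# Constructed sample, abridged from the trace layout in the message above.
SAMPLE_TRACE = """\
00:25:12:769772: dpdk-input
  GigabitEthernet0/4/0 rx queue 0
00:25:12:769783: ethernet-input
  IP4: 02:00:00:00:00:02 -> 02:00:00:00:00:01
00:25:12:769790: ip4-input
00:25:12:769798: ip4-rewrite
  tx_sw_if_index 2 dpo-idx 2 : ipv4 via 192.168.1.2 GigabitEthernet0/5/0
00:25:12:769804: GigabitEthernet0/5/0-tx
"""
# Assumption: placeholder MAC (lower case), the thread does not state the real one.
LOCAL_MACS = {"GigabitEthernet0/4/0": {"02:fe:00:00:00:01"}}

NODE_RE = re.compile(r"^\d\d:\d\d:\d\d:\d+: (\S+)\s*$")
RX_RE = re.compile(r"^\s*(\S+) rx queue \d+")
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
ETH_RE = re.compile(rf"{MAC} -> ({MAC})", re.I)

def parse_packet(text):
    """Collect rx interface, graph nodes visited and dst MAC at ethernet-input."""
    pkt = {"rx_if": None, "nodes": [], "dst_mac": None}
    for line in text.splitlines():
        node = NODE_RE.match(line)
        if node:
            pkt["nodes"].append(node.group(1))
        elif pkt["nodes"] and pkt["nodes"][-1] == "dpdk-input":
            m = RX_RE.match(line)
            pkt["rx_if"] = pkt["rx_if"] or (m and m.group(1))
        elif pkt["nodes"] and pkt["nodes"][-1] == "ethernet-input":
            m = ETH_RE.search(line)
            pkt["dst_mac"] = pkt["dst_mac"] or (m and m.group(1).lower())
    return pkt

def routed_foreign_unicast(pkt, local_macs):
    """True if a unicast frame not addressed to the rx port was still routed."""
    dst = pkt["dst_mac"]
    if not dst or not pkt["rx_if"]:
        return False
    is_group = int(dst[:2], 16) & 1          # multicast/broadcast bit set
    is_local = dst in local_macs.get(pkt["rx_if"], set())
    return "ip4-rewrite" in pkt["nodes"] and not is_group and not is_local

def flag_trace(text, local_macs):
    """Split `show trace` output on 'Packet N' headers and return flagged packets."""
    chunks = re.split(r"(?m)^Packet \d+\s*$", text)
    return [p for p in map(parse_packet, chunks) if routed_foreign_unicast(p, local_macs)]
```

An interface missing from the MAC table is treated as having no local addresses, so every routed unicast frame it received is flagged.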