Hi,

   I would like to discuss the port security setting.

 The recommended sequence of operations:
  1. Create a neutron port (with port security disabled).
  2. Launch the monitoring VM and attach it to this port.
  3. Create a tap-service instance whose destination port
     is the monitoring VM's port.

 But at our site, a monitoring VM can receive mirrored packets
 without disabling port security.

 What I found:
  1) When port security is enabled, entries to enforce
     anti-IP-spoofing are added to the iptables of a Linux bridge
     when a VM is launched.

     It looks like this:
      INPUT:
       Chain neutron-openvswi-s12345678-9 (1 references)
        RETURN all -- 192.168.1.10 anywhere MAC aa:bb:cc:dd:ee:ff /* Allow traffic from defined IP/MAC pairs. */
        DROP   all -- anywhere     anywhere                       /* Drop traffic without an IP/MAC allow rule. */

     Note that these entries are effective only for the egress
     direction from the VM.

  2) On the other hand, the MAC learning mechanism will drop
     ingress packets if the destination MAC address doesn't match
     the monitoring VM.

     During the tap-service creation process, MAC address learning
     is disabled (at line 251 in
     neutron_taas/services/taas/drivers/linux/ovs_taas.py).
     Therefore, a monitoring VM can receive mirrored packets
     from source VMs.

 As a result, I think the first operation (disabling port security)
 is not required for a monitoring VM to receive mirrored packets.

 Is my understanding right?

 Regards,
 Soichi Shigeta



__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
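The egress-only behaviour of the anti-spoofing chain described in the post can be checked on a compute node rather than taken on trust. The following Python script is an added example written for this page; it is not code from the post, from neutron or from neutron-taas. It parses an iptables-save dump, walks the jump graph back from the per-port neutron-openvswi-s<port> chain to the physdev match that gates it, and then evaluates sample packets against the chain. The embedded dump is constructed to mimic a host running the OVS hybrid (Linux bridge plus iptables) firewall driver; the port id 12345678-9, the tap name, the IP address and the MAC address are illustrative.

```python
"""Which direction does Neutron's per-port anti-spoofing chain apply to?

Added example (not from the mailing-list post, neutron or neutron-taas).
The iptables-save text below is constructed, not captured from a real host.
"""
import ipaddress
import re
import sys
from collections import defaultdict

PORT_ID = '12345678-9'   # assumed port id prefix used in the constructed dump

# Constructed iptables-save excerpt for one VM port with port security on.
SAMPLE_IPTABLES_SAVE = """\
*filter
:FORWARD ACCEPT [0:0]
:neutron-openvswi-FORWARD - [0:0]
:neutron-openvswi-sg-chain - [0:0]
:neutron-openvswi-i12345678-9 - [0:0]
:neutron-openvswi-o12345678-9 - [0:0]
:neutron-openvswi-s12345678-9 - [0:0]
-A FORWARD -j neutron-openvswi-FORWARD
-A neutron-openvswi-FORWARD -m physdev --physdev-out tap12345678-9 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
-A neutron-openvswi-FORWARD -m physdev --physdev-in tap12345678-9 --physdev-is-bridged -m comment --comment "Direct traffic from the VM interface to the security group chain." -j neutron-openvswi-sg-chain
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap12345678-9 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-i12345678-9
-A neutron-openvswi-sg-chain -m physdev --physdev-in tap12345678-9 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-o12345678-9
-A neutron-openvswi-o12345678-9 -j neutron-openvswi-s12345678-9
-A neutron-openvswi-s12345678-9 -s 192.168.1.10/32 -m mac --mac-source AA:BB:CC:DD:EE:FF -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-openvswi-s12345678-9 -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP
COMMIT
"""

RULE_RE = re.compile(r'^-A (\S+) (.*)$')
COMMENT_RE = re.compile(r'-m comment --comment "[^"]*"')


def parse_iptables_save(text):
    """Return {chain: [rule, ...]} in rule order, keeping only the matches we need."""
    chains = defaultdict(list)
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue                      # table headers, chain decls, COMMIT
        chain, body = m.groups()
        body = COMMENT_RE.sub('', body)   # comment text must not be tokenised
        rule = {'chain': chain, 'target': None, 'src': None, 'mac': None,
                'physdev_in': None, 'physdev_out': None}
        toks = body.split()
        for i, tok in enumerate(toks):
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if tok == '-j':
                rule['target'] = nxt
            elif tok == '-s':
                rule['src'] = ipaddress.ip_network(nxt, strict=False)
            elif tok == '--mac-source':
                rule['mac'] = nxt.lower()
            elif tok == '--physdev-in':
                rule['physdev_in'] = nxt
            elif tok == '--physdev-out':
                rule['physdev_out'] = nxt
        chains[chain].append(rule)
    return chains


def gating_directions(chains, target_chain):
    """Set of VM-facing directions ('egress'/'ingress') from which target_chain is reached.

    Follows '-j' references backwards until a physdev match is found.
    --physdev-in <tap> sees frames entering the bridge from the VM (VM egress);
    --physdev-out <tap> sees frames leaving the bridge towards the VM (VM ingress).
    """
    seen, found, stack = set(), set(), [target_chain]
    while stack:
        chain = stack.pop()
        if chain in seen:
            continue
        seen.add(chain)
        for rules in chains.values():
            for r in rules:
                if r['target'] != chain:
                    continue
                if r['physdev_in']:
                    found.add('egress')
                elif r['physdev_out']:
                    found.add('ingress')
                else:
                    stack.append(r['chain'])  # keep walking up the jump graph
    return found


def spoof_verdict(chains, spoof_chain, src_ip, src_mac):
    """Walk the anti-spoof chain top to bottom the way the kernel would."""
    ip, mac = ipaddress.ip_address(src_ip), src_mac.lower()
    for r in chains[spoof_chain]:
        if r['src'] is not None and ip not in r['src']:
            continue
        if r['mac'] is not None and mac != r['mac']:
            continue
        return r['target']
    return 'RETURN'   # falling off the end of a user chain returns to the caller


def classify(chains, port_id, direction, src_ip, src_mac):
    """'RETURN' (allowed), 'DROP', or 'NOT_CHECKED' if the chain never sees that direction."""
    spoof_chain = 'neutron-openvswi-s' + port_id
    if direction not in gating_directions(chains, spoof_chain):
        return 'NOT_CHECKED'
    return spoof_verdict(chains, spoof_chain, src_ip, src_mac)


if __name__ == '__main__':
    text = '' if sys.stdin.isatty() else sys.stdin.read()
    chains = parse_iptables_save(text or SAMPLE_IPTABLES_SAVE)
    print('anti-spoof chain gated on:', sorted(gating_directions(chains, 'neutron-openvswi-s' + PORT_ID)))
    for direction, ip, mac in [('egress', '192.168.1.10', 'aa:bb:cc:dd:ee:ff'),
                               ('egress', '192.168.1.99', 'aa:bb:cc:dd:ee:ff'),
                               ('ingress', '10.0.0.5', '00:11:22:33:44:55')]:
        print(direction, ip, mac, '->', classify(chains, PORT_ID, direction, ip, mac))
```

On a real compute node, pipe the live ruleset in (`iptables-save | python3 spoof_chain_check.py`, the file name being whatever you saved the script as) and set PORT_ID to the first eleven characters of the monitoring port's UUID. A mirrored frame from another VM is an ingress frame for the monitoring port and reports NOT_CHECKED, which is the egress-only property the post relies on. The script says nothing about the second mechanism in the post, bridge MAC learning; that is handled by the TaaS driver, not by iptables.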