Please read the mail content and not only the title. This is what I tried to do. Thank you for your answer.
________________________________
From: George Shuklin [mailto:george.shuk...@gmail.com]
Sent: Sunday, February 15, 2015 9:13 PM
To: openstack-operators@lists.openstack.org
Subject: Re: [Openstack-operators] Is it possible to port mirror to a vm?

The answer is 'yes' and 'no'.

No, openstack (neutron/nova-networks) has no such abstraction.

Yes, you can do it with openvswitch at the compute host manually (until VM reboot).

Quote from ovs-vsctl manpage:

Port Mirroring
Mirror all packets received or sent on eth0 or eth1 onto eth2, assuming that all of those ports exist on bridge br0 (as a side-effect this causes any packets received on eth2 to be ignored):

    ovs-vsctl -- set Bridge br0 mirrors=@m \
        -- --id=@eth0 get Port eth0 \
        -- --id=@eth1 get Port eth1 \
        -- --id=@eth2 get Port eth2 \
        -- --id=@m create Mirror name=mymirror select-dst-port=@eth0,@eth1 select-src-port=@eth0,@eth1 output-port=@eth2

On 02/15/2015 07:34 PM, Yaron Illouz wrote:

Hi

Is it possible to port mirror to a vm?

I generate traffic from vm1 to vm2, and I am trying to mirror the traffic of vm1 to vm3. I want vm3 to receive traffic that is not destined for it - neither its IP nor its MAC address.

I am trying to do port mirroring between vms created with openstack. I did it with the openvswitch. Packets are copied to the mirrored qvo, qvb and qbr but don't reach the tap. From the iptables output it doesn't seem to be dropped in one of the chains or in the fallback.

The problem: I do see the mirrored traffic in qvo, qvb and qbr (in tcpdump) but it doesn't pass to the tap.

I tried to insert allowed-pairs to the port, but what I really need is to define it in "promiscuous" mode. But even with allowed-pairs, traffic doesn't reach vm3. I also tried to hairpin but it didn't help.

    brctl hairpin qbr3ede5b3e tap3ede5b3e on

Here are some details about my test.

Openstack RDO juno on Centos 7

Neutron port list:

    | 3ede5b3e-396e-48a9-b24a-6cb2dc7509fe | | fa:16:3e:3b:34:de | {"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address": "10.67.82.2"} |
    | 435f35c6-80be-47ee-b30f-8376e1ea78d9 | | fa:16:3e:41:fd:59 | {"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address": "10.67.82.5"} |
    | bd80bab5-424d-4e5c-8993-b8bb8c6f3e49 | | fa:16:3e:f7:4f:ea | {"subnet_id": "f960ee77-77a8-45c1-8eef-e3878f0bea9f", "ip_address": "10.67.82.3"} |

Command that I ran to do the port mirroring:

    ovs-vsctl -- set Bridge br-int mirrors=@m \
        -- --id=@qvobd80bab5-42 get Port qvobd80bab5-42 \
        -- --id=@qvo3ede5b3e-39 get Port qvo3ede5b3e-39 \
        -- --id=@m create Mirror name=mymirror select-dst-port=@qvobd80bab5-42 select-src-port=@qvobd80bab5-42 output-port=@qvo3ede5b3e-39

This is the iptables output, filtered; you can see I added an allowed address pair.

    3     3518  919K neutron-openvswi-sg-chain  all  --  *  *  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out tap3ede5b3e-39 --physdev-is-bridged
    4        4  1358 neutron-openvswi-sg-chain  all  --  *  *  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in tap3ede5b3e-39 --physdev-is-bridged
    Chain neutron-openvswi-INPUT (1 references)
    --
    2        0     0 neutron-openvswi-o3ede5b3e-3  all  --  *  *  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in tap3ede5b3e-39 --physdev-is-bridged
    3        0     0 neutron-openvswi-o7e200e92-4  all  --  *  *  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in tap7e200e92-44 --physdev-is-bridged
    4        0     0 neutron-openvswi-o435f35c6-8  all  --  *  *  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in tap435f35c6-80 --physdev-is-bridged
    5        0     0 neutron-openvswi-o6a1bb345-9  all  --  *  *  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in tap6a1bb345-93 --physdev-is-bridged
    6        0     0 neutron-openvswi-ofc0a7800-a  all  --  *  *  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in tapfc0a7800-a0 --physdev-is-bridged
    Chain neutron-openvswi-OUTPUT (1 references)
    num   pkts bytes target  prot opt in  out  source  destination
    Chain neutron-openvswi-i3ede5b3e-3 (1 references)
    num   pkts bytes target  prot opt in  out  source  destination
    1        0     0 DROP    all  --  *  *  0.0.0.0/0  0.0.0.0/0  state INVALID
    2       91  8550 RETURN  all  --  *  *  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
    3        0     0 RETURN  udp  --  *  *  10.67.82.4  0.0.0.0/0  udp spt:67 dpt:68
    4        0     0 RETURN  icmp --  *  *  0.0.0.0/0  0.0.0.0/0
    5        0     0 RETURN  tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  tcp multiport dports 1:65535
    6     3416  907K RETURN  all  --  *  *  0.0.0.0/0  0.0.0.0/0  match-set IPv4ecb94f49-0fdd-4f6f-b src
    7        9  3054 neutron-openvswi-sg-fallback  all  --  *  *  0.0.0.0/0  0.0.0.0/0
    --
    Chain neutron-openvswi-o3ede5b3e-3 (2 references)
    num   pkts bytes target  prot opt in  out  source  destination
    1        4  1358 RETURN  udp  --  *  *  0.0.0.0/0  0.0.0.0/0  udp spt:68 dpt:67
    2        0     0 neutron-openvswi-s3ede5b3e-3  all  --  *  *  0.0.0.0/0  0.0.0.0/0
    3        0     0 DROP    udp  --  *  *  0.0.0.0/0  0.0.0.0/0  udp spt:67 dpt:68
    4        0     0 DROP    all  --  *  *  0.0.0.0/0  0.0.0.0/0  state INVALID
    5        0     0 RETURN  all  --  *  *  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
    6        0     0 RETURN  all  --  *  *  0.0.0.0/0  0.0.0.0/0
    7        0     0 neutron-openvswi-sg-fallback  all  --  *  *  0.0.0.0/0  0.0.0.0/0
    --
    Chain neutron-openvswi-s3ede5b3e-3 (1 references)
    num   pkts bytes target  prot opt in  out  source  destination
    1        0     0 RETURN  all  --  *  *  10.67.82.0/24  0.0.0.0/0  MAC FA:16:3E:41:FD:59
    2        0     0 RETURN  all  --  *  *  10.67.82.2     0.0.0.0/0  MAC FA:16:3E:3B:34:DE
    3        0     0 DROP    all  --  *  *  0.0.0.0/0      0.0.0.0/0
    --
    3     3518  919K neutron-openvswi-i3ede5b3e-3  all  --  *  *  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out tap3ede5b3e-39 --physdev-is-bridged
    4        4  1358 neutron-openvswi-o3ede5b3e-3  all  --  *  *  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in tap3ede5b3e-39 --physdev-is-bridged
    .
    13    397M 1617G ACCEPT  all  --  *  *  0.0.0.0/0  0.0.0.0/0
    --
    error=`neutron-openvswi-i3ede5b3e-3'
    Entry 63 (19664):
    SRC IP: 0.0.0.0/0.0.0.0
    DST IP: 0.0.0.0/0.0.0.0
    Interface: `'/................to `'/................
    Protocol: 0
    Flags: 00
    Invflags: 00
    Counters: 0 packets, 0 bytes
    Cache: 00000000
    --
    error=`neutron-openvswi-o3ede5b3e-3'
    Entry 119 (32280):
    SRC IP: 0.0.0.0/0.0.0.0
    DST IP: 0.0.0.0/0.0.0.0
    Interface: `'/................to `'/................
    Protocol: 17
    Flags: 00
    Invflags: 00
    Counters: 4 packets, 1358 bytes
    Cache: 00000000
    --
    error=`neutron-openvswi-s3ede5b3e-3'
    Entry 173 (43608):
    SRC IP: 10.67.82.0/255.255.255.0
    DST IP: 0.0.0.0/0.0.0.0
    Interface: `'/................to `'/................
    Protocol: 0
    Flags: 00
    Invflags: 00
    Counters: 0 packets, 0 bytes
    Cache: 00000000

The tcpdump traces show proper traffic flow from MAC/IP fa:16:3e:f7:4f:ea/10.67.82.3 to fa:16:3e:41:fd:59/10.67.82.5, going into a bridge/switch that has a nic with MAC/IP fa:16:3e:3b:34:de/10.67.82.2 connected to its other port.

I thought the allowed address pair I added would allow this traffic -> you can see it in neutron-openvswi-s3ede5b3e-3 (1 0 0 RETURN all -- * * 10.67.82.0/24 0.0.0.0/0 MAC FA:16:3E:41:FD:59).

In tcpdump:

    tcpdump -e -n -vvv -i qbr3ede5b3e-39 | more
    tcpdump: WARNING: qbr3ede5b3e-39: no IPv4 address assigned
    tcpdump: listening on qbr3ede5b3e-39, link-type EN10MB (Ethernet), capture size 65535 bytes
    08:20:57.102453 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 90: (tos 0x48, ttl 255, id 33035, offset 0, flags [none], proto UDP (17), length 76)
        10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 48
    08:20:57.103052 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 56: (tos 0xb8, ttl 64, id 9181, offset 0, flags [none], proto UDP (17), length 42)
        10.67.82.3.gtp-control > 10.67.82.5.gtp-control: [udp sum ok] UDP, length 14
    08:20:57.103363 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 193: (tos 0x48, ttl 255, id 61276, offset 0, flags [none], proto UDP

    tcpdump -e -n -vvv -i qvo3ede5b3e-39 | more
    tcpdump: WARNING: qvo3ede5b3e-39: no IPv4 address assigned
    tcpdump: listening on qvo3ede5b3e-39, link-type EN10MB (Ethernet), capture size 65535 bytes
    08:20:35.852117 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 125: (tos 0x48, ttl 255, id 40524, offset 0, flags [none], proto UDP (17), length 111)
        10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 83
    08:20:35.852323 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 626: (tos 0x48, ttl 255, id 13595, offset 0, flags [none], proto UDP (17), length 612)
        10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 584
    08:20:35.852337 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 626: (tos 0x48, ttl 255, id 13596, offset 0, flags [none], proto UDP (17), length 612)

    tcpdump -e -n -vvv -i qvb3ede5b3e-39 | more
    tcpdump: WARNING: qvb3ede5b3e-39: no IPv4 address assigned
    tcpdump: listening on qvb3ede5b3e-39, link-type EN10MB (Ethernet), capture size 65535 bytes
    08:19:52.633158 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 98: (tos 0x48, ttl 255, id 24950, offset 0, flags [none], proto UDP (17), length 84)
        10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 56
    08:19:52.633173 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 90: (tos 0x48, ttl 255, id 2289, offset 0, flags [none], proto UDP (17), length 76)
        10.67.82.3.brdptc > 10.67.82.5.gtp-user: [udp sum ok] UDP, length 48
    08:19:52.633376 fa:16:3e:f7:4f:ea > fa:16:3e:41:fd:59, ethertype IPv4 (0x0800), length 98: (tos 0x48, ttl 255, id 51798, offset 0, flags [none], proto UDP (17), length 84)

_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
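As an added example (not code from the thread or from Neutron), a small Python reader for filtered `iptables -nvL --line-numbers` output like the one posted above: it reports rules with non-zero DROP or sg-fallback counters and rules that never matched, which is the check the thread does by eye. The sample chains and their counters are constructed for the demo, modelled on the posted excerpt.

```python
# Constructed sample modelled on the filtered `iptables -nvL --line-numbers` excerpt
# in the thread (neutron security-group chains for one tap); counters are illustrative.
SAMPLE = """\
Chain neutron-openvswi-i3ede5b3e-3 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
2     3416  907K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set IPv4ecb94f49-0fdd-4f6f-b src
3        9  3054 neutron-openvswi-sg-fallback  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain neutron-openvswi-s3ede5b3e-3 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  *      *       10.67.82.0/24        0.0.0.0/0            MAC FA:16:3E:41:FD:59
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain neutron-openvswi-sg-fallback (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        9  3054 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}  # iptables counter abbreviations

def to_int(tok):
    """Expand an iptables counter such as '907K' into an integer."""
    return int(float(tok[:-1]) * SUFFIX[tok[-1]]) if tok[-1] in SUFFIX else int(tok)

def parse_chains(text):
    """Map chain name -> list of rule dicts from `iptables -nvL --line-numbers` output."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current and line[:1].isdigit():
            # columns: num pkts bytes target prot opt in out source destination [match ...]
            f = line.split(None, 10)
            if len(f) >= 10:
                chains[current].append({"num": int(f[0]), "pkts": to_int(f[1]),
                                        "bytes": to_int(f[2]), "target": f[3],
                                        "src": f[8], "dst": f[9],
                                        "match": f[10] if len(f) > 10 else ""})
    return chains

def find_drops(chains):
    """(chain, rule, pkts, match) for each rule that discarded traffic: a DROP with a
    non-zero counter, or a non-zero jump into neutron's sg-fallback chain (which drops)."""
    return [(name, r["num"], r["pkts"], r["match"])
            for name, rules in chains.items() for r in rules
            if r["pkts"] and (r["target"] == "DROP" or r["target"].endswith("sg-fallback"))]

def zero_hit_rules(chains, name):
    """Rule numbers in chain `name` that never matched (e.g. an allowed-address-pair MAC rule)."""
    return [r["num"] for r in chains.get(name, []) if r["pkts"] == 0]
```

Run it against the real output with `parse_chains(open("iptables.txt").read())`; an all-zero egress chain such as the s-chain above means the mirrored frames were never evaluated there, so the allowed-address-pair rule cannot be what is stopping them.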