On 08/08/2019 13:43, Felipe Arturo Polanco wrote:
> The hypervisor is the one that adds the ports to the switch I specify.
> 
> Is there a way to limit vlan tags being delivered to a fake bridge perhaps? I only want untagged traffic in the fake bridge.
> 
> 
> On Wed, Aug 7, 2019, 2:52 AM Matthias May via discuss <ovs-discuss@openvswitch.org> wrote:
> 
>     On 06/08/2019 17:12, Felipe Arturo Polanco wrote:
>     > Hello,
>     >
>     > This is for a hosting environment where we are using OVS bridges with KVM.
>     >
>     > I have two interfaces bonded together with LACP and allowing two VLANs.
>     > VLAN 500 public and VLAN 400 private.
>     > The native VLAN for this trunk port is VLAN 500*
>     >
>     > I need to find a way to limit trunk access on the VMs when they are
>     > connected to my bridge.
>     > If I add a tap0 interface to ovsbr0, I can see tagged traffic which is not good.
>     >
>     > I was thinking about adding a second bridge and connect both of them
>     > using a patch port but I still need to find a way to filter tagged
>     > frames and only allow untagged traffic on the second bridge.
>     >
>     > Any ideas how this can be done?
>     >
>     > Thanks,
>     > _______________________________________________
>     > discuss mailing list
>     > disc...@openvswitch.org <mailto:disc...@openvswitch.org>
>     > https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
>     >
> 
>     When you add the port, set
>     vlan_mode=access
>     tag=500
> 
>     BR
>     Matthias
> 

I highly suggest you read the documentation regarding vlan_mode, tag and trunk.

My answer is still to set the vlan_mode to access and set the tag.
It doesn't matter if the hypervisor adds the port or someone else.
You can set a config for a port even if it is not yet part of a bridge.

BR
Matthias
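
An added example, not part of the original thread or of Open vSwitch itself: an audit over `ovs-vsctl` JSON output that lists ports still behaving as trunks, using the documented rule that an empty `vlan_mode` with no `tag` means trunk. The uplink name `bond0`, the ports `tap1` to `tap3` and the sample data are constructed assumptions.

```python
import json

# Constructed sample of the output of:
#   ovs-vsctl --format=json --columns=name,vlan_mode,tag,trunks list Port
# OVSDB JSON encodes an unset optional column as ["set", []].
SAMPLE = json.dumps({
    "headings": ["name", "vlan_mode", "tag", "trunks"],
    "data": [
        ["bond0", ["set", []], ["set", []], ["set", [400, 500]]],  # uplink (assumed name)
        ["tap0", ["set", []], ["set", []], ["set", []]],           # default config
        ["tap1", "access", 500, ["set", []]],
        ["tap2", ["set", []], 500, ["set", []]],
        ["tap3", "native-untagged", 500, 400],
    ],
})

def _unwrap(cell):
    """Return None for an empty OVSDB set, a list for a multi-value set, else the scalar."""
    if isinstance(cell, list) and len(cell) == 2 and cell[0] == "set":
        return cell[1] or None
    return cell

def effective_mode(vlan_mode, tag):
    """An empty vlan_mode defaults to access when tag is set, otherwise trunk."""
    if vlan_mode:
        return vlan_mode
    return "access" if tag is not None else "trunk"

def audit(raw_json, uplinks=("bond0",)):
    """Return (port, mode, trunks) for every non-uplink port that is not an access port."""
    table = json.loads(raw_json)
    findings = []
    for row in table["data"]:
        rec = {h: _unwrap(c) for h, c in zip(table["headings"], row)}
        mode = effective_mode(rec["vlan_mode"], rec["tag"])
        if rec["name"] in uplinks or mode == "access":
            continue
        trunks = rec["trunks"]
        if trunks is None:
            vlans = "all"  # an empty trunks column means the port trunks all VLANs
        else:
            vlans = trunks if isinstance(trunks, list) else [trunks]
        findings.append((rec["name"], mode, vlans))
    return findings

if __name__ == "__main__":
    for name, mode, vlans in audit(SAMPLE):
        print(f"{name}: mode={mode}, trunks={vlans}; fix: "
              f"ovs-vsctl set port {name} vlan_mode=access tag=<vlan>")
```
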