On Mon, Aug 23, 2021 at 11:22 AM Vladislav Odintsov <odiv...@gmail.com> wrote:
>
> Hi,
>
> We’ve faced an issue where asymmetric-routed traffic is used. Please help 
> us understand what options we have to allow such traffic.
>
> The topology is as follows:
>
>                      client lsp (10.0.0.1/24)
>                                  |
>                             ls-external
>                             /         \
> lsp router vm1 eth0: 10.0.0.2/24     lsp router vm2 eth0: 10.0.0.3/24
> lsp router vm1 eth1: 192.168.0.1/24  lsp router vm2 eth1: 192.168.0.2/24
>                             \         /
>                             ls-internal
>                                  |
>                     server lsp (192.168.0.10/24)
>
>
> All LSPs have port_security configured with "<mac> 0.0.0.0/0 ::/0" and belong 
> to port group pg1.
>
> There are two ACLs within this PG:
> from-lport 0.0.0.0/0 allow-related
> to-lport 0.0.0.0/0 allow-related
>
> The problem is when traffic from client to server goes through router vm1 and 
> returns through router vm2, there is no connectivity. I see reply traffic on 
> the server interface, which is going to router vm2 mac address, but I don't 
> see it on the router vm2 interface.
> I guess the reason for this is that conntrack sees a packet for the 
> connection for the first time with the ACK+SYN flags set and treats this 
> packet as invalid, right?

I think so.

>
> If yes, is there any way to use asymmetric-routed topologies inside 
> OVN with stateful ACLs?
> I found there is an ability to replace the ct.inv field check: 
> https://github.com/ovn-org/ovn/commit/3bb91366a6b0d60df5ce8f9c7f6427f7d37dfdd4
> Is it a good idea to use this option to solve the issue, or is it intended 
> specifically for use with smart NICs without invalid state support and may 
> be removed in the future?
>

I do not understand your use case completely. I'm not quite clear
from the diagram which resources are external and which are part
of OVN. Have you tried using the ECMP routes feature?

Regarding the ct.inv flag, does it work when you disable the usage of ct.inv?

Thanks
Numan


If these routes are configured in the logical router, then
> Thanks.
>
> Regards,
> Vladislav Odintsov
>
> _______________________________________________
> discuss mailing list
> disc...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss