[ovs-discuss] OVN/OVS tunnel to public cloud provider

2023-02-14 Thread Gavin McKee via discuss
Hi,

Is it possible to connect an IPSEC tunnel from a Public cloud provider such
as Azure, AWS / GCP to an OVN logical router?

I need to be able to route between a subnet in Azure / GCP and a subnet in
OVN?

Has anyone been able to achieve this, and if so can you provide an example
configuration?

Gav

Disclaimer

The information contained in this communication from the sender is 
confidential. It is intended solely for use by the recipient and others 
authorized to receive it. If you are not the recipient, you are hereby notified 
that any disclosure, copying, distribution or taking action in relation of the 
contents of this information is strictly prohibited and may be unlawful.

This email has been scanned for viruses and malware, and may have been 
automatically archived by Mimecast, a leader in email security and cyber 
resilience. Mimecast integrates email defenses with brand protection, security 
awareness training, web security, compliance and other essential capabilities. 
Mimecast helps protect large and small organizations from malicious activity, 
human error and technology failure; and to lead the movement toward building a 
more resilient world. To find out more, visit our website.
___
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss


[ovs-discuss] OVSIntPort not responding to ARP

2023-02-14 Thread andre--- via discuss
Hello,

A configured OVSIntPort with IP address is not responding to ARP, if RSTP is 
enabled.
Without RSTP everything is working fine.

When I add RSTP, the OVSIntPort is not responding to ARP requests any more. I 
can only initiate connections from the host to the other destinations.

OVS version 2.15 (default debian package)

regards
André


[ovs-discuss] Tunnel interface was deleted and recreated during ovs-vswitchd starts up

2023-02-14 Thread 张祖建 via discuss
Hi all,
I'm investigating packet drop during ovs restart/upgrade and found that the
Geneve interface genev_sys_6082 was deleted and recreated when ovs-vswitchd
starts up:


root@node1:/root# ip -c a show genev_sys_6081
17: genev_sys_6081:  mtu 65000 qdisc noqueue master ovs-system state UNKNOWN group default qlen 1000
    link/ether fa:1e:c7:a8:da:49 brd ff:ff:ff:ff:ff:ff
root@node1:/root# ip monitor dev genev_sys_6081
17: genev_sys_6081:  mtu 65000 qdisc noqueue state UNKNOWN group default
    link/ether fa:1e:c7:a8:da:49 brd ff:ff:ff:ff:ff:ff
17: genev_sys_6081:  mtu 65000 qdisc noqueue state UNKNOWN group default
    link/ether fa:1e:c7:a8:da:49 brd ff:ff:ff:ff:ff:ff
17: genev_sys_6081:  mtu 65000 qdisc noqueue state DOWN group default
    link/ether fa:1e:c7:a8:da:49 brd ff:ff:ff:ff:ff:ff
Deleted 17: genev_sys_6081:  mtu 65000 qdisc noop state DOWN group default
    link/ether fa:1e:c7:a8:da:49 brd ff:ff:ff:ff:ff:ff
^C
root@node1:/root# ip -c a show genev_sys_6081
18: genev_sys_6081:  mtu 65000 qdisc noqueue master ovs-system state UNKNOWN group default qlen 1000
    link/ether 7a:b4:13:b8:c0:4f brd ff:ff:ff:ff:ff:ff


Is this behavior by design? How can I avoid tunnel interface recreation?


Re: [ovs-discuss] openvswitch: ovs-system: deferred action limit reached, drop recirc action

2023-02-14 Thread Satish Patel via discuss
Any thoughts here?

On Fri, Feb 10, 2023 at 11:08 AM Satish Patel  wrote:

> Hi Frode,
>
> This is my OVN version.
>
> (ovn-northd)[root@ctrl3 /]# dpkg -l | grep ovn
> ii  ovn-central  22.09.0-0ubuntu1~cloud0  amd64  OVN central components
> ii  ovn-common   22.09.0-0ubuntu1~cloud0  amd64  OVN common components
>
> On Fri, Feb 10, 2023 at 3:42 AM Frode Nordahl 
> wrote:
>
>> On Fri, Feb 10, 2023 at 4:47 AM Satish Patel via discuss
>>  wrote:
>> >
>> > Folks,
>> >
>> > I am running the openstack Zed release using kolla and using OVN for
>> > networking. I have noticed the following error in dmesg very frequently.
>> > Does it indicate any bug, or is it safe to ignore? Even if there is a loop then
>> > how do I detect or troubleshoot? I saw a similar thread but no solution
>> > https://www.mail-archive.com/ovs-discuss@openvswitch.org/msg08578.html
>> >
>> > [Fri Feb 10 03:34:57 2023] openvswitch: ovs-system: deferred action limit reached, drop recirc action
>> > [Fri Feb 10 03:34:57 2023] openvswitch: ovs-system: deferred action limit reached, drop recirc action
>> > [Fri Feb 10 03:35:07 2023] openvswitch: ovs-system: deferred action limit reached, drop recirc action
>> >
>> >
>> > (openvswitch-vswitchd)[root@ctrl1 /]# ovs-vsctl --version
>> > ovs-vsctl (Open vSwitch) 3.0.1
>> > DB Schema 8.3.0
>> >
>> > (openvswitch-vswitchd)[root@ctrl1 /]# ovs-vswitchd --version
>> > ovs-vswitchd (Open vSwitch) 3.0.1
>>
>> What version of OVN are you using? I believe this issue has been fixed
>> on the main branch by [0].
>>
>> 0:
>> https://github.com/ovn-org/ovn/commit/8c341b9d704cdf002126699527308203319954f0
>>
>> --
>> Frode Nordahl
>>
>> >
>> > (openvswitch-vswitchd)[root@ctrl1 /]# cat /etc/lsb-release
>> > DISTRIB_ID=Ubuntu
>> > DISTRIB_RELEASE=22.04
>> > DISTRIB_CODENAME=jammy
>> > DISTRIB_DESCRIPTION="Ubuntu 22.04.1 LTS"


Re: [ovs-discuss] OVN/OVS tunnel to public cloud provider

2023-02-14 Thread Satish Patel via discuss
Seems like OVN does support IPsec tunnel based on doc but may need to
figure out how to integrate with your use case [1]

[1] https://docs.ovn.org/en/latest/tutorials/ovn-ipsec.html



Re: [ovs-discuss] OVN/OVS tunnel to public cloud provider

2023-02-14 Thread Gavin McKee via discuss
Satish,

We are using the Mellanox Connect X6 card / possibly we can use bluefield2
card to do IPSEC hardware offload. So somehow we could build a tunnel to
a server with StrongSwan IPSEC. The key thing is to tie this IPSEC
interface into the OVN/OVS setup and somehow associate it with a customer's
virtual router.

Am I even thinking of this the correct way?

Gav




Re: [ovs-discuss] OVN/OVS tunnel to public cloud provider

2023-02-14 Thread Numan Siddique via discuss
Looks like this would require BGP to exchange the routes?

I'm not sure. I may be wrong. Adding @Daniel Alvarez Sanchez if he
has any comments as he worked on supporting BGP in Openstack with OVN.

Thanks
Numan




Re: [ovs-discuss] OVN/OVS tunnel to public cloud provider

2023-02-14 Thread Gavin McKee via discuss
Hi Numan,

I'd be happy to start with static routes, as long as I can get the
connectivity in place i.e. be able to connect a VM on a logical switch to a
VM in a public cloud via IPSEC tunnel.

Gav



Re: [ovs-discuss] OVN/OVS tunnel to public cloud provider

2023-02-14 Thread Numan Siddique via discuss
On Tue, Feb 14, 2023 at 6:40 PM Gavin McKee via discuss
 wrote:
>
> Hi Numan,
>
> I'd be happy to start with static routes, as long as I can get the
> connectivity in place i.e. be able to connect a VM on a logical switch to a
> VM in a public cloud via IPSEC tunnel.

So you're trying to connect an OVN deployment on one end and a public
cloud on the other. Looks to me you may need to establish an IPSEC
tunnel yourself. One end of the tunnel should be your gateway node in
the OVN deployment and the other end your public cloud.

For North/South gateway traffic to work with OVN, you need to
configure ovn-bridge-mappings on the gateway node. OVN will create a
patch port from br-int to the provider ovs bridge (let's say br-ex).
And it is expected that br-ex would be attached to a physical nic
which would provide connectivity to the external.

Seems to me you need to establish the IPSEC tunnel in br-ex as this is
out of OVN's scope.

Thanks
Numan




Re: [ovs-discuss] OVN/OVS tunnel to public cloud provider

2023-02-14 Thread Gavin McKee via discuss
Understood,

I already have a working topology that sends external traffic to a vrf on
the physical network that provides internet access for VMs, tag=120. So I
could probably add a new logical switch for the IPSEC connection, set a
bridge mapping to br-ipsec-aws (or something like that) and see if I can
route all the way through.

switch 4774aa10-e2ec-4ab4-80fa-b6d4196eb618 (localswitch)
    port c2-localsw-lr0
        type: router
        router-port: c2-lr0-localswitch
    port localswitch-local
        type: localnet
        parent:
        tag: 120
        addresses: ["unknown"]
    port localswitch-lr0
        type: router
        router-port: c1-lr0-localswitch
switch 7aae50e1-3e2f-46d4-838d-c40adab6ba0b (customer2-sw0)
    port c2-sw0-p2
        addresses: ["b8:3f:d2:21:87:31 dynamic"]
    port c2-sw0-p1
        addresses: ["b8:3f:d2:21:87:12 dynamic"]
    port c2-sw0-c2-lr0
        type: router
        router-port: c2-lr0-sw0-l3
switch dbcdca43-7c70-4f78-8db1-6a72e7c1276c (customer1-sw0)
    port c1-sw0-p3
        addresses: ["b8:3f:d2:21:87:11 dynamic"]
    port c1-sw0-p1
        addresses: ["b8:3f:d2:21:87:01 dynamic"]
    port c1-sw0-c1-lr0
        type: router
        router-port: c1-lr0-sw0-l3
    port c1-sw0-p2
        addresses: ["b8:3f:d2:21:87:41 dynamic"]
router 8d0fc968-2b32-4b14-b409-bceec6d737bb (customer2-vpc-lr0)
    port c2-lr0-localswitch
        mac: "0a:22:00:22:00:22"
        networks: ["172.16.0.2/20"]
        gateway chassis: [bf79b7bc-b3bb-4c49-a7c0-56a9e16b2d03]
    port c2-lr0-sw0-l3
        mac: "0a:02:02:02:02:01"
        networks: ["10.200.0.1/24"]
    nat a384f167-80f4-4628-9caa-17136b6cd551
        external ip: "204.52.31.3"
        logical ip: "10.200.0.11"
        type: "snat"

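
One way to lay out the approach discussed in this thread (a dedicated bridge mapping on the gateway node, a localnet logical switch, and a static route on the customer router), as an added example that is not from any poster in the thread. The physnet name, switch and port names, MAC, transit subnet, cloud prefix and chassis name are constructed placeholders, and it assumes the OVN release in use accepts a second gateway port on the same logical router; the IPsec tunnel itself is set up outside OVN and is not shown.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): dry-run plan for attaching a dedicated
# provider bridge, behind which the IPsec endpoint sits, to an OVN logical router.
# From the thread: br-ipsec-aws, customer2-vpc-lr0. Everything else below is a
# constructed placeholder.
PHYSNET="ipsec-aws"
BRIDGE="br-ipsec-aws"
ROUTER="customer2-vpc-lr0"
LS="ipsec-aws-sw"
LRP="c2-lr0-ipsec"
LRP_MAC="0a:22:00:22:00:33"
LRP_NET="169.254.10.1/30"        # router side of the transit subnet
VPN_NEXTHOP="169.254.10.2"       # IPsec endpoint's address on the transit subnet
CLOUD_CIDR="10.50.0.0/16"        # remote cloud subnet
CHASSIS="GATEWAY_CHASSIS_NAME"   # placeholder: chassis name of the gateway node

# Print each command by default; execute only when DRY_RUN=0.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# merge_mappings EXISTING PHYSNET BRIDGE
# ovn-bridge-mappings is a single comma-separated value, so setting it to only
# the new pair would drop the mapping the existing localnet port relies on.
merge_mappings() {
    local existing="$1" net="$2" entry="$2:$3"
    case ",${existing}," in
        *",${entry},"*) printf '%s\n' "$existing" ;;       # already present
        *",${net}:"*)                                      # same physnet, other bridge
            echo "physnet ${net} is already mapped in: ${existing}" >&2
            return 1 ;;
        *) printf '%s\n' "${existing:+${existing},}${entry}" ;;
    esac
}

# plan CURRENT_MAPPINGS: emit the gateway-node and northbound commands in order.
plan() {
    local merged
    merged=$(merge_mappings "$1" "$PHYSNET" "$BRIDGE") || return 1

    # Gateway node: provider bridge the IPsec endpoint attaches to, plus mapping.
    run ovs-vsctl --may-exist add-br "$BRIDGE"
    run ovs-vsctl set open_vswitch . "external-ids:ovn-bridge-mappings=${merged}"

    # Logical switch whose localnet port binds to that physnet.
    run ovn-nbctl ls-add "$LS"
    run ovn-nbctl lsp-add "$LS" "${LS}-localnet"
    run ovn-nbctl lsp-set-type "${LS}-localnet" localnet
    run ovn-nbctl lsp-set-addresses "${LS}-localnet" unknown
    run ovn-nbctl lsp-set-options "${LS}-localnet" "network_name=${PHYSNET}"

    # Router port on the transit subnet, pinned to the gateway chassis so the
    # traffic leaves through the node that holds the bridge mapping.
    run ovn-nbctl lrp-add "$ROUTER" "$LRP" "$LRP_MAC" "$LRP_NET"
    run ovn-nbctl lrp-set-gateway-chassis "$LRP" "$CHASSIS"
    run ovn-nbctl lsp-add "$LS" "${LS}-${ROUTER}"
    run ovn-nbctl lsp-set-type "${LS}-${ROUTER}" router
    run ovn-nbctl lsp-set-addresses "${LS}-${ROUTER}" router
    run ovn-nbctl lsp-set-options "${LS}-${ROUTER}" "router-port=${LRP}"

    # Static route: cloud subnet via the IPsec endpoint.
    run ovn-nbctl lr-route-add "$ROUTER" "$CLOUD_CIDR" "$VPN_NEXTHOP"
}

# CURRENT_MAPPINGS: the gateway node's existing value, as reported by
# `ovs-vsctl get open_vswitch . external-ids:ovn-bridge-mappings` (quotes removed).
plan "${CURRENT_MAPPINGS:-}"
```

Review the printed plan first; the commands are executed only when the script is run with `DRY_RUN=0`.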

Re: [ovs-discuss] OVN Failed Flow Offload

2023-02-14 Thread Lazuardi Nasution via discuss
Hi Ajit,

Is there any update on this? If it is a firmware matter, what is the suggested
firmware for enabling flow offload with OVN?

Best regards.

On Thu, Feb 9, 2023, 12:17 PM Lazuardi Nasution 
wrote:

> Hi Ajit,
>
> I'm using firmware version 219.0.144.0.of
>
> I'm not sure that the problem is about the capability of the firmware. By
> digging the source code of bnxt PMD, it seems that this problem is related
> to bnxt_validate_and_parse_flow_type() function which throws an error if
> the destination Ethernet address is broadcast Ethernet address. I'm using
> the following URL as reference.
>
> https://github.com/DPDK/dpdk/blob/v21.11/drivers/net/bnxt/bnxt_flow.c#L228
>
> From what I can understand of David's statement, it should not throw an RTE
> error but just leave an incompatible flow non-offloaded.
>
> Best regards.
>
> On Thu, Feb 9, 2023 at 12:14 AM Ajit Khaparde 
> wrote:
>
>> Hi,
>> From what I can see, it looks like the offload is being attempted on a
>> card which does not have offload functionality enabled.
>> Can you share the FW version on the NICs?
>>
>> If needed, will it be possible for you to update the firmware on the NICs?
>>
>> For the warning regarding flow control setting, let me check and get back.
>>
>> Thanks
>> Ajit
>>
>> On Wed, Feb 8, 2023 at 4:14 AM Lazuardi Nasution 
>> wrote:
>> >
>> > Hi Ajit,
>> >
>> > Have you found the way to overcome this problem? Would you mind to
>> > explain why these reserved Ethernet addresses throw an error on offloading the
>> > flows and not just make related flows non-offloaded?
>> >
>> > Another thing, but not so important, is that the bnxt PMD logs a warning about
>> > cannot do flow control on VF even though I have used none, true or false of
>> > interface flow control setting. This warning always appears on OVS
>> > restarting.
>> >
>> > Best regards.
>> >
>> > On Tue, Feb 7, 2023, 12:21 AM Lazuardi Nasution 
>> wrote:
>> >>
>> >> Hi Ajit,
>> >>
>> >> I'm using the following versions.
>> >>
>> >> dpdk_version: "DPDK 21.11.2"
>> >> ovs_version : "3.0.1"
>> >>
>> >> Best regards.
>> >>
>> >> On Tue, Feb 7, 2023 at 12:12 AM Ajit Khaparde <
>> ajit.khapa...@broadcom.com> wrote:
>> >>>
>> >>> On Mon, Feb 6, 2023 at 9:02 AM Lazuardi Nasution <
>> mrxlazuar...@gmail.com> wrote:
>> >>> >
>> >>> > Hi David,
>> >>> >
>> >>> > I think I can understand your opinion. So your target is to prevent
>> >>> > frames with those ethernet addresses from reaching CP, right? FYI, I'm
>> >>> > using bonded VFs of bonded PFs as OVS-DPDK interfaces, so of course LACP
>> >>> > should be handled by bonded PFs only.
>> >>> What is the version of DPDK & OVS used here, BTW? Thanks
>> >>>
>> >>> >
>> >>> > Best regards,
>> >>> >
>> >>> > On Mon, Feb 6, 2023 at 11:54 PM David Marchand <
>> david.march...@redhat.com> wrote:
>> >>> >>
>> >>> >> On Mon, Feb 6, 2023 at 5:46 PM Lazuardi Nasution <
>> mrxlazuar...@gmail.com> wrote:
>> >>> >> >
>> >>> >> > Hi David,
>> >>> >> >
>> >>> >> > Don't you think that offload of reserved Ethernet address should
>> >>> >> > be disabled by default?
>> >>> >>
>> >>> >> What OVN requests in this trace (dropping) makes sense to me if those
>> >>> >> lacp frames are to be ignored at the CP level.
>> >>> >> I don't see why some ethernet address would require some special
>> >>> >> offloading considerations, but maybe others have a better opinion on
>> >>> >> this topic.
>> >>> >>
>> >>> >>
>> >>> >> --
>> >>> >> David Marchand
>> >>> >>
>>
>