[ovs-discuss] showing what mac address use which IP ( arp entries )
Hi, I was playing around with ovs-appctl dpctl/dump-flows and other commands, but I could not find any command that would tell me which IP addresses are actually used on which MAC addresses.

If a flow exists and was added via ovs-ofctl, then you will get output like:

recirc_id(0),in_port(1),eth(src=44:ec:ce:4f:18:1b,dst=16:f9:22:83:c4:1d),eth_type(0x0800),ipv4(src=0.0.0.0/192.0.0.0,dst=43.54.111.54,frag=no), packets:16, bytes:2237, used:4.432s, flags:SFPR., actions:sample(sample=0.5%,actions(userspace(pid=2791693591,sFlow(vid=0,pcp=0,output=211),actions))),58
recirc_id(0),in_port(58),eth(src=16:f9:22:83:c4:1d,dst=44:ec:ce:4f:18:1b),eth_type(0x0800),ipv4(src=43.63.231.33,frag=no), packets:3710, bytes:833420, used:0.233s, flags:SFPR., actions:sample(sample=0.5%,actions(userspace(pid=3122871473,sFlow(vid=0,pcp=0,output=2),actions))),1

So there you could get the dst and src of the two 43.x.x.x IPs, so you know that these two IPs are running on 16:f9:22:83:c4:1d. But if you didn't define any flow, then you will just get something like:

recirc_id(0),in_port(49),eth(src=16:15:6c:b6:07:50,dst=44:ec:ce:4f:18:1b),eth_type(0x0800),ipv4(frag=no), packets:7215, bytes:664147, used:0.232s, flags:SFPR., actions:sample(sample=0.5%,actions(userspace(pid=3547120171,sFlow(vid=0,pcp=0,output=2),actions))),1
recirc_id(0),in_port(1),eth(src=44:ec:ce:4f:18:1b,dst=16:15:6c:b6:07:50),eth_type(0x0800),ipv4(frag=no), packets:9360, bytes:666327, used:0.242s, flags:SFPR.EC, actions:sample(sample=0.5%,actions(userspace(pid=2791693591,sFlow(vid=0,pcp=0,output=259),actions))),49

So there you see that 16:15:6c:b6:07:50 is connected, but which IPs exactly are using this MAC? Yes, you could get the information via sFlow, and that's some kind of last resort actually. But I hoped I could just get the data directly from OVS. So is there actually something available that will show the ARP? Thank you!

-- Mit freundlichen Gruessen / Best regards
Oliver Dzombic
Layer7 Networks
mailto:i...@layer7.net
Address: Layer7 Networks GmbH, Zum Sonnenberg 1-3, 63571 Gelnhausen
Commercial register: HRB 96293, Amtsgericht Hanau
Managing director: Oliver Dzombic
VAT ID: DE259845632
___
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
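OVS keeps a MAC learning table (ovs-appctl fdb/show br0), not an IP-to-MAC table, so the datapath flow cache quoted above is the closest thing to one. The script below is an added example, not code from the thread or from Open vSwitch: it pulls MAC/IPv4 pairs out of dpctl/dump-flows output and encodes the caveat the post runs into. A megaflow only carries the fields the flow table looked at, so ipv4(frag=no) means the addresses were wildcarded, and a value with a mask such as src=0.0.0.0/192.0.0.0 is a prefix match, not a host address. The sample input is constructed from the flows quoted in the post with the sFlow actions shortened.

```shell
#!/bin/sh
# Added example (not from the thread or OVS): list MAC -> IPv4 pairs that the
# datapath has exact-matched on, from `ovs-appctl dpctl/dump-flows` output.
# Masked values (containing "/") and absent fields are wildcards and skipped.

mac_ip_pairs() {
  awk '
    # contents of the key(...) group in the line, or "" if the group is absent
    function group(line, key) {
      if (match(line, key "\\([^)]*\\)"))
        return substr(line, RSTART + length(key) + 1, RLENGTH - length(key) - 2)
      return ""
    }
    # value of k= inside a comma separated group, or "" if absent
    function kv(s, k,    n, i, parts) {
      n = split(s, parts, ",")
      for (i = 1; i <= n; i++)
        if (index(parts[i], k "=") == 1) return substr(parts[i], length(k) + 2)
      return ""
    }
    # exact match only: present and without a "/mask" suffix
    function exact(v) { return v != "" && index(v, "/") == 0 }
    {
      eth = group($0, "eth"); ip = group($0, "ipv4")
      if (eth == "" || ip == "") next
      smac = kv(eth, "src"); dmac = kv(eth, "dst")
      sip = kv(ip, "src");   dip = kv(ip, "dst")
      if (exact(smac) && exact(sip)) print smac, sip
      if (exact(dmac) && exact(dip)) print dmac, dip
    }' | LC_ALL=C sort -u
}

# Constructed sample, modelled on the flows quoted in the thread.
SAMPLE_FLOWS='recirc_id(0),in_port(1),eth(src=44:ec:ce:4f:18:1b,dst=16:f9:22:83:c4:1d),eth_type(0x0800),ipv4(src=0.0.0.0/192.0.0.0,dst=43.54.111.54,frag=no), packets:16, bytes:2237, used:4.432s, flags:SFPR., actions:58
recirc_id(0),in_port(58),eth(src=16:f9:22:83:c4:1d,dst=44:ec:ce:4f:18:1b),eth_type(0x0800),ipv4(src=43.63.231.33,frag=no), packets:3710, bytes:833420, used:0.233s, flags:SFPR., actions:1
recirc_id(0),in_port(49),eth(src=16:15:6c:b6:07:50,dst=44:ec:ce:4f:18:1b),eth_type(0x0800),ipv4(frag=no), packets:7215, bytes:664147, used:0.232s, flags:SFPR., actions:1'

# On a live switch:  ovs-appctl dpctl/dump-flows | mac_ip_pairs
printf '%s\n' "$SAMPLE_FLOWS" | mac_ip_pairs
```

On the sample this prints 16:f9:22:83:c4:1d with 43.54.111.54 and 43.63.231.33 and nothing for 16:15:6c:b6:07:50, which is exactly the limitation in the post: unless a flow rule matches on IP fields, the cache never records them.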
[ovs-discuss] Layer2 tunnel that will transport vlan tagging and arp and broadcast propagation
Hi, I am trying to interconnect two datacenter locations. The goal is that IP networks that are available (meaning routed) at datacenter A should also be available at datacenter B.

For example, in datacenter A we have 1.2.3.0/24 available, and a server will configure, for example:

ip addr add 1.2.3.4/24 dev eth0

Since 1.2.3.0/24 is routed at datacenter A, everyone who pings 1.2.3.4 will reach this server.

---

In datacenter B we have 10.10.10.0/24 available. Here too a server will configure an IP from that IP space.

---

Now I want to create a tunnel between datacenter A and B. The goal shall be that servers in datacenter A can use IPs from datacenter B. So if in datacenter B a server adds:

ip addr add 1.2.3.10/24 dev eth0

it should be available to everyone.

---

So far I tried my luck with ipip (via the ip command) or GRE or VXLAN tunnels via Open vSwitch. The tunnels work fine. The problem is that no ARP is relayed, so I can reach only the IPs that I actually added on the server that created the tunnels. But there is no ARP propagation / broadcasting. I was not able to find information on how to solve this problem. Does anyone have an idea how to solve that? Thank you!
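One way to stretch a Layer 2 segment between the two sites with Open vSwitch, as an added example that is not part of the post: the tunnel is made a port of a bridge that runs the default NORMAL learning-switch action, so ARP requests and other broadcasts flood across it, and because OVS ports are trunks by default the 802.1Q tag travels inside the VXLAN-encapsulated frame. Bridge name br-l2, NIC eth1, the VTEP addresses 203.0.113.1/203.0.113.2 and VNI 100 are placeholders. The script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread: one L2 domain over an OVS VXLAN port.
# Placeholders: bridge br-l2, local trunk NIC eth1, VTEP 203.0.113.1 (site A)
# and 203.0.113.2 (site B), VNI 100. Commands are printed unless APPLY=1.

run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# site_setup <bridge> <local-nic> <remote-vtep-ip> [vni]
# The VTEP address must live on an interface that is NOT a port of the bridge;
# otherwise the encapsulated packets are switched back into the segment.
site_setup() {
  br=$1; nic=$2; remote=$3; vni=${4:-100}
  run ovs-vsctl --may-exist add-br "$br"
  # no OpenFlow rules installed: the bridge uses the NORMAL action, which
  # floods broadcast and unknown-unicast frames (ARP included) to every port
  run ovs-vsctl --may-exist add-port "$br" "$nic"
  # the tunnel is just another trunk port, so tagged frames keep their tag
  run ovs-vsctl --may-exist add-port "$br" vx0 -- set interface vx0 type=vxlan \
      "options:remote_ip=$remote" "options:key=$vni"
  # addresses from the stretched subnet belong on an internal port of the
  # bridge, not on $nic, so the host itself is reachable through the segment
  run ovs-vsctl --may-exist add-port "$br" "${br}-int" -- set interface "${br}-int" type=internal
  # VXLAN adds 50 bytes (outer Ethernet+IP+UDP+VXLAN); lower the inner MTU on
  # this port and on the attached hosts unless the underlay carries jumbo frames
  run ip link set "${br}-int" mtu 1450
}

# After APPLY=1 on both sides, MACs from the far site show up on vx0 in
#   ovs-appctl fdb/show br-l2
echo '# site A (remote VTEP is site B)'; site_setup br-l2 eth1 203.0.113.2
echo '# site B (remote VTEP is site A)'; site_setup br-l2 eth1 203.0.113.1
```

The two things that most often break ARP over such a tunnel are attaching the tunnel as a routed point-to-point link instead of a bridge port, and putting the host's own address on the physical NIC rather than on the internal port; both leave nothing that forwards broadcast frames into the tunnel.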
[ovs-discuss] A Drop rule with less priority is served before a normal rule with higher priority
Hi folks, why is this drop rule, with lower priority, served before the NORMAL rule?

cookie=0x0, duration=1309.733s, table=0, n_packets=792, n_bytes=34414, priority=1000,dl_src=16:ec:3d:6e:f4:b9 actions=drop
cookie=0x0, duration=1309.950s, table=0, n_packets=0, n_bytes=0, priority=2000,ip,dl_dst=16:ec:3d:6e:f4:b9,nw_dst=196.168.1.2 actions=NORMAL

Is it as simple as a rule that is less specific being served before a more specific rule, even if that one has a higher priority? The goal is that a specific MAC address shall only be allowed to communicate over a specific IP address. If the traffic to or from this MAC is for/from another IP, it shall be dropped. I will be very thankful for every hint or advice. Thank you!
[ovs-discuss] openvswitch anti spoof ebtables
Hi, as it seems, Open vSwitch ignores the ebtables rules. Does Open vSwitch have something to set firewall rules? Especially rules that will allow traffic only from specific IPs that come from specific MAC addresses, and drop anything else? Thank you!
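The two rules in the priority post never compete: the drop rule matches dl_src and the NORMAL rule matches dl_dst, so a frame sent by that MAC matches only the drop rule. Priority only breaks ties among rules that all match the same packet, which is why n_packets on the priority-2000 rule stays at 0. ebtables does not help here because the OVS datapath does not traverse the Linux bridge netfilter hooks; the equivalent of an anti-spoof ebtables chain is a set of OpenFlow rules. The function below generates such a rule set for one port/MAC/IP binding and is an added example, not code from the thread or from Open vSwitch; the port number, MAC and IP in the usage line are placeholders, and static addressing is assumed (DHCP from the port would be dropped).

```shell
#!/bin/sh
# Added example, not from the thread: OpenFlow anti-spoof rules that bind one
# bridge port to one MAC and one IPv4 address, in both directions.
# Apply with:  antispoof_flows 1 02:00:00:00:00:01 192.0.2.10 | ovs-ofctl add-flows br0 -
# (port 1, the MAC and the IP are placeholders; "-" reads the flows from stdin)

# antispoof_flows <in_port> <mac> <ip>  -> flow file on stdout
antispoof_flows() {
  port=$1; mac=$2; ip=$3
  cat <<EOF
# frames FROM the port: only this MAC, only this IPv4 source; ARP must agree
# with the binding too, otherwise the host can still poison neighbours
priority=2000,in_port=$port,dl_src=$mac,ip,nw_src=$ip,actions=NORMAL
priority=2000,in_port=$port,dl_src=$mac,arp,arp_sha=$mac,arp_spa=$ip,actions=NORMAL
priority=1500,in_port=$port,actions=drop
# frames TO the MAC: only its own IP, plus unicast ARP that asks for that IP
# (broadcast ARP requests have dl_dst=ff:ff:ff:ff:ff:ff and are not affected)
priority=2000,dl_dst=$mac,ip,nw_dst=$ip,actions=NORMAL
priority=2000,dl_dst=$mac,arp,arp_tpa=$ip,actions=NORMAL
priority=1500,dl_dst=$mac,actions=drop
# everything else on the bridge keeps learning-switch behaviour
priority=0,actions=NORMAL
EOF
}

# print the rule set for review
antispoof_flows 1 02:00:00:00:00:01 192.0.2.10
```

The pattern to keep in mind when adding more bindings: every allow rule and its catch-all drop must match the same packets (same in_port for the source side, same dl_dst for the destination side), so that priority is what decides between them. To confirm that a spoofed ARP from the port really hits the drop, trace it without sending anything: ovs-appctl ofproto/trace br0 in_port=1,dl_src=02:00:00:00:00:01,dl_dst=ff:ff:ff:ff:ff:ff,arp,arp_sha=02:00:00:00:00:01,arp_spa=192.0.2.99.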
[ovs-discuss] Sflow maths and accuracy
Hi, the goal is to turn sFlow into real traffic consumption figures. I am testing using pmacct with sfacctd as the collector software. I am using iperf3 to generate traffic between two hosts. From my understanding, if I do an sFlow export configuration like:

agent : "127.0.0.1"
external_ids: {}
header : 1518
polling : 1
sampling: 1
targets : ["127.0.0.1:6343"]

then every second, every packet will be exported to the collector. When I send a total amount of 2.36 GBytes over 5 seconds, I would expect that the sum of the "bytes" would match the 2.36 GB. The numbers that were collected were:

{"event_type": "purge", "vlan": 0, "ip_src": "192.168.178.1", "ip_dst": "192.168.178.2", "packets": 192, "bytes": 13519}
{"event_type": "purge", "vlan": 0, "ip_src": "192.168.178.1", "ip_dst": "192.168.178.2", "packets": 435, "bytes": 30474}
{"event_type": "purge", "vlan": 0, "ip_src": "192.168.178.1", "ip_dst": "192.168.178.2", "packets": 388, "bytes": 27180}
{"event_type": "purge", "vlan": 0, "ip_src": "192.168.178.1", "ip_dst": "192.168.178.2", "packets": 318, "bytes": 22260}
{"event_type": "purge", "vlan": 0, "ip_src": "192.168.178.1", "ip_dst": "192.168.178.2", "packets": 436, "bytes": 30544}
{"event_type": "purge", "vlan": 0, "ip_src": "192.168.178.1", "ip_dst": "192.168.178.2", "packets": 340, "bytes": 23990}

And the math is not really matching. I repeated the test, changing the sample rate (and multiplying the sum of bytes by the sample rate). But that did not really help. The numbers change, but not to the amount of traffic that had been transferred. I assume that old, established software like pmacct as well as Open vSwitch will deliver correct numbers, so as it seems to me, my math is (still) as good as my teachers told me in college. Could someone please point me in the right direction on how to do the math? Thank you very much!
[ovs-discuss] sFlow agent error: sfl_agent_error: receiver: flow sample too big for datagram
Hi folks, when we have high rates of packets per second, sFlow will not export this traffic to the collector. Inside ovs-vswitchd.log we can see tons of entries like:

2019-12-09T18:15:04.739Z|30436|sflow(handler17)|WARN|sFlow agent error: sfl_agent_error: receiver: flow sample too big for datagram

Our configuration:

ovs-vsctl -- --id=@sflow create sflow agent=127.0.0.1 target="\"127.0.0.1:6343\"" header=1518 sampling=500 polling=1 -- set bridge ovsbridge sflow=@sflow

How can we improve this? We would like to receive all traffic at the collector, no matter how many packets or what packet size will come in. Any help / hint / idea is greatly appreciated. Thank you!
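The arithmetic for the sFlow maths post and the configuration fix for the datagram-size post are two sides of the same thing, so one added example covers both; it is not code from the thread, pmacct or Open vSwitch. Scaling works as the post assumed: estimated bytes = sum of sampled frame bytes × sampling rate, with a 95% relative error of about 196/sqrt(c) percent for c samples. What the numbers in the post show is a different problem: at sampling=1 a 2.36 GB transfer should have yielded on the order of 1.5 million samples, not 2109, because every sampled packet is an upcall into ovs-vswitchd and the handler threads cannot keep up at iperf rates, so the shortfall is lost samples rather than wrong multiplication. The header=1518 setting is what produces the "flow sample too big for datagram" warning: a sampled full-size frame then forms a flow record larger than the agent's maximum sFlow datagram and is discarded. The default of 128 header bytes is enough for the L2/L3/L4 fields a collector keys on. The 2.36e9 bytes, 1500-byte frames and 1 Mpps / 1000 samples per second targets below are assumptions for the worked numbers.

```shell
#!/bin/sh
# Added example, not from the thread: sFlow estimate arithmetic and the
# agent configuration with the weak settings beside the corrected ones.

# sflow_estimate <sum_bytes> <sample_count> <sampling_rate>
#   prints "<estimated bytes> <95% relative error in percent>"
#   each sample stands for N packets; error bound 196/sqrt(c) from sFlow stats
sflow_estimate() {
  awk -v b="$1" -v c="$2" -v n="$3" 'BEGIN {
    if (c <= 0) { print "0 inf"; exit }
    printf "%.0f %.2f\n", b * n, 196 / sqrt(c)
  }'
}

# sflow_samples_expected <bytes_sent> <avg_frame_bytes> <sampling_rate>
#   how many samples a complete run of that transfer should have produced
sflow_samples_expected() {
  awk -v b="$1" -v p="$2" -v n="$3" 'BEGIN { printf "%.0f\n", b / p / n }'
}

# sflow_rate_for <packets_per_second> <target_samples_per_second>
#   sampling rate N that keeps the agent near the target sample rate
sflow_rate_for() {
  awk -v pps="$1" -v t="$2" 'BEGIN { r = int(pps / t); if (r < 1) r = 1; print r }'
}

# sflow_config <bridge> <header_bytes> <sampling_rate>
#   the ovs-vsctl command for a given agent configuration (agent/target as in the thread)
sflow_config() {
  printf 'ovs-vsctl -- --id=@s create sflow agent=127.0.0.1 target="\\"127.0.0.1:6343\\"" header=%s sampling=%s polling=1 -- set bridge %s sflow=@s\n' "$2" "$3" "$1"
}

# The thread's figures: sampling=1, collector saw 2109 samples / 147967 bytes,
# 2.36 GB sent (taken as 2.36e9 bytes of ~1500-byte frames).
echo "# estimate at rate 1:       $(sflow_estimate 147967 2109 1)"
echo "# samples a full run needs: $(sflow_samples_expected 2360000000 1500 1)"
echo "# weak:"
sflow_config br0 1518 1
echo "# corrected (1 Mpps link, ~1000 samples/s):"
sflow_config br0 128 "$(sflow_rate_for 1000000 1000)"
```

With the corrected rate the collector must be told the same N (pmacct scales sampled counters when its renormalisation option is on), and the sanity check is always the sample count: if samples × N is far below packets sent, the agent dropped samples and no multiplication will recover the missing bytes.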