Hi,

With the OpenStack Pike release, we observed that traffic is being mirrored from one of the access ports even though the port is not the actual destination for the traffic.

We have a configuration like this. Two VMs, VM1 and VM2, have trunk ports and sub-ports that carry VLAN-tagged traffic, and another VM, VM3, has an access port. A mirror is created with the VM3 port as the source interface for this mirror. When a ping is initiated from VM1 destined to VM2 (sub-ports on subnet 40.40.2.0/24), we see that the traffic also passes through the tap interface of the VM3 access port attached to the integration bridge (br-int), and since a mirror is created, the same traffic is mirrored to the remote tunnel end-point.

    VM1 - 40.40.2.189
    VM2 - 40.40.2.204
    VM3 - 40.40.2.104

Mirror created with VM3's port as source interface:

    ovs-vsctl add-port br-int vxlan0 \
        -- set Interface vxlan0 type=vxlan options:local_ip=10.115.57.203 \
           options:remote_ip=30.1.1.16 options:key=0 option:dst_port=4789 \
        -- --id=@p get port vxlan0 \
        -- --id=@m create mirror name=mirror0 output-port=@p \
        -- set bridge br-int mirrors=@m

    ovs-vsctl -- --id=@p1 get Port vhu35512a63-ea -- add Mirror mirror0 select-dst-port @p1

    ovs-vsctl -- --id=@p1 get Port vhu35512a63-ea -- add Mirror mirror0 select-src-port @p1

Traffic is a ping from 40.40.2.189 --> 40.40.2.204 (VM1 - VM2). The traffic also passes through the VM3-connected tap interface on the integration bridge (vhu35512a63-ea), and since a mirror is created here, the same traffic is being mirrored to remote destinations.

The possible root cause found is:

In this scenario, we observed that on the integration bridge there are three ports carrying the same VLAN tag.

    Port "spi-e0212fcc-b7"     <== patch port corresponding to bridge “tbr-683e3538-0” (IP: 40.40.2.204)
        tag: 3
        Interface "spi-e0212fcc-b7"
            type: patch
            options: {peer="spt-e0212fcc-b7"}
    Port "vhu35512a63-ea"      <== VM access port corresponding to VM having IP 40.40.2.104
        tag: 3
        Interface "vhu35512a63-ea"
            type: dpdkvhostuserclient
            options: {vhost-server-path="/var/run/openvswitch/vhu35512a63-ea"}
    Port "spi-2013cf5d-dd"     <== patch port corresponding to bridge “tbr-fb95e589-3” (IP: 40.40.2.189)
        tag: 3
        Interface "spi-2013cf5d-dd"
            type: patch
            options: {peer="spt-2013cf5d-dd"}

Now, say we try to send any traffic between the above two patch ports. We can see that the traffic will also be sent to the VM access port. (Ping from 40.40.2.189 > 40.40.2.204)

Tcpdump on vhu35512a63-ea:

    IP 40.40.2.189 > 40.40.2.204: ICMP echo request, id 12125, seq 171, length 64
    IP 40.40.2.189 > 40.40.2.204: ICMP echo request, id 12125, seq 172, length 64

And the same traffic is being mirrored.

PS: Bridges tbr-fb95e589-3 and tbr-683e3538-0 are created when the trunk ports are created.

All the ports have a default security group attached.

    ALLOW IPv6 1-65535/tcp to ::/0
    ALLOW IPv4 ip_proto=253 from 0.0.0.0/0
    ALLOW IPv6 1-65535/tcp from ::/0
    ALLOW IPv6 ipv6-icmp from ::/0
    ALLOW IPv4 ip_proto=47 from 0.0.0.0/0
    ALLOW IPv6 to ::/0
    ALLOW IPv4 ip_proto=253 to 0.0.0.0/0
    ALLOW IPv4 1-65535/tcp from 0.0.0.0/0
    ALLOW IPv4 1-65535/udp to 0.0.0.0/0
    ALLOW IPv6 from default
    ALLOW IPv4 ip_proto=47 to 0.0.0.0/0
    ALLOW IPv4 1-65535/tcp to 0.0.0.0/0
    ALLOW IPv4 to 0.0.0.0/0
    ALLOW IPv4 icmp from 0.0.0.0/0
    ALLOW IPv4 from default
    ALLOW IPv4 1-65535/udp from 0.0.0.0/0
    ALLOW IPv4 icmp to 0.0.0.0/0

Is this expected behaviour? Why do different ports have the same VLAN tag on the integration bridge (br-int)?
_______________________________________________ discuss mailing list disc...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
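
Added example, not part of the original post: a small audit helper that reads `ovs-vsctl show` text and lists the ports that share a VLAN tag with a mirror's source port, which is the condition the post identifies on br-int. The sample input is constructed from the port names and tag quoted in the post; `tap-other`, the function names and the trimmed layout are assumptions.

```python
from collections import defaultdict

# Constructed sample in `ovs-vsctl show` layout, built from the post's port
# names and tag. "tap-other" (tag 5) is a made-up port added for contrast.
SAMPLE = '''\
    Bridge br-int
        Port "spi-e0212fcc-b7"
            tag: 3
            Interface "spi-e0212fcc-b7"
                type: patch
                options: {peer="spt-e0212fcc-b7"}
        Port "vhu35512a63-ea"
            tag: 3
            Interface "vhu35512a63-ea"
                type: dpdkvhostuserclient
        Port "spi-2013cf5d-dd"
            tag: 3
            Interface "spi-2013cf5d-dd"
                type: patch
        Port "tap-other"
            tag: 5
            Interface "tap-other"
        Port "vxlan0"
            Interface "vxlan0"
                type: vxlan
'''

def ports_by_tag(show_text, bridge):
    """Map VLAN tag -> port names for one bridge in `ovs-vsctl show` output."""
    tags, bridge_now, port = defaultdict(list), None, None
    for line in show_text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "Bridge":
            bridge_now, port = words[1].strip('"'), None
        elif words[0] == "Port":
            port = words[1].strip('"')
        elif words[0] == "tag:" and bridge_now == bridge and port:
            tags[int(words[1])].append(port)
    return dict(tags)

def mirror_vlan_peers(show_text, bridge, mirrored_port):
    """Return (tag, other ports in the same VLAN as the mirror's source port)."""
    for tag, ports in ports_by_tag(show_text, bridge).items():
        if mirrored_port in ports:
            return tag, [p for p in ports if p != mirrored_port]
    return None, []  # untagged or unknown port: no VLAN peers to report
```

Any port returned as a peer sits in the same VLAN as the mirrored port, so frames flooded between those peers can show up on the mirror as well.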