Open Cloud Blog

Openstack, Contrail and more

Openvswitch – Port Usage on Linux

In this post I show the basic commands for the openvswitch. You should have at least openvswitch 1.9 installed. This is the case, if you are running Ubuntu 13.04.

Preparation

In this blog, I show more than the basic commands. We use Linux network namespaces to show also the usage on the ip layer. The first step is to create two linux network namespaces (you must be root):

Next,  we need three console sessions. One for each network namespace (use ip netns exec ns <x> bash to get into the namespace) and one for the non namespace config. I recommend, that you change the prompt for each session – it  helps a lot, that you always knows, where you are.

 Create a Switch (bridge)

The next step is to create a new virtual switch (or bridge). Use the following command in the Main console:

By default, each virtual switch (=bridge), which has been created, gets one „internal port“ assigned. These internal ports are seen by the Linux OS. Type „ip link“ in the Main console and you get:

You can use this interface in the same way as all other Linux interfaces. Assign IP addresses to it or put IP access lists on it (iptables). We will ignore this interface.

An openvswitch bridge is not only a simple bridge, it’s a full blown software switch with

  • 4 k Vlans – nothing to do to create them – they are just there
  • it’s own MAC table

Create two ports in the bridge

The next step is to create two ports in the switch testsw1 and assign these to the two network namespaces. Run this in the Main console.

Check now in the Main console the openvswitch:

We see the two ports in the list. A shorter command to list only the ports is

Now look into the namespace windows. Type ip link in both windows and the new interfaces appeared.

In ns1:

In ns2:

Now it should be possible to ping the other side.

In the Main console check the MAC address table of testsw1:

The MAC addresses match those of the interfaces, we previously created. You might notice, that both MAC addresses are attached to Vlan 0. So – what is Vlan 0?

By default, ALL ports/interfaces, which are created on the openvswitch are able to transport dot1q tagged traffic unless there is a restriction added when the port is created. We made no restriction about this when we created the ports. Since both ip interfaces used in the network namespaces do not send dot1q tagged traffic, the openvswitch places this traffic in Vlan 0.

This Vlan 0 means: the openvswitch got untagged traffic on a link, where dot1q transport is enabled.

Create a dot1q tagged link

Now we create a dot1q tagged link in both network namespaces on top of the existing link. the command to do this is ip.

Example for network namespace ns1.

Do the same for network namespace ns2 (do not forget to change the interface name!)

Then bring the interface up and assign an ip address.

ns1 and ns2:

Look now on the MAC table of the ovenvswitch in the Main window:

You see now two Vlans with active MAC addresses. Yes they are the same in both Vlans. This is OK, since each Vlan has it’s own layer 2 forwarding table.

If the MAC entries disappear – don’t panic. This is a normal behaviour. As soon as traffic flows, they are populated again.

We have now the following setup:

After the first port has been added

By default a port created without restrictions will transport all vlan tags

Create a untagged port

The next step is to create ports on the openvswitch for the network namespaces, which are untagged by default. This is the case in 99.9% of all cases, when you are attaching LXC or KVM instances to an openvswitch. We attach these ports to vlan 33. This is done using the commands in the Main console:

By adding „tag=33“ while using the add-port the port is by default untagged (no dot1q tags are accepted) and the port is attached to Vlan 33 on the openvswitch.

A ovs-vsctl show executed in the Main console outputs now:

The ports ns1iface2 and ns2iface2 have now one additional line: „tag :33“. This means. The port is untagged and attached to Vlan 33. It does not mean, that only the Vlan tag 33 is accepted on a tagged link.

Next task: Bring the new interfaces up in the network namespaces, assign the ip addresses 10.2.0.1 for ns1 and 10.2.0.2 for ns2 and try to ping. Look at the MAC table on the openvswitch (from the Main console). You should see MAC addresses in Vlan 33.

We have now the following setup:

Add an untagged port

A port with tag= will be untagged on the link and will be attached to a fixed vlan on the openvswitch

Create a dot1q trunking port with a restricted vlan list

The next step is to create a new interface, which is dot1q tagged, but allows only a limited list of tags (=vlans) on the port.

The commands for the Main console are:

The keyword trunk tell the ovs to allow dot1q on this port. We allow the tags (=vlans) 44, 55 and 66.

The command „ovs-vsctl show“ shows now:

The new created ports have one line stating with trunks:. This means: The port is dot1q tagged and allows the transport of the tags 44, 55 and 66. All other tags are dropped.

Check if the 3 vlans are working on the new link. Configure also Vlan 77 on the link and verify, that the traffic is dropped at the openvswitch – reason: Vlan 77 ist not allowed on the port.  Configure an IP address on the native interface nsxiface3 and verify, that this traffic is also dropped.

We have now the following setup:

Add a port with a restricted vlan list

After adding a „trunking“ port with a restricted vlan list

 

Updated: 23/09/2013 — 20:14
Open Cloud Blog © 2013-2018 Impressum Datenschutzerklärung Frontier Theme