On Tue, Mar 13, 2012 at 03:09:46PM -0300, Luiz Ozaki wrote:
> On 3/13/12 2:38 PM, Ben Pfaff wrote:
> >The way I would suggest doing it is to have the controller track the
> >VM that is supposed to be associated with a given OpenFlow port and
> >drop any traffic originating from the port that claims a different
> >source MAC or IP.  It's possible to do the latter with OpenFlow.
> Yeah, on the controller I could only install the flow if the MAC and
> IP address match a valid database (for example).
> 
> But that doesn't prevent another VM on the same or another vswitch
> from altering its own MAC and IP and the controller installing the same flow.

Here's what I have in mind.  Presumably you are working with some kind
of hypervisor or CMS or whatever that has a database of VMs.  That
database would normally include the MAC address that the VM "owns";
perhaps it also includes an IP address.

Now suppose that your controller knows how to talk to the database of
VMs as well as to an OpenFlow switch and to OVSDB.  When a new port
appears through OpenFlow, the controller figures out which VM it is
associated with (via the "external-ids" in the OVSDB row for the
interface), looks it up in the database of VMs, and sets up the proper
ACLs via OpenFlow to allow the VM to talk on its own MAC (and possibly
IP) but not on others.

Does that make sense?
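An added example, not from the thread and not OVS's own code, of the controller-side logic Ben describes: look up the VM behind a port via the OVSDB Interface row's external-ids, consult the VM inventory, and emit the OpenFlow rules that let the VM send only with its own MAC (and IP, when known) and drop everything else from that port. The VM inventory, the external-ids contents and the "vm-id" key are constructed for this example; "iface-id" and "attached-mac" are the keys the OVS integration guide uses.

```python
# Constructed stand-in for the hypervisor/CMS database of VMs.
VM_DB = {
    "vm-1234": {"mac": "52:54:00:aa:bb:01", "ip": "10.0.0.11"},
    "vm-5678": {"mac": "52:54:00:aa:bb:02", "ip": None},  # IP unknown: MAC-only ACL
}

# Constructed stand-in for the external-ids column of an OVSDB Interface row.
OVSDB_EXTERNAL_IDS = {
    "vnet0": {"iface-id": "port-1", "attached-mac": "52:54:00:aa:bb:01",
              "vm-id": "vm-1234"},
}

def port_acl_flows(ofport, external_ids, vm_db=VM_DB):
    """Return ovs-ofctl add-flow match/action strings for one OpenFlow port.

    Higher priority wins:
      200  ARP from the VM's MAC, arp_spa == its IP (if the inventory knows it)
      200  IPv4 from the VM's MAC, nw_src == its IP (if known)
      100  anything else entering the port is dropped
    """
    drop_all = [f"priority=100,in_port={ofport},actions=drop"]
    vm = vm_db.get(external_ids.get("vm-id"))
    if vm is None:
        return drop_all                      # unknown VM: fail closed
    mac = vm["mac"].lower()
    if external_ids.get("attached-mac", mac).lower() != mac:
        return drop_all                      # OVSDB and inventory disagree: fail closed
    ip = vm.get("ip")
    arp_match = f",arp_spa={ip}" if ip else ""
    ip_match = f",nw_src={ip}" if ip else ""
    return [
        f"priority=200,in_port={ofport},dl_src={mac},arp{arp_match},actions=NORMAL",
        f"priority=200,in_port={ofport},dl_src={mac},ip{ip_match},actions=NORMAL",
    ] + drop_all

if __name__ == "__main__":
    # Port 1 is the assumed OpenFlow port number of vnet0 on bridge br0.
    for flow in port_acl_flows(1, OVSDB_EXTERNAL_IDS["vnet0"]):
        print(f"ovs-ofctl add-flow br0 '{flow}'")
```

A VM that acquires its address via DHCP also needs a rule admitting its DHCP discover (source 0.0.0.0) before the IP-pinned rule can apply; that case is left out here.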
_______________________________________________
discuss mailing list
[email protected]
http://openvswitch.org/mailman/listinfo/discuss