On 12/23/2016 03:45 AM, pranab boruah wrote:
Hello Everyone,
We are trying to experiment with OVN ACLs on a native setup (non-OpenStack
and non-sandbox). We couldn't find any blog posts or documentation on
how to do this.
Gerhard Stenzel has posted in this thread something somewhat similar to what I
need:
https://mail.openvswitch.org/pipermail/ovs-discuss/2016-July/041871.html
But my requirements are different. Also, the OVN architecture document
specifically mentions that we shouldn't add physical ports to br-int: see
the Chassis Setup section in
http://openvswitch.org/support/dist-docs/ovn-architecture.7.html.
Setup Configurations:
Physical Host 1:
- ovs 2.6 installed.
- launched a VM with MacVTap (macvtap0) on em1 (physical NIC).
- VM's NIC IP: 172.16.10.50
Physical Host 2:
- em1 (physical NIC) with IP 172.16.10.10
I can ping 172.16.10.50 from 172.16.10.10. My question is how do I
set up ACL rules for the traffic that is to be allowed or not allowed to
this VM. The constraints are:
1) Should work in non-OpenStack and non-sandbox environment.
2) VM's interface attached either through MacVTap or SRIOV modes only.
To echo what Ben said already, you can't use MacVTAP or SRIOV interfaces
with OVN, as both of these types of interfaces bypass OVS (and OVS is
where the ACLs are enforced).
Using "normal" TAP interfaces for your VMs would work, though, even in
non-OpenStack environments.
Best of luck,
--
Scott
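Since OVN can only filter packets that actually pass through br-int, the working setup Scott describes means giving the VM a plain TAP device, binding that TAP to br-int as an OVN logical port, and putting the ACLs on the logical switch. The script below is an added example, not code from this thread or from the OVS project; the switch, port and TAP names and the VM's MAC are assumptions, the two IP addresses are the ones from the question, and it assumes ovn-northd, ovn-controller and br-int are already running on the host.

```shell
#!/bin/sh
# Added example (not from the thread): bind a VM's plain TAP device to br-int as an
# OVN logical port and restrict its traffic with OVN ACLs. All names are hypothetical.
set -eu

LS_NAME=${LS_NAME:-sw0}                 # OVN logical switch (assumed name)
LPORT=${LPORT:-vm1}                     # OVN logical switch port (assumed name)
TAP=${TAP:-tap-vm1}                     # TAP device the hypervisor gave the VM (assumed)
VM_MAC=${VM_MAC:-52:54:00:00:00:50}     # constructed MAC for the VM
VM_IP=${VM_IP:-172.16.10.50}            # VM address from the question
PEER_IP=${PEER_IP:-172.16.10.10}        # host allowed to reach the VM, from the question
DRY_RUN=${DRY_RUN:-1}                   # 1 = print the commands, 0 = execute them

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# 1. Logical topology in the northbound DB (run where ovn-nbctl can reach it).
ovn_logical_port() {
    run ovn-nbctl --may-exist ls-add "$LS_NAME"
    run ovn-nbctl --may-exist lsp-add "$LS_NAME" "$LPORT"
    run ovn-nbctl lsp-set-addresses "$LPORT" "$VM_MAC $VM_IP"
    # Port security: frames the VM sends with any other MAC/IP are dropped.
    run ovn-nbctl lsp-set-port-security "$LPORT" "$VM_MAC $VM_IP"
}

# 2. Bind the TAP to br-int on the chassis. ovn-controller matches the
#    interface's iface-id against the logical port name. This is the hop that
#    macvtap and SR-IOV bypass, which is why OVN cannot filter them.
ovn_bind_tap() {
    run ovs-vsctl --may-exist add-port br-int "$TAP" -- \
        set Interface "$TAP" external-ids:iface-id="$LPORT"
}

# 3. ACLs: allow the peer host in both directions (stateful, so replies pass),
#    drop all other IP traffic to and from the port. ARP is left alone so the
#    VM can still resolve its neighbours.
ovn_acls() {
    run ovn-nbctl acl-add "$LS_NAME" to-lport 1001 \
        "outport == \"$LPORT\" && ip4.src == $PEER_IP" allow-related
    run ovn-nbctl acl-add "$LS_NAME" from-lport 1001 \
        "inport == \"$LPORT\" && ip4.dst == $PEER_IP" allow-related
    run ovn-nbctl acl-add "$LS_NAME" to-lport 1 "outport == \"$LPORT\" && ip" drop
    run ovn-nbctl acl-add "$LS_NAME" from-lport 1 "inport == \"$LPORT\" && ip" drop
}

ovn_logical_port
ovn_bind_tap
ovn_acls
```

Run it once as-is to review the commands, then with `DRY_RUN=0` to apply them; `ovn-nbctl acl-list sw0` and `ovn-sbctl lflow-list` show the resulting ACLs and logical flows.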
_______________________________________________
discuss mailing list
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss