Virtual machine de-promiscuous mode with VLAN in Vxlan feature

Source: Internet
Author: User

1. De-promiscuous mode

1.1 Background

Promiscuous mode means that a network interface receives all traffic passing through it, regardless of whether the frames are addressed to it, as opposed to the usual mode of operation (also called "non-promiscuous mode").

Network administrators use it to diagnose network problems, but unauthorized people also use it to eavesdrop on network traffic (which may include passwords and other sensitive information).

In the context of OpenStack cloud computing, de-promiscuous mode suppresses unknown unicast: only frames whose destination MAC is the virtual machine's own MAC, or broadcast/multicast frames, are allowed to reach the virtual machine. This reduces the performance cost of the virtual machine processing packets that were never meant for it.

1.2 Unknown unicast

An unknown unicast frame is a unicast frame whose destination MAC has no entry in the device's MAC address table.

When a switch starts, its MAC address table is empty. If host A then sends a frame to host B, the switch that receives the frame reads the source address (host A) and adds it to the MAC address table. However, the switch does not yet know which port host B is on (the MAC address table has no entry for host B's MAC address), so this frame is an unknown unicast frame, and the switch floods it out of all other ports.

1.3 Network Topology Diagram

1.4 Flow Table Analysis

In promiscuous mode, the policy bridge flow table is essentially a single "... actions=NORMAL" rule, which does not differentiate traffic and forwards everything through the normal L2 pipeline.

When de-promiscuous mode is enabled, the policy bridge adds the following related flows:

priority=2, in_port=2, dl_dst=01:00:00:00:00:00/01:00:00:00:00:00, actions=NORMAL    // broadcast and multicast frames are forwarded normally
priority=2, in_port=2, dl_dst=$VM_MAC, actions=NORMAL    // frames whose destination MAC is the VM's own MAC are forwarded normally
priority=1, in_port=2, actions=drop    // all other frames are dropped
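To make the matching behaviour of these three flows concrete, the following is an added example (not code from the original page or from OpenStack/OVS) that models how OVS selects a flow: the highest-priority rule whose match fields fit the frame wins, and a dl_dst written as value/mask compares only the masked bits, so 01:00:00:00:00:00/01:00:00:00:00:00 tests nothing but the group bit that every broadcast and multicast MAC carries. The VM MAC, the port numbers and the sample destination addresses are constructed values.

```python
"""Model of the de-promiscuous flows on the policy bridge (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' into a 48-bit integer."""
    return int(mac.replace(":", ""), 16)


@dataclass(frozen=True)
class Flow:
    priority: int
    in_port: int
    actions: str                   # "NORMAL" or "drop"
    dl_dst: Optional[str] = None   # exact MAC, or "value/mask" as printed by ovs-ofctl

    def matches(self, in_port: int, dst_mac: str) -> bool:
        if in_port != self.in_port:
            return False
        if self.dl_dst is None:        # wildcard: any destination
            return True
        value, _, mask = self.dl_dst.partition("/")
        m = mac_to_int(mask) if mask else 0xFFFFFFFFFFFF   # no mask = exact match
        return (mac_to_int(dst_mac) & m) == (mac_to_int(value) & m)


def lookup(flows: List[Flow], in_port: int, dst_mac: str) -> Optional[str]:
    """Return the actions of the highest-priority matching flow, or None on table miss."""
    for flow in sorted(flows, key=lambda f: f.priority, reverse=True):
        if flow.matches(in_port, dst_mac):
            return flow.actions
    return None


VM_PORT = 2                      # in_port=2 from the page's flows
VM_MAC = "fa:16:3e:aa:bb:cc"     # constructed sample VM MAC (stands in for $VM_MAC)

# Promiscuous mode: one catch-all flow, everything goes through the normal pipeline.
PROMISCUOUS = [Flow(priority=1, in_port=VM_PORT, actions="NORMAL")]

# De-promiscuous mode: the three flows described in the text.
DE_PROMISCUOUS = [
    # group bit set -> broadcast or multicast, forwarded normally
    Flow(2, VM_PORT, "NORMAL", dl_dst="01:00:00:00:00:00/01:00:00:00:00:00"),
    # exact match on the VM's own MAC, forwarded normally
    Flow(2, VM_PORT, "NORMAL", dl_dst=VM_MAC),
    # lower priority catch-all: unknown unicast and everything else is dropped
    Flow(1, VM_PORT, "drop"),
]

# Constructed destination MACs covering each class of frame.
SAMPLE_FRAMES = {
    "broadcast": "ff:ff:ff:ff:ff:ff",
    "ipv4_multicast": "01:00:5e:00:00:fb",
    "ipv6_multicast": "33:33:00:00:00:01",
    "own_unicast": VM_MAC,
    "other_unicast": "fa:16:3e:11:22:33",   # unknown unicast from this VM's point of view
}


def classify(flows: List[Flow], in_port: int = VM_PORT) -> Dict[str, Optional[str]]:
    """Run every sample frame through the given flow table."""
    return {name: lookup(flows, in_port, mac) for name, mac in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for label, table in (("promiscuous", PROMISCUOUS), ("de-promiscuous", DE_PROMISCUOUS)):
        print(label)
        for name, action in classify(table).items():
            print(f"  {name:<15} {SAMPLE_FRAMES[name]}  ->  {action}")
```

Only the "other_unicast" frame changes outcome between the two tables: the group-bit mask lets both IPv4 and IPv6 multicast through, the exact match admits the VM's own MAC, and the priority=1 catch-all drops the rest. A frame arriving on any other in_port misses all three flows and falls through to whatever the table-miss behaviour of the bridge is.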
2. VLAN in VXLAN

2.1 Function

VLAN-tagged frames exchanged between virtual machines can be encapsulated in VXLAN on the external network, similar to QinQ (VLAN in VLAN).

2.2 Network Topology Diagram

2.3 Flow Table Analysis
    • Policy bridge
      • Frames leaving the virtual machine

Frames without a VLAN tag are marked with pkt_mark=1 and sent on; the mark is kept in the per-packet pkt_mark register:

vlan_tci=0x0000/0x1fff actions=load:1->NXM_NX_PKT_MARK[],NORMAL

For frames with a VLAN tag, the VLAN ID (12 bits in total) is saved in pkt_mark, the tag is stripped and the frame is sent on:

actions=move:OXM_OF_VLAN_VID[0..11]->NXM_NX_PKT_MARK[0..11],load:0->NXM_NX_PKT_MARK[…],strip_vlan,NORMAL
      • Frames entering the virtual machine

Frames whose pkt_mark is 0x1 are sent directly to the virtual machine:

pkt_mark=0x00000001 actions=NORMAL

Frames whose pkt_mark is not 0x1 have their VLAN information restored from pkt_mark before being sent to the virtual machine:

actions=move:NXM_NX_PKT_MARK[0..11]->OXM_OF_VLAN_VID[0..11],NORMAL
    • br-tun bridge
      • Frames leaving the virtual machine

Frames whose pkt_mark is 0x1 go directly to table 20/22 along the normal path:

pkt_mark=0x00000001 actions=resubmit(,20) / resubmit(,22)

Frames whose pkt_mark is not 0x1 have their VLAN tag restored from pkt_mark and the VNI set, and then leave the host through the VXLAN tunnel:

actions=move:NXM_NX_PKT_MARK[0..11]->OXM_OF_VLAN_VID[0..11],set_tunnel:0x1388,output:3
      • Frames entering the virtual machine

When the frame carries no VLAN tag, the pkt_mark flag is set and the frame follows the normal path through table 10:

vlan_tci=0x0000/0x1fff,tun_id=0x1388 actions=load:1->NXM_NX_PKT_MARK[],resubmit(,10)

For a frame with a VLAN tag, the VLAN ID is saved in pkt_mark and the VXLAN VNI is mapped to the local VLAN:

tun_id=0x1388 actions=move:OXM_OF_VLAN_VID[0..11]->NXM_NX_PKT_MARK[0..11],load:0->NXM_NX_PKT_MARK[…],mod_vlan_vid:1
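The four flow groups above (policy bridge and br-tun, egress and ingress) form one round trip in which the pkt_mark register carries the VM's VLAN ID between bridges on the same host while the frame itself travels untagged inside the tunnel. The following added example (not the page's own flows, and not Neutron code) traces that round trip for an untagged and a tagged frame. The standard table 20/22 and table 10 paths that the page only names are simplified to a fixed VNI/local-VLAN mapping (assumption), the extra load:0 into pkt_mark in the tagged-frame flows is omitted, and the destination MAC is a constructed value.

```python
"""Model of the pkt_mark register trick behind the VLAN-in-VXLAN flows (added example)."""
from dataclasses import dataclass, replace
from typing import Optional

VLAN_VID_MASK = 0x0FFF   # the 12 VID bits, OXM_OF_VLAN_VID[0..11]
NO_VLAN_MARK = 0x1       # pkt_mark=0x00000001: "this frame left the VM without a VLAN tag"
VNI = 0x1388             # set_tunnel:0x1388 / tun_id=0x1388 from the page
LOCAL_VLAN = 1           # mod_vlan_vid:1 from the page
TUNNEL_PORT = 3          # output:3 from the page


@dataclass(frozen=True)
class Frame:
    dst: str
    vlan_vid: Optional[int] = None   # None = no 802.1Q header (matches vlan_tci=0x0000/0x1fff)
    pkt_mark: int = 0                # NXM_NX_PKT_MARK: host-local metadata, never on the wire
    tun_id: Optional[int] = None     # VXLAN VNI once encapsulated
    out_port: Optional[int] = None


def policy_bridge_egress(f: Frame) -> Frame:
    """Policy bridge, frame leaving the VM."""
    if f.vlan_vid is None:
        # vlan_tci=0x0000/0x1fff actions=load:1->NXM_NX_PKT_MARK[],NORMAL
        return replace(f, pkt_mark=NO_VLAN_MARK)
    # move:OXM_OF_VLAN_VID[0..11]->NXM_NX_PKT_MARK[0..11],strip_vlan,NORMAL
    return replace(f, pkt_mark=f.vlan_vid & VLAN_VID_MASK, vlan_vid=None)


def br_tun_egress(f: Frame) -> Frame:
    """br-tun, frame leaving the host."""
    if f.pkt_mark == NO_VLAN_MARK:
        # pkt_mark=0x00000001 actions=resubmit(,20)/resubmit(,22): the standard
        # path, simplified here (assumption) to "encapsulate with the network's VNI"
        return replace(f, tun_id=VNI, out_port=TUNNEL_PORT)
    # move:NXM_NX_PKT_MARK[0..11]->OXM_OF_VLAN_VID[0..11],set_tunnel:0x1388,output:3
    return replace(f, vlan_vid=f.pkt_mark & VLAN_VID_MASK, tun_id=VNI, out_port=TUNNEL_PORT)


def vxlan_wire(f: Frame) -> Frame:
    """What crosses the network: the inner frame plus the VNI. pkt_mark does not travel."""
    return Frame(dst=f.dst, vlan_vid=f.vlan_vid, tun_id=f.tun_id)


def br_tun_ingress(f: Frame) -> Frame:
    """br-tun on the receiving host, frame arriving from the tunnel."""
    if f.tun_id != VNI:
        raise ValueError("frame is not from the modelled tunnel")
    if f.vlan_vid is None:
        # vlan_tci=0x0000/0x1fff,tun_id=0x1388 actions=load:1->NXM_NX_PKT_MARK[],resubmit(,10)
        # (the VNI -> local VLAN mapping of the standard path is assumed here)
        return replace(f, pkt_mark=NO_VLAN_MARK, vlan_vid=LOCAL_VLAN, tun_id=None)
    # tun_id=0x1388 actions=move:OXM_OF_VLAN_VID[0..11]->NXM_NX_PKT_MARK[0..11],...,mod_vlan_vid:1
    return replace(f, pkt_mark=f.vlan_vid & VLAN_VID_MASK, vlan_vid=LOCAL_VLAN, tun_id=None)


def policy_bridge_ingress(f: Frame) -> Frame:
    """Policy bridge on the receiving host, frame entering the VM."""
    if f.pkt_mark == NO_VLAN_MARK:
        # pkt_mark=0x00000001 actions=NORMAL: the local VLAN tag is removed on the
        # VM's access port, so the VM receives the untagged frame that was sent
        return replace(f, vlan_vid=None, pkt_mark=0)
    # move:NXM_NX_PKT_MARK[0..11]->OXM_OF_VLAN_VID[0..11],NORMAL: the local VID
    # is overwritten with the VID the sending VM used
    return replace(f, vlan_vid=f.pkt_mark & VLAN_VID_MASK, pkt_mark=0)


def round_trip(vid: Optional[int]) -> Frame:
    """Send a frame from VM A with the given VLAN ID (None = untagged); return what VM B receives."""
    sent = Frame(dst="fa:16:3e:00:00:b2", vlan_vid=vid)   # constructed destination MAC
    on_wire = vxlan_wire(br_tun_egress(policy_bridge_egress(sent)))
    return policy_bridge_ingress(br_tun_ingress(on_wire))


if __name__ == "__main__":
    for vid in (None, 100, 4094):
        print(f"VM A sent vid={vid!s:>5} -> VM B received vid={round_trip(vid).vlan_vid}")
```

Two points the model makes visible: pkt_mark is metadata that exists only inside one host's OVS datapath, which is why br-tun has to write the VID back into the 802.1Q header before output:3 and why the receiving br-tun must re-derive the mark from the inner tag; and the value 0x1 is reserved as the "no VLAN" marker, so the tagged path is taken only when pkt_mark differs from 1.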
