EVPN VXLAN: SG needs to be updated even for Intra VN BMS to VM traffic
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Juniper Openstack |
Won't Fix
|
High
|
Hari Prasad Killi | ||
| R4.0 |
Won't Fix
|
High
|
Hari Prasad Killi | ||
| Trunk |
Won't Fix
|
High
|
Hari Prasad Killi | ||
Bug Description
In EVPN VXLAN solution when BMS is pinging VM , vrouter is dropping the packet as Flow Action Drop due to SG. Only when We change the default SG to allow Ingress traffic from 0.0.0.0 , traffic is passing.
root@5b11s15:~# dropstats | grep -v " 0$"
IF Drop 6
Flow Action Drop 7753
Discards 199
Cloned Original 406
Invalid NH 13
Invalid VNID 1
root@5b11s15:~# dropstats | grep -v " 0$"
IF Drop 6
Flow Action Drop 7755
Discards 199
Cloned Original 406
Invalid NH 13
Invalid VNID 1
root@5b11s15:~# flow -l
Flow table(size 614498304, entries 4800768)
Entries: Created 29 Added 20 Deleted 21 Changed 24 Processed 28 Used Overflow entries 0
(Created Flows/CPU: 0 0 1 0 0 1 0 0 2 0 0 0 1 14 3 1 1 0 0 1 1 0 0 0 0 0 0 0 0 0 3 0)(oflows 0)
Action:F=Forward, D=Drop N=NAT(S=SNAT, D=DNAT, Ps=SPAT, Pd=DPAT, L=Link Local Port)
Other:
Flags:E=Evicted, Ec=Evict Candidate, N=New Flow, M=Modified Dm=Delete Marked
TCP(r=reverse)
Index Source:
-------
167904<=>3715152 1.1.1.8:1664 1 (2)
(Gen: 2, K(nh):25, Action:F, Flags:, QOS:-1, S(nh):16, Stats:268/26264,
SPort 63599, TTL 0, Sinfo 172.16.2.1)
658472<=>2803480 1.1.1.6:1668 1 (2)
(Gen: 1, K(nh):25, Action:H, Flags:, QOS:-1, S(nh):25, Stats:0/0, SPort 55222,
TTL 0, Sinfo 0.0.0.0)
2803480<=>658472 1.1.1.8:1668 1 (2)
(Gen: 1, K(nh):25, Action:D(SG), Flags:, QOS:-1, S(nh):16, Stats:32/3136,
SPort 63187, TTL 0, Sinfo 172.16.2.1)
3715152<=>167904 1.1.1.6:1664 1 (2)
(Gen: 1, K(nh):25, Action:F, Flags:, QOS:-1, S(nh):25, Stats:269/26362,
SPort 57528, TTL 0, Sinfo 3.0.0.0)
After changing the SG
root@5b11s15:~# flow -l
Flow table(size 614498304, entries 4800768)
Entries: Created 29 Added 21 Deleted 24 Changed 29 Processed 29 Used Overflow entries 0
(Created Flows/CPU: 0 0 1 0 0 1 0 0 2 0 0 0 1 14 3 1 1 0 0 1 1 0 0 0 0 0 0 0 0 0 3 0)(oflows 0)
Action:F=Forward, D=Drop N=NAT(S=SNAT, D=DNAT, Ps=SPAT, Pd=DPAT, L=Link Local Port)
Other:
Flags:E=Evicted, Ec=Evict Candidate, N=New Flow, M=Modified Dm=Delete Marked
TCP(r=reverse)
Index Source:
-------
658472<=>2803480 1.1.1.6:1668 1 (2)
(Gen: 1, K(nh):25, Action:F, Flags:, QOS:-1, S(nh):25, Stats:36/3528,
SPort 55222, TTL 0, Sinfo 3.0.0.0)
2803480<=>658472 1.1.1.8:1668 1 (2)
(Gen: 2, K(nh):25, Action:F, Flags:, QOS:-1, S(nh):16, Stats:36/3528,
SPort 50900, TTL 0, Sinfo 172.16.2.1)
| summary: |
- EVPN VXLAN: SG needs to be updated even from Intra VN BMS to VM traffic + EVPN VXLAN: SG needs to be updated even for Intra VN BMS to VM traffic |
| Changed in juniperopenstack: | |
| importance: | Undecided → Critical |
| importance: | Critical → High |
| assignee: | nobody → Hari Prasad Killi (haripk) |
| milestone: | none → r4.0.1.0 |
| information type: | Proprietary → Public |
| Hari Prasad Killi (haripk) wrote | #1 |
| tags: | added: releasenote |
| Changed in juniperopenstack: | |
| status: | New → Won't Fix |
In OVSDB case, the routes were exported from TOR-Agent where the SG was appropriately updated so that inter-VN traffic didnt require any explicit SG to be configured for it to pass. When TOR is peering with control node, this SG has to be explicitly configured and this is expected.