From 8dc54921af5ef8bef9a1f8f9ef6268b4133dc01e Mon Sep 17 00:00:00 2001 From: Ben Pfaff Date: Mon, 16 Dec 2013 22:19:08 -0800 Subject: [PATCH] FAQ: Describe weak and strong ES models. Signed-off-by: Ben Pfaff Acked-by: Andy Zhou --- FAQ | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/FAQ b/FAQ index 2912ae335..df7b6ef30 100644 --- a/FAQ +++ b/FAQ 
@@ -935,6 +935,50 @@ A: Yes. Use an "internal port" configured as an access port. For ovs-vsctl add-port br0 vlan9 tag=9 -- set interface vlan9 type=internal ifconfig vlan9 192.168.0.7 + See also the following question. + +Q: I configured one IP address on VLAN 0 and another on VLAN 9, like + this: + + ovs-vsctl add-br br0 + ovs-vsctl add-port br0 eth0 + ifconfig br0 192.168.0.5 + ovs-vsctl add-port br0 vlan9 tag=9 -- set interface vlan9 type=internal + ifconfig vlan9 192.168.0.9 + + but other hosts that are only on VLAN 0 can reach the IP address + configured on VLAN 9. What's going on? + +A: RFC 1122 section 3.3.4.2 "Multihoming Requirements" describes two + approaches to IP address handling in Internet hosts: + + - In the "Strong ES Model", where an ES is a host ("End + System"), an IP address is primarily associated with a + particular interface. The host discards packets that arrive + on interface A if they are destined for an IP address that is + configured on interface B. The host never sends packets from + interface A using a source address configured on interface B. + + - In the "Weak ES Model", an IP address is primarily associated + with a host. The host accepts packets that arrive on any + interface if they are destined for any of the host's IP + addresses, even if the address is configured on some + interface other than the one on which it arrived. The host + does not restrict itself to sending packets from an IP + address associated with the originating interface. + + Linux uses the weak ES model. That means that when packets + destined to the VLAN 9 IP address arrive on eth0 and are bridged to + br0, the kernel IP stack accepts them there for the VLAN 9 IP + address, even though they were not received on vlan9, the network + device for vlan9. + + To simulate the strong ES model on Linux, one may add iptables rule + to filter packets based on source and destination address and + adjust ARP configuration with sysctls. + + BSD uses the strong ES model. 
+ Q: My OpenFlow controller doesn't see the VLANs that I expect. A: The configuration for VLANs in the Open vSwitch database (e.g. via -- 2.43.0
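Review bot: The closing advice in the new answer ("To simulate the strong ES model on Linux, one may add iptables rule to filter packets based on source and destination address and adjust ARP configuration with sysctls") is too vague to act on. It names neither the sysctls nor the interface the filter should match on, so a reader who hit this reachability surprise still cannot fix it. Consider naming the ARP knobs (net.ipv4.conf.*.arp_ignore and arp_announce are the usual ones) and stating that the filter should drop packets addressed to the vlan9 address unless they arrived on vlan9. Since the question is effectively about isolation between VLAN 0 and VLAN 9, it is also worth saying outright that putting an address on a tagged internal port does not by itself restrict which VLAN can reach it. Two wording nits in the same answer: "add iptables rule" should read "add iptables rules", and "not received on vlan9, the network device for vlan9" is circular; "the network device for VLAN 9" reads better.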