Versions Compared

Old Version 6

changes.mady.by.user Sangho Shin

Saved on

compared with

New Version 7

changes.mady.by.user Sangho Shin

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
table=5,ip,nw_dst=10.10.0.13 actions=set_field:fa:16:3e:b8:92:fe->eth_dst ,output:5
table=5,ip,nw_dst=10.10.0.10 actions=set_field:10.0.0.166->tun_dst,output:1


Overall SONA TTP

Image Added

Example

Image Added

 

Code Block
titleVNI Table
table=0,ip,in_port=2, actions=set_field:0x402->tun_id,goto_table:1
table=0,ip,in_port=3, actions=set_field:0x402->tun_id,goto_table:1
table=0,ip,in_port=4, actions=set_field:0x501->tun_id,goto_table:1
table=0,ip,in_port=5, actions=set_field:0x501->tun_id,goto_table:1
Code Block
titleSecurity Group 
table=1,ip,nw_src=10.10.0.2,nw_dst=10.10.0.3 actions=goto_table:4
table=1,ip,nw_src=10.10.0.3,nw_dst=10.10.0.2 actions=goto_table:4
table=1,ip,nw_src=10.10.1.2,nw_dst=10.10.1.3 actions=goto_table:4
table=1,ip,nw_src=10.10.1.3,nw_dst=10.10.1.2 actions=goto_table:4
table=1,ip,ct_state=-trk, actions=ct(table:2)

Security groups are set per VMs, and we need M x M (M=number of VMs) rules are required. We might be able to reduce the rules using subnet when all VMs in a subnet are set with the same security group.

 

 

Code Block
titleConnection Tracking
table=2,ip,nw_src=10.10.0.2,ct_state=+trk+new,action=ct(commit),goto_table:3
table=2,ip,nw_dst=10.10.0.2,ct_state=+trk+est,action=goto_table:3
table=2,ip,nw_dst=10.10.0.2,ct_state=+trk+new,action=drop

Connection Tracking is activated only for VMs that do not have “allow all incoming” rules.

 

 

Code Block
titleJump Table
table=3,ip,eth_dst=fa:00:00:00:00:00,action=goto_table:5
table=3,ip,action=goto_table:7

 

 

Code Block
titleRouting Table
table=5,ip,tun_id=0x402,nw_src=10.10.0.0/24,nw_dst=10.10.0.0/24, action=set_field:0x402->tun_id, goto_table:5 (1)
table=5,ip,tun_id=0x501,nw_src=10.10.1.0/24,nw_dst=10.10.1.0/24, action=set_field:0x3f7->tun_id, goto_table:5 (2)
table=5,ip,tun_id=0x402,nw_src=10.10.0.0/24,nw_dst=10.10.1.0/24, action=set_field:0x402->tun_id, goto_table:5 (3)
table=5,ip,tun_id=0x501,nw_src=10.10.1.0/24,nw_dst=10.10.0.0/24, action=set_field:0x3f7->tun_id, goto_table:5 (4)

 

Flow rules (1) & (2) are default routing rule for VMs within its subnet and set whenever a virtual network is created.
Flow rules (3) & (4) are the routing rules between subnets. NxN (N=# of subnets) rules are required.

 

 

Code Block
titleSwitching Table
table=7,ip,tun_id=0x402,nw_dst=10.10.0.2 actions=set_field:fa:16:3e:b8:92:fe->eth_dst, output:2
table=7,ip,tun_id=0x402,nw_dst=10.10.0.3 actions=set_field:fa:16:3e:b8:92:fe->eth_dst, output:3
table=7,ip,tun_id=0x501,nw_dst=10.10.1.2 actions=set_field:fa:16:3e:b8:92:fe->eth_dst, output:4
table=7,ip,tun_id=0x501,nw_dst=10.10.1.3 actions=set_field:fa:16:3e:b8:92:fe->eth_dst, output:5