port mirroring through GRE tunnel to remote host
I have an OpenStack deployment with a controller, one compute node and a network node. I want to mirror all the traffic from a tenant network to a separate host where I have some packet monitoring tools (like an IDS).
I launched two VMs for a test. I added a mirror port in the compute node and I made the mirror port a type of GRE tunnel to the remote host. From the remote host I created the other end of the tunnel.
Here is the output of the ovs-vsctl show command from the compute node:
    Bridge br-tun
        fail_mode: secure
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}
        Port "vxlan-ac106207"
            Interface "vxlan-ac106207"
                type: vxlan
                options: {df_default="true", in_key=flow, local_ip="z.z.z.z", out_key=flow, remote_ip="y.y.y.y"}
        Port br-tun
            Interface br-tun
                type: internal
    Bridge br-int
        fail_mode: secure
        Port br-int
            Interface br-int
                type: internal
        Port patch-tun
            Interface patch-tun
                type: patch
                options: {peer=patch-int}
        Port "qvod3ef531d-27"
            tag: 1
            Interface "qvod3ef531d-27"
        Port "qvo7d435b5f-d2"
            tag: 1
            Interface "qvo7d435b5f-d2"
        Port snooper
            Interface snooper
                type: gre
                options: {remote_ip="x.x.x.x"}
    ovs_version: "2.4.1"
where x.x.x.x is the IP of the remote host.
The output of ovs-vsctl show from the remote host is:
    Bridge br-tun
        Port "vnet0"
            Interface "vnet0"
        Port gremirror
            Interface gremirror
                type: gre
                options: {remote_ip="p.p.p.p"}
        Port br-tun
            Interface br-tun
                type: internal
    ovs_version: "2.0.2"
where p.p.p.p is the IP of the compute node.
For the VM-VM communication (ping from one VM to the other) it works fine. I can see all the packets on the remote host. But when there is a packet from outside, I can only see the return packets (i.e. if I ping one of the VMs from outside of the cloud, I will see only the return packets from the VM on the remote host). Why is the incoming packet not mirrored (forwarded through the tunnel)? What am I missing?
Thank you for the help in advance.