SFC not working in Ocata

asked 2018-08-29 06:40:10 -0500

Dhopu

I have an Ocata setup (not devstack) with SFC installed. I am trying to set up SFC with 3 VMs, all on the same subnet: VM1 - VM2 - VM3. I am able to ping VM1 to VM3. With SFC I want to steer the traffic to VM2. But as VM2 does not have any SFC function, it will drop the packet. Consequently, with SFC, my ping from VM1 to VM3 should fail. I executed the following commands:

**ports of VM2

neutron port-pair-create --ingress 9c9d9f1d-d381-4125-941b-e6adff797331 --egress 4e5e3179-8ef3-48e0-a537-b653ccd7a8db PP1

neutron port-pair-group-create --port-pair PP1 PPG1

**source port of VM1 and destination port of VM3

neutron flow-classifier-create --ethertype IPv4 --logical-source-port 5a26fdbe-38f6-4389-b6aa-ef08c4646cca --logical-destination-port 197383c0-5c07-4de6-b025-f5f06cbffae6 --protocol icmp FC1

neutron port-chain-create --port-pair-group PPG1 --flow-classifier FC1 PC1

But I am still able to ping VM3 from VM1? What is wrong? How do I investigate whether the flow classifier is correctly set? Does SFC work if the 2 VMs are on the same host and in the same subnet?

1 answer

answered 2018-09-12 20:45:47 -0500

hoangphuoc

Hi, you have to create the chain with the same network. You also need to enable packet forwarding by setting "net.ipv4.ip_forward=1".

Hope that can help you.

Hi, thanks for your suggestion. I moved to the Rocky version and I had the same problem. I succeeded in having traffic in the VF ports, but there are still strange things: I have to set the security group including ICMP traffic for all the ports or I have to disable the anti spoofing?

Silvia ( 2018-10-22 07:45:27 -0500 )

There are also some strange things:
- once I see the traffic in all the interfaces, if I stop the ping and restart, I see it again only at the src and the dst
- In the VFs I see only reply packets (I was expecting to see only request since the setting is unidirectional from src to dst)

Silvia ( 2018-10-22 07:46:26 -0500 )

Timestamps are in the wrong order. The reply does: DST-SRC-VF1-VF2. I was expecting ICMP request doing SRC - VF1 - VF2 - DST

Silvia ( 2018-10-22 07:47:56 -0500 )

Hi Silvia,

I am trying networking-sfc with devstack. In my environment, firstly I have to turn off the security group feature by setting (disable security groups):

Q_USE_SECGROUP=False
LIBVIRT_FIREWALL_DRIVER=nova.virt.firewall.NoopFirewallDriver

I didn't meet the wrong order problem. Hope that helps.

hoangphuoc ( 2018-10-24 06:34:23 -0500 )

Asked: 2018-08-29 06:40:10 -0500

Seen: 194 times

Last updated: Sep 12 '18