Comment 1 for bug 1587486
Revision history for this message
| Louis Fourie (lfourie) wrote Re: Support SFC Encapsulation | #1 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
1b1ed1a
(Get the code!)
"At a first glance, it seems that it would work fine. And it can. At least if the IPSec function has only a single port-pair, so that we can match on the respective Neutron port as the entry point for the second and third port-chains. This is a problem, but let's suppose it's okay to have a single port-pair for the IPSec function and just ignore the problem for now."
This statement is not true. Port chains 2 and 3 can be set up, each having a number of flow-classifiers that have logical source ports that are the egress ports of the IPSec SFs. If the IPsec SF port-pair-group has three IPsec SFs (SF1, SF2, SF3) then PC2 and PC3 are configured as follows.
PC2 has flow-classifiers:
FC1=SF1 egress port & UDP
FC2=SF2 egress port & UDP
FC3=SF3 egress port & UDP
PC3 has flow-classifiers:
FC4=SF1 egress port & TCP
FC5=SF2 egress port & TCP
FC6=SF3 egress port & TCP