Translated by myself, to strengthen my understanding and to practise English and writing.
English source: http://docs.openstack.org/networking-guide/intro_basic_networking.html
Contents:
Basic networking
Ethernet
Ethernet is a networking protocol specified by the IEEE 802.3 standard. Most wired network interface cards (NICs) communicate using Ethernet.
In the OSI model of networking protocols, Ethernet occupies the second layer, known as the data link layer. When discussing Ethernet you will often hear terms such as local network, layer 2, L2, link layer and data link layer.
In an Ethernet network, the hosts connected to the network communicate by exchanging frames, which is the Ethernet term for packets. Every host on an Ethernet network is uniquely identified by an address called the media access control (MAC) address. In particular, in an OpenStack environment every virtual machine instance has its own MAC address, distinct from the MAC address of the compute host it runs on. A MAC address is 48 bits long and is usually written as six hexadecimal octets, such as 08:00:27:b9:88:74. The MAC address is burned into the NIC by the manufacturer, although modern NICs let you change it programmatically; a MAC address is therefore an identifier, not proof of who sent a frame. In Linux you can retrieve the MAC address of a NIC with the ip command:
$ ip link show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 08:00:27:b9:88:74 brd ff:ff:ff:ff:ff:ff
Conceptually, you can think of an Ethernet network as a single bus to which each of the network hosts connects. In early implementations an Ethernet network consisted of a single coaxial cable that hosts would tap into to join the network. Modern Ethernet networks do not use this approach; instead each host connects directly to a network device called a switch. Still, the conceptual model is useful, and in network diagrams (including those generated by the OpenStack dashboard) an Ethernet network is often drawn as if it were a single bus. You will sometimes hear an Ethernet network referred to as a layer 2 segment.
In an Ethernet network, every host can send a frame directly to every other host. An Ethernet network also supports broadcasts: a host can send a frame to every host on the network by addressing it to the special MAC address ff:ff:ff:ff:ff:ff. ARP and DHCP are two notable protocols that use Ethernet broadcasts. Because Ethernet networks support broadcasts, you will sometimes hear an Ethernet network referred to as a broadcast domain.
When a NIC receives an Ethernet frame, by default it checks whether the destination MAC address matches its own address (or the broadcast address) and discards the frame if it does not. For a compute host this behaviour is undesirable, because the frame may be intended for one of the instances, whose MAC addresses differ from that of the host NIC. NICs can be put into promiscuous mode, in which they pass every Ethernet frame to the operating system regardless of the destination MAC address. Compute hosts should always have the appropriate NICs configured for promiscuous mode. Bear in mind that a NIC in promiscuous mode sees every frame on the segment, not only those addressed to the host and its instances, so access to the compute host itself must be controlled accordingly.
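The following is an added example, not code from the OpenStack guide. It shows the two pieces of MAC-address behaviour described above in working Python: which destination addresses a NIC keeps by default versus in promiscuous mode, and the two flag bits in the first octet of a MAC (the I/G bit that marks broadcast/multicast and the U/L bit that marks an address assigned in software rather than by the manufacturer). The host MAC is the one from the ip link output above; the instance MAC and the multicast address are constructed sample data, and the sysfs path is only consulted if it exists on the machine running the script.

```python
"""Added example (not from the OpenStack guide): NIC receive filtering and the
meaning of the two flag bits in a MAC address.  Sample addresses are constructed."""
from typing import List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
IFF_PROMISC = 0x100  # IFF_PROMISC bit of the Linux interface flag word


def parse_mac(text: str) -> bytes:
    """'08:00:27:b9:88:74' -> 6 raw bytes; rejects anything that is not 48 bits."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"MAC address must be 48 bits: {text!r}")
    return raw


def is_multicast(mac: str) -> bool:
    """I/G bit (least significant bit of the first octet): 1 = group address,
    which covers every multicast address and the all-ones broadcast address."""
    return bool(parse_mac(mac)[0] & 0x01)


def is_locally_administered(mac: str) -> bool:
    """U/L bit (second least significant bit of the first octet): 1 = the address
    was assigned in software, not burned in by a manufacturer.  Handy when auditing
    a segment for NICs whose MAC has been changed."""
    return bool(parse_mac(mac)[0] & 0x02)


def nic_accepts(dst_mac: str, nic_mac: str, promiscuous: bool) -> bool:
    """Default NIC behaviour as described in the text: keep a frame only if it is
    addressed to this NIC or to the broadcast address.  (Real NICs additionally
    pass multicast groups the OS has subscribed to; that is left out here.)
    In promiscuous mode every frame is handed to the operating system."""
    if promiscuous:
        return True
    dst = parse_mac(dst_mac)
    return dst == parse_mac(nic_mac) or dst == parse_mac(BROADCAST)


def filter_frames(dst_macs: List[str], nic_mac: str, promiscuous: bool) -> List[str]:
    """Return the destination MACs of the constructed frames the NIC would keep."""
    return [dst for dst in dst_macs if nic_accepts(dst, nic_mac, promiscuous)]


def promisc_enabled(ifname: str) -> Optional[bool]:
    """Read the kernel flag word of a real interface from sysfs.
    Returns None when the interface does not exist (e.g. on a non-Linux host)."""
    try:
        with open(f"/sys/class/net/{ifname}/flags") as fh:
            return bool(int(fh.read().strip(), 16) & IFF_PROMISC)
    except OSError:
        return None


if __name__ == "__main__":
    host_nic = "08:00:27:b9:88:74"       # MAC shown in the ip link output above
    instance_nic = "fa:16:3e:12:34:56"   # hypothetical instance MAC (U/L bit set)
    sample = [host_nic, instance_nic, BROADCAST, "01:00:5e:00:00:fb"]  # constructed
    print("default   :", filter_frames(sample, host_nic, promiscuous=False))
    print("promisc   :", filter_frames(sample, host_nic, promiscuous=True))
    print("instance MAC locally administered:", is_locally_administered(instance_nic))
    print("eth0 promiscuous:", promisc_enabled("eth0"))
```

In the default case the frame for the instance is dropped at the host NIC, which is exactly why the text says compute-host NICs must run in promiscuous mode.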
As mentioned earlier, modern Ethernet networks use switches to interconnect hosts. A switch is a box of networking hardware with a large number of ports that forwards Ethernet frames from one connected host to another. When hosts first send frames through the switch, the switch does not yet know which MAC address sits behind which port. If a frame is destined for an unknown MAC address, the switch floods the frame out of all ports (except the one it arrived on). The switch learns which MAC addresses are at which ports by observing the source addresses of the traffic it sees. Once it knows which port a MAC address is associated with, it sends frames for that address to the correct port instead of flooding. The switch keeps the MAC-address-to-port mappings in a table called the forwarding table or forwarding information base (FIB). Switches can be daisy-chained together, and the resulting collection of switches and hosts behaves like a single network.
VLANs
VLAN is a networking technology that enables a single switch to act as if it were multiple independent switches. Specifically, two hosts connected to the same switch but placed on different VLANs do not see each other's traffic. OpenStack can use VLANs to isolate the traffic of different tenants, even when those tenants have instances running on the same compute host. Each VLAN has an associated numerical ID. The IEEE 802.1Q VLAN ID field is 12 bits wide and IDs 0 and 4095 are reserved, so usable IDs run from 1 to 4094. We say "VLAN 15" to refer to the VLAN with numerical ID 15.
To understand how VLANs work, consider VLANs in a traditional IT environment, where physical hosts attach to a physical switch and no virtualization is involved. Imagine that you want three isolated networks but have only a single physical switch. The network administrator would choose three VLAN IDs, say 10, 11 and 12, and configure the switch to associate switchports with VLAN IDs: switchport 2 might be assigned to VLAN 10, switchport 3 to VLAN 11, and so forth. A switchport configured for one specific VLAN is called an access port. The switch is responsible for ensuring that traffic stays isolated between the VLANs.
Now suppose that all of the switchports on the first switch are occupied, so the organization buys a second switch and connects it to the first to expand the number of available switchports. The second switch is also configured to support VLAN IDs 10, 11 and 12. Imagine that host A, connected to switch 1 on a port configured for VLAN 10, sends an Ethernet frame to host B, connected to switch 2 on a port configured for VLAN 10. When switch 1 forwards the frame to switch 2, it must tell switch 2 that the frame belongs to VLAN 10.
If two VLAN-configured switches are connected together, the switchports used to cross-connect them must be configured to allow Ethernet frames from any VLAN to be forwarded to the other switch. In addition, the sending switch must tag each frame with its VLAN ID so that the receiving switch can ensure that only hosts on the matching VLAN are eligible to receive it.
A switchport configured to pass frames from all VLANs, tagged with their VLAN IDs, is called a trunk port. IEEE 802.1Q is the standard that describes how VLAN tags are encoded in Ethernet frames when trunking is used: a 4-byte tag is inserted after the source MAC address, carrying the tag protocol identifier 0x8100 followed by a 16-bit control field whose low 12 bits are the VLAN ID.
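The following added example (not code from the guide) works through the access-port and trunk-port scenario of the last few paragraphs at the byte level in Python. It builds an untagged frame as host A would send it, tags it with VLAN 10 on the way in through A's access port, shows that the tag is preserved when the frame leaves on a trunk port toward switch 2, and shows that an access port on switch 2 strips the tag for a VLAN 10 host but drops the frame entirely for a VLAN 11 host. The MAC addresses and payload are constructed sample data, and rejecting an already-tagged frame on an access port is an assumption made here rather than a rule from the text.

```python
"""Added example (not from the OpenStack guide): building and decoding IEEE 802.1Q
tagged Ethernet frames, and access-port versus trunk-port handling.  All MAC
addresses and payloads are constructed sample data."""
import struct
from typing import Any, Dict, Optional

TPID_8021Q = 0x8100      # tag protocol identifier that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, payload: bytes, vlan: Optional[int] = None,
                pcp: int = 0, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Untagged: dst(6) src(6) ethertype(2) payload.
    Tagged:   dst(6) src(6) TPID(2)=0x8100 TCI(2) ethertype(2) payload,
    where TCI = PCP (3 bits) | DEI (1 bit, left 0 here) | VID (12 bits)."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        if not 1 <= vlan <= 4094:              # VID 0 and 4095 are reserved by 802.1Q
            raise ValueError(f"VLAN ID out of range: {vlan}")
        tci = ((pcp & 0x7) << 13) | (vlan & 0xFFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Dict[str, Any]:
    """Decode the header; 'vlan' and 'pcp' are None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vlan = tci >> 13, tci & 0xFFF
        offset = 18
    return {"dst": mac_str(dst), "src": mac_str(src), "vlan": vlan, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def access_ingress(frame: bytes, port_vlan: int) -> bytes:
    """A host on an access port sends untagged frames; the switch tags them with
    the port's VLAN so the membership travels with the frame across a trunk."""
    info = parse_frame(frame)
    if info["vlan"] is not None:
        # Assumption for this example: a host must not pick its own VLAN.
        raise ValueError("tagged frame received on an access port")
    return build_frame(info["dst"], info["src"], info["payload"],
                       vlan=port_vlan, ethertype=info["ethertype"])


def egress(frame: bytes, port_vlan: Optional[int]) -> Optional[bytes]:
    """port_vlan=None: trunk port, the tag stays so the next switch sees the VLAN.
    port_vlan=N:    access port for VLAN N; strip the tag for the host and drop
                    frames belonging to any other VLAN (the isolation guarantee)."""
    info = parse_frame(frame)
    if port_vlan is None:
        return frame
    if info["vlan"] != port_vlan:
        return None
    return build_frame(info["dst"], info["src"], info["payload"],
                       vlan=None, ethertype=info["ethertype"])


if __name__ == "__main__":
    host_a, host_b = "08:00:27:b9:88:74", "08:00:27:aa:bb:cc"   # constructed
    untagged = build_frame(host_b, host_a, b"hello from A")      # A's access port
    on_trunk = access_ingress(untagged, port_vlan=10)            # switch 1 tags it
    print("on trunk :", parse_frame(egress(on_trunk, None)))     # tag preserved
    print("VLAN 10  :", parse_frame(egress(on_trunk, 10)))       # B's port: stripped
    print("VLAN 11  :", egress(on_trunk, 11))                    # other VLAN: None
```

The drop in the last line is the whole point of tagging: switch 2 never has to guess which VLAN the frame came from, because switch 1 put the answer in the frame itself.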
Note that if you use VLANs on your physical switches to implement tenant isolation in your OpenStack cloud, you must ensure that all switchports carrying tenant traffic (those facing compute and network nodes, and the links between switches) are configured as trunk ports.
It is important to select a VLAN range that your current network infrastructure is not using. For example, if you estimate that your cloud must support a maximum of 100 projects, pick an unused range of at least that many IDs, such as VLAN 200–299. OpenStack and all physical network infrastructure that handles tenant networks must then support this VLAN range.
Trunking is used to connect different switches. Each trunk carries a tag on every frame to identify which VLAN the frame belongs to. This ensures that hosts on the same VLAN can communicate even when they are attached to different switches.