建立ovs接口连接两个namespace组成二层网络
环境搭建拓扑
br0
+--------------------------------------+
+--+ +--+
+---+ | tap1 tap2| +---+
| +--+ +--+ |
| | | |
| +--------------------------------------+ |
| |
| |
| |
| |
+------------------+ +-------------------+
| tap1 | | tap2 |
|192.168.1.102/24 | | 192.168.1.102/24 |
| | | |
| | | |
| | | |
| namespace ns1 | | namespace ns1 |
| | | |
+------------------+ +-------------------+
实现脚本:
ip netns add ns1 ip netns add ns2 ovs-vsctl add-br br0 ovs-vsctl add-port br0 tap1 -- set Interface tap1 type=internal ip link set tap1 netns ns1 ip netns exec ns1 ip link set dev tap1 up ovs-vsctl add-port br0 tap2 -- set Interface tap2 type=internal ip link set tap2 netns ns2 ip netns exec ns2 ip link set dev tap2 up ip netns exec ns1 ip addr add 192.168.1.102/24 dev tap1 ip netns exec ns2 ip addr add 192.168.1.101/24 dev tap2 ip netns exec ns1 ip link set lo up ip netns exec ns2 ip link set lo up ip netns exec ns1 ping -c 4 192.168.1.102 ip netns exec ns1 ping -c 4 192.168.1.101
建立vlan二层网络
环境搭建拓扑
br0 trunk vlan tag 10,11 br1
+------------------------+ +------------------------+
| | tag10 tag10 | |
| trunk_br0 +-----------------------+trunk_br1 |
| +-----------------------+ |
| | tag11 tag11 | |
|tap1 tap2 | | tap3 |
+------------------------+ +------------------------+
|tag 10 tag11| tag10|
| | |
| | |
192.168.1.101/24 | | 192.168.1.102/24 | 192.168.1.103/24
+-------+ +-------+ +-------+
| tap1 | | tap2 | |tap3 |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
+-------+ +-------+ +-------+
ns1 ns2 ns3
环境实现脚本
ip netns add ns1 ip netns add ns2 ovs-vsctl add-br br0 ovs-vsctl add-port br0 tap1 -- set Interface tap1 type=internal ovs-vsctl set Port tap1 tag=10 ip link set tap1 netns ns1 ip netns exec ns1 ip link set dev tap1 up ovs-vsctl add-port br0 tap2 -- set Interface tap2 type=internal ovs-vsctl set Port tap2 tag=11 ip link set tap2 netns ns2 ip netns exec ns2 ip link set dev tap2 up ip netns exec ns1 ip addr add 192.168.1.101/24 dev tap1 ip netns exec ns2 ip addr add 192.168.1.102/24 dev tap2 ip netns exec ns1 ip link set lo up ip netns exec ns2 ip link set lo up ovs-vsctl add-br br1 ovs-vsctl add-port br1 tap3 -- set Interface tap3 type=internal ovs-vsctl add-port br0 trunk_br0 trunks=10,11 -- set Interface trunk_br0 type=patch options:peer=trunk_br1 ovs-vsctl add-port br1 trunk_br1 trunks=10,11 -- set Interface trunk_br1 type=patch options:peer=trunk_br0 ip netns add ns3 ip link set tap3 netns ns3 ip netns exec ns3 ip addr add 192.168.1.103/24 dev tap3 ip netns exec ns3 ip link set dev tap3 up ovs-vsctl set Port tap3 tag=10 ip netns exec ns3 ping -c 4 192.168.1.101 ip netns exec ns3 ping -c 4 192.168.1.102
说明:
-
br0和br1两个交换机之间连接使用的是patch口,在创建时候需要指明peer(对端口)选项
-
ovs-vsctl add-port br0 trunk_br0 trunks=10,11 -- set Interface trunk_br0 type=patch options:peer=trunk_br1 ovs-vsctl add-port br1 trunk_br1 trunks=10,11 -- set Interface trunk_br1 type=patch options:peer=trunk_br0
br0和br1两个交换机之间连接在trunk口附加上tag10和tag11
-
结论
ns3:tap3:vlan10 能ping通ns1:tap1:vlan10 因为ns3和ns1属于同一个vlan;同时无法ping通ns2
ovs vlan报文转发原理探究
环境搭建拓扑
first_ns second_ns third_ns
+-----------+ +-----------+ +-----------+
| | | | | |
| | | | | |
| | | | | |
| first_br | second_br | third_br|
+-----------+ +-----------+ +-----------+
10.0.0.4/24 10.0.0.5/24 | 10.0.0.6/24
| | |
| | |
|tag 10 | 无 tag | trunk 11,12
+------------------------------------------+
| first_br second_br third_br
| |
| br0 |
| |
+------------------------------------------+
| tag 10
|
|
|
|
|10.0.0.1/24
+------------+
| |
| |
| |
| |
+------------+
ns1
搭建网络脚本
ovs-vsctl add-br br0 ovs-vsctl add-port br0 first_br -- set Interface first_br type=internal ovs-vsctl set Port first_br tag=10 ip netns add first ip link set first_br netns first ip netns exec first ip addr add 10.0.0.4/24 dev first_br ip netns exec first ip link set dev first_br up ip netns add ns1 ovs-vsctl add-port br0 tap1 -- set Interface tap1 type=internal ovs-vsctl set Port tap1 tag=10 ip link set tap1 netns ns1 ip netns exec ns1 ip link set lo up ip netns exec ns1 ip link set dev tap1 up ip netns exec ns1 ip addr add 10.0.0.1/24 dev tap1 ovs-vsctl add-port br0 second_br -- set Interface second_br type=internal ip netns add second ip link set second_br netns second ip netns exec second ip addr add 10.0.0.5/24 dev second_br ip netns exec second ip link set dev second_br up ovs-vsctl add-port br0 third_br trunks=11,12 -- set Interface third_br type=internal ip netns add third ip link set third_br netns third ip netns exec third ip addr add 10.0.0.6/24 dev third_br ip netns exec third ip link set dev third_br up
实验过程:
进入netns1,一直ping 10.0.0.4,在netns first、second、third分别抓包
实验记录
- first抓取报文
-
root@controller-VirtualBox:~# ip netns exec first tcpdump -n -e -i first_br arp tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on first_br, link-type EN10MB (Ethernet), capture size 262144 bytes 15:47:54.636790 9a:03:f1:61:48:9d > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.4 tell 10.0.0.1, length 28 15:47:54.636808 4e:cc:d6:5a:53:f4 > 9a:03:f1:61:48:9d, ethertype ARP (0x0806), length 42: Reply 10.0.0.4 is-at 4e:cc:d6:5a:53:f4, length 28
-
抓到arp广播包
second抓取报文
root@controller-VirtualBox:~# ip netns exec second tcpdump -n -e -i second_br arp tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on second_br, link-type EN10MB (Ethernet), capture size 262144 bytes 15:49:40.345271 9a:03:f1:61:48:9d > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 10, p 0, ethertype ARP, Request who-has 10.0.0.4 tell 10.0.0.1, length 28
抓到arp广播包
third抓取报文
root@controller-VirtualBox:~# ip netns exec third tcpdump -n -e -i third_br arp tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on third_br, link-type EN10MB (Ethernet), capture size 262144 bytes
没有抓到arp广播
结论
- trunk port
(1)这个port不配置tag,配置trunks,如果trunks为空,则所有的VLAN都trunk,也就意味着对于所有的VLAN的包,本身带什么VLAN ID,就是携带者什么VLAN ID,
(2)如果没有设置VLAN,就属于VLAN 0,全部允许通过。
(3)如果trunks不为空,则仅仅带着这些VLAN ID的包通过。 - access port
(1)这个port配置tag,从这个port进来的包会被打上这个tag,
(2)从其他的trunk port中进来的本身就带有VLAN ID的包,如果VLAN ID等于tag,则会从这个port发出,
(3)从其他的access port上来的包,如果tag相同,也会被forward到这个port。
(4)从access port发出的包不带VLAN ID。
(5)如果一个本身带VLAN ID的包到达access port,即便VLAN ID等于tag,也会被抛弃。
openvswitch概念补充
几个重要的概念
- Bridge: Bridge 代表一个以太网交换机(Switch),一个主机中可以创建一个或者多个 Bridge 设备。
- Port: 端口与物理交换机的端口概念类似,每个 Port 都隶属于一个 Bridge。
- Interface: 连接到 Port 的网络接口设备。在通常情况下,Port 和 Interface 是一对一的关系, 只有在配置 Port 为 bond 模式后,Port 和 Interface 是一对多的关系。
- Controller: OpenFlow 控制器。OVS 可以同时接受一个或者多个 OpenFlow 控制器的管理。
- datapath: 在 OVS 中,datapath 负责执行数据交换,也就是把从接收端口收到的数据包在流表中进行匹配,并执行匹配到的动作。
- Flow table: 每个 datapath 都和一个“flow table”关联,当 datapath 接收到数据之后, OVS 会在 flow table 中查找可以匹配的 flow,执行对应的操作, 例如转发数据到另外的端口。