Testing VLAN isolation with OVS

By default an OVS port is in trunk mode and passes every VLAN tag.

Scenario 1: VLAN isolation on a single bridge

The experiment topology is as follows:

[figure: topology of the single-bridge experiment]

1. First create a bridge ovs-switch and two interfaces p0 and p1, each placed in its own network namespace, with addresses 192.168.1.100/24 and 192.168.1.101/24 respectively.

# Create the bridge and add the internal interface p0, requested as OpenFlow port 100
ovs-vsctl add-br ovs-switch
ovs-vsctl add-port ovs-switch p0 -- set Interface p0 type=internal ofport_request=100
# Create namespace ns0 and move p0 into it
ip netns add ns0
ip link set p0 netns ns0
ip netns exec ns0 ip addr add 192.168.1.100/24 dev p0
ip netns exec ns0 ifconfig p0 promisc up
# Add p1 to the bridge. Port 100 is already taken by p0; the trace output further
# down shows p1 as OpenFlow port 1, so request that number explicitly
ovs-vsctl add-port ovs-switch p1 -- set Interface p1 type=internal ofport_request=1
# Create namespace ns1 and move p1 into it
ip netns add ns1
ip link set p1 netns ns1
ip netns exec ns1 ip addr add 192.168.1.101/24 dev p1
ip netns exec ns1 ifconfig p1 promisc up


2. Inspect the flow table and ping between the namespaces

# ovs-ofctl dump-flows ovs-switch
 cookie=0x0, duration=850004.146s, table=0, n_packets=5420, n_bytes=450584, priority=0 actions=NORMAL

By default there is a single flow with the lowest priority (0) and the action NORMAL, which hands packets to the bridge's normal L2/L3 switching (MAC learning, honouring the VLAN settings of the Port table). At this point the two namespaces can ping each other.

3. Give the two ports different VLAN tags and ping again: the ping now fails

# ovs-vsctl set Port p0 tag=10
# ovs-vsctl set Port p1 tag=20
# ip netns exec ns1 ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.

4. Two ways were used to make the ping succeed again

Method one: install two flows directly that match only on the ingress port and output to the other port (source IP, destination IP, protocol and so on could be added to the match as well). These flows have a higher priority than the NORMAL flow and forward the packet with an explicit output action, so the ports' VLAN tags are no longer consulted.

# ovs-ofctl add-flow ovs-switch in_port=p1,action=output:p0
# ovs-ofctl add-flow ovs-switch in_port=p0,action=output:p1
# ip netns exec ns1 ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_seq=1 ttl=64 time=0.290 ms
64 bytes from 192.168.1.100: icmp_seq=2 ttl=64 time=0.060 ms
64 bytes from 192.168.1.100: icmp_seq=3 ttl=64 time=0.060 ms
64 bytes from 192.168.1.100: icmp_seq=4 ttl=64 time=0.059 ms
^C
--- 192.168.1.100 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.059/0.117/0.290/0.100 ms

Method two: install flows that strip the VLAN tag before outputting; the ping succeeds as well. Note the normalization INFO messages below: because the flows do not also match on ip, OVS drops the nw_dst field and the effective match is just in_port.

# ovs-ofctl del-flows ovs-switch in_port=p1
# ovs-ofctl del-flows ovs-switch in_port=p0
# ovs-ofctl add-flow ovs-switch priority=20,in_port=p0,nw_dst=192.168.1.101,actions=strip_vlan,output:p1
2020-07-23T03:26:56Z|00001|ofp_match|INFO|normalization changed ofp_match, details:
2020-07-23T03:26:56Z|00002|ofp_match|INFO| pre: in_port=100,nw_dst=192.168.1.101
2020-07-23T03:26:56Z|00003|ofp_match|INFO|post: in_port=100
# ovs-ofctl add-flow ovs-switch priority=20,in_port=p1,nw_dst=192.168.1.100,actions=strip_vlan,output:p0
2020-07-23T03:26:59Z|00001|ofp_match|INFO|normalization changed ofp_match, details:
2020-07-23T03:26:59Z|00002|ofp_match|INFO| pre: in_port=1,nw_dst=192.168.1.100
2020-07-23T03:26:59Z|00003|ofp_match|INFO|post: in_port=1
# ip netns exec ns1 ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_seq=1 ttl=64 time=0.291 ms
64 bytes from 192.168.1.100: icmp_seq=2 ttl=64 time=0.050 ms
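Both methods work by installing flows that beat the priority-0 NORMAL flow and forward with an explicit output action, so the ports' tag settings stop mattering. As an added example (not from the original post), the Python audit below parses ovs-ofctl dump-flows output and lists flows that have an explicit output action but never match on a VLAN, i.e. exactly the flows that override tag-based isolation on a bridge. The dump-flows lines are a constructed sample in the layout shown above, using port names rather than numbers.

```python
DEFAULT_PRIORITY = 32768  # priority OVS assigns when add-flow is given none

STAT_FIELDS = ("cookie", "duration", "table", "n_packets", "n_bytes", "idle_age", "hard_age")

def parse_flow(line):
    """Split one `ovs-ofctl dump-flows` line into (match dict, priority, list of actions)."""
    match_part, _, actions_part = line.strip().partition(" actions=")
    match = {}
    for token in match_part.split(","):
        token = token.strip()
        if token:
            key, _, value = token.partition("=")
            match[key] = value or True  # bare keywords such as "ip" become flags
    priority = int(match.pop("priority", DEFAULT_PRIORITY))
    for field in STAT_FIELDS:
        match.pop(field, None)
    return match, priority, actions_part.split(",")

def vlan_bypass_flows(dump_output):
    """Flows that forward via an explicit output action without matching on a VLAN.
    They win over the priority-0 NORMAL flow and ignore the ports' tag settings,
    so they defeat the isolation observed in step 3."""
    findings = []
    for line in dump_output.splitlines():
        if "actions=" not in line:
            continue  # e.g. the NXST_FLOW header printed by older releases
        match, priority, actions = parse_flow(line)
        explicit_output = any(a.startswith("output:") or a.isdigit() for a in actions)
        vlan_matched = any(k in match for k in ("dl_vlan", "vlan_tci", "vlan_vid"))
        if explicit_output and not vlan_matched:
            findings.append((priority, match, actions))
    return findings

# Constructed sample in dump-flows layout: the NORMAL default, the two flows from
# method one, one of the strip_vlan flows from method two, and a VLAN-aware flow.
SAMPLE_DUMP = """\
 cookie=0x0, duration=850004.146s, table=0, n_packets=5420, n_bytes=450584, priority=0 actions=NORMAL
 cookie=0x0, duration=12.3s, table=0, n_packets=8, n_bytes=784, in_port=p1 actions=output:p0
 cookie=0x0, duration=9.1s, table=0, n_packets=8, n_bytes=784, in_port=p0 actions=output:p1
 cookie=0x0, duration=3.0s, table=0, n_packets=0, n_bytes=0, priority=20,in_port=p1 actions=strip_vlan,output:p0
 cookie=0x0, duration=2.0s, table=0, n_packets=0, n_bytes=0, priority=50,dl_vlan=10,in_port=p0 actions=output:p1
"""

if __name__ == "__main__":
    for priority, match, actions in vlan_bypass_flows(SAMPLE_DUMP):
        print(f"priority {priority}: match {match} -> {','.join(actions)} bypasses port VLAN tags")
```

Run it against `ovs-ofctl dump-flows <bridge>` piped through stdin on a live bridge to get the same report; the VLAN-aware flow in the sample is deliberately not reported.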

5. ovs-appctl ofproto/trace can be used to generate a test packet from port p1 (OpenFlow port 1) to port p0 (port 100) and show how the flow table handles it

# ovs-appctl ofproto/trace ovs-switch in_port=1,dl_src=de:e2:d8:3e:d4:9f,dl_dst=c2:9f:27:4d:7d:3e -generate
Flow: in_port=1,vlan_tci=0x0000,dl_src=de:e2:d8:3e:d4:9f,dl_dst=c2:9f:27:4d:7d:3e,dl_type=0x0000

bridge("ovs-switch")
 0. in_port=1, priority 20
    strip_vlan
    output:100

Final flow: unchanged
Megaflow: recirc_id=0,eth,in_port=1,dl_src=de:e2:d8:3e:d4:9f,dl_dst=c2:9f:27:4d:7d:3e,dl_type=0x0000
Datapath actions: 3

6. Remove the VLAN tags from the ports

# ovs-vsctl clear Port p0 tag
# ovs-vsctl clear Port p1 tag

Scenario 2: VLAN isolation across two bridges


1. Create a second bridge ovs-switch1 with one interface p3 in its own namespace, with address 192.168.1.103/24

# Create the second bridge and add p3 to it (the original added p3 to ovs-switch by mistake)
ovs-vsctl add-br ovs-switch1
ovs-vsctl add-port ovs-switch1 p3 -- set Interface p3 type=internal ofport_request=100
# Create namespace ns3 and move p3 into it
ip netns add ns3
ip link set p3 netns ns3
ip netns exec ns3 ip addr add 192.168.1.103/24 dev p3
ip netns exec ns3 ifconfig p3 promisc up

2. Create a pair of patch ports connecting the two bridges

# Each patch port names the other as its peer
ovs-vsctl add-port ovs-switch patch-ovs-1 -- set Interface patch-ovs-1 type=patch options:peer=patch-ovs-2
ovs-vsctl add-port ovs-switch1 patch-ovs-2 -- set Interface patch-ovs-2 type=patch options:peer=patch-ovs-1

3. Set the VLAN tags of p0 and p3: with the same VLAN they can ping each other, with different VLANs they cannot

# ovs-vsctl set Port p0 tag=10
# ovs-vsctl set Port p3 tag=10
# ip netns exec ns3 ping 192.168.100.100
PING 192.168.100.100 (192.168.100.100) 56(84) bytes of data.
64 bytes from 192.168.100.100: icmp_seq=1 ttl=64 time=0.563 ms
64 bytes from 192.168.100.100: icmp_seq=2 ttl=64 time=0.060 ms
64 bytes from 192.168.100.100: icmp_seq=3 ttl=64 time=0.060 ms

4. Now put the patch ports in trunk mode and allow only VLAN 20 through

ovs-vsctl set Port patch-ovs-1 vlan_mode=trunk
ovs-vsctl set Port patch-ovs-2 vlan_mode=trunk
ovs-vsctl set Port patch-ovs-1 trunks=20
ovs-vsctl set Port patch-ovs-2 trunks=20

Now pinging 192.168.100.100 from ns3 again fails, and ovs-switch receives no packets at all.

5. Set the VLAN tags of both p0 and p3 to 20; the ping succeeds again

# ovs-vsctl set Port p3 tag=20
# ovs-vsctl set Port p0 tag=20
# ip netns exec ns3 ping 192.168.100.100
PING 192.168.100.100 (192.168.100.100) 56(84) bytes of data.
64 bytes from 192.168.100.100: icmp_seq=1 ttl=64 time=0.644 ms
64 bytes from 192.168.100.100: icmp_seq=2 ttl=64 time=0.059 ms
^C
--- 192.168.100.100 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.059/0.351/0.644/0.293 ms
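Steps 3 to 5 exercise one rule: a frame leaving an access port carries that port's tag, every trunk it crosses must allow that VLAN (an empty trunks list allows all), and the access port it arrives at must carry the same tag. As an added example, not from the original post, the Python below models this rule over the Port table as printed by ovs-vsctl --format=json --columns=name,tag,trunks,vlan_mode list Port, and predicts whether p3 can reach p0 across the patch link. The JSON is constructed to mirror step 4 (tags 10, patch ports trunking only VLAN 20); the model assumes NORMAL-action forwarding, which explicit OpenFlow output flows such as those in the first scenario bypass.

```python
import json

def atom(value):
    # OVSDB JSON encoding: an empty or multi-valued set is ["set", [...]],
    # a single value is printed bare (e.g. tag=10 prints as 10).
    if isinstance(value, list) and value and value[0] == "set":
        return list(value[1])
    return [value]

def load_ports(json_text):
    """Turn `ovs-vsctl --format=json ... list Port` output into {name: {tag, trunks, mode}}."""
    doc = json.loads(json_text)
    ports = {}
    for row in doc["data"]:
        rec = dict(zip(doc["headings"], row))
        tag, mode = atom(rec["tag"]), atom(rec["vlan_mode"])
        ports[rec["name"]] = {"tag": tag[0] if tag else None,
                              "trunks": set(atom(rec["trunks"])),
                              "mode": mode[0] if mode else None}
    return ports

def port_accepts(port, vid):
    """NORMAL-action rule: an access port (tag set, no explicit mode) carries only its own
    VLAN; a trunk carries every VLAN unless trunks restricts it (untagged frames are VLAN 0)."""
    if port["tag"] is not None and port["mode"] in (None, "access"):
        return vid == port["tag"]
    return not port["trunks"] or vid in port["trunks"]

def can_reach(ports, path):
    """path lists the ports a frame crosses in order, e.g. [p3, patch-ovs-2, patch-ovs-1, p0];
    the frame enters on the first (access) port and is tagged with that port's tag."""
    vid = ports[path[0]]["tag"] or 0
    return all(port_accepts(ports[name], vid) for name in path[1:])

def retag(ports, vid, *names):
    """Copy of ports with the named access ports retagged, as step 5 does with tag=20."""
    out = {n: dict(p) for n, p in ports.items()}
    for n in names:
        out[n]["tag"] = vid
    return out

# Constructed sample in ovs-vsctl JSON layout mirroring step 4 above:
# p0 and p3 tagged 10, both patch ports in trunk mode limited to VLAN 20.
SAMPLE = """{"data":[
 ["p0",10,["set",[]],["set",[]]],
 ["patch-ovs-1",["set",[]],20,"trunk"],
 ["patch-ovs-2",["set",[]],20,"trunk"],
 ["p3",10,["set",[]],["set",[]]]],
"headings":["name","tag","trunks","vlan_mode"]}"""

PATH_P3_TO_P0 = ["p3", "patch-ovs-2", "patch-ovs-1", "p0"]
```

With the sample as given can_reach returns False (step 4); after retag(ports, 20, "p0", "p3") it returns True (step 5).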
