ovs+ns+vxlan通信+多租户隔离

1. ovs+ns+vxlan通信+多租户隔离

明细流表(vlan tag场景)

同一租户下流量互通,不同租户下流量隔离。
host1

# Simulate a VM with a network namespace: ns1 gets one end (tap1) of a veth
# pair, the other end (tap2) stays on the host as its "NIC cable".
ip netns add ns1
ip link add dev tap1 type veth peer name tap2
ip link set dev tap1 netns ns1
ip link set dev tap2 up
ip -n ns1 link set dev tap1 up
ip -n ns1 address add 10.1.1.1/24 dev tap1

# Linux bridge qbr; the host end (tap2) of the VM veth pair is enslaved to it
# (iproute2 form of 'brctl addbr qbr' / 'brctl addif qbr tap2').
ip link add name qbr type bridge
ip link set dev tap2 master qbr

# OVS integration bridge br-int.  A second veth pair joins the two bridges:
# qvb is enslaved to the Linux bridge qbr, qvo becomes a port of br-int
# (qvo is the port the VLAN tag for tenant isolation is later applied to).
ovs-vsctl add-br br-int
ip link add dev qvb type veth peer name qvo
ip link set dev qvb master qbr
ovs-vsctl add-port br-int qvo
ip link set dev qvb up
ip link set dev qvo up
ip link set dev qbr up


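# Tunnel bridge br-tun, joined to br-int by an OVS patch-port pair.
# Patch ports live entirely inside OVS: no kernel device is needed, so the
# original 'ip link add patch-int type veth peer name patch-tun' (which only
# left an unused veth pair behind, later brought 'up' for nothing) is dropped
# and each port is created with its type and peer in one transaction.
# ofport_request=2 pins patch-int to OpenFlow port 2 on br-tun; vxlan1, added
# afterwards, then receives port 1.  That is the numbering the br-tun flow
# table below assumes (1 = tunnel side, 2 = br-int side), so it no longer
# depends on the order in which ports happened to be added.
ovs-vsctl add-br br-tun
ovs-vsctl add-port br-tun patch-int -- set interface patch-int type=patch options:peer=patch-tun ofport_request=2
ovs-vsctl add-port br-int patch-tun -- set interface patch-tun type=patch options:peer=patch-int

ip link set dev br-int up
ip link set dev br-tun up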
# VXLAN overlay to host2: VNI 100, UDP 4789, over the underlay NIC ens38.
# vxlan1 is a kernel vxlan device added to br-tun as an ordinary port (no OVS
# tunnel type), so the VNI is fixed here at creation time.
# Plain VXLAN carries no authentication or encryption: tenant separation only
# holds if the 192.168.1.0/24 underlay itself is trusted or filtered.
ip link add dev vxlan1 type vxlan id 100 dstport 4789 \
  local 192.168.1.100 remote 192.168.1.101 dev ens38
# ip a a 192.168.10.1/24 dev vxlan1
ovs-vsctl add-port br-tun vxlan1
ip link set dev vxlan1 up

host1 增加vm4
# Second "VM" on host1 (vm4, 10.1.1.4): namespace ns2 with veth tap10/tap20.
ip netns add ns2
ip link add dev tap10 type veth peer name tap20
ip link set dev tap10 netns ns2
ip link set dev tap20 up
ip -n ns2 link set dev tap10 up
ip -n ns2 address add 10.1.1.4/24 dev tap10

# Linux bridge qbr20 for the second VM; tap20 is its host-side port
# (iproute2 form of 'brctl addbr' / 'brctl addif').
ip link add name qbr20 type bridge
ip link set dev tap20 master qbr20


# Veth pair qvb20/qvo20 joins qbr20 to br-int; qvo20 is the br-int port that
# later carries the second tenant's VLAN tag.
ip link add dev qvb20 type veth peer name qvo20
ip link set dev qvb20 master qbr20
ovs-vsctl add-port br-int qvo20
ip link set dev qvb20 up
ip link set dev qvo20 up
ip link set dev qbr20 up

host2

# host2: namespace ns1 simulates vm2 (10.1.1.2); veth tap1 (inside ns1) / tap2
# (on the host) is its NIC.
ip netns add ns1
ip link add dev tap1 type veth peer name tap2
ip link set dev tap1 netns ns1
ip link set dev tap2 up
ip -n ns1 link set dev tap1 up
ip -n ns1 address add 10.1.1.2/24 dev tap1

# Linux bridge qbr with tap2 enslaved to it
# (iproute2 form of 'brctl addbr qbr' / 'brctl addif qbr tap2').
ip link add name qbr type bridge
ip link set dev tap2 master qbr

# OVS integration bridge br-int, linked to qbr by the veth pair qvb (on qbr)
# and qvo (port of br-int, later tagged with the tenant VLAN).
ovs-vsctl add-br br-int
ip link add dev qvb type veth peer name qvo
ip link set dev qvb master qbr
ovs-vsctl add-port br-int qvo
ip link set dev qvb up
ip link set dev qvo up
ip link set dev qbr up


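# Tunnel bridge br-tun, joined to br-int by an OVS patch-port pair.
# Patch ports live entirely inside OVS: no kernel device is needed, so the
# original 'ip link add patch-int type veth peer name patch-tun' (which only
# left an unused veth pair behind, later brought 'up' for nothing) is dropped
# and each port is created with its type and peer in one transaction.
# ofport_request=2 pins patch-int to OpenFlow port 2 on br-tun; vxlan1, added
# afterwards, then receives port 1.  That is the numbering the br-tun flow
# table below assumes (1 = tunnel side, 2 = br-int side), so the "port numbers
# must match on both hosts" precondition is satisfied by construction.
ovs-vsctl add-br br-tun
ovs-vsctl add-port br-tun patch-int -- set interface patch-int type=patch options:peer=patch-tun ofport_request=2
ovs-vsctl add-port br-int patch-tun -- set interface patch-tun type=patch options:peer=patch-int

ip link set dev br-int up
ip link set dev br-tun up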
# VXLAN overlay back to host1: VNI 100, UDP 4789, over ens38.
# vxlan1 is a kernel vxlan device attached to br-tun as a plain port, so the
# VNI is fixed here.  VXLAN itself is neither authenticated nor encrypted; the
# 192.168.1.0/24 underlay must be trusted or filtered for tenant separation.
ip link add dev vxlan1 type vxlan id 100 dstport 4789 \
  local 192.168.1.101 remote 192.168.1.100 dev ens38
# ip a a 192.168.10.1/24 dev vxlan1
ovs-vsctl add-port br-tun vxlan1
ip link set dev vxlan1 up

host2增加vm3

# Second "VM" on host2 (vm3, 10.1.1.3): namespace ns2 with veth tap10/tap20.
ip netns add ns2
ip link add dev tap10 type veth peer name tap20
ip link set dev tap10 netns ns2
ip link set dev tap20 up
ip -n ns2 link set dev tap10 up
ip -n ns2 address add 10.1.1.3/24 dev tap10

# Linux bridge qbr20 for vm3; tap20 is its host-side port
# (iproute2 form of 'brctl addbr' / 'brctl addif').
ip link add name qbr20 type bridge
ip link set dev tap20 master qbr20


# Veth pair qvb20/qvo20 joins qbr20 to br-int; qvo20 is the br-int port that
# later carries the second tenant's VLAN tag.
ip link add dev qvb20 type veth peer name qvo20
ip link set dev qvb20 master qbr20
ovs-vsctl add-port br-int qvo20
ip link set dev qvb20 up
ip link set dev qvo20 up
ip link set dev qbr20 up

host1

# Tenant separation on host1: access-VLAN tag 10 for vm1 (qvo), 20 for vm4
# (qvo20).  Both ports are tagged in a single ovs-vsctl transaction.
ovs-vsctl set port qvo tag=10 -- set port qvo20 tag=20

host2

# Tenant separation on host2: access-VLAN tag 10 for vm2 (qvo), 20 for vm3
# (qvo20), applied in one transaction.
ovs-vsctl set port qvo tag=10 -- set port qvo20 tag=20

host1和host2 流表相同,前提是ovs-ofctl show br-tun显示的端口编号一致

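# br-tun flow table (identical on host1 and host2).
# Ports are referenced by name (vxlan1, patch-int) instead of by number, so the
# table no longer depends on 'ovs-ofctl show br-tun' listing vxlan1 as port 1
# and patch-int as port 2.  Every flow is quoted, carries an explicit table and
# priority, and uses commas only (the original mixed ',' and ' ' separators).
# Pipeline:
#   table 0   classify by ingress port
#   table 4   tunnel -> local: VLAN 100/200 on the wire -> tenant VLAN 10/20
#   table 10  learn the source MAC into table 20, then deliver to br-int
#   table 12  local -> tunnel: tenant VLAN 10/20 -> 100/200
#   table 2   unicast and multicast/broadcast both continue to table 20
#   table 20  learned per-MAC entries (populated by table 10), else table 22
#   table 22  flood to the tunnel
# Tenant isolation therefore rests on the inner VLAN tag carried inside one
# shared VNI (100); frames with any other tag are dropped explicitly below
# instead of relying on the implicit table-miss behaviour.

# Remove the default NORMAL flow so only the rules below apply.
ovs-ofctl del-flows br-tun

ovs-ofctl add-flow br-tun "table=0,priority=1,in_port=patch-int,actions=resubmit(,12)"
ovs-ofctl add-flow br-tun "table=0,priority=1,in_port=vxlan1,actions=resubmit(,4)"
ovs-ofctl add-flow br-tun "table=0,priority=0,actions=drop"

# From the tunnel: map the wire VLAN to the tenant VLAN; anything else is dropped.
ovs-ofctl add-flow br-tun "table=4,priority=1,dl_vlan=100,actions=mod_vlan_vid:10,resubmit(,10)"
ovs-ofctl add-flow br-tun "table=4,priority=1,dl_vlan=200,actions=mod_vlan_vid:20,resubmit(,10)"
ovs-ofctl add-flow br-tun "table=4,priority=0,actions=drop"

# learn(): for each frame from the tunnel, install a table-20 entry keyed on
# (VLAN as seen here, dst MAC = this frame's src MAC) that clears the tag,
# keeps the tunnel id and sends the frame back out the port it arrived on.
# NOTE(review): the key is learned after table 4 has rewritten the tag to
# 10/20, while frames reach table 20 from table 12 already carrying 100/200,
# so the learned entries do not appear to match in this layout and unicast
# traffic also takes the table-22 flood path -- verify with
# 'ovs-ofctl dump-flows br-tun table=20' and its n_packets counters.
ovs-ofctl add-flow br-tun "table=10,priority=1,actions=learn(table=20,hard_timeout=300,priority=1,NXM_OF_VLAN_TCI[0..11],NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],load:0->NXM_OF_VLAN_TCI[],load:NXM_NX_TUN_ID[]->NXM_NX_TUN_ID[],output:NXM_OF_IN_PORT[]),output:patch-int"

# From br-int: map the tenant VLAN to the wire VLAN; unknown tags are dropped.
ovs-ofctl add-flow br-tun "table=12,priority=1,dl_vlan=10,actions=mod_vlan_vid:100,resubmit(,2)"
ovs-ofctl add-flow br-tun "table=12,priority=1,dl_vlan=20,actions=mod_vlan_vid:200,resubmit(,2)"
ovs-ofctl add-flow br-tun "table=12,priority=0,actions=drop"

# Unicast (I/G bit clear) and multicast/broadcast (I/G bit set) both go to table 20.
ovs-ofctl add-flow br-tun "table=2,priority=0,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00,actions=resubmit(,20)"
ovs-ofctl add-flow br-tun "table=2,priority=0,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00,actions=resubmit(,20)"

# No learned entry: flood towards the tunnel.
ovs-ofctl add-flow br-tun "table=20,priority=0,actions=resubmit(,22)"
# set_tunnel only sets OVS tunnel metadata; vxlan1 is a kernel vxlan device
# attached as a plain port with its VNI (100) fixed at creation, so this is
# harmless here and only matters if vxlan1 is replaced by an OVS-native vxlan port.
ovs-ofctl add-flow br-tun "table=22,priority=1,actions=set_tunnel:0x64,output:vxlan1"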

测试
在host2将qvo20 tag改为10,即可通信
# Move vm3's port into tenant VLAN 10; vm3 and vm1/vm2 can then reach each other.
ovs-vsctl set Port qvo20 tag=10

2. 扩展:

对br-int网桥增加流表仅让10.1.1.1的arp请求能够转发出去。

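# br-int: let ARP from vm1's port through only when the sender IP is 10.1.1.1.
# 'in_port=qvo' names the port (the first one added to br-int above, which the
# original addressed as port 1) so the rule does not depend on port numbering;
# the last flow is quoted and given an explicit table like the others.
# br-int keeps its default NORMAL flow (only br-tun was cleared), so all other
# traffic on this port -- including IPv4 packets with a spoofed source -- still
# follows NORMAL: this guards ARP sender-IP spoofing on one port only.
ovs-ofctl add-flow br-int "table=0,priority=10,arp,in_port=qvo,actions=resubmit(,4)"
ovs-ofctl add-flow br-int "table=4,priority=2,arp,in_port=qvo,arp_spa=10.1.1.1,actions=NORMAL"
ovs-ofctl add-flow br-int "table=4,priority=0,actions=drop"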

将vm1的IP改为10.1.1.10,ping vm2,arp_spa不是10.1.1.1,被流表拒绝。


版权声明:本文为ledrsnet原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接和本声明。