Implementing VLAN isolation with OVS
Posted dream397
[root@kunpeng82 devuser]# ovs-vsctl list port tap6_br
_uuid : 70e22269-7254-4300-88fc-b3e8cfcc1df6
bond_active_slave : []
bond_downdelay : 0
bond_fake_iface : false
bond_mode : []
bond_updelay : 0
cvlans : []
external_ids : {}
fake_bridge : false
interfaces : [151c8cc1-d6ab-4351-afb7-cef0021ca246]
lacp : []
mac : []
name : "tap6_br"
other_config : {}
protected : false
qos : []
rstp_statistics : {}
rstp_status : {}
statistics : {}
status : {}
tag : 100
trunks : []
vlan_mode : []
[root@kunpeng82 devuser]# ovs-vsctl list port tap7_br
_uuid : 2f371b05-f6f2-41c6-91f3-7cd7e7f883cf
bond_active_slave : []
bond_downdelay : 0
bond_fake_iface : false
bond_mode : []
bond_updelay : 0
cvlans : []
external_ids : {}
fake_bridge : false
interfaces : [060208b7-834c-4ffa-b4e3-7bc15733b7a3]
lacp : []
mac : []
name : "tap7_br"
other_config : {}
protected : false
qos : []
rstp_statistics : {}
rstp_status : {}
statistics : {}
status : {}
tag : 200
trunks : []
vlan_mode : []
[root@kunpeng82 devuser]# ovs-vsctl list port tap0_br
_uuid : f8b41259-a1b3-4226-bd25-afb7c0dfe9e1
bond_active_slave : []
bond_downdelay : 0
bond_fake_iface : false
bond_mode : []
bond_updelay : 0
cvlans : []
external_ids : {}
fake_bridge : false
interfaces : [202a2f21-c8f3-4f23-8a64-5dc5de6c6e72]
lacp : []
mac : []
name : "tap0_br"
other_config : {}
protected : false
qos : []
rstp_statistics : {}
rstp_status : {}
statistics : {}
status : {}
tag : 100
trunks : []
vlan_mode : []
[root@kunpeng82 devuser]# ovs-vsctl list port tap3_br
_uuid : 29780fb3-41de-46b6-bf96-2df7ac16fb9d
bond_active_slave : []
bond_downdelay : 0
bond_fake_iface : false
bond_mode : []
bond_updelay : 0
cvlans : []
external_ids : {}
fake_bridge : false
interfaces : [9fe5705c-f864-42e9-87e1-671062bba462]
lacp : []
mac : []
name : "tap3_br"
other_config : {}
protected : false
qos : []
rstp_statistics : {}
rstp_status : {}
statistics : {}
status : {}
tag : 200
trunks : []
vlan_mode : []
[root@kunpeng82 devuser]#
[root@kunpeng82 devuser]# ovs-vsctl show
25581fe4-f414-4c0a-a9eb-5d04cc658c0c
    Bridge "vswitch0"
        Port "tap3_br"
            tag: 200
            Interface "tap3_br"
        Port "vswitch0"
            Interface "vswitch0"
                type: internal
        Port "vxlan1"
            Interface "vxlan1"
                type: vxlan
                options: {key=flow, remote_ip="10.10.18.216"}
        Port "patch_to_vswitch1"
            Interface "patch_to_vswitch1"
                type: patch
                options: {peer="patch_to_vswitch0"}
        Port "tap0_br"
            tag: 100
            Interface "tap0_br"
    Bridge "vswitch1"
        Port "tap7_br"
            tag: 200
            Interface "tap7_br"
        Port "patch_to_vswitch0"
            Interface "patch_to_vswitch0"
                type: patch
                options: {peer="patch_to_vswitch1"}
        Port "tap6_br"
            tag: 100
            Interface "tap6_br"
        Port "vswitch1"
            Interface "vswitch1"
                type: internal
    ovs_version: "2.12.0"
[root@kunpeng82 devuser]#
[root@kunpeng82 devuser]# ip netns exec ns6 ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_seq=1 ttl=64 time=0.423 ms
64 bytes from 192.168.1.100: icmp_seq=2 ttl=64 time=0.026 ms
64 bytes from 192.168.1.100: icmp_seq=3 ttl=64 time=0.014 ms
64 bytes from 192.168.1.100: icmp_seq=4 ttl=64 time=0.016 ms
^C
--- 192.168.1.100 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3108ms
rtt min/avg/max/mdev = 0.014/0.119/0.423/0.175 ms
[root@kunpeng82 devuser]# ip netns exec ns6 ping 192.168.1.200
PING 192.168.1.200 (192.168.1.200) 56(84) bytes of data.
^C
--- 192.168.1.200 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1018ms
[root@kunpeng82 devuser]#
[root@kunpeng82 devuser]# ip netns exec ns7 ping 192.168.1.200
PING 192.168.1.200 (192.168.1.200) 56(84) bytes of data.
64 bytes from 192.168.1.200: icmp_seq=1 ttl=64 time=0.487 ms
64 bytes from 192.168.1.200: icmp_seq=2 ttl=64 time=0.025 ms
^C
--- 192.168.1.200 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1068ms
rtt min/avg/max/mdev = 0.025/0.256/0.487/0.231 ms
[root@kunpeng82 devuser]#
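Hosts in the same VLAN can communicate, while different VLANs are isolated from each other.
By default an OVS port is in trunk mode, and all VLAN tags are allowed through it.
Now set the patch ports to trunk mode and allow only VLAN 200 through.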
[root@kunpeng82 devuser]# ovs-vsctl set port patch_to_vswitch1 VLAN_mode=trunk
[root@kunpeng82 devuser]# ovs-vsctl set port patch_to_vswitch0 VLAN_mode=trunk
[root@kunpeng82 devuser]# ovs-vsctl set port patch_to_vswitch0 trunk=200
[root@kunpeng82 devuser]# ovs-vsctl set port patch_to_vswitch1 trunk=200
[root@kunpeng82 devuser]# ip netns exec ns7 ping 192.168.1.200
PING 192.168.1.200 (192.168.1.200) 56(84) bytes of data.
64 bytes from 192.168.1.200: icmp_seq=1 ttl=64 time=0.304 ms
64 bytes from 192.168.1.200: icmp_seq=2 ttl=64 time=0.025 ms
^C
--- 192.168.1.200 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1008ms
rtt min/avg/max/mdev = 0.025/0.164/0.304/0.140 ms
[root@kunpeng82 devuser]# ip netns exec ns6 ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
^C
--- 192.168.1.100 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1068ms
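An added example, not part of the original post: a shell/awk check that reads `ovs-vsctl list port` output and reports each port's VLAN role, so that ports still in the default trunk-everything state stand out. The function names are hypothetical, and the sample records (placeholder UUIDs, trimmed to the relevant columns) are constructed.

```shell
#!/bin/sh
# Added example: report each OVS port's VLAN role from `ovs-vsctl list port` output.
# With vlan_mode unset, a tagged port is an access port and an untagged one a trunk;
# a trunk whose `trunks` column is empty carries every VLAN.
classify_ports() {
    awk '
    function flush() {
        if (name == "") return
        if (mode == "") mode = (tag != "") ? "access" : "trunk"
        if (mode == "access") vl = tag
        else if (trunks != "") vl = trunks   # native-* modes also carry the tag
        else vl = "ALL"
        printf "%s %s %s\n", name, mode, vl
        name = tag = trunks = mode = ""
    }
    {
        if (!(i = index($0, ":"))) next      # lines look like: key : value
        key = substr($0, 1, i - 1); val = substr($0, i + 1)
        gsub(/[ \t]/, "", key)
        gsub(/[ \t"]/, "", val); gsub(/\[/, "", val); gsub(/\]/, "", val)
        if (key == "_uuid") flush()          # a new record starts at _uuid
        else if (key == "name") name = val
        else if (key == "tag") tag = val
        else if (key == "trunks") trunks = val
        else if (key == "vlan_mode") mode = val
    }
    END { flush() }'
}
# Names of ports that would forward any VLAN tag.
wide_open_trunks() { classify_ports | awk '$3 == "ALL" { print $1 }'; }
# Constructed sample: access port, default-state patch port, restricted patch port.
sample_ports() {
    cat <<'EOF'
_uuid     : 00000000-0000-0000-0000-000000000001
name      : "tap6_br"
tag       : 100
trunks    : []
_uuid     : 00000000-0000-0000-0000-000000000002
name      : "patch_to_vswitch0"
tag       : []
trunks    : []
_uuid     : 00000000-0000-0000-0000-000000000003
name      : "patch_to_vswitch1"
trunks    : [200]
vlan_mode : trunk
EOF
}
sample_ports | classify_ports
printf 'carries all VLANs: %s\n' "$(sample_ports | wide_open_trunks)"
```

On a live host, pipe `ovs-vsctl list port` into `classify_ports` or `wide_open_trunks` instead of the sample.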