Implementing VLAN isolation with OVS

Posted by dream397


[root@kunpeng82 devuser]# ovs-vsctl list port tap6_br
_uuid               : 70e22269-7254-4300-88fc-b3e8cfcc1df6
bond_active_slave   : []
bond_downdelay      : 0
bond_fake_iface     : false
bond_mode           : []
bond_updelay        : 0
cvlans              : []
external_ids        : {}
fake_bridge         : false
interfaces          : [151c8cc1-d6ab-4351-afb7-cef0021ca246]
lacp                : []
mac                 : []
name                : "tap6_br"
other_config        : {}
protected           : false
qos                 : []
rstp_statistics     : {}
rstp_status         : {}
statistics          : {}
status              : {}
tag                 : 100
trunks              : []
vlan_mode           : []
[root@kunpeng82 devuser]# ovs-vsctl list port tap7_br
_uuid               : 2f371b05-f6f2-41c6-91f3-7cd7e7f883cf
bond_active_slave   : []
bond_downdelay      : 0
bond_fake_iface     : false
bond_mode           : []
bond_updelay        : 0
cvlans              : []
external_ids        : {}
fake_bridge         : false
interfaces          : [060208b7-834c-4ffa-b4e3-7bc15733b7a3]
lacp                : []
mac                 : []
name                : "tap7_br"
other_config        : {}
protected           : false
qos                 : []
rstp_statistics     : {}
rstp_status         : {}
statistics          : {}
status              : {}
tag                 : 200
trunks              : []
vlan_mode           : []
[root@kunpeng82 devuser]# ovs-vsctl list port tap0_br
_uuid               : f8b41259-a1b3-4226-bd25-afb7c0dfe9e1
bond_active_slave   : []
bond_downdelay      : 0
bond_fake_iface     : false
bond_mode           : []
bond_updelay        : 0
cvlans              : []
external_ids        : {}
fake_bridge         : false
interfaces          : [202a2f21-c8f3-4f23-8a64-5dc5de6c6e72]
lacp                : []
mac                 : []
name                : "tap0_br"
other_config        : {}
protected           : false
qos                 : []
rstp_statistics     : {}
rstp_status         : {}
statistics          : {}
status              : {}
tag                 : 100
trunks              : []
vlan_mode           : []
[root@kunpeng82 devuser]# ovs-vsctl list port tap3_br
_uuid               : 29780fb3-41de-46b6-bf96-2df7ac16fb9d
bond_active_slave   : []
bond_downdelay      : 0
bond_fake_iface     : false
bond_mode           : []
bond_updelay        : 0
cvlans              : []
external_ids        : {}
fake_bridge         : false
interfaces          : [9fe5705c-f864-42e9-87e1-671062bba462]
lacp                : []
mac                 : []
name                : "tap3_br"
other_config        : {}
protected           : false
qos                 : []
rstp_statistics     : {}
rstp_status         : {}
statistics          : {}
status              : {}
tag                 : 200
trunks              : []
vlan_mode           : []
[root@kunpeng82 devuser]# 

 

[root@kunpeng82 devuser]# ovs-vsctl show 
25581fe4-f414-4c0a-a9eb-5d04cc658c0c
    Bridge "vswitch0"
        Port "tap3_br"
            tag: 200
            Interface "tap3_br"
        Port "vswitch0"
            Interface "vswitch0"
                type: internal
        Port "vxlan1"
            Interface "vxlan1"
                type: vxlan
                options: {key=flow, remote_ip="10.10.18.216"}
        Port "patch_to_vswitch1"
            Interface "patch_to_vswitch1"
                type: patch
                options: {peer="patch_to_vswitch0"}
        Port "tap0_br"
            tag: 100
            Interface "tap0_br"
    Bridge "vswitch1"
        Port "tap7_br"
            tag: 200
            Interface "tap7_br"
        Port "patch_to_vswitch0"
            Interface "patch_to_vswitch0"
                type: patch
                options: {peer="patch_to_vswitch1"}
        Port "tap6_br"
            tag: 100
            Interface "tap6_br"
        Port "vswitch1"
            Interface "vswitch1"
                type: internal
    ovs_version: "2.12.0"
[root@kunpeng82 devuser]# 
[root@kunpeng82 devuser]# ip netns exec ns6 ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_seq=1 ttl=64 time=0.423 ms
64 bytes from 192.168.1.100: icmp_seq=2 ttl=64 time=0.026 ms
64 bytes from 192.168.1.100: icmp_seq=3 ttl=64 time=0.014 ms
64 bytes from 192.168.1.100: icmp_seq=4 ttl=64 time=0.016 ms
^C
--- 192.168.1.100 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3108ms
rtt min/avg/max/mdev = 0.014/0.119/0.423/0.175 ms
[root@kunpeng82 devuser]# ip netns exec ns6 ping 192.168.1.200
PING 192.168.1.200 (192.168.1.200) 56(84) bytes of data.
^C
--- 192.168.1.200 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1018ms

[root@kunpeng82 devuser]#

[root@kunpeng82 devuser]# ip netns exec ns7 ping 192.168.1.200
PING 192.168.1.200 (192.168.1.200) 56(84) bytes of data.
64 bytes from 192.168.1.200: icmp_seq=1 ttl=64 time=0.487 ms
64 bytes from 192.168.1.200: icmp_seq=2 ttl=64 time=0.025 ms
^C
--- 192.168.1.200 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1068ms
rtt min/avg/max/mdev = 0.025/0.256/0.487/0.231 ms
[root@kunpeng82 devuser]#

 

Hosts in the same VLAN can talk to each other and different VLANs are isolated: ns6 (tap6_br, tag 100 on vswitch1) reaches 192.168.1.100 and ns7 (tap7_br, tag 200) reaches 192.168.1.200, but ns6 cannot reach 192.168.1.200 even though the addresses share one IP subnet. The four tap ports are access ports: a port with `tag` set and `trunks` empty sends and receives untagged frames on exactly that one VLAN.

An OVS port with neither `tag` nor `trunks` set is a trunk port by default and carries every VLAN. That is what the two patch ports above are, which is why a VLAN 100 frame from ns6 crosses into vswitch0. Note that `vxlan1` is an unrestricted trunk in the same sense: frames flooded on either VLAN also leave through the tunnel to 10.10.18.216 with their 802.1Q tag, so its `trunks` deserves the same restriction if that traffic is meant to stay local.
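The rule above (a set `tag` means access port; neither `tag` nor `trunks` means a trunk that carries everything) is easy to lose track of once a bridge has many ports, so here is an added example, not code from the original post, that audits an `ovs-vsctl list port` dump offline: it classifies each port, answers whether a given VLAN can pass a port, and flags unrestricted trunks such as `vxlan1`. `SAMPLE_DUMP` is a constructed excerpt modelled on the page's output (with the patch port already restricted to VLAN 200); the function names are mine, not an OVS tool.

```shell
#!/bin/sh
# Audit VLAN membership from an `ovs-vsctl list port` dump (works offline).
# Against a live switch:  audit_report "$(ovs-vsctl list port)"

# Constructed sample, modelled on the page's output after the patch ports
# were restricted to VLAN 200; vxlan1 is left exactly as the page shows it.
SAMPLE_DUMP='
name                : "tap0_br"
tag                 : 100
trunks              : []
vlan_mode           : []

name                : "tap3_br"
tag                 : 200
trunks              : []
vlan_mode           : []

name                : "patch_to_vswitch1"
tag                 : []
trunks              : [200]
vlan_mode           : trunk

name                : "vxlan1"
tag                 : []
trunks              : []
vlan_mode           : []
'

# port_profile DUMP NAME
# Prints "access <vlan>", "trunk all", "trunk <v1,v2,...>" or
# "native <tag> <trunks>", following the defaults documented in
# ovs-vswitchd.conf.db(5): with vlan_mode empty, a set tag means access;
# otherwise the port is a trunk, restricted only if trunks is non-empty.
port_profile() {
    printf '%s\n' "$1" | awk -v want="$2" '
        function flush() {
            if (name == want) {
                if (mode ~ /^native/)                                   print "native " tag " " trunks
                else if (mode == "access" || (mode == "" && tag != "")) print "access " tag
                else if (trunks == "")                                  print "trunk all"
                else                                                    print "trunk " trunks
            }
            name = tag = trunks = mode = ""
        }
        /^name /      { gsub(/"/, "", $3); name = $3; next }
        /^tag /       { tag  = ($3 == "[]") ? "" : $3; next }
        /^vlan_mode / { mode = ($3 == "[]") ? "" : $3; next }
        /^trunks /    { t = $0; sub(/^[^:]*: */, "", t); gsub(/[][ ]/, "", t); trunks = t; next }
        /^$/          { flush() }
        END           { flush() }
    '
}

# vlan_passes DUMP NAME VLAN -> 0 if frames of VLAN can enter/leave the port
vlan_passes() {
    prof=$(port_profile "$1" "$2")
    case "$prof" in
        "access $3"|"trunk all") return 0 ;;
        "access "*)              return 1 ;;
        "trunk "*|"native "*)
            case "$prof" in "native $3 "*) return 0 ;; esac   # the native VLAN itself
            list=${prof##* }                                  # trunks list, may be empty
            [ -z "$list" ] && return 0                        # native mode, no trunks: all VLANs
            case ",$list," in *",$3,"*) return 0 ;; esac
            return 1 ;;
        *) return 2 ;;                                        # unknown port
    esac
}

port_names() { printf '%s\n' "$1" | awk '/^name / { gsub(/"/, "", $3); print $3 }'; }

# unrestricted_trunks DUMP -> ports that carry every VLAN (the leak paths)
unrestricted_trunks() {
    for p in $(port_names "$1"); do
        if [ "$(port_profile "$1" "$p")" = "trunk all" ]; then printf '%s\n' "$p"; fi
    done
}

audit_report() {
    for p in $(port_names "$1"); do
        printf '%-20s %s\n' "$p" "$(port_profile "$1" "$p")"
    done
    for p in $(unrestricted_trunks "$1"); do
        printf 'WARN %s carries every VLAN; set vlan_mode=trunk trunks=[...] to restrict it\n' "$p"
    done
}

audit_report "$SAMPLE_DUMP"
```

On the constructed dump the report lists the two access ports, the patch port as `trunk 200`, and warns about `vxlan1`, which is the only port left carrying every VLAN.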

 

Now set the patch ports to trunk mode and allow only VLAN 200 through. ovs-vsctl matches column names case-insensitively and by unique prefix, so `VLAN_mode` and `trunk` below resolve to the `vlan_mode` and `trunks` columns; the canonical form is `ovs-vsctl set port patch_to_vswitch0 vlan_mode=trunk trunks=200`. Afterwards ns7 should still reach 192.168.1.200 across the patch link, while ns6's VLAN 100 frames are dropped at the patch port and 192.168.1.100 becomes unreachable from it:

 

 

[root@kunpeng82 devuser]# ovs-vsctl set port patch_to_vswitch1 VLAN_mode=trunk
[root@kunpeng82 devuser]# ovs-vsctl set port patch_to_vswitch0 VLAN_mode=trunk
[root@kunpeng82 devuser]# ovs-vsctl set port patch_to_vswitch0 trunk=200
[root@kunpeng82 devuser]# ovs-vsctl set port patch_to_vswitch1 trunk=200
[root@kunpeng82 devuser]# ip netns exec ns7 ping 192.168.1.200
PING 192.168.1.200 (192.168.1.200) 56(84) bytes of data.
64 bytes from 192.168.1.200: icmp_seq=1 ttl=64 time=0.304 ms
64 bytes from 192.168.1.200: icmp_seq=2 ttl=64 time=0.025 ms
^C
--- 192.168.1.200 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1008ms
rtt min/avg/max/mdev = 0.025/0.164/0.304/0.140 ms
[root@kunpeng82 devuser]# ip netns exec ns6 ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
^C
--- 192.168.1.100 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1068ms
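Both results are the expected ones: VLAN 200 still crosses the patch link and VLAN 100 from ns6 no longer does. The script below is an added example, not the original author's, that rebuilds the lab end to end and checks both states. It assumes details the page does not show: that each tapN_br port is the host end of a veth pair whose peer lives in ns0/ns3/ns6/ns7, that 192.168.1.100 and .200 belong to ns0 and ns3, the .106/.107 addresses for ns6/ns7, and it leaves out the vxlan1 tunnel. With `DRY_RUN=1` it only prints the commands it would run.

```shell
#!/bin/sh
# Rebuild the two-bridge lab, restrict the patch link, verify isolation.
# Usage (as root): sh ovs_vlan_lab.sh build | restrict | verify-open | verify-closed
# DRY_RUN=1 prints every command instead of executing it.

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# add_ns_port BRIDGE NS HOST_IF NS_IF CIDR TAG  -- one access port per namespace
# (veth pair naming is an assumption; the page only shows the bridge side)
add_ns_port() {
    run ip netns add "$2"
    run ip link add "$3" type veth peer name "$4"
    run ip link set "$4" netns "$2"
    run ip netns exec "$2" ip addr add "$5" dev "$4"
    run ip netns exec "$2" ip link set "$4" up
    run ip link set "$3" up
    run ovs-vsctl add-port "$1" "$3" tag="$6"
}

build_topology() {
    run ovs-vsctl add-br vswitch0
    run ovs-vsctl add-br vswitch1
    add_ns_port vswitch0 ns0 tap0_br tap0 192.168.1.100/24 100   # .100/.200 as pinged on the page
    add_ns_port vswitch0 ns3 tap3_br tap3 192.168.1.200/24 200
    add_ns_port vswitch1 ns6 tap6_br tap6 192.168.1.106/24 100   # .106/.107 assumed
    add_ns_port vswitch1 ns7 tap7_br tap7 192.168.1.107/24 200
    # Patch pair with no tag/trunks: a default trunk that carries every VLAN.
    run ovs-vsctl add-port vswitch0 patch_to_vswitch1 -- \
        set interface patch_to_vswitch1 type=patch options:peer=patch_to_vswitch0
    run ovs-vsctl add-port vswitch1 patch_to_vswitch0 -- \
        set interface patch_to_vswitch0 type=patch options:peer=patch_to_vswitch1
}

# restrict_patch VLAN...  -- allow only the listed VLANs across the patch link
restrict_patch() {
    list=$(printf '%s,' "$@"); list=${list%,}
    run ovs-vsctl set port patch_to_vswitch0 vlan_mode=trunk "trunks=[$list]"
    run ovs-vsctl set port patch_to_vswitch1 vlan_mode=trunk "trunks=[$list]"
}

reach() { ip netns exec "$1" ping -c 1 -W 1 "$2" >/dev/null 2>&1; }

# expect NS IP yes|no
expect() {
    if reach "$1" "$2"; then got=yes; else got=no; fi
    if [ "$got" = "$3" ]; then
        printf 'ok   %s -> %s: %s\n' "$1" "$2" "$got"
    else
        printf 'FAIL %s -> %s: got %s, want %s\n' "$1" "$2" "$got" "$3"; return 1
    fi
}

# verify_isolation yes|no  -- should VLAN 100 still cross the patch link?
verify_isolation() {
    rc=0
    expect ns6 192.168.1.100 "$1" || rc=1   # VLAN 100 to the other bridge
    expect ns6 192.168.1.200 no   || rc=1   # VLAN 100 -> VLAN 200: never
    expect ns7 192.168.1.200 yes  || rc=1   # VLAN 200 to the other bridge
    return $rc
}

case "${1:-}" in
    build)         build_topology ;;
    restrict)      restrict_patch 200 ;;
    verify-open)   verify_isolation yes ;;
    verify-closed) verify_isolation no ;;
esac
```

Run `build`, then `verify-open` (ns6 must reach .100), then `restrict` and `verify-closed` (ns6 must not). The restriction uses the canonical column names `vlan_mode` and `trunks`; giving `restrict_patch` several VLANs produces the `[v1,v2]` set syntax ovs-vsctl expects.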

 
