拓扑
配置一个简单的L2 和 L3 Network 测试拓扑,包含两个L2 Network(logic switch),每个L2 Network连接两个vm(用netns模拟),包含一个VPC Router(logic router)连接两个L2 Network,使其能够三层互通。
这里将模拟云网络东西向流量的二三层互通。不涉及南北向流量。
逻辑拓扑如下:

image.png
分别测试同主机互通和跨主机互通,所以我们将 vm-400-2 这个虚拟机单独放到 Node 节点上,其他 VM 放到 Central 节点上。
物理拓扑如下:

image.png
OVN L2
OVN L2功能包括
- L2 switch
- L2 ACL
- Supports software-based L2 gateways
- Supports TOR (Top of Rack) based L2 gateways that implement the hardware_vtep schema
- Can provide networking for both VMs and containers running inside of those VMs, without a second layer of overlay networking
1、 配置sw-300,同主机二层互联
# Northbound (control-plane) definition of logical switch sw-300 and its two VM ports.
# lsp-set-addresses tells OVN which MAC/IP lives behind each port; lsp-set-port-security
# pins the port to that same MAC/IP so the "VM" cannot send from, or receive traffic
# for, any other address (anti-spoofing at the logical port).
ovn-nbctl ls-add sw-300
for vm in 1 2; do
  lsp="sw-300-port-vm${vm}"
  addr="fa:10:dd:1b:30:0${vm} 30.1.1.1${vm}/24"
  ovn-nbctl lsp-add sw-300 "$lsp"
  ovn-nbctl lsp-set-addresses "$lsp" "$addr"
  ovn-nbctl lsp-set-port-security "$lsp" "$addr"
done
## Forwarding plane: both VMs of sw-300 are realized on the Central node only.
## Each "VM" is a network namespace holding an OVS internal port; the port's
## external_ids:iface-id equals the logical port name, which is what ovn-controller
## uses to bind the physical interface to the logical switch port.
for vm in 1 2; do
  port="sw-300-port-vm${vm}"
  ns="vm-300-${vm}"
  # Create the internal port first: the netdev only exists after this step.
  ovs-vsctl add-port br-int "$port" -- set interface "$port" type=internal \
    -- set Interface "$port" external_ids:iface-id="$port"
  ip netns add "$ns"
  ip link set netns "$ns" dev "$port"
  ip netns exec "$ns" ip link set up dev lo
  ip netns exec "$ns" ip link set up dev "$port"
  # MAC and IP must match the lsp-set-port-security entry above, otherwise
  # OVN drops the traffic.
  ip netns exec "$ns" ip link set address "fa:10:dd:1b:30:0${vm}" dev "$port"
  ip netns exec "$ns" ip addr add "30.1.1.1${vm}/24" dev "$port"
  ip netns exec "$ns" ip route add default via 30.1.1.1
done
## Central 节点
[root@localhost ~]# ovn-nbctl show
switch 7cb4da17-5b6f-4121-8de2-c88452bef8ee (sw-300)
port sw-300-port-vm1
addresses: ["fa:10:dd:1b:30:01 30.1.1.11/24"]
port sw-300-port-vm2
addresses: ["fa:10:dd:1b:30:02 30.1.1.12/24"]
[root@localhost ~]# ovs-vsctl show
9f827492-13aa-4029-add8-4d5c5f006bd9
Bridge br-int
fail_mode: secure
Port br-int
Interface br-int
type: internal
Port "sw-300-port-vm1"
Interface "sw-300-port-vm1"
type: internal
Port "sw-300-port-vm2"
Interface "sw-300-port-vm2"
type: internal
Port "ovn-ba702e-0"
Interface "ovn-ba702e-0"
type: geneve
options: {csum="true", key=flow, remote_ip="172.26.201.7"}
ovs_version: "2.11.0"
## Node上未发生实际配置
[root@172-26-201-7 ~]# ovs-vsctl show
c39793c4-a552-40b3-bc01-be55208ed292
Bridge br-int
fail_mode: secure
Port "ovn-bd8b43-0"
Interface "ovn-bd8b43-0"
type: geneve
options: {csum="true", key=flow, remote_ip="172.20.16.58"}
Port br-int
Interface br-int
type: internal
ovs_version: "2.11.0"
2、配置sw-400,跨主机二层互联
## Create a second logical switch, sw-400, with two VM ports.
# Same pattern as sw-300: the port-security set mirrors the addresses set, so each
# "VM" is locked to exactly one MAC/IP pair.
ovn-nbctl ls-add sw-400
for vm in 1 2; do
  lsp="sw-400-port-vm${vm}"
  addr="fa:10:dd:1b:40:0${vm} 40.1.1.1${vm}/24"
  ovn-nbctl lsp-add sw-400 "$lsp"
  ovn-nbctl lsp-set-addresses "$lsp" "$addr"
  ovn-nbctl lsp-set-port-security "$lsp" "$addr"
done
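## Data plane: one VM is created on Central, the other on Node.
## Central node configuration
# The OVS internal port has to be created before it can be moved into the
# namespace: `ip link set netns ... dev sw-400-port-vm1` fails with "no such device"
# if ovs-vsctl add-port has not run yet (the sw-300 section above already uses
# this order).
ovs-vsctl add-port br-int sw-400-port-vm1 -- set interface sw-400-port-vm1 type=internal \
  -- set Interface sw-400-port-vm1 external_ids:iface-id=sw-400-port-vm1
ip netns add vm-400-1
ip link set netns vm-400-1 dev sw-400-port-vm1
ip netns exec vm-400-1 ip link set up dev lo
ip netns exec vm-400-1 ip link set up dev sw-400-port-vm1
# MAC/IP must match the port-security entry configured on sw-400-port-vm1.
ip netns exec vm-400-1 ip link set address fa:10:dd:1b:40:01 dev sw-400-port-vm1
ip netns exec vm-400-1 ip addr add 40.1.1.11/24 dev sw-400-port-vm1
ip netns exec vm-400-1 ip route add default via 40.1.1.1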
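## Node configuration
# Create the OVS internal port before moving it into the namespace; on the
# original ordering `ip link set netns` runs against a netdev that does not
# exist yet. ovn-controller on Node binds the port via external_ids:iface-id,
# which is why sw-400-port-vm2 shows up only on Node in the ovs-vsctl output.
ovs-vsctl add-port br-int sw-400-port-vm2 -- set interface sw-400-port-vm2 type=internal \
  -- set Interface sw-400-port-vm2 external_ids:iface-id=sw-400-port-vm2
ip netns add vm-400-2
ip link set netns vm-400-2 dev sw-400-port-vm2
ip netns exec vm-400-2 ip link set up dev lo
ip netns exec vm-400-2 ip link set up dev sw-400-port-vm2
# MAC/IP must match the port-security entry configured on sw-400-port-vm2.
ip netns exec vm-400-2 ip link set address fa:10:dd:1b:40:02 dev sw-400-port-vm2
ip netns exec vm-400-2 ip addr add 40.1.1.12/24 dev sw-400-port-vm2
ip netns exec vm-400-2 ip route add default via 40.1.1.1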
## 检查OVS配置
[root@Central ~]# ovs-vsctl show
9f827492-13aa-4029-add8-4d5c5f006bd9
Bridge br-int
fail_mode: secure
Port br-int
Interface br-int
type: internal
Port "sw-400-port-vm1"
Interface "sw-400-port-vm1"
type: internal
Port "sw-300-port-vm1"
Interface "sw-300-port-vm1"
type: internal
Port "sw-300-port-vm2"
Interface "sw-300-port-vm2"
type: internal
Port "ovn-ba702e-0"
Interface "ovn-ba702e-0"
type: geneve
options: {csum="true", key=flow, remote_ip="172.26.201.7"}
## Node节点上存在 vm port和tunnel port
[root@Node ~]# ovs-vsctl show
c39793c4-a552-40b3-bc01-be55208ed292
Bridge br-int
fail_mode: secure
Port "sw-400-port-vm2"
Interface "sw-400-port-vm2"
type: internal
Port "ovn-bd8b43-0"
Interface "ovn-bd8b43-0"
type: geneve
options: {csum="true", key=flow, remote_ip="172.20.16.58"}
Port br-int
Interface br-int
type: internal
ovs_version: "2.11.0"
OVN L3
OVN L3的功能包括
- IPv4/IPv6分布式L3路由
- ARP and IPv6 Neighbor Discovery suppression for known IP-MAC bindings
- L3 ACL
- Native support for NAT and load balancing using OVS connection tracking
- Native fully distributed support for DHCP
- Supports L3 gateways from logical to physical networks
1、配置VPC路由器,连接sw-300 和 sw-400
## L3: one logical router ("VPC router") with one port in each subnet, and a
## type=router logical switch port on each switch that patches to it.
# The router-port MACs below are written with a single-digit last octet (":1");
# the ovn-nbctl show output on this page echoes them unchanged, so OVN accepted
# them, but the canonical form would be ":01".
# NOTE(review): the later ovn-nbctl show output lists sw-400-port's router-port
# as "sw-400-port" rather than the "rt-400-port" set here — looks like a
# transcription slip; verify against the live NB database.
# No port security is applied to the router-facing switch ports: they carry
# traffic for every VM behind the router, unlike the per-VM ports.
ovn-nbctl lr-add vpc-router
for net in 300 400; do
  sw="sw-${net}"
  lsp="sw-${net}-port"
  lrp="rt-${net}-port"
  mac="02:d4:1d:8c:${net:0:2}:1"
  gw="${net:0:2}.1.1.1/24"
  ovn-nbctl lrp-add vpc-router "$lrp" "$mac" "$gw"
  ovn-nbctl lsp-add "$sw" "$lsp" \
    -- set Logical_Switch_Port "$lsp" type=router \
       options:router-port="$lrp" addresses="\"${mac}\""
done
[root@localhost ~]# ovn-nbctl show
switch 7cb4da17-5b6f-4121-8de2-c88452bef8ee (sw-300)
port sw-300-port-vm1
addresses: ["fa:10:dd:1b:30:01 30.1.1.11/24"]
port sw-300-port-vm2
addresses: ["fa:10:dd:1b:30:02 30.1.1.12/24"]
port sw-300-port
type: router
addresses: ["02:d4:1d:8c:30:1"]
router-port: rt-300-port
switch c88de9c7-c7a7-4206-9529-793f3142d5e9 (sw-400)
port sw-400-port-vm2
addresses: ["fa:10:dd:1b:40:02 40.1.1.12/24"]
port sw-400-port
type: router
addresses: ["02:d4:1d:8c:40:1"]
router-port: sw-400-port
port sw-400-port-vm1
addresses: ["fa:10:dd:1b:40:01 40.1.1.11/24"]
router 84753b81-541f-4be8-bfbd-4fca8287b42b (vpc-router)
port rt-400-port
mac: "02:d4:1d:8c:40:1"
networks: ["40.1.1.1/24"]
port rt-300-port
mac: "02:d4:1d:8c:30:1"
networks: ["30.1.1.1/24"]
[root@localhost ~]# ovs-vsctl show
9f827492-13aa-4029-add8-4d5c5f006bd9
Bridge br-int
fail_mode: secure
Port br-int
Interface br-int
type: internal
Port "sw-400-port-vm1"
Interface "sw-400-port-vm1"
type: internal
Port "sw-300-port-vm1"
Interface "sw-300-port-vm1"
type: internal
Port "sw-300-port-vm2"
Interface "sw-300-port-vm2"
type: internal
Port "ovn-ba702e-0"
Interface "ovn-ba702e-0"
type: geneve
options: {csum="true", key=flow, remote_ip="172.26.201.7"}
ovs_version: "2.11.0"
测试
虚拟机vm-300-1、vm-300-2位于VPC网络sw-300中,二层互通;
虚拟机vm-400-1、vm-400-2位于VPC网络sw-400中,跨主机二层互通;
两个VPC网络中的VM相互之间三层互通。
流表
逻辑拓扑 & 物理拓扑
OVN 逻辑拓扑和我们的配置一一对应,表达了传统意义上的拓扑,OVN根据已经配置的业务产生逻辑流表 (ovn-sbctl list Logical_Flow)。
逻辑拓扑可以通过 ovn-nbctl show 命令查看,如下,可以看到逻辑 datapath、逻辑 port,以及它们的各种属性配置。
[root@Central ~]# ovn-nbctl show
switch 7cb4da17-5b6f-4121-8de2-c88452bef8ee (sw-300)
port sw-300-port-vm1
addresses: ["fa:10:dd:1b:30:01 30.1.1.11/24"]
port sw-300-port-vm2
addresses: ["fa:10:dd:1b:30:02 30.1.1.12/24"]
port sw-300-port
type: router
addresses: ["02:d4:1d:8c:30:1"]
router-port: rt-300-port
switch c88de9c7-c7a7-4206-9529-793f3142d5e9 (sw-400)
port sw-400-port-vm2
addresses: ["fa:10:dd:1b:40:02 40.1.1.12/24"]
port sw-400-port
type: router
addresses: ["02:d4:1d:8c:40:1"]
router-port: sw-400-port
port sw-400-port-vm1
addresses: ["fa:10:dd:1b:40:01 40.1.1.11/24"]
router 84753b81-541f-4be8-bfbd-4fca8287b42b (vpc-router)
port rt-400-port
mac: "02:d4:1d:8c:40:1"
networks: ["40.1.1.1/24"]
port rt-300-port
mac: "02:d4:1d:8c:30:1"
networks: ["30.1.1.1/24"]
OVN 的物理拓扑当然是在 OVS 中的:其 logic switch 和 logic router 都在 OVS bridge br-int 中实现,是非常抽象的,数据面 datapath 的网络功能基本都通过流表实现。在物理拓扑形成之前(例如 VM 网卡加入 LS 之前),逻辑流表不会转换为实际流表。
[root@Central ~]# ovs-vsctl show
9f827492-13aa-4029-add8-4d5c5f006bd9
Bridge br-int
fail_mode: secure
Port br-int
Interface br-int
type: internal
Port "sw-400-port-vm1"
Interface "sw-400-port-vm1"
type: internal
Port "sw-300-port-vm1"
Interface "sw-300-port-vm1"
type: internal
Port "sw-300-port-vm2"
Interface "sw-300-port-vm2"
type: internal
Port "ovn-ba702e-0"
Interface "ovn-ba702e-0"
type: geneve
options: {csum="true", key=flow, remote_ip="172.26.201.7"}
ovs_version: "2.11.0"
[root@Node ~]# ovs-vsctl show
c39793c4-a552-40b3-bc01-be55208ed292
Bridge br-int
fail_mode: secure
Port <