linux虚拟网络二

Posted by dodoYuan on August 17, 2018

0. 要求:

使用light weight tunnel 功能, 实现单个bridge和单个vxlan设备使不同虚拟网络互通

####1. 基本概念:

1). vlan_filtering

Previously, if we wanted to use distinct subnets with guests on a virtualization server, we need to create multiple VLANs and bridges. Something like: image.png Now, with the VLAN filtering feature, we only need one bridge interface and no VLAN interfaces. image.png

2). LWT

A traditional vxlan netdev ▪ Deployed with one netdev per vni ▪ Each vxlan netdev maintains forwarding database (fdb) for its vni • Fdb entries hashed by mac Recent kernels support ability to deploy a single vxlan netdev for all VNI’s ▪ Such a mode is called collect_metadata or LWT mode ▪ A single forwarding database (fdb) for all VNI’s ▪ Fdb entries are hashed by <mac, VNI>

3. 网络配置

网络简单示意图: image.png 目标:主机1和主机2都包含两个虚拟网络vlan1和vlan2,连接到同一个bridge,VID分别为 2和3, 实现两个主机内的同一虚拟网络ns之间通过vxlan通信。

1)基本设置 生成两个命名空间,模拟两个虚拟网络,连接到bridge

ip netns add ns2
ip netns add ns3
ip link add tap1_0 type veth peer name tap1_1
ip link set tap1_1 netns ns2
brctl addif br1 tap1_0
ip netns exec ns2 ip addr add local 100.0.1.2/24 dev tap1_1
ip link set tap1_0 up
ip netns exec ns2 ip link set tap1_1 up
ip link add tap2_0 type veth peer name tap2_1
ip link set tap2_1 netns ns3 
brctl addif br1 tap2_0
ip netns exec ns3 ip addr add local 100.0.2.1/24 dev tap2_1
ip link set tap2_0 up
ip netns exec ns3 ip link set tap2_1 up

2)开启vlan filtering ,vlan vid设置

ip link set br1 type bridge vlan_filtering 1
bridge vlan add dev tap1_0 vid 2 pvid untagged master
bridge vlan add dev tap2_0 vid 3 pvid untagged master

bridge vlan add vid 2 dev vxlan0
bridge vlan add vid 3 dev vxlan0

image.png

3) VID映射设置

bridge vlan add dev vxlan0 vid 2 tunnel_info id 2
bridge vlan add dev vxlan0 vid 3 tunnel_info id 3

4) 结果 实现基本的互通 image.png

image.png 数据抓包分析 image.png

image.png

image.png

问题: vxlan没有实现vni的转换,两个虚网都使用vni 100。

vlan_tunnel on or vlan_tunnel off Controls whether vlan to tunnel mapping is enabled on the port. By default this flag is off.

bridge link set dev vxlan0 vlan_tunnel on

内核不支持。 系统更新到18.04,将iproute模块升级到4.15.0

问题:VID映射添加不了

image.png

原因一:在初始时添加vxlan设备时指定了VID image.png

添加vxlan设备时需要格外注意(采用组播简单验证)。

ip link add vxlan0 type vxlan dstport 4789 external group \
239.1.1.1 local 192.168.1.4 dev eth0

相应修改后还是没有生成vlan id–>vxlan id的映射关系。LWT模式没有生效。 原因二:TODO

参考资料

https://developers.redhat.com/blog/2017/09/14/vlan-filter-support-on-bridge/ https://www.mail-archive.com/netdev@vger.kernel.org/msg149091.html https://www.systutorials.com/docs/linux/man/8-ip-link/ https://patchwork.ozlabs.org/cover/830914/ http://man7.org/linux/man-pages/man8/bridge.8.html https://mirrors.edge.kernel.org/pub/linux/utils/net/iproute2/