前言
在后面咱们曾经应用Linux Bridge实现了多台网络设备的通信,然而它对于网络隔离的反对不是很好,长期以来,在Linux平台上短少一个性能齐备的虚构交换机,直到OVS的呈现。
试验
接下来咱们来尝试实现两个试验,单机无隔离网络、单机隔离网络。
试验一:单机无隔离网络
应用ovs构建无隔离网络非常简单,只须要增加一个网桥,而后在这个网桥上再减少几个外部端口,最初把端口挪动到netns中即可。
# 增加网桥ovs-vsctl add-br br-int# 增加三个外部端口ovs-vsctl add-port br-int vnet0 -- set Interface vnet0 type=internalovs-vsctl add-port br-int vnet1 -- set Interface vnet1 type=internalovs-vsctl add-port br-int vnet2 -- set Interface vnet2 type=internal# 增加三个netnsip netns add ns0ip netns add ns1ip netns add ns2# 将外部端口别离挪动到netns中ip link set vnet0 netns ns0ip link set vnet1 netns ns1ip link set vnet2 netns ns2# 启动端口并配置IPip netns exec ns0 ip link set lo upip netns exec ns0 ip link set vnet0 upip netns exec ns0 ip addr add 10.0.0.1/24 dev vnet0ip netns exec ns1 ip link set lo upip netns exec ns1 ip link set vnet1 upip netns exec ns1 ip addr add 10.0.0.2/24 dev vnet1ip netns exec ns2 ip link set lo upip netns exec ns2 ip link set vnet2 upip netns exec ns2 ip addr add 10.0.0.3/24 dev vnet2测试
测试ns0和ns1是否通信ip netns exec ns0 ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=1.05 ms64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.059 ms64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.056 ms64 bytes from 10.0.0.2: icmp_seq=4 ttl=64 time=0.053 ms^C--- 10.0.0.2 ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 3000msrtt min/avg/max/mdev = 0.053/0.304/1.051/0.431 ms测试ns0和ns2是否通信ip netns exec ns0 ping 10.0.0.3
PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data.64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=1.17 ms64 bytes from 10.0.0.3: icmp_seq=2 ttl=64 time=0.067 ms64 bytes from 10.0.0.3: icmp_seq=3 ttl=64 time=0.058 ms64 bytes from 10.0.0.3: icmp_seq=4 ttl=64 time=0.064 ms^C--- 10.0.0.3 ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 3001msrtt min/avg/max/mdev = 0.058/0.341/1.177/0.482 ms依据测试后果能够看到,三台设施都是能够相互拜访的,这样咱们就胜利搭建了一个无隔离的二层互通网络。
试验二: 单机隔离网络
应用ovs构建隔离网络也很简略,只须要给相应的端口设置上VLAN标签,就能实现网络的隔离。
# 设置vnet0的VLAN tag为100ovs-vsctl set Port vnet0 tag=100# 设置vnet1和vnet2的VLAN tag为200ovs-vsctl set Port vnet1 tag=200ovs-vsctl set Port vnet2 tag=200应用ovs-vsctl show命令查看VLAN tag是否配置胜利
90139c71-8d11-49b2-b44c-f34174259dc8 Bridge br-int Port "vnet0" tag: 100 Interface "vnet0" type: internal Port br-int Interface br-int type: internal Port "vnet2" tag: 200 Interface "vnet2" type: internal Port "vnet1" tag: 200 Interface "vnet1" type: internal ovs_version: "2.9.0"测试
测试ns0与ns1的是否通信 ip netns exec ns0 ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.^C--- 10.0.0.2 ping statistics ---2 packets transmitted, 0 received, 100% packet loss, time 1000ms测试ns0与ns2的是否通信 ip netns exec ns0 ping 10.0.0.3
PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data.^C--- 10.0.0.3 ping statistics ---2 packets transmitted, 0 received, 100% packet loss, time 999ms测试ns1与ns2的是否通信 ip netns exec ns1 ping 10.0.0.3
PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data.64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=0.930 ms64 bytes from 10.0.0.3: icmp_seq=2 ttl=64 time=0.057 ms64 bytes from 10.0.0.3: icmp_seq=3 ttl=64 time=0.056 ms64 bytes from 10.0.0.3: icmp_seq=4 ttl=64 time=0.057 ms^C--- 10.0.0.3 ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 3000msrtt min/avg/max/mdev = 0.056/0.275/0.930/0.378 ms测试ns2与ns1的是否通信 ip netns exec ns2 ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.088 ms64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.057 ms64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.050 ms64 bytes from 10.0.0.2: icmp_seq=4 ttl=64 time=0.060 ms^C--- 10.0.0.2 ping statistics ---4 packets transmitted, 4 received, 0% packet loss, time 2999msrtt min/avg/max/mdev = 0.050/0.063/0.088/0.017 ms依据测试后果能够看出,ns0是无法访问到ns1和ns2的,ns1和ns2能够相互拜访。这是因为端口vnet0的数据报文收回后被OVS批改了包头,减少了VLAN 100标签,与vnet1、vnet2的VLAN 200标签不匹配,OVS交换机便不再将vnet0的数据报文发送给其余两个端口,由此便实现了网络隔离。
清理试验环境
ovs-vsctl del-br br-intip netns del ns0ip netns del ns1ip netns del ns2本文首发我的微信公众号:我在对面的角落
欢送关注,接管第一工夫更新告诉。