search.xml
<?xml version="1.0" encoding="utf-8"?>
<search>
<entry>
<title>IP Addresses Explained</title>
<url>/2021/11/17/IP%E5%9C%B0%E5%9D%80%E8%AF%A6%E8%A7%A3/</url>
<content><![CDATA[<h1 id="概念"><a href="#概念" class="headerlink" title="概念"></a>概念</h1><p>IP地址是一个32位的二进制数,通常被分割为4个“8位二进制数”(也就是4个字节)。IP地址通常用“点分十进制”表示成(a.b.c.d)的形式,其中,a,b,c,d都是0~255之间的十进制整数。例:点分十进IP地址(100.4.5.6),实际上是32位二进制数(01100100.00000100.00000101.00000110)。</p>
<ul>
<li>网络号:用于识别主机所在网络。</li>
<li>主机号:用于识别该网络中的主机。</li>
</ul>
<h1 id="IP地址分类"><a href="#IP地址分类" class="headerlink" title="IP地址分类"></a>IP地址分类</h1><p>IP地址分为五类,A类保留给政府机构,B类分配给中等规模的公司,C类分配给任何需要的人,D类用于组播,E类用于实验,各类可容纳的地址数目不同。</p>
<p>A、B、C三类IP地址的特征:当将IP地址写成二进制形式时,A类地址的第一位总是0,B类地址的前两位总是10,C类地址的前三位总是110。</p>
<blockquote>
<p>在计算机网络中,主机ID全部为0的地址为网络地址,而主机ID全部为1的地址为广播地址,这2个地址是不能分配给主机用的。</p>
</blockquote>
<p><img src="https://s3.us-west-2.amazonaws.com/secure.notion-static.com/6e23d6d9-9b00-4da1-a2c7-24e058238a8d/aHR0cDovL2kyLjUxY3RvLmNvbS9pbWFnZXMvYmxvZy8yMDE4MDUvMDQvZDhlZGFmZWJjYTViYmJmMWQ1YmIzNWNlZjQxNTYwMjYucG5n.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAT73L2G45EIPT3X45/20211117/us-west-2/s3/aws4_request&X-Amz-Date=20211117T074641Z&X-Amz-Expires=86400&X-Amz-Signature=6deea473cb723197c0a50a11e3451e7c2ded13d609c526eb116c6777f984924e&X-Amz-SignedHeaders=host&response-content-disposition=filename%20=%22aHR0cDovL2kyLjUxY3RvLmNvbS9pbWFnZXMvYmxvZy8yMDE4MDUvMDQvZDhlZGFmZWJjYTViYmJmMWQ1YmIzNWNlZjQxNTYwMjYucG5n.png%22" alt="IP地址分类"></p>
<h2 id="A类地址"><a href="#A类地址" class="headerlink" title="A类地址"></a>Class A addresses</h2><ul>
<li>In a class A address the first byte is the network address and the other three bytes are the host address. The first bit of the first byte is fixed at 0.</li>
<li>Class A network number range: 0.0.0.0—126.0.0.0; address range 0.0.0.0 to 126.255.255.255.</li>
<li>Private and reserved addresses in class A:<ul>
<li>10.X.X.X is a private address (a private address is one that is not used on the Internet but is used within local networks); range 10.0.0.0—10.255.255.255.</li>
<li>127.X.X.X is reserved and is used for loopback testing.</li>
</ul>
</li>
</ul>
<h2 id="B类地址"><a href="#B类地址" class="headerlink" title="B类地址"></a>Class B addresses</h2><ul>
<li>In a class B address the first and second bytes are the network address and the other two bytes are the host address. The first two bits of the first byte are fixed at 10.</li>
<li>Class B network number range: 128.0.0.0—191.255.0.0; address range 128.0.0.0 to 191.255.255.255.</li>
<li>Private and reserved addresses in class B:<ul>
<li>172.16.0.0—172.31.255.255 are private addresses.</li>
<li>169.254.X.X is reserved. If your host is configured to obtain its IP address automatically but finds no usable DHCP server on the network, it gets one of these addresses.</li>
</ul>
</li>
</ul>
<p>191.255.255.255 is a broadcast address and cannot be assigned.</p>
<h2 id="C类地址"><a href="#C类地址" class="headerlink" title="C类地址"></a>Class C addresses</h2><ul>
<li>In a class C address the first, second and third bytes are the network address and the fourth byte is the host address. The first three bits of the first byte are fixed at 110.</li>
<li>Class C network number range: 192.0.0.0—223.255.255.0; address range 192.0.0.0 to 223.255.255.255.</li>
<li>Private addresses in class C:<ul>
<li>192.168.X.X is a private address (192.168.0.0—192.168.255.255).</li>
</ul>
</li>
</ul>
<h2 id="D类地址"><a href="#D类地址" class="headerlink" title="D类地址"></a>Class D addresses</h2><ul>
<li>Class D addresses are not divided into network and host parts; the first four bits of the first byte are fixed at 1110.</li>
<li>Class D address range: 224.0.0.0—239.255.255.255</li>
</ul>
<h2 id="E类地址"><a href="#E类地址" class="headerlink" title="E类地址"></a>Class E addresses</h2><ul>
<li>Class E addresses are not divided into network and host parts; the first five bits of the first byte are fixed at 11110.</li>
<li>Class E address range: 240.0.0.0—255.255.255.254</li>
</ul>
<p>If IP addresses were divided only into classes A to E, a great deal of space would be wasted: a network with 500 hosts cannot use a class C address, but if it uses a class B address only 500 of its more than 60,000 host addresses are used. IP addressing therefore also supports VLSM, which subdivides class A, B and C networks into subnets.</p>
<p><img src="https://s3.us-west-2.amazonaws.com/secure.notion-static.com/dfd51f89-bb1a-4ef8-9a54-44756bbfa259/aHR0cDovL2kyLjUxY3RvLmNvbS9pbWFnZXMvYmxvZy8yMDE4MDUvMDQvYjQ0OTIzN2ZiOWZkMzk1MGI5MWE4MzY4ZjRmM2JkZWUucG5n.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAT73L2G45EIPT3X45/20211117/us-west-2/s3/aws4_request&X-Amz-Date=20211117T074756Z&X-Amz-Expires=86400&X-Amz-Signature=0264920251c44e99d858ac1d9dd86716ee2e30eb1200636e71fb080a3a2de167&X-Amz-SignedHeaders=host&response-content-disposition=filename%20=%22aHR0cDovL2kyLjUxY3RvLmNvbS9pbWFnZXMvYmxvZy8yMDE4MDUvMDQvYjQ0OTIzN2ZiOWZkMzk1MGI5MWE4MzY4ZjRmM2JkZWUucG5n.png%22" alt="IP地址进一步分类"></p>
<h2 id="无类地址"><a href="#无类地址" class="headerlink" title="无类地址"></a>Classless addresses</h2><p>Any way of dividing address ranges other than the A to E classes, for example 192.168.1.0 255.255.255.252, which splits a class C range into smaller blocks.</p>
<h2 id="实体IP"><a href="#实体IP" class="headerlink" title="实体IP"></a>Real IP</h2><p>In the networked world every computer needs a way to be located, hence the definition of a computer's IP address. An IP address is like a house number: for instance, to reach Microsoft's website you go to the IP address 64.4.11.42. IP addresses that can communicate directly on the Internet are called real (public) IPs.</p>
<h2 id="虚拟IP"><a href="#虚拟IP" class="headerlink" title="虚拟IP"></a>Virtual IP</h2><p>As is well known, an IP address has the form xxx.xxx.xxx.xxx, where each xxx is an integer from 1 to 255. Because the number of computers has grown so fast, real IPs have become scarce; fortunately, when IP was planned, three ranges were set aside as virtual IPs for internal networks. The three reserved ranges are:</p>
<ul>
<li>Class A: 10.0.0.1 - 10.255.255.254</li>
<li>Class B: 172.16.0.1 - 172.31.255.254</li>
<li>Class C: 192.168.0.1 - 192.168.255.254</li>
</ul>
<p>Of these, 192.168.0.0 is the most commonly used. Since they are virtual IPs, using them naturally comes with restrictions:</p>
<ul>
<li>Routing information for private addresses must not be propagated externally.</li>
<li>Packets with a private address as source or destination must not be forwarded across the Internet.</li>
<li>Reference records for private addresses (such as DNS) may only be used on the internal network.</li>
</ul>
<p>Because a computer with a virtual IP cannot connect to the Internet directly, it needs a special mechanism to get online. This is nevertheless a great convenience when building IP networks. For example, your company may not be connected to the Internet yet, but that does not mean it never will be. If you used public IPs without registering them, they could very well conflict with someone else's once you really connect, and, as analysed above, re-planning the addressing at that point is a real headache. Instead, you can build the network with private addresses first and, when it is time to connect to the Internet, use an address translation protocol such as NAT (Network Address Translation) together with newly registered IPs.</p>
<h1 id="私有地址概念"><a href="#私有地址概念" class="headerlink" title="私有地址概念"></a>The concept of private addresses</h1><p>In today's networks, IP addresses are divided into public IP addresses and private IP addresses. Public IPs are used on the Internet; private IPs are used on local networks.</p>
<p>Private IP addresses are a reserved range of addresses, used only in local networks and unusable on the Internet.</p>
<h2 id="私有地址有公网地址的转换"><a href="#私有地址有公网地址的转换" class="headerlink" title="私有地址有公网地址的转换"></a>Translating private addresses to public addresses</h2><p>When a host on a private network needs to communicate with a host on the public network, its private address must be translated into a legitimate public address before it can reach the outside.</p>
<h2 id="NAT-Network-Address-Translation-网络地址转换"><a href="#NAT-Network-Address-Translation-网络地址转换" class="headerlink" title="NAT-Network Address Translation 网络地址转换"></a>NAT - Network Address Translation</h2><p>For example, suppose the internal LAN uses the 10.0.0.0 range and its official external IP address is 202.196.3.23. Internal host 10.1.1.48 accesses the external server 202.18.245.251 over the web: it sends a packet with source port 6084 and destination port 80.</p>
<p>After passing through the proxy server, the packet's source address and port may be rewritten to 202.196.3.23:32814, while the destination address and port stay unchanged. The proxy server maintains an address/port mapping table. When the external WWW server returns its reply, the proxy server translates the destination IP address and port in the reply packet back to 10.1.1.48:6084, so the internal host 10.1.1.48 can reach the external server.</p>
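<p>The exchange described above, as an added example in Python that is not part of the original post: a minimal port-address translation table that rewrites the outbound packet exactly as the text describes, maps the reply back to the internal host, and drops any inbound packet for which no mapping exists (the reason hosts behind NAT are not directly reachable from outside). The class and function names (NatTable, Packet, translate_outbound, translate_inbound) are assumptions; the addresses and ports are the ones used in the text, and the choice of 32814 as the first allocated public port is constructed to match the example.</p>

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Addresses from the article's example (a constructed, hypothetical network).
PUBLIC_IP = "202.196.3.23"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatTable:
    """Address/port mapping table kept by the NAT device (name assumed)."""

    def __init__(self, public_ip: str, first_public_port: int = 32814):
        self.public_ip = public_ip
        self.next_port = first_public_port
        # (private_ip, private_port) -> public port chosen for that flow
        self.outbound: Dict[Tuple[str, int], int] = {}
        # public port -> (private_ip, private_port), used for replies
        self.inbound: Dict[int, Tuple[str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite source to the public address; destination is left unchanged."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back to the internal host, or return None (drop) if no
        flow created a mapping for this public port."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.inbound.get(pkt.dst_port)
        if target is None:
            return None
        private_ip, private_port = target
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)


def demo_exchange() -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    """The article's exchange: request out, reply back, unsolicited packet dropped."""
    nat = NatTable(PUBLIC_IP)
    request = Packet("10.1.1.48", 6084, "202.18.245.251", 80)
    outbound = nat.translate_outbound(request)
    reply = Packet("202.18.245.251", 80, outbound.src_ip, outbound.src_port)
    delivered = nat.translate_inbound(reply)
    # Constructed unsolicited packet aimed at a port no internal flow opened.
    unsolicited = nat.translate_inbound(Packet("203.0.113.9", 443, PUBLIC_IP, 40000))
    return outbound, delivered, unsolicited


if __name__ == "__main__":
    for p in demo_exchange():
        print(p)
```

The mapping is keyed on the internal (address, port) pair, so a second connection from the same host and port reuses its public port, while every inbound packet is checked against the table before it is forwarded.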
<h1 id="保留地址范围"><a href="#保留地址范围" class="headerlink" title="保留地址范围"></a>Reserved address ranges</h1><p>Within the IP address range, part of the space is reserved as private IP address space dedicated to internal LAN use. These addresses are listed below:</p>
<ul>
<li>Class A 10.0.0.0-10.255.255.255, number of networks: 1</li>
<li>Class B 172.16.0.0-172.31.255.255, number of networks: 16</li>
<li>Class C 192.168.0.0-192.168.255.255, number of networks: 255</li>
</ul>
<p>Special case:</p>
<p>Carrier-grade NAT: 100.64.0.0 - 100.127.255.255</p>
<p>NetRange: 100.64.0.0 - 100.127.255.255</p>
<p>CIDR: 100.64.0.0/10</p>
<p>OriginAS:</p>
<p>NetName: SHARED-ADDRESS-SPACE-RFCTBD-IANA-RESERVED</p>
<p>NetHandle: NET-100-64-0-0-1</p>
<p>Parent: NET-100-0-0-0-0</p>
<p>NetType: IANA Special Use</p>
<h1 id="特殊的网址"><a href="#特殊的网址" class="headerlink" title="特殊的网址"></a>Special addresses</h1><p>The IP address in which every byte is all 1s ("255.255.255.255") is the broadcast address of the current subnet.</p>
<p>Class E addresses, those beginning with "11110", are all reserved for future and experimental use.</p>
<p>An IP address must not begin with decimal 127; the addresses 127.0.0.1 to 127.255.255.255 are used for loopback testing. For example, 127.0.0.1 stands for the local machine's own IP address, and opening <a href="http://127.0.0.1/">http://127.0.0.1</a> tests the web server configured on the local machine.</p>
<h2 id="IP地址0-0-0-0"><a href="#IP地址0-0-0-0" class="headerlink" title="IP地址0.0.0.0"></a>The IP address 0.0.0.0</h2><p>Strictly speaking, 0.0.0.0 is no longer an IP address in the true sense; it stands for the following set:</p>
<ol>
<li>All unknown hosts and destination networks. "Unknown" here means the local routing table has no specific entry describing how to reach them.</li>
<li>To the local machine it is a "catch-all": anything it does not recognise is sent there.</li>
<li>If a default gateway is configured in the network settings, Windows automatically creates a default route with destination address 0.0.0.0.</li>
</ol>
<p>In other words, it stands for all IP addresses.</p>
<p>For example, if the listen address in a Tomcat configuration file is set to 0.0.0.0, that Tomcat server listens on all of the machine's IP addresses and can be reached through any of them.</p>
<p>If the local machine has the addresses 192.168.1.10 and 172.16.2.10, the Tomcat instance can be reached at both <a href="http://192.168.1.10:8080/">http://192.168.1.10:8080/</a> and <a href="http://172.16.2.10:8080/">http://172.16.2.10:8080/</a>.</p>
<blockquote>
<p>RFC text: 0.0.0.0/8 - Addresses in this block refer to source hosts on "this" network. Address 0.0.0.0/32 may be used as a source address for this host on this network; other addresses within 0.0.0.0/8 may be used to refer to specified hosts on this network ([RFC1122], Section 3.2.1.3).</p>
</blockquote>
<p>According to the RFC, it does not only stand for the local host: 0.0.0.0/8 can denote all hosts on this network, 0.0.0.0/32 can be used as the local host's source address, and other addresses in 0.0.0.0/8 can denote a specific host on this network, so taken together 0.0.0.0 stands for the whole network. Its job is to help the router forward packets that the routing table cannot resolve: if a route for the all-zeros network is configured, every packet the routing table cannot resolve is sent to that route.</p>
<p>In router configuration, 0.0.0.0/0 denotes the default route, whose purpose is to forward packets the routing table cannot resolve; if such an all-zeros route is configured, every unresolved packet is sent to it. Strictly speaking, 0.0.0.0 is not an IP address in the true sense: it stands for the set of all unknown hosts and destination networks, where "unknown" means the local routing table has no specific entry describing how to reach them.</p>
<p><img src="https://s3.us-west-2.amazonaws.com/secure.notion-static.com/d3762d1b-9b75-48e0-bba2-62e4348c53dc/aHR0cDovL2kyLjUxY3RvLmNvbS9pbWFnZXMvYmxvZy8yMDE4MDUvMDQvZTY2NGQxODFiZTg2OTcyMjliNTJmMmFmMjM2YWZhZTcucG5n.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAT73L2G45EIPT3X45/20211117/us-west-2/s3/aws4_request&X-Amz-Date=20211117T074831Z&X-Amz-Expires=86400&X-Amz-Signature=0f4ca4e1c5c2b9ddd31e3bfcb265fa09e7f75e457fcfd91da46f6d560152cb6b&X-Amz-SignedHeaders=host&response-content-disposition=filename%20=%22aHR0cDovL2kyLjUxY3RvLmNvbS9pbWFnZXMvYmxvZy8yMDE4MDUvMDQvZTY2NGQxODFiZTg2OTcyMjliNTJmMmFmMjM2YWZhZTcucG5n.png%22" alt="保留IP地址"></p>
<h1 id="子网"><a href="#子网" class="headerlink" title="子网"></a>Subnets</h1><p>A subnet mask (NetMask) logically divides one large network into smaller networks. The mask is a string of 1s and 0s; ANDing it with an IP address yields that address's network number. For the traditional classes, the class A mask is 255.0.0.0, the class B mask 255.255.0.0 and the class C mask 255.255.255.0. For example, to split the class B network 166.111.0.0 into several class-C-sized subnets, simply set its mask to 255.255.255.0; then 166.111.1.1 and 166.111.2.1 belong to different networks. Dividing one network into several by using a longer mask in this way is called subnetting.</p>
<h1 id="超网"><a href="#超网" class="headerlink" title="超网"></a>Supernets</h1><p>Supernetting is the converse of subnetting: a shorter mask merges several small networks into one large one. For example, an organisation assigned eight class C networks, 202.120.224.0 ~ 202.120.231.0, can make them one network simply by setting the mask to 255.255.248.0.</p>
<h1 id="无类域间路由"><a href="#无类域间路由" class="headerlink" title="无类域间路由"></a>Classless Inter-Domain Routing</h1><p>CIDR (Classless Inter-Domain Routing) does away with the traditional class A, B and C addresses and with the notion of subnetting, so IPv4 address space can be allocated more efficiently. It can combine several IP networks and, using a classless inter-domain routing algorithm, merge them into a single route, reducing the number of entries in routing tables and lightening the load on Internet routers.</p>
<p>CIDR also uses "slash notation", also known as CIDR notation: a slash "/" is appended to the IP address, followed by the number of bits in the network prefix (this number corresponds to the count of 1 bits in the subnet mask of three-level addressing).</p>
<h2 id="CIDR与VLSM的区别"><a href="#CIDR与VLSM的区别" class="headerlink" title="CIDR与VLSM的区别"></a>Difference between CIDR and VLSM</h2><ul>
<li>CIDR merges several standard networks into one larger network.</li>
<li>VLSM splits one standard network into several smaller networks (subnets).</li>
<li>CIDR moves the subnet mask boundary to the left; VLSM moves it to the right.</li>
</ul>
<h2 id="CIDR汇总与路由汇总的区别"><a href="#CIDR汇总与路由汇总的区别" class="headerlink" title="CIDR汇总与路由汇总的区别"></a>Difference between CIDR summarisation and route summarisation</h2><p>Route summarisation still has the concept of classes: the summarised mask length must be greater than or equal to the classful network's mask length. CIDR is classless inter-domain routing: as long as the network addresses agree, CIDR summarisation is possible.</p>
<p>Examples:</p>
<ul>
<li>192.168.0.0/24 - 192.168.3.0/24<br>CIDR summary: 192.168.0.0/30<br>Route summary: 192.168.0.0/30</li>
<li>192.168.0.0/24 - 192.168.3.0/24<br>CIDR summary: 192.168.0.0/22<br>Route summary: not possible! (because 22 &lt; 24, route summarisation cannot be applied)</li>
</ul>
<p>Note: RIPv2 uses route summarisation and does not support CIDR summarisation, but it can carry CIDR summaries.</p>
<h2 id="CIDR的计算方法"><a href="#CIDR的计算方法" class="headerlink" title="CIDR的计算方法"></a>CIDR computation</h2><p>Example 1: summarise the routes 192.168.9.0/24, 192.168.10.0/24, 192.168.11.0/24, 192.168.12.0/24, 192.168.13.0/24, 192.168.14.0/24 and 192.168.15.0/24.</p>
<p>192.168.00001 001.0</p>
<p>192.168.00001 010.0</p>
<p>192.168.00001 011.0</p>
<p>192.168.00001 100.0</p>
<p>192.168.00001 101.0</p>
<p>192.168.00001 110.0</p>
<p>192.168.00001 111.0</p>
<p>192.168.00001 000.0/21, i.e. 192.168.8.0/21</p>
<p>Example 2: an ISP plans to assign some class C networks to its customer groups and has already assigned three class C ranges. Without CIDR, the ISP's router carries three routes for the downstream ranges in its routing table and advertises them to routers on the Internet. With CIDR, the ISP's router can aggregate the three ranges 198.168.1.0, 198.168.2.0 and 198.168.3.0 into the single route 198.168.0.0/22 and advertise only that route, greatly reducing the number of routes and saving memory on network routers. Note that the network addresses aggregated with CIDR must share the same leading bits, as in this example; if the ISP also connected a 172.178.1.0 range, these routes could not be aggregated and CIDR could not be applied.</p>
<h1 id="路由汇聚"><a href="#路由汇聚" class="headerlink" title="路由汇聚"></a>Route aggregation</h1><p>Route aggregation means combining a group of routes into a single route advertisement. Its end result and most obvious benefit is a smaller routing table.</p>
<h2 id="简介"><a href="#简介" class="headerlink" title="简介"></a>Overview</h2><p>This reduces the latency at every routing hop, because with fewer entries the average routing-table lookup is faster. With fewer route advertisements the overhead of the routing protocol also drops substantially. As the network (and the number of subnets) grows, route aggregation becomes ever more important.</p>
<p>The intent of route aggregation is to represent a set of IP addresses by a single IP address once a structured addressing plan has been adopted.</p>
<p>Besides shrinking the routing table, route aggregation improves network stability by limiting the propagation of routing traffic after a link goes down. If a router sends only an aggregated route to the next downstream router, it does not advertise changes to the specific subnets contained in the aggregate. For example, if a router advertises only the aggregate 172.16.0.0/16 to its neighbours, then when it detects a failure in the 172.16.10.0/24 LAN segment it does not send updates to those neighbours.</p>
<p>This principle significantly reduces unnecessary routing updates after a topology change; in practice it speeds up convergence and makes the network more stable. Enforcing route aggregation requires a classless routing protocol, but the protocol alone is not enough: an IP address management plan is essential so that conflict-free aggregation can be applied at strategic points in the network.</p>
<p>Such address ranges are called contiguous address blocks. For example, a router connecting a group of branch offices to headquarters can aggregate all the subnets used by those branches into a single route advertisement. If all of those subnets fall within 172.16.16.0/24 to 172.16.31.0/24, the range can be aggregated as 172.16.16.0/20. This is a contiguous range aligned to a bit boundary, so it is guaranteed to aggregate into a single advertisement. To get the most out of route aggregation, careful address management planning is essential.</p>
<h2 id="算法实现"><a href="#算法实现" class="headerlink" title="算法实现"></a>Algorithm</h2><ol>
<li>Write each subnet's network address in binary.</li>
<li>Compare them bit by bit from the first bit; from the first bit that differs through to the end, fill with 0. The result is the network address of the aggregated range, and its prefix length is the number of leading bits that are identical.</li>
</ol>
<p>Suppose there are four networks:</p>
<p>172.18.129.0/24</p>
<p>172.18.130.0/24</p>
<p>172.18.132.0/24</p>
<p>172.18.133.0/24</p>
<p>If these four are aggregated, the summary address covering all four is:</p>
<p>172.18.128.0/21</p>
<p>Algorithm:</p>
<p>129 in binary is 10000001</p>
<p>130 in binary is 10000010</p>
<p>132 in binary is 10000100</p>
<p>133 in binary is 10000101</p>
<p>The first five bits of these four numbers are the same, 10000, so adding the 16 identical bits of 172.18 the prefix length is 8+8+5=21. 10000000 in decimal is 128, so the aggregated IP address is 172.18.128.0 and the final answer is 172.18.128.0/21.</p>
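<p>The two-step algorithm above, and the CIDR computation in example 1 of the previous section, implemented as an added Python example (not code from the original post). The function names (summarize, summary_is_exact) are assumptions. It compares the network addresses bit by bit from the most significant bit, keeps the run of leading bits they all share as the prefix length and zeroes the remainder, then reports whether the summary covers only the networks given: a summary that is larger than its members (as in both of the article's examples, 7 or 4 networks inside a /21 that holds 8) also advertises address space that nothing actually uses.</p>

```python
import ipaddress
from typing import Iterable, List


def summarize(networks: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix covering every network given, computed the way the
    article does it: shared leading bits become the prefix, the rest become 0."""
    nets: List[ipaddress.IPv4Network] = [ipaddress.IPv4Network(n) for n in networks]
    if not nets:
        raise ValueError("no networks to summarise")
    first = int(nets[0].network_address)
    # The summary can never be longer than the shortest prefix in the set.
    prefix = min(n.prefixlen for n in nets)
    for n in nets[1:]:
        addr = int(n.network_address)
        common = 0
        # Walk from bit 31 (first bit of the first octet) downwards.
        for bit in range(31, -1, -1):
            if (first >> bit) & 1 != (addr >> bit) & 1:
                break
            common += 1
        prefix = min(prefix, common)
    # Zero everything after the shared prefix to get the network address.
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((first & mask, prefix))


def summary_is_exact(networks: Iterable[str], summary: ipaddress.IPv4Network) -> bool:
    """True when the summary holds exactly the addresses of the member networks,
    i.e. it does not advertise any space the members do not cover."""
    members = [ipaddress.IPv4Network(n) for n in networks]
    covered = sum(n.num_addresses for n in members)
    return covered == summary.num_addresses and all(n.subnet_of(summary) for n in members)


if __name__ == "__main__":
    example = ["172.18.129.0/24", "172.18.130.0/24", "172.18.132.0/24", "172.18.133.0/24"]
    s = summarize(example)
    print(s, "exact" if summary_is_exact(example, s) else "covers unused space")
```

ipaddress.collapse_addresses in the standard library only merges prefixes that fit together exactly, so it would return the four /24s unchanged; the explicit bit comparison above is what produces the /21 the article arrives at, and summary_is_exact is the check that tells the two situations apart.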
<p>Summarising routes by prefix keeps the routing entries manageable and brings these advantages:</p>
<ul>
<li>More efficient routing</li>
<li>Fewer CPU cycles spent recalculating the routing table or matching routes</li>
<li>Lower router memory consumption</li>
<li>Faster convergence when the network changes</li>
<li>Easier troubleshooting</li>
</ul>
<p>Route aggregation has weaker requirements than CIDR: it describes the summarisation of networks, whether classful or classless, and aggregation is used more in the Border Gateway Protocol (BGP).</p>
<p>In addition, although it is not the traditional approach, classful subnets can also be summarised.</p>
<h1 id="可变长子网掩码"><a href="#可变长子网掩码" class="headerlink" title="可变长子网掩码"></a>Variable-length subnet masks</h1><p>VLSM (variable-length subnet mask) exists to make effective use of classless inter-domain routing (CIDR) and route summarisation to control routing-table size. It is an IP addressing technique network administrators use routinely: it allows hierarchical subnet addressing so that the available address space is used as efficiently as possible.</p>
<h2 id="定义"><a href="#定义" class="headerlink" title="定义"></a>Definition</h2><p>VLSM (Variable Length Subnet Mask) specifies how different subnet masks can be used in different parts of a subnetted network, which is very useful when different segments of a network need subnets of different sizes.</p>
<h2 id="简介-1"><a href="#简介-1" class="headerlink" title="简介"></a>Overview</h2><p>VLSM is defined relative to classful IP addresses. In class A the first octet is the network number (the first 8 bits), in class B the first two octets (16 bits) and in class C the first three octets (24 bits). VLSM borrows the appropriate number of bits from the host portion of a classful address to extend the network number. The bits available for further subnetting in each class are: 24 in class A, 16 in class B and 8 in class C (the number of bits available equals the number of host bits; not all of them can be borrowed, because an IP address must keep a host portion and a single remaining host bit is meaningless, so in practice the number of bits that can be borrowed is two less than those figures; the borrowed bits form the subnet part).</p>
<p>This is a network allocation mechanism that produces subnets of different sizes: one network can be configured with different masks. The idea behind variable-length masks is to give more flexibility when splitting a subnet into several smaller subnets while still keeping enough host addresses in each. Without VLSM only one mask can be applied to a network, which limits the number of hosts for the required number of subnets. Also, VLSM is bit-based, whereas classful networks are octet-based.</p>
<p>In engineering practice a network can be divided into three or more levels of subnets, and the all-0 and all-1 subnets can be used to save address space. If a LAN uses a 27-bit mask, each subnet supports 30 hosts (2^5-2=30); a WAN link needs only 2 addresses, for which a 30-bit mask (2^2-2=2) would be ideal, but under the constraint that a classful network must use a single mask, the WAN links must also use the 27-bit mask, wasting 28 addresses.</p>
<h2 id="原理"><a href="#原理" class="headerlink" title="原理"></a>Principle</h2><p>A variable-length subnet mask is defined relative to the standard classful mask: for a classful IP address the number of network bits equals the length of the default mask. In class A the first octet is the network number (8 bits), in class B the first two octets (16 bits) and in class C the first three octets (24 bits). VLSM borrows bits from the host portion of a classful address to extend the network number, lengthening the mask. The bits available for further division are 24 in class A, 16 in class B and 8 in class C (the number of divisible bits equals the number of host bits; not all can be borrowed, because an IP address must keep a host portion and a single remaining host bit is meaningless, since with one bit left the address is either the network number or the broadcast address, so at most the number of host bits minus 2 can be borrowed). This is an allocation mechanism that produces subnets of different sizes: one network can carry different masks. The idea is to give more flexibility when dividing a network into subnets while keeping enough host addresses in each. Without VLSM only one mask can be applied to a network, which limits the number of hosts for the required number of subnets.</p>
<h2 id="基本算法"><a href="#基本算法" class="headerlink" title="基本算法"></a>Basic algorithm</h2><p>VLSM divides a large IP network into several smaller ones, so that different departments of an organisation see different networks internally while the outside sees a single IP network. VLSM cannot be discussed without the mask. Like an IP address the mask is 32 bits; it is combined with an IP address to compute that address's network number: ANDing the 32-bit address with the 32-bit mask gives the network number.</p>
<p>Example: the network number of IP 21.31.233.69 with mask 255.255.255.192:</p>
<p>21.31.233.69=0001 0101 0001 1111 1110 1001 0100 0101</p>
<p>255.255.255.192=11111111 11111111 11111111 11000000</p>
<p>0001 0101 0001 1111 1110 1001 0100 0101 &amp; 11111111 11111111 11111111 11000000=0001 0101 0001 1111 1110 1001 0100 0000=21.31.233.64</p>
<p>So 21.31.233.69 &amp; 255.255.255.192 = 21.31.233.64</p>
<p>The subnet's network number is therefore 21.31.233.64.</p>
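<p>An added Python example (not code from the original post) covering the AND computation just shown and the class and special-range rules from the earlier sections: it decides the classful class from the leading bits of the first octet, recognises the private, loopback, link-local, carrier-grade NAT, "this network" and broadcast ranges the article lists, and derives the network number, broadcast address and usable host count from an address and mask. The function names (ip_class, address_kind, network_number, broadcast_address, usable_hosts) are assumptions; the addresses in the test are the ones used in the text. A service that must decide whether an address is routable, private or loopback before trusting it is the typical place such a classifier is used.</p>

```python
import ipaddress


def ip_class(addr: str) -> str:
    """Classful class A-E, decided by the leading bits of the first octet."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet & 0b10000000 == 0:
        return "A"  # leading bit 0
    if first_octet & 0b11000000 == 0b10000000:
        return "B"  # leading bits 10
    if first_octet & 0b11100000 == 0b11000000:
        return "C"  # leading bits 110
    if first_octet & 0b11110000 == 0b11100000:
        return "D"  # leading bits 1110
    return "E"      # leading bits 1111


# Ranges named in the article (RFC 1918 private space and the special blocks).
PRIVATE = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SPECIAL = {
    "this-network": ipaddress.IPv4Network("0.0.0.0/8"),
    "loopback": ipaddress.IPv4Network("127.0.0.0/8"),
    "link-local": ipaddress.IPv4Network("169.254.0.0/16"),
    "cgnat": ipaddress.IPv4Network("100.64.0.0/10"),
    "broadcast": ipaddress.IPv4Network("255.255.255.255/32"),
}


def address_kind(addr: str) -> str:
    """'public', 'private', or the name of the special block the address is in."""
    a = ipaddress.IPv4Address(addr)
    for name, net in SPECIAL.items():
        if a in net:
            return name
    if any(a in net for net in PRIVATE):
        return "private"
    return "public"


def _mask_int(mask: str) -> int:
    """Dotted-decimal mask as an int; rejects masks whose 1 bits are not contiguous."""
    m = int(ipaddress.IPv4Address(mask))
    if (m | (m - 1)) & 0xFFFFFFFF != 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return m


def network_number(addr: str, mask: str) -> str:
    """Bitwise AND of address and mask, exactly as the article computes it."""
    a = int(ipaddress.IPv4Address(addr))
    return str(ipaddress.IPv4Address(a & _mask_int(mask)))


def broadcast_address(addr: str, mask: str) -> str:
    """Network number with every host bit set to 1."""
    a = int(ipaddress.IPv4Address(addr))
    m = _mask_int(mask)
    return str(ipaddress.IPv4Address((a & m) | (~m & 0xFFFFFFFF)))


def usable_hosts(mask: str) -> int:
    """2^host_bits - 2 (network and broadcast excluded); 0 when fewer than 2 host bits."""
    host_bits = 32 - bin(_mask_int(mask)).count("1")
    return 2 ** host_bits - 2 if host_bits >= 2 else 0


if __name__ == "__main__":
    ip, mask = "21.31.233.69", "255.255.255.192"
    print(ip_class(ip), address_kind(ip), network_number(ip, mask),
          broadcast_address(ip, mask), usable_hosts(mask))
```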
<h2 id="应用实例"><a href="#应用实例" class="headerlink" title="应用实例"></a>Worked example</h2><p>A company has two main departments, marketing and engineering; engineering is further split into a hardware group and a software group. The company was assigned a full class C range, 210.31.233.0 with mask 255.255.255.0. For hierarchical management it used VLSM to divide the original network into two levels of subnets (ignoring the all-0 and all-1 subnets). Marketing received the first first-level subnet, 210.31.233.64 with mask 255.255.255.192, which has 62 assignable IP addresses.</p>
<p>Engineering took the second first-level subnet, 210.31.233.128 with mask 255.255.255.192, and split it into two second-level subnets. The first, 210.31.233.128 with mask 255.255.255.224, went to the hardware group and has 30 assignable IP addresses; the software group received the second, 210.31.233.160 with mask 255.255.255.224, also with 30 assignable IP addresses.</p>
<p>In engineering practice the network can be divided into three or more levels of subnets, and the all-0 and all-1 subnets can be used to save address space.</p>
]]></content>
<categories>
<category>network</category>
</categories>
<tags>
<tag>ip address</tag>
</tags>
</entry>
<entry>
<title>The /etc/fstab file on Linux explained</title>
<url>/2021/11/17/Linux%E4%B8%8Bfstab%E6%96%87%E4%BB%B6%E7%9A%84%E8%AF%A6%E8%A7%A3/</url>
<content><![CDATA[<h1 id="etc-fstab文件的作用"><a href="#etc-fstab文件的作用" class="headerlink" title="/etc/fstab文件的作用"></a>/etc/fstab文件的作用</h1><p>磁盘被手动挂载之后都必须把挂载信息写入/etc/fstab这个文件中,否则下次开机启动时仍然需要重新挂载。</p>
<p>系统开机时会主动读取/etc/fstab这个文件中的内容,根据文件里面的配置挂载磁盘。这样我们只需要将磁盘的挂载信息写入这个文件中我们就不需要每次开机启动之后手动进行挂载了。</p>
<h1 id="什么是挂载"><a href="#什么是挂载" class="headerlink" title="什么是挂载"></a>什么是挂载</h1><p>Linux 系统中“一切皆文件”,所有文件都放置在以根目录为树根的树形目录结构中。在 Linux 看来,任何硬件设备也都是文件,它们各有自己的一套文件系统(文件目录结构)。</p>
<p>因此产生的问题是,当在 Linux 系统中使用这些硬件设备时,只有将Linux本身的文件目录与硬件设备的文件目录合二为一,硬件设备才能为我们所用。合二为一的过程称为“挂载”。</p>
<blockquote>
<p>如果不挂载,通过Linux系统中的图形界面系统可以查看找到硬件设备,但命令行方式无法找到。</p>
</blockquote>
<p>挂载,指的就是将设备文件中的顶级目录连接到 Linux 根目录下的某一目录(最好是空目录),访问此目录就等同于访问设备文件。</p>
<p>纠正一个误区,并不是根目录下任何一个目录都可以作为挂载点,由于挂载操作会使得原有目录中文件被隐藏,因此根目录以及系统原有目录都不要作为挂载点,会造成系统异常甚至崩溃,挂载点最好是新建的空目录。</p>
<p>举个例子,我们想通过命令行访问某个 U 盘中的数据,下图 所示为 U 盘文件目录结构和 Linux 系统中的文件目录结构。</p>
<p><img src="https://raw.githubusercontent.com/dangervon/cloudpicture/main/linux_fstab_1.png" alt="Linux文件目录结构"></p>
<p>从上图可以看到,目前 U 盘和 Linux 系统文件分属两个文件系统,还无法使用命令行找到 U 盘文件,需要将两个文件系统进行挂载。</p>
<p>接下来,我们在根目录下新建一个目录 /sdb-u,通过挂载命令将 U 盘文件系统挂载到此目录,挂载效果如下图所示:</p>
<p><img src="https://raw.githubusercontent.com/dangervon/cloudpicture/main/linux_fstab_2.png" alt="U盘挂载目录"></p>
<p>可以看到,U 盘文件系统已经成为 Linux 文件系统目录的一部分,此时访问 /sdb-u/ 就等同于访问 U 盘。</p>
<p>前面讲过,根目录下的 /dev/ 目录文件负责所有的硬件设备文件,事实上,当 U 盘插入 Linux 后,系统也确实会给 U 盘分配一个目录文件(比如 sdb1),就位于 /dev/ 目录下(/dev/sdb1),但无法通过 /dev/sdb1/ 直接访问 U 盘数据,访问此目录只会提供给你此设备的一些基本信息(比如容量)。</p>
<p>总之,Linux 系统使用任何硬件设备,都必须将设备文件与已有目录文件进行挂载。</p>
<h1 id="挂载的限制"><a href="#挂载的限制" class="headerlink" title="挂载的限制"></a>挂载的限制</h1><ul>
<li>根目录是必须挂载的,而且一定要先于其他mount point被挂载。因为mount是所有目录的跟目录,其他木有都是由根目录 /衍生出来的。</li>
<li>挂载点必须是已经存在的目录。</li>
<li>挂载点的指定可以任意,但必须遵守必要的系统目录架构原则</li>
<li>所有挂载点在同一时间只能被挂载一次</li>
<li>所有分区在同一时间只能挂在一次</li>
<li>若进行卸载,必须将工作目录退出挂载点(及其子目录)之外。</li>
</ul>
<h1 id="etc-fstab文件中的参数"><a href="#etc-fstab文件中的参数" class="headerlink" title="/etc/fstab文件中的参数"></a>/etc/fstab文件中的参数</h1><p>下面我们看看看/etc/fstab文件,这是我的linux环境中/etc/fstab文件中的内容</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">[root@wpg ~]<span class="comment"># cat /etc/fstab</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># This file is edited by fstab-sync - see 'man fstab-sync' for details</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Device Mount point filesystem parameters dump fsck</span></span><br><span class="line"></span><br><span class="line">LABEL=/ / ext3 defaults 1 1</span><br><span class="line"></span><br><span class="line">LABEL=/boot /boot ext3 defaults 1 2</span><br><span class="line"></span><br><span class="line">none /dev/pts devpts gid=5,mode=620 0 0</span><br><span class="line"></span><br><span class="line">none /dev/shm tmpfs defaults 0 0</span><br><span class="line"></span><br><span class="line">none /proc proc defaults 0 0</span><br><span class="line"></span><br><span class="line">none /sys sysfs defaults 0 0</span><br><span class="line"></span><br><span class="line">LABEL=SWAP-sda3 swap swap defaults 0 0</span><br><span class="line"></span><br><span class="line">/dev/sdb1 /u01 ext3 defaults 1 2</span><br><span class="line"></span><br><span class="line">UUID=18823fc1-2958-49a0-9f1e-e1316bd5c2c5 /u02 ext3 defaults 1 2</span><br><span class="line"></span><br><span class="line">/dev/hdc /media/cdrom1 auto pamconsole,<span class="built_in">exec</span>,noauto,managed 0 0</span><br><span class="line"></span><br><span class="line">/dev/fd0 /media/floppy auto pamconsole,<span class="built_in">exec</span>,noauto,managed 0 0</span><br></pre></td></tr></table></figure>
<p>I have labelled each column in the file for easy identification; as you can see there are six columns.</p>
<h2 id="第一列-Device"><a href="#第一列-Device" class="headerlink" title="第一列 Device"></a>Column 1: Device</h2><p>The disk device file, or the device's Label or UUID.</p>
<h3 id="查看分区的label和uuid"><a href="#查看分区的label和uuid" class="headerlink" title="查看分区的label和uuid"></a>Finding a partition's label and UUID</h3><p>The label is the partition's tag; the mount point entered when the system was first installed is the label's name. The UUID and label name can be found in the partition's superblock.</p>
<p>For example, to view the UUID and label name of the device /dev/sda1:</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">[root@wpg u02]<span class="comment"># dumpe2fs -h /dev/sda1</span></span><br><span class="line"></span><br><span class="line">dumpe2fs 1.35 (28-Feb-2004)</span><br><span class="line"></span><br><span class="line">Filesystem volume name: /boot //this is the Label name</span><br><span class="line"></span><br><span class="line">Last mounted on: </span><br><span class="line"></span><br><span class="line">Filesystem UUID: 3b10fe13-def4-41b6-baae-9b4ef3b3616c //UUID</span><br><span class="line"></span><br><span class="line">Filesystem magic number: 0xEF53</span><br><span class="line"></span><br><span class="line">Filesystem revision <span class="comment">#: 1 (dynamic)</span></span><br><span class="line"></span><br><span class="line">Filesystem features: has_journal ext_attr resize_inode dir_index filetype needs_recovery sparse_super</span><br><span class="line"></span><br><span class="line">Default mount options: (none)</span><br><span class="line"></span><br><span class="line">Filesystem state: clean</span><br></pre></td></tr></table></figure>
<p>A simpler way is the following command:</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">[root@wpg u02]<span class="comment"># blkid /dev/sda1</span></span><br><span class="line"></span><br><span class="line">/dev/sda1: LABEL=<span class="string">"/boot"</span> UUID=<span class="string">"3b10fe13-def4-41b6-baae-9b4ef3b3616c"</span> SEC_TYPE=<span class="string">"ext3"</span> TYPE=<span class="string">"ext2"</span></span><br></pre></td></tr></table></figure>
<h3 id="使用设备名和label及uuid作为标识的不同"><a href="#使用设备名和label及uuid作为标识的不同" class="headerlink" title="使用设备名和label及uuid作为标识的不同"></a>Device name, label and UUID as identifiers</h3><p>Mounting a partition by device name (/dev/sda) ties it to that name; if the order of the disk slots changes, the names no longer match, because device names can change.</p>
<p>Mounting by label avoids the slot-order problem, but you have to keep track of your label names.</p>
<p>As for UUIDs, every partition receives a UUID as a unique identifier when it is formatted, so mounting by UUID avoids any mix-up.</p>
<h2 id="第二列-Mount-point"><a href="#第二列-Mount-point" class="headerlink" title="第二列 Mount point"></a>Column 2: Mount point</h2><p>The device's mount point, i.e. the directory to mount it on.</p>
<h2 id="第三列-filesystem"><a href="#第三列-filesystem" class="headerlink" title="第三列 filesystem"></a>Column 3: filesystem</h2><p>The disk's filesystem type, such as ext2, ext3, reiserfs, nfs or vfat.</p>
<h2 id="第四列-parameters"><a href="#第四列-parameters" class="headerlink" title="第四列 parameters"></a>Column 4: parameters</h2><p>Filesystem mount options.</p>
<table>
<thead>
<tr>
<th>Option</th>
<th>Meaning</th>
</tr>
</thead>
<tbody><tr>
<td>Async/sync</td>
<td>Whether to run synchronously; the default is async</td>
</tr>
<tr>
<td>auto/noauto</td>
<td>Whether this filesystem is mounted automatically when mount -a is issued; the default is auto</td>
</tr>
<tr>
<td>rw/ro</td>
<td>Mount read-only or read-write</td>
</tr>
<tr>
<td>Defaults</td>
<td>Applies the default options rw, suid, dev, exec, auto, nouser and async together</td>
</tr>
<tr>
<td>Grpquota</td>
<td>Enable group disk quota support on the filesystem</td>
</tr>
<tr>
<td>Usrquota</td>
<td>Enable user disk quota support on the filesystem</td>
</tr>
<tr>
<td>suid/nosuid</td>
<td>Whether SUID bits are honoured</td>
</tr>
<tr>
<td>user/nouser</td>
<td>Whether ordinary users may mount it with the mount command</td>
</tr>
<tr>
<td>exec/noexec</td>
<td>Whether executing programs from this filesystem is allowed</td>
</tr>
</tbody></table>
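<p>An added Python example (not code from the original post) that reads the six columns described in this section and checks the options that matter most from a security standpoint: because "defaults" silently implies suid, dev and exec, a world-writable mount such as /dev/shm or removable media is left without nosuid, nodev and noexec unless they are set explicitly, and a partition named by /dev/ path rather than UUID or LABEL can end up mounted on the wrong device after a slot change. The function and constant names (parse_fstab, audit_fstab, FstabEntry, WORLD_WRITABLE, HARDENING) are assumptions, and the sample file is constructed from the listing shown earlier on this page; it is not a real system's fstab.</p>

```python
from dataclasses import dataclass
from typing import List

# Constructed sample modelled on the article's listing (not a real machine).
SAMPLE_FSTAB = """\
# Device Mount point filesystem parameters dump fsck
LABEL=/ / ext3 defaults 1 1
LABEL=/boot /boot ext3 defaults 1 2
none /dev/shm tmpfs defaults 0 0
UUID=18823fc1-2958-49a0-9f1e-e1316bd5c2c5 /u02 ext3 defaults 1 2
/dev/sdb1 /u01 ext3 defaults 1 2
/dev/hdc /media/cdrom1 auto pamconsole,exec,noauto,managed 0 0
"""


@dataclass
class FstabEntry:
    device: str
    mount_point: str
    fstype: str
    options: List[str]
    dump: int      # column 5: dump backup flag
    passno: int    # column 6: fsck order


def parse_fstab(text: str) -> List[FstabEntry]:
    """Split each non-comment line into the six fstab columns."""
    entries: List[FstabEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed fstab line: {raw!r}")
        # fstab(5) allows the last two columns to be omitted; both default to 0.
        dump = int(fields[4]) if len(fields) > 4 else 0
        passno = int(fields[5]) if len(fields) > 5 else 0
        entries.append(FstabEntry(fields[0], fields[1], fields[2],
                                  fields[3].split(","), dump, passno))
    return entries


# Mount points untrusted users can write to; "defaults" implies suid,dev,exec there.
WORLD_WRITABLE = {"/tmp", "/var/tmp", "/dev/shm"}
HARDENING = ("nosuid", "nodev", "noexec")
# Pseudo filesystems for which a /dev/ device name is not a concern.
PSEUDO_FS = {"tmpfs", "proc", "sysfs", "devpts", "swap"}


def audit_fstab(entries: List[FstabEntry]) -> List[str]:
    """Return one finding per weakness; an empty list means nothing was flagged."""
    findings: List[str] = []
    for e in entries:
        opts = set(e.options)
        if e.mount_point in WORLD_WRITABLE or e.mount_point.startswith("/media/"):
            missing = [o for o in HARDENING if o not in opts]
            if missing:
                findings.append(f"{e.mount_point}: missing {','.join(missing)}")
        if e.device.startswith("/dev/") and e.fstype not in PSEUDO_FS:
            findings.append(f"{e.mount_point}: mounted by device name {e.device}; "
                            f"prefer UUID= or LABEL=")
    return findings


if __name__ == "__main__":
    for finding in audit_fstab(parse_fstab(SAMPLE_FSTAB)):
        print(finding)
```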
<h2 id="第五列:能否被dump备份命令作用"><a href="#第五列:能否被dump备份命令作用" class="headerlink" title="第五列:能否被dump备份命令作用"></a>Column 5: whether the dump backup command applies</h2><p>dump is a backup command. This field is normally 0 or 1.</p>
<table>
<thead>
<tr>
<th>Value</th>
<th>Meaning</th>
</tr>
</thead>
<tbody><tr>
<td>0</td>
<td>Do not back up with dump</td>
</tr>
<tr>
<td>1</td>
<td>Back up with dump every day</td>
</tr>
<tr>
<td>2</td>
<td>Back up with dump on an irregular schedule</td>
</tr>
</tbody></table>
<h2 id="第六列-是否检验扇区"><a href="#第六列-是否检验扇区" class="headerlink" title="第六列 是否检验扇区"></a>Column 6: filesystem check</h2><p>During boot the system uses fsck by default to check whether the filesystems are clean.</p>
<table>
<thead>
<tr>
<th>Value</th>
<th>Meaning</th>
</tr>
</thead>
<tbody><tr>
<td>0</td>
<td>Do not check</td>
</tr>
<tr>
<td>1</td>
<td>Check first (normally chosen for the root filesystem)</td>
</tr>
<tr>
<td>2</td>
<td>Check after the level-1 checks have completed</td>
</tr>
</tbody></table>
]]></content>
<categories>
<category>linux</category>
</categories>
<tags>
<tag>linux</tag>
</tags>
</entry>
<entry>
<title>ACL rule list under Neutron</title>
<url>/2021/11/16/Neutron%E4%B8%8B%E7%9A%84ACL%E8%A7%84%E5%88%99%E5%88%97%E8%A1%A8/</url>
<content><![CDATA[<h1 id="端口规则"><a href="#端口规则" class="headerlink" title="端口规则"></a>端口规则</h1><h2 id="单个端口TCP规则"><a href="#单个端口TCP规则" class="headerlink" title="单个端口TCP规则"></a><strong>单个端口TCP规则</strong></h2><p>安全组:pg_810d9b01_5334_4e64_9899_dcf45fc37ac1</p>
<p>方向:入口(to-lport)</p>
<p>端口:8848</p>
<p>远程CIDR:192.168.1.0/24</p>
<p>优先级:1002</p>
<p>以太网类型:IP4</p>
<p>动作:允许包通过</p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line"><span class="attribute">to</span>-lport <span class="number">1002</span> (outport == @pg_<span class="number">810</span>d<span class="number">9</span>b<span class="number">01</span>_<span class="number">5334</span>_<span class="number">4</span>e<span class="number">64</span>_<span class="number">9899</span>_dcf<span class="number">45</span>fc<span class="number">37</span>ac<span class="number">1</span> && ip<span class="number">4</span> && ip<span class="number">4</span>.src == <span class="number">192.168.1.0</span>/<span class="number">24</span> && tcp && tcp.dst == <span class="number">8848</span>) <span class="literal">allow</span></span><br></pre></td></tr></table></figure>
<h2 id="范围端口TCP规则"><a href="#范围端口TCP规则" class="headerlink" title="范围端口TCP规则"></a>Port-range TCP rule</h2><p>Security group: pg_810d9b01_5334_4e64_9899_dcf45fc37ac1</p>
<p>Direction: egress (from-lport)</p>
<p>Ports: 8848-8858</p>
<p>Remote CIDR: 192.168.1.0/24</p>
<p>Priority: 1002</p>
<p>Ethertype: IP4</p>
<p>Action: drop the packet</p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line"><span class="attribute">from</span>-lport <span class="number">1002</span> (inport == @pg_<span class="number">810</span>d<span class="number">9</span>b<span class="number">01</span>_<span class="number">5334</span>_<span class="number">4</span>e<span class="number">64</span>_<span class="number">9899</span>_dcf<span class="number">45</span>fc<span class="number">37</span>ac<span class="number">1</span> && ip<span class="number">4</span> && ip<span class="number">4</span>.dst == <span class="number">192.168.1.0</span>/<span class="number">24</span> && tcp && tcp.dst >= <span class="number">8848</span> && tcp.dst <= <span class="number">8858</span>) drop</span><br></pre></td></tr></table></figure>
<h2 id="不指定端口TCP规则"><a href="#不指定端口TCP规则" class="headerlink" title="不指定端口TCP规则"></a>TCP rule without a port</h2><p>Security group: pg_810d9b01_5334_4e64_9899_dcf45fc37ac1</p>
<p>Direction: egress (from-lport)</p>
<p>Ports: all</p>
<p>Remote CIDR: 192.168.1.0/24</p>
<p>Priority: 1002</p>
<p>Ethertype: IP4</p>
<p>Action: allow the packet and its related reply packets</p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line"><span class="attribute">from</span>-lport <span class="number">1002</span> (inport == @pg_<span class="number">810</span>d<span class="number">9</span>b<span class="number">01</span>_<span class="number">5334</span>_<span class="number">4</span>e<span class="number">64</span>_<span class="number">9899</span>_dcf<span class="number">45</span>fc<span class="number">37</span>ac<span class="number">1</span> && ip<span class="number">4</span> && ip<span class="number">4</span>.dst == <span class="number">192.168.1.0</span>/<span class="number">24</span> && tcp) <span class="literal">allow</span>-related</span><br></pre></td></tr></table></figure>
<h2 id="单个端口UDP规则"><a href="#单个端口UDP规则" class="headerlink" title="单个端口UDP规则"></a>Single-port UDP rule</h2><p>Security group: pg_810d9b01_5334_4e64_9899_dcf45fc37ac1</p>
<p>Direction: ingress (to-lport)</p>
<p>Port: 8848</p>
<p>Remote CIDR: 192.168.1.0/24</p>
<p>Priority: 1002</p>
<p>Ethertype: IP4</p>
<p>Action: allow the packet and its related reply packets</p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line"><span class="attribute">to</span>-lport <span class="number">1002</span> (outport == @pg_<span class="number">810</span>d<span class="number">9</span>b<span class="number">01</span>_<span class="number">5334</span>_<span class="number">4</span>e<span class="number">64</span>_<span class="number">9899</span>_dcf<span class="number">45</span>fc<span class="number">37</span>ac<span class="number">1</span> && ip<span class="number">4</span> && ip<span class="number">4</span>.src == <span class="number">192.168.1.0</span>/<span class="number">24</span> && udp && udp.dst == <span class="number">8848</span>) <span class="literal">allow</span>-related</span><br></pre></td></tr></table></figure>
<h2 id="范围端口UDP规则"><a href="#范围端口UDP规则" class="headerlink" title="范围端口UDP规则"></a><strong>UDP rule with a port range</strong></h2><p>Security group: pg_810d9b01_5334_4e64_9899_dcf45fc37ac1</p>
<p>Direction: egress (from-lport)</p>
<p>Port: 8848-8858</p>
<p>Remote CIDR: 192.168.1.0/24</p>
<p>Priority: 1002</p>
<p>Ethertype: IP4</p>
<p>Action: allow the packet through and allow related return packets through</p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line">from-lport 1002 (inport == @pg_810d9b01_5334_4e64_9899_dcf45fc37ac1 && ip4 && ip4.dst == 192.168.1.0/24 && udp && udp.dst >= 8848 && udp.dst <= 8858) allow-related</span><br></pre></td></tr></table></figure>
<h2 id="不指定端口UDP规则"><a href="#不指定端口UDP规则" class="headerlink" title="不指定端口UDP规则"></a><strong>UDP rule with no port specified</strong></h2><p>Security group: pg_810d9b01_5334_4e64_9899_dcf45fc37ac1</p>
<p>Direction: egress (from-lport)</p>
<p>Port: all ports</p>
<p>Remote CIDR: 192.168.1.0/24</p>
<p>Priority: 1002</p>
<p>Ethertype: IP4</p>
<p>Action: allow the packet through and allow related return packets through</p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line">from-lport 1002 (inport == @pg_810d9b01_5334_4e64_9899_dcf45fc37ac1 && ip4 && ip4.dst == 192.168.1.0/24 && udp) allow-related</span><br></pre></td></tr></table></figure>
<h1 id="IP协议规则"><a href="#IP协议规则" class="headerlink" title="IP协议规则"></a>IP protocol rules</h1><h2 id="所有ICMP规则"><a href="#所有ICMP规则" class="headerlink" title="所有ICMP规则"></a><strong>All-ICMP rule</strong></h2><p>Security group: pg_810d9b01_5334_4e64_9899_dcf45fc37ac1</p>
<p>Direction: ingress (to-lport)</p>
<p>Type: all</p>
<p>Code: all</p>
<p>Remote CIDR: 192.168.1.0/24</p>
<p>Priority: 1002</p>
<p>Ethertype: IP4</p>
<p>Action: allow the packet through and allow related return packets through</p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line">to-lport 1002 (outport == @pg_810d9b01_5334_4e64_9899_dcf45fc37ac1 && ip4 && ip4.src == 192.168.1.0/24 && icmp4) allow-related</span><br></pre></td></tr></table></figure>
<h2 id="指定ICMP规则"><a href="#指定ICMP规则" class="headerlink" title="指定ICMP规则"></a><strong>Specific ICMP rule</strong></h2><p>Security group: pg_810d9b01_5334_4e64_9899_dcf45fc37ac1</p>
<p>Direction: ingress (to-lport)</p>
<p>Type: 23</p>
<p>Code: 55</p>
<p>Remote CIDR: 192.168.1.0/24</p>
<p>Priority: 1002</p>
<p>Ethertype: IP4</p>
<p>Action: allow the packet through and allow related return packets through</p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line">to-lport 1002 (outport == @pg_810d9b01_5334_4e64_9899_dcf45fc37ac1 && ip4 && ip4.src == 192.168.1.0/24 && icmp4 && icmp4.type == 23 && icmp4.code == 55) allow-related</span><br></pre></td></tr></table></figure>
<h2 id="所有IP协议规则"><a href="#所有IP协议规则" class="headerlink" title="所有IP协议规则"></a><strong>All-IP-protocol rule</strong></h2><p>Security group: pg_810d9b01_5334_4e64_9899_dcf45fc37ac1</p>
<p>Direction: egress (from-lport)</p>
<p>IP protocol: all</p>
<p>Remote CIDR: 192.168.1.0/24</p>
<p>Priority: 1002</p>
<p>Ethertype: IP4</p>
<p>Action: allow the packet through and allow related return packets through</p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line">from-lport 1002 (inport == @pg_810d9b01_5334_4e64_9899_dcf45fc37ac1 && ip4 && ip4.dst == 192.168.1.0/24) allow-related</span><br></pre></td></tr></table></figure>
<h2 id="指定IP协议规则"><a href="#指定IP协议规则" class="headerlink" title="指定IP协议规则"></a><strong>Specific IP protocol rule</strong></h2><p>Security group: pg_810d9b01_5334_4e64_9899_dcf45fc37ac1</p>
<p>Direction: ingress (to-lport)</p>
<p>IP protocol number: 8 (EGP)</p>
<p>Remote CIDR: 192.168.1.0/24</p>
<p>Priority: 1002</p>
<p>Ethertype: IP4</p>
<p>Action: allow the packet through and allow related return packets through</p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line">to-lport 1002 (outport == @pg_810d9b01_5334_4e64_9899_dcf45fc37ac1 && ip4 && ip4.src == 192.168.1.0/24 && ip.proto == 8) allow-related</span><br></pre></td></tr></table></figure>
<h1 id="TCP-UDP规则"><a href="#TCP-UDP规则" class="headerlink" title="TCP/UDP规则"></a>TCP/UDP rules</h1><h2 id="TCP所有端口规则"><a href="#TCP所有端口规则" class="headerlink" title="TCP所有端口规则"></a><strong>TCP all-ports rule</strong></h2><p>Security group: pg_810d9b01_5334_4e64_9899_dcf45fc37ac1</p>
<p>Direction: ingress (to-lport)</p>
<p>Port range: 1-65535</p>
<p>Remote CIDR: 192.168.1.0/24</p>
<p>Priority: 1002</p>
<p>Ethertype: IP4</p>
<p>Action: allow the packet through and allow related return packets through</p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line">to-lport 1002 (outport == @pg_810d9b01_5334_4e64_9899_dcf45fc37ac1 && ip4 && ip4.src == 192.168.1.0/24 && tcp && tcp.dst >= 1 && tcp.dst <= 65535) allow-related</span><br></pre></td></tr></table></figure>
<h2 id="UDP所有端口规则"><a href="#UDP所有端口规则" class="headerlink" title="UDP所有端口规则"></a><strong>UDP all-ports rule</strong></h2><p>Security group: pg_810d9b01_5334_4e64_9899_dcf45fc37ac1</p>
<p>Direction: ingress (to-lport)</p>
<p>Port range: 1-65535</p>
<p>Remote CIDR: 192.168.1.0/24</p>
<p>Priority: 1002</p>
<p>Ethertype: IP4</p>
<p>Action: allow the packet through and allow related return packets through</p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line">to-lport 1002 (outport == @pg_810d9b01_5334_4e64_9899_dcf45fc37ac1 && ip4 && ip4.src == 192.168.1.0/24 && udp && udp.dst >= 1 && udp.dst <= 65535) allow-related</span><br></pre></td></tr></table></figure>
<h1 id="应用层协议规则"><a href="#应用层协议规则" class="headerlink" title="应用层协议规则"></a>Application-layer protocol rules</h1><h2 id="DNS规则"><a href="#DNS规则" class="headerlink" title="DNS规则"></a><strong>DNS rule</strong></h2><p>Security group: pg_810d9b01_5334_4e64_9899_dcf45fc37ac1</p>
<p>Direction: ingress (to-lport)</p>
<p>TCP port: 53</p>
<p>Remote CIDR: 192.168.1.0/24</p>
<p>Priority: 1002</p>
<p>Ethertype: IP4</p>
<p>Action: allow the packet through and allow related return packets through</p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line">to-lport 1002 (outport == @pg_810d9b01_5334_4e64_9899_dcf45fc37ac1 && ip4 && ip4.src == 192.168.1.0/24 && tcp && tcp.dst == 53) allow-related</span><br></pre></td></tr></table></figure>
<h2 id="HTTP规则"><a href="#HTTP规则" class="headerlink" title="HTTP规则"></a><strong>HTTP rule</strong></h2><p>Security group: pg_810d9b01_5334_4e64_9899_dcf45fc37ac1</p>
<p>Direction: ingress (to-lport)</p>
<p>TCP port: 80</p>
<p>Remote CIDR: 192.168.1.0/24</p>
<p>Priority: 1002</p>
<p>Ethertype: IP4</p>
<p>Action: allow the packet through and allow related return packets through</p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line">to-lport 1002 (outport == @pg_810d9b01_5334_4e64_9899_dcf45fc37ac1 && ip4 && ip4.src == 192.168.1.0/24 && tcp && tcp.dst == 80) allow-related</span><br></pre></td></tr></table></figure>
<h2 id="HTTPS规则"><a href="#HTTPS规则" class="headerlink" title="HTTPS规则"></a><strong>HTTPS rule</strong></h2><p>Security group: pg_810d9b01_5334_4e64_9899_dcf45fc37ac1</p>
<p>Direction: ingress (to-lport)</p>
<p>TCP port: 443</p>
<p>Remote CIDR: 192.168.1.0/24</p>
<p>Priority: 1002</p>
<p>Ethertype: IP4</p>
<p>Action: allow the packet through and allow related return packets through</p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line">to-lport 1002 (outport == @pg_810d9b01_5334_4e64_9899_dcf45fc37ac1 && ip4 && ip4.src == 192.168.1.0/24 && tcp && tcp.dst == 443) allow-related</span><br></pre></td></tr></table></figure>
<h2 id="IMAP规则"><a href="#IMAP规则" class="headerlink" title="IMAP规则"></a><strong>IMAP rule</strong></h2><p>Security group: pg_810d9b01_5334_4e64_9899_dcf45fc37ac1</p>
<p>Direction: ingress (to-lport)</p>
<p>TCP port: 143</p>
<p>Remote CIDR: 192.168.1.0/24</p>
<p>Priority: 1002</p>
<p>Ethertype: IP4</p>
<p>Action: allow the packet through and allow related return packets through</p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line">to-lport 1002 (outport == @pg_810d9b01_5334_4e64_9899_dcf45fc37ac1 && ip4 && ip4.src == 192.168.1.0/24 && tcp && tcp.dst == 143) allow-related</span><br></pre></td></tr></table></figure>
<h2 id="IMAPS规则"><a href="#IMAPS规则" class="headerlink" title="IMAPS规则"></a><strong>IMAPS rule</strong></h2><p>Security group: pg_810d9b01_5334_4e64_9899_dcf45fc37ac1</p>
<p>Direction: ingress (to-lport)</p>
<p>TCP port: 993</p>
<p>Remote CIDR: 192.168.1.0/24</p>
<p>Priority: 1002</p>
<p>Ethertype: IP4</p>
<p>Action: allow the packet through and allow related return packets through</p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line">to-lport 1002 (outport == @pg_810d9b01_5334_4e64_9899_dcf45fc37ac1 && ip4 && ip4.src == 192.168.1.0/24 && tcp && tcp.dst == 993) allow-related</span><br></pre></td></tr></table></figure>
<h2 id="LDAP规则"><a href="#LDAP规则" class="headerlink" title="LDAP规则"></a><strong>LDAP rule</strong></h2><p>Security group: pg_810d9b01_5334_4e64_9899_dcf45fc37ac1</p>
<p>Direction: ingress (to-lport)</p>
<p>TCP port: 389</p>
<p>Remote CIDR: 192.168.1.0/24</p>
<p>Priority: 1002</p>
<p>Ethertype: IP4</p>
<p>Action: allow the packet through and allow related return packets through</p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line">to-lport 1002 (outport == @pg_810d9b01_5334_4e64_9899_dcf45fc37ac1 && ip4 && ip4.src == 192.168.1.0/24 && tcp && tcp.dst == 389) allow-related</span><br></pre></td></tr></table></figure>
<h2 id="MS-SQL规则"><a href="#MS-SQL规则" class="headerlink" title="MS-SQL规则"></a><strong>MS-SQL rule</strong></h2><p>Security group: pg_810d9b01_5334_4e64_9899_dcf45fc37ac1</p>
<p>Direction: ingress (to-lport)</p>
<p>TCP port: 1433</p>
<p>Remote CIDR: 192.168.1.0/24</p>
<p>Priority: 1002</p>
<p>Ethertype: IP4</p>
<p>Action: allow the packet through and allow related return packets through</p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line">to-lport 1002 (outport == @pg_810d9b01_5334_4e64_9899_dcf45fc37ac1 && ip4 && ip4.src == 192.168.1.0/24 && tcp && tcp.dst == 1433) allow-related</span><br></pre></td></tr></table></figure>
<h2 id="MYSQL规则"><a href="#MYSQL规则" class="headerlink" title="MYSQL规则"></a><strong>MySQL rule</strong></h2><p>Security group: pg_810d9b01_5334_4e64_9899_dcf45fc37ac1</p>
<p>Direction: ingress (to-lport)</p>
<p>TCP port: 3306</p>
<p>Remote CIDR: 192.168.1.0/24</p>
<p>Priority: 1002</p>
<p>Ethertype: IP4</p>
<p>Action: allow the packet through and allow related return packets through</p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line">to-lport 1002 (outport == @pg_810d9b01_5334_4e64_9899_dcf45fc37ac1 && ip4 && ip4.src == 192.168.1.0/24 && tcp && tcp.dst == 3306) allow-related</span><br></pre></td></tr></table></figure>
<h2 id="PostgressSQL规则"><a href="#PostgressSQL规则" class="headerlink" title="PostgressSQL规则"></a><strong>PostgreSQL rule</strong></h2><p>Security group: pg_810d9b01_5334_4e64_9899_dcf45fc37ac1</p>
<p>Direction: ingress (to-lport)</p>
<p>TCP port: 5432</p>
<p>Remote CIDR: 192.168.1.0/24</p>
<p>Priority: 1002</p>
<p>Ethertype: IP4</p>
<p>Action: allow the packet through and allow related return packets through</p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line">to-lport 1002 (outport == @pg_810d9b01_5334_4e64_9899_dcf45fc37ac1 && ip4 && ip4.src == 192.168.1.0/24 && tcp && tcp.dst == 5432) allow-related</span><br></pre></td></tr></table></figure>
<h2 id="POP3规则"><a href="#POP3规则" class="headerlink" title="POP3规则"></a><strong>POP3 rule</strong></h2><p>Security group: pg_810d9b01_5334_4e64_9899_dcf45fc37ac1</p>
<p>Direction: ingress (to-lport)</p>
<p>TCP port: 110</p>
<p>Remote CIDR: 192.168.1.0/24</p>
<p>Priority: 1002</p>
<p>Ethertype: IP4</p>
<p>Action: allow the packet through and allow related return packets through</p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line">to-lport 1002 (outport == @pg_810d9b01_5334_4e64_9899_dcf45fc37ac1 && ip4 && ip4.src == 192.168.1.0/24 && tcp && tcp.dst == 110) allow-related</span><br></pre></td></tr></table></figure>
<h2 id="POP3S规则"><a href="#POP3S规则" class="headerlink" title="POP3S规则"></a><strong>POP3S rule</strong></h2><p>Security group: pg_810d9b01_5334_4e64_9899_dcf45fc37ac1</p>
<p>Direction: ingress (to-lport)</p>
<p>TCP port: 995</p>
<p>Remote CIDR: 192.168.1.0/24</p>
<p>Priority: 1002</p>
<p>Ethertype: IP4</p>
<p>Action: allow the packet through and allow related return packets through</p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line">to-lport 1002 (outport == @pg_810d9b01_5334_4e64_9899_dcf45fc37ac1 && ip4 && ip4.src == 192.168.1.0/24 && tcp && tcp.dst == 995) allow-related</span><br></pre></td></tr></table></figure>
<h2 id="RDP规则"><a href="#RDP规则" class="headerlink" title="RDP规则"></a><strong>RDP rule</strong></h2><p>Security group: pg_810d9b01_5334_4e64_9899_dcf45fc37ac1</p>
<p>Direction: ingress (to-lport)</p>
<p>TCP port: 3389</p>
<p>Remote CIDR: 192.168.1.0/24</p>
<p>Priority: 1002</p>
<p>Ethertype: IP4</p>
<p>Action: allow the packet through and allow related return packets through</p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line">to-lport 1002 (outport == @pg_810d9b01_5334_4e64_9899_dcf45fc37ac1 && ip4 && ip4.src == 192.168.1.0/24 && tcp && tcp.dst == 3389) allow-related</span><br></pre></td></tr></table></figure>
<h2 id="SMTP规则"><a href="#SMTP规则" class="headerlink" title="SMTP规则"></a><strong>SMTP rule</strong></h2><p>Security group: pg_810d9b01_5334_4e64_9899_dcf45fc37ac1</p>
<p>Direction: ingress (to-lport)</p>
<p>TCP port: 25</p>
<p>Remote CIDR: 192.168.1.0/24</p>
<p>Priority: 1002</p>
<p>Ethertype: IP4</p>
<p>Action: allow the packet through and allow related return packets through</p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line">to-lport 1002 (outport == @pg_810d9b01_5334_4e64_9899_dcf45fc37ac1 && ip4 && ip4.src == 192.168.1.0/24 && tcp && tcp.dst == 25) allow-related</span><br></pre></td></tr></table></figure>
<h2 id="SMTPS规则"><a href="#SMTPS规则" class="headerlink" title="SMTPS规则"></a><strong>SMTPS rule</strong></h2><p>Security group: pg_810d9b01_5334_4e64_9899_dcf45fc37ac1</p>
<p>Direction: ingress (to-lport)</p>
<p>TCP port: 465</p>
<p>Remote CIDR: 192.168.1.0/24</p>
<p>Priority: 1002</p>
<p>Ethertype: IP4</p>
<p>Action: allow the packet through and allow related return packets through</p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line">to-lport 1002 (outport == @pg_810d9b01_5334_4e64_9899_dcf45fc37ac1 && ip4 && ip4.src == 192.168.1.0/24 && tcp && tcp.dst == 465) allow-related</span><br></pre></td></tr></table></figure>
<h2 id="SSH规则"><a href="#SSH规则" class="headerlink" title="SSH规则"></a><strong>SSH rule</strong></h2><p>Security group: pg_810d9b01_5334_4e64_9899_dcf45fc37ac1</p>
<p>Direction: ingress (to-lport)</p>
<p>TCP port: 22</p>
<p>Remote CIDR: 192.168.1.0/24</p>
<p>Priority: 1002</p>
<p>Ethertype: IP4</p>
<p>Action: allow the packet through and allow related return packets through</p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line">to-lport 1002 (outport == @pg_810d9b01_5334_4e64_9899_dcf45fc37ac1 && ip4 && ip4.src == 192.168.1.0/24 && tcp && tcp.dst == 22) allow-related</span><br></pre></td></tr></table></figure>
<h2 id="FTP规则"><a href="#FTP规则" class="headerlink" title="FTP规则"></a><strong>FTP rule</strong></h2><p>Security group: pg_810d9b01_5334_4e64_9899_dcf45fc37ac1</p>
<p>Direction: ingress (to-lport)</p>
<p>TCP port: 21</p>
<p>Remote CIDR: 192.168.1.0/24</p>
<p>Priority: 1002</p>
<p>Ethertype: IP4</p>
<p>Action: allow the packet through and allow related return packets through</p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line">to-lport 1002 (outport == @pg_810d9b01_5334_4e64_9899_dcf45fc37ac1 && ip4 && ip4.src == 192.168.1.0/24 && tcp && tcp.dst == 21) allow-related</span><br></pre></td></tr></table></figure>
]]></content>
<categories>
<category>openvswitch</category>
</categories>
<tags>
<tag>ovn</tag>
</tags>
</entry>
<entry>
<title>OVN networking scheme under oVirt</title>
<url>/2021/11/19/Ovirt%E4%B8%8B%E7%9A%84OVN%E7%BB%84%E7%BD%91%E6%96%B9%E6%A1%88/</url>
<content><![CDATA[<h1 id="整体架构"><a href="#整体架构" class="headerlink" title="整体架构"></a>Overall architecture</h1><p>The overall architecture of the OVN networking scheme on the oVirt cloud platform is shown in the figure below:</p>
<p><img src="https://s3.us-west-2.amazonaws.com/secure.notion-static.com/a1dff44f-748a-4048-b20f-c36e33f8fca3/ovirt%E4%BA%91%E5%B9%B3%E5%8F%B0%E7%BD%91%E7%BB%9C%E6%8B%93%E6%89%91.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=AKIAT73L2G45EIPT3X45/20211119/us-west-2/s3/aws4_request&X-Amz-Date=20211119T093120Z&X-Amz-Expires=86400&X-Amz-Signature=f46c1cd45e33a29464032de9c356b9ff3b90ef6b2f6b60e5a1d1a1315aeba636&X-Amz-SignedHeaders=host&response-content-disposition=filename%20=%22ovirt%25E4%25BA%2591%25E5%25B9%25B3%25E5%258F%25B0%25E7%25BD%2591%25E7%25BB%259C%25E6%258B%2593%25E6%2589%2591.png%22&x-id=GetObject" alt="ovirt云平台网络架构"></p>
<h2 id="ovirt-provider-ovn"><a href="#ovirt-provider-ovn" class="headerlink" title="ovirt-provider-ovn"></a>ovirt-provider-ovn</h2><p>ovirt-provider-ovn is an oVirt 4.3 plugin that acts as the interface between OVN and oVirt: it translates oVirt data into the logical network configuration that the OVN Northbound DB understands, and the translated data is transmitted over the OVSDB protocol.</p>
<h2 id="ovsdb"><a href="#ovsdb" class="headerlink" title="ovsdb"></a>ovsdb</h2><p>The OVSDB management protocol (Open vSwitch Database Management Protocol) is a management protocol for programmatic access to, and configuration management of, virtual switches. It defines a set of RPC interfaces through which users manage the switch remotely; it consists mainly of the transport protocol (JSON-RPC) and the supported OVSDB operations. OVS is the main user of OVSDB: its data model is defined by an OVSDB schema and the wire format is JSON.</p>
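<p>To make the JSON-RPC exchange concrete, the following is an added example (not part of the original post and not ovirt-provider-ovn's code). It builds the <code>transact</code> request a client sends to ovsdb-server to read the ACL table of the OVN_Northbound database, and decodes a reply of the shape ovsdb-server returns (RFC 7047). The reply is constructed for the example; its two rows reuse the SSH and HTTP security-group ACLs shown elsewhere on this page, and the function names are assumptions.</p>

```python
"""OVSDB JSON-RPC exchange for reading ACLs from the OVN Northbound DB.

Added example, not part of the original post or of ovirt-provider-ovn.
The request/reply shapes follow RFC 7047; SAMPLE_REPLY is constructed here.
"""
import json
from typing import Any, Dict, List

PG = "pg_810d9b01_5334_4e64_9899_dcf45fc37ac1"  # port group used on this page


def build_acl_query(direction: str, request_id: int = 0) -> Dict[str, Any]:
    """Build a 'transact' request selecting the ACL rows for one direction.

    params is [database name, operation, ...]; a 'select' operation names the
    table, a list of [column, function, value] conditions and the columns
    to return.
    """
    select_op = {
        "op": "select",
        "table": "ACL",
        "where": [["direction", "==", direction]],
        "columns": ["priority", "direction", "match", "action"],
    }
    return {"method": "transact",
            "params": ["OVN_Northbound", select_op],
            "id": request_id}


def encode(message: Dict[str, Any]) -> bytes:
    """OVSDB frames are bare JSON objects on the TCP/SSL stream, no delimiter."""
    return json.dumps(message, separators=(",", ":")).encode()


def parse_acl_reply(raw: bytes, expected_id: int = 0) -> List[Dict[str, Any]]:
    """Decode a 'transact' reply and return its ACL rows, highest priority first.

    Per RFC 7047 the reply carries one result object per operation in the
    request; a failed operation's result contains an "error" member.
    """
    reply = json.loads(raw)
    if reply.get("id") != expected_id:
        raise ValueError("reply id does not match the request id")
    if reply.get("error") is not None:
        raise RuntimeError(f"ovsdb error: {reply['error']}")
    results = reply["result"]
    if len(results) != 1 or "error" in results[0]:
        raise RuntimeError(f"select operation failed: {results}")
    return sorted(results[0]["rows"],
                  key=lambda row: row["priority"], reverse=True)


# Constructed reply in the shape ovsdb-server returns for the query above.
SAMPLE_REPLY = encode({
    "id": 0,
    "error": None,
    "result": [{"rows": [
        {"priority": 1002, "direction": "to-lport", "action": "allow-related",
         "match": f"outport == @{PG} && ip4 && ip4.src == 192.168.1.0/24"
                  " && tcp && tcp.dst == 22"},
        {"priority": 1002, "direction": "to-lport", "action": "allow-related",
         "match": f"outport == @{PG} && ip4 && ip4.src == 192.168.1.0/24"
                  " && tcp && tcp.dst == 80"},
    ]}],
})


if __name__ == "__main__":
    print(encode(build_acl_query("to-lport")).decode())
    for row in parse_acl_reply(SAMPLE_REPLY):
        print(row["priority"], row["direction"], row["action"], row["match"])
```

<p>The same <code>transact</code> framing is what ovirt-provider-ovn uses to write the rules in the first place; reading the ACL table back this way is how you verify, independently of the oVirt UI, which matches actually reached the Northbound DB.</p>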
<h2 id="Northbound-DB"><a href="#Northbound-DB" class="headerlink" title="Northbound DB"></a>Northbound DB</h2><p>The Northbound DB stores the logical-network data produced by ovirt-provider-ovn, chiefly logical switches, logical routers, logical ports and ACLs.</p>
<h2 id="OVN-Northd-Daemon"><a href="#OVN-Northd-Daemon" class="headerlink" title="OVN Northd Daemon"></a>OVN Northd Daemon</h2><p>The OVN northd daemon is a centralized controller that watches for data changes in the Northbound DB. It translates the logical-network data stored there into the logical datapath flows that the Southbound DB understands and writes them to the Southbound DB, from where the chassis read and apply them. Hypervisors and gateways together are called transport nodes, or chassis.</p>
<h2 id="Southbound-DB"><a href="#Southbound-DB" class="headerlink" title="Southbound DB"></a>Southbound DB</h2><p>The OVN Southbound DB is the core of OVN and its most important part; it interacts with every other OVN component. The data it holds has completely different semantics from the Northbound DB and falls into three categories:</p>
<ul>
<li>Physical network data, such as each hypervisor's IP address and tunnel encapsulation type; this is written by ovn-controller;</li>
<li>Logical network data, propagated from the Northbound DB;</li>
<li>Bindings between the physical and logical networks, such as which hypervisor a logical port is attached to; this is stored in the binding table, whose fields are uuid, chassis, logical_datapath, logical_port, mac, parent_port, tag and tunnel_key.</li>
</ul>
<h2 id="OVN-Controller"><a href="#OVN-Controller" class="headerlink" title="OVN Controller"></a>OVN Controller</h2><p>ovn-controller runs on every hypervisor and software gateway and has two main functions:</p>
<ul>
<li>writing physical network information into the Southbound DB;</li>
<li>converting data stored in the Southbound DB into OpenFlow flows and installing them into the local OVS tables to implement packet forwarding; concretely, ovn-controller connects to the local ovsdb-server to monitor, read and manage the Open vSwitch configuration.</li>
</ul>
<p>ovn-controller acts as the OpenFlow controller of ovs-vswitchd to control traffic forwarding; as the figure above shows, ovn-controller is a distributed SDN controller.</p>
<h2 id="ovsdb-server和ovs-vswitched"><a href="#ovsdb-server和ovs-vswitched" class="headerlink" title="ovsdb-server和ovs-vswitched"></a>ovsdb-server and ovs-vswitchd</h2><p>ovs-vswitchd is the core module of Open vSwitch; it implements switching and, together with the Linux kernel, provides flow-based switching.</p>
<p>ovsdb-server is a database holding the entire Open vSwitch configuration, including interfaces, flow tables and VLANs; ovs-vswitchd queries it for data.</p>
<h1 id="OVN安装"><a href="#OVN安装" class="headerlink" title="OVN安装"></a>OVN installation</h1><blockquote>
<p>The following steps are not needed in production: the virtual hosts ship with these packages, and the connection method is SSL rather than TCP.</p>
</blockquote>
<h2 id="环境初始化"><a href="#环境初始化" class="headerlink" title="环境初始化"></a>Environment initialization</h2><p>Configure the local yum repository file local_repo.repo as follows:</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">[jb-eap-7.2-for-rhel-7-server-rpms]</span><br><span class="line">name=jb-eap-7.2-for-rhel-7-server-rpms</span><br><span class="line">baseurl=http://172.16.126.238/rhvrepo/jb-eap-7.2-for-rhel-7-server-rpms/</span><br><span class="line">enabled=1</span><br><span class="line">gpgcheck=0</span><br><span class="line"></span><br><span class="line">[rhel-7-server-ansible-2.9-rpms]</span><br><span class="line">name=rhel-7-server-ansible-2.9-rpms</span><br><span class="line">baseurl=http://172.16.126.238/rhvrepo/rhel-7-server-ansible-2.9-rpms/</span><br><span class="line">enabled=1</span><br><span class="line">gpgcheck=0</span><br><span class="line"></span><br><span class="line">[rhel-7-server-rhv-4.3-manager-rpms]</span><br><span class="line">name=rhel-7-server-rhv-4.3-manager-rpms</span><br><span class="line">baseurl=http://172.16.126.238/rhvrepo/rhel-7-server-rhv-4.3-manager-rpms/</span><br><span class="line">enabled=1</span><br><span class="line">gpgcheck=0</span><br><span class="line"></span><br><span class="line">[rhel-7-server-rhv-4-manager-tools-rpms]</span><br><span class="line">name=rhel-7-server-rhv-4-manager-tools-rpms</span><br><span class="line">baseurl=http://172.16.126.238/rhvrepo/rhel-7-server-rhv-4-manager-tools-rpms/</span><br><span class="line">enabled=1</span><br><span class="line">gpgcheck=0</span><br><span class="line"></span><br><span class="line">[rhel-7-server-rhv-4-mgmt-agent-rpms]</span><br><span class="line">name=rhel-7-server-rhv-4-mgmt-agent-rpms</span><br><span class="line">baseurl=http://172.16.126.238/rhvrepo/rhel-7-server-rhv-4-mgmt-agent-rpms/</span><br><span class="line">enabled=1</span><br><span class="line">gpgcheck=0</span><br><span class="line"></span><br><span class="line">[rhel-7-server-rpms]</span><br><span class="line">name=rhel-7-server-rpms</span><br><span class="line">baseurl=http://172.16.126.238/rhvrepo/rhel-7-server-rpms/</span><br><span class="line">enabled=1</span><br><span class="line">gpgcheck=0</span><br><span class="line"></span><br><span class="line">[rh-gluster-3-for-rhel-7-server-rpms]</span><br><span class="line">name=rh-gluster-3-for-rhel-7-server-rpms</span><br><span class="line">baseurl=http://172.16.126.238/rhvrepo/rh-gluster-3-for-rhel-7-server-rpms/</span><br><span class="line">enabled=1</span><br><span class="line">gpgcheck=0</span><br></pre></td></tr></table></figure>
<p>When that is done, rebuild the yum cache and install vim, net-tools, lrzsz and similar tools.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#yum makecache</span></span><br><span class="line"><span class="comment">#yum install vim net-tools lrzsz tcpdump</span></span><br></pre></td></tr></table></figure>
<p>Update the hosts file mapping, or add name resolution for the central node and the compute nodes directly on the DNS server.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#vim /etc/hosts</span></span><br><span class="line">127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4</span><br><span class="line">::1 localhost localhost.localdomain localhost6 localhost6.localdomain6</span><br><span class="line">172.16.126.70 ovn-central</span><br><span class="line">172.16.126.71 ovn-node1</span><br><span class="line">172.16.126.72 ovn-node2</span><br></pre></td></tr></table></figure>
<h2 id="OVN-CENTRAL中心节点安装"><a href="#OVN-CENTRAL中心节点安装" class="headerlink" title="OVN CENTRAL central node installation"></a>OVN CENTRAL central node installation</h2><h3 id="安装ovn-central软件包"><a href="#安装ovn-central软件包" class="headerlink" title="Install the ovn-central packages"></a>Install the ovn-central packages</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#yum install openvswitch2.11 openvswitch2.11-devel ovn2.11-central</span></span><br></pre></td></tr></table></figure>
<h3 id="选择关闭防火墙及selinux-和配置防火墙二选一即可"><a href="#选择关闭防火墙及selinux-和配置防火墙二选一即可" class="headerlink" title="Option: disable the firewall and SELinux (choose either this or the firewall rules below)"></a>Option: disable the firewall and SELinux (choose either this or the firewall rules below)</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#systemctl stop firewalld</span></span><br><span class="line"><span class="comment">#systemctl disable firewalld</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/sysconfig/selinux</span></span><br><span class="line"><span class="comment">#setenforce 0</span></span><br></pre></td></tr></table></figure>
<h3 id="选择配置防火墙规则"><a href="#选择配置防火墙规则" class="headerlink" title="Option: configure firewall rules"></a>Option: configure firewall rules</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#firewall-cmd --zone=public --add-service=ovn-central-firewall-service --permanent</span></span><br><span class="line"><span class="comment">#firewall-cmd --reload</span></span><br></pre></td></tr></table></figure>
<h3 id="开始端口监听并启动ovn-northd"><a href="#开始端口监听并启动ovn-northd" class="headerlink" title="Start listening on the ports and start ovn-northd"></a>Start listening on the ports and start ovn-northd</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#systemctl enable openvswitch ovn-northd</span></span><br><span class="line"><span class="comment">#systemctl start openvswitch ovn-northd</span></span><br></pre></td></tr></table></figure>
<h3 id="设置南向和北向数据库连接"><a href="#设置南向和北向数据库连接" class="headerlink" title="Configure the southbound and northbound database connections"></a>Configure the southbound and northbound database connections</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#ovn-nbctl set-connection ptcp:6641:172.16.126.70 -- set connection . inactivity_probe=60000</span></span><br><span class="line"><span class="comment">#ovn-sbctl set-connection ptcp:6642:172.16.126.70 -- set connection . inactivity_probe=60000</span></span><br></pre></td></tr></table></figure>
<h2 id="OVN-HOST计算节点安装"><a href="#OVN-HOST计算节点安装" class="headerlink" title="OVN HOST compute node installation"></a>OVN HOST compute node installation</h2><h3 id="安装OVN-HOST计算节点软件包"><a href="#安装OVN-HOST计算节点软件包" class="headerlink" title="Install the OVN HOST compute node packages"></a>Install the OVN HOST compute node packages</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#yum install openvswitch2.11 openvswitch2.11-devel ovn2.11-host</span></span><br></pre></td></tr></table></figure>
<h3 id="选择关闭防火墙及selinux"><a href="#选择关闭防火墙及selinux" class="headerlink" title="Option: disable the firewall and SELinux"></a>Option: disable the firewall and SELinux</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#systemctl stop firewalld</span></span><br><span class="line"><span class="comment">#systemctl disable firewalld</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/sysconfig/selinux</span></span><br><span class="line"><span class="comment">#setenforce 0</span></span><br></pre></td></tr></table></figure>
<h3 id="选择配置防火墙规则-1"><a href="#选择配置防火墙规则-1" class="headerlink" title="Option: configure firewall rules"></a>Option: configure firewall rules</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#firewall-cmd --zone=public --add-service=ovn-host-firewall-service --permanent</span></span><br><span class="line"><span class="comment">#firewall-cmd --reload</span></span><br></pre></td></tr></table></figure>
<h3 id="开始端口监听并启动ovn-controller"><a href="#开始端口监听并启动ovn-controller" class="headerlink" title="Start listening on the ports and start ovn-controller"></a>Start listening on the ports and start ovn-controller</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#systemctl enable openvswitch ovn-controller</span></span><br><span class="line"><span class="comment">#systemctl start openvswitch ovn-controller</span></span><br></pre></td></tr></table></figure>
<h3 id="将控制器连接到中心节点并设置为geneve网络(如果需要接入vtep,则需要将网络设置为geneve和vxlan共存)"><a href="#将控制器连接到中心节点并设置为geneve网络(如果需要接入vtep,则需要将网络设置为geneve和vxlan共存)" class="headerlink" title="Connect the controller to the central node and use geneve encapsulation (if a VTEP must be attached, configure geneve and vxlan together)"></a>Connect the controller to the central node and use geneve encapsulation (if a VTEP must be attached, configure geneve and vxlan together)</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#On node 172.16.126.71</span></span><br><span class="line"><span class="comment">#ovs-vsctl set open . external-ids:ovn-remote=tcp:172.16.126.70:6642</span></span><br><span class="line"><span class="comment">#ovs-vsctl set open . external-ids:ovn-encap-type=geneve,vxlan</span></span><br><span class="line"><span class="comment">#ovs-vsctl set open . external-ids:ovn-encap-ip=172.16.126.71</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#On node 172.16.126.72</span></span><br><span class="line"><span class="comment">#ovs-vsctl set open . external-ids:ovn-remote=tcp:172.16.126.70:6642</span></span><br><span class="line"><span class="comment">#ovs-vsctl set open . external-ids:ovn-encap-type=geneve,vxlan</span></span><br><span class="line"><span class="comment">#ovs-vsctl set open . external-ids:ovn-encap-ip=172.16.126.72</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#Now look at the southbound database on the central node: both chassis have registered</span></span><br><span class="line"><span class="comment"># ovn-sbctl show</span></span><br><span class="line">Chassis <span class="string">"74ad0b26-6dde-4f0a-8244-c786e30ce953"</span></span><br><span class="line"> hostname: <span class="string">"ovn-node2"</span></span><br><span class="line"> Encap vxlan</span><br><span class="line"> ip: <span class="string">"172.16.126.72"</span></span><br><span class="line"> options: {csum=<span class="string">"true"</span>}</span><br><span class="line"> Encap geneve</span><br><span class="line"> ip: <span class="string">"172.16.126.72"</span></span><br><span class="line"> options: {csum=<span class="string">"true"</span>}</span><br><span class="line">Chassis <span class="string">"3d564c9f-d126-44a5-b604-0e165472e759"</span></span><br><span class="line"> hostname: <span class="string">"ovn-node1"</span></span><br><span class="line"> Encap geneve</span><br><span class="line"> ip: <span class="string">"172.16.126.71"</span></span><br><span class="line"> options: {csum=<span class="string">"true"</span>}</span><br><span class="line"> Encap vxlan</span><br><span class="line"> ip: <span class="string">"172.16.126.71"</span></span><br><span class="line"> options: {csum=<span class="string">"true"</span>}</span><br></pre></td></tr></table></figure>
<h3 id="如果没有br-int网桥则创建网桥并设置网桥的接收流表方式为secure(仅接收控制器下发流表)"><a href="#如果没有br-int网桥则创建网桥并设置网桥的接收流表方式为secure(仅接收控制器下发流表)" class="headerlink" title="If there is no br-int bridge, create it and set its fail mode to secure (accept only flows installed by the controller)"></a>If there is no br-int bridge, create it and set its fail mode to secure (accept only flows installed by the controller)</h3><p>Normally the br-int bridge will already have been created by the previous step.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#ovs-vsctl add-br br-int -- set Bridge br-int fail-mode=secure</span></span><br></pre></td></tr></table></figure>
<h1 id="网络拓扑"><a href="#网络拓扑" class="headerlink" title="Network topology"></a>Network topology</h1><p><img src="https://s3.us-west-2.amazonaws.com/secure.notion-static.com/e17a94bc-d851-4502-8479-6b69d940d056/ovirt%E4%BA%91%E5%B9%B3%E5%8F%B0%E7%BD%91%E7%BB%9C%E6%8B%93%E6%89%91.bmp?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=AKIAT73L2G45EIPT3X45/20211119/us-west-2/s3/aws4_request&X-Amz-Date=20211119T093206Z&X-Amz-Expires=86400&X-Amz-Signature=91d0132ce009d168b8ea1778f3d40b27906a6bba167995e18be236eedda61ff5&X-Amz-SignedHeaders=host&response-content-disposition=filename%20=%22ovirt%25E4%25BA%2591%25E5%25B9%25B3%25E5%258F%25B0%25E7%25BD%2591%25E7%25BB%259C%25E6%258B%2593%25E6%2589%2591.bmp%22&x-id=GetObject" alt="oVirt cloud platform network topology"></p>
<h1 id="二层网络创建"><a href="#二层网络创建" class="headerlink" title="Layer 2 network creation"></a>Layer 2 network creation</h1><h2 id="创建逻辑交换机"><a href="#创建逻辑交换机" class="headerlink" title="Create logical switches"></a>Create logical switches</h2><p>Create the logical switches on the central node.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#ovn-nbctl ls-add switchA</span></span><br><span class="line"><span class="comment">#The next step sets the subnet to 192.168.1.0/24 and excludes 192.168.1.1-192.168.1.80 from DHCP allocation, so only 192.168.1.81-192.168.1.254 is handed out</span></span><br><span class="line"><span class="comment">#Without a router port, DHCP allocation only works when the subnet is specified; with a router port, set server_id to the router port and the router port handles DHCP, so the subnet attribute is not needed</span></span><br><span class="line"><span class="comment">#ovn-nbctl set logical_switch switchA other_config:subnet="192.168.1.0/24" other_config:exclude_ips="192.168.1.1..192.168.1.80"</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#ovn-nbctl ls-add switchB</span></span><br><span class="line"><span class="comment">#The next step sets the subnet to 192.168.2.0/24 and excludes 192.168.2.1-192.168.2.80 from DHCP allocation, so only 192.168.2.81-192.168.2.254 is handed out</span></span><br><span class="line"><span class="comment">#Without a router port, DHCP allocation only works when the subnet is specified; with a router port, set server_id to the router port and the router port handles DHCP, so the subnet attribute is not needed</span></span><br><span class="line"><span class="comment">#ovn-nbctl set logical_switch switchB other_config:subnet="192.168.2.0/24" other_config:exclude_ips="192.168.2.1..192.168.2.80"</span></span><br></pre></td></tr></table></figure>
<p>Add ports to logical switch switchA and set each port's MAC address.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#ovn-nbctl lsp-add switchA switchA_portA</span></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-set-addresses switchA_portA "02:ac:10:ff:00:11" #use this form if the VM sets its IP address manually</span></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-set-addresses switchA_portA "02:ac:10:ff:00:11 dynamic" #use this form if the VM should obtain an IP address via DHCP</span></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-set-addresses switchA_portA "02:ac:10:ff:00:11 192.168.1.20" #use this form if the VM should obtain a fixed IP address via DHCP</span></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-set-port-security switchA_portA "02:ac:10:ff:00:11" #enable port security, so traffic entering and leaving the port must match these addresses</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-add switchA switchA_portB</span></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-set-addresses switchA_portB "02:ac:10:ff:00:22" #use this form if the VM sets its IP address manually</span></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-set-addresses switchA_portB "02:ac:10:ff:00:22 dynamic" #use this form if the VM should obtain an IP address via DHCP</span></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-set-addresses switchA_portB "02:ac:10:ff:00:22 192.168.1.30" #use this form if the VM should obtain a fixed IP address via DHCP</span></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-set-port-security switchA_portB "02:ac:10:ff:00:22"</span></span><br></pre></td></tr></table></figure>
<p>Add ports to logical switch switchB and set each port's MAC address.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#ovn-nbctl lsp-add switchB switchB_portA</span></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-set-addresses switchB_portA "02:ac:10:ff:00:33" #use this form if the VM sets its IP address manually</span></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-set-addresses switchB_portA "02:ac:10:ff:00:33 dynamic" #use this form if the VM should obtain an IP address via DHCP</span></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-set-addresses switchB_portA "02:ac:10:ff:00:33 192.168.2.40" #use this form if the VM should obtain a fixed IP address via DHCP</span></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-set-port-security switchB_portA "02:ac:10:ff:00:33" #enable port security, so traffic entering and leaving the port must match these addresses</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-add switchB switchB_portB</span></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-set-addresses switchB_portB "02:ac:10:ff:00:44" #use this form if the VM sets its IP address manually</span></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-set-addresses switchB_portB "02:ac:10:ff:00:44 dynamic" #use this form if the VM should obtain an IP address via DHCP</span></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-set-addresses switchB_portB "02:ac:10:ff:00:44 192.168.2.50" #use this form if the VM should obtain a fixed IP address via DHCP</span></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-set-port-security switchB_portB "02:ac:10:ff:00:44"</span></span><br></pre></td></tr></table></figure>
<h2 id="创建虚拟机并手动设置IP地址"><a href="#创建虚拟机并手动设置IP地址" class="headerlink" title="Create VMs and set IP addresses manually"></a>Create VMs and set IP addresses manually</h2><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#Use network namespaces for testing; create the namespaces on node1</span></span><br><span class="line"><span class="comment">#ip netns add vm1</span></span><br><span class="line"><span class="comment">#ovs-vsctl add-port br-int vm1_nic -- set interface vm1_nic type=internal</span></span><br><span class="line"><span class="comment">#ip link set vm1_nic netns vm1</span></span><br><span class="line"><span class="comment">#ip netns exec vm1 ip link set vm1_nic address 02:ac:10:ff:00:11</span></span><br><span class="line"><span class="comment">#ip netns exec vm1 ip addr add 192.168.1.11/24 dev vm1_nic</span></span><br><span class="line"><span class="comment">#ip netns exec vm1 ip link set vm1_nic up</span></span><br><span class="line"><span class="comment">#ovs-vsctl set interface vm1_nic external_ids:iface-id=switchA_portA</span></span><br><span class="line"><span class="comment">#ip netns exec vm1 ip addr</span></span><br><span class="line"><span class="comment">#ip netns exec vm1 ip route show</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#ip netns add vm3</span></span><br><span class="line"><span class="comment">#ovs-vsctl add-port br-int vm3_nic -- set interface vm3_nic type=internal</span></span><br><span class="line"><span class="comment">#ip link set vm3_nic netns vm3</span></span><br><span class="line"><span class="comment">#ip netns exec vm3 ip link set vm3_nic address 02:ac:10:ff:00:33</span></span><br><span class="line"><span class="comment">#ip netns exec vm3 ip addr add 192.168.2.13/24 dev vm3_nic</span></span><br><span class="line"><span class="comment">#ip netns exec vm3 ip link set vm3_nic up</span></span><br><span class="line"><span class="comment">#ovs-vsctl set interface vm3_nic external_ids:iface-id=switchB_portA</span></span><br><span class="line"><span class="comment">#ip netns exec vm3 ip addr</span></span><br><span class="line"><span class="comment">#ip netns exec vm3 ip route show</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#Use network namespaces for testing; create the namespaces on node2</span></span><br><span class="line"><span class="comment">#ip netns add vm2</span></span><br><span class="line"><span class="comment">#ovs-vsctl add-port br-int vm2_nic -- set interface vm2_nic type=internal</span></span><br><span class="line"><span class="comment">#ip link set vm2_nic netns vm2</span></span><br><span class="line"><span class="comment">#ip netns exec vm2 ip link set vm2_nic address 02:ac:10:ff:00:22</span></span><br><span class="line"><span class="comment">#ip netns exec vm2 ip addr add 192.168.1.12/24 dev vm2_nic</span></span><br><span class="line"><span class="comment">#ip netns exec vm2 ip link set vm2_nic up</span></span><br><span class="line"><span class="comment">#ovs-vsctl set interface vm2_nic external_ids:iface-id=switchA_portB</span></span><br><span class="line"><span class="comment">#ip netns exec vm2 ip addr</span></span><br><span class="line"><span class="comment">#ip netns exec vm2 ip route show</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#ip netns add vm4</span></span><br><span class="line"><span class="comment">#ovs-vsctl add-port br-int vm4_nic -- set interface vm4_nic type=internal</span></span><br><span class="line"><span class="comment">#ip link set vm4_nic netns vm4</span></span><br><span class="line"><span class="comment">#ip netns exec vm4 ip link set vm4_nic address 02:ac:10:ff:00:44</span></span><br><span class="line"><span class="comment">#ip netns exec vm4 ip addr add 192.168.2.14/24 dev vm4_nic</span></span><br><span class="line"><span class="comment">#ip netns exec vm4 ip link set vm4_nic up</span></span><br><span class="line"><span class="comment">#ovs-vsctl set interface vm4_nic external_ids:iface-id=switchB_portB</span></span><br><span class="line"><span class="comment">#ip netns exec vm4 ip addr</span></span><br><span class="line"><span class="comment">#ip netns exec vm4 ip route show</span></span><br></pre></td></tr></table></figure>
<p>Now check the port bindings in the southbound database.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">[root@ovn-central ~]<span class="comment"># ovn-sbctl show</span></span><br><span class="line">Chassis <span class="string">"74ad0b26-6dde-4f0a-8244-c786e30ce953"</span></span><br><span class="line"> hostname: <span class="string">"ovn-node2"</span></span><br><span class="line"> Encap vxlan</span><br><span class="line"> ip: <span class="string">"172.16.126.72"</span></span><br><span class="line"> options: {csum=<span class="string">"true"</span>}</span><br><span class="line"> Encap geneve</span><br><span class="line"> ip: <span class="string">"172.16.126.72"</span></span><br><span class="line"> options: {csum=<span class="string">"true"</span>}</span><br><span class="line"> Port_Binding switchB_portB</span><br><span class="line"> Port_Binding switchA_portB</span><br><span class="line">Chassis <span class="string">"3d564c9f-d126-44a5-b604-0e165472e759"</span></span><br><span class="line"> hostname: <span class="string">"ovn-node1"</span></span><br><span class="line"> Encap geneve</span><br><span class="line"> ip: <span class="string">"172.16.126.71"</span></span><br><span class="line"> options: {csum=<span class="string">"true"</span>}</span><br><span class="line"> Encap vxlan</span><br><span class="line"> ip: <span class="string">"172.16.126.71"</span></span><br><span class="line"> options: {csum=<span class="string">"true"</span>}</span><br><span class="line"> Port_Binding switchA_portA</span><br><span class="line"> Port_Binding switchB_portA</span><br></pre></td></tr></table></figure>
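<p>The two ovn-sbctl show listings on this page (the first after the chassis registered, the one just above after the four namespace ports were bound) are the quickest place to confirm that every logical port is claimed by exactly one chassis and that each chassis advertises the expected tunnel encapsulation. The Python below is an added example, not part of the original post and not an OVN tool: it parses the listing into a structure and runs those checks. The sample input is the output printed above; parse_sbctl_show and check_bindings are names chosen here.</p>

```python
# Output of `ovn-sbctl show` as printed on this page after the four
# namespace ports were bound (copied from the page, not re-captured).
SBCTL_SHOW = """\
Chassis "74ad0b26-6dde-4f0a-8244-c786e30ce953"
 hostname: "ovn-node2"
 Encap vxlan
 ip: "172.16.126.72"
 options: {csum="true"}
 Encap geneve
 ip: "172.16.126.72"
 options: {csum="true"}
 Port_Binding switchB_portB
 Port_Binding switchA_portB
Chassis "3d564c9f-d126-44a5-b604-0e165472e759"
 hostname: "ovn-node1"
 Encap geneve
 ip: "172.16.126.71"
 options: {csum="true"}
 Encap vxlan
 ip: "172.16.126.71"
 options: {csum="true"}
 Port_Binding switchA_portA
 Port_Binding switchB_portA
"""


def parse_sbctl_show(text):
    """Parse `ovn-sbctl show` into {hostname: {"uuid", "encaps", "ports"}}.

    encaps maps encapsulation type to the tunnel endpoint IP; ports is the
    set of logical ports whose Port_Binding is claimed by that chassis.
    """
    chassis = {}
    current = None
    encap_type = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Chassis "):
            current = {"uuid": line.split('"')[1], "encaps": {}, "ports": set()}
            encap_type = None
        elif current is None:
            continue  # ignore anything before the first Chassis block
        elif line.startswith("hostname: "):
            chassis[line.split('"')[1]] = current
        elif line.startswith("Encap "):
            encap_type = line.split()[1]  # "ip:" lines that follow belong to it
        elif line.startswith("ip: ") and encap_type is not None:
            current["encaps"][encap_type] = line.split('"')[1]
        elif line.startswith("Port_Binding "):
            current["ports"].add(line.split()[1])
    return chassis


def check_bindings(chassis, expected_ports, required_encap="geneve"):
    """Return problems: chassis lacking the required encapsulation, logical
    ports bound nowhere, and ports claimed by more than one chassis."""
    problems = []
    owners = {}
    for host, info in chassis.items():
        if required_encap not in info["encaps"]:
            problems.append(f"{host}: no {required_encap} encapsulation")
        for port in info["ports"]:
            owners.setdefault(port, []).append(host)
    for port in expected_ports:
        hosts = owners.get(port, [])
        if not hosts:
            problems.append(f"{port}: not bound to any chassis")
        elif len(hosts) > 1:
            problems.append(f"{port}: bound to several chassis {sorted(hosts)}")
    return problems


if __name__ == "__main__":
    parsed = parse_sbctl_show(SBCTL_SHOW)
    for host, info in parsed.items():
        print(host, info["encaps"], sorted(info["ports"]))
    expected = ["switchA_portA", "switchA_portB", "switchB_portA", "switchB_portB"]
    print(check_bindings(parsed, expected) or "all ports bound")
```

<p>A port that shows up under no chassis usually means the interface's external_ids:iface-id does not match the logical port name; a port claimed by two chassis means the same iface-id was set on two hosts, which is worth catching before any traffic is sent through it.</p>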
<p>Test connectivity between the VMs: Layer 2 traffic goes through, but Layer 3 does not.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># ip netns exec vm1 ping 192.168.1.12</span></span><br><span class="line">PING 192.168.1.12 (192.168.1.12) 56(84) bytes of data.</span><br><span class="line">64 bytes from 192.168.1.12: icmp_seq=1 ttl=64 time=4.08 ms</span><br><span class="line">64 bytes from 192.168.1.12: icmp_seq=2 ttl=64 time=0.561 ms</span><br><span class="line">^C</span><br><span class="line">--- 192.168.1.12 ping statistics ---</span><br><span class="line">2 packets transmitted, 2 received, 0% packet loss, time 1001ms</span><br><span class="line">rtt min/avg/max/mdev = 0.561/2.325/4.089/1.764 ms</span><br><span class="line"><span class="comment"># ip netns exec vm3 ping 192.168.2.14</span></span><br><span class="line">PING 192.168.2.14 (192.168.2.14) 56(84) bytes of data.</span><br><span class="line">64 bytes from 192.168.2.14: icmp_seq=1 ttl=64 time=2.93 ms</span><br><span class="line">64 bytes from 192.168.2.14: icmp_seq=2 ttl=64 time=0.501 ms</span><br><span class="line">64 bytes from 192.168.2.14: icmp_seq=3 ttl=64 time=0.578 ms</span><br><span class="line">^C</span><br><span class="line">--- 192.168.2.14 ping statistics ---</span><br><span class="line">3 packets transmitted, 3 received, 0% packet loss, time 2001ms</span><br><span class="line">rtt min/avg/max/mdev = 0.501/1.337/2.934/1.130 ms</span><br><span class="line"></span><br><span class="line"><span class="comment"># ip netns exec vm3 ping 192.168.1.11</span></span><br><span class="line">connect: Network is unreachable</span><br><span class="line"></span><br><span class="line"><span class="comment"># ip netns exec vm3 ping 192.168.1.12</span></span><br><span class="line">connect: Network is unreachable</span><br><span class="line"></span><br><span class="line"><span class="comment"># ip netns exec vm1 ping 192.168.2.13</span></span><br><span class="line">connect: Network is unreachable</span><br><span 
class="line"></span><br><span class="line"><span class="comment"># ip netns exec vm1 ping 192.168.2.14</span></span><br><span class="line">connect: Network is unreachable</span><br></pre></td></tr></table></figure>
<h2 id="创建并分配DHCP选项给端口"><a href="#创建并分配DHCP选项给端口" class="headerlink" title="Create DHCP options and assign them to ports"></a>Create DHCP options and assign them to ports</h2><p>Create the DHCP options.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># ovn-nbctl dhcp-options-create 192.168.1.0/24 network=switchA</span></span><br><span class="line"><span class="comment"># ovn-nbctl dhcp-options-create 192.168.2.0/24 network=switchB</span></span><br></pre></td></tr></table></figure>
<p>List the DHCP options.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># ovn-nbctl list dhcp-options</span></span><br><span class="line">_uuid : 1e204723-aa55-405f-a9c5-8a36aaf40805</span><br><span class="line">cidr : <span class="string">"192.168.1.0/24"</span></span><br><span class="line">external_ids : {network=switchA}</span><br><span class="line">options : {}</span><br><span class="line"></span><br><span class="line">_uuid : e483f5df-9e03-49b1-a5e0-dce69f10971f</span><br><span class="line">cidr : <span class="string">"192.168.2.0/24"</span></span><br><span class="line">external_ids : {network=switchB}</span><br><span class="line">options : {}</span><br></pre></td></tr></table></figure>
<p>Populate the DHCP parameters.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#server_id and server_mac must be set here, but their values do not matter (the router address or the network address will do), because DHCP is answered directly by OpenFlow flows (a Layer 2 DHCP response)</span></span><br><span class="line"><span class="comment"># ovn-nbctl dhcp-options-set-options 1e204723-aa55-405f-a9c5-8a36aaf40805 lease_time=86400 router=192.168.1.1 server_id=192.168.1.0 server_mac=03:ac:10:ff:00:11</span></span><br><span class="line"><span class="comment"># ovn-nbctl dhcp-options-set-options e483f5df-9e03-49b1-a5e0-dce69f10971f lease_time=86400 router=192.168.2.1 server_id=192.168.2.0 server_mac=03:ac:10:ff:00:22</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># ovn-nbctl list dhcp-options</span></span><br><span class="line">_uuid : 1e204723-aa55-405f-a9c5-8a36aaf40805</span><br><span class="line">cidr : <span class="string">"192.168.1.0/24"</span></span><br><span class="line">external_ids : {network=switchA}</span><br><span class="line">options : {lease_time=<span class="string">"3600"</span>, router=<span class="string">"192.168.1.1"</span>, server_id=<span class="string">"192.168.1.0"</span>, server_mac=<span class="string">"03:ac:10:ff:00:11"</span>}</span><br><span class="line"></span><br><span class="line">_uuid : e483f5df-9e03-49b1-a5e0-dce69f10971f</span><br><span class="line">cidr : <span class="string">"192.168.2.0/24"</span></span><br><span class="line">external_ids : {network=switchB}</span><br><span class="line">options : {lease_time=<span class="string">"3600"</span>, router=<span class="string">"192.168.2.1"</span>, server_id=<span class="string">"192.168.2.0"</span>, server_mac=<span class="string">"03:ac:10:ff:00:22"</span>}</span><br></pre></td></tr></table></figure>
<p>Assign the DHCP options to the logical ports.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#assign DHCP options to each logical_switch_port</span></span><br><span class="line"><span class="comment"># ovn-nbctl lsp-set-dhcpv4-options switchA_portA 1e204723-aa55-405f-a9c5-8a36aaf40805</span></span><br><span class="line"><span class="comment"># ovn-nbctl lsp-set-dhcpv4-options switchA_portB 1e204723-aa55-405f-a9c5-8a36aaf40805</span></span><br><span class="line"><span class="comment"># ovn-nbctl lsp-set-dhcpv4-options switchB_portA e483f5df-9e03-49b1-a5e0-dce69f10971f</span></span><br><span class="line"><span class="comment"># ovn-nbctl lsp-set-dhcpv4-options switchB_portB e483f5df-9e03-49b1-a5e0-dce69f10971f</span></span><br></pre></td></tr></table></figure>
<h2 id="虚拟机DHCP从IP池中分配IP地址"><a href="#虚拟机DHCP从IP池中分配IP地址" class="headerlink" title="VMs obtain IP addresses from the DHCP pool"></a>VMs obtain IP addresses from the DHCP pool</h2><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#VM1 DHCP allocation</span></span><br><span class="line"><span class="comment"># ip netns exec vm1 dhclient -d vm1_nic</span></span><br><span class="line">Internet Systems Consortium DHCP Client 4.2.5</span><br><span class="line">Copyright 2004-2013 Internet Systems Consortium.</span><br><span class="line">All rights reserved.</span><br><span class="line">For info, please visit https://www.isc.org/software/dhcp/</span><br><span class="line"></span><br><span class="line">Listening on LPF/vm1_nic/02:ac:10:ff:00:11</span><br><span class="line">Sending on LPF/vm1_nic/02:ac:10:ff:00:11</span><br><span class="line">Sending on Socket/fallback</span><br><span class="line">DHCPDISCOVER on vm1_nic to 255.255.255.255 port 67 interval 4 (xid=0x13b2fb58)</span><br><span class="line">DHCPREQUEST on vm1_nic to 255.255.255.255 port 67 (xid=0x13b2fb58)</span><br><span class="line">DHCPOFFER from 192.168.1.0</span><br><span class="line">DHCPACK from 192.168.1.0 (xid=0x13b2fb58)</span><br><span class="line">bound to 192.168.1.81 -- renewal <span class="keyword">in</span> 1469 seconds.</span><br><span class="line"></span><br><span class="line"><span class="comment">#VM3 DHCP allocation</span></span><br><span class="line"><span class="comment"># ip netns exec vm3 dhclient -d vm3_nic</span></span><br><span class="line">Internet Systems Consortium DHCP Client 4.2.5</span><br><span class="line">Copyright 2004-2013 Internet Systems Consortium.</span><br><span class="line">All rights reserved.</span><br><span class="line">For info, please visit https://www.isc.org/software/dhcp/</span><br><span class="line"></span><br><span class="line">Listening on LPF/vm3_nic/02:ac:10:ff:00:33</span><br><span class="line">Sending on LPF/vm3_nic/02:ac:10:ff:00:33</span><br><span class="line">Sending on Socket/fallback</span><br><span class="line">DHCPDISCOVER on vm3_nic to 255.255.255.255 port 67 interval 6 (xid=0x4059d691)</span><br><span class="line">DHCPREQUEST on vm3_nic to 255.255.255.255 port 67 (xid=0x4059d691)</span><br><span class="line">DHCPOFFER from 192.168.2.0</span><br><span class="line">DHCPACK from 192.168.2.0 (xid=0x4059d691)</span><br><span class="line">bound to 192.168.2.82 -- renewal <span class="keyword">in</span> 1639 seconds.</span><br><span class="line"></span><br><span class="line"><span class="comment">#VM2 DHCP allocation</span></span><br><span class="line"><span class="comment"># ip netns exec vm2 dhclient -d vm2_nic</span></span><br><span class="line">Internet Systems Consortium DHCP Client 4.2.5</span><br><span class="line">Copyright 2004-2013 Internet Systems Consortium.</span><br><span class="line">All rights reserved.</span><br><span class="line">For info, please visit https://www.isc.org/software/dhcp/</span><br><span class="line"></span><br><span class="line">Listening on LPF/vm2_nic/02:ac:10:ff:00:22</span><br><span class="line">Sending on LPF/vm2_nic/02:ac:10:ff:00:22</span><br><span class="line">Sending on Socket/fallback</span><br><span class="line">DHCPDISCOVER on vm2_nic to 255.255.255.255 port 67 interval 8 (xid=0x2a5bf2d9)</span><br><span class="line">DHCPREQUEST on vm2_nic to 255.255.255.255 port 67 (xid=0x2a5bf2d9)</span><br><span class="line">DHCPOFFER from 192.168.1.0</span><br><span class="line">DHCPACK from 192.168.1.0 (xid=0x2a5bf2d9)</span><br><span class="line">bound to 192.168.1.82 -- renewal <span class="keyword">in</span> 1674 seconds.</span><br><span class="line"></span><br><span class="line"><span class="comment">#VM4 DHCP allocation</span></span><br><span class="line"><span class="comment"># ip netns exec vm4 dhclient -d vm4_nic</span></span><br><span class="line">Internet Systems Consortium DHCP Client 4.2.5</span><br><span class="line">Copyright 2004-2013 Internet Systems Consortium.</span><br><span class="line">All rights reserved.</span><br><span class="line">For info, please visit https://www.isc.org/software/dhcp/</span><br><span class="line"></span><br><span class="line">Listening on LPF/vm4_nic/02:ac:10:ff:00:44</span><br><span class="line">Sending on LPF/vm4_nic/02:ac:10:ff:00:44</span><br><span class="line">Sending on Socket/fallback</span><br><span class="line">DHCPDISCOVER on vm4_nic to 255.255.255.255 port 67 interval 8 (xid=0x173b5665)</span><br><span class="line">DHCPREQUEST on vm4_nic to 255.255.255.255 port 67 (xid=0x173b5665)</span><br><span class="line">DHCPOFFER from 192.168.2.0</span><br><span class="line">DHCPACK from 192.168.2.0 (xid=0x173b5665)</span><br><span class="line">bound to 192.168.2.81 -- renewal <span class="keyword">in</span> 1680 seconds.</span><br></pre></td></tr></table></figure>
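<p>The exclude_ips setting given to switchA and switchB when they were created explains the leases above: with 192.168.1.1..192.168.1.80 excluded, the first dynamic address on switchA is 192.168.1.81 and the next is 192.168.1.82, and switchB hands out .81 and .82 likewise. The Python below is an added example, not OVN's own IPAM code: it parses OVN's exclude_ips syntax (space-separated single addresses and first..last ranges) and models the dynamic pool as this page describes it, with the network and broadcast addresses, the excluded ranges and statically assigned addresses all unavailable. dynamic_pool and allocate are names chosen here, and the order in which OVN itself picks addresses for ports is not modelled.</p>

```python
import ipaddress


def parse_exclude_ips(spec):
    """Parse OVN's other_config:exclude_ips value: a space-separated list of
    single IPv4 addresses and inclusive ranges written as first..last."""
    excluded = set()
    for item in spec.split():
        if ".." in item:
            first, last = item.split("..", 1)
            lo = int(ipaddress.IPv4Address(first))
            hi = int(ipaddress.IPv4Address(last))
            if lo > hi:
                raise ValueError(f"inverted range in exclude_ips: {item}")
            excluded.update(ipaddress.IPv4Address(n) for n in range(lo, hi + 1))
        else:
            excluded.add(ipaddress.IPv4Address(item))
    return excluded


def dynamic_pool(subnet, exclude_ips="", static_ips=()):
    """Model of the addresses available to ports whose address is 'dynamic'.

    This models the behaviour described on this page, not OVN's own code:
    the network and broadcast addresses, everything listed in exclude_ips,
    and every address already assigned statically are not handed out.
    Addresses outside the subnet are rejected rather than silently ignored.
    """
    net = ipaddress.IPv4Network(subnet, strict=True)
    unavailable = parse_exclude_ips(exclude_ips)
    unavailable.update(ipaddress.IPv4Address(ip) for ip in static_ips)
    outside = [ip for ip in unavailable if ip not in net]
    if outside:
        raise ValueError(f"addresses outside {net}: {sorted(outside)}")
    return [ip for ip in net.hosts() if ip not in unavailable]


def allocate(pool, count):
    """Return the first `count` pool addresses as strings, lowest first."""
    if count > len(pool):
        raise ValueError("pool exhausted")
    return [str(ip) for ip in pool[:count]]


if __name__ == "__main__":
    # Values from this page: switchA's subnet and exclude_ips, plus the two
    # fixed addresses given to switchA_portA and switchA_portB.
    pool = dynamic_pool("192.168.1.0/24", "192.168.1.1..192.168.1.80",
                        static_ips=("192.168.1.20", "192.168.1.30"))
    print(len(pool), "dynamic addresses, first two:", allocate(pool, 2))
```

<p>For switchA the pool is 192.168.1.81 through 192.168.1.254 (174 addresses), and the first two allocations are the .81 and .82 seen in the dhclient output; if the fixed addresses had been chosen inside the dynamic range instead of the excluded one, the model would shrink the pool accordingly.</p>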
<h2 id="虚拟机DHCP分配固定IP地址"><a href="#虚拟机DHCP分配固定IP地址" class="headerlink" title="虚拟机DHCP分配固定IP地址"></a>Assigning fixed IP addresses to the VMs via DHCP</h2><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#VM1 obtains its fixed IP address via DHCP</span></span><br><span class="line"><span class="comment"># ip netns exec vm1 dhclient -d vm1_nic</span></span><br><span class="line">Internet Systems Consortium DHCP Client 4.2.5</span><br><span class="line">Copyright 2004-2013 Internet Systems Consortium.</span><br><span class="line">All rights reserved.</span><br><span class="line">For info, please visit https://www.isc.org/software/dhcp/</span><br><span class="line"></span><br><span class="line">Listening on LPF/vm1_nic/02:ac:10:ff:00:11</span><br><span class="line">Sending on LPF/vm1_nic/02:ac:10:ff:00:11</span><br><span class="line">Sending on Socket/fallback</span><br><span class="line">DHCPREQUEST on vm1_nic to 255.255.255.255 port 67 (xid=0x1f1eaf4)</span><br><span class="line">DHCPNAK from 192.168.1.1 (xid=0x1f1eaf4)</span><br><span class="line">DHCPDISCOVER on vm1_nic to 255.255.255.255 port 67 interval 6 (xid=0x1706fa15)</span><br><span class="line">DHCPREQUEST on vm1_nic to 255.255.255.255 port 67 (xid=0x1706fa15)</span><br><span class="line">DHCPOFFER from 192.168.1.1</span><br><span class="line">DHCPACK from 192.168.1.1 (xid=0x1706fa15)</span><br><span class="line">bound to 192.168.1.20 -- renewal <span class="keyword">in</span> 1643 seconds.</span><br><span class="line">^C</span><br><span class="line"></span><br><span class="line"><span class="comment">#VM3 obtains its fixed IP address via DHCP</span></span><br><span class="line"><span class="comment"># ip netns exec vm3 dhclient -d vm3_nic</span></span><br><span class="line">Internet Systems Consortium DHCP Client 4.2.5</span><br><span class="line">Copyright 2004-2013 Internet Systems Consortium.</span><br><span class="line">All rights reserved.</span><br><span class="line">For info, please visit https://www.isc.org/software/dhcp/</span><br><span class="line"></span><br><span class="line">Listening on LPF/vm3_nic/02:ac:10:ff:00:33</span><br><span class="line">Sending on LPF/vm3_nic/02:ac:10:ff:00:33</span><br><span class="line">Sending on Socket/fallback</span><br><span class="line">DHCPREQUEST on vm3_nic to 255.255.255.255 port 67 (xid=0x1a89050f)</span><br><span class="line">DHCPNAK from 192.168.2.1 (xid=0x1a89050f)</span><br><span class="line">DHCPDISCOVER on vm3_nic to 255.255.255.255 port 67 interval 7 (xid=0x5158e2c)</span><br><span class="line">DHCPREQUEST on vm3_nic to 255.255.255.255 port 67 (xid=0x5158e2c)</span><br><span class="line">DHCPOFFER from 192.168.2.1</span><br><span class="line">DHCPACK from 192.168.2.1 (xid=0x5158e2c)</span><br><span class="line">bound to 192.168.2.40 -- renewal <span class="keyword">in</span> 1558 seconds.</span><br><span class="line"></span><br><span class="line"><span class="comment">#VM2 obtains its fixed IP address via DHCP</span></span><br><span class="line"><span class="comment"># ip netns exec vm2 dhclient -d vm2_nic</span></span><br><span class="line">Internet Systems Consortium DHCP Client 4.2.5</span><br><span class="line">Copyright 2004-2013 Internet Systems Consortium.</span><br><span class="line">All rights reserved.</span><br><span class="line">For info, please visit https://www.isc.org/software/dhcp/</span><br><span class="line"></span><br><span class="line">Listening on LPF/vm2_nic/02:ac:10:ff:00:22</span><br><span class="line">Sending on LPF/vm2_nic/02:ac:10:ff:00:22</span><br><span class="line">Sending on Socket/fallback</span><br><span class="line">DHCPREQUEST on vm2_nic to 255.255.255.255 port 67 (xid=0x22dbe262)</span><br><span class="line">DHCPNAK from 192.168.1.1 (xid=0x22dbe262)</span><br><span class="line">DHCPDISCOVER on vm2_nic to 255.255.255.255 port 67 interval 3 (xid=0x6ac15f68)</span><br><span class="line">DHCPREQUEST on vm2_nic to 255.255.255.255 port 67 (xid=0x6ac15f68)</span><br><span class="line">DHCPOFFER from 192.168.1.1</span><br><span class="line">DHCPACK from 192.168.1.1 (xid=0x6ac15f68)</span><br><span class="line">bound to 192.168.1.30 -- renewal <span class="keyword">in</span> 1700 seconds.</span><br><span class="line"></span><br><span class="line"><span class="comment">#VM4 obtains its fixed IP address via DHCP</span></span><br><span class="line"><span class="comment"># ip netns exec vm4 dhclient -d vm4_nic</span></span><br><span class="line">Internet Systems Consortium DHCP Client 4.2.5</span><br><span class="line">Copyright 2004-2013 Internet Systems Consortium.</span><br><span class="line">All rights reserved.</span><br><span class="line">For info, please visit https://www.isc.org/software/dhcp/</span><br><span class="line"></span><br><span class="line">Listening on LPF/vm4_nic/02:ac:10:ff:00:44</span><br><span class="line">Sending on LPF/vm4_nic/02:ac:10:ff:00:44</span><br><span class="line">Sending on Socket/fallback</span><br><span class="line">DHCPREQUEST on vm4_nic to 255.255.255.255 port 67 (xid=0x18ab31df)</span><br><span class="line">DHCPNAK from 192.168.2.1 (xid=0x18ab31df)</span><br><span class="line">DHCPDISCOVER on vm4_nic to 255.255.255.255 port 67 interval 8 (xid=0x50ca1ad2)</span><br><span class="line">DHCPREQUEST on vm4_nic to 255.255.255.255 port 67 (xid=0x50ca1ad2)</span><br><span class="line">DHCPOFFER from 192.168.2.1</span><br><span class="line">DHCPACK from 192.168.2.1 (xid=0x50ca1ad2)</span><br><span class="line">bound to 192.168.2.50 -- renewal <span class="keyword">in</span> 1408 seconds.</span><br></pre></td></tr></table></figure>
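<p>As an added example (not part of the original post), the following Python script parses <code>dhclient -d</code> output like the transcripts above and checks two things a defender cares about in an overlay where OVN is supposed to be the only DHCP server: that every OFFER, ACK and NAK came from an expected server address, and that the final ACK answers the DISCOVER the client actually sent. The log text and the expected-server set are constructed for the example; in practice the set would be the <code>server_id</code> values you configured in the OVN DHCP options.</p>

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class DhcpEvent:
    kind: str                      # DISCOVER, REQUEST, OFFER, ACK, NAK or BOUND
    iface: Optional[str] = None    # interface named in "on <iface>"
    server: Optional[str] = None   # address named in "from <server>"
    xid: Optional[str] = None      # transaction id, when dhclient prints one
    address: Optional[str] = None  # leased address on a "bound to" line
    renewal: Optional[int] = None  # renewal time in seconds on a "bound to" line


# Constructed sample, modelled on the vm1 transcript above.
SAMPLE_LOG = """\
Listening on LPF/vm1_nic/02:ac:10:ff:00:11
DHCPREQUEST on vm1_nic to 255.255.255.255 port 67 (xid=0x1f1eaf4)
DHCPNAK from 192.168.1.1 (xid=0x1f1eaf4)
DHCPDISCOVER on vm1_nic to 255.255.255.255 port 67 interval 6 (xid=0x1706fa15)
DHCPREQUEST on vm1_nic to 255.255.255.255 port 67 (xid=0x1706fa15)
DHCPOFFER from 192.168.1.1
DHCPACK from 192.168.1.1 (xid=0x1706fa15)
bound to 192.168.1.20 -- renewal in 1643 seconds.
"""

MSG_RE = re.compile(r"^DHCP(DISCOVER|REQUEST|OFFER|ACK|NAK)(?: on (\S+))?(?: from (\S+))?")
XID_RE = re.compile(r"xid=(0x[0-9a-fA-F]+)")
BOUND_RE = re.compile(r"^bound to (\S+) -- renewal in (\d+) seconds")


def parse_dhclient_log(text: str) -> List[DhcpEvent]:
    """Turn dhclient -d output into a list of DhcpEvent; banner lines are ignored."""
    events = []
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if m:
            x = XID_RE.search(line)
            events.append(DhcpEvent(kind=m.group(1), iface=m.group(2),
                                    server=m.group(3), xid=x.group(1) if x else None))
            continue
        b = BOUND_RE.match(line)
        if b:
            events.append(DhcpEvent(kind="BOUND", address=b.group(1), renewal=int(b.group(2))))
    return events


def audit_lease(events: List[DhcpEvent], expected_servers: Set[str]) -> List[str]:
    """Findings: a server reply from an address outside expected_servers (a possible rogue
    DHCP server on the segment) or an ACK whose xid is not the one the client sent in DISCOVER."""
    findings = []
    discover_xid = None
    for ev in events:
        if ev.kind == "DISCOVER":
            discover_xid = ev.xid
        elif ev.kind in ("OFFER", "ACK", "NAK"):
            if ev.server not in expected_servers:
                findings.append(f"{ev.kind} from unexpected server {ev.server}")
            if ev.kind == "ACK" and discover_xid and ev.xid != discover_xid:
                findings.append(f"ACK xid {ev.xid} does not match DISCOVER xid {discover_xid}")
    return findings


def bound_address(events: List[DhcpEvent]) -> Optional[str]:
    """The address dhclient finally bound, or None if the exchange never completed."""
    for ev in reversed(events):
        if ev.kind == "BOUND":
            return ev.address
    return None


if __name__ == "__main__":
    evs = parse_dhclient_log(SAMPLE_LOG)
    print("bound:", bound_address(evs))
    print("findings:", audit_lease(evs, {"192.168.1.1"}))
```

Run it against a captured <code>dhclient -d</code> session from each namespace; an empty findings list means every reply came from the OVN-managed server and the lease belongs to the client's own transaction.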
<h2 id="跟踪DHCP请求和回应"><a href="#跟踪DHCP请求和回应" class="headerlink" title="跟踪DHCP请求和回应"></a>Tracing DHCP requests and responses</h2><p>On ovn-central, ovn-trace can be used to follow how a DHCP request is processed and answered by the logical switch.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># ovn-trace --summary switchA 'inport=="switchA_portA" && eth.src==02:ac:10:ff:00:11 && ip4.src==0.0.0.0 && ip.ttl==1 && ip4.dst==255.255.255.255 && udp.src==68 && udp.dst==67'</span></span><br><span class="line"><span class="comment">#the traced pipeline is as follows</span></span><br><span class="line"><span class="comment"># udp,reg14=0x1,vlan_tci=0x0000,dl_src=02:ac:10:ff:00:11,dl_dst=00:00:00:00:00:00,nw_src=0.0.0.0,nw_dst=255.255.255.255,nw_tos=0,nw_ecn=0,nw_ttl=1,tp_src=68,tp_dst=67</span></span><br><span class="line">ingress(dp=<span class="string">"switchA"</span>, inport=<span class="string">"switchA_portA"</span>) {</span><br><span class="line"> next;</span><br><span class="line"> reg0[3] = put_dhcp_opts(offerip = 192.168.1.20, lease_time = 86400, netmask = 255.255.255.0, router = 192.168.1.1, server_id = 192.168.1.0);</span><br><span class="line"> /* We assume that this packet is DHCPDISCOVER or DHCPREQUEST. */;</span><br><span class="line"> next;</span><br><span class="line"> eth.dst = eth.src;</span><br><span class="line"> eth.src = 03:ac:10:ff:00:11;</span><br><span class="line"> ip4.dst = 192.168.1.20;</span><br><span class="line"> ip4.src = 192.168.1.0;</span><br><span class="line"> udp.src = 67;</span><br><span class="line"> udp.dst = 68;</span><br><span class="line"> outport = inport;</span><br><span class="line"> flags.loopback = 1;</span><br><span class="line"> output;</span><br><span class="line"> egress(dp=<span class="string">"switchA"</span>, inport=<span class="string">"switchA_portA"</span>, outport=<span class="string">"switchA_portA"</span>) {</span><br><span class="line"> next;</span><br><span class="line"> output;</span><br><span class="line"> /* output to <span class="string">"switchA_portA"</span>, <span class="built_in">type</span> <span class="string">""</span> */;</span><br><span class="line"> };</span><br></pre></td></tr></table></figure>
<h1 id="三层网络创建"><a href="#三层网络创建" class="headerlink" title="三层网络创建"></a>Creating the Layer 3 network</h1><h2 id="创建逻辑路由器"><a href="#创建逻辑路由器" class="headerlink" title="创建逻辑路由器"></a>Creating the logical router</h2><p>Create the logical router on the central node.</p>
<p>Create logical router A together with its interfaces towards each logical switch. Note that the IP address of a logical router port is the gateway address of the corresponding logical switch, and it must be given with its subnet mask.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#ovn-nbctl lr-add routerA</span></span><br><span class="line"><span class="comment">#ovn-nbctl lrp-add routerA routerA2switchA 02:ac:10:ff:01:88 192.168.1.1/24</span></span><br><span class="line"><span class="comment">#ovn-nbctl lrp-add routerA routerA2switchB 02:ac:10:ff:01:99 192.168.2.1/24</span></span><br></pre></td></tr></table></figure>
<h2 id="创建逻辑交换机上的路由端口"><a href="#创建逻辑交换机上的路由端口" class="headerlink" title="创建逻辑交换机上的路由端口"></a>Creating the router ports on the logical switches</h2><p>Create the interface from logical switch A to logical router A.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#ovn-nbctl lsp-add switchA switchA2routerA </span></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-set-type switchA2routerA router</span></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-set-addresses switchA2routerA 02:ac:10:ff:01:88</span></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-set-options switchA2routerA router-port=routerA2switchA</span></span><br></pre></td></tr></table></figure>
<p>Create the interface from logical switch B to logical router A.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#ovn-nbctl lsp-add switchB switchB2routerA</span></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-set-type switchB2routerA router</span></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-set-addresses switchB2routerA 02:ac:10:ff:01:99</span></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-set-options switchB2routerA router-port=routerA2switchB</span></span><br></pre></td></tr></table></figure>
<p>View the logical network at this point.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># ovn-nbctl show</span></span><br><span class="line">switch 0acd0085-18ab-489e-85db-67f31173c17d (switchB)</span><br><span class="line"> port switchB_portB</span><br><span class="line"> addresses: [<span class="string">"02:ac:10:ff:00:44 192.168.2.50"</span>]</span><br><span class="line"> port switchB_portA</span><br><span class="line"> addresses: [<span class="string">"02:ac:10:ff:00:33 192.168.2.40"</span>]</span><br><span class="line"> port switchB2routerA</span><br><span class="line"> <span class="built_in">type</span>: router</span><br><span class="line"> addresses: [<span class="string">"02:ac:10:ff:01:99"</span>]</span><br><span class="line"> router-port: routerA2switchB</span><br><span class="line">switch 1d8ff1a1-91d5-46f5-9f9b-ce631353e102 (switchA)</span><br><span class="line"> port switchA_portA</span><br><span class="line"> addresses: [<span class="string">"02:ac:10:ff:00:11 192.168.1.20"</span>]</span><br><span class="line"> port switchA2routerA</span><br><span class="line"> <span class="built_in">type</span>: router</span><br><span class="line"> addresses: [<span class="string">"02:ac:10:ff:01:88"</span>]</span><br><span class="line"> router-port: routerA2switchA</span><br><span class="line"> port switchA_portB</span><br><span class="line"> addresses: [<span class="string">"02:ac:10:ff:00:22 192.168.1.30"</span>]</span><br><span class="line">router bd119949-3cf7-4440-b79e-f861feb7d5a5 (routerA)</span><br><span class="line"> port routerA2switchB</span><br><span class="line"> mac: <span class="string">"02:ac:10:ff:01:99"</span></span><br><span class="line"> networks: [<span class="string">"192.168.2.1/24"</span>]</span><br><span class="line"> port routerA2switchA</span><br><span class="line"> mac: <span class="string">"02:ac:10:ff:01:88"</span></span><br><span class="line"> networks: [<span 
class="string">"192.168.1.1/24"</span>]</span><br></pre></td></tr></table></figure>
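<p>The switch-to-router wiring above only works when three things line up: the switch port of type <code>router</code> names an existing router port in <code>router-port</code>, its <code>addresses</code> carry the same MAC as that router port, and the router port's address has a prefix length. As an added example (not the project's own tooling), this Python script parses <code>ovn-nbctl show</code> output in the format shown above and reports any pairing that violates those rules, plus router ports no switch references. The sample text is constructed in that format; the parser keys on keywords rather than indentation, so it also works on copies whose leading whitespace was stripped.</p>

```python
import re
from typing import Dict, List

# Constructed sample in the "ovn-nbctl show" format, modelled on the output above.
SAMPLE_SHOW = """\
switch 1d8ff1a1-91d5-46f5-9f9b-ce631353e102 (switchA)
    port switchA_portA
        addresses: ["02:ac:10:ff:00:11 192.168.1.20"]
    port switchA2routerA
        type: router
        addresses: ["02:ac:10:ff:01:88"]
        router-port: routerA2switchA
switch 0acd0085-18ab-489e-85db-67f31173c17d (switchB)
    port switchB2routerA
        type: router
        addresses: ["02:ac:10:ff:01:99"]
        router-port: routerA2switchB
router bd119949-3cf7-4440-b79e-f861feb7d5a5 (routerA)
    port routerA2switchB
        mac: "02:ac:10:ff:01:99"
        networks: ["192.168.2.1/24"]
    port routerA2switchA
        mac: "02:ac:10:ff:01:88"
        networks: ["192.168.1.1/24"]
"""

HEAD_RE = re.compile(r"^(switch|router) \S+ \((\S+)\)$")
KIND = {"switch": "switches", "router": "routers"}


def parse_nb_show(text: str) -> Dict[str, dict]:
    """Parse ovn-nbctl show into {"switches": {name: {port: {key: value}}}, "routers": {...}}."""
    model = {"switches": {}, "routers": {}}
    obj = port = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEAD_RE.match(line)
        if m:
            obj = model[KIND[m.group(1)]].setdefault(m.group(2), {})
            port = None
        elif line.startswith("port ") and obj is not None:
            port = obj.setdefault(line.split(None, 1)[1], {})
        elif line.startswith("nat "):
            port = None                     # NAT entries are not ports; skip their fields
        elif ":" in line and port is not None:
            key, _, val = line.partition(":")
            port[key.strip()] = val.strip().strip("[]").replace('"', "")
    return model


def check_router_ports(model: Dict[str, dict]) -> List[str]:
    """Findings for switch ports of type router whose peer is missing or mismatched,
    router ports whose address lacks a prefix length, and router ports nobody references."""
    lrps = {}
    for rname, ports in model["routers"].items():
        for pname, p in ports.items():
            lrps[pname] = (rname, p.get("mac", "").lower(), p.get("networks", ""))
    findings, referenced = [], set()
    for sname, ports in model["switches"].items():
        for pname, p in ports.items():
            if p.get("type") != "router":
                continue
            peer = p.get("router-port")
            if peer not in lrps:
                findings.append(f"{sname}/{pname}: router-port {peer!r} does not exist on any router")
                continue
            referenced.add(peer)
            rname, mac, nets = lrps[peer]
            addrs = p.get("addresses", "").lower()
            if addrs not in (mac, "router"):   # "router" is OVN's shorthand for "use the peer's MAC"
                findings.append(f"{sname}/{pname}: addresses {addrs!r} differ from {rname}/{peer} mac {mac!r}")
            for net in nets.split(","):
                if "/" not in net:
                    findings.append(f"{rname}/{peer}: network {net.strip()!r} has no prefix length")
    for pname, (rname, _, _) in lrps.items():
        if pname not in referenced:
            findings.append(f"{rname}/{pname}: no switch port references this router port")
    return findings


if __name__ == "__main__":
    for finding in check_router_ports(parse_nb_show(SAMPLE_SHOW)) or ["topology consistent"]:
        print(finding)
```

A mismatched MAC is the classic silent failure here: the router port is created, the switch port exists, and ARP for the gateway simply goes unanswered.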
<h2 id="虚拟机互通测试"><a href="#虚拟机互通测试" class="headerlink" title="虚拟机互通测试"></a>VM connectivity tests</h2><p>From vm1 on node1, test connectivity to the switchA gateway.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># ip netns exec vm1 ping 192.168.1.1</span></span><br><span class="line">PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.</span><br><span class="line">64 bytes from 192.168.1.1: icmp_seq=1 ttl=254 time=0.238 ms</span><br><span class="line">64 bytes from 192.168.1.1: icmp_seq=2 ttl=254 time=0.261 ms</span><br><span class="line">64 bytes from 192.168.1.1: icmp_seq=3 ttl=254 time=0.129 ms</span><br></pre></td></tr></table></figure>
<p>From vm1 on node1, test connectivity through the logical router to a VM on the same host.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># ip netns exec vm1 ping 192.168.2.40</span></span><br><span class="line">PING 192.168.2.40 (192.168.2.40) 56(84) bytes of data.</span><br><span class="line">64 bytes from 192.168.2.40: icmp_seq=1 ttl=63 time=0.406 ms</span><br><span class="line">64 bytes from 192.168.2.40: icmp_seq=2 ttl=63 time=0.077 ms</span><br><span class="line">64 bytes from 192.168.2.40: icmp_seq=3 ttl=63 time=0.062 ms</span><br></pre></td></tr></table></figure>
<p>From vm1 on node1, test connectivity across the SDN network to a VM on a different host.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># ip netns exec vm1 ping 192.168.2.50</span></span><br><span class="line">PING 192.168.2.50 (192.168.2.50) 56(84) bytes of data.</span><br><span class="line">64 bytes from 192.168.2.50: icmp_seq=1 ttl=63 time=4.97 ms</span><br><span class="line">64 bytes from 192.168.2.50: icmp_seq=2 ttl=63 time=1.06 ms</span><br><span class="line">64 bytes from 192.168.2.50: icmp_seq=3 ttl=63 time=0.582 ms</span><br></pre></td></tr></table></figure>
<h1 id="连接外部网络"><a href="#连接外部网络" class="headerlink" title="连接外部网络"></a>Connecting to the external network</h1><h2 id="创建外部逻辑交换机"><a href="#创建外部逻辑交换机" class="headerlink" title="创建外部逻辑交换机"></a>Creating the external logical switch</h2><p>Create the external logical switch on the central node.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#ovn-nbctl ls-add switch_external</span></span><br></pre></td></tr></table></figure>
<p>Add the external (localnet) port to the external logical switch.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#ovn-nbctl lsp-add switch_external external_port</span></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-set-type external_port localnet</span></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-set-addresses external_port unknown</span></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-set-options external_port network_name=dataNet</span></span><br></pre></td></tr></table></figure>
<p>Add the port from the external logical switch to logical router A.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#ovn-nbctl lsp-add switch_external external2routerA</span></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-set-type external2routerA router</span></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-set-addresses external2routerA 02:ac:10:ff:01:77</span></span><br><span class="line"><span class="comment">#ovn-nbctl lsp-set-options external2routerA router-port=routerA2external</span></span><br></pre></td></tr></table></figure>
<h2 id="设置逻辑路由器"><a href="#设置逻辑路由器" class="headerlink" title="设置逻辑路由器"></a>Configuring the logical router</h2><p>View the compute nodes (chassis) that the ports are bound to.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># ovn-sbctl show</span></span><br><span class="line">Chassis <span class="string">"74ad0b26-6dde-4f0a-8244-c786e30ce953"</span></span><br><span class="line"> hostname: <span class="string">"ovn-node2"</span></span><br><span class="line"> Encap vxlan</span><br><span class="line"> ip: <span class="string">"172.16.126.72"</span></span><br><span class="line"> options: {csum=<span class="string">"true"</span>}</span><br><span class="line"> Encap geneve</span><br><span class="line"> ip: <span class="string">"172.16.126.72"</span></span><br><span class="line"> options: {csum=<span class="string">"true"</span>}</span><br><span class="line"> Port_Binding switchB_portB</span><br><span class="line"> Port_Binding switchA_portB</span><br><span class="line">Chassis <span class="string">"3d564c9f-d126-44a5-b604-0e165472e759"</span></span><br><span class="line"> hostname: <span class="string">"ovn-node1"</span></span><br><span class="line"> Encap geneve</span><br><span class="line"> ip: <span class="string">"172.16.126.71"</span></span><br><span class="line"> options: {csum=<span class="string">"true"</span>}</span><br><span class="line"> Encap vxlan</span><br><span class="line"> ip: <span class="string">"172.16.126.71"</span></span><br><span class="line"> options: {csum=<span class="string">"true"</span>}</span><br><span class="line"> Port_Binding switchA_portA</span><br><span class="line"> Port_Binding switchB_portA</span><br></pre></td></tr></table></figure>
<p>Add the port from the logical router to the external logical switch. Its IP must be an address that is unused on the external network; a range of addresses can be reserved on the external network for this purpose.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#ovn-nbctl lrp-add routerA routerA2external 02:ac:10:ff:01:77 172.16.126.74/24</span></span><br></pre></td></tr></table></figure>
<p>Set the gateway chassis for the port, using both node1 and node2 as network nodes (to balance the load), and assign each a priority.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#ovn-nbctl lrp-set-gateway-chassis routerA2external 3d564c9f-d126-44a5-b604-0e165472e759 100</span></span><br><span class="line"><span class="comment">#ovn-nbctl lrp-set-gateway-chassis routerA2external 74ad0b26-6dde-4f0a-8244-c786e30ce953 90</span></span><br></pre></td></tr></table></figure>
<p>At this point BFD information is visible on node1 and node2. There is an open question here: how is automatic failover of the load achieved? Presumably HA needs to be configured.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#ovn-node1</span></span><br><span class="line"><span class="comment"># ovs-vsctl show</span></span><br><span class="line">ebabcc03-5219-421a-9562-7443921fa275</span><br><span class="line"> Bridge br-int</span><br><span class="line"> fail_mode: secure</span><br><span class="line"> Port <span class="string">"vm3_nic"</span></span><br><span class="line"> Interface <span class="string">"vm3_nic"</span></span><br><span class="line"> <span class="built_in">type</span>: internal</span><br><span class="line"> Port <span class="string">"vm1_nic"</span></span><br><span class="line"> Interface <span class="string">"vm1_nic"</span></span><br><span class="line"> <span class="built_in">type</span>: internal</span><br><span class="line"> Port <span class="string">"ovn-74ad0b-0"</span></span><br><span class="line"> Interface <span class="string">"ovn-74ad0b-0"</span></span><br><span class="line"> <span class="built_in">type</span>: geneve</span><br><span class="line"> options: {csum=<span class="string">"true"</span>, key=flow, remote_ip=<span class="string">"172.16.126.72"</span>}</span><br><span class="line"> bfd_status: {diagnostic=<span class="string">"Control Detection Time Expired"</span>, flap_count=<span class="string">"3"</span>, forwarding=<span class="string">"true"</span>, remote_diagnostic=<span class="string">"Control Detection Time Expired"</span>, remote_state=up, state=up}</span><br><span class="line"> Port br-int</span><br><span class="line"> Interface br-int</span><br><span class="line"> <span class="built_in">type</span>: internal</span><br><span class="line"> ovs_version: <span class="string">"2.11.0"</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#ovn-node2</span></span><br><span class="line"><span class="comment"># ovs-vsctl show</span></span><br><span 
class="line">35f58dbd-6b8b-45e3-8a5d-0567811ecb76</span><br><span class="line"> Bridge br-int</span><br><span class="line"> fail_mode: secure</span><br><span class="line"> Port <span class="string">"vm4_nic"</span></span><br><span class="line"> Interface <span class="string">"vm4_nic"</span></span><br><span class="line"> <span class="built_in">type</span>: internal</span><br><span class="line"> Port <span class="string">"ovn-3d564c-0"</span></span><br><span class="line"> Interface <span class="string">"ovn-3d564c-0"</span></span><br><span class="line"> <span class="built_in">type</span>: geneve</span><br><span class="line"> options: {csum=<span class="string">"true"</span>, key=flow, remote_ip=<span class="string">"172.16.126.71"</span>}</span><br><span class="line"> bfd_status: {diagnostic=<span class="string">"Control Detection Time Expired"</span>, flap_count=<span class="string">"3"</span>, forwarding=<span class="string">"true"</span>, remote_diagnostic=<span class="string">"Control Detection Time Expired"</span>, remote_state=up, state=up}</span><br><span class="line"> Port <span class="string">"vm2_nic"</span></span><br><span class="line"> Interface <span class="string">"vm2_nic"</span></span><br><span class="line"> <span class="built_in">type</span>: internal</span><br><span class="line"> Port br-int</span><br><span class="line"> Interface br-int</span><br><span class="line"> <span class="built_in">type</span>: internal</span><br><span class="line"> ovs_version: <span class="string">"2.11.0"</span></span><br></pre></td></tr></table></figure>
<h2 id="在网络节点设置映射"><a href="#在网络节点设置映射" class="headerlink" title="在网络节点设置映射"></a>Configuring the bridge mapping on the network nodes</h2><p>When configuring the logical router we designated node1 and node2 as network nodes; now configure the bridge mapping on node1 and node2.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#node1: on oVirt this step is done by VDSM, which creates a bridge with a random name</span></span><br><span class="line"><span class="comment">#ovs-vsctl add-br br-ex</span></span><br><span class="line"><span class="comment">#ovs-vsctl set Open_vSwitch . external-ids:ovn-bridge-mappings=dataNet:br-ex</span></span><br><span class="line"><span class="comment">#ovs-vsctl add-port br-ex eth0</span></span><br><span class="line"><span class="comment">#dataNet must be an internal port so the host can assign its own IP address to it</span></span><br><span class="line"><span class="comment">#ovs-vsctl add-port br-ex dataNet -- set interface dataNet type=internal</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#node2: on oVirt this step is done by VDSM, which creates a bridge with a random name</span></span><br><span class="line"><span class="comment">#ovs-vsctl add-br br-ex</span></span><br><span class="line"><span class="comment">#ovs-vsctl set Open_vSwitch . external-ids:ovn-bridge-mappings=dataNet:br-ex</span></span><br><span class="line"><span class="comment">#ovs-vsctl add-port br-ex eth0</span></span><br><span class="line"><span class="comment">#ovs-vsctl add-port br-ex dataNet -- set interface dataNet type=internal</span></span><br></pre></td></tr></table></figure>
<p>Assign the IP address to dataNet and remove it from eth0.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#node1</span></span><br><span class="line"><span class="comment">#ip addr del 172.16.126.71/24 dev eth0</span></span><br><span class="line"><span class="comment">#ip addr add 172.16.126.71/24 dev dataNet</span></span><br><span class="line"><span class="comment">#ip link set dataNet up</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#node2</span></span><br><span class="line"><span class="comment">#ip addr del 172.16.126.72/24 dev eth0</span></span><br><span class="line"><span class="comment">#ip addr add 172.16.126.72/24 dev dataNet</span></span><br><span class="line"><span class="comment">#ip link set dataNet up</span></span><br></pre></td></tr></table></figure>
<p>If the VM hosts are set up on an oVirt OVS cluster, the network may fail to pass traffic. This is because OVN enables MAC address checking by default; setting the addresses of the VM's logical port to unknown resolves it.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># ovn-nbctl lsp-set-addresses 29263d0e-f4f7-4bd5-9e4e-4383eb7df3c8 unknown</span></span><br><span class="line"><span class="comment"># ovn-nbctl lsp-set-addresses 720ba611-5bc9-4bef-b56b-46ff1b42c270 unknown</span></span><br><span class="line"><span class="comment"># ovn-nbctl lsp-set-addresses 288debcb-dae0-41a7-aaeb-ba567c391ceb unknown</span></span><br></pre></td></tr></table></figure>
<p>If the network still does not pass traffic, check whether port security is configured on the OVS cluster network. If it is, the port may have been added to the DropAll port group, which drops its packets.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># ovn-nbctl list logical_switch_port 288debcb-dae0-41a7-aaeb-ba567c391ceb</span></span><br><span class="line">_uuid : cf218523-5d0c-4bfa-ab39-7bf3d2b66995</span><br><span class="line">addresses : [unknown]</span><br><span class="line">dhcpv4_options : bed6def8-6333-475a-94a3-b65ad3ef4601</span><br><span class="line">dhcpv6_options : []</span><br><span class="line">dynamic_addresses : []</span><br><span class="line">enabled : <span class="literal">true</span></span><br><span class="line">external_ids : {ovirt_device_id=<span class="string">"942816d4-70e9-44aa-bf74-d7e4e7f55b48"</span>, ovirt_device_owner=oVirt, ovirt_nic_name=<span class="string">"nic1"</span>, ovirt_security_groups=<span class="string">""</span>}</span><br><span class="line">ha_chassis_group : []</span><br><span class="line">name : <span class="string">"288debcb-dae0-41a7-aaeb-ba567c391ceb"</span></span><br><span class="line">options : {}</span><br><span class="line">parent_name : []</span><br><span class="line">port_security : []<span class="comment">#check whether port security is enabled on this port</span></span><br><span class="line">tag : []</span><br><span class="line">tag_request : []</span><br><span class="line"><span class="built_in">type</span> : <span class="string">""</span></span><br><span class="line">up : <span class="literal">true</span></span><br></pre></td></tr></table></figure>
<p>If the network on oVirt still does not pass traffic, check the virtualization platform's nwfilter settings and delete the nwfilter binding that corresponds to the port.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">virsh <span class="comment"># nwfilter-binding-list </span></span><br><span class="line"> Port Dev Filter </span><br><span class="line">------------------------------------------------------------------</span><br><span class="line"> vnet0 vdsm-no-mac-spoofing</span><br><span class="line"> vnet2 vdsm-no-mac-spoofing</span><br><span class="line"> vnet3 vdsm-no-mac-spoofing</span><br><span class="line"> vnet4 vdsm-no-mac-spoofing</span><br><span class="line"> vnet5 vdsm-no-mac-spoofing</span><br><span class="line"> vnet6 vdsm-no-mac-spoofing</span><br><span class="line"></span><br><span class="line">virsh <span class="comment"># nwfilter-binding-delete vnet2</span></span><br></pre></td></tr></table></figure>
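<p>Setting a port's addresses to <code>unknown</code>, leaving <code>port_security</code> empty, or deleting the <code>vdsm-no-mac-spoofing</code> binding each removes a layer of address enforcement for that VM, so it is worth keeping an inventory of where that was done. As an added example (not the project's own tooling), this Python script parses <code>ovn-nbctl list logical_switch_port</code> records in the format shown above and reports, for each VM-facing port, which enforcement it lacks. The records are constructed for the example.</p>

```python
from typing import Dict, List

# Constructed records in the "ovn-nbctl list logical_switch_port" format,
# modelled on the output above (fields not needed here are omitted).
SAMPLE_LIST = """\
_uuid               : cf218523-5d0c-4bfa-ab39-7bf3d2b66995
addresses           : [unknown]
external_ids        : {ovirt_device_owner=oVirt, ovirt_nic_name="nic1"}
name                : "288debcb-dae0-41a7-aaeb-ba567c391ceb"
port_security       : []
type                : ""
up                  : true

_uuid               : 11111111-2222-3333-4444-555555555555
addresses           : ["02:ac:10:ff:00:11 192.168.1.20"]
external_ids        : {}
name                : switchA_portA
port_security       : ["02:ac:10:ff:00:11 192.168.1.20"]
type                : ""
up                  : true

_uuid               : 66666666-7777-8888-9999-000000000000
addresses           : ["02:ac:10:ff:01:88"]
external_ids        : {}
name                : switchA2routerA
options             : {router-port=routerA2switchA}
port_security       : []
type                : router
up                  : false
"""


def parse_ovn_list(text: str) -> List[Dict[str, str]]:
    """Split ovn-nbctl/ovn-sbctl 'list' output into one dict per record.
    Records are separated by blank lines; each line is 'key : value'."""
    records, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                records.append(cur)
                cur = {}
            continue
        key, sep, val = line.partition(":")   # first colon only; values may contain MACs
        if sep:
            cur[key.strip()] = val.strip()
    if cur:
        records.append(cur)
    return records


def audit_port_security(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each VM-facing port (type "") to the enforcement it lacks.
    Empty port_security: OVN does not check the source MAC/IP the VM sends.
    'unknown' in addresses: the switch floods unknown-destination frames to this port."""
    report = {}
    for r in records:
        if r.get("type", '""').strip('"') != "":
            continue                              # router/localnet ports are not VMs
        name = r.get("name", "?").strip('"')
        flags = []
        if r.get("port_security", "[]") == "[]":
            flags.append("no port_security: source MAC/IP not enforced")
        if "unknown" in r.get("addresses", ""):
            flags.append("addresses contain unknown: receives flooded unknown-destination frames")
        if flags:
            report[name] = flags
    return report


if __name__ == "__main__":
    for port, flags in audit_port_security(parse_ovn_list(SAMPLE_LIST)).items():
        print(port, "->", "; ".join(flags))
```

Feed it the output of <code>ovn-nbctl list logical_switch_port</code> (all ports at once) and diff the report over time; a port that newly appears in it is a port whose protections were relaxed.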
<p>If the network configuration needs to persist across reboots, write it into the following file.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#on node1</span></span><br><span class="line"><span class="comment">#vim /etc/rc.d/rc.local</span></span><br><span class="line">ip addr del 172.16.126.71/24 dev eth0</span><br><span class="line">ip addr add 172.16.126.71/24 dev dataNet</span><br><span class="line">ip link <span class="built_in">set</span> dataNet up</span><br><span class="line"></span><br><span class="line"><span class="comment">#on node2</span></span><br><span class="line"><span class="comment">#vim /etc/rc.d/rc.local</span></span><br><span class="line">ip addr del 172.16.126.72/24 dev eth0</span><br><span class="line">ip addr add 172.16.126.72/24 dev dataNet</span><br><span class="line">ip link <span class="built_in">set</span> dataNet up</span><br><span class="line"></span><br><span class="line"><span class="comment">#make the file executable, otherwise it is not run at boot</span></span><br><span class="line">[root@openstack ~]<span class="comment"># chmod u+x /etc/rc.d/rc.local</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#if the commands did not take effect, check the system log</span></span><br><span class="line">[root@openstack ~]<span class="comment">#cat /var/log/messages | grep rc.local</span></span><br></pre></td></tr></table></figure>
<p>Note: rc.local runs after the operating system has fully booted but before any login shell is started. The environment variables configured in /etc/profile or bashrc have therefore not been sourced and are not in effect, so none of them are visible while rc.local runs. This is a common reason why an autostart command added there does nothing: if a command in rc.local depends on an environment variable, it can fail because that variable is not set yet.</p>
<p>Solution: add the required export statements to rc.local before the startup commands, or write the startup commands so that they do not depend on environment variables.</p>
<h2 id="设置NAT"><a href="#设置NAT" class="headerlink" title="设置NAT"></a>Configuring NAT</h2><p>Add SNAT so that the internal networks can reach the external network.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#ovn-nbctl lr-nat-add routerA snat 172.16.126.74 192.168.1.0/24</span></span><br><span class="line"><span class="comment">#ovn-nbctl lr-nat-add routerA snat 172.16.126.74 192.168.2.0/24</span></span><br></pre></td></tr></table></figure>
<p>Add DNAT so that the external network can reach an internal service.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#ovn-nbctl lr-nat-add routerA dnat_and_snat 172.16.126.75 192.168.1.20</span></span><br></pre></td></tr></table></figure>
<p>View the northbound database configuration at this point.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># ovn-nbctl show</span></span><br><span class="line">switch 1d8ff1a1-91d5-46f5-9f9b-ce631353e102 (switchA)</span><br><span class="line"> port switchA_portA</span><br><span class="line"> addresses: [<span class="string">"02:ac:10:ff:00:11 192.168.1.20"</span>]</span><br><span class="line"> port switchA2routerA</span><br><span class="line"> <span class="built_in">type</span>: router</span><br><span class="line"> addresses: [<span class="string">"02:ac:10:ff:01:88"</span>]</span><br><span class="line"> router-port: routerA2switchA</span><br><span class="line"> port switchA_portB</span><br><span class="line"> addresses: [<span class="string">"02:ac:10:ff:00:22 192.168.1.30"</span>]</span><br><span class="line">switch 0acd0085-18ab-489e-85db-67f31173c17d (switchB)</span><br><span class="line"> port switchB_portB</span><br><span class="line"> addresses: [<span class="string">"02:ac:10:ff:00:44 192.168.2.50"</span>]</span><br><span class="line"> port switchB_portA</span><br><span class="line"> addresses: [<span class="string">"02:ac:10:ff:00:33 192.168.2.40"</span>]</span><br><span class="line"> port switchB2routerA</span><br><span class="line"> <span class="built_in">type</span>: router</span><br><span class="line"> addresses: [<span class="string">"02:ac:10:ff:01:99"</span>]</span><br><span class="line"> router-port: routerA2switchB</span><br><span class="line">switch 082b74b1-9d01-4989-914a-60ad66a3bdbf (switch_external)</span><br><span class="line"> port external2routerA</span><br><span class="line"> <span class="built_in">type</span>: router</span><br><span class="line"> addresses: [<span class="string">"02:ac:10:ff:01:77"</span>]</span><br><span class="line"> router-port: routerA2external</span><br><span class="line"> port external_port</span><br><span class="line"> <span class="built_in">type</span>: localnet</span><br><span class="line"> addresses: [<span 
class="string">"unknown"</span>]</span><br><span class="line">router bd119949-3cf7-4440-b79e-f861feb7d5a5 (routerA)</span><br><span class="line"> port routerA2external</span><br><span class="line"> mac: <span class="string">"02:ac:10:ff:01:77"</span></span><br><span class="line"> networks: [<span class="string">"172.16.126.74/24"</span>]</span><br><span class="line"> gateway chassis: [3d564c9f-d126-44a5-b604-0e165472e759 74ad0b26-6dde-4f0a-8244-c786e30ce953]</span><br><span class="line"> port routerA2switchB</span><br><span class="line"> mac: <span class="string">"02:ac:10:ff:01:99"</span></span><br><span class="line"> networks: [<span class="string">"192.168.2.1/24"</span>]</span><br><span class="line"> port routerA2switchA</span><br><span class="line"> mac: <span class="string">"02:ac:10:ff:01:88"</span></span><br><span class="line"> networks: [<span class="string">"192.168.1.1/24"</span>]</span><br><span class="line"> nat af870889-880d-418f-8cd4-8208d7935d9b</span><br><span class="line"> external ip: <span class="string">"172.16.126.74"</span></span><br><span class="line"> logical ip: <span class="string">"192.168.1.0/24"</span></span><br><span class="line"> <span class="built_in">type</span>: <span class="string">"snat"</span></span><br><span class="line"> nat b7af144a-1e0c-4ba0-b30e-672769e38339</span><br><span class="line"> external ip: <span class="string">"172.16.126.74"</span></span><br><span class="line"> logical ip: <span class="string">"192.168.2.0/24"</span></span><br><span class="line"> <span class="built_in">type</span>: <span class="string">"snat"</span></span><br><span class="line"> nat bf84a00a-94c0-4895-b4d2-d5053fe4675f</span><br><span class="line"> external ip: <span class="string">"172.16.126.75"</span></span><br><span class="line"> logical ip: <span class="string">"192.168.1.20"</span></span><br><span class="line"> <span class="built_in">type</span>: <span class="string">"dnat_and_snat"</span></span><br></pre></td></tr></table></figure>
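<p>To make the effect of the three NAT rows above concrete, here is an added Python model (not OVN's own code) of the router's NAT stages: it validates the rules against the external subnet of routerA2external and then answers two questions, which external address a given internal source leaves with, and which internal host an external destination is forwarded to. The rules are taken from the commands above; the assumption that the rule with the most specific <code>logical_ip</code> wins on egress mirrors how OVN prioritises its SNAT flows (longest prefix first), which is why vm1 at 192.168.1.20 leaves as 172.16.126.75 rather than 172.16.126.74.</p>

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NatRule:
    kind: str          # "snat", "dnat" or "dnat_and_snat", as in ovn-nbctl lr-nat-add
    external_ip: str   # address on the external network
    logical_ip: str    # host address, or a CIDR prefix for snat


# Constructed from the three lr-nat-add commands above.
RULES = [
    NatRule("snat", "172.16.126.74", "192.168.1.0/24"),
    NatRule("snat", "172.16.126.74", "192.168.2.0/24"),
    NatRule("dnat_and_snat", "172.16.126.75", "192.168.1.20"),
]
# Subnet of routerA2external (172.16.126.74/24).
EXTERNAL_NET = ipaddress.ip_network("172.16.126.0/24")


def validate_rules(rules: List[NatRule], external_net) -> List[str]:
    """Mistakes OVN accepts at configuration time but that silently break traffic."""
    errs = []
    for r in rules:
        if r.kind not in ("snat", "dnat", "dnat_and_snat"):
            errs.append(f"{r.external_ip}: unknown NAT type {r.kind!r}")
            continue
        if ipaddress.ip_address(r.external_ip) not in external_net:
            errs.append(f"{r.external_ip}: not inside external network {external_net}")
        if r.kind != "snat" and "/" in r.logical_ip:
            errs.append(f"{r.logical_ip}: DNAT needs a single host, not a prefix")
    return errs


def translate_egress(rules: List[NatRule], src: str) -> str:
    """Source address after the SNAT stage for a packet leaving towards the external
    network. Assumption: the matching rule with the longest logical_ip prefix wins."""
    ip = ipaddress.ip_address(src)
    best_len, best_ext = -1, str(ip)
    for r in rules:
        if r.kind not in ("snat", "dnat_and_snat"):
            continue
        net = ipaddress.ip_network(r.logical_ip, strict=False)   # host -> /32
        if ip in net and net.prefixlen > best_len:
            best_len, best_ext = net.prefixlen, r.external_ip
    return best_ext


def translate_ingress(rules: List[NatRule], dst: str) -> Optional[str]:
    """Internal destination for a packet arriving from outside, or None when no DNAT
    matches, in which case the router has nothing to forward it to."""
    dst = str(ipaddress.ip_address(dst))
    for r in rules:
        if r.kind in ("dnat", "dnat_and_snat") and r.external_ip == dst:
            return r.logical_ip
    return None


if __name__ == "__main__":
    print("config errors:", validate_rules(RULES, EXTERNAL_NET))
    for host in ("192.168.1.20", "192.168.1.30", "192.168.2.40"):
        print(host, "leaves as", translate_egress(RULES, host))
    for ext in ("172.16.126.75", "172.16.126.74"):
        print(ext, "forwarded to", translate_ingress(RULES, ext))
```

Only the dnat_and_snat address is reachable from outside; the shared SNAT address 172.16.126.74 is also the router port's own address and has no inbound mapping.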
<h2 id="测试NAT的连接性"><a href="#测试NAT的连接性" class="headerlink" title="测试NAT的连接性"></a>Testing NAT connectivity</h2><p>Access the external network from vm1.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># ip netns exec vm1 ping 172.16.126.221</span></span><br><span class="line">PING 172.16.126.221 (172.16.126.221) 56(84) bytes of data.</span><br><span class="line">64 bytes from 172.16.126.221: icmp_seq=1 ttl=63 time=1.09 ms</span><br><span class="line">64 bytes from 172.16.126.221: icmp_seq=2 ttl=63 time=0.236 ms</span><br><span class="line">^C</span><br><span class="line">--- 172.16.126.221 ping statistics ---</span><br></pre></td></tr></table></figure>
<p>Access the service on vm2 from the external network.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># ping 172.16.126.75</span></span><br><span class="line">PING 172.16.126.75 (172.16.126.75) 56(84) bytes of data.</span><br><span class="line">64 bytes from 172.16.126.75: icmp_seq=1 ttl=63 time=0.764 ms</span><br><span class="line">64 bytes from 172.16.126.75: icmp_seq=2 ttl=63 time=0.205 ms</span><br><span class="line">64 bytes from 172.16.126.75: icmp_seq=3 ttl=63 time=0.189 ms</span><br><span class="line">64 bytes from 172.16.126.75: icmp_seq=4 ttl=63 time=0.088 ms</span><br><span class="line">^C</span><br><span class="line">--- 172.16.126.75 ping statistics ---</span><br><span class="line">4 packets transmitted, 4 received, 0% packet loss, time 3000ms</span><br></pre></td></tr></table></figure>
<p>There is also a more involved way to configure NAT: create the NAT rows in the northbound database directly with the generic create command and attach each one to the router in the same transaction. It is worth knowing. Note that the router in this topology is named routerA (see the show output above), and that the inbound mapping for vm1 is of type dnat_and_snat, so that is the type to create here as well:</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Each command creates one NAT row and, in the same transaction, appends it to the router's nat column</span></span><br><span class="line"><span class="comment">#ovn-nbctl -- --id=@nat create nat type="snat" logical_ip=192.168.1.0/24 external_ip=172.16.126.74 -- add logical_router routerA nat @nat</span></span><br><span class="line"><span class="comment">#ovn-nbctl -- --id=@nat create nat type="snat" logical_ip=192.168.2.0/24 external_ip=172.16.126.74 -- add logical_router routerA nat @nat</span></span><br><span class="line"><span class="comment"># type="dnat" alone would only translate inbound traffic; dnat_and_snat matches the entry listed above and also SNATs vm1's own outbound traffic to 172.16.126.75</span></span><br><span class="line"><span class="comment">#ovn-nbctl -- --id=@nat create nat type="dnat_and_snat" logical_ip=192.168.1.20 external_ip=172.16.126.75 -- add logical_router routerA nat @nat</span></span><br></pre></td></tr></table></figure>
<h1 id="网络安全相关配置"><a href="#网络安全相关配置" class="headerlink" title="网络安全相关配置"></a>Network security configuration</h1><h2 id="端口组"><a href="#端口组" class="headerlink" title="端口组"></a>Port groups</h2><h3 id="添加端口组"><a href="#添加端口组" class="headerlink" title="添加端口组"></a>Adding a port group</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#ovn-nbctl pg-add pg_default</span></span><br></pre></td></tr></table></figure>
<h3 id="查看端口组"><a href="#查看端口组" class="headerlink" title="查看端口组"></a>Listing port groups</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># ovn-nbctl list port_group</span></span><br><span class="line">_uuid : 452cad08-1afa-45ea-a199-18d3dab9c334</span><br><span class="line">acls : []</span><br><span class="line">external_ids : {}</span><br><span class="line">name : pg_default</span><br><span class="line">ports : []</span><br></pre></td></tr></table></figure>
<h3 id="添加端口到端口组"><a href="#添加端口到端口组" class="headerlink" title="添加端口到端口组"></a>Adding ports to a port group</h3><p>Only logical switch ports can be members; logical router ports cannot be added.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#ovn-nbctl pg-set-ports pg_default switchA_portA switchA_portB switchB_portA switchB_portB</span></span><br><span class="line"><span class="comment">#ovn-nbctl list port_group</span></span><br><span class="line">_uuid : 452cad08-1afa-45ea-a199-18d3dab9c334</span><br><span class="line">acls : []</span><br><span class="line">external_ids : {}</span><br><span class="line">name : pg_default</span><br><span class="line">ports : [616f220c-3f87-4c72-a8c4-617a4d0f42ad, 6b283ec9-e2a2-4013-bad3-0ec0a8fa20d5, aba2c95e-2ed6-4616-89d6-c52fdf49ba60, bbb3d86d-cd69-4279-a9e3-0bd7297f7db7]</span><br></pre></td></tr></table></figure>
<h3 id="从端口组删除端口"><a href="#从端口组删除端口" class="headerlink" title="从端口组删除端口"></a>Removing a port from a port group</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># ovn-nbctl remove port_group pg_default ports 616f220c-3f87-4c72-a8c4-617a4d0f42ad</span></span><br><span class="line"><span class="comment"># ovn-nbctl list port_group</span></span><br><span class="line">_uuid : 452cad08-1afa-45ea-a199-18d3dab9c334</span><br><span class="line">acls : []</span><br><span class="line">external_ids : {}</span><br><span class="line">name : pg_default</span><br><span class="line">ports : [6b283ec9-e2a2-4013-bad3-0ec0a8fa20d5, aba2c95e-2ed6-4616-89d6-c52fdf49ba60, bbb3d86d-cd69-4279-a9e3-0bd7297f7db7]</span><br></pre></td></tr></table></figure>
<h3 id="往端口组增加单个端口"><a href="#往端口组增加单个端口" class="headerlink" title="往端口组增加单个端口"></a>Adding a single port to a port group</h3><p>With the generic add command the port has to be given by UUID, not by name (pg-set-ports accepts names, but it replaces the whole member list).</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># ovn-nbctl add port_group pg_default ports 616f220c-3f87-4c72-a8c4-617a4d0f42ad</span></span><br><span class="line"><span class="comment"># ovn-nbctl list port_group</span></span><br><span class="line">_uuid : 452cad08-1afa-45ea-a199-18d3dab9c334</span><br><span class="line">acls : []</span><br><span class="line">external_ids : {}</span><br><span class="line">name : pg_default</span><br><span class="line">ports : [616f220c-3f87-4c72-a8c4-617a4d0f42ad, 6b283ec9-e2a2-4013-bad3-0ec0a8fa20d5, aba2c95e-2ed6-4616-89d6-c52fdf49ba60, bbb3d86d-cd69-4279-a9e3-0bd7297f7db7]</span><br></pre></td></tr></table></figure>
<h3 id="删除端口组"><a href="#删除端口组" class="headerlink" title="删除端口组"></a>Deleting a port group</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#ovn-nbctl pg-del pg_default</span></span><br></pre></td></tr></table></figure>
<h2 id="定义ACL规则"><a href="#定义ACL规则" class="headerlink" title="定义ACL规则"></a>Defining ACL rules</h2><h3 id="基本定义"><a href="#基本定义" class="headerlink" title="基本定义"></a>Basics</h3><p>An ACL is always attached to a logical switch or a port group: every rule needs such an owner and cannot be created on its own. ACLs are not applied to ports of type localnet or router.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">priority: integer 0-32767; the higher the number, the higher the priority</span><br><span class="line">direction: from-lport (traffic entering the switch from a port, matched with inport) or to-lport (traffic leaving the switch toward a port, matched with outport)</span><br><span class="line">match: match expression; ACLs cannot match on ports of type=router or type=localnet; outport can only be used in the to-lport direction, inport in both to-lport and from-lport</span><br><span class="line">action: allow-related (forward the packet and, through conntrack, the reply and related traffic of the same connection, e.g. responses and fragments), allow (forward the packet), drop (discard the packet), reject (discard the packet and answer with a TCP RST for TCP, or an ICMP unreachable message for other IP traffic)</span><br><span class="line">Notes:</span><br><span class="line">ip: any IP packet</span><br><span class="line">tcp: any TCP segment, e.g. tcp.dst == 22 is SSH</span><br></pre></td></tr></table></figure>
<h3 id="增加ACL规则"><a href="#增加ACL规则" class="headerlink" title="增加ACL规则"></a>Adding ACL rules</h3><p>Apply a policy to switchA that locks down port switchA_portB completely: drop every IPv4 packet the switch would deliver to switchA_portB (outbound from the switch's point of view, inbound from the VM's).</p>
<p>Mind the quoting: the port name inside the match must be a double-quoted string literal, and the whole match is wrapped in single quotes so that the shell passes those double quotes through unchanged. Without this ovn-nbctl either rejects the match or the rule never matches anything.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Apply the ACL</span></span><br><span class="line"><span class="comment">#ovn-nbctl acl-add switchA to-lport 1000 'outport == "switchA_portB" && ip4' drop</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Check the VM's traffic: every packet is lost. vm2 (192.168.1.30, behind switchA_portB) still sends its echo requests, but the replies are dropped when the switch delivers them to its port</span></span><br><span class="line"><span class="comment"># ip netns exec vm2 ping 192.168.2.50</span></span><br><span class="line">PING 192.168.2.50 (192.168.2.50) 56(84) bytes of data.</span><br><span class="line">^C</span><br><span class="line">--- 192.168.2.50 ping statistics ---</span><br><span class="line">175 packets transmitted, 0 received, 100% packet loss, time 175013ms</span><br></pre></td></tr></table></figure>
<h3 id="修改ACL规则"><a href="#修改ACL规则" class="headerlink" title="修改ACL规则"></a>Modifying ACL rules</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># First look up the ACL row</span></span><br><span class="line"><span class="comment"># ovn-nbctl list acl</span></span><br><span class="line">_uuid : 5efa45de-9f30-4993-beaa-ed5eb09e444a</span><br><span class="line">action : drop</span><br><span class="line">direction : to-lport</span><br><span class="line">external_ids : {}</span><br><span class="line"><span class="built_in">log</span> : <span class="literal">false</span></span><br><span class="line">match : <span class="string">"outport == \"switchA_portB\" && ip4"</span></span><br><span class="line">meter : []</span><br><span class="line">name : []</span><br><span class="line">priority : 1000</span><br><span class="line">severity : []</span><br><span class="line"></span><br><span class="line"><span class="comment"># Change the match to switchA_portA; the inner double quotes are escaped because the value as a whole is a double-quoted OVSDB string</span></span><br><span class="line"><span class="comment"># ovn-nbctl set acl 5efa45de-9f30-4993-beaa-ed5eb09e444a match='"outport == \"switchA_portA\" && ip4"'</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Check the VMs' traffic: vm2 (switchA_portB) is no longer blocked, vm1 (switchA_portA) now is</span></span><br><span class="line"><span class="comment"># ip netns exec vm2 ping 172.16.126.220</span></span><br><span class="line">PING 172.16.126.220 (172.16.126.220) 56(84) bytes of data.</span><br><span class="line">64 bytes from 172.16.126.220: icmp_seq=1 ttl=63 time=1.49 ms</span><br><span class="line">64 bytes from 172.16.126.220: icmp_seq=2 ttl=63 time=0.794 ms</span><br><span class="line">^C</span><br><span class="line">--- 172.16.126.220 ping statistics ---</span><br><span class="line">2 packets transmitted, 2 received, 0% packet loss, time 1043ms</span><br><span class="line"></span><br><span class="line"><span class="comment"># ip netns exec vm1 ping 172.16.126.220</span></span><br><span class="line">PING 172.16.126.220 (172.16.126.220) 56(84) bytes of data.</span><br><span class="line">^C</span><br><span class="line">--- 172.16.126.220 ping statistics ---</span><br><span class="line">3 packets transmitted, 0 received, 100% packet loss, time 2000ms</span><br></pre></td></tr></table></figure>
<h3 id="增加web访问ACL规则"><a href="#增加web访问ACL规则" class="headerlink" title="增加web访问ACL规则"></a>Adding an ACL for web access</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># First start a web server on vm1 (switchA, 192.168.1.20); on Python 3 the equivalent is python3 -m http.server 8000</span></span><br><span class="line"><span class="comment"># rm /tmp/www -rf</span></span><br><span class="line"><span class="comment"># mkdir -p /tmp/www</span></span><br><span class="line"><span class="comment"># echo "i am vm1" > /tmp/www/index.html</span></span><br><span class="line"><span class="comment"># cd /tmp/www</span></span><br><span class="line"><span class="comment"># ls</span></span><br><span class="line">index.html</span><br><span class="line"><span class="comment"># ip netns exec vm1 python -m SimpleHTTPServer 8000</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Verify that the other VMs can reach the web service</span></span><br><span class="line"><span class="comment"># ip netns exec vm3 curl 192.168.1.20:8000</span></span><br><span class="line">i am vm1</span><br><span class="line"><span class="comment"># ip netns exec vm2 curl 192.168.1.20:8000</span></span><br><span class="line">i am vm1</span><br><span class="line"><span class="comment"># ip netns exec vm4 curl 192.168.1.20:8000</span></span><br><span class="line">i am vm1</span><br><span class="line"></span><br><span class="line"><span class="comment"># The server log shows the three clients (vm3, vm2, vm4)</span></span><br><span class="line"><span class="comment"># ip netns exec vm1 python -m SimpleHTTPServer 8000</span></span><br><span class="line">Serving HTTP on 0.0.0.0 port 8000 ...</span><br><span class="line">192.168.2.40 - - [19/Nov/2021 09:56:23] <span class="string">"GET / HTTP/1.1"</span> 200 -</span><br><span class="line">192.168.1.30 - - [19/Nov/2021 09:56:51] <span class="string">"GET / HTTP/1.1"</span> 200 -</span><br><span class="line">192.168.2.50 - - [19/Nov/2021 09:56:58] <span class="string">"GET / HTTP/1.1"</span> 200 -</span><br><span class="line"></span><br><span class="line"><span class="comment"># Add drop rules in both directions so that access fails</span></span><br><span class="line"><span class="comment"># ovn-nbctl acl-add switchA to-lport 100 'outport == "switchA_portA" && ip4' drop</span></span><br><span class="line"><span class="comment"># ovn-nbctl acl-add switchA from-lport 100 'inport == "switchA_portA" && ip4' drop</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Now none of the other VMs can reach vm1's web service</span></span><br><span class="line"><span class="comment"># ip netns exec vm4 curl 192.168.1.20:8000</span></span><br><span class="line">^C</span><br><span class="line"><span class="comment"># ip netns exec vm2 curl 192.168.1.20:8000</span></span><br><span class="line">^C</span><br><span class="line"><span class="comment"># ip netns exec vm3 curl 192.168.1.20:8000</span></span><br><span class="line">^C</span><br><span class="line"></span><br><span class="line"><span class="comment"># Add an allow rule so that VMs on switchB can reach the web service while VMs on switchA still cannot. allow-related commits the connection to conntrack, so vm1's replies leaving switchA_portA are accepted even though the from-lport drop at priority 100 matches them; with a plain allow, and no stateful rule on the switch, those replies would be dropped</span></span><br><span class="line"><span class="comment"># ovn-nbctl acl-add switchA to-lport 1000 'outport == "switchA_portA" && ip4.src == 192.168.2.0/24 && tcp.dst == 8000' allow-related</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Test again: vm2 on switchA still cannot reach the web service, but vm3 and vm4 on switchB can</span></span><br><span class="line"><span class="comment"># ip netns exec vm2 curl 192.168.1.20:8000</span></span><br><span class="line">^C</span><br><span class="line"><span class="comment"># ip netns exec vm4 curl 192.168.1.20:8000</span></span><br><span class="line">i am vm1</span><br><span class="line"><span class="comment"># ip netns exec vm3 curl 192.168.1.20:8000</span></span><br><span class="line">i am vm1</span><br><span class="line"></span><br><span class="line"><span class="comment"># Delete the ACLs</span></span><br><span class="line"><span class="comment"># ovn-nbctl acl-del switchA</span></span><br></pre></td></tr></table></figure>
<h3 id="从逻辑交换机移除该ACL规则"><a href="#从逻辑交换机移除该ACL规则" class="headerlink" title="从逻辑交换机移除该ACL规则"></a>Detaching the ACL from the logical switch</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">ovn-nbctl remove logical_switch 1d8ff1a1-91d5-46f5-9f9b-ce631353e102 acls 5efa45de-9f30-4993-beaa-ed5eb09e444a</span><br></pre></td></tr></table></figure>
<h3 id="彻底删除ACL规则"><a href="#彻底删除ACL规则" class="headerlink" title="彻底删除ACL规则"></a>Deleting ACL rules outright</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># This clears every ACL attached to switchA</span></span><br><span class="line"><span class="comment">#ovn-nbctl acl-del switchA</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># This deletes a single ACL; direction, priority and match must be reproduced exactly, whitespace included</span></span><br><span class="line"><span class="comment"># ovn-nbctl acl-del switchA to-lport 1000 'outport == "switchA_portA" && ip4'</span></span><br></pre></td></tr></table></figure>
<h3 id="列出ACL规则"><a href="#列出ACL规则" class="headerlink" title="列出ACL规则"></a>Listing ACL rules</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># List the ACLs on the logical switch; at this point all rules have been deleted, so the output is empty</span></span><br><span class="line"><span class="comment">#ovn-nbctl acl-list switchA</span></span><br></pre></td></tr></table></figure>
<h3 id="添加ACL规则到端口组"><a href="#添加ACL规则到端口组" class="headerlink" title="添加ACL规则到端口组"></a>Adding ACL rules to a port group</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># An ACL attached to a port group is installed on every logical switch that has a member port. This match has no outport term, so it applies to all ports of switchA and switchB, not only to the members; add outport == @pg_default to the match to restrict it to the group</span></span><br><span class="line"><span class="comment">#ovn-nbctl acl-add pg_default to-lport 1000 'ip4 && ip4.src == 172.16.126.0/24' drop</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># The port group's ACL is now listed</span></span><br><span class="line"><span class="comment"># ovn-nbctl acl-list pg_default</span></span><br><span class="line"> to-lport 1000 (ip4 && ip4.src == 172.16.126.0/24) drop</span><br><span class="line"></span><br><span class="line"><span class="comment"># Packets from 172.16.126.0/24 are now dropped on delivery to the VMs, so from their point of view that subnet is unreachable (the echo requests still go out, the replies never arrive); other subnets are unaffected</span></span><br><span class="line"><span class="comment"># ip netns exec vm1 ping 172.16.126.220</span></span><br><span class="line">PING 172.16.126.220 (172.16.126.220) 56(84) bytes of data.</span><br><span class="line">^C</span><br><span class="line">--- 172.16.126.220 ping statistics ---</span><br><span class="line">3 packets transmitted, 0 received, 100% packet loss, time 2000ms</span><br><span class="line"></span><br><span class="line"><span class="comment"># ip netns exec vm1 ping 192.168.1.30</span></span><br><span class="line">PING 192.168.1.30 (192.168.1.30) 56(84) bytes of data.</span><br><span class="line">64 bytes from 192.168.1.30: icmp_seq=1 ttl=64 time=1.73 ms</span><br><span class="line">64 bytes from 192.168.1.30: icmp_seq=2 ttl=64 time=0.587 ms</span><br><span class="line">^C</span><br><span class="line">--- 192.168.1.30 ping statistics ---</span><br><span class="line">2 packets transmitted, 2 received, 0% packet loss, time 1001ms</span><br><span class="line">rtt min/avg/max/mdev = 0.587/1.158/1.730/0.572 ms</span><br><span class="line"></span><br><span class="line"><span class="comment"># ip netns exec vm1 ping 192.168.2.40</span></span><br><span class="line">PING 192.168.2.40 (192.168.2.40) 56(84) bytes of data.</span><br><span class="line">64 bytes from 192.168.2.40: icmp_seq=1 ttl=63 time=0.424 ms</span><br><span class="line">64 bytes from 192.168.2.40: icmp_seq=2 ttl=63 time=0.080 ms</span><br><span class="line">^C</span><br><span class="line">--- 192.168.2.40 ping statistics ---</span><br><span class="line">2 packets transmitted, 2 received, 0% packet loss, time 999ms</span><br><span class="line">rtt min/avg/max/mdev = 0.080/0.252/0.424/0.172 ms</span><br></pre></td></tr></table></figure>
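<p>As an added example that is not part of the original page, the following shell script ties the port-group and ACL commands of this section into one default-deny policy: the group is recreated with the given member ports (destroying it also removes any ACLs it owned), IPv4 traffic is dropped in both directions, one TCP service is allowed from a client network with allow-related, and DHCP requests are let through. Every match names the group with @PG, which is the restriction the port-group ACL above lacks. It assumes ovn-nbctl is on PATH and reaches the northbound database; the group name pg_web, the client network 192.168.2.0/24, port 8000 and the member port names are arguments chosen to mirror the web example above, and DRY_RUN=1 prints the commands instead of running them.</p>

```sh
#!/bin/sh
# Added example (not from the original page): lock a port group down to one
# service with ovn-nbctl. Assumptions: ovn-nbctl is on PATH and reaches the
# northbound database; the group name, allowed client CIDR, TCP port and the
# member logical switch ports are passed as arguments. DRY_RUN=1 prints the
# commands instead of running them.
set -eu

# Run ovn-nbctl, or print a copy-pasteable command line when DRY_RUN=1.
nb() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'ovn-nbctl'
        for arg in "$@"; do
            case $arg in
                *' '*) printf " '%s'" "$arg" ;;
                *)     printf ' %s' "$arg" ;;
            esac
        done
        printf '\n'
    else
        ovn-nbctl "$@"
    fi
}

# ovn_lockdown PG CLIENT_CIDR TCP_PORT LSP...
ovn_lockdown() {
    pg=$1; cidr=$2; port=$3; shift 3

    # Recreate the group from scratch so the resulting policy is deterministic.
    # ACL rows are not root rows, so the ACLs of a destroyed group go with it.
    nb --if-exists destroy port_group "$pg"
    nb pg-add "$pg" "$@"

    # Default deny in both directions. Every match names the group with @PG:
    # a port-group ACL is installed on every switch that has a member port,
    # so without that term it would hit all ports of those switches. Matching
    # on ip rather than on everything keeps ARP and ND working.
    nb acl-add "$pg" to-lport 100 "outport == @$pg && ip" drop
    nb acl-add "$pg" from-lport 100 "inport == @$pg && ip" drop

    # The one allowed service. allow-related commits the connection to
    # conntrack, so the replies leaving the member port pass although the
    # from-lport drop above would match them on its own.
    nb acl-add "$pg" to-lport 1000 \
        "outport == @$pg && ip4.src == $cidr && tcp.dst == $port" allow-related

    # Members still need DHCP: the switch's DHCP responder runs after the
    # ingress ACL stage, so the request must be allowed (northd installs its
    # own high-priority flows that let the responses back out).
    nb acl-add "$pg" from-lport 1000 \
        "inport == @$pg && ip4 && udp.src == 68 && udp.dst == 67" allow

    nb acl-list "$pg"
}

# Usage: DRY_RUN=1 sh ovn_lockdown.sh pg_web 192.168.2.0/24 8000 switchA_portA
if [ $# -ge 4 ]; then
    ovn_lockdown "$@"
fi
```

<p>Run it with DRY_RUN=1 first and compare the printed acl-add lines with the acl-list output afterwards. The two drop rules must keep a lower priority than every allow rule: OVN evaluates the highest-priority matching ACL, so an allow at 1000 wins over a drop at 100 for the same packet.</p>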
<h3 id="从端口组移除ACL规则"><a href="#从端口组移除ACL规则" class="headerlink" title="从端口组移除ACL规则"></a>Removing an ACL from a port group</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Only detach the ACL from the port group</span></span><br><span class="line"><span class="comment"># ovn-nbctl remove port_group 452cad08-1afa-45ea-a199-18d3dab9c334 acls a97c8206-8cee-4de8-8c4e-0e54fb2448e3</span></span><br></pre></td></tr></table></figure>
<h3 id="彻底删除端口组ACL规则"><a href="#彻底删除端口组ACL规则" class="headerlink" title="彻底删除端口组ACL规则"></a>Deleting a port group ACL outright</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#ovn-nbctl acl-del pg_default to-lport 1000 'ip4 && ip4.src == 172.16.126.0/24'</span></span><br></pre></td></tr></table></figure>
<h3 id="直接摧毁ACL规则"><a href="#直接摧毁ACL规则" class="headerlink" title="直接摧毁ACL规则"></a>Destroying an ACL directly</h3><p>This deletes the ACL row from the database directly. If the ACL is still attached to a logical switch or a port group, the transaction fails with a referential-integrity error (OVSDB reports the remaining references). In the northbound schema the ACL table is not a root table, so a row that is no longer referenced by any switch or port group is garbage-collected automatically; destroy is therefore only needed while the row still exists, and acl-del, or remove ... acls, is the normal way to get rid of a rule.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># ovn-nbctl destroy acl a97c8206-8cee-4de8-8c4e-0e54fb2448e3</span></span><br></pre></td></tr></table></figure>
<h1 id="服务质量(Qos)"><a href="#服务质量(Qos)" class="headerlink" title="服务质量(Qos)"></a>Quality of service (QoS)</h1><p>QoS can be configured for a single port or for a whole logical switch. The terms used below:</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">priority: 0-32767</span><br><span class="line">direction: from-lport or to-lport</span><br><span class="line">match: match expression selecting the traffic the QoS rule applies to</span><br><span class="line">action: key/value pair; the key must be dscp and the value 0-63; when set, matching flows are marked with that DSCP value</span><br><span class="line">bandwidth: key/value pairs; the key must be rate or burst and the value 1-4,294,967,295; rate is in kbps, burst in kilobits</span><br></pre></td></tr></table></figure>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">dscp: Differentiated Services Code Point. The IETF published the Diff-Serv (Differentiated Services) QoS classification standard in December 1998. It reuses the 8-bit TOS byte of the IP header: 6 bits carry the DSCP value, so DSCP ranges from 0 to 63, and the other 2 bits are not part of DSCP (they are used for ECN). The 6 DSCP bits take the place of the old "IP precedence" and "type of service" fields, and the standard values are chosen so that older routers that only understand IP precedence still interpret them sensibly. In short, DSCP marks the service class in the IP header so that traffic can be told apart and prioritised at the IP layer.</span><br><span class="line">rate: bandwidth limit in kbps (kilobits per second)</span><br><span class="line">burst: burst size in kilobits (1 kilobit = 125 bytes)</span><br></pre></td></tr></table></figure>
<h2 id="针对端口的Qos"><a href="#针对端口的Qos" class="headerlink" title="针对端口的Qos"></a>Per-port QoS</h2><h3 id="添加端口Qos"><a href="#添加端口Qos" class="headerlink" title="添加端口Qos"></a>Adding port QoS</h3><blockquote>
<p>This mechanism only supports QoS in the egress direction and only for traffic between hosts; the supported QoS range is 1M to 100M.</p>
</blockquote>
<p>qos_max_rate: </p>
<p>If set, the maximum rate at which data is sent from this interface, in bits per second (bit/s); traffic is shaped to this limit.</p>
<p>qos_burst: </p>
<p>If set, the maximum burst size for data sent from this interface, in bits.</p>
<ul>
<li>OVN exposes per-port QoS through options on the logical switch port</li>
</ul>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Set QoS on switchA_portA; the rate is in bit/s and the burst in bits. The option keys are qos_max_rate and qos_burst</span></span><br><span class="line"><span class="comment"># (the original session used the misspelt key qos_brust; an unknown key is stored in options but ignored by ovn-controller)</span></span><br><span class="line"><span class="comment">#ovn-nbctl set logical_switch_port switchA_portA options:qos_max_rate=1000000</span></span><br><span class="line"><span class="comment">#ovn-nbctl set logical_switch_port switchA_portA options:qos_burst=1000000</span></span><br><span class="line"><span class="comment">#ovn-nbctl find logical_switch_port name=switchA_portA</span></span><br><span class="line">_uuid : 616f220c-3f87-4c72-a8c4-617a4d0f42ad</span><br><span class="line">addresses : [<span class="string">"02:ac:10:ff:00:11 192.168.1.20"</span>]</span><br><span class="line">dhcpv4_options : 1e204723-aa55-405f-a9c5-8a36aaf40805</span><br><span class="line">dhcpv6_options : []</span><br><span class="line">dynamic_addresses : []</span><br><span class="line">enabled : []</span><br><span class="line">external_ids : {}</span><br><span class="line">ha_chassis_group : []</span><br><span class="line">name : switchA_portA</span><br><span class="line">options : {qos_burst=<span class="string">"1000000"</span>, qos_max_rate=<span class="string">"1000000"</span>}</span><br><span class="line">parent_name : []</span><br><span class="line">port_security : [<span class="string">"02:ac:10:ff:00:11"</span>]</span><br><span class="line">tag : []</span><br><span class="line">tag_request : []</span><br><span class="line"><span class="built_in">type</span> : <span class="string">""</span></span><br><span class="line">up : <span class="literal">true</span></span><br></pre></td></tr></table></figure>
<ul>
<li>When ovn-controller binds a local port it records that port's QoS parameters in its local qos_map</li>
<li>The shaping is applied on the egress interface reached through the remote_ip of the overlay (tunnel) port, i.e. the tunnel's tunnel_egress_iface</li>
</ul>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># ovs-vsctl list interface "ovn-74ad0b-0"</span></span><br><span class="line">_uuid : 0fe33a87-70f7-4df3-bfe9-cc042d914bb4</span><br><span class="line">admin_state : up</span><br><span class="line">bfd : {<span class="built_in">enable</span>=<span class="string">"true"</span>}</span><br><span class="line">bfd_status : {diagnostic=<span class="string">"No Diagnostic"</span>, flap_count=<span class="string">"1"</span>, forwarding=<span class="string">"true"</span>, remote_diagnostic=<span class="string">"No Diagnostic"</span>, remote_state=up, state=up}</span><br><span class="line">cfm_fault : []</span><br><span class="line">cfm_fault_status : []</span><br><span class="line">cfm_flap_count : []</span><br><span class="line">cfm_health : []</span><br><span class="line">cfm_mpid : []</span><br><span class="line">cfm_remote_mpids : []</span><br><span class="line">cfm_remote_opstate : []</span><br><span class="line">duplex : []</span><br><span class="line">error : []</span><br><span class="line">external_ids : {}</span><br><span class="line">ifindex : 12</span><br><span class="line">ingress_policing_burst: 0</span><br><span class="line">ingress_policing_rate: 0</span><br><span class="line">lacp_current : []</span><br><span class="line">link_resets : 0</span><br><span class="line">link_speed : []</span><br><span class="line">link_state : up</span><br><span class="line">lldp : {}</span><br><span class="line">mac : []</span><br><span class="line">mac_in_use : <span class="string">"06:31:46:b7:15:ff"</span></span><br><span class="line">mtu : []</span><br><span class="line">mtu_request : []</span><br><span class="line">name : <span class="string">"ovn-74ad0b-0"</span></span><br><span class="line">ofport : 9</span><br><span class="line">ofport_request : []</span><br><span class="line">options : {csum=<span class="string">"true"</span>, key=flow, remote_ip=<span 
class="string">"172.16.126.72"</span>}</span><br><span class="line">other_config : {}</span><br><span class="line">statistics : {rx_bytes=1421868, rx_packets=21453, tx_bytes=62710399906, tx_packets=46918276}</span><br><span class="line">status : {tunnel_egress_iface=dataNet, tunnel_egress_iface_carrier=up}</span><br><span class="line"><span class="built_in">type</span> : geneve</span><br></pre></td></tr></table></figure>
<ul>
<li>Inspect the linux-htb configuration on the egress interface: no qdisc or class has been created, so no shaping is in place</li>
</ul>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># tc -d -s -p qdisc show dev dataNet</span></span><br><span class="line">qdisc noqueue 0: root refcnt 2</span><br><span class="line"> Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)</span><br><span class="line"> backlog 0b 0p requeues 0</span><br><span class="line"></span><br><span class="line"><span class="comment"># tc -d -s -p class show dev dataNet</span></span><br></pre></td></tr></table></figure>
<h3 id="测试端口qos"><a href="#测试端口qos" class="headerlink" title="测试端口qos"></a>Testing port QoS</h3><p>When testing, open the iperf port in the hosts' firewall first.</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># ip netns exec vm2 iperf3 -s -i 10 -p 1100</span></span><br><span class="line">-----------------------------------------------------------</span><br><span class="line">Server listening on 1100</span><br><span class="line">-----------------------------------------------------------</span><br><span class="line">Accepted connection from 192.168.1.20, port 49898</span><br><span class="line">[ 5] <span class="built_in">local</span> 192.168.1.30 port 1100 connected to 192.168.1.20 port 49900</span><br><span class="line">[ ID] Interval Transfer Bandwidth</span><br><span class="line">[ 5] 0.00-10.01 sec 0.00 Bytes 0.00 bits/sec</span><br><span class="line">[ 5] 10.01-20.01 sec 0.00 Bytes 0.00 bits/sec</span><br><span class="line">[ 5] 20.01-30.00 sec 0.00 Bytes 0.00 bits/sec</span><br><span class="line">[ 5] 30.00-30.03 sec 0.00 Bytes 0.00 bits/sec</span><br><span class="line">- - - - - - - - - - - - - - - - - - - - - - - - -</span><br><span class="line">[ ID] Interval Transfer Bandwidth</span><br><span class="line">[ 5] 0.00-30.03 sec 0.00 Bytes 0.00 bits/sec sender</span><br><span class="line">[ 5] 0.00-30.03 sec 0.00 Bytes 0.00 bits/sec receiver</span><br><span class="line">-----------------------------------------------------------</span><br><span class="line">Server listening on 1100</span><br><span class="line">-----------------------------------------------------------</span><br><span class="line"></span><br><span class="line"><span class="comment"># ip netns exec vm1 iperf3 -c 192.168.1.30 -i 3 -t 30 -p 1100</span></span><br><span class="line">Connecting to host 192.168.1.30, port 1100</span><br><span class="line">[ 4] <span class="built_in">local</span> 192.168.1.20 port 49900 connected to 192.168.1.30 port 1100</span><br><span class="line">[ ID] Interval Transfer Bandwidth Retr Cwnd</span><br><span class="line">[ 4] 0.00-3.00 sec 84.8 KBytes 231 Kbits/sec 3 
1.41 KBytes</span><br><span class="line">[ 4] 3.00-6.00 sec 0.00 Bytes 0.00 bits/sec 1 1.41 KBytes</span><br><span class="line">[ 4] 6.00-9.00 sec 0.00 Bytes 0.00 bits/sec 1 1.41 KBytes</span><br><span class="line">[ 4] 9.00-12.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes</span><br><span class="line">[ 4] 12.00-15.00 sec 0.00 Bytes 0.00 bits/sec 1 1.41 KBytes</span><br><span class="line">[ 4] 15.00-18.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes</span><br><span class="line">[ 4] 18.00-21.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes</span><br><span class="line">[ 4] 21.00-24.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes</span><br><span class="line">[ 4] 24.00-27.00 sec 0.00 Bytes 0.00 bits/sec 1 1.41 KBytes</span><br><span class="line">[ 4] 27.00-30.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes</span><br><span class="line">- - - - - - - - - - - - - - - - - - - - - - - - -</span><br><span class="line">[ ID] Interval Transfer Bandwidth Retr</span><br><span class="line">[ 4] 0.00-30.00 sec 84.8 KBytes 23.2 Kbits/sec 7 sender</span><br><span class="line">[ 4] 0.00-30.00 sec 0.00 Bytes 0.00 bits/sec receiver</span><br><span class="line"></span><br><span class="line">iperf Done.</span><br></pre></td></tr></table></figure>
<p>The sender reports 23.2 Kbits/sec, while the configured limit was 1000000 bit/s, i.e. 1000 Kbits/sec. The transfer is nowhere near the limit, so this is a stalled connection rather than a working rate limiter, and the experiment cannot be called a success. The tc output above already shows why: no htb qdisc was ever installed on dataNet, so ovn-controller never programmed the shaping. Before blaming the network namespaces, check that the two endpoints sit on different chassis (the shaper only acts on tunnel egress), that ovn-northd assigned a queue (options:qdisc_queue_id on the port's Port_Binding row in the southbound database), that the OVS qos and queue tables on the sending chassis are populated, and that the option key is spelled qos_burst. The same test was therefore repeated in the production environment.</p>
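<p>The following check script is an added example, not code from the original page. It sets both QoS options in one transaction and then walks the chain described in the list above: the northbound options, the queue id that ovn-northd writes into the southbound Port_Binding row, the tunnel egress interface on the chassis, the linux-htb rows in the local OVS QoS table, and the root qdisc that tc reports on that interface. The parsers take command output on stdin, so they can be exercised offline against the constructed samples embedded in the script (copied from the output shown on this page); qos_verify assumes that ovn-nbctl, ovn-sbctl, ovs-vsctl and tc are on PATH on the chassis hosting the port, and the tunnel port name ovn-74ad0b-0 used in the usage line is the one from the ovs-vsctl output above.</p>

```sh
#!/bin/sh
# Added example (not from the original page): check whether a per-port QoS
# setting in the northbound database actually reached the sending chassis.
# The parsers read command output from stdin so they can be tested offline;
# qos_verify wires them to ovn-nbctl, ovn-sbctl, ovs-vsctl and tc, which are
# assumed to be on PATH on the chassis that hosts the port.
set -eu

# Set both QoS options in one transaction (the keys are qos_max_rate and
# qos_burst; a misspelt key is stored in options but never applied).
qos_set() { # qos_set LSP MAX_RATE_BITS_PER_SEC BURST_BITS
    ovn-nbctl set logical_switch_port "$1" \
        "options:qos_max_rate=$2" "options:qos_burst=$3"
}

# Tunnel egress interface from `ovs-vsctl list interface TUNNEL_PORT` output.
egress_iface() {
    sed -n 's/.*tunnel_egress_iface=\([^,} ]*\).*/\1/p' | head -n 1
}

# Queue id from `ovn-sbctl list port_binding LSP` output; "none" if northd
# did not allocate one (then ovn-controller has nothing to shape with).
queue_id() {
    sed -n 's/.*qdisc_queue_id="\{0,1\}\([0-9]*\).*/\1/p' | grep . || echo none
}

# Kind of the root qdisc in `tc qdisc show dev IF` output; "none" if empty.
# OVN's shaper shows up as htb; noqueue or pfifo_fast mean nothing was installed.
root_qdisc() {
    awk '$1 == "qdisc" && /root/ { print $2; found = 1; exit }
         END { if (!found) print "none" }'
}

# qos_verify LSP TUNNEL_PORT, e.g. qos_verify switchA_portA ovn-74ad0b-0
qos_verify() {
    iface=$(ovs-vsctl list interface "$2" | egress_iface)
    echo "NB options : $(ovn-nbctl --bare --columns=options list logical_switch_port "$1")"
    echo "SB queue   : $(ovn-sbctl list port_binding "$1" | queue_id)"
    echo "egress if  : ${iface:-unknown}"
    echo "OVS qos    : $(ovs-vsctl --bare --columns=type list qos | grep -c htb) linux-htb row(s)"
    if [ -n "$iface" ]; then
        echo "root qdisc : $(tc qdisc show dev "$iface" | root_qdisc)"
    else
        echo "root qdisc : skipped (egress interface unknown)"
    fi
}

# Constructed samples, copied from the command output shown on this page, so
# the parsers can be run without an OVN chassis at hand.
SAMPLE_OVS='status              : {tunnel_egress_iface=dataNet, tunnel_egress_iface_carrier=up}'
SAMPLE_TC='qdisc noqueue 0: root refcnt 2'

if [ $# -eq 2 ]; then
    qos_verify "$1" "$2"
fi
```

<p>A healthy result prints a numeric queue id, at least one linux-htb row and htb as the root qdisc. Fed the samples from this page, the parsers return noqueue and none, which matches the tc output above and is the real symptom to chase: the limit was never installed, so its value could not have mattered.</p>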
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Network test before configuring QoS</span></span><br><span class="line">[root@ovn-node2 ~]<span class="comment"># iperf3 -s -i 10 -p 1100</span></span><br><span class="line">-----------------------------------------------------------</span><br><span class="line">Server listening on 1100</span><br><span class="line">-----------------------------------------------------------</span><br><span class="line">Accepted connection from 172.16.126.71, port 34432</span><br><span class="line">[ 5] <span class="built_in">local</span> 172.16.126.72 port 1100 connected to 172.16.126.71 port 34434</span><br><span class="line">[ ID] Interval Transfer Bandwidth</span><br><span class="line">[ 5] 0.00-10.00 sec 1.08 GBytes 931 Mbits/sec</span><br><span class="line">[ 5] 10.00-20.00 sec 1.09 GBytes 938 Mbits/sec</span><br><span class="line">[ 5] 20.00-30.00 sec 1.08 GBytes 925 Mbits/sec</span><br><span class="line">[ 5] 30.00-40.00 sec 1.08 GBytes 930 Mbits/sec</span><br><span class="line">[ 5] 40.00-50.00 sec 1.09 GBytes 939 Mbits/sec</span><br><span class="line">[ 5] 50.00-60.00 sec 1.07 GBytes 916 Mbits/sec</span><br><span class="line">[ 5] 60.00-70.00 sec 1.09 GBytes 933 Mbits/sec</span><br><span class="line">[ 5] 70.00-80.00 sec 1.09 GBytes 939 Mbits/sec</span><br><span class="line">[ 5] 80.00-90.00 sec 1.06 GBytes 914 Mbits/sec</span><br><span class="line">[ 5] 90.00-100.00 sec 1.00 GBytes 861 Mbits/sec</span><br><span class="line">[ 5] 100.00-100.06 sec 6.61 MBytes 933 Mbits/sec</span><br><span class="line">- - - - - - - - - - - - - - - - - - - - - - - - -</span><br><span class="line">[ ID] Interval Transfer Bandwidth</span><br><span class="line">[ 5] 0.00-100.06 sec 0.00 Bytes 0.00 bits/sec sender</span><br><span class="line">[ 5] 0.00-100.06 sec 10.7 GBytes 923 Mbits/sec receiver</span><br><span class="line">-----------------------------------------------------------</span><br><span 
class="line">Server listening on 1100</span><br><span class="line">-----------------------------------------------------------</span><br><span class="line"></span><br><span class="line">[root@ovn-node1 ~]<span class="comment"># iperf3 -c 172.16.126.72 -i 1 -t 100 -p 1100</span></span><br><span class="line">Connecting to host 172.16.126.72, port 1100</span><br><span class="line">[ 4] <span class="built_in">local</span> 172.16.126.71 port 34434 connected to 172.16.126.72 port 1100</span><br><span class="line">[ ID] Interval Transfer Bandwidth Retr Cwnd</span><br><span class="line">[ 4] 0.00-1.00 sec 109 MBytes 913 Mbits/sec 14 395 KBytes</span><br><span class="line">[ 4] 1.00-2.00 sec 112 MBytes 940 Mbits/sec 0 567 KBytes</span><br><span class="line">[ 4] 2.00-3.00 sec 112 MBytes 937 Mbits/sec 0 698 KBytes</span><br><span class="line">[ 4] 3.00-4.00 sec 112 MBytes 942 Mbits/sec 0 809 KBytes</span><br><span class="line">[ 4] 4.00-5.00 sec 112 MBytes 942 Mbits/sec 0 905 KBytes</span><br><span class="line">[ 4] 5.00-6.00 sec 112 MBytes 937 Mbits/sec 0 992 KBytes</span><br><span class="line">[ 4] 6.00-7.00 sec 113 MBytes 946 Mbits/sec 0 1.05 MBytes</span><br><span class="line">[ 4] 7.00-8.00 sec 112 MBytes 939 Mbits/sec 7 1.12 MBytes</span><br><span class="line">[ 4] 8.00-9.00 sec 112 MBytes 944 Mbits/sec 0 1.19 MBytes</span><br><span class="line">[ 4] 9.00-10.00 sec 111 MBytes 933 Mbits/sec 18 1.25 MBytes</span><br><span class="line">[ 4] 10.00-11.00 sec 111 MBytes 933 Mbits/sec 0 1.31 MBytes</span><br><span class="line">[ 4] 11.00-12.00 sec 112 MBytes 944 Mbits/sec 0 1.37 MBytes</span><br><span class="line">- - - - - - - - - - - - - - - - - - - - - - - - -</span><br><span class="line">[ ID] Interval Transfer Bandwidth Retr</span><br><span class="line">[ 4] 0.00-100.00 sec 10.7 GBytes 923 Mbits/sec 15941 sender</span><br><span class="line">[ 4] 0.00-100.00 sec 10.7 GBytes 923 Mbits/sec receiver</span><br><span class="line"></span><br><span class="line">iperf 
Done.</span><br></pre></td></tr></table></figure>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Configure QoS on the production port (the option keys are qos_max_rate and qos_burst)</span></span><br><span class="line">[root@engine220 ovirt-engine]<span class="comment"># ovn-nbctl set logical_switch_port 29263d0e-f4f7-4bd5-9e4e-4383eb7df3c8 options:qos_max_rate=1000000</span></span><br><span class="line">[root@engine220 ovirt-engine]<span class="comment"># ovn-nbctl set logical_switch_port 29263d0e-f4f7-4bd5-9e4e-4383eb7df3c8 options:qos_burst=1000000</span></span><br><span class="line">[root@engine220 ovirt-engine]<span class="comment"># ovn-nbctl list logical_switch_port 29263d0e-f4f7-4bd5-9e4e-4383eb7df3c8</span></span><br><span class="line">_uuid : d4304e68-bd4f-4914-9804-a4ec5684c945</span><br><span class="line">addresses : [unknown]</span><br><span class="line">dhcpv4_options : bed6def8-6333-475a-94a3-b65ad3ef4601</span><br><span class="line">dhcpv6_options : []</span><br><span class="line">dynamic_addresses : []</span><br><span class="line">enabled : <span class="literal">true</span></span><br><span class="line">external_ids : {ovirt_device_id=<span class="string">"d6c4f295-b90c-4263-8fb0-80e1c764dd0f"</span>, ovirt_device_owner=oVirt, ovirt_nic_name=<span class="string">"nic1"</span>, ovirt_security_groups=<span class="string">""</span>}</span><br><span class="line">ha_chassis_group : []</span><br><span class="line">name : <span class="string">"29263d0e-f4f7-4bd5-9e4e-4383eb7df3c8"</span></span><br><span class="line">options : {qos_burst=<span class="string">"1000000"</span>, qos_max_rate=<span class="string">"1000000"</span>}</span><br><span class="line">parent_name : []</span><br><span class="line">port_security : []</span><br><span class="line">tag : []</span><br><span class="line">tag_request : []</span><br><span class="line"><span class="built_in">type</span> : <span class="string">""</span></span><br><span class="line">up : <span class="literal">true</span></span><br></pre></td></tr></table></figure>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># bandwidth test after the QoS options were set (iperf3 server on ovn-node2, client on ovn-node1)</span></span><br><span class="line">[root@ovn-node2 ~]<span class="comment"># iperf3 -s -i 10 -p 1100</span></span><br><span class="line">-----------------------------------------------------------</span><br><span class="line">Server listening on 1100</span><br><span class="line">-----------------------------------------------------------</span><br><span class="line">-----------------------------------------------------------</span><br><span class="line">Accepted connection from 172.16.126.71, port 34436</span><br><span class="line">[ 5] <span class="built_in">local</span> 172.16.126.72 port 1100 connected to 172.16.126.71 port 34438</span><br><span class="line">[ ID] Interval Transfer Bandwidth</span><br><span class="line">[ 5] 0.00-10.00 sec 1.08 GBytes 932 Mbits/sec</span><br><span class="line">[ 5] 10.00-20.00 sec 1002 MBytes 841 Mbits/sec</span><br><span class="line">[ 5] 20.00-30.00 sec 1.09 GBytes 939 Mbits/sec</span><br><span class="line">[ 5] 30.00-40.00 sec 1.01 GBytes 867 Mbits/sec</span><br><span class="line">[ 5] 40.00-50.00 sec 1.06 GBytes 911 Mbits/sec</span><br><span class="line">[ 5] 50.00-60.00 sec 1.09 GBytes 939 Mbits/sec</span><br><span class="line">[ 5] 60.00-70.00 sec 1.09 GBytes 934 Mbits/sec</span><br><span class="line">[ 5] 70.00-80.00 sec 1.08 GBytes 929 Mbits/sec</span><br><span class="line">[ 5] 80.00-90.00 sec 1015 MBytes 851 Mbits/sec</span><br><span class="line">[ 5] 90.00-100.00 sec 1.09 GBytes 939 Mbits/sec</span><br><span class="line">[ 5] 100.00-100.06 sec 6.28 MBytes 937 Mbits/sec</span><br><span class="line">- - - - - - - - - - - - - - - - - - - - - - - - -</span><br><span class="line">[ ID] Interval Transfer Bandwidth</span><br><span class="line">[ 5] 0.00-100.06 sec 0.00 Bytes 0.00 bits/sec sender</span><br><span class="line">[ 5] 0.00-100.06 sec 10.6 GBytes 908 Mbits/sec receiver</span><br><span class="line">-----------------------------------------------------------</span><br><span class="line">Server listening on 1100</span><br><span class="line">-----------------------------------------------------------</span><br><span class="line"></span><br><span class="line">[root@ovn-node1 ~]<span class="comment"># iperf3 -c 172.16.126.72 -i 1 -t 100 -p 1100</span></span><br><span class="line">Connecting to host 172.16.126.72, port 1100</span><br><span class="line">[ 4] <span class="built_in">local</span> 172.16.126.71 port 34438 connected to 172.16.126.72 port 1100</span><br><span class="line">[ ID] Interval Transfer Bandwidth Retr Cwnd</span><br><span class="line">[ 4] 0.00-1.00 sec 109 MBytes 914 Mbits/sec 28 309 KBytes</span><br><span class="line">[ 4] 1.00-2.00 sec 112 MBytes 942 Mbits/sec 0 512 KBytes</span><br><span class="line">[ 4] 2.00-3.00 sec 112 MBytes 938 Mbits/sec 0 654 KBytes</span><br><span class="line">[ 4] 3.00-4.00 sec 112 MBytes 936 Mbits/sec 32 766 KBytes</span><br><span class="line">[ 4] 4.00-5.00 sec 112 MBytes 941 Mbits/sec 0 867 KBytes</span><br><span class="line">[ 4] 5.00-6.00 sec 112 MBytes 939 Mbits/sec 0 957 KBytes</span><br><span class="line">[ 4] 6.00-7.00 sec 113 MBytes 947 Mbits/sec 0 1.02 MBytes</span><br><span class="line">[ 4] 7.00-8.00 sec 112 MBytes 938 Mbits/sec 0 1.09 MBytes</span><br><span class="line">[ 4] 8.00-9.00 sec 112 MBytes 941 Mbits/sec 0 1.16 MBytes</span><br><span class="line">[ 4] 9.00-10.00 sec 112 MBytes 944 Mbits/sec 0 1.23 MBytes</span><br><span class="line">[ 4] 10.00-11.00 sec 111 MBytes 933 Mbits/sec 0 1.29 MBytes</span><br><span class="line">[ 4] 11.00-12.00 sec 90.0 MBytes 755 Mbits/sec 1029 2.43 MBytes</span><br><span class="line">[ 4] 12.00-13.00 sec 111 MBytes 933 Mbits/sec 0 3.00 MBytes</span><br><span class="line">- - - - - - - - - - - - - - - - - - - - - - - - -</span><br><span class="line">[ ID] Interval Transfer Bandwidth Retr</span><br><span class="line">[ 4] 0.00-100.00 sec 10.6 GBytes 909 Mbits/sec 24967 sender</span><br><span class="line">[ 4] 0.00-100.00 sec 10.6 GBytes 909 Mbits/sec receiver</span><br></pre></td></tr></table></figure>
<p>The throughput is unchanged, so the per-port rate limit did not take effect. Before accepting that result, check three things. The option key in the second command is misspelled: ovn-controller reads only the documented <code>qos_burst</code> and silently ignores an unknown key, so no burst was ever set. Per-port <code>qos_max_rate</code>/<code>qos_burst</code> shaping is realised by ovn-controller as an OVS QoS queue on the chassis egress interface, and for tunnel traffic that NIC has to be marked with <code>ovs-vsctl set Interface IFACE external_ids:ovn-egress-iface=true</code>; without the marking the port option has nothing to attach to. Finally, the options shape traffic sent from the VM behind that logical port, so one iperf endpoint must be that VM and the other must sit on the far side of the egress interface; the run above is between 172.16.126.71 and 172.16.126.72, so make sure one of them really is the VM attached to port 29263d0e-f4f7-4bd5-9e4e-4383eb7df3c8 rather than a chassis. Clean up the environment:</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">[root@engine220 ovirt-engine]<span class="comment"># ovn-nbctl clear logical_switch_port 29263d0e-f4f7-4bd5-9e4e-4383eb7df3c8 options</span></span><br><span class="line">[root@engine220 ovirt-engine]<span class="comment"># ovn-nbctl list logical_switch_port 29263d0e-f4f7-4bd5-9e4e-4383eb7df3c8</span></span><br><span class="line">_uuid : d4304e68-bd4f-4914-9804-a4ec5684c945</span><br><span class="line">addresses : [unknown]</span><br><span class="line">dhcpv4_options : bed6def8-6333-475a-94a3-b65ad3ef4601</span><br><span class="line">dhcpv6_options : []</span><br><span class="line">dynamic_addresses : []</span><br><span class="line">enabled : <span class="literal">true</span></span><br><span class="line">external_ids : {ovirt_device_id=<span class="string">"d6c4f295-b90c-4263-8fb0-80e1c764dd0f"</span>, ovirt_device_owner=oVirt, ovirt_nic_name=<span class="string">"nic1"</span>, ovirt_security_groups=<span class="string">""</span>}</span><br><span class="line">ha_chassis_group : []</span><br><span class="line">name : <span class="string">"29263d0e-f4f7-4bd5-9e4e-4383eb7df3c8"</span></span><br><span class="line">options : {}</span><br><span class="line">parent_name : []</span><br><span class="line">port_security : []</span><br><span class="line">tag : []</span><br><span class="line">tag_request : []</span><br><span class="line"><span class="built_in">type</span> : <span class="string">""</span></span><br><span class="line">up : <span class="literal">true</span></span><br><span class="line"></span><br><span class="line">[root@ovn-central ~]<span class="comment"># ovn-nbctl clear logical_switch_port switchA_portA options</span></span><br><span class="line">[root@ovn-central ~]<span class="comment"># ovn-nbctl list logical_switch_port switchA_portA</span></span><br><span class="line">_uuid : 616f220c-3f87-4c72-a8c4-617a4d0f42ad</span><br><span class="line">addresses : [<span 
class="string">"02:ac:10:ff:00:11 192.168.1.20"</span>]</span><br><span class="line">dhcpv4_options : 1e204723-aa55-405f-a9c5-8a36aaf40805</span><br><span class="line">dhcpv6_options : []</span><br><span class="line">dynamic_addresses : []</span><br><span class="line">enabled : []</span><br><span class="line">external_ids : {}</span><br><span class="line">ha_chassis_group : []</span><br><span class="line">name : switchA_portA</span><br><span class="line">options : {}</span><br><span class="line">parent_name : []</span><br><span class="line">port_security : [<span class="string">"02:ac:10:ff:00:11"</span>]</span><br><span class="line">tag : []</span><br><span class="line">tag_request : []</span><br><span class="line"><span class="built_in">type</span> : <span class="string">""</span></span><br><span class="line">up : <span class="literal">true</span></span><br></pre></td></tr></table></figure>
<h2 id="针对虚拟交换机的Qos"><a href="#针对虚拟交换机的Qos" class="headerlink" title="针对虚拟交换机的Qos"></a>QoS on a logical switch</h2><h3 id="添加Qos"><a href="#添加Qos" class="headerlink" title="添加Qos"></a>Adding a QoS rule</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># ovn-nbctl qos-add switchA to-lport 900 dscp=55 rate=10 burst=5</span></span><br><span class="line"><span class="comment"># ovn-nbctl list qos</span></span><br><span class="line">_uuid : 4eff7af0-4782-4c9b-8a79-211405579bb8</span><br><span class="line">action : {}</span><br><span class="line">bandwidth : {burst=5, rate=10}</span><br><span class="line">direction : to-lport</span><br><span class="line">external_ids : {}</span><br><span class="line">match : <span class="string">"dscp=55"</span></span><br><span class="line">priority : 900</span><br></pre></td></tr></table></figure>
<h3 id="测试qos"><a href="#测试qos" class="headerlink" title="测试qos"></a>Testing the QoS rule</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># ip netns exec vm1 iperf3 -s -i 10 -p 1100</span></span><br><span class="line">-----------------------------------------------------------</span><br><span class="line">Server listening on 1100</span><br><span class="line">-----------------------------------------------------------</span><br><span class="line">Accepted connection from 192.168.2.50, port 36730</span><br><span class="line">[ 5] <span class="built_in">local</span> 192.168.1.20 port 1100 connected to 192.168.2.50 port 36732</span><br><span class="line">[ ID] Interval Transfer Bandwidth</span><br><span class="line">[ 5] 0.00-10.01 sec 0.00 Bytes 0.00 bits/sec</span><br><span class="line">[ 5] 10.01-20.01 sec 0.00 Bytes 0.00 bits/sec</span><br><span class="line">[ 5] 20.01-30.01 sec 0.00 Bytes 0.00 bits/sec</span><br><span class="line">[ 5] 30.01-30.04 sec 0.00 Bytes 0.00 bits/sec</span><br><span class="line">- - - - - - - - - - - - - - - - - - - - - - - - -</span><br><span class="line">[ ID] Interval Transfer Bandwidth</span><br><span class="line">[ 5] 0.00-30.04 sec 0.00 Bytes 0.00 bits/sec sender</span><br><span class="line">[ 5] 0.00-30.04 sec 0.00 Bytes 0.00 bits/sec receiver</span><br><span class="line">-----------------------------------------------------------</span><br><span class="line">Server listening on 1100</span><br><span class="line">-----------------------------------------------------------</span><br><span class="line"></span><br><span class="line"><span class="comment"># ip netns exec vm4 iperf3 -c 192.168.1.20 -i 3 -t 30 -p 1100</span></span><br><span class="line">Connecting to host 192.168.1.20, port 1100</span><br><span class="line">[ 4] <span class="built_in">local</span> 192.168.2.50 port 36732 connected to 192.168.1.20 port 1100</span><br><span class="line">[ ID] Interval Transfer Bandwidth Retr 
Cwnd</span><br><span class="line">[ 4] 0.00-3.00 sec 84.8 KBytes 231 Kbits/sec 3 1.41 KBytes</span><br><span class="line">[ 4] 3.00-6.00 sec 0.00 Bytes 0.00 bits/sec 1 1.41 KBytes</span><br><span class="line">[ 4] 6.00-9.00 sec 0.00 Bytes 0.00 bits/sec 1 1.41 KBytes</span><br><span class="line">[ 4] 9.00-12.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes</span><br><span class="line">[ 4] 12.00-15.00 sec 0.00 Bytes 0.00 bits/sec 1 1.41 KBytes</span><br><span class="line">[ 4] 15.00-18.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes</span><br><span class="line">[ 4] 18.00-21.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes</span><br><span class="line">[ 4] 21.00-24.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes</span><br><span class="line">[ 4] 24.00-27.00 sec 0.00 Bytes 0.00 bits/sec 1 1.41 KBytes</span><br><span class="line">[ 4] 27.00-30.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes</span><br><span class="line">- - - - - - - - - - - - - - - - - - - - - - - - -</span><br><span class="line">[ ID] Interval Transfer Bandwidth Retr</span><br><span class="line">[ 4] 0.00-30.00 sec 84.8 KBytes 23.2 Kbits/sec 7 sender</span><br><span class="line">[ 4] 0.00-30.00 sec 0.00 Bytes 0.00 bits/sec receiver</span><br><span class="line"></span><br><span class="line">iperf Done.</span><br></pre></td></tr></table></figure>
<p>The test is over and the QoS rule still appears to do nothing. Before concluding that, check two things in the <code>qos-add</code> line. The syntax is <code>ovn-nbctl qos-add SWITCH DIRECTION PRIORITY MATCH [dscp=DSCP] [rate=RATE [burst=BURST]]</code>, so the match is a positional argument: here <code>dscp=55</code> was stored as the match (the <code>list qos</code> output above shows <code>match : "dscp=55"</code> and an empty <code>action</code>), and as a match it is invalid, because OVN has no <code>dscp</code> symbol (the field is <code>ip.dscp</code>); ovn-controller cannot compile such a rule and installs nothing for it. A working rule needs a real match in front of the <code>dscp=</code> action, for example <code>ovn-nbctl qos-add switchA to-lport 900 'outport == "switchA_portA"' dscp=55 rate=10 burst=5</code> (the match is illustrative). Second, <code>rate</code> is in kbit/s and <code>burst</code> in kbit, so <code>rate=10 burst=5</code> asks for a 10 kbit/s ceiling; a TCP stream that stalls under such a limit looks exactly like the result above, not like an unlimited one. Either problem on its own makes the run above meaningless as a test of the rate limit.</p>
<h3 id="编辑Qos"><a href="#编辑Qos" class="headerlink" title="编辑Qos"></a>Editing a QoS rule</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># ovn-nbctl set qos 4eff7af0-4782-4c9b-8a79-211405579bb8 bandwidth:rate=20</span></span><br><span class="line"><span class="comment"># ovn-nbctl list qos</span></span><br><span class="line">_uuid : 4eff7af0-4782-4c9b-8a79-211405579bb8</span><br><span class="line">action : {}</span><br><span class="line">bandwidth : {burst=5, rate=20}</span><br><span class="line">direction : to-lport</span><br><span class="line">external_ids : {}</span><br><span class="line">match : <span class="string">"dscp=55"</span></span><br><span class="line">priority : 900</span><br><span class="line"></span><br><span class="line"><span class="comment"># ovn-nbctl set qos 4eff7af0-4782-4c9b-8a79-211405579bb8 match='dscp\=30'</span></span><br><span class="line"><span class="comment"># ovn-nbctl list qos</span></span><br><span class="line">_uuid : 4eff7af0-4782-4c9b-8a79-211405579bb8</span><br><span class="line">action : {}</span><br><span class="line">bandwidth : {burst=5, rate=20}</span><br><span class="line">direction : to-lport</span><br><span class="line">external_ids : {}</span><br><span class="line">match : <span class="string">"dscp=30"</span></span><br><span class="line">priority : 900</span><br></pre></td></tr></table></figure>
<h3 id="删除Qos"><a href="#删除Qos" class="headerlink" title="删除Qos"></a>Deleting QoS rules</h3><p>Delete all QoS rules on a logical switch:</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#ovn-nbctl qos-del switchA</span></span><br></pre></td></tr></table></figure>
<p>Delete the QoS rules of one direction (to-lport or from-lport) on a logical switch:</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#ovn-nbctl qos-del logical_switchA to-lport</span></span><br></pre></td></tr></table></figure>
<p>Delete a single QoS rule in one direction, identified by its priority and match:</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#ovn-nbctl qos-del switchA to-lport 900 dscp=30</span></span><br></pre></td></tr></table></figure>
<h3 id="列出Qos"><a href="#列出Qos" class="headerlink" title="列出Qos"></a>Listing QoS rules</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#ovn-nbctl qos-list logical_switchA</span></span><br></pre></td></tr></table></figure>
<h1 id="地址集"><a href="#地址集" class="headerlink" title="地址集"></a>Address sets</h1><h2 id="增加地址集"><a href="#增加地址集" class="headerlink" title="增加地址集"></a>Creating an address set</h2><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># put the whole 172.16.126.0/24 network into an address set (the set is named external_ids here, which is also the name of a column; any other name works the same)</span></span><br><span class="line"><span class="comment"># write a prefix as its network address, 172.16.126.0/24: OVN's match parser rejects a prefix constant with host bits set ("Value contains unmasked 1-bits"), and an ACL referencing the set would then fail to compile</span></span><br><span class="line"><span class="comment">#ovn-nbctl create Address_Set name=external_ids addresses='172.16.126.243/24'</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># ovn-nbctl list address_set</span></span><br><span class="line">_uuid : 81d6cf52-9472-41eb-9ebc-c20107e018ed</span><br><span class="line">addresses : [<span class="string">"172.16.126.243/24"</span>]</span><br><span class="line">external_ids : {}</span><br><span class="line">name : external_ids</span><br></pre></td></tr></table></figure>
<h2 id="编辑地址集"><a href="#编辑地址集" class="headerlink" title="编辑地址集"></a>Editing an address set</h2><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># MAC addresses can also be stored in an address set</span></span><br><span class="line"><span class="comment">#ovn-nbctl set Address_Set external_ids addresses='"02:ac:10:ff:00:33","02:ac:10:ff:00:44"'</span></span><br><span class="line"><span class="comment"># ovn-nbctl list address_set</span></span><br><span class="line">_uuid : 81d6cf52-9472-41eb-9ebc-c20107e018ed</span><br><span class="line">addresses : [<span class="string">"02:ac:10:ff:00:33"</span>, <span class="string">"02:ac:10:ff:00:44"</span>]</span><br><span class="line">external_ids : {}</span><br><span class="line">name : external_ids</span><br><span class="line"></span><br><span class="line"><span class="comment"># replace the contents of the set with two individual addresses</span></span><br><span class="line"><span class="comment">#ovn-nbctl set Address_Set external_ids addresses='172.16.126.244,172.16.126.245'</span></span><br><span class="line"><span class="comment"># ovn-nbctl list address_set</span></span><br><span class="line">_uuid : 81d6cf52-9472-41eb-9ebc-c20107e018ed</span><br><span class="line">addresses : [<span class="string">"172.16.126.244"</span>, <span class="string">"172.16.126.245"</span>]</span><br><span class="line">external_ids : {}</span><br><span class="line">name : external_ids</span><br></pre></td></tr></table></figure>
<h2 id="测试地址集"><a href="#测试地址集" class="headerlink" title="测试地址集"></a>Testing the address set</h2><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># reference the address set from an ACL</span></span><br><span class="line"><span class="comment">#ovn-nbctl acl-add switchA to-lport 1000 'outport == "switchA_portA" && ip4 && ip4.src==$external_ids' drop</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># ovn-nbctl list acl</span></span><br><span class="line">_uuid : c61928f9-9d35-4755-9e55-380a16aa3d76</span><br><span class="line">action : drop</span><br><span class="line">direction : to-lport</span><br><span class="line">external_ids : {}</span><br><span class="line"><span class="built_in">log</span> : <span class="literal">false</span></span><br><span class="line">match : <span class="string">"outport == \"switchA_portA\" && ip4 && ip4.src==<span class="variable">$external_ids</span>"</span></span><br><span class="line">meter : []</span><br><span class="line">name : []</span><br><span class="line">priority : 1000</span><br><span class="line">severity : []</span><br><span class="line"></span><br><span class="line"><span class="comment"># testing from node1 now shows the ACL being enforced against the set's members (the echo replies from .244/.245 are dropped at vm1's port)</span></span><br><span class="line"><span class="comment"># ip netns exec vm1 ping 172.16.126.244</span></span><br><span class="line">PING 172.16.126.244 (172.16.126.244) 56(84) bytes of data.</span><br><span class="line">^C</span><br><span class="line">--- 172.16.126.244 ping statistics ---</span><br><span class="line">3 packets transmitted, 0 received, 100% packet loss, time 1999ms</span><br><span class="line"></span><br><span class="line"><span class="comment"># ip netns exec vm1 ping 172.16.126.245</span></span><br><span class="line">PING 172.16.126.245 (172.16.126.245) 56(84) bytes of data.</span><br><span class="line">^C</span><br><span class="line">--- 172.16.126.245 ping statistics ---</span><br><span class="line">3 packets transmitted, 0 received, 100% packet loss, time 1999ms</span><br><span class="line"></span><br><span class="line"><span class="comment"># with MAC addresses in the set, repeated tests showed the same ACL never blocking anything (to be looked at later)</span></span><br><span class="line"><span class="comment"># reason: the ACL compares ip4.src, a 32-bit IPv4 field, against the set, and a 48-bit MAC entry can never equal it; a MAC set is something to compare eth.src against</span></span><br></pre></td></tr></table></figure>
<h2 id="使用nmap创建端口监听测试地址集"><a href="#使用nmap创建端口监听测试地址集" class="headerlink" title="使用nmap创建端口监听测试地址集"></a>Testing the address set with an ncat (nmap) listener</h2><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># listen on port 3306 in vm1</span></span><br><span class="line"><span class="comment">#ip netns exec vm1 ncat -l -p 3306</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># the connection from the other VMs to vm1:3306 could be tested with the command below, but it prints nothing on the listening side, so it is not used here</span></span><br><span class="line"><span class="comment">#ip netns exec vm3 ncat -w 1 192.168.1.20 3306</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># use curl from the other VMs to test the connection to vm1:3306 instead</span></span><br><span class="line"><span class="comment"># ip netns exec vm2 curl 192.168.1.20:3306</span></span><br><span class="line">^C</span><br><span class="line"><span class="comment"># ip netns exec vm4 curl 192.168.1.20:3306</span></span><br><span class="line">^C</span><br><span class="line"><span class="comment"># ip netns exec vm3 curl 192.168.1.20:3306</span></span><br><span class="line">^C</span><br><span class="line"></span><br><span class="line"><span class="comment"># on vm1 each request arrives, so the port is reachable</span></span><br><span class="line"><span class="comment"># ip netns exec vm1 ncat -l -p 3306</span></span><br><span class="line">GET / HTTP/1.1</span><br><span class="line">User-Agent: curl/7.29.0</span><br><span class="line">Host: 192.168.1.20:3306</span><br><span class="line">Accept: */*</span><br><span class="line"></span><br><span class="line"><span class="comment"># ip netns exec vm1 ncat -l -p 3306</span></span><br><span class="line">GET / HTTP/1.1</span><br><span class="line">User-Agent: curl/7.29.0</span><br><span class="line">Host: 192.168.1.20:3306</span><br><span class="line">Accept: */*</span><br><span class="line"></span><br><span class="line"><span class="comment"># ip netns exec vm1 ncat -l -p 3306</span></span><br><span class="line">GET / HTTP/1.1</span><br><span class="line">User-Agent: curl/7.29.0</span><br><span class="line">Host: 192.168.1.20:3306</span><br><span class="line">Accept: */*</span><br><span class="line"></span><br><span class="line"><span class="comment"># change the address set to 192.168.1.30 (vm2) and 192.168.2.50 (vm4)</span></span><br><span class="line"><span class="comment">#ovn-nbctl set Address_Set external_ids addresses='192.168.1.30,192.168.2.50'</span></span><br><span class="line"><span class="comment"># ovn-nbctl list address_set</span></span><br><span class="line">_uuid : d443b492-0ee0-4756-bda7-2391a55bd46e</span><br><span class="line">addresses : [<span class="string">"192.168.1.30"</span>, <span class="string">"192.168.2.50"</span>]</span><br><span class="line">external_ids : {}</span><br><span class="line">name : external_ids</span><br><span class="line"></span><br><span class="line"><span class="comment"># create an ACL that blocks port 3306 on vm1 for the addresses in the set</span></span><br><span class="line"><span class="comment">#ovn-nbctl acl-add switchA to-lport 1000 'outport == "switchA_portA" && ip4.src == $external_ids && tcp.dst == 3306' drop</span></span><br><span class="line"><span class="comment"># ovn-nbctl list acl</span></span><br><span class="line">_uuid : 54774269-76fd-4e0d-93d8-a5f396965b36</span><br><span class="line">action : drop</span><br><span class="line">direction : to-lport</span><br><span class="line">external_ids : {}</span><br><span class="line"><span class="built_in">log</span> : <span class="literal">false</span></span><br><span class="line">match : <span class="string">"outport == \"switchA_portA\" && ip4.src == <span class="variable">$external_ids</span> && tcp.dst == 3306"</span></span><br><span class="line">meter : []</span><br><span class="line">name : []</span><br><span class="line">priority : 1000</span><br><span class="line">severity : []</span><br><span class="line"></span><br><span class="line"><span class="comment"># now test access from the other VMs to vm1:3306 again</span></span><br><span class="line"><span class="comment"># ip netns exec vm1 ncat -l -p 3306</span></span><br><span class="line">GET / HTTP/1.1</span><br><span class="line">User-Agent: curl/7.29.0</span><br><span class="line">Host: 192.168.1.20:3306</span><br><span class="line">Accept: */*</span><br><span class="line"><span class="comment"># ip netns exec vm3 curl 192.168.1.20:3306</span></span><br><span class="line">^C</span><br><span class="line"></span><br><span class="line"><span class="comment"># ip netns exec vm2 ncat -w 1 192.168.1.20 3306</span></span><br><span class="line">Ncat: Connection timed out.</span><br><span class="line"><span class="comment"># ip netns exec vm4 ncat -w 1 192.168.1.20 3306</span></span><br><span class="line">Ncat: Connection timed out.</span><br><span class="line"></span><br><span class="line"><span class="comment"># vm2 and vm4 (members of the set) time out, because drop discards the SYN silently, while vm3 still reaches the port: the address set works</span></span><br></pre></td></tr></table></figure>
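<p>The address-set tests above (the ping test after the first ACL and the port-3306 test after the second) can be reasoned through offline with a small evaluator of the ACL subset used on this page. This is an added example, not code from the page or from OVN: it models only the constructs the page's ACLs use (<code>&&</code>, the bare <code>ip4</code> predicate, <code>inport</code>/<code>outport</code>, <code>ip4.src</code>/<code>ip4.dst</code> against a literal, a CIDR or a <code>$set</code> reference, and <code>tcp.dst</code>), applies the highest-priority matching ACL of the given direction and falls back to OVN's default of allowing an unmatched packet. The packets are constructed; vm3's address (192.168.2.40) and the name of switchA's router-facing port (switchA_routerA) are assumptions, since the page never shows them. It also shows why the MAC-address version of the set blocked nothing: <code>ip4.src</code> is a 32-bit IPv4 field and a MAC entry cannot equal it, so the model leaves such entries out of the comparison (whether ovn-controller skips the entry or rejects the match, the net effect on this page is the same: the ACL does not drop anything).</p>

```python
import ipaddress
import re

# One term of the OVN match subset modelled here: a bare predicate such as "ip4"
# or "tcp", or "field == value". Other operators are not needed for this page's ACLs.
_TERM_RE = re.compile(r"^(?P<field>[a-z0-9_.]+)\s*(?:==\s*(?P<value>.+))?$")


def _ipv4_networks(entries):
    """IPv4 networks from address-set entries or a literal.

    An entry that is not an IPv4 address or prefix (a MAC address, for instance)
    cannot equal a 32-bit ip4.* field, so it contributes nothing to the match.
    """
    nets = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue
        if net.version == 4:
            nets.append(net)
    return nets


def term_matches(term, pkt, address_sets):
    """Evaluate one match term against a packet (a dict of header fields)."""
    m = _TERM_RE.match(term.strip())
    if not m:
        raise ValueError(f"unsupported term: {term!r}")
    field, value = m.group("field"), m.group("value")
    if value is None:                                   # bare predicate
        if field == "ip4":
            return "ip4_src" in pkt
        if field in ("tcp", "udp", "icmp4"):
            return pkt.get("proto") == field
        raise ValueError(f"unsupported predicate: {field!r}")
    value = value.strip()
    if field in ("inport", "outport"):
        return pkt.get(field) == value.strip('"')
    if field in ("ip4.src", "ip4.dst"):
        addr = pkt.get("ip4_src" if field == "ip4.src" else "ip4_dst")
        if addr is None:
            return False
        # "$name" expands to the addresses column of that Address_Set row
        entries = address_sets[value[1:]] if value.startswith("$") else [value]
        return any(ipaddress.ip_address(addr) in net for net in _ipv4_networks(entries))
    if field in ("tcp.src", "tcp.dst", "udp.src", "udp.dst"):
        proto, side = field.split(".")
        return pkt.get("proto") == proto and pkt.get(f"{proto}_{side}") == int(value)
    raise ValueError(f"unsupported field: {field!r}")


def acl_verdict(acls, address_sets, pkt, direction):
    """Action of the highest-priority ACL in `direction` whose match holds;
    a packet that matches no ACL is allowed, which is OVN's default."""
    for acl in sorted(acls, key=lambda a: -a["priority"]):
        if acl["direction"] != direction:
            continue
        if all(term_matches(t, pkt, address_sets) for t in acl["match"].split("&&")):
            return acl["action"]
    return "allow"


# The two ACLs created on this page, as stored in the ACL table.
ACL_PING = {"direction": "to-lport", "priority": 1000, "action": "drop",
            "match": 'outport == "switchA_portA" && ip4 && ip4.src==$external_ids'}
ACL_3306 = {"direction": "to-lport", "priority": 1000, "action": "drop",
            "match": 'outport == "switchA_portA" && ip4.src == $external_ids && tcp.dst == 3306'}


def demo():
    """Replay the page's tests on constructed packets; returns test name -> verdict."""
    def to_vm1(src, proto, dport=None):     # a packet about to be delivered to vm1's port
        pkt = {"outport": "switchA_portA", "proto": proto, "ip4_src": src, "ip4_dst": "192.168.1.20"}
        if dport is not None:
            pkt[f"{proto}_dst"] = dport
        return pkt

    ip_set = {"external_ids": ["172.16.126.244", "172.16.126.245"]}
    mac_set = {"external_ids": ["02:ac:10:ff:00:33", "02:ac:10:ff:00:44"]}
    port_set = {"external_ids": ["192.168.1.30", "192.168.2.50"]}
    # vm1's echo request leaves switchA through the router port (name assumed), untouched ...
    request = {"outport": "switchA_routerA", "proto": "icmp4",
               "ip4_src": "192.168.1.20", "ip4_dst": "172.16.126.244"}
    return {
        "request_out": acl_verdict([ACL_PING], ip_set, request, "to-lport"),
        # ... but the echo reply from a set member is dropped at vm1's port: 100% packet loss
        "reply_ip_set": acl_verdict([ACL_PING], ip_set, to_vm1("172.16.126.244", "icmp4"), "to-lport"),
        # with MAC entries nothing in the set can equal ip4.src, so the same reply gets through
        "reply_mac_set": acl_verdict([ACL_PING], mac_set, to_vm1("172.16.126.244", "icmp4"), "to-lport"),
        # second ACL: vm2 (a member) to 3306 is dropped, to 8000 it is not;
        # vm3 is assumed to be 192.168.2.40, which is not in the set
        "vm2_3306": acl_verdict([ACL_3306], port_set, to_vm1("192.168.1.30", "tcp", 3306), "to-lport"),
        "vm2_8000": acl_verdict([ACL_3306], port_set, to_vm1("192.168.1.30", "tcp", 8000), "to-lport"),
        "vm3_3306": acl_verdict([ACL_3306], port_set, to_vm1("192.168.2.40", "tcp", 3306), "to-lport"),
    }
```

<p>Calling <code>demo()</code> reproduces the page's observations: the ping fails because the reply, not the request, hits the to-lport ACL at vm1's port, and only set members are cut off from port 3306. The model is deliberately strict about what it accepts (any other field or operator raises), so extending it to further OVN fields means adding a branch rather than silently mis-evaluating a rule.</p>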
<h2 id="查看地址集"><a href="#查看地址集" class="headerlink" title="查看地址集"></a>Viewing address sets</h2><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># ovn-nbctl list address_set</span></span><br><span class="line">_uuid : 81d6cf52-9472-41eb-9ebc-c20107e018ed</span><br><span class="line">addresses : [<span class="string">"172.16.126.244"</span>, <span class="string">"172.16.126.245"</span>]</span><br><span class="line">external_ids : {}</span><br><span class="line">name : external_ids</span><br><span class="line"></span><br><span class="line"><span class="comment"># ovn-nbctl find address_set name=external_ids</span></span><br><span class="line">_uuid : 81d6cf52-9472-41eb-9ebc-c20107e018ed</span><br><span class="line">addresses : [<span class="string">"172.16.126.244"</span>, <span class="string">"172.16.126.245"</span>]</span><br><span class="line">external_ids : {}</span><br><span class="line">name : external_ids</span><br></pre></td></tr></table></figure>
<h2 id="删除地址集"><a href="#删除地址集" class="headerlink" title="删除地址集"></a>Deleting an address set</h2><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#ovn-nbctl destroy address_set external_ids</span></span><br></pre></td></tr></table></figure>
<h1 id="LB负载平衡"><a href="#LB负载平衡" class="headerlink" title="LB负载平衡"></a>Load balancing (LB)</h1><p>The OVN load balancer is meant to provide very basic load balancing for workloads inside the OVN logical network. Given its small feature set it is not designed to replace hardware load balancers, which offer many more features for advanced use cases.</p>
<p>Like most other load balancers, it uses a hash-based algorithm to spread requests for a VIP over a pool of IP addresses in the logical space. Because the hash is computed over the headers of the client's connection, the distribution is effectively random, while every individual client connection lands on the same pool member for the lifetime of that connection.</p>
<p>Load balancing in OVN can be applied to a logical switch or to a logical router. Which one to use depends on your requirements; each has its caveats.</p>
<p>When applied to a logical router, keep in mind:</p>
<ul>
<li>Load balancing can only be applied to a "centralized" router, i.e. a gateway router.</li>
<li>Because of the first point, load balancing on a router is not a distributed service.</li>
</ul>
<p>When applied to a logical switch, keep in mind:</p>
<ul>
<li>Load balancing is "distributed" in that it is applied on potentially many OVS hosts.</li>
<li>On a logical switch, load balancing is evaluated only at the ingress of traffic coming from a VIF (virtual interface). It therefore has to be applied on the "client" logical switch, not on the "server" logical switch.</li>
<li>Because of the second point, depending on the size of your design you may have to apply the load balancer to several logical switches.</li>
</ul>
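<p>Two behaviours described above drive the results of the tests that follow: a request is pinned to one backend for the life of its connection, and without a health check new connections keep landing on a backend that has gone away, which is what the alternating <code>Connection refused</code> results in the health-check section further down show. The following is an added model to make both concrete; it is not OVN's or OVS's code and does not claim to reproduce OVN's selection mechanism. It keys the backend choice on a hash of the connection's 5-tuple, keeps a conntrack-style table so later packets of the same connection reuse that choice, and optionally excludes backends a (modelled) monitor has marked down. The VIP and backends are the ones the page configures; vm3's address (192.168.2.40), the use of SHA-256 and the <code>down</code> bookkeeping are this model's assumptions.</p>

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class LoadBalancer:
    """Toy model of a VIP: hash-based backend choice with conntrack-style persistence."""
    vip: str
    vip_port: int
    backends: list                                 # "ip:port" entries, as in the vips column
    health_check: bool = False                     # True: backends marked down are skipped
    down: set = field(default_factory=set)         # what the (modelled) monitor has marked down
    conntrack: dict = field(default_factory=dict)  # 5-tuple -> backend chosen for that connection

    def candidates(self):
        if self.health_check:
            return [b for b in self.backends if b not in self.down]
        return list(self.backends)                 # no monitor: a dead backend stays in the pool

    def forward(self, flow):
        """Backend that receives this packet, or None if the VIP has nowhere to send it.

        flow is (proto, src_ip, src_port, dst_ip, dst_port). The first packet of a
        connection picks a backend by hashing the tuple; every later packet of that
        connection reuses the recorded choice, even after the pool has changed.
        """
        if flow in self.conntrack:
            return self.conntrack[flow]
        if (flow[3], flow[4]) != (self.vip, self.vip_port):
            return None                             # not addressed to the VIP
        pool = self.candidates()
        if not pool:
            return None
        digest = hashlib.sha256(repr(flow).encode()).digest()
        backend = pool[int.from_bytes(digest[:8], "big") % len(pool)]
        self.conntrack[flow] = backend
        return backend


VIP, VIP_PORT = "192.168.1.60", 8000
BACKENDS = ["192.168.1.20:8000", "192.168.1.30:8000"]   # vm1 and vm2, as on the page
VM3 = "192.168.2.40"                                     # vm3's address is assumed


def connections(lb, n=50, first_port=40000):
    """Open n new connections from vm3 to the VIP; returns source port -> chosen backend."""
    return {p: lb.forward(("tcp", VM3, p, VIP, VIP_PORT)) for p in range(first_port, first_port + n)}


def outcome_with_dead_backend(dead, health_check):
    """Count connections that reach a live server vs. those the stopped one refuses."""
    lb = LoadBalancer(VIP, VIP_PORT, list(BACKENDS), health_check=health_check)
    lb.down.add(dead)      # the monitor noticed the outage; only honoured if health_check is on
    chosen = connections(lb)
    refused = sum(1 for b in chosen.values() if b == dead)
    return {"ok": len(chosen) - refused, "refused": refused}


def persistence_demo():
    """A connection keeps its backend although the pool grows after it was opened."""
    lb = LoadBalancer(VIP, VIP_PORT, list(BACKENDS))
    flow = ("tcp", VM3, 40000, VIP, VIP_PORT)
    first = lb.forward(flow)
    lb.backends.append("192.168.1.40:8000")        # an assumed third backend added later
    return first, lb.forward(flow)
```

<p><code>outcome_with_dead_backend("192.168.1.20:8000", health_check=False)</code> sends a share of new connections to the stopped vm1, exactly the mix of answers and refusals curl shows later on this page; with <code>health_check=True</code> every new connection goes to vm2. Connections already in the conntrack table are untouched by either change, which is why a pool update never breaks an established session in this model.</p>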
<h2 id="配置web访问"><a href="#配置web访问" class="headerlink" title="配置web访问"></a>Setting up the web servers</h2><p>On node71 and node72, set up vm1 and vm2 as web servers (both VMs are on logical switch switchA):</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#mkdir /tmp/www</span></span><br><span class="line"><span class="comment">#echo "i am vm1" > /tmp/www/index.html</span></span><br><span class="line"><span class="comment">#cd /tmp/www</span></span><br><span class="line"><span class="comment">#ip netns exec vm1 python -m SimpleHTTPServer 8000</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#mkdir /tmp/www</span></span><br><span class="line"><span class="comment">#echo "i am vm2" > /tmp/www/index.html</span></span><br><span class="line"><span class="comment">#cd /tmp/www</span></span><br><span class="line"><span class="comment">#ip netns exec vm2 python -m SimpleHTTPServer 8000</span></span><br></pre></td></tr></table></figure>
<h2 id="配置逻辑路由器上的LB"><a href="#配置逻辑路由器上的LB" class="headerlink" title="配置逻辑路由器上的LB"></a>LB on a logical router</h2><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># note: 172.16.126.211 is an unused address on the external network; it becomes the VIP</span></span><br><span class="line"><span class="comment"># ovn-nbctl lb-add lb2router 172.16.126.211:8000 "192.168.1.20:8000,192.168.1.30:8000"</span></span><br><span class="line"><span class="comment"># ovn-nbctl lr-lb-add routerA lb2router</span></span><br><span class="line"><span class="comment"># ovn-nbctl lb-list</span></span><br><span class="line">UUID LB PROTO VIP IPs</span><br><span class="line">44396c09-cd56-4609-bc66-135d73660764 lb2router tcp 172.16.126.211:8000 192.168.1.20:8000,192.168.1.30:8000</span><br><span class="line"></span><br><span class="line"><span class="comment"># test the LB from a client on the physical network: requests are spread over vm1 and vm2, so the LB works</span></span><br><span class="line"><span class="comment"># curl 172.16.126.211:8000</span></span><br><span class="line">i am vm2</span><br><span class="line"><span class="comment"># curl 172.16.126.211:8000</span></span><br><span class="line">i am vm2</span><br><span class="line"><span class="comment"># curl 172.16.126.211:8000</span></span><br><span class="line">i am vm2</span><br><span class="line"><span class="comment"># curl 172.16.126.211:8000</span></span><br><span class="line">i am vm1</span><br><span class="line"><span class="comment"># curl 172.16.126.211:8000</span></span><br><span class="line">i am vm1</span><br><span class="line"><span class="comment"># curl 172.16.126.211:8000</span></span><br><span class="line">i am vm1</span><br></pre></td></tr></table></figure>
<h2 id="配置逻辑交换机上的LB"><a href="#配置逻辑交换机上的LB" class="headerlink" title="配置逻辑交换机上的LB"></a>LB on a logical switch</h2><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># note: for an LB on a logical switch the VIP must not belong to that switch's own subnet, so here the LB can only be attached to switchB</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># ovn-nbctl lb-add lb2switch 192.168.1.60:8000 "192.168.1.20:8000,192.168.1.30:8000"</span></span><br><span class="line"><span class="comment"># ovn-nbctl lb-list</span></span><br><span class="line">UUID LB PROTO VIP IPs</span><br><span class="line">44396c09-cd56-4609-bc66-135d73660764 lb2router tcp 172.16.126.211:8000 192.168.1.20:8000,192.168.1.30:8000</span><br><span class="line">c31d23f1-53e4-4514-afb0-b1e40555e1d2 lb2switch tcp 192.168.1.60:8000 192.168.1.20:8000,192.168.1.30:8000</span><br><span class="line"><span class="comment"># ovn-nbctl ls-lb-add switchB lb2switch</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># test the LB from a VM client (vm3 on switchB): requests are spread over vm1 and vm2, so the LB works</span></span><br><span class="line"><span class="comment"># ip netns exec vm3 curl 192.168.1.60:8000</span></span><br><span class="line">i am vm1</span><br><span class="line"><span class="comment"># ip netns exec vm3 curl 192.168.1.60:8000</span></span><br><span class="line">i am vm2</span><br><span class="line"><span class="comment"># ip netns exec vm3 curl 192.168.1.60:8000</span></span><br><span class="line">i am vm2</span><br><span class="line"><span class="comment"># ip netns exec vm3 curl 192.168.1.60:8000</span></span><br><span class="line">i am vm1</span><br><span class="line"><span class="comment"># ip netns exec vm3 curl 192.168.1.60:8000</span></span><br><span class="line">i am vm1</span><br><span class="line"><span class="comment"># ip netns exec vm3 curl 192.168.1.60:8000</span></span><br><span class="line">i am vm1</span><br><span class="line"></span><br><span class="line"><span class="comment"># from a VM on switchA there is no response at all, which confirms that the load balancer has to be attached to the client's logical switch, not to the servers' logical switch</span></span><br><span class="line"><span class="comment"># ip netns exec vm1 curl 192.168.1.60:8000</span></span><br><span class="line">^C</span><br><span class="line"></span><br></pre></td></tr></table></figure>
<h2 id="配置LB的健康检查"><a href="#配置LB的健康检查" class="headerlink" title="配置LB的健康检查"></a>LB health checks</h2><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># no health check yet: stop one web server (vm1, with Ctrl-C below) and watch what the LB does</span></span><br><span class="line"><span class="comment"># ip netns exec vm1 python -m SimpleHTTPServer 8000</span></span><br><span class="line">Serving HTTP on 0.0.0.0 port 8000 ...</span><br><span class="line">172.16.126.70 - - [19/Nov/2021 15:39:28] <span class="string">"GET / HTTP/1.1"</span> 200 -</span><br><span class="line">172.16.126.70 - - [19/Nov/2021 15:39:28] <span class="string">"GET / HTTP/1.1"</span> 200 -</span><br><span class="line">KeyboardInterrupt</span><br><span class="line"></span><br><span class="line"><span class="comment"># without a health check the dead backend stays in the pool, so some requests fail</span></span><br><span class="line"><span class="comment"># ip netns exec vm3 curl 192.168.1.60:8000</span></span><br><span class="line">i am vm2</span><br><span class="line"><span class="comment"># ip netns exec vm3 curl 192.168.1.60:8000</span></span><br><span class="line">curl: (7) Failed connect to 192.168.1.60:8000; Connection refused</span><br><span class="line"><span class="comment"># ip netns exec vm3 curl 192.168.1.60:8000</span></span><br><span class="line">i am vm2</span><br><span class="line"><span class="comment"># ip netns exec vm3 curl 192.168.1.60:8000</span></span><br><span class="line">curl: (7) Failed connect to 192.168.1.60:8000; Connection refused</span><br><span class="line"></span><br><span class="line"><span class="comment"># configure a health check for the LB (other documented options: interval, success_count, failure_count)</span></span><br><span class="line"><span class="comment"># ovn-nbctl -- --id=@hc create load_balancer_health_check vip="192.168.1.60\:8000" options:timeout=10 -- add load_balancer c31d23f1-53e4-4514-afb0-b1e40555e1d2 health_check @hc</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># lb2switch now references the health check</span></span><br><span class="line"><span class="comment"># ovn-nbctl list load_balancer</span></span><br><span class="line">_uuid : c31d23f1-53e4-4514-afb0-b1e40555e1d2</span><br><span class="line">external_ids : {}</span><br><span class="line">health_check : [65dde008-e110-4d55-bc8a-010ab67bb7d4]</span><br><span class="line">ip_port_mappings : {}</span><br><span class="line">name : <span class="string">"lb2switch"</span></span><br><span class="line">protocol : tcp</span><br><span class="line">vips : {<span class="string">"192.168.1.60:8000"</span>=<span class="string">"192.168.1.20:8000,192.168.1.30:8000"</span>}</span><br><span class="line"></span><br><span class="line">_uuid : 44396c09-cd56-4609-bc66-135d73660764</span><br><span class="line">external_ids : {}</span><br><span class="line">health_check : []</span><br><span class="line">ip_port_mappings : {}</span><br><span class="line">name : <span class="string">"lb2router"</span></span><br><span class="line">protocol : tcp</span><br><span class="line">vips : {<span class="string">"172.16.126.211:8000"</span>=<span class="string">"192.168.1.20:8000,192.168.1.30:8000"</span>}</span><br><span class="line"></span><br><span class="line"><span class="comment"># caveat: ip_port_mappings is still empty. The health check probes each backend from the logical port and source IP given in that column, so with no mappings nothing is ever probed and the dead backend is never taken out of rotation;</span></span><br><span class="line"><span class="comment"># add one entry per backend, e.g. ovn-nbctl set load_balancer lb2switch ip_port_mappings:192.168.1.20="switchA_portA:SRC_IP", with SRC_IP an otherwise unused address on the backend's subnet</span></span><br></pre></td></tr></table></figure>
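<p>Both failures recorded on this page (the <code>qos_brust</code> typo in the per-port QoS section above, and the health check just attached to <code>lb2switch</code> while its <code>ip_port_mappings</code> column is still empty) are visible in <code>ovn-nbctl list</code> output before any traffic test. The following added example, which is not code from the page or from OVN, parses that output format (<code>key : value</code> records separated by blank lines, with <code>[...]</code> sets and <code>{k=v, ...}</code> maps, commas inside quoted values included) and runs two checks over it. The option names it accepts (<code>qos_max_rate</code>, <code>qos_burst</code>, <code>qos_min_rate</code>, <code>policing_rate</code>, <code>policing_burst</code>) are the ones documented for <code>Logical_Switch_Port.options</code>; the sample records are trimmed copies of the page's own output, and the corrected load balancer built in <code>demo()</code> rests on two assumptions, <code>switchA_portB</code> as vm2's port name and <code>192.168.1.254</code> as an unused source address for the monitor.</p>

```python
import difflib
import re

_QUOTED = r'"(?:[^"\\]|\\.)*"'
_ITEM_RE = re.compile(rf'(?:{_QUOTED}|[^,"])+')                  # comma-separated items, quoted commas kept
_KV_RE = re.compile(rf'^\s*({_QUOTED}|[^=]+?)\s*=\s*(.*?)\s*$')  # one "key=value" map item

# Logical_Switch_Port.options keys that ovn-controller reads for per-port QoS.
LSP_QOS_OPTIONS = {"qos_max_rate", "qos_burst", "qos_min_rate", "policing_rate", "policing_burst"}


def _unquote(s):
    s = s.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        return s[1:-1].replace('\\"', '"')
    return s


def parse_value(text):
    """Decode one column value as `ovn-nbctl list` prints it: {map}, [set] or scalar."""
    text = text.strip()
    if text.startswith("{") and text.endswith("}"):
        result, inner = {}, text[1:-1].strip()
        for item in (_ITEM_RE.findall(inner) if inner else []):
            m = _KV_RE.match(item)
            if not m:
                raise ValueError(f"bad map item: {item!r}")
            result[_unquote(m.group(1))] = _unquote(m.group(2))
        return result
    if text.startswith("[") and text.endswith("]"):
        inner = text[1:-1].strip()
        return [_unquote(i) for i in _ITEM_RE.findall(inner)] if inner else []
    return _unquote(text)


def parse_nbctl_list(output):
    """Split `ovn-nbctl list TABLE` output (records separated by blank lines) into dicts."""
    records, current = [], {}
    for line in output.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")     # first colon only; values may contain colons
        if not sep:
            raise ValueError(f"not a 'key : value' line: {line!r}")
        current[key.strip()] = parse_value(value)
    if current:
        records.append(current)
    return records


def lint_lsp_qos(lsp):
    """Flag QoS-looking option keys ovn-controller does not know; an unknown key is silently ignored."""
    problems = []
    for key in lsp.get("options", {}):
        if key.startswith(("qos_", "policing_")) and key not in LSP_QOS_OPTIONS:
            hint = difflib.get_close_matches(key, sorted(LSP_QOS_OPTIONS), n=1)
            problems.append(f"{lsp['name']}: unknown option {key!r}"
                            + (f", did you mean {hint[0]!r}?" if hint else ""))
    return problems


def lint_lb_health_check(lb):
    """A health check can only probe backends that have an ip_port_mappings entry."""
    if not lb.get("health_check"):
        return []
    backends = {b.rsplit(":", 1)[0] for targets in lb["vips"].values() for b in targets.split(",")}
    missing = sorted(backends - set(lb.get("ip_port_mappings", {})))
    return [f"{lb['name']}: health_check set but no ip_port_mappings entry for {missing}"] if missing else []


# Trimmed copies of this page's own `ovn-nbctl list` output.
LSP_DUMP = """\
_uuid : d4304e68-bd4f-4914-9804-a4ec5684c945
addresses : [unknown]
enabled : true
external_ids : {ovirt_device_id="d6c4f295-b90c-4263-8fb0-80e1c764dd0f", ovirt_device_owner=oVirt, ovirt_nic_name="nic1", ovirt_security_groups=""}
name : "29263d0e-f4f7-4bd5-9e4e-4383eb7df3c8"
options : {qos_brust="1000000", qos_max_rate="1000000"}
"""
LB_DUMP = """\
_uuid : c31d23f1-53e4-4514-afb0-b1e40555e1d2
health_check : [65dde008-e110-4d55-bc8a-010ab67bb7d4]
ip_port_mappings : {}
name : "lb2switch"
vips : {"192.168.1.60:8000"="192.168.1.20:8000,192.168.1.30:8000"}

_uuid : 44396c09-cd56-4609-bc66-135d73660764
health_check : []
ip_port_mappings : {}
name : "lb2router"
vips : {"172.16.126.211:8000"="192.168.1.20:8000,192.168.1.30:8000"}
"""


def demo():
    """Run both checks over the page's records; returns check name -> list of problems."""
    lsp = parse_nbctl_list(LSP_DUMP)[0]
    lbs = {lb["name"]: lb for lb in parse_nbctl_list(LB_DUMP)}
    # Assumed fix for lb2switch: one "<backend IP>"="<its logical port>:<monitor source IP>"
    # entry per backend (switchA_portB for vm2 and 192.168.1.254 as the source are assumptions).
    fixed = dict(lbs["lb2switch"], ip_port_mappings={"192.168.1.20": "switchA_portA:192.168.1.254",
                                                     "192.168.1.30": "switchA_portB:192.168.1.254"})
    return {"lsp": lint_lsp_qos(lsp),
            "lb2switch": lint_lb_health_check(lbs["lb2switch"]),
            "lb2router": lint_lb_health_check(lbs["lb2router"]),
            "lb2switch_fixed": lint_lb_health_check(fixed)}
```

<p>To check a live database, feed the output of <code>ovn-nbctl list logical_switch_port</code> or <code>ovn-nbctl list load_balancer</code> to <code>parse_nbctl_list</code> and run each record through the matching lint; because the parser splits on the first colon, it also copes with the column-aligned spacing that real <code>ovn-nbctl</code> output has.</p>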
<h1 id="HA高可用"><a href="#HA高可用" class="headerlink" title="HA高可用"></a>HA (high availability)</h1><p>To be updated.</p>
<h1 id="静态路由"><a href="#静态路由" class="headerlink" title="静态路由"></a>Static routes</h1><h2 id="增加静态路由"><a href="#增加静态路由" class="headerlink" title="增加静态路由"></a>Adding a static route</h2><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#ovn-nbctl lr-route-add logical_routerA "192.168.1.0/24" 182.168.1.1</span></span><br></pre></td></tr></table></figure>
<h2 id="删除静态路由"><a href="#删除静态路由" class="headerlink" title="删除静态路由"></a>Deleting a static route</h2><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#ovn-nbctl lr-route-del logical_routerA 192.168.1.0/24</span></span><br></pre></td></tr></table></figure>
<h2 id="列出静态路由"><a href="#列出静态路由" class="headerlink" title="列出静态路由"></a>Listing static routes</h2><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment">#ovn-nbctl lr-route-list logical_routerA</span></span><br></pre></td></tr></table></figure>
]]></content>
<categories>
<category>openvswitch</category>
</categories>
<tags>
<tag>ovn</tag>
</tags>
</entry>
</search>