内容简介:计算机网络,是分层实现的,不同协议工作在不同层,按着OSI的分层模型,共有七个层,我们一般所说的隔离,通常指的是第2层,也叫“数据链路层”;数据链路层的网络包,也叫“帧”,我们常说的网卡的MAC地址,就是帧的地址,MAC,其实是“媒体访问控制”(media access control)的简称,这是数据链路层的一个子层。为什么要在这个二层上做隔离呢?因为二层的帧,其中一些帧的地址是广播地址,在同一个二层的设备都可以、也必须接收这些帧,交换机一般认为工作在二层,对这些广播包,也都要转发,所以二层通常被称为一个
一、隔离
计算机网络,是分层实现的,不同协议工作在不同层,按着OSI的分层模型,共有七个层,我们一般所说的隔离,通常指的是第2层,也叫“数据链路层”;数据链路层的网络包,也叫“帧”,我们常说的网卡的MAC地址,就是帧的地址,MAC,其实是“媒体访问控制”(media access control)的简称,这是数据链路层的一个子层。
为什么要在这个二层上做隔离呢?因为二层的帧,其中一些帧的地址是广播地址,在同一个二层的设备都可以、也必须接收这些帧,交换机一般认为工作在二层,对这些广播包,也都要转发,所以二层通常被称为一个“广播域”。
二、VLAN
Openstack Neutorn的实现核心是二层物理网络的抽象与管理,支持多种不同的网络隔离技术,以保障租户tenant之间的网络隔离,而VLAN就是主要使用的隔离方案,它本身就是交换机广泛使用的二层隔离技术;但这种方案也有一定的局限性,首先管理相对麻烦,需要配合设置物理交换机,另外VLAN的可用数量也有限制,VLAN的ID号仅有四千多个,我们假设每个租户分配1个VLAN,那最多也就能支持四千多个租户。
三、虚拟网络设备
图1:vlan模式下计算节点的虚拟网络拓扑结构图
3.1 在vlan网络模式下,计算节点上虚拟网络设备如下:
(1)tapxxx设备
简单的理解为为虚拟机提供的虚拟网卡,就是VM对应的网口的vNIC。虚拟机的网络功能由vNIC提供,Hypervisor可以为每个虚拟机创建一个或多个vNIC。
(2) qbrxxx设备
Linux网桥,简单理解就是为安全组服务,负责安全;因为不能在tap设备上配置network ACL rules,增加该linux bridge来实现iptable的安全组策略。
(3) qvmxxx设备
qvm主要是给从VM出来的包打上vlan tag。
(4) plyxxx设备
Ovs bridge,主要功能是实现过滤非本机MAC的单播报文。
(5) pvixxx和pvoxxx设备
ply是策略网桥,ply与br-int之间由一对path port连接,连接ply的一端为pvi端口,连接br-int的一端为pvo端口。
(6) br-int设备
br-int集成网桥,主要是帧的转发功能。
(7) int-brcps和phy-brcps设备
主要负责将br-int转发的帧中的vlanid转换。
(8) brcps和trunk0设备
br-cps是Ovs bridge ,Trunk0由eth0和eth1组成的bond(active-backup模式),packets要想进入physical network,还得通过真正的物理网卡trunk0(eth2和eth4),所以将trunk0桥接到br-1上来打通整个链路。
(9) tapuuu设备
DHCP服务监听端口。
3.2 计算节点上的网络设备信息
3.2.1 Linux bridage信息
Compute153:~ # virsh list Id Name State ---------------------------------------------------- 1 instance-00000583 running 2 instance-000005df running 3 instance-00000603 running 4 instance-00000654 running 5 instance-0000068f running 6 instance-000006d7 running 7 instance-0000070d running 9 instance-00000769 running 10 instance-0000090d running 11 instance-00000a37 running
计算节点Compute153上启动了10个虚拟机。
Compute153 :~ # brctl show bridge name bridge id STP enabled interfaces qbr7fc1e7d0-0c 8000.bee6e69f9457 no qvm7fc1e7d0-0c tap7fc1e7d0-0c qbr931641ad-4b 8000.eaa1a27fffcb no qvm931641ad-4b tap931641ad-4b qbr963c4b38-70 8000.7635674ec1fc no qvm963c4b38-70 tap963c4b38-70 qbr9df6f9f9-42 8000.2e1eba67aca5 no qvm9df6f9f9-42 tap9df6f9f9-42 qbrb9dd9478-0f 8000.2e954943421c no qvmb9dd9478-0f tapb9dd9478-0f qbrc24f2999-b9 8000.427df7c7a333 no qvmc24f2999-b9 tapc24f2999-b9 qbrc3833757-af 8000.7e6eb025950b no qvmc3833757-af tapc3833757-af qbrc78917be-9c 8000.1a67a8814d03 no qvmc78917be-9c tapc78917b0-9c qbrd5cbf3b0-ef 8000.f6de8391f526 no qvmd5cbf3b0-ef tapd5cbf3b0-ef qbrfe79631b-85 8000.c2d425903a69 no qvmfe79631b-85 tapfe79631b-85
可以看到有10个qbr,每一个虚拟机的每一张网卡都有对应的qbr。每一个qbr都有对应的 tap和qvm,对应图上的qbr北向与南向接口。
3.2.2 ovs bridage信息
通过ovs-vsctl可以查询主机上已有的 OVS bridge及其中的 port。
Bridge "plyc24f2999-b9"
Port "qvmc24f2999-b9"
Interface"qvmc24f2999-b9"
type: internal
Port "plyc24f2999-b9"
Interface"plyc24f2999-b9"
type: internal
Port "pvic24f2999-b9"
Interface"pvic24f2999-b9"
type: patch
options: {peer="pvoc24f2999-b9"}
可以看到ply网桥信息,上面对接qvm,下面对接br-int,ply与br-int之间是一对port接口, pvi与pvo接口。
Bridge br-int
fail_mode: secure
Port "pvoc78917be-9c"
tag: 5
Interface"pvoc78917be-9c"
type: patch
options:{peer="pvic78917be-9c"}
Port "pvob9dd9478-0f"
tag: 9
Interface"pvob9dd9478-0f"
type: patch
options:{peer="pvib9dd9478-0f"}
注意pov端口是有tag的,这是一个内部的tag,主要是为了区分同一虚拟机的不同虚拟网 卡 设备,会将多张网卡依次编号。
Bridge br-int
fail_mode: secure
Port "pvoc78917be-9c"
tag: 5
Interface"pvoc78917be-9c"
type: patch
options:{peer="pvic78917be-9c"}
Port "pvob9dd9478-0f"
tag: 9
Interface"pvob9dd9478-0f"
type: patch
options:{peer="pvib9dd9478-0f"}
Port br-int
tag: 4095
Interface br-int
type: internal
Port int-brcps
Interface int-brcps
type: patch
options: {peer=phy-brcps}
Port "pvo9df6f9f9-42"
tag: 5
Interface"pvo9df6f9f9-42"
type: patch
options:{peer="pvi9df6f9f9-42"}
可以看到br-int网桥上的所有端口信息,向上是pvo口,向下是int-brcps口,是用来连接 brcps网桥。
Bridge br-int
fail_mode: secure
Port "pvoc78917be-9c"
tag: 5
Interface"pvoc78917be-9c"
type: patch
options:{peer="pvic78917be-9c"}
Port int-brcps
Interface int-brcps
type: patch
options: {peer=phy-brcps}
int-brcps和phy-brcps接口是br-int与brcps网桥相连的接口,查询br-int是可以找到与之相连的int-brcps,查询brcps网桥可以找到与之相连的phy-brcps接口。
Bridge brcps
Port external_om
tag:1405
Interface external_om
type: internal
Port "trunk0"
Interface "trunk0"
Port phy-brcps
Interface phy-brcps
type: patch
options: {peer=int-brcps}
Port external_api
tag:1400
Interface external_api
type: internal
Port brcps
tag:0
Interface brcps
type: internal
Port "om-physnet1"
tag:1089
Interface "om-physnet1"
type: internal
管理面网桥brcps上有多个端口,用于与外部通信打通的external_om与external_api端口,带tag;向上的phy-brcps接口;本地接口brcps,以及端口om-physnet1,还有最重要的trunk0,实际的数据物理通信接口。
以上就是vlan模式虚拟机通信需要经过的所有端口,数据流向如下:
1)数据帧从VM出来,经过TAP提供的虚拟网口vNIC,再经过 Linux 网桥qrb安全验证,走到qvm,会打上一个内部的VLANtag,成为主机节点内部的local id。这个id的作用是区分同一个主机内部的不同VM;
2)继续南下到ply,资料显示作用是过滤掉非本机的MAC,主要作用是为了方便访问同一个主机的其他VM,如果目的源是同一台主机则直接访问,不用br-int转发;
3)继续走到br-int会实现转发到目的帧主机,南下到patch port,port会把帧中间的之前打的内部VLAN ID即local id删除,换成外部的VLAN ID;
4)之后帧走到实际的外部物理交换机网口,发送到目的地。
3.2.2 br-int dump-flows信息
br-int完成从brcps上过来流量(从口int-brcps到达)的vlan tag转换,下面例子可以看到从外部VLAN ID:1013转换为内部VLAN ID:2。
Compute153 :~ # ovs-ofctl dump-flows br-int NXST_FLOW reply (xid=0x4): cookie=0xaf3ffaad56834ff8,duration=8767986.702s, table=0, n_packets=138635866, n_bytes=49130127982,idle_age=0, hard_age=65534, priority=3,in_port=1,dl_vlan=1013actions=mod_vlan_vid:2,NORMAL cookie=0xaf3ffaad56834ff8,duration=8759690.249s, table=0, n_packets=902894466, n_bytes=111008267998,idle_age=0, hard_age=65534, priority=3,in_port=1,dl_vlan=1014actions=mod_vlan_vid:3,NORMAL cookie=0xaf3ffaad56834ff8,duration=8606291.966s, table=0, n_packets=75523546, n_bytes=7721353259,idle_age=0, hard_age=65534, priority=3,in_port=1,dl_vlan=503actions=mod_vlan_vid:4,NORMAL cookie=0xaf3ffaad56834ff8,duration=7943259.828s, table=0, n_packets=27312770, n_bytes=4039091682,idle_age=0, hard_age=65534, priority=3,in_port=1,dl_vlan=1011actions=mod_vlan_vid:5,NORMAL cookie=0xaf3ffaad56834ff8,duration=7248098.099s, table=0, n_packets=17132221, n_bytes=1590164809,idle_age=0, hard_age=65534, priority=3,in_port=1,dl_vlan=504actions=mod_vlan_vid:6,NORMAL cookie=0xaf3ffaad56834ff8,duration=5730798.970s, table=0, n_packets=35859018, n_bytes=4389953008,idle_age=0, hard_age=65534, priority=3,in_port=1,dl_vlan=1012actions=mod_vlan_vid:7,NORMAL cookie=0xaf3ffaad56834ff8,duration=583874.187s, table=0, n_packets=2041814, n_bytes=433205117,idle_age=0, hard_age=65534, priority=3,in_port=1,dl_vlan=1015actions=mod_vlan_vid:8,NORMAL cookie=0xaf3ffaad56834ff8,duration=146306.053s, table=0, n_packets=435169, n_bytes=31391505, idle_age=0,hard_age=65534, priority=3,in_port=1,dl_vlan=1016 actions=mod_vlan_vid:9,NORMAL cookie=0xaf3ffaad56834ff8,duration=9233017.369s, table=0, n_packets=8966890076, n_bytes=2799828872226,idle_age=0, hard_age=65534, priority=2,in_port=1 actions=drop cookie=0xaf3ffaad56834ff8, duration=9233016.732s,table=0, n_packets=1106708092, n_bytes=190560627712, idle_age=0,hard_age=65534, priority=0 actions=NORMAL cookie=0xaf3ffaad56834ff8,duration=9233019.667s, table=23, n_packets=0, n_bytes=0, idle_age=65534,hard_age=65534, priority=0 actions=drop cookie=0xaf3ffaad56834ff8,duration=9233019.551s, table=24, n_packets=0, n_bytes=0, idle_age=65534,hard_age=65534, priority=0 actions=drop
3.2.3 brcps dump-flows信息
brcps上负责从br-int上过来的流量(从口phy-brcps到达),实现local vlan到外部vlan的转换,下面例子可以看到从内部VLAN ID:2转换为外部VLAN ID:1013。
Compute153 :~ # ovs-ofctl dump-flows brcps NXST_FLOW reply (xid=0x4): cookie=0xaaf94399aad7707e,duration=8768079.505s, table=0, n_packets=4610859, n_bytes=723908441,idle_age=6, hard_age=65534, priority=4,in_port=5,dl_vlan=2actions=mod_vlan_vid:1013,NORMAL cookie=0xaaf94399aad7707e,duration=8759783.046s, table=0, n_packets=1061625441, n_bytes=180117774176,idle_age=0, hard_age=65534, priority=4,in_port=5,dl_vlan=3actions=mod_vlan_vid:1014,NORMAL cookie=0xaaf94399aad7707e,duration=8606384.765s, table=0, n_packets=12135266, n_bytes=3806123480,idle_age=32, hard_age=65534, priority=4,in_port=5,dl_vlan=4actions=mod_vlan_vid:503,NORMAL cookie=0xaaf94399aad7707e,duration=7943352.621s, table=0, n_packets=8783552, n_bytes=1513703385,idle_age=0, hard_age=65534, priority=4,in_port=5,dl_vlan=5actions=mod_vlan_vid:1011,NORMAL cookie=0xaaf94399aad7707e,duration=7248190.902s, table=0, n_packets=2559355, n_bytes=510785011,idle_age=16, hard_age=65534, priority=4,in_port=5,dl_vlan=6actions=mod_vlan_vid:504,NORMAL cookie=0xaaf94399aad7707e,duration=5730891.771s, table=0, n_packets=16831749, n_bytes=3864947698,idle_age=0, hard_age=65534, priority=4,in_port=5,dl_vlan=7actions=mod_vlan_vid:1012,NORMAL cookie=0xaaf94399aad7707e,duration=583966.979s, table=0, n_packets=169878, n_bytes=24055409, idle_age=29,hard_age=65534, priority=4,in_port=5,dl_vlan=8 actions=mod_vlan_vid:1015,NORMAL cookie=0xaaf94399aad7707e,duration=146398.874s, table=0, n_packets=1541, n_bytes=157171, idle_age=132,hard_age=65534, priority=4,in_port=5,dl_vlan=9 actions=mod_vlan_vid:1016,NORMAL cookie=0xaaf94399aad7707e,duration=9233110.012s, table=0, n_packets=78, n_bytes=6780, idle_age=65534,hard_age=65534, priority=2,in_port=5 actions=drop cookie=0xaaf94399aad7707e,duration=9233111.393s, table=0, n_packets=10761364888, n_bytes=3180091314185,idle_age=0, hard_age=65534, priority=0 actions=
3.2.4 iptables安全组
每一个虚拟机的tap都对应2个chain表(out和in),dhcp agent到虚拟机的访问策略定义在out表;
Compute153 :~ # iptables -Lneutron-openvswi-sg-chain Chain neutron-openvswi-sg-chain ( 20 references) target prot opt source destination neutron-openvswi-i7fc1e7d0-0 all -- anywhere anywhere PHYSDEV match --physdev-outtap7fc1e7d0-0c --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-o7fc1e7d0-0 all -- anywhere anywhere PHYSDEV match --physdev-intap7fc1e7d0-0c --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-i931641ad-4 all -- anywhere anywhere PHYSDEV match --physdev-outtap931641ad-4b --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-o931641ad-4 all -- anywhere anywhere PHYSDEV match --physdev-intap931641ad-4b --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-i963c4b38-7 all -- anywhere anywhere PHYSDEV match --physdev-outtap963c4b38-70 --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-o963c4b38-7 all -- anywhere anywhere PHYSDEV match --physdev-intap963c4b38-70 --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-i9df6f9f9-4 all -- anywhere anywhere PHYSDEV match --physdev-outtap9df6f9f9-42 --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-o9df6f9f9-4 all -- anywhere anywhere PHYSDEV match --physdev-intap9df6f9f9-42 --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-ib9dd9478-0 all -- anywhere anywhere PHYSDEV match --physdev-outtapb9dd9478-0f --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-ob9dd9478-0 all -- anywhere anywhere PHYSDEV match --physdev-intapb9dd9478-0f --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-ic24f2999-b all -- anywhere anywhere PHYSDEV match --physdev-outtapc24f2999-b9 --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-oc24f2999-b all -- anywhere anywhere PHYSDEV match --physdev-intapc24f2999-b9 --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-ic3833757-a all -- anywhere anywhere PHYSDEV match --physdev-outtapc3833757-af --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-oc3833757-a all -- anywhere anywhere PHYSDEV match --physdev-intapc3833757-af --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-ic78917be-9 all -- anywhere anywhere PHYSDEV match --physdev-outtapc78917be-9c --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-oc78917be-9 all -- anywhere anywhere PHYSDEV match --physdev-intapc78917be-9c --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-id5cbf3b0-e all -- anywhere anywhere PHYSDEV match --physdev-outtapd5cbf3b0-ef --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-od5cbf3b0-e all -- anywhere anywhere PHYSDEV match --physdev-intapd5cbf3b0-ef --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-ife79631b-8 all -- anywhere anywhere PHYSDEV match --physdev-outtapfe79631b-85 --physdev-is-bridged /* Jump to the VM specific chain. */ neutron-openvswi-ofe79631b-8 all -- anywhere anywhere PHYSDEV match --physdev-intapfe79631b-85 --physdev-is-bridged /* Jump to the VM specific chain. */ ACCEPT all -- anywhere anywhere
Compute153 :~ # iptables -L neutron-openvswi-oc78917be-9 Chain neutron-openvswi-oc78917be- 9 ( 2 references) target prot opt source destination RETURN udp -- default 255.255.255.255 udpspt:bootpc dpt:bootps /* Allow DHCP client traffic. */ neutron-openvswi-sc78917be-9 all -- anywhere anywhere RETURN udp -- anywhere anywhere udp spt:bootpc dpt:bootps /* AllowDHCP client traffic. */ DROP udp -- anywhere anywhere udp spt:bootps udp dpt:bootpc /*Prevent DHCP Spoofing by VM. */ RETURN all -- anywhere anywhere state RELATED,ESTABLISHED /*Direct packets associated with a known session to the RETURN chain. */ RETURN all -- anywhere anywhere DROP all -- anywhere anywhere state INVALID /* Drop packets thatappear related to an existing connection (e.g. TCP ACK/FIN) but do not have anentry in conntrack. */ neutron-openvswi-sg-fallback all -- anywhere anywhere /* Send unmatched traffic to thefallback chain. */
Compute153 :~ # iptables -Lneutron-openvswi-ic78917be-9 Chain neutron-openvswi-ic78917be- 9 ( 1 references) target prot opt source destination RETURN all -- anywhere anywhere state RELATED,ESTABLISHED /*Direct packets associated with a known session to the RETURN chain. */ RETURN udp -- xxx.xxx.xxx.xxx anywhere udp spt:bootps udp dpt:bootpc ---DHCP RETURN udp -- xxx.xxx.xxx.xxx anywhere udp spt:bootps udp dpt:bootpc ---DHCP RETURN all -- anywhere anywhere DROP all -- anywhere anywhere state INVALID /* Drop packets thatappear related to an existing connection (e.g. TCP ACK/FIN) but do not have anentry in conntrack. */ neutron-openvswi-sg-fallback all -- anywhere anywhere /* Send unmatched traffic to thefallback chain. */
3.3 计算节点的vlan隔离
在vlan模式下,每个 vlan network 都有自己的 bridge,从而也就实现了基于 vlan 的隔离,vlan tag的转换需要在br-int和brcps两个网桥上进行相互配合。br-int负责从int-brcps过来的包(带外部vlan)转换为内部vlan,而brcps负责从phy-brcps过来的包(带内部vlan)转化为外部的vlan。租户的流量隔离也是通过vlan来进行的,因此包括两种vlan,虚拟机在Compute Node内流量带有的local vlan和在Compute Node之外物理网络上隔离不同租户的vlan。物理交换机与eth网卡相连的 port 设置成 trunk 模式,实现同一块物理网卡上面通过多个不同vlan 的数据。
以上所述就是小编给大家介绍的《openstack vlan模式下的隔离和数据流向》,希望对大家有所帮助,如果大家有任何疑问请给我留言,小编会及时回复大家的。在此也非常感谢大家对 码农网 的支持!
猜你喜欢:
- Vue 系列之 Vuex 数据流向
- 分类算法解析推测比特币持有者类别与流向
- CSS进阶(终章)—— CSS世界流向的掌控者direction和writing-mode
- MySQL -- RR隔离与RC隔离
- MySQL -- 事务隔离
- MySQL事务隔离
本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们。
