1 Basic workflow for creating an OVS port mirror
1. Create a mirror, specifying in it the traffic to copy (the select_* columns) and where to send the copies (the output_* columns).
2. Attach the mirror to the bridge (the bridge's mirrors column).
2 Basic concepts of OVS port mirroring
1. select_all: when true, every packet entering or leaving any port of the bridge is mirrored, regardless of the other select_* columns.
2. select_dst_port: packets that leave the virtual switch through this port are mirrored (egress direction).
3. select_src_port: packets that enter the virtual switch through this port are mirrored (ingress direction). A port listed in both columns is mirrored in both directions.
4. select_vlan: restricts mirroring to the listed VLANs; every packet on those VLANs is copied to the destination. An empty set means all VLANs.
5. output_port: send the copies to a specific port. That port is then reserved for mirroring: OVS forwards nothing else to it and discards frames that arrive on it.
6. output_vlan: send the copies into the given VLAN (mutually exclusive with output_port). The original VLAN tag is lost, so if several VLANs are mirrored into one VLAN there is no way to tell which VLAN a mirrored packet came from.
3 Experiments
The experiments cover local SPAN and remote mirroring through a GRE tunnel (RSPAN over GRE).
3.1 SPAN
3.1.1 Building the test environment
## Create the bridge
root@junwu:/home/junwu# ovs-vsctl add-br br-int
## Create port1, port2 and port3 as internal interfaces
root@junwu:/home/junwu# ovs-vsctl add-port br-int port1 -- set interface port1 type=internal
root@junwu:/home/junwu# ovs-vsctl add-port br-int port2 -- set interface port2 type=internal
root@junwu:/home/junwu# ovs-vsctl add-port br-int port3 -- set interface port3 type=internal
## Create the namespaces
root@junwu:/home/junwu# ip netns add ns1
root@junwu:/home/junwu# ip netns add ns2
root@junwu:/home/junwu# ip netns add ns3
## Move each port into its namespace
root@junwu:/home/junwu# ip link set dev port1 netns ns1
root@junwu:/home/junwu# ip link set dev port2 netns ns2
root@junwu:/home/junwu# ip link set dev port3 netns ns3
## Bring the ports up and assign addresses (port3 is brought up without an address)
root@junwu:/home/junwu# ip netns exec ns1 ip addr add 11.11.11.11/24 dev port1
root@junwu:/home/junwu# ip netns exec ns1 ip link set up port1
root@junwu:/home/junwu# ip netns exec ns2 ip addr add 11.11.11.12/24 dev port2
root@junwu:/home/junwu# ip netns exec ns2 ip link set up port2
root@junwu:/home/junwu# ip netns exec ns3 ip link set up port3
Check the environment:
root@junwu:/home/junwu# ovs-vsctl show
b4e71381-9659-43b8-a96d-52d08fc5e801
    Manager "tcp:10.190.23.66:6640"
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
        Port port1
            Interface port1
                type: internal
        Port port2
            Interface port2
                type: internal
        Port port3
            Interface port3
                type: internal
    ovs_version: "2.13.3"
Note the Manager line: this OVSDB instance talks to its manager over plain tcp:, with no authentication or encryption. Whoever controls that endpoint, or can interpose on the connection, can create mirrors exactly like the ones below, including ones that copy bridge traffic into a tunnel towards an arbitrary host. Outside a lab, use ssl: with certificates and keep the management network separate from the data network.
3.1.2 Procedure and analysis
1. From ns1, ping port2 in ns2:
root@junwu:/home/junwu# ip netns exec ns1 ping 11.11.11.12 -c 10
PING 11.11.11.12 (11.11.11.12) 56(84) bytes of data.
64 bytes from 11.11.11.12: icmp_seq=1 ttl=64 time=0.614 ms
64 bytes from 11.11.11.12: icmp_seq=2 ttl=64 time=0.049 ms
64 bytes from 11.11.11.12: icmp_seq=3 ttl=64 time=0.065 ms
64 bytes from 11.11.11.12: icmp_seq=4 ttl=64 time=0.051 ms
64 bytes from 11.11.11.12: icmp_seq=5 ttl=64 time=0.055 ms
64 bytes from 11.11.11.12: icmp_seq=6 ttl=64 time=0.057 ms
64 bytes from 11.11.11.12: icmp_seq=7 ttl=64 time=0.047 ms
64 bytes from 11.11.11.12: icmp_seq=8 ttl=64 time=0.049 ms
64 bytes from 11.11.11.12: icmp_seq=9 ttl=64 time=0.045 ms
64 bytes from 11.11.11.12: icmp_seq=10 ttl=64 time=0.043 ms
--- 11.11.11.12 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9208ms
rtt min/avg/max/mdev = 0.043/0.107/0.614/0.168 ms
root@junwu:/home/junwu#
2. Meanwhile capture in ns2 (port2 sees the traffic from port1, as expected):
root@junwu:/home/junwu# ip netns exec ns2 tcpdump -i port2 -e -nn icmp or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on port2, link-type EN10MB (Ethernet), capture size 262144 bytes
^C15:26:10.274873 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60794, seq 72, length 64
15:26:10.274914 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60794, seq 72, length 64
15:26:11.298860 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60794, seq 73, length 64
15:26:11.298896 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60794, seq 73, length 64
15:26:12.322854 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60794, seq 74, length 64
15:26:12.322886 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60794, seq 74, length 64
15:26:13.346867 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60794, seq 75, length 64
15:26:13.346904 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60794, seq 75, length 64
15:26:14.370852 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60794, seq 76, length 64
15:26:14.370883 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60794, seq 76, length 64
10 packets captured
10 packets received by filter
0 packets dropped by kernel
3. Meanwhile capture in ns3 (nothing arrives on port3, as expected, since no mirror exists yet):
root@junwu:/home/junwu# ip netns exec ns3 tcpdump -i port3 -e -nn icmp or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on port3, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
4. Now the core of SPAN. Create mirror m0 and attach it to br-int, selecting the packets that leave the switch through port1 in ns1 (select_dst_port) and copying them to port3 in ns3 (output_port). The --id=@name clauses bind the Port rows to variables so that the Mirror row can reference them inside the same ovs-vsctl transaction; the line continuations are required when typing this as one command:
ovs-vsctl -- --id=@port1 get port port1 \
    -- --id=@port3 get port port3 \
    -- --id=@m create mirror name=m0 select_dst_port=@port1 output_port=@port3 \
    -- set bridge br-int mirrors=@m
Executed interactively (the shell shows the > continuation prompt; the command prints the UUID of the new Mirror row):
root@junwu:/home/junwu# ovs-vsctl -- --id=@port1 get port port1 \
> -- --id=@port3 get port port3 \
> -- --id=@m create mirror name=m0 select_dst_port=@port1 output_port=@port3 \
> -- set bridge br-int mirrors=@m
8e7d031a-ed70-4d8a-9b72-278a93041e1a
Inspect mirror m0 (output_port and select_dst_port are shown as Port row UUIDs, port3 and port1 respectively):
root@junwu:/home/junwu# ovs-vsctl list mirror
_uuid : 8e7d031a-ed70-4d8a-9b72-278a93041e1a
external_ids : {}
name : m0
output_port : dc9236f9-683c-4cd7-bd0d-8e6ac83db0b9
output_vlan : []
select_all : false
select_dst_port : [bb35587e-4a93-493b-a6fa-0c3f7c9a6fb5]
select_src_port : []
select_vlan : []
snaplen : []
statistics : {tx_bytes=5026, tx_packets=53}
Run the ping from ns1 to port2 in ns2 again while capturing in both ns2 and ns3. port2 still sees the full exchange, and now port3 also receives packets, as expected:
root@junwu:/home/junwu# ip netns exec ns2 tcpdump -i port2 -e -nn icmp or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on port2, link-type EN10MB (Ethernet), capture size 262144 bytes
^C15:40:01.058857 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60992, seq 7, length 64
15:40:01.058893 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 7, length 64
15:40:02.082863 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60992, seq 8, length 64
15:40:02.082899 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 8, length 64
15:40:03.106865 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60992, seq 9, length 64
15:40:03.106903 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 9, length 64
15:40:03.171028 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype ARP (0x0806), length 42: Request who-has 11.11.11.12 tell 11.11.11.11, length 28
15:40:03.171051 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype ARP (0x0806), length 42: Reply 11.11.11.12 is-at e6:f3:a7:23:50:f5, length 28
8 packets captured
8 packets received by filter
0 packets dropped by kernel
#############################################################################
## Capture on ns3: the ICMP echo replies from port2 to port1 are received:
root@junwu:/home/junwu# ip netns exec ns3 tcpdump -i port3 -e -nn icmp or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on port3, link-type EN10MB (Ethernet), capture size 262144 bytes
^C15:40:11.298886 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 17, length 64
15:40:12.322863 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 18, length 64
15:40:13.346868 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 19, length 64
15:40:14.370807 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 20, length 64
4 packets captured
4 packets received by filter
0 packets dropped by kernel
root@junwu:/home/junwu#
SPAN test passed!
Two details are worth noting. Only frames departing the switch through port1 reach port3 (here the echo replies), because select_dst_port selects the egress direction; the echo requests entering through port1 are not copied. To mirror both directions of a port, list it in both select_src_port and select_dst_port. Also, a mirror output port is reserved exclusively for mirroring: OVS forwards nothing else to it and discards any frame that arrives on it, so the capture interface cannot double as a normal endpoint.
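The select_*/output_* columns are what an operator should periodically read back, because a mirror is also the easiest way for anyone with OVSDB access to tap a bridge. The script below is an added example, not code from the original post or from Open vSwitch. It parses the JSON that `ovs-vsctl --format=json list mirror|port|interface` emits (OVSDB notation: a one-element set is a bare atom, ["uuid", ...] is a row reference, ["set", [...]] and ["map", [...]] are collections), resolves each mirror's Port references to Interface names and types, and reports which mirrors copy traffic to a tunnel interface or select everything on the bridge. The embedded sample is constructed: m0 and m3 reuse the UUIDs from this article's `ovs-vsctl list mirror` output (they never coexisted on the bridge), while the Interface UUIDs and the select_all mirror m_all are made up to exercise the code.

```python
"""Audit Open vSwitch mirrors from `ovs-vsctl --format=json list ...` dumps.

Added example for this article, not code from the original post or from OVS.
"""
import json

# Interface types whose output leaves the host (tunnel types from vswitch.conf.db(5)).
TUNNEL_TYPES = {"gre", "ip6gre", "erspan", "ip6erspan", "vxlan", "geneve", "stt", "lisp"}


def decode(value):
    """Turn OVSDB JSON notation (RFC 7047) into plain Python values.

    Atoms are bare; ["uuid", id] is a row reference; ["set", [...]] and
    ["map", [[k, v], ...]] are collections. A one-element set is a bare atom.
    """
    if isinstance(value, list) and len(value) == 2 and isinstance(value[0], str):
        tag, body = value
        if tag == "uuid":
            return body
        if tag == "set":
            return [decode(v) for v in body]
        if tag == "map":
            return {k: decode(v) for k, v in body}
    return value


def rows(table_json):
    """One ovs-vsctl --format=json table dump -> list of {column: value} dicts."""
    doc = json.loads(table_json)
    return [dict(zip(doc["headings"], (decode(v) for v in row))) for row in doc["data"]]


def as_list(value):
    """Normalise an optional/set column (bare atom, [] or list) to a list."""
    if value in (None, []):
        return []
    return value if isinstance(value, list) else [value]


def audit_mirrors(mirror_json, port_json, iface_json):
    """Return {mirror name: finding}; 'scope' is 'local', 'tunnel' or 'all'."""
    ifaces = {r["_uuid"]: r for r in rows(iface_json)}
    # A Port row references its Interface rows (several for a bond).
    port_ifaces = {r["_uuid"]: [ifaces[u] for u in as_list(r["interfaces"])]
                   for r in rows(port_json)}

    def names(port_uuids):
        return [i["name"] for u in as_list(port_uuids) for i in port_ifaces.get(u, [])]

    report = {}
    for m in rows(mirror_json):
        finding = {"ingress_from": names(m["select_src_port"]),   # select_src_port
                   "egress_to": names(m["select_dst_port"]),      # select_dst_port
                   "output": names(m["output_port"]),
                   "scope": "local", "remote_ip": None}
        for u in as_list(m["output_port"]):
            for iface in port_ifaces.get(u, []):
                if iface["type"] in TUNNEL_TYPES:                # copies leave the host
                    finding["scope"] = "tunnel"
                    finding["remote_ip"] = iface.get("options", {}).get("remote_ip")
        if m["select_all"] is True:                              # every packet on the bridge
            finding["scope"] = "all"
        report[m["name"]] = finding
    return report


# Constructed sample in ovs-vsctl's JSON encoding. m0 and m3 carry the UUIDs from the
# article's `ovs-vsctl list mirror` output (they never coexisted there); m_all and
# all Interface UUIDs are made up to exercise the code paths.
P1, P3, GRE = ("bb35587e-4a93-493b-a6fa-0c3f7c9a6fb5", "dc9236f9-683c-4cd7-bd0d-8e6ac83db0b9",
               "c9ae0113-e8c0-4883-a3cf-9532d845531f")
I1, I3, IG = ("aaaaaaaa-0000-0000-0000-000000000001", "aaaaaaaa-0000-0000-0000-000000000003",
              "aaaaaaaa-0000-0000-0000-000000000004")
EMPTY = ["set", []]
MIRRORS = json.dumps({
    "headings": ["_uuid", "name", "output_port", "select_all", "select_dst_port", "select_src_port"],
    "data": [
        [["uuid", "8e7d031a-ed70-4d8a-9b72-278a93041e1a"], "m0", ["uuid", P3], False, ["uuid", P1], EMPTY],
        [["uuid", "546cdade-8d02-45e8-b265-e57177b206b9"], "m3", ["uuid", GRE], False, EMPTY, ["uuid", P1]],
        [["uuid", "00000000-0000-0000-0000-0000000000aa"], "m_all", ["uuid", P3], True, EMPTY, EMPTY],
    ]})
PORTS = json.dumps({
    "headings": ["_uuid", "name", "interfaces"],
    "data": [[["uuid", P1], "port1", ["uuid", I1]], [["uuid", P3], "port3", ["uuid", I3]],
             [["uuid", GRE], "gre0", ["uuid", IG]]]})
IFACES = json.dumps({
    "headings": ["_uuid", "name", "type", "options"],
    "data": [[["uuid", I1], "port1", "internal", ["map", []]],
             [["uuid", I3], "port3", "internal", ["map", []]],
             [["uuid", IG], "gre0", "gre", ["map", [["key", "0x1000"], ["remote_ip", "192.168.1.10"]]]]]})

if __name__ == "__main__":
    for name, f in audit_mirrors(MIRRORS, PORTS, IFACES).items():
        flag = {"local": "ok", "tunnel": "OFF-HOST to %s" % f["remote_ip"], "all": "SELECT_ALL"}[f["scope"]]
        print("%-6s in=%-10s out=%-10s -> %-10s %s" % (name, f["ingress_from"], f["egress_to"], f["output"], flag))
```

On a live host, replace the three constants with the output of `ovs-vsctl --format=json list mirror`, `... list port` and `... list interface` (optionally narrowed with `--columns=`), and run it from cron or a configuration check; any mirror reported as `tunnel` or `all` that is not in your change records deserves a look.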
3.2 RSPAN over a GRE tunnel
3.2.1 Building the test environment
The environment from 3.1.1 is reused.
3.2.2 Procedure and analysis
1. Remove the existing mirror
root@junwu:/home/junwu# ovs-vsctl clear bridge br-int mirrors
root@junwu:/home/junwu# ovs-vsctl list mirror
root@junwu:/home/junwu#
Clearing the bridge's mirrors column is enough: a Mirror row that is no longer referenced by any bridge is garbage-collected by OVSDB, which is why list mirror comes back empty.
2. Add a GRE tunnel port. remote_ip is the collector that terminates the tunnel; key is the GRE key carried in every encapsulated packet and must match the far end's configuration:
ovs-vsctl add-port br-int gre0 -- set interface gre0 type=gre options:key=0x1000 options:remote_ip=192.168.1.10
Check the ports:
root@junwu:/home/junwu# ovs-vsctl show
b4e71381-9659-43b8-a96d-52d08fc5e801
    Manager "tcp:10.190.23.66:6640"
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
        Port port1
            Interface port1
                type: internal
        Port gre0
            Interface gre0
                type: gre
                options: {key="0x1000", remote_ip="192.168.1.10"}
        Port port2
            Interface port2
                type: internal
        Port port3
            Interface port3
                type: internal
    ovs_version: "2.13.3"
3. Create the mirror. This time the packets that enter the switch through port1 (select_src_port) are selected, and the copies are sent into the tunnel port:
ovs-vsctl -- --id=@port1 get port port1 \
    -- --id=@gre0 get port gre0 \
    -- --id=@m create mirror name=m3 select_src_port=@port1 output_port=@gre0 \
    -- set bridge br-int mirrors=@m
Executed interactively:
root@junwu:/home/junwu# ovs-vsctl -- --id=@port1 get port port1 \
> -- --id=@gre0 get port gre0 \
> -- --id=@m create mirror name=m3 select_src_port=@port1 output_port=@gre0 \
> -- set bridge br-int mirrors=@m
546cdade-8d02-45e8-b265-e57177b206b9
Inspect the mirror (output_port now points at the gre0 Port row; the statistics are still zero because no selected packet has passed yet):
root@junwu:/home/junwu# ovs-vsctl list mirror
_uuid : 546cdade-8d02-45e8-b265-e57177b206b9
external_ids : {}
name : m3
output_port : c9ae0113-e8c0-4883-a3cf-9532d845531f
output_vlan : []
select_all : false
select_dst_port : []
select_src_port : [bb35587e-4a93-493b-a6fa-0c3f7c9a6fb5]
select_vlan : []
snaplen : []
statistics : {tx_bytes=0, tx_packets=0}
root@junwu:/home/junwu#
4. Packet capture
Capturing on the host's uplink ens32 while the ping from ns1 runs shows the GRE-encapsulated copies leaving the host towards the collector:
root@junwu:/home/junwu# tcpdump -i ens32 -nn -e proto gre
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens32, link-type EN10MB (Ethernet), capture size 262144 bytes
16:00:09.858874 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 14, length 64
16:00:10.882868 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 15, length 64
16:00:11.906806 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 16, length 64
16:00:12.930870 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 17, length 64
16:00:13.954850 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 18, length 64
16:00:14.978781 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 19, length 64
16:00:16.002797 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 20, length 64
16:00:17.026796 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 21, length 64
16:00:18.050824 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 22, length 64
16:00:19.074858 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 23, length 64
16:00:20.098859 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 24, length 64
16:00:21.122871 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 25, length 64
^C
12 packets captured
13 packets received by filter
0 packets dropped by kernel
2 packets dropped by interface
RSPAN over GRE test passed!
As in the SPAN test, the direction follows the select column: select_src_port copies only what enters through port1, so the capture shows echo requests and no replies. Each outer packet is 140 bytes: 14 bytes of Ethernet, a 20-byte IPv4 header, an 8-byte GRE header (4 bytes plus the 4-byte key) and the 98-byte mirrored frame, which tcpdump reports as the 106-byte GRE payload with protocol TEB (Transparent Ethernet Bridging, 0x6558). Two things to keep in mind before using this outside a lab: the GRE key is a session identifier, not authentication, so the collector at 192.168.1.10 will accept any packet that arrives with key 0x1000, and the mirrored frames cross the underlay (10.190.23.67 to 192.168.1.10) in cleartext, so the tunnel should only traverse a network that is trusted to see the traffic of the monitored ports. If the collector expects ERSPAN rather than plain GRE/TEB, OVS also provides erspan and ip6erspan tunnel interface types.
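The collector side of this setup has to undo the encapsulation shown in the capture above and should check the key before trusting the payload. The script below is an added example, not code from the original post or from Open vSwitch: it builds a frame with exactly the layout tcpdump printed (outer Ethernet and IPv4 addresses, GRE key 0x1000, protocol TEB, inner ICMP echo request id 61067 seq 14) and parses it back, handling the optional GRE checksum/key/sequence fields by flag. The 56-byte ICMP payload, the outer TTL and the DF flag are assumptions, since the capture does not show them.

```python
"""Build and decode a GRE-mirrored frame as it appears on the underlay (ens32).

Added example for this article, not code from the original post or from OVS.
Layout, matching the tcpdump line: outer Ethernet (14) + IPv4 (20) + GREv0 with
key (8) + mirrored Ethernet frame (98) = 140 bytes; tcpdump's "length 106" is
the GRE header plus payload.
"""
import ipaddress
import struct

ETH_P_IP, ETH_P_TEB = 0x0800, 0x6558           # TEB = Transparent Ethernet Bridging
IPPROTO_ICMP, IPPROTO_GRE = 1, 47
GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000    # RFC 2784/2890 flag bits


def checksum(data):
    """RFC 1071 one's-complement checksum (IPv4 header and ICMP)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    # TTL 64 and DF (0x4000) are assumptions; the capture does not show them.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_mirrored_frame(key=0x1000, icmp_id=61067, seq=14):
    """Outer frame carrying one mirrored echo request; addresses come from the article's capture."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, icmp_id, seq) + bytes(range(56))   # payload is made up
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    inner = (mac("e6:f3:a7:23:50:f5") + mac("1e:00:7c:b4:c4:e1") + struct.pack("!H", ETH_P_IP)
             + ipv4_header("11.11.11.11", "11.11.11.12", IPPROTO_ICMP, len(icmp)) + icmp)
    gre = struct.pack("!HHI", GRE_K, ETH_P_TEB, key) + inner   # flags/version, proto, key
    outer_ip = ipv4_header("10.190.23.67", "192.168.1.10", IPPROTO_GRE, len(gre))
    return mac("80:3a:f4:56:b6:53") + mac("00:0c:29:6e:c0:06") + struct.pack("!H", ETH_P_IP) + outer_ip + gre


def parse_gre_frame(frame, expected_key=None):
    """Strip Ethernet/IPv4/GRE and describe the mirrored inner frame.

    Raises ValueError for anything that is not a GREv0/TEB packet, or when the
    key differs from expected_key: the key is the only thing that ties a packet
    to this mirror session, so a collector must check it (it is not authentication).
    """
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    if ip[0] >> 4 != 4 or proto != IPPROTO_GRE or checksum(ip[:ihl]) != 0:
        raise ValueError("outer packet is not valid IPv4 carrying GRE")
    gre = ip[ihl:total_len]
    flags, gre_proto = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:
        raise ValueError("only GRE version 0 is supported")
    off, key = 4, None
    if flags & GRE_C:                     # checksum + reserved1 present
        off += 4
    if flags & GRE_K:
        key = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if flags & GRE_S:                     # sequence number present
        off += 4
    if gre_proto != ETH_P_TEB:
        raise ValueError("GRE payload is not an Ethernet frame (proto 0x%04x)" % gre_proto)
    if expected_key is not None and key != expected_key:
        raise ValueError("GRE key mismatch: %r" % key)
    inner = gre[off:]
    info = {"outer_src": str(ipaddress.IPv4Address(ip[12:16])),
            "outer_dst": str(ipaddress.IPv4Address(ip[16:20])),
            "gre_key": key, "inner_len": len(inner),
            "inner_src_mac": mac_str(inner[6:12]), "inner_dst_mac": mac_str(inner[:6]),
            "inner_ethertype": struct.unpack("!H", inner[12:14])[0]}
    if info["inner_ethertype"] == ETH_P_IP:
        iip = inner[14:]
        info.update(inner_src_ip=str(ipaddress.IPv4Address(iip[12:16])),
                    inner_dst_ip=str(ipaddress.IPv4Address(iip[16:20])), inner_proto=iip[9])
        if iip[9] == IPPROTO_ICMP:
            icmp = iip[(iip[0] & 0x0F) * 4:]
            info["icmp"] = {"type": icmp[0], "id": struct.unpack("!H", icmp[4:6])[0],
                            "seq": struct.unpack("!H", icmp[6:8])[0]}
    return info


if __name__ == "__main__":
    frame = build_mirrored_frame()
    print(len(frame), "bytes on the wire")
    print(parse_gre_frame(frame, expected_key=0x1000))
```

To decode real traffic, feed `parse_gre_frame` the raw bytes of each frame from a pcap of ens32 (or of the collector's interface) and pass the key the mirror was configured with; because the key is the only selector, a collector that skips the check will happily accept frames injected by anyone who can spoof packets to it.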
4 Open questions
1. For RSPAN into a VLAN (output_vlan), the OVS documentation recommends disabling MAC learning on the mirror VLAN, via the Bridge table's flood_vlans column, so that the switch does not learn source MACs from the mirrored copies and disturb normal forwarding. This experiment did not test that case.
2. The interaction with the NORMAL action was not tested. The bridge carries only the default flow, so all forwarding in these experiments went through NORMAL:
root@junwu:/home/junwu# sudo ovs-ofctl dump-flows -O openflow13 br-int
cookie=0x0, duration=4655.660s, table=0, n_packets=4106, n_bytes=388228, priority=0 actions=NORMAL
The next experiments will cover these two points; comments and discussion are welcome.