OVS port mirroring verification experiment

2022-02-15 16:44:29

1 Basic workflow for creating an OVS port mirror

1. Create a mirror and, in the mirror, specify the traffic source (select) and the output

2. Apply the mirror to the bridge

2 Basic concepts of OVS port mirroring

1. select_all: when set to true, every packet entering or leaving the ports of this mirror is mirrored

2. select_dst_port: packets leaving the virtual switch through this port are mirrored

3. select_src_port: packets entering the virtual switch through this port are mirrored

4. select_vlan: use a specific VLAN as the traffic source; all packets of that VLAN are mirrored to the destination

5. output_port: mirror the packets to a specific port

6. output_vlan: mirror the packets to the specified VLAN; the original VLAN tag is stripped. If several VLANs are mirrored into the same VLAN, there is no way to tell which VLAN a mirrored packet came from.

3 Experiment

This experiment covers the SPAN approach and the GRE-based RSPAN approach.

3.1 SPAN approach

3.1.1 Building the experiment environment

## Create the bridge
root@junwu:/home/junwu# ovs-vsctl add-br br-int

## Create port1, port2 and port3 and set their interface type
root@junwu:/home/junwu# ovs-vsctl add-port br-int port1 -- set interface port1 type=internal
root@junwu:/home/junwu# ovs-vsctl add-port br-int port2 -- set interface port2 type=internal
root@junwu:/home/junwu# ovs-vsctl add-port br-int port3 -- set interface port3 type=internal

## Create the namespaces
root@junwu:/home/junwu# ip netns add ns1
root@junwu:/home/junwu# ip netns add ns2
root@junwu:/home/junwu# ip netns add ns3

## Move the three ports into their namespaces
root@junwu:/home/junwu# ip link set dev port1 netns ns1
root@junwu:/home/junwu# ip link set dev port2 netns ns2
root@junwu:/home/junwu# ip link set dev port3 netns ns3

## Bring the ports up and assign IP addresses
root@junwu:/home/junwu# ip netns exec ns1 ip addr add 11.11.11.11/24 dev port1
root@junwu:/home/junwu# ip netns exec ns1 ip link set up port1
root@junwu:/home/junwu# ip netns exec ns2 ip addr add 11.11.11.12/24 dev port2
root@junwu:/home/junwu# ip netns exec ns2 ip link set up port2
root@junwu:/home/junwu# ip netns exec ns3 ip link set up port3

Check the environment information:

root@junwu:/home/junwu# ovs-vsctl show
b4e71381-9659-43b8-a96d-52d08fc5e801
    Manager "tcp:10.190.23.66:6640"
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
        Port port1
            Interface port1
                type: internal
        Port port2
            Interface port2
                type: internal
        Port port3
            Interface port3
                type: internal
    ovs_version: "2.13.3"

3.1.2 Experiment procedure and analysis

1. From ns1, ping port2 in ns2:

root@junwu:/home/junwu# ip netns exec ns1 ping 11.11.11.12 -c 10
PING 11.11.11.12 (11.11.11.12) 56(84) bytes of data.
64 bytes from 11.11.11.12: icmp_seq=1 ttl=64 time=0.614 ms
64 bytes from 11.11.11.12: icmp_seq=2 ttl=64 time=0.049 ms
64 bytes from 11.11.11.12: icmp_seq=3 ttl=64 time=0.065 ms
64 bytes from 11.11.11.12: icmp_seq=4 ttl=64 time=0.051 ms
64 bytes from 11.11.11.12: icmp_seq=5 ttl=64 time=0.055 ms
64 bytes from 11.11.11.12: icmp_seq=6 ttl=64 time=0.057 ms
64 bytes from 11.11.11.12: icmp_seq=7 ttl=64 time=0.047 ms
64 bytes from 11.11.11.12: icmp_seq=8 ttl=64 time=0.049 ms
64 bytes from 11.11.11.12: icmp_seq=9 ttl=64 time=0.045 ms
64 bytes from 11.11.11.12: icmp_seq=10 ttl=64 time=0.043 ms

--- 11.11.11.12 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9208ms
rtt min/avg/max/mdev = 0.043/0.107/0.614/0.168 ms
root@junwu:/home/junwu#

2. At the same time, capture in ns2 (on port2 in ns2 the packets from port1 to port2 are captured, as expected):

root@junwu:/home/junwu# ip netns exec ns2 tcpdump -i port2 -e -nn icmp or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on port2, link-type EN10MB (Ethernet), capture size 262144 bytes
^C15:26:10.274873 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60794, seq 72, length 64
15:26:10.274914 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60794, seq 72, length 64
15:26:11.298860 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60794, seq 73, length 64
15:26:11.298896 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60794, seq 73, length 64
15:26:12.322854 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60794, seq 74, length 64
15:26:12.322886 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60794, seq 74, length 64
15:26:13.346867 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60794, seq 75, length 64
15:26:13.346904 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60794, seq 75, length 64
15:26:14.370852 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60794, seq 76, length 64
15:26:14.370883 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60794, seq 76, length 64

10 packets captured
10 packets received by filter
0 packets dropped by kernel

3. At the same time, capture in ns3 (no packets are captured on port3 in ns3, as expected):

root@junwu:/home/junwu# ip netns exec ns3 tcpdump -i port3 -e -nn icmp or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on port3, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

4. Now to the core of SPAN. First create mirror m0, apply it to br-int, and mirror the packets leaving through port1 in ns1 (select_dst_port) to port3 in ns3 (output_port):

ovs-vsctl -- --id=@port1 get port port1  
          -- --id=@port3 get port port3  
          -- --id=@m create mirror name=m0 select_dst_port=@port1 output_port=@port3 
          -- set bridge br-int mirrors=@m

The command as entered at the prompt:

root@junwu:/home/junwu# ovs-vsctl -- --id=@port1 get port port1  
>           -- --id=@port3 get port port3  
>           -- --id=@m create mirror name=m0 select_dst_port=@port1 output_port=@port3 
>           -- set bridge br-int mirrors=@m
8e7d031a-ed70-4d8a-9b72-278a93041e1a

Check mirror m0 on OVS:

root@junwu:/home/junwu# ovs-vsctl list mirror
_uuid               : 8e7d031a-ed70-4d8a-9b72-278a93041e1a
external_ids        : {}
name                : m0
output_port         : dc9236f9-683c-4cd7-bd0d-8e6ac83db0b9
output_vlan         : []
select_all          : false
select_dst_port     : [bb35587e-4a93-493b-a6fa-0c3f7c9a6fb5]
select_src_port     : []
select_vlan         : []
snaplen             : []
statistics          : {tx_bytes=5026, tx_packets=53}
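
The script below is an added example and not code from the original post. It wraps the two-step workflow from section 1 (create the mirror record, then attach it to the bridge) in a shell function that takes the select kind from section 2 by name, and adds a small parser for "ovs-vsctl list mirror" output so the check just performed on m0 can be scripted and compared against the intended configuration. The helper names ovs_mirror_cmd, ovs_mirror_apply, ovs_mirror_clear_cmd, has, mirror_field and mirror_kind are assumptions of this example; the ovs-vsctl syntax is the one used in this post, and the sample listing inside is copied from the m0 listing above.

```shell
#!/bin/sh
# Added example, not part of the original post. Wraps the two-step mirror
# workflow used above (create the mirror record, then attach it to the bridge)
# and parses "ovs-vsctl list mirror" output. Function names are hypothetical
# helpers; the ovs-vsctl syntax is the same as in the post.

# ovs_mirror_cmd BRIDGE NAME KIND MONITORED_PORT OUTPUT_PORT
#   KIND: src  -> select_src_port (packets entering the switch via the port)
#         dst  -> select_dst_port (packets leaving the switch via the port)
#         both -> select_src_port and select_dst_port of that port
#         all  -> select_all=true (every packet on the bridge; port is ignored)
# Prints one ovs-vsctl transaction. "set bridge B mirrors=@m" replaces the
# bridge's mirror list, exactly as the post does; "add bridge B mirrors @m"
# would append to it instead.
ovs_mirror_cmd() {
    br=$1; name=$2; kind=$3; mon=$4; out=$5
    case $kind in
        src)  sel="select_src_port=@mon" ;;
        dst)  sel="select_dst_port=@mon" ;;
        both) sel="select_src_port=@mon select_dst_port=@mon" ;;
        all)  sel="select_all=true" ;;
        *)    echo "ovs_mirror_cmd: unknown kind '$kind' (src|dst|both|all)" >&2; return 1 ;;
    esac
    cmd="ovs-vsctl"
    # select_all needs no port reference, so only look the port up when used
    [ "$kind" != all ] && cmd="$cmd -- --id=@mon get port $mon"
    cmd="$cmd -- --id=@out get port $out"
    cmd="$cmd -- --id=@m create mirror name=$name $sel output_port=@out"
    cmd="$cmd -- set bridge $br mirrors=@m"
    printf '%s\n' "$cmd"
}

# ovs_mirror_apply ARGS... : run the transaction, or only print it if DRY_RUN=1.
# eval is acceptable here because every argument is an operator-supplied bridge
# or port name, not untrusted input.
ovs_mirror_apply() {
    cmd=$(ovs_mirror_cmd "$@") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$cmd"; else eval "$cmd"; fi
}

# ovs_mirror_clear_cmd BRIDGE : the teardown used in section 3.2.2 step 1.
ovs_mirror_clear_cmd() { printf 'ovs-vsctl clear bridge %s mirrors\n' "$1"; }

# mirror_field COLUMN : value of COLUMN from "ovs-vsctl list mirror" on stdin.
mirror_field() {
    awk -v col="$1" '$1 == col && $2 == ":" { sub(/^[^:]*: */, ""); print; exit }'
}

# has VALUE : true when an OVSDB set column is populated (not empty, not "[]").
has() { [ -n "$1" ] && [ "$1" != "[]" ]; }

# mirror_kind : classify a listing on stdin as all | both | src | dst | none,
# using the same names ovs_mirror_cmd accepts, so intent and state can be diffed.
mirror_kind() {
    lst=$(cat)
    all=$(printf '%s\n' "$lst" | mirror_field select_all)
    src=$(printf '%s\n' "$lst" | mirror_field select_src_port)
    dst=$(printf '%s\n' "$lst" | mirror_field select_dst_port)
    if [ "$all" = true ]; then echo all
    elif has "$src" && has "$dst"; then echo both
    elif has "$src"; then echo src
    elif has "$dst"; then echo dst
    else echo none
    fi
}

# Sample listing, copied from the "ovs-vsctl list mirror" output for m0 above.
sample_list_m0() {
    cat <<'EOF'
_uuid               : 8e7d031a-ed70-4d8a-9b72-278a93041e1a
external_ids        : {}
name                : m0
output_port         : dc9236f9-683c-4cd7-bd0d-8e6ac83db0b9
output_vlan         : []
select_all          : false
select_dst_port     : [bb35587e-4a93-493b-a6fa-0c3f7c9a6fb5]
select_src_port     : []
select_vlan         : []
snaplen             : []
statistics          : {tx_bytes=5026, tx_packets=53}
EOF
}

# Dry run of the SPAN mirror (m0) and the RSPAN mirror (m3) from this post,
# then classify the m0 listing: it should print "dst".
DRY_RUN=1 ovs_mirror_apply br-int m0 dst port1 port3
DRY_RUN=1 ovs_mirror_apply br-int m3 src port1 gre0
sample_list_m0 | mirror_kind
```

On a host with OVS, dropping DRY_RUN=1 executes the transaction; the GRE case in section 3.2 is the same call with gre0 as the output port. Comparing the output of mirror_kind on a live "ovs-vsctl list mirror" with the kind you passed to ovs_mirror_cmd catches the most common mistake in this setup, which is confusing select_src_port with select_dst_port.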

Run the ping from ns1 to port2 in ns2 again, capturing in ns2 and ns3 at the same time (on port2 in ns2 the port1-to-port2 packets are captured, and on port3 in ns3 packets are now captured as well, as expected):

root@junwu:/home/junwu# ip netns exec ns2 tcpdump -i port2 -e -nn icmp or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on port2, link-type EN10MB (Ethernet), capture size 262144 bytes
^C15:40:01.058857 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60992, seq 7, length 64
15:40:01.058893 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 7, length 64
15:40:02.082863 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60992, seq 8, length 64
15:40:02.082899 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 8, length 64
15:40:03.106865 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60992, seq 9, length 64
15:40:03.106903 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 9, length 64
15:40:03.171028 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype ARP (0x0806), length 42: Request who-has 11.11.11.12 tell 11.11.11.11, length 28
15:40:03.171051 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype ARP (0x0806), length 42: Reply 11.11.11.12 is-at e6:f3:a7:23:50:f5, length 28

8 packets captured
8 packets received by filter
0 packets dropped by kernel
#############################################################################
## The capture in ns3 shows the ICMP echo replies from port2 to port1 being received successfully:
root@junwu:/home/junwu# ip netns exec ns3 tcpdump -i port3 -e -nn icmp or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on port3, link-type EN10MB (Ethernet), capture size 262144 bytes
^C15:40:11.298886 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 17, length 64
15:40:12.322863 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 18, length 64
15:40:13.346868 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 19, length 64
15:40:14.370807 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 20, length 64

4 packets captured
4 packets received by filter
0 packets dropped by kernel
root@junwu:/home/junwu#

SPAN test passed!

3.2 GRE-based RSPAN approach

3.2.1 Building the experiment environment

The test environment from 3.1.1 can be reused.

3.2.2 Experiment procedure and analysis

1. Clear the mirror

root@junwu:/home/junwu# ovs-vsctl clear bridge br-int mirrors
root@junwu:/home/junwu# ovs-vsctl list mirror
root@junwu:/home/junwu#

2. Add a GRE port

ovs-vsctl add-port br-int gre0 -- set interface gre0 type=gre options:key=0x1000 options:remote_ip=192.168.1.10

Check the port information:

root@junwu:/home/junwu# ovs-vsctl show
b4e71381-9659-43b8-a96d-52d08fc5e801
    Manager "tcp:10.190.23.66:6640"
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
        Port port1
            Interface port1
                type: internal
        Port gre0
            Interface gre0
                type: gre
                options: {key="0x1000", remote_ip="192.168.1.10"}
        Port port2
            Interface port2
                type: internal
        Port port3
            Interface port3
                type: internal
    ovs_version: "2.13.3"

3. Create the mirror:

ovs-vsctl -- --id=@port1 get port port1  
          -- --id=@gre0 get port gre0  
          -- --id=@m create mirror name=m3 select_src_port=@port1 output_port=@gre0 
          -- set bridge br-int mirrors=@m

Running the command:

root@junwu:/home/junwu# ovs-vsctl -- --id=@port1 get port port1  
>           -- --id=@gre0 get port gre0  
>           -- --id=@m create mirror name=m3 select_src_port=@port1 output_port=@gre0 
>           -- set bridge br-int mirrors=@m
546cdade-8d02-45e8-b265-e57177b206b9

Check the mirror:

root@junwu:/home/junwu# ovs-vsctl list mirror
_uuid               : 546cdade-8d02-45e8-b265-e57177b206b9
external_ids        : {}
name                : m3
output_port         : c9ae0113-e8c0-4883-a3cf-9532d845531f
output_vlan         : []
select_all          : false
select_dst_port     : []
select_src_port     : [bb35587e-4a93-493b-a6fa-0c3f7c9a6fb5]
select_vlan         : []
snaplen             : []
statistics          : {tx_bytes=0, tx_packets=0}
root@junwu:/home/junwu#

4. Packet capture analysis

Capturing on the external uplink ens32 shows that the GRE packets are being sent:

root@junwu:/home/junwu# tcpdump -i ens32 -nn -e proto gre
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens32, link-type EN10MB (Ethernet), capture size 262144 bytes
16:00:09.858874 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 14, length 64
16:00:10.882868 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 15, length 64
16:00:11.906806 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 16, length 64
16:00:12.930870 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 17, length 64
16:00:13.954850 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 18, length 64
16:00:14.978781 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 19, length 64
16:00:16.002797 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 20, length 64
16:00:17.026796 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 21, length 64
16:00:18.050824 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 22, length 64
16:00:19.074858 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 23, length 64
16:00:20.098859 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 24, length 64
16:00:21.122871 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 25, length 64
^C
12 packets captured
13 packets received by filter
0 packets dropped by kernel
2 packets dropped by interface
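
As an added example that is not part of the original post, and that serves both the SPAN capture on port3 in section 3.1.2 and the GRE capture on ens32 just shown, the script below checks a tcpdump -nn capture taken on the mirror destination against the direction the mirror was configured to select. This is the check that separates a select_dst_port mirror (only the replies addressed to port1 appear on port3) from a select_src_port mirror (only the requests sent by port1 appear inside the GRE tunnel). The helper names count_from, count_to and mirror_direction_check are assumptions of this example; the sample captures are short excerpts of the captures shown in this post.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks a tcpdump -nn capture
# from a mirror destination (port3 in the SPAN test, ens32 in the GRE RSPAN
# test) against the direction the mirror was told to select:
#   select_dst_port=port1 -> only packets *to* port1's IP may appear
#   select_src_port=port1 -> only packets *from* port1's IP may appear
# Helper names are hypothetical. Only lines carrying an "A > B:" IP pair are
# counted, so ARP lines are ignored; GRE lines still work because tcpdump
# prints the inner IP pair on the same line as the outer GRE header.

# count_from IP / count_to IP : number of capture lines (stdin) whose IP
# source / destination is IP. "|| true" keeps grep's exit status of 1 on
# zero matches from aborting callers that run under set -e.
count_from() { grep -Fc " $1 > " || true; }
count_to()   { grep -Fc " > $1:" || true; }

# mirror_direction_check IP KIND : capture on stdin, KIND is src | dst | both.
# Returns 0 when the capture contains exactly the direction(s) KIND implies.
mirror_direction_check() {
    ip=$1; kind=$2
    cap=$(cat)
    from=$(printf '%s\n' "$cap" | count_from "$ip")
    to=$(printf '%s\n' "$cap" | count_to "$ip")
    echo "from $ip: $from, to $ip: $to (expected kind: $kind)"
    case $kind in
        src)  [ "$from" -gt 0 ] && [ "$to" -eq 0 ] ;;
        dst)  [ "$to" -gt 0 ] && [ "$from" -eq 0 ] ;;
        both) [ "$from" -gt 0 ] && [ "$to" -gt 0 ] ;;
        *)    echo "mirror_direction_check: unknown kind '$kind'" >&2; return 1 ;;
    esac
}

# Excerpts of the captures shown in this post.
# ns2/port2: the monitored conversation itself, both directions plus ARP.
sample_span_port2() {
    cat <<'EOF'
15:40:01.058857 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60992, seq 7, length 64
15:40:01.058893 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 7, length 64
15:40:03.171028 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype ARP (0x0806), length 42: Request who-has 11.11.11.12 tell 11.11.11.11, length 28
EOF
}
# ns3/port3 under m0 (select_dst_port=port1): replies to port1 only.
sample_span_port3() {
    cat <<'EOF'
15:40:11.298886 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 17, length 64
15:40:12.322863 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 18, length 64
EOF
}
# ens32 under m3 (select_src_port=port1): requests from port1 only, in GRE.
sample_gre_ens32() {
    cat <<'EOF'
16:00:09.858874 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 14, length 64
16:00:10.882868 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 15, length 64
EOF
}

# All three checks pass: port2 sees both directions, port3 sees only traffic
# to port1 (dst mirror), ens32 sees only traffic from port1 (src mirror).
sample_span_port2 | mirror_direction_check 11.11.11.11 both
sample_span_port3 | mirror_direction_check 11.11.11.11 dst
sample_gre_ens32  | mirror_direction_check 11.11.11.11 src
```

For a live check, pipe a saved capture into the function instead of the sample, for example "tcpdump -r port3.pcap -nn | mirror_direction_check 11.11.11.11 dst". Because the match is on the inner IP pair, the same call works on the ens32 capture even though every line there starts with the outer GRE header; ARP is deliberately left out of the count, so a mirror that forwards only ARP would report zero in both directions and fail the check.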

GRE-based RSPAN test passed!

4 Open questions

1. RSPAN has a prerequisite step of disabling MAC learning on the VLAN so that normal forwarding is not affected; this experiment did not verify it.

2. The effect of the OVS NORMAL action was not verified:

root@junwu:/home/junwu# sudo ovs-ofctl dump-flows -O openflow13 br-int

cookie=0x0, duration=4655.660s, table=0, n_packets=4106, n_bytes=388228, priority=0 actions=NORMAL

Follow-up experiments will verify these two aspects; discussion and feedback are welcome.
