
OVS Port Mirroring Verification Experiment

1 Basic workflow for creating an OVS port mirror

1. Create a mirror, specifying in it the mirrored traffic source (select) and destination (output)

2. Apply the mirror to a bridge

2 Basic concepts of OVS port mirroring

1. select_all: when set to true, every packet entering or leaving any port of the bridge the mirror is attached to is mirrored

2. select_dst_port: packets leaving the virtual switch through this port are mirrored

3. select_src_port: packets entering the virtual switch through this port are mirrored

4. select_vlan: uses a specific VLAN as the traffic source; every packet of that VLAN is mirrored to the destination

5. output_port: mirrors the packets to a specific port

6. output_vlan: mirrors the packets to the specified VLAN; the original VLAN tag is stripped. If several VLANs are mirrored into the same VLAN, there is no way to tell which source VLAN a mirrored packet came from.

3 Experiment

This experiment covers the SPAN approach and the GRE-based RSPAN approach.

3.1 SPAN approach

3.1.1 Building the test environment

## Create the bridge
root@junwu:/home/junwu# ovs-vsctl add-br br-int

## Create port1, port2 and port3 and set the interface type
root@junwu:/home/junwu# ovs-vsctl add-port br-int port1 -- set interface port1 type=internal
root@junwu:/home/junwu# ovs-vsctl add-port br-int port2 -- set interface port2 type=internal
root@junwu:/home/junwu# ovs-vsctl add-port br-int port3 -- set interface port3 type=internal

## Create the namespaces
root@junwu:/home/junwu# ip netns add ns1
root@junwu:/home/junwu# ip netns add ns2
root@junwu:/home/junwu# ip netns add ns3

## Move the three ports into their namespaces
root@junwu:/home/junwu# ip link set dev port1 netns ns1
root@junwu:/home/junwu# ip link set dev port2 netns ns2
root@junwu:/home/junwu# ip link set dev port3 netns ns3

## Bring the ports up and assign IP addresses (port3 is only a capture port and gets no address)
root@junwu:/home/junwu# ip netns exec ns1 ip addr add 11.11.11.11/24 dev port1
root@junwu:/home/junwu# ip netns exec ns1 ip link set up port1
root@junwu:/home/junwu# ip netns exec ns2 ip addr add 11.11.11.12/24 dev port2
root@junwu:/home/junwu# ip netns exec ns2 ip link set up port2
root@junwu:/home/junwu# ip netns exec ns3 ip link set up port3


Inspect the environment:

root@junwu:/home/junwu# ovs-vsctl show
b4e71381-9659-43b8-a96d-52d08fc5e801
    Manager "tcp:10.190.23.66:6640"
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
        Port port1
            Interface port1
                type: internal
        Port port2
            Interface port2
                type: internal
        Port port3
            Interface port3
                type: internal
    ovs_version: "2.13.3"           


3.1.2 Experiment steps and analysis

1. From ns1, ping port2 in ns2:

root@junwu:/home/junwu# ip netns exec ns1 ping 11.11.11.12 -c 10
PING 11.11.11.12 (11.11.11.12) 56(84) bytes of data.
64 bytes from 11.11.11.12: icmp_seq=1 ttl=64 time=0.614 ms
64 bytes from 11.11.11.12: icmp_seq=2 ttl=64 time=0.049 ms
64 bytes from 11.11.11.12: icmp_seq=3 ttl=64 time=0.065 ms
64 bytes from 11.11.11.12: icmp_seq=4 ttl=64 time=0.051 ms
64 bytes from 11.11.11.12: icmp_seq=5 ttl=64 time=0.055 ms
64 bytes from 11.11.11.12: icmp_seq=6 ttl=64 time=0.057 ms
64 bytes from 11.11.11.12: icmp_seq=7 ttl=64 time=0.047 ms
64 bytes from 11.11.11.12: icmp_seq=8 ttl=64 time=0.049 ms
64 bytes from 11.11.11.12: icmp_seq=9 ttl=64 time=0.045 ms
64 bytes from 11.11.11.12: icmp_seq=10 ttl=64 time=0.043 ms

--- 11.11.11.12 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9208ms
rtt min/avg/max/mdev = 0.043/0.107/0.614/0.168 ms
root@junwu:/home/junwu#           


2. At the same time, capture in ns2 (the packets from port1 to port2 are captured on port2 in ns2, as expected):

root@junwu:/home/junwu# ip netns exec ns2 tcpdump -i port2 -e -nn icmp or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on port2, link-type EN10MB (Ethernet), capture size 262144 bytes
^C15:26:10.274873 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60794, seq 72, length 64
15:26:10.274914 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60794, seq 72, length 64
15:26:11.298860 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60794, seq 73, length 64
15:26:11.298896 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60794, seq 73, length 64
15:26:12.322854 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60794, seq 74, length 64
15:26:12.322886 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60794, seq 74, length 64
15:26:13.346867 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60794, seq 75, length 64
15:26:13.346904 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60794, seq 75, length 64
15:26:14.370852 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60794, seq 76, length 64
15:26:14.370883 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60794, seq 76, length 64

10 packets captured
10 packets received by filter
0 packets dropped by kernel           


3. At the same time, capture in ns3 (no packets are captured on port3 in ns3, as expected):

root@junwu:/home/junwu# ip netns exec ns3 tcpdump -i port3 -e -nn icmp or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on port3, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel           


4. Now the core of SPAN. First create mirror m0 and apply it to br-int, mirroring the packets that leave the switch through port1 in ns1 (select_dst_port) to port3 in ns3 (output_port):

ovs-vsctl -- --id=@port1 get port port1  \
          -- --id=@port3 get port port3  \
          -- --id=@m create mirror name=m0 select_dst_port=@port1 output_port=@port3 \
          -- set bridge br-int mirrors=@m           


Command as executed:

root@junwu:/home/junwu# ovs-vsctl -- --id=@port1 get port port1  \
>           -- --id=@port3 get port port3  \
>           -- --id=@m create mirror name=m0 select_dst_port=@port1 output_port=@port3 \
>           -- set bridge br-int mirrors=@m
8e7d031a-ed70-4d8a-9b72-278a93041e1a           


Inspect mirror m0 on OVS:

root@junwu:/home/junwu# ovs-vsctl list mirror
_uuid               : 8e7d031a-ed70-4d8a-9b72-278a93041e1a
external_ids        : {}
name                : m0
output_port         : dc9236f9-683c-4cd7-bd0d-8e6ac83db0b9
output_vlan         : []
select_all          : false
select_dst_port     : [bb35587e-4a93-493b-a6fa-0c3f7c9a6fb5]
select_src_port     : []
select_vlan         : []
snaplen             : []
statistics          : {tx_bytes=5026, tx_packets=53}           


Run the ping from ns1 to port2 in ns2 again, capturing in both ns2 and ns3 at the same time (the packets from port1 to port2 are captured on port2 in ns2, and packets are now also captured on port3 in ns3, as expected):

root@junwu:/home/junwu# ip netns exec ns2 tcpdump -i port2 -e -nn icmp or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on port2, link-type EN10MB (Ethernet), capture size 262144 bytes
^C15:40:01.058857 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60992, seq 7, length 64
15:40:01.058893 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 7, length 64
15:40:02.082863 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60992, seq 8, length 64
15:40:02.082899 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 8, length 64
15:40:03.106865 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60992, seq 9, length 64
15:40:03.106903 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 9, length 64
15:40:03.171028 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype ARP (0x0806), length 42: Request who-has 11.11.11.12 tell 11.11.11.11, length 28
15:40:03.171051 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype ARP (0x0806), length 42: Reply 11.11.11.12 is-at e6:f3:a7:23:50:f5, length 28

8 packets captured
8 packets received by filter
0 packets dropped by kernel
#############################################################################
## The capture in ns3 shows that the ICMP echo replies from port2 to port1 are mirrored successfully:
root@junwu:/home/junwu# ip netns exec ns3 tcpdump -i port3 -e -nn icmp or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on port3, link-type EN10MB (Ethernet), capture size 262144 bytes
^C15:40:11.298886 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 17, length 64
15:40:12.322863 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 18, length 64
15:40:13.346868 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 19, length 64
15:40:14.370807 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 20, length 64

4 packets captured
4 packets received by filter
0 packets dropped by kernel
root@junwu:/home/junwu#           


SPAN test passed!

3.2 GRE-based RSPAN approach

3.2.1 Building the test environment

The environment from 3.1.1 can be reused for this test.

3.2.2 Experiment steps and analysis

1. Clear the existing mirror

root@junwu:/home/junwu# ovs-vsctl clear bridge br-int mirrors
root@junwu:/home/junwu# ovs-vsctl list mirror
root@junwu:/home/junwu#           


2. Add a GRE port

ovs-vsctl add-port br-int gre0 -- set interface gre0 type=gre options:key=0x1000 options:remote_ip=192.168.1.10           


Inspect the port information:

root@junwu:/home/junwu# ovs-vsctl show
b4e71381-9659-43b8-a96d-52d08fc5e801
    Manager "tcp:10.190.23.66:6640"
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
        Port port1
            Interface port1
                type: internal
        Port gre0
            Interface gre0
                type: gre
                options: {key="0x1000", remote_ip="192.168.1.10"}
        Port port2
            Interface port2
                type: internal
        Port port3
            Interface port3
                type: internal
    ovs_version: "2.13.3"           


3. Create the mirror:

ovs-vsctl -- --id=@port1 get port port1  \
          -- --id=@gre0 get port gre0  \
          -- --id=@m create mirror name=m3 select_src_port=@port1 output_port=@gre0 \
          -- set bridge br-int mirrors=@m           


Command as executed:

root@junwu:/home/junwu# ovs-vsctl -- --id=@port1 get port port1  \
>           -- --id=@gre0 get port gre0  \
>           -- --id=@m create mirror name=m3 select_src_port=@port1 output_port=@gre0 \
>           -- set bridge br-int mirrors=@m
546cdade-8d02-45e8-b265-e57177b206b9           


Inspect the mirror:

root@junwu:/home/junwu# ovs-vsctl list mirror
_uuid               : 546cdade-8d02-45e8-b265-e57177b206b9
external_ids        : {}
name                : m3
output_port         : c9ae0113-e8c0-4883-a3cf-9532d845531f
output_vlan         : []
select_all          : false
select_dst_port     : []
select_src_port     : [bb35587e-4a93-493b-a6fa-0c3f7c9a6fb5]
select_vlan         : []
snaplen             : []
statistics          : {tx_bytes=0, tx_packets=0}
root@junwu:/home/junwu#           


4. Packet capture analysis

Capturing on the external uplink ens32 shows that the GRE-encapsulated packets are being sent:

root@junwu:/home/junwu# tcpdump -i ens32 -nn -e proto gre
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens32, link-type EN10MB (Ethernet), capture size 262144 bytes
16:00:09.858874 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 14, length 64
16:00:10.882868 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 15, length 64
16:00:11.906806 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 16, length 64
16:00:12.930870 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 17, length 64
16:00:13.954850 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 18, length 64
16:00:14.978781 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 19, length 64
16:00:16.002797 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 20, length 64
16:00:17.026796 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 21, length 64
16:00:18.050824 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 22, length 64
16:00:19.074858 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 23, length 64
16:00:20.098859 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 24, length 64
16:00:21.122871 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 25, length 64
^C
12 packets captured
13 packets received by filter
0 packets dropped by kernel
2 packets dropped by interface           


GRE-based RSPAN test passed!
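As an added example (not part of the original post), the following Python parses `ovs-vsctl list mirror` records in the format shown above and applies the select_src_port / select_dst_port / select_all rules from section 2 to the two directions of the ping, which explains why m0 delivered only echo replies to port3 while m3 sent only echo requests into gre0. The UUID-to-port-name map is assumed (it is what `ovs-vsctl list port` would report for this bridge) and select_vlan is not modelled.

```python
# Constructed input: `ovs-vsctl list mirror` records for m0 and m3 (abridged columns).
MIRROR_LIST = """\
name                : m0
output_port         : dc9236f9-683c-4cd7-bd0d-8e6ac83db0b9
select_all          : false
select_dst_port     : [bb35587e-4a93-493b-a6fa-0c3f7c9a6fb5]
select_src_port     : []

name                : m3
output_port         : c9ae0113-e8c0-4883-a3cf-9532d845531f
select_all          : false
select_dst_port     : []
select_src_port     : [bb35587e-4a93-493b-a6fa-0c3f7c9a6fb5]
"""
# Assumed UUID -> Port name mapping (what `ovs-vsctl list port` would report).
PORT_NAMES = {
    "bb35587e-4a93-493b-a6fa-0c3f7c9a6fb5": "port1",
    "dc9236f9-683c-4cd7-bd0d-8e6ac83db0b9": "port3",
    "c9ae0113-e8c0-4883-a3cf-9532d845531f": "gre0",
}

def parse_value(raw):
    # OVSDB column values: true/false, [] or [uuid, ...] sets, otherwise a scalar.
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith("[") and raw.endswith("]"):
        inner = raw[1:-1].strip()
        return [v.strip() for v in inner.split(",")] if inner else []
    return raw

def parse_mirrors(text):
    # One record per blank-line-separated block; each line is "column : value".
    return [{k.strip(): parse_value(v) for k, _, v in
             (line.partition(":") for line in block.splitlines())}
            for block in text.strip().split("\n\n")]

def is_mirrored(mirror, in_port, out_port):
    # Section 2 rules for a packet entering on in_port and leaving on out_port.
    if mirror["select_all"]:
        return True
    src = [PORT_NAMES.get(u, u) for u in mirror["select_src_port"]]
    dst = [PORT_NAMES.get(u, u) for u in mirror["select_dst_port"]]
    return in_port in src or out_port in dst  # select_vlan is not modelled

def mirror_report(text, flows):
    # mirror name -> (output port name, the (in_port, out_port) flows copied to it)
    return {m["name"]: (PORT_NAMES.get(m["output_port"], m["output_port"]),
                        [f for f in flows if is_mirrored(m, *f)])
            for m in parse_mirrors(text)}
```

Calling `mirror_report(MIRROR_LIST, [("port1", "port2"), ("port2", "port1")])` returns port3 receiving only the reply flow for m0 and gre0 receiving only the request flow for m3, matching the two captures above.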

4 Open issues

1. The RSPAN approach has a prerequisite of disabling MAC learning on the RSPAN VLAN so that normal forwarding is not affected; this experiment did not verify it.

2. The effect of the OVS NORMAL action on mirroring was not verified

root@junwu:/home/junwu# sudo ovs-ofctl dump-flows -O openflow13 br-int

cookie=0x0, duration=4655.660s, table=0, n_packets=4106, n_bytes=388228, priority=0 actions=NORMAL

The next experiment will verify these two aspects; discussion and feedback are welcome.