Who open-sourced OVS? Summary of OVS port mirroring verification experiments


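I. Basic workflow for creating an OVS port mirror

1. Create a mirror, specifying in it the source of the mirrored traffic (select) and its destination (output).

2. Apply the mirror to a bridge.

II. Basic concepts of OVS port mirroring

1. select_all: when set to true, every packet arriving or departing on any port of the bridge is mirrored.

2. select_dst_port: packets leaving the virtual switch through this port are mirrored.

3. select_src_port: packets entering the virtual switch through this port are mirrored.

4. select_vlan: uses a specific VLAN as the source; all packets in that VLAN are mirrored to the destination.

5. output_port: mirrors the packets to a specific port.

6. output_vlan: mirrors the packets to the specified VLAN. The VLAN tag of the original packet is stripped. If several VLANs are mirrored to the same VLAN, there is no way to tell which VLAN a mirrored packet came from.

III. Experiments

These experiments cover the SPAN method and the GRE-based RSPAN method.

### 3.1 SPAN

#### 3.1.1 Building the test environment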

```shell
## Create the bridge
root@junwu:/home/junwu# ovs-vsctl add-br br-int

## Create port1, port2 and port3 and set the interface type
root@junwu:/home/junwu# ovs-vsctl add-port br-int port1 -- set interface port1 type=internal
root@junwu:/home/junwu# ovs-vsctl add-port br-int port2 -- set interface port2 type=internal
root@junwu:/home/junwu# ovs-vsctl add-port br-int port3 -- set interface port3 type=internal

## Create the namespaces
root@junwu:/home/junwu# ip netns add ns1
root@junwu:/home/junwu# ip netns add ns2
root@junwu:/home/junwu# ip netns add ns3

## Move each of the three ports into its namespace
root@junwu:/home/junwu# ip link set dev port1 netns ns1
root@junwu:/home/junwu# ip link set dev port2 netns ns2
root@junwu:/home/junwu# ip link set dev port3 netns ns3

## Bring the ports up and configure IP addresses
root@junwu:/home/junwu# ip netns exec ns1 ip addr add 11.11.11.11/24 dev port1
root@junwu:/home/junwu# ip netns exec ns1 ip link set up port1
root@junwu:/home/junwu# ip netns exec ns2 ip addr add 11.11.11.12/24 dev port2
root@junwu:/home/junwu# ip netns exec ns2 ip link set up port2
root@junwu:/home/junwu# ip netns exec ns3 ip link set up port3
```

Check the environment:

```shell
root@junwu:/home/junwu# ovs-vsctl show
b4e71381-9659-43b8-a96d-52d08fc5e801
    Manager "tcp:10.190.23.66:6640"
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
        Port port1
            Interface port1
                type: internal
        Port port2
            Interface port2
                type: internal
        Port port3
            Interface port3
                type: internal
    ovs_version: "2.13.3"
```

#### 3.1.2 Procedure and analysis

1. From ns1, ping port2 in ns2:

```shell
root@junwu:/home/junwu# ip netns exec ns1 ping 11.11.11.12 -c 10
PING 11.11.11.12 (11.11.11.12) 56(84) bytes of data.
64 bytes from 11.11.11.12: icmp_seq=1 ttl=64 time=0.614 ms
64 bytes from 11.11.11.12: icmp_seq=2 ttl=64 time=0.049 ms
64 bytes from 11.11.11.12: icmp_seq=3 ttl=64 time=0.065 ms
64 bytes from 11.11.11.12: icmp_seq=4 ttl=64 time=0.051 ms
64 bytes from 11.11.11.12: icmp_seq=5 ttl=64 time=0.055 ms
64 bytes from 11.11.11.12: icmp_seq=6 ttl=64 time=0.057 ms
64 bytes from 11.11.11.12: icmp_seq=7 ttl=64 time=0.047 ms
64 bytes from 11.11.11.12: icmp_seq=8 ttl=64 time=0.049 ms
64 bytes from 11.11.11.12: icmp_seq=9 ttl=64 time=0.045 ms
64 bytes from 11.11.11.12: icmp_seq=10 ttl=64 time=0.043 ms

--- 11.11.11.12 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9208ms
rtt min/avg/max/mdev = 0.043/0.107/0.614/0.168 ms
root@junwu:/home/junwu#
```

2. At the same time, capture packets in ns2 (the packets from port1 to port2 are captured on port2 in ns2, as expected):

```shell
root@junwu:/home/junwu# ip netns exec ns2 tcpdump -i port2 -e -nn icmp or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on port2, link-type EN10MB (Ethernet), capture size 262144 bytes
^C15:26:10.274873 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60794, seq 72, length 64
15:26:10.274914 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60794, seq 72, length 64
15:26:11.298860 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60794, seq 73, length 64
15:26:11.298896 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60794, seq 73, length 64
15:26:12.322854 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60794, seq 74, length 64
15:26:12.322886 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60794, seq 74, length 64
15:26:13.346867 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60794, seq 75, length 64
15:26:13.346904 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60794, seq 75, length 64
15:26:14.370852 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60794, seq 76, length 64
15:26:14.370883 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60794, seq 76, length 64
10 packets captured
10 packets received by filter
0 packets dropped by kernel
```

3. At the same time, capture packets in ns3 (no packets are captured on port3 in ns3, as expected):

```shell
root@junwu:/home/junwu# ip netns exec ns3 tcpdump -i port3 -e -nn icmp or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on port3, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
```

4. Now for the core of SPAN. Create the mirror m0, apply it to br-int, and mirror the packets that leave through port1 in ns1 (select_dst_port) to port3 in ns3 (output_port):

```shell
ovs-vsctl -- --id=@port1 get port port1 \
-- --id=@port3 get port port3 \
-- --id=@m create mirror name=m0 select_dst_port=@port1 output_port=@port3 \
-- set bridge br-int mirrors=@m
```

The command as run:

```shell
root@junwu:/home/junwu# ovs-vsctl -- --id=@port1 get port port1 \
> -- --id=@port3 get port port3 \
> -- --id=@m create mirror name=m0 select_dst_port=@port1 output_port=@port3 \
> -- set bridge br-int mirrors=@m
8e7d031a-ed70-4d8a-9b72-278a93041e1a
```

View mirror m0 in OVS:

```shell
root@junwu:/home/junwu# ovs-vsctl list mirror
_uuid : 8e7d031a-ed70-4d8a-9b72-278a93041e1a
external_ids : {}
name : m0
output_port : dc9236f9-683c-4cd7-bd0d-8e6ac83db0b9
output_vlan : []
select_all : false
select_dst_port : [bb35587e-4a93-493b-a6fa-0c3f7c9a6fb5]
select_src_port : []
select_vlan : []
snaplen : []
statistics : {tx_bytes=5026, tx_packets=53}
```

Run the ping from ns1 to port2 in ns2 again, capturing in ns2 and ns3 at the same time (the packets from port1 to port2 are captured on port2 in ns2, and packets are now also captured on port3 in ns3, as expected):

```shell
root@junwu:/home/junwu# ip netns exec ns2 tcpdump -i port2 -e -nn icmp or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on port2, link-type EN10MB (Ethernet), capture size 262144 bytes
^C15:40:01.058857 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60992, seq 7, length 64
15:40:01.058893 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 7, length 64
15:40:02.082863 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60992, seq 8, length 64
15:40:02.082899 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 8, length 64
15:40:03.106865 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 60992, seq 9, length 64
15:40:03.106903 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 9, length 64
15:40:03.171028 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype ARP (0x0806), length 42: Request who-has 11.11.11.12 tell 11.11.11.11, length 28
15:40:03.171051 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype ARP (0x0806), length 42: Reply 11.11.11.12 is-at e6:f3:a7:23:50:f5, length 28
8 packets captured
8 packets received by filter
0 packets dropped by kernel

#############################################################################

## Capturing in ns3 shows that the ICMP replies from port2 to port1 are successfully received:
root@junwu:/home/junwu# ip netns exec ns3 tcpdump -i port3 -e -nn icmp or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on port3, link-type EN10MB (Ethernet), capture size 262144 bytes
^C15:40:11.298886 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 17, length 64
15:40:12.322863 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 18, length 64
15:40:13.346868 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 19, length 64
15:40:14.370807 e6:f3:a7:23:50:f5 > 1e:00:7c:b4:c4:e1, ethertype IPv4 (0x0800), length 98: 11.11.11.12 > 11.11.11.11: ICMP echo reply, id 60992, seq 20, length 64
4 packets captured
4 packets received by filter
0 packets dropped by kernel
root@junwu:/home/junwu#
```

The SPAN test passes!

### 3.2 GRE-based RSPAN

#### 3.2.1 Building the test environment

The environment built in 3.1.1 can be reused.

#### 3.2.2 Procedure and analysis

1. Clear the mirror

```shell
root@junwu:/home/junwu# ovs-vsctl clear bridge br-int mirrors
root@junwu:/home/junwu# ovs-vsctl list mirror
root@junwu:/home/junwu#
```

2. Add a GRE port

```shell
ovs-vsctl add-port br-int gre0 -- set interface gre0 type=gre options:key=0x1000 options:remote_ip=192.168.1.10
```

View the port information:

```shell
root@junwu:/home/junwu# ovs-vsctl show
b4e71381-9659-43b8-a96d-52d08fc5e801
    Manager "tcp:10.190.23.66:6640"
    Bridge br-int
        Port br-int
            Interface br-int
                type: internal
        Port port1
            Interface port1
                type: internal
        Port gre0
            Interface gre0
                type: gre
                options: {key="0x1000", remote_ip="192.168.1.10"}
        Port port2
            Interface port2
                type: internal
        Port port3
            Interface port3
                type: internal
    ovs_version: "2.13.3"
```

3. Create the mirror:

```shell
ovs-vsctl -- --id=@port1 get port port1 \
-- --id=@gre0 get port gre0 \
-- --id=@m create mirror name=m3 select_src_port=@port1 output_port=@gre0 \
-- set bridge br-int mirrors=@m
```

The command as run:

```shell
root@junwu:/home/junwu# ovs-vsctl -- --id=@port1 get port port1 \
> -- --id=@gre0 get port gre0 \
> -- --id=@m create mirror name=m3 select_src_port=@port1 output_port=@gre0 \
> -- set bridge br-int mirrors=@m
546cdade-8d02-45e8-b265-e57177b206b9
```

View the mirror:

```shell
root@junwu:/home/junwu# ovs-vsctl list mirror
_uuid : 546cdade-8d02-45e8-b265-e57177b206b9
external_ids : {}
name : m3
output_port : c9ae0113-e8c0-4883-a3cf-9532d845531f
output_vlan : []
select_all : false
select_dst_port : []
select_src_port : [bb35587e-4a93-493b-a6fa-0c3f7c9a6fb5]
select_vlan : []
snaplen : []
statistics : {tx_bytes=0, tx_packets=0}
root@junwu:/home/junwu#
```
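The `ovs-vsctl list mirror` records for m0 and m3 are what an operator reads back to confirm what a bridge is copying and where the copy goes. The following added example (not part of the original write-up) parses that record format and summarises each mirror, including whether its output port is a tunnel that carries traffic off the host. The `PORTS` lookup is derived from the create commands on this page; `TUNNEL_TYPES`, `parse_records` and `audit` are names chosen for this example.

```python
import re

UUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"

# Records as printed on the page (m0 from 3.1.2, m3 from 3.2.2), trimmed to the
# fields used here and placed in one listing for this example.
MIRRORS = """\
_uuid : 8e7d031a-ed70-4d8a-9b72-278a93041e1a
name : m0
output_port : dc9236f9-683c-4cd7-bd0d-8e6ac83db0b9
select_all : false
select_dst_port : [bb35587e-4a93-493b-a6fa-0c3f7c9a6fb5]
select_src_port : []

_uuid : 546cdade-8d02-45e8-b265-e57177b206b9
name : m3
output_port : c9ae0113-e8c0-4883-a3cf-9532d845531f
select_all : false
select_dst_port : []
select_src_port : [bb35587e-4a93-493b-a6fa-0c3f7c9a6fb5]
"""
# Lookup built for this example: port UUID -> (port name, interface type).
PORTS = {
    "bb35587e-4a93-493b-a6fa-0c3f7c9a6fb5": ("port1", "internal"),
    "dc9236f9-683c-4cd7-bd0d-8e6ac83db0b9": ("port3", "internal"),
    "c9ae0113-e8c0-4883-a3cf-9532d845531f": ("gre0", "gre"),
}
TUNNEL_TYPES = {"gre", "vxlan", "geneve"}

def parse_records(text):
    """Split `ovs-vsctl list` output into one dict per blank-line-separated record."""
    blocks = re.split(r"\n[ \t]*\n", text.strip())
    return [dict(re.findall(r"^(\w+)[ \t]*:[ \t]*(.*?)[ \t]*$", b, flags=re.M))
            for b in blocks]

def audit(text, ports):
    """Summarise each mirror: what it copies, where to, whether it leaves the host."""
    def names(rec, field):
        return [ports.get(u, (u, "unknown"))[0] for u in re.findall(UUID, rec.get(field, ""))]
    findings = []
    for rec in parse_records(text):
        out = re.findall(UUID, rec.get("output_port", ""))
        out_name, out_type = ports.get(out[0], (out[0], "unknown")) if out else (None, None)
        findings.append({
            "mirror": rec.get("name"),
            "ingress_of": names(rec, "select_src_port"),
            "egress_of": names(rec, "select_dst_port"),
            "all_traffic": rec.get("select_all") == "true",
            "output": out_name,
            "leaves_host": out_type in TUNNEL_TYPES,
        })
    return findings
```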

4. Packet capture analysis

Capturing on the external uplink ens32 shows that the GRE packets are being sent:

```shell
root@junwu:/home/junwu# tcpdump -i ens32 -nn -e proto gre
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens32, link-type EN10MB (Ethernet), capture size 262144 bytes
16:00:09.858874 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 14, length 64
16:00:10.882868 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 15, length 64
16:00:11.906806 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 16, length 64
16:00:12.930870 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 17, length 64
16:00:13.954850 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 18, length 64
16:00:14.978781 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 19, length 64
16:00:16.002797 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 20, length 64
16:00:17.026796 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 21, length 64
16:00:18.050824 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 22, length 64
16:00:19.074858 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 23, length 64
16:00:20.098859 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 24, length 64
16:00:21.122871 00:0c:29:6e:c0:06 > 80:3a:f4:56:b6:53, ethertype IPv4 (0x0800), length 140: 10.190.23.67 > 192.168.1.10: GREv0, key=0x1000, proto TEB (0x6558), length 106: 1e:00:7c:b4:c4:e1 > e6:f3:a7:23:50:f5, ethertype IPv4 (0x0800), length 98: 11.11.11.11 > 11.11.11.12: ICMP echo request, id 61067, seq 25, length 64
^C
12 packets captured
13 packets received by filter
0 packets dropped by kernel
2 packets dropped by interface
```

The GRE-based RSPAN test passes!
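The capture on ens32 shows each mirrored frame wrapped as Ethernet/IPv4/GRE with key 0x1000 and protocol TEB (0x6558). This added example (not from the original write-up) decodes that encapsulation and reproduces the 140, 106 and 98 byte lengths that tcpdump reports. The sample frame is constructed from the addresses in the capture, with a zeroed inner payload and IP checksum; `parse_gre_mirror` and `build_sample` are names chosen here.

```python
import socket
import struct

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_gre_mirror(frame):
    """Decode Ethernet/IPv4/GREv0 and return the tunnel fields plus inner-frame facts."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    if ip[9] != 47:
        raise ValueError("IP protocol is not GRE (47)")
    gre = frame[14 + ihl:]
    flags, proto = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:
        raise ValueError("only GRE version 0 is handled")
    off, key = 4, None
    if flags & 0x8000:            # C bit: checksum + reserved words present
        off += 4
    if flags & 0x2000:            # K bit: 32-bit key present
        key = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if flags & 0x1000:            # S bit: sequence number present
        off += 4
    inner = gre[off:]
    return {
        "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
        "key": key, "proto": proto, "gre_len": len(gre),
        "inner_dst": mac(inner[0:6]), "inner_src": mac(inner[6:12]),
        "inner_len": len(inner),
    }

def build_sample():
    """Constructed frame with the addresses, key and sizes shown in the capture."""
    inner = (bytes.fromhex("e6f3a72350f5") + bytes.fromhex("1e007cb4c4e1")
             + b"\x08\x00" + bytes(84))   # 98-byte inner frame, payload zeroed
    gre = struct.pack("!HHI", 0x2000, 0x6558, 0x1000)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre) + len(inner), 0, 0,
                     64, 47, 0,           # TTL 64, protocol 47, checksum left at 0
                     socket.inet_aton("10.190.23.67"),
                     socket.inet_aton("192.168.1.10"))
    eth = bytes.fromhex("803af456b653") + bytes.fromhex("000c296ec006") + b"\x08\x00"
    return eth + ip + gre + inner

if __name__ == "__main__":
    print(parse_gre_mirror(build_sample()))
```

The GRE key only identifies the tunnel; the inner frame crosses the underlay unencrypted, so every hop on the path to 192.168.1.10 can read the mirrored traffic in full.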

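IV. Open issues

1. RSPAN has a prerequisite: MAC learning must be disabled on the VLAN so that normal forwarding is not affected. This experiment did not verify it.

2. The effect of the OVS NORMAL action was not verified.

```shell
root@junwu:/home/junwu# sudo ovs-ofctl dump-flows -O openflow13 br0
cookie=0x0, duration=4655.660s, table=0, n_packets=4106, n_bytes=388228, priority=0 actions=NORMAL
```

The next experiment will verify these two points.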
