参考链接
https://segmentfault.com/a/1190000019612525
实验说明:
用ovs-docker 创建docker 容器附着在ovs 网桥上,模拟虚拟机跨主机通信,抓包理解vlan, vxlan、overlay 网络
网络拓扑如下:
环境搭建详情:
host1:192.168.53.136
网桥: ovs0
容器:
con6 192.168.1.2
con7 192.168.1.3
con8 192.168.1.4
host2:192.168.53.140
网桥: ovs1
容器:
con11 192.168.1.6
配置命令
docker run -itd --name con6 --net=none ubuntu:14.04 /bin/bash
ovs-vsctl add-br ovs0
ovs-docker add-port ovs0 eth0 con6 --ipaddress=192.168.1.2/24
ovs-vsctl set port <port interface> tag=100
查看ovs port 和容器对应关系
ovs-vsctl list interface <f1c0a9d0994d4_l> |grep container_id
host1 上设置vxlan
ovs-vsctl add-port ovs0 vxlan1 -- set interface vxlan1 type=vxlan options:remote_ip=192.168.53.140 options:key=flow
[root@test1]# ovs-vsctl show
5e2cfe39-7d6e-4c79-ba5b-372524e2dd55
Bridge "ovs0"
Port "7eb8d6795f624_l"
tag: 200
Interface "7eb8d6795f624_l"
Port "86047aff42594_l"
tag: 100
Interface "86047aff42594_l"
Port "ovs0"
Interface "ovs0"
type: internal
Port "86e15b03eba74_l"
tag: 100
Interface "86e15b03eba74_l"
Port "vxlan1"
Interface "vxlan1"
type: vxlan
options: {key=flow, remote_ip="192.168.53.140"}
ovs_version: "2.12.0"
host2 上操做
ovs-vsctl add-port ovs1 vxlan1 -- set interface vxlan1 type=vxlan options:remote_ip=192.168.53.136
options:key=flow
给con 11 设置vlan tag
ovs-vsctl set port beaf399b4cc14_l tag=100
[root@test2 ~]# ovs-vsctl show
be517ba2-a048-48de-b69a-0feefabe5f99
Bridge "ovs1"
Port "ovs1"
Interface "ovs1"
type: internal
Port "vxlan1"
Interface "vxlan1"
type: vxlan
options: {key=flow, remote_ip="192.168.53.136"}
Port "beaf399b4cc14_l"
tag: 100
Interface "beaf399b4cc14_l"
ovs_version: "2.12.0"
测试:
[root@test2 ~]# docker exec -ti con11 bash
root@82f37de52551:/# ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=1.35 ms
64 bytes from 192.168.1.2: icmp_seq=2 ttl=64 time=1.28 ms
^C
--- 192.168.1.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 1.285/1.320/1.355/0.035 ms
root@82f37de52551:/# ping 192.168.1.3
PING 192.168.1.3 (192.168.1.3) 56(84) bytes of data.
^C
--- 192.168.1.3 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
清除vlan tag 后
[root@test2 ~]# ovs-vsctl clear port beaf399b4cc14_l tag
[root@test2 ~]# ovs-vsctl show
be517ba2-a048-48de-b69a-0feefabe5f99
Bridge "ovs1"
Port "ovs1"
Interface "ovs1"
type: internal
Port "vxlan1"
Interface "vxlan1"
type: vxlan
options: {key=flow, remote_ip="192.168.53.136"}
Port "beaf399b4cc14_l"
Interface "beaf399b4cc14_l"
ovs_version: "2.12.0"
[root@test2 ~]#
[root@test2 ~]# docker exec -it con11 bash
root@82f37de52551:/# ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
^C
--- 192.168.1.2 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms
root@82f37de52551:/# ping 192.168.1.3
PING 192.168.1.3 (192.168.1.3) 56(84) bytes of data.
^C
--- 192.168.1.3 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1002ms
vxlan只能连通两台机器的ovs上同一个网段的容器,无法连通ovs上不同网段的容器。如果需要连通不同网段的容器,可以尝试通过ovs的流表来解决这个问题。
理解:
比如vlan 100 的数据帧封装进udp , 然后到达隧道另一端后,vlan 报文解封装后,到达vlan 为100
的广播域,因此找不到vlan 为200 的目标ip
wireshark 解析vxlan 报文
https://blog.csdn.net/zhuzhuxiazst/article/details/112468861
1、tcpdump的参数信息
-n 不转换主机地址到主机名,这样用于避免DNS解析
-i 指定网络接口
-e 增加以太网帧头部信息输出
-v 输出更详细的信息
基本抓包
抓vxlan vni
tcpdump -i ens33 -e -v |grep vni
抓vlan id
tcpdump -i ens33 -e -v |grep vlan
抓udp
tcpdump -i ens33 -p udp
抓vxlan 目的端口
tcpdump -i ens33 port 4789
抓arp 解析
tcpdump -i any -e -v -p arp
隧道的源mac 地址,隧道的源ip 和目的ip
报文解析
1. 以下是udp 协议,源端口和目标端口
- vxlan 网络, vni 为0,给一个租户可以分配一个vni 号,类似于vlan id
- 下面是vm 的mac 地址, 以太网帧
- 下面是vlan 报文, vlan id 是100
下面是封装前的ip 协议,里面包含vm 的源地址和目的地址
没有vlan tag
带vlan tag
