openstack相关Openvswtich

Openvswitch,Popsuper,SoftwareDefinedNetwork,OpenFlowSwitchComponents,OpenFlowChannel负责同Controller的交互FlowTable包含许多entry，每个entry是对packet进行处理的规则GroupTable：处理更复杂的转发规则包含一系列GroupEntry每个Entry包含一系列操作集合(actionbuckets)每个操作集合包含一系列action，以及参数,Matchpackets:ingressportHeadersmetadata,Flowentriesmatchpacketsinpriorityorder,对packet处理:转发修改交给GroupTable交给下个Table,OpenFlowPacketProcessing,OpenFlowPacketProcessing,Actions:Output:转发Set-Queue:QoSDropGroupPush/Poptags,OpenFlowPacketProcessing,Actions:Output:转发Set-Queue:QoSDropGroupPush/Poptags,Openvswitch简介,Openvswitch是一个virutalswtich，支持OpenFlow协议，当然也有一些硬件Switch也支持OpenFlow协议，他们都可以被统一的Controller管理，从而实现物理机和虚拟机的网络联通。,Openvswitch简介,MatchField涵盖TCP/IP协议各层：Layer1TunnelID,InPort,QoSpriority,skbmarkLayer2MACaddress,VLANID,EthernettypeLayer3IPv4/IPv6fields,ARPLayer4TCP/UDP,ICMP,NDAction也主要包含下面的操作：Outputtoport(portrange,flood,mirror)Discard,ResubmittotablexPacketMangling(Push/PopVLANheader,TOS,.)Sendtocontroller,Learn,Openvswitch简介,可以设置Tunnel可以支持下列的框架来监控流量。sFlowNetFlowPortMirroringSPANRSPANERSPAN支持QoSUsesexistingTrafficControlLayerPolicer(Ingressratelimiter)HTB,HFSC(Egresstrafficclasses)Controller(OpenFlow)canselectTrafficClass,Openvswitch架构,Openvswitch架构,实验一：查看Openvswitch的架构,rootpopsuper1982:#psaux|grepopenvswitchroot9850.00.0211722120?Sdststart.endload:valuedststart.endlearn(argument,argument.),实验十五：模拟Openstack中Flow的操作,br-tun,1,2,Instance01,br-int,Tag1,Tag2,,,br-tun,1,2,Instance02,br-int,Tag1,Tag2,,,GRE,br-tun,1,2,Instance03,br-int,Tag1,Tag2,,,3,3,3,Table0,ToT1,ToT3,drop,in_port=1,in_port=2/3,Table1,ToT20,ToT21,drop,unicast,multicast,Table2,Table3,根据tunid设置vlanid,drop,ToT10,Table10,学习MAC,发送port1,Table20,根据vlanid设置tunid,ToT21,有MAC规则,发送port2/3,Table21,根据vlanid设置tunid,drop,发送port2/3,实验十五：模拟Openstack中Flow的操作,配置拓扑结构：在三台机器上都运行,ovs-vsctladd-brbr-intovs-vsctladd-brbr-tuniplinkaddbr-int-pairtypevethpeernamebr-tun-pairiplinksetbr-int-pairupiplinksetbr-tun-pairupovs-vsctladd-portbr-intbr-int-pairovs-vsctladd-portbr-tunbr-tun-pairiplinkaddvnic0typevethpeernamevnic0-br-intiplinksetvnic0upiplinksetvnic0-br-intupovs-vsctladd-portbr-intvnic0-br-intifconfigvnic0/24iplinkaddvnic1typevethpeernamevnic1-br-intiplinksetvnic1upiplinksetvnic1-br-intupovs-vsctladd-portbr-intvnic1-br-intifconfigvnic/24ovs-vsctlsetPortvnic0-br-inttag=1ovs-vsctlsetPortvnic1-br-inttag=2ovs-vsctladd-portbr-tungre0-setInterfacegre0type=greoptions:local_ip=00options:in_key=flowoptions:remote_ip=01options:out_key=flowovs-vsctladd-portbr-tungre1-setInterfacegre1type=greoptions:local_ip=00options:in_key=flowoptions:remote_ip=02options:out_key=flow,实验十五：模拟Openstack中Flow的操作,配置Flow删除所有的FlowTable0从port1进来的，由table1处理从port2/3进来的，由Table3处理默认丢弃,ovs-ofctldel-flowsbr-tun,ovs-ofctladd-flowbr-tunhard_timeout=0idle_timeout=0priority=1in_port=1actions=resubmit(,1),ovs-ofctladd-flowbr-tunhard_timeout=0idle_timeout=0priority=1in_port=2actions=resubmit(,3)ovs-ofctladd-flowbr-tunhard_timeout=0idle_timeout=0priority=1in_port=3actions=resubmit(,3),ovs-ofctladd-flowbr-tunhard_timeout=0idle_timeout=0priority=0actions=drop,实验十五：模拟Openstack中Flow的操作,Table1:对于单播，由table20处理对于多播，由table21处理Table2:默认丢弃,ovs-ofctladd-flowbr-tunhard_timeout=0idle_timeout=0priority=1table=1dl_dst=00:00:00:00:00:00/01:00:00:00:00:00actions=resubmit(,20),ovs-ofctladd-flowbr-tunhard_timeout=0idle_timeout=0priority=1table=1dl_dst=01:00:00:00:00:00/01:00:00:00:00:00actions=resubmit(,21),ovs-ofctladd-flowbr-tunhard_timeout=0idle_timeout=0priority=0table=2actions=drop,实验十五：模拟Openstack中Flow的操作,Table3:默认丢弃TunnelID-VLANIDTable10:MAC地址学习,ovs-ofctladd-flowbr-tunhard_timeout=0idle_timeout=0priority=0table=3actions=drop,ovs-ofctladd-flowbr-tunhard_timeout=0idle_timeout=0priority=1table=3tun_id=0 x1actions=mod_vlan_vid:1,resubmit(,10)ovs-ofctladd-flowbr-tunhard_timeout=0idle_timeout=0priority=1table=3tun_id=0 x2actions=mod_vlan_vid:2,resubmit(,10),ovs-ofctladd-flowbr-tunhard_timeout=0idle_timeout=0priority=1table=10actions=learn(table=20,priority=1,hard_timeout=300,NXM_OF_VLAN_TCI0.11,NXM_OF_ETH_DST=NXM_OF_ETH_SRC,load:0-NXM_OF_VLAN_TCI,load:NXM_NX_TUN_ID-NXM_NX_TUN_ID,output:NXM_OF_IN_PORT),output:1,table=10,priority=1actions=learn(table=20,hard_timeout=300,priority=1,NXM_OF_VLAN_TCI0.11,NXM_OF_ETH_DST=NXM_OF_ETH_SRC,load:0-NXM_OF_VLAN_TCI,load:NXM_NX_TUN_ID-NXM_NX_TUN_ID,output:NXM_OF_IN_PORT),output:1,table=20,priority=2,dl_vlan=1,dl_dst=fa:16:3e:7e:ab:ccactions=strip_vlan,set_tunnel:0 x3e9,output:2,Table10是用来学习MAC地址的，学习的结果放在Table20里面，Table20被称为MAClearningtableNXM_OF_VLAN_TCI这个是VLANTag，在MACLearningtable中，每一个entry都是仅仅对某一个VLAN来说的，不同VLAN的learningtable是分开的。在学习的结果的entry中，会标出这个entry是对于哪个VLAN的。NXM_OF_ETH_DST=NXM_OF_ETH_SRC这个的意思是当前包里面的MACSourceAddress会被放在学习结果的entry里面的dl_dst里面。这是因为每个switch都是通过Ingress包来学习，某个MAC从某个port进来，switch就应该记住以后发往这个MAC的包要从这个port出去，因而MACsourceaddress就被放在了Macdestinationaddress里面，因为这是为发送用的。load:0-NXM_OF_VLAN_TCI意思是发送出去的时候，vlantag设为0，所以结果中有actions=strip_vlanload:NXM_NX_TUN_ID-NXM_NX_TUN_ID意思是发出去的时候，设置tunnelid，进来的时候是多少，发送的时候就是多少，所以结果中有set_tunnel:0 x3e9output:NXM_OF_IN_PORT意思是发送给哪个port，由于是从port2进来的，因而结果中有output:2,学习指令,学习结果,实验十五：模拟Openstack中Flow的操作,Table20:这个是MACAddressLearningTable，如果不空就按照规则处理如果为空，就使用默认规则，交给Table21处理Table21:默认丢弃VLANID-TunnelID,ovs-ofctladd-flowbr-tunhard_timeout=0idle_timeout=0priority=0table=20actions=resubmit(,21),ovs-ofctladd-flowbr-tunhard_timeout=0idle_timeout=0priority=0table=21actions=drop,ovs-ofctladd-flowbr-tunhard_timeout=0idle_timeout=0priority=1table=21dl_vlan=1actions=strip_vlan,set_tunnel:0 x1,output:2,output:3ovs-ofctladd-flowbr-tunhard_timeout=0idle_timeout=0priority=1table=21dl_vlan=2actions=strip_vlan,set_tunnel:0 x2,output:2,output:3,实验十五：模拟Openstack中Flow的操作,从ping在Instance01上监听br-int上的端口在Instance01上监听eth0在Instance02上监听eth0在Instance02上监听br-int上的端口,Openvswitch:综合实例,OpenvSwitchAdvancedFeaturesTutorial/cgi-bin/gitweb.cgi?p=openvswitch;a=blob_plain;f=tutorial/Tutorial;hb=HEAD创建一个VirtualSwitch包含下面四个Port：P1,truckportP2,VLAN20P3,P4VLAN30包含五个flowtable:Table0:Admissioncontrol.Table1:VLANinputprocessing.Table2:LearnsourceMACandVLANforingressport.Table3:LookuplearnedportfordestinationMACandVLAN.Table4:Outputprocessing,Openvswitch:综合实例,创建一个bridge创建四个vethpair添加四个端口port，ofport_request是指定端口号,ovs-vsctladd-brhelloworld,iplinkaddfirst_brtypevethpeernamefirst_ifiplinkaddsecond_brtypevethpeernamesecond_ifiplinkaddthird_brtypevethpeernamethird_ifiplinkaddforth_brtypevethpeernameforth_if,ovs-vsctladd-porthelloworldfirst_br-setInterfacefirst_brofport_request=1ovs-vsctladd-porthelloworldsecond_br-setInterfacesecond_brofport_request=2ovs-vsctladd-porthelloworldthird_br-setInterfacethird_brofport_request=3ovs-vsctladd-porthelloworldforth_br-setInterfaceforth_brofport_request=4,Openvswitch:综合实例,新添加的port都是出于DOWN的状态，设成up,iplinksetfirst_ifupiplinksetfirst_brupiplinksetsecond_brupiplinksetsecond_ifupiplinksetthird_ifupiplinksetthird_brupiplinksetforth_brupiplinksetforth_ifup,Openvswitch:综合实例,实现第一个Table0，Admissioncontrol包进入vswitch的时候首先进入Table0，我们在这里可以设定规则，控制那些包可以进入，那些包不可以进入。multicast的不允许进入STP的也不接受添加最后一个flow，这个flow的priority低于default，如果上面两个不匹配，则我们进入table1测试Table0不满足条件DROP满足条件RESUBMIT,ovs-ofctladd-flowhelloworldtable=0,dl_src=01:00:00:00:00:00/01:00:00:00:00:00,actions=drop,ovs-ofctladd-flowhelloworldtable=0,dl_dst=01:80:c2:00:00:00/ff:ff:ff:ff:ff:f0,actions=drop,ovs-ofctladd-flowhelloworldtable=0,priority=0,actions=resubmit(,1),ovs-appctlofproto/tracehelloworldin_port=1,dl_dst=01:80:c2:00:00:05,ovs-appctlofproto/tracehelloworldin_port=1,dl_dst=01:80:c2:00:00:10,Openvswitch:综合实例,实现第二个Table1：VLANInputProcessing添加一个最低优先级的DROP的规则对于port1，是trunk口，无论有没有VLANHeader都接受对于port2,3,4,我们希望没有VLANTag，然后我们给打上VLANTag测试Table1从port1进入，tag为5从port2进入，没有打Tag的从port2进入，带Tag5的,ovs-ofctladd-flowhelloworldtable=1,priority=0,actions=drop,ovs-ofctladd-flowhelloworldtable=1,priority=99,in_port=1,actions=resubmit(,2),ovs-ofctladd-flowshelloworld-VLANTag。这样以后如果有需要发给这个MAC的包，不用ARP，switch自然之道应该发给哪个port，应该打什么VLANTag。OVS也要学习这个，并维护三个之间的mapping关系。,ovs-ofctladd-flowhelloworldtable=2actions=learn(table=10,NXM_OF_VLAN_TCI0.11,NXM_OF_ETH_DST=NXM_OF_ETH_SRC,load:NXM_OF_IN_PORT-NXM_NX_REG00.15),resubmit(,3),learn表示这是一个学习的actiontable10，这是一个MAClearningtable，学习的结果会放在这个table中。NXM_OF_VLAN_TCI这个是VLANTag，在MACLearningtable中，每一个entry都是仅仅对某一个VLAN来说的，不同VLAN的learningtable是分开的。在学习的结果的entry中，会标出这个entry是对于哪个VLAN的。NXM_OF_ETH_DST=NXM_OF_ETH_SRC这个的意思是当前包里面的MACSourceAddress会被放在学习结果的entry里面的dl_dst里面。这是因为每个switch都是通过Ingress包来学习，某个MAC从某个port进来，switch就应该记住以后发往这个MAC的包要从这个port出去，因而MACsourceaddress就被放在了Macdestinationaddress里面，因为这是为发送用的。NXM_OF_IN_PORT-NXM_NX_REG0将portf放入register.一般对于学习的entry还需要有hard_timeout，这是的每个学习结果都会expire，需要重新学习。,Openvswitch:综合实例,测试Table2:从port1来一个vlan为20的mac为50:00:00:00:00:01的包从port2进来，被打上了vlan20，mac为50:00:00:00:00:02,ovs-appctlofproto/tracehelloworldin_port=1,vlan_tci=20,dl_src=50:00:00:00:00:01-generate,ovs-ofctldump-flowshelloworld,table10多了一条，vlan为20，dl_dst为50:00:00:00:00:01，发送的时候从port1出去,ovs-appctlofproto/tracehelloworldin_port=2,dl_src=50:00:00:00:00:02-generate,Openvswitch:综合实例,实现第四个table3:LookUpDestinationPort在table2中，vswtich通过进入的包，学习了vlanidmacport的映射后，对于要发送的包，可以根据学习到的table10里面的内容，根据destinationmac和vlan，来找到相应的port发送出去，而不用每次都floodovs-ofctladd-flowhelloworldtable=3priority=50actions=resubmit(,10),resubmit(,4)添加这条规则，首先到table10中查找learntableentry，如果找不到则到table4如果包本身就是multicast的或者broadcast的，则不用去table10里面取查找ovs-ofctladd-flowhelloworldtable=3priority=99dl_dst=01:00:00:00:00:00/01:00:00:00:00:00actions=resubmit(,4),Openvswitch:综合实例,测试Table3:ovs-appctlofproto/tracehelloworldin_port=1,dl_vlan=20,dl_src=f0:00:00:00:00:01,dl_dst=90:00:00:00:00:01-generate由于目标地址f0:00:00:00:00:01没有在table10中找到，因而到达table4.但是这次测试使得table10中学习到了mac地址90:00:00:00:00:01ovs-appctlofproto/tracehelloworldin_port=2,dl_src=90:00:00:00:00:01,dl_dst=f0:00:00:00:00:01-generate因为刚才学习到了mac地址f0:00:00:00:00:01，所以这次在table10中找到了这条记录，这次同时也学习到了mac地址90:00:00:00:00:01再发送第一次的包ovs-appctlofproto/tracehelloworldin_port=1,dl_vlan=20,dl_src=f0:00:00:00:00:01,dl_dst=90:00:00:00:00:01-generate也在table10中找到了记录,Openvswitch:综合实例,实现第五个table4:OutputProcessing这个时候，register0中包含了outputport，如果是0则说明是flood对于port1来讲，是trunkport，所以携带的vlantag就让他带着，从port1出去ovs-ofctladd-flowhelloworldtable=4reg0=1actions=1对于port2来讲，是vlan20的，然而出去的时候，vlantag会被抹掉，从port2发出去对于port3，4来讲，是vlan30的，然而出去的时候，v