ovn搭建虚拟路由网络final

OVN虚拟路由部署目录TOC\o"1-5"\h\z\o"CurrentDocument"在每个节点上安装ovn软件 3\o"CurrentDocument"普通节点上创建集成化网桥 4\o"CurrentDocument"将普通节点的Chassis控制器连接到控制节点的中央控制器 4\o"CurrentDocument"在控制节点创建逻辑交换机和逻辑路由器 4\o"CurrentDocument"控制节点在逻辑交换机上配置2台测试虚拟机的逻辑端口 5\o"CurrentDocument"在控制节点上定义DHCP选项 5\o"CurrentDocument"在普通节点给2台测试虚拟机预配置VIF 6\o"CurrentDocument"开启vbox或者kvm虚拟机，注意第七步的vm-id是真实虚拟机的uuid 6\o"CurrentDocument"虚拟机VIF迁移 6\o"CurrentDocument"卸载清理网络环境 7\o"CurrentDocument"虚拟机上外网 7网络图：&eT4n4nt&eT4n4nt■:152逻辑路由器：tenant逻辑交换机：inside虚拟机：vm3，vm41.在每个节点上安装ovn软件在ubuntu18.04上安装ovnapt-getinstall-yopenvswitch-switchovn-centralovn-commonovn-controller-vtepovn-dockerovn-host检测ovsdb-server进程是否监听TCP6641,6642端口。6641端口用于监听OVN北向数据库,6642端口用于监听OVN南向数据库。root@t-desktop:~/ovn#netstat-lntp激活Internet连接（仅服务器）ProtoRecv-QSend-QLocalAddressForeignAddressStatePID/Programnametcp000.0.0.0:66410.0.0.0:*LISTEN18537/ovsdb-servertcp000.0.0.0:66420.0.0.0:*LISTEN18545/ovsdb-server如果ovsdb-server没有使用6641/6642那么需要通过运行启动脚本来启动这些进程。启动脚本路径为/etc/init.d/openvswitchswitch和/etc/init.d/ovn-central（注意区别节点和搭建模式，控制节点执行ovn-central）。或者执行ovn-sbctlset-connectionptcp:6642:0.0.0.0ovn-nbctlset-connectionptcp:6641:0.0.0.02.普通节点上创建集成化网桥ovs-vsctllist-br如果看不到“br-int”网桥，那么需要手工创建。注意:所有运行虚拟机的节点都要存在“br-int”网桥ovs-vsctladd-brbr-int--setBridgebr-intfail-mode=secureovs-vsctllist-br“fail-mode=secure”是一个安全特性，其让网桥丢掉所有流量。这里用这个参数是因为我们不想在OVN控制器启用前使用网络.3•将普通节点的Chassis控制器连接到控制节点的中央控制器ovs-vsctlsetopen.external-ids:ovn-remote=tcp:XXX.XXX.XXX.XXX:6642（XXX控制节点ip）ovs-vsctlsetopen.external-ids:ovn-encap-type=geneveovs-vsctlsetopen.external-ids:ovn-encap-ip=###.###.###.### （###本机ip）我们指定了overlay网络封装数据平面流量的协议为geneve协议，在普通节点上检查Chassis控制器与中央控制器的连接情况。root@t-desktop:~/ovn#netstat-antp|grep6642tcp000.0.0.0:66420.0.0.0:*LISTEN 18545/ovsdb-servertcp00127.0.0.1:6642127.0.0.1:59336ESTABLISHED18545/ovsdb-servertcp00127.0.0.1:59336127.0.0.1:6642ESTABLISHED18636/ovn-controlle4•在控制节点创建逻辑交换机和逻辑路由器4.1创建逻辑交换机ovn-nbctlls-addinside4.2创建逻辑路由器ovn-nbctllr-addtenant4.3为路由器tenant创建一个连接到inside交换机的端口ovn-nbctllrp-addtenanttenant-inside08:00:27:27:57:84192.168.23.1/244.4为inside交换机创建用于连接到路由器tenant的端口inside-tenantovn-nbctllsp-addinsideinside-tenantovn-nbctllsp-set-typeinside-tenantrouterovn-nbctllsp-set-addressesinside-tenant08:00:27:27:57:84ovn-nbctllsp-set-optionsinside-tenantrouter-port=tenant-inside4.5查看逻辑路由器和交换机的创建结果root@t-desktop:~#ovn-nbctlshowswitch422a08a2-5661-43e6-b2cd-d4ce59077ba3(inside)portinside-tenanttype:routeraddresses:["08:00:27:27:57:84"]router-port:tenant-insiderouterf5e6c226-a613-46be-ad86-6b2404e0170c(tenant)porttenant-insidemac:"08:00:27:27:57:84"networks:["192.168.23.1/24"]5.控制节点在逻辑交换机上配置2台测试虚拟机的逻辑端口ovn-nbctllsp-addinsideinside-vm3ovn-nbctllsp-set-addressesinside-vm3"08:00:27:27:57:85192.168.23.194"ovn-nbctllsp-set-port-securityinside-vm3"08:00:27:27:57:85192.168.23.194"ovn-nbctllsp-addinsideinside-vm4ovn-nbctllsp-set-addressesinside-vm4"08:00:27:27:57:86192.168.23.195"ovn-nbctllsp-set-port-securityinside-vm4"08:00:27:27:57:86192.168.23.195"查看创建结果如第三步。6•在控制节点上定义DHCP选项insideDhcp="$(ovn-nbctlcreateDHCP_Optionscidr=192.168.23.0/24\options="\"server_id\"=\"192.168.23.1\"\"server_mac\"=\"08:00:27:27:57:84\"\\"leasetime\"=\"3600\"\"router\"=\"192.168.23.1\"\"dnsserver\"=\"{223.5.5.5,114.114.114.114}\"")"echo$insideDhcp查看已经定义的dhcp选项root@t-desktop:~#ovn-nbctllistDHCP_Options_uuid :452ce3b0-e24f-458c-8a57-054e673f29d6cidr :"192.168.23.0/24"external_ids :{}options :{dns_server="{223.5.5.5,114.114.114.114}",lease_time="3600",router=T92.168.23.1",server_id=T92.168.23.T,servermac="08:00:27:27:57:84"}或者使用“ovn-nbctldhcp-options-list”命令。使用存储在变量中的UUID为我们的逻辑交换机端口分配DHCP_Options（ovn-nbctllistDHCP_Options-->452ce3b0-e24f-458c-8a57-054e673f29d6,项目开发中，尽量使用uuid）ovn-nbctllsp-set-dhcpv4-optionsinside-vm3$insideDhcpovn-nbctllsp-get-dhcpv4-optionsinside-vm3ovn-nbctllsp-set-dhcpv4-optionsinside-vm4$insideDhcpovn-nbctllsp-get-dhcpv4-optionsinside-vm47.在普通节点给2台测试虚拟机预配置VIFovs-vsctladd-portbr-intvm3--setinterfacevm3type=internaliplinksetvm3address08:00:27:27:57:85（此处mac可以不同于虚拟机mac）upovs-vsctlsetInterfacevm3external_ids:iface-id=inside-vm3ovs-vsctlsetInterfacevm3external-ids:iface-status=activeovs-vsctlsetInterfacevm3external-ids:attached-mac=08:00:27:27:57:85ovs-vsctlsetInterfacevm3external-ids:vm-id=804dc543-9222-445a-a386-d694cb984599ovs-vsctladd-portbr-intvm4--setinterfacevm4type=internaliplinksetvm4address08:00:27:27:57:86upovs-vsctlsetInterfacevm4external_ids:iface-id=inside-vm4ovs-vsctlsetInterfacevm4external-ids:iface-status=activeovs-vsctlsetInterfacevm4external-ids:attached-mac=08:00:27:27:57:86ovs-vsctlsetInterfacevm4external-ids:vm-id=57e21c05-ec2b-4a43-96ef-8a62e074708b8.开启vbox或者kvm虚拟机，注意第七步的vm-id是真实虚拟机的uuid.9•虚拟机VIF迁移在源主机上执行ovs-vsctl--if-exists--with-ifacedel-portbr-intvm3root@t-desktop:~/ovn#ovs-vsctllist-portsbr-intvm4在目标主机上执行第七步。10.卸载清理网络环境#删除逻辑路由器ovn-nbctllr-deltenant#删除逻辑交换机及其端口ovn-nbctlls-delinside#删除vm的vifipaddrflushdevvm3iplinksetvm3downovs-vsctl--if-exists--with-ifacedel-portbr-intvm3ipaddrflushdevvm4iplinksetvm4downovs-vsctl--if-exists--with-ifacedel-portbr-intvm411.虚拟机上外网设置网关路由ovn-nbctlsetLogical-router18e4e53c-38fd-4cc3-af8c-211ebedfc0c5（路由器uuid）options:chassis=caa2869e-e42c-480b-9bc6-023361f9c9d3（ovn-sbctlshow）创建gateway-sw交换机ovn-nbctlls-addgateway-swovn-nbctllsp-addgateway-swlocalnet-portovn-nbctllsp-set-addresseslocalnet-portunknownovn-nbctllsp-set-typelocalnet-portlocalnetovn-nbctllsp-set-optionslocalnet-portnetwork_name=physical-net创建tenant路由连接gateway的端口ovn-nbctllrp-addtenanttenant-gw00:e0:4c:7d:42:6f192.168.25.131/24（虚拟网网关ip）ovn-nbctllsp-addgateway-swgw-tenantovn-nbctllsp-set-typegw-tenantrouterovn-nbctllsp-set-addressesgw-tenant00:e0:4c:7d:42:6fovn-nbctllsp-set-optionsgw-tenantrouter-port=tenant-gw添加静态路由ovn-nbctllr-route-addtenant0.0.0.0/0192.168.25.250（物理网网关）主控创建br_exovs-vsctladd-brbr_exovs-vsctladd-portbr_exenp2s0ifconfigenp2s00.0.0.0upipaddradd192.168.25.59/24（主机ip）devbr_exiplinksetbr_exupovs-vsctlsetOpen_vSwitch.external-ids:ovn-bridge-mappings=physical-net:br_ex配置使用snatovn-nbctllr-nat-addtenantsnat192.168.25.131192.168.23.0/24（虚拟网络位）配置使用dnat_and_snatovn—nbctllr—nat—addtenantdnat_and_snat192.168.25.136（externalip）192.168.23.194（logicalip）inside-vm308:00:27:27:57:85（vm的mac）12・ACL+Address_set访问控制以ip地址创建地址集ovn-nbctlcreateaddress_setname=vlan1addresses="192.168.23.195,192.168.23.194"ovn-nbctlcreateaddress_setname=vlan1addresses="192.168.23.196"或者以网络号创建地址集ovn-nbctlcreateaddress_setname=vlanladdresses="192.168.23.0/24"添加不同地址集之间隔离策略（drop模式）ovn-nbctlacl-addinsideto-lport1000'outport=="inside-vm3"&&ip4.src==$vlan2'dropovn-nbctlacl-addinsideto-lport1000'inport=="inside-vm3"&&ip4.src==$vlan2'dropovn-nbctlacl-addinsideto-lport1000'outport=="inside-vm4"&&ip4.src==$vlan2'dropovn-nbctlacl-addinsideto-lport1000'inport=="inside-vm4"&&ip4.src==$vlan2'dropovn-nbctlacl-addinsideto-lport1000'outport=="inside-vm5"&&ip4.src==$vlan1'dropovn-nbctlacl-addinsideto-lport1000'inport=="inside-vm5"&&ip4.src==$vlan1'drop#添加默认ACL策略（对不匹配任何转发规则的流量进行丢弃）（allow模式）ovn-nbctlacl-addinsideto-lport900'outport=="inside-vm5"&&ip'dropovn-nbctlacl-addinsideto-lport900'outport=="inside-vm4"&&ip'dropovn-nbctlacl-addinsideto-lport900'outport=="inside-vm3"&&ip'drop添加不同地址集之间通讯策略ovn-nbctlacl-addinsidefrom-lport1000'inport=="inside-vm3"&&ip4.src==$vlan1'allowovn-nbctlacl-addinsidefrom-lport1000'outport=="inside-vm3"&&ip4.src==$vlan1'allowovn-nbctlacl-addinsidefrom-lport1000'inport=="inside-vm4"&&ip4.src==$vlan1'allowovn-nbctlacl-addinsidefrom-lport1000'outport=="inside-vm4"&&ip4.src==$vlanl'allowovn-nbctlacl-addinsidefrom-lport1000'inport=="inside-vm5"&&ip4.src==$vlan2'allowovn-nbctlacl-addinsidefrom-lport1000'outport=="inside-vm5"&&ip4.src==$vlan2'allowovn-nbctlacl-addinsideto-lport1000'inport=="inside-vm3"&&ip4.src==$vlan1'allowovn-nbctlacl-addinsideto-lport1000'outport=="inside-vm3"&&ip4.src==$vlan1'allowovn-nbctlacl-addinsideto-lport1000'inport=="inside-vm4"&&ip4.src==