ovs 实现vlan隔离(一)

[root@kunpeng82 devuser]# ovs-ofctl dump-flows vswitch0
 cookie=0x0, duration=3.829s, table=0, n_packets=0, n_bytes=0, priority=0 actions=NORMAL
[root@kunpeng82 devuser]# ovs-ofctl show  vswitch0
OFPT_FEATURES_REPLY (xid=0x2): dpid:00000613a93fae46
n_tables:254, n_buffers:0
capabilities: FLOW_STATS TABLE_STATS PORT_STATS QUEUE_STATS ARP_MATCH_IP
actions: output enqueue set_vlan_vid set_vlan_pcp strip_vlan mod_dl_src mod_dl_dst mod_nw_src mod_nw_dst mod_nw_tos mod_tp_src mod_tp_dst
 1(tap0_br): addr:72:69:5a:e8:0c:9f
     config:     0
     state:      0
     current:    10GB-FD COPPER
     speed: 10000 Mbps now, 0 Mbps max
 2(tap3_br): addr:52:85:e1:a0:f2:69
     config:     0
     state:      0
     current:    10GB-FD COPPER
     speed: 10000 Mbps now, 0 Mbps max
 3(vxlan1): addr:b2:16:c1:cf:38:07
     config:     0
     state:      0
     speed: 0 Mbps now, 0 Mbps max
 LOCAL(vswitch0): addr:06:13:a9:3f:ae:46
     config:     PORT_DOWN
     state:      LINK_DOWN
     speed: 0 Mbps now, 0 Mbps max
OFPT_GET_CONFIG_REPLY (xid=0x4): frags=normal miss_send_len=0
[root@kunpeng82 devuser]# ip netns exec ns2 ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_seq=1 ttl=64 time=0.363 ms
64 bytes from 192.168.1.100: icmp_seq=2 ttl=64 time=0.026 ms
^C
--- 192.168.1.100 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1076ms
rtt min/avg/max/mdev = 0.026/0.194/0.363/0.169 ms
1、set tap0_br tag=100
[root@kunpeng82 devuser]# ovs-vsctl set port tap0_br tag=100

[root@kunpeng82 devuser]# ip netns exec ns2 ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
^C
--- 192.168.1.100 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2098ms
无法ping通
2、set tap3_br tag=100
[root@kunpeng82 devuser]# ovs-vsctl set port tap3_br tag=100
[root@kunpeng82 devuser]# ip netns exec ns2 ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_seq=1 ttl=64 time=0.315 ms
64 bytes from 192.168.1.100: icmp_seq=2 ttl=64 time=0.028 ms
^C
--- 192.168.1.100 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1008ms
rtt min/avg/max/mdev = 0.028/0.171/0.315/0.144 ms
[root@kunpeng82 devuser]# ovs-vsctl set port tap3_br tag=200
[root@kunpeng82 devuser]# ip netns exec ns2 ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
^C
--- 192.168.1.100 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1008ms
[root@kunpeng82 devuser]# ovs-ofctl show
ovs-ofctl: 'show' command requires at least 1 arguments
[root@kunpeng82 devuser]# ovs-ofctl show vswitch0
OFPT_FEATURES_REPLY (xid=0x2): dpid:00000613a93fae46
n_tables:254, n_buffers:0
capabilities: FLOW_STATS TABLE_STATS PORT_STATS QUEUE_STATS ARP_MATCH_IP
actions: output enqueue set_vlan_vid set_vlan_pcp strip_vlan mod_dl_src mod_dl_dst mod_nw_src mod_nw_dst mod_nw_tos mod_tp_src mod_tp_dst
 1(tap0_br): addr:72:69:5a:e8:0c:9f
     config:     0
     state:      0
     current:    10GB-FD COPPER
     speed: 10000 Mbps now, 0 Mbps max
 2(tap3_br): addr:52:85:e1:a0:f2:69
     config:     0
     state:      0
     current:    10GB-FD COPPER
     speed: 10000 Mbps now, 0 Mbps max
 3(vxlan1): addr:b2:16:c1:cf:38:07
     config:     0
     state:      0
     speed: 0 Mbps now, 0 Mbps max
 LOCAL(vswitch0): addr:06:13:a9:3f:ae:46
     config:     PORT_DOWN
     state:      LINK_DOWN
     speed: 0 Mbps now, 0 Mbps max
OFPT_GET_CONFIG_REPLY (xid=0x4): frags=normal miss_send_len=0
[root@kunpeng82 devuser]# ovs-ofctl dump-flows vswitch0
 cookie=0x0, duration=293.671s, table=0, n_packets=20, n_bytes=1596, priority=0 actions=NORMAL
[root@kunpeng82 devuser]#

我们使用ovs-appctl ofproto/trace生成一个从端口tap0_br发送到端口tap1_br的数据包

[root@kunpeng82 devuser]# ovs-appctl ofproto/trace vswitch0 in_port=1,dl_src=72:69:5a:e8:0c:9f,dl_dst=52:85:e1:a0:f2:69 -generate
Flow: in_port=1,vlan_tci=0x0000,dl_src=72:69:5a:e8:0c:9f,dl_dst=52:85:e1:a0:f2:69,dl_type=0x0000

bridge("vswitch0")
------------------
 0. priority 0
    NORMAL
     -> no learned MAC for destination, flooding
     -> output to kernel tunnel

Final flow: unchanged
Megaflow: recirc_id=0,eth,in_port=1,vlan_tci=0x0000/0x1fff,dl_src=72:69:5a:e8:0c:9f,dl_dst=52:85:e1:a0:f2:69,dl_type=0x0000
Datapath actions: push_vlan(vid=100,pcp=0),1,set(tunnel(tun_id=0x0,dst=10.10.18.216,ttl=64,tp_dst=4789,flags(df|key))),4
[root@kunpeng82 devuser]# 
clear port tap3_br tag
[root@kunpeng82 devuser]# ovs-vsctl clear port tap3_br tag
[root@kunpeng82 devuser]# ip netns exec ns2 ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
From 192.168.1.200 icmp_seq=1 Destination Host Unreachable
From 192.168.1.200 icmp_seq=2 Destination Host Unreachable
From 192.168.1.200 icmp_seq=3 Destination Host Unreachable
^C
--- 192.168.1.100 ping statistics ---
5 packets transmitted, 0 received, +3 errors, 100% packet loss, time 4128ms
pipe 4

创建一条新的Flow:对于从端口tap1_br进入交换机的数据包,如果它不包含任何VLAN tag,则自动为它添加VLAN tag 100。

[root@kunpeng82 devuser]# ovs-ofctl add-flow vswitch0 priority=3,in_port=2,dl_vlan=0xffff,actions=mod_vlan_vid:100,normal
[root@kunpeng82 devuser]# ip netns exec ns2 ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
From 192.168.1.200 icmp_seq=1 Destination Host Unreachable
From 192.168.1.200 icmp_seq=2 Destination Host Unreachable
From 192.168.1.200 icmp_seq=3 Destination Host Unreachable
^C
--- 192.168.1.100 ping statistics ---
无法ping通

tap0_br发往tap1_br的数据strip_vlan。注意：下面这条规则只匹配 in_port=1，不匹配 VLAN（后面的 trace 中 Megaflow 也不包含 vlan_tci），因此端口1的全部流量都会被直接送到端口2，实际上绕过了 tag=100 的 VLAN 隔离。

[root@kunpeng82 devuser]# ovs-ofctl add-flow vswitch0 priority=1,in_port=1,actions=strip_vlan,output:2
[root@kunpeng82 devuser]# ip netns exec ns2 ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_seq=1 ttl=64 time=0.942 ms
64 bytes from 192.168.1.100: icmp_seq=2 ttl=64 time=0.042 ms
64 bytes from 192.168.1.100: icmp_seq=3 ttl=64 time=0.022 ms
^C
--- 192.168.1.100 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2068ms
rtt min/avg/max/mdev = 0.022/0.335/0.942/0.429 ms
[root@kunpeng82 devuser]# ovs-appctl ofproto/trace vswitch0 in_port=1,dl_src=72:69:5a:e8:0c:9f,dl_dst=52:85:e1:a0:f2:69 -generate
Flow: in_port=1,vlan_tci=0x0000,dl_src=72:69:5a:e8:0c:9f,dl_dst=52:85:e1:a0:f2:69,dl_type=0x0000

bridge("vswitch0")
------------------
 0. in_port=1, priority 1
    strip_vlan
    output:2

Final flow: unchanged
Megaflow: recirc_id=0,eth,in_port=1,dl_type=0x0000
Datapath actions: 3

测试从tap0_br发送一条消息到ovs,将会命中哪条规则

[root@kunpeng82 devuser]# ovs-appctl ofproto/trace vswitch0 in_port=1
Flow: in_port=1,vlan_tci=0x0000,dl_src=00:00:00:00:00:00,dl_dst=00:00:00:00:00:00,dl_type=0x0000

bridge("vswitch0")
------------------
 0. in_port=1, priority 1
    strip_vlan
    output:2

Final flow: unchanged
Megaflow: recirc_id=0,eth,in_port=1,dl_type=0x0000
Datapath actions: 3
原文地址:https://www.cnblogs.com/dream397/p/12633800.html