2025-03-04 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article shows how to analyze OVS VxLAN flow rules.
The data flow of OVS is controlled by flow rules. Here we analyze the flow rules for VxLAN.
The flow rules on the control node are analyzed below; the compute node is similar.
Flow rules of br-int
Although br-int appears to have many rules, the logic is very simple: br-int acts as a layer 2 switch, and its important rule is the following:
cookie=0xaaa0e760a7848ec3, duration=52798.625s, table=0, n_packets=143, n_bytes=14594, idle_age=9415, priority=0 actions=NORMAL
This rule means: forward according to VLAN and MAC address.
Flow rules of br-tun
These are the rules that actually handle VXLAN packets.
The number in each square corresponds to the number of the table in the rule. For example, the square numbered 0 corresponds to the following three rules.
table 0
cookie=0xaaa0e760a7848ec3, duration=76707.867s, table=0, n_packets=70, n_bytes=6600, idle_age=33324, hard_age=65534, priority=1,in_port=1 actions=resubmit(,2)
cookie=0xaaa0e760a7848ec3, duration=76543.287s, table=0, n_packets=56, n_bytes=4948, idle_age=33324, hard_age=65534, priority=1,in_port=2 actions=resubmit(,4)
cookie=0xaaa0e760a7848ec3, duration=76707.867s, table=0, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=0 actions=drop
The table 0 flow rules mean:
Packets from port 1 (patch-int) are passed to table 2 for processing: actions=resubmit(,2)
Packets from port 2 (vxlan-a642100b) are passed to table 4 for processing: actions=resubmit(,4)
That is, the first rule handles data from the internal br-int (which hosts all network services, including routing, DHCP, etc.); the second rule handles data from the external VXLAN tunnel. Anything arriving on another port matches only the priority=0 rule and is dropped.
table 4
cookie=0xaaa0e760a7848ec3, duration=76647.039s, table=4, n_packets=56, n_bytes=4948, idle_age=33324, hard_age=65534, priority=1,tun_id=0x64 actions=mod_vlan_vid:1,resubmit(,10)
The table 4 flow rule means: if the VXLAN tunnel ID of the packet is 100 (tun_id=0x64), the action is to add the internal VLAN ID 1 (tag=1) and pass the packet to table 10 for learning.
table 10
cookie=0xaaa0e760a7848ec3, duration=76707.865s, table=10, n_packets=56, n_bytes=4948, idle_age=33324, hard_age=65534, priority=1 actions=learn(table=20,hard_timeout=300,priority=1,cookie=0xaaa0e760a7848ec3,NXM_OF_VLAN_TCI[0..11],NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],load:0->NXM_OF_VLAN_TCI[],load:NXM_NX_TUN_ID[]->NXM_NX_TUN_ID[],output:NXM_OF_IN_PORT[]),output:1
The table 10 flow rule means: learn from packets arriving from outside (the tunnel), add a normal forwarding rule for the return packets to table 20, and then send the packets out of port 1 (patch-int) to br-int.
The following part of the rule is the learning specification, which is not discussed in detail here.
NXM_OF_VLAN_TCI[0..11],NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],load:0->NXM_OF_VLAN_TCI[],load:NXM_NX_TUN_ID[]->NXM_NX_TUN_ID[],output:NXM_OF_IN_PORT[]
table 2
cookie=0xaaa0e760a7848ec3, duration=76707.866s, table=2, n_packets=28, n_bytes=3180, idle_age=33324, hard_age=65534, priority=0,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,20)
cookie=0xaaa0e760a7848ec3, duration=76707.866s, table=2, n_packets=42, n_bytes=3420, idle_age=33379, hard_age=65534, priority=0,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,22)
The table 2 flow rules mean:
If the packet sent by br-int is a unicast packet, pass it to table 20 for processing: resubmit(,20)
If the packet sent by br-int is a multicast or broadcast packet, pass it to table 22 for processing: resubmit(,22)
table 20
cookie=0xaaa0e760a7848ec3, duration=76543.287s, table=20, n_packets=28, n_bytes=3180, idle_age=33324, hard_age=65534, priority=2,dl_vlan=1,dl_dst=fa:16:3e:fd:8a:ed actions=strip_vlan,set_tunnel:0x64,output:2
cookie=0xaaa0e760a7848ec3, duration=76707.865s, table=20, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=0 actions=resubmit(,22)
The table 20 flow rules mean:
The first rule is the one learned by table 10. For packets with internal VLAN number 1 (tag=1) and destination MAC fa:16:3e:fd:8a:ed (virros-vm2), i.e. packets sent to virros-vm2, the action is to remove the VLAN number, add VXLAN tunnel ID 100 (hexadecimal 0x64), and send them out of port 2 (tunnel port vxlan-a642100b).
Packets that match no learned rule are passed to table 22 for processing.
table 22
cookie=0xaaa0e760a7848ec3, duration=76543.282s, table=22, n_packets=2, n_bytes=84, idle_age=33379, hard_age=65534, dl_vlan=1 actions=strip_vlan,set_tunnel:0x64,output:2
cookie=0xaaa0e760a7848ec3, duration=76707.82s, table=22, n_packets=40, n_bytes=3336, idle_age=65534, hard_age=65534, priority=0 actions=drop
The table 22 flow rule means: if the packet's internal VLAN number is 1 (tag=1), the action is to remove the VLAN number, add VXLAN tunnel ID 100 (hexadecimal 0x64), and send it out of port 2 (tunnel port vxlan-a642100b).
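The br-tun pipeline above, replayed offline as an added example (not code from the original article or from Open vSwitch): the Python below parses the rules shown on this page, with cookie and counter fields stripped, and reports which tables a packet visits and which actions it collects. The packet dictionaries and the `no-match` marker are assumptions made for illustration; on a live host `ovs-appctl ofproto/trace` answers the same question against the real bridge.

```python
import re

# br-tun rules from the dump above; cookie, duration and counter fields removed.
FLOWS = """\
table=0, priority=1,in_port=1 actions=resubmit(,2)
table=0, priority=1,in_port=2 actions=resubmit(,4)
table=0, priority=0 actions=drop
table=4, priority=1,tun_id=0x64 actions=mod_vlan_vid:1,resubmit(,10)
table=10, priority=1 actions=learn(table=20,hard_timeout=300,priority=1,NXM_OF_VLAN_TCI[0..11],NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],load:0->NXM_OF_VLAN_TCI[],load:NXM_NX_TUN_ID[]->NXM_NX_TUN_ID[],output:NXM_OF_IN_PORT[]),output:1
table=2, priority=0,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,20)
table=2, priority=0,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,22)
table=20, priority=2,dl_vlan=1,dl_dst=fa:16:3e:fd:8a:ed actions=strip_vlan,set_tunnel:0x64,output:2
table=20, priority=0 actions=resubmit(,22)
table=22, dl_vlan=1 actions=strip_vlan,set_tunnel:0x64,output:2
table=22, priority=0 actions=drop"""

def parse(text):
    rules = []
    for line in text.splitlines():
        match, actions = line.split(" actions=", 1)
        f = dict(kv.strip().split("=", 1) for kv in match.split(","))
        prio = int(f.pop("priority", 32768))  # dump-flows omits the default priority
        acts = re.findall(r"[^,(]+(?:\([^)]*\))?", actions)  # keep learn(...) in one piece
        rules.append((int(f.pop("table")), prio, f, acts))
    return rules

def matches(fields, pkt):
    mac = lambda s: int(s.replace(":", ""), 16)
    for key, want in fields.items():
        if key == "dl_dst":  # value[/mask]; mask 01:00:.. tests only the multicast bit
            value, _, mask = want.partition("/")
            if (mac(pkt["dl_dst"]) ^ mac(value)) & mac(mask or "ff:ff:ff:ff:ff:ff"):
                return False
        elif pkt.get(key) != int(want, 0):
            return False
    return True

def trace(rules, pkt, table=0):
    # Returns (tables visited, non-resubmit actions); resubmit is each rule's last action here.
    path, out = [], []
    while table is not None:
        path.append(table)
        hits = [r for r in rules if r[0] == table and matches(r[2], pkt)]
        acts, table = (max(hits, key=lambda r: r[1])[3] if hits else ["no-match"]), None
        for act in acts:
            if act.startswith("resubmit("):
                table = int(act[act.index(",") + 1:-1])
            else:
                out.append("learn" if act.startswith("learn(") else act)
    return path, out
```

Tracing `{"in_port": 2, "tun_id": 0x65}` stops at table 4 with `no-match`, which is the tenant-isolation property worth checking after any change to these tables: only tunnel ID 0x64 is ever mapped onto internal VLAN 1.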
VXLAN routing and floating IP support
Routing and floating IP between multiple VXLANs are implemented in much the same way as for VLAN, so they are not described here. Please refer to the previous VLAN-related sections.
This series focuses on the Neutron architecture. By analyzing the technical details of Linux Bridge and Open vSwitch, it works through four network types (local, flat, vlan, vxlan) and also discusses the implementation details of routing and floating IP.
Linux Bridge and Open vSwitch both support advanced features such as Security Group, Firewall as a Service, and Load Balancing as a Service, which are implemented in much the same way.