2025-04-06 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
In this issue we analyze how Open vSwitch (OVS) implements VLAN isolation for OpenStack instances. The article is written from a practitioner's perspective, and we hope you gain something from it.
Today we look in detail at how OVS keeps VLAN100 and VLAN101 isolated from each other.
Unlike the Linux Bridge driver, the Open vSwitch driver does not separate VLANs with VLAN sub-interfaces such as eth2.100 and eth2.101. All instances are connected to the same bridge, br-int, and Open vSwitch uses flow rules to decide how packets entering and leaving br-int are forwarded; the isolation between VLANs comes from those rules.
Specifically, as packets enter and leave br-int, flow rules can modify, add or strip their VLAN tags. Neutron (the OVS agent on each node) creates these flow rules and installs them on br-int, br-eth2 and the other Open vSwitch bridges.
Let's look at the flow rules currently installed.
The command to list the flow table of a bridge is ovs-ofctl dump-flows <bridge>, for example ovs-ofctl dump-flows br-eth2.
First, the flow rules of br-eth2 on the compute node.
br-eth2 has four rules. Each rule carries many attributes; the important ones are:
priority
The priority of the rule. A higher value means a higher priority: when more than one rule matches a packet, Open vSwitch applies only the matching rule with the highest priority.
in_port
The number of the port the packet arrived on. Every port on a bridge is assigned an OpenFlow port number by Open vSwitch.
The port numbers can be listed with ovs-ofctl show <bridge>.
For example, on br-eth2:
eth2 is port 1 and phy-br-eth2 is port 2.
dl_vlan
The VLAN ID carried in the packet's 802.1Q tag, i.e. the VLAN the packet arrived with.
actions
The operations applied to packets that match the rule.
The VLAN-related flow rules of br-eth2 are the first two. Let's analyze them in detail.
For clarity, only the important fields are kept:
    priority=4,in_port=2,dl_vlan=1 actions=mod_vlan_vid:100,NORMAL
    priority=4,in_port=2,dl_vlan=5 actions=mod_vlan_vid:101,NORMAL
The first rule means:
A packet received on port phy-br-eth2 of br-eth2 (in_port=2) whose VLAN ID is 1 (dl_vlan=1) has its VLAN ID rewritten to 100 (actions=mod_vlan_vid:100) and is then forwarded by the normal L2 switching logic (NORMAL). The second rule does the same for VLAN ID 5, rewriting it to 101.
From the network structure above, phy-br-eth2 is the patch port that connects br-eth2 to br-int, so a packet arriving on phy-br-eth2 is traffic that an instance sent through br-int towards the physical NIC.
But why does the packet carry VLAN ID 1 in the first place?
Look at the output of ovs-vsctl show on the compute node:
br-int separates the ports of different networks by a tag, which can be regarded as an internal (node-local) VLAN ID.
Packets coming in from qvo4139d09b-30 (the port of cirros-vm2, on vlan100) are tagged with VLAN 1.
Packets coming in from qvo98582dc9-db (the port of cirros-vm3, on vlan101) are tagged with VLAN 5.
Because the internal VLAN ID used on br-int differs from the VLAN ID used on the physical network, br-eth2 must translate the VLAN when it receives a packet from br-int. Neutron maintains the mapping between internal and physical VLAN IDs and installs the corresponding translation rules in the flow tables.
Having understood the flow rules of br-eth2, let's analyze the flow rules of br-int.
The most important ones are the following two:
    priority=3,in_port=1,dl_vlan=100 actions=mod_vlan_vid:1,NORMAL
    priority=3,in_port=1,dl_vlan=101 actions=mod_vlan_vid:5,NORMAL
Port 1 of br-int is int-br-eth2, so the two rules mean:
1. A packet received from the physical NIC with VLAN ID 100 is rewritten to internal VLAN 1.
2. A packet received from the physical NIC with VLAN ID 101 is rewritten to internal VLAN 5.
Simply put, the two networks are isolated by VLAN 100 and VLAN 101 on the physical network, and by internal VLAN 1 and VLAN 5 on the compute node's br-int. Because the translation is a one-to-one mapping in each direction, traffic tagged for one network can never be delivered to a port of the other.
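The translation described above can be checked offline. The following is an added example, not Neutron or Open vSwitch code: a small Python simulator that parses text in the format printed by ovs-ofctl dump-flows, applies Open vSwitch's "highest-priority matching flow wins" semantics to a packet, and verifies that the local-to-physical VLAN mapping on br-eth2 and the physical-to-local mapping on br-int are one-to-one and inverses of each other. The flow dumps embedded in it are constructed: the VLAN rules and port numbers are the ones reported in this article, while the drop and NORMAL rules, the packet counters and the durations are assumptions added to make the sample dump complete.

```python
"""Offline simulator of the br-eth2 / br-int VLAN translation.

Added example, not Neutron or Open vSwitch code. The dumps below are
constructed: the VLAN rules and port numbers follow the article
(br-eth2: eth2=1, phy-br-eth2=2; br-int: int-br-eth2=1); the drop/NORMAL
rules, counters and durations are assumptions.
"""

BR_ETH2_DUMP = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=1812.5s, table=0, n_packets=12, priority=4,in_port=2,dl_vlan=1 actions=mod_vlan_vid:100,NORMAL
 cookie=0x0, duration=1812.4s, table=0, n_packets=9, priority=4,in_port=2,dl_vlan=5 actions=mod_vlan_vid:101,NORMAL
 cookie=0x0, duration=1820.1s, table=0, n_packets=0, priority=2,in_port=2 actions=drop
 cookie=0x0, duration=1820.2s, table=0, n_packets=301, priority=1 actions=NORMAL
"""

BR_INT_DUMP = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=1812.5s, table=0, n_packets=10, priority=3,in_port=1,dl_vlan=100 actions=mod_vlan_vid:1,NORMAL
 cookie=0x0, duration=1812.4s, table=0, n_packets=7, priority=3,in_port=1,dl_vlan=101 actions=mod_vlan_vid:5,NORMAL
 cookie=0x0, duration=1820.1s, table=0, n_packets=0, priority=2,in_port=1 actions=drop
 cookie=0x0, duration=1820.2s, table=0, n_packets=288, priority=1 actions=NORMAL
"""

# Bookkeeping fields printed by dump-flows that are not part of the match.
NON_MATCH_FIELDS = {"cookie", "duration", "table", "n_packets", "n_bytes",
                    "idle_age", "hard_age", "idle_timeout", "hard_timeout"}


def parse_flows(dump):
    """Return [(priority, match_dict, [action, ...])], highest priority first."""
    flows = []
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):       # blank line or the reply header
            continue
        head, sep, actions = line.partition(" actions=")
        if not sep:
            raise ValueError(f"unparseable flow: {line!r}")
        priority, match = 32768, {}             # 32768 is the OpenFlow default priority
        for field in head.split(","):
            key, _, val = field.strip().partition("=")
            if key == "priority":
                priority = int(val)
            elif key and key not in NON_MATCH_FIELDS:
                match[key] = int(val) if val.isdigit() else val
        flows.append((priority, match, [a.strip() for a in actions.split(",")]))
    flows.sort(key=lambda f: f[0], reverse=True)  # stable: equal priorities keep dump order
    return flows


def apply_flows(flows, packet):
    """Run a packet {"in_port": n, "dl_vlan": v} through the table.

    Returns (vlan_id_on_exit, forwarded). Only the actions the article's rules
    use are modelled: mod_vlan_vid, strip_vlan, NORMAL and drop.
    """
    for _prio, match, actions in flows:
        if not all(packet.get(k) == v for k, v in match.items()):
            continue
        vlan = packet.get("dl_vlan")
        for act in actions:
            if act.startswith("mod_vlan_vid:"):
                vlan = int(act.split(":", 1)[1])
            elif act == "strip_vlan":
                vlan = None
            elif act == "NORMAL":
                return vlan, True
            elif act == "drop":
                return vlan, False
        return vlan, False                       # action list with no output: dropped
    return packet.get("dl_vlan"), False          # no flow matched (table miss)


def vlan_map(flows, in_port):
    """{vlan_in: vlan_out} for the retagging rules on one port."""
    mapping = {}
    for _prio, match, actions in flows:
        if match.get("in_port") != in_port or "dl_vlan" not in match:
            continue
        for act in actions:
            if act.startswith("mod_vlan_vid:"):
                mapping[match["dl_vlan"]] = int(act.split(":", 1)[1])
    return mapping


def check_isolation(br_eth2, br_int):
    """Report mapping errors that would let two networks share a VLAN.

    br-eth2 port 2 (phy-br-eth2) rewrites local tag -> physical VLAN;
    br-int port 1 (int-br-eth2) rewrites physical VLAN -> local tag.
    """
    outbound = vlan_map(br_eth2, in_port=2)
    inbound = vlan_map(br_int, in_port=1)
    problems = []
    if len(set(outbound.values())) != len(outbound):
        problems.append("two local tags are rewritten to the same physical VLAN")
    if len(set(inbound.values())) != len(inbound):
        problems.append("two physical VLANs are rewritten to the same local tag")
    for local, phys in outbound.items():
        if inbound.get(phys) != local:
            problems.append(f"local {local} -> physical {phys} has no inverse rule on br-int")
    for phys, local in inbound.items():
        if outbound.get(local) != phys:
            problems.append(f"physical {phys} -> local {local} has no inverse rule on br-eth2")
    return problems


if __name__ == "__main__":
    eth2, intb = parse_flows(BR_ETH2_DUMP), parse_flows(BR_INT_DUMP)
    for tag in (1, 5, 7):
        print(f"instance tag {tag} -> wire:", apply_flows(eth2, {"in_port": 2, "dl_vlan": tag}))
    for vid in (100, 101, 102):
        print(f"wire VLAN {vid} -> br-int:", apply_flows(intb, {"in_port": 1, "dl_vlan": vid}))
    print("mapping problems:", check_isolation(eth2, intb) or "none")
```

The check in check_isolation is the one worth running against a real node: feed it the output of ovs-ofctl dump-flows br-eth2 and ovs-ofctl dump-flows br-int and confirm it reports nothing. Two local tags rewritten to the same physical VLAN, or a physical VLAN with no inverse rule on br-int, is exactly the kind of stale or duplicated rule that silently merges two tenant networks.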
This concludes the analysis of how OVS implements VLAN isolation; if you run into similar questions, the two flow tables above are the place to look.
© 2024 shulou.com SLNews company. All rights reserved.