Network node design
The preceding sections completed the VPC design and verified adding a VPC network and running service traffic over it. That work provides communication within a VPC; communication between VPCs requires a vrouter for layer-3 forwarding. In a non-DVR deployment all layer-3 traffic passes through the network node and every vrouter runs on the network node, so this section describes and builds the network node.
Network node design principles:
In the model below the external network uses VLAN mode; the details of one external network are as follows:
+---------------------------+--------------------------------------+
| Field                     | Value                                |
+---------------------------+--------------------------------------+
| admin_state_up            | True                                 |
| id                        | 87e49a47-d17c-4fae-b112-07f08eaa1590 |
| mtu                       | 0                                    |
| name                      | dedicate_net                         |
| provider:network_type     | vlan                                 |
| provider:physical_network | physnet7                             |
| provider:segmentation_id  | 1102                                 |
| qos_policy_id             |                                      |
| router:external           | True                                 |
| shared                    | False                                |
| status                    | ACTIVE                               |
| subnets                   | 10529c92-898d-4611-ab4b-63ed96576f96 |
| tenant_id                 | ffabd3833bfb428b9ee191f7cb512189     |
+---------------------------+--------------------------------------+
- provider:network_type: VLAN mode
- provider:physical_network: physnet7 maps to br-ex
- provider:segmentation_id: 1102 is the VLAN carried by traffic leaving for the Internet
Network node components:
- br-prv, br-tun: underlay devices carrying VXLAN
- br-ex-biz: bridge carrying north-south traffic
- br-int: integration bridge; both DHCP and the vrouter attach here
- dhcp: a namespace running the DHCP process that allocates addresses to VMs
- vrouter: a namespace holding the virtual router; it gives VMs external connectivity and implements NAT with iptables
Selected ports:
- qr-xxx: VPC-GW, the VPC gateway
- ha-xxx: port for the vrouter's keepalived HA traffic; each vrouter's HA traffic has its own dedicated VPC network
- qg-xxx: external-facing port, the interface where the overlay network leaves the Neutron network; it carries an internal VLAN
North-south traffic flow:
- Southbound traffic
  - Traffic enters via eth1, reaches br-ex-biz and then br-int;
  - On br-int, OVS flows translate the external VLAN to the internal VLAN, and the frame enters the vrouter through the qg-xxx port;
  - The vrouter NATs the destination address to the internal VPC address and sends the packet through the qr-xxx gateway back to br-int;
  - br-int forwards the flow through br-tun to the target VM.
- Northbound traffic
  - Traffic from VM1 enters the network node through br-tun and reaches the vrouter via the qr-xxx gateway;
  - In the vrouter, iptables NAT rewrites the source to the external address; the frame leaves the vrouter through qg-xxx to br-int, carrying the local VLAN;
  - The frame carrying the local VLAN reaches br-ex;
  - OVS flows on br-ex-biz translate the local VLAN to the external VLAN (e.g. 1102), and the frame leaves the Neutron network through eth1 into the underlay.
HA for the network-node vrouter is not implemented here. Below, the network node is built by hand to:
- provide NAT
- provide external connectivity
Adding the VPC-GW
Add the internal port:
#ovs-vsctl add-port br-int qr-123 -- set Interface qr-123 type=internal
Add the vrouter:
#ip netns add qrouter-123
#ip link set dev qr-123 netns qrouter-123
#ip netns exec qrouter-123 ip link set qr-123 up
#ip netns exec qrouter-123 ip addr add 192.168.10.1/24 dev qr-123
Set the local VLAN:
The network node is co-located with compute node 1; the VPC's local VLAN on this node is 12.
#ovs-vsctl set port qr-123 tag=12
Because compute1 is reused, its VXLAN flows are reused as well, so no flows need to be added here; the two entries relied on are:
cookie=0x79, table=4, priority=1,tun_id=0x22 actions=mod_vlan_vid:12,resubmit(,10)
cookie=0x79, table=22, dl_vlan=12 actions=strip_vlan,set_tunnel:0x22,output:8
Connectivity test: ping this gateway from the compute2 node; it is reachable:
# ip netns exec test ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1) 56(84) bytes of data.
64 bytes from 192.168.10.1: icmp_seq=1 ttl=64 time=1.60 ms
64 bytes from 192.168.10.1: icmp_seq=2 ttl=64 time=0.498 ms
64 bytes from 192.168.10.1: icmp_seq=3 ttl=64 time=0.520 ms
64 bytes from 192.168.10.1: icmp_seq=4 ttl=64 time=0.508 ms
64 bytes from 192.168.10.1: icmp_seq=5 ttl=64 time=0.480 ms
^C
--- 192.168.10.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 0.480/0.723/1.609/0.443 ms
External connectivity
External connection parameters (the local VLAN is allocated by Neutron):
- Out VLAN: 1102
- Local VLAN: 50
- CIDR: 18.18.18.0/24
Add the br-ex-biz bridge:
#ovs-vsctl add-br br-ex-biz
#ovs-vsctl add-port br-ex-biz ex-biz--int -- set interface ex-biz--int type=patch -- set interface ex-biz--int options:peer=int--ex-biz
#ovs-vsctl add-port br-int int--ex-biz -- set interface int--ex-biz type=patch -- set interface int--ex-biz options:peer=ex-biz--int
Add the qg-xxx port:
#ovs-vsctl add-port br-int qg-123 -- set Interface qg-123 type=internal
#ip link set dev qg-123 netns qrouter-123
#ip netns exec qrouter-123 ip link set qg-123 up
#ip netns exec qrouter-123 ip addr add 18.18.18.10/24 dev qg-123
Set the local VLAN:
#ovs-vsctl set port qg-123 tag=50
Adding flows
Northbound traffic: the flows act mainly on br-ex-biz.
The first flow translates local VLAN 50 to external VLAN 1102; the second drops any other frame arriving from the same in_port, and the last hands everything else to normal switching:
#ovs-ofctl add-flow br-ex-biz 'cookie=0x79, table=0, priority=4,in_port=1,dl_vlan=50 actions=mod_vlan_vid:1102,NORMAL'
#ovs-ofctl add-flow br-ex-biz 'cookie=0x79, table=0, priority=2,in_port=1 actions=drop'
#ovs-ofctl add-flow br-ex-biz 'cookie=0x79, table=0, priority=0 actions=NORMAL'
Southbound traffic: the flows act mainly on br-int; in_port=7 is the OpenFlow port number of the int--ex-biz patch port:
#ovs-ofctl add-flow br-int 'cookie=0x79,table=0, priority=3,in_port=7,dl_vlan=1102 actions=mod_vlan_vid:50,NORMAL'
#ovs-ofctl add-flow br-int 'cookie=0x79,table=0, priority=2,in_port=7 actions=drop'
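The flow entries above (the br-ex-biz translation/drop rules and the two reused compute-node VXLAN flows from table 4 and table 22) can be reasoned about offline. The following is an added example, not code from the page or from Neutron: it parses lines in the `ovs-ofctl dump-flows` format shown on the page and walks a packet through the tables, so you can confirm that VLAN 50 is rewritten to 1102, that the priority-2 drop rule keeps every other VLAN from the patch port off the external network, and how a resubmit chain behaves. Only the match fields and actions used on the page are modelled; the table 10 entry in the sample and the treatment of a table miss as drop are assumptions of this model.

```python
"""Offline evaluator for ovs-ofctl style flow entries.

Added example, not code from the original page. Supports the match fields
(in_port, dl_vlan, tun_id) and actions (mod_vlan_vid, strip_vlan,
set_tunnel, resubmit, output, NORMAL, drop) that appear on the page; a
table miss is treated as drop, which is an assumption of this model.
"""
from collections import defaultdict

MATCH_FIELDS = ("in_port", "dl_vlan", "tun_id")

# br-ex-biz flows as added on the page (in_port=1 is the patch port).
BR_EX_BIZ_FLOWS = """
cookie=0x79, table=0, priority=4,in_port=1,dl_vlan=50 actions=mod_vlan_vid:1102,NORMAL
cookie=0x79, table=0, priority=2,in_port=1 actions=drop
cookie=0x79, table=0, priority=0 actions=NORMAL
"""

# The two reused compute-node VXLAN flows, plus a constructed table 10 entry
# standing in for the table the page does not show.
TUNNEL_FLOWS = """
cookie=0x79, table=4, priority=1,tun_id=0x22 actions=mod_vlan_vid:12,resubmit(,10)
cookie=0x79, table=10, priority=1 actions=NORMAL
cookie=0x79, table=22, dl_vlan=12 actions=strip_vlan,set_tunnel:0x22,output:8
"""


def _split_actions(text):
    """Split an action list on commas that are not inside parentheses."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if ch == "," and depth == 0:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        parts.append(cur.strip())
    return parts


def parse_flow(line):
    """One dump-flows line -> {'table', 'priority', 'match', 'actions'}."""
    head, actions = line.split("actions=", 1)
    flow = {"table": 0, "priority": 32768, "match": {}}   # OVS defaults
    for kv in head.split(","):
        key, _, val = kv.strip().partition("=")
        if key == "table":
            flow["table"] = int(val)
        elif key == "priority":
            flow["priority"] = int(val)
        elif key in MATCH_FIELDS:
            flow["match"][key] = int(val, 0)   # base 0 accepts 0x22
    flow["actions"] = _split_actions(actions)
    return flow


def parse_flows(text):
    """Group flows by table, highest priority first (first match wins)."""
    tables = defaultdict(list)
    for line in text.strip().splitlines():
        if "actions=" in line:
            flow = parse_flow(line)
            tables[flow["table"]].append(flow)
    for flows in tables.values():
        flows.sort(key=lambda f: -f["priority"])
    return tables


def evaluate(tables, pkt, table=0, depth=0):
    """Return (terminal action, packet fields) for pkt entering `table`."""
    if depth > 16:
        raise RuntimeError("resubmit loop")
    pkt = dict(pkt)
    for flow in tables.get(table, []):
        if all(pkt.get(k) == v for k, v in flow["match"].items()):
            break
    else:
        return "drop", pkt                     # table miss
    for act in flow["actions"]:
        if act.startswith("mod_vlan_vid:"):
            pkt["dl_vlan"] = int(act.split(":")[1])
        elif act == "strip_vlan":
            pkt["dl_vlan"] = None
        elif act.startswith("set_tunnel:"):
            pkt["tun_id"] = int(act.split(":")[1], 0)
        elif act.startswith("resubmit("):
            nxt = int(act[len("resubmit("):-1].split(",")[1])
            return evaluate(tables, pkt, nxt, depth + 1)
        elif act in ("NORMAL", "drop") or act.startswith("output:"):
            return act, pkt
    return "drop", pkt


def passing_vlans(tables, in_port, vlans=range(1, 4095)):
    """VLAN tags from in_port that are not dropped: what the drop rule buys."""
    return {v for v in vlans
            if evaluate(tables, {"in_port": in_port, "dl_vlan": v})[0] != "drop"}


if __name__ == "__main__":
    t = parse_flows(BR_EX_BIZ_FLOWS)
    print(evaluate(t, {"in_port": 1, "dl_vlan": 50}))
    print(sorted(passing_vlans(t, 1)))
```

Running `passing_vlans` against the same table with the priority-2 drop line removed returns every VLAN id, which is the concrete reason that rule sits between the translation rule and the catch-all NORMAL.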
External network connectivity test
Set up the external port:
#ip netns add outer
#ovs-vsctl add-port br-ex-biz outer-123 -- set Interface outer-123 type=internal
#ip link set dev outer-123 netns outer
#ip netns exec outer ip link set outer-123 up
#ip netns exec outer ip addr add 18.18.18.1/24 dev outer-123
#ovs-vsctl set port outer-123 tag=1102
Ping br-ex-biz from the vrouter; result:
[root@localhost ~]# ip netns exec qrouter-123 ping 18.18.18.1
PING 18.18.18.1 (18.18.18.1) 56(84) bytes of data.
64 bytes from 18.18.18.1: icmp_seq=1 ttl=64 time=0.373 ms
64 bytes from 18.18.18.1: icmp_seq=2 ttl=64 time=0.051 ms
64 bytes from 18.18.18.1: icmp_seq=3 ttl=64 time=0.042 ms
64 bytes from 18.18.18.1: icmp_seq=4 ttl=64 time=0.040 ms
^C
--- 18.18.18.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.040/0.126/0.373/0.142 ms
NAT
The steps above give connectivity from the VM to the gateway and from qg-xxx to the external network. SNAT rules:
#ip netns exec qrouter-123 iptables -t nat -A POSTROUTING -o qg-123 -j SNAT --to-source 18.18.18.10
#ip netns exec qrouter-123 iptables -t nat -A POSTROUTING -m mark ! --mark 0x2/0xffff -m conntrack --ctstate DNAT -j SNAT --to-source 18.18.18.10
#ip netns exec qrouter-123 iptables -t mangle -I PREROUTING -i qg-123 -j MARK --set-xmark 0x2/0xffff
DNAT rule:
#ip netns exec qrouter-123 iptables -t nat -A PREROUTING -d 18.18.18.10/32 -p tcp -m tcp --dport 6000 -j DNAT --to-destination 192.168.10.11:22
Add the default route in the vrouter:
#ip netns exec qrouter-123 route add -net default gw 18.18.18.1
Add the default route in the test namespace:
#ip netns exec test route add -net 0.0.0.0 gw 192.168.10.1
Enable forwarding on the physical host where the vrouter runs:
#echo "1" > /proc/sys/net/ipv4/ip_forward
Enable forwarding inside the vrouter. Note: when the namespace is added first and forwarding is then enabled on the physical host, the namespace's setting does not change, so it must be set inside the namespace separately:
#ip netns exec qrouter-123 sysctl -w net.ipv4.ip_forward=1
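The SNAT and DNAT rules above are what expose a VPC host to the external network, so they are worth auditing rather than just adding. The following is an added example, not code from the page or from Neutron: it parses the nat table in `iptables-save` syntax, lists the DNAT port forwards, flags forwards that are broader than one external address and port or that point outside the router's VPC subnets, and lists the SNAT sources. The sample rules are constructed from the commands shown above; that this is how `ip netns exec qrouter-123 iptables-save -t nat` would print them is an assumption of the example.

```python
"""Audit of a qrouter nat table in iptables-save syntax.

Added example, not code from the original page. Reports which external
(ip, proto, port) tuples DNAT forwards into the VPC, whether each target
lies in one of the router's subnets, and which sources SNAT uses.
"""
import ipaddress
import re

# Constructed sample: the rules added on the page as iptables-save would list them.
SAMPLE_NAT = """
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 18.18.18.10/32 -p tcp -m tcp --dport 6000 -j DNAT --to-destination 192.168.10.11:22
-A POSTROUTING -o qg-123 -j SNAT --to-source 18.18.18.10
-A POSTROUTING -m mark ! --mark 0x2/0xffff -m conntrack --ctstate DNAT -j SNAT --to-source 18.18.18.10
COMMIT
"""

# Constructed counter-example: a forward with no destination or port match.
LOOSE_NAT = "-A PREROUTING -j DNAT --to-destination 10.20.10.11\n"

DNAT_RE = re.compile(r"^-A PREROUTING\s*(?P<opts>.*?)-j DNAT --to-destination (?P<target>\S+)$")
SNAT_RE = re.compile(r"^-A POSTROUTING\s*(?P<opts>.*?)-j SNAT --to-source (?P<src>\S+)$")


def _opt(opts, flag):
    """Value of a single-argument option such as -d, -p, --dport, -o (or None)."""
    m = re.search(r"(?:^|\s)" + re.escape(flag) + r"\s+(\S+)", opts)
    return m.group(1) if m else None


def parse_forwards(text):
    """List the DNAT port forwards as dicts; missing match fields are None."""
    forwards = []
    for line in text.splitlines():
        m = DNAT_RE.match(line.strip())
        if not m:
            continue
        opts = m.group("opts")
        int_ip, _, int_port = m.group("target").partition(":")
        ext = _opt(opts, "-d")
        dport = _opt(opts, "--dport")
        forwards.append({
            "ext_ip": ext.split("/")[0] if ext else None,
            "proto": _opt(opts, "-p"),
            "ext_port": int(dport) if dport else None,
            "int_ip": int_ip,
            "int_port": int(int_port) if int_port else None,
        })
    return forwards


def audit_forwards(forwards, vpc_cidrs):
    """Findings for forwards broader than one host/port or outside the VPCs."""
    nets = [ipaddress.ip_network(c) for c in vpc_cidrs]
    findings = []
    for f in forwards:
        tag = f"DNAT -> {f['int_ip']}"
        if f["ext_ip"] is None:
            findings.append(f"{tag}: no -d match, applies to every destination address")
        if f["proto"] is None or f["ext_port"] is None:
            findings.append(f"{tag}: no protocol/port match, forwards all traffic")
        if not any(ipaddress.ip_address(f["int_ip"]) in n for n in nets):
            findings.append(f"{tag}: target is outside the router's VPC subnets")
    return findings


def snat_sources(text):
    """(outgoing interface or None, source address) for each SNAT rule."""
    out = []
    for line in text.splitlines():
        m = SNAT_RE.match(line.strip())
        if m:
            out.append((_opt(m.group("opts"), "-o"), m.group("src")))
    return out


if __name__ == "__main__":
    fw = parse_forwards(SAMPLE_NAT)
    print(fw)
    print(audit_forwards(fw, ["192.168.10.0/24", "10.20.10.0/24"]))
    print(snat_sources(SAMPLE_NAT))
```

The second SNAT entry has no `-o`, which is expected: it is the mark-based rule that re-sources replies for DNAT'ed connections, and the audit lists it as such rather than treating a missing interface as an error.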
vrouter functional test
Result:
# ip netns exec test ping 18.18.18.1
PING 18.18.18.1 (18.18.18.1) 56(84) bytes of data.
64 bytes from 18.18.18.1: icmp_seq=1 ttl=63 time=1.59 ms
64 bytes from 18.18.18.1: icmp_seq=2 ttl=63 time=0.554 ms
64 bytes from 18.18.18.1: icmp_seq=3 ttl=63 time=0.535 ms
64 bytes from 18.18.18.1: icmp_seq=4 ttl=63 time=0.539 ms
^C
--- 18.18.18.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 0.535/0.806/1.599/0.458 ms
Packet capture below; the source address has been translated to 18.18.18.10:
# ip netns exec outer tcpdump -i outer-123
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on outer-123, link-type EN10MB (Ethernet), capture size 65535 bytes
13:17:10.117962 IP 18.18.18.10 > localhost.localdomain: ICMP echo request, id 20917, seq 1, length 64
13:17:10.117997 IP localhost.localdomain > 18.18.18.10: ICMP echo reply, id 20917, seq 1, length 64
13:17:11.119042 IP 18.18.18.10 > localhost.localdomain: ICMP echo request, id 20917, seq 2, length 64
13:17:11.119105 IP localhost.localdomain > 18.18.18.10: ICMP echo reply, id 20917, seq 2, length 64
13:17:12.119501 IP 18.18.18.10 > localhost.localdomain: ICMP echo request, id 20917, seq 3, length 64
13:17:12.119558 IP localhost.localdomain > 18.18.18.10: ICMP echo reply, id 20917, seq 3, length 64
13:17:13.119471 IP 18.18.18.10 > localhost.localdomain: ICMP echo request, id 20917, seq 4, length 64
13:17:13.119529 IP localhost.localdomain > 18.18.18.10: ICMP echo reply, id 20917, seq 4, length 64
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel
Inter-VPC connectivity test
In our actual test environment two VPCs were created:
- VPC01: vni 0x22, cidr 192.168.10.0/24
- VPC02: vni 0x33, cidr 10.20.10.0/24
Test: connect the two VPCs through the vrouter. qrouter-123 already has the VPC01 gateway; add the VPC02 gateway:
#ovs-vsctl add-port br-int qr-124 -- set Interface qr-124 type=internal
#ip link set dev qr-124 netns qrouter-123
#ip netns exec qrouter-123 ip link set qr-124 up
#ip netns exec qrouter-123 ip addr add 10.20.10.1/24 dev qr-124
Set the local VLAN:
#ovs-vsctl set port qr-124 tag=33
No flows need to be added: the flows created when the VPC was added are reused.
Add the route in the test124 netns:
#ip netns exec test124 route add -net default gw 10.20.10.1
Test: ping the gateway from test124:
# ip netns exec test124 ping 10.20.10.1
PING 10.20.10.1 (10.20.10.1) 56(84) bytes of data.
64 bytes from 10.20.10.1: icmp_seq=1 ttl=64 time=0.385 ms
64 bytes from 10.20.10.1: icmp_seq=2 ttl=64 time=0.062 ms
64 bytes from 10.20.10.1: icmp_seq=3 ttl=64 time=0.053 ms
Ping a VPC02 host from the test namespace:
# ip netns exec test ping 10.20.10.11
PING 10.20.10.11 (10.20.10.11) 56(84) bytes of data.
64 bytes from 10.20.10.11: icmp_seq=1 ttl=63 time=1.00 ms
64 bytes from 10.20.10.11: icmp_seq=2 ttl=63 time=0.544 ms
64 bytes from 10.20.10.11: icmp_seq=3 ttl=63 time=0.525 ms
^C
--- 10.20.10.11 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.525/0.692/1.009/0.225 ms
As shown, the two VPCs are connected through the vrouter.
HA for the network-node vrouter relies on keepalived; the configuration is explained below:
# cat /var/lib/neutron/ha_confs/e38c89c5-b25d-4fdd-84f1-fbc773f2b809/keepalived.conf
vrrp_instance VR_1 {
    # initial state of this node for this virtual router
    state BACKUP
    # interface the instance is bound to; VRRP heartbeats are sent from it
    interface ha-169f8bf1-f3
    # unique id of this virtual router, range 0-255
    virtual_router_id 1
    # priority of this host within the virtual router, range 1-254
    priority 50
    # delay before refreshing ARP caches after switching to master
    garp_master_delay 60
    # do not preempt
    nopreempt
    # check interval, 2 s: the VRRP heartbeat period
    advert_int 2
    # monitored interfaces
    track_interface {
        ha-169f8bf1-f3
    }
    # VIP
    virtual_ipaddress {
        169.254.0.1/24 dev ha-169f8bf1-f3
    }
    virtual_ipaddress_excluded {
        10.0.10.1/24 dev qr-6a6bcd46-03
        183.188.2.2/24 dev qg-ff44bb7a-a5
        fe80::f816:3eff:fe93:4309/64 dev qg-ff44bb7a-a5 scope link
        fe80::f816:3eff:fed4:5382/64 dev qr-6a6bcd46-03 scope link
    }
    # default route
    virtual_routes {
        0.0.0.0/0 via 183.188.2.1 dev qg-ff44bb7a-a5
    }
}
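Because the keepalived configuration decides which node answers for the gateway and external addresses, its settings deserve a consistency check before a failover is trusted. The following is an added example, not code from the page or from Neutron: a small parser for the brace-structured keepalived.conf shown above, and checks for the points the configuration relies on (`nopreempt` is only honoured by keepalived when the initial state is BACKUP; `priority` must be 1-254; the heartbeat interface should also be in `track_interface`; every VIP names a `dev`). The sample is the page's own configuration with `#` comments; the check names and messages are this example's.

```python
"""Parser and sanity checks for a Neutron L3 HA keepalived.conf.

Added example, not Neutron's own code. `#` starts a comment, as in keepalived.
"""

# Sample taken from the configuration shown on the page.
SAMPLE_CONF = """
vrrp_instance VR_1 {
    state BACKUP          # initial state
    interface ha-169f8bf1-f3
    virtual_router_id 1
    priority 50
    garp_master_delay 60
    nopreempt
    advert_int 2
    track_interface {
        ha-169f8bf1-f3
    }
    virtual_ipaddress {
        169.254.0.1/24 dev ha-169f8bf1-f3
    }
    virtual_ipaddress_excluded {
        10.0.10.1/24 dev qr-6a6bcd46-03
        183.188.2.2/24 dev qg-ff44bb7a-a5
        fe80::f816:3eff:fe93:4309/64 dev qg-ff44bb7a-a5 scope link
        fe80::f816:3eff:fed4:5382/64 dev qr-6a6bcd46-03 scope link
    }
    virtual_routes {
        0.0.0.0/0 via 183.188.2.1 dev qg-ff44bb7a-a5
    }
}
"""

INT_KEYS = ("priority", "virtual_router_id", "advert_int", "garp_master_delay")


def parse_blocks(text):
    """Nested dicts for the brace syntax; plain lines go into '_items'."""
    root = {"_items": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            block = {"_items": []}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":
            stack.pop()
        else:
            stack[-1]["_items"].append(line)
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def vrrp_instances(cfg):
    """Map instance name -> flat summary of the settings checked below."""
    out = {}
    for key, block in cfg.items():
        if not key.startswith("vrrp_instance "):
            continue
        s = {"flags": set()}
        for item in block["_items"]:
            k, _, v = item.partition(" ")
            if v == "":
                s["flags"].add(k)            # bare keywords such as nopreempt
            else:
                s[k] = int(v) if k in INT_KEYS else v
        for name in ("virtual_ipaddress", "virtual_ipaddress_excluded",
                     "virtual_routes", "track_interface"):
            s[name] = block.get(name, {}).get("_items", [])
        out[key.split(" ", 1)[1]] = s
    return out


def check_instance(s):
    """Return a list of findings; empty means the instance passes."""
    findings = []
    if "nopreempt" in s["flags"] and s.get("state") != "BACKUP":
        findings.append("nopreempt is only honoured when the initial state is BACKUP")
    if not 1 <= s.get("priority", 0) <= 254:
        findings.append("priority must be 1-254")
    if s.get("interface") and s["interface"] not in s["track_interface"]:
        findings.append("heartbeat interface is not in track_interface")
    for addr in s["virtual_ipaddress"] + s["virtual_ipaddress_excluded"]:
        if " dev " not in addr:
            findings.append(f"VIP {addr} has no dev")
    return findings


if __name__ == "__main__":
    for name, inst in vrrp_instances(parse_blocks(SAMPLE_CONF)).items():
        print(name, inst["state"], inst["priority"], check_instance(inst))
```

Run it over the `keepalived.conf` of each router on each L3 agent and compare the summaries: the two sides of one router should share `virtual_router_id`, VIPs and routes, and differ only in `priority` and `interface`.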