由 SuKai June 28, 2022
公有云网络中通过VPC来实现网络的隔离,VPC可以对应到OVN虚拟网络逻辑路由器,那么如何来实现两个路由器下的子网通过路由方式直接互访呢?下面我们一起来看看OVN是如何配置的。
添加一个新的路由器和交换机
# Create the second logical router and bind it to one chassis via
# options:chassis (OVN gateway-router mode). The UUID is the chassis shown as
# hostname ovn-1 by "ovn-sbctl show" below, which is why every lr2-* port is
# listed under that chassis. "create" prints the new row's UUID (next line).
sudo ovn-nbctl create Logical_Router name=router2 options:chassis=6fa2da75-1393-4efe-984d-0c0310b95ad3
fecc0e10-0e9e-440e-aaac-5bb667bb2991
# Logical switch for the new subnet (10.2.0.0/24) that will sit behind router2.
sudo ovn-nbctl ls-add lswitch3
连接路由器与交换机
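# Add a port on router2 for the 10.2.0.0/24 subnet. Its address, 10.2.0.1, is
# what the namespace below uses as its default gateway.
sudo ovn-nbctl lrp-add router2 lr2-ls3 52:54:00:c1:68:90 10.2.0.1/24
# Add the matching switch port, type "router", and link it to lr2-ls3.
# The four steps are chained with "--" so ovn-nbctl commits them as ONE
# transaction: if any step fails, no half-configured port is left behind
# (e.g. a port that exists but is neither typed "router" nor bound to its
# router port).
sudo ovn-nbctl lsp-add lswitch3 ls3-lr2 \
  -- lsp-set-type ls3-lr2 router \
  -- lsp-set-addresses ls3-lr2 52:54:00:c1:68:90 \
  -- lsp-set-options ls3-lr2 router-port=lr2-ls3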
在节点上添加一个ovs internal port
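# Add the VM-facing switch port. The same MAC/IP pair is set as the port's
# address and as its port-security entry, so the port may only send from and
# receive to exactly this MAC/IP (anti-spoofing for the namespace).
sudo ovn-nbctl lsp-add lswitch3 ls3-vm2
sudo ovn-nbctl lsp-set-addresses ls3-vm2 "02:ac:10:ff:01:37 10.2.0.70"
sudo ovn-nbctl lsp-set-port-security ls3-vm2 "02:ac:10:ff:01:37 10.2.0.70"
# On the host: create an OVS internal port "vm2" on br-int and move it into a
# network namespace of the same name so it behaves like a guest NIC.
# "ip link set ... up" replaces the deprecated ifconfig: net-tools is often not
# installed on current distributions, and iproute2 is already used for every
# other step here.
sudo ip link set br-int up
sudo ovs-vsctl add-port br-int vm2 -- set interface vm2 type=internal
sudo ip netns add vm2
sudo ip link set vm2 netns vm2
sudo ip netns exec vm2 ip link set lo up
sudo ip netns exec vm2 ip link set vm2 up
# The MAC must equal the one in the port-security entry above; otherwise OVN
# drops the namespace's frames.
sudo ip netns exec vm2 ip link set vm2 address 02:ac:10:ff:01:37
sudo ip netns exec vm2 ip addr add 10.2.0.70/24 dev vm2
# Default gateway is the lr2-ls3 router port (10.2.0.1).
sudo ip netns exec vm2 ip route add default via 10.2.0.1 dev vm2
# Bind the OVS interface to the logical switch port: ovn-controller on this
# chassis claims ls3-vm2 once iface-id matches (it then appears as
# "Port_Binding ls3-vm2" under the ovn-2 chassis in "ovn-sbctl show").
sudo ovs-vsctl set Interface vm2 external_ids:iface-id=ls3-vm2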
连接两个路由器
# Router-to-router link: each lrp-add names the other side as peer, which
# connects the two router ports directly (no logical switch in between).
# 172.16.0.0/24 is only a transit prefix between the routers; no workload
# lives on it. Because router2 is pinned to the ovn-1 chassis, both lr-lr2
# and lr2-lr show up as Port_Bindings on that chassis in "ovn-sbctl show".
sudo ovn-nbctl lrp-add router lr-lr2 52:54:00:c1:69:50 172.16.0.1/24 peer=lr2-lr
sudo ovn-nbctl lrp-add router2 lr2-lr 52:54:00:c1:70:51 172.16.0.2/24 peer=lr-lr2
路由器添加路由
# Static routes across the 172.16.0.0/24 transit link.
# router -> router2: the lswitch3 subnet via lr2-lr (172.16.0.2).
sudo ovn-nbctl lr-route-add router 10.2.0.0/24 172.16.0.2
# router2 -> router: the lswitch2 (10.1.0.0/24) and lswitch1 (10.0.0.0/24)
# subnets via lr-lr2 (172.16.0.1).
sudo ovn-nbctl lr-route-add router2 10.1.0.0/24 172.16.0.1
sudo ovn-nbctl lr-route-add router2 10.0.0.0/24 172.16.0.1
# Return paths from router2 towards the hosts: the join network
# (100.64.0.0/16, router port ovn-cluster-join) and the node network
# (192.168.0.0/24, the chassis encap IPs). Without these, replies to
# host-originated traffic have no route on router2. Note router2 gets no
# default route (see "lr-route-list router2" below), so destinations outside
# these prefixes stay unreachable from lswitch3; add one only if that is wanted.
sudo ovn-nbctl lr-route-add router2 100.64.0.0/16 172.16.0.1
sudo ovn-nbctl lr-route-add router2 192.168.0.0/24 172.16.0.1
主机上添加路由
# Host-side route: send 10.2.0.0/24 to the cluster router through the ovn0
# join interface (100.64.0.1 is the ovn-cluster-join router port), matching the
# existing 10.0.0.0/24 and 10.1.0.0/24 entries in "ip route" below. This is a
# per-node setting; the later ping from ovn-2 to 10.2.0.70 suggests it was
# added there as well, though only ovn-1's routing table is shown.
sudo ip route add 10.2.0.0/24 via 100.64.0.1 dev ovn0
查看信息
路由端口
sukai@ovn-1:~$ sudo ovn-nbctl list logical_router_port
_uuid : 2be179b0-ab04-46cf-a558-3bb0a596bfe6
enabled : []
external_ids : {}
gateway_chassis : []
ha_chassis_group : []
ipv6_ra_configs : {}
mac : "52:54:00:c1:68:60"
name : lr-ls2
networks : ["10.1.0.1/24"]
options : {}
peer : []
_uuid : ca250350-bec2-43e5-a684-2d0dd62267ff
enabled : []
external_ids : {}
gateway_chassis : []
ha_chassis_group : []
ipv6_ra_configs : {}
mac : "00:00:00:E2:21:46"
name : ovn-cluster-join
networks : ["100.64.0.1/16"]
options : {}
peer : []
_uuid : 13eff9c5-afaa-4b43-a548-03d049150c02
enabled : []
external_ids : {}
gateway_chassis : []
ha_chassis_group : []
ipv6_ra_configs : {}
mac : "52:54:00:c1:70:51"
name : lr2-lr
networks : ["172.16.0.2/24"]
options : {}
peer : lr-lr2
_uuid : fecd3729-2a10-4b63-87b8-2c55cfa33765
enabled : []
external_ids : {}
gateway_chassis : []
ha_chassis_group : []
ipv6_ra_configs : {}
mac : "52:54:00:c1:68:50"
name : lr-ls1
networks : ["10.0.0.1/24"]
options : {}
peer : []
_uuid : 30e5b4d2-3ca9-422d-bf56-195732e582a9
enabled : []
external_ids : {}
gateway_chassis : []
ha_chassis_group : []
ipv6_ra_configs : {}
mac : "52:54:00:c1:68:90"
name : lr2-ls3
networks : ["10.2.0.1/24"]
options : {}
peer : []
_uuid : 6e929483-0a94-435e-8487-23e83a2cfa94
enabled : []
external_ids : {}
gateway_chassis : []
ha_chassis_group : []
ipv6_ra_configs : {}
mac : "52:54:00:c1:69:50"
name : lr-lr2
networks : ["172.16.0.1/24"]
options : {}
peer : lr2-lr
ovn信息
sukai@ovn-1:~$ sudo ovn-nbctl show
switch d85756bc-e7d3-42fb-ace1-15168e017736 (lswitch2)
port ls2-ctn2
addresses: ["02:ac:10:ff:01:34 10.1.0.40"]
port ls2-lr1
type: router
addresses: ["52:54:00:c1:68:60"]
router-port: lr-ls2
switch 75a787a4-9e55-4542-acaa-e969bebfaf16 (lswitch1)
port ls1-vm1
addresses: ["02:ac:10:ff:01:30 10.0.0.10"]
port ls1-ctn1
addresses: ["02:ac:10:ff:01:33 10.0.0.30"]
port ls1-lr1
type: router
addresses: ["52:54:00:c1:68:50"]
router-port: lr-ls1
switch 734d1afd-c8eb-4e25-8ca1-59908ddd9392 (lswitch3)
port ls3-vm2
addresses: ["02:ac:10:ff:01:37 10.2.0.70"]
port ls3-lr2
type: router
addresses: ["52:54:00:c1:68:90"]
router-port: lr2-ls3
switch 5e9e0b6d-332a-412e-b268-dd5dd7623975 (join)
port node-ovn-2
addresses: ["00:00:00:B0:35:E3 100.64.0.3"]
port node-ovn-1
addresses: ["00:00:00:B0:35:E2 100.64.0.2"]
port join-ovn-cluster
type: router
addresses: ["00:00:00:E2:21:46"]
router-port: ovn-cluster-join
router fecc0e10-0e9e-440e-aaac-5bb667bb2991 (router2)
port lr2-lr
mac: "52:54:00:c1:70:51"
networks: ["172.16.0.2/24"]
port lr2-ls3
mac: "52:54:00:c1:68:90"
networks: ["10.2.0.1/24"]
router 3bccdebe-38de-450c-8e02-208eaff33398 (router)
port lr-ls2
mac: "52:54:00:c1:68:60"
networks: ["10.1.0.1/24"]
port lr-lr2
mac: "52:54:00:c1:69:50"
networks: ["172.16.0.1/24"]
port ovn-cluster-join
mac: "00:00:00:E2:21:46"
networks: ["100.64.0.1/16"]
port lr-ls1
mac: "52:54:00:c1:68:50"
networks: ["10.0.0.1/24"]
sukai@ovn-1:~$ sudo ovn-sbctl show
Chassis "28a87e04-b738-4db0-a767-380091e1a752"
hostname: ovn-2
Encap geneve
ip: "192.168.0.114"
options: {csum="true"}
Port_Binding node-ovn-2
Port_Binding ls3-vm2
Chassis "6fa2da75-1393-4efe-984d-0c0310b95ad3"
hostname: ovn-1
Encap geneve
ip: "192.168.0.115"
options: {csum="true"}
Port_Binding lr-lr2
Port_Binding node-ovn-1
Port_Binding lr2-lr
Port_Binding lr2-ls3
Port_Binding join-ovn-cluster
Port_Binding lr-ls1
Port_Binding ls1-lr1
Port_Binding ovn-cluster-join
Port_Binding ls1-vm1
Port_Binding ls3-lr2
Port_Binding ls1-ctn1
Port_Binding lr-ls2
Port_Binding ls2-lr1
sukai@ovn-1:~$
路由信息
sukai@ovn-1:~$ sudo ovn-nbctl lr-route-list router
IPv4 Routes
10.2.0.0/24 172.16.0.2 dst-ip
0.0.0.0/0 100.64.0.1 dst-ip
sukai@ovn-1:~$ sudo ovn-nbctl lr-route-list router2
IPv4 Routes
10.0.0.0/24 172.16.0.1 dst-ip
10.1.0.0/24 172.16.0.1 dst-ip
192.168.0.0/24 172.16.0.1 dst-ip
100.64.0.0/16 172.16.0.1 dst-ip
sukai@ovn-1:~$ sudo ovn-nbctl lr-policy-list router
Routing Policies
31000 ip4.dst == 10.0.0.0/24 allow
31000 ip4.dst == 10.1.0.0/24 allow
30000 ip4.dst == 192.168.0.114 reroute 100.64.0.3
30000 ip4.dst == 192.168.0.115 reroute 100.64.0.2
sukai@ovn-1:~$ sudo ovn-nbctl lr-policy-list router2
sukai@ovn-1:~$
sukai@ovn-1:~$ sudo ip route
default via 192.168.0.1 dev ens33 proto dhcp src 192.168.0.115 metric 100
10.0.0.0/24 via 100.64.0.1 dev ovn0
10.1.0.0/24 via 100.64.0.1 dev ovn0
10.2.0.0/24 via 100.64.0.1 dev ovn0
100.64.0.0/16 dev ovn0 proto kernel scope link src 100.64.0.2
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.0.0/24 dev ens33 proto kernel scope link src 192.168.0.115
192.168.0.1 dev ens33 proto dhcp scope link src 192.168.0.115 metric 100
192.168.100.0/24 dev ens34 proto kernel scope link src 192.168.100.10
sukai@ovn-1:~$
ovs端口信息
sukai@ovn-1:~$ sudo ovs-vsctl show
93fd4842-e0e9-4413-a99a-2c11e4180a0a
Bridge br-int
fail_mode: secure
Port ctn1
Interface ctn1
type: internal
Port vm1
Interface vm1
type: internal
Port br-int
Interface br-int
type: internal
Port ovn0
Interface ovn0
type: internal
Port ovn-28a87e-0
Interface ovn-28a87e-0
type: geneve
options: {csum="true", key=flow, remote_ip="192.168.0.114"}
ovs_version: "2.13.5"
sukai@ovn-1:~$
sukai@ovn-2:~$ sudo ovs-vsctl show
1ab53615-2604-4edf-ac6a-7a244803a25e
Bridge br-int
fail_mode: secure
Port vm2
Interface vm2
type: internal
Port ovn0
Interface ovn0
type: internal
Port br-int
Interface br-int
type: internal
Port ovn-6fa2da-0
Interface ovn-6fa2da-0
type: geneve
options: {csum="true", key=flow, remote_ip="192.168.0.115"}
ovs_version: "2.13.5"
sukai@ovn-2:~$
测试网络
sukai@ovn-1:~$ sudo ip netns exec vm1 /bin/bash
root@ovn-1:/home/sukai# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
7: vm1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
link/ether 02:ac:10:ff:01:30 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.10/24 brd 10.0.0.255 scope global dynamic vm1
valid_lft 2767sec preferred_lft 2767sec
inet6 fe80::ac:10ff:feff:130/64 scope link
valid_lft forever preferred_lft forever
root@ovn-1:/home/sukai# ip route
default via 10.0.0.1 dev vm1
10.0.0.0/24 dev vm1 proto kernel scope link src 10.0.0.10
root@ovn-1:/home/sukai# ping -c 1 10.2.0.70
PING 10.2.0.70 (10.2.0.70) 56(84) bytes of data.
64 bytes from 10.2.0.70: icmp_seq=1 ttl=62 time=3.55 ms
--- 10.2.0.70 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.547/3.547/3.547/0.000 ms
root@ovn-1:/home/sukai# ping -c 1 192.168.0.114
PING 192.168.0.114 (192.168.0.114) 56(84) bytes of data.
64 bytes from 192.168.0.114: icmp_seq=1 ttl=63 time=2.60 ms
--- 192.168.0.114 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.600/2.600/2.600/0.000 ms
root@ovn-1:/home/sukai# ping -c 1 192.168.0.115
PING 192.168.0.115 (192.168.0.115) 56(84) bytes of data.
64 bytes from 192.168.0.115: icmp_seq=1 ttl=63 time=2.53 ms
--- 192.168.0.115 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.525/2.525/2.525/0.000 ms
root@ovn-1:/home/sukai# ping -c 1 100.64.0.3
PING 100.64.0.3 (100.64.0.3) 56(84) bytes of data.
64 bytes from 100.64.0.3: icmp_seq=1 ttl=63 time=2.76 ms
--- 100.64.0.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.758/2.758/2.758/0.000 ms
root@ovn-1:/home/sukai# ping -c 1 100.64.0.2
PING 100.64.0.2 (100.64.0.2) 56(84) bytes of data.
64 bytes from 100.64.0.2: icmp_seq=1 ttl=63 time=0.897 ms
--- 100.64.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.897/0.897/0.897/0.000 ms
root@ovn-1:/home/sukai# ping -c 1 100.64.0.1
PING 100.64.0.1 (100.64.0.1) 56(84) bytes of data.
64 bytes from 100.64.0.1: icmp_seq=1 ttl=254 time=0.720 ms
--- 100.64.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.720/0.720/0.720/0.000 ms
root@ovn-1:/home/sukai#
主机ping不同路由下的IP
sukai@ovn-1:~$ ping -I 192.168.0.115 -c 1 10.2.0.70
PING 10.2.0.70 (10.2.0.70) from 192.168.0.115 : 56(84) bytes of data.
64 bytes from 10.2.0.70: icmp_seq=1 ttl=62 time=4.96 ms
--- 10.2.0.70 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.964/4.964/4.964/0.000 ms
sukai@ovn-1:~$
sukai@ovn-1:~$ ping -I 192.168.0.115 -c 1 10.0.0.10
PING 10.0.0.10 (10.0.0.10) from 192.168.0.115 : 56(84) bytes of data.
64 bytes from 10.0.0.10: icmp_seq=1 ttl=63 time=1.31 ms
--- 10.0.0.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.305/1.305/1.305/0.000 ms
sukai@ovn-1:~$
sukai@ovn-2:~$ ping -I 192.168.0.114 -c 1 10.0.0.10
PING 10.0.0.10 (10.0.0.10) from 192.168.0.114 : 56(84) bytes of data.
64 bytes from 10.0.0.10: icmp_seq=1 ttl=63 time=3.61 ms
--- 10.0.0.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.609/3.609/3.609/0.000 ms
sukai@ovn-2:~$ ping -I 192.168.0.114 -c 1 10.2.0.70
PING 10.2.0.70 (10.2.0.70) from 192.168.0.114 : 56(84) bytes of data.
64 bytes from 10.2.0.70: icmp_seq=1 ttl=62 time=4.18 ms
--- 10.2.0.70 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.175/4.175/4.175/0.000 ms
sukai@ovn-2:~$
在网络命名空间下ping
sukai@ovn-2:~$ sudo ip netns exec vm2 /bin/bash
root@ovn-2:/home/sukai#
root@ovn-2:/home/sukai# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
11: vm2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
link/ether 02:ac:10:ff:01:37 brd ff:ff:ff:ff:ff:ff
inet 10.2.0.70/24 scope global vm2
valid_lft forever preferred_lft forever
inet6 fe80::84ad:f6ff:fe4d:aed8/64 scope link
valid_lft forever preferred_lft forever
root@ovn-2:/home/sukai# ip r
default via 10.2.0.1 dev vm2
10.2.0.0/24 dev vm2 proto kernel scope link src 10.2.0.70
root@ovn-2:/home/sukai# ping -c 1 10.0.0.10
PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
64 bytes from 10.0.0.10: icmp_seq=1 ttl=62 time=15.8 ms
--- 10.0.0.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 15.795/15.795/15.795/0.000 ms
root@ovn-2:/home/sukai# ping -c 1 192.168.0.115
PING 192.168.0.115 (192.168.0.115) 56(84) bytes of data.
64 bytes from 192.168.0.115: icmp_seq=1 ttl=62 time=27.6 ms
--- 192.168.0.115 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 27.586/27.586/27.586/0.000 ms
root@ovn-2:/home/sukai# ping -c 1 192.168.0.114
PING 192.168.0.114 (192.168.0.114) 56(84) bytes of data.
64 bytes from 192.168.0.114: icmp_seq=1 ttl=62 time=4.47 ms
--- 192.168.0.114 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.474/4.474/4.474/0.000 ms
root@ovn-2:/home/sukai# ping -c 1 100.64.0.2
PING 100.64.0.2 (100.64.0.2) 56(84) bytes of data.
64 bytes from 100.64.0.2: icmp_seq=1 ttl=62 time=2.44 ms
--- 100.64.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.439/2.439/2.439/0.000 ms
root@ovn-2:/home/sukai# ping -c 1 100.64.0.3
PING 100.64.0.3 (100.64.0.3) 56(84) bytes of data.
64 bytes from 100.64.0.3: icmp_seq=1 ttl=62 time=4.16 ms
--- 100.64.0.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.160/4.160/4.160/0.000 ms
root@ovn-2:/home/sukai#