OVN路由器对等连接

SuKai June 28, 2022

公有云网络中通过VPC来实现网络的隔离,VPC可以对应到OVN虚拟网络中的逻辑路由器,那么如何实现两个路由器下的子网通过路由方式直接互访呢?下面我们一起来看看在OVN中是如何配置的。

添加一个新的路由器和交换机

# Create router2 as a raw Logical_Router row and pin it to one chassis via
# options:chassis (the ovn-sbctl output below shows router2's ports bound on
# that chassis). The UUID printed on the next line is the new row's _uuid.
sudo ovn-nbctl create Logical_Router name=router2 options:chassis=6fa2da75-1393-4efe-984d-0c0310b95ad3
fecc0e10-0e9e-440e-aaac-5bb667bb2991

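# Create lswitch3; --may-exist turns a re-run into a no-op instead of an error.
sudo ovn-nbctl --may-exist ls-add lswitch3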

连接路由器与交换机

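# Router port on router2 with a fixed MAC; 10.2.0.1 is the gateway address of
# the 10.2.0.0/24 subnet (vm2's default route below points at it).
# --may-exist keeps the step idempotent.
sudo ovn-nbctl --may-exist lrp-add router2 lr2-ls3 52:54:00:c1:68:90 10.2.0.1/24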

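# Switch-side port of type router, carrying the same MAC as lr2-ls3 and linked
# to it via router-port. Chaining the four steps with -- runs them in one
# ovn-nbctl transaction, so the port is never left half-configured.
sudo ovn-nbctl --may-exist lsp-add lswitch3 ls3-lr2 \
  -- lsp-set-type ls3-lr2 router \
  -- lsp-set-addresses ls3-lr2 52:54:00:c1:68:90 \
  -- lsp-set-options ls3-lr2 router-port=lr2-ls3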

在节点上添加一个ovs internal port

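# Logical port for vm2. addresses and port-security carry the same MAC/IP pair,
# so OVN drops traffic from this port that uses any other source MAC or IP
# (anti-spoofing). Done as one transaction so the port never exists without
# its port-security setting.
sudo ovn-nbctl --may-exist lsp-add lswitch3 ls3-vm2 \
  -- lsp-set-addresses ls3-vm2 "02:ac:10:ff:01:37 10.2.0.70" \
  -- lsp-set-port-security ls3-vm2 "02:ac:10:ff:01:37 10.2.0.70"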

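# Host-side plumbing for vm2: an OVS internal port moved into its own netns,
# configured with the MAC/IP that ls3-vm2 expects, then bound to the logical
# port through external_ids:iface-id. The MAC and IP must match the
# lsp-set-port-security values above, otherwise OVN drops vm2's traffic.
sudo ip link set dev br-int up   # iproute2 form of the deprecated "ifconfig br-int up"
sudo ovs-vsctl add-port br-int vm2 -- set interface vm2 type=internal
sudo ip netns add vm2
sudo ip link set vm2 netns vm2
sudo ip netns exec vm2 ip link set lo up
sudo ip netns exec vm2 ip link set vm2 up
sudo ip netns exec vm2 ip link set vm2 address 02:ac:10:ff:01:37
sudo ip netns exec vm2 ip addr add 10.2.0.70/24 dev vm2
sudo ip netns exec vm2 ip route add default via 10.2.0.1 dev vm2
# Bind to the logical port last, after the interface is fully configured.
sudo ovs-vsctl set Interface vm2 external_ids:iface-id=ls3-vm2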

连接两个路由器

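# Peer ports: each router port names the other via peer=, which forms a
# point-to-point 172.16.0.0/24 transit link between router and router2.
# --may-exist keeps both steps idempotent.
sudo ovn-nbctl --may-exist lrp-add router lr-lr2 52:54:00:c1:69:50 172.16.0.1/24 peer=lr2-lr
sudo ovn-nbctl --may-exist lrp-add router2 lr2-lr 52:54:00:c1:70:51 172.16.0.2/24 peer=lr-lr2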

路由器添加路由

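# Static routes across the peer link. No ACL is added in this walkthrough, so
# once these routes exist every subnet behind one router is reachable from the
# other in both directions; if the two routers stand for separate tenants,
# cross-router traffic should additionally be restricted with ACLs.
sudo ovn-nbctl --may-exist lr-route-add router 10.2.0.0/24 172.16.0.2
sudo ovn-nbctl --may-exist lr-route-add router2 10.1.0.0/24 172.16.0.1
sudo ovn-nbctl --may-exist lr-route-add router2 10.0.0.0/24 172.16.0.1
# Return routes from router2 to the host-side networks (join subnet
# 100.64.0.0/16 and physical 192.168.0.0/24), via router.
sudo ovn-nbctl --may-exist lr-route-add router2 100.64.0.0/16 172.16.0.1
sudo ovn-nbctl --may-exist lr-route-add router2 192.168.0.0/24 172.16.0.1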

主机上添加路由

# Host route to router2's subnet: 10.2.0.0/24 is sent over ovn0 to router's
# join-subnet address 100.64.0.1, which forwards it across the peer link.
sudo ip -4 route add 10.2.0.0/24 dev ovn0 via 100.64.0.1

查看信息

路由端口

sukai@ovn-1:~$ sudo ovn-nbctl list logical_router_port
_uuid               : 2be179b0-ab04-46cf-a558-3bb0a596bfe6
enabled             : []
external_ids        : {}
gateway_chassis     : []
ha_chassis_group    : []
ipv6_ra_configs     : {}
mac                 : "52:54:00:c1:68:60"
name                : lr-ls2
networks            : ["10.1.0.1/24"]
options             : {}
peer                : []

_uuid               : ca250350-bec2-43e5-a684-2d0dd62267ff
enabled             : []
external_ids        : {}
gateway_chassis     : []
ha_chassis_group    : []
ipv6_ra_configs     : {}
mac                 : "00:00:00:E2:21:46"
name                : ovn-cluster-join
networks            : ["100.64.0.1/16"]
options             : {}
peer                : []

_uuid               : 13eff9c5-afaa-4b43-a548-03d049150c02
enabled             : []
external_ids        : {}
gateway_chassis     : []
ha_chassis_group    : []
ipv6_ra_configs     : {}
mac                 : "52:54:00:c1:70:51"
name                : lr2-lr
networks            : ["172.16.0.2/24"]
options             : {}
peer                : lr-lr2

_uuid               : fecd3729-2a10-4b63-87b8-2c55cfa33765
enabled             : []
external_ids        : {}
gateway_chassis     : []
ha_chassis_group    : []
ipv6_ra_configs     : {}
mac                 : "52:54:00:c1:68:50"
name                : lr-ls1
networks            : ["10.0.0.1/24"]
options             : {}
peer                : []

_uuid               : 30e5b4d2-3ca9-422d-bf56-195732e582a9
enabled             : []
external_ids        : {}
gateway_chassis     : []
ha_chassis_group    : []
ipv6_ra_configs     : {}
mac                 : "52:54:00:c1:68:90"
name                : lr2-ls3
networks            : ["10.2.0.1/24"]
options             : {}
peer                : []

_uuid               : 6e929483-0a94-435e-8487-23e83a2cfa94
enabled             : []
external_ids        : {}
gateway_chassis     : []
ha_chassis_group    : []
ipv6_ra_configs     : {}
mac                 : "52:54:00:c1:69:50"
name                : lr-lr2
networks            : ["172.16.0.1/24"]
options             : {}
peer                : lr2-lr

ovn信息

sukai@ovn-1:~$ sudo ovn-nbctl show
switch d85756bc-e7d3-42fb-ace1-15168e017736 (lswitch2)
    port ls2-ctn2
        addresses: ["02:ac:10:ff:01:34 10.1.0.40"]
    port ls2-lr1
        type: router
        addresses: ["52:54:00:c1:68:60"]
        router-port: lr-ls2
switch 75a787a4-9e55-4542-acaa-e969bebfaf16 (lswitch1)
    port ls1-vm1
        addresses: ["02:ac:10:ff:01:30 10.0.0.10"]
    port ls1-ctn1
        addresses: ["02:ac:10:ff:01:33 10.0.0.30"]
    port ls1-lr1
        type: router
        addresses: ["52:54:00:c1:68:50"]
        router-port: lr-ls1
switch 734d1afd-c8eb-4e25-8ca1-59908ddd9392 (lswitch3)
    port ls3-vm2
        addresses: ["02:ac:10:ff:01:37 10.2.0.70"]
    port ls3-lr2
        type: router
        addresses: ["52:54:00:c1:68:90"]
        router-port: lr2-ls3
switch 5e9e0b6d-332a-412e-b268-dd5dd7623975 (join)
    port node-ovn-2
        addresses: ["00:00:00:B0:35:E3 100.64.0.3"]
    port node-ovn-1
        addresses: ["00:00:00:B0:35:E2 100.64.0.2"]
    port join-ovn-cluster
        type: router
        addresses: ["00:00:00:E2:21:46"]
        router-port: ovn-cluster-join
router fecc0e10-0e9e-440e-aaac-5bb667bb2991 (router2)
    port lr2-lr
        mac: "52:54:00:c1:70:51"
        networks: ["172.16.0.2/24"]
    port lr2-ls3
        mac: "52:54:00:c1:68:90"
        networks: ["10.2.0.1/24"]
router 3bccdebe-38de-450c-8e02-208eaff33398 (router)
    port lr-ls2
        mac: "52:54:00:c1:68:60"
        networks: ["10.1.0.1/24"]
    port lr-lr2
        mac: "52:54:00:c1:69:50"
        networks: ["172.16.0.1/24"]
    port ovn-cluster-join
        mac: "00:00:00:E2:21:46"
        networks: ["100.64.0.1/16"]
    port lr-ls1
        mac: "52:54:00:c1:68:50"
        networks: ["10.0.0.1/24"]
sukai@ovn-1:~$ sudo ovn-sbctl show
Chassis "28a87e04-b738-4db0-a767-380091e1a752"
    hostname: ovn-2
    Encap geneve
        ip: "192.168.0.114"
        options: {csum="true"}
    Port_Binding node-ovn-2
    Port_Binding ls3-vm2
Chassis "6fa2da75-1393-4efe-984d-0c0310b95ad3"
    hostname: ovn-1
    Encap geneve
        ip: "192.168.0.115"
        options: {csum="true"}
    Port_Binding lr-lr2
    Port_Binding node-ovn-1
    Port_Binding lr2-lr
    Port_Binding lr2-ls3
    Port_Binding join-ovn-cluster
    Port_Binding lr-ls1
    Port_Binding ls1-lr1
    Port_Binding ovn-cluster-join
    Port_Binding ls1-vm1
    Port_Binding ls3-lr2
    Port_Binding ls1-ctn1
    Port_Binding lr-ls2
    Port_Binding ls2-lr1
sukai@ovn-1:~$

路由信息

sukai@ovn-1:~$ sudo ovn-nbctl lr-route-list router
IPv4 Routes
              10.2.0.0/24                172.16.0.2 dst-ip
                0.0.0.0/0                100.64.0.1 dst-ip
sukai@ovn-1:~$ sudo ovn-nbctl lr-route-list router2
IPv4 Routes
              10.0.0.0/24                172.16.0.1 dst-ip
              10.1.0.0/24                172.16.0.1 dst-ip
           192.168.0.0/24                172.16.0.1 dst-ip
            100.64.0.0/16                172.16.0.1 dst-ip
sukai@ovn-1:~$ sudo ovn-nbctl lr-policy-list router
Routing Policies
     31000                             ip4.dst == 10.0.0.0/24           allow
     31000                             ip4.dst == 10.1.0.0/24           allow
     30000                           ip4.dst == 192.168.0.114         reroute                100.64.0.3
     30000                           ip4.dst == 192.168.0.115         reroute                100.64.0.2
sukai@ovn-1:~$ sudo ovn-nbctl lr-policy-list router2
sukai@ovn-1:~$
sukai@ovn-1:~$ sudo ip route
default via 192.168.0.1 dev ens33 proto dhcp src 192.168.0.115 metric 100
10.0.0.0/24 via 100.64.0.1 dev ovn0
10.1.0.0/24 via 100.64.0.1 dev ovn0
10.2.0.0/24 via 100.64.0.1 dev ovn0
100.64.0.0/16 dev ovn0 proto kernel scope link src 100.64.0.2
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.0.0/24 dev ens33 proto kernel scope link src 192.168.0.115
192.168.0.1 dev ens33 proto dhcp scope link src 192.168.0.115 metric 100
192.168.100.0/24 dev ens34 proto kernel scope link src 192.168.100.10
sukai@ovn-1:~$

ovs端口信息

sukai@ovn-1:~$ sudo ovs-vsctl show
93fd4842-e0e9-4413-a99a-2c11e4180a0a
    Bridge br-int
        fail_mode: secure
        Port ctn1
            Interface ctn1
                type: internal
        Port vm1
            Interface vm1
                type: internal
        Port br-int
            Interface br-int
                type: internal
        Port ovn0
            Interface ovn0
                type: internal
        Port ovn-28a87e-0
            Interface ovn-28a87e-0
                type: geneve
                options: {csum="true", key=flow, remote_ip="192.168.0.114"}
    ovs_version: "2.13.5"
sukai@ovn-1:~$

sukai@ovn-2:~$ sudo ovs-vsctl show
1ab53615-2604-4edf-ac6a-7a244803a25e
    Bridge br-int
        fail_mode: secure
        Port vm2
            Interface vm2
                type: internal
        Port ovn0
            Interface ovn0
                type: internal
        Port br-int
            Interface br-int
                type: internal
        Port ovn-6fa2da-0
            Interface ovn-6fa2da-0
                type: geneve
                options: {csum="true", key=flow, remote_ip="192.168.0.115"}
    ovs_version: "2.13.5"
sukai@ovn-2:~$

测试网络

sukai@ovn-1:~$ sudo ip netns exec vm1 /bin/bash
root@ovn-1:/home/sukai# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
7: vm1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 02:ac:10:ff:01:30 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.10/24 brd 10.0.0.255 scope global dynamic vm1
       valid_lft 2767sec preferred_lft 2767sec
    inet6 fe80::ac:10ff:feff:130/64 scope link
       valid_lft forever preferred_lft forever
root@ovn-1:/home/sukai# ip route
default via 10.0.0.1 dev vm1
10.0.0.0/24 dev vm1 proto kernel scope link src 10.0.0.10
root@ovn-1:/home/sukai# ping -c 1 10.2.0.70
PING 10.2.0.70 (10.2.0.70) 56(84) bytes of data.
64 bytes from 10.2.0.70: icmp_seq=1 ttl=62 time=3.55 ms

--- 10.2.0.70 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.547/3.547/3.547/0.000 ms
root@ovn-1:/home/sukai# ping -c 1 192.168.0.114
PING 192.168.0.114 (192.168.0.114) 56(84) bytes of data.
64 bytes from 192.168.0.114: icmp_seq=1 ttl=63 time=2.60 ms

--- 192.168.0.114 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.600/2.600/2.600/0.000 ms
root@ovn-1:/home/sukai# ping -c 1 192.168.0.115
PING 192.168.0.115 (192.168.0.115) 56(84) bytes of data.
64 bytes from 192.168.0.115: icmp_seq=1 ttl=63 time=2.53 ms

--- 192.168.0.115 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.525/2.525/2.525/0.000 ms
root@ovn-1:/home/sukai# ping -c 1 100.64.0.3
PING 100.64.0.3 (100.64.0.3) 56(84) bytes of data.
64 bytes from 100.64.0.3: icmp_seq=1 ttl=63 time=2.76 ms

--- 100.64.0.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.758/2.758/2.758/0.000 ms
root@ovn-1:/home/sukai# ping -c 1 100.64.0.2
PING 100.64.0.2 (100.64.0.2) 56(84) bytes of data.
64 bytes from 100.64.0.2: icmp_seq=1 ttl=63 time=0.897 ms

--- 100.64.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.897/0.897/0.897/0.000 ms
root@ovn-1:/home/sukai# ping -c 1 100.64.0.1
PING 100.64.0.1 (100.64.0.1) 56(84) bytes of data.
64 bytes from 100.64.0.1: icmp_seq=1 ttl=254 time=0.720 ms

--- 100.64.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.720/0.720/0.720/0.000 ms
root@ovn-1:/home/sukai#

主机ping不同路由下的IP

sukai@ovn-1:~$ ping -I 192.168.0.115 -c 1 10.2.0.70
PING 10.2.0.70 (10.2.0.70) from 192.168.0.115 : 56(84) bytes of data.
64 bytes from 10.2.0.70: icmp_seq=1 ttl=62 time=4.96 ms

--- 10.2.0.70 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.964/4.964/4.964/0.000 ms
sukai@ovn-1:~$

sukai@ovn-1:~$ ping -I 192.168.0.115 -c 1 10.0.0.10
PING 10.0.0.10 (10.0.0.10) from 192.168.0.115 : 56(84) bytes of data.
64 bytes from 10.0.0.10: icmp_seq=1 ttl=63 time=1.31 ms

--- 10.0.0.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.305/1.305/1.305/0.000 ms
sukai@ovn-1:~$

sukai@ovn-2:~$ ping -I 192.168.0.114 -c 1 10.0.0.10
PING 10.0.0.10 (10.0.0.10) from 192.168.0.114 : 56(84) bytes of data.
64 bytes from 10.0.0.10: icmp_seq=1 ttl=63 time=3.61 ms

--- 10.0.0.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.609/3.609/3.609/0.000 ms
sukai@ovn-2:~$ ping -I 192.168.0.114 -c 1 10.2.0.70
PING 10.2.0.70 (10.2.0.70) from 192.168.0.114 : 56(84) bytes of data.
64 bytes from 10.2.0.70: icmp_seq=1 ttl=62 time=4.18 ms

--- 10.2.0.70 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.175/4.175/4.175/0.000 ms
sukai@ovn-2:~$

不同网络命名空间下ping

sukai@ovn-2:~$ sudo ip netns exec vm2 /bin/bash
root@ovn-2:/home/sukai#
root@ovn-2:/home/sukai# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
11: vm2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 02:ac:10:ff:01:37 brd ff:ff:ff:ff:ff:ff
    inet 10.2.0.70/24 scope global vm2
       valid_lft forever preferred_lft forever
    inet6 fe80::84ad:f6ff:fe4d:aed8/64 scope link
       valid_lft forever preferred_lft forever
root@ovn-2:/home/sukai# ip r
default via 10.2.0.1 dev vm2
10.2.0.0/24 dev vm2 proto kernel scope link src 10.2.0.70
root@ovn-2:/home/sukai# ping -c 1 10.0.0.10
PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
64 bytes from 10.0.0.10: icmp_seq=1 ttl=62 time=15.8 ms

--- 10.0.0.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 15.795/15.795/15.795/0.000 ms
root@ovn-2:/home/sukai# ping -c 1 192.168.0.115
PING 192.168.0.115 (192.168.0.115) 56(84) bytes of data.
64 bytes from 192.168.0.115: icmp_seq=1 ttl=62 time=27.6 ms

--- 192.168.0.115 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 27.586/27.586/27.586/0.000 ms
root@ovn-2:/home/sukai# ping -c 1 192.168.0.114
PING 192.168.0.114 (192.168.0.114) 56(84) bytes of data.
64 bytes from 192.168.0.114: icmp_seq=1 ttl=62 time=4.47 ms

--- 192.168.0.114 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.474/4.474/4.474/0.000 ms
root@ovn-2:/home/sukai# ping -c 1 100.64.0.2
PING 100.64.0.2 (100.64.0.2) 56(84) bytes of data.
64 bytes from 100.64.0.2: icmp_seq=1 ttl=62 time=2.44 ms

--- 100.64.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.439/2.439/2.439/0.000 ms
root@ovn-2:/home/sukai# ping -c 1 100.64.0.3
PING 100.64.0.3 (100.64.0.3) 56(84) bytes of data.
64 bytes from 100.64.0.3: icmp_seq=1 ttl=62 time=4.16 ms

--- 100.64.0.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.160/4.160/4.160/0.000 ms
root@ovn-2:/home/sukai#