文稿成果open相關(guān)openvswtich

OpenvswitchPopsuperSoftwareDefinedNetworkCPUPoolStoragePoolVirtualInfrastructureOpenFlowSwitchComponentsOpenFlowChannel負(fù)責(zé)同Controller的交互FlowTable包含許多entry，每個(gè)entry是對(duì)packet進(jìn)行處理的規(guī)則GroupTable：處理更復(fù)雜的轉(zhuǎn)發(fā)規(guī)則包含一系列GroupEntry每個(gè)Entry包含一系列操作集合(actionbuckets)每個(gè)操作集合包含一系列action，以及參數(shù)Matchpackets:ingressportHeadersmetadataFlowentriesmatchpacketsinpriorityorder對(duì)packet處理:轉(zhuǎn)發(fā)修改交給GroupTable交給下個(gè)TableOpenFlowPacketProcessingOpenFlowPacketProcessingActions:Output:轉(zhuǎn)發(fā)Set-Queue:QoSDropGroupPush/PoptagsOpenFlowPacketProcessingActions:Output:轉(zhuǎn)發(fā)Set-Queue:QoSDropGroupPush/PoptagsOpenvswitch簡(jiǎn)介Openvswitch是一個(gè)virutalswtich，支持OpenFlow協(xié)議，當(dāng)然也有一些硬件Switch也支持OpenFlow協(xié)議，他們都可以被統(tǒng)一的Controller管理，從而實(shí)現(xiàn)物理機(jī)和虛擬機(jī)的網(wǎng)絡(luò)聯(lián)通。Openvswitch簡(jiǎn)介MatchField涵蓋TCP/IP協(xié)議各層：Layer1–TunnelID,InPort,QoSpriority,skbmarkLayer2–MACaddress,VLANID,EthernettypeLayer3–IPv4/IPv6fields,ARPLayer4–TCP/UDP,ICMP,NDAction也主要包含下面的操作：Outputtoport(portrange,flood,mirror)Discard,ResubmittotablexPacketMangling(Push/PopVLANheader,TOS,...)Sendtocontroller,LearnOpenvswitch簡(jiǎn)介可以設(shè)置Tunnel可以支持下列的框架來(lái)監(jiān)控流量。sFlowNetFlowPortMirroringSPANRSPANERSPAN支持QoSUsesexistingTrafficControlLayerPolicer(Ingressratelimiter)HTB,HFSC(Egresstrafficclasses)Controller(OpenFlow)canselectTrafficClassOpenvswitch架構(gòu)Openvswitch架構(gòu)實(shí)驗(yàn)一：查看Openvswitch的架構(gòu)root@popsuper1982:~#psaux|grepopenvswitchroot9850.00.0211722120?S<Aug061:20ovsdb-server/etc/openvswitch/conf.db-vconsole:emer-vsyslog:err-vfile:info--remote=punix:/var/run/openvswitch/db.sock--private-key=db:Open_vSwitch,SSL,private_key--certificate=db:Open_vSwitch,SSL,certificate--bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert--no-chdir--log-file=/var/log/openvswitch/ovsdb-server.log--pidfile=/var/run/openvswitch/ovsdb-server.pid--detach--monitorroot10080.10.824294831712?S<LlAug0632:17ovs-vswitchdunix:/var/run/openvswitch/db.sock-vconsole:emer-vsyslog:err-vfile:info--mlockall--no-chdir--log-file=/var/log/openvswitch/ovs-vswitchd.log--pidfile=/var/run/openvswitch/ovs-vswitchd.pid--detach--monitorroot@popsuper1982:~#lsmod|grepopenvswitchopenvswitch669010gre138081openvswitchvxlan376191openvswitchlibcrc32c126442btrfs,openvswitch實(shí)驗(yàn)一：查看Openvswitch的架構(gòu)實(shí)驗(yàn)一：查看Openvswitch的架構(gòu)實(shí)驗(yàn)一：查看Openvswitch的架構(gòu)straceovs-vsctlshow//建立unixsocket，和ovs-dbserver進(jìn)行通信socket(PF_LOCAL,SOCK_STREAM,0)=3fcntl(3,F_GETFL)=0x2(flagsO_RDWR)fcntl(3,F_SETFL,O_RDWR|O_NONBLOCK)=0connect(3,{sa_family=AF_LOCAL,sun_path="/var/run/openvswitch/db.sock"},31)=0//寫入命令write(3,"{\"method\":\"monitor\",\"id\":0,\"para"...,409)=409//讀取結(jié)果read(3,"{\"id\":0,\"result\":{\"Port\":{\"8afee"...,512)=512read(3,"7a8\"],[\"uuid\",\"8afee51e-6e71-4d4"...,512)=501read(3,0x24b4d05,11)=-1EAGAIN(Resourcetemporarilyunavailable)向終端輸出結(jié)果write(1,"c1fe4192-ae6a-457f-a2e1-dfc67284"...,37c1fe4192-ae6a-457f-a2e1-dfc6728470eb)=37write(1,"Bridgeubuntu_br\n",21Bridgeubuntu_br)=21write(1,"Portubuntu_br\n",23Portubuntu_br)=23write(1,"Interfaceubuntu_br\n",32Interfaceubuntu_br)=32write(1,"type:internal\n",31type:internal)=31write(1,"Port\"vnet0\"\n",21Port"vnet0")=21write(1,"Interface\"vnet0\"\n",30Interface"vnet0")=30write(1,"ovs_version:\"2.0.1\"\n",25ovs_version:"2.0.1")=25實(shí)驗(yàn)一：查看Openvswitch的架構(gòu)straceovs-dpctlshow實(shí)驗(yàn)一：查看Openvswitch的架構(gòu)#straceovs-ofctlshowubuntu_brsocket(PF_LOCAL,SOCK_STREAM,0)=3connect(3,{sa_family=AF_LOCAL,sun_path="/var/run/openvswitch/ubuntu_br"},33)=-1ENOENT(Nosuchfileordirectory)close(3)=0socket(PF_LOCAL,SOCK_STREAM,0)=3connect(3,{sa_family=AF_LOCAL,sun_path="/var/run/openvswitch/ubuntu_br.mgmt"},38)=0Openvswitch數(shù)據(jù)庫(kù)表結(jié)構(gòu)實(shí)驗(yàn)二：打印數(shù)據(jù)庫(kù)表結(jié)構(gòu)cat/etc/openvswitch/conf.db，我們會(huì)發(fā)現(xiàn)它是json格式的數(shù)據(jù)庫(kù)可以通過(guò)ovsdb-clientdump將數(shù)據(jù)庫(kù)內(nèi)容打印出來(lái)Openvswitch:Open_vSwitch表數(shù)據(jù)庫(kù)的根全局的配置項(xiàng)other_config:stats-update-interval：將統(tǒng)計(jì)信息寫入數(shù)據(jù)庫(kù)的間隔時(shí)間other_config:flow-limit：在flowtable中flowentry的數(shù)量other_config:n-handler-threads：用于處理新flow的線程數(shù)other_config:n-revalidator-threads：用于驗(yàn)證flow的線程數(shù).other_config:enable-statistics是否統(tǒng)計(jì)statistics:cpu統(tǒng)計(jì)cpu數(shù)量，線程statistics:load_averagesystemloadstatistics:memory總RAM，swapstatistics:process_NAME：withNAMEreplacedbyaprocessname，統(tǒng)計(jì)memorysize,cputime等statistics:file_systems：mountpoint,size,used指向其他表bridge表SSL表Manager表Openvswitch:ManagerManager表配置的是ovsdb-server的ovsdb-server使用manager_options中的配置來(lái)監(jiān)聽端口，等待client來(lái)連接。punix:file:監(jiān)聽unixsocketptcp:port[:ip]:監(jiān)聽TCP連接pssl:port[:ip]:監(jiān)聽SSL連接實(shí)驗(yàn)三：設(shè)置Manager的TCP連接ovs-vsctlset-managerptcp:8881在另外一臺(tái)機(jī)器上Openvswitch:SSLSSL的配置主要包含幾個(gè)部分：PrivateKey:私鑰Certificate:證書CACertificate:CA的證書privatekey和publickey對(duì)，其中publickey放在certificate中，并且需要CA使用自己的privatekey進(jìn)行簽名，CA來(lái)?yè)?dān)保這個(gè)certificate是合法的，為了驗(yàn)證這個(gè)CA簽名，當(dāng)然需要CA的publickey，而CA的publickey是放在cacert里面的，當(dāng)然也需要被簽名，被更高級(jí)的CA擔(dān)保，或者自己擔(dān)保自己。bootstrap_ca_cert是一個(gè)boolean，如果是true，則每次啟動(dòng)的時(shí)候，都會(huì)向controller去拿最新的cacert。默認(rèn)表是空的實(shí)驗(yàn)四：設(shè)置SSL連接生成privatekey,certificate,CAkey,CAcertificate生成一個(gè)CA的privatekeyCA有一個(gè)certificate，里面放著CA的publickey，要生成這個(gè)certificate，則需要寫一個(gè)certificaterequestopensslgenrsa-outcaprivate.key1024opensslreq-keycaprivate.key-new-outcacertificate.req3.由于這里的CA是rootCA，沒有更高級(jí)的CA了，所以要進(jìn)行自簽發(fā)，用自己的privatekey對(duì)自己的certificate請(qǐng)求進(jìn)行簽發(fā)4.普通的機(jī)構(gòu)需要有自己的privatekey5.也需要一個(gè)證書，里面放自己的publickey，需要一個(gè)證書請(qǐng)求實(shí)驗(yàn)四：設(shè)置SSL連接opensslx509-req-incacertificate.req-signkeycaprivate.key-outcacertificate.pemopensslgenrsa-outcliu8private.key1024opensslreq-keycliu8private.key-new-outcliu8certificate.req實(shí)驗(yàn)四：設(shè)置SSL連接6.要使得這個(gè)證書被認(rèn)可，則需要一個(gè)CA對(duì)這個(gè)證書進(jìn)行簽名，我們用上面的CA的privatekey對(duì)他進(jìn)行簽名opensslx509-req-incliu8certificate.req-CAcacertificate.pem-CAkeycaprivate.key-outcliu8certificate.pem-CAcreateserial實(shí)驗(yàn)四：設(shè)置SSL連接設(shè)置manager在另一臺(tái)機(jī)器上ovs-vsctldel-managerovs-vsctlset-managerpssl:8881ovs-vsctlset-ssl/root/keys/openvswitch/cliu8private.key/root/keys/openvswitch/cliu8certificate.pem/root/keys/openvswitch/cacertificate.pemOpenvswitch:ControllerOpenvswitch:ControllerOpenFlow配置項(xiàng)：從架構(gòu)圖中我們可以看出，openvwitch的一個(gè)bridge可以通過(guò)openflow協(xié)議，被一個(gè)統(tǒng)一的controller管理的Controllerflow_tablesfail_mode:一旦一個(gè)bridge連到一個(gè)openflowcontroller，則flowtable就由controller統(tǒng)一管理，如果連接斷了secure：這個(gè)bridge會(huì)試圖一直連接controller，并不自己建立flowtablestandalone：一旦bridge三次連不上controller，就自己建立和管理flowtabledatapath_id：Openvswitch:ControllerOpenFlowController多種多樣

Beacon

isaJava-basedcontrollerthatsupportsbothevent-basedandthreadedoperation.BeaconwasdevelopedatStanford.Floodlight

isaJava-basedcontrollerthatwasforkedfromtheBeaconcontroller,andnowissupportedbyacommunityofdevelopers.FloodlightisreleasedundertheApacheLicense.Maestro

isamulti-threadedJava-basedplatformthatallowsdeveloperstoimplementnewOpenFlowcontrollers.MaestrowasdevelopedatRiceUniversity.NodeFlow

isan

OpenFlow

controllerwritteninpureJavaScriptforNode.JS.Node.JSprovidesanasynchronouslibraryoverJavaScriptforserversideprogrammingwhichisperfectforwritingnetworkbasedapplications.NOX

isaC++basedplatformthatgivestheabilitytodeveloperstoimplementnewcontrollersbywritingNOXmodulesineitherC++.POX

isaPythonbasedplatformthatgivestheabilitytodeveloperstoimplementnewcontrollersbywritingNOXmodulesineitherPython.PoxwaspartofwhatisnowcalledNoxclassic,butitwasseparatedintoadifferentcontrollerplatformthatonlysupportsPython.Trema

isaCbasedplatformthatallowsdeveloperstowritenewcontrollersbywritingTremamodulesineitherCorRuby.TremawasdevelopedbyNEC.Openvswitch:Controller使用Floodlight實(shí)驗(yàn)五：配置使用OpenFlowController創(chuàng)建三個(gè)虛擬機(jī)實(shí)驗(yàn)五：配置使用OpenFlowController安裝floodlight

gitclonegit:///floodlight/floodlight.gitcdfloodlight/antnohupjava-jartarget/floodlight.jar>floodlight.log2>&1&設(shè)置Controllerovs-vsctlset-controllerubuntu_brtcp::6633實(shí)驗(yàn)五：配置使用OpenFlowController訪問floodlight的界面

Floodlight的RestAPI+API默認(rèn)情況下，三臺(tái)機(jī)器可以相互ping的通Instance01Instance02Instance03ubuntu_br實(shí)驗(yàn)五：配置使用OpenFlowController調(diào)用RestAPI設(shè)定規(guī)則，只允許Instance01和Instance03之間相互通信curl-d'{"switch":"00:00:2a:96:0e:c7:85:49","name":"static-flow1","cookie":"0","priority":"32768","src-mac":"52:54:00:9b:d5:11","active":"true","actions":"output=12"}'curl-d'{"switch":"00:00:2a:96:0e:c7:85:49","name":"static-flow2","cookie":"0","priority":"32768","src-mac":"52:54:00:9b:d5:77","active":"true","actions":"output=10"}'實(shí)驗(yàn)五：配置使用OpenFlowController用RESTAPI清除所有規(guī)則將正確的mac導(dǎo)向正確的portcurlcurl-d'{"switch":"00:00:2a:96:0e:c7:85:49","name":"static-flow1","cookie":"0","priority":"32768","dst-mac":"52:54:00:9b:d5:11","active":"true","actions":"output=10"}'curl-d'{"switch":"00:00:2a:96:0e:c7:85:49","name":"static-flow2","cookie":"0","priority":"32768","dst-mac":"52:54:00:9b:d5:33","active":"true","actions":"output=11"}'curl-d'{"switch":"00:00:2a:96:0e:c7:85:49","name":"static-flow3","cookie":"0","priority":"32768","dst-mac":"52:54:00:9b:d5:77","active":"true","actions":"output=12"}'實(shí)驗(yàn)五：配置使用OpenFlowController從Instance01來(lái)pingInstance03，用tcpdump監(jiān)聽I(yíng)nstance02和Instance03，在這個(gè)過(guò)程中，用RESTAPI將Instance03的包轉(zhuǎn)發(fā)給Instance02curl-d'{"switch":"00:00:2a:96:0e:c7:85:49","name":"static-flow3","cookie":"0","priority":"32768","dst-mac":"52:54:00:9b:d5:77","active":"true","actions":"output=11"}'Openvswitch:sFlow,NetFlow/IPFIX采樣流sFlow（SampledFlow）是一種基于報(bào)文采樣的網(wǎng)絡(luò)流量監(jiān)控技術(shù)，主要用于對(duì)網(wǎng)絡(luò)流量進(jìn)行統(tǒng)計(jì)分析。Flow采樣是sFlowAgent設(shè)備在指定端口上按照特定的采樣方向和采樣比對(duì)報(bào)文進(jìn)行采樣分析,該采樣方式主要是關(guān)注流量的細(xì)節(jié)，這樣就可以監(jiān)控和分析網(wǎng)絡(luò)上的流行為。Counter采樣是sFlowAgent設(shè)備周期性的獲取接口上的流量統(tǒng)計(jì)信息,只關(guān)注接口上流量的量，而不關(guān)注流量的詳細(xì)信息。Openvswitch:sFlow,NetFlow/IPFIXCiscoNetFlowand

IPFIX

(theIETFstandardbasedonNetFlow)

也是一個(gè)協(xié)議，將流量記錄發(fā)送給服務(wù)器Openvswitch:sFlow,NetFlow/IPFIXsFlowNetFlow/IPFIXInMonsFlowTrendSolarWindsReal-TimeNetFlowAnalyzer流量統(tǒng)計(jì)包括L2僅僅包含L3NoCache,real-timeWithflowcachemonitoralltypesoftraffic:ARP,IPv6,

DHCP/BOOTP,STP,

LLDPIPv4traffic服務(wù)器負(fù)責(zé)解析包Switch負(fù)責(zé)解析包ovs-vsctl----id=@sflowcreatesflowagent=eth0

target=\"1:6343\"header=128sampling=512polling=10--setbridgeubuntu_brsflow=@sflowovs-vsctllistsflowovs-vsctl--clearBridgeubuntu_brsflowovs-vsctl----id=@nfcreateNetFlowtargets=\"1:2055\"active-timeout=60--setBridgeubuntu_brnetflow=@nfovs-vsctllistNetFlowovs-vsctl--clearBridgeubuntu_brNetFlow實(shí)驗(yàn)六:使用sFlow和NetFlowOpenvswitch:MirrorMirror就是配置一個(gè)bridge，將某些包發(fā)給指定的mirroredports對(duì)于包的選擇：select_all，所有的包select_dst_portselect_src_portselect_vlan對(duì)于指定的目的：output_port(SPAN

SwitchedPortANalyzer)output_vlan(RSPANRemoteSwitchedPortANalyzer)Openvswitch:MirrorSPANSource(SPAN)port

-AportthatismonitoredwithuseoftheSPANfeature.Destination(SPAN)port

-Aportthatmonitorssourceports,usuallywhereanetworkanalyzerisconnected.Openvswitch:MirrorRSPAN被監(jiān)控的流量不是發(fā)送到一個(gè)指定的端口，而是Flood給指定的VLAN

監(jiān)聽的端口不一定要在本地switch上，可以在指定的VLAN的任意switch上S1isasourceswitchS2andS3areintermediateswitchesS4andS5aredestinationswitches.

learningisdisabledtoenableflooding實(shí)驗(yàn)七:測(cè)試Mirror的SPAN和RSPANubuntu_brInstance01first_brfirst_ifsecond_brsecond_ifvnet0vnet1vnet2Instance02Instance030102helloworldthird_ifthird_br00實(shí)驗(yàn)七:測(cè)試Mirror的SPAN和RSPAN創(chuàng)建拓?fù)浣Y(jié)構(gòu)ovs-vsctladd-brhelloworldiplinkaddfirst_brtypevethpeernamefirst_ifiplinkaddsecond_brtypevethpeernamesecond_ifiplinkaddthird_brtypevethpeernamethird_ifovs-vsctladd-portubuntu_brfirst_brovs-vsctladd-portubuntu_brsecond_br--setPortsecond_brtag=110ovs-vsctladd-porthelloworldsecond_if--setPortsecond_iftag=110ovs-vsctladd-porthelloworldthird_br--setPortthird_brtag=110實(shí)驗(yàn)七:測(cè)試Mirror的SPAN和RSPAN在first_br上面mirror所有進(jìn)出vnet0的包監(jiān)聽first_if，并且從instance01里面ping02ovs-vsctl--setbridgeubuntu_brmirrors=@m----id=@vnet0getPortvnet0----id=@first_brgetPortfirst_br----id=@mcreateMirrorname=mirrorvnet0select-dst-port=@vnet0select-src-port=@vnet0output-port=@first_br實(shí)驗(yàn)七:測(cè)試Mirror的SPAN和RSPAN對(duì)進(jìn)入vnet1的所有進(jìn)出包，然而ouput到一個(gè)vlan110在helloworld中也要配置從110來(lái)的，都o(jì)utput到vlan110Disablemacaddresslearningforvlan110ovs-vsctl--setbridgeubuntu_brmirrors=@m----id=@vnet1getPortvnet1----id=@mcreateMirrorname=mirrorvnet1select-dst-port=@vnet1select-src-port=@vnet1output-vlan=110ovs-vsctl--setbridgehelloworldmirrors=@m----id=@mcreateMirrorname=mirrorvlanselect-vlan=110output-vlan=110ovs-vsctlsetbridgeubuntu_brflood-vlans=110ovs-vsctlsetbridgehelloworldflood-vlans=110實(shí)驗(yàn)七:測(cè)試Mirror的SPAN和RSPAN監(jiān)聽third_if，并且從instance02里面ping02實(shí)驗(yàn)七:測(cè)試Mirror的SPAN和RSPAN刪除Mirror查看ubuntu_brovs-vsctllistbridgeubuntu_br清除里面的mirrorsovs-vsctlclearBridgeubuntu_brmirrors清除flood_vlansovs-vsctlclearBridgeubuntu_brflood_vlans查看所有的Mirrorovs-vsctllistMirrorovs-vsctlclearBridgehelloworldmirrorsovs-vsctlclearBridgehelloworldflood_vlansOpenvswitch:Port一般來(lái)說(shuō)一個(gè)Port就是一個(gè)Interface，當(dāng)然也有一個(gè)Port對(duì)應(yīng)多個(gè)Interface的情況，成為BondOpenvswitch:PortPort的一個(gè)重要的方面就是VLANConfiguration，有兩種模式：trunkport這個(gè)port不配置tag，配置trunks如果trunks為空，則所有的VLAN都trunk，也就意味著對(duì)于所有的VLAN的包，本身帶什么VLANID，就是攜帶者什么VLANID，如果沒有設(shè)置VLAN，就屬于VLAN0，全部允許通過(guò)。如果trunks不為空，則僅僅帶著這些VLANID的包通過(guò)。accessport這個(gè)port配置tag，從這個(gè)port進(jìn)來(lái)的包會(huì)被打上這個(gè)tag如果從其他的trunkport中進(jìn)來(lái)的本身就帶有VLANID的包，如果VLANID等于tag，則會(huì)從這個(gè)port發(fā)出從其他的accessport上來(lái)的包，如果tag相同，也會(huì)被forward到這個(gè)port從accessport發(fā)出的包不帶VLANID如果一個(gè)本身帶VLANID的包到達(dá)accessport，即便VLANID等于tag，也會(huì)被拋棄。實(shí)驗(yàn)八:測(cè)試Port的VLAN功能ubuntu_brInstance01Instance02Instance03first_br(tag=103)first_ifsecond_br(trunk)second_if000102third_br(trunks=101,102)third_ifvnet0(tag=101)vnet1(tag=102)vnet2(tag=103)030405實(shí)驗(yàn)八:測(cè)試Port的VLAN功能創(chuàng)建拓?fù)浣Y(jié)構(gòu)ovs-vsctladd-portubuntu_brfirst_brovs-vsctladd-portubuntu_brsecond_brovs-vsctladd-portubuntu_brthird_brovs-vsctlsetPortvnet0tag=101ovs-vsctlsetPortvnet1tag=102ovs-vsctlsetPortvnet2tag=103ovs-vsctlsetPortfirst_brtag=103ovs-vsctlclearPortsecond_brtagovs-vsctlsetPortthird_brtrunks=101,102需要監(jiān)聽ARP，所以禁止MAC地址學(xué)習(xí)ovs-vsctlsetbridgeubuntu_brflood-vlans=101,102,103實(shí)驗(yàn)八:測(cè)試Port的VLAN功能從02來(lái)ping03，應(yīng)該first_if和second_if能夠收到包first_if收到包了，從first_br出來(lái)的包頭是沒有VLANID的second_if也收到包了，由于second_br是trunkport，因而出來(lái)的包頭是有VLANID的，103third_if收不到包實(shí)驗(yàn)八:測(cè)試Port的VLAN功能從00在ping05,則second_if和third_if可以收到包(當(dāng)然ping不通，因?yàn)閠hird_if不屬于某個(gè)VLAN)first_if收不到包second_if能夠收到包，而且包頭里面是VLANID=101third_if也能收到包，而且包頭里面是VLANID=101實(shí)驗(yàn)八:測(cè)試Port的VLAN功能從01來(lái)ping04,則second_if和third_if可以收到包first_if收不到包second_br能夠收到包，而且包頭里面是VLANID=102third_if也能收到包，而且包頭里面是VLANID=102實(shí)驗(yàn)八:測(cè)試Port的VLAN功能清理環(huán)境ovs-vsctlclearBridgeubuntu_brflood_vlansovs-vsctllistPortovs-vsctlclearPortvnet1tagovs-vsctlclearPortvnet0tagovs-vsctlclearPortfirst_brtagovs-vsctlclearPortthird_brtrunksOpenvwitch:Bond有關(guān)Interface，就不得不提BondBond將設(shè)備用多個(gè)連接在一起，形成一個(gè)虛擬的連接，從而實(shí)現(xiàn)高可用性以及高吞吐量很多別名：LACPTrunk,Bond,EtherchannelLACP(LinkAggregationControlProtocol)Openvwitch:Bondbond_modeactive-backup:一個(gè)連接是active，其他的backup，當(dāng)active失效的時(shí)候，backup頂上balance-slb:流量安裝源MAC和outputVLAN進(jìn)行負(fù)載均衡balance-tcp:必須在支持LACP協(xié)議的情況下才可以，可根據(jù)L2,L3,L4進(jìn)行負(fù)載均衡實(shí)驗(yàn)九:測(cè)試Bond功能helloworldInstance03Instance04Instance01first_brfirst_ifsecond_brsecond_if000203ubuntu_brInstance02vnet0vnet1vnet2vnet3bond0bond101ovs-vsctladd-bondubuntu_brbond0first_brsecond_brovs-vsctladd-bondhelloworldbond1first_ifsecond_ifovs-vsctlsetPortbond0lacp=activeovs-vsctlsetPortbond1lacp=active實(shí)驗(yàn)九:測(cè)試Bond功能查看Bond查看LACProot@popsuper1982:/home/openstack#ovs-appctllacp/show----bond0----status:activenegotiatedsys_id:2a:96:0e:c7:85:49sys_priority:65534aggregationkey:7lacp_time:slowslave:first_br:currentattachedport_id:7port_priority:65535may_enable:trueactorsys_id:2a:96:0e:c7:85:49actorsys_priority:65534actorport_id:7actorport_priority:65535actorkey:7actorstate:activityaggregationsynchronizedcollectingdistributingpartnersys_id:72:d2:d3:59:8c:41partnersys_priority:65534partnerport_id:3partnerport_priority:65535partnerkey:3partnerstate:activityaggregationsynchronizedcollectingdistributingslave:second_br:currentattachedport_id:8port_priority:65535may_enable:trueactorsys_id:2a:96:0e:c7:85:49actorsys_priority:65534actorport_id:8actorport_priority:65535actorkey:7actorstate:activityaggregationsynchronizedcollectingdistributingpartnersys_id:72:d2:d3:59:8c:41partnersys_priority:65534partnerport_id:4partnerport_priority:65535partnerkey:3partnerstate:activityaggregationsynchronizedcollectingdistributing----bond1----status:activenegotiatedsys_id:72:d2:d3:59:8c:41sys_priority:65534aggregationkey:3lacp_time:slowslave:first_if:currentattachedport_id:3port_priority:65535may_enable:trueactorsys_id:72:d2:d3:59:8c:41actorsys_priority:65534actorport_id:3actorport_priority:65535actorkey:3actorstate:activityaggregationsynchronizedcollectingdistributingpartnersys_id:2a:96:0e:c7:85:49partnersys_priority:65534partnerport_id:7partnerport_priority:65535partnerkey:7partnerstate:activityaggregationsynchronizedcollectingdistributingslave:second_if:currentattachedport_id:4port_priority:65535may_enable:trueactorsys_id:72:d2:d3:59:8c:41actorsys_priority:65534actorport_id:4actorport_priority:65535actorkey:3actorstate:activityaggregationsynchronizedcollectingdistributingpartnersys_id:2a:96:0e:c7:85:49partnersys_priority:65534partnerport_id:8partnerport_priority:65535partnerkey:7partnerstate:activityaggregationsynchronizedcollectingdistributing實(shí)驗(yàn)九:測(cè)試Bond功能默認(rèn)情況下bond_mode是active-backup模式，一開始active的是first_br和first_if從00ping02，以及01ping03，都是從first_if通過(guò)實(shí)驗(yàn)九:測(cè)試Bond功能如果把first_if設(shè)成down，則包的走向會(huì)變iplinksetfirst_ifdown發(fā)現(xiàn)second_if開始有流量，京first_if變成down,00和01似乎沒有收到影響second_br和second_if變成active實(shí)驗(yàn)九:測(cè)試Bond功能重啟first_if，但是second_br和second_if仍然是activeiplinksetfirst_ifup實(shí)驗(yàn)九:測(cè)試Bond功能把bond_mode設(shè)為balance-slbovs-vsctlsetPortbond0bond_mode=balance-slbovs-vsctlsetPortbond1bond_mode=balance-slb同時(shí)00ping02,01ping03,已經(jīng)分流了把bond_mode設(shè)為balance-tcpovs-vsctlsetPortbond0bond_mode=balance-tcpovs-vsctlsetPortbond1bond_mode=balance-tcp同時(shí)在00上：netperf-H02-tUDP_STREAM---m1024在01上：netperf-H03-tUDP_STREAM---m1024Openvswitch:QoSLinuxingressegressPolicyShapingOpenvswitch:QoSClasslessQueuingDisciplines默認(rèn)為pfifo_fastOpenvswitch:QoSSFQ,StochasticFairQueuing有很多的FIFO的隊(duì)列，TCPSession或者UDPstream會(huì)被分配到某個(gè)隊(duì)列。包會(huì)RoundRobin的從各個(gè)隊(duì)列中取出發(fā)送。這樣不會(huì)一個(gè)Session占據(jù)所有的流量。但不是每一個(gè)Session都有一個(gè)隊(duì)列，而是有一個(gè)Hash算法，將大量的Session分配到有限的隊(duì)列中。這樣兩個(gè)Session會(huì)共享一個(gè)隊(duì)列，也有可能互相影響。Hash函數(shù)會(huì)經(jīng)常改變，從而session不會(huì)總是相互影響。Openvswitch:QoSTBF,TokenBucketFilter兩個(gè)概念Tokensandbuckets所有的包排成隊(duì)列進(jìn)行發(fā)送，但不是到了隊(duì)頭就能發(fā)送，而是需要拿到Token才能發(fā)送Token根據(jù)設(shè)定的速度rate生成，所以即便隊(duì)列很長(zhǎng)，也是按照rate進(jìn)行發(fā)送的當(dāng)沒有包在隊(duì)列中的時(shí)候，Token還是以既定的速度生成，但是不是無(wú)限累積的，而是放滿了buckets為止，籃子的大小常用burst/buffer/maxburst來(lái)設(shè)定Buckets會(huì)避免下面的情況：當(dāng)長(zhǎng)時(shí)間沒有包發(fā)送的時(shí)候，積累了大量的Token，突然來(lái)了大量的包，每個(gè)都能得到Token，造成瞬間流量大增Openvswitch:QoSClassfulQueuingDisciplinesHTB,HierarchicalTokenBucketShaping：僅僅發(fā)生在葉子節(jié)點(diǎn)，依賴于其他的QueueBorrowing:當(dāng)網(wǎng)絡(luò)資源空閑的時(shí)候，借點(diǎn)過(guò)來(lái)為我所用Rate：設(shè)定的發(fā)送速度Ceil：最大的速度，和rate之間的差是最多能向別人借多少typeofclassclassstateHTBinternalstateactiontakenleaf<

rateHTB_CAN_SENDLeafclasswilldequeuequeuedbytesuptoavailabletokens(nomorethanburstpackets)leaf>

rate,<

ceilHTB_MAY_BORROWLeafclasswillattempttoborrowtokens/ctokensfromparentclass.Iftokensareavailable,theywillbelentin

quantum

incrementsandtheleafclasswilldequeueupto

cburst

bytesleaf>

ceilHTB_CANT_SENDNopacketswillbedequeued.Thiswillcausepacketdelayandwillincreaselatencytomeetthedesiredrate.inner,root<

rateHTB_CAN_SENDInnerclasswilllendtokenstochildren.inner,root>

rate,<

ceilHTB_MAY_BORROWInnerclasswillattempttoborrowtokens/ctokensfromparentclass,lendingthemtocompetingchildrenin

quantum

incrementsperrequest.inner,root>

ceilHTB_CANT_SENDInnerclasswillnotattempttoborrowfromitsparentandwillnotlendtokens/ctokenstochildrenclasses.Openvswitch:QoSOpenvswitch:QoS創(chuàng)建一個(gè)HTB的qdisc在eth0上，句柄為1:，default12表示默認(rèn)發(fā)送給1:12tcqdiscadddeveth0roothandle1:htbdefault12創(chuàng)建一個(gè)rootclass，然后創(chuàng)建幾個(gè)子class同一個(gè)rootclass下的子類可以相互借流量，如果直接不在qdisc下面創(chuàng)建一個(gè)rootclass，而是直接創(chuàng)建三個(gè)class，他們之間是不能相互借流量的。tcclassadddeveth0parent1:classid1:1htbrate100kbpsceil100kbpstcclassadddeveth0parent1:1classid1:10htbrate30kbpsceil100kbpstcclassadddeveth0parent1:1classid1:11htbrate10kbpsceil100kbpstcclassadddeveth0parent1:1classid1:12htbrate60kbpsceil100kbps創(chuàng)建葉子qdisc，分別為fifo和sfqtcqdiscadddeveth0parent1:10handle20:pfifolimit5tcqdiscadddeveth0parent1:11handle30:pfifolimit5tcqdiscadddeveth0parent1:12handle40:sfqperturb10設(shè)定規(guī)則：從來(lái)的，發(fā)送給port80的包，從1:10走；其他從發(fā)送來(lái)的包從1:11走；其他的走默認(rèn)tcfilteradddeveth0protocolipparent1:0prio1u32matchipsrcmatchipdport800xffffflowid1:10tcfilteradddeveth0protocolipparent1:0prio1u32matchipsrcflowid1:11Openvswitch:QoS時(shí)間0的時(shí)候，0,1,2都以90k的速度發(fā)送數(shù)據(jù)，在時(shí)間3的時(shí)候，將0的發(fā)送停止，紅色的線歸零，剩余的流量按照比例分給了藍(lán)色的和綠色的線。在時(shí)間6的時(shí)候，將0的發(fā)送重啟為90k，則藍(lán)色和綠色的流量返還給紅色的流量。在時(shí)間9的時(shí)候，將1的發(fā)送停止，綠色的流量為零，剩余的流量按照比例分給了藍(lán)色和紅色。在時(shí)間12,將1的發(fā)送恢復(fù)，紅色和藍(lán)色返還流量。在時(shí)間15，將2的發(fā)送停止，藍(lán)色流量為零，剩余的流量按照比例分給紅色和綠色。在時(shí)間19，將1的發(fā)送停止，綠色的流量為零，所有的流量都?xì)w了紅色。Openvswitch:QoSOpenvswitch支持兩種：Ingresspolicyovs-vsctlsetInterfacetap0ingress_policing_rate=100000ovs-vsctlsetInterfacetap0ingress_policing_burst=10000Egressshaping:PortQoSpolicy僅支持HTB在port上可以創(chuàng)建QoS一個(gè)QoS可以有多個(gè)Queue規(guī)則通過(guò)Flow設(shè)定QoSQueue實(shí)驗(yàn)十:測(cè)試QoS功能helloworldInstance03Instance04Instance01first_brfirst_if000203ubuntu_brInstance02vnet0vnet1vnet2vnet301實(shí)驗(yàn)十:測(cè)試QoS功能在什么都沒有配置的時(shí)候，測(cè)試一下速度，從00netperf03設(shè)置一下first_ifovs-vsctlsetInterfacefirst_ifingress_policing_rate=100000ovs-vsctlsetInterfacefirst_ifingress_policing_burst=10000實(shí)驗(yàn)十:測(cè)試QoS功能清理現(xiàn)場(chǎng)ovs-vsctlsetInterfacefirst_ifingress_policing_burst=0ovs-vsctlsetInterfacefirst_ifingress_policing_rate=0ovs-vsctllistInterfacefirst_if添加QoS添加Flow(first_br是ubuntu_br上的port5)ovs-vsctlsetportfirst_brqos=@newqos----id=@newqoscreateqostype=linux-htbother-config:max-rate=10000000queues=0=@q0,1=@q1,2=@q2----id=@q0createqueueother-config:min-rate=3000000other-config:max-rate=10000000----id=@q1createqueueother-config:min-rate=1000000other-config:max-rate=10000000----id=@q2createqueueother-config:min-rate=6000000other-config:max-rate=10000000ovs-ofctladd-flowubuntu_br"in_port=6nw_src=00actions=enqueue:5:0"ovs-ofctladd-flowubuntu_br"in_port=7nw_src=01actions=enqueue:5:1"ovs-ofctladd-flowubuntu_br"in_port=8nw_src=02actions=enqueue:5:2"實(shí)驗(yàn)十:測(cè)試QoS功能實(shí)驗(yàn)十:測(cè)試QoS功能單獨(dú)測(cè)試從00，01，02到03如果三個(gè)一起測(cè)試，發(fā)現(xiàn)是按照比例3:1:6進(jìn)行的實(shí)驗(yàn)十:測(cè)試QoS功能如果Instance01和Instance02一起，則3:1如果Instance01和Instance03一起，則1:2如果Instance02和Instance03一起，則1:6實(shí)驗(yàn)十:測(cè)試QoS功能清理環(huán)境Openvswitch:Tunnelgrevxlanipsec_greOpenvswitch:TunnelGREGenericRoutingEncapsulation(GRE)isatunnelingprotocolthatcanencapsulateawidevarietyofnetworklayerprotocolsinsidevirtualpoint-to-pointlinksoveranInternetProtocolinternetwork.Openvswitch:TunnelGREGREHeader從L2到L3，數(shù)據(jù)可打包后跨越網(wǎng)關(guān)和路由器然后解包稱為L(zhǎng)2的數(shù)據(jù)Openvswitch:TunnelGRE缺點(diǎn)：點(diǎn)對(duì)點(diǎn)，擴(kuò)展性不好網(wǎng)絡(luò)設(shè)備對(duì)GRE包頭支持有限，往往負(fù)載均衡和防火墻ACL都是根據(jù)IP和Port來(lái)的。Openvswitch:TunnelVXLANVXLAN：通過(guò)對(duì)L2包的打包和解包實(shí)現(xiàn)不同的L2網(wǎng)絡(luò)感覺在同一個(gè)L2網(wǎng)絡(luò)里面Components:Multicastsupport,IGMPandPIMVXLANNetworkIdentifier(VNI):24-bitsegmentIDVXLANGatewayVXLANTunnelEndPoint(VTEP)VXLANSegment/VXLANOverlayNetworkOpenvswitch:TunnelVXLANEthernetHeader:DestinationAddress

MACaddressofthedestinationVTEPifitislocal,MACaddrofgatewaywhenthedestinationVTEPisonadifferentL3network.IPHeader:Protocol

–Set0×11toindicatethattheframecontainsaUDPpacketSourceIP

–IPaddressoforiginatingVTEPDestinationIP

–IPaddressoftargetVTEP.UDPHeader:SourcePort

–SetbytransmittingVTEPVXLANPort

–IANAassignedVXLANPort.

VXLANHeader:VNI

–24-bitfieldthatistheVXLANNetworkIdentifierOpenvswitch:TunnelVXLANARP VM2 MAC2

VTEP2IGMPreport:加入組 VM1 MAC1

VTEP1IGMPreport:加入組

VM1及VM2連接到VXLAN網(wǎng)絡(luò)100,兩個(gè)VXLAN主機(jī)加入IP多播組VTEP–VXLAN隧道終端(VXLANTunnelingEndPoint)1L2/L3networkinfrastructureOpenvswitch:TunnelVXLANARPNetIDMACIPNetIDMACIP100MAC1IP1_vtep1VTEP2 VM2MAC2VTEP1 VM1MAC1BCASTMAC1ARPReq1MACHdrIPHdrDA:SA:IP_vtep1UDPHdrVXLANHdrVXLANID:100BCASTMAC1ARPReq2用IP多播封裝原廣播報(bào)文BCASTMAC1ARPReq5MACHdrIPHdrDA:SA:IP_vtep1UDPHdrVXLANHdrVXLANID:100BCASTMAC1ARPReq4學(xué)習(xí)內(nèi)層MAC到外層源IP地址 的映射VM1發(fā)送ARP請(qǐng)求(廣播)以獲得VM2的MAC地址，VXLANID為100VTEP–VXLAN隧道終端(VXLANTunnelingEndPoint)12L2/L3網(wǎng)絡(luò)3封裝后的報(bào)文經(jīng)多播轉(zhuǎn)發(fā)到達(dá)Openvswitch:TunnelVXLANARPNetIDMACIP100MAC2IP_vtep2NetIDMACIP100MAC1IP_vtep1VTEP2 VM2MAC2VTEP1 VM1MAC1MAC1MAC2ARPResp42已知MAC1的外層IP地址,使用IP單播封裝MAC1MAC2ARPResp1MACHdrIPHdrDA:IP_vtep1SA:IP_vtep2UDPHdrVXLANHdrVXLANID:100MAC1MAC2ARPResp3學(xué)習(xí)內(nèi)層MAC到外層源IP地址的映射MACHdrIPHdrDA:IP_vtep1SA:IP_vtep2UDPHdrVXLANHdrVXLANID:100MAC1MAC2ARPRespVM2發(fā)送ARP應(yīng)答(單播)到VM1VTEP–VXLAN隧道終端(VXLANTunnelingEndPoint)3L2/L3網(wǎng)絡(luò)Openvswitch:TunnelVXLANOpenvswitch:TunnelVXLAN可支持Multicas