Virtualization: OVN from Beginner to Expert (Part 5)

OVN L3 Gateway: Connecting to External Networks

1. Gateway connectivity

Based on material found online, the topology looks roughly like this~

As shown above, we add the following new components:

  • An OVN edge gateway router (edge1)
  • A logical switch (transit) that connects edge1 to the tenant1 router
  • A logical switch (outside) that connects edge1 to the lab network

The goal is for VMs inside the VPC to reach the physical underlay network: establish layer-3 connectivity and NAT outbound~


       | enp6s0f1 |   Physical Network
        ----------
            |
        ____|_____
       |  bridge  |   br-ex
        ----------
            | mapping
        outside(sw)
            |
            | <192.168.0.250/24>
        edge1(gr) <10.10.100.1/24>
            |
            |
      transit(join sw)
            |
            | <10.10.100.2/24>
  router-tenant1(dr) <172.16.250.1/24,172.16.251.1/24>
         /        \
    ls01(sw)    ls02(sw)
     /   |       /    \
   vm1  vm2   vm11   vm12

Create the logical edge router. A gateway router is bound to one specific chassis, so to complete the binding we first need the chassis id of the central node (I understand this as the VTEP gateway: it has to be pinned to a particular host, which effectively makes it a centralized network node; here we keep using the central node as the centralized gateway).

#ovn-sbctl show

#ovn-nbctl create Logical_Router name=edge1 options:chassis=5e959521-218c-4dd3-bf25-ef29a522234b

Create a logical transit switch to join edge1 and tenant1. Its purpose is to connect the two routers, because a gateway router can only reach other routers through a logical switch; perhaps the community will optimize this requirement away some day~

#ovn-nbctl ls-add transit

Connect router edge1 to the logical switch transit

#ovn-nbctl lrp-add edge1 edge1-transit 02:d4:1d:8c:d7:ae 10.10.100.1/24
#ovn-nbctl lsp-add transit transit-edge1
#ovn-nbctl lsp-set-type transit-edge1 router
#ovn-nbctl lsp-set-addresses transit-edge1 02:d4:1d:8c:d7:ae
#ovn-nbctl lsp-set-options transit-edge1 router-port=edge1-transit

Connect router tenant1 to the logical switch transit

#ovn-nbctl lrp-add router-tenant1 tenant1-transit 02:d4:1d:8c:d9:af 10.10.100.2/24
#ovn-nbctl lsp-add transit transit-tenant1
#ovn-nbctl lsp-set-type transit-tenant1 router
#ovn-nbctl lsp-set-addresses transit-tenant1 02:d4:1d:8c:d9:af
#ovn-nbctl lsp-set-options transit-tenant1 router-port=tenant1-transit

Add static routes

#ovn-nbctl lr-route-add edge1 "172.16.250.0/24" 10.10.100.2
#ovn-nbctl lr-route-add edge1 "172.16.251.0/24" 10.10.100.2
#ovn-nbctl lr-route-add router-tenant1 "0.0.0.0/0" 10.10.100.1
#ovn-nbctl lr-route-list edge1
#ovn-nbctl lr-route-list router-tenant1

Test connectivity

#ip netns exec ns1 ping -c 2 10.10.100.1
#ip netns exec ns11 ping -c 2 10.10.100.1

At this point the network path from the VMs to the edge1 router is connected~
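The router-to-switch peering above is the same five ovn-nbctl calls repeated for edge1 and tenant1 (and again later for outside-edge1). The helper below is an added example, not part of the original post: it wraps that pattern in one function with a sanity check on the MAC and prefix, and a DRY_RUN mode that prints the commands instead of executing them (the MACs, names and subnets in the usage lines are the post's own values reused as sample input).

```shell
#!/bin/sh
# Added example: wire a logical router port to a logical switch port the way
# the walkthrough does by hand. Set DRY_RUN=1 to print the ovn-nbctl commands
# instead of running them (ovn-nbctl is not needed in that mode).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ovn_peer_router_switch ROUTER SWITCH MAC CIDR [SHORT]
# Creates router port SHORT-SWITCH on ROUTER and switch port SWITCH-SHORT on
# SWITCH, marks the switch port as type "router", pins the same MAC on both
# sides and links them with router-port=. SHORT defaults to ROUTER.
ovn_peer_router_switch() {
    router=$1; switch=$2; mac=$3; cidr=$4; short=${5:-$1}
    case "$mac" in
        ??:??:??:??:??:??) ;;                        # rough shape check only
        *) echo "bad MAC address: $mac" >&2; return 1 ;;
    esac
    case "$cidr" in
        */*) ;;
        *) echo "CIDR must carry a prefix length: $cidr" >&2; return 1 ;;
    esac
    rport="${short}-${switch}"
    sport="${switch}-${short}"
    run ovn-nbctl lrp-add "$router" "$rport" "$mac" "$cidr" &&
    run ovn-nbctl lsp-add "$switch" "$sport" &&
    run ovn-nbctl lsp-set-type "$sport" router &&
    run ovn-nbctl lsp-set-addresses "$sport" "$mac" &&
    run ovn-nbctl lsp-set-options "$sport" router-port="$rport"
}

# Usage with the values from this post (set DRY_RUN=1 to preview):
#   ovn_peer_router_switch edge1 transit 02:d4:1d:8c:d7:ae 10.10.100.1/24
#   ovn_peer_router_switch router-tenant1 transit 02:d4:1d:8c:d9:af 10.10.100.2/24 tenant1
```

Because a gateway router only reaches other routers through a switch, running the helper once per router is all the transit switch needs; run `ovn-nbctl show` afterwards to confirm both switch ports carry type router and the expected MAC.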

2. SNAT to reach the physical underlay network

Next we use ens35 on the central node as the attachment point between the edge1 router and the "data" network. To do that, OVN must be configured to use ens35 through a dedicated OVS bridge. In OVN this kind of attachment is called a "localnet" port.

2.1 central node

# Create a new port on router 'edge1' for the connection to the outside switch
ovn-nbctl lrp-add edge1 edge1-outside 02:0a:7f:00:01:29 192.168.0.250/24
# set gateway chassis
ovn-nbctl lrp-set-gateway-chassis edge1-outside 5e959521-218c-4dd3-bf25-ef29a522234b
# Create the logical switch and connect it to edge1
ovn-nbctl ls-add outside
ovn-nbctl lsp-add outside outside-edge1
ovn-nbctl lsp-set-type outside-edge1 router
ovn-nbctl lsp-set-addresses outside-edge1 02:0a:7f:00:01:29
ovn-nbctl lsp-set-options outside-edge1 nat-addresses=router router-port=edge1-outside

# Create a localnet port on the 'outside' switch; set the network name to "physnet1"
ovn-nbctl lsp-add outside outside-localnet
ovn-nbctl lsp-set-addresses outside-localnet unknown
ovn-nbctl lsp-set-type outside-localnet localnet
ovn-nbctl lsp-set-options outside-localnet network_name=physnet1

# Still using the central node
# Create an OVS bridge for the physical NIC
ovs-vsctl add-br br-ex
# Attach the NIC and create the bridge mapping: map "physnet1" to br-ex
# (the NIC name must match the physical interface on this host)
ovs-vsctl add-port br-ex eth0
ovs-vsctl set Open_vSwitch . external-ids:ovn-bridge-mappings=physnet1:br-ex

# Assign the IP address 192.168.0.201/24 to br-ex
ip addr add 192.168.0.201/24 dev br-ex
ip link set br-ex up

Test connectivity

The VM can reach 192.168.0.250 but cannot reach 192.168.0.201-203

[root@q15439v ~]# ip netns exec ns1 ping 192.168.0.250
PING 192.168.0.250 (192.168.0.250) 56(84) bytes of data.
64 bytes from 192.168.0.250: icmp_seq=1 ttl=253 time=0.260 ms
^C
--- 192.168.0.250 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.260/0.260/0.260/0.000 ms
[root@q15439v ~]# ip netns exec ns1 ping 192.168.0.201
PING 192.168.0.201 (192.168.0.201) 56(84) bytes of data.
^C
--- 192.168.0.201 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
# create snat rule which will nat to the edge1-outside interface
ovn-nbctl -- --id=@nat create nat type="snat" logical_ip=172.16.250.0/24 external_ip=192.168.0.250 -- add logical_router edge1 nat @nat
#ovn-nbctl -- --id=@nat create nat type="dnat_and_snat" logical_ip=172.16.250.11 external_ip=192.168.0.199 -- add logical_router edge1 nat @nat

# Clean up the NAT rules and the outside attachment
ovn-nbctl lr-nat-del edge1 dnat_and_snat 192.168.0.199
ovn-nbctl lr-nat-del edge1 snat 172.16.250.0/24
ovn-nbctl ls-del outside
ovn-nbctl lrp-del edge1-outside

# Remove the external bridge
ovs-vsctl del-br br-ex

Troubleshooting with ovn-trace

# Template: ovn-trace --detail <switch id> 'inport == "<VM port>" && eth.src == <VM MAC> && eth.dst == <gateway MAC>'
ovn-trace --detail 0cd46441-6af4-45db-b201-16cd8342c519 'inport == "e69f6f79-7e62-4616-b1b8-be61cf9eac79" && eth.src == fa:16:3e:e9:52:50 && ip4.src == 192.168.99.131 && eth.dst == fa:16:3e:ee:d9:3e && ip4.dst == 8.8.8.8 && ip.ttl == 32'