OpenFlow Network Comprehensive Experiment: VLAN Isolation (Basic Version)

vlan, connecting to a real network

Posted by chochi on June 30, 2018

1 Experiment Description

1.1 Configuration

  • OpenFlow 1.3, Open vSwitch 2.9.0, Mininet 2.3, Ubuntu 18.04, oh-my-zsh

1.2 Background

Global topology

  • Four virtual machines are created inside the physical host (IP 172.17.172.100); by bridging to the physical NIC, these four virtual hosts can reach the external network.
  • The four virtual hosts are isolated by VLAN: VLAN 20 = H1 + H2, VLAN 30 = H3 + H4.
  • Make sure the physical host itself can still reach the external network; see this link for details.
  • This experiment is a basic validation for a later, larger experiment, so flow entries are installed only for ARP and ICMP.
  • Future work: port mapping, MAC learning.

1.3 Background Knowledge

  1. Patch port: a pair of ports used to link two bridges.
ovs-vsctl add-port br1 patch-ovs-1 -- set Interface patch-ovs-1 type=patch -- set Interface patch-ovs-1 options:peer=patch-ovs-2

ovs-vsctl add-port br2 patch-ovs-2 -- set Interface patch-ovs-2 type=patch -- set Interface patch-ovs-2 options:peer=patch-ovs-1
  2. Explanation of the VLAN header fields
  3. Basic commands used in the experiment
  4. Because the experiment is fairly complex and uses many flow entries, the multi-table pipeline feature is used.
  5. Project repository for the whole experiment

2 Experiment Steps

2.1 Building the Topology

  • Start the ODL controller on the physical machine, 127.0.0.1:663
  • Open Mininet's GUI, open the vlan.mn topology file from the experiment project and run it; the topology as shown in the Mininet GUI is in the figure below. [image]
  • The global topology is not connected to the controller, so it is set up separately.
  • The topology seen in ODL is shown below; since there is no link between the two switches, it is necessarily different (the data does not travel over the channel that connects to the controller). [image]
  • Run the scripts! For the detailed logic read the scripts yourself: first run chochi_final.sh, then vlan.sh. Once these are done, VLAN isolation is in effect. [image]
#!/bin/bash
# file-name:chochi_final.sh
sudo ovs-vsctl add-br chochi
sudo ifconfig eth0 0                      # clear the address from eth0; the bridge takes it over
sudo ovs-vsctl add-port chochi eth0
sudo dhclient chochi                      # the bridge obtains the host's address via DHCP
ping www.baidu.com -c 2
sudo ovs-vsctl add-port chochi patch11 -- set interface patch11 type=patch options:peer=patch12
sudo ovs-vsctl add-port s1     patch12 -- set interface patch12 type=patch options:peer=patch11
sudo ovs-vsctl add-port chochi patch21 -- set interface patch21 type=patch options:peer=patch22
sudo ovs-vsctl add-port s2     patch22 -- set interface patch22 type=patch options:peer=patch21
ping www.baidu.com -c 2

# flow entry
sudo ovs-ofctl add-flow chochi  "priority=100,in_port=eth0,arp,actions=normal"  # ARP coming in from the external network
sudo ovs-ofctl add-flow chochi  "priority=100,in_port=eth0,icmp,actions=normal" # ICMP coming in from the external network
sudo ovs-ofctl add-flow chochi  "priority=80,vlan_vid=0x1000/0x1000,arp,arp_tpa=192.168.0.0/16,actions=normal" # internal (VLAN-tagged) ARP
sudo ovs-ofctl add-flow chochi  "priority=80,vlan_vid=0x1000/0x1000,icmp,nw_dst=192.168.0.0/16,actions=normal" # internal (VLAN-tagged) ICMP
sudo ovs-ofctl add-flow chochi  "priority=50,in_port=patch11,vlan_vid=0x1000/0x1000,actions=strip_vlan,eth0" # traffic not destined for the internal network: strip the VLAN tag and send it out eth0
sudo ovs-ofctl add-flow chochi  "priority=50,in_port=patch21,vlan_vid=0x1000/0x1000,actions=strip_vlan,eth0"
sudo ovs-ofctl add-flow chochi  "priority=10,actions=normal" # table-miss packets

#!/bin/bash
# file-name:vlan.sh
#---------------------- s1 -----------------------
## s1 - table 0
sudo ovs-ofctl add-flow s1 -O OpenFlow13 "table=0,priority=50,in_port=1,actions=mod_vlan_vid:20,resubmit(,1)" # h1->h2 :  tag vlan20 ->>  table 1
sudo ovs-ofctl add-flow s1 -O OpenFlow13 "table=0,priority=50,in_port=2,actions=mod_vlan_vid:30,resubmit(,1)" # h3->h4 :  tag vlan30 ->>  table 1
sudo ovs-ofctl add-flow s1 -O OpenFlow13 "table=0,priority=60,dl_vlan=20,actions=resubmit(,2)"                # h2->h1 :  carries vlan tag 20 ->> table 2
sudo ovs-ofctl add-flow s1 -O OpenFlow13 "table=0,priority=60,dl_vlan=30,actions=resubmit(,3)"                # h4->h3 :  carries vlan tag 30 ->> table 3
sudo ovs-ofctl add-flow s1 -O OpenFlow13 "table=0,priority=40,in_port=patch12,actions=resubmit(,4)"           # external traffic ->> table 4
sudo ovs-ofctl dump-flows  -O OpenFlow13 s1 table=0
## s1 - table 1
sudo ovs-ofctl add-flow s1 -O OpenFlow13 "table=1,priority=50,dl_vlan=20,actions=output:patch12" # h1->h2 vlan:20 : output (chochi)
sudo ovs-ofctl add-flow s1 -O OpenFlow13 "table=1,priority=50,dl_vlan=30,actions=output:patch12" # h3->h4 vlan:30 : output (chochi)
sudo ovs-ofctl dump-flows  -O OpenFlow13 s1 table=1
## s1 - table 2
sudo ovs-ofctl add-flow s1 -O OpenFlow13 "table=2,priority=50,dl_vlan=20,actions=strip_vlan,output:1" # h2->h1 : output=(h1)
sudo ovs-ofctl dump-flows  -O OpenFlow13 s1 table=2
## s1 - table 3
sudo ovs-ofctl add-flow s1 -O OpenFlow13 "table=3,priority=50,dl_vlan=30,actions=strip_vlan,output:2" # h4->h3 : output=(h3)
sudo ovs-ofctl dump-flows  -O OpenFlow13 s1 table=3
## s1 - table 4
sudo ovs-ofctl add-flow s1 -O OpenFlow13 "table=4,priority=50,actions=1,2"                            # external traffic in: flood to both hosts

#---------------------- s2 ------------------------
## s2 - table 0
sudo ovs-ofctl add-flow s2 -O OpenFlow13 "table=0,priority=50,in_port=1,actions=mod_vlan_vid:20,resubmit(,1)" # h2->h1 : tag vlan20 ->> table 1
sudo ovs-ofctl add-flow s2 -O OpenFlow13 "table=0,priority=50,in_port=2,actions=mod_vlan_vid:30,resubmit(,1)" # h4->h3 : tag vlan30 ->> table 1
sudo ovs-ofctl add-flow s2 -O OpenFlow13 "table=0,priority=60,dl_vlan=20,actions=resubmit(,2)"                # h1->h2 : carries vlan tag 20 ->> table 2
sudo ovs-ofctl add-flow s2 -O OpenFlow13 "table=0,priority=60,dl_vlan=30,actions=resubmit(,3)"                # h3->h4 : carries vlan tag 30 ->> table 3
sudo ovs-ofctl add-flow s2 -O OpenFlow13 "table=0,priority=40,in_port=patch22,actions=resubmit(,4)"           # external traffic ->> table 4
sudo ovs-ofctl dump-flows  -O OpenFlow13 s2 table=0

## s2 - table 1
sudo ovs-ofctl add-flow s2 -O OpenFlow13 "table=1,priority=50,dl_vlan=20,actions=output:patch22"         # h2->h1 : vlan20 output=(chochi)
sudo ovs-ofctl add-flow s2 -O OpenFlow13 "table=1,priority=50,dl_vlan=30,actions=output:patch22"         # h4->h3 : vlan30 output=(chochi)
sudo ovs-ofctl dump-flows  -O OpenFlow13 s2 table=1

## s2 - table 2
sudo ovs-ofctl add-flow s2 -O OpenFlow13 "table=2,priority=50,dl_vlan=20,actions=strip_vlan,output:1"         # h1->h2 : output=(h2)
sudo ovs-ofctl dump-flows  -O OpenFlow13 s2 table=2

## s2 - table 3
sudo ovs-ofctl add-flow s2 -O OpenFlow13 "table=3,priority=50,dl_vlan=30,actions=strip_vlan,output:2"         # h3->h4 : output=(h4)
sudo ovs-ofctl dump-flows  -O OpenFlow13 s2 table=3
## s2 - table 4
sudo ovs-ofctl add-flow s2 -O OpenFlow13 "table=4,priority=50,actions=1,2"                                    # external traffic in: flood to both hosts
#####
## Traffic from the hosts pinging the external network is handled by the chochi bridge.
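As an added example (not part of the original post or its scripts), the following Python model replays the s1/s2 tables of vlan.sh with the same priorities and actions, so the isolation can be checked without a live OVS. It assumes that a frame s1 sends out patch12 reaches s2 on patch22 still tagged, which is what chochi's 'normal' rules do for 192.168.0.0/16 traffic.

```python
# Added model (not from the post): replays the s1/s2 tables of vlan.sh.
# Actions modelled: mod_vlan_vid, resubmit, strip_vlan, output.
# Assumption: a frame s1 sends out patch12 reaches s2 on patch22 still
# tagged, which is what chochi's 'normal' rules do for 192.168.0.0/16.

def switch_rules(patch):
    """Rules of one switch as (table, priority, match, actions).
    patch is 'patch12' for s1 or 'patch22' for s2; host ports are 1 and 2."""
    return [
        (0, 50, {"in_port": 1}, [("mod_vlan_vid", 20), ("resubmit", 1)]),
        (0, 50, {"in_port": 2}, [("mod_vlan_vid", 30), ("resubmit", 1)]),
        (0, 60, {"dl_vlan": 20}, [("resubmit", 2)]),
        (0, 60, {"dl_vlan": 30}, [("resubmit", 3)]),
        (0, 40, {"in_port": patch}, [("resubmit", 4)]),
        (1, 50, {"dl_vlan": 20}, [("output", patch)]),
        (1, 50, {"dl_vlan": 30}, [("output", patch)]),
        (2, 50, {"dl_vlan": 20}, [("strip_vlan",), ("output", 1)]),
        (3, 50, {"dl_vlan": 30}, [("strip_vlan",), ("output", 2)]),
        (4, 50, {}, [("output", 1), ("output", 2)]),
    ]

def run_pipeline(rules, pkt, table=0):
    """Return [(out_port, vlan)] for pkt = {"in_port", "dl_vlan"} entering
    `table`; dl_vlan None means untagged. Highest priority match wins."""
    hits = [r for r in rules if r[0] == table
            and all(pkt.get(k) == v for k, v in r[2].items())]
    if not hits:
        return []  # table-miss: OpenFlow 1.3 drops the frame by default
    out = []
    for act in max(hits, key=lambda r: r[1])[3]:
        if act[0] == "mod_vlan_vid":
            pkt = {**pkt, "dl_vlan": act[1]}
        elif act[0] == "strip_vlan":
            pkt = {**pkt, "dl_vlan": None}
        elif act[0] == "resubmit":
            out += run_pipeline(rules, pkt, act[1])
        elif act[0] == "output":
            out.append((act[1], pkt["dl_vlan"]))
    return out

def deliver_from_s1(host_port):
    """s2 ports (with tag) that receive a frame from the host on s1 port host_port."""
    s1, s2 = switch_rules("patch12"), switch_rules("patch22")
    received = []
    for port, vlan in run_pipeline(s1, {"in_port": host_port, "dl_vlan": None}):
        if port == "patch12":  # chochi hands the still-tagged frame to s2
            received += run_pipeline(s2, {"in_port": "patch22", "dl_vlan": vlan})
    return received
```

deliver_from_s1(1) returns [(1, None)]: h1's frame reaches h2 untagged and never port 2 (h4). The same model shows that the in_port=patch22 catch-all sends any frame from chochi that is not tagged 20 or 30 to table 4, which floods it to both hosts with its tag kept, because table 4 has no VLAN match.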
  • At this point VLAN isolation is complete and the physical host can reach the external network. But because the virtual hosts have no DNS resolution and the rest of that setup, I changed the "virtual host reaches the external network" test into pinging a host on the same campus network (IP 172.17.170.148).
  • Add a route on the virtual hosts, since the target is on a different network segment.
h1 route add 172.17.170.148 dev h1-eth0
h2 route add 172.17.170.148 dev h2-eth0
h3 route add 172.17.170.148 dev h3-eth0
h4 route add 172.17.170.148 dev h4-eth0

[image]

  • The target host that the virtual hosts communicate with also needs a route added.
sudo route add -net 192.168.0.0 netmask 255.255.0.0 dev [physical NIC of the target host]
  • Now ARP and ICMP between the virtual hosts and the target host go through successfully. [image]
  • Check again that the physical host can reach the external network. [image]

Do you feel this blog post is pretty thin = = ? Yeah, I think so too.. I spent the whole day on the experiment.. Right now I just want to finish the post quickly; you'll get the idea!