Isolating VM Traffic Using VLANs
2016-03-09 10:04
Original: http://openvswitch.org/support/config-cookbooks/vlan-configuration-cookbook/
The goal of this configuration cookbook is to isolate VM traffic using VLANs.

Environment

This walkthrough assumes the environment is configured as described in the following sections.

Two Physical Networks
Data Network: Ethernet network for VM data traffic, which will carry VLAN-tagged traffic between VMs. Your physical switch(es) must be capable of forwarding VLAN-tagged traffic and the physical switch ports should operate as VLAN trunks. (Usually this is the default behavior. Configuring your physical switching hardware is beyond the scope of this document.)
Management Network: This network is not strictly required, but it is a simple way to give the physical host an IP address for remote access, since an IP address cannot be assigned directly to eth0 (more on that in a moment).
Two Physical Hosts
The environment assumes the use of two hosts, named Host1 and Host2. Both hosts are running Open vSwitch. Each host has two NICs, eth0 and eth1, which are configured as follows:

eth0 is connected to the Data Network. No IP address is assigned to eth0.
eth1 is connected to the Management Network (if necessary). eth1 has an IP address that is used to reach the physical host for management.
Four Virtual Machines
Each host will run two virtual machines (VMs). VM1 and VM2 are running on Host1, while VM3 and VM4 are running on Host2.

Each VM has a single interface that appears as a Linux device (e.g., "tap0") on the physical host. (Note: for Xen/XenServer, VM interfaces appear as Linux devices with names like "vif1.0". Other Linux systems may present these interfaces as "vnet0", "vnet1", etc.)
The following diagram graphically illustrates the environment assumed by this configuration cookbook:
Configuration Steps
Perform the following configuration on Host 1:

Create an OVS bridge:
ovs-vsctl add-br br0
Add eth0 to the bridge (by default, all OVS ports are VLAN trunks, so eth0 will pass all VLANs):
ovs-vsctl add-port br0 eth0
Note that when you add eth0 to the OVS bridge, any IP address that was assigned to eth0 stops working, because frames arriving on eth0 are now handed to the OVS datapath rather than to the host's IP stack. Any IP address assigned to eth0 should be migrated to a different interface before adding eth0 to the OVS bridge; if the host itself needs an address on the Data Network, put it on the bridge's internal interface (br0) rather than on eth0.
This is the reason for the separate management connection via eth1.
Add VM1 as an "access port" on VLAN 100. This means that traffic coming into OVS from VM1 will be untagged and considered part of VLAN 100, and only VLAN 100 traffic will be delivered to VM1. (If tag= is omitted, tap0 is a trunk just like eth0, and VM1 would receive frames from every VLAN, which defeats the isolation this cookbook sets up.)
ovs-vsctl add-port br0 tap0 tag=100
Add VM2 on VLAN 200.
ovs-vsctl add-port br0 tap1 tag=200
Repeat these steps on Host 2:
Setup a bridge with eth0 as a VLAN trunk:
ovs-vsctl add-br br0
ovs-vsctl add-port br0 eth0
Add VM3 to VLAN 100:
ovs-vsctl add-port br0 tap0 tag=100
Add VM4 to VLAN 200:
ovs-vsctl add-port br0 tap1 tag=200
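As an added example that is not part of the cookbook or of Open vSwitch itself, the following script wraps the Host 1 / Host 2 steps above into one function that validates the VLAN IDs before calling ovs-vsctl, and adds the check a practitioner wants afterwards: it reads the Port table and flags any VM port that ended up without a tag, since an untagged OVS port is a trunk and the VM behind it would see every VLAN. The names br0, eth0, tap0 and tap1 are the cookbook's; the function names, the OVS_VSCTL dry-run variable and the sample records are this example's own, and the audit assumes the CSV layout produced by the ovs-vsctl table-formatting options named in the comments.

```shell
#!/bin/sh
# Added example, not part of the OVS cookbook: builds the br0 layout from the
# steps above on either host, then audits the result. OVS_VSCTL defaults to
# the real ovs-vsctl; set OVS_VSCTL=echo to dry-run and only print commands.
OVS_VSCTL="${OVS_VSCTL:-ovs-vsctl}"
BRIDGE=br0
UPLINK=eth0   # trunk to the Data Network; never carries an IP address

# configure_host tap0:100 tap1:200
# Each argument is <vm port>:<vlan>. The uplink is added with no tag, so it
# trunks every VLAN; every VM port gets tag=<vlan> and becomes an access port.
# Like the cookbook's own commands this is not idempotent: ovs-vsctl refuses
# to add a bridge or port that already exists.
configure_host() {
  $OVS_VSCTL add-br "$BRIDGE" || return 1
  $OVS_VSCTL add-port "$BRIDGE" "$UPLINK" || return 1
  for spec in "$@"; do
    port=${spec%%:*}
    vlan=${spec#*:}
    case "$vlan" in
      ''|*[!0-9]*) echo "configure_host: bad VLAN in '$spec'" >&2; return 1 ;;
    esac
    if [ "$vlan" -lt 1 ] || [ "$vlan" -gt 4094 ]; then
      echo "configure_host: VLAN $vlan out of range in '$spec'" >&2; return 1
    fi
    $OVS_VSCTL add-port "$BRIDGE" "$port" tag="$vlan" || return 1
  done
}

# audit_access_ports reads "name,tag" CSV records on stdin, as produced by
#   ovs-vsctl --format=csv --data=bare --no-headings --columns=name,tag list Port
# and reports every port that is neither the uplink nor the bridge's own
# internal port yet has an empty tag. Because OVS ports are trunks by default,
# such a port is a VM that was added without tag= and can see every VLAN.
# Returns 1 if any such port is found, 0 otherwise.
audit_access_ports() {
  rc=0
  while IFS=, read -r name tag; do
    [ -n "$name" ] || continue
    [ "$name" = "$UPLINK" ] && continue
    [ "$name" = "$BRIDGE" ] && continue
    if [ -z "$tag" ]; then
      echo "WARNING: port $name has no tag and is therefore a VLAN trunk"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample of the CSV output (not captured from a real host) for a
# host where tap1 was added without tag=; the audit must flag tap1 only.
SAMPLE_PORTS='br0,
eth0,
tap0,100
tap1,'

# Typical use on Host 1 (Host 2 is identical, with tap0 -> VM3, tap1 -> VM4):
#   configure_host tap0:100 tap1:200
#   ovs-vsctl --format=csv --data=bare --no-headings --columns=name,tag list Port \
#     | audit_access_ports
# Dry run of the audit against the constructed sample:
#   printf '%s\n' "$SAMPLE_PORTS" | audit_access_ports
```

Run the audit after every change to the bridge, not only once: a port re-added later without tag= silently becomes a trunk, and nothing in OVS itself will warn about it.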
Testing
Pings from VM1 to VM3 should succeed, as these two VMs are on the same VLAN.

Pings from VM2 to VM4 should also succeed, since these VMs are also on the same VLAN as each other.
Pings from VM1/VM3 to VM2/VM4 should not succeed, as these VMs are on different VLANs. If you have a router configured to forward between the VLANs, then pings will work, but packets arriving at VM2 or VM4 should have the source MAC address of the router, not of VM1 or VM3.