Analyze OVS How to achieve VLAN isolation-5 minutes a day to play with OpenStack (140)

650) this.width=650; "Src=" http://7xo6kd.com1.z0.glb.clouddn.com/ Upload-ueditor-image-20170119-1484822850249021860.jpg "/>

In the previous section we completed the construction of the OVS VLAN environment, with the current topology as follows:

650) this.width=650; "Src=" http://7xo6kd.com1.z0.glb.clouddn.com/ Upload-ueditor-image-20170119-1484822850549065346.jpg "/>

The CIRROS-VM1 is located in the control node and belongs to vlan100.
The cirros-vm2 is located in the compute node and belongs to vlan100.
The CIRROS-VM3 is located in the compute node and belongs to vlan101.

Today detailed analysis OVS how to achieve the isolation of vlan100 and vlan101.
Unlike Linux Bridge driver, the Open VSwitch driver does not isolate different VLANs through VLAN eth1.101 such as eth1.100, interface, and so on. All instance are connected to the same bridge Br-int, andOpen VSwitch uses flow rule to specify how to forward the data in and out of the br-int to enable isolation between VLANs .

Specifically: When data enters and exits the br-int, flow rule can modify, add, or strip the packet's VLAN Tag,neutron responsible for creating these flow rule and configuring them on the Open vSwitch such as Br-int,br-eth1.

Let's take a look at the current flow rule.

The command to view flow rule is Ovs-ofctl dump-flow <bridge>
First look at the flow rule:650 of the compute node br-eth1) this.width=650; "Src=" http://7xo6kd.com1.z0.glb.clouddn.com/ Upload-ueditor-image-20170119-1484822850816040765.jpg "/>

The BR-ETH1 is configured with four rule, each rule has a number of attributes, among which the more important attributes are:

Priority
The precedence of rule, the higher the value, the greater the priority. The Open VSwitch applies rules from highest to lowest priority.

In_port
Inbound port number, each port will have an internal number in the Open vSwitch.
You can view the port number by command Ovs-ofctl show <bridge>.
such as Br-eth1:
650) this.width=650; "Src=" http://7xo6kd.com1.z0.glb.clouddn.com/ Upload-ueditor-image-20170119-1484822851415080454.jpg "/>

The eth1 number is 1;phy-br-eth1 number 2.

Dl_vlan
The original VLAN ID of the packet.

Actions
The operation on the packet.

Br-eth1 with VLAN-related flow rule is the previous two, let's analyze it in detail below.
For clarity, we only retain important information, as follows:

Priority=4,in_port=2,dl_vlan=1 Actions=mod_vlan_vid:100,normal priority=4,in_port=2,dl_vlan=5 Actions=mod_vlan_ Vid:101,normal

The meaning of the first article is:
The packet received from Br-eth1 Port Phy-br-eth1 (in_port=2), if the VLAN ID is 1 (dl_vlan=1), then the VLAN ID needs to be changed to (ACTIONS=MOD_VLAN_VID:100)

650) this.width=650; "Src=" http://7xo6kd.com1.z0.glb.clouddn.com/ Upload-ueditor-image-20170119-1484822851523020361.jpg "/>

From the above network structure, we know that Phy-br-eth1 is connected to the Br-int,phy-br-eth1 inbound package is actually instance through the Br-int sent to the physical network card data.

So how do you know to change VLAN ID 1 to VLAN ID 100?
Take a look at the output of the compute node OVS-VSCTL show below:

650) this.width=650; "Src=" http://7xo6kd.com1.z0.glb.clouddn.com/ Upload-ueditor-image-20170119-1484822851662032955.jpg "/>

Br-int the different ports through the tag, this tag can be seen as the internal VLAN ID.
Packets entered from qvo4139d09b-30 (corresponding to cirros-vm2,vlan100) are tagged with 1 VLAN tags.
Packets entered from QVO98582DC9-DB (corresponding to cirros-vm3,vlan101) are tagged with 5 VLAN tags.

Because the VLAN ID in Br-int is not the same as the VLAN ID in the physical network, the VLAN needs to be transformed when Br-eth1 receives packets from Br-int. The Neutron is responsible for maintaining the VLAN ID correspondence and configuring the translation rules in flow rule.

Understanding the flow rule of br-eth1, we'll analyze Br-int's flow rule.

650) this.width=650; "Src=" http://7xo6kd.com1.z0.glb.clouddn.com/ Upload-ueditor-image-20170119-1484822851781065438.jpg "/>

The key is the following two articles:

priority=3,inport=1,dl_vlan=100 Actions=mod_vlan_vid:1,normal priority=3,inport=1,dl_vlan=101 Actions=mod_vlan_ Vid:5,normal

650) this.width=650; "Src=" http://7xo6kd.com1.z0.glb.clouddn.com/ Upload-ueditor-image-20170119-1484822852058024824.jpg "/>

Port 1 is int-br-eth1, then these two rules should have the following meanings:
1. The incoming packet is received from the physical NIC, and if the VLAN is 100, the internal VLAN 1 is changed.
2. The incoming packet is received from the physical NIC, and if the VLAN is 101, it will be internal VLAN 5.

Simply put, the packet is isolated in the physical network via VLAN 100 and VLAN 101, and in the compute node OVS br-int is isolated through internal VLAN 1 and VLAN 5.

The flow rule of the control node is very similar and left to everyone to analyze.

Here we have completed the Neutron OVS VLAN learning, and the next section discusses routing in the OVS environment.

650) this.width=650; "Src=" http://7xo6kd.com1.z0.glb.clouddn.com/ Upload-ueditor-image-20170119-1484822852155063885.jpg "/>

Analyze OVS How to achieve VLAN isolation-5 minutes a day to play with OpenStack (140)