In the previous section we created two Macvlan networks and deployed containers with the following network structure:
This section verifies the connectivity between the Macvlan networks.
bbox1 can ping bbox3, and bbox2 can ping bbox4. That is, containers on the same Macvlan network can communicate.
bbox1 cannot ping bbox2 or bbox4. That is, different Macvlan networks cannot communicate with each other. More precisely, different Macvlan networks cannot communicate at layer 2; they can still be connected through a gateway at layer 3, which is what we set up below.
We will configure the host 192.168.56.101 as a virtual router, set up the gateways on it and forward traffic between VLAN 10 and VLAN 20. Of course, a physical router would achieve the same effect. First make sure IP forwarding is enabled in the operating system.
An output of 1 means it is enabled; if it is 0, enable it with the following command:
sysctl -w net.ipv4.ip_forward=1
Configure the VLAN sub-interfaces in /etc/network/interfaces:
auto eth2
iface eth2 inet manual
auto eth2.10
iface eth2.10 inet manual
vlan-raw-device eth2
auto eth2.20
iface eth2.20 inet manual
vlan-raw-device eth2
Bring up the sub-interfaces:
ifup eth2.10
ifup eth2.20
Configure the gateway IP addresses on the sub-interfaces:
ifconfig eth2.10 172.16.10.1 netmask 255.255.255.0 up
ifconfig eth2.20 172.16.20.1 netmask 255.255.255.0 up
Add iptables rules to forward packets between the two VLANs:
iptables -t nat -A POSTROUTING -o eth2.10 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth2.20 -j MASQUERADE
iptables -A FORWARD -i eth2.10 -o eth2.20 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth2.20 -o eth2.10 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth2.10 -o eth2.20 -j ACCEPT
iptables -A FORWARD -i eth2.20 -o eth2.10 -j ACCEPT
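The steps above as one re-runnable script, added here as an example (it is not code from the original post or its author). It assumes the post's values: eth2 as the trunk interface, VLAN ids 10 and 20, gateways 172.16.10.1 and 172.16.20.1, and uses ip(8) in place of ifup/ifconfig. By default it only prints the commands (DRY_RUN=1); run it as root with DRY_RUN=0 to apply them. The show_state function at the end dumps the routing table, ARP cache and rule sets that the packet-path analysis further down consults on the router.

```shell
#!/bin/sh
# Added example, not code from the original post: inter-VLAN router setup.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it (needs root).
set -eu

DRY_RUN="${DRY_RUN:-1}"     # 1 = print commands only, 0 = execute them
ONE_WAY="${ONE_WAY:-0}"     # 1 = only VLAN A may open connections to VLAN B
RAW_DEV="${RAW_DEV:-eth2}"  # trunk interface carrying both VLANs (from the post)

# run CMD...: print the command, then execute it unless dry-running
run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# enable_ip_forward: without this the kernel will not route between VLANs
enable_ip_forward() {
    run sysctl -w net.ipv4.ip_forward=1
}

# configure_vlan VID GATEWAY: create the 802.1Q sub-interface RAW_DEV.VID and
# put the gateway address on it (equivalent of the interfaces stanza + ifconfig)
configure_vlan() {
    vid="$1"; gw="$2"; dev="$RAW_DEV.$vid"
    if [ "$DRY_RUN" = "1" ] || ! ip link show "$dev" >/dev/null 2>&1; then
        run ip link add link "$RAW_DEV" name "$dev" type vlan id "$vid"
    fi
    run ip link set "$dev" up
    run ip addr replace "$gw/24" dev "$dev"   # replace: safe to run again
}

# add_rule TABLE CHAIN MATCH...: append the rule only if it is not already there
add_rule() {
    table="$1"; chain="$2"; shift 2
    if [ "$DRY_RUN" = "1" ] || ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        run iptables -t "$table" -A "$chain" "$@"
    fi
}

# configure_forwarding VID_A VID_B: the post's NAT and FORWARD rules. With both
# unconditional ACCEPT rules present the RELATED,ESTABLISHED rules are redundant;
# ONE_WAY=1 keeps only the stateful rule for B->A, so hosts on VLAN A can reach
# VLAN B but VLAN B cannot initiate connections towards VLAN A.
configure_forwarding() {
    a="$RAW_DEV.$1"; b="$RAW_DEV.$2"
    add_rule nat POSTROUTING -o "$a" -j MASQUERADE
    add_rule nat POSTROUTING -o "$b" -j MASQUERADE
    add_rule filter FORWARD -i "$b" -o "$a" -m state --state RELATED,ESTABLISHED -j ACCEPT
    add_rule filter FORWARD -i "$a" -o "$b" -j ACCEPT
    if [ "$ONE_WAY" != "1" ]; then
        add_rule filter FORWARD -i "$a" -o "$b" -m state --state RELATED,ESTABLISHED -j ACCEPT
        add_rule filter FORWARD -i "$b" -o "$a" -j ACCEPT
    fi
}

# show_state: the tables the router consults when forwarding bbox1 -> bbox4
show_state() {
    run ip -4 route show           # which sub-interface 172.16.20.0/24 leaves on
    run ip -4 neigh show           # ARP cache: which MAC answers for 172.16.20.11
    run iptables -S FORWARD
    run iptables -t nat -S POSTROUTING
}

enable_ip_forward
configure_vlan 10 172.16.10.1
configure_vlan 20 172.16.20.1
configure_forwarding 10 20
show_state
```

The iptables -C checks and ip addr replace make the script idempotent, so it can be re-run after a reboot or a partial failure without duplicating rules. ONE_WAY=1 is the setting to use when VLAN 20 should be reachable from VLAN 10 but not the other way round.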
The current network topology is as follows:
Now bbox1 on host1's mac_net10 can communicate with bbox4 on host2's mac_net20.
Below we analyze how a packet travels from bbox1 (172.16.10.10) to bbox4 (172.16.20.11). The whole process is as follows:
① Because bbox1 and bbox4 are in different IP subnets, bbox1 consults its routing table:
The packet is sent to the gateway 172.16.10.1.
② The router receives the packet on eth2.10, sees that the destination address is 172.16.20.11, and looks up its own routing table:
The packet is then forwarded out of eth2.20.
③ From its ARP table, the router knows that 172.16.20.11 is on host2, so it sends the packet to host2.
④ host2 delivers the packet to bbox4 based on the destination address and the VLAN information.
The connectivity and isolation of Macvlan networks rely entirely on VLANs, IP subnets and routing; Docker itself imposes no restrictions, so users can manage Macvlan networks the way they manage traditional VLAN networks.
This concludes our discussion of Macvlan. Congratulations on completing another networking solution; in the next section we start learning about flannel.
Macvlan network isolation and connectivity - 5 minutes a day to play with Docker container technology (57)