OpenvSwitch实现简单VLAN

2023-10-28

需求：

现有拓扑结构如下的网络结构(s1-s4为交换机，h1-h9为主机)，现欲让单数主机(h1、h3、h5、h7、h9)之间互相能ping通，双数主机之间互相能够ping通，但单数和双数主机之间不能访问。

# 拓扑结构:
------------------------------------------------------
-------------------------s1---------------------------
---------------------/---|---\-------------------------
-----------------/-------|------\---------------------
--------------/----------|---------\------------------
------------/------------|------------\---------------
---------s2--------------s3--------------s4-----------
-------/--|--\---------/--|--\---------/--|--\--------
------h1--h2--h3------h4--h5--h6------h7--h8--h9------
------------------------------------------------------
------------------------------------------------------

OpenvSwitch实现分组

第一步，打开mininet 连接控制器

打开控制器

这里选择任意控制器均可，但是控制器要支持openflow1.3协议

打开mininet

mn --controller=remote,ip=127.0.0.1--mac --nat --topo=tree,depth=2,fanout=3 --switch ovs,protocols=OpenFlow13

–controller=remote,ip=127.0.0.1。指定了控制器为本地控制器
–topo=tree,depth=2,fanout=3。创建深度为2，度为3的树形结构的拓扑结构网络
–switch ovs,protocols=OpenFlow13。指定交换机为ovs，协议为OpenFlow1.3

第二步：

先在mininet里面pingall

用来生成初始流表

然后删除除了s1以外其它控制器的流表

ovs-ofctl -O OpenFlow13 del-flows s2
ovs-ofctl -O OpenFlow13 del-flows s3
ovs-ofctl -O OpenFlow13 del-flows s4

第三步，添加流表：

自定义转发规则,单数主机和双数主机分别添加进入不同的VLAN组内，交换机分发报文时根据来源的组判断发往的端口。

# s2
ovs-ofctl -O OpenFlow13 add-flow s2 priority=1,in_port=1,actions=push_vlan:0x8100,set_field:4096-\>vlan_vid,output:4
ovs-ofctl -O OpenFlow13 add-flow s2 priority=1,in_port=2,actions=push_vlan:0x8100,set_field:4097-\>vlan_vid,output:4
ovs-ofctl -O OpenFlow13 add-flow s2 priority=1,in_port=3,actions=push_vlan:0x8100,set_field:4096-\>vlan_vid,output:4
ovs-ofctl -O OpenFlow13 add-flow s2 priority=1,dl_vlan=0,actions=pop_vlan,output:1,output:3
ovs-ofctl -O OpenFlow13 add-flow s2 priority=1,dl_vlan=1,actions=pop_vlan,output:2
# ovs-ofctl -O OpenFlow13 add-flow s2 priority=1,dl_vlan=0,actions=pop_vlan,output:3
# s3
ovs-ofctl -O OpenFlow13 add-flow s3 priority=1,in_port=1,actions=push_vlan:0x8100,set_field:4097-\>vlan_vid,output:4
ovs-ofctl -O OpenFlow13 add-flow s3 priority=1,in_port=2,actions=push_vlan:0x8100,set_field:4096-\>vlan_vid,output:4
ovs-ofctl -O OpenFlow13 add-flow s3 priority=1,in_port=3,actions=push_vlan:0x8100,set_field:4097-\>vlan_vid,output:4
ovs-ofctl -O OpenFlow13 add-flow s3 priority=1,dl_vlan=1,actions=pop_vlan,output:1,output:3
ovs-ofctl -O OpenFlow13 add-flow s3 priority=1,dl_vlan=0,actions=pop_vlan,output:2
# ovs-ofctl -O OpenFlow13 add-flow s3 priority=1,dl_vlan=1,actions=pop_vlan,output:3
# s4
ovs-ofctl -O OpenFlow13 add-flow s4 priority=1,in_port=1,actions=push_vlan:0x8100,set_field:4096-\>vlan_vid,output:4
ovs-ofctl -O OpenFlow13 add-flow s4 priority=1,in_port=2,actions=push_vlan:0x8100,set_field:4097-\>vlan_vid,output:4
ovs-ofctl -O OpenFlow13 add-flow s4 priority=1,in_port=3,actions=push_vlan:0x8100,set_field:4096-\>vlan_vid,output:4
ovs-ofctl -O OpenFlow13 add-flow s4 priority=1,dl_vlan=0,actions=pop_vlan,output:1,output:3
ovs-ofctl -O OpenFlow13 add-flow s4 priority=1,dl_vlan=1,actions=pop_vlan,output:2
# ovs-ofctl -O OpenFlow13 add-flow s4 priority=1,dl_vlan=0,actions=pop_vlan,output:3

含义：
从sx的in_port对应的机器分到set_field/vlan_id,通过4号口(对应s1)发出去
来自dl_vlan的数据包发送给output端口。

测试

在这里插入图片描述

目前存在的问题：

同一个交换机内部的组内总是ping不通，例如s2下的h1和h3 ping不通
可以通过继续添加流表(交换机内部节点之间的转发规则)解决

改进：实现VLAN

经过分析可知上述方法会阻断不同组之间的所有流量，而VLAN的目的是阻断广播流量而不阻断单播流量。
故对上述方法进行改进：增加流表的过滤条件的dl_dst字段，过滤出dl_dst=FF:FF:FF:FF:FF:FF的分组即广播分组，对此类分组做处理使其只能转发给特定的组。

操作步骤：

和上述方法类似，只是不用删除原始流表。

要添加的流表如下：


# s1
ovs-ofctl -O OpenFlow13 add-flow s1 priority=10,in_port=1,actions=output:1,output:2,output:3
ovs-ofctl -O OpenFlow13 add-flow s1 priority=10,in_port=2,actions=output:1,output:2,output:3
ovs-ofctl -O OpenFlow13 add-flow s1 priority=10,in_port=3,actions=output:1,output:2,output:3

# s2
ovs-ofctl -O OpenFlow13 add-flow s2 priority=10,in_port=1,dl_dst=FF:FF:FF:FF:FF:FF,actions=push_vlan:0x8100,set_field:4096-\>vlan_vid,output:4,output:3
ovs-ofctl -O OpenFlow13 add-flow s2 priority=10,in_port=2,dl_dst=FF:FF:FF:FF:FF:FF,actions=push_vlan:0x8100,set_field:4097-\>vlan_vid,output:4
ovs-ofctl -O OpenFlow13 add-flow s2 priority=10,in_port=3,dl_dst=FF:FF:FF:FF:FF:FF,actions=push_vlan:0x8100,set_field:4096-\>vlan_vid,output:4,output:1
ovs-ofctl -O OpenFlow13 add-flow s2 priority=10,dl_vlan=0,actions=pop_vlan,output:1,output:3
ovs-ofctl -O OpenFlow13 add-flow s2 priority=10,dl_vlan=1,actions=pop_vlan,output:2

# s3
ovs-ofctl -O OpenFlow13 add-flow s3 priority=10,in_port=1,dl_dst=FF:FF:FF:FF:FF:FF,actions=push_vlan:0x8100,set_field:4097-\>vlan_vid,output:4,output:3
ovs-ofctl -O OpenFlow13 add-flow s3 priority=10,in_port=2,dl_dst=FF:FF:FF:FF:FF:FF,actions=push_vlan:0x8100,set_field:4096-\>vlan_vid,output:4
ovs-ofctl -O OpenFlow13 add-flow s3 priority=10,in_port=3,dl_dst=FF:FF:FF:FF:FF:FF,actions=push_vlan:0x8100,set_field:4097-\>vlan_vid,output:4,output:1
ovs-ofctl -O OpenFlow13 add-flow s3 priority=10,dl_vlan=1,actions=pop_vlan,output:1,output:3
ovs-ofctl -O OpenFlow13 add-flow s3 priority=10,dl_vlan=0,actions=pop_vlan,output:2

# s4
ovs-ofctl -O OpenFlow13 add-flow s4 priority=10,in_port=1,dl_dst=FF:FF:FF:FF:FF:FF,actions=push_vlan:0x8100,set_field:4096-\>vlan_vid,output:4,output:3
ovs-ofctl -O OpenFlow13 add-flow s4 priority=10,in_port=2,dl_dst=FF:FF:FF:FF:FF:FF,actions=push_vlan:0x8100,set_field:4097-\>vlan_vid,output:4
ovs-ofctl -O OpenFlow13 add-flow s4 priority=10,in_port=3,dl_dst=FF:FF:FF:FF:FF:FF,actions=push_vlan:0x8100,set_field:4096-\>vlan_vid,output:4,output:1
ovs-ofctl -O OpenFlow13 add-flow s4 priority=10,dl_vlan=0,actions=pop_vlan,output:1,output:3
ovs-ofctl -O OpenFlow13 add-flow s4 priority=10,dl_vlan=1,actions=pop_vlan,output:2

测试

首先安装Scapy用于发送报文

sudo apt-get install scapy -y
# 或者去官网下载源码安装

连接mininet测试连通性

见下图

添加流表并测试VLAN

添加流表，然后pingall测试，可见节点之间仍然是通的。
在这里插入图片描述

后台打开h5，h6的xterm，启动wireshark对h1抓包（s2-eth1）。

# mininet输入：
h5 xterm &
h6 xterm &

h5，h6分别利用scapy发送arp报文，内容如下：

# sendp()来构造二层报文
# 这里构造了一个源MAC地址为00:00:00:00:00:05, 源IP地址为10.0.0.5, 目标MAC地址为ff:ff:ff:ff:ff:ff，目标IP地址为10.0.0.88(不存在)，payload为i am cheney的ARP报文,该报文将从h5-eth0网卡发出。
sendp(Ether(dst='ff:ff:ff:ff:ff:ff') / ARP(hwsrc = '00:00:00:00:00:05', psrc = '10.0.0.5', hwdst = 'ff:ff:ff:ff:ff:ff', pdst = '10.0.0.88') / 'i am cheney', iface='h5-eth0')
# 下面类似
sendp(Ether(dst='ff:ff:ff:ff:ff:ff') / ARP(hwsrc = '00:00:00:00:00:06', psrc = '10.0.0.6', hwdst = 'ff:ff:ff:ff:ff:ff', pdst = '10.0.0.88') / 'i am cheney', iface='h6-eth0')

在这里插入图片描述

可见h1能够收到h5的arp报文，但是收不到h6 的，可见VLAN起了作用，测试结束。

本文内容由网友自发贡献，版权归原作者所有，本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容，请联系:hwhale#tublm.com(使用前将#替换为@)

网络与Linux系列

SDN

Openvswitch

VLAN

mininet