Isolating VM traffic using OVS VLANs

This article describes how to use Open vSwitch (OVS) VLANs to isolate traffic between VMs.


Setup

This guide assumes the following environment:

Two physical networks

  • Data network

    Ethernet network for VM data traffic; it carries the VLAN-tagged traffic between VMs. Your physical switch must be able to forward VLAN-tagged traffic, and its ports should operate in VLAN trunk mode. (This is usually the default behavior; configuring the physical switch hardware is beyond the scope of this article.)

  • Management network

    Strictly speaking, this network is not required, but it is a simple way to give the physical host an IP address for remote access, because an IP address cannot be assigned directly to eth0 (more on that in a moment).

Two physical hosts

This environment assumes two hosts, host1 and host2, both running Open vSwitch. Each host has two NICs, eth0 and eth1, configured as follows:

  • eth0 is connected to the data network. No IP address is assigned to eth0.

  • eth1 is connected to the management network (if required). eth1 has an IP address that is used to manage the physical host.

Four virtual machines

Each host runs two virtual machines (VMs): vm1 and vm2 run on host1, while vm3 and vm4 run on host2.

Each VM has a single interface, which appears as a Linux device (e.g., tap0) on the physical host.

Note:
For Xen/XenServer, VM interfaces appear as Linux devices with names like vif1.0. Other Linux systems may show them as vnet0, vnet1, etc.

Configuration Steps

Perform the following configuration on host host1:

  1. Create an OVS bridge:

    $ ovs-vsctl add-br br0

  2. Add the eth0 port to the bridge:

    $ ovs-vsctl add-port br0 eth0

Note:

  By default, all OVS ports are VLAN trunks, so eth0 passes traffic for every VLAN tag.

Note:

  When you add eth0 to the OVS bridge, any IP address assigned to eth0 stops working. Migrate eth0's IP address to a different interface before adding eth0 to the OVS bridge. This is the reason for the separate management connection via eth1.

  3. Add vm1 to the bridge as an "access port" on VLAN 100. This means that traffic coming into OVS from vm1 carries no VLAN tag and is treated as part of VLAN 100:

    $ ovs-vsctl add-port br0 tap0 tag=100

  4. Add vm2 to VLAN 200:

    $ ovs-vsctl add-port br0 tap1 tag=200

Repeat the same steps on host host2:

  1. Set up the bridge with eth0 as a VLAN trunk:

    $ ovs-vsctl add-br br0
    $ ovs-vsctl add-port br0 eth0

  2. Add vm3 to VLAN 100:

    $ ovs-vsctl add-port br0 tap0 tag=100

  3. Add vm4 to VLAN 200:

    $ ovs-vsctl add-port br0 tap1 tag=200
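The host1 and host2 steps above, scripted and followed by a check of the resulting port layout, as an added example that is not from the original article or from the Open vSwitch project. It assumes ovs-vsctl is on PATH on a real host; the OVS_DRY_RUN variable, the configure_host and audit_ports function names, and the sample `ovs-vsctl list Port` output are constructed for this example.

```sh
#!/bin/sh
# Added example, not part of the original article: script the host1/host2
# steps and then audit the resulting port layout. Assumes ovs-vsctl is on
# PATH on a real host; OVS_DRY_RUN (a variable invented for this script)
# makes it print the commands instead of running them.

# run CMD...: print the command when OVS_DRY_RUN=1, otherwise execute it.
run() {
    if [ "${OVS_DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# configure_host BRIDGE UPLINK "PORT:VLAN ..."
# Creates the bridge, adds the uplink untagged (a VLAN trunk, the OVS default)
# and adds each VM port as an access port carrying the given tag.
# --may-exist makes the script safe to re-run.
configure_host() {
    bridge=$1; uplink=$2; specs=$3
    run ovs-vsctl --may-exist add-br "$bridge"
    run ovs-vsctl --may-exist add-port "$bridge" "$uplink"
    for spec in $specs; do
        port=${spec%%:*}
        vlan=${spec#*:}
        run ovs-vsctl --may-exist add-port "$bridge" "$port" tag="$vlan"
    done
}

# audit_ports: reads `ovs-vsctl --columns=name,tag list Port` records from
# stdin and prints "port tag status" per record. A VM port (tap*, vnet*, vif*)
# with no tag is flagged, because an untagged port is a trunk and that VM
# would see every VLAN; an uplink (eth*) with a tag is flagged because it
# would no longer trunk. Exit status is non-zero if anything was flagged.
audit_ports() {
    awk '
        BEGIN { bad = 0 }
        $1 == "name" { name = $3; gsub(/"/, "", name) }
        $1 == "tag" {
            tag = ($3 == "[]") ? "trunk" : $3
            status = "ok"
            if (tag == "trunk" && name ~ /^(tap|vnet|vif)/) status = "UNTAGGED-VM-PORT"
            if (tag != "trunk" && name ~ /^eth/)            status = "TAGGED-UPLINK"
            print name, tag, status
            if (status != "ok") bad = 1
        }
        END { exit bad }'
}

# Constructed sample of `ovs-vsctl --columns=name,tag list Port` output on
# host1 after the steps above (the bridge's own internal port br0 is untagged too).
SAMPLE_PORTS='name                : br0
tag                 : []

name                : eth0
tag                 : []

name                : tap0
tag                 : 100

name                : tap1
tag                 : 200
'

# Constructed sample of a mistake: tap0 was added without tag=100.
BAD_PORTS='name                : eth0
tag                 : []

name                : tap0
tag                 : []
'

# Demo: show the commands for host1, then audit both samples.
OVS_DRY_RUN=1 configure_host br0 eth0 "tap0:100 tap1:200"
printf '%s' "$SAMPLE_PORTS" | audit_ports
if printf '%s' "$BAD_PORTS" | audit_ports; then
    echo "audit passed"
else
    echo "audit flagged a misconfigured port"
fi
```

On a live host, run `ovs-vsctl --columns=name,tag list Port | audit_ports` after the configuration steps; a non-zero exit means a VM port ended up untagged, that is, as a trunk that receives every VLAN, which silently defeats the isolation the tags are meant to provide even though the bridge otherwise looks correct.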

Verification

Pings from vm1 to vm3 should succeed, because the two VMs are on the same VLAN (100).

Pings from vm2 to vm4 should succeed, because the two VMs are on the same VLAN (200).

Pings from vm1 or vm3 to vm2 or vm4 should not succeed, because these VMs are not on the same VLAN. If you have a router configured to forward traffic between the VLANs, the pings will work. However, packets arriving at vm3 should then have the source MAC address of the router, not that of vm1.

Source: blog.csdn.net/sinat_20184565/article/details/94481735