ovn gateway出网方案,以及fip (简化出网架构)

环境

集群

节点 ip 1 ip 2 组件
master01 172.31.133.26/26 172.31.133.90/26 ovn-central(nb,sb,northd)
node01 172.31.133.27/26 172.31.133.91/26 controller,ovs(vswitchd,db)
node02 172.31.133.28/26 172.31.133.92/26 controller,ovs(vswitchd,ovsdb)

ovn初始环境

一个逻辑交换机bridge0 和一个逻辑路由器router0,交换机上挂了容器化的虚机vm0 172.66.1.12

网络配置

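# Create the logical router that will later also carry the external port.
ovn-nbctl lr-add router0

# Router side of the router0 <-> bridge0 link. The port name has to match the
# router-port= option set on the switch side below (and the name shown by
# `ovn-nbctl show`), so it is router0-bridge0 - the original "router1-bridge0"
# left the switch port peered to a non-existent router port.
ovn-nbctl lrp-add router0 router0-bridge0 04:ac:10:ff:34:00 172.66.1.10/24

# Switch side of the link: a router-type port on 'bridge0' whose address is
# the router port's MAC and which is peered to router0-bridge0.
ovn-nbctl lsp-add bridge0 bridge0-router0
ovn-nbctl lsp-set-type bridge0-router0 router
ovn-nbctl lsp-set-addresses bridge0-router0 04:ac:10:ff:34:00
ovn-nbctl lsp-set-options bridge0-router0 router-port=router0-bridge0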
ovn-nbctl show
router dfecb747-b655-42d8-a63b-54aad5123ab6 (router0)
    port router0-bridge0
        mac: "04:ac:10:ff:34:00"
        networks: ["172.66.1.10/24"]
switch b60a46af-de3a-44c2-ac88-4426fa004140 (bridge0)
    port bridge0-vm0
        addresses: ["dynamic"]
    port bridge0-router0
        type: router
        router-port: router0-bridge0
ovn-sbctl show
Chassis "aa8648e9-e367-4992-9d87-e96b99993ccc"
    hostname: "node01"
    Encap geneve
        ip: "172.31.133.27"
        options: {csum="true"}
Chassis "76dc7a18-0b4e-4a25-84c8-5fce4578cf78"
    hostname: "node02"
    Encap geneve
        ip: "172.31.133.28"
        options: {csum="true"}
    Port_Binding "bridge0-vm0"

gateway

网络拓扑图

![网络拓扑图][1]

文本流程图

         __________
        | enp6s0f1 |  Physical Network
         ----------
             |
         ____|_____
        |  bridge  |  br-ex
         ----------
             | mapping
         ____|____
        |  switch |   outside
         ---------
             |
         ____|____
        |  router |   router0 port 'router0-outside': 172.31.133.95/26
         ---------            port 'router0-bridge0': 172.66.1.10/24
             |
         ____|____
        |  switch |   bridge0 172.66.1.0/24
         ---------
         /       \
 _______/_       _\_______
|  vm0    |     |   vm1   |
 ---------       ---------
172.66.1.12      172.66.1.13

网络配置

STEP1

创建交换机outside并连接路由器router0

# Router-side port of router0 that faces the physical network. Its address
# 172.31.133.95/26 is in the same subnet as the cluster nodes. The port is
# pinned to the node02 chassis (76dc7a18-...), which thereby becomes the
# gateway chassis for this router; both steps go in one nbctl transaction.
ovn-nbctl lrp-add router0 router0-outside 02:0a:7f:18:01:02 172.31.133.95/26 \
  -- lrp-set-gateway-chassis router0-outside 76dc7a18-0b4e-4a25-84c8-5fce4578cf78

# Logical switch 'outside' with a router-type port whose address is the router
# port's MAC and which is peered to router0-outside.
ovn-nbctl ls-add outside \
  -- lsp-add outside outside-router0 \
  -- lsp-set-type outside-router0 router \
  -- lsp-set-addresses outside-router0 02:0a:7f:18:01:02 \
  -- lsp-set-options outside-router0 router-port=router0-outside
# Variant kept from the original notes but not applied: nat-addresses=router
# additionally has the gateway chassis announce the router's NAT addresses
# on the physical network side.
# ovn-nbctl lsp-set-options outside-router0  nat-addresses=router router-port=router0-outside

STEP2

创建ovs网桥br-ex,并关联逻辑交换机outside

# Localnet port on 'outside' - the attachment point to the physical network.
# network_name=phyNet must match the ovn-bridge-mappings configured on the
# gateway node's OVS; addresses 'unknown' admits any MAC from the outside.
ovn-nbctl lsp-add outside outside-localnet \
  -- lsp-set-type outside-localnet localnet \
  -- lsp-set-addresses outside-localnet unknown \
  -- lsp-set-options outside-localnet network_name=phyNet

在node02上创建ovs网桥br-ex,然后将enp6s0f1挂到ovs网桥上

# On node02 (the gateway chassis): create br-ex with the physical NIC
# enp6s0f1 attached, then tell ovn-controller that phyNet maps to br-ex.
ovs-vsctl add-br br-ex -- add-port br-ex enp6s0f1
ovs-vsctl set Open_vSwitch . external-ids:ovn-bridge-mappings=phyNet:br-ex

STEP3

通过snat实现访问外网。通过dnat_and_snat实现fip

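# Outbound: SNAT the whole tenant subnet behind the router's external address.
# lr-nat-add validates its arguments and refuses a duplicate entry, unlike a
# raw `create nat` row, and it is the counterpart of the lr-nat-list /
# lr-nat-del commands used later on this page.
ovn-nbctl lr-nat-add router0 snat 172.31.133.95 172.66.1.0/24

# Floating IP for vm0: dnat_and_snat maps 172.31.133.96 <-> 172.66.1.12 in
# both directions, so vm0 becomes reachable from the physical network on
# every port; add logical-switch ACLs if inbound access should be limited.
ovn-nbctl lr-nat-add router0 dnat_and_snat 172.31.133.96 172.66.1.12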

查看

查看nat

[root@master01 /]#  ovn-nbctl lr-nat-list router0
TYPE             EXTERNAL_IP        LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
dnat_and_snat    172.31.133.96      172.66.1.12
snat             172.31.133.95      172.66.1.0/24

查看ovn网络

[root@master01 /]#
[root@master01 /]# ovn-nbctl show
switch 463541bc-4d61-4ab4-b2de-7049d149ed13 (outside)
    port outside-router0
        type: router
        addresses: ["02:0a:7f:18:01:02"]
        router-port: router0-outside
    port outside-localnet
        type: localnet
        addresses: ["unknown"]
switch b60a46af-de3a-44c2-ac88-4426fa004140 (bridge0)
    port bridge0-vm0
        addresses: ["dynamic"]
    port bridge0-router0
        type: router
        router-port: router0-bridge0
router dfecb747-b655-42d8-a63b-54aad5123ab6 (router0)
    port router0-outside
        mac: "02:0a:7f:18:01:02"
        networks: ["172.31.133.95/26"]
        gateway chassis: [76dc7a18-0b4e-4a25-84c8-5fce4578cf78]
    port router0-bridge0
        mac: "04:ac:10:ff:34:00"
        networks: ["172.66.1.10/24"]
[root@master01 /]#
[root@master01 /]# ovn-sbctl show
Chassis "aa8648e9-e367-4992-9d87-e96b99993ccc"
    hostname: "node01"
    Encap geneve
        ip: "172.31.133.27"
        options: {csum="true"}
    Port_Binding "bridge2-vm2"
Chassis "76dc7a18-0b4e-4a25-84c8-5fce4578cf78"
    hostname: "node02"
    Encap geneve
        ip: "172.31.133.28"
        options: {csum="true"}
    Port_Binding "cr-router0-outside"
    Port_Binding "bridge0-vm0"

查看ovs网桥(node02)

[root@node02 ~]# ovs-vsctl show
1bd24d64-5b67-4497-b972-5789ba8d4fa7
    Bridge br-int
        fail_mode: secure
        Port patch-br-int-to-outside-localnet
            Interface patch-br-int-to-outside-localnet
                type: patch
                options: {peer=patch-outside-localnet-to-br-int}
        Port "qvm0cgmk4"
            Interface "qvm0cgmk4"
        Port "ovn-aa8648-0"
            Interface "ovn-aa8648-0"
                type: geneve
                options: {csum="true", key=flow, remote_ip="172.31.133.27"}
        Port br-int
            Interface br-int
                type: internal
        Port "ovn-1800fb-0"
            Interface "ovn-1800fb-0"
                type: geneve
                options: {csum="true", key=flow, remote_ip="172.31.133.26"}
    Bridge br-ex
        Port br-ex
            Interface br-ex
                type: internal
        Port patch-outside-localnet-to-br-int
            Interface patch-outside-localnet-to-br-int
                type: patch
                options: {peer=patch-br-int-to-outside-localnet}
        Port "enp6s0f1"
            Interface "enp6s0f1"
    ovs_version: "2.11.2"

clear

# Tear down in reverse order, in one nbctl transaction: drop the two NAT
# rules (dnat_and_snat is addressed by its external IP, snat by its logical
# IP), then the 'outside' switch and the router's external port.
ovn-nbctl lr-nat-del router0 dnat_and_snat 172.31.133.96 \
  -- lr-nat-del router0 snat 172.66.1.0/24 \
  -- ls-del outside \
  -- lrp-del router0-outside

# On node02: deleting br-ex also detaches enp6s0f1 from OVS.
ovs-vsctl del-br br-ex

验证

在vm0里ping node01

注:此环境中enp6s0f1无法连通外网,不然可以在vm0中ping通外网
[root@master01 ovn]# virtctl console vm0
[root@vm0 ~]#
[root@vm0 ~]# ping 172.31.133.91
PING 172.31.133.91 (172.31.133.91) 56(84) bytes of data.
64 bytes from 172.31.133.91: icmp_seq=1 ttl=62 time=1.38 ms
64 bytes from 172.31.133.91: icmp_seq=2 ttl=62 time=0.396 ms

--- 172.31.133.91 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.396/0.889/1.383/0.494 ms
[root@vm0 ~]#

在master01上ping fip 172.31.133.96

[root@master01 home]# ping 172.31.133.96
PING 172.31.133.96 (172.31.133.96) 56(84) bytes of data.
64 bytes from 172.31.133.96: icmp_seq=1 ttl=62 time=2.04 ms
64 bytes from 172.31.133.96: icmp_seq=2 ttl=62 time=0.530 ms
^C
--- 172.31.133.96 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.530/1.285/2.041/0.756 ms
[root@master01 home]#
