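Linux Policy Routing: Use Case and Verification
Source: Internet  Editor: 程序博客网  Date: 2024/06/06 08:59
Test environment: CentOS 7 + OVS 2.4.0
Schematic diagram
Topology diagram
1. As shown in the topology, configure the corresponding IP address on each port group and on the VM
2. Connect the two bridges qos_pri and policy_bridge with a pair of patch ports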
# policy_bridge side: patch port patch_to_qos, peered with patch_to_policy
ovs-vsctl add-port policy_bridge patch_to_qos
ovs-vsctl set Interface patch_to_qos type=patch
ovs-vsctl set Interface patch_to_qos options:peer=patch_to_policy
ovs-vsctl show
# qos_pri side: patch port patch_to_policy, peered with patch_to_qos (add-port takes the bridge first, then the port)
ovs-vsctl add-port qos_pri patch_to_policy
ovs-vsctl set Interface patch_to_policy type=patch
ovs-vsctl set Interface patch_to_policy options:peer=patch_to_qos
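With neither policy routing nor the patch ports configured
The VM cannot reach either port group. By default, packets for the 172.168.1.0 subnet leave through the test_pg interface, but the VM's packets only get as far as the qos_pri bridge, where forwarding stops.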
[root@localhost ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         100.5.4.254     0.0.0.0         UG    100    0        0 eno1
100.5.4.0       0.0.0.0         255.255.252.0   U     100    0        0 eno1
172.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 test_pg
172.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 qos_pg
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 br-test
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
Without policy routing, after the patch ports are configured
The VM pings 172.168.1.15 and 172.168.1.10 in turn while packets are captured on both port groups
tcpdump -i qos_pg -n -nn
No packets are captured
tcpdump -i test_pg -n -nn
The echo requests and replies for both 172.168.1.15 and 172.168.1.10 are captured
16:41:50.438155 IP 172.168.1.12 > 172.168.1.15: ICMP echo request, id 14797, seq 16, length 64
16:41:50.438205 IP 172.168.1.15 > 172.168.1.12: ICMP echo reply, id 14797, seq 16, length 64
16:41:21.217165 IP 172.168.1.12 > 172.168.1.10: ICMP echo request, id 14585, seq 1209, length 64
16:41:21.217226 IP 172.168.1.10 > 172.168.1.12: ICMP echo reply, id 14585, seq 1209, length 64
With both policy routing and the patch ports configured
[root@localhost ~]# ip route add 172.168.1.0 via 172.168.1.15 dev qos_pg table 11
[root@localhost ~]# ip route add default via 172.168.1.15 dev qos_pg table 11
[root@localhost ~]# ip rule add from 172.168.1.15 table 11
[root@localhost ~]# tcpdump -i qos_pg -n -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on qos_pg, link-type EN10MB (Ethernet), capture size 65535 bytes
16:45:35.441155 IP 172.168.1.12 > 172.168.1.15: ICMP echo request, id 14797, seq 241, length 64
16:45:35.441214 IP 172.168.1.15 > 172.168.1.12: ICMP echo reply, id 14797, seq 241, length 64
[root@localhost ~]# tcpdump -i test_pg -n -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on test_pg, link-type EN10MB (Ethernet), capture size 65535 bytes
16:46:13.504134 IP 172.168.1.12 > 172.168.1.10: ICMP echo request, id 14842, seq 8, length 64
16:46:13.504214 IP 172.168.1.10 > 172.168.1.12: ICMP echo reply, id 14842, seq 8, length 64
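How the packets are forwarded
[root@localhost ~]# ip rule show
0:      from all lookup local
32764:  from 172.168.1.15 lookup 11
32765:  from 10.1.1.3 lookup 10
32766:  from all lookup main
32767:  from all lookup default
[root@localhost ~]# ip route show table 11
default via 172.168.1.15 dev qos_pg
172.168.1.0 via 172.168.1.15 dev qos_pg
Routing rules are consulted in priority order when a route is looked up. With the rule added above, packets whose source address is 172.168.1.15 look up their route in table 11, and table 11 only needs to set the outgoing interface to qos_pg.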
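The rule walk described above can be checked offline. This is an added example, not code from the original post: a simplified Python model of the lookup using the `ip rule show` output and the table 11 and main routes shown on this page. The empty local/10/default tables, reading the prefix-less 172.168.1.0 route as a /32, and letting the first-listed of the two equal 172.168.1.0/24 routes win are assumptions of the model.

```python
import ipaddress

# `ip rule show` output from this page (spacing normalised).
RULES = """\
0: from all lookup local
32764: from 172.168.1.15 lookup 11
32765: from 10.1.1.3 lookup 10
32766: from all lookup main
32767: from all lookup default
"""

# (prefix, device) per table. Table 11 and main are taken from the page;
# tables not shown there (local, 10, default) are assumed empty.
TABLES = {
    "11": [("0.0.0.0/0", "qos_pg"), ("172.168.1.0/32", "qos_pg")],
    "main": [("0.0.0.0/0", "eno1"), ("100.5.4.0/22", "eno1"),
             ("172.168.1.0/24", "test_pg"), ("172.168.1.0/24", "qos_pg"),
             ("192.168.10.0/24", "br-test"), ("192.168.122.0/24", "virbr0")],
}

def parse_rules(text):
    """Return [(priority, source_network, table)] sorted by priority."""
    rules = []
    for line in text.splitlines():
        prio, rest = line.split(":", 1)
        words = rest.split()  # e.g. ['from', 'all', 'lookup', 'main']
        src = words[words.index("from") + 1]
        table = words[words.index("lookup") + 1]
        net = ipaddress.ip_network("0.0.0.0/0" if src == "all" else src)
        rules.append((int(prio), net, table))
    return sorted(rules, key=lambda r: r[0])

def lookup(src, dst):
    """Return (rule_priority, table, device) for a packet, or None."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, selector, table in parse_rules(RULES):
        if src_ip not in selector:
            continue
        best = None  # longest prefix wins; first listed wins a tie (assumption)
        for prefix, dev in TABLES.get(table, []):
            net = ipaddress.ip_network(prefix)
            if dst_ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, dev)
        if best:  # no matching route in this table: try the next rule
            return prio, table, best[1]
    return None

if __name__ == "__main__":
    for src in ("172.168.1.15", "172.168.1.10"):
        print(src, "->", lookup(src, "172.168.1.12"))
```

The two results match the captures on this page: replies sourced from 172.168.1.15 leave through qos_pg via table 11, while replies sourced from 172.168.1.10 fall through to the main table and leave through test_pg.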