Playing with Open vSwitch, Stop 2: Bridge and Controller

叁叁肆 2018-11-06 16:20

This article is published on the NetEase Cloud Community with the authorization of its author, Liu Chao.



The Bridge table is structured as follows:



Let's first look at one of its entries: Controller.




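OpenFlow configuration: as the architecture diagram shows, an Open vSwitch bridge can be managed by a central controller over the OpenFlow protocol.


Once a bridge is connected to an OpenFlow controller, its flow table is managed centrally by the controller. If the connection is lost:

  • secure: the bridge keeps trying to connect to the controller and does not build a flow table on its own

  • standalone: once the bridge has failed to reach the controller three times, it builds and manages the flow table itself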


There are many different OpenFlow controllers:

http://groups.geni.net/geni/wiki/OpenFlow/Controllers


This experiment uses Floodlight.




First, create three virtual machines, all connected to the bridge ubuntu_br.







Install Floodlight

  • http://www.projectfloodlight.org/getting-started/

  • git clone https://github.com/floodlight/floodlight.git

  • cd floodlight/

  • ant

  • nohup java -jar target/floodlight.jar > floodlight.log 2>&1 &


Set the controller


ovs-vsctl set-controller ubuntu_br tcp:192.168.100.1:6633




Open the Floodlight web UI


http://16.158.166.150:8080/ui/index.html


Floodlight's REST API


http://docs.projectfloodlight.org/display/floodlightcontroller/Floodlight+REST+API


By default, the three machines can ping one another.



Call the REST API to set rules that allow only Instance01 and Instance03 to communicate with each other.


curl -d '{"switch": "00:00:2a:96:0e:c7:85:49", "name":"static-flow1", "cookie":"0", "priority":"32768", "src-mac":"52:54:00:9b:d5:11","active":"true", "actions":"output=12"}'  http://16.158.166.150:8080/wm/staticflowentrypusher/json


curl -d '{"switch": "00:00:2a:96:0e:c7:85:49", "name":"static-flow2", "cookie":"0", "priority":"32768", "src-mac":"52:54:00:9b:d5:77","active":"true", "actions":"output=10"}'  http://16.158.166.150:8080/wm/staticflowentrypusher/json


Clear all rules with the REST API


curl http://16.158.166.150:8080/wm/staticflowentrypusher/clear/00:00:2a:96:0e:c7:85:49/json



Direct each MAC address to its correct port


curl -d '{"switch": "00:00:2a:96:0e:c7:85:49", "name":"static-flow1", "cookie":"0", "priority":"32768", "dst-mac":"52:54:00:9b:d5:11","active":"true", "actions":"output=10"}'  http://16.158.166.150:8080/wm/staticflowentrypusher/json


curl -d '{"switch": "00:00:2a:96:0e:c7:85:49", "name":"static-flow2", "cookie":"0", "priority":"32768", "dst-mac":"52:54:00:9b:d5:33","active":"true", "actions":"output=11"}'  http://16.158.166.150:8080/wm/staticflowentrypusher/json


curl -d '{"switch": "00:00:2a:96:0e:c7:85:49", "name":"static-flow3", "cookie":"0", "priority":"32768", "dst-mac":"52:54:00:9b:d5:77","active":"true", "actions":"output=12"}'  http://16.158.166.150:8080/wm/staticflowentrypusher/json


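Next, we deliberately alter the flow so that traffic that should be forwarded to Instance03 is forced to Instance02 instead.


Ping Instance03 from Instance01 while capturing on Instance02 and Instance03 with tcpdump; during the ping, use the REST API to redirect the packets destined for Instance03 to Instance02.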


curl -d '{"switch": "00:00:2a:96:0e:c7:85:49", "name":"static-flow3", "cookie":"0", "priority":"32768", "dst-mac":"52:54:00:9b:d5:77","active":"true", "actions":"output=11"}'  http://16.158.166.150:8080/wm/staticflowentrypusher/json
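
The redirect above needs nothing more than network access to the controller's REST port, so it is worth checking the static entries against the intended mapping. The Python below is an added example, not code from the original article or from the Floodlight project: it audits entries in the same JSON shape as the curl payloads above and reports the rewritten static-flow3. The function names and the EXPECTED table are assumptions for illustration, and the sample entries are constructed from the article's own commands.

```python
import json

# Intended dst-mac -> output port mapping, taken from the article's three rules.
EXPECTED = {
    "52:54:00:9b:d5:11": 10,
    "52:54:00:9b:d5:33": 11,
    "52:54:00:9b:d5:77": 12,
}

def output_ports(actions):
    """Return the ports named in an actions string such as 'output=12'."""
    ports = []
    for action in actions.split(","):
        key, _, value = action.strip().partition("=")
        if key == "output" and value.isdigit():
            ports.append(int(value))
    return ports

def audit_flows(entries, expected=EXPECTED):
    """Compare active dst-mac entries with the expected mapping; return findings."""
    findings, seen = [], set()
    for e in entries:
        mac = e.get("dst-mac", "").lower()
        if not mac or e.get("active") != "true":
            continue  # only active destination-MAC rules are audited here
        ports = output_ports(e.get("actions", ""))
        if mac not in expected:
            findings.append((e.get("name"), mac, "unexpected destination MAC"))
        elif ports != [expected[mac]]:  # wrong port, or mirrored to extra ports
            findings.append((e.get("name"), mac,
                             f"outputs to {ports}, expected [{expected[mac]}]"))
        seen.add(mac)
    for mac in sorted(set(expected) - seen):
        findings.append((None, mac, "no active entry for expected MAC"))
    return findings

# Constructed sample: the three entries, with static-flow3 as rewritten above.
SAMPLE = json.loads("""[
 {"switch": "00:00:2a:96:0e:c7:85:49", "name": "static-flow1",
  "dst-mac": "52:54:00:9b:d5:11", "active": "true", "actions": "output=10"},
 {"switch": "00:00:2a:96:0e:c7:85:49", "name": "static-flow2",
  "dst-mac": "52:54:00:9b:d5:33", "active": "true", "actions": "output=11"},
 {"switch": "00:00:2a:96:0e:c7:85:49", "name": "static-flow3",
  "dst-mac": "52:54:00:9b:d5:77", "active": "true", "actions": "output=11"}
]""")

if __name__ == "__main__":
    for name, mac, problem in audit_flows(SAMPLE):
        print(f"{name}: {mac}: {problem}")
```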



