Neutron VPNaaS in the community Liberty release: traffic flow

The two test VMs

lihui@l-openstack:~$ nova list
+--------------------------------------+------+--------+------------+-------------+-----------------------+
| ID                                   | Name | Status | Task State | Power State | Networks              |
+--------------------------------------+------+--------+------------+-------------+-----------------------+
| cd84c43a-b05c-44a3-9c12-6174d0931a69 | vm-1 | ACTIVE | -          | Running     | vpn-network-1=2.3.4.4 |
| 2f27000a-c732-4976-a9fe-829394b28302 | vm-2 | ACTIVE | -          | Running     | vpn-network-2=4.3.2.3 |
+--------------------------------------+------+--------+------------+-------------+-----------------------+

VM1

lihui@l-openstack:~$ nova interface-list cd84c43a-b05c-44a3-9c12-6174d0931a69
+------------+--------------------------------------+--------------------------------------+--------------+-------------------+
| Port State | Port ID                              | Net ID                               | IP addresses | MAC Addr          |
+------------+--------------------------------------+--------------------------------------+--------------+-------------------+
| ACTIVE     | 6a8587af-9908-43ba-afd6-8a70c57387d2 | cafca5c7-5f8f-41b9-9e69-502d94a6590f | 2.3.4.4      | fa:16:3e:86:fc:82 |
+------------+--------------------------------------+--------------------------------------+--------------+-------------------+

VM2

lihui@l-openstack:~$ nova interface-list 2f27000a-c732-4976-a9fe-829394b28302
+------------+--------------------------------------+--------------------------------------+--------------+-------------------+
| Port State | Port ID                              | Net ID                               | IP addresses | MAC Addr          |
+------------+--------------------------------------+--------------------------------------+--------------+-------------------+
| ACTIVE     | 723fdc88-0016-4a19-933a-9fe7637541e4 | 582af77d-494e-43ea-980e-35616945fd5b | 4.3.2.3      | fa:16:3e:ab:e1:b4 |
+------------+--------------------------------------+--------------------------------------+--------------+-------------------+

The Linux bridges (qbr) are still present, presumably still for the sake of security groups.

lihui@l-openstack:~$ sudo brctl show
bridge name	bridge id		STP enabled	interfaces
qbr6a8587af-99		8000.fe163e86fc82	no		qvb6a8587af-99
							tap6a8587af-99
qbr723fdc88-00		8000.42aa09dbc730	no		qvb723fdc88-00
							tap723fdc88-00
virbr0		8000.000000000000	yes
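A consistency check for the bridge layout shown above, added here as an example and not part of the original post: it parses the `brctl show` output and confirms that each VM port sits behind its own qbr bridge with both the qvb and tap devices attached. The function names are hypothetical; the naming rule (prefix plus the first 11 characters of the port ID) is read off the output on this page.

```python
# Added example. Sample input is the `brctl show` output from this page.
BRCTL_SHOW = (
    "bridge name\tbridge id\t\tSTP enabled\tinterfaces\n"
    "qbr6a8587af-99\t\t8000.fe163e86fc82\tno\t\tqvb6a8587af-99\n"
    "\t\t\t\t\t\t\ttap6a8587af-99\n"
    "qbr723fdc88-00\t\t8000.42aa09dbc730\tno\t\tqvb723fdc88-00\n"
    "\t\t\t\t\t\t\ttap723fdc88-00\n"
    "virbr0\t\t8000.000000000000\tyes\n"
)
# Port IDs from the `nova interface-list` output on this page.
PORTS = {
    "vm-1": "6a8587af-9908-43ba-afd6-8a70c57387d2",
    "vm-2": "723fdc88-0016-4a19-933a-9fe7637541e4",
}

def parse_brctl_show(text):
    """Return {bridge: [member interfaces]} from `brctl show` output."""
    bridges, current = {}, None
    for line in text.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if not fields:
            continue
        if line[0].isspace():                 # continuation row: one more member
            if current is not None:
                bridges[current].extend(fields)
        else:                                 # name, id, STP flag, optional member
            current = fields[0]
            bridges[current] = fields[3:]
    return bridges

def check_port(port_id, bridges):
    """List what is missing from the qbr/qvb/tap chain for one Neutron port."""
    suffix = port_id[:11]   # device names on this page reuse the first 11 chars
    members = bridges.get("qbr" + suffix)
    if members is None:
        return ["no bridge qbr" + suffix]
    return [dev + " not attached to qbr" + suffix
            for dev in ("qvb" + suffix, "tap" + suffix) if dev not in members]

def audit(ports, brctl_text):
    """Run check_port for every VM; an empty list means the chain is complete."""
    bridges = parse_brctl_show(brctl_text)
    return {name: check_port(pid, bridges) for name, pid in ports.items()}

if __name__ == "__main__":
    for vm, problems in audit(PORTS, BRCTL_SHOW).items():
        print(vm, "OK" if not problems else problems)
```

A tap device that is missing from its qbr bridge is worth investigating, since that bridge is where the post expects security group filtering to happen.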

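From the ports on br-int and br-ex, together with the ports on the Linux bridges, a diagram like this can roughly be pieced together.

If I have not drawn it wrong, the flow really is extremely simple: the gateways of the two routers forward traffic directly to each other and that is all. I also captured packets during earlier testing, so I will not go further into it here.

This is a single-node scenario. In real use this would be north-south traffic; for non-DVR deployments, traffic leaves through br-ex on the network node and cross-node traffic goes over br-tun, so the flow tables should be somewhat more complex.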

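In short, VPNaaS, like a floating IP (FIP), serves as a north-south traffic channel, but where guaranteeing traffic security matters, the VPN service is the option more likely to be considered.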
