The two VMs used for the test
lihui@l-openstack:~$ nova list
+--------------------------------------+------+--------+------------+-------------+-----------------------+
| ID                                   | Name | Status | Task State | Power State | Networks              |
+--------------------------------------+------+--------+------------+-------------+-----------------------+
| cd84c43a-b05c-44a3-9c12-6174d0931a69 | vm-1 | ACTIVE | -          | Running     | vpn-network-1=2.3.4.4 |
| 2f27000a-c732-4976-a9fe-829394b28302 | vm-2 | ACTIVE | -          | Running     | vpn-network-2=4.3.2.3 |
+--------------------------------------+------+--------+------------+-------------+-----------------------+
VM1
lihui@l-openstack:~$ nova interface-list cd84c43a-b05c-44a3-9c12-6174d0931a69
+------------+--------------------------------------+--------------------------------------+--------------+-------------------+
| Port State | Port ID                              | Net ID                               | IP addresses | MAC Addr          |
+------------+--------------------------------------+--------------------------------------+--------------+-------------------+
| ACTIVE     | 6a8587af-9908-43ba-afd6-8a70c57387d2 | cafca5c7-5f8f-41b9-9e69-502d94a6590f | 2.3.4.4      | fa:16:3e:86:fc:82 |
+------------+--------------------------------------+--------------------------------------+--------------+-------------------+
VM2
lihui@l-openstack:~$ nova interface-list 2f27000a-c732-4976-a9fe-829394b28302
+------------+--------------------------------------+--------------------------------------+--------------+-------------------+
| Port State | Port ID                              | Net ID                               | IP addresses | MAC Addr          |
+------------+--------------------------------------+--------------------------------------+--------------+-------------------+
| ACTIVE     | 723fdc88-0016-4a19-933a-9fe7637541e4 | 582af77d-494e-43ea-980e-35616945fd5b | 4.3.2.3      | fa:16:3e:ab:e1:b4 |
+------------+--------------------------------------+--------------------------------------+--------------+-------------------+
The Linux bridges (qbr) are still present, presumably still for the sake of security groups.
lihui@l-openstack:~$ sudo brctl show
bridge name     bridge id               STP enabled     interfaces
qbr6a8587af-99  8000.fe163e86fc82       no              qvb6a8587af-99
                                                        tap6a8587af-99
qbr723fdc88-00  8000.42aa09dbc730       no              qvb723fdc88-00
                                                        tap723fdc88-00
virbr0          8000.000000000000       yes
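An added example (not from the original post): a small Python check, run on the `brctl show` output above, that each VM port still has its qbr bridge with both the qvb and tap devices attached, which is the path the post attributes to security groups. The device-name rule (prefix plus the first 11 characters of the port ID) is read off the output above; `parse_brctl` and `audit_port` are names introduced for this example.

```python
# Added example. BRCTL_SHOW is the `brctl show` output from this page, re-laid
# out over lines; PORT_IDS are the port IDs from the two interface-list calls.
BRCTL_SHOW = """\
bridge name     bridge id               STP enabled     interfaces
qbr6a8587af-99  8000.fe163e86fc82       no              qvb6a8587af-99
                                                        tap6a8587af-99
qbr723fdc88-00  8000.42aa09dbc730       no              qvb723fdc88-00
                                                        tap723fdc88-00
virbr0          8000.000000000000       yes
"""
PORT_IDS = {
    "vm-1": "6a8587af-9908-43ba-afd6-8a70c57387d2",
    "vm-2": "723fdc88-0016-4a19-933a-9fe7637541e4",
}


def parse_brctl(text):
    """Return {bridge: [member interfaces]} from `brctl show` output."""
    bridges, current = {}, None
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if not fields:
            continue
        if line[0].isspace():                   # continuation: extra member
            if current is not None:
                bridges[current].append(fields[0])
        else:                                   # name, id, STP, [first member]
            current = fields[0]
            bridges[current] = fields[3:]
    return bridges


def audit_port(port_id, bridges):
    """List what is missing from the qbr path of one port (empty = intact)."""
    suffix = port_id[:11]                       # naming seen in the output above
    qbr, qvb, tap = (p + suffix for p in ("qbr", "qvb", "tap"))
    if qbr not in bridges:
        return [f"{qbr} missing: {tap} is not behind a per-port Linux bridge"]
    return [f"{dev} is not a member of {qbr}"
            for dev in (qvb, tap) if dev not in bridges[qbr]]


if __name__ == "__main__":
    bridges = parse_brctl(BRCTL_SHOW)
    for vm, port_id in PORT_IDS.items():
        print(vm, audit_port(port_id, bridges) or "qbr path intact")
```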
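From the ports on br-int and br-ex, together with the ports on the Linux bridges, a diagram roughly like this can be pieced together.
If the diagram is not wrong, the flow is really very simple: the gateways of the two routers forward the traffic directly to each other and that is all. I also captured packets during the earlier tests, so I won't write more about it here.
This is a single-node setup. In real use this would be north-south traffic, and in the non-DVR version br-ex egress happens on the network node while cross-node traffic goes through br-tun, so the flow tables should be somewhat more complex.
In short, VPNaaS, like FIP, serves as a north-south traffic path, but where keeping traffic secure is a priority, a VPN service is the option more likely to be considered.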