培訓(xùn)時(shí)間：2025年8月5日培訓(xùn)講師：XXXSDN云網(wǎng)一體化

業(yè)務(wù)流量原理培訓(xùn)課件

課堂規(guī)則Open—開放的心態(tài)、積極參與、勇敢發(fā)問

Close—封閉的環(huán)境，不要受外界的干擾，請(qǐng)將手機(jī)關(guān)機(jī)或靜音請(qǐng)勿隨意走動(dòng)、交談感謝您的配合SDN云網(wǎng)一體化

業(yè)務(wù)流量原理本章節(jié)主要講述云網(wǎng)一體化場(chǎng)景下，路由網(wǎng)絡(luò)中云主機(jī)訪問公網(wǎng)的流量走向。掌握虛擬機(jī)流量從虛擬交換機(jī)進(jìn)入VXLANFabric，經(jīng)過防火墻訪問公網(wǎng)走向。學(xué)完本課程后，您將能夠：描述OVS在云網(wǎng)一體化場(chǎng)景的基本原理描述云主機(jī)使用SNAT服務(wù)訪問公共的流量走向云網(wǎng)一體化業(yè)務(wù)發(fā)放物理網(wǎng)絡(luò)實(shí)體基本原理虛擬機(jī)交換機(jī)基本原理云主機(jī)業(yè)務(wù)流SDN-FW2SDN-FW1AR2220OpenStackClusterAC-DCN3.0CNA02CNA01Spine-1Spine-2Leaf-1Leaf-2ALeaf-2BLeaf-310GE1/0/1-48物理網(wǎng)絡(luò)拓?fù)涔芾砑河?jì)算集群雙活網(wǎng)關(guān)WAN出口VASVXLANFabricAC-DCN物理拓?fù)銩C-DCN將南向物理設(shè)備加入Fabric，呈現(xiàn)相同物理網(wǎng)絡(luò)拓?fù)洌笇?dǎo)業(yè)務(wù)下發(fā)。云網(wǎng)一體化環(huán)境介紹管理集群：云平臺(tái)和AC-DCN，進(jìn)行云業(yè)務(wù)發(fā)放。計(jì)算集群：云DC場(chǎng)景下CNA作計(jì)算節(jié)點(diǎn)接入到云平臺(tái)，也可以是KVM或EXSi計(jì)算資源池。用于發(fā)放云主機(jī)等計(jì)算業(yè)務(wù)。VXLANFabric：Spine-Leaf二層架構(gòu)的VXLAN網(wǎng)絡(luò)。Spine、Border-leaf和Service-leaf合一部署。VAS(ValueAddedServices)：防火墻主備鏡像模式，旁掛Spine節(jié)點(diǎn)。業(yè)務(wù)調(diào)測(cè)云網(wǎng)一體化環(huán)境下，租戶云主機(jī)VM01使用SNAT訪問外部網(wǎng)絡(luò)30.1.1.1。描述參數(shù)云主機(jī)VM01，192.168.100.10路由網(wǎng)絡(luò)Router_net,192.168.100.0/24SNAT20.1.1.231公網(wǎng)地址30.1.1.1IntranetvRouter,

10.3.1.0/24InternetPublic_Internet,20.1.1.0/24ServiceCenterVPCServiceCenter兩個(gè)外部網(wǎng)絡(luò)vRouter和Public_Internet，分別配置為Intranet和Internet。VPC成功申請(qǐng)路由器，路由器使用Intranet網(wǎng)絡(luò)。創(chuàng)建路由網(wǎng)絡(luò)router_net，192.168.100.0/24，vxlanid為9951。向Internet網(wǎng)絡(luò)，成功申請(qǐng)SNAT服務(wù)，地址20.1.1.231。云主機(jī)網(wǎng)絡(luò)成功申請(qǐng)?zhí)摂M機(jī)。本地為路由網(wǎng)絡(luò)地址192.168.100.10，通過SNAT，到達(dá)外部公網(wǎng)地址30.1.1.1。云網(wǎng)一體化業(yè)務(wù)發(fā)放物理網(wǎng)絡(luò)實(shí)體基本原理虛擬機(jī)交換機(jī)基本原理云主機(jī)業(yè)務(wù)流Neutron-dhcp-agentSNAT20.1.1.231SDN-FW2SDN-FW1AR2220InternetOpenStackClusterAC-DCN3.0CNA02CNA01Spine-1Spine-2Leaf-1Leaf-2ALeaf-2BLeaf-310GE1/0/1-48云主機(jī)流量VM01192.168.100.10GWVTEP192.168.100.1Internet30.1.1.1云主機(jī)訪問公網(wǎng)云主機(jī)DHCP流量云主機(jī)路由網(wǎng)絡(luò)云網(wǎng)一體化，云平臺(tái)路由網(wǎng)絡(luò)映射為物理設(shè)備VXLANOverlay網(wǎng)絡(luò)。Overly網(wǎng)絡(luò)為采用VXLANEVPN集中式網(wǎng)關(guān)方式。Spine、Leaf-1、Leaf2和Leaf-3為VETP。路由網(wǎng)絡(luò)網(wǎng)關(guān)部署于Spine。計(jì)算實(shí)例從Leaf節(jié)點(diǎn)接入。物理Overlay網(wǎng)絡(luò)(1)Leaf-1與Spine網(wǎng)關(guān)組和Leaf-3之間成功建立VXLAN隧道。VXLANVNI為云平臺(tái)指定9951，交換機(jī)上生成BD5002。業(yè)務(wù)接入口上VLAN1000流量進(jìn)入VXLAN隧道。<Leaf-1>displayvxlantunnelNumberofvxlantunnel:2TunnelIDSourceDestinationStateTypeUptime-----------------------------------------------------------------------------------402653184810.1.1.110.45.45.45updynamic0028h21m402653184910.1.1.110.3.3.3updynamic0028h21m<Leaf-1>displayvxlanvniNumberofvxlanvni:1VNIBD-IDState---------------------------------------99515002up[Leaf-1-10GE1/0/1.200]disth#interface10GE1/0/1.200model2

encapsulationdot1qvid1000bridge-domain5002物理Overlay網(wǎng)絡(luò)(2)VXLAN網(wǎng)關(guān)位于Spine，綁定VPN實(shí)例，實(shí)現(xiàn)租戶隔離。[Spine-1-bd5002]displaythisbridge-domain5002vxlanvni9951arpbroadcast-suppressenableevpnroute-distinguisher6:9951vpn-target0:9951export-extcommunityvpn-target0:10004export-extcommunityvpn-target0:9951import-extcommunity[Spine-1-Vbdif5002]displaythisinterfaceVbdif5002ipbindingvpn-instanceVDC(2664d2-VPC-10004ipaddress192.168.100.1255.255.255.0mac-address0000-5e00-0102arpcollecthostenable[Leaf3-10GE1/0/41.201]displaythis#interface10GE1/0/41.201model2

encapsulationdot1qvid1000bridge-domain5002云主機(jī)DHCP路由網(wǎng)絡(luò)DHCP功能由neutron-dhcp-agent提供。OpenStack在兩個(gè)網(wǎng)絡(luò)節(jié)點(diǎn)上創(chuàng)建DHCPagent，用于向網(wǎng)段提供DHCP服務(wù)。DHCP服務(wù)器和云主機(jī)大二層互通，由Leaf-3接入VXLAN網(wǎng)絡(luò)。云主機(jī)SNAT

云網(wǎng)一體化場(chǎng)景，云主機(jī)SNAT能力由物理防火墻提供。云平臺(tái)申請(qǐng)防火墻，物理防火墻自動(dòng)創(chuàng)建vsys。AC-DCN自動(dòng)下發(fā)防火墻和Spine之間互聯(lián)VLAN和IP地址，從互聯(lián)資源分配。防火墻一個(gè)vsys和Spine上一個(gè)VPN實(shí)例對(duì)接。云網(wǎng)一體化業(yè)務(wù)發(fā)放物理網(wǎng)絡(luò)實(shí)體基本原理虛擬機(jī)交換機(jī)基本原理云主機(jī)業(yè)務(wù)流虛擬機(jī)交換機(jī)云網(wǎng)一體化場(chǎng)景下，物理Overlay網(wǎng)絡(luò)承載主要租戶網(wǎng)絡(luò)。VXLANOverlay網(wǎng)絡(luò)業(yè)務(wù)接入點(diǎn)使用二層子接口，將云平臺(tái)租戶網(wǎng)絡(luò)流量映射到物理VXLAN網(wǎng)絡(luò)。云平臺(tái)租戶網(wǎng)絡(luò)流量通過虛擬交換機(jī)進(jìn)行區(qū)分。ToR/Leaf云平臺(tái)SpineVLANVXLANFabricOVS基本概念OpenvSwitch是Apache2.0開源的項(xiàng)目，是運(yùn)行在虛擬化平臺(tái)（例如KVM，Xen）上的虛擬交換機(jī)。OVS可以為動(dòng)態(tài)變化的端點(diǎn)提供二層交換功能，很好的控制虛擬網(wǎng)絡(luò)中的訪問策略、網(wǎng)絡(luò)隔離、流量監(jiān)控等等。FusionSphereOpenStack中，OVS由brcps、br-int和br-tun這3種主要網(wǎng)橋組成?；靖拍蠲枋鯬acket網(wǎng)絡(luò)轉(zhuǎn)發(fā)的最小數(shù)據(jù)單元，每個(gè)包都來自某個(gè)端口，最終會(huì)被發(fā)往一個(gè)或多個(gè)目標(biāo)端口。BridgeOpenvSwitch中的網(wǎng)橋就是交換機(jī)，其功能是根據(jù)一定規(guī)則，把從端口收到的數(shù)據(jù)包轉(zhuǎn)發(fā)到另一個(gè)或多個(gè)端口。Port收發(fā)數(shù)據(jù)包的單元。OpenvSwitch中，每個(gè)端口都屬于一個(gè)特定的網(wǎng)橋。端口收到的數(shù)據(jù)包會(huì)經(jīng)過流規(guī)則的處理，發(fā)往其他端口。Interface連接到Port的網(wǎng)絡(luò)接口設(shè)備（網(wǎng)卡）。在通常情況下，Port和Interface是一對(duì)一的關(guān)系,只有在配置Port為bond模式后，Port和Interface是一對(duì)多的關(guān)系。FlowTable流表是交換機(jī)進(jìn)行轉(zhuǎn)發(fā)策略控制的核心數(shù)據(jù)結(jié)構(gòu)，定義了端口之間數(shù)據(jù)包的交換規(guī)則。交換機(jī)通過查找流表表項(xiàng)來決策網(wǎng)絡(luò)流量的后續(xù)動(dòng)作。OVS常見端口類型OpenvSwitch端口與物理交換機(jī)端口類似，每個(gè)Port都屬于一個(gè)Bridge。不同用途的端口有不同的端口類型。端口類型作用Normal操作系統(tǒng)中的網(wǎng)卡綁定到OVS的Bridge上，OVS生成一個(gè)普通端口處理這塊網(wǎng)卡進(jìn)出的數(shù)據(jù)包。Internal端口類型為internal時(shí)，OVS會(huì)創(chuàng)建一塊虛擬機(jī)網(wǎng)卡。當(dāng)OVS創(chuàng)建一個(gè)新網(wǎng)橋時(shí)，默認(rèn)會(huì)創(chuàng)建一個(gè)與網(wǎng)橋同名的InternalPort。Patch當(dāng)系統(tǒng)中有多個(gè)網(wǎng)橋時(shí)，可以使用PatchPort把兩個(gè)網(wǎng)橋連起來。PatchPort成對(duì)出現(xiàn)，分別連接在兩個(gè)網(wǎng)橋上，在兩個(gè)網(wǎng)橋之間交換數(shù)據(jù)。Tunnel隧道端口是一種虛擬端口，支持使用gre或vxlan等隧道技術(shù)與位于網(wǎng)絡(luò)上其他位置的遠(yuǎn)程端口通訊。查看FusionSphereOpenStack網(wǎng)橋網(wǎng)橋?yàn)閎rcps。Porttrunk0為normalport，綁定操作系統(tǒng)中的網(wǎng)卡。Portphy-brcps為patchport，連接的port為int-brcps。Portexternal_api為internalport，為虛擬網(wǎng)卡，VLANtag為4004。Host01:~#ovs-vsctlshowBridgebrcpsPort"trunk0"Interface"trunk0"Portphy-brcpsInterfacephy-brcpstype:patchoptions:{peer=int-brcps}Portexternal_basetag:4006Interfaceexternal_basetype:internalPortexternal_apitag:4004Interfaceexternal_apitype:internalPortexternal_omtag:4005Interfaceexternal_omtype:internalPortbrcpstag:0Interfacebrcpstype:internalqvm+OVS數(shù)據(jù)幀轉(zhuǎn)發(fā)流程VLAN模式VM發(fā)出數(shù)據(jù)幀，經(jīng)過tap提供的虛擬網(wǎng)口vNIC。再經(jīng)過Linux網(wǎng)橋qbr安全驗(yàn)證，到達(dá)qvm端口。繼續(xù)南下到ply策略網(wǎng)橋，在進(jìn)入br-int時(shí)打上一個(gè)內(nèi)部的VLANtag，為主機(jī)節(jié)點(diǎn)內(nèi)部的localid，區(qū)分同一個(gè)主機(jī)內(nèi)部的不同VM。br-int會(huì)實(shí)現(xiàn)轉(zhuǎn)發(fā)到目的幀主機(jī)，或繼續(xù)南下到br-1網(wǎng)橋。流表動(dòng)作會(huì)將localid刪除，換成外部的VLANID。數(shù)據(jù)幀送達(dá)實(shí)際的外部物理交換機(jī)網(wǎng)口，發(fā)送到目的地。VXLAN模式VXLAN模式下br-int之前傳遞相同，不同的是數(shù)據(jù)包送往br-tun、TunnelBearing。ply+br-intvm01-eth0tap+vm02-eth0br-tunpatch-tunpatch-intKVM-VXLANtunnel_bearingvxlan_portin_port=2in_port=3pvi+pvo+ply+pvi+pvo+tap+Localvlantag:1in_port=1in_port=2qbr+qbr+qvm+qvm+ply+br-intvm1-eth0tap+vm02-eth0br-1Int-br-1phy-br-1Xen-VLANeth0,eth1bondxin_port=2in_port=3pvi+pvo+ply+pvi+pvo+tap+Localvlantag:1in_port=1in_port=2qbr+qbr+qvm+云網(wǎng)一體化業(yè)務(wù)發(fā)放物理網(wǎng)絡(luò)實(shí)體基本原理虛擬機(jī)交換機(jī)基本原理云主機(jī)業(yè)務(wù)流云主機(jī)業(yè)務(wù)流虛擬機(jī)流量，經(jīng)過CNA01的OVS封裝VLAN，進(jìn)入VXLANFabric。網(wǎng)關(guān)位于Spine，使用VPN進(jìn)行租戶隔離。網(wǎng)關(guān)出口流量指向防火墻虛擬系統(tǒng)，進(jìn)行NAT轉(zhuǎn)換后進(jìn)入Public墻。Public墻將流量引回Spine公共路由表，通過出口到達(dá)Internet。ToR/LeafSpineVPNVLANVXLANCNA01vsysPublicNATSpinePublicInternetFusionCompute查看虛擬機(jī)虛擬機(jī)VM01下發(fā)到CNA01上。CNA01為云主機(jī)生成獨(dú)立主機(jī)ID。CNA查看虛擬機(jī)網(wǎng)卡查詢當(dāng)前主機(jī)的qbr信息。安全組，每張網(wǎng)卡對(duì)應(yīng)一個(gè)安全組。CNA01:~#brctlshowbridgenamebridgeidSTPenabledinterfacesqbra7b524f9-fc8000.2e6317746946noqvma7b524f9-fc

tapa7b524f9-fcCNA01:~#virshdumpxmli-00000020<interfacetype='bridge'><macaddress='fa:16:3e:7d:60:ee'/><vifpci='0'/>

<sourcebridge='qbra7b524f9-fc'/><virtualporttype='openvswitch'><parametersinterfaceid='a7b524f9-fcd3-4439b40aa7a3984d4c67'/></virtualport><targetdev='tapa7b524f9-fc'/></interface>虛擬機(jī)根據(jù)虛擬機(jī)ID查看虛擬機(jī)網(wǎng)卡信息。查詢虛擬機(jī)tap虛擬網(wǎng)卡信息，用于VM通信。虛擬機(jī)生成qbr網(wǎng)橋，每個(gè)qbr都有對(duì)應(yīng)的tap和qvm端口。CNA的OVS網(wǎng)橋(1)查詢OVS網(wǎng)橋和接口信息。Ply是策略網(wǎng)橋，pvi端口連接br-int網(wǎng)橋的pvo端口。CNA01:~#ovs-vsctlshow

Bridge"plya7b524f9-fc"fail_mode:secure

Port"pvia7b524f9-fc"Interface"pvia7b524f9-fc"type:patchoptions:{peer="pvoa7b524f9-fc"}Port"plya7b524f9-fc"tag:4095Interface"plya7b524f9-fc"type:internalPort"qvma7b524f9-fc"Interface"qvma7b524f9-fc"type:internal

Bridgebr-intfail_mode:securePortbr-intInterfacebr-inttype:internalPort"int-br-1"Interface"int-br-1"type:patchoptions:{peer="phy-br-1"}Portpatch-tunInterfacepatch-tuntype:patchoptions:{peer=patch-int}Port"pvoa7b524f9-fc"

tag:8Interface"pvoa7b524f9-fc"type:patch

options:{peer="pvia7b524f9-fc"}CNA的OVS網(wǎng)橋(2)網(wǎng)橋br-int的另一個(gè)portint-br-1，連接到網(wǎng)橋br-1。虛擬機(jī)通過依次通過qbr、ply、br-int和br-1，最后到達(dá)物理口。CNA01:~#ovs-vsctlshow

Bridge"br-1"Port"bond18"

Interface"bond18"type:systemPort"Mgnt-0"tag:4005Interface"Mgnt-0"type:internalPort"br-1"Interface"br-1"type:internal

Port"phy-br-1"Interface"phy-br-1"type:patch

options:{peer="int-br-1"}

Port"br-1@vxlan"Interface"br-1@vxlan"type:vxlanevsBridgebr-intfail_mode:securePortbr-intInterfacebr-inttype:internalPort"int-br-1"Interface"int-br-1"type:patch

options:{peer="phy-br-1"}Portpatch-tunInterfacepatch-tuntype:patchoptions:{peer=patch-int}Port"pvoa7b524f9-fc"tag:8Interface"pvoa7b524f9-fc"type:patchoptions:{peer="pvia7b524f9-fc"}查看br-1端口查看網(wǎng)橋br-1的端口號(hào)。3號(hào)端口為phy-br-1，連接北向網(wǎng)橋br-int，接收虛擬機(jī)流量。CNA01:~#ovs-ofctlshowbr-11(bond18):addr:38:bc:01:69:24:5econfig:0state:0speed:0Mbpsnow,0Mbpsmax2(Mgnt-0):addr:38:bc:01:69:24:5econfig:0state:0speed:0Mbpsnow,0Mbpsmax3(phy-br-1):addr:32:19:52:78:88:d5config:0state:0speed:0Mbpsnow,0Mbpsmax4(br-1@vxlan):addr:8a:c8:6e:12:b4:6bconfig:0state:0speed:0Mbpsnow,0MbpsmaxLOCAL(br-1):addr:38:bc:01:69:24:5econfig:PORT_DOWNstate:LINK_DOWNspeed:0Mbpsnow,0Mbpsmax查看br-1網(wǎng)橋流表(模糊流表)查看br-1的流表，可以看到VM01到達(dá)公網(wǎng)業(yè)務(wù)流的信息。流表匹配項(xiàng)，in_port=3，dl_vlan=8，表示從3號(hào)口收到VLAN為8的數(shù)據(jù)包。流表執(zhí)行動(dòng)作，mo_vlan_vid:1000，表示修改VLAN為1000；NORMAL，表示模仿傳統(tǒng)交換機(jī)方式轉(zhuǎn)發(fā)。CNA01:~#ovs-ofctldump-flowsbr-1NXST_FLOWreply(xid=0x4):cookie=0xb82d462d21774a97,duration=85881.575s,table=2,n_packets=12654,n_bytes=846733,idle_age=0,hard_age=65534,priority=4,in_port=3,dl_vlan=8actions=mod_vlan_vid:1000,NORMALcookie=0xb82d462d21774a97,duration=1044137.414s,table=2,n_packets=44,n_bytes=15048,idle_age=65534,hard_age=65534,priority=2,in_port=3actions=dropcookie=0xb82d462d21774a97,duration=1044137.139s,table=3,n_packets=0,n_bytes=0,idle_age=65534,hard_age=65534,priority=2,dl_src=fa:16:3f:04:9b:06actions=output:3cookie=0xb82d462d21774a97,duration=1044137.309s,table=3,n_packets=0,n_bytes=0,idle_age=65534,hard_age=65534,priority=2,dl_src=fa:16:3f:82:41:e5actions=output:3cookie=0xb82d462d21774a97,duration=1044137.222s,table=3,n_packets=0,n_bytes=0,idle_age=65534,hard_age=65534,priority=2,dl_src=fa:16:3f:1f:33:98actions=output:3cookie=0xb82d462d21774a97,duration=1044137.391s,table=3,n_packets=19908849,n_bytes=39102834997,idle_age=0,hard_age=65534,priority=1actions=NORMAL查看OVS轉(zhuǎn)發(fā)表查看br-1的fdb表項(xiàng)。Fdb轉(zhuǎn)發(fā)表為模仿傳統(tǒng)交換機(jī)方式的轉(zhuǎn)發(fā)表。虛擬機(jī)MAC地址和網(wǎng)關(guān)MAC地址對(duì)應(yīng)的VLAN均為1000。CNA01:~#ovs-appctlfdb/showbr-1portVLANMACAge14005fa:16:3e:1b:cd:2542400538:bc:01:69:24:5e01100000:00:5e:00:01:02014005fa:16:3e:77:bf:70031000fa:16:3e:7d:60:ee014005fa:16:3e:ca:5d:d201400588:66:39:ab:d3:b10<Spine-1>displayinterfaceVbdif5002Vbdif5002currentstate:UP(ifindex:68)Lineprotocolcurrentstate:UPLastlineprotocoluptime:2018-04-0211:11:54Description:RoutePort,TheMaximumTransmitUnitis1500InternetAddressis192.168.100.1/24IPSendingFrames'FormatisPKTFMT_ETHNT_2,Hardwareaddressis0000-5e00-0102Currentsystemtime:2018-04-1220:48:27查看內(nèi)核流表(精確流表)OVSkernal中僅有一個(gè)流表，用于精確匹配。源地址192.168.100.10，目的地址30.1.1.1的ICMP報(bào)文，執(zhí)行push_vlan，打上VLAN1000標(biāo)簽，到2號(hào)端口，bond18。源地址30.1.1.1，目的地址192.168.100.10，VLAN1000的報(bào)文，執(zhí)行pop_vlan，到7號(hào)端口，qvma7b524f9-fc。CNA01:~#ovs-dpctldump-flowsskb_priority(0),in_port(2),eth(src=38:bc:01:c3:a1:00,dst=fa:16:3e:7d:60:ee),eth_type(0x8100),vlan(vid=1000,pcp=0),encap(eth_type(0x0800),ipv4(src=30.1.1.1/0.0.0.0,dst=192.168.100.10/0.0.0.0,proto=1/0xff,tos=0/0,ttl=252/0,frag=no/0xff),icmp(type=0/0xff,code=0/0)),packets:356146,bytes:26354804,used:0.492s,actions:pop_vlan,7skb_priority(0),in_port(7),eth(src=fa:16:3e:7d:60:ee,dst=00:00:5e:00:01:02),eth_type(0x0800),ipv4(src=192.168.100.10/0.0.0.0,dst=30.1.1.1/0.0.0.0,proto=1/0xff,tos=0/0,ttl=128/0,frag=no/0xff),icmp(type=8/0xff,code=0/0),packets:356146,bytes:26354804,used:0.492s,actions:push_vlan(vid=1000,pcp=0),2查看OVS端口列表查看OVS端口列表。此端口列表和內(nèi)核流表對(duì)應(yīng)。網(wǎng)關(guān)對(duì)應(yīng)的port為3，從Mgnt-0端口學(xué)習(xí)到網(wǎng)關(guān)虛擬機(jī)對(duì)應(yīng)port為br-1，從br-1學(xué)習(xí)到虛擬機(jī)地址。CNA01:~#ovs-dpctlshowsystem@ovs-system:lookups:hit:19651916missed:272329lost:0flows:28port0:ovs-system(internal)port1:br-1(internal)port2:bond18port3:Mgnt-0(internal)port4:br-int(internal)port5:br-tun(internal)port6:plya7b524f9-fc(internal)port7:qvma7b524f9-fc(internal)port8:br-1@vxlan(vxlanevs:df_default=false,status=0)CNA虛擬交換機(jī)轉(zhuǎn)發(fā)流程VM01發(fā)出數(shù)據(jù)幀，tap接口提供虛擬網(wǎng)卡能力。經(jīng)過qbr網(wǎng)橋，進(jìn)行安全組策略配置。經(jīng)過ply策略網(wǎng)橋，實(shí)現(xiàn)流量過濾功能。到達(dá)br-int，為虛擬機(jī)流量封裝Localvlan8。查看br-1流表，執(zhí)行流表action。發(fā)送到OVS內(nèi)核，執(zhí)行轉(zhuǎn)發(fā)。qvma7b524f9-fcplya7b524f9-fcbr-intVM01-eth0tapa7b524f9-fcbr-1Int-br-1phy-br-1CNA01eth0,eth1bond18pvia7b524f9-fcpvoa7b524f9-fcLocalvlantag:8qbra7b524f9-fcvlantag:1000物理Overlay流量Leaf-1的10GE1/0/1對(duì)接CNA01，使用二層子接口方式，將VLAN1000虛擬機(jī)流量封裝進(jìn)入Bridge-domain5002的VXLAN隧道。BD5002網(wǎng)關(guān)為與Spine節(jié)點(diǎn)。VM01去往公網(wǎng)30.1.1.1流量，下一跳到達(dá)網(wǎng)關(guān)Spine節(jié)點(diǎn)VBDIF

192.168.100.1。租戶網(wǎng)絡(luò)隔離，通過綁定名為VDC(2664d2-VPC-10004的VPN實(shí)例實(shí)現(xiàn)。[Leaf-1-10GE1/0/1.200]disth#interface10GE1/0/1.200model2

encapsulationdot1qvid1000bridge-domain5002[Spine-1-Vbdif5002]displaythis#interfaceVbdif5002ipbindingvpn-instanceVDC(2664d2-VPC-10004ipaddress192.168.100.1255.255.255.0mac-address0000-5e00-0102arpcollecthostenableSpine與防火墻互聯(lián)Spine互聯(lián)接口為Vbdif5003和Vbdif5004，防火墻互聯(lián)接口為Vlanif3041和3042?；ヂ?lián)接口配置由控制器自動(dòng)下發(fā)。FWPublicFWvsysSpineVPNSpinePublicVbdif500410.125.97.241Vbdif500310.125.97.241Vlanif304110.125.97.242Virtual-if1Virtual-if0Vlanif304210.125.97.242AC-DCN下發(fā)互聯(lián)接口配置AC-DCN接受云平臺(tái)請(qǐng)求，創(chuàng)建虛擬防火墻，和虛擬路由器和虛擬防火墻之間互聯(lián)鏈路。AC-DCN從互聯(lián)資源池內(nèi)選擇未使用VLAN和IP地址，下發(fā)到物理設(shè)備。查看Spine互聯(lián)接口查看Spine接口配置。Vbdif5003和Vbdif5004，為AC-DCN自動(dòng)下發(fā)Spine與防火墻互聯(lián)接口。[Spine-1-Vbdif5003]disth#interfaceVbdif5003

ipbindingvpn-instanceVDC(2664d2-VPC-10004ipaddress10.125.97.241255.255.255.252mac-address0000-5e00-0102arpcollecthostenable[Spine-1]interfaceVbdif5004[Spine-1-Vbdif5004]disth#interfaceVbdif5004

ipaddress10.125.97.241255.255.255.252mac-address0000-5e00-0102arpcollecthostenable#查看Spine租戶出口路由Spine上查看出口路由，下一跳地址為10.125.97.242，出口為Vbdif5003。租戶出口路由交給租戶對(duì)應(yīng)的虛擬機(jī)防火墻。<Spine-1>displayiprouting-tablevpn-instanceVDC(2664d2-VPC-10004Proto:ProtocolPre:PreferenceRouteFlags:R-relay,D-downloadtofib,T-tovpn-instance,B-blackholeroute------------------------------------------------------------------------------RoutingTable:VDC(2664d2-VPC-10004Destinations:8Routes:8Destination/MaskProtoPreCostFlagsNextHopInterface

0.0.0.0/0Static600RD10.125.97.242Vbdif500310.125.97.240/30Direct00D10.125.97.241Vbdif500310.125.97.241/32Direct00D127.0.0.1Vbdif500310.125.97.243/32Direct00D127.0.0.1Vbdif5003192.168.100.0/24Direct00D192.168.100.1Vbdif5002192.168.100.1/32Direct00D127.0.0.1Vbdif5002192.168.100.255/32Direct00D127.0.0.1Vbdif5002255.255.255.255/32Direct00D127.0.0.1InLoopBack0查看防火墻配置防火墻創(chuàng)建虛擬機(jī)系統(tǒng)，配置互聯(lián)接口。HRP_M<SDN-FW1>displayvsys2018-04-1010:56:41.520TotalVirtualsystemConfigured:2Remained:198--------------------------------------------------------------------------------NameIDStartupTime--------------------------------------------------------------------------------public02018/03/1620:25:14vsys_2664d223_VPC_1000412018/04/0213:11:34--------------------------------------------------------------------------------HRP_M[SDN-FW1]displayipinterfacebriefInterfaceIPAddress/MaskPhysicalProtocolGigabitEthernet1/0/10unassigneddowndownNULL0unassignedupup(s)Virtual-if0unassignedupup(s)Virtual-if1unassignedupup(s)Vlanif304110.125.97.242/30upupVlanif304210.125.97.242/30upup查看虛擬機(jī)防火墻NAT配置虛擬機(jī)防火墻進(jìn)行SNAT轉(zhuǎn)換，將VM01內(nèi)部網(wǎng)段，轉(zhuǎn)換為公網(wǎng)地址20.1.1.231。HRP_M<SDN-FW1-vsys_2664d223_VPC_10004>displaynataddress-groupNATaddress-groupinformation:Total1address-group(s)nataddress-groupaddgrp_771040f59bfdff7b0referencecount:1modepatstatusactivesection120.1.1.23120.1.1.231HRP_M[SDN-FW1-vsys_2664d223_VPC_10004]displaynat-policyrulenamenatpolicy_71024dc89e3de4a82018-04-1311:48:39.730(883timesmatched)rulenamenatpolicy_71024dc89e3de4a8source-zonetrustdestination-zoneuntrustsource-address192.168.100.0mask255.255.255.0actionnataddress-groupaddgrp_771040f59bfdff7b虛擬防火墻出口路由虛擬機(jī)防火墻到達(dá)公網(wǎng)30.1.1.1路由查看路由表。匹配默認(rèn)路由通往Public防火墻Virtual-if0。HRP_M<SDN-FW1-vsys_2664d223_VPC_10004>disiprouting-table2018-04-1313:43:41.640RouteFlags:R-relay,D-downloadtofib------------------------------------------------------------------------------RoutingTables:vsys_2664d223_VPC_10004Destinations:5Routes:5Destination/MaskProtoPreCostFlagsNextHopInterface0.0.0.0/0Static600D0.0.0.0Virtual-if010.125.97.240/30Direct00D10.125.97.242Vlanif304110.125.97.242/32Direct00D127.0.0.1Vlanif304120.1.1.231/32Static600D0.0.0.0NULL0192.168.100.0/24Static600RD10.125.97.241Vlanif3041防火墻出口路由防火墻查看出口路由，下一跳地址為Spine互聯(lián)接口。HRP_M[SDN-FW1]displayiprouting-table2018-04-1313:50:18.710RouteFlags:R-relay,D-downloadtofib------------------------------------------------------------------------------RoutingTables:PublicDestinations:10Routes:10Destination/MaskPro