目录
IP in IP隧道
IP GRE隧道
vxlan隧道
IP in IP隧道
拓扑:
1.0/24---eth0:1 (1.1)-vm1-eth0(100.1)------eth0(100.2)-vm2-eth0:1 (2.1)---2.0/24
IP地址前两个字节是192.168。所有的子网前缀长度都是24位。
为了简化环境,在eth0上配置第二个IP地址,形式上是给接口eth0:1配置IP地址。用来模拟vm后面的子网和主机。
vm1上配置
ifconfig eth0 192.168.100.1/24
ifconfig eth0:1 192.168.1.1/24
modprobe ipip
ip tunnel add tun0 mode ipip remote 192.168.100.2 local 192.168.100.1 ttl 64
ip link set tun0 up
ip addr add 192.168.3.1/24 peer 192.168.3.2/24 dev tun0
ip route add 192.168.2.0/24 dev tun0
iptables -Fvm2上配置
ifconfig eth0 192.168.100.1/24
ifconfig eth0:1 192.168.2.1/24
modprobe ipip
ip tunnel add tun0 mode ipip remote 192.168.100.1 local 192.168.100.2 ttl 64
ip link set tun0 up
ip addr add 192.168.3.2/24 peer 192.168.3.1/24 dev tun0
ip route add 192.168.1.0/24 dev tun0
iptables -F说明:如果隧道接口不启用什么协议,只作为静态路由出接口,则可以不配置IP地址。比如上面的例子中vm1、vm2中的ip addr add命令可以不配置。如果隧道接口要启用协议,比如OSPF,才需要配置IP地址。可以为隧道接口配置独立的IP地址,上面的例子中就是为隧道接口配置了独立的IP地址。也可以让隧道接口借用其它私网地址,但是这样对协议运行可能构成一定的限制。例如上面的例子中,vm1的ip addr add命令修改为ip addr add 192.168.1.1/24 peer 192.168.2.1/24 dev tun0,vm2 的ip addr add命令修改为ip addr add 192.168.2.1/24 peer 192.168.1.1/24 dev tun0。这样就是让隧道接口借用vm1的eth0:1和vm2的eth0:1的地址。这里说的Tunnel接口IP地址配置的三种方式也同样适用于下面的IP GRE隧道和VXLAN隧道。
vm1上查看接口状态和路由:
# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.100.1 netmask 255.255.255.0 broadcast 192.168.101.255
inet6 fe80::f816:3eff:fe1c:79e5 prefixlen 64 scopeid 0x20<link>
ether fa:16:3e:1c:79:e5 txqueuelen 1000 (Ethernet)
RX packets 17 bytes 2006 (1.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 21 bytes 2386 (2.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
ether fa:16:3e:1c:79:e5 txqueuelen 1000 (Ethernet)
tun0: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1480 #mtu已经考虑了隧道开销为20个字节。
inet 192.168.3.1 netmask 255.255.255.0 destination 192.168.3.2
tunnel txqueuelen 1000 (IPIP Tunnel)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
# route -n
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.101.1 0.0.0.0 UG 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0这样一来vm1后面的192.168.1.0/24和vm2后面的192.168.2.0/24就可以通过ip in ip隧道通信了。
Vm1上ping:
# ping -I 192.168.1.1 192.168.2.1
PING 192.168.2.1 (192.168.2.1) from 192.168.1.1 : 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=1.11 ms报文结构:外层IP头部的protocol字段是4,再往内就是内层IP头部。
IP GRE隧道
拓扑同ip in ip隧道
IP GRE隧道的配置方式和IP in IP隧道非常相似。只需要加载ip_gre模块,隧道模式改为gre即可。
vm1上配置
ifconfig eth0 192.168.100.1/24
ifconfig eth0:1 192.168.1.1/24
modprobe ipip
modprobe ip_gre
ip tunnel add tun0 mode gre remote 192.168.100.2 local 192.168.100.1 ttl 64
ip link set tun0 up
ip addr add 192.168.3.1/24 peer 192.168.3.2/24 dev tun0
ip route add 192.168.2.0/24 dev tun0
iptables -Fvm2上配置
ifconfig eth0 192.168.100.1/24
ifconfig eth0:1 192.168.2.1/24
modprobe ip_gre
ip tunnel add tun0 mode gre remote 192.168.100.1 local 192.168.100.2 ttl 64
ip link set tun0 up
ip addr add 192.168.3.2/24 peer 192.168.3.1/24 dev tun0
ip route add 192.168.1.0/24 dev tun0
iptables -Fvm1上查看tun0接口状态和路由。
# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.100.1 netmask 255.255.255.0 broadcast 192.168.101.255
inet6 fe80::f816:3eff:feaa:e1fb prefixlen 64 scopeid 0x20<link>
ether fa:16:3e:aa:e1:fb txqueuelen 1000 (Ethernet)
RX packets 19 bytes 2198 (2.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 22 bytes 2428 (2.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
ether fa:16:3e:aa:e1:fb txqueuelen 1000 (Ethernet)
tun0: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1476 #mtu已经考虑了隧道开销为24个字节。
inet 192.168.3.1 netmask 255.255.255.0 destination 192.168.3.2
inet6 fe80::5efe:c0a8:6508 prefixlen 64 scopeid 0x20<link>
unspec C0-A8-65-08-00-00-C0-6F-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1 bytes 56 (56.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
# route -n
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.101.1 0.0.0.0 UG 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0这样一来vm1后面的192.168.1.0/24和vm2后面的192.168.2.0/24就可以通过ip gre ip隧道通信了。
Vm1上ping:
# ping -I 192.168.1.1 192.168.2.1
PING 192.168.2.1 (192.168.2.1) from 192.168.1.1 : 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=1.11 ms报文结构:外层IP头部的protocol字段是47,再往内就是GRE头部,GRE头部的protocol type是0x0800,再往内是内层IP头部。
vxlan隧道
拓扑仍然同ip in ip隧道
vm1上配置
ifconfig eth0 192.168.100.1/24
ifconfig eth0:1 192.168.1.1/24
# id是指vni。两侧的vni要相同。
ip link add vxlan0 type vxlan id 1 dstport 4789 192.168.100.2 local 192.168.100.1 ttl 64
ifconfig vxlan0 mtu 1450 #缺省vxlan0接口mtu和vm的eth0的mtu值相同,这样会因为分片导致吞吐量降低。vxlan隧道开销是50个字节,所以这里mtu设置为1500-50=1450。
ip link set vxlan0 up
ip addr add 192.168.3.1/24 peer 192.168.3.2/24 dev vxlan0
ip route add 192.168.2.0/24 dev vxlan0
iptables -Fvm2上配置
ifconfig eth0 192.168.100.1/24
ifconfig eth0:1 192.168.2.1/24
ip link add vxlan0 type vxlan id 1 dstport 4789 remote 192.168.100.1 local 192.168.100.2
ifconfig vxlan0 mtu 1450
ip link set vxlan0 up
ip addr add 192.168.3.2/24 peer 192.168.3.1/24 dev vxlan0
ip route add 192.168.1.0/24 dev vxlan0
iptables -Fvm1上查看接口状态和路由:
# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.100.1 netmask 255.255.255.0 broadcast 192.168.101.255
inet6 fe80::f816:3eff:fe37:6481 prefixlen 64 scopeid 0x20<link>
ether fa:16:3e:37:64:81 txqueuelen 1000 (Ethernet)
RX packets 20 bytes 2506 (2.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 24 bytes 2708 (2.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
ether fa:16:3e:37:64:81 txqueuelen 1000 (Ethernet)
vxlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450
inet 192.168.3.1 netmask 255.255.255.0 broadcast 0.0.0.0
inet6 fe80::64:78ff:fe25:44f4 prefixlen 64 scopeid 0x20<link>
ether 02:64:78:25:44:f4 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3 bytes 224 (224.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
# route -n
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.101.1 0.0.0.0 UG 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 vxlan0
192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 vxlan0
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0这样一来vm1后面的192.168.1.0/24和vm2后面的192.168.2.0/24就可以通过vxlan隧道通信了。
Vm1上ping:
# ping -I 192.168.1.1 192.168.2.1
PING 192.168.2.1 (192.168.2.1) from 192.168.1.1 : 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=1.11 ms报文结构:
VXLAN报文的封装格式为:在原始二层数据帧外添加VXLAN头、UDP头、IP头和以太头。其中,UDP目的端口号为4789,表明内层是VXLAN头。
本文章为转载内容,我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题,欢迎原作者联系我们进行内容更正或删除文章。
