VLAN Overview

A Virtual Local Area Network (VLAN, also written V-LAN) is a network-management technique built on LAN switching: by controlling the switch, an administrator steers the packets entering and leaving the LAN to the correct ports, so that devices on different physical LANs can be grouped and managed logically. This reduces the congestion caused by large numbers of useless packets when traffic volume in the LAN is high, and improves the LAN's security. In short, a VLAN groups devices at different locations into virtual LANs (it partitions the broadcast domain), which simplifies management.

Goal of this post

Place one host network interface and an interface inside a network namespace (netns) in the same VLAN, so that the host and the netns communicate within that VLAN.

Environment

VM: Debian 10

Netns:

root@YoungDebian:~# ip netns ls
net1 (id: 0)

Veth pair:

root@YoungDebian:~# ifconfig 
veth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.1 netmask 255.255.255.0 broadcast 10.0.0.255
inet6 fe80::c028:efff:feb3:b9e4 prefixlen 64 scopeid 0x20<link>
ether c2:28:ef:b3:b9:e4 txqueuelen 1000 (Ethernet)
RX packets 15 bytes 1202 (1.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 40 bytes 4891 (4.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

root@YoungDebian:~# ip netns exec net1 ifconfig
veth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.2 netmask 255.255.255.0 broadcast 10.0.0.255
inet6 fe80::e400:36ff:fefd:38e6 prefixlen 64 scopeid 0x20<link>
ether e6:00:36:fd:38:e6 txqueuelen 1000 (Ethernet)
RX packets 46 bytes 5419 (5.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 17 bytes 1342 (1.3 KiB)

Install vconfig

root@YoungDebian:~# apt-get install vlan

Load the 802.1Q module and confirm it is loaded

root@YoungDebian:~# modprobe 8021q
root@YoungDebian:~# lsmod | grep -i 8021q
8021q 40960 0
garp 16384 1 8021q
mrp 20480 1 8021q

Configure the VLAN on the veth pair (tag 100)

root@YoungDebian:~# vconfig add veth0 100
root@YoungDebian:~# ifconfig veth0.100 192.168.1.100/24 up
root@YoungDebian:~# route add 192.168.1.101 dev veth0.100
root@YoungDebian:~# ip netns exec net1 vconfig add veth1 100
root@YoungDebian:~# ip netns exec net1 ifconfig veth1.100 192.168.1.101/24 up
root@YoungDebian:~# ip netns exec net1 route add 192.168.1.100 dev veth1.100

Test connectivity

Terminal 1:

root@YoungDebian:~# ping -vI veth0.100 192.168.1.101
PING 192.168.1.101 (192.168.1.101) from 192.168.1.100 veth0.100: 56(84) bytes of data.
64 bytes from 192.168.1.101: icmp_seq=1 ttl=64 time=0.080 ms
64 bytes from 192.168.1.101: icmp_seq=2 ttl=64 time=0.073 ms
64 bytes from 192.168.1.101: icmp_seq=3 ttl=64 time=0.089 ms
64 bytes from 192.168.1.101: icmp_seq=4 ttl=64 time=0.109 ms
^C
--- 192.168.1.101 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 77ms
rtt min/avg/max/mdev = 0.073/0.087/0.109/0.017 ms

Terminal 2:

root@YoungDebian:~# tcpdump -i veth0 -v -e 
tcpdump: listening on veth0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:40:56.202264 c2:28:ef:b3:b9:e4 (oui Unknown) > e6:00:36:fd:38:e6 (oui Unknown), ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 54754, offset 0, flags [DF], proto ICMP (1), length 84)
YoungDebian > 192.168.1.101: ICMP echo request, id 3352, seq 1, length 64
22:40:56.202313 e6:00:36:fd:38:e6 (oui Unknown) > c2:28:ef:b3:b9:e4 (oui Unknown), ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 38346, offset 0, flags [none], proto ICMP (1), length 84)
192.168.1.101 > YoungDebian: ICMP echo reply, id 3352, seq 1, length 64
22:40:57.227785 c2:28:ef:b3:b9:e4 (oui Unknown) > e6:00:36:fd:38:e6 (oui Unknown), ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 54795, offset 0, flags [DF], proto ICMP (1), length 84)

The capture on the parent interface veth0 shows 802.1Q frames (ethertype 0x8100) carrying vlan 100, so veth0.100 on the host and veth1.100 in the netns are communicating successfully over tag 100.
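As an added example that is not part of the original post, the same setup expressed with iproute2 (vconfig, ifconfig and route are deprecated on current Debian), plus a small check that frames captured on the parent interface really carry the expected 802.1Q tag, which is the quickest way to spot a subinterface that ended up sending untagged traffic. Interface names, addresses and tag 100 come from the post; the function names, the `apply` argument and the untagged sample line are my own constructions.

```shell
#!/bin/sh
# Added example, not the original post's commands. Reproduces the post's VLAN
# setup with iproute2 (vconfig/ifconfig/route are deprecated) and checks that
# frames captured on the parent interface carry the expected 802.1Q tag.
# Assumed: veth0 in the host, veth1 in netns "net1", tag 100 (all from the post).
set -eu

# Print the iproute2 equivalents of "vconfig add PARENT VID" + ifconfig + route.
# $1 parent interface, $2 address/prefix, $3 VLAN id, $4 peer address.
vlan_setup_cmds() {
    parent=$1; addr=$2; vid=$3; peer=$4
    printf '%s\n' \
        "ip link add link $parent name $parent.$vid type vlan id $vid" \
        "ip addr add $addr dev $parent.$vid" \
        "ip link set $parent.$vid up" \
        "ip route add $peer dev $parent.$vid"
}

# Extract the VLAN id from one "tcpdump -e" summary line; "untagged" if none.
vlan_id_of() {
    case $1 in
        *"ethertype 802.1Q (0x8100)"*) printf '%s\n' "$1" | sed -n 's/.*vlan \([0-9]*\),.*/\1/p' ;;
        *) echo untagged ;;
    esac
}

# Return 0 only if every given capture line is tagged with VLAN id $1.
capture_all_tagged() {
    expected=$1; shift
    for line in "$@"; do
        [ "$(vlan_id_of "$line")" = "$expected" ] || return 1
    done
    return 0
}

# Constructed sample lines: the first is the tagged frame from the post's capture,
# the second is a hypothetical untagged frame that should fail the check.
TAGGED='22:40:56.202264 c2:28:ef:b3:b9:e4 (oui Unknown) > e6:00:36:fd:38:e6 (oui Unknown), ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 54754, offset 0, flags [DF], proto ICMP (1), length 84)'
UNTAGGED='22:41:00.000000 c2:28:ef:b3:b9:e4 (oui Unknown) > e6:00:36:fd:38:e6 (oui Unknown), ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto ICMP (1), length 84)'

# Apply the configuration only on request (needs root): host side, then netns side.
if [ "${1:-}" = apply ]; then
    vlan_setup_cmds veth0 192.168.1.100/24 100 192.168.1.101 | sh -e
    vlan_setup_cmds veth1 192.168.1.101/24 100 192.168.1.100 | sed 's/^/ip netns exec net1 /' | sh -e
fi
```

Run it as `sh vlan.sh apply` as root to configure both sides; feed it lines from `tcpdump -i veth0 -e` (for example `capture_all_tagged 100 "$line"`) to confirm every frame on the parent interface is tagged 100.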

Postscript

  • This post is a simple hands-on VLAN exercise; simulations of more complex scenarios can be added later.
  • Happy New Year!