Getting Started with Open vSwitch: Configuring Port Mirroring Using OVS

Foreword

When you need to see the traffic of a virtual network device without interfering with the packets it sends and receives, port mirroring is a good choice. Port mirroring copies the packets that pass through a designated port (the mirrored port) to another designated port (the observing port). Inspecting the packets that arrive at the observing port, with tcpdump or an IDS for example, shows what is really happening on the virtual network while nothing sits inline.

OVS provides commands to create and delete port mirrors. Let's try them out.

How to use

Port mirroring type

A mirror has two parts: the mirror source, which decides which packets are selected, and the mirror destination, which decides where the copies go.

Mirror source
  • select_all: boolean (true, false). When true, every packet on the bridge is selected.
  • select_dst_port: set of Port references. Selects packets whose output port is this one, i.e. the traffic delivered to the device behind the port.
  • select_src_port: set of Port references. Selects packets that arrive on this port, i.e. the traffic sent by the device behind the port.
  • select_vlan: set of integers (0-4095). Selects packets carrying one of these VLAN tags.
Mirror destination
  • output_port: Port reference. The observing port that receives the copies (SPAN). OVS reserves this port for mirroring: nothing but mirrored copies is forwarded to it, and any frame received on it is discarded.
  • output_vlan: integer (1-4095). Instead of a single port, the copies are tagged with this VLAN and sent out every port that carries it (RSPAN). The copy's original VLAN tag, if it had one, is replaced, so it is lost.
Exactly one of output_port and output_vlan must be set.

Basic Operation Commands

Add port mirroring

ovs-vsctl -- set Bridge <bridge_name> mirrors=@m \
 -- --id=@<port0> get Port <port0> \
 -- --id=@<port1> get Port <port1> \
 -- --id=@m create Mirror name=<mirror_name> select-dst-port=@<port0> select-src-port=@<port0> output-port=@<port1>

The --id=@<port0> and --id=@<port1> clauses bind the UUIDs of the two Port records to names that the create clause references: <port0> is the mirrored port, <port1> the observing port. The command prints the UUID of the new Mirror record; keep it if you want to remove the mirror by UUID later.

Delete port mirroring

ovs-vsctl remove Bridge <bridge-name> mirrors <mirror-id>

Add a mirror source to an existing mirror

# Get the UUID of the port
ovs-vsctl get Port <port_name> _uuid

# Add the port to the selection sets of the existing mirror (the Mirror record is addressed by its name)
ovs-vsctl add Mirror <mirror-name> select_src_port <port-id>
ovs-vsctl add Mirror <mirror-name> select_dst_port <port-id>

Remove a mirror source from an existing mirror

# Get the UUID of the port
ovs-vsctl get Port <port_name> _uuid

# Remove the port from the selection sets of the existing mirror
ovs-vsctl remove Mirror <mirror-name> select_src_port <port-id>
ovs-vsctl remove Mirror <mirror-name> select_dst_port <port-id>

Clear port mirroring

# Remove every mirror from the bridge; Mirror records that are no longer referenced are deleted automatically
ovs-vsctl clear Bridge <bridge-name> mirrors

View port mirroring

ovs-vsctl list Mirror 

Exclude a port from flooding

# Keep the NORMAL action from flooding unknown-unicast and broadcast frames to this port.
# This does not turn off MAC learning; "flood" in place of "no-flood" re-enables flooding.
ovs-ofctl mod-port <bridge-name> <port-name> no-flood
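Once a few mirrors exist it is worth checking what they actually select, because a Mirror record with select_all=true or an output_vlan copies far more than one port's traffic, and a mirror without a destination silently copies nothing. The following script is an added example, not code from the original article or from the OVS project: it parses the `column : value` records printed by ovs-vsctl list Mirror and ovs-vsctl list Port (which also shows how the select_* and output_* columns described above look in the database), resolves the Port UUIDs to names and flags over-broad or destination-less mirrors. The embedded records and their UUIDs are constructed for the demo; with --live the script runs ovs-vsctl on the local host instead, which needs OVS installed and root privileges.

```python
#!/usr/bin/env python3
"""Audit OVS Mirror records: parse `ovs-vsctl list Mirror` / `list Port`
output, resolve Port UUIDs to names and flag over-broad or dead mirrors."""
import re
import subprocess
import sys

UUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")

# Constructed sample output (UUIDs and the second mirror are made up for the demo).
# `ovs-vsctl list` prints one `column : value` line per column, a blank line
# between records, optional columns as a bare value or `[]`, sets as `[a, b]`.
SAMPLE_PORTS = """\
_uuid               : 0f1e2d3c-4b5a-4978-8a6f-1234567890ab
name                : vnet2

_uuid               : 9a8b7c6d-5e4f-4321-b0a9-fedcba987654
name                : vnet1
"""

SAMPLE_MIRRORS = """\
_uuid               : 6c2a9b1e-3f0d-4a7b-9c11-5d2e8f7a1b20
name                : mirror_test
output_port         : 0f1e2d3c-4b5a-4978-8a6f-1234567890ab
output_vlan         : []
select_all          : false
select_dst_port     : [9a8b7c6d-5e4f-4321-b0a9-fedcba987654]
select_src_port     : [9a8b7c6d-5e4f-4321-b0a9-fedcba987654]
select_vlan         : []
statistics          : {tx_bytes=0, tx_packets=0}

_uuid               : 7d3b0c2f-4e1a-4b8c-8d22-6e3f9a0b2c31
name                : tap_all
output_port         : []
output_vlan         : 999
select_all          : true
select_dst_port     : []
select_src_port     : []
select_vlan         : []
statistics          : {tx_bytes=0, tx_packets=0}
"""


def parse_records(text):
    """Split `ovs-vsctl list` output into one {column: raw value} dict per record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        column, _, value = line.partition(":")
        current[column.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def unquote(value):
    """ovs-vsctl quotes strings that are not plain identifiers; strip the quotes."""
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def port_names(ports_text):
    """Map Port _uuid -> port name."""
    return {rec["_uuid"]: unquote(rec["name"]) for rec in parse_records(ports_text)}


def audit_mirrors(mirrors_text, ports_text):
    """Describe each mirror in terms of port names and attach warnings."""
    names = port_names(ports_text)
    results = []
    for rec in parse_records(mirrors_text):
        def ports(column):
            return sorted(names.get(u, u) for u in UUID_RE.findall(rec.get(column, "")))

        out_vlan = re.findall(r"\d+", rec.get("output_vlan", "[]"))
        mirror = {
            "name": unquote(rec.get("name", "")),
            "select_all": rec.get("select_all") == "true",
            "src_ports": ports("select_src_port"),
            "dst_ports": ports("select_dst_port"),
            "vlans": [int(v) for v in re.findall(r"\d+", rec.get("select_vlan", "[]"))],
            "output_port": (ports("output_port") or [None])[0],
            "output_vlan": int(out_vlan[0]) if out_vlan else None,
            "warnings": [],
        }
        if mirror["select_all"]:
            mirror["warnings"].append("select_all=true: every packet on the bridge is copied")
        elif not (mirror["src_ports"] or mirror["dst_ports"] or mirror["vlans"]):
            mirror["warnings"].append("no selection criteria: the mirror copies nothing")
        if mirror["output_vlan"] is not None:
            mirror["warnings"].append(f"output_vlan={mirror['output_vlan']}: copies leave on "
                                      "every port carrying that VLAN (RSPAN), not one observing port")
        if mirror["output_port"] is None and mirror["output_vlan"] is None:
            mirror["warnings"].append("no output_port or output_vlan: copies are dropped")
        results.append(mirror)
    return results


def ovs_vsctl_list(table):
    """Run ovs-vsctl on the local host (needs OVS installed and root privileges)."""
    return subprocess.run(["ovs-vsctl", "list", table], check=True,
                          capture_output=True, text=True).stdout


def main(argv):
    live = "--live" in argv
    mirrors_text = ovs_vsctl_list("Mirror") if live else SAMPLE_MIRRORS
    ports_text = ovs_vsctl_list("Port") if live else SAMPLE_PORTS
    for m in audit_mirrors(mirrors_text, ports_text):
        scope = "ALL" if m["select_all"] else f"src={m['src_ports']} dst={m['dst_ports']} vlan={m['vlans']}"
        print(f"{m['name']}: {scope} -> {m['output_port'] or 'vlan ' + str(m['output_vlan'])}")
        for warning in m["warnings"]:
            print(f"  WARNING: {warning}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run without arguments to audit the constructed sample; the sample's mirror_test record matches the mirror created in the experiment below (vnet1 in both selection sets, vnet2 as output port) and produces no warning, while the made-up tap_all record is flagged twice. Running it with --live on a host periodically, and alerting on any mirror you did not create, is a cheap check that nobody with ovsdb access has quietly tapped a bridge.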

Experiment

Experimental topology

The lab topology consists of one bridge and three internal ports; each port is moved into its own network namespace so that it behaves like a separate host.

# add bridge
ovs-vsctl add-br br-int
# Add three internal ports
ovs-vsctl add-port br-int vnet0 -- set Interface vnet0 type=internal
ovs-vsctl add-port br-int vnet1 -- set Interface vnet1 type=internal
ovs-vsctl add-port br-int vnet2 -- set Interface vnet2 type=internal
# add three netns
ip netns add ns0
ip netns add ns1
ip netns add ns2
# Move internal ports into netns separately
ip link set vnet0 netns ns0
ip link set vnet1 netns ns1
ip link set vnet2 netns ns2

# Start the port and configure the IP
ip netns exec ns0 ip link set lo up
ip netns exec ns0 ip link set vnet0 up
ip netns exec ns0 ip addr add 10.0.0.1/24 dev vnet0

ip netns exec ns1 ip link set lo up
ip netns exec ns1 ip link set vnet1 up
ip netns exec ns1 ip addr add 10.0.0.2/24 dev vnet1
# Note: vnet2 is only brought up and gets no IP address, because ns2 only observes the mirrored traffic
ip netns exec ns2 ip link set lo up
ip netns exec ns2 ip link set vnet2 up

# Mirror everything vnet1 sends or receives to the observing port vnet2
ovs-vsctl -- set Bridge br-int mirrors=@m \
 -- --id=@vnet1 get Port vnet1 \
 -- --id=@vnet2 get Port vnet2 \
 -- --id=@m create Mirror name=mirror_test select-dst-port=@vnet1 select-src-port=@vnet1 output-port=@vnet2

Test

Execute the following command to generate traffic

ip netns exec ns0 ping 10.0.0.2

Open another terminal and run the following command to capture packets

ip netns exec ns2 tcpdump -i vnet2

tcpdump must be installed for this step.

Output

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vnet2, link-type EN10MB (Ethernet), capture size 262144 bytes
22:26:31.140974 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 4599, seq 23, length 64
22:26:31.140996 IP 10.0.0.2 > 10.0.0.1: ICMP echo reply, id 4599, seq 23, length 64
22:26:32.141066 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 4599, seq 24, length 64
22:26:32.141085 IP 10.0.0.2 > 10.0.0.1: ICMP echo reply, id 4599, seq 24, length 64
22:26:33.141066 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 4599, seq 25, length 64
22:26:33.141108 IP 10.0.0.2 > 10.0.0.1: ICMP echo reply, id 4599, seq 25, length 64
22:26:34.141044 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 4599, seq 26, length 64
22:26:34.141062 IP 10.0.0.2 > 10.0.0.1: ICMP echo reply, id 4599, seq 26, length 64
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel

Both directions of the ping appear on vnet2 even though ns2 has no IP address and never takes part in the conversation: the echo requests are selected because vnet1 is their destination port (select-dst-port), and the replies because vnet1 is their source port (select-src-port). Because vnet2 is the mirror's output port, it receives nothing but these copies.

Clean up the lab environment

ip netns del ns0
ip netns del ns1
ip netns del ns2

ovs-vsctl del-br br-int

This article was first published on my WeChat official account: I am in the opposite corner.
Follow it to be notified of new posts.

Tags: ovs

Posted by vyb3 on Fri, 03 Jun 2022 16:20:28 +0530