Virtual network management for KVM

1. Linux Bridge management

Multiple virtual machines are attached to one bridge. The virtual machines can communicate with each other, and at the same time every virtual machine can reach the external network.

Bridge management for KVM can be done with the brctl command:

[root@localhost ~]# brctl
.......
        addbr           <bridge>                add bridge                      #Bridge
        delbr           <bridge>                delete bridge
        addif           <bridge> <device>       add interface to bridge         #Port
        delif           <bridge> <device>       delete interface from bridge
        hairpin         <bridge> <port> {on|off} turn hairpin on/off
        setageing       <bridge> <time>         set ageing time
        setbridgeprio   <bridge> <prio>         set bridge priority
        setfd           <bridge> <time>         set bridge forward delay
        sethello        <bridge> <time>         set hello time
        setmaxage       <bridge> <time>         set max message age
        setpathcost     <bridge> <port> <cost>  set path cost
        setportprio     <bridge> <port> <prio>  set port priority
        show            [ <bridge> ]            show a list of bridges
        showmacs        <bridge>                show a list of mac addrs
        showstp         <bridge>                show bridge stp info
        stp             <bridge> {on|off}       turn stp on/off
[root@localhost ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.0050562266e7       no              ens33
virbr0          8000.5254009483b2       yes             virbr0-nic

2. VLAN

A LAN (Local Area Network) usually uses hubs and switches to connect its computers. Generally speaking, when two computers are connected to the same hub or switch, they are in the same LAN.

A LAN is a broadcast domain: every member of the LAN receives a broadcast packet sent by any other member.

VLAN stands for Virtual LAN. A switch with VLAN support can divide its ports into several LANs. A broadcast packet from a computer is received by the other computers in the same VLAN, but not by computers in other VLANs. In short, a VLAN divides one switch into several logical switches, limits the scope of broadcasts, and isolates computers in different VLANs from each other at layer 2.

For example, take two groups of machines, group A and group B. We want the machines in group A to reach each other and the machines in group B to reach each other, but no machine in A to reach a machine in B. One way is to use two switches, with A and B each connected to their own switch. Another is to use a switch with VLAN support and put the machines of A and B into different VLANs.

VLAN isolation is isolation at layer 2. When A and B cannot reach each other, it means that layer 2 broadcast packets (such as ARP) cannot cross the VLAN boundary. At layer 3 (such as IP), A and B can still communicate through a router.

Nowadays almost all switches support VLANs. A switch port is generally configured in one of two modes, Access or Trunk, described below.

Access port

An access port allows only one VLAN to pass through. The port is tagged with a VLAN, indicating which VLAN it belongs to. Different VLANs are distinguished by their VLAN ID; the range of VLAN IDs is 1-4096. An access port is connected directly to a computer's network card, so packets coming from the network card flow into the access port and are tagged with its VLAN. An access port can belong to only one VLAN.

Trunk

Suppose there are two switches, A and B. A has VLAN1 (red), VLAN2 (yellow) and VLAN3 (blue), and B has VLAN1, 2 and 3 as well. How can the same VLAN on A and B communicate?

The method is to connect A and B, and the port connecting them must allow traffic of VLANs 1, 2 and 3 to pass. Such a port is a trunk port. Packets from VLAN1, 2 and 3 keep their own VLAN tags when they arrive at the other switch through the trunk port.

A trunk port can allow multiple VLANs to pass through.

3. How VLANs work on a Linux Bridge

With physical devices, the machines are connected to switches: access ports on the switch connect the different VLANs, trunk ports connect the switches to each other, and the physical machines are cabled directly to these switches. On a KVM host, as shown in the figure below, a virtual interface eth0.10 is created on the host's physical network card; this virtual interface is the VLAN device, and it is attached to a virtual bridge, to which the virtual machine is connected through its virtual network card vnet0. Unlike the physical connection mode, a VLAN on KVM must have a virtual network card and network

Similarly, for multiple virtual machines, multiple VLAN interfaces are required on the physical network card.

4. Implementing VLANs with Linux Bridge

1> Check whether the kernel provides VLAN support

Check with the dmesg command whether there are any 802-related messages, and check whether the /proc/net/vlan directory exists. If VLAN support is not available, the directory does not exist.

[root@localhost ~]# dmesg | grep -i 802
[    0.380228] pci 0000:00:11.0: PCI bridge to [bus 02] (subtractive decode)
[    0.380255] pci 0000:00:11.0:   bridge window [io  0x2000-0x3fff]
[    0.380281] pci 0000:00:11.0:   bridge window [mem 0xfd500000-0xfdffffff]
[    0.580240] pci 0000:00:17.6: bridge window [io  0x1000-0x0fff] to [bus 19] add_size 1000
[    1.221802] pcieport 0000:00:15.7: irq 32 for MSI/MSI-X
[    1.228025] pciehp 0000:00:18.5:pcie04: Slot #261 AttnBtn+ PwrCtrl+ MRL- AttnInd- PwrInd- HotPlug+ Surprise- Interlock- NoCompl+ LLActRep+
[    1.249802] hp_sw: device handler registered
[    2.917802] systemd[1]: Inserted module 'ip_tables'

If the 8021q module is not loaded, load it with the modprobe command, then use lsmod to check whether the module is loaded into the kernel.

[root@localhost ~]# modprobe 8021q
[root@localhost ~]# lsmod | grep 8021q
8021q                  33104  0
garp                   14384  1 8021q
mrp                    18542  1 8021q
[root@localhost ~]#

Load the 8021q module at boot (optional)

Add a file 8021q.modules under /etc/sysconfig/modules with the content modprobe 8021q:

vim /etc/sysconfig/modules/8021q.modules
modprobe 8021q

2> Install the VLAN management tool vconfig

[root@localhost ~]# rz

[root@localhost ~]# ls
vconfig-1.9-16.el7.x86_64.rpm
[root@localhost ~]# yum localinstall vconfig-1.9-16.el7.x86_64.rpm -y

3> Create VLAN interfaces

Before creating a VLAN interface, add a network card to the machine and configure it as static. The VLANs are set up on the network card ens37.

Add an adapter

[root@localhost ~]# cd /etc/sysconfig/network-scripts/
[root@localhost network-scripts]# ls
[root@localhost network-scripts]# nmtui


Modify the network card configuration file

[root@localhost ~]# cd /etc/sysconfig/network-scripts/
[root@localhost network-scripts]# vim ifcfg-ens37
BOOTPROTO=static                                              #Only change this line
[root@localhost network-scripts]# systemctl restart network   #Because no IP address can be obtained, the restart may fail. Since the network card is only used to carry VLANs, it does not matter if it does not come up
[root@localhost ~]# ip a
....
9: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:cc:05:06 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::4d27:24e8:e097:435c/64 scope link
       valid_lft forever preferred_lft forever
......

Add the VLANs with the command vconfig add

[root@localhost ~]# vconfig add ens37 10
Added VLAN with VID == 10 to IF -:ens37:-
[root@localhost ~]# ip a
..
11: ens37.10@ens37: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:0c:29:cc:05:06 brd ff:ff:ff:ff:ff:ff
.....
[root@localhost ~]# vconfig add ens37 20
Added VLAN with VID == 20 to IF -:ens37:-

Configure the two VLAN ports and attach them to the bridges brvlan-10 and brvlan-20

[root@localhost network-scripts]# cp ifcfg-ens37 ifcfg-ens37.10
[root@localhost network-scripts]# vim ifcfg-ens37.10
VLAN=yes
TYPE=vlan
PHYSDEV=ens37
VLAN_ID=10
NAME=ens37.10
ONBOOT=yes
ZONE=trusted
DEVICE=ens37.10
BRIDGE=brvlan-10
[root@localhost network-scripts]# cp ifcfg-ens37.10 ifcfg-ens37.20
[root@localhost network-scripts]# vim ifcfg-ens37.20
VLAN=yes
TYPE=vlan
PHYSDEV=ens37
VLAN_ID=10
NAME=ens37.10
ONBOOT=yes
ZONE=trusted
DEVICE=ens37.10
BRIDGE=brvlan-10
:%s/10/20/g

//result:
VLAN=yes
TYPE=vlan
PHYSDEV=ens37
VLAN_ID=20
NAME=ens37.20
ONBOOT=yes
ZONE=trusted
DEVICE=ens37.20
BRIDGE=brvlan-20

Add the two bridges

[root@localhost ~]# brctl addbr brvlan-10
[root@localhost ~]# brctl addbr brvlan-20

Configure the bridges

[root@localhost network-scripts]# vim ifcfg-brvlan-10
TYPE=bridge
BOOTPROTO=static
NAME=brvlan-10
DEVICE=brvlan-10
ONBOOT=yes
[root@localhost network-scripts]# vim ifcfg-brvlan-20
TYPE=bridge
BOOTPROTO=static
NAME=brvlan-20
DEVICE=brvlan-20
ONBOOT=yes

Attach bridge brvlan-10 to the port ens37.10 and brvlan-20 to the port ens37.20 with the command brctl addif

[root@localhost network-scripts]# brctl addif brvlan-10 ens37.10
[root@localhost network-scripts]# brctl addif brvlan-20 ens37.20

Restart the network and check:

[root@localhost network-scripts]# systemctl stop NetworkManager
[root@localhost network-scripts]# systemctl restart network
[root@localhost network-scripts]# ip a
11: ens37.10@ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master brvlan-10 state UP qlen 1000
    link/ether 00:0c:29:cc:05:06 brd ff:ff:ff:ff:ff:ff
12: ens37.20@ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master brvlan-20 state UP qlen 1000
    link/ether 00:0c:29:cc:05:06 brd ff:ff:ff:ff:ff:ff
13: brvlan-10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 00:0c:29:cc:05:06 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::20c:29ff:fecc:506/64 scope link
       valid_lft forever preferred_lft forever
14: brvlan-20: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 00:0c:29:cc:05:06 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::20c:29ff:fecc:506/64 scope link
       valid_lft forever preferred_lft forever
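Generating the two VLAN configuration files from parameters, and checking from "ip -o link" output that each VLAN interface really has its bridge as master, as an added example that is not part of the original post. The interface and bridge names are the post's, "ip -o link" is the one-line-per-interface form of the "ip a" output shown above, and the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): build the ifcfg files for a
# VLAN sub-interface and its bridge from parameters instead of copying
# ifcfg-ens37.10 and running ":%s/10/20/g", which rewrites every "10" in the
# file, then confirm from "ip -o link" output that each VLAN interface is UP
# and enslaved to the intended bridge. Interface and bridge names are the post's.

# gen_vlan_ifcfg PHYSDEV VLAN_ID BRIDGE -> content of ifcfg-PHYSDEV.VLAN_ID
gen_vlan_ifcfg() {
    case $2 in ''|*[!0-9]*) echo "VLAN ID must be numeric" >&2; return 1 ;; esac
    # 802.1Q carries a 12-bit VID; 0 and 4095 are reserved, so 1-4094 is usable.
    if [ "$2" -lt 1 ] || [ "$2" -gt 4094 ]; then
        echo "VLAN ID $2 out of range 1-4094" >&2; return 1
    fi
    # ZONE=trusted mirrors the post; it exempts the interface from firewalld
    # filtering, so choose a stricter zone unless that is really intended.
    printf 'VLAN=yes\nTYPE=vlan\nPHYSDEV=%s\nVLAN_ID=%s\nNAME=%s.%s\nONBOOT=yes\nZONE=trusted\nDEVICE=%s.%s\nBRIDGE=%s\n' \
        "$1" "$2" "$1" "$2" "$1" "$2" "$3"
}

# gen_bridge_ifcfg BRIDGE -> content of ifcfg-BRIDGE (no IP address: the bridge
# only switches frames between the VLAN interface and the VMs attached to it)
gen_bridge_ifcfg() {
    printf 'TYPE=Bridge\nBOOTPROTO=static\nNAME=%s\nDEVICE=%s\nONBOOT=yes\n' "$1" "$1"
}

# vlan_is_enslaved IFACE BRIDGE: read "ip -o link" output on stdin and succeed
# only if IFACE carries the UP flag and reports "master BRIDGE".
vlan_is_enslaved() {
    ifc=$(printf '%s' "$1" | sed 's/\./\\./g')   # make the dot in ens37.10 literal
    grep -Eq "^[0-9]+: ${ifc}(@[^ :]+)?: <([^>]*,)?UP(,[^>]*)?>.* master $2 "
}

# Constructed sample in "ip -o link" form (one line per interface), taken from
# the post's "ip a" output: ens37.10 is attached, ens37.20 is still down.
SAMPLE_IP_LINK='11: ens37.10@ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master brvlan-10 state UP qlen 1000\    link/ether 00:0c:29:cc:05:06 brd ff:ff:ff:ff:ff:ff
12: ens37.20@ens37: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN qlen 1000\    link/ether 00:0c:29:cc:05:06 brd ff:ff:ff:ff:ff:ff'

# Demo: write the VLAN 10 and 20 files to a scratch directory (not to
# /etc/sysconfig/network-scripts) and check both interfaces against the sample.
tmp=$(mktemp -d)
for vid in 10 20; do
    gen_vlan_ifcfg ens37 "$vid" "brvlan-$vid" > "$tmp/ifcfg-ens37.$vid"
    gen_bridge_ifcfg "brvlan-$vid" > "$tmp/ifcfg-brvlan-$vid"
    if printf '%s\n' "$SAMPLE_IP_LINK" | vlan_is_enslaved "ens37.$vid" "brvlan-$vid"; then
        echo "ens37.$vid is UP with master brvlan-$vid"
    else
        echo "ens37.$vid is not attached to brvlan-$vid (restart the network and re-check)"
    fi
done
rm -rf "$tmp"
```

On a real host, "ip -o link | vlan_is_enslaved ens37.10 brvlan-10" after the restart gives the same check against live state.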

4> Clone a virtual machine

Two virtual machines are used in the experiment, but since the host 192.168.16.3 has only one virtual machine, CentOS 7.0, one more must be cloned for the rest of the experiment.

There are two ways to clone a virtual machine: directly from the graphical interface, or from the command line with virt-clone.

1) Clone from the graphical interface

Shut down the virtual machine to be cloned, then right-click it and choose clone.

2) Clone from the command line

Install the virt tools:

[root@localhost ~]# mount /dev/cdrom /mnt
mount: /dev/sr0 Write protected, will be mounted read-only
[root@localhost ~]# yum install virt* -y

Clone:

[root@localhost ~]# virt-clone -o centos7.0 -n vm2 -f /var/lib/libvirt/vm2.qcow2
//Successfully cloned 'vm2'.

Check:

[root@localhost ~]# virsh list --all
 Id    name                         state
----------------------------------------------------
 -     centos7.0                      close
 -     vm1                            close
 -     vm2                            close

5> Connect the virtual machines to the bridges

vm1 to brvlan-10, vm2 to brvlan-20

6> Start the two virtual machines. At this point the framework has been set up.

7> Test whether the two virtual machines can communicate

To be able to test, manually set IP addresses on the two virtual machines:

vm1: 10.10.10.10; vm2: 10.10.10.20

At this point the two virtual machines cannot reach each other, because brvlan-10 and brvlan-20 are not in the same network segment; put them in the same network segment and test again.

If the two virtual machines need to reach the Internet, they only need an additional network card.

Because the configuration file /etc/resolv.conf contains the name resolver settings, Baidu can be reached.

5. Network card bonding

1>

Network card bonding, also called network card bundling, binds two or more physical network cards into one virtual network card. Bonding is a common technique in application deployment: by binding several network cards into one logical card it provides redundancy, bandwidth expansion and load balancing for the host's network connection.

In practice multi-card bonding needs an additional software component, the bond driver. The driver hides the individual network cards: to the TCP/IP layer there is only one bond network card. The bond driver implements load balancing of network traffic, that is, a network request is directed to different network cards, which improves overall network availability.

2> Purpose of network card bonding

Increase the throughput of the network card.

Improve the availability of the network and realize load balancing at the same time.

3> Bonding modes of the network card:

1) mode=0 (balance-rr): round-robin load sharing, a balanced polling policy with both load balancing and fault tolerance;

The MAC address of the bond is the MAC address of the currently active network card (bond0). The switch must be configured for link aggregation to bind the network cards into one link.

2) mode=1 (active-backup): active/standby mode with fault tolerance. Only one network card is active and the other is standby. If the switch is configured with bundling, it will not work correctly, because the switch sends packets to both network cards and half of them are discarded.

3) mode=2 (balance-xor): XOR hash load sharing (exclusive-or balancing policy), with load balancing and fault tolerance. Each slave interface transmits packets, and the switch's aggregation must be forced rather than negotiated (xmit_hash_policy required).

4) mode=3 (broadcast): all packets are sent out of all interfaces. The broadcast policy has fault tolerance but no balancing, only redundancy, and the switch's aggregation must be forced rather than negotiated.

5) mode=4 (802.3ad): supports the 802.3ad protocol (IEEE 802.3ad dynamic link aggregation) and requires the switch's aggregation to be in LACP mode (xmit_hash_policy required).

6) mode=5 (balance-tlb): adaptive transmit load balancing. It can balance the transmit load and send in parallel, but cannot receive in parallel, which removes the bottleneck on the transmit side. The slave for sending is chosen according to each slave's load; the current slave receives.

7) mode=6 (balance-alb): adds rlb (receive load balancing) to the tlb of mode 5. Adaptive load balancing sends and receives packets in parallel.

Modes 5 and 6 need no configuration on the switch side; the network cards aggregate automatically. Mode 4 requires the switch to support 802.3ad. Modes 0, 2 and 3 in theory need static aggregation, but mode 0 can still receive, unevenly, through MAC address spoofing when the switch is not configured.

There are three common types:

mode=0: balanced load mode with automatic backup, but it needs switch support and configuration.

mode=1: automatic backup mode. If one link breaks, the other links take over automatically.

mode=6: load balancing mode with automatic backup, without switch support or configuration.

4> Demonstrate bonding with mode 6 as an example

The experiment needs two hosts, each with five network cards.

1) Add four network cards and clone a host

Network card 1 is set to NAT mode to connect to the external network, and network cards 2-5 are set to host-only mode (vmnet1) for bonding

Clone the virtual machine

2) Tear down the experimental environment

First, unbind the ens37 network card from the Linux bridge experiment

1) Shut down the virtual machines and detach the network ports from the bridges

[root@localhost ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.0050563d215c       no              ens33
brvlan-10       8000.000c2942c3f7       no              ens37.10
brvlan-20       8000.000c2942c3f7       no              ens37.20
virbr0          8000.5254009483b2       yes             virbr0-nic
[root@localhost ~]# brctl delif brvlan-10 ens37.10
[root@localhost ~]# brctl delif brvlan-20 ens37.20
[root@localhost ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.0050563d215c       no              ens33
brvlan-10       8000.000000000000       no
brvlan-20       8000.000000000000       no

2) Delete the bridges

[root@localhost ~]# brctl delbr brvlan-10
bridge brvlan-10 is still up; can't delete it    #Cannot be deleted from the command line while the bridge is still up; delete it through the graphical interface instead
[root@localhost ~]# nmtui

3) Delete the virtual network interfaces

[root@localhost ~]# vconfig rem ens37.10
Removed VLAN -:ens37.10:-
[root@localhost ~]# vconfig rem ens37.20
Removed VLAN -:ens37.20:-

3) Bind ens37, ens38, ens39 and ens40 to bond0

[root@localhost ~]# cd /etc/sysconfig/network-scripts/
[root@localhost network-scripts]# vim ifcfg-ens37
TYPE=Ethernet
BOOTPROTO=none
DEVICE=ens37
ONBOOT=yes
MASTER=bond0
SLAVE=yes

[root@localhost network-scripts]# vim ifcfg-ens38
TYPE=Ethernet
BOOTPROTO=none
DEVICE=ens38
ONBOOT=yes
MASTER=bond0
SLAVE=yes

[root@localhost network-scripts]# vim ifcfg-ens39
TYPE=Ethernet
BOOTPROTO=none
DEVICE=ens39
ONBOOT=yes
MASTER=bond0
SLAVE=yes

[root@localhost network-scripts]# vim ifcfg-ens40
TYPE=Ethernet
BOOTPROTO=none
DEVICE=ens40
ONBOOT=yes
MASTER=bond0
SLAVE=yes

4) Load the bonding module

[root@localhost network-scripts]# modprobe bonding

5) Create the bond0 network card configuration file

[root@localhost network-scripts]# vim ifcfg-bond0
DEVICE=bond0
TYPE=Bond
NAME=bond0
BONDING_MASTER=yes                      #Mark this as the bonding master
BOOTPROTO=static
USERCTL=no
ONBOOT=yes
BONDING_OPTS="mode=6 miimon=100"        #Mode 6; miimon=100 checks the link state of the network cards every 100 ms
BRIDGE=br1

6) Configure the bridge br1

[root@localhost network-scripts]# vim ifcfg-br1
TYPE=Bridge
DEVICE=br1
ONBOOT=yes
BOOTPROTO=static
NAME=br1

7) Create the virtual VLAN interfaces br1.10 and br1.20 on br1

[root@localhost network-scripts]# brctl addbr br1           #Add the bridges
[root@localhost network-scripts]# brctl addbr br2
[root@localhost network-scripts]# vconfig add br1 10        #Add VLAN
Added VLAN with VID == 10 to IF -:br1:-
[root@localhost network-scripts]# vconfig add br1 20
Added VLAN with VID == 20 to IF -:br1:-
[root@localhost network-scripts]# ip a
15: br1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 62:27:26:04:33:2f brd ff:ff:ff:ff:ff:ff
16: br2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 66:1c:df:79:22:3a brd ff:ff:ff:ff:ff:ff
17: br1.10@br1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 62:27:26:04:33:2f brd ff:ff:ff:ff:ff:ff
18: br1.20@br1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 62:27:26:04:33:2f brd ff:ff:ff:ff:ff:ff

8) Create the virtual bridges brvlan-10 and brvlan-20

[root@localhost network-scripts]# brctl addbr brvlan-10
[root@localhost network-scripts]# brctl addbr brvlan-20

9) Connect the virtual bridges to the VLAN interfaces

[root@localhost network-scripts]# brctl addif brvlan-10 br1.10
[root@localhost network-scripts]# brctl addif brvlan-20 br1.20
[root@localhost network-scripts]# brctl show
brvlan-10             8000.62272604332f   no          br1.10
brvlan-20             8000.62272604332f   no          br1.20

10) Configure the virtual VLAN interfaces

[root@localhost network-scripts]# vim ifcfg-br1.10
VLAN=yes
TYPE=vlan
PHYSDEV=br1
VLAN_ID=10
NAME=br1.10
ONBOOT=yes
ZONE=trusted
DEVICE=br1.10
BRIDGE=brvlan-10

[root@localhost network-scripts]# vim ifcfg-br1.20
VLAN=yes
TYPE=vlan
PHYSDEV=br1
VLAN_ID=20
NAME=br1.20
ONBOOT=yes
ZONE=trusted
DEVICE=br1.20
BRIDGE=brvlan-20

11) Configure the virtual bridges

[root@localhost network-scripts]# vim ifcfg-brvlan-10
TYPE=bridge
BOOTPROTO=static
NAME=brvlan-10
DEVICE=brvlan-10
ONBOOT=yes

[root@localhost network-scripts]# vim ifcfg-brvlan-20
TYPE=bridge
BOOTPROTO=static
NAME=brvlan-20
DEVICE=brvlan-20
ONBOOT=yes

12) Restart the network

[root@localhost network-scripts]# systemctl restart network
[root@localhost network-scripts]# ip a
.......
17: br1.10@br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master brvlan-10 state UP qlen 1000
    link/ether 62:27:26:04:33:2f brd ff:ff:ff:ff:ff:ff
18: br1.20@br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master brvlan-20 state UP qlen 1000
    link/ether 62:27:26:04:33:2f brd ff:ff:ff:ff:ff:ff
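Checking the bond after the restart, as an added example that is not part of the original post: the bonding driver exposes /proc/net/bonding/bond0 for every bond, and the functions below parse it to confirm that the mode set in BONDING_OPTS is in effect and that every slave is up. The sample file content is constructed in that file's format for the mode 6 bond configured above.

```shell
#!/bin/sh
# Added example (not from the original post): after "systemctl restart network",
# verify the bond through /proc/net/bonding/bond0, which the bonding driver
# keeps for every bond. The sample content below is constructed in the driver's
# format; only ens37's MAC address comes from the post, the other is made up.

# Map the numeric mode used in BONDING_OPTS to the name the driver reports.
bond_mode_name() {
    case $1 in
        0) echo "load balancing (round-robin)" ;;
        1) echo "fault-tolerance (active-backup)" ;;
        2) echo "load balancing (xor)" ;;
        3) echo "fault-tolerance (broadcast)" ;;
        4) echo "IEEE 802.3ad Dynamic link aggregation" ;;
        5) echo "transmit load balancing" ;;
        6) echo "adaptive load balancing" ;;
        *) return 1 ;;
    esac
}

# bond_mode: print the "Bonding Mode:" value of the proc file read on stdin.
bond_mode() { sed -n 's/^Bonding Mode: //p'; }

# bond_slaves: list the slave interface names, one per line.
bond_slaves() { sed -n 's/^Slave Interface: //p'; }

# bond_down_slaves: list slaves whose own "MII Status" is not "up". The first
# "MII Status" line belongs to the bond itself and is skipped (s is still empty).
bond_down_slaves() {
    awk '/^Slave Interface:/ { s = $3 }
         /^MII Status:/ && s != "" { if ($3 != "up") print s; s = "" }'
}

# bond_check MODE SLAVES: read the proc file on stdin; return 0 only if the bond
# runs in MODE with exactly SLAVES slaves, all up. Problems are reported on stderr.
bond_check() {
    want=$(bond_mode_name "$1") || { echo "unknown bond mode '$1'" >&2; return 2; }
    proc=$(cat); rc=0
    have=$(printf '%s\n' "$proc" | bond_mode)
    [ "$have" = "$want" ] || { echo "mode: want '$want', have '$have'" >&2; rc=1; }
    n=$(printf '%s\n' "$proc" | bond_slaves | wc -l | tr -d ' ')
    [ "$n" -eq "$2" ] || { echo "slaves: expected $2, found $n" >&2; rc=1; }
    for s in $(printf '%s\n' "$proc" | bond_down_slaves); do
        echo "slave $s: MII Status is not up" >&2; rc=1
    done
    return $rc
}

# Constructed sample for a "mode=6 miimon=100" bond with one slave down.
SAMPLE_BOND_PROC='Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: adaptive load balancing
Currently Active Slave: ens37
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: ens37
MII Status: up
Permanent HW addr: 00:0c:29:cc:05:06

Slave Interface: ens38
MII Status: down
Permanent HW addr: 00:0c:29:cc:05:10'

# Demo: the post's bond0 should have four slaves in mode 6; the sample does not.
printf '%s\n' "$SAMPLE_BOND_PROC" | bond_check 6 4 || echo "bond0 is degraded (exit $?)"
```

On the real host, run "bond_check 6 4 < /proc/net/bonding/bond0" after the restart; a non-zero exit means the bond is not in the configured state.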

13) Start the virtual machines and test connectivity

Modify the virtual machines' network card connections.

Ping vm2 from vm1: because vm1 is on brvlan-10 and vm2 is on brvlan-20, they are not in the same network segment and the ping fails.

If vm1 and vm2 are placed in the same VLAN, the two virtual machines can ping each other.

From: https://www.cnblogs.com/ajunyu/p/11073956.html

Posted on Sun, 31 May 2020 19:05:17 -0700 by pointsplat