Monday, October 13, 2014

How to Connect Network Namespaces Using OpenvSwitch and OpenvSwitch Ports

1)
Install OpenvSwitch


#sudo apt-get install openvswitch-switch

2)
Create Namespaces



http://www.opencloudblog.com/?p=66


2a)
Create 2 Namespaces
#sudo ip netns add ns1
#sudo ip netns add ns2


2b)
List all namespaces
#sudo ip netns list

3)
Create an OpenvSwitch


3a)
List all OpenvSwitches
#sudo ovs-vsctl list-br

3b)
Create an OpenvSwitch "my-ov-switch1"
#sudo ovs-vsctl add-br my-ov-switch1

3c)
List all OpenvSwitches
#sudo ovs-vsctl list-br

3d)
List all interfaces in the global namespace and find the OpenvSwitch "my-ov-switch1"
#ifconfig  -a
OR
#ifconfig my-ov-switch1


4)
Create first internal ovs port and attach to namespace "ns1"


4a)
Create an internal ovs port
#sudo ovs-vsctl add-port my-ov-switch1 tap1 -- set Interface tap1 type=internal

4b)
List ports/interfaces in the OpenvSwitch "my-ov-switch1"
#sudo ovs-vsctl list-ports my-ov-switch1

* At this point you can see the port "tap1"

4c)
Check the newly created interface in the global namespace
#sudo ifconfig tap1

* At this point the interface "tap1" does not have an IP address associated with it.

4d)
Attach ovs port "tap1" to namespace "ns1"
#sudo ip link set tap1 netns ns1

* At this point, if you run "#sudo ifconfig tap1" in the global namespace, you will not be able to see the "tap1" interface there.
* Run "#ifconfig -a" in the "ns1" namespace to see the "tap1" interface.
* Example: #sudo ip netns exec ns1 ifconfig -a

4e)
Set the port/interface "tap1" to UP
#sudo ip netns exec ns1 ip link set dev tap1 up
#sudo ip netns exec ns1 ifconfig tap1

* At this point the port/interface "tap1" is in the UP state. The status shows "UP BROADCAST MULTICAST", which means UP.

5)
Create second internal ovs port and attach to namespace "ns2"

5a)

Create an internal ovs port
#sudo ovs-vsctl add-port my-ov-switch1 tap2 -- set Interface tap2 type=internal

5b)
List ports/interfaces in the OpenvSwitch "my-ov-switch1"
#sudo ovs-vsctl list-ports my-ov-switch1

* At this point you can see the ports "tap1" and "tap2"

5c)
Check the newly created interface in the global namespace
#sudo ifconfig tap2

* At this point the interface "tap2" does not have an IP address associated with it.

5d)
Attach ovs port "tap2" to namespace "ns2"
#sudo ip link set tap2 netns ns2

* At this point, if you run "#sudo ifconfig tap2" in the global namespace, you will not be able to see the "tap2" interface there.
* Run "#ifconfig -a" in the "ns2" namespace to see the "tap2" interface.
* Example: #sudo ip netns exec ns2 ifconfig -a

5e)
Set the port/interface "tap2" to UP
#sudo ip netns exec ns2 ip link set dev tap2 up
#sudo ip netns exec ns2 ifconfig tap2


* At this point the port/interface "tap2" is in the UP state. The status shows "UP BROADCAST MULTICAST", which means UP.

6)
Assign IP addresses to the interfaces "tap1" in the namespace "ns1" and "tap2" in the namespace "ns2", and ping from "ns1" to "ns2".


6a)

Assign IP address to the interface "tap1" in the namespace "ns1".
#sudo ip netns exec ns1 ip addr add 10.1.1.4/24 dev tap1

6b)
Assign IP address to the interface "tap2" in the namespace "ns2".
#sudo ip netns exec ns2 ip addr add 10.1.1.5/24 dev tap2

6c)
Check the IP address of the interfaces "tap1" and "tap2"
#sudo ip netns exec ns1 ifconfig -a tap1
#sudo ip netns exec ns2 ifconfig -a tap2


* You should see the IP for the interfaces "tap1" and "tap2"

6d)

Check the routing table in the namespace "ns1" and "ns2"
#sudo ip netns exec ns1 route -n
#sudo ip netns exec ns2 route -n


* You should see the entries for "tap1" and "tap2" in the routing tables of namespaces "ns1" and "ns2" respectively. If you can't see an entry, that means the interface is DOWN.

6e)
Ping from "ns1" to "ns2".
#sudo ip netns exec ns1 ping 10.1.1.5

* Ping should work

7)

7a)

Check the Flow Table of OpenvSwitch "my-ov-switch1"
#sudo ovs-ofctl show my-ov-switch1
#sudo ovs-ofctl dump-tables my-ov-switch1
#sudo ovs-ofctl dump-flows my-ov-switch1


7b)
#sudo ovs-vsctl show

8)
Ping to "173.194.36.16" (www.google.com)


8a)
Ping to "173.194.36.16" (www.google.com) from namespace "ns1"
#sudo ip netns exec ns1 ping 173.194.36.16

* Ping will not work : connect: Network is unreachable

8b)
Capture Ping (ICMP) packets from the OpenvSwitch "my-ov-switch1"
#sudo tshark -i my-ov-switch1 icmp

* We will not get any ICMP packets on the OpenvSwitch "my-ov-switch1", because the packets are dropped inside the namespace "ns1" itself: there is no default gateway (a path for all packets whose destination address is not in the 10.1.1.4/24 network) defined in the routing table of namespace "ns1".

8c)
Check the routing table in the namespace "ns1".
#sudo ip netns exec ns1 route -n

* You can see that there is no default gateway defined

8d)
Check the IP of the OpenvSwitch "my-ov-switch1"
#sudo ifconfig -a my-ov-switch1

8e)
Attach IP to OpenvSwitch "my-ov-switch1"
#sudo ip addr add 10.1.1.3/24 dev my-ov-switch1

8f)

Check the IP of the OpenvSwitch "my-ov-switch1"
#ifconfig -a my-ov-switch1

8g)
Add a default gateway so that packets not destined for the network 10.1.1.x flow to the outside.
The default gateway has to be set to the IP address of the OpenvSwitch "my-ov-switch1".
#sudo ip netns exec ns1 route add default gw 10.1.1.3 tap1

8h)
Check the routing table in the namespace "ns1".
#sudo ip netns exec ns1 route -n

* You can see the entry of default gateway

8i)

Ping to 173.194.36.16 from namespace "ns1"
#sudo ip netns exec ns1 ping 173.194.36.16

* Ping will not work, but you will see the ICMP request packets on the OpenvSwitch "my-ov-switch1" and no reply packets.
* Use the command (#sudo tshark -i my-ov-switch1 icmp) to capture the packets from the OpenvSwitch "my-ov-switch1"
* That means the reply packets are not being routed properly. So we need to add SNAT in the global namespace for packets with source IP 10.1.1.4 or 10.1.1.x, OR we need to add a MASQUERADE rule for the interface "eth0" (VirtualBox NAT).
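
The failure stages walked through in step 8, as an added example that is not part of the original post: a small script that reads captured "route -n" and "iptables -t nat -S POSTROUTING" output and reports which stage stops a ping from "ns1" to the outside. The function names and sample texts are constructed for illustration, and the net.ipv4.ip_forward check is an assumption about the host that the post does not cover.

```shell
#!/bin/sh
# Added example: classify why a ping from "ns1" to an outside address fails,
# working only from captured command output (all sample text is constructed).

# Print the default gateway found in `route -n` output; return 1 if there is none.
default_gw() {
  printf '%s\n' "$1" | awk '
    $1 == "0.0.0.0" && $3 == "0.0.0.0" { gw = $2 }
    END { if (gw == "") exit 1; print gw }'
}

# Return 0 if `iptables -t nat -S POSTROUTING` output ($1) holds a MASQUERADE or
# SNAT rule whose source is subnet $2 (a rule with no -s matches every source).
has_nat() {
  printf '%s\n' "$1" | awk -v net="$2" '
    $1 == "-A" && $2 == "POSTROUTING" {
      src = ""; tgt = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-s") src = $(i + 1)
        if ($i == "-j") tgt = $(i + 1)
      }
      if ((src == net || src == "") && (tgt == "MASQUERADE" || tgt == "SNAT")) ok = 1
    }
    END { exit !ok }'
}

# $1 = route -n text from ns1, $2 = net.ipv4.ip_forward value on the host
# (assumption: not covered in the post), $3 = NAT rules of the global namespace.
diagnose() {
  gw=$(default_gw "$1") || { echo "no-default-route"; return 0; }
  [ "$2" = "1" ] || { echo "forwarding-off via $gw"; return 0; }
  has_nat "$3" "10.1.1.0/24" || { echo "no-snat via $gw"; return 0; }
  echo "ok via $gw"
}

ROUTES_NO_GW='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 tap1'
ROUTES_GW='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.1.1.3        0.0.0.0         UG    0      0        0 tap1
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 tap1'
NAT_NONE='-P POSTROUTING ACCEPT'
NAT_MASQ='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE'

diagnose "$ROUTES_NO_GW" 1 "$NAT_NONE"   # step 8a: "Network is unreachable"
diagnose "$ROUTES_GW" 1 "$NAT_NONE"      # requests leave, replies never return
diagnose "$ROUTES_GW" 1 "$NAT_MASQ"      # outbound path complete
```

On a live host the three inputs come from "sudo ip netns exec ns1 route -n", "sysctl -n net.ipv4.ip_forward" and "sudo iptables -t nat -S POSTROUTING".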
