Linux

CentOS 上中繼埠之間的 VLAN 切換

  • May 17, 2021

我正在使用 CentOS Linux 版本 8.3.2011 並且正在努力將其設置為開關。網路拓撲如下:

[switch1]--------[vsphere]--------------[centos]--------------------[vRouter]
    gi0/0     vmnic2   SW1-trunk   end224   lnkbe296edcl2b     Gi0/0.10
                    SW1                bridge11

拓撲1

所以,總結一下:

  • 一個物理交換機 switch1,其介面 gi0/0 配置為中繼,一些交換的虛擬介面配置了用於測試的 IP 地址。對於本次測試,我將使用介面 vlan 10,其 IP 地址為 192.168.0.10/24;
  • vSphere hypervisor,帶有一個 vSwitch SW1,包含埠組“SW1 - trunk”和一個物理適配器 vmnic2。埠組配置了VLAN ID 4095,這是在vmware上將埠配置為trunk的方式;
  • 一個名為 CML 的 CentOS VM,它使用 KVM 來託管虛擬網路功能。我已經在它上面配置了一個虛擬路由器。我創建了 bridge11 並將面向 vmware 的介面 (ens224) 和麵向 vrouter 的介面 (lnkbe296edcl2b) 關聯到它。
  • 一個 vRouter,它是一個 IOSv(虛擬化 Cisco IOS),帶有一個 IP 地址為 192.168.0.11/24 的 IP 子介面。

下面的 vSphere 拓撲:

好吧,使用此配置,我無法從 vRouter (192.168.0.11) ping 到 switch1 SVI (192.168.0.10)。

R1#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         unassigned      YES manual up                    up      
GigabitEthernet0/0.10      192.168.0.11    YES TFTP   up                    up      
GigabitEthernet0/1         unassigned      YES unset  administratively down down    
GigabitEthernet0/2         unassigned      YES unset  administratively down down    
GigabitEthernet0/3         unassigned      YES unset  administratively down down    
R1#ping 192.168.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.10            0   Incomplete      ARPA   
Internet  192.168.0.11            -   5254.0000.b61d  ARPA   GigabitEthernet0/0.10
R1#

如果我將網路拓撲更改為以下之一:

[switch1]--------[vsphere]--------------[centos]--------------------[vRouter]
    gi0/0     vmnic2   SW1-trunk  end224.10   lnkbe296edcl2b     Gi0/0
                    SW1                bridge11

拓撲 2 在此拓撲中:

  • 我在 centos 上使用一個子介面指向 vmware,因此,它從網橋接收未標記的流量並將其發送到 VMWare 埠組 SW1-trunk;
  • 我正在使用路由器中的主界面。因此,流量未標記;
  • 我已經在 bridge11 - 192.168.0.1/24 中添加了一個 IP 地址,用於測試。

在這種情況下,我可以從 bridge11 ping 到 switch1 以及從 bridge11 到 vRouter,但不能從 vRouter 到 switch1。

  • CentOS 測試:
[~]$ping -c5 -q 192.168.0.11
PING 192.168.0.11 (192.168.0.11) 56(84) bytes of data.

--- 192.168.0.11 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 11ms
rtt min/avg/max/mdev = 1.718/2.151/2.879/0.407 ms
[~]$ping -c5 -q 192.168.0.10
PING 192.168.0.10 (192.168.0.10) 56(84) bytes of data.

--- 192.168.0.10 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 103ms
rtt min/avg/max/mdev = 0.398/0.515/0.656/0.090 ms
[~]$ip nei show dev bridge11
192.168.0.10 lladdr 00:12:43:7e:4b:c1 STALE
192.168.0.11 lladdr 52:54:00:00:b6:1d STALE
[~]$
  • vRouter (R1) 測試:
R1#ping 192.168.0.1 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#ping 192.168.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#show arp         
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.1             0   000c.2997.7368  ARPA   GigabitEthernet0/0
Internet  192.168.0.10            0   Incomplete      ARPA   
Internet  192.168.0.11            -   5254.0000.b61d  ARPA   GigabitEthernet0/0
R1#

我已經搜尋並只找到了與 linux 取消標記流量和路由的引用……我需要 linux 充當 vlan 交換機,而無需查看 ip 標頭。

關於如何讓 CentOS 切換 vlan 流量,從中繼到中繼埠的任何提示?

提前致謝

編輯(21 年 5 月 16 日) - 包括 AB 詢問的命令的輸出:

[sysadmin]$sysctl -ne net.bridge.bridge-nf-call-iptables
0
[sysadmin]$tcpdump -e -n -i lnk2fb2a645ld1
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lnk2fb2a645ld1, link-type EN10MB (Ethernet), capture size 262144 bytes
18:00:26.276792 52:54:00:00:b6:1d > 01:00:0c:cc:cc:cc, 802.3, length 396: LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Cisco (0x00000c), pid CDP (0x2000), length 388: CDPv2, ttl: 180s, Device-ID 'R1', length 388
18:00:31.178085 52:54:00:00:b6:1d > 52:54:00:00:b6:1d, ethertype Loopback (0x9000), length 60: Loopback, skipCount 0, Reply, receipt number 0, data (40 octets)
18:00:35.482297 52:54:00:00:b6:1d > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 10, p 0, ethertype ARP, Request who-has 192.168.0.10 tell 192.168.0.11, length 46
18:00:39.480774 52:54:00:00:b6:1d > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 10, p 0, ethertype ARP, Request who-has 192.168.0.10 tell 192.168.0.11, length 46
18:00:41.177503 52:54:00:00:b6:1d > 52:54:00:00:b6:1d, ethertype Loopback (0x9000), length 60: Loopback, skipCount 0, Reply, receipt number 0, data (40 octets)
18:00:41.480474 52:54:00:00:b6:1d > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 10, p 0, ethertype ARP, Request who-has 192.168.0.10 tell 192.168.0.11, length 46
18:00:41.655353 52:54:00:00:b6:1d > ab:00:00:02:00:00, ethertype MOP RC (0x6002), length 77: 
       0x0000:  3d00 0700 0000 0100 0303 0000 0200 0221  =..............!
       0x0010:  0003 0006 0000 0000 0000 0400 023c 0005  .............<..
       0x0020:  0002 d805 0600 0200 0107 0006 5254 0000  ............RT..
       0x0030:  b61d 6400 0179 9001 0101 9101 02ee 05    ..d..y.........
18:00:43.480161 52:54:00:00:b6:1d > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 10, p 0, ethertype ARP, Request who-has 192.168.0.10 tell 192.168.0.11, length 46
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel
[sysadmin]$

編輯 (5/16/21) - 包括 AB 要求的其他命令輸出:

$ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master bridge0 state UP mode DEFAULT group default qlen 1000
   link/ether 00:0c:29:97:73:54 brd ff:ff:ff:ff:ff:ff
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master bridge1 state UP mode DEFAULT group default qlen 1000
   link/ether 00:0c:29:97:73:5e brd ff:ff:ff:ff:ff:ff
4: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master bridge11 state UP mode DEFAULT group default qlen 1000
   link/ether 00:0c:29:97:73:68 brd ff:ff:ff:ff:ff:ff
5: ens256: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
   link/ether 00:0c:29:97:73:72 brd ff:ff:ff:ff:ff:ff
6: bridge0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
   link/ether 00:0c:29:97:73:54 brd ff:ff:ff:ff:ff:ff
7: bridge1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
   link/ether 00:0c:29:97:73:5e brd ff:ff:ff:ff:ff:ff
10: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
   link/ether 52:54:00:90:2d:88 brd ff:ff:ff:ff:ff:ff
11: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN mode DEFAULT group default qlen 1000
   link/ether 52:54:00:90:2d:88 brd ff:ff:ff:ff:ff:ff
44: bridge11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
   link/ether 00:0c:29:97:73:68 brd ff:ff:ff:ff:ff:ff
45: lnk2fb2a645ld1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master bridge11 state UNKNOWN mode DEFAULT group default qlen 1000
   link/ether f2:ca:f4:6e:96:14 brd ff:ff:ff:ff:ff:ff
$ip -br link show
lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP> 
ens160           UP             00:0c:29:97:73:54 <BROADCAST,MULTICAST,UP,LOWER_UP> 
ens192           UP             00:0c:29:97:73:5e <BROADCAST,MULTICAST,UP,LOWER_UP> 
ens224           UP             00:0c:29:97:73:68 <BROADCAST,MULTICAST,UP,LOWER_UP> 
ens256           UP             00:0c:29:97:73:72 <BROADCAST,MULTICAST,UP,LOWER_UP> 
bridge0          UP             00:0c:29:97:73:54 <BROADCAST,MULTICAST,UP,LOWER_UP> 
bridge1          UP             00:0c:29:97:73:5e <BROADCAST,MULTICAST,UP,LOWER_UP> 
virbr0           DOWN           52:54:00:90:2d:88 <NO-CARRIER,BROADCAST,MULTICAST,UP> 
virbr0-nic       DOWN           52:54:00:90:2d:88 <BROADCAST,MULTICAST> 
bridge11         UP             00:0c:29:97:73:68 <BROADCAST,MULTICAST,UP,LOWER_UP> 
lnk2fb2a645ld1   UNKNOWN        f2:ca:f4:6e:96:14 <BROADCAST,MULTICAST,UP,LOWER_UP> 
$ip -br address
lo               UNKNOWN        127.0.0.1/8 ::1/128 
ens160           UP             
ens192           UP             
ens224           UP             
ens256           UP             
bridge0          UP             10.30.8.241/22 fe80::20c:29ff:fe97:7354/64 
bridge1          UP             x.x.x.x/25 fe80::20c:29ff:fe97:735e/64 
virbr0           DOWN           192.168.255.1/24 
virbr0-nic       DOWN           
bridge11         UP             fe80::20c:29ff:fe97:7368/64 
lnk2fb2a645ld1   UNKNOWN        
$

為了使它工作,我需要做兩件事:

  1. 禁用 vlan_filtering (ip link set dev bridge11 type bridge vlan_filtering 0)
  2. 在 vmware vSphere 上啟用混雜模式和偽造傳輸(見下文)

在此處輸入圖像描述

引用自:https://unix.stackexchange.com/questions/649948

相關問答

Linux

Linux VLAN 感知網橋和中繼埠

  • December 11, 2019
檢視問答
Linux

配置網橋會導致連接斷開

  • October 4, 2019
檢視問答
Linux

IP 轉發、偽裝、NAT

  • July 15, 2021
檢視問答
Linux

Debian 網橋隨機停止工作

  • April 6, 2021
檢視問答
Linux

為什麼連接到網橋的物理介面在我的情況下無法通過 Internet 訪問?

  • September 27, 2020
檢視問答
Linux

如何為多播節目創建虛擬測試環境?

  • June 25, 2020
檢視問答