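Changing the MAC address of a VLAN sub-interface on Linux: macvlan virtual interfaces
macvlan is a NIC virtualization technology provided by the kernel. It creates multiple virtual interfaces on top of one NIC, which does not have to be a real physical NIC (a virtual NIC such as virtio works too). That NIC is called the master or parent interface, and the virtual interfaces reach the outside world through it. One use case is the macvlan CNI for k8s.
macvlan provides five modes: bridge, vepa, private, passthrough and source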
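private mode:
In this mode, sub-interfaces under the same parent interface are isolated from each other and cannot communicate. Even if an external switch steers the traffic back and the parent interface receives it again, it is still dropped.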
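vepa mode:
In this mode, traffic between sub-interfaces has to be sent out to an external switch (physical or virtual) that supports 802.1Qbg/VEPA, which forwards it and sends it back.
Note: put simply, 802.1Qbg/VEPA support means the switch must support hairpin mode, i.e. a packet received on a port can be sent back out of the same port.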
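bridge mode:
This mode emulates a Linux bridge, with one advantage over a bridge: the MAC address of every interface is already known, so nothing has to be learned. Sub-interfaces can therefore communicate with each other directly in this mode.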
passthru mode:
This mode allows only a single sub-interface to be attached to the parent interface.
source mode:
This mode only accepts frames whose source MAC is one of the specified MAC addresses.
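The figure below, a screenshot found online, shows how data is forwarded in each mode. Whatever the mode, a sub-interface cannot communicate with the parent interface.
[Figure: image.png]
Below is the help output shown when creating a macvlan interface with the ip command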
root@node2:~# ip link add link ens8 dev macvlan1 type macvlan help
Usage: ... macvlan mode MODE [flag MODE_FLAG] MODE_OPTS
MODE: private | vepa | bridge | passthru | source
MODE_FLAG: null | nopromisc --> passthru mode only
MODE_OPTS: for mode "source": --> source mode only
macaddr { { add | del } <macaddr> | set [ <macaddr> [ <macaddr> ... ] ] | flush }
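Two options need attention:
a. The nopromisc flag applies only to passthru mode
b. The macaddr options apply only to source mode; they define the source MAC values for which frames received from outside are accepted in source mode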
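How to find which parent interface and sub-interfaces belong together
a. If the sub-interface and the parent interface are in the same namespace, for example both in the root namespace, look at the symlinks under /sys/class/net/xxx/.
Note the two prefixes lower and upper. For macvlan, in terms of layering, the parent interface is the NIC and the sub-interfaces are virtualized on top of it, so the parent sits below and the sub-interfaces sit above: lower denotes the parent interface and upper denotes a sub-interface.
# Show the parent of a macvlan sub-interface (the parent of macvlan1 is ens8)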
root@node2:~# ls -l /sys/class/net/macvlan1/lower*
lrwxrwxrwx 1 root root 0 Oct 27 13:55 /sys/class/net/macvlan1/lower_ens8 -> ../../../pci0000:00/0000:00:08.0/net/ens8
# Show the macvlan sub-interfaces of a parent (ens8 has two sub-interfaces: macvlan1 and macvlan2)
root@node2:~# ls -l /sys/class/net/ens8/upper*
lrwxrwxrwx 1 root root 0 Oct 27 13:55 /sys/class/net/ens8/upper_macvlan1 -> ../../../../virtual/net/macvlan1
lrwxrwxrwx 1 root root 0 Oct 27 13:56 /sys/class/net/ens8/upper_macvlan2 -> ../../../../virtual/net/macvlan2
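b. If the sub-interface and the parent interface are not in the same namespace, for example the sub-interface has been moved into another namespace, method a no longer works. Instead, look at the number after the @ in the interface name, such as macvlan1@if3 and macvlan2@if3 below: the if3 after the @ is the interface index in the root namespace, i.e. the index of ens8.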
root@node2:~# ip netns exec test1 ip a
...
8308: macvlan1@if3: mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether ce:dc:2c:c2:e3:ca brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 1.1.1.3/24 scope global macvlan1
valid_lft forever preferred_lft forever
inet6 fe80::ccdc:2cff:fec2:e3ca/64 scope link
valid_lft forever preferred_lft forever
root@node2:~# ip netns exec test2 ip a
...
8309: macvlan2@if3: mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 22:c1:18:2a:68:25 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 1.1.1.4/24 scope global macvlan2
valid_lft forever preferred_lft forever
inet6 fe80::20c1:18ff:fe2a:6825/64 scope link
valid_lft forever preferred_lft forever
root@node2:~# ip a
...
3: ens8: mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:55:4e:f8 brd ff:ff:ff:ff:ff:ff
inet 1.1.1.2/24 scope global ens8
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe55:4ef8/64 scope link
valid_lft forever preferred_lft forever
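c. Whether or not parent and sub-interface are in the same ns, you can check the fdb table of the parent interface; the MAC address of a macvlan sub-interface is normally added to the parent interface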
root@node2:~# bridge fdb show dev ens8
ce:dc:2c:c2:e3:ca self permanent ---> MAC of macvlan1
22:c1:18:2a:68:25 self permanent ---> MAC of macvlan2
33:33:00:00:00:01 self permanent
01:00:5e:00:00:01 self permanent
33:33:ff:55:4e:f8 self permanent
33:33:ff:c2:e3:ca self permanent
33:33:ff:2a:68:25 self permanent
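Methods b and c combined, as an added example that is not part of the original post: it resolves the @ifN index of a namespaced sub-interface to the parent's name and then checks that the child's MAC is in the parent's fdb. The function name, temp files and status words are assumptions made for illustration, and it assumes link-netnsid 0 is the root namespace, as in the setup above.

```shell
# Constructed sample text based on the captures above; the fdb sample omits
# the macvlan2 entry on purpose to show the mismatch case.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/root" <<'EOF'
3: ens8: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:55:4e:f8 brd ff:ff:ff:ff:ff:ff
EOF
cat > "$tmp/netns" <<'EOF'
8308: macvlan1@if3: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ce:dc:2c:c2:e3:ca brd ff:ff:ff:ff:ff:ff link-netnsid 0
8309: macvlan2@if3: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 22:c1:18:2a:68:25 brd ff:ff:ff:ff:ff:ff link-netnsid 0
EOF
cat > "$tmp/fdb" <<'EOF'
ce:dc:2c:c2:e3:ca self permanent
33:33:00:00:00:01 self permanent
EOF

# resolve_parent ROOT_LINKS NETNS_LINKS PARENT_FDB   (hypothetical helper)
#   ROOT_LINKS  : `ip a` / `ip link` text from the root namespace
#   NETNS_LINKS : `ip netns exec <ns> ip a` text
#   PARENT_FDB  : `bridge fdb show dev <parent>` text
# prints: <child> <parent> <child-mac> <fdb-confirmed|fdb-missing>
resolve_parent() {
  awk '
    /^[0-9]+: / {                                   # "8308: macvlan1@if3: ..."
      idx = $1; sub(/:$/, "", idx)
      nm = $2;  sub(/:$/, "", nm)
      cur = ""
      if (src == "root") { sub(/@.*$/, "", nm); name[idx] = nm }
      else if (src == "ns" && match(nm, /@if[0-9]+$/)) {
        cur = substr(nm, 1, RSTART - 1)             # child name
        pidx[cur] = substr(nm, RSTART + 3)          # digits after "@if"
        kids[++n] = cur
      }
      next
    }
    src == "ns"  && $1 == "link/ether" && cur != "" { mac[cur] = $2 }
    src == "fdb" && NF >= 2 { fdb[$1] = 1 }
    END {
      for (k = 1; k <= n; k++) {
        c = kids[k]
        p = (pidx[c] in name) ? name[pidx[c]] : ("ifindex-" pidx[c])
        printf "%s %s %s %s\n", c, p, mac[c], ((mac[c] in fdb) ? "fdb-confirmed" : "fdb-missing")
      }
    }
  ' src=root "$1" src=ns "$2" src=fdb "$3"
}
resolve_parent "$tmp/root" "$tmp/netns" "$tmp/fdb"
```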
About nopromisc
# Without the nopromisc flag, promiscuous mode is enabled on the parent interface ens8 by default (promiscuity is 1)
ip link add link ens8 dev macvlan1 type macvlan mode passthru
ip link set dev macvlan1 up
root@node2:~# ip -d link
1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0 addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
2: ens3: mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether 52:54:00:bd:2b:7d brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 60 maxmtu 4096 addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
3: ens8: mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether 52:54:00:55:4e:f8 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 60 maxmtu 4096 addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
25: macvlan1@ens8: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 52:54:00:55:4e:f8 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 4096
macvlan mode passthru addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
# With the nopromisc flag, promiscuous mode is not enabled on the parent interface ens8 (promiscuity is 0)
ip link add link ens8 dev macvlan1 type macvlan mode passthru nopromisc
ip link set dev macvlan1 up
root@node2:~# ip -d link
1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0 addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
2: ens3: mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether 52:54:00:bd:2b:7d brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 60 maxmtu 4096 addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
3: ens8: mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether 52:54:00:55:4e:f8 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 60 maxmtu 4096 addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
26: macvlan1@ens8: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 52:54:00:55:4e:f8 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 4096
macvlan mode passthru nopromisc addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
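The comparison above as a repeatable check, added here as an example that is not part of the original post: it reads `ip -d link` text and reports, for each macvlan sub-interface, its mode, whether nopromisc is set, and the promiscuity counter of its parent. The function names and status words are assumptions made for illustration.

```shell
# Constructed samples: the ens8/macvlan1 lines from the two captures above, trimmed.
sample_default() { cat <<'EOF'
3: ens8: mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:55:4e:f8 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 60 maxmtu 4096
25: macvlan1@ens8: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:55:4e:f8 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 4096
    macvlan mode passthru addrgenmode eui64 numtxqueues 1 numrxqueues 1
EOF
}
sample_nopromisc() { cat <<'EOF'
3: ens8: mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:55:4e:f8 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 60 maxmtu 4096
26: macvlan1@ens8: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:55:4e:f8 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 4096
    macvlan mode passthru nopromisc addrgenmode eui64 numtxqueues 1 numrxqueues 1
EOF
}
# audit_macvlan (hypothetical helper): reads `ip -d link` text on stdin and prints
#   <child> <parent> <mode> <nopromisc|default> parent_promiscuity=<n|?> <state>
audit_macvlan() {
  awk '
    /^[0-9]+: / {                         # header, e.g. "25: macvlan1@ens8: ..."
      cur = $2; sub(/:$/, "", cur); par = ""
      at = index(cur, "@")
      if (at) { par = substr(cur, at + 1); cur = substr(cur, 1, at - 1) }
      parent[cur] = par
      next
    }
    {                                     # detail lines of the current interface
      for (i = 1; i < NF; i++) {
        if ($i == "promiscuity") prom[cur] = $(i + 1)
        if ($i == "macvlan" && $(i + 1) == "mode") {
          kids[++n] = cur; mode[cur] = $(i + 2)
          flag[cur] = ($(i + 3) == "nopromisc") ? "nopromisc" : "default"
        }
      }
    }
    END {
      for (k = 1; k <= n; k++) {
        c = kids[k]; p = parent[c]
        if (!(p in prom)) { cnt = "?"; state = "parent-not-visible" }   # e.g. @if3
        else { cnt = prom[p]; state = (cnt + 0 > 0) ? "parent-promiscuous" : "parent-not-promiscuous" }
        printf "%s %s %s %s parent_promiscuity=%s %s\n", c, p, mode[c], flag[c], cnt, state
      }
    }'
}
sample_default | audit_macvlan
sample_nopromisc | audit_macvlan
```

On a live host, pipe `ip -d link` into audit_macvlan. The promiscuity value is a counter, so a packet capture or bridge membership on the parent raises it as well.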
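Hands-on
Create a VM on the host. The VM has two NICs, ens3 and ens8, which correspond to vnet0 and vnet1 on the host; vnet0 is attached to the default bridge virbr0 and vnet1 to a newly created bridge br1. All of the following steps for creating macvlan sub-interfaces and namespaces are done inside the VM.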
a. bridge
// Set the parent interface IP
ip link set dev ens8 up
ip address add dev ens8 1.1.1.2/24
// Create two macvlan sub-interfaces in bridge mode
ip link add link ens8 dev macvlan1 type macvlan mode bridge
ip link add link ens8 dev macvlan2 type macvlan mode bridge
// Create two namespaces
ip netns add test1
ip netns add test2
// Move the two macvlan sub-interfaces into the namespaces
ip link set dev macvlan1 netns test1
ip link set dev macvlan2 netns test2
// Configure an IP on each sub-interface inside its namespace
ip netns exec test1 ip link set dev lo up
ip netns exec test1 ip link set dev macvlan1 up
ip netns exec test1 ip address add dev macvlan1 1.1.1.3/24
ip netns exec test2 ip link set dev lo up
ip netns exec test2 ip link set dev macvlan2 up
ip netns exec test2 ip address add dev macvlan2 1.1.1.4/24
root@node2:~# ip netns exec test1 ip a
1: lo: mtu 65536 qdisc noop state UP group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
92: macvlan1@if3: mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether ae:f3:a6:e4:72:5f brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 1.1.1.3/24 scope global macvlan1
valid_lft forever preferred_lft forever
inet6 fe80::acf3:a6ff:fee4:725f/64 scope link
valid_lft forever preferred_lft forever
root@node2:~# ip netns exec test2 ip a
1: lo: mtu 65536 qdisc noop state UP group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
93: macvlan2@if3: mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether ba:11:1e:65:b6:89 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 1.1.1.4/24 scope global macvlan2
valid_lft forever preferred_lft forever
inet6 fe80::b811:1eff:fe65:b689/64 scope link
valid_lft forever preferred_lft forever
# ping to the parent interface fails
root@node2:~# ip netns exec test2 ping 1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
^C
--- 1.1.1.2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
# test2 ping test1 succeeds
root@node2:~# ip netns exec test2 ping 1.1.1.3
PING 1.1.1.3 (1.1.1.3) 56(84) bytes of data.
64 bytes from 1.1.1.3: icmp_seq=1 ttl=64 time=0.450 ms
^C
--- 1.1.1.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.450/0.450/0.450/0.000 ms
b. private
// Set the parent interface IP
ip link set dev ens8 up
ip address add dev ens8 1.1.1.2/24
// Create two macvlan sub-interfaces in private mode
ip link add link ens8 dev macvlan1 type macvlan mode private
ip link add link ens8 dev macvlan2 type macvlan mode private
// Create two namespaces
ip netns add test1
ip netns add test2
// Move the two macvlan sub-interfaces into the namespaces
ip link set dev macvlan1 netns test1
ip link set dev macvlan2 netns test2
// Configure an IP on each sub-interface inside its namespace
ip netns exec test1 ip link set dev lo up
ip netns exec test1 ip link set dev macvlan1 up
ip netns exec test1 ip address add dev macvlan1 1.1.1.3/24
ip netns exec test2 ip link set dev lo up
ip netns exec test2 ip link set dev macvlan2 up
ip netns exec test2 ip address add dev macvlan2 1.1.1.4/24
# ping to the parent interface fails
root@node2:~# ip netns exec test2 ping 1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
^C
--- 1.1.1.2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
# test2 ping test1 fails
root@node2:~# ip netns exec test2 ping 1.1.1.3
PING 1.1.1.3 (1.1.1.3) 56(84) bytes of data.
^C
--- 1.1.1.3 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1001ms
c. vepa
// Set the parent interface IP
ip link set dev ens8 up
ip address add dev ens8 1.1.1.2/24
// Create two macvlan sub-interfaces in vepa mode
ip link add link ens8 dev macvlan1 type macvlan mode vepa
ip link add link ens8 dev macvlan2 type macvlan mode vepa
// Create two namespaces
ip netns add test1
ip netns add test2
// Move the two macvlan sub-interfaces into the namespaces
ip link set dev macvlan1 netns test1
ip link set dev macvlan2 netns test2
// Configure an IP on each sub-interface inside its namespace
ip netns exec test1 ip link set dev lo up
ip netns exec test1 ip link set dev macvlan1 up
ip netns exec test1 ip address add dev macvlan1 1.1.1.3/24
ip netns exec test2 ip link set dev lo up
ip netns exec test2 ip link set dev macvlan2 up
ip netns exec test2 ip address add dev macvlan2 1.1.1.4/24
# ping to the parent interface fails
root@node2:~# ip netns exec test2 ping 1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
^C
--- 1.1.1.2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
# test2 ping test1 fails
root@node2:~# ip netns exec test2 ping 1.1.1.3
PING 1.1.1.3 (1.1.1.3) 56(84) bytes of data.
^C
--- 1.1.1.3 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
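d. passthru
// Set the parent interface IP
ip link set dev ens8 up
ip address add dev ens8 1.1.1.2/24
ip link add link ens8 dev macvlan1 type macvlan mode passthru
# Only one passthru sub-interface can be added; adding another one fails (adding one in a different mode fails too)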
ip link add link ens8 dev macvlan2 type macvlan mode passthru
RTNETLINK answers: File exists
ip netns add test1
ip link set dev macvlan1 netns test1
ip netns exec test1 ip link set dev lo up
ip netns exec test1 ip link set dev macvlan1 up
ip netns exec test1 ip address add dev macvlan1 1.1.1.3/24
# ping to the parent interface fails
root@node2:~# ip netns exec test1 ping 1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
^C
--- 1.1.1.2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
e. source
// br1 is on the host; vnet1, the host-side counterpart of the VM's NIC ens8, is attached to the bridge br1.
// Assign the IP 1.1.1.9 to br1
root@ubuntu:~# ip address show dev br1
25: br1: mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 5e:88:02:89:d5:51 brd ff:ff:ff:ff:ff:ff
inet 1.1.1.9/24 brd 1.1.1.255 scope global br1
valid_lft forever preferred_lft forever
inet6 fe80::5c88:2ff:fe89:d551/64 scope link
valid_lft forever preferred_lft forever
root@ubuntu:~# brctl show
bridge name bridge id STP enabled interfaces
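br1 8000.5e880289d550 no vnet1 ---> vnet1 corresponds to ens8 inside the VM
// Run the following commands inside the VM
// Create the macvlan1 interface in source mode, specifying br1's MAC address as the MAC address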
ip link add link ens8 dev macvlan1 type macvlan mode source macaddr add 5e:88:02:89:d5:50
ip link set dev macvlan1 up
ip address add dev macvlan1 1.1.1.4/24
// Pinging br1 from inside the VM works
root@node2:~# ping 1.1.1.9
PING 1.1.1.9 (1.1.1.9) 56(84) bytes of data.
64 bytes from 1.1.1.9: icmp_seq=1 ttl=64 time=1.45 ms
64 bytes from 1.1.1.9: icmp_seq=2 ttl=64 time=0.300 ms
64 bytes from 1.1.1.9: icmp_seq=3 ttl=64 time=0.339 ms
^C
--- 1.1.1.9 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2005ms
rtt min/avg/max/mdev = 0.300/0.696/1.450/0.533 ms
// Change br1's MAC address on the host
root@ubuntu:~# ip link set dev br1 address 5e:88:02:89:d5:51
// Pinging again from inside the VM now fails
root@node2:~# ping 1.1.1.9
PING 1.1.1.9 (1.1.1.9) 56(84) bytes of data.
^C
--- 1.1.1.9 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1028ms