
EIP traffic direction Highlighted

Latest reply: May 21, 2022 09:32:23

Hello, everyone!

The Elastic IP (EIP) service enables you to access virtual machines (VMs) in cloud data centers (DCs) from the Internet. The EIP service must work with the ECS or Elastic Load Balance (ELB) service. You can apply for EIPs and bind them to VMs or load balancers so that services in the cloud DC can be reached from the Internet.

How to check network information

1. Run the following command to check the VM IP address:

nova list --all-t | grep CentOS

2. The internal FIP (internal public network IP address) comes from the external_relay_network network, which is the external network (the 11.64 or 100.64 network) shared by the cascading and cascaded systems.

(Figure: Dummy_external_network, VPC private network and VPC external network.)

The following describes the workflow of the EIP in detail.

Step 1. qbr-xxx

1. Log in to the cascading FusionSphere OpenStack system and query the VM ID.

nova list --all-t | grep VM_Name

2. Log in to the cascaded FusionSphere OpenStack system and query the ID of the VM in the cascaded system based on the ID obtained in the cascading system.

nova list --all-t | grep Cascading_ID

3. Query host_id and host_ip based on the VM ID in the cascaded FusionSphere OpenStack system.

nova show VM_ID | grep host

cps host-list | grep host_id

4. Query the NIC port ID of the VM.

nova interface-list VM_ID

5. Log in to the host where the VM is located. The first 11 characters of port_id form the suffix of both the tap port name and the qbr bridge name.

brctl show | grep <first 11 characters of port_id>

Capture packets at the tap port.

./tcpdump -i tap246a7c56-97 -nne host xx.xx.200.220

If packets with that IP address are captured on the tap port, the VM side is normal and the packets have been passed on to the security group.

If a security group is applied to the VM, the qvm-xxx port exists and is the next capture point.

Step 2. qvm-xxx

1. Log in to the host where the VM is located and check the qvm port name (the QVM interface is created once the security group function is configured).

ovs-vsctl show | grep <first 11 characters of port_id>

Capture packets on the QVM interface.

./tcpdump -i qvm246a7c56-97 -nne host xxx.xxx.200.220

If packets can be captured on the security group port, the security group configuration is correct.

Step 3. qrouter-xxx

After the packet leaves the QVM interface, it enters the qrouter namespace, where the internal FIP translation starts.

1. Locate the router ID based on the port ID of the VM at the cascaded layer.

Obtain the port ID:

nova interface-list VM_id

Obtain the floating IP address ID:

neutron floatingip-list --port-id=port_id

Obtain the router_id:

neutron floatingip-show floatingip_ID

(Figure: floatingip-show output illustrating a problem, followed by the correct display for comparison.)


2. Log in to the host where the VM is located, find the qrouter namespace based on router_id, and then find the rfp port and qr port inside that namespace.

ip netns | grep router_id

ip netns exec qrouter_id ip a

Capture packets on the qr interface to check whether the packets enter the qrouter namespace.

ip netns exec qrouter-e6b1254a-6bc2-415c-a218-7f41a81c35cf tcpdump -i qr-94e72a12-cf -nne

Capture packets on the RFP interface and check whether the packets enter the FIP namespace.

ip netns exec qrouter-e6b1254a-6bc2-415c-a218-7f41a81c35cf tcpdump -i rfp-e6b1254a-6 -nne

Step 4. fip-xxx

After packets are sent out from the qrouter namespace, the packets enter the FIP namespace. Check whether the fpr and fg interfaces receive the packets.

1. Find the floating IP ID based on port_id, and then find the floating_network_id based on that floating IP ID.

neutron floatingip-list | grep port_id

neutron floatingip-show floatingip_id

2. Find the FIP namespace named after the floating_network_id, and then find the fpr port and fg port inside it. (If there are multiple fpr ports, use the one whose ID suffix matches the rfp port.)

ip netns | grep b127c1da-9e71-4017-afaa-d60218abdd24

ip netns exec fip-b127c1da-9e71-4017-afaa-d60218abdd24 ip a

Capture packets on the fpr and fg ports.

ip netns exec fip-b127c1da-9e71-4017-afaa-d60218abdd24 tcpdump -i fpr-e6b1254a-6 -nne
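Added example, not from the original post: a POSIX shell helper that derives the per-hop interface and namespace names from the VM port ID, router ID and floating network ID, and prints the capture commands for Steps 1 to 4 in traversal order. It assumes Neutron's 14-character device-name limit (prefix plus truncated UUID), which the names on this page follow; the port UUID and host IP in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): derive the interface and
# namespace names used at each hop of the trace and print the matching
# tcpdump commands. Assumes Neutron's 14-character device-name limit
# (prefix + truncated UUID), which the names on the page follow:
# tap246a7c56-97, qvm246a7c56-97, rfp-e6b1254a-6, fpr-e6b1254a-6.

# dev_name PREFIX UUID -> PREFIX followed by the UUID, cut to 14 characters
dev_name() {
    printf '%s%s' "$1" "$2" | cut -c1-14
}

# fpr_matches RFP_IF FPR_IF -> succeeds when both carry the same router suffix.
# This is the check to apply when a FIP namespace holds several fpr ports.
fpr_matches() {
    [ "${1#rfp-}" = "${2#fpr-}" ]
}

# capture_plan VM_PORT_ID ROUTER_ID FLOATING_NET_ID HOST_IP
# Prints one capture command per hop, in the order the traffic passes them:
# tap (VM side) -> qvm (security group) -> rfp (qrouter ns) -> fpr (fip ns).
# The qr port is the router's subnet port and cannot be derived from the
# router ID, so list it with "ip a" inside the qrouter namespace (Step 3).
capture_plan() {
    port=$1 router=$2 fipnet=$3 ip=$4
    tap=$(dev_name tap "$port")
    qvm=$(dev_name qvm "$port")
    rfp=$(dev_name rfp- "$router")
    fpr=$(dev_name fpr- "$router")
    printf 'tcpdump -i %s -nne host %s\n' "$tap" "$ip"
    printf 'tcpdump -i %s -nne host %s\n' "$qvm" "$ip"
    printf 'ip netns exec qrouter-%s tcpdump -i %s -nne host %s\n' "$router" "$rfp" "$ip"
    printf 'ip netns exec fip-%s tcpdump -i %s -nne host %s\n' "$fipnet" "$fpr" "$ip"
}

# Constructed sample values: the port UUID and host IP are made up; the router
# and FIP-network IDs are the ones shown in the post.
capture_plan 246a7c56-9701-4c2e-8b3d-0123456789ab \
             e6b1254a-6bc2-415c-a218-7f41a81c35cf \
             b127c1da-9e71-4017-afaa-d60218abdd24 \
             10.0.0.5
```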

Step 5. EIP namespace

After the traffic exits the EIP namespace, the traffic passes through br-int and br1, reaches the trunk interface, and then enters the software NAT node of the firewall.

•  Capture packets on the physical NIC of the node where the cascaded VM resides, that is, the trunk/bond port.

./tcpdump -i trunk/bond -nne host xxx.xxx.100.72

•  Note that at this point the source IP address has already been translated to the FIP.

Step 6

EIP outgoing traffic does not pass through network nodes, but EIP incoming traffic passes through network nodes.

Note that Type 1 EIP traffic does not travel through the soft NAT node in the outbound direction, but travels through the soft NAT node in the inbound direction. Therefore, only reply packets but no request packets are displayed during packet capture. This is normal.

EIP incoming

1. The external client is connected to the core switch, and the traffic is routed to the firewall.

2. After the traffic leaves the firewall, it reaches the InNetwork VRF of the core switch and then the TOR in the network service zone. The TOR in the network service zone performs load balancing, and the traffic reaches the NAT node.

3. The software NAT performs the first NAT, translating the destination IP address into the 11.64 internal IP address of the VM.

4. The traffic reaches the compute node, where the destination is translated from the 11.64 address to the actual IP address of the VM.

EIP outgoing

1. Traffic is sent from the VM. The destination IP address is the public network IP address, and the source IP address is the actual internal IP address of the VM. In the FIP namespace, the source IP address is translated into the public network IP address.

2. Traffic is routed and imported to the service firewall. If EIP QoS is available, EIP QoS is configured on the service firewall.

3. Traffic is sent from the service firewall to the Internet through the Internet VRF of the core switch.

a. Log in to the controller node in the cascading FusionSphere OpenStack system and locate the nodes where the two nat-server/vrouter services are deployed.

cps host-list | grep nat -C 8

All incoming EIP traffic is transmitted through the trunk-lbaas interface of the network node.

./tcpdump -i trunk-lbaas -nne host xxx.xxx.100.72

Querying Network Segments Isolated by Tenant dvr-compute

The EIP cannot belong to an isolated network segment.


Can the FIP namespace on the compute node of the cascaded system where the VM resides ping the gateway of the external_relay_network network (the internal public network, 11.64 or 100.64)?

If the communication fails, check whether the VLAN of the external_relay_network network of the cascaded FusionSphere OpenStack system is allowed along the whole path from the compute node to the core gateway.

Check the IP address of the namespace on the network node and check whether the configured gateway can be pinged.

ip netns exec ns-br-eth-pub ping xxx.xxx.100.1

Are equal-cost routes to the network nodes configured on the core switch?

(Figure: core switch routing table; the IP address in the red box is the IP address of the network namespace.)

That's all, thanks!

olive.zhao (Admin) Created Dec 25, 2021 01:25:43
Thanks for your sharing!

Chanbora Created Feb 2, 2022 02:37:07

little_fish (Admin) Created Dec 25, 2021 01:58:08
nice case

user_4400653 Created Feb 2, 2022 02:38:26

JackJ Created Jan 1, 2022 05:00:38
Good share

user_4400653 Created Feb 2, 2022 02:38:32

TriNguyen Created Jan 3, 2022 02:25:52
Good share

nochhie Created Feb 2, 2022 02:39:22

NTan33 Created Jan 3, 2022 02:49:36
Much interesting information to go through.

nochhie Created Feb 2, 2022 02:39:28

zj5000 Created Jan 4, 2022 08:23:18
So so so so good!

Sokrin Created Feb 2, 2022 02:40:27

MahMush (Moderator, Author) Created Jan 10, 2022 04:58:01
informative

Sokrin Created Feb 2, 2022 02:40:21

Abdussamed (HCIE MVE) Created Jan 11, 2022 06:50:32
Thanks for your sharing!

kunthea Created Feb 2, 2022 02:41:10

wissal (MVE) Created Jan 11, 2022 07:50:50
Very well explained case!

kunthea Created Feb 2, 2022 02:41:15