Containerlab + VyOS 模拟三层网络
Containerlab
+ VyOS
网络模拟
基于
Containerlab
、VyOS
模拟一个三层网络环境
网络模拟
网络拓扑
Containerlab
配置信息
# clab-vyos.yaml
# Containerlab topology for a two-subnet L3 lab: one VyOS router (gw) with
# eth1 on 10.1.5.0/24 and eth2 on 10.1.8.0/24, two host bridges, and four
# hosts (two per subnet).
# NOTE(review): the `kind: bridge` nodes below are referenced, not created,
# by this file — this lab creates br-pool0/br-pool1 on the host by hand
# before `clab deploy` (see the deploy section).
name: L3
topology:
  nodes:
    gw:
      kind: linux
      # Run the VyOS container image under Containerlab for the experiment.
      # NOTE(review): the image is referenced by a mutable tag; for a
      # reproducible lab consider pinning it by digest (image@sha256:...).
      # 1.2.8 is an old 1.2 ("crux") release — check whether it is still
      # maintained before reusing this anywhere other than a throwaway lab.
      image: vyos/vyos:1.2.8
      # Start VyOS through its init system — presumably so that the
      # configure/commit/save workflow used later in this page works.
      cmd: /sbin/init
      binds:
        # Exposes the host's kernel modules inside the router container.
        # NOTE(review): whether gw can actually load them depends on the
        # capabilities containerlab grants this node, which this file does
        # not show — treat gw as a container trusted at host level.
        - /lib/modules:/lib/modules
      # A saved config.boot can later be mounted directly instead of being
      # typed in by hand. NOTE(review): that exported file contains the
      # `encrypted-password` hash of the vyos login user — keep it out of
      # version control, or replace the hash before committing it.
      # - ./startup-conf/gw-boot.cfg:/opt/vyatta/etc/config/config.boot
    br-pool0:
      kind: bridge
    br-pool1:
      kind: bridge
    # Hosts: net0 is the lab data-plane interface attached to a bridge and
    # the default route points at gw's address on that subnet. Every node
    # also gets an eth0 on containerlab's management network
    # (172.20.20.0/24), which is a second path between all containers that
    # bypasses gw — isolation/routing tests are only meaningful against the
    # 10.1.x.x addresses.
    node1:
      kind: linux
      image: harbor.dayuan1997.com/devops/nettool:0.9
      exec:
        - ip addr add 10.1.5.10/24 dev net0
        - ip route replace default via 10.1.5.1
    node2:
      kind: linux
      image: harbor.dayuan1997.com/devops/nettool:0.9
      exec:
        - ip addr add 10.1.5.11/24 dev net0
        - ip route replace default via 10.1.5.1
    node3:
      kind: linux
      image: harbor.dayuan1997.com/devops/nettool:0.9
      exec:
        - ip addr add 10.1.8.10/24 dev net0
        - ip route replace default via 10.1.8.1
    node4:
      kind: linux
      image: harbor.dayuan1997.com/devops/nettool:0.9
      exec:
        - ip addr add 10.1.8.11/24 dev net0
        - ip route replace default via 10.1.8.1
  # Wiring: node1/node2 and gw:eth1 hang off br-pool0 (10.1.5.0/24);
  # node3/node4 and gw:eth2 hang off br-pool1 (10.1.8.0/24).
  links:
    - endpoints: ["br-pool0:br-pool0-net0", "node1:net0"]
    - endpoints: ["br-pool0:br-pool0-net1", "node2:net0"]
    - endpoints: ["br-pool1:br-pool1-net0", "node3:net0"]
    - endpoints: ["br-pool1:br-pool1-net1", "node4:net0"]
    - endpoints: ["gw:eth1", "br-pool0:br-pool0-net2"]
    - endpoints: ["gw:eth2", "br-pool1:br-pool1-net2"]
网桥配置创建
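#!/usr/bin/env bash
# Create the host bridges that the `kind: bridge` nodes (br-pool0,
# br-pool1) of clab-vyos.yaml attach to. The topology only references
# them, so this must run on the lab host before `clab deploy`.
# Needs CAP_NET_ADMIN (run as root).
set -euo pipefail

# create_bridge NAME
#   Create bridge NAME if it does not exist yet and bring it up.
#   Uses iproute2 `ip link` instead of brctl/ifconfig: bridge-utils and
#   net-tools are deprecated and missing on many current distributions.
#   Idempotent, so re-running after a failed deploy does not error out
#   (brctl addbr fails if the bridge already exists).
create_bridge() {
  local name=$1
  if ! ip link show dev "$name" >/dev/null 2>&1; then
    ip link add name "$name" type bridge
  fi
  ip link set dev "$name" up
}

create_bridge br-pool0
create_bridge br-pool1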
VyOS 配置信息(仅包含接口地址与 SNAT;没有配置任何 firewall 规则,也未更改镜像默认的 vyos 用户口令,见文末配置文件说明)
set interfaces ethernet eth1 address '10.1.5.1/24'
set interfaces ethernet eth2 address '10.1.8.1/24'
set interfaces loopback lo
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '10.1.0.0/16'
set nat source rule 100 translation address 'masquerade'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '9600'
set system host-name 'gw'
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
部署服务
- 首先创建网桥
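#!/usr/bin/env bash
# Create the host bridges that the `kind: bridge` nodes (br-pool0,
# br-pool1) of clab-vyos.yaml attach to. The topology only references
# them, so this must run on the lab host before `clab deploy`.
# Needs CAP_NET_ADMIN (run as root).
set -euo pipefail

# create_bridge NAME
#   Create bridge NAME if it does not exist yet and bring it up.
#   Uses iproute2 `ip link` instead of brctl/ifconfig: bridge-utils and
#   net-tools are deprecated and missing on many current distributions.
#   Idempotent, so re-running after a failed deploy does not error out
#   (brctl addbr fails if the bridge already exists).
create_bridge() {
  local name=$1
  if ! ip link show dev "$name" >/dev/null 2>&1; then
    ip link add name "$name" type bridge
  fi
  ip link set dev "$name" up
}

create_bridge br-pool0
create_bridge br-pool1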
- 应用
Containerlab
配置信息
# clab deploy -t clab-vyos.yaml
INFO[0000] Containerlab v0.54.2 started
INFO[0000] Parsing & checking topology file: clab-vyos.yaml
INFO[0000] Creating docker network: Name="clab", IPv4Subnet="172.20.20.0/24", IPv6Subnet="2001:172:20:20::/64", MTU=1500
INFO[0000] Creating lab directory: /tmp/clab-L3
INFO[0000] Creating container: "node1"
INFO[0000] Creating container: "gw"
INFO[0001] Created link: br-pool0:br-pool0-net0 <--> node1:net0
INFO[0001] Created link: gw:eth1 <--> br-pool0:br-pool0-net2
INFO[0001] Created link: gw:eth2 <--> br-pool1:br-pool1-net2
INFO[0001] Creating container: "node2"
INFO[0001] Creating container: "node3"
INFO[0002] Created link: br-pool1:br-pool1-net0 <--> node3:net0
INFO[0002] Created link: br-pool0:br-pool0-net1 <--> node2:net0
INFO[0002] Creating container: "node4"
INFO[0002] Created link: br-pool1:br-pool1-net1 <--> node4:net0
INFO[0003] Executed command "ip addr add 10.1.8.10/24 dev net0" on the node "node3". stdout:
INFO[0003] Executed command "ip route replace default via 10.1.8.1" on the node "node3". stdout:
INFO[0003] Executed command "ip addr add 10.1.5.11/24 dev net0" on the node "node2". stdout:
INFO[0003] Executed command "ip route replace default via 10.1.5.1" on the node "node2". stdout:
INFO[0003] Executed command "ip addr add 10.1.8.11/24 dev net0" on the node "node4". stdout:
INFO[0003] Executed command "ip route replace default via 10.1.8.1" on the node "node4". stdout:
INFO[0003] Executed command "ip addr add 10.1.5.10/24 dev net0" on the node "node1". stdout:
INFO[0003] Executed command "ip route replace default via 10.1.5.1" on the node "node1". stdout:
INFO[0003] Adding containerlab host entries to /etc/hosts file
INFO[0003] Adding ssh config for containerlab nodes
INFO[0003] 🎉 New containerlab version 0.55.0 is available! Release notes: https://containerlab.dev/rn/0.55/
Run 'containerlab version upgrade' to upgrade or go check other installation options at https://containerlab.dev/install/
+---+---------------+--------------+------------------------------------------+-------+---------+----------------+----------------------+
| # | Name | Container ID | Image | Kind | State | IPv4 Address | IPv6 Address |
+---+---------------+--------------+------------------------------------------+-------+---------+----------------+----------------------+
| 1 | clab-L3-gw | 2259cad1153a | vyos/vyos:1.2.8 | linux | running | 172.20.20.3/24 | 2001:172:20:20::3/64 |
| 2 | clab-L3-node1 | e3af7e5cdc07 | harbor.dayuan1997.com/devops/nettool:0.9 | linux | running | 172.20.20.2/24 | 2001:172:20:20::2/64 |
| 3 | clab-L3-node2 | 08832f974c1d | harbor.dayuan1997.com/devops/nettool:0.9 | linux | running | 172.20.20.4/24 | 2001:172:20:20::4/64 |
| 4 | clab-L3-node3 | 4836e46b8487 | harbor.dayuan1997.com/devops/nettool:0.9 | linux | running | 172.20.20.5/24 | 2001:172:20:20::5/64 |
| 5 | clab-L3-node4 | a8d842733988 | harbor.dayuan1997.com/devops/nettool:0.9 | linux | running | 172.20.20.6/24 | 2001:172:20:20::6/64 |
+---+---------------+--------------+------------------------------------------+-------+---------+----------------+----------------------+
测试网络
clab-L3-node1 节点测试到 clab-L3-node2、网关、clab-L3-node3、qq.com 的连通性。下文的 `lo <容器名> <命令>` 应为作者本机对 `docker exec -it <容器名> <命令>` 一类命令的别名(文中未给出其定义)。注意每个节点除 net0 外还有一块位于 Containerlab 管理网 172.20.20.0/24 的 eth0(见上面的部署表格),以下测试均针对 10.1.x.x 地址,才能反映经由 gw 的三层路径。
# lo clab-L3-node1 ip a l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
8: net0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9500 qdisc noqueue state UP group default
link/ether aa:c1:ab:75:15:e9 brd ff:ff:ff:ff:ff:ff link-netnsid 0
# 节点 ip 10.1.5.10
inet 10.1.5.10/24 scope global net0
valid_lft forever preferred_lft forever
inet6 fe80::a8c1:abff:fe75:15e9/64 scope link
valid_lft forever preferred_lft forever
14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:14:14:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.20.20.2/24 brd 172.20.20.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 2001:172:20:20::2/64 scope global nodad
valid_lft forever preferred_lft forever
inet6 fe80::42:acff:fe14:1402/64 scope link
valid_lft forever preferred_lft forever
## 到 clab-L3-node2 节点 能正常访问
# lo clab-L3-node1 ping 10.1.5.11
PING 10.1.5.11 (10.1.5.11): 56 data bytes
64 bytes from 10.1.5.11: seq=0 ttl=64 time=1.686 ms
^C
--- 10.1.5.11 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.686/1.686/1.686 ms
## 到 网关 不通,网关当前未配置
# lo clab-L3-node1 ping 10.1.5.1
PING 10.1.5.1 (10.1.5.1): 56 data bytes
^C
--- 10.1.5.1 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
## 到 clab-L3-node3 节点 不通,没有对应路由
# lo clab-L3-node1 ping 10.1.8.10
PING 10.1.8.10 (10.1.8.10): 56 data bytes
^C
--- 10.1.8.10 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
## 路由信息
# lo clab-L3-node1 route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.1.5.1 0.0.0.0 UG 0 0 0 net0
10.1.5.0 0.0.0.0 255.255.255.0 U 0 0 0 net0
172.20.20.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
## qq.com 无法访问
# lo clab-L3-node1 ping qq.com
clab-L3-node3
节点测试到clab-L3-node4
、网关、clab-L3-node1
、qq.com
的连通性
# lo clab-L3-node3 ip a l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
16: net0@if17: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9500 qdisc noqueue state UP group default
link/ether aa:c1:ab:61:99:cf brd ff:ff:ff:ff:ff:ff link-netnsid 0
# 节点 ip 10.1.8.10
inet 10.1.8.10/24 scope global net0
valid_lft forever preferred_lft forever
inet6 fe80::a8c1:abff:fe61:99cf/64 scope link
valid_lft forever preferred_lft forever
26: eth0@if27: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:14:14:05 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.20.20.5/24 brd 172.20.20.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 2001:172:20:20::5/64 scope global nodad
valid_lft forever preferred_lft forever
inet6 fe80::42:acff:fe14:1405/64 scope link
valid_lft forever preferred_lft forever
## 到 clab-L3-node4 节点 能正常访问
# lo clab-L3-node3 ping 10.1.8.11
PING 10.1.8.11 (10.1.8.11): 56 data bytes
64 bytes from 10.1.8.11: seq=0 ttl=64 time=0.336 ms
^C
--- 10.1.8.11 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.336/0.336/0.336 ms
## 到 网关 不通,网关当前未配置
# lo clab-L3-node3 ping 10.1.8.1
PING 10.1.8.1 (10.1.8.1): 56 data bytes
^C
--- 10.1.8.1 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
## 到 clab-L3-node1 节点 不通,没有对应路由
# lo clab-L3-node3 ping 10.1.5.10
PING 10.1.5.10 (10.1.5.10): 56 data bytes
^C
--- 10.1.5.10 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
## 路由信息
# lo clab-L3-node3 route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.1.8.1 0.0.0.0 UG 0 0 0 net0
10.1.8.0 0.0.0.0 255.255.255.0 U 0 0 0 net0
172.20.20.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
## qq.com 无法访问
# lo clab-L3-node3 ping qq.com
设置路由器
启用三层配置,设置网关
登录 gw 容器,应用 VyOS 配置信息
- 登录容器,并查看路由信息
root@evescn:~# lo clab-L3-gw bash
root@vyos:/# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.20.20.1 0.0.0.0 UG 0 0 0 eth0
172.20.20.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
- 查看 ip 信息,eth1、eth2 网卡均未配置 ip 地址(只有 link-local 的 IPv6 地址)
root@vyos:/# ip a l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
12: eth1@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9500 qdisc noqueue state UP group default
link/ether aa:c1:ab:4c:78:da brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::a8c1:abff:fe4c:78da/64 scope link
valid_lft forever preferred_lft forever
20: eth2@if21: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9500 qdisc noqueue state UP group default
link/ether aa:c1:ab:d0:0e:07 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::a8c1:abff:fed0:e07/64 scope link
valid_lft forever preferred_lft forever
22: eth0@if23: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:14:14:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.20.20.3/24 brd 172.20.20.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 2001:172:20:20::3/64 scope global nodad
valid_lft forever preferred_lft forever
inet6 fe80::42:acff:fe14:1403/64 scope link
valid_lft forever preferred_lft forever
- 切换到
vyos
用户,配置vyos
信息
root@vyos:/# su vyos
- 进入 配置模式
vyos@vyos:/$ configure
[edit]
vyos@vyos#
[edit]
- 应用配置(以下命令只配置接口地址和 SNAT,不包含任何 firewall 规则,也未更改镜像默认的 vyos 用户口令;在实验环境以外使用时应自行补充)
set interfaces ethernet eth1 address '10.1.5.1/24'
set interfaces ethernet eth2 address '10.1.8.1/24'
set interfaces loopback lo
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '10.1.0.0/16'
set nat source rule 100 translation address 'masquerade'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '9600'
set system host-name 'gw'
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
- 提交和保存配置
vyos@vyos# commit
[edit]
vyos@vyos# save
Saving configuration to '/config/config.boot'...
Done
[edit]
- 退出编辑模式
vyos@vyos# exit
exit
- 查看网卡信息
vyos@vyos:/$ ip a l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
12: eth1@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9500 qdisc noqueue state UP group default
link/ether aa:c1:ab:4c:78:da brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.1.5.1/24 brd 10.1.5.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::a8c1:abff:fe4c:78da/64 scope link
valid_lft forever preferred_lft forever
20: eth2@if21: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9500 qdisc noqueue state UP group default
link/ether aa:c1:ab:d0:0e:07 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.1.8.1/24 brd 10.1.8.255 scope global eth2
valid_lft forever preferred_lft forever
inet6 fe80::a8c1:abff:fed0:e07/64 scope link
valid_lft forever preferred_lft forever
22: eth0@if23: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:14:14:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.20.20.3/24 brd 172.20.20.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 2001:172:20:20::3/64 scope global nodad
valid_lft forever preferred_lft forever
inet6 fe80::42:acff:fe14:1403/64 scope link
valid_lft forever preferred_lft forever
- 查看路由信息
vyos@vyos:/$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.20.20.1 0.0.0.0 UG 0 0 0 eth0
10.1.5.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
10.1.8.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
172.20.20.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
重新测试网络
测试
10.1.5.0/24
网络和10.1.8.0/24
网络连通性
## 正常访问
# lo clab-L3-node1 ping 10.1.8.10
PING 10.1.8.10 (10.1.8.10): 56 data bytes
64 bytes from 10.1.8.10: seq=0 ttl=63 time=0.205 ms
^C
--- 10.1.8.10 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.205/0.205/0.205 ms
## 正常访问
# lo clab-L3-node3 ping 10.1.5.10
PING 10.1.5.10 (10.1.5.10): 56 data bytes
64 bytes from 10.1.5.10: seq=0 ttl=63 time=0.323 ms
^C
--- 10.1.5.10 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.323/0.323/0.323 ms
通过 ttl 值可以判断 10.1.5.0/24 网络和 10.1.8.0/24 网络是通过三层路由进行数据交换的:同网段直达时回显 ttl=64,跨网段回显 ttl=63,说明报文恰好经过了一跳路由器(gw)——每经过一次路由转发 ttl 减 1。
- 访问
qq.com
# lo clab-L3-node1 ping qq.com
PING qq.com (123.150.76.218): 56 data bytes
64 bytes from 123.150.76.218: seq=0 ttl=126 time=29.029 ms
64 bytes from 123.150.76.218: seq=1 ttl=126 time=30.533 ms
64 bytes from 123.150.76.218: seq=2 ttl=126 time=29.207 ms
64 bytes from 123.150.76.218: seq=3 ttl=126 time=30.003 ms
^C
--- qq.com ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 29.029/29.693/30.533 ms
gw 为 10.1.5.0/24 和 10.1.8.0/24 提供了路由功能以及 SNAT 功能,如此两个网段才能正常访问外网。需要注意几点:(1) masquerade 的出口 eth0 接在 Containerlab 的管理网 172.20.20.0/24 上,实际出公网还要再经过宿主机 Docker 对该网络的 NAT;(2) NAT 规则的源地址 10.1.0.0/16 比实际使用的两个 /24 更宽,按最小权限原则可收紧为 10.1.5.0/24 和 10.1.8.0/24;(3) gw 上没有配置任何 firewall 策略,两个网段之间以及到管理网的流量都是无限制转发的,而且各节点的 eth0 本身就处在同一个管理网中,可以绕过 gw 直接互通——本实验只验证了路由/NAT,并不代表网段之间有隔离。
VyOS
配置文件信息
原始配置文件信息(镜像自带的默认配置)。注意 login 段中 vyos 用户的 encrypted-password 是镜像内置的默认口令哈希(VyOS 官方文档给出的默认账户口令为 vyos),下面应用的配置并未改动它。
root@vyos:/# cat /opt/vyatta/etc/config/config.boot
system {
host-name "vyos"
login {
user vyos {
authentication {
encrypted-password "$6$QxPS.uk6mfo$9QBSo8u1FkH16gMyAVhus6fU3LOzvLR9Z9.82m3tiHFAxTtIkhaZSWssSgzt4v4dGAL8rhVQxTg0oAG9/q11h/"
plaintext-password ""
}
level "admin"
}
}
syslog {
global {
facility all {
level "info"
}
facility protocols {
level "debug"
}
}
}
ntp {
server "0.pool.ntp.org"
server "1.pool.ntp.org"
server "2.pool.ntp.org"
}
config-management {
commit-revisions "100"
}
console {
device ttyS0 {
speed 9600
}
}
}
interfaces {
loopback "lo"
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dns-forwarding@1:firewall@5:ipsec@5:l2tp@1:mdns@1:nat@4:ntp@1:pppoe-server@2:pptp@1:qos@1:quagga@7:snmp@1:ssh@1:system@10:vrrp@2:wanloadbalance@3:webgui@1:webproxy@2:zone-policy@1" === */
/* Release version: 1.2.8 */
应用配置后新的配置文件信息(`save` 输出的 /config/config.boot 与这里的 /opt/vyatta/etc/config/config.boot 在 VyOS 中通常指向同一文件)。对比可见只新增了 interfaces、nat 段,改了 host-name 并补了 time-zone;login 段原样保留,即 vyos 用户仍使用镜像默认口令哈希。若 gw 的管理口(eth0,172.20.20.3)可能被实验环境以外访问,应先在配置模式执行 `set system login user vyos authentication plaintext-password '<新口令>'` 并 commit/save 更换口令;将这份 config.boot 导出为 startup 配置时,也不要把其中的口令哈希提交到代码仓库。
root@vyos:/# cat /opt/vyatta/etc/config/config.boot
interfaces {
ethernet eth1 {
address 10.1.5.1/24
duplex auto
smp-affinity auto
speed auto
}
ethernet eth2 {
address 10.1.8.1/24
duplex auto
smp-affinity auto
speed auto
}
loopback lo {
}
}
nat {
source {
rule 100 {
outbound-interface eth0
source {
address 10.1.0.0/16
}
translation {
address masquerade
}
}
}
}
system {
config-management {
commit-revisions 100
}
console {
device ttyS0 {
speed 9600
}
}
host-name gw
login {
user vyos {
authentication {
encrypted-password $6$QxPS.uk6mfo$9QBSo8u1FkH16gMyAVhus6fU3LOzvLR9Z9.82m3tiHFAxTtIkhaZSWssSgzt4v4dGAL8rhVQxTg0oAG9/q11h/
plaintext-password ""
}
level admin
}
}
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
}
syslog {
global {
facility all {
level info
}
facility protocols {
level debug
}
}
}
time-zone UTC
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "wanloadbalance@3:l2tp@1:pptp@1:ntp@1:mdns@1:webgui@1:conntrack@1:ipsec@5:cluster@1:dhcp-server@5:nat@4:dhcp-relay@2:webproxy@1:system@10:pppoe-server@2:dns-forwarding@1:ssh@1:quagga@7:broadcast-relay@1:qos@1:snmp@1:firewall@5:zone-policy@1:config-management@1:webproxy@2:vrrp@2:conntrack-sync@1" === */
/* Release version: 1.2.8 */