Operations¶
Intra-node ping¶
Ping green2 from green1:
green1-75667cbd6f-8kn74> cmd ping 10.60.0.2
PING 10.60.0.2 (10.60.0.2) 56(84) bytes of data.
64 bytes from 10.60.0.2: icmp_seq=1 ttl=64 time=1.91 ms
64 bytes from 10.60.0.2: icmp_seq=2 ttl=64 time=0.668 ms
^C
--- 10.60.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.668/1.289/1.910/0.621 ms
green1 and green2 run on the same node, so the traffic is bridged locally by hna1 and never reaches a leaf router.
Inter-node ping (same tenant)¶
Ping green3 from green1:
green1-75667cbd6f-8kn74> cmd ping 10.61.0.3
PING 10.61.0.3 (10.61.0.3) 56(84) bytes of data.
64 bytes from 10.61.0.3: icmp_seq=1 ttl=64 time=3.48 ms
64 bytes from 10.61.0.3: icmp_seq=2 ttl=64 time=1.66 ms
^C
--- 10.61.0.3 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 1.660/2.570/3.481/0.910 ms
In this case, the ping request is received by hna1, encapsulated in a VXLAN tunnel, sent through a leaf router to hna2 on the other node, and finally delivered to green3.
This works because the green tenant CRD allows ICMP from the 10.60 subnet to the 10.61 subnet inside the tenant.
Inter-tenant ping¶
Ping red1 from green1:
green1-75667cbd6f-8kn74> cmd ping 10.62.0.1
PING 10.62.0.1 (10.62.0.1) 56(84) bytes of data.
64 bytes from 10.62.0.1: icmp_seq=1 ttl=63 time=0.984 ms
64 bytes from 10.62.0.1: icmp_seq=2 ttl=63 time=0.652 ms
64 bytes from 10.62.0.1: icmp_seq=3 ttl=63 time=0.974 ms
^C
--- 10.62.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2031ms
rtt min/avg/max/mdev = 0.652/0.870/0.984/0.154 ms
Note the ttl=63, versus 64 in the same-tenant pings: inter-tenant traffic is routed through a gateway rather than bridged.
On node1, delete the inter-tenant CRD object that authorizes the green 10.60 subnet to reach the red 10.62 subnet:
root@node1:~# kubectl delete intertenant green-10-60-to-red-10-62
intertenant.hna.6wind.com "green-10-60-to-red-10-62" deleted
The ping now fails. The gateway 10.60.0.254 answers with ICMP Destination Host Unreachable because no inter-tenant rule permits the flow any more:
green1-75667cbd6f-8kn74> cmd ping 10.62.0.1
PING 10.62.0.1 (10.62.0.1) 56(84) bytes of data.
From 10.60.0.254 icmp_seq=1 Destination Host Unreachable
From 10.60.0.254 icmp_seq=2 Destination Host Unreachable
From 10.60.0.254 icmp_seq=3 Destination Host Unreachable
^CNetconf RPC interrupted.
--- 10.62.0.1 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2047ms
Reapply the CRD to restore connectivity and check that the ping succeeds again:
root@node1:~# kubectl apply -f intertenant-crd.yaml
ACL check¶
On green3, create a TCP server on port 5000:
green3-6cff5fb5bf-pjhqz$ nc -l -p 5000
On green1, try to connect on green3 port 5000:
green1-75667cbd6f-8kn74$ nc 10.61.0.3 5000
The connection succeeds because TCP port 5000 from green1 to green3 is allowed by the tenant ACLs. Connecting to any other port, or from green3 back to green1, is rejected.
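The inter-tenant and ACL checks above are run by hand, one command at a time. As an added example, not part of this documentation or of 6WIND's code, the following POSIX shell harness turns them into pass/fail assertions. The transcript parsing runs offline on samples constructed from the outputs shown on this page; the live part assumes the CNF pods can run a standard Linux ping and an nc that supports -z through kubectl exec (the page uses the pods' own CLI, so the entry command may differ), assumes green1's address is 10.60.0.1 (not shown on the page), and uses the pod names shown here, which change on every restart.

```shell
#!/bin/sh
# Added example (not part of the HNA documentation, not 6WIND code): a harness
# that turns the manual ping/nc checks into pass/fail assertions.
# classify_ping and tcp_verdict are pure shell and run offline. The kubectl
# wrappers are an ASSUMPTION that the pods run plain ping/nc; they execute
# only when HNA_LIVE=1 is set.

# classify_ping OUTPUT
#   Reduce a ping transcript to one word:
#     reachable   - at least one echo reply received
#     unreachable - no reply, gateway answered "Destination Host Unreachable"
#                   (the inter-tenant deny case)
#     timeout     - no reply and no error at all (silent drop, as in the
#                   anti-spoofing case where the ping simply hangs)
classify_ping() {
    _received=$(printf '%s\n' "$1" |
        sed -n 's/.* \([0-9][0-9]*\) received.*/\1/p')
    if [ -n "$_received" ] && [ "$_received" -gt 0 ]; then
        echo reachable
    elif printf '%s\n' "$1" | grep -q 'Destination Host Unreachable'; then
        echo unreachable
    else
        echo timeout
    fi
}

# tcp_verdict STATUS
#   Map the exit status of `nc -z -w SECONDS HOST PORT` to open/filtered.
#   Caveat: nc also exits non-zero on "connection refused", so start the
#   listener (nc -l -p PORT) on the target first; only then does "filtered"
#   mean the ACL dropped the SYN rather than nothing was listening.
tcp_verdict() {
    if [ "$1" -eq 0 ]; then echo open; else echo filtered; fi
}

# expect GOT WANT LABEL
#   Print a PASS/FAIL line and return 1 on mismatch so a matrix can be summed.
expect() {
    if [ "$1" = "$2" ]; then
        echo "PASS $3: $1"
    else
        echo "FAIL $3: got $1, expected $2"
        return 1
    fi
}

# Constructed transcripts, abbreviated from the outputs shown on this page.
SAMPLE_OK='PING 10.61.0.3 (10.61.0.3) 56(84) bytes of data.
64 bytes from 10.61.0.3: icmp_seq=1 ttl=64 time=3.48 ms
--- 10.61.0.3 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms'
SAMPLE_DENIED='PING 10.62.0.1 (10.62.0.1) 56(84) bytes of data.
From 10.60.0.254 icmp_seq=1 Destination Host Unreachable
--- 10.62.0.1 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2047ms'
SAMPLE_HANG='PING 10.62.0.2 (10.62.0.2) 56(84) bytes of data.'

# Live checks. Pod names are the ones shown on this page at the time of
# writing; GREEN1_IP is an ASSUMPTION (green1's address is not on the page).
GREEN1=${GREEN1:-green1-75667cbd6f-8kn74}
GREEN3=${GREEN3:-green3-6cff5fb5bf-pjhqz}
GREEN1_IP=${GREEN1_IP:-10.60.0.1}

pod_ping() {  # pod_ping NAMESPACE POD DST -> prints the ping transcript
    kubectl exec -n "$1" "$2" -- ping -c 3 -W 2 "$3" 2>&1 || true
}
pod_tcp() {   # pod_tcp NAMESPACE POD DST PORT -> prints open/filtered
    kubectl exec -n "$1" "$2" -- nc -z -w 3 "$3" "$4" >/dev/null 2>&1
    tcp_verdict $?
}

run_matrix() {
    _fail=0
    expect "$(classify_ping "$(pod_ping green "$GREEN1" 10.60.0.2)")" reachable "intra-node green1->green2" || _fail=1
    expect "$(classify_ping "$(pod_ping green "$GREEN1" 10.61.0.3)")" reachable "inter-node green1->green3" || _fail=1
    # Expect "unreachable" here instead after `kubectl delete intertenant ...`.
    expect "$(classify_ping "$(pod_ping green "$GREEN1" 10.62.0.1)")" reachable "inter-tenant green1->red1 (CRD present)" || _fail=1
    # Requires `nc -l -p 5000` running on green3 and green1 (see tcp_verdict caveat).
    expect "$(pod_tcp green "$GREEN1" 10.61.0.3 5000)" open "ACL green1->green3:5000" || _fail=1
    expect "$(pod_tcp green "$GREEN1" 10.61.0.3 5001)" filtered "ACL green1->green3:5001" || _fail=1
    expect "$(pod_tcp green "$GREEN3" "$GREEN1_IP" 5000)" filtered "ACL reverse green3->green1:5000" || _fail=1
    return $_fail
}

if [ "${HNA_LIVE:-0}" = 1 ]; then run_matrix; fi
```

The TCP rows only mean something with a listener on the target: a port with nothing bound refuses the connection and nc exits non-zero exactly as it does when the ACL drops the SYN, so start `nc -l -p 5000` on both green1 and green3 before running the matrix. Run the matrix once with the inter-tenant CRD present, delete it, and run it again with the third row's expectation switched to unreachable to cover both halves of the inter-tenant check.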
Anti-spoofing check¶
HNA enforces anti-spoofing: packets whose source IP address does not match the address assigned to the pod are silently dropped, so the ping hangs instead of returning an error.
To verify this, change the IP address of red1 and try to ping red2:
red1-756864cd5b-kkmc9> edit running
red1-756864cd5b-kkmc9 running config# del / vrf main interface infrastructure ntfp1 ipv4
red1-756864cd5b-kkmc9 running config# / vrf main interface infrastructure ntfp1 ipv4 address 10.62.0.123/16
red1-756864cd5b-kkmc9 running config# commit
Configuration committed.
red1-756864cd5b-kkmc9 running config# cmd ping 10.62.0.2
<HANG>
Restore the original IP address and check that ping works again:
red1-756864cd5b-kkmc9 running config# del / vrf main interface infrastructure ntfp1 ipv4
red1-756864cd5b-kkmc9 running config# / vrf main interface infrastructure ntfp1 ipv4 address 10.62.0.1/16
red1-756864cd5b-kkmc9 running config# commit
Configuration committed.
red1-756864cd5b-kkmc9 running config# cmd ping 10.62.0.2
PING 10.62.0.2 (10.62.0.2) 56(84) bytes of data.
64 bytes from 10.62.0.2: icmp_seq=1 ttl=64 time=5.03 ms
64 bytes from 10.62.0.2: icmp_seq=2 ttl=64 time=1.89 ms
64 bytes from 10.62.0.2: icmp_seq=3 ttl=64 time=2.13 ms
64 bytes from 10.62.0.2: icmp_seq=4 ttl=64 time=1.59 ms
^CNetconf RPC interrupted.
Delete an HNA pod¶
It is possible to delete (or update) an HNA pod and check the pings again while it is recreated:
root@node1:~# kubectl delete pod -n hna hna-hzj7l
pod "hna-hzj7l" deleted
When the pod is back, the pings are successful again.
Delete a CNF¶
Delete green1 and red1:
root@node1:~# kubectl delete pod -n green green1-75667cbd6f-8kn74
pod "green1-75667cbd6f-8kn74" deleted
root@node1:~# kubectl delete pod -n red red1-d75dc6b4f-dvp8d
pod "red1-d75dc6b4f-dvp8d" deleted
When the pods are back, the pings are successful again.
Delete HNA operators¶
Delete hna-operator and hna-device-plugin:
root@node1:~# kubectl delete pod -n hna-operator hna-operator-cwjp8
pod "hna-operator-cwjp8" deleted
root@node1:~# kubectl delete pod -n hna-operator hna-device-plugin-8t8rw
pod "hna-device-plugin-8t8rw" deleted
Ping traffic is never interrupted: these components manage the configuration and are not on the data path.