10.0www.6633.us

Sign-inhere:http://tinyurl.
com/nanog57-rosterWorkshopSlides:http://tinyurl.
com/nanog57-slidescopyrightIndianaUniversityOpenflow90minutesIndianaCenterforNetworkTranslationalResearchandEducationtheresearcharmofInstructorsStevenWallacessw@iu.
eduChrisSmallchsmall@indiana.
edu31October2012Toolsthatwe'llbeusingtoday.
.
.
AmazonWebServices(EC2)OpenVSwitch-theOpenVSwitchdistributionincludesanOFcontroller(i.
e.
,ovs-controller)andausefulcommand-lineutilityovs-ofclt.
WireShark-anopensourcenetwork"sniffer"Mininet-opensourcevirtualnetworkondesktopTeachingHTMLtoexplaintheWWWOpenFlow'spromiseisitsapplication,notitsinternalworkingsYetmuchoftodayisaboutOpenFlow'sinternalworkings,andverylittlewillbepolishedexamplesofitsapplication.
LogisticsOpentherosterspreadsheet(http://tinyurl.
com/nanog57-roster)Findyourrownumber,callitXOpentwoterminalwindowsvia:sshopenflow@vmX.
training.
incntre.
orgUsername:openflowPassword:openflowPointyourbrowserto:http://vmX.
training.
incntre.
org:8090/guacamole%pWhatisOpenFlowIt'saprotocolforcontroltheforwardingbehaviorofEthernetswitchesinaSoftwareDefinedNetworkInitiallyreleasedbytheCleanSlateProgramatStanford,itsspecificationisnowmaintainedbytheOpenNetworkingForumMostoftoday'smaterialisbasedontheOpenFlow1.
0specificationInApril2012,OpenFlow1.
3wasapproved(seealso4/2012ONFwhitepaper)EthernetSwitchTable-based(e.
g.
,TCAM/CAM)high-speedforwardingengineEmbeddedOperatingSystemDataPlaneControlPlaneFeaturesValueAddCLI,SNMP,TFTPOpenFlowControllerTable-based(e.
g.
,TCAM/CAM)high-speedforwardingengineEmbeddedOperatingSystemimplementsOpenFlowDataPlaneControlPlaneFeaturesValueAddOpenFlowProtocolOpenFlowControllerFeaturesValueAddOpenFlowProtocolEachswitchconnectsdirectlywithOFControllerFlowTableHeaderFieldsCountersActionsIngressPortEthernetSourceAddrEthernetDestAddrEthernetTypeVLANidVLANPriorityIPSourceAddrIPDestAddrIPProtocolIPToSICMPtypeICMPcodePerFlowCountersReceivedPacketsReceivedBytesDurationsecondsDurationnanoseccondsForward(All,Controller,Local,Table,IN_port,Port#Normal,Flood)EnqueueDropModify-FieldPriorityFlowTableHeaderFieldsCountersActionsIfingressport==2DroppacketifIP_addr==129.
79.
1.
1re-writeto10.
0.
1.
1,forwardport3ifEthAddr==00:45:23addVLANid110,forwardport2ifingressport==4forwardport5,6ifEthType==ARPforwardCONTROLLERIfingressport==2&&EthType==ARPforwardNORMALPriority327683276832768327683276840000SpecialPortsController(sendspackettothecontroller)Normal(sendspackettonon-openflowfunctionofswitch)Local(canbeusedforin-bandcontrollerconnection)Flood(floodthepacketusingnormalpipeline)FlowTableHeaderFieldsCountersActionsIfingressport==2DroppacketifIP_addr==129.
79.
1.
1re-writeto10.
0.
1.
1,forwardport3Priority3276832768EachFlowTableentryhastwotimers:idle_timeoutsecondsofnomatchingpacketsafterwhichtheflowisremovedzeromeansnevertimeouthard_timeoutsecondsafterwhichtheflowisremovedzeromeannevertimeoutIfbothidle_timeoutandhard_timeoutareset,thentheflowisremovedwhenthefirstofthetwoexpires.
PopulatingtheFlowTableProactiveRulesarerelativelystatic,controllerplacesrulesinswitchbeforetheyarerequired.
ReactiveRulesaredynamic.
Packetswhichhavenomatcharesenttothecontroller(packetin).
Controllercreatesappropriateruleandsendspacketbacktoswitch(packetout)forprocessing.
ControllerandSwitchCommunicationMode-Controllervs.
ListenerTCPCommunication,whoinitiatesconversationModeandPopulatingFlowTableindependentExampleapplication:topologydiscoveryOpenFlowControllerBootstrappinganewswitchSwitchrequiresminimalinitialconfiguration(e.
g.
,IPaddress,defaultGW,andOpenFlowcontroller)Switchconnectstocontroller.
Controllerrequeststhingslikealistofports,etc.
Controllerproceedstodeterminetheswitch'slocation.
BootstrappinganewswitchControllerproactivelyplacesaruleintheswitch.
Ifether_type=LLDP,actions=output:controllerThenthecontrollercreatesanLLDPpacket,sendsittotheswitch,andinstructstheswitchtosenditoutaport(repeatforallports).
Sinceallswitchesinthecontroller'snetworkhavearuletosendLLDPpacketstothecontroller,thecontrollerisabletodeterminethetopology.
OpenFlow1.
0to1.
1FlowTableHeaderFieldsCountersActionsPriorityMatchFieldsPriorityCountersInstructionsCookie1.
01.
1mediadatapacketActionSetNewDataStructureinPipelineGroupIDTypeCountersActionBuckets.
.
.
.
.
.
.
.
.
.
PacketProcessing1.
0Doespacketmatchflowtableentry,ifso,performaction.
1.
1Doespacketmatchflowtableentry,ifso,lookatinstructions.
.
.
Actionsvs.
Instructions1.
1Flowentriescontaininstructions.
Instructionsmaybeimmediateaction(s),orinstructionsmaysetactionsintheactionsetInstructionscanalsochangepipelineprocessing:GototableXGotogrouptableentryxMoreTables1.
1AllowsformultipleflowtablesIncludesagrouptablewithmultiplegrouptabletypesInstructionscanjumptoothertables,butonlyinapositivedirectionOpenFlowQoSOF1.
0Optionalaction"Enqueue"Forwardspacketthroughaqueueattachedtoaport.
ThebehaviorofthequeueisdeterminedoutsidethescopeofOF.
HeaderfieldscanincludeVLANpriorityandIPToS,sotheycanbematchedagainstandre-written.
OpenFlowQoSOF1.
3Stufffrom1.
0Newtable"MeterTable"MeterIdentifierMeterBandsCounters32bitintegerusedtoidentifythemeterlistofmeterbandseachbandspecifiesrateandbehaviorOpenFlowQoS(1.
3cont.
)MeterIdentifierMeterBandsCountersMatchFieldsPriorityCountersInstructionsTimeoutsTimeoutsCookeNewinstructionMetermeter_idBandTypeRateCountersTypeSpecificArgumentsdroporremarkDSCPkb/sburstOpenFlowQoS(1.
3cont.
)MeterIdentifierMeterBandsCountersBandTypeRateCountersTypeSpecificArgumentsdroporremarkDSCPkb/sburstOneormoreMeterBandsperMeterTableEntry"themeterappliesthemeterbandwiththehighestconfiguredratethatislowerthanthecurrentmeasuredrate"Hands-onwithOpenFlow(quickreviewofthetable)HeaderFieldsCountersActionsIngressPortEthernetSourceAddrEthernetDestAddrEthernetTypeVLANidVLANPriorityIPSourceAddrIPDestAddrIPProtocolIPToSICMPtypeICMPcodePerFlowCountersReceivedPacketsReceivedBytesDurationsecondsDurationnanoseccondsForward(All,Controller,Local,Table,IN_port,Port#Normal,Flood)EnqueueDropModify-FieldPriorityHands-onwithOpenFlowOpenFlowControllerNormallyswitchinitiatesaconnectiontoitscontrollerAlthoughnotpartoftheOFspec,manyswitchessupportapassiveOFconnection,wheretheswitchlistensforaconnection.
ovs-ofctlWe'regoingtouseovs-ofctltoquerytheswitch'sstatus.
NewerversionsofOpenVSwitchdonotsupportremotepassiveconnections.
Somehardwaresupportspassiveconnectionandsomedoesn't.
Wewilluselocalconnectionsinthishands-ondemonstrationMininetWewillbeusingMininettosimulateswitchesandhostsinanetwork.
MininetusesOpenVSwitchastheswitchandcreatesLXCContainerVMsashostsOncestarted,themininetprompt"mininet>"allowscommandstoberunonitsvirtualhosts.
Forexamplemininet>h2pingh3causeshosth2topinghosth3Hosth2IP:10.
0.
0.
2eth0Hosth3IP:10.
0.
0.
3eth0Switchs1eth1eth2dp0Tostartmininetandconstructasimplenetwork,runthefollowinginoneoftheterminalwindows:$sudomn--mac--switchovsk--controllerremoteOpenFlowSwitchPeriodicallyattemptingtoconnecttocontrolleronlo:6633Alsolisteningondp0GettingWireSharkReady(somethinginterestingcomingup)configureWireSharktocaptureonthe"lo"interfaceType"of"(withoutthequotes)intheWireSharkFilterAbitaboutovs-ofctlpackagedwithopenvswitch-commonalternativetodpctl(openflowreferencecontroller)command-lineutilitythatsendsbasicOpenflowmessagesusefulforviewingswitchportandflowstats,plusmanuallyinsertingflowentriestoolforearlydebuggingTalksdirectlytotheswitchThisdoesnotrequireacontrollerSwitchmustsupportalistenerport(normallyviaTCP,butinourcaseviadp0FirstStep!
Run:$sudoovs-ofctlshowdp0The'show'commandconnectstotheswitchandprintsoutportstateandOFcapabilitiesWhatweretheresultsType:$sudoovs-ofctldump-flowsdp0Needtosudowhenusingalocaldatapathsocket(dp0)becauseMininet/OpenVSwitchcreatesitasrootNoflowStartthepingagainusingmininetandrecheckovs-ofctl-show$sudoovs-ofctlshowdp0OFPT_FEATURES_REPLY(xid=0x1):ver:0x1,dpid:0000000000000001n_tables:255,n_buffers:256features:capabilities:0xc7,actions:0xfff1(s1-eth1):addr:3a:e2:98:4e:fe:aaconfig:0state:0current:10GB-FDCOPPER2(s1-eth2):addr:36:29:c4:d7:a4:c1config:0state:0current:10GB-FDCOPPERLOCAL(dp0):addr:ca:5d:78:2d:b6:40config:PORT_DOWNstate:LINK_DOWNOFPT_GET_CONFIG_REPLY(xid=0x3):frags=normalmiss_send_len=0ovs-ofctldump-flowssudoovs-ofctldump-flowsdp0GivesusinformationabouttheflowsinstalledRuleitselfTimeoutsActionsPacketsandbytesprocessedbyflowovs-ofctldump-flows$sudoovs-ofctldump-flowsdp01.
NXST_FLOWreply(xid=0x4):2.
cookie=0x0,duration=30.
625s,table=4,n_packets=0,n_bytes=2612,idle_timeout=180,priority=33000,in_port=1actions=output:23.
cookie=0x0,duration=22.
5s,table=4,n_packets=0,n_bytes=2612,idle_timeout=180,priority=33000,in_port=2actions=output:1ovs-ofctldump-ports$sudoovs-ofctldump-portsdp0-Givesphysicalportinformation-Rx,txcounters-Errorcounters1.
OFPST_PORTreply(xid=0x1):14ports2.
port2:rxpkts=25211,bytes=3856488,drop=0,errs=0,frame=0,over=0,crc=0txpkts=7144,bytes=767594,drop=0,errs=0,coll=03.
port5:rxpkts=18235,bytes=3142702,drop=0,errs=0,frame=0,over=0,crc=0txpkts=0,bytes=0,drop=0,errs=0,coll=0Hosth2IP:10.
0.
0.
2eth0Hosth3IP:10.
0.
0.
3eth0Switchs1eth1eth2dp0OpenFlowSwitchPeriodicallyattemptingtoconnecttocontrolleronlo:6633Alsolisteningondp0Exercise#1Solet'sseeifthenetworkisworking.
Pingh2fromh3usingthefollowingcommand:mininet>h2pingh3Afterabityoucantypecontrol-Ctostoptheping.
WhathappenedIntheotherterminalwindowsstarttheovs-controller:$sudoovs-controllerptcp:&Nowtrythepingsagain.
CheckoutWireShark!
Hosth2IP:10.
0.
0.
2eth0Hosth3IP:10.
0.
0.
3eth0Switchs1eth1eth2dp0ovs-controllerLearningSwitchOpenflowLearningSwitchCheckflowtable$sudoovs-ofctldump-flowsdp0LearningSwitchWhatisthestateoftheflowtableWhatistheovs-controllerworkflowWhathappenswhenabroadcastpacketgetssentMulticastControl-Covs-controllerInthatwindowwhereyoustartedovs-controller,enter"fg"thenacontrol-Ctokillthecontroller.
We'llgetbacktoitlater.
Exercise#2Usingovs-ofctltoinsertsimple,port-basedrulesLet'smakesureswitchhasnoexistingflows:$sudoovs-ofctldel-flowsdp0Hosth2IP:10.
0.
0.
2eth0ovs-ofctlprocess$sudoovs-ofctladd-flowdp0idle_timeout=180,priority=33000,in_port=1,actions=output:2$sudoovs-ofctladd-flowdp0idle_timeout=180,priority=33000,in_port=2,actions=output:1mininet>h2pingh3Hosth3IP:10.
0.
0.
3eth0Switchs1eth1eth2dp0Port-basedRulesDothepingsworkWhatdoyouseewith$sudoovs-ofctldump-flowsdp0DothecountersincreaseasexpectedWhat'sgoingonwiththetimeoutsExercise#3-Movingupthestack.
.
.
Firstrulewasport-based.
NextruleisIPsourceaddress-based.
type:$sudoovs-ofctladd-flowdp0idle_timeout=180,priority=33001,dl_type=0x800,nw_src=10.
0.
0.
2,actions=output:2$sudoovs-ofctladd-flowdp0idle_timeout=180,priority=33001,dl_type=0x800,nw_src=10.
0.
0.
3,actions=output:1Hosth2IP:10.
0.
0.
2eth0ovs-ofctlprocessHosth3IP:10.
0.
0.
3eth0Switchs1eth1eth2dp0IPAddress-basedRulesDothepingsworkDidtheport-basedrulestimeoutIftherearenoport-basedrules,whywouldthepingsfailCanyouverifythishypothesisbylookingatthecountersExampleofOpenFlow'sGameChangingPotentialif"FloorPlanEntropy"hasgotyourbisectionbandwidthdown,buildfattreenetworksbasedonlow-costswitchesbyprogrammingthenetworkforthedatacenterviaOpenflow(e.
g.
,PortLand)