Tutorial: An Introduction to OpenFlow using POX

Sponsored by the National Science Foundation

Tutorial: An Introduction to OpenFlow using POX

Vic Thomas, Niky Riga– GPO

Summercamp July 2014

Sponsored by the National Science Foundation 2SC July 2014

Tutorial Tips …

• For this tutorial you will need• Omni• ability to login through ssh• a text editor

• Optional• Basic understanding of python• xterm support (MAC, linux, cygwin are ok)

http://tinyurl.com/geniof


Switch Architecture


Moving Control out of the Switch


OpenFlow is an API

Modified slide from : http://www.deutsche-telekom-laboratories.de/~robert/GENI-Experimenters-Workshop.ppt

• Control how packets are forwarded

• Implementable on COTS hardware

• Make deployed networks programmable– not just configurable

• Makes innovation easier


OpenFlow

Switch

Data Path (Hardware)

Control Path OpenFlow

Any Host

OpenFlow Controller

OpenFlow Protocol (SSL/TCP)


• The controller is responsible for populating forwarding table of the switch

• In a table miss the switch asks the controller


OpenFlow in action

Switch



Any HostOpenFlow Controller



• Host1 sends a packet• If there are no rules

about handling this packet– Forward packet to the

controller– Controller installs a flow

• Subsequent packets do not go through the controller

host1 host2


OpenFlow BasicsFlow Table Entries

SwitchPort

MACsrc

MACdst

Ethtype

VLANID

IPSrc

IPDst

IPToS

TCPsport

TCPdport

Rule Action Stats

1. Forward packet to port(s)2. Encapsulate and forward to controller3. Drop packet4. Send to normal processing pipeline5. Modify Fields

+ mask what fields to match

Packet + byte counters

slide from : http://www.deutsche-telekom-laboratories.de/~robert/GENI-Experimenters-Workshop.ppt

IPProt

VLANPCP


Use Flow Mods• Going through the controller on every packet is

inefficient• Installing Flows either proactively or reactively is

the right thing to do:• A Flow Mod consists of :

– A match on any of the 12 supported fields– A rule about what to do matched packets– Timeouts about the rules:

• Hard timeouts• Idle timeouts

– The packet id in reactive controllers


OpenFlow common Pitfalls• Controller is responsible for all traffic, not just your

application!– ARPs– DHCP– LLDP

• Reactive controllers– UDP

• Performance in hardware switches– Not all actions are supported in hardware

• No STP– Broadcast storms


GENI Rack Campuses

• Each rack has an OpenFlow-enabled switch


Core Networks

• Internet2 adding 10GbE paths to Advanced Layer 2 Services (AL2S) at 4 of 5 OpenFlow meso-scale/ProtoGENI Pops

• GENI Aggregate Manager in Internet2 AL2S and dynamic stitching coming soon

Internet2 SDN networks


OpenFlow datapaths

Switch



Any HostOpenFlow Controller

OpenFlow Protocol

Different OpenFlow modes– switches in pure OF mode are

acting as one datapath– Hybrid VLAN switches are one

datapath per VLAN– Hybrid port switches are two

datapaths (one OF and one non-OF)

OpenFlow switches are usually referred to as datapaths with a unique dpid

Each Datapath can point to only one controller!

It is not necessary that 1 physical switch corresponds to 1 dpid


FlowVisor• FlowVisor is a proxy

controller that can support multiple controllers

FlowSpace describes packet flows :

– Layer 1: Incoming port on switch

– Layer 2: Ethernet src/dst addr, type, vlanid, vlanpcp

– Layer 3: IP src/dst addr, protocol, ToS

– Layer 4: TCP/UDP src/dst port

Switch



Any Host

FlowVisor


Any Host

OpenFlow Controller

Any Host

OpenFlow Controller



FOAM• An OpenFlow Aggregate Manager

• It’s a GENI compliant reservation service– Helps experimenters reserve flowspace in the

FlowVisor

• Speaks AM API v1 and AM API v2

• RSpecs GENI v3, OpenFlow v3 extension


Sharing of OpenFlow resources

In GENI:– Slice by VLAN for exclusive VLANs– Slice by IP subnet and/or eth_type for shared VLANs

In FIRE:• On iMinds testbed

– Slice by inport• On OFELIA testbed

– Slice by VLAN

Today


FOAM RSpecs

<rspec … type="request"> <openflow:sliver > <openflow:controller url="tcp:192.168.1.1:6633" type="primary"/> <openflow:group name="missouri-instageni-openflow-1750"> <openflow:datapath component_id="urn:publicid:IDN+openflow:foam:foam.instageni.rnet.missouri.edu+datapath+06:d6:2c:59:e5:6a:02:00" component_manager_id="urn:publicid:IDN+openflow:foam:foam.instageni.rnet.missouri.edu+authority+am"/> </openflow:group> <openflow:match> <openflow:use-group name="missouri-instageni-openflow-1750"/> <openflow:packet> <openflow:dl_type value="0x800,0x806"/> <openflow:nw_dst value=”10.10.10.0/24"/> <openflow:nw_src value=”10.10.10.0/24"/> </openflow:packet> </openflow:match> </openflow:sliver></rspec>


OpenFlow Experiments

Debugging OpenFlow experiments is hard: – Network configuration debugging requires coordination– Many networking elements in play– No console access to the switch

Before deploying your OpenFlow experiment test your controller.

http://mininet.github.com/http://openvswitch.org/


Run an OpenFlow experiment

1 Xen VM running the OF controller1 Xen VM as OVS switch3 OpenVZ VMs connected to OVS

• Setup OVS• Write simple controllers

– e.g. divert traffic to a different server

– Use Python controller PoX

Host1 Host2

Host3

OVS

Controller


• Part I: Design/Setup– Obtain Resources

• Part II: Execute– Configure and Initialize Services– Execute Experiment

• Part III: Finish– Teardown Experiment


Obtain ResourcesTwo slices

1. Running your controller• “XEN VM Pox Ctrl”

2. Your OpenFlow topology• “OF OVS Tutorial with Xen & OpenVZ”

Host1 Host2

Host3

OVSController

slice 2

slice 1Use the aggregate

on your worksheet!


Configure OVS

OVS is a virtual switch running on a Xen VM

• The dataplane intf of VM are the ports of the switch– Configure an Ethernet bridge (done)– Add all dataplane ports to the switch

• Make it an OpenFlow switch– Point OVS switch to the controller address and port

• Use your controller eth0 IP– Turn off default forwarding

• Kernel space OVS


Configure and Initialize OVS• Log in to OVS host and configure software switch:

$ ifconfig$ sudo ifconfig eth1 0$ sudo ifconfig eth2 0$ sudo ifconfig eth3 0$ sudo ovs-vsctl add-port br0 eth1$ sudo ovs-vsctl add-port br0 eth2$ sudo ovs-vsctl add-port br0 eth3$ sudo ovs-vsctl list-ports br0$ sudo ovs-vsctl set-controller br0 tcp:<ctrl_ip>:6633$ sudo ovs-vsctl set-fail-mode br0 secure$ sudo ovs-vsctl show

Host1 Host2

Host3

OVS

eth1

eth3

eth2Turn off IP

Add data ports to switch

Point switch to controller


• Part I: Design/Setup– Obtain Resources– What is OpenFlow, what can I do with Openflow?– Demo: Using OpenFlow in GENI




Debugging your Controller

1. Use debugging messages in your controller

2. Use tcpdump to verify that packets flow in the right intf– Between hosts– Between switch and controller

3. Use ovs-ofctl, ovs-dpctl, ovs-vsctl– to check connectivity to controller– to see installed flows

4. Use tcpdump, wireshark– Dissector for OpenFlow

• Allows to see OpenFlow messages being exchanged on the wire


Experiments

1. Use a Learning Switch Controller to see that traffic does not flow without it

2. Write a controller that duplicates traffic out a port

3. Write a controller that implements port forwarding on one host

4. Write a controller that implements a proxy forwarding

Hint: Controller solutions are given, just remove my (e.g. useProxy instead of myProxy)


• Part I: Design/Setup– Obtain Resources



Using Hardware Switches


Obtain Resources

Delete Slice 2 (not 1), recreate it with a hardware switch

1. Your OpenFlow topology• Download and modify rspec

Host1 Host2

Host3

Controller

slice 2

slice 1

Use the aggregate on

your worksheet!

keep!


Part III: Finish Experiment

When your experiment is done, you should always release your resources.

– Normally this is when you would archive your data– Delete your slivers at each aggregate

slice

projectaggregate

RSpecuserresourcesliv

er

AM API

slivercredentials

certificate

Tutorial: An Introduction to OpenFlow using POX

Documents

ok http

packetforward packet

controller host1host2sponsored

switch architecture

apimodified slide

tutorial tips

forwarding table

geni rack campuseseach