OpenFlow in a day
Indiana Center for Network Translational Research and Education, the research arm of
OpenFlow's owner: Open Networking Foundation
ONF members: A10 Networks, Alcatel-Lucent, Argela, Big Switch Networks, Broadcom, Brocade, Ciena, Cisco
Open Networking Foundation
Membership-based, 30K a year.
Members agree to share IP on reasonable terms.
Working groups evolve the standard.
Not like IETF, I
OpenFlow's Oxygen (hype is adrenaline, not oxygen)
Large data center operators can roll their own. They make their own servers, their own data cent
OVS in the data center
Problem: need to provide an automated approach to multi-tenant isolation, VM migration, automated provisioning, hi-bisection b
Reducing the oxygen requirement
Merchant silicon: "off the shelf" chips that perform packet processing at high speed vs. vertically integrated custom d
What is OpenFlow?
● It's a protocol for controlling the forwarding behavior of Ethernet switches in a Software Defined Network
● Initially released by
Ethernet Switch (figure)
Data plane: table-based (e.g., TCAM/CAM) high-speed forwarding engine
Control plane: embedded operating system; features / value add: CLI, SNMP,
OpenFlow Controller (figure)
Data plane: table-based (e.g., TCAM/CAM) high-speed forwarding engine
Control plane: embedded operating system implements OpenFlow; Featur
OpenFlow Controller (figure): features and value add live in the controller; OpenFlow protocol between controller and switch
Each switch connects directly with the OF controller
Flow Table: Header Fields | Counters | Actions
Header fields: Ingress Port, Ethernet Source Addr, Ethernet Dest Addr, Ethernet Type, VLAN id, VLAN Priority, IP Source Addr, IP Dest Addr, I
Instructors: Steven Wallace, Uwe Dahlmann, Ron Milford, Chris Small
Flow Table: Header Fields | Counters | Actions
If ingress port == 2: drop packet
If IP_addr == 129.79.1.1: rewrite to 10.0.1.1, forward port 3
If Eth Addr == 00:
Special Ports
Controller (sends the packet to the controller)
Normal (sends the packet to the non-OpenFlow function of the switch)
Local (can be used for in-band control
Flow Table: Header Fields | Counters | Actions | Priority
If ingress port == 2: drop packet (priority 32768)
If IP_addr == 129.79.1.1: rewrite to 10.0.1.1, forward port 3 (priority 32768)
Populating the Flow Table
Proactive: rules are relatively static; the controller places rules in the switch before they are required.
Reactive: rules are dynamic. P
Controller and Switch Communication
● Mode: Controller vs. Listener
○ TCP communication; who initiates the conversation
● Mode and populating the flow table ind
Example application: topology discovery (figure: OpenFlow Controller
Bootstrapping a new switch
Switch requires minimal initial configuration (e.g., IP address, default GW, and OpenFlow controller)
Switch connects to cont
Bootstrapping a new switch
Controller proactively places a rule in the switch: if ether_type = LLDP, actions=output:controller
Then the controller create
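Added example, not code from the slides: the controller side of the LLDP-based discovery just described, in Python. It builds the LLDP frame the controller packet-outs on each port, parses it back out of the packet-in that the "ether_type = LLDP, output:controller" rule produces on the far switch, and records one link per packet-in. The cable plan, the controller MAC, and carrying dpid and port number in "locally assigned" chassis/port TLVs are assumptions of the example; the wiring is constructed so it runs offline.

```python
import struct

LLDP_ETHERTYPE = 0x88CC
LLDP_DST = bytes.fromhex("0180c200000e")       # nearest-bridge multicast, not forwarded by bridges
TLV_END, TLV_CHASSIS, TLV_PORT, TLV_TTL = 0, 1, 2, 3
SUBTYPE_LOCAL = 7                              # "locally assigned" chassis/port id subtype (assumption)


def tlv(tlv_type, value):
    """802.1AB TLV: 7-bit type, 9-bit length, then the value."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldp(dpid, port_no, src_mac):
    """Frame the controller packet-outs on (dpid, port_no); dpid/port ride in the chassis/port TLVs."""
    body = (tlv(TLV_CHASSIS, bytes([SUBTYPE_LOCAL]) + struct.pack("!Q", dpid))
            + tlv(TLV_PORT, bytes([SUBTYPE_LOCAL]) + struct.pack("!H", port_no))
            + tlv(TLV_TTL, struct.pack("!H", 120))
            + tlv(TLV_END, b""))
    return LLDP_DST + src_mac + struct.pack("!H", LLDP_ETHERTYPE) + body


def parse_lldp(frame):
    """Return (dpid, port_no) carried by one of our LLDP frames, or None for anything else."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        return None
    dpid = port_no = None
    off = 14
    while off + 2 <= len(frame):
        hdr, = struct.unpack("!H", frame[off:off + 2])
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = frame[off + 2:off + 2 + length]
        off += 2 + length
        if tlv_type == TLV_END:
            break
        if tlv_type == TLV_CHASSIS and len(value) == 9 and value[0] == SUBTYPE_LOCAL:
            dpid, = struct.unpack("!Q", value[1:])
        elif tlv_type == TLV_PORT and len(value) == 3 and value[0] == SUBTYPE_LOCAL:
            port_no, = struct.unpack("!H", value[1:])
    if dpid is None or port_no is None:
        return None
    return dpid, port_no


class Topology:
    """Controller-side link table, fed by the packet-ins that the LLDP rule produces."""

    def __init__(self):
        self.links = set()   # ((src_dpid, src_port), (dst_dpid, dst_port))

    def on_packet_in(self, dpid, in_port, frame):
        origin = parse_lldp(frame)
        if origin is None:
            return None      # not LLDP, or not shaped like the frames we send
        link = (origin, (dpid, in_port))
        self.links.add(link)
        return link


def run_discovery(wiring, controller_mac=bytes.fromhex("020000000001")):
    """wiring is a constructed cable plan {(dpid, port): (peer_dpid, peer_port)}.
    For each port the controller sends an LLDP frame; the peer switch's flow rule
    punts it back as a packet-in, and that packet-in reveals one link."""
    topo = Topology()
    for (dpid, port), (peer_dpid, peer_port) in wiring.items():
        frame = build_lldp(dpid, port, controller_mac)       # packet-out to (dpid, port)
        topo.on_packet_in(peer_dpid, peer_port, frame)       # arrives at peer; rule sends it up
    return topo


if __name__ == "__main__":
    plan = {(1, 2): (2, 1), (2, 1): (1, 2), (2, 3): (3, 1), (3, 1): (2, 3)}
    for link in sorted(run_discovery(plan).links):
        print("%s:%d -> %s:%d" % (link[0][0], link[0][1], link[1][0], link[1][1]))
```

Any host can inject LLDP on its access port, and the rule above sends every LLDP frame to the controller, so a discovery module that believes whatever arrives can be fed fake links. A controller that has to trust its topology ties each frame it emits to something it can verify, such as a per-round nonce or keyed hash in an organization-specific TLV, and ignores the rest.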
OpenFlow 1.0 to 1.1
Flow Table, 1.0: Header Fields | Counters | Actions | Priority
Flow Table, 1.1: Match Fields | Priority | Counters | Instructions | Cookie
New data structures in 1.1: metadata, per-packet action set
Tools that we'll be using today...
Amazon Web Services
Mininet: virtual network environment, includes an OpenFlow-capable switch
Open vSwitch: the Op
Packet Processing
1.0: Does the packet match a flow table entry? If so, perform the action.
1.1: Does the packet match a flow table entry? If so, look at the instructions...
Actions vs. Instructions (1.1)
● Flow entries contain instructions.
● Instructions may be immediate action(s), or
● instructions may set actions in the acti
More Tables (1.1)
● Allows for multiple flow tables
● Includes a group table with multiple group table types
● Instructions can jump to other tables, but onl
Group Table Types
all: execute each bucket (each bucket gets a copy of the packet; used for flooding, multicast, etc.)
select: execute one bucket in the group (
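Added example, not code from the slides: a small Python model of the 1.1 pipeline described on the last few slides (multiple tables, Apply-Actions that run at once versus Write-Actions that go into the action set, Goto-Table that may only move forward, and an "all" group used for flooding). The flows, the group, and the packet field names are constructed for the example, and the action-set execution order is a simplified subset of the spec's.

```python
import zlib


class Pipeline:
    """OpenFlow 1.1 multi-table processing: a matching entry's instructions either apply
    actions right away (Apply-Actions), edit the packet's action set (Write-Actions /
    Clear-Actions), or send the packet on to a later table (Goto-Table). When no Goto-Table
    is executed, the accumulated action set runs once, at the end of the pipeline."""

    def __init__(self):
        self.tables = {}   # table_id -> [(priority, match, instructions)]
        self.groups = {}   # group_id -> (group_type, [bucket_actions, ...])

    def add_flow(self, table_id, priority, match, instructions):
        self.tables.setdefault(table_id, []).append((priority, dict(match), list(instructions)))

    def add_group(self, group_id, group_type, buckets):
        self.groups[group_id] = (group_type, [list(b) for b in buckets])

    def _lookup(self, table_id, pkt):
        hits = [e for e in self.tables.get(table_id, ())
                if all(pkt.get(k) == v for k, v in e[1].items())]
        return max(hits, key=lambda e: e[0]) if hits else None

    def _apply(self, action, pkt, outputs):
        kind = action[0]
        if kind == "output":
            outputs.append(action[1])
        elif kind == "set_field":                      # e.g. ("set_field", "nw_dst", "10.0.1.1")
            pkt = {**pkt, action[1]: action[2]}
        elif kind == "group":
            group_type, buckets = self.groups[action[1]]
            if group_type == "all":                    # every bucket gets its own copy (flood/multicast)
                chosen = buckets
            elif group_type == "select":               # one bucket, picked by a hash of the packet
                key = repr(sorted(pkt.items())).encode()
                chosen = [buckets[zlib.crc32(key) % len(buckets)]]
            else:                                      # "indirect": the single bucket
                chosen = buckets[:1]
            for bucket in chosen:
                copy = dict(pkt)
                for act in bucket:
                    copy = self._apply(act, copy, outputs)
        return pkt

    def process(self, pkt):
        """Run pkt (a dict of header fields) from table 0. Returns (final packet, output ports)."""
        pkt, outputs, action_set, table_id = dict(pkt), [], {}, 0
        while True:
            entry = self._lookup(table_id, pkt)
            if entry is None:
                break                                  # table miss: nothing more happens here
            next_table = None
            for instr, arg in entry[2]:
                if instr == "apply_actions":
                    for act in arg:
                        pkt = self._apply(act, pkt, outputs)
                elif instr == "write_actions":         # one action per type; a later write replaces
                    for act in arg:
                        action_set[act[0]] = act
                elif instr == "clear_actions":
                    action_set.clear()
                elif instr == "goto_table":
                    if arg <= table_id:
                        raise ValueError("goto_table may only move to a higher-numbered table")
                    next_table = arg
            if next_table is None:
                break
            table_id = next_table
        for kind in ("set_field", "group", "output"):  # action-set execution order (subset of the spec's)
            if kind in action_set:
                pkt = self._apply(action_set[kind], pkt, outputs)
        return pkt, outputs


def build_demo():
    """Constructed example: table 0 classifies by port and hands IPv4 on to table 1,
    which rewrites the destination and overrides the output port; ARP is flooded via a group."""
    p = Pipeline()
    p.add_group(1, "all", [[("output", 2)], [("output", 3)]])
    p.add_flow(0, 200, {"dl_type": 0x806}, [("write_actions", [("group", 1)])])
    p.add_flow(0, 100, {"in_port": 1}, [("write_actions", [("output", 2)]), ("goto_table", 1)])
    p.add_flow(1, 100, {"dl_type": 0x800, "nw_dst": "10.0.0.3"},
               [("apply_actions", [("set_field", "nw_dst", "10.0.1.1")]),
                ("write_actions", [("output", 3)])])
    return p
```

The point to notice when running build_demo(): table 0 writes output:2 into the action set, table 1 writes output:3, and the packet leaves on port 3 only, because a Write-Actions replaces the action of the same type rather than adding a second one; an Apply-Actions output in table 0 would have sent a copy out port 2 immediately.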
OpenFlow QoS, OF 1.0
● Optional action "Enqueue": forwards the packet through a queue attached to a port. The behavior of the queue is determined out
OpenFlow QoS, OF 1.3
● Stuff from 1.0
● New table, "Meter Table": Meter Identifier | Meter Bands | Counters
Meter identifier: 32-bit integer used to identify the meter
Meter bands: list
OpenFlow QoS (1.3 cont.)
Meter table: Meter Identifier | Meter Bands | Counters
Flow table: Match Fields | Priority | Counters | Instructions | Timeouts | Cookie
New instruction: Meter me
OpenFlow QoS (1.3 cont.)
Meter table: Meter Identifier | Meter Bands | Counters
Each meter band: Band Type | Rate | Counters | Type-Specific Arguments
Band type: drop or remark DSCP; rate: kb/s; type-specific arguments: burst
One or more meter b
OpenFlow QoS (1.3 cont.), packet flow:
Matching flow table entry includes the instruction "apply Meter ID", then collect stats / determine which meter band applies, then drop packet or col
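Added example, not code from the slides: a token-bucket model of the 1.3 meter described above, in Python. Each band keeps its own bucket sized by its burst; a packet the bucket cannot pay for has "exceeded" that band; of the exceeded bands, the one with the highest rate applies, and its counters are bumped. The band values, the packet sizes and the DSCP remark mapping are constructed assumptions of the example.

```python
from dataclasses import dataclass, field


@dataclass
class Band:
    """One meter band: applies when the measured rate exceeds `rate_kbps`.
    Each band keeps its own token bucket sized by `burst_kb`."""
    kind: str               # "drop" or "dscp_remark"
    rate_kbps: int          # OF 1.3 OFPMF_KBPS rate
    burst_kb: int           # burst size, kilobits
    prec_level: int = 0     # dscp_remark only: drop precedence levels to add
    packets: int = 0        # per-band counters
    byte_count: int = 0
    tokens: float = field(init=False, default=0.0)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = self.burst_kb * 1000.0

    def exceeded(self, now, nbits):
        """Refill since last call, then try to pay for the packet; True if it could not."""
        refill = (now - self.last) * self.rate_kbps * 1000.0
        self.tokens = min(self.burst_kb * 1000.0, self.tokens + refill)
        self.last = now
        if self.tokens >= nbits:
            self.tokens -= nbits
            return False
        return True


def remark_dscp(dscp, prec_level):
    """Assumption for this example: raise the AF drop-precedence bits (AFx1 -> AFx2 -> AFx3),
    capped at AFx3. The spec leaves the exact DSCP mapping to the implementation."""
    af_class = dscp & 0b111000
    return min(dscp + 2 * prec_level, af_class | 0b110)


@dataclass
class Meter:
    meter_id: int
    bands: list
    packets: int = 0
    byte_count: int = 0

    def apply(self, now, pkt):
        """pkt: {"len": bytes, "dscp": int}. Returns the (possibly remarked) packet, or None if dropped."""
        self.packets += 1
        self.byte_count += pkt["len"]
        nbits = pkt["len"] * 8
        over = [b for b in self.bands if b.exceeded(now, nbits)]   # every band measures the packet
        if not over:
            return pkt
        band = max(over, key=lambda b: b.rate_kbps)   # OF 1.3: the exceeded band with the highest rate applies
        band.packets += 1
        band.byte_count += pkt["len"]
        if band.kind == "drop":
            return None
        return {**pkt, "dscp": remark_dscp(pkt["dscp"], band.prec_level)}


def run_burst(meter, count, size, dscp=10, now=0.0):
    """Offer `count` packets of `size` bytes at one instant; return what happened to each."""
    results = []
    for _ in range(count):
        out = meter.apply(now, {"len": size, "dscp": dscp})
        results.append("drop" if out is None else "remark" if out["dscp"] != dscp else "pass")
    return results


if __name__ == "__main__":
    # Constructed meter: remark above 500 kb/s (50 kb burst), drop above 1000 kb/s (100 kb burst)
    m = Meter(1, [Band("dscp_remark", 500, 50, prec_level=1), Band("drop", 1000, 100)])
    print(run_burst(m, 20, 1000))   # 1000-byte packets: 6 pass, 6 remarked, 8 dropped
```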
OpenFlow Example Implementations
● HP/NEC switches run in hybrid OpenFlow mode
○ can act as a regular switch or as an OpenFlow switch
○ implemented on a
Teaching HTML to explain the WWW
<h1>OpenFlow's promise is its application, not its internal workings</h1>
Yet much of today is about Op
HP Switch Configuration
● Enter configuration mode
○ # configure
● Create a VLAN for your OpenFlow instance
○ # vlan 10
● Add ports to the VLAN
○ In our cas
HP Switch Configuration
● Now to enable OpenFlow on the VLAN
○ # openflow vlan 10 enable
● Tell the OpenFlow instance to actively connect to an OpenFlow
HP Switch Configuration
● Lastly, we want the ability to manually connect to the switch to check and set state
○ the OpenFlow instance on the VLAN will
Actual Switch Configuration
Running configuration:
; J9470A Configuration Editor; Created on release #K.15.06.5008
; Ver #02:10.0d:1f
hostname "sw-1
Hands-on with OpenFlow (quick review of the table)
Header Fields | Counters | Actions
Header fields: Ingress Port, Ethernet Source Addr, Ethernet Dest Addr, Ethernet Type, VLAN id, V
Hands-on with OpenFlow (figure: OpenFlow Controller)
Normally the switch initiates a connection to its controller.
Although not part of the OF spec, many switches suppo
Mininet
We will be using Mininet to simulate switches and hosts in a network.
Mininet uses Open vSwitch as the switch and lightweight Linux containers (network namespaces) as ho
(figure) Host h2, IP: 10.0.0.2, eth0; Host h3, IP: 10.0.0.3, eth0; Switch s1: eth1, eth2, dp0
To start Mininet and construct a simple network, run the following in one of the termi
Getting Wireshark ready (something interesting coming up)
Configure Wireshark to capture on the "lo" interface.
Type "of" (without th
A bit about ovs-ofctl
● packaged with openvswitch-common
● alternative to dpctl (from the OpenFlow reference implementation)
● command-line utility that sends basic O
OpenFlow's Value: Enterprise, Data Center, WAN
First Step!
● Run: $ sudo ovs-ofctl show dp0
The 'show' command connects to the switch and prints out port state and OF capabilities.
● What we
ovs-ofctl show
$ sudo ovs-ofctl show dp0
OFPT_FEATURES_REPLY (xid=0x1): ver:0x1, dpid:0000000000000001
n_tables:255, n_buffers:256
features: capabilitie
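Added example, not the deck's code: the OF 1.0 exchange behind the ovs-ofctl show output above, in Python with struct. The controller sends HELLO, checks the version in the switch's HELLO, sends FEATURES_REQUEST and decodes the FEATURES_REPLY (dpid, n_tables, n_buffers, ports). The switch is a constructed stand-in for dp0; its capability and action bitmaps and port MACs are example values.

```python
import struct

OFP_VERSION = 0x01
OFPT_HELLO, OFPT_ERROR, OFPT_FEATURES_REQUEST, OFPT_FEATURES_REPLY = 0, 1, 5, 6
OFP_HEADER = "!BBHI"          # version, type, length, xid
FEATURES_BODY = "!QIB3xII"    # datapath_id, n_buffers, n_tables, pad[3], capabilities, actions
PHY_PORT = "!H6s16sIIIIII"    # ofp_phy_port, 48 bytes: port_no, hw_addr, name, config, state, curr, advertised, supported, peer


def message(msg_type, xid, body=b""):
    return struct.pack(OFP_HEADER, OFP_VERSION, msg_type, 8 + len(body), xid) + body


def parse_header(data):
    if len(data) < 8:
        raise ValueError("short OpenFlow header")
    return struct.unpack(OFP_HEADER, data[:8])   # (version, type, length, xid)


def features_reply(xid, dpid, n_buffers, n_tables, capabilities, actions, ports):
    body = struct.pack(FEATURES_BODY, dpid, n_buffers, n_tables, capabilities, actions)
    for port_no, hw_addr, name in ports:
        body += struct.pack(PHY_PORT, port_no, hw_addr, name.encode(), 0, 0, 0, 0, 0, 0)
    return message(OFPT_FEATURES_REPLY, xid, body)


def parse_features_reply(data):
    version, msg_type, length, xid = parse_header(data)
    if version != OFP_VERSION or msg_type != OFPT_FEATURES_REPLY or length != len(data) or length < 32:
        raise ValueError("not a complete OF 1.0 FEATURES_REPLY")
    dpid, n_buffers, n_tables, capabilities, actions = struct.unpack(FEATURES_BODY, data[8:32])
    ports, off = [], 32
    while off + 48 <= length:
        port_no, hw_addr, name = struct.unpack("!H6s16s", data[off:off + 24])
        ports.append((port_no, hw_addr.hex(":"), name.split(b"\0", 1)[0].decode()))
        off += 48
    return {"xid": xid, "dpid": dpid, "n_buffers": n_buffers, "n_tables": n_tables,
            "capabilities": capabilities, "actions": actions, "ports": ports}


class FakeSwitch:
    """Switch side, answering the two messages the handshake needs (constructed stand-in for dp0)."""

    def __init__(self, dpid, ports):
        self.dpid, self.ports = dpid, ports

    def handle(self, data):
        version, msg_type, _, xid = parse_header(data)
        if version != OFP_VERSION:
            return message(OFPT_ERROR, xid, struct.pack("!HH", 0, 0))   # HELLO_FAILED / INCOMPATIBLE
        if msg_type == OFPT_HELLO:
            return message(OFPT_HELLO, xid)
        if msg_type == OFPT_FEATURES_REQUEST:
            # capabilities/actions are example bitmaps (FLOW_STATS, TABLE_STATS, PORT_STATS, ARP_MATCH_IP; all 1.0 actions)
            return features_reply(xid, self.dpid, n_buffers=256, n_tables=255,
                                  capabilities=0x87, actions=0xFFF, ports=self.ports)
        raise ValueError("unexpected message type %d" % msg_type)


def controller_handshake(switch):
    """Controller side: HELLO both ways, then FEATURES_REQUEST -> FEATURES_REPLY (what ovs-ofctl show prints)."""
    version, msg_type, _, _ = parse_header(switch.handle(message(OFPT_HELLO, xid=1)))
    if msg_type != OFPT_HELLO or version != OFP_VERSION:
        raise ValueError("version negotiation failed")
    feats = parse_features_reply(switch.handle(message(OFPT_FEATURES_REQUEST, xid=2)))
    if feats["xid"] != 2:
        raise ValueError("reply xid does not match the request")
    return feats


if __name__ == "__main__":
    sw = FakeSwitch(0x1, [(1, bytes.fromhex("0a0b0c0d0e01"), "eth1"), (2, bytes.fromhex("0a0b0c0d0e02"), "eth2")])
    f = controller_handshake(sw)
    print("dpid:%016x n_tables:%d n_buffers:%d ports:%s" % (f["dpid"], f["n_tables"], f["n_buffers"], f["ports"]))
```

Nothing in this exchange authenticates either end: OF 1.0 runs over plain TCP to port 6633 unless the spec's optional TLS mode is configured on both sides, so anyone who can reach that port and speak these few messages can present itself as the controller to a switch, or as a switch to a controller. The Wireshark capture on lo in the exercise shows exactly these messages.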
ovs-ofctl dump-flows
● sudo ovs-ofctl dump-flows dp0
○ Gives us information about the flows installed
○ Rule itself
○ Timeouts
○ Actions
○ Packets and bytes
ovs-ofctl dump-flows
$ sudo ovs-ofctl dump-flows dp0
NXST_FLOW reply (xid=0x4):
cookie=0x0, duration=30.625s, table=4, n_packets=0, n_bytes=2612, i
ovs-ofctl dump-ports
$ sudo ovs-ofctl dump-ports dp0
- Gives physical port information
- Rx, tx counters
- Error counters
OFPST_PORT reply (xid=0x1)
ovs-ofctl del-flows
● we can remove all or individual flows from the switch
$ sudo ovs-ofctl del-flows <expression>
○ ex. $ sudo ovs-ofctl del-flow
(figure) Host h2, IP: 10.0.0.2, eth0; Host h3, IP: 10.0.0.3, eth0; Switch s1: eth1, eth2, dp0
OpenFlow switch: periodically attempting to connect to the controller on lo:6633. Also listeni
OpenFlow Learning Switch
Check the flow table: $ sudo ovs-ofctl dump-flows dp0
Control-C ovs-controller
In the window where you started ovs-controller, enter "fg" then a Control-C to kill the controller. We'll get
Exercise #2: Using ovs-ofctl to insert simple, port-based rules
Let's make sure the switch has no existing flows: $ sudo ovs-ofctl del-flows dp0
What can OpenFlow bring to the enterprise
● Automated configuration of new equipment in your enterprise network (think controller-based wireless)
● Choo
(figure) Host h2, IP: 10.0.0.2, eth0; ovs-ofctl process
$ sudo ovs-ofctl add-flow dp0 idle_timeout=180,priority=33000,in_port=1,actions=output:2
$ sudo ovs-ofctl add-flow
Do the pings work?
What do you see with $ sudo ovs-ofctl dump-flows dp0?
Do the counters increase as expected?
What's going on with the timeouts?
Exercise #3: Moving up the stack...
The first rule was port-based.
The next rule is IP source address-based.
Type:
$ sudo ovs-ofctl add-flow dp0 idle_timeout=180,priority=33001,dl_type=0x800,nw_src=10.0.0.2,actions=output:2
$ sudo ovs-ofctl add-flow dp0 idle_ti
Do the pings work?
Did the port-based rules time out?
If there are no port-based rules, why would the pings fail?
Can you verify this hypothesis by lookin
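Added example, not code from the slides: a Python model of the OF 1.0 flow table that serves both the flow-table slides earlier (header fields as wildcards, priority, counters) and exercises #2 and #3 above (idle timeouts, and why the pings stop). The h3 -> h2 mirror of the nw_src rule, the packet contents and the timing are constructed assumptions; the slide's second add-flow command is cut off.

```python
class FlowTable:
    """OpenFlow 1.0 single-table semantics as seen through ovs-ofctl: fields absent from a
    rule are wildcards, the highest-priority matching rule wins, its counters are bumped,
    and a rule whose idle_timeout has elapsed since it last matched is removed."""

    def __init__(self):
        self.flows = []

    def add_flow(self, now, priority=32768, idle_timeout=0, actions=(), **match):
        self.flows.append({"priority": priority, "match": match, "actions": list(actions),
                           "idle_timeout": idle_timeout, "n_packets": 0, "n_bytes": 0,
                           "last_used": now})

    def expire(self, now):
        self.flows = [f for f in self.flows
                      if not f["idle_timeout"] or now - f["last_used"] < f["idle_timeout"]]

    def lookup(self, now, pkt):
        self.expire(now)
        hits = [f for f in self.flows if all(pkt.get(k) == v for k, v in f["match"].items())]
        return max(hits, key=lambda f: f["priority"]) if hits else None

    def process(self, now, pkt):
        """Returns the action list, or "controller" on a table miss (OF 1.0 packet-in;
        with no controller attached the packet is simply lost)."""
        f = self.lookup(now, pkt)
        if f is None:
            return "controller"
        f["n_packets"] += 1
        f["n_bytes"] += pkt["len"]
        f["last_used"] = now
        return f["actions"]


def run_exercise():
    """Replays exercises #2 and #3: port rules (33000) plus IP-source rules (33001), a ping
    each second in both directions, ARP at the start and again once the hosts' ARP caches
    have expired. The h3 -> h2 mirror of the nw_src rule is an assumption."""
    t = FlowTable()
    t.add_flow(0.0, priority=33000, idle_timeout=180, actions=["output:2"], in_port=1)
    t.add_flow(0.0, priority=33000, idle_timeout=180, actions=["output:1"], in_port=2)
    t.add_flow(0.0, priority=33001, idle_timeout=180, actions=["output:2"],
               dl_type=0x800, nw_src="10.0.0.2")
    t.add_flow(0.0, priority=33001, idle_timeout=180, actions=["output:1"],
               dl_type=0x800, nw_src="10.0.0.3")
    arp_req = {"in_port": 1, "dl_type": 0x806, "len": 42}          # constructed packets
    arp_rep = {"in_port": 2, "dl_type": 0x806, "len": 42}
    echo = {"in_port": 1, "dl_type": 0x800, "nw_src": "10.0.0.2", "nw_dst": "10.0.0.3", "len": 98}
    reply = {"in_port": 2, "dl_type": 0x800, "nw_src": "10.0.0.3", "nw_dst": "10.0.0.2", "len": 98}

    out = {"arp_t1": t.process(1.0, arp_req), "arp_reply_t1": t.process(1.0, arp_rep)}
    for sec in range(1, 200):                  # ICMP hits the 33001 rules; the port rules stay idle
        out["echo_t199"] = t.process(float(sec), echo)
        t.process(float(sec), reply)
    out["echo_rule_packets"] = t.lookup(199.0, echo)["n_packets"]
    out["arp_t200"] = t.process(200.0, arp_req)   # port rules expired (idle since t=1); ARP is not dl_type 0x800
    out["echo_t200"] = t.process(200.0, echo)
    out["rules_left"] = sorted(f["priority"] for f in t.flows)
    return out
```

Running run_exercise() shows what the questions above are after: the port rules go idle the moment the more specific 33001 rules win every ICMP packet, so 180 s later they are gone; the IP rules match only dl_type=0x800, so the next ARP request is a table miss and the ping that depends on it fails, even though dump-flows still shows two healthy-looking rules with climbing counters.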
Learning Switch
What is the state of the flow table?
What is the ovs-controller workflow?
What happens when a broadcast packet gets sent? Multicast?
(figure) Host h2, IP: 10.0.0.2, eth0; Host h3, IP: 10.0.0.3, eth0; Switch s1: eth1, eth2, dp0; ovs-controller (learning switch)
FlowVisor (figure: FlowVisor with many OpenFlow Controllers
F lowVisor header fields: Ingress Port, Ethernet Source Addr, Ethernet Dest Addr, Ethernet Type, VLAN id, VLAN Priority, IP Source Addr, IP Dest Addr, IP Protocol, IP ToS, I
(figure) Host h2, IP: 10.0.0.2, eth0; ovs-ofctl process; Host h3, IP: 10.0.0.3, eth0; Switch s1: eth1, eth2, dp0; FlowVisor; Controller A
Let's make a fresh topology in Mininet: quit
What can OpenFlow bring to the data center
● Standard API for network provisioning (i.e. orchestration)
● Integration with VM-based switches (e.g. Open
Need to start FlowVisor
$ sudo /etc/init.d/flowvisor start
The default port for OpenFlow is 6633. The current OF decoder for Wireshark is hardcoded to 6
Creating Slices
Example: $ fvctl --passwd-file=/etc/flowvisor/fvpasswd createSlice slicename controller_url email
Actual: $ fvctl --passwd-file=/etc/flow
Adding Flowspace
You need to find the DPID of your switch:
$ fvctl --passwd-file=/etc/flowvisor/fvpasswd listDevices
Example of addFlowSpace:
$ fvctl --passw
Add Flowspace (cont.)
(continued from previous page)
$ fvctl --passwd-file=/etc/flowvisor/fvpasswd addFlowSpace 00:00:00:00:00:00:00:01 100 dl_type=0x800
Create some flows to push into a switch
Use pico, vi, emacs, or whatever... to create a text file that contains flow entries in the same format as the o
What happened?
What do you see in the debug output?
Did a switch connect to the controller?
What shows up in Wireshark?
Does the ping work???
$ sudo ovs-ofctl dump-flows dp0
How did these rules:
priority=33000,in_port=1,actions=output:2
priority=33000,in_port=2,actions=outp
listFlowSpace
● verify the flowspace that you added
$ fvctl --passwd-file=/etc/flowvisor/fvpasswd listFlowSpace
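Added example, not FlowVisor's own code: the slicing step behind the "How did these rules..." question, in Python. A slice's flow_mod is intersected with every flowspace entry that slice may write, and the narrowed rules are what reach the switch; a flow_mod that only touches another slice's traffic yields nothing and is refused; a packet-in is delivered only to slices with read permission on the matching flowspace entry. The slice names, the flowspace and the permission-bit values are constructed assumptions (the bits mirror fvctl's Slice:name=4 notation for write access); IP prefixes are not handled.

```python
DELEGATE, READ, WRITE = 1, 2, 4    # slice permission bits, assumed to mirror fvctl's "Slice:name=4"


def match_intersect(a, b):
    """Intersection of two OpenFlow 1.0-style matches (dict field -> exact value);
    None if they disagree on a field. IP prefixes are not handled in this example."""
    merged = dict(a)
    for fld, value in b.items():
        if merged.get(fld, value) != value:
            return None
        merged[fld] = value
    return merged


def matches(match, pkt):
    return all(pkt.get(fld) == value for fld, value in match.items())


class FlowVisor:
    """The slicing step FlowVisor applies between a slice's controller and the switch."""

    def __init__(self):
        self.flowspace = []     # {"dpid", "priority", "match", "perms": {slice: bits}}

    def add_flowspace(self, dpid, priority, match, perms):
        self.flowspace.append({"dpid": dpid, "priority": priority,
                               "match": dict(match), "perms": dict(perms)})

    def slice_flow_mod(self, slice_name, dpid, flow_mod):
        """Rewrite a slice's flow_mod into what actually reaches the switch: one rule per
        writable flowspace entry it intersects, each narrowed to that entry. Empty list = denied."""
        installed = []
        for entry in self.flowspace:
            if entry["dpid"] != dpid or not entry["perms"].get(slice_name, 0) & WRITE:
                continue
            narrowed = match_intersect(flow_mod["match"], entry["match"])
            if narrowed is not None:
                installed.append({**flow_mod, "match": narrowed})
        return installed

    def slices_for_packet_in(self, dpid, pkt):
        """Slices that get a copy of a packet-in: those with READ on the highest-priority
        flowspace entry matching the packet. No entry, no slice: the packet-in is dropped."""
        hits = [e for e in self.flowspace if e["dpid"] == dpid and matches(e["match"], pkt)]
        if not hits:
            return []
        best = max(hits, key=lambda e: e["priority"])
        return sorted(s for s, bits in best["perms"].items() if bits & READ)


DPID = 0x0000000000000001    # 00:00:00:00:00:00:00:01 in fvctl's notation


def demo_flowvisor():
    """Constructed flowspace: alice owns IPv4 traffic from 10.0.0.2, bob from 10.0.0.3."""
    fv = FlowVisor()
    fv.add_flowspace(DPID, 100, {"dl_type": 0x800, "nw_src": "10.0.0.2"}, {"alice": READ | WRITE})
    fv.add_flowspace(DPID, 100, {"dl_type": 0x800, "nw_src": "10.0.0.3"}, {"bob": READ | WRITE})
    return fv


if __name__ == "__main__":
    fv = demo_flowvisor()
    # the exercise's port-based rule, as alice's controller sends it...
    print(fv.slice_flow_mod("alice", DPID, {"priority": 33000, "match": {"in_port": 1}, "actions": ["output:2"]}))
    # ...a rule that reaches into bob's traffic, which is refused...
    print(fv.slice_flow_mod("alice", DPID, {"priority": 33000, "match": {"dl_type": 0x800, "nw_src": "10.0.0.3"},
                                            "actions": ["output:2"]}))
    # ...and an ARP packet-in, which lands in nobody's flowspace
    print(fv.slices_for_packet_in(DPID, {"in_port": 1, "dl_type": 0x806}))
```

This is the isolation FlowVisor provides and also its limit: a slice's in_port=1 rule comes out of dump-flows carrying the slice's dl_type and nw_src, which answers the question above, and a packet outside every slice's flowspace (ARP here) reaches no controller at all, which is why a slice that forgets to claim ARP sees its pings fail. Anything not expressible in the header fields on the FlowVisor slide cannot be sliced.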
OpenFlow "peering"
GENI model: slices from multiple networks point to a single controller
OE-SS model: interdomain is limited to abstraction
If OpenFlow was your only tool... (figure: iPad, HP Printer, WiFi Network, OF Switch, OF Switch, Router)
User: "The printer is on my desk, why can't I print??"
Network engi
What can OpenFlow bring to the wide area network
● Standard API for network provisioning of bandwidth-on-demand services (e.g. Internet2 OS3E)
● Standar
If OpenFlow was your only tool... (figure: OF Switch, User, Bad Guy)
Trusting user (is there any other kind)
Switched Ethernet is no problem for man-in-the-middle atta
If OpenFlow was your only tool... (figure: Update Server, OF Switch, Router, PCs: Zzzzzz)
PCs sleeping, soundly, waiting for their wake
OF-Config 1.1
"OF-CONFIG frames an OpenFlow datapath as an abstraction called an OpenFlow Logical Switch. The OF-CONFIG protocol enables configura
OF-Config uses the NETCONF protocol (4) as its transport
OF-CONFIG 1.1 is focused on the following functions:
● The assignment of one or more OpenFlow controllers
● The configuration of queues and ports
● The a
OpenFlow Origin
Clean Slate Program at Stanford
○ Early work on SANE circa 2006 (security architecture)
○ inspired Ethane circa 2007, which led to Open