OpenFlow/SDN Beginner's Tutorial, June 2013
Transcript of the slide deck.
Slide 1: OpenFlow/SDN Beginners Tutorial, June 2013
Srini Seetharaman, Deutsche Telekom Innovation Center
Speaker note: Before the talk starts, I would like to check with the audience about the environment setup.

Why SDN? What is SDN?
Slide 2: Critical needs for cloud DC networks
- Tenant virtualization: traffic isolation, prioritization and rate limiting; overlapping IP addressing, along with IPv6 support
- Speed up configuration to allow reduced time to revenue: automatically create the required network configs for new tenants; transparently bridging a L2 network will help reduce time
- Hybrid clouds with bursting: adding computational capacity (in the form of new VMs) as needed; lossless live migration
[Figure: VMs A1, B1 and C1 on hypervisor hosts, each site built from Switch-1, Switch-2 and Switch-3, joined over a WAN, with VLAN-101-x carried end to end]

Slides 3-4: Welcome to the Ossified Network
- Millions of lines of source code; 6000+ RFCs; barrier to entry
- Billions of gates; bloated; power hungry
- Many complex functions baked into the infrastructure: OSPF, BGP, multicast, differentiated services, traffic engineering, NAT, firewalls, MPLS, redundant layers, ...
- An industry with a mainframe mentality, reluctant to change
[Figure: a closed box of Specialized Packet Forwarding Hardware with its Operating System and vendor Features: routing, management, mobility management, access control, VPNs, ...]
Slide 5: Current Internet Closed to Innovations in the Infrastructure
[Figure: five boxes of Specialized Packet Forwarding Hardware, each with its own Operating System and its own set of Services; the whole stack is labelled "Closed"]
Speaker note: The next 3 slides are a set of animations to show how we enable innovation:
- Infrastructure is closed to innovation and only driven by vendors. Consumers have little say.
- The business model makes it hard for new features to be added.

Slide 6: Software Defined Networking approach to open it
[Figure: the same hardware boxes, but the services (LB service, FW service, IP routing service) move out of the boxes onto a Network Operating System]
Speaker note: How do we redefine the architecture to open up networking infrastructure and the industry? By bringing to the networking industry what we did to the computing world.

Slide 7: The Software-defined Network
[Figure: five boxes of Simple Packet Forwarding Hardware under a Network Operating System; LB service, FW service and IP routing service run on top of it. The Network Operating System talks down to the hardware through the OpenFlow API and up to the services through a north-bound interface API; the management API of the hardware is unchanged.]
- Switches, routers and other middleboxes are dumbed down
- The key is to have a standardized control interface that speaks directly to hardware

Slide 8: How does OpenFlow work?
Slide 9: Ethernet Switch
[Figure: Data Path (Hardware) with the Control Path (Software) above it, inside one box]

Slide 10: [Figure: the Control Path is pulled out of the box: the Data Path (Hardware) is driven by OpenFlow, and an OpenFlow Controller on a PC talks to it over the OpenFlow Protocol (SSL/TCP)]
Note: the control channel carries every rule the switch will ever apply. TLS (the "SSL" on the slide) is what lets switch and controller authenticate each other; over plain TCP, as in the hands-on setup later in this tutorial, anything that can reach the control port can install rules.

Slide 11: OpenFlow usage
[Figure: Alice's code runs on the Controller PC. A switch that has no rule for a packet asks the controller for a decision over the OpenFlow Protocol, and Alice's Rule is installed into each of the three OpenFlow Switches.]
- OpenFlow offloads control intelligence to remote software
Slide 12: How the actual protocol works

Slide 13: OpenFlow Example
[Figure: a Cluster of Controllers on a PC (software layer) talks over the OpenFlow protocol to OpenFlow-enabled hardware (hardware layer) running an OpenFlow Client (e.g., OVS). Host 1.2.3.4 sends to host 5.6.7.8; the switch has ports 1 to 4.]
Flow Table of the switch:
  MAC src | MAC dst | IP Src | IP Dst  | TCP sport | TCP dport | Action
  *       | *       | *      | 5.6.7.8 | *         | *         | port 1
Slide 14: OpenFlow Basics: Flow Table Entries
Each entry is a Rule, an Action and Stats.
Rule (match fields): Switch Port, MAC src, MAC dst, Eth type, VLAN ID, VLAN pcp, IP Src, IP Dst, IP Prot, IP ToS, L4 sport, L4 dport
  + mask what fields to match
  + priority
  + timeout (idle and hard)
Action:
- Forward packet to zero or more ports
- Encapsulate and forward to controller
- Send to normal processing pipeline
- Modify fields
- Any extensions you add!
Stats: packet + byte counters
Speaker note: Now I'll describe the API that tries to meet these goals.

Slide 15: Examples
Firewall service:
  Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst | IP Prot | TCP sport | TCP dport | Action
  *           | *       | *       | *        | *       | *      | *      | *       | *         | 22        | drop
IP Routing service:
  Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst  | IP Prot | TCP sport | TCP dport | Action
  *           | *       | *       | *        | *       | *      | 5.6.7.8 | *       | *         | *         | port6
VLAN multicast service:
  Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst | IP Prot | TCP sport | TCP dport | Action
  *           | *       | 00:1f.. | *        | vlan1   | *      | *      | *       | *         | *         | port6, port7, port9
(With IP Prot wildcarded, the firewall entry matches any IP packet whose transport destination port is 22, UDP as well as TCP; a rule meant for ssh alone also sets IP Prot = 6.)

Slide 16: OpenFlow benefits
- Hardware speed, scale, and fidelity for new services
- Made possible through a unified API supported by hardware platforms from multiple vendors
- Flexibility and control of software and simulation
- Vendors don't need to expose their implementation
- Leverages hardware inside most switches today (ACL tables implemented using TCAMs)

Slide 17: Usage examples
- Network virtualization
- Network access control/firewall
- Load balancing
- Per-flow switching
- New routing for unicast, multicast, multipath
- Home network manager
- Network monitoring and debugging
- and much more you can create! More available at openflow.org/videos

What is possible in the controller? Anything that needs intelligent routing of a flow. At Stanford, we have even shown how OpenFlow may be used for:
- VM migration
- Power management
- Load balancing
- Network monitoring and debugging
- Easier network visualization
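The flow-table semantics of slides 14 and 15 (wildcarded fields, an IP prefix mask, priority, idle/hard timeouts, packet/byte counters, and the table-miss path to the controller), as an added example that is not code from the tutorial or from any switch or controller. Packets are plain dicts keyed by the OpenFlow 1.0 field names; the three entries are the slide's firewall, IP routing and VLAN multicast services. The MAC 00:1f:00:00:00:01 is constructed because the slide only shows "00:1f..", the sample packets are constructed, and the default capacity of 1500 is the hardware limit quoted on slide 25.

```python
import ipaddress

# The OpenFlow 1.0 match fields, in the order of the slide's table.
FIELDS = ("in_port", "dl_src", "dl_dst", "dl_type", "dl_vlan", "dl_vlan_pcp",
          "nw_src", "nw_dst", "nw_proto", "nw_tos", "tp_src", "tp_dst")
IP_FIELDS = ("nw_src", "nw_dst")
CONTROLLER, DROP = "controller", "drop"


class FlowEntry:
    def __init__(self, match, actions, priority=0, idle_timeout=0,
                 hard_timeout=0, now=0.0):
        unknown = set(match) - set(FIELDS)
        if unknown:
            raise ValueError("unknown match fields: %s" % sorted(unknown))
        self.match, self.actions, self.priority = dict(match), list(actions), priority
        self.idle_timeout, self.hard_timeout = idle_timeout, hard_timeout
        self.installed = self.last_used = now
        self.packets = self.bytes = 0          # the "Stats" column

    def matches(self, pkt):
        """Every field listed in the match must be present and equal;
        fields not listed are wildcards ("mask what fields to match")."""
        for field, want in self.match.items():
            if field not in pkt:                # e.g. tp_dst on a non-IP frame
                return False
            if field in IP_FIELDS:              # want may be a prefix such as 10.0.0.0/8
                net = ipaddress.ip_network(want, strict=False)
                if ipaddress.ip_address(pkt[field]) not in net:
                    return False
            elif pkt[field] != want:
                return False
        return True


class FlowTable:
    def __init__(self, capacity=1500):
        self.capacity, self.entries = capacity, []

    def add_flow(self, entry):
        if len(self.entries) >= self.capacity:
            raise OverflowError("flow table full (%d entries)" % self.capacity)
        self.entries.append(entry)
        # Highest priority first. The spec leaves ties between overlapping
        # entries of equal priority undefined, so keep such entries disjoint.
        self.entries.sort(key=lambda e: -e.priority)

    def lookup(self, pkt, now=0.0):
        for e in self.entries:
            if e.matches(pkt):
                e.packets += 1
                e.bytes += pkt.get("len", 0)
                e.last_used = now
                return e.actions
        return [CONTROLLER]     # table miss: encapsulate and forward to the controller

    def expire(self, now):
        """Remove entries whose idle or hard timeout has elapsed; return them."""
        gone = [e for e in self.entries
                if (e.idle_timeout and now - e.last_used >= e.idle_timeout)
                or (e.hard_timeout and now - e.installed >= e.hard_timeout)]
        self.entries = [e for e in self.entries if e not in gone]
        return gone


def slide15_table(tcp_only=False):
    """The three services of slide 15. With tcp_only=True the firewall entry
    also pins nw_proto=6, so it no longer catches UDP datagrams to port 22."""
    t = FlowTable()
    fw = {"tp_dst": 22}
    if tcp_only:
        fw["nw_proto"] = 6
    t.add_flow(FlowEntry(fw, [DROP], priority=100))                          # firewall service
    t.add_flow(FlowEntry({"nw_dst": "5.6.7.8"}, ["port6"], priority=10))     # IP routing service
    t.add_flow(FlowEntry({"dl_dst": "00:1f:00:00:00:01", "dl_vlan": 1},      # VLAN multicast service
                         ["port6", "port7", "port9"], priority=10))
    return t


# Constructed sample packets (not from the tutorial).
SSH_TO_5678 = {"in_port": 1, "dl_type": 0x0800, "nw_src": "1.2.3.4", "nw_dst": "5.6.7.8",
               "nw_proto": 6, "tp_src": 40000, "tp_dst": 22, "len": 74}
HTTP_TO_5678 = dict(SSH_TO_5678, tp_dst=80, len=600)
UDP22 = dict(SSH_TO_5678, nw_dst="10.0.0.9", nw_proto=17, len=60)
VLAN_MCAST = {"in_port": 2, "dl_src": "00:00:00:00:00:02", "dl_dst": "00:1f:00:00:00:01",
              "dl_vlan": 1, "dl_type": 0x8100, "len": 64}
ARP = {"in_port": 3, "dl_src": "00:00:00:00:00:03", "dl_dst": "ff:ff:ff:ff:ff:ff",
       "dl_type": 0x0806, "len": 42}


def classify(table, pkts, now=0.0):
    return [table.lookup(p, now) for p in pkts]


if __name__ == "__main__":
    t = slide15_table()
    pkts = (SSH_TO_5678, HTTP_TO_5678, UDP22, VLAN_MCAST, ARP)
    for p, acts in zip(pkts, classify(t, pkts)):
        print(p.get("nw_dst", p.get("dl_dst")), "->", acts)
```

The ssh packet to 5.6.7.8 is dropped even though the routing entry also matches it: priority decides, not insertion order. The UDP datagram to port 22 shows the wildcarded IP Prot caveat from slide 15, and the ARP frame shows the table miss that, on slide 32, makes the first ping fail until a rule exists.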
OpenFlow design, architecture and protocol evolution

Slide 18: Design choice 1: Modes of SDN deployment
- In-network: existing/green-field network fabrics upgraded to support OpenFlow
- Overlay: WITHOUT changing the fabric, the intelligence is added to edge devices, either as an additional appliance (e.g., a bump-in-the-wire managed by the controller) or as an enhanced server kernel bridge (e.g., Open vSwitch in x86 hypervisors)
[Figure: a hardware switch whose data path (hardware) is driven by an OpenFlow control path. Figure courtesy of Martin Casado @ ONS 2012]

Slide 19: Design choice 2: Centralized vs. distributed control
- Centralized control: one controller manages all OpenFlow switches
- Distributed control: several controllers, each managing a subset of the switches
[Figure: three OpenFlow switches under one controller, versus three OpenFlow switches under three controllers]

Slide 20: Design choice 3: Per-flow routing vs. aggregation
Flow-based:
- Every flow is individually set up by the controller
- Exact-match flow entries
- Flow table contains one entry per flow
- Good for fine-grain control, e.g. campus networks
Aggregated:
- One flow entry covers large groups of flows
- Wildcard flow entries
- Flow table contains one entry per category of flows
- Good for large numbers of flows, e.g. backbone

Slide 21: Design choice 4: Reactive vs. proactive (pre-populated)
Reactive:
- The first packet of a flow triggers the controller to insert flow entries
- Efficient use of the flow table
- Every flow incurs a small additional flow setup time
- If the control connection is lost, the switch has limited utility
- (A host that opens many new flows can fill the flow table or flood the controller with packet-ins, so reactive entries normally carry an idle timeout)
Proactive:
- The controller pre-populates the flow table in the switch
- Zero additional flow setup time
- Loss of the control connection does not disrupt traffic
- Essentially requires aggregated (wildcard) rules

Slide 22: Design choice 5: End-to-end OpenFlow vs. hybrid
- Based on how OpenFlow is deployed, there may be issues coexisting with legacy networks
- The OpenFlow controller's view is not always complete. For instance, what does the controller see here?
[Figure: Host A, Host B and Host C, two non-OF switches (X and Y), two OF switches, and the Internet; only the OF switches report to the controller]

Slide 23: OpenFlow Implementations (Switch and Controller)
Slide 24: Open-source controllers
  Controller               | Notes
  Ryu                      | Apache license; Python
  NOX/POX                  | GPL; C++ and Python
  Stanford's Beacon        | BSD-like license; Java-based
  Maestro (from Rice Univ) | GPL; based on Java
  NEC's Trema              | Open-source; written in C and Ruby; included test harness
  Big Switch's Floodlight  | Apache license; Java-based

Slide 25: Sample commercial switches
  Model                                              | Virtualize                     | Notes
  HP ProCurve 5400zl or 6600                         | 1 OF instance per VLAN         | LACP, VLAN and STP processing before OpenFlow; wildcard rules or non-IP pkts processed in s/w; header rewriting in s/w; CPU protects mgmt during loop
  NEC IP8800                                         | 1 OF instance per VLAN         | OpenFlow takes precedence; most actions processed in hardware; MAC header rewriting in h/w
  Brocade MLX routers                                | Multiple OF instances per switch | Hybrid OpenFlow switch with legacy protocols and OpenFlow coexisting; OpenFlow commands can override state created by legacy protocols
  Pronto 3290 or 3780 with Pica8 or Indigo firmware  | 1 OF instance per switch       | No legacy protocols (like VLAN, STP); most actions processed in hardware; MAC header rewriting in h/w
All support OpenFlow ver 1.0. All have an approx. 1500 flow-table-entry limit.

Slide 26: Hands-on Tutorial
Slide 27: Bootstrap
- Install VirtualBox or VMware Player or VMware Fusion
- Import the tutorial VM appliances available at:
  64-bit: http://yuba.stanford.edu/~srini/OpenFlow_tutorial_64bit.ova (login: ubuntu, password: ubuntu)
  32-bit: http://yuba.stanford.edu/~srini/OpenFlow_tutorial_32bit.ova (login: ubuntu, password: ubuntu)
  (These are well-known default credentials; keep the VM on the host-only network rather than a routable one.)
- Install X-Windows if you do not already have it (Mac users: install XQuartz; Windows users: install Xming)
- Start the VM, and ssh -X to its host-only IP address
- VirtualBox: ensure the vboxnet0 interface is configured for host-only (File -> Preferences -> Network, then the "Add host-only network" button with default settings)

Slide 28: Inside the virtual machine
- openvswitch: virtual switch programmable using OpenFlow
- mininet: network emulation platform
    $ sudo mn --topo single,3 --mac --switch ovsk --controller remote
- wireshark: graphical tool for viewing packets, with an OF protocol plug-in
    Start wireshark: $ sudo wireshark
    Start capturing packets on interface lo and "Decode As" OFP
- dpctl: command-line utility for checking switch status and manually inserting flow entries. Check the supported commands in the manual: $ man dpctl
- Multiple OpenFlow controllers with sample apps prepackaged: NOX, POX, Ryu, and OpenDaylight
Speaker note: Bootstrap and VM setup should be done offline. The hands-on tutorial will include:
- introduction to the tools
- start the mininet OF network
- dpctl: check out switch status, flow status, add flow, delete flow, etc. (ping test)
- start OF Ryu (do nothing): use wireshark to observe OF messages
- Ryu controller and applications

Slide 30: Mininet-based virtual topology #1 (3 hosts, 1 switch)
$ sudo mn --topo single,3 --mac --switch ovsk --controller remote
[Figure: controller c0 listens on loopback 127.0.0.1:6633; OpenFlow switch s1 (ports s1-eth0, s1-eth1, s1-eth2) exposes a dpctl user-space process on loopback 127.0.0.1:6634; virtual hosts h1 10.0.0.1 (h1-eth0), h2 10.0.0.2 (h2-eth0), h3 10.0.0.3 (h3-eth0)]
Both ports are bound to loopback here; the dpctl port accepts flow-table changes from anything that can connect to it, without authentication.

Slide 31: Mininet-based virtual topology #2 (2 hosts, 2 switches)
$ sudo mn --topo linear --switch ovsk --controller remote
Slide 32: dpctl and wireshark workflow
Before the controller is started, execute the following:
$ dpctl show tcp:127.0.0.1:6634
$ dpctl dump-flows tcp:127.0.0.1:6634
  -> All ports of the switch are shown, but no flows are installed.
mininet> h1 ping h2
  -> Ping fails because ARP cannot go through: nothing matches, and there is no controller to handle the packet-in.
$ dpctl add-flow tcp:127.0.0.1:6634 in_port=1,actions=output:2
$ dpctl add-flow tcp:127.0.0.1:6634 in_port=2,actions=output:1
mininet> h1 ping h2
  -> Ping works now!
Start the controller and check the OF messages in wireshark (with OFP decoding enabled).

The OpenFlow messages exchanged between switch and controller are defined in openflow/include/openflow/openflow.h:

/* Header on all OpenFlow packets. */
struct ofp_header {
    uint8_t  version;   /* OFP_VERSION. */
    uint8_t  type;      /* One of the OFPT_ constants. */
    uint16_t length;    /* Length including this ofp_header. */
    uint32_t xid;       /* Transaction id associated with this packet. */
};

Slide 33: Top 3 features in most controllers
1. Event-driven model: each module registers listeners or call-back functions. Example async events include PACKET_IN, PORT_STATUS, FEATURE_REPLY, STATS_REPLY
2. Packet parsing capabilities: when the switch sends an OpenFlow message, the module extracts the relevant information using standard procedures
3. switch.send(msg), where msg can be: PACKET_OUT with a buffer_id or a fabricated packet; FLOW_MOD with match rules and the action taken; FEATURE_REQUEST, STATS_REQUEST, BARRIER_REQUEST

OpenDaylight controller
Slide 34: Controller Architecture
[Figure: OpenDaylight controller architecture diagram]

Slide 35: Java, Maven, OSGi, Interface
- Java allows cross-platform execution
- Maven allows easier building
- OSGi allows dynamically loading bundles, and registering dependencies and exported services, for exchanging information across bundles
- Java Interfaces are used for event listening, specifications and forming patterns
Slide 36: Setup
Install OpenDaylight (dependencies: Maven, JDK 1.7):
$ git clone https://git.opendaylight.org/gerrit/p/controller.git
$ mv controller opendaylight; cd opendaylight
$ cd opendaylight/distribution/opendaylight/
$ mvn clean install
$ cd target/distribution.opendaylight-0.1.0-SNAPSHOT-osgipackage/opendaylight/
$ ./run.sh

Slide 37: Import OpenDaylight into Eclipse
- Install Eclipse with Maven Integration version 1.2.0
- File => Import => Maven => Existing Maven Projects
- Browse to ~/opendaylight/opendaylight/distribution/opendaylight
- In distribution.opendaylight, right-click on opendaylight-assembleit.launch and select Run. Then run opendaylight-application.launch
Slide 38: OpenDaylight web interface
[Figure: screenshot of the web UI]

Slide 39: Writing a new application
1. Clone an existing module (e.g., arphandler) in the Eclipse project explorer
2. Include the new app in opendaylight/distribution/opendaylight/pom.xml and in the Eclipse Run Configurations
3. Update the dependencies and services exported in the new bundle's pom.xml
4. List the dependencies imported and the interfaces implemented in the module's Activator.java
5. Update the set/unset bindings in the module's class so as to access other bundle objects
6. Implement the interface functions to handle the async events, or use other bundle objects to edit state
7. Add the needed northbound REST API and associate it with the web bundle
Done.

Slides 40-42: Interfaces
  Package/OSGi bundle | Exported interfaces | Description
  arphandler | IHostFinder, IListenDataPacket | Component responsible for learning about host location by handling ARP.
  forwarding.staticrouting | IForwardingStaticRouting, ICacheUpdateAware, IfNewHostNotify, IConfigurationContainerAware | Provides the necessary hooks to inject, in the area controlled by the controller, routes to reach traditional IP networks.
  forwardingrulesmanager | IContainerListener, ISwitchManagerAware, IForwardingRulesManager, IInventoryListener, ICacheUpdateAware, IConfigurationContainerAware, IFlowProgrammerListener | Manager of all the forwarding rules; this component takes care of forwarding rules and is the one that manages conflicts between them.
  hosttracker | ISwitchManagerAware, IInventoryListener, IfIptoHost, IfHostListener, ITopologyManagerAware | Tracks the location of hosts relative to the SDN network.
  routing.dijkstra_implementation | ITopologyManagerAware, IRouting | Implementation of the Dijkstra routing algorithm over the network graph as seen by the topology manager.
  sal.implementation | IReadService, IPluginOutTopologyService, ITopologyService, IInventoryService, IPluginOutInventoryService, IFlowProgrammerService, IPluginOutFlowProgrammerService, IPluginOutDataPacketService, IDataPacketService | Implements the services that the SAL exports to the applications using it as well as to the protocol plugins.
  samples.loadbalancer | IListenDataPacket, IConfigManager | Implementation of a simple load balancer.
  samples.simpleforwarding | IInventoryListener, IfNewHostNotify, IListenRoutingUpdates | Sample implementation of an application simulating a traditional IP network.
  statisticsmanager | IStatisticsManager | Component in charge of using the SAL ReadService to collect several statistics from the SDN network.
  switchmanager | IListenInventoryUpdates, ISwitchManager, ICacheUpdateAware, IConfigurationContainerAware | Component holding the inventory information for all the known nodes in the controller.
  topologymanager | IListenTopoUpdates, ITopologyManager, IConfigurationContainerAware | Component holding the whole network graph.
  usermanager | ICacheUpdateAware, IUserManager, IConfigurationAware | Component taking care of user management.
  northbound | (none) | JAXRS implementation of the REST API for each module.
  web | IDaylightWeb | Component tracking the several pieces of the UI depending on the bundles installed on the system.

The End
Slide 43: Summary
- OpenFlow/SDN is evolving to facilitate an ecosystem for innovation through programmability
- OpenFlow/SDN is being deployed in over 100 organizations world-wide: many academic ones, but also service provider clouds
- SDN provides a simple solution to problems with complex solutions, without vendor lock-in

Slide 44: Backup
Slide 45: POX controller

Slide 46: Intro to the POX controller
General execution: $ ~/pox/pox.py <component>
Example: $ ~/pox/pox.py forwarding.hub
POX parses the messages from the switch and raises the following events:
FlowRemoved, FeaturesReceived, ConnectionUp, RawStatsReply, PortStatus, PacketIn, BarrierIn, SwitchDescReceived, FlowStatsReceived, AggregateFlowStatsReceived, TableStatsReceived, PortStatsReceived, QueueStatsReceived
Packets parsed by pox/lib: arp, dhcp, dns, eapol, eap, ethernet, icmp, igmp, ipv4, llc, lldp, mpls, rip, tcp, udp, vlan

Slide 47: Example msg sent from controller to switch
ofp_packet_out
  header:
    version: 1
    type: 13
    length: 24
    xid: 13
  buffer_id: 272
  in_port: 65535
  actions_len: 1
  actions:
    type: 0
    len: 8
    port: 65531
    max_len: 65535
(in_port 65535 is OFPP_NONE and port 65531 is OFPP_FLOOD: the buffered packet is flooded out of every port.)

Slide 48: Application 1: Hub (inspect file pox/pox/misc/of_tutorial.py)
[Figure: message sequence (1)-(6) between the OF Switch and the POX Hub]
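The wire format behind the ofp_header struct from slide 32 and the ofp_packet_out dump above, as an added example that is not code from the tutorial, POX or Ryu. It packs the dump's field values back into the 24 bytes the controller sends, splits a received byte stream into whole messages using ofp_header.length, and decodes packet_out bodies, rejecting a length that could never advance the parser. The numeric constants are OpenFlow 1.0's; the function names are this example's own. One point the dump hides: its actions_len prints the number of actions, while the wire field carries the byte length of the action list (8 for the single output action here).

```python
import struct

OFP_VERSION_1_0 = 1
OFPT_HELLO, OFPT_ECHO_REQUEST, OFPT_FEATURES_REQUEST, OFPT_PACKET_OUT = 0, 2, 5, 13
OFPAT_OUTPUT = 0
OFPP_FLOOD, OFPP_NONE = 0xFFFB, 0xFFFF          # 65531 and 65535 in the dump
OFP_NO_BUFFER = 0xFFFFFFFF

HEADER = struct.Struct("!BBHI")                 # version, type, length, xid
PACKET_OUT_FIXED = struct.Struct("!IHH")        # buffer_id, in_port, actions_len
ACTION_OUTPUT = struct.Struct("!HHHH")          # type, len, port, max_len


def message(msg_type, xid, body=b""):
    """ofp_header followed by body; length includes the header itself."""
    return HEADER.pack(OFP_VERSION_1_0, msg_type, HEADER.size + len(body), xid) + body


def action_output(port, max_len=0xFFFF):
    return ACTION_OUTPUT.pack(OFPAT_OUTPUT, ACTION_OUTPUT.size, port, max_len)


def packet_out(xid, buffer_id, in_port, actions, data=b""):
    """With a real buffer_id the switch releases the packet it buffered;
    a fabricated packet goes in data with buffer_id = OFP_NO_BUFFER."""
    acts = b"".join(actions)
    body = PACKET_OUT_FIXED.pack(buffer_id, in_port, len(acts)) + acts + data
    return message(OFPT_PACKET_OUT, xid, body)


def split_messages(stream):
    """Return (messages, remainder); each message is (version, type, xid, body).
    A length below 8 can never advance the cursor, so it is an error rather than
    an endless loop; a message cut off by the end of the buffer is handed back
    as the remainder for the caller to complete when more bytes arrive."""
    msgs, off = [], 0
    while len(stream) - off >= HEADER.size:
        version, mtype, length, xid = HEADER.unpack_from(stream, off)
        if length < HEADER.size:
            raise ValueError("ofp_header.length %d at offset %d" % (length, off))
        if off + length > len(stream):
            break
        msgs.append((version, mtype, xid, bytes(stream[off + HEADER.size:off + length])))
        off += length
    return msgs, bytes(stream[off:])


def decode_packet_out(body):
    """Decode a packet_out body. Output actions become (port, max_len);
    any other action type is kept as (type, raw bytes)."""
    buffer_id, in_port, actions_len = PACKET_OUT_FIXED.unpack_from(body, 0)
    end = PACKET_OUT_FIXED.size + actions_len
    if end > len(body):
        raise ValueError("actions_len %d runs past the message" % actions_len)
    actions, off = [], PACKET_OUT_FIXED.size
    while off < end:
        atype, alen = struct.unpack_from("!HH", body, off)
        if alen < 4 or alen % 8 or off + alen > end:   # actions are 64-bit aligned
            raise ValueError("bad action length %d at offset %d" % (alen, off))
        if atype == OFPAT_OUTPUT and alen == ACTION_OUTPUT.size:
            _, _, port, max_len = ACTION_OUTPUT.unpack_from(body, off)
            actions.append((port, max_len))
        else:
            actions.append((atype, bytes(body[off:off + alen])))
        off += alen
    return {"buffer_id": buffer_id, "in_port": in_port, "actions": actions,
            "data": bytes(body[end:])}


# The dump above, rebuilt: xid 13, buffer_id 272, in_port OFPP_NONE, one output
# action to OFPP_FLOOD with max_len 65535 -> 24 bytes on the wire.
SLIDE_PACKET_OUT = packet_out(13, 272, OFPP_NONE, [action_output(OFPP_FLOOD)])

if __name__ == "__main__":
    stream = message(OFPT_HELLO, 1) + message(OFPT_FEATURES_REQUEST, 2) + SLIDE_PACKET_OUT
    for version, mtype, xid, body in split_messages(stream)[0]:
        print("type", mtype, "xid", xid, decode_packet_out(body) if mtype == OFPT_PACKET_OUT else "")
```

Feeding the packed bytes to wireshark's OFP decoder (slide 32) shows the same fields as the dump; a controller that treats ofp_header.length as trusted, rather than checking it against the bytes actually received, can be made to spin or read past a buffer by a switch-side peer.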
Slide 49: Application 2: MAC-learning switch (convert pox/pox/misc/of_tutorial.py into an L2 switch)
Build it on your own with this logic:
- On init, create a dict to store the MAC-to-switch-port mapping:
    self.mac_to_port = {}
- On packet_in, parse the packet to reveal the src and dst MAC addresses
- Map src_mac to the incoming port:
    self.mac_to_port.setdefault(dpid, {})
    self.mac_to_port[dpid][src_mac] = in_port
  (setdefault, not "self.mac_to_port[dpid] = {}" on every packet_in, which would discard everything learned so far on that switch)
- Look up dst_mac in the mac_to_port dict to find the next hop
- If found, create a flow_mod and send it:
    msg = of.ofp_flow_mod()
    msg.match = of.ofp_match.from_packet(packet)
    msg.buffer_id = event.ofp.buffer_id
    action = of.ofp_action_output(port = out_port)
    msg.actions.append(action)
    self.connection.send(msg)
- Else, flood like the hub.
Execute: pox/pox.py misc.of_tutorial

Slide 50: Ryu controller
Slide 51: Intro to Ryu: OpenFlow controller
[Figure: the Ryu Controller sits between applications (Topology Viewer, Statistics, Firewall) and OF Switches speaking OpenFlow 1.0, 1.2 and 1.3]
Libraries: functions called by components, e.g. OF-Config, NetFlow, sFlow, NETCONF, OVSDB
Components: provide the interface for control and state, and generate events; they communicate using message passing
[Figure: Ryu package layout: ryu/app (simple_switch, ofctl_rest), ryu/base (app_manager), ryu/controller (controller, handler, dpset, ofp_event, ofp_handler, event), ryu/ofproto (of_parser, of_header), ryu/lib, quantum plugin]

Slide 52: Application 1: Hub
$ ryu-manager --verbose ryu/ryu/app/tutorial_l2_hub.py
[Figure: message sequence (1)-(6) between the OF Switch and the Ryu Hub]

Slide 53: Application 2: MAC-learning switch
Build it on your own with this logic:
- On init, create a dict to store the MAC-to-switch-port mapping:
    self.mac_to_port = {}
- On packet_in, parse the packet to reveal the src and dst MAC addresses
- Map src_mac to the incoming port:
    self.mac_to_port.setdefault(dpid, {})
    self.mac_to_port[dpid][src_mac] = in_port
- Look up dst_mac in the mac_to_port dict to find the next hop
- If found, create a flow_mod and send it
- Else, flood like the hub.
Pssst: the solution is in tutorial_l2_switch.py
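The MAC-learning logic of the POX (slide 49) and Ryu (slide 53) exercises, written as controller-independent code so it runs and can be tested without a switch. This is an added example, not the tutorial's of_tutorial.py or tutorial_l2_switch.py solution: the controller-specific steps (parsing the packet_in, building the flow_mod or packet_out) are left to the caller, who gets a Decision back. Two things go beyond the slide's logic and are this example's additions: a source MAC with the group bit set is never learned, and the number of MACs per switch is capped (the 1024 default is an assumed value) so that a host sending frames with random source MACs cannot grow the table without bound. The hosts and MACs in the demo are the ones "mn --mac" assigns on topology #1.

```python
from dataclasses import dataclass
from typing import Dict, Union

FLOOD, DROP = "flood", "drop"


@dataclass(frozen=True)
class Decision:
    out: Union[int, str]       # a port number, FLOOD or DROP
    install_flow: bool         # True: send a FLOW_MOD for this src/dst pair
    learned: bool              # True: mac_to_port changed on this packet


def is_group_mac(mac: str) -> bool:
    """Broadcast and multicast addresses have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class LearningSwitch:
    def __init__(self, max_macs: int = 1024):
        self.mac_to_port: Dict[int, Dict[str, int]] = {}   # dpid -> {mac: port}
        self.max_macs = max_macs

    def packet_in(self, dpid: int, in_port: int, src_mac: str, dst_mac: str) -> Decision:
        # setdefault, not "= {}": a fresh dict here would forget every MAC
        # learned so far on this switch each time a packet arrives.
        table = self.mac_to_port.setdefault(dpid, {})
        learned = False
        if not is_group_mac(src_mac) and (src_mac in table or len(table) < self.max_macs):
            learned = table.get(src_mac) != in_port   # new host, or one that moved (VM migration)
            table[src_mac] = in_port
        if is_group_mac(dst_mac) or dst_mac not in table:
            return Decision(FLOOD, False, learned)     # unknown destination: behave like the hub
        out_port = table[dst_mac]
        if out_port == in_port:
            return Decision(DROP, False, learned)      # destination sits behind the ingress port
        return Decision(out_port, True, learned)       # known: install a flow, forward this packet


def three_host_demo() -> list:
    """h1 and h2 on ports 1 and 2 of s1 (dpid 1), then an ARP broadcast from h3."""
    sw = LearningSwitch()
    h1, h2, h3 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
    return [sw.packet_in(1, 1, h1, h2),                  # h2 unknown: flood; h1 learned on port 1
            sw.packet_in(1, 2, h2, h1),                  # h1 known: output port 1, flow installed
            sw.packet_in(1, 1, h1, h2),                  # h2 known: output port 2
            sw.packet_in(1, 3, h3, "ff:ff:ff:ff:ff:ff")]  # broadcast: flood, never a flow


def mac_flood_demo(frames: int = 5000, cap: int = 1024):
    """Constructed attacker traffic: a host on port 3 sends `frames` distinct
    source MACs. Returns the table size and h1's port, which must survive."""
    sw = LearningSwitch(max_macs=cap)
    h1 = "00:00:00:00:00:01"
    sw.packet_in(1, 1, h1, "ff:ff:ff:ff:ff:ff")
    for i in range(frames):
        fake = "02:00:00:%02x:%02x:%02x" % (i >> 16 & 0xFF, i >> 8 & 0xFF, i & 0xFF)
        sw.packet_in(1, 3, fake, h1)
    return len(sw.mac_to_port[1]), sw.mac_to_port[1][h1]


if __name__ == "__main__":
    for d in three_host_demo():
        print(d)
    print("after MAC flooding:", mac_flood_demo())
```

In POX the Decision maps onto the flow_mod of slide 49 when install_flow is set and onto a packet_out with OFPP_FLOOD otherwise; in Ryu the same split goes into the packet_in handler of tutorial_l2_switch.py. Because each installed flow is an exact match built from the packet, a flooding host would otherwise also fill the switch's flow table (about 1500 entries on the hardware of slide 25), which is why the cap sits on the learning table and not only on the flow_mods.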