[PPT] Slide deck from the McKeown Group: yuba.stanford.edu/~srini/tutorial/Beginners_OpenFlow...
OpenFlow/SDN Beginner’s Tutorial
June, 2013
Srini Seetharaman, Deutsche Telekom Innovation Center
Why SDN? What is SDN?

Critical needs for cloud DC networks
1. Tenant virtualization
– Traffic isolation, prioritization and rate limiting
– Overlapping IP addressing, along with IPv6 support
2. Speed up configuration to allow reduced time to revenue:
– Automatically create required network configs for new tenants
– Transparently bridging a L2 network will help reduce time
3. Hybrid clouds with bursting
– Adding computational capacity (in the form of new VMs) as needed
– Lossless live migration
[Figure: VMs A1, B1 and C1 on hypervisors (Host 1, …), attached through Switch-1, Switch-2, Switch-3 and a WAN, with VLAN-101-x stretched across every switch]
Welcome to the Ossified Network
• Millions of lines of source code
• 6000+ RFCs: barrier to entry
• Billions of gates: bloated, power hungry
• Many complex functions baked into the infrastructure: OSPF, BGP, multicast, differentiated services, traffic engineering, NAT, firewalls, MPLS, redundant layers, …
• An industry with a “mainframe-mentality”, reluctant to change
[Figure: a closed box of Specialized Packet Forwarding Hardware with its own Operating System and bundled Features: routing, management, mobility management, access control, VPNs, …]
Current Internet: Closed to Innovations in the Infrastructure
[Figure: many boxes of Specialized Packet Forwarding Hardware, each running its own Operating System with its own bundled Services; the whole is closed]
“Software Defined Networking” approach to open it
[Figure: the same hardware boxes, but a Network Operating System runs above them and hosts the services (LB service, FW service, IP routing service)]

The “Software-defined Network”
[Figure: LB service, FW service and IP routing service sit on the Network Operating System through a north-bound interface API; the Network Operating System drives Simple Packet Forwarding Hardware through the OpenFlow API; the management API is unchanged]
How does OpenFlow work?

[Figure: an Ethernet Switch split into a Data Path (hardware) and a Control Path (software)]
[Figure: with OpenFlow, the Control Path becomes an OpenFlow agent that talks to an OpenFlow Controller (a PC) over the OpenFlow Protocol (SSL/TCP)]
OpenFlow usage
[Figure: a Controller PC running Alice’s code takes the decision over the OpenFlow Protocol and installs Alice’s Rule into each OpenFlow Switch]
OpenFlow offloads control intelligence to remote software.
OpenFlow Example
[Figure: a Cluster of Controllers (PC, software layer) talks over the OpenFlow protocol to OpenFlow-enabled hardware (hardware layer) running an OpenFlow client (e.g., OVS) with ports 1–4; hosts 1.2.3.4 and 5.6.7.8 are attached]
Flow Table columns: MAC src, MAC dst, IP Src, IP Dst, TCP sport, TCP dport, Action
Example entry: IP Dst = 5.6.7.8, all other fields wildcarded (*), Action = port 1
OpenFlow Basics: Flow Table Entries
Rule (match fields): Switch Port, MAC src, MAC dst, Eth type, VLAN ID, VLAN pcp, IP Src, IP Dst, IP Prot, IP ToS, L4 sport, L4 dport
+ mask what fields to match
+ priority
+ timeout (idle and hard)
Action:
1. Forward packet to zero or more ports
2. Encapsulate and forward to controller
3. Send to normal processing pipeline
4. Modify fields
5. Any extensions you add!
Stats: packet + byte counters
Examples

Firewall service
Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst | IP Prot | TCP sport | TCP dport | Action
*           | *       | *       | *        | *       | *      | *      | *       | *         | 22        | drop

IP Routing service
Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst  | IP Prot | TCP sport | TCP dport | Action
*           | *       | *       | *        | *       | *      | 5.6.7.8 | *       | *         | *         | port6

VLAN multicast service
Switch Port | MAC src | MAC dst | Eth type | VLAN ID | IP Src | IP Dst | IP Prot | TCP sport | TCP dport | Action
*           | *       | 00:1f.. | *        | vlan1   | *      | *      | *       | *         | *         | port6, port7, port9
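As an added example (not code from the tutorial), a small Python model of the flow table entries described above, loaded with the three service rules from this slide: wildcard matching, priorities, action lists and per-entry packet/byte counters. The full multicast MAC, the priorities and the sample packets are constructed for the demo.

```python
# Added example (not from the tutorial): a minimal model of an OpenFlow 1.0-style
# flow table with wildcard matching, priority and per-entry packet/byte counters.
FIELDS = ("in_port", "dl_src", "dl_dst", "dl_type", "dl_vlan",
          "nw_src", "nw_dst", "nw_proto", "tp_src", "tp_dst")

class FlowEntry:
    def __init__(self, match, actions, priority=0):
        # Any field not given in `match` is a wildcard ("*").
        self.match = {f: match.get(f, "*") for f in FIELDS}
        self.actions = actions
        self.priority = priority
        self.packets = 0   # Stats column: packet counter
        self.bytes = 0     # Stats column: byte counter

    def matches(self, pkt):
        return all(v == "*" or pkt.get(f) == v for f, v in self.match.items())

class FlowTable:
    def __init__(self):
        self.entries = []

    def add_flow(self, entry):
        self.entries.append(entry)
        # Highest priority first; sort is stable, so ties keep insertion order.
        self.entries.sort(key=lambda e: -e.priority)

    def lookup(self, pkt, length):
        """Actions of the highest-priority match (counters updated); None = table miss."""
        for e in self.entries:
            if e.matches(pkt):
                e.packets += 1
                e.bytes += length
                return e.actions
        return None   # a real switch would send a PACKET_IN to the controller here

MCAST_MAC = "00:1f:00:00:00:01"   # constructed stand-in for the slide's "00:1f.."

def build_example_table():
    t = FlowTable()
    # Firewall service: drop TCP dport 22; higher priority so it wins over routing.
    t.add_flow(FlowEntry({"tp_dst": 22}, ["drop"], priority=100))
    # IP routing service: anything destined to 5.6.7.8 leaves via port 6.
    t.add_flow(FlowEntry({"nw_dst": "5.6.7.8"}, ["output:6"], priority=10))
    # VLAN multicast service: vlan1 frames to the group MAC go to ports 6, 7 and 9.
    t.add_flow(FlowEntry({"dl_dst": MCAST_MAC, "dl_vlan": 1},
                         ["output:6", "output:7", "output:9"], priority=10))
    return t

def demo():
    """Constructed packets: SSH and HTTP to 5.6.7.8, a vlan1 multicast frame, a miss."""
    t = build_example_table()
    pkts = [{"nw_dst": "5.6.7.8", "nw_proto": 6, "tp_dst": 22},
            {"nw_dst": "5.6.7.8", "nw_proto": 6, "tp_dst": 80},
            {"dl_dst": MCAST_MAC, "dl_vlan": 1},
            {"nw_dst": "9.9.9.9"}]
    return [t.lookup(p, 100) for p in pkts], t
```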
OpenFlow benefits
• Hardware speed, scale, and fidelity for new services
– Made possible through a unified API supported by hardware platforms from multiple vendors
• Flexibility and control of software and simulation
• Vendors don’t need to expose implementation
• Leverages hardware inside most switches today (ACL tables implemented using TCAMs)

Usage examples
– Network virtualization
– Network access control/firewall
– Load balancing
– Per-flow switching
– New routing for unicast, multicast, multipath
– Home network manager
– Network monitoring and debugging
… and much more you can create!
More available at openflow.org/videos
OpenFlow design, architecture and protocol evolution

Design choice 1: Modes of SDN Deployment
1. In-network: Existing/green-field network fabrics upgraded to support OpenFlow
2. Overlay: WITHOUT changing the fabric, the intelligence is added to edge devices,
– as an additional appliance (e.g., bump-in-the-wire managed by the controller)
– as an enhanced server kernel bridge (e.g., Open vSwitch in x86 hypervisors)
[Figure: hardware switch with its Data Path (hardware) and an OpenFlow Control Path]
Figure courtesy of Martin Casado @ ONS 2012
Design choice 2: Centralized vs Distributed Control
Centralized Control: [Figure: a single Controller managing all OpenFlow Switches]
Distributed Control: [Figure: several Controllers managing the OpenFlow Switches]
Design choice 3: Per-Flow Routing vs. Aggregation
Flow-Based
• Every flow is individually set up by the controller
• Exact-match flow entries
• Flow table contains one entry per flow
• Good for fine-grained control, e.g. campus networks
Aggregated
• One flow entry covers large groups of flows
• Wildcard flow entries
• Flow table contains one entry per category of flows
• Good for large numbers of flows, e.g. backbone
Design choice 4: Reactive vs. Proactive (pre-populated)
Reactive
• First packet of a flow triggers the controller to insert flow entries
• Efficient use of the flow table
• Every flow incurs a small additional flow setup time
• If the control connection is lost, the switch has limited utility
Proactive
• Controller pre-populates the flow table in the switch
• Zero additional flow setup time
• Loss of the control connection does not disrupt traffic
• Essentially requires aggregated (wildcard) rules
Design choice 5: End-to-end OpenFlow vs. Hybrid
• Based on how OpenFlow is deployed, there may be issues coexisting with legacy networks
• The OpenFlow controller’s view is not always complete. For instance, what does the controller see here?
[Figure: Host A, Host B, Host C and the Internet connected through a mix of non-OF switches (X, Y) and OF switches]
OpenFlow Implementations (Switch and Controller)

Open-source controllers
Controller | Notes
Ryu | Apache license; Python
NOX/POX | GPL; C++ and Python
Stanford’s Beacon | BSD-like license; Java-based
Maestro (from Rice Univ) | GPL; based on Java
NEC’s Trema | Open-source; written in C and Ruby; included test harness
Big Switch’s Floodlight | Apache license; Java-based
Sample Commercial Switches
Model | Virtualize | Notes
HP Procurve 5400zl or 6600 | 1 OF instance per VLAN | LACP, VLAN and STP processing before OpenFlow; wildcard rules or non-IP pkts processed in s/w; header rewriting in s/w; CPU protects mgmt during loop
NEC IP8800 | 1 OF instance per VLAN | OpenFlow takes precedence; most actions processed in hardware; MAC header rewriting in h/w
Brocade MLX routers | Multiple OF instances per switch | Hybrid OpenFlow switch with legacy protocols and OpenFlow coexisting; OpenFlow commands can override state created by legacy protocols
Pronto 3290 or 3780 with Pica8 or Indigo firmware | 1 OF instance per switch | No legacy protocols (like VLAN, STP); most actions processed in hardware; MAC header rewriting in h/w
Hands-on Tutorial

Bootstrap
1. Install VirtualBox or VMware Player or VMware Fusion
2. Import the tutorial VM appliances available at:
– 64-bit (Login: ubuntu, Passwd: ubuntu): http://yuba.stanford.edu/~srini/OpenFlow_tutorial_64bit.ova
– 32-bit (Login: ubuntu, Passwd: ubuntu): http://yuba.stanford.edu/~srini/OpenFlow_tutorial_32bit.ova
3. Install X-Windows if you do not already have it
– Mac user: Install XQuartz
– Windows user: Install Xming
4. Start the VM, and “ssh -X” to its host-only IP address
– VirtualBox: Ensure the vboxnet0 interface is configured for “host-only”
• File->Preferences->Network and “Add host-only network” button with default settings.
Inside the Virtual Machine
• openvswitch: Virtual switch programmable using OpenFlow
• mininet: Network emulation platform
– $ sudo mn --topo single,3 --mac --switch ovsk --controller remote
• wireshark: Graphical tool for viewing packets, with an OF protocol plug-in
– Start wireshark: $ sudo wireshark
– Start capturing packets going through interface “lo” and Decode As OFP
• dpctl: Command-line utility for checking switch status and manually inserting flow entries.
– Check supported commands in the manual: $ man dpctl
• Multiple OpenFlow controllers with sample apps prepackaged: NOX, POX, Ryu, and OpenDayLight
Mininet-based Virtual Topology #1 (OpenFlow Tutorial 3 hosts - 1 switch topology)
$ sudo mn --topo single,3 --mac --switch ovsk --controller remote
[Figure: Controller c0 listening on loopback 127.0.0.1:6633; OpenFlow switch s1 (user-space process) with ports s1-eth0, s1-eth1, s1-eth2, also reachable by dpctl on loopback 127.0.0.1:6634; virtual hosts h1 10.0.0.1, h2 10.0.0.2, h3 10.0.0.3 attached via h1-eth0, h2-eth0, h3-eth0]

Mininet-based Virtual Topology #2 (OpenFlow Tutorial 2 hosts - 2 switch topology)
$ sudo mn --topo linear --switch ovsk --controller remote
dpctl and wireshark workflow
• Before the controller is started, execute the following:
$ dpctl show tcp:127.0.0.1:6634
$ dpctl dump-flows tcp:127.0.0.1:6634
mininet> h1 ping h2
All ports of the switch are shown, but no flows are installed. Ping fails because ARP cannot go through.
$ dpctl add-flow tcp:127.0.0.1:6634 in_port=1,actions=output:2
$ dpctl add-flow tcp:127.0.0.1:6634 in_port=2,actions=output:1
mininet> h1 ping h2
Ping works now!
• Start the controller and check OF messages in wireshark (enabling OFP decode)
– OpenFlow messages exchanged between switch and controller all carry the header defined in openflow/include/openflow/openflow.h:
    /* Header on all OpenFlow packets. */
    struct ofp_header {
        uint8_t version;   /* OFP_VERSION. */
        uint8_t type;      /* One of the OFPT_ constants. */
        uint16_t length;   /* Length including this ofp_header. */
        uint32_t xid;      /* Transaction id associated with this packet. */
    };
Top 3 features in most controllers
A. Event-driven model
– Each module registers listeners or call-back functions
– Example async events include PACKET_IN, PORT_STATUS, FEATURE_REPLY, STATS_REPLY
B. Packet parsing capabilities
– When the switch sends an OpenFlow message, the module extracts the relevant information using standard procedures
C. switch.send(msg), where msg can be
– PACKET_OUT with buffer_id or a fabricated packet
– FLOW_MOD with match rules and the action taken
– FEATURE_REQUEST, STATS_REQUEST, BARRIER_REQUEST
OpenDayLight controller

Controller Architecture

Java, Maven, OSGi, Interface
• Java allows cross-platform execution
• Maven allows easier building
• OSGi:
– Allows dynamically loading bundles
– Allows registering dependencies and services exported
– For exchanging information across bundles
• Java Interfaces are used for event listening, specifications and forming patterns
Setup
INSTALL OPENDAYLIGHT (Dependencies: Maven, JDK 1.7)
• git clone https://git.opendaylight.org/gerrit/p/controller.git
• mv controller opendaylight; cd opendaylight
• cd opendaylight/distribution/opendaylight/
• mvn clean install
• cd target/distribution.opendaylight-0.1.0-SNAPSHOT-osgipackage/opendaylight/
• ./run.sh
IMPORT OPENDAYLIGHT TO ECLIPSE
• Install Eclipse with Maven Integration Version 1.2.0
• File => Import => Maven => Existing Maven Projects
• Browse ~/opendaylight/opendaylight/distribution/opendaylight
• In distribution.opendaylight, right click on opendaylight-assembleit.launch and select “Run”. Then “Run” opendaylight-application.launch
OpenDayLight web interface
Writing a new application
1. Clone an existing module (e.g., arphandler) in the Eclipse project explorer
2. Include the new app in opendaylight/distribution/opendaylight/pom.xml and in the Eclipse “Run Configurations”
3. Update dependencies and services exported in the new bundle’s pom.xml
4. List dependencies imported and interfaces implemented in the module’s Activator.java
5. Update set/unset bindings in the module’s class so as to access other bundle objects
6. Implement the interface functions to handle the async events or use other bundle objects to edit state
7. Add the needed northbound REST API and associate it with the web bundle
8. Done
Interfaces
Package/OSGi Bundle | Exported Interfaces | Description
arphandler | IHostFinder, IListenDataPacket | Component responsible for learning about host location by handling ARP.
forwarding.staticrouting | IForwardingStaticRouting, ICacheUpdateAware, IfNewHostNotify, IConfigurationContainerAware | Provides the necessary hooks to inject, into the area controlled by the controller, routes to reach traditional IP networks.
forwardingrulesmanager | IContainerListener, ISwitchManagerAware, IForwardingRulesManager, IInventoryListener, ICacheUpdateAware, IConfigurationContainerAware, IFlowProgrammerListener | Manager of all the forwarding rules; this component takes care of forwarding rules and is the one that manages conflicts between them.
hosttracker | ISwitchManagerAware, IInventoryListener, IfIptoHost, IfHostListener, ITopologyManagerAware | Tracks the location of hosts relative to the SDN network.
routing.dijkstra_implementation | ITopologyManagerAware, IRouting | Implementation of the Dijkstra routing algorithm over the network graph as seen by the topology manager.
sal.implementation | IReadService, IPluginOutTopologyService, ITopologyService, IInventoryService, IPluginOutInventoryService, IFlowProgrammerService, IPluginOutFlowProgrammerService, IPluginOutDataPacketService, IDataPacketService | Implements the services that the SAL exports to the applications using it as well as to the protocol plugins.
samples.loadbalancer | IListenDataPacket, IConfigManager | Implementation of a simple load-balancer.
samples.simpleforwarding | IInventoryListener, IfNewHostNotify, IListenRoutingUpdates | Sample implementation of an application simulating a traditional IP network.
statisticsmanager | IStatisticsManager | Component in charge of using the SAL ReadService to collect several statistics from the SDN network.
switchmanager | IListenInventoryUpdates, ISwitchManager, ICacheUpdateAware, IConfigurationContainerAware | Component holding the inventory information for all the known nodes in the controller.
topologymanager | IListenTopoUpdates, ITopologyManager, IConfigurationContainerAware | Component holding the whole network graph.
usermanager | ICacheUpdateAware, IUserManager, IConfigurationAware | Component taking care of user management.
northbound | | JAXRS implementation of the REST API for each module.
web | IDaylightWeb | Component tracking the several pieces of the UI depending on the bundles installed on the system.
The End

Summary
• OpenFlow/SDN is evolving to facilitate an ecosystem for innovation through programmability
• OpenFlow/SDN is being deployed in over 100 organizations world-wide
– Many academic ones, but also includes service provider clouds
• SDN provides a simple solution to problems with complex solutions without vendor lock-in
Backup

POX controller

Intro to POX controller
General execution: $ ~/pox/pox.py <dir>.<name>
Example: $ ~/pox/pox.py forwarding.hub
Parses messages from the switch and throws the following events: FlowRemoved, FeaturesReceived, ConnectionUp, RawStatsReply, PortStatus, PacketIn, BarrierIn, SwitchDescReceived, FlowStatsReceived, AggregateFlowStatsReceived, TableStatsReceived, PortStatsReceived, QueueStatsReceived
Packets parsed by pox/lib: arp, dhcp, dns, eapol, eap, ethernet, icmp, igmp, ipv4, llc, lldp, mpls, rip, tcp, udp, vlan
Example msg sent from controller to switch:
    ofp_packet_out
      header:
        version: 1
        type: 13
        length: 24
        xid: 13
      buffer_id: 272
      in_port: 65535
      actions_len: 1
      actions:
        type: 0
        len: 8
        port: 65531
        max_len: 65535
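As an added example (not code from the tutorial, POX or the OpenFlow reference implementation), the ofp_header layout from the dpctl/wireshark slide and the ofp_packet_out dump above, encoded and decoded with Python's struct module: the builder reproduces a 24-byte PACKET_OUT with one OUTPUT action to OFPP_FLOOD, and the parser checks the length fields before trusting them. Only OUTPUT actions are handled; the field layouts are the OpenFlow 1.0 ones.

```python
import struct

# Added example (not from the tutorial): encode and decode OpenFlow 1.0 messages
# using the wire layouts from openflow.h (all fields big-endian):
#   ofp_header        { uint8_t version; uint8_t type; uint16_t length; uint32_t xid; }
#   ofp_packet_out    { ofp_header; uint32_t buffer_id; uint16_t in_port;
#                       uint16_t actions_len; ofp_action_header actions[]; }
#   ofp_action_output { uint16_t type; uint16_t len; uint16_t port; uint16_t max_len; }
OFP_HEADER = struct.Struct("!BBHI")
OFP_PACKET_OUT_BODY = struct.Struct("!IHH")
OFP_ACTION_OUTPUT = struct.Struct("!HHHH")
OFP10_VERSION, OFPT_PACKET_OUT, OFPAT_OUTPUT = 1, 13, 0
OFPP_FLOOD, OFPP_NONE = 0xfffb, 0xffff

def build_packet_out(xid, buffer_id, in_port, out_port, max_len=0xffff):
    """PACKET_OUT with one OUTPUT action and no packet data, so the switch sends
    the packet it buffered under buffer_id (the shape of the slide's dump)."""
    action = OFP_ACTION_OUTPUT.pack(OFPAT_OUTPUT, OFP_ACTION_OUTPUT.size, out_port, max_len)
    body = OFP_PACKET_OUT_BODY.pack(buffer_id, in_port, len(action))
    length = OFP_HEADER.size + len(body) + len(action)
    return OFP_HEADER.pack(OFP10_VERSION, OFPT_PACKET_OUT, length, xid) + body + action

def parse_header(data):
    """Decode ofp_header, rejecting truncated input or an inconsistent length field."""
    if len(data) < OFP_HEADER.size:
        raise ValueError("short OpenFlow header")
    version, mtype, length, xid = OFP_HEADER.unpack_from(data)
    if length < OFP_HEADER.size or length > len(data):
        raise ValueError("length %d inconsistent with %d bytes received" % (length, len(data)))
    return {"version": version, "type": mtype, "length": length, "xid": xid}

def parse_packet_out(data):
    """Decode a PACKET_OUT whose actions are all OUTPUT actions."""
    msg = parse_header(data)
    if msg["type"] != OFPT_PACKET_OUT:
        raise ValueError("not an OFPT_PACKET_OUT message")
    if msg["length"] < OFP_HEADER.size + OFP_PACKET_OUT_BODY.size:
        raise ValueError("PACKET_OUT shorter than its fixed fields")
    buffer_id, in_port, actions_len = OFP_PACKET_OUT_BODY.unpack_from(data, OFP_HEADER.size)
    off = OFP_HEADER.size + OFP_PACKET_OUT_BODY.size
    end = off + actions_len              # on the wire, actions_len is a byte count
    if end > msg["length"]:
        raise ValueError("actions_len runs past the end of the message")
    actions = []
    while off < end:
        if end - off < OFP_ACTION_OUTPUT.size:
            raise ValueError("truncated action")
        atype, alen, port, max_len = OFP_ACTION_OUTPUT.unpack_from(data, off)
        if atype != OFPAT_OUTPUT or alen != OFP_ACTION_OUTPUT.size:
            raise ValueError("unsupported or malformed action")
        actions.append({"type": atype, "len": alen, "port": port, "max_len": max_len})
        off += alen
    msg.update(buffer_id=buffer_id, in_port=in_port, actions_len=actions_len, actions=actions)
    return msg
```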
Application 1: Hub (inspect file pox/pox/misc/of_tutorial.py)
[Figure: message sequence (1)–(6) between the OF Switch, POX and the Hub application]
Application 2: MAC-learning switch (convert pox/pox/misc/of_tutorial.py to an L2 switch)
• Build on your own with this logic:
– On init, create a dict to store the MAC to switch port mapping
• self.mac_to_port = {}
– On packet_in,
• Parse the packet to reveal src and dst MAC addr
• Map src_mac to the incoming port
– if dpid not in self.mac_to_port: self.mac_to_port[dpid] = {}
– self.mac_to_port[dpid][src_mac] = in_port
• Lookup dst_mac in the mac_to_port dict to find the next hop
• If found, create a flow_mod and send
• Else, flood like the hub.
• Execute: pox/pox.py misc.of_tutorial
Sending the flow_mod in POX:
    msg = of.ofp_flow_mod()
    msg.match = of.ofp_match.from_packet(packet)
    msg.buffer_id = event.ofp.buffer_id
    action = of.ofp_action_output(port = out_port)
    msg.actions.append(action)
    self.connection.send(msg)
Ryu controller

Intro to RYU: OpenFlow Controller
[Figure: RYU Controller with Topology Viewer, Statistics and Firewall applications, speaking OpenFlow 1.0, 1.2 and 1.3 to OF Switches]
Libraries:
– Functions called by components
– Ex: OF-Config, Netflow, sFlow, Netconf, OVSDB
Components:
– Provide interfaces for control and state and generate events
– Communicate using message passing
[Figure: Ryu package layout showing app_manager, of_parser, of_header, simple_switch, ofctl_rest, app, base, controller, ofproto, handler, dpset, ofp_event, ofp_handler, event, lib, quantumplugin]
Application 1: Hub
ryu-manager --verbose ryu/ryu/app/tutorial_l2_hub.py
[Figure: message sequence (1)–(6) between the OF Switch, RYU and the Hub application]
Application 2: MAC-learning switch
• Build on your own with this logic:
– On init, create a dict to store the MAC to switch port mapping
• self.mac_to_port = {}
– On packet_in,
• Parse the packet to reveal src and dst MAC addr
• Map src_mac to the incoming port
– if dpid not in self.mac_to_port: self.mac_to_port[dpid] = {}
– self.mac_to_port[dpid][src_mac] = in_port
• Lookup dst_mac in the mac_to_port dict to find the next hop
• If found, create a flow_mod and send
• Else, flood like the hub.
Pssst… solution in tutorial_l2_switch.py
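As an added example (not the tutorial's of_tutorial.py or tutorial_l2_switch.py), the controller-independent core of the MAC-learning logic outlined for both the POX and the Ryu application, plus a constructed replay of "h1 ping h2" on the tutorial's single-switch topology. The class name, the return-value convention and the replay are assumptions of this example; the MAC numbering follows Mininet's --mac option.

```python
# Added example (not the tutorial's of_tutorial.py or tutorial_l2_switch.py): the
# controller-independent core of the MAC-learning switch outlined for POX and Ryu.
# A real controller wraps it: on PACKET_IN call packet_in(), then either send a
# FLOW_MOD (plus a PACKET_OUT for the buffered packet) or flood via PACKET_OUT.
FLOOD = "flood"
BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    def __init__(self):
        self.mac_to_port = {}   # dpid -> {mac: port}

    def packet_in(self, dpid, in_port, src_mac, dst_mac):
        """Learn src_mac on in_port; return ("flow_mod", out_port) when the
        destination is known, else ("flood", FLOOD) to behave like the hub."""
        table = self.mac_to_port.setdefault(dpid, {})   # create once per switch, not per packet
        table[src_mac] = in_port                          # learn or refresh the source's port
        out_port = table.get(dst_mac)
        if out_port is None or out_port == in_port:
            # Unknown destination (broadcast is never learned: it is never a source)
            # or a stale entry pointing back at the ingress port. Flood and install
            # nothing, so the next packet for this destination still reaches us.
            return ("flood", FLOOD)
        return ("flow_mod", out_port)

# Constructed replay of "h1 ping h2" on the tutorial's 3-host, 1-switch topology,
# as the controller sees it if every packet arrives as a PACKET_IN (Mininet --mac
# numbers h1..h3 as 00:00:00:00:00:01..03, attached to s1 ports 1..3).
H1, H2, H3 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"

def replay_ping(dpid=1):
    sw = LearningSwitch()
    steps = [(1, H1, BROADCAST),   # ARP request from h1: who has 10.0.0.2?
             (2, H2, H1),          # ARP reply from h2 -> flow toward h1 installed
             (1, H1, H2),          # ICMP echo request -> flow toward h2 installed
             (2, H2, H1)]          # ICMP echo reply
    decisions = [sw.packet_in(dpid, port, src, dst) for port, src, dst in steps]
    return decisions, sw.mac_to_port
```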