Open vSwitch Installation and Configuration


I. Introduction to Open vSwitch

1.1 Overview

Open vSwitch is a high-quality, multilayer virtual switch released under the open-source Apache 2.0 license. It was developed by Nicira Networks and is implemented in portable C code.
Its purpose is to enable large-scale network automation through programmatic extension, while still supporting standard management interfaces and protocols (e.g. NetFlow, sFlow, SPAN, RSPAN, CLI, LACP, 802.1ag). It is also designed to support distribution across multiple physical servers, similar to VMware's vNetwork distributed vSwitch or Cisco's Nexus 1000V.
Open vSwitch supports a variety of Linux-based virtualization technologies, including Xen/XenServer, KVM, and VirtualBox.

1.2 Module Introduction

The current code package mainly includes the following modules and features:
-ovs-vswitchd: the main module, implementing the switch daemon, together with a Linux kernel module that performs flow-based switching;
-ovsdb-server: a lightweight database server that gives ovs-vswitchd access to its configuration;
-ovs-brcompatd: lets ovs-vswitchd replace the Linux bridge, together with a Linux kernel module that intercepts bridge ioctls;
-ovs-dpctl: configures the switch kernel module;
-some scripts and specs that install OVS on Citrix XenServer as the default switch;
-ovs-vsctl: queries and updates the configuration of ovs-vswitchd;
-ovs-appctl: sends command messages to the running daemons;
-ovsdbmonitor: a GUI tool for remote viewing of OVS databases and OpenFlow flow tables.
In addition, OVS provides implementations supporting OpenFlow, including:
-ovs-openflowd: a simple OpenFlow switch;
-ovs-controller: a simple OpenFlow controller;
-ovs-ofctl: queries and controls OpenFlow switches and controllers;
-ovs-pki: creates and manages a public key infrastructure for OpenFlow switches;
-ovs-tcpundump: a tcpdump patch that parses OpenFlow messages.

1.3 Operating principle

A kernel module implements multiple "datapaths" (similar to bridges), each of which can have multiple "vports" (similar to ports within a bridge). Each datapath also has an associated flow table, which user space populates with flows keyed on packet headers and metadata; the usual action is to forward the packet to another vport. When a packet arrives on a vport, the kernel module extracts its flow key from the packet and looks that key up in the flow table. If a matching flow exists, it performs the flow's actions. If there is none, it passes the packet to a user-space processing queue (as part of that processing, user space may install a flow so that subsequent packets of the same type are handled in the kernel).

II. Preparatory Work

2.1 Description

Compiling the userspace programs in the Open vSwitch distribution requires the following software:
-A make program, e.g. GNU make. BSD make should also work.
-The GNU C compiler. We generally test with version 4.1, 4.2, or 4.3.
-pkg-config. We test with version 0.22.
-libssl, from OpenSSL, is optional but recommended if you plan to connect Open vSwitch to an OpenFlow controller. libssl is required to establish confidentiality and authenticity in the connections from an Open vSwitch to an OpenFlow controller. If libssl is installed, Open vSwitch will automatically build with support for it.

The following software is also required to compile the kernel module on Linux. If you cannot build or install kernel modules, you can use the userspace-only implementation.

The Open vSwitch datapath requires bridging support (CONFIG_BRIDGE) to be built as a kernel module. (This is common on kernels provided by Linux distributions.) The bridge module must not be loaded or in use. If the bridge module is running (check with "lsmod | grep bridge"), you must remove it ("rmmod bridge") before starting the datapath.

2.2 Operation
Ensure that the following software is installed before installing Open vSwitch:
-libc compatible with the libc used for the build.
-libssl compatible with the libssl used for the build, if OpenSSL was used for the build.
-On Linux, the same kernel version configured as part of the build.
-For optional support of ingress policing on Linux, the "tc" program from iproute2 (part of all major distributions and available at http://www.linux-foundation.org/en/Net:Iproute2).

Perform:

apt-get install build-essential
apt-get install openssl

On Linux you should ensure that /dev/urandom exists. To support TAP devices, you must also ensure that /dev/net/tun exists.

III. Installing Open vSwitch

3.1 Downloads

Open vSwitch packages: http://openvswitch.org/download/
# wget http://openvswitch.org/releases/openvswitch-1.9.0.tar.gz

3.2 Decompression

# tar -xzf openvswitch-1.9.0.tar.gz

3.3 Installation

To build the kernel-mode Open vSwitch, you need to specify the kernel source build directory. The basic steps are as follows:

cd openvswitch-1.9.0/
./configure --with-linux=/lib/modules/`uname -r`/build
make && make install
insmod datapath/linux/openvswitch.ko

To supplement the concept of the datapath: OpenFlow separates control from data forwarding. The control side, called the controller (e.g. Floodlight), decides how traffic is forwarded; the forwarding side, called the datapath, is a hardware or software switch that supports OpenFlow.

IV. Configuring Open vSwitch

Set up the Open vSwitch configuration directory and database:

# mkdir -p /usr/local/etc/openvswitch
# ovsdb-tool create /usr/local/etc/openvswitch/conf.db /usr/local/share/openvswitch/vswitch.ovsschema

Start the configuration database:

# ovsdb-server --remote=punix:/usr/local/var/run/openvswitch/db.sock --remote=db:Open_vSwitch,manager_options --private-key=db:SSL,private_key --certificate=db:SSL,certificate --bootstrap-ca-cert=db:SSL,ca_cert --pidfile --detach

If you built Open vSwitch without SSL support, omit --private-key, --certificate, and --bootstrap-ca-cert.

Check that the database server started.

Initialize the database:

# ovs-vsctl --no-wait init

This only needs to be run the first time after the database is created, but it is harmless to run it every time.

Start the Open vSwitch daemon, connecting it to the same UNIX domain socket:

# ovs-vswitchd --pidfile --detach

After this succeeds there will be three processes: one ovs_workq kernel thread, one ovs-vswitchd process and one ovsdb-server process.

V. Upgrading Open vSwitch

When upgrading Open vSwitch, you also need to upgrade the database schema, as follows:

5.1 Stop the Open vSwitch daemons

kill `cd /usr/local/var/run/openvswitch && cat ovsdb-server.pid ovs-vswitchd.pid`

5.2 Install the new version

Same method as above: download, unpack, configure, make, make install.

5.3 Upgrade the database

There are two cases:
If the database holds no important information, you can delete the database file and recreate it with the ovsdb-tool command, as described above.
If you want to keep the contents of the database, back it up first, then upgrade it with the ovsdb-tool convert command, as follows:
ovsdb-tool convert /usr/local/etc/openvswitch/conf.db /usr/local/share/openvswitch/vswitch.ovsschema

5.4 Start the Open vSwitch daemons

Same method as above.

VI. Using Open vSwitch

6.1 Bridge Management

6.1.1 Bridge operations (without direct OVSDB table access)

Add a bridge named br0:

# ovs-vsctl add-br br0

List all bridges:

# ovs-vsctl list-br
br0

Check whether bridge br0 exists:

# ovs-vsctl br-exists br0
# echo $?

An exit status of 0 means the bridge exists; any other value means it does not.

Attach the network interface eth0 to bridge br0:

# ovs-vsctl add-port br0 eth0

List all network interfaces attached to bridge br0:

# ovs-vsctl list-ports br0
eth0

List the bridge to which the eth0 interface is attached:

# ovs-vsctl port-to-br eth0
br0

View the result:

# ovs-vsctl show
131648b5-f7a6-4949-9a39-273ed62c0922
    Bridge "br0"
        Port "br0"
            Interface "br0"
                type: internal
        Port "eth0"
            Interface "eth0"

Remove the eth0 interface from bridge br0:

# ovs-vsctl del-port br0 eth0

Delete the bridge named br0:

# ovs-vsctl del-br br0

6.1.2 OVSDB Database Operations

OVSDB is a very lightweight database; rather than a database in the usual sense, it is closer to a temporary configuration cache that supports insert, delete, update and query operations, because it uses little conventional database technology such as SQL queries or stored procedures. The OVSDB database is described by the schema file "openvswitch-1.1.0pre2/vswitchd/vswitch.ovsschema"; to customize the OVSDB database, change the vswitch.ovsschema file.

The general format of a database operation is:

ovs-vsctl list/set/get/add/remove/clear/destroy table record column [value]

By default OVSDB contains the following tables:

Bridge, Controller, Interface, Mirror, NetFlow, Open_vSwitch, Port, QoS, Queue, SSL, sFlow
View all records in the Bridge table:

ovs-vsctl list Bridge

Get the _uuid field of bridge br0:

ovs-vsctl get Bridge br0 _uuid

Set the datapath_type field of the Bridge table:

ovs-vsctl set Bridge br0 datapath_type="system"

Clear the flood_vlans field of the Bridge table:

ovs-vsctl clear Bridge br0 flood_vlans
or remove a single entry from a set or map column, for example:
ovs-vsctl remove Bridge br0 flow_tables 23

Remove the QoS record with UUID 69ee0c09-9e52-4236-8af6-037a98ca704d:

ovs-vsctl destroy QoS 69ee0c09-9e52-4236-8af6-037a98ca704d

6.2 Flow Rule Management

6.2.1 Flow Rule composition

Each flow rule consists of a series of fields, divided into three parts: basic fields, condition (match) fields, and action fields.

The basic fields include the elapsed time duration_sec, the table the entry belongs to table_id, the priority, the number of packets processed n_packets, the idle timeout idle_timeout, and so on. idle_timeout is in seconds; once a rule has been idle for longer than this it is deleted automatically. An idle_timeout of 0 means the rule never expires, and in that case idle_timeout is not shown in the output of ovs-ofctl dump-flows brname.
The condition fields include the input port in_port, the source/destination MAC addresses dl_src/dl_dst, the source/destination IP addresses nw_src/nw_dst, the packet type dl_type, the network-layer protocol nw_proto, and so on. Any combination of these fields may be used, but a higher-layer field may only be given a value when the lower-layer field it depends on is also fixed: a rule may specify the lower-layer field and wildcard the higher-layer one (leaving a field unspecified matches any value), but it may not specify the higher-layer field while wildcarding the lower-layer one. Otherwise the flow rule is rejected by ovs-vswitchd and the network fails to connect.
The action fields include normal forwarding (normal), output to a switch port (output:port), drop, rewriting the source/destination MAC address (mod_dl_src/mod_dl_dst), and so on. A flow rule may have several actions; they are executed in the order given.

6.2.2 Basic Operation

View information about a virtual switch:

# ovs-ofctl show br0
OFPT_FEATURES_REPLY (xid=0x1): dpid:00004a662add9d41
n_tables:255, n_buffers:256
capabilities: FLOW_STATS TABLE_STATS PORT_STATS QUEUE_STATS ARP_MATCH_IP
actions: OUTPUT SET_VLAN_VID SET_VLAN_PCP STRIP_VLAN SET_DL_SRC SET_DL_DST SET_NW_SRC SET_NW_DST SET_NW_TOS SET_TP_SRC SET_TP_DST ENQUEUE
 LOCAL(br0): addr:4a:66:2a:dd:9d:41
     config:     PORT_DOWN
     state:      LINK_DOWN
     speed: 100 Mbps now, Mbps max
OFPT_GET_CONFIG_REPLY (xid=0x3): frags=normal miss_send_len=0

View the status of each switch port on br0:

# ovs-ofctl dump-ports br0
OFPST_PORT reply (xid=0x1): 1 ports
  port 65534: rx pkts=0, bytes=0, drop=0, errs=0, frame=0, over=0, crc=0
           tx pkts=0, bytes=0, drop=0, errs=0, coll=0

Note: the output includes, for each network interface, the number of packets received and sent, the byte counts, the number of drops, the number of errored packets, and other information.
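As an added example (not part of this page or of Open vSwitch itself), the following Python parses the dump-ports output format shown above into per-port counters, diffs two snapshots (the counters are cumulative, so only deltas are meaningful for monitoring), and flags ports whose receive drops and errors exceed a threshold. Both snapshots are constructed sample output; ovs-ofctl prints "?" for counters a datapath cannot report, and the parser keeps those as None.

```python
"""Added example: parse 'ovs-ofctl dump-ports' output and flag unhealthy ports
(illustrative code, not Open vSwitch's own)."""
import re

PORT_LINE = re.compile(r"^\s*port\s+(\S+):\s*(.*)$")
COUNTERS = re.compile(r"^\s*(rx|tx)\s+(.*)$")


def parse_dump_ports(text):
    """Return {port_no: {'rx_pkts': int|None, 'tx_drop': ..., ...}}.
    '?' (a counter the datapath cannot report) is stored as None."""
    stats, current = {}, None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            name = m.group(1)
            current = int(name) if name.isdigit() else name   # e.g. LOCAL
            stats[current] = {}
            line = m.group(2)                 # rx counters share the 'port' line
        c = COUNTERS.match(line)
        if c and current is not None:
            direction, body = c.groups()
            for item in body.split(","):
                key, _, value = item.strip().partition("=")
                if key:
                    stats[current][direction + "_" + key] = None if value == "?" else int(value)
    return stats


def counter_delta(before, after):
    """after - before per port and counter; counters missing from either
    snapshot or reported as '?' are skipped."""
    delta = {}
    for port, counters in after.items():
        old = before.get(port, {})
        delta[port] = {k: v - old[k] for k, v in counters.items()
                       if v is not None and old.get(k) is not None}
    return delta


def unhealthy_ports(stats, max_bad_ratio=0.01):
    """Ports whose receive drops plus errors exceed max_bad_ratio of received packets."""
    flagged = []
    for port, c in stats.items():
        rx = c.get("rx_pkts") or 0
        bad = (c.get("rx_drop") or 0) + (c.get("rx_errs") or 0)
        if rx and bad / rx > max_bad_ratio:
            flagged.append(port)
    return sorted(flagged, key=str)


# Constructed snapshots in the format printed by 'ovs-ofctl dump-ports'.
SNAPSHOT_1 = """OFPST_PORT reply (xid=0x1): 2 ports
  port 65534: rx pkts=0, bytes=0, drop=0, errs=0, frame=0, over=0, crc=0
           tx pkts=0, bytes=0, drop=0, errs=0, coll=0
  port  1: rx pkts=1000, bytes=80000, drop=0, errs=0, frame=0, over=0, crc=0
           tx pkts=700, bytes=56000, drop=0, errs=0, coll=0
"""
SNAPSHOT_2 = """OFPST_PORT reply (xid=0x2): 2 ports
  port 65534: rx pkts=0, bytes=0, drop=0, errs=0, frame=0, over=0, crc=0
           tx pkts=0, bytes=0, drop=0, errs=0, coll=0
  port  1: rx pkts=2200, bytes=176000, drop=30, errs=4, frame=0, over=0, crc=4
           tx pkts=1500, bytes=120000, drop=0, errs=0, coll=0
"""

if __name__ == "__main__":
    before, after = parse_dump_ports(SNAPSHOT_1), parse_dump_ports(SNAPSHOT_2)
    print(counter_delta(before, after))
    print("unhealthy:", unhealthy_ports(after))
```

Feed it the real output of ovs-ofctl dump-ports taken at two points in time; a rising rx_drop or rx_errs delta on a port is usually the first visible sign of a policing limit, a duplex mismatch or a flooded link.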
Add a flow rule that discards all packets arriving on port 2:

# ovs-ofctl add-flow br0 idle_timeout=120,in_port=2,actions=drop

View all flow rules on the BR0

# ovs-ofctl dump-flows br0
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=56.824s, table=0, n_packets=0, n_bytes=0, idle_timeout=120, idle_age=56, in_port=2 actions=drop


Delete a flow rule: delete all flow rules whose match fields contain in_port=2:

# ovs-ofctl del-flows br0 in_port=2

6.3 Application Scenario Settings

6.3.1 QoS Settings

Settings for a network interface:

Set the bandwidth of interface eth4 to 1000±100 kbps:

ovs-vsctl set Interface eth4 ingress_policing_rate=1000
ovs-vsctl set Interface eth4 ingress_policing_burst=100

Note:
ingress_policing_rate: maximum rate, in kbps
ingress_policing_burst: maximum burst allowed above ingress_policing_rate

Settings for a switch port:
A linux-htb QoS created on port vif0.0. linux-htb QoS can set the maximum and minimum bandwidth for packet flows with specified characteristics, and within the maximum bandwidth a flow with one characteristic can borrow bandwidth that flows with other characteristics have not used up.

ovs-vsctl -- set port vif0.0 qos=@newqos -- --id=@newqos create qos type=linux-htb other-config:max-rate=100000000 queues=0=@q0,1=@q1 -- --id=@q0 create queue other-config:min-rate=100000000 other-config:max-rate=100000000 -- --id=@q1 create queue other-config:min-rate=500000000

6.3.2 Port Mirroring

Mirror all packets destined for port eth0 and all packets coming from port eth1 to port eth2.

Use the ovs-vsctl list Port command to look up the UUIDs of ports eth0, eth1 and eth2 respectively:

a27e5ec3-5d78-437e-8e36-d6f81679132a
be52eece-1f03-4ccf-a4c6-b0b68cb25f8a
bc38e1c3-60a1-468e-89d7-e4b45585b533

The command is as follows:

ovs-vsctl -- set Bridge br0 mirrors=@m -- --id=@m create Mirror name=mymirror select-dst-port=a27e5ec3-5d78-437e-8e36-d6f81679132a select-src-port=be52eece-1f03-4ccf-a4c6-b0b68cb25f8a output-port=bc38e1c3-60a1-468e-89d7-e4b45585b533

6.3.3 Other Settings

Website blocking

Block access to host 119.75.213.50 by any host managed by Open vSwitch, but only for IP packets (specified by dl_type=0x0800). This means none of the hosts can reach any IP-based service on that host, such as web services, FTP access, etc.

ovs-ofctl add-flow br0 idle_timeout=0,dl_type=0x0800,nw_src=119.75.213.50,actions=drop

Note: the condition fields can be abbreviated with a protocol name. The currently supported shorthands are ip, arp, icmp, tcp and udp; they correspond to the following flow rule condition fields:
dl_type=0x0800 <=> ip
dl_type=0x0806 <=> arp
dl_type=0x0800,nw_proto=1 <=> icmp
dl_type=0x0800,nw_proto=6 <=> tcp
dl_type=0x0800,nw_proto=17 <=> udp
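As an added example (not part of this page or of Open vSwitch), the following Python parses ovs-ofctl flow specifications and dump-flows lines (section 6.2.2) into basic, match and action fields, expands the protocol shorthands from the table above, and checks the layering rule from section 6.2.1: a higher-layer match field must not be given while the lower-layer field it depends on is wildcarded. The SHORTHANDS table is the one on this page; the PREREQUISITES table is an assumed, simplified subset covering only these protocols (ovs-ofctl's full prerequisite rules cover more fields); the dump-flows sample is constructed. The permanent_drop_rules helper shows how the same parser can audit a live flow table for drop rules that never expire.

```python
"""Added example: parse and lint ovs-ofctl flow specs (not Open vSwitch code)."""
import re

# Protocol shorthands from the note above and the match fields they expand to.
SHORTHANDS = {
    "ip":   {"dl_type": "0x0800"},
    "arp":  {"dl_type": "0x0806"},
    "icmp": {"dl_type": "0x0800", "nw_proto": "1"},
    "tcp":  {"dl_type": "0x0800", "nw_proto": "6"},
    "udp":  {"dl_type": "0x0800", "nw_proto": "17"},
}

# Layering prerequisites (assumed, simplified subset): a field may only be given
# a value when the lower-layer field it depends on is fixed to an allowed value.
PREREQUISITES = {
    "nw_src":   ("dl_type", {0x0800, 0x0806}),
    "nw_dst":   ("dl_type", {0x0800, 0x0806}),
    "nw_proto": ("dl_type", {0x0800, 0x0806}),
    "tp_src":   ("nw_proto", {1, 6, 17}),
    "tp_dst":   ("nw_proto", {1, 6, 17}),
}

# Fields that describe the rule itself rather than the packets it matches.
BASIC_FIELDS = {"cookie", "duration", "table", "priority", "n_packets", "n_bytes",
                "idle_timeout", "hard_timeout", "idle_age", "hard_age"}


def _as_int(value):
    """Parse '0x0800', '6', etc.; None for wildcards or unparsable text."""
    try:
        return int(value, 0)
    except (TypeError, ValueError):
        return None


def parse_flow(spec):
    """Split an add-flow spec or a dump-flows line into (basic, match, actions).

    add-flow input separates the actions with a comma, dump-flows output with
    whitespace; both forms are accepted.  Values are kept as strings."""
    spec = spec.strip()
    m = re.search(r"(?:^|[,\s])actions=(.*)$", spec)
    actions = m.group(1).split(",") if m else []
    head = spec[:m.start()] if m else spec
    basic, match = {}, {}
    for item in head.split(","):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition("=")
        if key in SHORTHANDS and not value:
            match.update(SHORTHANDS[key])          # expand 'tcp' and friends
        elif key in BASIC_FIELDS:
            basic[key] = value
        else:
            match[key] = value
    return basic, match, actions


def check_prerequisites(match):
    """Return violations of the layering rule for one parsed match."""
    problems = []
    for field, (lower, allowed) in PREREQUISITES.items():
        if field in match and _as_int(match.get(lower)) not in allowed:
            problems.append("%s needs %s in %s, got %r"
                            % (field, lower, sorted(allowed), match.get(lower)))
    return problems


def lint_flow(spec):
    """Parse a rule as ovs-ofctl add-flow would see it and report problems."""
    _, match, actions = parse_flow(spec)
    problems = check_prerequisites(match)
    if not actions:
        problems.append("no actions= clause")
    return problems


def permanent_drop_rules(dump_output):
    """Audit helper: matches of rules in 'ovs-ofctl dump-flows' output that
    drop traffic and never expire (no idle_timeout/hard_timeout, i.e. 0)."""
    found = []
    for line in dump_output.splitlines():
        if "actions=" not in line:
            continue                               # header line
        basic, match, actions = parse_flow(line)
        expires = any(_as_int(basic.get(k)) for k in ("idle_timeout", "hard_timeout"))
        if not expires and actions == ["drop"]:
            found.append(match)
    return found


# Constructed dump-flows output in the format shown in section 6.2.2.
SAMPLE_DUMP = """NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=56.824s, table=0, n_packets=0, n_bytes=0, idle_timeout=120, idle_age=56, in_port=2 actions=drop
 cookie=0x0, duration=10.500s, table=0, n_packets=3, n_bytes=180, idle_age=2, ip,nw_src=119.75.213.50 actions=drop
 cookie=0x0, duration=9.100s, table=0, n_packets=8, n_bytes=640, idle_age=1, in_port=3 actions=strip_vlan,NORMAL
"""

if __name__ == "__main__":
    print(lint_flow("idle_timeout=0,nw_src=119.75.213.50,actions=drop"))
    print(lint_flow("idle_timeout=0,tcp,tp_dst=80,actions=drop"))
    print(permanent_drop_rules(SAMPLE_DUMP))
```

Running lint_flow over a rule before installing it catches the case section 6.2.1 warns about (an nw_src match without dl_type), and permanent_drop_rules over a periodic dump-flows capture gives a quick inventory of the blocking rules that will stay in place until someone deletes them.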

Packet redirection

Forward all ICMP packets on the switch (specified by dl_type=0x0800,nw_proto=1) to port 4, including ICMP packets originating from port 4 itself. As a result, ping between the hosts managed by Open vSwitch and the external network no longer works, while web, FTP and other services remain usable.
ovs-ofctl add-flow br0 idle_timeout=0,dl_type=0x0800,nw_proto=1,actions=output:4

Remove VLAN tag

Strip the tag from all VLAN packets received on port 3 and forward them normally:
ovs-ofctl add-flow br0 idle_timeout=0,in_port=3,actions=strip_vlan,normal

Forwarding after changing the packet's source IP address

Change the source IP of all IP packets received on port 3 to 192.168.28.225:
ovs-ofctl add-flow br0 idle_timeout=0,in_port=3,actions=mod_nw_src:192.168.28.225,normal

6.4 Comprehensive Application

6.4.1 Building a simple switch

A host with five network cards is turned into a switch, and hosts are connected to two of its NICs to test Internet access.
(Figure: resulting topology diagram)

Description:
Behind eth1 is a host with IP 192.168.28.43
Behind eth2 is a host with IP 192.168.28.209
eth0, eth1 and eth2 are network cards on the same host
Execute the commands:
# ovs-vsctl add-br br0          // create an Open vSwitch bridge
# ovs-vsctl add-port br0 eth0   // add eth0 to br0
# ovs-vsctl add-port br0 eth1   // add eth1 to br0
# ovs-vsctl add-port br0 eth2   // add eth2 to br0
Verify:
Ping 192.168.28.209 from 192.168.28.43
Ping 192.168.28.43 from 192.168.28.209
(Figure: ping output)

The two machines can ping each other; further verification shows that the hosts behind eth1 and eth2 can also access the network normally.

6.4.2 Switch VLAN Partitioning

This assigns different NICs on the same bridge to different VLANs.
(Figure: structure diagram)

VLAN assignment:
vlan1: eth1, eth3
vlan2: eth2
Execute the commands:
# ovs-vsctl add-br br0                // create an Open vSwitch bridge
# ovs-vsctl add-port br0 eth0         // add eth0 to br0
# ovs-vsctl add-port br0 eth1 tag=1   // add eth1 to VLAN 1
# ovs-vsctl add-port br0 eth2 tag=2   // add eth2 to VLAN 2
# ovs-vsctl add-port br0 eth3 tag=1   // add eth3 to VLAN 1
# ovs-vsctl show
131648b5-f7a6-4949-9a39-273ed62c0922
    Bridge "br0"
        Port "br0"
            Interface "br0"
                type: internal
        Port "eth0"
            Interface "eth0"
        Port "eth2"
            tag: 2
            Interface "eth2"
        Port "eth1"
            tag: 1
            Interface "eth1"
        Port "eth3"
            tag: 1
            Interface "eth3"
Note:
Tagged VLANs follow IEEE 802.1Q (the VLAN standard), using the VID (VLAN ID) to separate VLANs.
Validation:
Ping 192.168.28.209 from 192.168.28.43: the ping fails.
(Figure: ping output)
Ping 192.168.28.43 from 192.168.28.209: the ping fails as well.
In addition, the two machines cannot access the Internet either; the reason may be that the kernel does not support it.
For further verification, add eth1 and eth2 to the same VLAN, as follows:
# ovs-vsctl add-port br0 eth1 tag=1   // add eth1 to VLAN 1
# ovs-vsctl add-port br0 eth2 tag=1   // add eth2 to VLAN 1
The result of pinging each other is as follows:
(Figure: ping output)

It should be noted that the two machines connected to eth1 and eth2 are still unable to access the Internet.
Conclusion:
VLAN technology provides isolation at layers 2 and 3: it can group network users and resources, and a VLAN-capable switch isolates data exchange between devices in different groups, which improves network security. Machines in the same VLAN can communicate with each other; machines in different VLANs cannot, because they are separated at the data link layer and can only reach each other through a layer-3 router.
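As an added example (not from this page or from Open vSwitch), the following Python models the forwarding decision that produced the results above: a port with tag= is an access port whose untagged frames belong to that VLAN, a port without tag= is a trunk that carries every VLAN with the tag left on, and a frame is only delivered to ports in its VLAN. The port layout is the one from the experiment (eth0 untagged, eth1 and eth3 in VLAN 1, eth2 in VLAN 2); the function names are mine. The model is an illustration of the 802.1Q semantics described in the note, not the switch's implementation.

```python
"""Added example: a model of Open vSwitch access/trunk VLAN forwarding
(illustrative, not Open vSwitch code)."""


def reachable(ports, in_port, frame_vlan=None):
    """Return {egress_port: vlan_tag_on_egress} for a frame flooded from in_port.

    ports maps a port name to its access VLAN (the 'tag=' value) or None for a
    trunk port carrying every VLAN.  frame_vlan is the 802.1Q VID the arriving
    frame carries, None if it is untagged.  An egress tag of None means the
    frame leaves untagged."""
    access_vlan = ports[in_port]
    if access_vlan is not None:
        if frame_vlan is not None:
            return {}                  # access ports drop frames that already carry a tag
        vlan = access_vlan             # untagged frame belongs to the port's VLAN
    else:
        vlan = frame_vlan              # trunk keeps whatever VLAN the frame is in
    egress = {}
    for name, tag in ports.items():
        if name == in_port:
            continue
        if tag is None:
            egress[name] = vlan        # trunk: the tag stays on the frame
        elif tag == vlan:
            egress[name] = None        # same-VLAN access port: tag is stripped
    return egress


def can_communicate(ports, a, b):
    """True when untagged frames from access port a reach b and vice versa."""
    return b in reachable(ports, a) and a in reachable(ports, b)


# Port layout from the VLAN experiment above.
EXPERIMENT = {"eth0": None, "eth1": 1, "eth2": 2, "eth3": 1}
# Second experiment: eth2 moved into VLAN 1 as well.
SAME_VLAN = dict(EXPERIMENT, eth2=1)

if __name__ == "__main__":
    print("eth1 -> eth2 (different VLANs):", can_communicate(EXPERIMENT, "eth1", "eth2"))
    print("eth1 -> eth2 (same VLAN):      ", can_communicate(SAME_VLAN, "eth1", "eth2"))
    print("frame from eth1 leaves via:", reachable(EXPERIMENT, "eth1"))
```

The model also makes the fate of the uplink visible: frames from the VLAN 1 hosts leave the untagged port eth0 carrying tag 1, so whatever sits upstream of eth0 has to accept 802.1Q-tagged frames for those hosts to reach anything beyond the switch, and a host on a trunk port that sends untagged frames never reaches the tagged access ports at all.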
6.4.3 ovs-controller Test

Here are some operations using Open vSwitch's own controller.
Deployment:
Host 192.168.28.229 acts as the ovs-controller
Virtual machine 192.168.1.156 acts as the vswitch controlled by 192.168.28.229
6.4.3.1 TCP Mode
First, execute on 192.168.1.156.
Configure the controller:
# ovs-vsctl add-br br0
# ovs-vsctl set-controller br0 tcp:192.168.28.229:6633
View the controller:
# ovs-vsctl get-controller br0
tcp:192.168.28.229:6633
View everything:
# ovs-vsctl show
05d9e9e9-cb3b-4e7d-900e-e85926e6b7d3
    Bridge "br0"
        Controller "tcp:192.168.28.229:6633"
            is_connected: true
        Port "br0"
            Interface "br0"
                type: internal
Then execute on 192.168.28.229:
# ovs-controller ptcp:6633:192.168.28.229
Finally, execute on 192.168.1.156:
# ovs-controller tcp:192.168.28.229:6633
The controller and the vswitch are now connected.
Verify as follows:
(Figure: connection listing)

It can be seen that 192.168.28.229 and 192.168.1.156 are connected. Looking closely, they established two connections: one between the controller on .229 and the vswitch on .156, and one between the controller on .229 and the controller on .156. Also, viewed from .229, the connection from 192.168.1.156 appears to come from 192.168.28.1, because 192.168.28.1 is the router's address: 192.168.1.156 is an address assigned by the wireless router, which uses NAT.
6.4.3.2 SSL Mode
The following parameters are required when ovs-vswitchd is configured to connect to a connection manager or controller via SSL:
--private-key (private key)
Specifies a PEM file containing the private key used as the virtual switch's identity for SSL connections to the controller.
--certificate (certificate)
Specifies a PEM file containing a certificate, signed by the certificate authority (CA) used by the controller and manager, that certifies the virtual switch's private key and identifies the switch as trustworthy to the controller and manager.
--ca-cert (CA certificate)
Specifies a PEM file containing the CA certificate used to verify that the virtual switch is talking to a trusted controller.
6.5 Code Testing
Here is a brief look at some of the code in the ~/openvswitch-1.7.1/tests directory of the installation package.
6.5.1 test-uuid
test-uuid.c mainly generates a UUID or checks that a UUID is correct. Creating a device, or acquiring a device UUID, calls a similar function; the number of arguments given determines whether it generates a UUID or checks one.
The UUID format is as follows:
********-****-****-****-************
32 hexadecimal digits in total, for example: 1e08ebdf-2005-4fc5-826a-5fe16acc0acc
6.5.2 test-stp
STP (Spanning Tree Protocol) logically breaks loops, preventing broadcast storms in a layer-2 network; when a link fails, a blocked interface is activated and communication resumes, so the redundant link acts as a backup.
The principle of STP:
By blocking redundant links, a looped bridged network is pruned into a loop-free tree topology.
The STP algorithm, i.e. the steps by which STP turns a looped network into a loop-free topology:
Select the root bridge
Select the root ports
Select the designated ports
The selection criteria are as follows:
The root bridge is chosen by lowest bridge ID;
On each non-root bridge, the port closest to the root bridge becomes the root port, chosen by lowest root path cost, then lowest directly attached (upstream) bridge ID, then lowest upstream port ID;
STP selects one designated port (DP) on each network segment.
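As an added example (not the test-stp code from the OVS tree and not part of this page), the following Python carries the three selection steps above through a constructed triangle of three bridges. Bridge IDs are simplified to plain integers (a real bridge ID is priority plus MAC address, but only the ordering matters here), every port uses the 802.1D-1998 path cost of 19 for a 100 Mbps link, and the function names are mine. The tie on the segment between bridges 2 and 3, where both have the same root path cost, is resolved by the lower bridge ID exactly as the criteria state, which is what leaves bridge 3's second port blocked.

```python
"""Added example: the three STP selection steps on a constructed topology
(illustrative, not the test-stp code from the OVS tree)."""
from collections import defaultdict

# Constructed triangle: three bridges, each with two ports; a bridge is
# {port_id: (segment, port_cost)}.  Lower bridge ID is better, as in 802.1D.
BRIDGES = {
    1: {1: ("S1", 19), 2: ("S3", 19)},
    2: {1: ("S1", 19), 2: ("S2", 19)},
    3: {1: ("S3", 19), 2: ("S2", 19)},
}


def segments(bridges):
    """segment -> [(bridge_id, port_id, port_cost)] for every attached port."""
    seg = defaultdict(list)
    for b, ports in bridges.items():
        for p, (s, cost) in ports.items():
            seg[s].append((b, p, cost))
    return seg


def root_path_costs(bridges, root):
    """Lowest cost from each bridge to the root; a hop into a bridge costs the
    receiving port's cost (Bellman-Ford relaxation, fine for small graphs)."""
    seg = segments(bridges)
    dist = {b: (0 if b == root else float("inf")) for b in bridges}
    changed = True
    while changed:
        changed = False
        for members in seg.values():
            for b, _, cost in members:
                for a, _, _ in members:
                    if a != b and dist[a] + cost < dist[b]:
                        dist[b] = dist[a] + cost
                        changed = True
    return dist


def stp_roles(bridges):
    """Return (root_bridge, root_path_cost, roles) where roles maps
    bridge -> {port: 'root' | 'designated' | 'blocked'}."""
    root = min(bridges)                                   # step 1: lowest bridge ID
    dist = root_path_costs(bridges, root)
    seg = segments(bridges)
    # step 3: one designated port per segment, lowest (root path cost, bridge ID, port ID)
    designated = {s: min(m, key=lambda x: (dist[x[0]], x[0], x[1])) for s, m in seg.items()}
    roles = {b: {p: "blocked" for p in ports} for b, ports in bridges.items()}
    for b, p, _ in designated.values():
        roles[b][p] = "designated"
    # step 2: on each non-root bridge the port closest to the root becomes the root
    # port, by lowest (root path cost, upstream bridge ID, upstream port ID, own port ID)
    for b, ports in bridges.items():
        if b == root:
            continue
        candidates = []
        for p, (s, cost) in ports.items():
            up_b, up_p, _ = designated[s]
            if up_b != b:                                 # not where we are designated ourselves
                candidates.append((dist[up_b] + cost, up_b, up_p, p))
        if candidates:
            roles[b][min(candidates)[3]] = "root"
    return root, dist, roles


if __name__ == "__main__":
    root, dist, roles = stp_roles(BRIDGES)
    print("root bridge:", root)
    for b in sorted(roles):
        print("bridge", b, "cost", dist[b], roles[b])
```

Every port that ends up "blocked" is a redundant link that STP keeps out of the forwarding topology; if a link on the active tree is removed from BRIDGES and the function is run again, the previously blocked port takes over, which is the backup behaviour the section describes.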
6.5.3 test-netflow
Network flow collector test tool.
Usage: test-netflow [OPTIONS] port[:ip]
Listens on the given UDP port; the IP is optional.
6.5.4 test-json
Reads JSON from a file; the filename follows the executable on the command line. The file must contain correctly formatted JSON; if the JSON is malformed, execution fails with an error. Only when the file exists and its contents are valid JSON does it print the JSON value contained in the file.

SDNAP exclusive; for more introductory SDN material, visit the SDNAP website, www.sdnap.com
