[Reprinted] openflow practices based on open vswitch

Source: Internet
Author: User
Overview of open vswitch

Open vSwitch (OVS) is a virtual switch, led by Nicira Networks, that runs on virtualization platforms such as KVM and Xen. On such a platform, OVS provides layer-2 switching for dynamically changing endpoints and is used to implement access control, network isolation and traffic monitoring in virtual networks.

OVS is released under the Apache 2.0 license and supports a variety of standard management interfaces and protocols, including OpenFlow: any controller that speaks the OpenFlow protocol can remotely manage and control OVS.


There are several important concepts in ovs:

  • Bridge: a bridge represents an Ethernet switch. One or more bridges can be created on a host.
  • Port: similar to a port on a physical switch; every port belongs to a bridge.
  • Interface: the network interface device attached to a port. Normally port and interface are one-to-one; a port has several interfaces only when it is configured in bond mode.
  • Controller: an OpenFlow controller. OVS can be managed by one or more OpenFlow controllers at the same time.
  • Datapath: in OVS the datapath does the actual forwarding: it matches packets received on a port against the flow table and executes the actions of the matching entry.
  • Flow table: each datapath is associated with a flow table. When the datapath receives a packet, OVS looks up the matching flow in the flow table and performs the corresponding actions, for example forwarding the packet to another port.
Open vswitch lab environment Configuration

Ovs can be installed in mainstream Linux operating systems. You can choose to directly install the compiled software package or download the source code for compilation and installation.

In our experimental environment, the operating system is 64-bit Ubuntu server 12.04.3 LTS, and open vswitch 1.11.0 is installed through source code compilation.

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 12.04.3 LTS
Release:        12.04
Codename:       precise

For how to compile and install ovs source code, refer to the official document "how to install Open vswitch on Linux, FreeBSD and NetBSD.

After the installation is complete, check the ovs running status:

$ ps -ea | grep ovs
12533 ?        00:00:00 ovs_workq
12549 ?        00:00:04 ovsdb-server
12565 ?        00:00:48 ovs-vswitchd
12566 ?        00:00:00 ovs-vswitchd

View the version information of ovs. The installed version is 1.11.0.

$ ovs-appctl --version
ovs-appctl (Open vSwitch) 1.11.0
Compiled Oct 28 2013 14:17:16

View the version of the openflow protocol supported by ovs

$ ovs-ofctl --version
ovs-ofctl (Open vSwitch) 1.11.0
Compiled Oct 28 2013 14:17:17
OpenFlow versions 0x1:0x4


Openflow practices based on open vswitch

OpenFlow is the protocol used to manage the switch's flow tables; ovs-ofctl is a command line tool shipped with OVS. When no OpenFlow controller is configured, ovs-ofctl can talk to OVS over the OpenFlow protocol to create, modify or delete flow table entries, and it can also monitor the running state of OVS.

Figure 1. openflow matching flow syntax description

In the OpenFlow white paper, a flow is defined as a specific kind of network traffic, for example a TCP connection, or the packets sent from one IP address. A switch that supports OpenFlow holds one or more flow tables; each flow table entry consists of the packet header fields to match, the instructions to execute when a packet matches, and counters.

When a packet enters OVS, it is matched against the entries in the flow table. If a matching entry is found, that entry's instruction set is executed; if nothing matches, OVS sends the packet to the OpenFlow controller over the control channel.

In OVS, a flow table entry is passed to ovs-ofctl as a string of field=value pairs, separated by commas or spaces. Some common fields are listed below:

Table 1. Common fields in a flow table

Field name: Description

in_port=port
    OpenFlow port number of the port on which the packet was received.

dl_vlan=vlan
    VLAN tag value of the packet, starting from 0. The value 0xffff matches packets that carry no VLAN tag.

dl_src=<mac>
dl_dst=<mac>
    Match the source or destination MAC address, optionally with a mask:
    01:00:00:00:00:00/01:00:00:00:00:00 represents the broadcast address;
    00:00:00:00:00:00/01:00:00:00:00:00 represents unicast addresses.

dl_type=ethertype
    Match the Ethernet protocol type, for example:
    dl_type=0x0800 is IPv4,
    dl_type=0x86dd is IPv6,
    dl_type=0x0806 is ARP.
    For the complete list, see the Ethernet protocol type list.

nw_src=ip[/netmask]
nw_dst=ip[/netmask]
    When dl_type=0x0800, match the source or destination IPv4 address, given as an IP address or host name, optionally with a netmask.

nw_proto=proto
    Used together with dl_type:
    when dl_type=0x0800, matches the IP protocol number;
    when dl_type=0x86dd, matches the IPv6 next-header (protocol) number.
    For the complete list, see the IP protocol number list.

table=number
    ID of the flow table to use, in the range 0-254; defaults to 0 when omitted. Using table numbers, flows can be created or modified in several tables.

reg<idx>=value[/mask]
    Value of a register in the switch. All registers are cleared when a packet enters the switch; actions can write values into them.

For the add-flow, add-flows and mod-flows commands, the action(s) to execute must also be given: actions=[target][,target...]

A flow rule can carry several actions; they are executed in the order listed.

Common actions include:

  • output:port: send the packet out of the given port (port is the OpenFlow port number).
  • mod_vlan_vid: modify the VLAN tag of the packet.
  • strip_vlan: remove the VLAN tag from the packet.
  • mod_dl_src/mod_dl_dst: rewrite the source or destination MAC address.
  • mod_nw_src/mod_nw_dst: rewrite the source or destination IPv4 address.
  • resubmit:port: replace the in_port field and run the packet through the flow table again.
  • load:value->dst[start..end]: write a value into the given field (or bit range of it).
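As an added example (not code from the article or from Open vSwitch), here is a small Python matcher that parses flow strings in the field=value format of Table 1 and the actions syntax above, then looks packets up the way the text describes: the highest-priority matching entry wins, and a table miss returns None, standing for the packet-in to the controller. The flow strings in FLOWS are the ones this article's walkthrough installs; the packets and the default priority-0 NORMAL rule are constructed for the demo. It handles only the fields listed above, exact or masked, plus the 0xffff "untagged" convention for dl_vlan; ovs-ofctl accepts far more.

```python
"""Tiny OpenFlow-style flow table matcher (added example, not OVS code)."""
import ipaddress

DEFAULT_PRIORITY = 32768  # ovs-ofctl's default when priority= is omitted
MAC_FIELDS = ("dl_src", "dl_dst")
IP_FIELDS = ("nw_src", "nw_dst")


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def parse_match_value(field, text):
    """Return (value, mask) as integers; mask None means exact match."""
    if field in MAC_FIELDS:
        value, _, mask = text.partition("/")
        return mac_to_int(value), (mac_to_int(mask) if mask else None)
    if field in IP_FIELDS:
        net = ipaddress.ip_network(text, strict=False)
        return int(net.network_address), int(net.netmask)
    return int(text, 0), None


def parse_flow(spec):
    """Parse 'table=0, priority=1, in_port=100, actions=drop' into a dict."""
    match_text, _, action_text = spec.partition("actions=")
    flow = {"table": 0, "priority": DEFAULT_PRIORITY, "match": {},
            "actions": [a.strip() for a in action_text.split(",") if a.strip()]}
    for token in match_text.replace(",", " ").split():
        field, _, text = token.partition("=")
        if field == "table":
            flow["table"] = int(text, 0)
        elif field == "priority":
            flow["priority"] = int(text, 0)
        elif field in ("idle_timeout", "hard_timeout", "cookie"):
            continue  # bookkeeping, not part of the match
        else:
            flow["match"][field] = parse_match_value(field, text)
    return flow


def packet(**fields):
    """Build a packet header dict, converting MAC/IP strings to integers."""
    for name, value in list(fields.items()):
        if name in MAC_FIELDS:
            fields[name] = mac_to_int(value)
        elif name in IP_FIELDS:
            fields[name] = int(ipaddress.ip_address(value))
    return fields


def matches(flow, pkt):
    for field, (value, mask) in flow["match"].items():
        if field == "dl_vlan" and value == 0xFFFF:  # "no VLAN tag" convention
            if pkt.get("dl_vlan") is not None:
                return False
            continue
        have = pkt.get(field)
        if have is None:
            return False
        if mask is None:
            if have != value:
                return False
        elif have & mask != value & mask:
            return False
    return True


def lookup(flows, pkt, table=0):
    """Actions of the best matching flow, or None on a table miss (packet-in)."""
    candidates = [f for f in flows if f["table"] == table and matches(f, pkt)]
    if not candidates:
        return None
    return max(candidates, key=lambda f: f["priority"])["actions"]


# The flows installed in this article's walkthrough, plus the default
# priority-0 NORMAL rule a new bridge carries (constructed for the demo).
FLOWS = [parse_flow(s) for s in (
    "table=0, dl_src=01:00:00:00:00:00/01:00:00:00:00:00, actions=drop",
    "table=0, dl_dst=01:80:c2:00:00:00/ff:ff:ff:ff:ff:f0, actions=drop",
    "priority=1 idle_timeout=0, in_port=100,actions=mod_nw_src:9.181.137.1,normal",
    "idle_timeout=0,dl_type=0x0800,nw_proto=1,actions=output:102",
    "priority=3,in_port=100,dl_vlan=0xffff,actions=mod_vlan_vid:101,normal",
    "priority=0,actions=normal",
)]


def demo():
    """Constructed packets run against FLOWS; see the test for expected results."""
    p0, p1 = "66:4e:cc:ae:4d:20", "46:54:8a:95:dd:f8"
    ping = packet(in_port=100, dl_src=p0, dl_dst=p1, dl_type=0x0800,
                  nw_src="192.168.1.100", nw_dst="192.168.1.101", nw_proto=1)
    bpdu = packet(in_port=101, dl_src=p1, dl_dst="01:80:c2:00:00:00", dl_type=0x0026)
    arp = packet(in_port=100, dl_src=p0, dl_dst="ff:ff:ff:ff:ff:ff", dl_type=0x0806)
    tcp_from_p1 = packet(in_port=101, dl_src=p1, dl_dst=p0, dl_type=0x0800, nw_proto=6)
    return {
        "ping": lookup(FLOWS, ping),                # ICMP rule (32768) beats priority 1 and 3
        "bpdu": lookup(FLOWS, bpdu),                # STP shield rule
        "arp": lookup(FLOWS, arp),                  # untagged frame from p0: VLAN rule
        "tcp_from_p1": lookup(FLOWS, tcp_from_p1),  # only the default NORMAL rule
        "miss": lookup(FLOWS, ping, table=1),       # empty table: packet-in
    }


if __name__ == "__main__":
    print(demo())
```

The demo shows why priority matters in the walkthrough: the ICMP redirect rule, which took the default priority 32768, wins over the priority-1 mod_nw_src rule for the same ping.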
Openflow commands

In this example we create an OVS switch that is not connected to any controller and show how to operate its OpenFlow flow table with the ovs-ofctl command.

Create a new ovs Switch

$ ovs-vsctl add-br ovs-switch

Create port p0 and request OpenFlow port number 100 for it (if no OpenFlow port number is requested when a port is created, OVS assigns one automatically).

$ ovs-vsctl add-port ovs-switch p0 -- set Interface p0 ofport_request=100

Set the interface type to "internal". For an internal interface OVS also creates a network device in Linux through which data can be sent and received; we can assign an IP address to this device and capture traffic on it.

$ ovs-vsctl set Interface p0 type=internal
$ ethtool -i p0
driver: openvswitch
version:
firmware-version:
bus-info:
supports-statistics: no
supports-test: no
supports-eeprom-access: no
supports-register-dump: no

To avoid conflicts between the address on this interface and the existing addresses on the host, we create a network namespace ns0, move the p0 interface into it, and configure the IP address 192.168.1.100.

$ ip netns add ns0
$ ip link set p0 netns ns0
$ ip netns exec ns0 ip addr add 192.168.1.100/24 dev p0
$ ip netns exec ns0 ifconfig p0 promisc up

Use the same method to create ports P1 and P2
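The per-port procedure above (add the port with a requested OpenFlow number, make it internal, move it into its own namespace, address it) can be driven from a script. The following is an added example, not part of the article: port_commands() returns the commands the article runs for one port, setup_ports() applies them to all three ports of Table 2, and assigned_ofport() reads back the number OVS actually assigned with ovs-vsctl get, because ofport_request is only a request. It runs in dry-run mode by default and merely prints the commands; pass dry_run=False on a host with OVS and root privileges to execute them.

```python
"""Create the ports of Table 2 with one script (added example, not from the
article). Commands are the ones the article runs per port; dry_run=True only
prints them, so the script can be read and checked without OVS installed."""
import subprocess

BRIDGE = "ovs-switch"
# (port name, requested OpenFlow port number, namespace, address) from Table 2
PORTS = [
    ("p0", 100, "ns0", "192.168.1.100/24"),
    ("p1", 101, "ns1", "192.168.1.101/24"),
    ("p2", 102, "ns2", "192.168.1.102/24"),
]


def port_commands(bridge, name, ofport, netns, cidr):
    """The command sequence for one port, as argv lists (no shell involved)."""
    return [
        ["ovs-vsctl", "add-port", bridge, name, "--",
         "set", "Interface", name, f"ofport_request={ofport}"],
        ["ovs-vsctl", "set", "Interface", name, "type=internal"],
        ["ip", "netns", "add", netns],
        ["ip", "link", "set", name, "netns", netns],
        ["ip", "netns", "exec", netns, "ip", "addr", "add", cidr, "dev", name],
        ["ip", "netns", "exec", netns, "ifconfig", name, "promisc", "up"],
    ]


def run_all(commands, runner=subprocess.run, dry_run=True):
    """Print (dry run) or execute each command; returns the commands issued."""
    for argv in commands:
        if dry_run:
            print("$ " + " ".join(argv))
        else:
            runner(argv, check=True)
    return commands


def assigned_ofport(name, runner=subprocess.run):
    """Read back the OpenFlow port number OVS actually gave an interface.
    ofport_request is only a request: a value of -1 (or an empty value)
    means no number has been assigned, which is returned here as None."""
    out = runner(["ovs-vsctl", "get", "Interface", name, "ofport"],
                 capture_output=True, text=True, check=True).stdout.strip()
    return None if out in ("-1", "[]") else int(out)


def setup_ports(bridge=BRIDGE, ports=PORTS, runner=subprocess.run, dry_run=True):
    """Create every port, then check that each requested number was honoured.
    Returns {port name: True/False}; empty in dry-run mode (nothing to verify)."""
    for name, ofport, netns, cidr in ports:
        run_all(port_commands(bridge, name, ofport, netns, cidr), runner, dry_run)
    if dry_run:
        return {}
    return {name: assigned_ofport(name, runner) == ofport
            for name, ofport, _, _ in ports}


if __name__ == "__main__":
    setup_ports()  # dry run: prints the commands; use dry_run=False to apply them
```

The runner parameter exists so the sequence can be exercised against a fake before it is run as root; the read-back step is the check that catches a number OVS silently refused.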

Table 2. Created port information

Port  Description
p0    IP address: 192.168.1.100/24
      Network namespace: ns0
      Network interface MAC address: 66:4e:cc:ae:4d:20
      OpenFlow port number: 100
p1    IP address: 192.168.1.101/24
      Network namespace: ns1
      Network interface MAC address: 46:54:8a:95:dd:f8
      OpenFlow port number: 101
p2    IP address: 192.168.1.102/24
      Network namespace: ns2
      Network interface MAC address: 86:3b:c8:d0:44:10
      OpenFlow port number: 102

After creating all the ports, view the ovs switch Information

$ ovs-vsctl show
30282710-d401-4187-8e13-52388f693df7
    Bridge ovs-switch
        Port "p0"
            Interface "p0"
                type: internal
        Port "p2"
            Interface "p2"
                type: internal
        Port "p1"
            Interface "p1"
                type: internal
        Port ovs-switch
            Interface ovs-switch
                type: internal

Use ovs-ofctl to create and test openflow commands

  1. View the port information of the switch. The output shows the datapath ID (dpid) of the switch and, for each port, its OpenFlow port number, name and current status.
    $ ovs-ofctl show ovs-switch
    OFPT_FEATURES_REPLY (xid=0x2): dpid:00001232a237ea45
    n_tables:254, n_buffers:256
    capabilities: FLOW_STATS TABLE_STATS PORT_STATS QUEUE_STATS ARP_MATCH_IP
    actions: OUTPUT SET_VLAN_VID SET_VLAN_PCP STRIP_VLAN SET_DL_SRC SET_DL_DST SET_NW_SRC SET_NW_DST SET_NW_TOS SET_TP_SRC SET_TP_DST ENQUEUE
     100(p0): addr:54:01:00:00:00:00
         config:     PORT_DOWN
         state:      LINK_DOWN
         speed: 0 Mbps now, 0 Mbps max
     101(p1): addr:54:01:00:00:00:00
         config:     PORT_DOWN
         state:      LINK_DOWN
         speed: 0 Mbps now, 0 Mbps max
     102(p2): addr:54:01:00:00:00:00
         config:     PORT_DOWN
         state:      LINK_DOWN
         speed: 0 Mbps now, 0 Mbps max
     LOCAL(ovs-switch): addr:12:32:a2:37:ea:45
         config:     0
         state:      0
         speed: 0 Mbps now, 0 Mbps max
    OFPT_GET_CONFIG_REPLY (xid=0x4): frags=normal miss_send_len=0

    The OpenFlow port number of an interface can also be read from the OVS database.

    $ ovs-vsctl get Interface p0 ofport
    100

    View datapath Information

    $ ovs-dpctl show
    system@ovs-system:
        lookups: hit:12173 missed:712 lost:0
        flows: 0
        port 0: ovs-system (internal)
        port 1: ovs-switch (internal)
        port 2: p0 (internal)
        port 3: p1 (internal)
        port 4: p2 (internal)
  2. Shield (drop) data packets

    Drop all Ethernet broadcast frames entering OVS

    $ ovs-ofctl add-flow ovs-switch "table=0, dl_src=01:00:00:00:00:00/01:00:00:00:00:00, actions=drop"

    Drop STP protocol broadcast frames

    $ ovs-ofctl add-flow ovs-switch "table=0, dl_dst=01:80:c2:00:00:00/ff:ff:ff:ff:ff:f0, actions=drop"
  3. Modify data packets

    Add a flow entry that rewrites the source address of packets received on port p0 to 9.181.137.1.

    $ ovs-ofctl add-flow ovs-switch "priority=1,idle_timeout=0,in_port=100,actions=mod_nw_src:9.181.137.1,normal"

    Send test data from Port P0 (192.168.1.100) to port P1 (192.168.1.101)

    $ ip netns exec ns0 ping 192.168.1.101

    Capturing on p1 shows that the source address of the received packets has been changed to 9.181.137.1.

    $ ip netns exec ns1 tcpdump -i p1 icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on p1, link-type EN10MB (Ethernet), capture size 65535 bytes
    15:59:16.885770 IP 9.181.137.1 > 192.168.1.101: ICMP echo request, id 23111, seq 457, length 64
    15:59:17.893809 IP 9.181.137.1 > 192.168.1.101: ICMP echo request, id 23111, seq 458, length 64
  4. Redirect data packets

    Add a flow entry that redirects all ICMP packets to port p2

    $ ovs-ofctl add-flow ovs-switch idle_timeout=0,dl_type=0x0800,nw_proto=1,actions=output:102

    Send data from Port P0 (192.168.1.100) to port P1 (192.168.1.101)

    $ ip netns exec ns0 ping 192.168.1.101

    Capturing on port p2 (in namespace ns2, see Table 2) shows that the packets have been forwarded to p2

    $ ip netns exec ns2 tcpdump -i p2 icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on p2, link-type EN10MB (Ethernet), capture size 65535 bytes
    16:07:35.677770 IP 192.168.1.100 > 192.168.1.101: ICMP echo request, id 23147, seq 25, length 64
    16:07:36.685824 IP 192.168.1.100 > 192.168.1.101: ICMP echo request, id 23147, seq 26, length 64
  5. Modify the VLAN tag of a data packet

    Besides Linux tools such as ping, tcpdump and iperf, the ovs-appctl ofproto/trace tool shipped with OVS can be used to examine how OVS forwards packets. It injects a simulated packet and shows, step by step, how OVS processes it through the flow table. The following example shows how to use it:

    Set the VLAN tag of port p1 to 101, so that p1 becomes an access port in VLAN 101.

    $ ovs-vsctl set Port p1 tag=101

    Because ports p0 and p1 are now in different VLANs, they can no longer exchange traffic. We use ovs-appctl ofproto/trace to inject a packet from port p0 to port p1 that carries no VLAN tag and watch how OVS processes it.

    $ ovs-appctl ofproto/trace ovs-switch in_port=100,dl_src=66:4e:cc:ae:4d:20,dl_dst=46:54:8a:95:dd:f8 -generate
    Flow: metadata=0,in_port=100,vlan_tci=0x0000,dl_src=66:4e:cc:ae:4d:20,dl_dst=46:54:8a:95:dd:f8,dl_type=0x0000
    Rule: table=0 cookie=0 priority=0
    OpenFlow actions=NORMAL
    no learned MAC for destination, flooding

    Final flow: unchanged
    Relevant fields: skb_priority=0,in_port=100,vlan_tci=0x0000/0x1fff,dl_src=66:4e:cc:ae:4d:20,dl_dst=46:54:8a:95:dd:f8,dl_type=0x0000,nw_frag=no
    Datapath actions: 4,1

    In the first line of the output, the fields after "Flow:" describe the injected packet. Because the command specified only a few fields, OVS left most of the others (such as dl_type and vlan_tci) at zero.

    The second line, after "Rule:", shows the flow table entry that matched.

    The third line, after "OpenFlow actions", shows the actions actually executed.

    The block starting with "Final flow" summarizes the whole process; "Datapath actions:" shows that the packet is sent out of datapath ports 4 and 1.

    Create a new flow: packets entering the switch from port p0 without any VLAN tag automatically get VLAN tag 101 added.

    $ ovs-ofctl add-flow ovs-switch "priority=3,in_port=100,dl_vlan=0xffff,actions=mod_vlan_vid:101,normal"

    Inject an untagged packet from port p0 again. This time, after entering port p0 the packet gets VLAN tag 101 and is forwarded to port p1.

    $ ovs-appctl ofproto/trace ovs-switch in_port=100,dl_src=66:4e:cc:ae:4d:20,dl_dst=46:54:8a:95:dd:f8 -generate
    Flow: metadata=0,in_port=100,vlan_tci=0x0000,dl_src=66:4e:cc:ae:4d:20,dl_dst=46:54:8a:95:dd:f8,dl_type=0x0000
    Rule: table=0 cookie=0 priority=3,in_port=100,vlan_tci=0x0000
    OpenFlow actions=mod_vlan_vid:101,NORMAL
    forwarding to learned port

    Final flow: metadata=0,in_port=100,dl_vlan=101,dl_vlan_pcp=0,dl_src=66:4e:cc:ae:4d:20,dl_dst=46:54:8a:95:dd:f8,dl_type=0x0000
    Relevant fields: skb_priority=0,in_port=100,vlan_tci=0x0000/0x1fff,dl_src=66:4e:cc:ae:4d:20,dl_dst=46:54:8a:95:dd:f8,dl_type=0x0000,nw_frag=no
    Datapath actions: 3

    Conversely, send a packet from port p1. Since p1 is now an access port in VLAN 101, after the packet enters port p1 OVS pushes VLAN tag 101 and sends it to port p0.

    $ ovs-appctl ofproto/trace ovs-switch in_port=101,dl_dst=66:4e:cc:ae:4d:20,dl_src=46:54:8a:95:dd:f8 -generate
    Flow: metadata=0,in_port=101,vlan_tci=0x0000,dl_src=46:54:8a:95:dd:f8,dl_dst=66:4e:cc:ae:4d:20,dl_type=0x0000
    Rule: table=0 cookie=0 priority=0
    OpenFlow actions=NORMAL
    forwarding to learned port

    Final flow: unchanged
    Relevant fields: skb_priority=0,in_port=101,vlan_tci=0x0000,dl_src=46:54:8a:95:dd:f8,dl_dst=66:4e:cc:ae:4d:20,dl_type=0x0000,nw_frag=no
    Datapath actions: push_vlan(vid=101,pcp=0),2
  6. Other common openflow operations

    View all tables in the vswitch

    ovs-ofctl dump-tables ovs-switch

    View All flow table items in the vswitch

    ovs-ofctl dump-flows ovs-switch

    Delete all flow table entries on port 100

    ovs-ofctl del-flows ovs-switch "in_port=100"

    View port information on a vswitch

    ovs-ofctl show ovs-switch


Use floodlight to manage ovs

An OpenFlow controller connects, over the OpenFlow protocol, to any switch that supports OpenFlow and controls forwarding by exchanging flow table rules with the switch. It also exposes interfaces through which users can dynamically change the network architecture and modify the switches' flow rules. Floodlight is an enterprise-grade OpenFlow controller written in Java and released under the Apache license. The following example shows how to install Floodlight and use it to connect to and manage OVS.

Installing Floodlight is simple. On another machine, download the Floodlight source code and build it.

$ git clone git://github.com/floodlight/floodlight.git
$ cd floodlight/
$ ant

Run Floodlight

$ java -jar target/floodlight.jar

On the node where the OVS switch is installed, configure the bridge ovs-switch to use Floodlight as its controller. By default Floodlight listens on port 6633; with ovs-vsctl we point the switch at it over TCP (IP address 9.181.137.182, port 6633). An OVS switch can be configured with one or more controllers at the same time.

$ ovs-vsctl set-controller ovs-switch tcp:9.181.137.182:6633

Once the switch is connected to the Floodlight controller, in theory all flow table rules should be created by the controller. Because switch and controller talk over the network, a lost connection can prevent flows from being established. OVS provides two modes for this case:

  • standalone: the default. If the switch fails to reach the OpenFlow controller more than three times, it builds its own flow table and behaves like an ordinary layer-2 switch, while continuing to retry the controller; once the connection is restored, flow table management is handed back to the controller.
  • secure: if the switch cannot connect to the controller, it keeps retrying and never builds its own flow table.

Set the connection mode of ovs to secure.

$ ovs-vsctl set Bridge ovs-switch fail-mode=secure

View the OVS status. "is_connected: true" shows that OVS has connected to Floodlight.

$ ovs-vsctl show
30282710-d401-4187-8e13-52388f693df7
    Bridge ovs-switch
        Controller "tcp:9.181.137.182:6633"
            is_connected: true
        Port ovs-switch
            Interface ovs-switch
                type: internal
        Port "p0"
            Interface "p0"
                type: internal
        Port "p1"
            tag: 101
            Interface "p1"
                type: internal
        Port "p2"
            Interface "p2"
                type: internal

Access the Floodlight web management interface over HTTP.

Figure 2. Floodlight main interface

Select an openflow switch to view the port list and flow table information.

Figure 3. Details of the OpenFlow switch

Use Floodlight's REST API to add two rules so that ports p0 and p1 can communicate with each other. Note: replace the switch ID in the commands with the datapath ID of your switch.

curl -d '{"switch": "00:00:0e:f9:05:6b:7c:44", "name":"my-flow1", "cookie":"0","priority":"32768","ingress-port":"100","active":"true", "actions":"output=flood"}' http://9.181.137.182:8080/wm/staticflowentrypusher/json
curl -d '{"switch": "00:00:0e:f9:05:6b:7c:44", "name":"my-flow2", "cookie":"0","priority":"32768","ingress-port":"101","active":"true", "actions":"output=flood"}' http://9.181.137.182:8080/wm/staticflowentrypusher/json

Verify that packets can now be sent from port p0 to p1

$ ip netns exec ns0 ping -c4 192.168.1.101
PING 192.168.1.101 (192.168.1.101) 56(84) bytes of data.
64 bytes from 192.168.1.101: icmp_req=1 ttl=64 time=0.027 ms
64 bytes from 192.168.1.101: icmp_req=2 ttl=64 time=0.018 ms
64 bytes from 192.168.1.101: icmp_req=3 ttl=64 time=0.023 ms
64 bytes from 192.168.1.101: icmp_req=4 ttl=64 time=0.022 ms

--- 192.168.1.101 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2998ms
rtt min/avg/max/mdev = 0.018/0.022/0.027/0.005 ms

On the OVS side we can see that the flow rules have been synchronized into the local flow table.

$ ovs-ofctl dump-flows ovs-switch
NXST_FLOW reply (xid=0x4):
 cookie=0xa0000000000000, duration=335.122s, table=0, n_packets=347, n_bytes=28070, idle_age=1, in_port=100 actions=FLOOD
 cookie=0xa0000000000000, duration=239.892s, table=0, n_packets=252, n_bytes=24080, idle_age=0, in_port=101 actions=FLOOD
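A dump-flows listing like the one above is the record of what the switch is actually doing, so it is worth parsing rather than reading by eye. The following is an added example (not OVS or Floodlight code) that turns each NXST_FLOW line into a dict and flags entries a defender would review: flows whose cookie differs from the one the controller stamped on its rules (0xa0000000000000 in the listing above), flows whose actions rewrite addresses the way the mod_nw_src rule did in the ovs-ofctl section, and drop rules that have discarded traffic. The sample listing is constructed: the two Floodlight rules from above plus two hand-installed flows of the kind added earlier with ovs-ofctl.

```python
"""Audit an 'ovs-ofctl dump-flows' listing (added example, not OVS code)."""
import re

# Constructed sample listing: the two Floodlight flows shown in the article
# plus two hand-installed flows of the kind added with ovs-ofctl earlier.
SAMPLE = """NXST_FLOW reply (xid=0x4):
 cookie=0xa0000000000000, duration=335.122s, table=0, n_packets=347, n_bytes=28070,   idle_age=1, in_port=100 actions=FLOOD
 cookie=0xa0000000000000, duration=239.892s, table=0, n_packets=252, n_bytes=24080,   idle_age=0, in_port=101 actions=FLOOD
 cookie=0x0, duration=12.001s, table=0, n_packets=5, n_bytes=490, idle_age=3, priority=1,in_port=100 actions=mod_nw_src:9.181.137.1,NORMAL
 cookie=0x0, duration=8.420s, table=0, n_packets=17, n_bytes=1020, idle_age=8, dl_dst=01:80:c2:00:00:00/ff:ff:ff:ff:ff:f0 actions=drop
"""

CONTROLLER_COOKIE = 0xa0000000000000  # the value Floodlight used in the listing
INT_FIELDS = ("cookie", "table", "n_packets", "n_bytes", "priority")
AGE_FIELDS = ("duration", "idle_age", "hard_age")
REWRITE_ACTIONS = ("mod_nw_src", "mod_nw_dst", "mod_dl_src", "mod_dl_dst", "mod_vlan_vid")


def parse_dump_flows(text):
    """Turn each flow line into {'cookie', 'table', ..., 'match': {...}, 'actions': [...]}."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("NXST_FLOW") or line.startswith("OFPST_FLOW"):
            continue
        head, _, action_text = line.partition(" actions=")
        flow = {"match": {},
                "actions": [a.strip() for a in action_text.split(",") if a.strip()]}
        for item in re.split(r"[,\s]+", head):
            key, _, value = item.partition("=")
            if key in INT_FIELDS:
                flow[key] = int(value, 0)
            elif key and key not in AGE_FIELDS:
                flow["match"][key] = value  # match fields keep their textual form
        flow.setdefault("priority", 32768)  # dump-flows omits the default priority
        flows.append(flow)
    return flows


def audit(flows, controller_cookie=CONTROLLER_COOKIE):
    """Return (reason, flow) pairs for entries that deserve a second look."""
    findings = []
    for flow in flows:
        if flow.get("cookie") != controller_cookie:
            findings.append(("cookie not set by controller", flow))
        for action in flow["actions"]:
            if action.split(":", 1)[0].lower() in REWRITE_ACTIONS:
                findings.append(("header rewrite: " + action, flow))
        if [a.lower() for a in flow["actions"]] == ["drop"] and flow.get("n_packets", 0):
            findings.append(("active drop rule", flow))
    return findings


def report(text=SAMPLE):
    """Parse and audit a listing, returning the findings as printable lines."""
    lines = []
    for reason, flow in audit(parse_dump_flows(text)):
        match = ",".join(f"{k}={v}" for k, v in flow["match"].items()) or "(any)"
        lines.append(f"{reason}: table={flow['table']} priority={flow['priority']} "
                     f"{match} -> {','.join(flow['actions'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Feed it the real output of ovs-ofctl dump-flows (for example via subprocess) to run the same check on a live switch; the cookie comparison is only meaningful once you know what value your controller stamps, which the listing above makes visible.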

View the flow table rules on the switch through the Floodlight REST API

curl http://9.181.137.182:8080/wm/staticflowentrypusher/list/00:00:0e:f9:05:6b:7c:44/json

Delete the flow table rules on the switch through the Floodlight REST API

curl http://9.181.137.182:8080/wm/staticflowentrypusher/clear/00:00:0e:f9:05:6b:7c:44/json


Summary

Through the introduction and experiments in this article we have covered the basic concepts of Open vSwitch and OpenFlow, modified flow table entries in Open vSwitch through the OpenFlow protocol, and finally shown how to connect Floodlight to Open vSwitch and manage it from there.
