The OpenFlow practice based on open vswitch

Source: Internet
Author: User

Open vSwitch (hereinafter OVS) is a virtual switch that runs on virtualization platforms such as KVM and Xen; its development is led by Nicira Networks. On a virtualization platform, OVS provides layer-2 switching for dynamically changing endpoints and gives good control over access policies, network isolation and traffic monitoring in the virtual network.

OVS is released under the Apache 2.0 license and supports several standard management interfaces and protocols at the same time. OVS also supports the OpenFlow protocol, which lets a user control OVS remotely from any controller that speaks OpenFlow.

Open vSwitch Overview

In OVS, there are several very important concepts:

    • Bridge: a bridge represents an Ethernet switch; a single host can create one or more bridge devices.
    • Port: similar to a port on a physical switch; each port belongs to a bridge.
    • Interface: the network interface device attached to a port. Normally a port and an interface have a one-to-one relationship; a port has several interfaces only when it is configured in bond mode.
    • Controller: an OpenFlow controller. OVS can be managed by one or more OpenFlow controllers at the same time.
    • Datapath: in OVS, the datapath performs the actual packet switching: it matches packets received on an input port against the flow table and executes the actions of the matching entry.
    • Flow table: each datapath is associated with a flow table. When the datapath receives a packet, OVS looks up a matching flow in the table and executes its actions, such as forwarding the packet to another port.
Open vSwitch Experimental Environment Configuration

OVS can be installed on the mainstream Linux distributions; users can either install a prebuilt package or download the source code and compile it.

In our experimental environment the operating system is 64-bit Ubuntu Server 12.04.3 LTS, and Open vSwitch 1.11.0 was compiled and installed from source.

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 12.04.3 LTS
Release:        12.04
Codename:       precise

Compiling and installing OVS from source is described in the official document "How to Install Open vSwitch on Linux, FreeBSD and NetBSD".

After installation, check that the OVS processes are running:

$ ps -ea | grep ovs
12533 ?        00:00:00 ovs_workq
12549 ?        00:00:04 ovsdb-server
12565 ?        00:00:48 ovs-vswitchd
12566 ?        00:00:00 ovs-vswitchd

View the OVS version; we installed version 1.11.0:

$ ovs-appctl --version
ovs-appctl (Open vSwitch) 1.11.0
Compiled Oct 28 2013 14:17:16

View the OpenFlow protocol versions supported by OVS:

$ ovs-ofctl --version
ovs-ofctl (Open vSwitch) 1.11.0
Compiled Oct 28 2013 14:17:17
OpenFlow versions 0x1:0x4

OpenFlow Practice Based on Open vSwitch

OpenFlow is the protocol used to manage a switch's flow tables, and ovs-ofctl is the command-line tool that OVS provides for it. When no OpenFlow controller is configured, a user can use ovs-ofctl to connect to OVS over the OpenFlow protocol, create, modify or delete flow table entries, and monitor the state of the switch.

Figure 1. OpenFlow's matching process

Flow Syntax Description

The OpenFlow white paper defines a flow as a particular kind of network traffic: a TCP connection is a flow, and so are all packets sent from one IP address. A switch that supports OpenFlow contains one or more flow tables; each entry in a flow table holds header fields to match, the instructions to execute after a successful match, and statistics.

When a packet enters OVS, it is matched against the entries of the flow table. If a matching entry is found, its instruction set is executed. If the packet matches nothing in the flow table, OVS sends it to the OpenFlow controller over the control channel.

In OVS, a flow table entry is passed to ovs-ofctl as a parameter in the form field=value. Multiple fields are separated by commas or spaces. The commonly used fields are listed below:

Table 1. Commonly used flow table fields

in_port=port
    OpenFlow port number of the port on which the packet arrived.
dl_vlan=vlan
    VLAN tag of the packet, in the range 0-4095; 0xffff matches packets that carry no VLAN tag.
dl_src=<mac>, dl_dst=<mac>
    Match the source or destination MAC address. 01:00:00:00:00:00/01:00:00:00:00:00 represents broadcast addresses; 00:00:00:00:00:00/01:00:00:00:00:00 represents unicast addresses.
dl_type=ethertype
    Match the Ethernet protocol type: dl_type=0x0800 is IPv4, dl_type=0x86dd is IPv6 and dl_type=0x0806 is ARP. A complete list of types can be found in the Ethernet protocol type list.
nw_src=ip[/netmask], nw_dst=ip[/netmask]
    When dl_type=0x0800, match the source or destination IPv4 address; an IP address or a hostname may be given.
nw_proto=proto
    Used together with the dl_type field. When dl_type=0x0800, matches the IP protocol number; when dl_type=0x86dd, matches the IPv6 protocol number. The full list can be found in the IP protocol number list.
table=number
    Number of the flow table to use, in the range 0-254; the default is 0. By giving a table number you can create or modify flows in several tables.
reg<idx>=value[/mask]
    Value of a register in the switch. All registers are zero when a packet enters the switch; the user can modify them with actions.

For the three commands add-flow, add-flows and mod-flows, you must also specify the actions to perform: actions=[target][,target...]

A flow entry may carry several actions; they are executed in the order given.

Common actions include the following:

    • output:port: output the packet to the specified port; port is the OpenFlow port number
    • mod_vlan_vid:vlan: set the VLAN tag of the packet
    • strip_vlan: remove the VLAN tag from the packet
    • mod_dl_src:mac / mod_dl_dst:mac: rewrite the source or destination MAC address
    • mod_nw_src:ip / mod_nw_dst:ip: rewrite the source or destination IPv4 address
    • resubmit:port: replace the in_port field with port and re-match the packet against the flow table
    • load:value->dst[start..end]: write a value into the specified field (bit range)
Practicing OpenFlow Commands

In this example we create an OVS switch that is not connected to any controller and show how to manipulate its OpenFlow flow table with the ovs-ofctl command.

Create a new OVS switch:

$ ovs-vsctl add-br ovs-switch

Create a port p0 and set its OpenFlow port number to 100 (if no OpenFlow port number is specified when the port is created, OVS assigns one automatically):

$ ovs-vsctl add-port ovs-switch p0 -- set Interface p0 ofport_request=100

Set the interface type to "internal". For an internal interface, OVS also creates a corresponding network device in the Linux system that can send and receive data; we can assign an IP address to it, capture traffic on it, and so on.

$ ovs-vsctl set Interface p0 type=internal
$ ethtool -i p0
driver: openvswitch
version:
firmware-version:
bus-info:
supports-statistics: no
supports-test: no
supports-eeprom-access: no
supports-register-dump: no

To avoid a conflict between the address on this interface and the host's network addresses, we create a network namespace ns0, move the p0 interface into ns0, and assign it the IP address 192.168.1.100:

$ ip netns add ns0
$ ip link set p0 netns ns0
$ ip netns exec ns0 ip addr add 192.168.1.100/24 dev p0
$ ip netns exec ns0 ifconfig p0 promisc up

Create ports p1 and p2 in the same way.

Table 2. The ports created

p0
    IP address: 192.168.1.100/24
    Network namespace: ns0
    Interface MAC address: 66:4e:cc:ae:4d:20
    OpenFlow port number: 100
p1
    IP address: 192.168.1.101/24
    Network namespace: ns1
    Interface MAC address: 46:54:8a:95:dd:f8
    OpenFlow port number: 101
p2
    IP address: 192.168.1.102/24
    Network namespace: ns2
    Interface MAC address: 86:3b:c8:d0:44:10
    OpenFlow port number: 102

After creating all the ports, view the configuration of the OVS switch:

$ ovs-vsctl show
30282710-d401-4187-8e13-52388f693df7
    Bridge ovs-switch
        Port "p0"
            Interface "p0"
                type: internal
        Port "p2"
            Interface "p2"
                type: internal
        Port "p1"
            Interface "p1"
                type: internal
        Port ovs-switch
            Interface ovs-switch
                type: internal

Creating and testing OpenFlow entries with ovs-ofctl

  1. View the port information of the Open vSwitch. From the output you can obtain the switch's datapath ID (dpid) as well as the OpenFlow port number, name and current status of each port.

    $ ovs-ofctl show ovs-switch
    OFPT_FEATURES_REPLY (xid=0x2): dpid:00001232a237ea45
    n_tables:254, n_buffers:256
    capabilities: FLOW_STATS TABLE_STATS PORT_STATS QUEUE_STATS ARP_MATCH_IP
    actions: OUTPUT SET_VLAN_VID SET_VLAN_PCP STRIP_VLAN SET_DL_SRC SET_DL_DST SET_NW_SRC SET_NW_DST SET_NW_TOS SET_TP_SRC SET_TP_DST ENQUEUE
     100(p0): addr:54:01:00:00:00:00
         config:     PORT_DOWN
         state:      LINK_DOWN
         speed: 0 Mbps now, 0 Mbps max
     101(p1): addr:54:01:00:00:00:00
         config:     PORT_DOWN
         state:      LINK_DOWN
         speed: 0 Mbps now, 0 Mbps max
     102(p2): addr:54:01:00:00:00:00
         config:     PORT_DOWN
         state:      LINK_DOWN
         speed: 0 Mbps now, 0 Mbps max
     LOCAL(ovs-switch): addr:12:32:a2:37:ea:45
         config:     0
         state:      0
         speed: 0 Mbps now, 0 Mbps max
    OFPT_GET_CONFIG_REPLY (xid=0x4): frags=normal miss_send_len=0

    To get the OpenFlow port number of a network interface, you can also query the OVS database:

    $ ovs-vsctl get Interface p0 ofport
    100

    View the datapath's information:

    $ ovs-dpctl show
    system@ovs-system:
        lookups: hit:12173 missed:712 lost:0
        flows: 0
        port 0: ovs-system (internal)
        port 1: ovs-switch (internal)
        port 2: p0 (internal)
        port 3: p1 (internal)
        port 4: p2 (internal)
  2. Dropping packets

    Drop all Ethernet broadcast packets entering OVS:

    $ ovs-ofctl add-flow ovs-switch "table=0, dl_src=01:00:00:00:00:00/01:00:00:00:00:00, actions=drop"

    Drop the broadcast packets of the STP protocol:

    $ ovs-ofctl add-flow ovs-switch "table=0, dl_dst=01:80:c2:00:00:00/ff:ff:ff:ff:ff:f0, actions=drop"
  3. Modifying packets

    Add a new OpenFlow entry that rewrites the source address of packets received on port p0 to 9.181.137.1:

    $ ovs-ofctl add-flow ovs-switch "priority=1,idle_timeout=0,in_port=100,actions=mod_nw_src:9.181.137.1,normal"

    Send test traffic from port p0 (192.168.1.100) to port p1 (192.168.1.101):

    $ ip netns exec ns0 ping 192.168.1.101

    Capturing on the receiving port p1 shows that the source address of the received packets has been changed to 9.181.137.1:

    $ ip netns exec ns1 tcpdump -i p1 icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on p1, link-type EN10MB (Ethernet), capture size 65535 bytes
    15:59:16.885770 IP 9.181.137.1 > 192.168.1.101: ICMP echo request, id 23111, seq 457, length 64
    15:59:17.893809 IP 9.181.137.1 > 192.168.1.101: ICMP echo request, id 23111, seq 458, length 64
  4. Redirecting packets

    Add a new OpenFlow entry that redirects all ICMP packets to port p2:

    $ ovs-ofctl add-flow ovs-switch "idle_timeout=0,dl_type=0x0800,nw_proto=1,actions=output:102"

    Send traffic from port p0 (192.168.1.100) to port p1 (192.168.1.101):

    $ ip netns exec ns0 ping 192.168.1.101

    Capturing on port p2 shows that the packets have been forwarded to port p2:

    $ ip netns exec ns2 tcpdump -i p2 icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on p2, link-type EN10MB (Ethernet), capture size 65535 bytes
    16:07:35.677770 IP 192.168.1.100 > 192.168.1.101: ICMP echo request, id 23147, seq, length 64
    16:07:36.685824 IP 192.168.1.100 > 192.168.1.101: ICMP echo request, id 23147, seq 64, length 64
  5. Modifying the VLAN tag of a packet

    Besides Linux commands such as ping, tcpdump and iperf, we can also use the ovs-appctl ofproto/trace tool provided by OVS to test how OVS forwards packets. ovs-appctl ofproto/trace generates a simulated test packet and shows, step by step, how OVS processes it. The following example shows how to use this command.

    Set the VLAN tag of port p1 to 101, so that p1 becomes a port belonging to VLAN 101:

    $ ovs-vsctl set Port p1 tag=101

    Now that ports p0 and p1 belong to different VLANs, they can no longer exchange data. We use ovs-appctl ofproto/trace to generate a packet without any VLAN tag, sent from port p0 to port p1, and observe how OVS processes it:

    $ ovs-appctl ofproto/trace ovs-switch in_port=100,dl_src=66:4e:cc:ae:4d:20,dl_dst=46:54:8a:95:dd:f8 -generate
    Flow: metadata=0,in_port=100,vlan_tci=0x0000,dl_src=66:4e:cc:ae:4d:20,dl_dst=46:54:8a:95:dd:f8,dl_type=0x0000
    Rule: table=0 cookie=0 priority=0
    OpenFlow actions=NORMAL
    no learned MAC for destination, flooding

    Final flow: unchanged
    Relevant fields: skb_priority=0,in_port=100,vlan_tci=0x0000/0x1fff,dl_src=66:4e:cc:ae:4d:20,dl_dst=46:54:8a:95:dd:f8,dl_type=0x0000,nw_frag=no
    Datapath actions: 4,1

    In the first line of output, the fields after "Flow:" describe the packet as it entered. Because we did not specify much information, several fields (such as dl_type and vlan_tci) are left at empty (zero) values by OVS.

    In the second line, the fields after "Rule:" describe the flow table entry that matched.

    In the third line, the fields after "OpenFlow actions" describe the actions that were actually executed.

    The last part, starting with "Final flow", summarizes the whole process; "Datapath actions: 4,1" means the packet is sent out of datapath ports 4 and 1.

    Create a new flow: a packet that enters the switch from port p0 without any VLAN tag is automatically given VLAN tag 101.

    $ ovs-ofctl add-flow ovs-switch "priority=3,in_port=100,dl_vlan=0xffff,actions=mod_vlan_vid:101,normal"

    Again send a packet without any VLAN tag from port p0. When the packet enters port p0, it is given VLAN tag 101 and forwarded to port p1:

    $ ovs-appctl ofproto/trace ovs-switch in_port=100,dl_src=66:4e:cc:ae:4d:20,dl_dst=46:54:8a:95:dd:f8 -generate
    Flow: metadata=0,in_port=100,vlan_tci=0x0000,dl_src=66:4e:cc:ae:4d:20,dl_dst=46:54:8a:95:dd:f8,dl_type=0x0000
    Rule: table=0 cookie=0 priority=3,in_port=100,vlan_tci=0x0000
    OpenFlow actions=mod_vlan_vid:101,NORMAL
    forwarding to learned port

    Final flow: metadata=0,in_port=100,dl_vlan=101,dl_vlan_pcp=0,dl_src=66:4e:cc:ae:4d:20,dl_dst=46:54:8a:95:dd:f8,dl_type=0x0000
    Relevant fields: skb_priority=0,in_port=100,vlan_tci=0x0000/0x1fff,dl_src=66:4e:cc:ae:4d:20,dl_dst=46:54:8a:95:dd:f8,dl_type=0x0000,nw_frag=no
    Datapath actions: 3

    Conversely, send a packet from port p1. Since p1 is now an access port with VLAN tag 101, after the packet enters port p1 OVS adds VLAN tag 101 and sends it to port p0:

    $ ovs-appctl ofproto/trace ovs-switch in_port=101,dl_dst=66:4e:cc:ae:4d:20,dl_src=46:54:8a:95:dd:f8 -generate
    Flow: metadata=0,in_port=101,vlan_tci=0x0000,dl_src=46:54:8a:95:dd:f8,dl_dst=66:4e:cc:ae:4d:20,dl_type=0x0000
    Rule: table=0 cookie=0 priority=0
    OpenFlow actions=NORMAL
    forwarding to learned port

    Final flow: unchanged
    Relevant fields: skb_priority=0,in_port=101,vlan_tci=0x0000,dl_src=46:54:8a:95:dd:f8,dl_dst=66:4e:cc:ae:4d:20,dl_type=0x0000,nw_frag=no
    Datapath actions: push_vlan(vid=101,pcp=0),2
  6. Other common OpenFlow operations

    View all tables in the switch:

    $ ovs-ofctl dump-tables ovs-switch

    View all flow table entries in the switch:

    $ ovs-ofctl dump-flows ovs-switch

    Delete all flow table entries for the port numbered 100:

    $ ovs-ofctl del-flows ovs-switch "in_port=100"

    View the port information of the switch:

    $ ovs-ofctl show ovs-switch
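As an added example (not code from the original article or from Open vSwitch), the following Python model implements the lookup described under "Flow Syntax Description" and exercised in steps 2 to 5 above: it parses ovs-ofctl flow specs using the Table 1 fields, selects the highest-priority matching entry and runs its actions in order. The packet-as-dict representation and the handling of the NORMAL action as an opaque output are assumptions of the model; with the four entries installed in the order the article adds them, it also shows that the step 4 redirect (default priority 32768) beats the priority=1 rewrite of step 3, which is why the capture on p2 shows an unmodified source address.

```python
# Added example, not from the original article: a model of the OVS flow-table lookup
# (Figure 1) that parses ovs-ofctl flow specs, matches a packet dict and runs the actions.
_mac = lambda s: int(s.replace(":", ""), 16)   # "aa:bb:cc:dd:ee:ff" -> int

def parse_flow(spec):
    """Parse e.g. 'priority=3,in_port=100,dl_vlan=0xffff,actions=mod_vlan_vid:101,normal'."""
    body, _, acts = spec.replace(" ", ",").partition("actions=")
    match = dict(tok.split("=", 1) for tok in body.split(",") if "=" in tok)
    prio = int(match.pop("priority", "32768"), 0)   # OVS default priority when unspecified
    match.pop("idle_timeout", None); match.pop("table", None)   # not match fields
    return {"priority": prio, "match": match, "actions": [a for a in acts.split(",") if a]}

def matches(flow, pkt):
    """True when every match field of the flow agrees with the packet."""
    for field, want in flow["match"].items():
        if field in ("in_port", "dl_type", "nw_proto"):
            ok = pkt.get(field) == int(want, 0)
        elif field == "dl_vlan":                 # 0xffff matches untagged packets only
            vid = int(want, 0)
            ok = pkt.get("vlan") == (None if vid == 0xFFFF else vid)
        elif field in ("dl_src", "dl_dst"):      # MAC with optional /mask, as in Table 1
            val, _, mask = want.partition("/")
            mask = _mac(mask) if mask else 0xFFFFFFFFFFFF
            ok = _mac(pkt[field]) & mask == _mac(val) & mask
        else:
            raise ValueError("unsupported match field: " + field)
        if not ok:
            return False
    return True

def forward(table, pkt):
    """Run the highest-priority matching entry's actions in order; return (packet, outputs)."""
    hits = [f for f in table if matches(f, pkt)]
    pkt, out = dict(pkt), []
    if not hits:                                 # table miss: OVS hands the packet to the controller
        return pkt, ["controller"]
    for act in max(hits, key=lambda f: f["priority"])["actions"]:
        name, _, arg = act.partition(":")
        if name == "drop":
            return pkt, []
        elif name in ("output", "normal"):       # normal = traditional L2 learning/flooding
            out.append(int(arg) if arg else "normal")
        elif name == "mod_vlan_vid":
            pkt["vlan"] = int(arg, 0)
        elif name in ("mod_dl_src", "mod_dl_dst", "mod_nw_src", "mod_nw_dst"):
            pkt[name[4:]] = arg                  # e.g. mod_nw_src:9.181.137.1 rewrites nw_src
        else:
            raise ValueError("unsupported action: " + act)
    return pkt, out

TABLE = [parse_flow(s) for s in (   # the article's four entries, in the order it adds them
    "table=0,dl_src=01:00:00:00:00:00/01:00:00:00:00:00,actions=drop",
    "priority=1 idle_timeout=0,in_port=100,actions=mod_nw_src:9.181.137.1,normal",
    "idle_timeout=0,dl_type=0x0800,nw_proto=1,actions=output:102",
    "priority=3,in_port=100,dl_vlan=0xffff,actions=mod_vlan_vid:101,normal")]
```

Calling forward(TABLE, pkt) with an ICMP echo from p0 returns the packet unchanged and output port 102; calling it with only the step 3 entry returns the packet with nw_src rewritten and the NORMAL output.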

This article is reproduced from http://www.ibm.com/developerworks/cn/cloud/library/1401_zhaoyi_openswitch/index.html
