How to use OpenFlow based on Open vSwitch

2025-04-05 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

The editor shares with you how to use OpenFlow based on Open vSwitch. I believe most people do not know much about it, so this article is shared for your reference; I hope you learn a lot from reading it.

Overview of Open vSwitch

Open vSwitch (hereinafter referred to as OVS) is a virtual switch, led by Nicira Networks, that runs on virtualization platforms such as KVM and Xen. On a virtualization platform, OVS provides layer 2 switching for dynamically changing endpoints and gives fine control over access policy, network isolation, traffic monitoring and so on in the virtual network.

OVS is licensed under Apache 2.0 and supports multiple standard management interfaces and protocols at the same time. OVS also supports the OpenFlow protocol, so users can use any controller that supports OpenFlow to remotely manage and control OVS.

Basic concepts of Open vSwitch

In OVS, there are several very important concepts:

Bridge: a Bridge represents an Ethernet switch; one or more Bridge devices can be created on a host.

Port: a Port is similar to a port on a physical switch; each Port belongs to a Bridge.

Interface: the network interface device attached to a Port. In general, Port and Interface have a one-to-one relationship; only when the Port is configured in bond mode is the relationship between Port and Interface one-to-many.

Controller: an OpenFlow controller. OVS can be managed by one or more OpenFlow controllers at the same time.

Datapath: in OVS, the datapath performs the actual data forwarding, that is, it matches packets received on an ingress port against the flow table and executes the actions of the matching entry.

Flow table: each datapath is associated with a flow table. When the datapath receives a packet, OVS looks up a matching flow in the flow table and performs the corresponding action, such as forwarding the packet to another port.

Open vSwitch lab environment configuration

OVS can be installed on mainstream Linux distributions; users can either install a pre-compiled package directly or download the source code and compile and install it.

In our experimental environment, the operating system is 64-bit Ubuntu Server 12.04.3 LTS, and Open vSwitch 1.11.0 is installed by source code compilation.

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 12.04.3 LTS
Release:        12.04
Codename:       precise

For the source code compilation and installation of OVS, please refer to the official documents How to Install Open vSwitch on Linux, FreeBSD and NetBSD.

After installation, check the operation of OVS:

$ ps -ea | grep ovs
12533 ?        00:00:00 ovs_workq
12549 ?        00:00:04 ovsdb-server
12565 ?        00:00:48 ovs-vswitchd
12566 ?        00:00:00 ovs-vswitchd

Check the version information of OVS. We installed version 1.11.0.

$ ovs-appctl --version
ovs-appctl (Open vSwitch) 1.11.0
Compiled Oct 28 2013 14:17:16

View the versions of the OpenFlow protocol supported by OVS.

$ ovs-ofctl --version
ovs-ofctl (Open vSwitch) 1.11.0
Compiled Oct 28 2013 14:17:17
OpenFlow versions 0x1:0x4


OpenFlow practice based on Open vSwitch

OpenFlow is a protocol for managing switch flow tables, and ovs-ofctl is the command line tool OVS provides for it. Without configuring an OpenFlow controller, users can use the ovs-ofctl command to connect to OVS over the OpenFlow protocol, create, modify or delete flow table entries in OVS, and monitor the operation of OVS dynamically.

Figure 1. Matching process of OpenFlow

Flow syntax description

In OpenFlow's white paper, a Flow is defined as a specific kind of network traffic: for example, a TCP connection is a Flow, and all packets from one IP address can also be considered a Flow. A switch that supports the OpenFlow protocol contains one or more flow tables, and each flow table entry holds packet header match information, the instructions to execute on a successful match, and statistics.

When a packet enters OVS, it is matched against the entries in the flow table; if a matching entry is found, the instruction set of that entry is executed. Conversely, if the packet matches no entry in the flow table, OVS sends the packet to the OpenFlow controller over the control channel.

In OVS, a flow table entry, passed as a parameter to ovs-ofctl, has the form field=value. Multiple fields are separated by commas or spaces. Some commonly used fields are listed below:

Table 1. Commonly used fields in the flow table

in_port=port: the OpenFlow port number of the port on which the packet arrived.

dl_vlan=vlan: the VLAN Tag value of the packet, in the range 0-4095. 0xffff represents a packet that does not contain a VLAN Tag.

dl_src=<mac>, dl_dst=<mac>: match the source or destination MAC address. 01:00:00:00:00:00/01:00:00:00:00:00 represents the broadcast address, and 00:00:00:00:00:00/01:00:00:00:00:00 represents unicast addresses.

dl_type=ethertype: match the Ethernet protocol type, where dl_type=0x0800 stands for IPv4, dl_type=0x86dd stands for IPv6 and dl_type=0x0806 stands for ARP. For a complete list of types, see the list of Ethernet protocol types.

nw_src=ip[/netmask], nw_dst=ip[/netmask]: when dl_type=0x0800, match the source or destination IPv4 address; an IP address or a domain name can be used.

nw_proto=proto: used together with the dl_type field. When dl_type=0x0800 it matches the IP protocol number; when dl_type=0x86dd it matches the IPv6 protocol number. The complete list of IP protocol numbers can be found in the IP protocol number list.

table=number: specifies the number of the flow table to use, in the range 0-254. If not specified, the default value is 0. By using flow table numbers, flows can be created or modified in multiple tables.

reg<idx>=value[/mask]: the value of a register in the switch. When a packet enters the switch, all registers are cleared; the user can modify the values of the registers through actions.

For the three commands add-flow, add-flows and mod-flows, you also need to specify the actions to be performed: actions=[target][,target...]

There may be multiple actions in a flow rule that are executed in the specified order.

Common operations are:

output:port: outputs the packet to the specified port. port refers to the OpenFlow port number of the port.

mod_vlan_vid: modify the VLAN tag in the packet.

strip_vlan: remove the VLAN tag from the packet.

mod_dl_src/mod_dl_dst: modify the source or destination MAC address.

mod_nw_src/mod_nw_dst: modify the source or destination IPv4 address.

resubmit:port: replace the in_port field of the packet with the given port and re-run the flow table match.

load:value->dst[start..end]: write data to the specified field.
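To make the matching process of this section concrete, here is an added Python example (not code from the article or from OVS) that parses flow strings in the ovs-ofctl syntax above and looks a packet up against them the way Figure 1 describes: the highest-priority matching entry wins, and an unmatched packet goes to the controller. Only the fields of Table 1 are modelled; the packet dictionaries and the FLOW_TABLE built from the rules used later in the article are constructed for illustration.

```python
import ipaddress
import re

# Priority ovs-ofctl assigns to an entry added without priority= (assumption
# stated here for the model; it matches the value Floodlight uses below).
DEFAULT_PRIORITY = 32768

def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)

def parse_value(field, raw):
    """Return (value, mask) for one match field; mask None means exact match."""
    if field in ("dl_src", "dl_dst"):
        val, _, mask = raw.partition("/")
        return mac_to_int(val), (mac_to_int(mask) if mask else 0xFFFFFFFFFFFF)
    if field in ("nw_src", "nw_dst"):
        net = ipaddress.ip_network(raw, strict=False)   # handles ip[/netmask]
        return int(net.network_address), int(net.netmask)
    val, _, mask = raw.partition("/")
    return int(val, 0), (int(mask, 0) if mask else None)

def parse_flow(spec):
    """Parse an ovs-ofctl flow string; fields may be separated by ',' or ' '."""
    match, _, actions = spec.partition("actions=")
    flow = {"priority": DEFAULT_PRIORITY, "match": {}, "actions": actions.strip()}
    for item in re.split(r"[,\s]+", match.strip(", ")):
        field, _, raw = item.partition("=")
        if field == "priority":
            flow["priority"] = int(raw)
        elif not field or field in ("table", "idle_timeout", "hard_timeout", "cookie"):
            continue  # empty item or bookkeeping, not part of the packet match
        else:
            flow["match"][field] = parse_value(field, raw)
    return flow

def matches(flow, pkt):
    """True if every match field of the flow agrees with the packet headers."""
    for field, (value, mask) in flow["match"].items():
        if field == "dl_vlan":
            have = pkt.get("dl_vlan")          # None = packet carries no VLAN tag
            if not ((have is None) if value == 0xFFFF else have == value):
                return False
        elif field not in pkt:
            return False                       # e.g. nw_proto on a non-IP frame
        elif mask is None:
            if pkt[field] != value:
                return False
        elif pkt[field] & mask != value & mask:
            return False
    return True

def lookup(table, pkt):
    """Highest-priority matching entry wins; no match goes to the controller."""
    hits = [f for f in table if matches(f, pkt)]
    if not hits:
        return "packet-in to controller"
    return max(hits, key=lambda f: f["priority"])["actions"]

# The flow entries used later in the article, parsed into one table.
FLOW_TABLE = [parse_flow(s) for s in (
    "table=0, dl_src=01:00:00:00:00:00/01:00:00:00:00:00, actions=drop",
    "table=0, dl_dst=01:80:c2:00:00:00/ff:ff:ff:ff:ff:f0, actions=drop",
    "priority=1 idle_timeout=0, in_port=100,actions=mod_nw_src:9.181.137.1,normal",
    "idle_timeout=0,dl_type=0x0800,nw_proto=1,actions=output:102",
    "priority=3,in_port=100,dl_vlan=0xffff,actions=mod_vlan_vid:101,normal",
)]
```

Note that the ICMP redirect rule, added without a priority, outranks the priority 1 and priority 3 rules on port 100, which is why the article's ping to p1 ends up on p2.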

Practice the OpenFlow command

In this example, we create an OVS switch that is not connected to any controller and demonstrate how to use the ovs-ofctl command to manipulate the OpenFlow flow table.

Create a new OVS switch

$ ovs-vsctl add-br ovs-switch

Create a port p0 and set the OpenFlow port number of port p0 to 100 (if the OpenFlow port number is not specified when the port is created, OVS will automatically generate one).

$ ovs-vsctl add-port ovs-switch p0 -- set Interface p0 ofport_request=100

Set the type of the network interface device to "internal". For internal-type interfaces, OVS also creates a simulated network device in the Linux system that can be used to send and receive data; we can configure an IP address on this device, capture traffic on it, and so on.

$ ovs-vsctl set Interface p0 type=internal
$ ethtool -i p0
driver: openvswitch
version:
firmware-version:
bus-info:
supports-statistics: no
supports-test: no
supports-eeprom-access: no
supports-register-dump: no

To avoid conflicts between the address on the network interface and existing local network addresses, we create a network namespace ns0, move the p0 interface into ns0, and configure its IP address as 192.168.1.100.

$ ip netns add ns0
$ ip link set p0 netns ns0
$ ip netns exec ns0 ip addr add 192.168.1.100/24 dev p0
$ ip netns exec ns0 ifconfig p0 promisc up

Create ports p1 and p2 in the same way.

Table 2. Information of the created ports

p0:
IP address: 192.168.1.100/24
Network namespace: ns0
Network interface MAC address: 66:4e:cc:ae:4d:20
OpenFlow port number: 100

p1:
IP address: 192.168.1.101/24
Network namespace: ns1
Network interface MAC address: 46:54:8a:95:dd:f8
OpenFlow port number: 101

p2:
IP address: 192.168.1.102/24
Network namespace: ns2
Network interface MAC address: 86:3b:c8:d0:44:10
OpenFlow port number: 102

After creating all the ports, view the information of the OVS switch.

$ ovs-vsctl show
30282710-d401-4187-8e13-52388f693df7
    Bridge ovs-switch
        Port "p0"
            Interface "p0"
                type: internal
        Port "p2"
            Interface "p2"
                type: internal
        Port "p1"
            Interface "p1"
                type: internal
        Port ovs-switch
            Interface ovs-switch
                type: internal

Create and test OpenFlow commands using ovs-ofctl

View the port information in Open vSwitch. From the output you can get the datapath ID (dpid) of the switch, as well as the OpenFlow port number, port name and current status of each port.

$ ovs-ofctl show ovs-switch
OFPT_FEATURES_REPLY (xid=0x2): dpid:00001232a237ea45
n_tables:254, n_buffers:256
capabilities: FLOW_STATS TABLE_STATS PORT_STATS QUEUE_STATS ARP_MATCH_IP
actions: OUTPUT SET_VLAN_VID SET_VLAN_PCP STRIP_VLAN SET_DL_SRC SET_DL_DST SET_NW_SRC SET_NW_DST SET_NW_TOS SET_TP_SRC SET_TP_DST ENQUEUE
 100(p0): addr:54:01:00:00:00:00
     config:     PORT_DOWN
     state:      LINK_DOWN
     speed: 0 Mbps now, 0 Mbps max
 101(p1): addr:54:01:00:00:00:00
     config:     PORT_DOWN
     state:      LINK_DOWN
     speed: 0 Mbps now, 0 Mbps max
 102(p2): addr:54:01:00:00:00:00
     config:     PORT_DOWN
     state:      LINK_DOWN
     speed: 0 Mbps now, 0 Mbps max
 LOCAL(ovs-switch): addr:12:32:a2:37:ea:45
     config:     0
     state:      0
     speed: 0 Mbps now, 0 Mbps max
OFPT_GET_CONFIG_REPLY (xid=0x4): frags=normal miss_send_len=0

If you want to get the OpenFlow port number of a network interface, you can also query it in the OVS database.

$ ovs-vsctl get Interface p0 ofport
100

View the information of the datapath.

$ ovs-dpctl show
system@ovs-system:
        lookups: hit:12173 missed:712 lost:0
        flows: 0
        port 0: ovs-system (internal)
        port 1: ovs-switch (internal)
        port 2: p0 (internal)
        port 3: p1 (internal)
        port 4: p2 (internal)

Block packets

Block all Ethernet broadcast packets entering OVS.

$ ovs-ofctl add-flow ovs-switch "table=0, dl_src=01:00:00:00:00:00/01:00:00:00:00:00, actions=drop"

Block broadcast packets of the STP protocol.

$ ovs-ofctl add-flow ovs-switch "table=0, dl_dst=01:80:c2:00:00:00/ff:ff:ff:ff:ff:f0, actions=drop"

Modify packet

Add a new OpenFlow entry that changes the source address of packets received on port p0 to 9.181.137.1.

$ ovs-ofctl add-flow ovs-switch "priority=1 idle_timeout=0,\
    in_port=100,actions=mod_nw_src:9.181.137.1,normal"

Send test data from port p0 (192.168.1.100) to port p1 (192.168.1.101).

$ ip netns exec ns0 ping 192.168.1.101

Capturing on the receiving port p1 shows that the source address of the received packets has been changed to 9.181.137.1.

$ ip netns exec ns1 tcpdump -i p1 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on p1, link-type EN10MB (Ethernet), capture size 65535 bytes
15:59:16.885770 IP 9.181.137.1 > 192.168.1.101: ICMP echo request, id 23111, seq 457, length 64
15:59:… IP 9.181.137.1 > 192.168.1.101: ICMP echo request, id 23111, seq 458, length 64

Redirect packet

Add a new OpenFlow entry that redirects all ICMP packets to port p2.

$ ovs-ofctl add-flow ovs-switch idle_timeout=0,dl_type=0x0800,nw_proto=1,actions=output:102

Send data from port p0 (192.168.1.100) to port p1 (192.168.1.101).

$ ip netns exec ns0 ping 192.168.1.101

Capture on port p2 and observe that the packets have been forwarded to port p2.

$ ip netns exec ns2 tcpdump -i p2 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on p2, link-type EN10MB (Ethernet), capture size 65535 bytes
16:07:35.677770 IP 192.168.1.100 > 192.168.1.101: ICMP echo request, id 23147, seq 25, length 64
16:07:36.685824 IP 192.168.1.100 > 192.168.1.101: ICMP echo request, id 23147, seq 26, length 64

Modify the VLAN Tag of a packet

In addition to Linux commands such as ping, tcpdump and iperf, we can also use the ovs-appctl ofproto/trace tool provided by OVS to test how OVS forwards packets. ovs-appctl ofproto/trace generates a simulated packet for testing and shows step by step how OVS processes it. In the following example we demonstrate how to use this command.

Set the VLAN tag of port p1 to 101, so that port p1 becomes a port belonging to VLAN 101.

$ ovs-vsctl set Port p1 tag=101

Now that ports p0 and p1 belong to different VLANs, there is no data exchange between them. We use ovs-appctl ofproto/trace to generate a packet sent from port p0 to port p1 that carries no VLAN tag, and observe how OVS processes it.

$ ovs-appctl ofproto/trace ovs-switch in_port=100,dl_src=66:4e:cc:ae:4d:20,dl_dst=46:54:8a:95:dd:f8 -generate
Flow: metadata=0,in_port=100,vlan_tci=0x0000,dl_src=66:4e:cc:ae:4d:20,dl_dst=46:54:8a:95:dd:f8,dl_type=0x0000
Rule: table=0 cookie=0 priority=0
OpenFlow actions=NORMAL
no learned MAC for destination, flooding

Final flow: unchanged
Relevant fields: skb_priority=0,in_port=100,vlan_tci=0x0000/0x1fff,dl_src=66:4e:cc:ae:4d:20,dl_dst=46:54:8a:95:dd:f8,dl_type=0x0000,nw_frag=no
Datapath actions: 4,1

In the first line of output, the fields after "Flow:" describe the input packet. Since we specified very little, most fields (such as dl_type and vlan_tci) are left at null values by OVS.

In the second line, the fields after "Rule:" describe the flow table entry that matched.

In the third line, the field after "OpenFlow actions" describes what is actually done.

The last part, beginning with "Final flow", summarizes the whole process, and "Datapath actions: 4,1" indicates that the packet is sent to ports 4 and 1 of the datapath.

Create a new Flow: for packets entering the switch from port p0 that carry no VLAN tag, automatically add VLAN tag 101.

$ ovs-ofctl add-flow ovs-switch "priority=3,in_port=100,dl_vlan=0xffff,\
    actions=mod_vlan_vid:101,normal"

Send a packet without a VLAN tag from port p0 again; this time, after entering port p0, the packet is tagged with VLAN 101 and forwarded to port p1.

$ ovs-appctl ofproto/trace ovs-switch in_port=100,dl_src=66:4e:cc:ae:4d:20,dl_dst=46:54:8a:95:dd:f8 -generate
Flow: metadata=0,in_port=100,vlan_tci=0x0000,dl_src=66:4e:cc:ae:4d:20,dl_dst=46:54:8a:95:dd:f8,dl_type=0x0000
Rule: table=0 cookie=0 priority=3,in_port=100,vlan_tci=0x0000
OpenFlow actions=mod_vlan_vid:101,NORMAL
forwarding to learned port

Final flow: metadata=0,in_port=100,dl_vlan=101,dl_vlan_pcp=0,dl_src=66:4e:cc:ae:4d:20,dl_dst=46:54:8a:95:dd:f8,dl_type=0x0000
Relevant fields: skb_priority=0,in_port=100,vlan_tci=0x0000/0x1fff,dl_src=66:4e:cc:ae:4d:20,dl_dst=46:54:8a:95:dd:f8,dl_type=0x0000,nw_frag=no
Datapath actions: 3

In the other direction, send a packet from port p1. Since p1 is now an access port with VLAN tag 101, after entering port p1 the packet is tagged by OVS with VLAN 101 and sent to port p0.

$ ovs-appctl ofproto/trace ovs-switch in_port=101,dl_dst=66:4e:cc:ae:4d:20,dl_src=46:54:8a:95:dd:f8 -generate
Flow: metadata=0,in_port=101,vlan_tci=0x0000,dl_src=46:54:8a:95:dd:f8,dl_dst=66:4e:cc:ae:4d:20,dl_type=0x0000
Rule: table=0 cookie=0 priority=0
OpenFlow actions=NORMAL
forwarding to learned port

Final flow: unchanged
Relevant fields: skb_priority=0,in_port=101,vlan_tci=0x0000,dl_src=46:54:8a:95:dd:f8,dl_dst=66:4e:cc:ae:4d:20,dl_type=0x0000,nw_frag=no
Datapath actions: push_vlan(vid=101,pcp=0),2

Other operations commonly used in OpenFlow

View all tables in the switch.

$ ovs-ofctl dump-tables ovs-switch

View all flow table entries in the switch.

$ ovs-ofctl dump-flows ovs-switch

Delete all flow table entries for port number 100.

$ ovs-ofctl del-flows ovs-switch "in_port=100"

View port information on the switch.

$ ovs-ofctl show ovs-switch

Manage OVS through Floodlight

On the one hand, an OpenFlow controller connects over the OpenFlow protocol to any switch that supports OpenFlow, and controls the flow of data by exchanging flow table rules with the switch. On the other hand, through the API or user interface that the controller provides, the user can dynamically modify the network architecture, change the flow table rules of the switch, and so on. Floodlight is an enterprise-class OpenFlow controller released under the Apache license and developed in Java. In the following example, we show how to install Floodlight and connect it to OVS to manage the switch.

Installing Floodlight is very simple. On another machine, download the Floodlight source code and compile it.

$ git clone git://github.com/floodlight/floodlight.git
$ cd floodlight/
$ ant
$ java -jar target/floodlight.jar

Run Floodlight.

$ java -jar floodlight.jar

On the node where the OVS switch is installed, configure the OVS switch ovs-switch to use Floodlight as its controller. By default Floodlight listens on port 6633; we use the ovs-vsctl command to configure the OVS switch to connect to Floodlight over TCP (IP address 9.181.137.182, port 6633). An OVS switch can be configured with one or more controllers at the same time.

$ ovs-vsctl set-controller ovs-switch tcp:9.181.137.182:6633

When the OVS switch is connected to the Floodlight controller, in theory all flow table rules should be established by the controller. Because the OVS switch and the controller communicate over the network, a failure of the network connection affects the establishment of flows. For this situation OVS provides two modes:

Standalone: the default mode. If the OVS switch fails to connect to the OpenFlow controller more than three times, the OVS switch itself takes over establishing the flow table; in this mode OVS behaves like an ordinary L2 switch. At the same time, OVS keeps trying to connect to the controller, and once the network connection is restored, OVS switches back to using the controller for flow table management.

Secure: in secure mode, if OVS cannot connect to the OpenFlow controller properly, OVS keeps trying to reconnect to the controller instead of establishing the flow table itself.

Set the connection mode of OVS to secure mode.

$ ovs-vsctl set Bridge ovs-switch fail-mode=secure

Check the status of OVS. "is_connected:true" indicates that OVS has successfully connected to Floodlight.

$ ovs-vsctl show
30282710-d401-4187-8e13-52388f693df7
    Bridge ovs-switch
        Controller "tcp:9.181.137.182:6633"
            is_connected: true
        Port ovs-switch
            Interface ovs-switch
                type: internal
        Port "p0"
            Interface "p0"
                type: internal
        Port "p1"
            tag: 101
            Interface "p1"
                type: internal
        Port "p2"
            Interface "p2"
                type: internal

By accessing the Web management interface http://:8080/ui/index.html provided by Floodlight, we can view the status of the Floodlight controller and a list of all switches connected to it.

Figure 2. Floodlight main interface

Select an OpenFlow switch to view its port list and flow table information.

Figure 3. View the details of the OpenFlow switch

Through Floodlight's REST API, add two new rules that allow ports p0 and p1 to communicate with each other. Note: replace the switch ID in the command line with the datapath ID of your switch.

$ curl -d '{"switch": "00:00:0e:f9:05:6b:7c:44", "name": "my-flow1", "cookie": "0", "priority": "32768", "ingress-port": "100", "active": "true", "actions": "output=flood"}' http://9.181.137.182:8080/wm/staticflowentrypusher/json
$ curl -d '{"switch": "00:00:0e:f9:05:6b:7c:44", "name": "my-flow2", "cookie": "0", "priority": "32768", "ingress-port": "101", "active": "true", "actions": "output=flood"}' http://9.181.137.182:8080/wm/staticflowentrypusher/json

Verify that packets can be sent from port p0 to p1.

$ ip netns exec ns0 ping -c4 192.168.1.101
PING 192.168.1.101 (192.168.1.101) 56(84) bytes of data.
64 bytes from 192.168.1.101: icmp_req=1 ttl=64 time=0.027 ms
64 bytes from 192.168.1.101: icmp_req=2 ttl=64 time=0.018 ms
64 bytes from 192.168.1.101: icmp_req=3 ttl=64 time=0.023 ms
64 bytes from 192.168.1.101: icmp_req=4 ttl=64 time=0.022 ms

--- 192.168.1.101 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2998ms
rtt min/avg/max/mdev = 0.018/0.022/0.027/0.005 ms

On the OVS side, you can also see that the flow table rules have been synchronized to OVS locally.

$ ovs-ofctl dump-flows ovs-switch
NXST_FLOW reply (xid=0x4):
 cookie=0xa0000000000000, duration=335.122s, table=0, n_packets=347, n_bytes=28070, idle_age=1, in_port=100 actions=FLOOD
 cookie=0xa0000000000000, duration=239.892s, table=0, n_packets=252, n_bytes=24080, idle_age=0, in_port=101 actions=FLOOD
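As an added example (not code from the article, OVS or Floodlight), the following Python parses output in the dump-flows format shown above and flags entries an operator reviewing a controller-managed switch would want to look at: rules that rewrite addresses, FLOOD rules with no destination constraint, and rules that have been installed for a while but never matched. SAMPLE_DUMP is constructed; its first two entries are the article's, the last two are assumed.

```python
import re

# Constructed sample in the format of "ovs-ofctl dump-flows"; the last two
# entries are assumed additions, not from the article's switch.
SAMPLE_DUMP = """\
NXST_FLOW reply (xid=0x4):
 cookie=0xa0000000000000, duration=335.122s, table=0, n_packets=347, n_bytes=28070, idle_age=1, in_port=100 actions=FLOOD
 cookie=0xa0000000000000, duration=239.892s, table=0, n_packets=252, n_bytes=24080, idle_age=0, in_port=101 actions=FLOOD
 cookie=0x0, duration=900.4s, table=0, n_packets=0, n_bytes=0, idle_age=900, priority=1,in_port=100 actions=mod_nw_src:9.181.137.1,NORMAL
 cookie=0x0, duration=3.1s, table=0, n_packets=9, n_bytes=702, idle_age=1, priority=0 actions=NORMAL
"""

# Per-entry bookkeeping printed by ovs-ofctl; everything else is a match field.
STATS = {"cookie", "duration", "table", "n_packets", "n_bytes", "idle_age",
         "hard_age", "priority", "idle_timeout", "hard_timeout"}
REWRITE = ("mod_nw_src", "mod_nw_dst", "mod_dl_src", "mod_dl_dst")

def parse_dump_flows(text):
    """Turn dump-flows output into dicts holding stats, a match dict and an action list."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("cookie="):
            continue  # header line such as "NXST_FLOW reply (xid=0x4):"
        head, _, actions = line.partition(" actions=")
        entry = {"match": {}, "actions": [a for a in actions.split(",") if a]}
        for item in re.split(r"[,\s]+", head.strip(", ")):
            key, _, val = item.partition("=")
            if key in STATS:
                entry[key] = val
            else:
                entry["match"][key] = val  # e.g. in_port=100, dl_type=0x0800
        entries.append(entry)
    return entries

def audit(entries, unused_after=600):
    """Return (entry index, reason) pairs for entries a reviewer should look at."""
    findings = []
    for i, e in enumerate(entries):
        acts = e["actions"]
        if any(a.startswith(REWRITE) for a in acts):
            findings.append((i, "rewrites addresses: " + ",".join(acts)))
        if "FLOOD" in acts and "dl_dst" not in e["match"]:
            findings.append((i, f"floods every frame matching {e['match'] or 'anything'} to all ports"))
        age = float(e.get("duration", "0s").rstrip("s"))
        if int(e.get("n_packets", "1")) == 0 and age >= unused_after:
            findings.append((i, f"installed {age:.0f}s ago and never matched"))
    return findings

if __name__ == "__main__":
    for idx, reason in audit(parse_dump_flows(SAMPLE_DUMP)):
        print(f"entry {idx}: {reason}")
```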

View the flow table rules on the switch through Floodlight's REST API.

$ curl http://9.181.137.182:8080/wm/staticflowentrypusher/list/00:00:0e:f9:05:6b:7c:44/json

Delete the flow table rules on the switch through Floodlight's REST API.

$ curl http://9.181.137.182:8080/wm/staticflowentrypusher/clear/00:00:0e:f9:05:6b:7c:44/json

The above is all the content of this article, "How to use OpenFlow based on Open vSwitch". Thank you for reading! I believe you now have a basic understanding, and I hope the content shared here helps you.
