wiki:GENIExperimenter/Tutorials/OpenFlowNetworkDevices/Firewall

Version 17 (modified by nriga@bbn.com, 9 years ago) (diff)

--

OpenFlow Firewall

This exercise is based on as assignment by Sonia Famy, Ethan Blanton and Sriharsha Gangam of Purdue University.

For this experiment we will run an OpenFlow Firewall.

http://groups.geni.net/geni/raw-attachment/wiki/GENIExperimenter/Tutorials/OpenFlowNetworkDevices/Firewall/Firewall-2.png

  1. Log into switch and run the following commands to download and run the firewall controller:
    sudo apt-get install python-pip python-dev libxml2-dev libxslt-dev zlib1g-dev
    sudo pip install oslo.config
    
  2. Run a simple learning switch controller:
    cd /tmp/ryu
    ./bin/ryu-manager --verbose ryu/app/simple_switch.py
    
  3. Verify simple connectivity by logging into right ping left
    ping left
    
    Notice the printouts of the ryu simple switch controller.
  4. Make your switch into a firewall by downloading and running the appropriate Ryu controller:
    wget http://www.gpolab.bbn.com/exp/OpenFlowExampleExperiment/ryu/gpo-ryu-firewall.tar.gz
    tar xvfz gpo-ryu-firewall.tar.gz
    cd gpo-ryu-firewall/
    /tmp/ryu/bin/ryu-manager simple_firewall.py
    
  5. Log into right and run a nc server:
    nc -l 5001
    
  6. Log into left and run a nc client:
    nc 10.10.11.1 5001
    
  7. Type some text in left and it should appear in right and vise versa.
  8. In the terminal for switch you should see messages about the flow being passed or not:
    Extracted rule {'sport': '57430', 'dport': '5001', 'sip': '10.10.10.1', 'dip': '10.10.11.1'}
    Allow Connection rule {'dport': '5001', 'dip': '10.10.11.1', 'sip': '10.10.10.1', 'sport': 'any'}
    
  9. CTRL-C to kill nc in each terminal.
  10. Run a nc server on port 5002, then 5003.
    • Compare the observed behavior to the contents of ~/gpo-ryu-firewall/fw.conf. Does the behavior match the configuration file?
    • Stop the Firewall controller and run a simple switch controller. Is there any traffic being blocked now?
    • Feel free to modify the configuration file to block other traffic.

Return to the main page

Attachments (2)

Download all attachments as: .zip