wiki:GENIExperimenter/Tutorials/OpenFlowNetworkDevices

Version 5 (modified by sedwards@bbn.com, 4 years ago) (diff)


OpenFlow Firewall and NAT Devices

Overview:

This is a very simple tutorial with two topologies demonstrating an OpenFlow Firewall and an OpenFlow NAT.
Hello GENI topology
   

Prerequisites:

For this tutorial you need a GENI Experimenter Portal account and must be a member of at least one project.
  • If you have a ProtoGENI (emulab) account, then you can follow this version of the tutorial.
  • If you don't have an account yet, sign up!

Tools:

All the tools will already be installed at your nodes. For your reference we are going to use:
   

Where to get help:

For any questions or problems with the tutorial, please email geni-users@googlegroups.com

Step-by-step Instructions

Design/Setup

Step 1: Get Ready:

The first thing we need to do is log in to the portal.
  1. Go to the GENI Experimenter Portal and press the Use GENI button.
  2. From the drop-down menu select your institution. If you got an account through the GENI Identity Provider, please select GENI Project Office.
    Tip: Start typing the name of your institution and see the list become smaller.
  3. You will be transferred to the login page of your institution. Fill in your username and password.

Step 2: Launch your experiment:

    1. At the portal home page press Create Slice for your project.
      Tip: If you are not a member of any project and you don't know how to proceed, email us
    2. Name your slice something like xxxopenflow (where xxx are your initials)
    3. Once the slice page loads, click the Add Resources button placed at the top left part of the screen.
      NOTE: If you get a warning about not having uploaded ssh keys just follow the instructions on providing an ssh key before you proceed.
    4. In the Choose RSpec section, choose the Hello GENI choice, which should contain: http://www.gpolab.bbn.com/exp/HelloGENI/hellogeni.rspec.
    5. You will need to choose an aggregate where you want this topology to be instantiated. Click on the Site 0 box and a panel on the left side of the canvas will appear. Choose any aggregate with InstaGENI in its name.
    6. Click on the Reserve Resources button on the bottom left part of the screen.
    7. Wait while your resources are being reserved. This will take several minutes so be patient. The nodes will turn green to signify that your resources are ready.
    Add Aggregate
    Execute

    Step 3: Firewall

    For this experiment we will run an OpenFlow Firewall.
    1. Log into switch and run the following commands to download and run the firewall controller:
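      wget https://www.dropbox.com/s/wc4szossxjeairn/gpo-ryu-firewall.tar.gz
      gunzip gpo-ryu-firewall.tar.gz
      tar xvf gpo-ryu-firewall.tar
      cd gpo-ryu-firewall   # assumed unpack directory (step 7 refers to ~/gpo-ryu-firewall)
      /tmp/ryu/bin/ryu-manager simple_firewall.py
      When the controller starts it prints:
      loading app simple_firewall.py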
      
    2. Log into right and run a nc server:
      nc -l 5001
      
    3. Log into left and run a nc client:
      nc 10.10.11.1 5001
      
    4. Type some text in left and it should appear in right and vice versa.
    5. In the terminal for switch you should see messages about the flow being passed or not:
      Extracted rule {'sport': '57430', 'dport': '5001', 'sip': '10.10.10.1', 'dip': '10.10.11.1'}
      Allow Connection rule {'dport': '5001', 'dip': '10.10.11.1', 'sip': '10.10.10.1', 'sport': 'any'}
      
    6. CTRL-C to kill nc in each terminal.
    7. Run a nc server on port 5002, then 5003. Compare the observed behavior to the contents of ~/gpo-ryu-firewall/fw.conf. Does the behavior match the configuration file? Feel free to modify the configuration file to block other traffic.
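
The log lines in step 5 show the controller extracting a flow's four-tuple and finding a rule that covers it, with 'any' acting as a wildcard. The Python below is an added example, not the tutorial's simple_firewall.py: it parses those two log lines, checks that the logged allow rule really covers the logged flow, and evaluates a constructed flow against the same rule. The function names, the first-match/default-deny behaviour and the port 5999 flow are assumptions; the real policy is whatever simple_firewall.py reads from fw.conf.

```python
import ast

FIELDS = ("sip", "dip", "sport", "dport")
PREFIXES = (("Extracted rule ", "flow"), ("Allow Connection rule ", "allow"))

def parse_log_line(line):
    """Return (kind, dict) for a controller rule line, or None for anything else."""
    line = line.strip()
    for prefix, kind in PREFIXES:
        if line.startswith(prefix):
            # literal_eval accepts only Python literals, so log text is never executed
            return kind, ast.literal_eval(line[len(prefix):])
    return None

def rule_matches(rule, flow):
    """A rule covers a flow when each field is 'any' or equals the flow's value.
    A field missing from the rule never matches (fail closed)."""
    return all(rule.get(f) in ("any", flow[f]) for f in FIELDS)

def decide(rules, flow):
    """First matching rule allows; no match is a deny (assumed default)."""
    for rule in rules:
        if rule_matches(rule, flow):
            return "allow", rule
    return "deny", None

def audit(log_lines):
    """Check that every logged allow rule really covers the flow logged before it."""
    results, flow = [], None
    for line in log_lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        kind, data = parsed
        if kind == "flow":
            flow = data
        elif flow is not None:
            results.append((flow["dport"], rule_matches(data, flow)))
            flow = None
    return results

# The two log lines shown in step 5 of the tutorial
LOG = [
    "Extracted rule {'sport': '57430', 'dport': '5001', 'sip': '10.10.10.1', 'dip': '10.10.11.1'}",
    "Allow Connection rule {'dport': '5001', 'dip': '10.10.11.1', 'sip': '10.10.10.1', 'sport': 'any'}",
]
ALLOW = [parse_log_line(LOG[1])[1]]
# Constructed flow to a port the rule does not list; not taken from the real fw.conf
OTHER = dict(parse_log_line(LOG[0])[1], dport="5999")

if __name__ == "__main__":
    print(audit(LOG), decide(ALLOW, OTHER)[0])
```

The same audit can be run over the switch terminal output collected during step 7 to confirm that each allowed connection corresponds to a rule that actually covers it.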

    Step 4: NAT

    While conducting experiments in GENI, you will often want to run commands directly on the nodes. In this optional step, you will log in to a node and issue commands directly to it.
    1. Follow these instructions and log in to the client node
    2. When you have successfully logged in, run this command:
      iperf -c server -P 2
      This task shouldn't take more than 30 seconds. Change the number after the ` -P ` argument and watch how the performance is affected while you change the number of parallel TCP connections.
    3. Scroll all the way down the server iperf log, and look at the logs for your transfers
    Execute

    Step 5: Cleanup experiment:

    After you are done with your experiment, you should always release your resources so that other experimenters can use them. To clean up your slice:
    1. Press the Delete button at the bottom of your Jacks canvas.
    Wait, and after a few moments all the resources will have been released and you will have an empty canvas again. Notice that your slice is still there. There is no way to delete a slice; it will be removed automatically after its expiration date. Remember that a slice is just an empty container, so it doesn't take up any resources.

    What's next?

    Congratulations! You have finished your first GENI Experiment. Now that you are more familiar with GENI concepts you can:
