Changes between Version 3 and Version 4 of GENIExperimenter/Tutorials/OpenFlowOVS/Execute


Ignore:
Timestamp:
06/22/13 19:51:25 (6 years ago)
Author:
nriga@bbn.com
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • GENIExperimenter/Tutorials/OpenFlowOVS/Execute

    v3 v4  
    1717
    1818
    19 == 4.  Configure and Initialize ==
    20 
    21 == 5.  Execute Experiment ==
    22 
    23 == 6.  Analyze Experiment ==
     19== 2.  Configure and Initialize ==
     20Although OVS is installed and initialized on the host that is meant to act as a software switch, it has not been configured yet.
     21There are two main things that need to be configured : ''create your software switch with the interfaces as ports'' and ''point the switch to an OpenFlow controller''.
     22
     23In order to configure our switch, we first need to login to the host that will be used as an OpenFlow switch.
     24
     25===2a. Login to OVS host ===
     26{{{
     27#!html
     28<table border="0">
     29      <tr>
     30        <td >
     31        <img border="0" src="http://groups.geni.net/geni/attachment/wiki/GENIExperimenter/Tutorials/OpenflowOVS/Graphics/ovs-login.png?format=raw" alt="Login information for a VM"  height="120" title="Login information for a VM" /> </a>
     32       </td>
     33       <td >
     34         <ol>
     35           <li><FONT COLOR="black">Return to the Slice page. Press the <b>Details</b> button in the row of the slice table for <i>Utah ProtoGENI</i>.</font></li>
     36           <li>Click on the ssh link. If you have installed <a target="https://addons.mozilla.org/en-us/firefox/addon/firessh/"> FireSSH </a> a new tab will open up.</li>
     37           <li> In the window that will pop up :
     38                <ul>
     39                  <li> in the password field type in your passphrase</li>
     40                  <li> in the private key, browse to the file that has your private key
     41                   <li>  Press OK </li>
     42                </ul>
     43             </li>
     44             <li> If you don't have FireSSH installed, open a new terminal window. Copy the command to the right of Login into that terminal window. </li>
     45             <li> You are now logged in to the OVS host. </li>
     46         
     47          </ol>
     48       </td>
     49    </tr>
     50 </table>
     51}}}
     52
     53== 2b. Configure  the Software Switch ==
     54Now that you are logged in, we need first to configure OVS. To save time in the tutorial we have already started OVS and we have added an ethernet bridge that will act as our software switch. Try:
     55{{{
     56sudo ovs-vsctl list-br
     57}}}
     58You should see only on bridge `br0`. Now we need to add the interfaces to this bridge that will act as ports of our software switch.
     59
     60{{{
     61#!html
     62<table border="0">
     63      <tr >
     64       <td width = "500">
     65         <ol>
     66           <li>List all the interfaces of the node
     67            <ul> <li> <code>ifconfig</code> </ul></li>
     68           </li> <br/>
     69           <li> Be careful <b> not to bring down eth0</b>. This is your control interface, if you bring that interface down you <b> won't be able to login</b> to your host!. For all interfaces other than <code>eth0</code> and <code> l0</code>, remove the IP from the interfaces: <br/>
     7091                            <ul><li> <code> sudo ifconfig &lt data_interface_name &gt 0 </code> </li></ul>
     71             <li> Add all the data interfaces to your switch (bridge):Be careful <b> not to add interface eth0</b>. This is your control interface. You should see three interfaces that start with VLAN, these are your data interfaces.
     72                <ul><li> <code> sudo  ovs-vsctl add-port br0 &lt data_interface_name &gt </code> </li></ul>
     73             </li>
     74          </ol>
     75       </td>
     76        <td>
     77        <img border="0" src="http://groups.geni.net/geni/attachment/wiki/GENIExperimenter/Tutorials/OpenflowOVS/Graphics/ovs-interfaces.png?format=raw" alt="Login information for a VM"  height="250" title="Login information for a VM" /> </a>
     78       </td>
     79    </tr>
     80 </table>
     81}}}
     82 
     83Congratulations! You have configured your software switch, which three ports, let's see them. Run:
     84{{{
     85sudo ovs-vsctl list-ports br0
     86}}}
     87
     88=== 2c. Point your switch to a controller ===
     89An OpenFlow switch will not forward any packet, unless instructed by a controller. Basically the forwarding table is empty, until an external controller inserts forwarding rules. The OpenFlow controller communicates with the switch over the control network and it can be anywhere in the Internet as long as it is reachable by the OVS host. For the purpose of this tutorial and in order to minimize the resources we have reserved we are going to run OpenFlow controller at the same host as the OVS switch. This is '''merely''' for convenience reasons, the controller could have been anywhere on the Internet.
     90
     91In order to point our software OpenFlow switch to the controller run:
     92{{{
     93sudo ovs-vsctl set-controller br0 tcp:127.0.0.1:6633
     94}}}
     95
     96=== `standalone` vs `secure` mode ===
     97The OpenFlow controller is responsible for setting up all flows on the switch, which means that when the controller is not running there should be no packet switching at all. Depending on the setup of your network, such a behavior might not be desired. It might be best that when the controller is down, the switch should default back in being a learning layer 2 switch. In other circumstances however this might be undesirable. In OVS this is a tunable parameter, called `fail-safe-mode` which can be set to the following parameters:
     98  * `standalone` [default] : in which case OVS will take responsibility for forwarding the packets if the controller fails
     99  * `secure` : in which case only the controller is responsible for forwarding packets, and if the controller is down all packets are going to be dropped.
     100
     101In OVS when the parameter is not set it falls back to the `standalone` mode. For the purpose of this tutorial we will set the `fail-safe-mode` to `secure`, since we want to be the ones controlling the forwarding. Run:
     102{{{
     103sudo ovs-vsctl set-fail-mode br0 secure
     104}}}
     105
     106== 3. Execute Experiment ==
     107Now that our switch is up and running we are ready to start working on our controller. For this tutorial we are going to use the [http://www.noxrepo.org/pox/about-pox/ PoX controller]. The software that is installed in the OVS host for running Pox can be found [http://www.gpolab.bbn.com/experiment-support/gec16/oftut/gec16-of.tar.gz here].
     108
     109=== 3a. Login to your hosts ===
     110{{{
     111#!html
     112<table border="0">
     113      <tr>
     114        <td >
     115        <img border="0" src="http://groups.geni.net/geni/attachment/wiki/GENIExperimenter/Tutorials/OpenflowOVS/Graphics/hosts-login.png?format=raw" alt="Login information for a VM"  width="350" title="Login information for a VM" /> </a>
     116       </td>
     117       <td >
     118         <ol>
     119           <li><FONT COLOR="black">Return to the Portal browser tab.</font></li>
     120           <li>Click on the ssh link for each of your hosts.  If you have installed <a target="https://addons.mozilla.org/en-us/firefox/addon/firessh/"> FireSSH </a> a new tab will open up.</li>
     121           <li> In the window that will pop up :
     122                <ul>
     123                  <li> in the password field type in your passphrase</li>
     124                  <li> in the private key, browse to the file that has your private key
     125                   <li>  Press OK </li>
     126                </ul>
     127             </li>
     128             <li> If you don't have FireSSH installed, open a new terminal window. Copy the command to the right of Login for each of your hosts into that terminal window. </li>
     129             <li> You are now logged in to the all your hosts. </li>
     130             <li> For the tutorial you will need the following terminals: 2 OVS, 1 host1, 2 host2, 1 host3 </li>
     131         
     132          </ol>
     133       </td>
     134    </tr>
     135 </table>
     136}}}
     137
     138All of the hosts are in the `10.10.1.0/24` subnet. From `host1` try pinging `host2`:
     139{{{
     140ping 10.10.1.2
     141}}}
     142
     143This ping should timeout, since there is no controller running.
     144
     145=== 3b. Use a Learning Switch Controller ===
     146We have installed the PoX controller under `/tmp/pox`. On the terminal of the OVS host run:
     147{{{
     148cd /local/pox
     149}}}
     150PoX comes with a set of example modules that you can use out of the box. One of the modules is a learning switch. Let's start the controller:
     151{{{
     152./pox.py --verbose forwarding.l2_learning
     153}}}
     154Go back to the terminal of `host1` and try to ping `host2` again:
     155{{{
     156ping 10.10.1.2
     157}}}
     158Now the ping should work.
     159
     160Go back to your OVS host and take a look at the print outs. You should see that your controller installed flows based on the mac addresses of your packets. Kill your controller by pressing `Ctrl-C`. Notice what will happen to your ping.
     161
     162==== Soft vs Hard Timeouts ====
     163All rules on the switch have two different timeouts:
     164  * '''Soft Timeout''': This determines for how long the flow will remain at the forwarding table of the switch, if there no packets received that match the specific flow. As long as packets from that flow are received the flow remains on the flow table.
     165  * '''Hard Timeout''': This determines the total time that a flow will remain at the forwarding table, independent of whether packets that match the flow are received; i.e. the flow will be removed after the hard timeout expires.
     166
     167Can you tell now why there were packets flowing even after you killed your controller?
     168
     169== Useful Tips for writing your controller ==
     170In order to make this first experience of writing controller easier, we wrote some helpful functions that will abstract some of the  particularities of PoX away.
     171These functions are locates at `/local/pox/ext/utils.py`, so while you write your controller consult this file for details.
     172
     173Functions that are implemented include:
     174  * packetIsIP : Test if the packet is IP
     175  * packetIsARP : Test if the packet is ARP
     176  * packetIsRequestARP : Test if this is an ARP Request packet
     177  * packetIsReplyARP : Test if this is an ARP Reply packet
     178  * packetArpDstIp : Test what is the destination IP in an ARP packet
     179  * packetArpSrcIp : Test what is the sources IP in an ARP packet
     180  * packetIsTCP : Test if a packet is TCP
     181  * packetDstIp : Test the destination IP of a packet
     182  * packetSrcIp : Test the source IP of a packet
     183  * packetDstTCPPort : Test the destination TCP port of a packet
     184  * packetSrcTCPPort : Test the source TCP port of a packet
     185  * createOFAction : Create one OpenFlow action
     186  * getFullMatch : get the full match out of a packet
     187  * createFlowMod : create a flow mod
     188  * createArpRequest : Create an Arp Request for  a different destination IP
     189  * createArpReply : Create an Arp Reply for  a different source IP
     190
     191=== 3c. Run a traffic duplication controller ===
     192In the above example we ran a very simple controller. The power of OpenFlow comes from the fact that you can decide to forward the packet anyway you want based on the supported OpenFlow actions. A very simple but powerful modification you can do, is to duplicate all the traffic of the switch out a specific port. This is very useful for application and network analysis. You can imagine that at the port where you duplicate traffic you connect a device that does analysis. Our hosts are VMs so we are going
     193to verify the duplication by doing a `tcpdump`  on the port on the ovs switch.
     194
     195  1. Open two new terminals to the OVS switch.
     196
     197  2. Look at the sliver details page in the portal and see what interfaces are bound to OVS:if1 and OVS:if2, use the MAC address of the interface to figure this out. Run tcpdump on these interfaces; one in each of the new terminals you opened. This will allow you to see all traffic going out the interfaces
     198  {{{
     199  sudo tcpdump -i <data_interface_name>
     200  }}}
     201
     202  2. In the other ovs host go under the `/local/pox/ext` directory:
     203  {{{
     204   cd ext
     205  }}}
     206
     207  2. There you would see two files :
     208     i. myDuplicateTraffic.py : this is the file that has instructions about how to complete the missing information, go ahead and try to implement your first controller.
     209     ii. !DuplicateTraffic.py : this has the actual solution you can just run this if you don't want to bother with writing a controller.
     210
     211   To run the controller do (while at /local/pox directory) where the <data_interface_name> should be the one that corresponds to OVS:if2 :
     212    {{{
     213    ./pox.py --verbose myDuplicateTraffic \
     214                  --duplicate_port=<data_interface_name>
     215    }}}
     216   
     217    To test it go to the terminal of host1 and try to ping host2:
     218    {{{
     219    ping 10.10.1.2
     220    }}}
     221
     222
     223    If your controller is working you the packets registering in both terminals that you run tcpdump.
     224
     225== Run a port forward Controller ==
     226Now let's do a slightly more complicated controller. OpenFlow gives you the power to overwrite fields of your packets at the switch, for example the TCP source or destination port and do port forwarding. You can have clients trying to contact a server at port 5000, and the OpenFlow switch can redirect your traffic to a service listening on port 6000.
     227
     228Under the `ext` directory there are two files !PortForwarding.py and myPortForwarding.py that are similar like the previous exercise. Both of these controller are configured by a configuration file at `ext/port_forward.config`.
     229
     230To run the controller do (while at /local/pox directory)
     231    {{{
     232    ./pox.py --verbose myPortForwarding
     233    }}}
     234
     235To test your controller we are going to use netcat. Go to the two terminals of host2. In one terminal run:
     236{{{
     237nc -l 5000
     238}}}
     239
     240and in the other terminal run
     241{{{
     242nc -l 6000
     243}}}
     244
     245Now first start the simple layer 2 forwarding controller:
     246{{{
     247ovs:/local/pox% ./pox.py --verbose forwarding.l2_learning
     248}}}
     249
     250Go to the terminal of host1 and connect to host2 at port 5000:
     251{{{
     252nc 10.10.1.2 5000
     253}}}
     254   
     255Type something and you should see it at the the terminal of host2 at port 5000.
     256
     257Start your controller and do the same, now your text should appear on the other terminal of host2.
     258
     259== Run a server proxy Controller ==
     260As our last exercise, instead of diverging the traffic to a different server running on the same host, we will diverge the traffic to a server running on a different host and on a different port.
     261
     262Under the `ext` directory there are two files Proxy.py and myProxy.py that are similar like the previous exercise. Both of these controllers are configured by a configuration file at `ext/proxy.config`.
     263 
     264  1. On the terminal of `host3` run a netcat server:
     265  {{{
     266  nc -l 7000
     267  }}}
     268  2. On your OVS host open the myProxy.py file, and edit it to implement a controller that will diverge traffic destined for `host2` to `host3`. Before you start implementing think about what are the side effects of diverging traffic to a different host.
     269     * Is it enough to just change the IP address?
     270     * Is it enough to just modify the TCP packets?
     271   If you want to see the solution, its in file Proxy.py.py file. 
     272  3. To test your controller run:
     273  {{{
     274  ./pox.py --verbose myProxy
     275  }}}
     276  6. Go back to the terminal of `host1` and try to connect to `host2` port 5000
     277  {{{
     278  nc 10.10.1.2 5000
     279  }}}
     280  If your controller works correctly you should see your text showing up on the terminal of `host3`.
    24281
    25282----