| | 1 | |
| | 2 | = Configure OVS With Layer 3 Routing = |
| | 3 | |
| | 4 | Open vSwitch (OVS) acts as a Layer 2 device when it's not connected to its controller (and its `fail-safe-mode` is set to standalone [default]). If we want to do Layer 3 control, we need to write the control logic in its controller. However, sometimes we want to Layer 3 control while there is other Layer 3 control. For example, we want to do firewall or NAT while there is IP routing managed by XORP or Kernel Static Routing. A straightforward solution is to write your own IP forwarding logic in your controller (Yeah, practice of writing your own XORP is fun!). This is really violating the reusability principle of software engineering. Another solution is to cross your finger and hope there is someone has written it for the controller framework you use. |
| | 5 | |
| | 6 | In this page, we are going to show you how to configure OVS to work with Linux kernel static IP routing. The method is largely from the help of Ryan Izard, rizard@g.clemson.edu, from Clemson University. |
| | 7 | |
| | 8 | The topology we want to have is shown in below figure. |
| | 9 | |
| | 10 | [[Image(OVS Routing abstract.png, 30%, nolink)]] |
| | 11 | |
| | 12 | The configuration we want to have is shown in below figure. |
| | 13 | |
| | 14 | [[Image(OVS Routing detail.png, 30%, nolink)]] |
| | 15 | |
| | 16 | In summary the idea is to create a single OVS bridge for each interface on your machine that you want to assign an IP; pass the packet between the interface and the network stack through the LOCAL port of OVS; and let Linux routing handle the rest of the part. |
| | 17 | This wiki page provides step-by-step instructions. |
| | 18 | |
| | 19 | 1. Create 2 OVS bridges. |
| | 20 | {{{ |
| | 21 | ovs-vsctl add-br OVSbr1 |
| | 22 | ovs-vsctl add-br OVSbr2 |
| | 23 | }}} |
| | 24 | |
| | 25 | 2. Zero out the IP of interfaces as you will assign it to the OVS bridges (your interface names may vary). On GENI, be careful not to bring down eth0, because it is your control interface, if you bring that interface down you won't be able to login to your host! |
| | 26 | {{{ |
| | 27 | ifconfig eth1 0 |
| | 28 | ifconfig eth2 0 |
| | 29 | }}} |
| | 30 | |
| | 31 | 3. Attach interfaces to according OVS bridges. Again, don't attach control plane interface. |
| | 32 | {{{ |
| | 33 | ovs-vsctl add-port OVSbr1 eth1 |
| | 34 | ovs-vsctl add-port OVSbr2 eth2 |
| | 35 | }}} |
| | 36 | |
| | 37 | 4.Verify the configurations by: |
| | 38 | {{{ |
| | 39 | ovs-ofctl show OVSbr1 |
| | 40 | ovs-ofctl show OVSbr1 |
| | 41 | ovs-vsctl show |
| | 42 | }}} |
| | 43 | |
| | 44 | 5. Assign the IP addresses to the OVS bridges, and add routing entries (clean up ones if needed). |
| | 45 | {{{ |
| | 46 | ifconfig OVSbr1 10.10.10.1/24 up |
| | 47 | ifconfig OVSbr2 10.10.11.1/24 up |
| | 48 | }}} |
| | 49 | These will insert the corresponding routes automatically for you, and you can verify it via: |
| | 50 | {{{ |
| | 51 | route -n |
| | 52 | }}} |
| | 53 | Alternatively, you could do: |
| | 54 | {{{ |
| | 55 | ifconfig OVSbr1 10.10.10.1 up |
| | 56 | ifconfig OVSbr1 10.10.11.1 up |
| | 57 | route add -net 10.10.10.0 netmask 255.255.255.0 dev OVSbr1 |
| | 58 | route add -net 10.10.11.0 netmask 255.255.255.0 dev OVSbr1 |
| | 59 | route -n |
| | 60 | }}} |
| | 61 | |
| | 62 | 6. When an OVS bridge is installed in the Linux OS, it is wired such that any application packets or packets routed via Linux will be sent to the LOCAL port of the OVS bridge, assuming a route to that bridge exists. And, in the reverse direction, any packets sent out an OVS bridge's LOCAL port will be received by the local networking stack. |
| | 63 | |
| | 64 | Let's do an example of how a packet would traverse our network from 10.10.10.1 to 10.10.11.1. |
| | 65 | |
| | 66 | 10.10.10.1 sends the packet with destination 10.10.11.1. The packet arrives at eth1. There is an OpenFlow flow in place on OVSbr1 between eth1 and it's LOCAL port, so the packet will match this flow and be sent out the LOCAL port of OVSbr1 (i.e. port 65534). The packet is then received by the local machine's network stack. It has a destination IP of 10.10.11.1, so the routing table we have established will send the packet to the OVSbr2 network interface. OVSbr2 will receive this packet from the local network stack via it's LOCAL port (i.e. port 65534). There is an OpenFlow flow in place on OVS2 between OVS2's LOCAL port and eth2, so this packet will match that flow and be sent out eth2. From there, it will arrive at 10.10.11.1. The same process will occur in reverse. This assumes though that you insert the flows between the physical interfaces (eth1 and eth2) and the OVS LOCAL ports. That's the key to handing packet to and receiving packets from the local OS. |
| | 67 | |
| | 68 | 7. If you want to insert these flows with OVS itself, you can do something like the following: |
| | 69 | {{{ |
| | 70 | ovs-ofctl add-flow OVSbr1 in_port=port_number_of_eth1,actions=output:LOCAL |
| | 71 | ovs-ofctl add-flow OVSbr1 in_port=LOCAL,actions=output:port_number_of_eth1 |
| | 72 | ovs-ofctl add-flow OVSbr2 in_port=port_number_of_eth2,actions=output:LOCAL |
| | 73 | ovs-ofctl add-flow OVSbr2 in_port=LOCAL,actions=output:port_number_of_eth2 |
| | 74 | }}} |
| | 75 | In some cases, you must specifically use the keyword LOCAL or the port number 65534 (both mean the same thing, but OVS is particular about it). You can determine port_number_of_eth1 via: |
| | 76 | {{{ |
| | 77 | ovs-ofctl show OVSbr1 |
| | 78 | }}} |
| | 79 | |
| | 80 | 8. If you want to insert these flows via your controller, you will need to either specify port 65534 explicitly or use whatever convention your controller uses to specify the LOCAL port of a bridge. |
| | 81 | Remember to set your controller to all OVS bridges you want to control: |
| | 82 | {{{ |
| | 83 | ovs-vsctl set-controller OVSbr1 tcp:127.0.0.1:6653 ptcp:6634:127.0.0.1 |
| | 84 | ovs-vsctl set-controller OVSbr2 tcp:127.0.0.1:6653 ptcp:6634:127.0.0.1 |
| | 85 | }}} |
| | 86 | |
| | 87 | 9. Apart from these, remember to verify IP forwarding is enabled: |
| | 88 | {{{ |
| | 89 | cat /proc/sys/net/ipv4/ip_forward |
| | 90 | echo 1 > /proc/sys/net/ipv4/ip_forward |
| | 91 | }}} |
| | 92 | |
| | 93 | For an example of using this configuration, you may want to try out the [http://groups.geni.net/syseng/wiki/JoeSandbox/OpenFlowNATExample OpenFlow NAT Example]. |
