OpenFlow and Software Defined Networking, presented by Greg Ferro
OpenFlow Functions and Flow Tables
Would like to thank Greg Ferro and Ivan Pepelnjak for giving us the opportunity to sponsor this educational webinar on OpenFlow and SDN, technologies core to our offering. More information at: www.bigswitch.com Contact us at: contact@bigswitch.com
OPENFLOW FUNCTIONS
Nerd Up - Details to Follow
FLOW TABLES
OPENFLOW
- Signalling between controller and switch: controller-to-switch, asynchronous and symmetric messages
- Specifies MATCH and ACTIONS to be applied to a frame / packet.
MATCH FIELDS / CLASSIFY (OpenFlow 1.2 - may have changed)
- Ingress Port
- Metadata
- Ether src
- Ether dst
- Ether type
- VLAN id
- VLAN priority
- MPLS label, MPLS traffic class
- IPv4 SRC, IPv4 DST
- IPv4 proto (ARP opcode), IPv4 ToS bits
- TCP / UDP / SCTP src port, ICMP Type
- TCP / UDP / SCTP dst port, ICMP Code
Field                                  | Bits | When applicable                              | Notes
Ingress Port                           | 32   | All packets                                  | Numerical representation of incoming port, starting at 1 (physical or virtual port)
Metadata                               | 64   | Table 1 and above                            |
Ethernet source address                | 48   | All packets on enabled ports                 | Can use arbitrary bitmask
Ethernet destination address           | 48   | All packets on enabled ports                 | Can use arbitrary bitmask
Ethernet type                          | 16   | All packets on enabled ports                 | Ethernet type of the OpenFlow packet payload, after VLAN tags. 802.3 frames have special handling.
VLAN id                                | 12   | All packets with VLAN tags                   | VLAN identifier of outermost VLAN tag.
VLAN priority                          | 3    | All packets with VLAN tags                   | VLAN PCP field of outermost VLAN tag.
MPLS label                             | 20   | All packets with MPLS tags                   | Match on outermost MPLS tag.
MPLS traffic class                     | 3    | All packets with MPLS tags                   | Match on outermost MPLS tag.
IPv4 source address                    | 32   | All IPv4 and ARP packets                     | Can use subnet mask or arbitrary bitmask
IPv4 destination address               | 32   | All IPv4 and ARP packets                     | Can use subnet mask or arbitrary bitmask
IPv4 protocol / ARP opcode             | 8    | All IPv4 and IPv4 over Ethernet, ARP packets | Only the lower 8 bits of the ARP opcode are used
IPv4 ToS bits                          | 6    | All IPv4 packets                             | Specify as 8-bit value and place ToS in upper 6 bits.
Transport source port / ICMP Type      | 16   | All TCP, UDP, SCTP, and ICMP packets         | Only lower 8 bits used for ICMP Type
Transport destination port / ICMP Code | 16   | All TCP, UDP, SCTP, and ICMP packets         | Only lower 8 bits used for ICMP Code
ACTIONS
- Apply-Actions actions: Applies the specific actions immediately.
- Clear-Actions: Clears all the actions in the action set immediately.
- Write-Actions actions: Merges the specified actions into the current action set.
- Write-Metadata metadata / mask: Writes the masked metadata value into the metadata field.
PIPELINE PROCESSING (diagram)
Frame In -> Table 0 -> Table 1 .. -> Table n -> Frame Egress, all inside the OpenFlow Enabled Switch. Each table can add to the action Set carried along the pipeline; a Group Table with Buckets sits alongside the flow tables.
PIPELINE PROCESSING
- Good idea. Easy to implement in software.
- Difficult to implement in hardware / TCAM.
- To be addressed in future versions.
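To make the pipeline and instruction semantics concrete, here is an added toy model (example code written for this page, not from the webinar or from any OpenFlow implementation). It walks a frame from Table 0 through Goto-Table, runs Apply-Actions immediately, merges Write-Actions into the action set, applies Write-Metadata with its mask, and executes the action set at egress. Field names (`in_port`, `ipv4_dst`, `vlan_vid`), port numbers and the two-table layout are constructed for the demo; matching is exact-match only, and the action set is simplified to one action per type.

```python
"""Added example (not part of the webinar): a toy model of the OpenFlow 1.1/1.2
multi-table pipeline. It shows how the instructions on the ACTIONS slide
(Apply-Actions, Clear-Actions, Write-Actions, Write-Metadata) and Goto-Table
carry a frame from Table 0 to egress with an accumulated action set.
Field names, ports and values below are constructed for the demo."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Packet = Dict[str, object]        # constructed packet: match-field name -> value
Action = Tuple[str, object]       # ("set_field", (name, value)) or ("output", port)
Instruction = Tuple[str, object]  # ("apply_actions", [...]), ("goto_table", 1), ...


@dataclass
class FlowEntry:
    priority: int
    match: Dict[str, object]        # exact-match fields; "metadata" is (value, mask)
    instructions: List[Instruction]
    packets: int = 0                # per-rule counter, as on the STATISTICS slide


def _apply(pkt: Packet, action: Action) -> Packet:
    """Apply one action to a copy of the packet (only set_field changes it)."""
    kind, arg = action
    if kind == "set_field":
        name, value = arg
        pkt = dict(pkt)
        pkt[name] = value
    return pkt


@dataclass
class Switch:
    tables: List[List[FlowEntry]]

    def add_flow(self, table_id: int, priority: int, match: Dict[str, object],
                 instructions: List[Instruction]) -> None:
        self.tables[table_id].append(FlowEntry(priority, match, instructions))

    def lookup(self, table_id: int, pkt: Packet, metadata: int) -> Optional[FlowEntry]:
        """Return the highest-priority entry whose every named field matches."""
        best = None
        for entry in self.tables[table_id]:
            ok = True
            for name, want in entry.match.items():
                if name == "metadata":
                    value, mask = want
                    ok = (metadata & mask) == (value & mask)
                else:
                    ok = pkt.get(name) == want
                if not ok:
                    break
            if ok and (best is None or entry.priority > best.priority):
                best = entry
        return best

    def process(self, pkt_in: Packet) -> Dict[str, object]:
        """Run the packet through Table 0 .. Table n and execute the action set."""
        pkt = dict(pkt_in)
        metadata = 0                          # register carried between tables
        action_set: Dict[str, object] = {}    # simplification: one action per type
        applied: List[Action] = []            # Apply-Actions run immediately, in order
        table_id: Optional[int] = 0
        while table_id is not None:
            entry = self.lookup(table_id, pkt, metadata)
            if entry is None:
                return {"result": "table-miss", "table": table_id, "packet": pkt}
            entry.packets += 1
            next_table = None
            for kind, arg in entry.instructions:
                if kind == "apply_actions":
                    for action in arg:
                        pkt = _apply(pkt, action)
                        applied.append(action)
                elif kind == "clear_actions":
                    action_set.clear()
                elif kind == "write_actions":
                    for a_type, a_arg in arg:  # merge: a later write of the same type overwrites
                        action_set[a_type] = a_arg
                elif kind == "write_metadata":
                    value, mask = arg
                    metadata = (metadata & ~mask) | (value & mask)
                elif kind == "goto_table":
                    next_table = arg           # Goto-Table only moves forward in the pipeline
            table_id = next_table
        # End of the pipeline: execute the action set, set-field before output.
        if "set_field" in action_set:
            pkt = _apply(pkt, ("set_field", action_set["set_field"]))
        return {"result": "egress", "output": action_set.get("output", "drop"),
                "packet": pkt, "applied": applied, "metadata": metadata}


def build_demo_switch() -> Switch:
    """Constructed two-table pipeline: Table 0 classifies on ingress port, tags the
    frame and records a metadata value; Table 1 forwards on destination IP."""
    sw = Switch(tables=[[], []])
    sw.add_flow(0, 100, {"in_port": 1}, [
        ("apply_actions", [("set_field", ("vlan_vid", 10))]),  # tag now, before Table 1 sees it
        ("write_metadata", (0x1, 0xff)),                       # "arrived via port 1" for later tables
        ("goto_table", 1),
    ])
    sw.add_flow(1, 200, {"metadata": (0x1, 0xff), "ipv4_dst": "10.2.2.1"},
                [("write_actions", [("output", 3)])])
    sw.add_flow(1, 10, {}, [("write_actions", [("output", "controller")])])  # table default
    return sw


if __name__ == "__main__":
    switch = build_demo_switch()
    print(switch.process({"in_port": 1, "ipv4_dst": "10.2.2.1"}))
    print(switch.process({"in_port": 2, "ipv4_dst": "10.2.2.1"}))
```

A frame arriving on port 2 misses Table 0 and stops there, which is the behaviour the "Frame In -> Table 0" diagram implies when no entry matches; an empty action set at egress means drop. Note the difference between Apply-Actions (the VLAN tag is already on the packet when Table 1 matches) and Write-Actions (the output is deferred until the pipeline ends).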
STATISTICS
- OpenFlow tables maintain counters against rules.
- Rules could exist just to count frames / packets (no actions).
- Different to NetFlow/sFlow but functionally equivalent.
OPENFLOW PROTOCOL
- Describes the data delivery from Controller to Device. Conceptually equal to SNMP.
- SSL connection
- Controller discovery protocol
- Switch can signal link/port state to controller.
- Many gaps, many features planned.
WHAT CAN FLOW TABLES DO?
FLOW TABLES - WILDCARDS

MAC SRC | MAC DST | SRC IP | IP DST   | TCP Dport | TCP SPort | Action     | Count
*       | 00:02:. | *      | *        | *         | *         | Port 1     | 250
*       | *       | *      | 10.2.2.1 | 80        | *         | Port 3     | 320
*       | *       | 192.*  | *        | *         | *         | drop       | 890
*       | *       | 192.*  | *        | *         | *         | local      | 100
*       | *       | *      | *        | *         | *         | Controller | 11
FLOW TABLES - L3 ROUTING
Flows have destination IP subnets only.

MAC SRC | MAC DST | SRC IP | IP DST      | TCP Dport | TCP SPort | Action | Count | Note
*       | *       | *      | 10.1.1.0/24 | *         | *         | Port 1 | 250   | Destination Routing
*       | *       | *      | 10.1.2.0/24 | *         | *         | Port 2 | 320   | Routing Port 2
*       | *       | *      | *           | *         | *         | Port 3 | 890   | Default Route
FLOW TABLES - SWITCHING
- Gather MAC addresses in network.
- Set flows with wildcards but for destination MAC address.

MAC SRC | MAC DST        | SRC IP | IP DST | TCP Dport | TCP SPort | Action     | Count | Note
*       | 0000.dead.beef | *      | *      | *         | *         | Port 1     | 250   |
*       | 0000.cafe.beda | *      | *      | *         | *         | Port 2     | 320   |
*       | *              | *      | *      | *         | *         | Controller | 320   | MAC Learning
VIRTUAL SWITCHING
- No tagging needed, i.e. no MPLS.
- Combine MAC addresses into flow groups.
FLOW TABLES - FIREWALL
Firewalls do:
- Permit or deny by SRC/DST IP address
- Perform Reverse Path Forwarding, i.e. check inbound and outbound interfaces
- Maintain state for the reverse flow.
Controller location will be important (future problem).
FLOW TABLES - FIREWALL

MAC SRC | MAC DST | SRC IP   | IP DST   | TCP Dport | TCP SPort | Action     | Count | Note
*       | *       | 10.1.1.1 | 10.2.1.5 | 80        | *         | Drop       | 250   | DROP THIS
*       | *       | 10.1.1.2 | 10.2.2.1 | 80        | *         | Port 3     | 320   | ALLOW THIS
*       | *       | 192.*    | 10.2.4.* | *         | *         | Port 2     | 890   |
*       | *       | *        | *        | *         | *         | Drop       | 100   | DENY ALL
*       | *       | *        | *        | *         | *         | Controller | 11    | STATEFUL PACKET INSPECTION
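The firewall table above leaves two things implicit: the relative priority of its rows (as listed, DENY ALL would shadow the Controller row, so stateful inspection could never be reached) and how "maintain state for the reverse flow" is realised in a flow table. The following added example (written for this page, not from the webinar) makes both explicit: the slide's rows become prioritised prefix-match rules, the Controller row is scoped to an assumed inside network and placed above DENY ALL, and on the first packet of an allowed connection the controller installs an exact-match entry plus its reverse, so the reply is permitted by the table itself. "192.*" and "10.2.4.*" are written as CIDR prefixes; the 10.1/16 inside and 10.2/16 outside split, the output ports and the test packets are constructed.

```python
"""Added example (not part of the webinar): the FIREWALL flow table as
prioritised wildcard entries, plus the "stateful" part. The Controller entry is
the lowest-priority hit for new connections from the inside network; on the
first packet the controller installs exact forward and reverse entries, so the
reply is permitted by the flow table without a second trip to the controller.
Subnets, ports and the inside/outside split are constructed for this demo."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

Packet = Dict[str, object]   # constructed 4-tuple: src, dst, sport, dport

# Assumption for the demo: 10.1/16 is the protected side, 10.2/16 the outside.
INSIDE, OUTSIDE = "10.1.0.0/16", "10.2.0.0/16"


@dataclass
class Rule:
    priority: int
    src: str = "*"            # IPv4 prefix in CIDR notation, or "*"
    dst: str = "*"
    sport: object = "*"       # port number or "*"
    dport: object = "*"
    action: object = "drop"   # "drop", "controller" or ("output", port)
    count: int = 0            # per-rule packet counter


def _in_prefix(addr: str, prefix: str) -> bool:
    return prefix == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_in_prefix(pkt["src"], rule.src) and _in_prefix(pkt["dst"], rule.dst)
            and rule.sport in ("*", pkt["sport"]) and rule.dport in ("*", pkt["dport"]))


class Firewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)

    def lookup(self, pkt: Packet) -> Optional[Rule]:
        hits = [r for r in self.rules if matches(r, pkt)]
        return max(hits, key=lambda r: r.priority) if hits else None

    def forward(self, pkt: Packet) -> object:
        """Data plane: apply the best matching rule and bump its counter."""
        rule = self.lookup(pkt)
        if rule is None:
            return "table-miss"
        rule.count += 1
        if rule.action == "controller":
            return self.packet_in(pkt)
        return rule.action

    def packet_in(self, pkt: Packet) -> object:
        """Controller side: inside hosts may open connections outbound. Install
        an exact-match entry for the flow and one for its reverse direction
        above DENY ALL, so the connection state lives in the flow table."""
        if not (_in_prefix(pkt["src"], INSIDE) and _in_prefix(pkt["dst"], OUTSIDE)):
            return "drop"
        fwd = Rule(400, pkt["src"] + "/32", pkt["dst"] + "/32",
                   pkt["sport"], pkt["dport"], ("output", 2))
        rev = Rule(400, pkt["dst"] + "/32", pkt["src"] + "/32",
                   pkt["dport"], pkt["sport"], ("output", 1))
        self.rules.extend([fwd, rev])
        return fwd.action


def slide_firewall() -> Firewall:
    """The slide's rows with explicit priorities. "192.*" and "10.2.4.*" are
    written as prefixes; the Controller row is scoped to INSIDE and placed
    above DENY ALL, otherwise it could never be reached."""
    return Firewall([
        Rule(300, "10.1.1.1/32", "10.2.1.5/32", dport=80, action="drop"),         # DROP THIS
        Rule(300, "10.1.1.2/32", "10.2.2.1/32", dport=80, action=("output", 3)),  # ALLOW THIS
        Rule(300, "192.0.0.0/8", "10.2.4.0/24", action=("output", 2)),
        Rule(200, INSIDE, action="controller"),   # new inside connections: stateful inspection
        Rule(100, action="drop"),                 # DENY ALL
    ])


if __name__ == "__main__":
    fw = slide_firewall()
    print(fw.forward({"src": "10.1.7.7", "dst": "10.2.9.9", "sport": 5555, "dport": 443}))
    print(fw.forward({"src": "10.2.9.9", "dst": "10.1.7.7", "sport": 443, "dport": 5555}))
    print(len(fw.rules), "rules now in the table")
```

Two properties worth checking on any real deployment of this pattern: unsolicited inbound packets never match the Controller row (its source prefix is the inside network) and fall through to DENY ALL, and the per-connection entries installed by the controller are the "state", so their lifetime (idle and hard timeouts) decides how long a closed connection's reverse path stays open.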
FLOW TABLES - MULTIPATH

MAC SRC | MAC DST | SRC IP   | IP DST   | TCP Dport | TCP SPort | Action     | Count | Note
*       | *       | 10.1.1.2 | 10.2.2.1 | 80        | *         | Port 3     | 320   | Path 1
*       | *       | 192.*    | 10.2.4.* | *         | *         | Port 2     | 890   | Path 2
*       | *       | 192.*    | *        | *         | *         | local      | 100   | Stay Local
*       | *       | *        | *        | *         | *         | Controller | 11    |
FLOW TABLES - L2 FAILOVER
Flow via Port 1 normally, but Port 3 during failure (assumes flow removed or disabled if Port 1 fails!)

MAC SRC | MAC DST        | SRC IP | IP DST | TCP Dport | TCP SPort | Action | Count | Note
*       | 0000.dead.beef | *      | *      | *         | *         | Port 1 | 250   | L2 Switch - 1
*       | 0000.cafe.beda | *      | *      | *         | *         | Port 2 | 320   | L2 Switch - 2
*       | *              | *      | *      | *         | *         | Port 3 | 0     | L2 Switch - Everything else?
FLOW TABLES - POLICY ROUTING

MAC SRC | MAC DST | SRC IP  | IP DST     | TCP Dport | TCP SPort | Action | Count
*       | *       | 10.1/16 | 192.168/24 | *         | *         | Port 1 | 250
*       | *       | 10.1/16 | 172.16/16  | *         | *         | Port 2 | 320
*       | *       | *       | *          | *         | *         | Port 3 | 0

Performance improvement
LOAD BALANCING (two tables in the pipeline)

Pipeline In:
MAC SRC | MAC DST | SRC IP  | IP DST     | TCP Dport | TCP SPort | Action         | Count
*       | *       | 10.1/16 | 192.168/24 | *         | *         | Rewrite Header | 250
*       | *       | 10.1/16 | 172.16/16  | *         | *         | Rewrite Header | 320
*       | *       | *       | *          | *         | *         | Port 3         | 0

Pipeline:
MAC SRC | MAC DST | SRC IP   | IP DST      | TCP Dport | TCP SPort | Action         | Count
*       | *       | 10.1.1.1 | 192.168.1.1 | *         | *         | Port 1         | 250
*       | *       | 10.1.1.2 | 192.168.1.2 | *         | *         | Rewrite Header | 250
BUSINESS CASES
- I want my SAP traffic to have priority. But no more than 20%.
- If my Hadoop cluster is running then allocate a dedicated set of paths through the network for it. Move all other traffic to other links/services provided it doesn't reduce below an SLA.
- Every IP flow has a matching security policy as a flow entry.
OPENFLOW IS DUMB
OpenFlow is an API and protocol from controller to the network device!
What does the controller do? EVERYTHING.
(Diagram: UI -> Controller -> Network Model -> 'OpenFlow' -> OpenFlow Network; more about the controller soon.)
FLOWS - TYPICAL MISTAKES
- I don't need a flow entry for every MAC or IP address or TCP protocol. Subnet to subnet is usually enough.
- In some designs, the forwarding entries will rarely change.
- Cascading flow tables for alternate paths, from most specific to less specific.
- Devices could handle large numbers of OF updates. But why? Updating flow tables is difficult and will take time to prove reliability. Seen as a major problem.
FLOW ROUTING VS AGGREGATION

Flow Routing
- Every flow setup by controller
- Exact match flow entries
- Fine grained control
- Edge / Access Layer

Aggregate Control
- Wildcard flow entries
- Flow table has limited entries per flow group
- Core / Backbone Layer

Routing / Switching, Firewall / Load Balancing
REACTIVE / PROACTIVE FLOW GENERATION

REACTIVE
- First frame/packet triggers controller for flow entry creation
- Small flow table
- Flow setup latent
- Controller availability vital

PROACTIVE
- Controller generates flow table for architecture
- Lower latency
- Less flexible/dynamic
- Wildcard flow entries
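The reactive and proactive models above behave very differently under the same traffic, and the "controller availability vital" point is easiest to see when the controller is simply absent. The added example below (written for this page, not from the webinar) simulates the SWITCHING table both ways: reactively, every table miss is a packet-in, the controller learns the source MAC and the switch installs an exact-match entry for the destination; proactively, the MAC-to-port map is pre-installed and the controller is never consulted. The two MACs are the ones on the SWITCHING slide; the port numbers, frame sequence and counters are constructed.

```python
"""Added example (not part of the webinar): reactive versus proactive flow
generation for the SWITCHING table. Reactive: every table miss becomes a
packet-in, the controller learns the source MAC and answers with a port that
the switch installs as an exact-match entry. Proactive: the controller
pre-installs the MAC-to-port map and the switch never asks. Hosts, ports and
the frame sequence are constructed; the MACs are the ones on the slide."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Frame = Tuple[int, str, str]   # (ingress port, src MAC, dst MAC)
HOST_A, HOST_B = "0000.dead.beef", "0000.cafe.beda"
FRAMES: List[Frame] = [(1, HOST_A, HOST_B), (2, HOST_B, HOST_A),
                       (1, HOST_A, HOST_B), (1, HOST_A, HOST_B)]


@dataclass
class Controller:
    available: bool = True
    mac_to_port: Dict[str, int] = field(default_factory=dict)

    def packet_in(self, in_port: int, src: str, dst: str) -> Optional[int]:
        """Learn where src lives; answer with dst's port if already known."""
        self.mac_to_port[src] = in_port
        return self.mac_to_port.get(dst)


@dataclass
class Switch:
    controller: Optional[Controller]
    flows: Dict[str, int] = field(default_factory=dict)   # dst MAC -> output port
    stats: Dict[str, int] = field(
        default_factory=lambda: {"hit": 0, "packet_in": 0, "flood": 0, "drop": 0})

    def forward(self, in_port: int, src: str, dst: str) -> str:
        if dst in self.flows:                 # exact-match entry, like the slide's first two rows
            self.stats["hit"] += 1
            return f"port{self.flows[dst]}"
        # Table miss: the slide's last row ("* ... Controller") sends the frame up.
        self.stats["packet_in"] += 1
        if self.controller is None or not self.controller.available:
            self.stats["drop"] += 1           # no controller, no flow setup, no forwarding
            return "drop"
        port = self.controller.packet_in(in_port, src, dst)
        if port is None:
            self.stats["flood"] += 1          # destination not learned yet
            return "flood"
        self.flows[dst] = port                # flow-mod: install the learned entry
        return f"port{port}"


def reactive_run(frames: List[Frame], controller_up: bool = True):
    sw = Switch(controller=Controller(available=controller_up))
    return [sw.forward(*f) for f in frames], sw.stats, len(sw.flows)


def proactive_run(frames: List[Frame], mac_map: Dict[str, int]):
    """Controller pre-populates the table from its model of the network; unknown
    destinations are simply dropped (less flexible, but no setup latency)."""
    sw = Switch(controller=None, flows=dict(mac_map))
    return [sw.forward(*f) for f in frames], sw.stats, len(sw.flows)


if __name__ == "__main__":
    print("reactive :", reactive_run(FRAMES))
    print("proactive:", proactive_run(FRAMES, {HOST_A: 1, HOST_B: 2}))
    print("ctrl down:", reactive_run(FRAMES, controller_up=False))
```

Reactive mode needs three packet-ins and one flood before the two exact entries exist, which is the "flow setup latent" cost; with the controller down nothing is ever forwarded. Proactive mode forwards every frame on the first try but silently drops a host the controller's model does not know about, which is the "less flexible/dynamic" trade-off.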
DISCUSSION POINTS
- May offer some freedom from hardware.
- Possible to buy very cheap, very dumb hardware for parts of your network that have OpenFlow support.
- Also possible to buy very complex, feature-rich firmware including OpenFlow support (à la IOS and Junos).
THANKS
http://packetpushers.net
http://www.bigswitch.com
http://ipspace.net