Underneath OpenStack Quantum: Software Defined Networking with Open vswitch Principal Software Engineer Red Hat, Inc. April 24, 2013 1
Part One Why Open vswitch? Open vswitch enables Linux to become part of a Software Defined Networking architecture. Application Application Application Network Operating System VM1 VM2 Switch Switch Open vswitch Switch 2
Switched Networks Switches learn from the network traffic they observe and decide independently. Compute Node A Network Node B 1 2 3 4 5 6 Bridge Bridge L3 Agent Switch 1 Switch 2 Switch 3 Peter Alice 3
Dynamically update flow tables in a universal language. In the Software Defined Networking architecture, the control and data planes are decoupled, network intelligence and state are logically centralized, and the underlying network infrastructure is abstracted from the applications. Software-Defined Networking: The New Norm for Networks ONF White Paper April 13, 2012 4
Software Defined Networking A logically centralized controller decides what is best for the network based on a global view of the network. Compute Node A Network Node B 1 2 3 4 5 6 vswitch 1 vswitch 2 L3 Agent Controller Switch 1 OpenFlow Peter Switch 2 Switch 3 Alice 5
Software Defined Networking An attempt to create a well-known API for applications of the Network that did not succeed yet. OpenDaylight on its way to make this happen. Application Application Application Network Operating System Open Interface (OpenFlow) Switch Vendor X Virtual Switch B Virtual Switch A Switch Vendor Y 6
OpenFlow The Open Standard behind it. 1. 2. Match on arbitrary Execute actions bits in packet Forward to port (header) Drop Send to controller Mangle packet OpenFlow enables networks to evolve, by giving a remote controller the power to modify the behavior of network devices, through a well-defined "forwarding instruction set". The growing OpenFlow ecosystem now includes routers, switches, virtual switches, and access points from a range of vendors. 7 ONF Website
OpenFlow Capable Devices Software Switches Open vswitch, Cisco Nexus 1000V VMware vsphere, NEC Hyper-V,... Hardware Switches Brocade, Cisco, HP, IBM, Juniper Networks, NEC,... Switching ASICs Indigo Open source firmware leveraging Ethernet switch ASICs to support up to 48x 10G ports Mellanox SwitchX-2 chip 8
Is it production ready? 9
Part Two Open vswitch Open vswitch is a virtual switch for hypervisors providing network connectivity to virtual machines. Compute Node A Controller Network Node B 1 2 Compute Node A 3 Open Flow Open Flow Open Flow 1 2 3 Open vswitch Open vswitch L3 Agent Hardware Switch Alice Peter 10
Open vswitch Project Primarily used as a virtual switch for VMs Multi Platform (Linux, Microsoft, and Silicon) Developed by Nicira & Community Apache License (User Space), GPL (Kernel) OpenFlow 1.1 + extensions Any netdevice (physical/virtual) can be added as uplink port 11
How does it work? Open vswitch maintains a flow table that defines what to do with each flow. Compute/Network Node 1 2 3 n Open vswitch Quantum OVS Agent Quantum L3 Agent Quantum DHCP Agent br-eth1 br-int Patch ports br-tun br-ext Flow table OpenFlow Controller eth1 eth0 To Network Node External Network 12
Feature Fine Grained Flow Table Control Extensive flow matching capabilities Layer 1 Tunnel ID, In Port, QoS priority, skb mark Layer 2 MAC address, VLAN ID, Ethernet type Layer 3 IPv4/IPv6 fields, ARP Layer 4 TCP/UDP, ICMP, ND Possible chain of actions Output to port (port range, flood, mirror) Discard, Resubmit to table x Packet Mangling (Push/Pop VLAN header, TOS,...) Send to controller, Learn 13
Feature Security / L2 Segregation VLAN isolation enforces VLAN membership of a VM without the knowledge of the guest itself. Compute Node # ovs-vsctl add-port ovsbr port2 tag=10 VLAN 1 VLAN 2 VM1 VM2 VM3 Open vswitch Caveat: MAX(VLAN_ID) limited 14
Feature Tunneling Tunneling provides isolation and reduces dependencies on the physical network. Compute Node 1 Controller Compute Node 2 VNET 1 VNET 1 VNET 2 VNET 2 VM1 VM2 VM3 Open Flow Open Flow VM4 VM5 VM6 Open vswitch Open vswitch { GRE STT VXLAN } Tunnel Hardware Switch 15
Feature Visibility Supports industry standard technology to monitor the use of a network. NetFlow Port Mirroring SPAN RSPAN ERSPAN 16
Feature Quality of Service Uses existing Traffic Control Layer Policer (Ingress rate limiter) HTB, HFSC (Egress traffic classes) Controller (Open Flow) can select Traffic Class # ovs-vsctl set Interface port2 \ ingress_policing_rate=1000 Virtual Host VM1 VLAN 10 VM2 1mbit port1 ovsbr port2 17
Architecture Management ovs-ofctl ovs-dpctl OpenFlow sflow ovsdb-tool ovs-vsctl (3) User space 2 5 upcall reinject vswitchd ovsdb Netlink 4 Kernel Datapath 6 Packet Processing From NetDevice 1 To NetDevice 7 Flow Table Management Workflow Promiscuous Mode 18
Modifying the Flow Table Strip VLAN header of all packets from MAC address 11:22:33:44:55:66 and forward packet to port 1. # ovs-ofctl add-flow ovsbr \ dl_src=11:22:33:44:55:66,actions=strip_vlan,output:1 # ovs-ofctl dump-flows ovsbr [...] cookie=0x0, duration=36.24s, table=0, n_packets=0, n_bytes=0, idle_age=36, dl_src=11:22:33:44:55:66 actions=strip_vlan,output:1 19
Questions? Open vswitch http://www.openvswitch.org/ OpenFlow http://www.openflow.org/ Open Networking Foundation sflow http://www.opennetworking.org/ http://www.sflow.org/ Going with the Flow: Google s Secret Switch to the Next Wave of Networking http://www.wired.com/wiredenterprise/2012/04/going-with-the-flow-google/ 20