Demo of Open vSwitch and OpenFlow using Network Namespaces

Video Statistics and Information

Captions
Welcome to this demo. In this demo I'm going to show you how you can play with Open vSwitch and OpenFlow flow rules. So let's start. Here I have a virtual machine, and it is a Mininet VM; it is a network virtualization and emulation operating system that you can download from mininet.org. What we are going to do next is create a virtual bridge, then create a couple of network namespaces and connect those through the bridge, and see how the connectivity works, as well as play with some OVS command-line tools, ovs-vsctl and ovs-ofctl, which will allow us to modify the flows or show the existing flows. That way we can actually see how we can use OpenFlow rules on Open vSwitch to restrict the flow of traffic.

So let's get started. First I'm going to create a bridge, but before that I have already created a plotnetcfg diagram using the plotnetcfg program, and this is what it looks like right now: all we have right now is lo and eth0. Excuse me, so eth0 is where we are connected to right now. If I show you right now, this is how we can see the IP address, and this is the diagram of that. plotnetcfg is a great small utility that you can use to visualize your network. As soon as I use this command, ovs-vsctl add-br br0, and run plotnetcfg again, I can see that now I have a new item added here, which is br0 (Open vSwitch), and ovs-system (Open vSwitch). You can ignore this ovs-system, because I think it is a kernel placeholder for Open vSwitch; it gets automatically created as soon as you create a switch, and it can get deleted as soon as you delete a switch. The next thing we are going to see is that we set this bridge to come up, and if we do that and see the diagram, we can actually see that the diagram shows the bridge in green, and that means it is up.

The next thing we want to see is whether we can connect our eth0 to go through that bridge instead of directly going out through eth0. Before that, I am going to show you what it looks like right now. If I run the ip address command, this is what we see: we have ovs-system, we have eth0, we have br0. br0 is set to UNKNOWN when we set it to come up, and that's expected. What we want to do next is flush the IP address of eth0, connect that to br0, and get an IP address for br0. For that I'm going to exit out of this shell and go back to the VM, actually the VM console through Virtual Machine Manager, and if you cannot see this I apologize in advance, but I couldn't actually find a good way to make it any bigger than this. Here what we are going to do is ovs-vsctl add-port br0 eth0. What that does is, if you look at it, we will not really see anything here, but I'll show you the diagram in a minute; it essentially connected eth0 to br0, and we can verify that using ovs-vsctl show. You can see the eth0 port is connected to the bridge, and the interface is also named eth0.

Next we want to do ip address flush dev eth0, so the ip address command will not show any IP address for eth0 anymore, although the interface is still up. Now we use dhclient br0 to acquire a new IP address. Once we do that and run the ip address command, we can see it has gotten a new IP address, and it is set to 125.117, contrary to the one we had previously. So we will do 125.117, and we are in the VM again. Now we can go back to this better screen, and if I want to see the diagram I have to update the address here again. I could potentially try assigning the same address as before by using static addressing, but I was just lazy to try that out and I thought DHCP would help us. So that's all we do here, and now we have br0 up, eth0 is connected to it, and br0 actually has the IP address. So now the traffic is going out of br0, and since we were able to SSH into the system, that means we are already connected and traffic is flowing as expected.

The next thing we are going to do is use the ip netns command, and what that will do is tell us if there are any existing network namespaces. There are none, so we are going to create two of them: one is called red, another one is called blue. Then let's see what our diagram shows. If you look at the diagram, the diagram is getting a little bigger now; we have blue and red as two network namespaces, and they are shown here in a rectangular container (container, pun intended), because this is probably how container runtimes create the network namespaces to hold the container networking in an isolated environment from the host operating system. Once we move that out of our way, we need to first bring up the loopback interfaces on these, and that's because if you look at the current status, the loopback interfaces are shown in gray, so they are currently not active. So if I were to actually go into one of these namespaces and look at the bash... sorry, if you go into the namespace blue, I'm inside the namespace, and all we have here is lo, and it's currently set to DOWN. If I do ping -c2 localhost, it says network is unreachable, or even if I use 0.1, I can't do any of that now. Because we have the network unreachable error, we first need to make sure that we bring up the interfaces, so we are going to do that using these commands, where we just use ip link set dev lo up, and we execute that using ip netns exec inside the blue namespace as well as inside the red namespace. Now if we see our diagram again, both of the interfaces are up. If you're seeing this, give me one second. Now if we actually go back into one of the namespaces and run ping localhost, it works, so that proves that we just brought up the interfaces. Now exit out of the namespace again; as you can see, we are out of the namespace and we are in the root namespace here.

The next thing we are going to do is create a pair of virtual Ethernet cables that will allow us to connect from the blue and red namespaces to br0 respectively. To do that we need to create a virtual Ethernet pair (a veth pair), and that can be done using these commands. So I just created two Ethernet cables, veth b1/b2 and r1/r2, and these are the names of the two ends of a single Ethernet cable. Imagine that if you have a single physical Ethernet cable in your hand, it has two ends, both of those probably RJ45 connectors: one is going to go into the namespace, and the other one is going to go into the bridge. We are currently naming those interfaces b1, b2 and r1, r2 so that we can identify and operate on those. If I refresh the diagram again, now we can see that we actually have these two... sorry, veth pairs created here, r1, r2, b1, b2, but they are currently not connected anywhere, they are not doing anything, they are down.

The first thing we want to do is take the r1 and b1 ends of those and put them into the namespaces, and take the r2 and b2 ends and connect those to br0. We will do that using this command: ip link set r1 and b1 to netns red and blue. Refresh our diagram, and we see that the Ethernet pairs are connected. The next thing we do is take the other end of the cable and plug that into the bridge br0. When we do that and refresh our diagram again, we can see visually that we just took those pairs of cables and attached them to the bridge and the network namespaces respectively. Now the next thing we would want to do is bring those up and add some IP addresses on those, so that we can actually allow communication to happen to and from these namespaces and the host namespace. This is the root namespace, in which we have two other namespaces that are isolated from the host network namespace; the host network namespace is the primary network namespace on your system, and these are the isolated ones that we created just now. For containers and virtual machines, they probably use something similar on the backend to what we are seeing here today in the demo. Now let's go ahead and take care of bringing those up. I'm going to run all these four commands. As you can see, I just ran these four commands; two of them executed in the host namespace and the other two executed in the network namespaces. We refresh our diagram and we see that now all of these are green, which means they're up. Once we are done with that, we assign IP addresses to them, so we go here and run this command with the IP addresses. With the diagram refreshed, we can actually see that everything has an IP address now; we have IP addresses on these r1, r2 and b1, b2 interfaces. Now if we were to try to ping all of them, we should be able to do that, and for that I am going to run ping -c2 for all four of them back to back. So let's do that. We have been able to ping one six nine six five, one two two seven five, one one nine six four and one two two seven four, so we are able to ping these interfaces from the host operating system.

Now what we want to do is, from the host namespace, we can actually jump into one of these namespaces, so let's go for the blue namespace. We are here right now; if we say ip address, we can see we have the same IP address that we see here, and let's try to ping the other end, which is 192.168.122.74. Sure, we can do that, so that means our networking is properly set up.

The next section of the demo is where we have OpenFlow. In this OpenFlow demo, what we are going to do is see the existing flows that exist in the flow table, table 0, on this switch br0. We can see there is only one entry. cookie is a field you can probably ignore, because that's what I've heard from some people in OpenShift networking and in one of the meeting recordings that I saw. duration is how long the switch has had this particular rule present on the switch, then the number of packets it has processed and the number of bytes in those packets it has processed. priority is set to zero; zero is the lowest priority, or a very low priority; as you can see, the higher the priority, the more importance that rule gets when a packet arrives. And action is set to NORMAL, so right now this switch, even though it is Open vSwitch, is not doing anything special; it's acting like any other switch, and it is actually forwarding the traffic on all of its ports.

So now we are going to add some new rules. First, we can also see that if we use ovs-ofctl show br0, we can actually see what ports of this bridge are connected to what interfaces: port number 1 is connected to eth0, port 2 is veth r2, port 3 is veth b2, and LOCAL itself is br0. This is a good command to see the port IDs, because in some of the flow rules you need to use something like action=output on port 2 or port 4 or whatever that could be; that's part of the syntax, and you can look it up in the man pages. But for now I'm going to add some simple rules. Let's see: now I can actually ping 192.168.122.74 again; let's try to use a flow rule to stop that. Using this rule, now if I check the dump-flows command, I see a new rule that is added with priority 10; it's still in the same table, table 0, and it says that if ICMP traffic, or a ping, is coming with a network destination of 192.168.122.74, then the action is to drop that packet. Let's see what happens if we ping. There you go: we sent two packets of ICMP type and it's not returning any of that. Let's exit out of that and let's see dump-flows. Here's an interesting fact about the dump-flows command: it can actually show you the number of packets processed and the number of bytes, and here it's telling you it has seen two packets that match this rule, those packets together comprised 196 bytes in total, and it dropped those; we could not get the ping response. And the duration says that this rule has been active, or was added, about 47 seconds ago, or if I check again, 79 seconds ago now.

Now let's see how the priorities work. If I were to say that I want to add a new rule with a higher priority of 11, instead of priority 10 as you can see here, that rule would actually allow the ICMP packets and things should start working again. So here's that rule: we just added another rule, a flow entry in the flow table, and that says, at priority 11 (so it has higher priority), if an ICMP packet comes in with the network destination of 122.74, the action is NORMAL. So it's no longer dropping the packets, and sure enough we get our packets flowing.
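The flow-table behaviour the demo ends on (a priority-10 ICMP drop that a priority-11 NORMAL rule silently overrides) is exactly the kind of thing worth checking mechanically when reviewing a bridge's policy. The following Python is an added example, not code from the video or from the Open vSwitch project: it parses `ovs-ofctl dump-flows` text, works out which rule wins for a given packet (highest priority, with same-priority overlaps flagged as ambiguous since OpenFlow leaves that order undefined), and lists rules that can never match because a higher-priority rule with a subset of their match criteria shadows them. The `SAMPLE_DUMP` text is constructed to mirror the three rules built in the demo, not captured from the demo VM; the counters and durations in it are made up.

```python
"""Audit helper for `ovs-ofctl dump-flows` output (added example, not the video's code).

It answers two questions a reviewer of a bridge's OpenFlow policy wants answered:
  1. which rule actually handles a given packet, and
  2. which rules are dead because a higher-priority rule shadows them.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample of `ovs-ofctl dump-flows br0` output; values are invented.
SAMPLE_DUMP = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=79.102s, table=0, n_packets=2, n_bytes=196, priority=10,icmp,nw_dst=192.168.122.74 actions=drop
 cookie=0x0, duration=5.013s, table=0, n_packets=0, n_bytes=0, priority=11,icmp,nw_dst=192.168.122.74 actions=NORMAL
 cookie=0x0, duration=1143.421s, table=0, n_packets=341, n_bytes=28912, priority=0 actions=NORMAL
"""

# Keys that describe the flow entry itself rather than what it matches.
ENTRY_KEYS = {"cookie", "duration", "table", "n_packets", "n_bytes", "priority",
              "idle_age", "hard_age", "idle_timeout", "hard_timeout"}
# Bare protocol shorthands that dump-flows prints without a key.
PROTO_TOKENS = {"ip", "arp", "icmp", "tcp", "udp", "ipv6", "icmp6"}
IP_FAMILY = {"ip", "icmp", "tcp", "udp"}   # 'ip' in a rule matches any of these


@dataclass
class Flow:
    priority: int
    table: int
    n_packets: int
    n_bytes: int
    match: dict      # e.g. {"proto": "icmp", "nw_dst": "192.168.122.74"}
    actions: str     # e.g. "drop" or "NORMAL"


def parse_dump_flows(text: str) -> list[Flow]:
    """Turn dump-flows text into Flow records; header lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("cookie="):
            continue
        head, _, actions = line.partition(" actions=")
        entry, match = {}, {}
        for tok in (t.strip() for t in head.split(",")):
            if not tok:
                continue
            if "=" in tok:
                key, val = tok.split("=", 1)
                (entry if key in ENTRY_KEYS else match)[key] = val
            elif tok in PROTO_TOKENS:
                match["proto"] = tok
            else:
                match[tok] = True          # flag-style tokens, kept verbatim
        flows.append(Flow(priority=int(entry.get("priority", 32768)),
                          table=int(entry.get("table", 0)),
                          n_packets=int(entry["n_packets"]),
                          n_bytes=int(entry["n_bytes"]),
                          match=match, actions=actions.strip()))
    return flows


def _criterion_ok(key: str, want, packet: dict) -> bool:
    if key == "proto":
        have = packet.get("proto")
        return have == want or (want == "ip" and have in IP_FAMILY)
    return packet.get(key) == want


def matches(flow: Flow, packet: dict) -> bool:
    """A rule matches when every one of its criteria holds; an empty match is a catch-all."""
    return all(_criterion_ok(k, v, packet) for k, v in flow.match.items())


def effective_action(flows: list[Flow], packet: dict, table: int = 0) -> tuple:
    """(actions, priority) of the winning rule; ('table-miss', None) if nothing matches;
    ('ambiguous', prio) if several equal-priority rules with different actions overlap."""
    hits = sorted((f for f in flows if f.table == table and matches(f, packet)),
                  key=lambda f: f.priority, reverse=True)
    if not hits:
        return ("table-miss", None)
    top = hits[0]
    tied = [f for f in hits if f.priority == top.priority]
    if len(tied) > 1 and len({f.actions for f in tied}) > 1:
        return ("ambiguous", top.priority)
    return (top.actions, top.priority)


def shadowed_rules(flows: list[Flow]) -> list[tuple[Flow, Flow]]:
    """(dead_rule, shadowing_rule) pairs: the shadowing rule sits in the same table at a
    strictly higher priority and its criteria are a subset of the dead rule's, so every
    packet the dead rule could match is taken first by the higher one."""
    found = []
    for low in flows:
        for high in flows:
            if high is low or high.table != low.table or high.priority <= low.priority:
                continue
            if all(low.match.get(k) == v for k, v in high.match.items()):
                found.append((low, high))
                break
    return found


if __name__ == "__main__":
    rules = parse_dump_flows(SAMPLE_DUMP)
    ping_to_blue = {"proto": "icmp", "nw_dst": "192.168.122.74"}
    print("ICMP to 192.168.122.74 ->", effective_action(rules, ping_to_blue))
    for dead, by in shadowed_rules(rules):
        print(f"priority {dead.priority} {dead.actions!r} is shadowed by priority {by.priority} {by.actions!r}")
```

Running it against the sample prints that ICMP to 192.168.122.74 is handled by the priority-11 NORMAL rule and that the priority-10 drop is shadowed, which is the state the demo leaves the bridge in; the drop rule's `n_packets=2` counter only records the two pings sent before the override was added. The proto handling is deliberately minimal (only the `ip` family is treated as a superset), so rules matching on `dl_type` or `nw_proto` numerically would need the table extended.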
Info
Channel: Kedar Kulkarni
Views: 692
Rating: 4.6923075 out of 5
Keywords: Openvswitch, ovs, ovn, openflow, networking, sdn, linux, bridges, switches, software-defined networking, open virtual network, open source, ubuntu
Id: ibsacGP59HU
Channel Id: undefined
Length: 19min 3sec (1143 seconds)
Published: Tue Feb 23 2021