OpenFlow flow entries on Open vSwitch (OVS)

Captions
In this video we will look at working with flow entries on Open vSwitch, which I'll demonstrate using the ovs-ofctl command to manually add flow entries to OVS. The flow entries in the OpenFlow table of a switch like OVS control the behavior of packets arriving at that switch. Flow entries would usually be installed dynamically using an SDN controller; however, installing them manually greatly helps us understand the concepts of flow entries. Everything I cover here is found in the ovs-ofctl man page, which can also be found at openvswitch.org in their documentation section. If you're not already familiar with Open vSwitch, OpenFlow or Mininet, I'll link to the source organizations' websites for much more information. Also, you can watch my introduction videos to all three topics on my YouTube channel.

I'll use Mininet to emulate a simple network with one OVS switch as well as three emulated hosts. The hosts will be h1 through h3, and the switch ports s1-eth1, s1-eth2 and s1-eth3. Something very important here is that although our system sees these port names, we need to know how these port names map to OpenFlow port numbers, which in this diagram can be seen as OpenFlow ports 1, 2 and 3. In a moment I'll show a way to check this mapping.

Here I'm running Mininet in a virtual machine downloaded from mininet.org, and I'm running the VM in VirtualBox as the hypervisor. I'll launch the topology just shown with: sudo mn --topo=single,3 --controller=none --mac. The --controller=none option is there because I don't want Mininet to use the default controller, since I'll be adding flow entries manually, not with the help of an SDN controller. I also use the --mac option; this gives me easy-to-read MAC addresses, which you will see later. Let's check our topology: dump, and I see the nodes as expected; net, and I see the links between the nodes are as expected from the diagram. As I noted before, we will need to know how the ports s1-eth1, s1-eth2 and s1-eth3 map to OpenFlow port numbers: ovs-ofctl show s1 shows me these mappings. By the way, in this video you'll see me use sh from the Mininet prompt a lot. This is for commands that need to be run from the system shell, not from the Mininet prompt; sh lets me avoid flipping back and forth between the system shell and the Mininet prompt.

Normal action flow entry

So let's add our first flow entry. In this first example I have not specified any match conditions, I only provided an action. This means we will match every packet. The action I specified, the normal action, means traditional L2 switch behavior, so all I'm doing here is telling switch s1 to just do normal L2 switch forwarding. Let's test this out with pingall. This looks good: all three hosts can reach one another. Let's ask switch s1 to tell us all of its flow entries with sh ovs-ofctl dump-flows s1. Here's the single flow entry, and we can see 24 packets covering 1680 bytes have hit this rule. We also see how long this flow entry has been in the table, 31 seconds, and how long it's been since a packet has actually hit this rule, which is the idle age, 7 seconds here. Now I'll delete this entry with ovs-ofctl del-flows s1. This command means to delete all flow entries on s1; here there's just one, but keep in mind this command deletes all of them. If we do dump-flows again we see there are no longer any flow entries. pingall, and we see we no longer have connectivity since there are no rules remaining: here's h1 timing out and h2 timing out.

Layer 1 matching

Now let's do some actual matching. I'll start with a layer 1 match and just say anything that arrives at OpenFlow port 1, send that out OpenFlow port 2, and also the reverse: anything in port 2, send to port 1. Back at the Mininet prompt I'll add two flow entries now, so anything in port 1 goes to port 2 and anything in port 2 goes to port 1. I match on ingress port with in_port, and specify an output port or ports with output: followed by the output ports. So let's check this: h1 ping with a count of 2 to h2, and we see h1 and h2 can reach each other. However, note I didn't put in any rules for port 3, where h3 is uplinked, so if I try to ping from h3 to h2 you can see this time out. Let's do dump-flows again, ovs-ofctl dump-flows s1, and we can see our two flows, and they both have hits to them. On these two flows I defined a priority of 500. Priority is a critical concept: if a packet arrives at an OpenFlow switch and I have 20 flow entries that all match that packet, only the flow entry with the highest priority will be used; all others will be ignored. If you are familiar with traditional switch ACLs, this is the same idea, where the first match is acted on and all other matches later in the ACL would be ignored.

Let's quickly test this priority concept with a new flow entry. This flow entry has a higher priority, 32,768, which happens to be the default priority when you don't specify one. The action here is to drop. Also, there are no match conditions listed, which means this rule matches every packet. h1 ping h2 again, so we try to ping, and we can see I've cut off my connection between h1 and h2. If you do a dump-flows again we'll see the new drop rule getting hits and preventing any connectivity. Also look how priority isn't listed for that rule; that's because it has the default priority of 32,768. Priorities can range from 0 to 65,535. Now let's remove only that wildcard flow, so I'll do ovs-ofctl del-flows s1, but now I'm using the --strict option, which says to only remove that one wildcard flow. dump-flows again, and we see the drop rule is gone while the original flows remain. If you try to ping again you'll see that we have connectivity once more.

Layer 2 matching

Now let's do a layer 2 match. If you recall, when I launched Mininet I used the --mac option; that's why I have these easy-to-read MAC addresses. Here for my flow entries I'll say anything from the MAC address of h1 to the MAC address of h2 should go out port 2, and also the reverse: anything from the MAC of h2 to the MAC of h1 should go out OpenFlow port 1. Let's add these flow entries. It looks like I cut off a little at the end there, but dl_src and dl_dst are used to match on layer 2, so in this case to match on source and destination MAC addresses. So these rules cover the behavior just described: in the first rule, from h1's MAC to h2's MAC, we see we send output to port 2, and from h2's MAC to h1's MAC, output to port 1. So I have my layer 2 matching. However, there's an outstanding issue: I also have to account for ARP, otherwise these hosts won't be able to learn each other's MAC addresses. Recall that ARP requests are broadcast messages, so these two flow entries won't work because they don't cover layer 2 broadcasts. ARP replies are unicast, so these rules actually will cover ARP replies. So to match ARP requests I'm using some new fields: dl_type=0x806, which is the EtherType value for ARP; also ARP opcode 1 is for ARP requests, so I use nw_proto=1, and that takes care of that. In the comments I'll list the common dl_type and nw_proto values. My action here is flood, just to make this easy for now. flood means to send a packet out all ports except the one it arrived on, like normal switch flooding. Let's make sure this worked: pingall, and we can see h1 and h2 can reach one another but no one can reach h3. This is expected since I didn't put in any flow entries to send packets to h3. If we break out of there and do dump-flows on s1, we'll see our three rules and that we have hits to all three rules.

Layer 3 matching

Now let's match on IP addresses at layer 3. I'll let all the hosts talk to one another in this example. Also I'll do a packet modification: I'll give all packets coming from h3 a DSCP value of 46. So maybe I want to do this for quality of service, to mark packets from h3 for expedited forwarding. Let's clean up our old flows, and now I'll add some layer 3 rules. So first I'll allow anything in 10.0.0.0/24 to talk to one another. I'm matching here with nw_src for source IP and nw_dst for destination IP; the action is the normal action. I'm using dl_type=0x800, which corresponds to IP version 4. In the second rule, instead of saying dl_type, I'm now showing the use of the keyword ip. You can use keywords instead of trying to remember dl_type and nw_proto numbers; again, I'll list many of these in the comment section.

Now a critical point here: when defining matches at layer 3 or layer 4, you have to follow what the ovs-ofctl man page calls normal form. What that means is, if you're trying to match on a layer 3 field, you are required to specify the dl_type, like 0x800 in this example, or use an appropriate keyword like the ip keyword. If you leave dl_type out, OVS will ignore your specification of network source and network destination, and it turns those fields into a wildcard, or match any. So again, when you're calling out layer 3 fields you have to specify the dl_type. Also, when you're matching on layer 4 fields like TCP or UDP ports, you have to specify both the dl_type as well as nw_proto, which we saw previously and will see again shortly. If you don't do this, if you don't follow the normal form, you will not get the results you expect.

OK, back to my second flow. Here I'm doing a modification: now I want any IP packets coming from 10.0.0.3 to get a DSCP value of decimal 46. The type of service, or ToS, field is 8 bits, but two of those bits are reserved for explicit congestion notification, or ECN, so I have to take the DSCP value of 46 and multiply that by 4 to get 184. With packet modifications you have various options, like modifying MAC addresses, IP addresses, MPLS tags or VLAN tags. In a video on using multiple tables I will do some of those other types of packet modifications.

OK, let's allow ARP again, this time in a different way from the layer 2 matching example. Now I'm using the arp keyword instead of dl_type to make my life a little easier, and I'm saying specifically where to send ARP requests and replies by using nw_dst, just like I did for IP packets. But where before, with the ip keyword, nw_dst meant destination IP address, now with the arp keyword I'm talking about the layer 3 target for ARP requests and the source of the request in ARP replies. So you can see I'm using the field nw_dst in a different context, which I think should give an idea about the normal form requirement I mentioned before, where you have to specify a dl_type. Another interesting thing with my ARP rules above is I'm not flooding ARP requests; I'm telling switch s1 where to send each ARP request, versus normal ARP, which is flooded out every port. This is pretty cool. OK, a quick check, and we see pingall works fine. If we do dump-flows, you see hits to all of our flow entries, and just to prove my DSCP marking worked, here is a Wireshark capture: you see packets have a DSCP set to 46.

Layer 4 matching

Let's wrap up with some matches on layer 4. For this I'm going to start a Python web server on h3 and then let h1 and h2 connect to h3 on port 80. Deleting all flows again, or flow entries rather, I'll start the web server on h3, and let's put in our rules. First we need ARP again, so for ARP a really easy flow entry this time, just doing the normal ARP behavior, because I don't want to focus on that here. Now the layer 4 matching. Here I'm saying IP again by using dl_type=0x800. I also use nw_proto=6, which corresponds to TCP. Also I have a new match field, tp_dst; that's for the transport layer destination port, which will be 80. Something interesting here: note I didn't call out any specific IP addresses, so actually I'm sending all port 80 traffic to OpenFlow port 3 regardless of the destination IP. In this scenario it doesn't make much sense, but imagine if you wanted to send a certain type of traffic through a firewall; some kind of rule like this could accomplish that. So I still need to permit return traffic, so let's do that: any IP packets from 10.0.0.3 will just take the normal action. Let's see this in action: h1 curl h3, and we see that works; let's try h2 curl h3, and that looks good as well.

That wraps up this video. I hope this was helpful to get acquainted with flow entries. If you want to see more content like this, please subscribe to my YouTube channel. Also, I'd love to hear from folks watching these videos; if you'd like to connect, you can reach me through LinkedIn at linkedin.com/in/ under the name David Mahler.
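As an added example (not code from the video), the helper below builds the kinds of ovs-ofctl flow specs shown above, checks the man page's normal form rule before a spec reaches the switch, and does the DSCP-to-ToS shift from the layer 3 section. The function and constant names are my own; the match fields, keywords and actions are the ones from the ovs-ofctl man page used in the video.

```python
"""Build ovs-ofctl flow specs like those in the video and check the "normal form"
rule first. Added example; the strings are what you would hand to add-flow."""

L3_FIELDS = {"nw_src", "nw_dst", "nw_tos"}
L4_FIELDS = {"tp_src", "tp_dst"}
# Match keywords from the ovs-ofctl man page and the (dl_type, nw_proto) each implies.
KEYWORDS = {"ip": ("0x0800", None), "arp": ("0x0806", None),
            "icmp": ("0x0800", 1), "tcp": ("0x0800", 6), "udp": ("0x0800", 17)}


def dscp_to_tos(dscp):
    """DSCP is the upper 6 bits of the ToS byte; the low 2 bits are ECN.
    mod_nw_tos takes the whole byte, so shift left by 2: 46 -> 184."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    return dscp << 2


def normal_form_problems(match, keywords=()):
    """Return normal-form violations for a match dict (empty list = OK).
    Without dl_type OVS silently wildcards nw_*; L4 fields also need nw_proto."""
    implied = [KEYWORDS.get(k, (None, None)) for k in keywords]
    have_type = "dl_type" in match or any(t for t, _ in implied)
    have_proto = "nw_proto" in match or any(p for _, p in implied)
    problems = []
    if L3_FIELDS & match.keys() and not have_type:
        problems.append("layer-3 field without dl_type or ip/arp keyword")
    if L4_FIELDS & match.keys() and not (have_type and have_proto):
        problems.append("layer-4 field without dl_type and nw_proto")
    return problems


def build_flow(match, actions, priority=None, keywords=()):
    """Return a flow spec string in the form ovs-ofctl add-flow accepts."""
    problems = normal_form_problems(match, keywords)
    if problems:
        raise ValueError("not in normal form: " + "; ".join(problems))
    parts = [f"priority={priority}"] if priority is not None else []
    parts += list(keywords) + [f"{k}={v}" for k, v in match.items()]
    return ",".join(parts + [f"actions={actions}"])


def video_flows():
    """Representative flow entries from each section of the video."""
    return {
        "l1": build_flow({"in_port": 1}, "output:2", priority=500),
        "l2_arp": build_flow({"dl_type": "0x806", "nw_proto": 1}, "flood"),
        "l3_mark": build_flow({"nw_src": "10.0.0.3"},
                              f"mod_nw_tos:{dscp_to_tos(46)},normal", keywords=("ip",)),
        "l4_http": build_flow({"dl_type": "0x800", "nw_proto": 6, "tp_dst": 80}, "output:3"),
    }
```

Install one with sh ovs-ofctl add-flow s1 followed by the returned string in quotes; a spec that omits dl_type for an nw_* field raises instead of being quietly wildcarded.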
Info
Channel: David Mahler
Views: 66,567
Rating: 4.9819818 out of 5
Keywords: Open vSwitch, OVS, OpenFlow, SDN, flow entries, ovs-ofctl
Id: FyV4MoQ3T0I
Length: 14min 23sec (863 seconds)
Published: Mon Feb 17 2014