Tests with Open vSwitch and Faucet

Faucet installation

apt-get install python-dev
apt-get install python3-pip
pip3 install faucet

mkdir -p /etc/ryu/faucet
mkdir -p /var/log/ryu/faucet
mkdir -p /var/log/ryu/gauge
touch /etc/ryu/faucet/gauge.yaml

Faucet configuration file

cat << 'EOF' > /etc/ryu/faucet/faucet.yaml
dps:
    switch-1:
        dp_id: 0x1
        timeout: 3600
        arp_neighbor_timeout: 3600
        interfaces:
            1:
                native_vlan: 10
            2:
                native_vlan: 10
            3:
                native_vlan: 20
            4:
                native_vlan: 20
vlans:
    10:
    20:
EOF

Start Open vSwitch

ovs-vsctl add-br br0 \
-- set bridge br0 other-config:datapath-id=0000000000000001 \
-- add-port br0 p1 -- set interface p1 ofport_request=1 \
-- add-port br0 p2 -- set interface p2 ofport_request=2 \
-- add-port br0 p3 -- set interface p3 ofport_request=3 \
-- add-port br0 p4 -- set interface p4 ofport_request=4 \
-- set-controller br0 tcp:127.0.0.1:6653 \
-- set controller br0 connection-mode=out-of-band

Start Faucet and check the log

ryu-manager faucet.faucet --verbose

root@vm:~# cat /var/log/ryu/faucet/faucet.log
Dec 20 16:05:57 faucet INFO Add new datapath DPID 1 (0x1)
Dec 20 16:06:05 faucet INFO DPID 1 (0x1) connected
Dec 20 16:06:05 faucet.valve INFO DPID 1 (0x1) Cold start configuring DP
Dec 20 16:06:05 faucet.valve INFO DPID 1 (0x1) Configuring VLAN 10 vid:10 ports:Port 1,Port 2
Dec 20 16:06:05 faucet.valve INFO DPID 1 (0x1) Configuring VLAN 20 vid:20 ports:Port 3,Port 4
Dec 20 16:06:05 faucet.valve INFO DPID 1 (0x1) Port 1 up, configuring
Dec 20 16:06:05 faucet.valve INFO DPID 1 (0x1) Port 2 up, configuring
Dec 20 16:06:05 faucet.valve INFO DPID 1 (0x1) Port 3 up, configuring
Dec 20 16:06:05 faucet.valve INFO DPID 1 (0x1) Port 4 up, configuring

Tables

Table 0 holds the port-based ACL. It sends traffic on to table 1.

ubuntu@vm:~/openvswitch-2.8.1/tutorial$ dump-flows br0 | head -n5
priority=9099,in_port=p1 actions=goto_table:1
priority=9099,in_port=p2 actions=goto_table:1
priority=9099,in_port=p3 actions=goto_table:1
priority=9099,in_port=p4 actions=goto_table:1
priority=0 actions=drop

Table 1

This table handles VLAN tagging.

ubuntu@vm:~/openvswitch-2.8.1/tutorial$ dump-flows br0 | grep table=1
table=1, priority=9099,dl_dst=01:80:c2:00:00:00 actions=drop
table=1, priority=9099,dl_dst=01:00:0c:cc:cc:cd actions=drop
table=1, priority=9099,dl_type=0x88cc actions=drop
table=1, priority=9000,in_port=p1,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4106->vlan_vid,goto_table:3
table=1, priority=9000,in_port=p2,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4106->vlan_vid,goto_table:3
table=1, priority=9000,in_port=p3,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4116->vlan_vid,goto_table:3
table=1, priority=9000,in_port=p4,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4116->vlan_vid,goto_table:3
table=1, priority=0 actions=drop

Table 2

This table handles the VLAN-level ACL. It is empty because we did not specify any ACL parameters.

Table 3

This table handles layer-2 processing and MAC address learning.

ubuntu@vm:~/openvswitch-2.8.1/tutorial$ dump-flows br0 | grep table=3
table=3, priority=9099,dl_src=ff:ff:ff:ff:ff:ff actions=drop
table=3, priority=9001,dl_src=0e:00:00:00:00:01 actions=drop
table=3, priority=0 actions=drop
table=3, priority=9000 actions=CONTROLLER:96,goto_table:7

Tables 4, 5 and 6

These are used for routing. They are empty because we did not configure routing.

Tables 7 and 8

Table 7 forwards packets to learned MAC addresses. Table 8 implements flooding for broadcast and multicast.
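As an added example (not part of the original notes or of Faucet itself), the following Python script parses dump-flows output like the one above and checks that what the controller installed matches the intended segmentation: it recovers the port-to-VLAN mapping from the table 1 push_vlan rules and flags any table that lacks a priority=0 drop. The sample flows are a constructed subset of the lines shown on this page; the expected mapping is taken from faucet.yaml.

```python
import re

# Constructed sample: subset of the table 0, 1 and 3 flows shown on this page (dump-flows format).
SAMPLE_FLOWS = """\
priority=9099,in_port=p1 actions=goto_table:1
priority=0 actions=drop
table=1, priority=9000,in_port=p1,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4106->vlan_vid,goto_table:3
table=1, priority=9000,in_port=p2,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4106->vlan_vid,goto_table:3
table=1, priority=9000,in_port=p3,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4116->vlan_vid,goto_table:3
table=1, priority=9000,in_port=p4,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4116->vlan_vid,goto_table:3
table=1, priority=0 actions=drop
table=3, priority=0 actions=drop
table=3, priority=9000 actions=CONTROLLER:96,goto_table:7
"""
# Intended segmentation from faucet.yaml: OpenFlow port -> native VLAN.
EXPECTED_PORT_VLAN = {1: 10, 2: 10, 3: 20, 4: 20}


def parse_flow(line):
    # One dump-flows line -> (table, priority, match fields, action list).
    match_part, actions = line.split(" actions=", 1)
    fields = {}
    for item in match_part.split(","):
        key, _, value = item.strip().partition("=")
        if key:
            fields[key] = value or True  # bare matches such as "ip"/"arp"
    table = int(fields.pop("table", 0))  # table 0 lines omit "table="
    return table, int(fields.pop("priority")), fields, actions.split(",")


def port_vlan_map(dump):
    # Recover port -> VLAN from table 1 push_vlan rules. OpenFlow sets bit
    # 0x1000 (OFPVID_PRESENT) in vlan_vid, so 4106 -> 10 and 4116 -> 20.
    mapping = {}
    for line in dump.splitlines():
        table, _, m, acts = parse_flow(line)
        if table == 1 and "in_port" in m:
            for act in acts:
                vid = re.match(r"set_field:(\d+)->vlan_vid", act)
                if vid:
                    mapping[int(m["in_port"].lstrip("p"))] = int(vid.group(1)) & 0xFFF
    return mapping


def tables_without_default_drop(dump):
    # Tables with no priority=0 drop: unmatched traffic there is not discarded.
    seen, dropping = set(), set()
    for line in dump.splitlines():
        table, prio, _, acts = parse_flow(line)
        seen.add(table)
        if prio == 0 and acts == ["drop"]:
            dropping.add(table)
    return sorted(seen - dropping)
```

Run it against a real dump (for example `ovs-ofctl dump-flows br0` piped through the tutorial's wrapper) and compare `port_vlan_map()` with the mapping in faucet.yaml after every configuration reload.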

Generate traffic

With the ofproto/trace tool we can observe the path a packet takes through the pipeline

ubuntu@vm:~$ ovs-appctl ofproto/trace br0 in_port=p1,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02 -generate
Flow: in_port=1,vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,dl_type=0x0000

bridge("br0")
-------------
0. in_port=1, priority 9099, cookie 0x5adc15c0
goto_table:1
1. in_port=1,vlan_tci=0x0000/0x1fff, priority 9000, cookie 0x5adc15c0
push_vlan:0x8100
set_field:4106->vlan_vid
goto_table:3
3. priority 9000, cookie 0x5adc15c0
CONTROLLER:96
goto_table:7
7. priority 9000, cookie 0x5adc15c0
goto_table:8
8. in_port=1,dl_vlan=10, priority 9000, cookie 0x5adc15c0
pop_vlan
output:2

Final flow: unchanged
Megaflow: recirc_id=0,eth,in_port=1,vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,dl_type=0x0000
Datapath actions: push_vlan(vid=10,pcp=0),pop_vlan,2
This flow is handled by the userspace slow path because it:
- Sends "packet-in" messages to the OpenFlow controller.

In the Faucet log we see a new entry for the learned MAC address

Dec 20 21:14:48 faucet.valve INFO DPID 1 (0x1) L2 learned 00:00:00:00:00:01 (L2 type 0x0000, L3 src None) on Port 1 on VLAN 10 (2 hosts total)

We also verify a new flow in table 3 of the switch

ubuntu@vm:~$ dump-flows br0 | grep table=3
table=3, priority=9099,dl_src=ff:ff:ff:ff:ff:ff actions=drop
table=3, priority=9001,dl_src=0e:00:00:00:00:01 actions=drop
table=3, hard_timeout=3599, priority=9098,in_port=p1,dl_vlan=10,dl_src=00:00:00:00:00:01 actions=goto_table:7 # New entry
table=3, priority=0 actions=drop
table=3, priority=9000 actions=CONTROLLER:96,goto_table:7

We repeat the command in the opposite direction. The packet is sent to the controller

ubuntu@vm:~$ ovs-appctl ofproto/trace br0 in_port=p2,dl_src=00:00:00:00:00:02,dl_dst=00:00:00:00:00:01 -generate
Flow: in_port=2,vlan_tci=0x0000,dl_src=00:00:00:00:00:02,dl_dst=00:00:00:00:00:01,dl_type=0x0000

bridge("br0")
-------------
0. in_port=2, priority 9099, cookie 0x5adc15c0
goto_table:1
1. in_port=2,vlan_tci=0x0000/0x1fff, priority 9000, cookie 0x5adc15c0
push_vlan:0x8100
set_field:4106->vlan_vid
goto_table:3
3. priority 9000, cookie 0x5adc15c0
CONTROLLER:96
goto_table:7
7. dl_vlan=10,dl_dst=00:00:00:00:00:01, priority 9099, cookie 0x5adc15c0
pop_vlan
output:1

Final flow: unchanged
Megaflow: recirc_id=0,eth,in_port=2,vlan_tci=0x0000,dl_src=00:00:00:00:00:02,dl_dst=00:00:00:00:00:01,dl_type=0x0000
Datapath actions: push_vlan(vid=10,pcp=0),pop_vlan,1
This flow is handled by the userspace slow path because it:
- Sends "packet-in" messages to the OpenFlow controller.

We repeat the command. This time the packet is sent to port 1 without needing to go to the controller

Routing

dps:
    switch-1:
        dp_id: 0x1
        timeout: 3600
        arp_neighbor_timeout: 3600
        interfaces:
            1:
                native_vlan: 10
            2:
                native_vlan: 10
            3:
                native_vlan: 20
            4:
                native_vlan: 20
vlans:
    10:
        faucet_vips: ["10.0.1.254/24"]
    20:
        faucet_vips: ["10.0.2.254/24"]
routers:
    router-1:
        vlans: [10,20]

In table 3 we observe new flows installed to handle ARP packets. These packets are sent to table 6, which handles
IP packet processing. We also see two flows that send IP packets destined for a MAC address used by the router
to table 4, which handles layer-3 forwarding.

ubuntu@vm:~$ dump-flows br0 | grep table=3
table=3, priority=9131,arp,dl_vlan=10 actions=goto_table:6 # ARP handling
table=3, priority=9131,arp,dl_vlan=20 actions=goto_table:6 # ARP handling
table=3, priority=9099,dl_src=ff:ff:ff:ff:ff:ff actions=drop
table=3, priority=9001,dl_src=0e:00:00:00:00:01 actions=drop
table=3, priority=9099,ip,dl_vlan=10,dl_dst=0e:00:00:00:00:01 actions=goto_table:4 # IP packets arriving at the router
table=3, priority=9099,ip,dl_vlan=20,dl_dst=0e:00:00:00:00:01 actions=goto_table:4 # IP packets arriving at the router
table=3, priority=0 actions=drop
table=3, priority=9000 actions=CONTROLLER:96,goto_table:7

Table 4 lists the destinations that Faucet can route

ubuntu@vm:~$ dump-flows br0 | grep table=4
table=4, priority=9131,ip,dl_vlan=10,nw_dst=10.0.1.254 actions=goto_table:6
table=4, priority=9131,ip,dl_vlan=20,nw_dst=10.0.2.254 actions=goto_table:6
table=4, priority=9123,ip,dl_vlan=20,nw_dst=10.0.1.0/24 actions=goto_table:6
table=4, priority=9123,ip,dl_vlan=10,nw_dst=10.0.1.0/24 actions=goto_table:6
table=4, priority=9123,ip,dl_vlan=20,nw_dst=10.0.2.0/24 actions=goto_table:6
table=4, priority=9123,ip,dl_vlan=10,nw_dst=10.0.2.0/24 actions=goto_table:6
table=4, priority=0 actions=drop

Table 6 sends ARP packets destined for the router to the controller. It also sends broadcast packets to table 8

nicolas@nicolas-vm:~$ dump-flows br0 | grep table=6
table=6, priority=9133,arp,arp_tpa=10.0.1.254 actions=CONTROLLER:128
table=6, priority=9133,arp,arp_tpa=10.0.2.254 actions=CONTROLLER:128
table=6, priority=9132,arp,dl_dst=ff:ff:ff:ff:ff:ff actions=goto_table:8
table=6, priority=9131,arp actions=goto_table:7
table=6, priority=9130,ip actions=CONTROLLER:128
table=6, priority=0 actions=drop

We simulate a broadcast ARP request from the host on port 1 (sender IP 10.0.1.1). The packet is sent to the controller

nicolas@nicolas-vm:~$ ovs-appctl ofproto/trace br0 "in_port=p1 dl_src=00:00:00:00:00:01 dl_dst=ff:ff:ff:ff:ff:ff \
dl_type=0x806 arp_spa=10.0.1.1 arp_tpa=10.0.1.254 arp_sha=00:00:00:00:00:01 \
arp_tha=ff:ff:ff:ff:ff:ff arp_op=1" -generate
Flow: arp,in_port=1,vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=ff:ff:ff:ff:ff:ff,arp_spa=10.0.1.1,arp_tpa=10.0.1.254,arp_op=1,arp_sha=00:00:00:00:00:01,arp_tha=ff:ff:ff:ff:ff:ff

bridge("br0")
-------------
0. in_port=1, priority 9099, cookie 0x5adc15c0
goto_table:1
1. in_port=1,vlan_tci=0x0000/0x1fff, priority 9000, cookie 0x5adc15c0
push_vlan:0x8100
set_field:4106->vlan_vid
goto_table:3
3. arp,dl_vlan=10, priority 9131, cookie 0x5adc15c0
goto_table:6
6. arp,arp_tpa=10.0.1.254, priority 9133, cookie 0x5adc15c0
CONTROLLER:128 # The packet is recognised as an ARP packet and sent to the controller

Final flow: arp,in_port=1,dl_vlan=10,dl_vlan_pcp=0,vlan_tci1=0x0000,dl_src=00:00:00:00:00:01,dl_dst=ff:ff:ff:ff:ff:ff,arp_spa=10.0.1.1,arp_tpa=10.0.1.254,arp_op=1,arp_sha=00:00:00:00:00:01,arp_tha=ff:ff:ff:ff:ff:ff
Megaflow: recirc_id=0,eth,arp,in_port=1,vlan_tci=0x0000/0x1fff,dl_dst=ff:ff:ff:ff:ff:ff,arp_tpa=10.0.1.254
Datapath actions: push_vlan(vid=10,pcp=0)
This flow is handled by the userspace slow path because it:
- Sends "packet-in" messages to the OpenFlow controller.

Some fields

arp_tpa, ARP target protocol address

arp_spa, ARP sender protocol address

arp_sha, ARP sender hardware address

arp_tha, ARP target hardware address

In the Faucet log we can see the learned MAC addresses and the MAC-to-IP mapping

ubuntu@vm:/var/log/ryu/faucet# cat faucet.log
...
Dec 22 16:07:18 faucet.valve INFO DPID 1 (0x1) Adding new route 10.0.1.1/32 via 10.0.1.1 (00:00:00:00:00:01) on VLAN 10
Dec 22 16:07:18 faucet.valve INFO DPID 1 (0x1) Responded to ARP request for 10.0.1.254 from 10.0.1.1 (00:00:00:00:00:01) on VLAN 10
Dec 22 16:07:18 faucet.valve INFO DPID 1 (0x1) L2 learned 00:00:00:00:00:01 (L2 type 0x0806, L3 src 10.0.1.1) on Port 1 on VLAN 10 (1 hosts total)
...