SDN Lab 01助教：林賢哲、林佳瑩

sdn@imslab.org

2015.10.08

Introduction

• OpenFlow

• Mininet

• Open-vSwitch

• OpenDayLight controller

2

Grading

• Install Mininet (20 pt)

• Install OpenDaylight (30 pt)

• Connect Mininet to ODL controller (10 pt)

• Create a Specified Network Topology (10 pt)

• Add Flow Entries to Open-vSwitch via OpenDaylight

• Block (15 pt)

• Modify Header [basic] (15 pt)

• Modify Header [Advanced] (10pt)

• Connect mininet network to the Internet (15 pt)

• Block Youtube (10 pt)

3

4

OpenFlow

5

OpenFlow

6

OpenFlow

7

OpenFlow

• Mininet

• An Instant Virtual Network on your Laptop (or other PC)

• Open-vSwitch

• It is designed to enable massive network automation through programmatic extension, while still supporting standard management interfaces and protocols

• OpenDayLight

• a highly available, modular, extensible, scalable and multi-protocol controller infrastructure built for SDN deployments on modern heterogeneous multi-vendor networks

8

Introduction

9

Environment

10

Environment

Windows 7 Host

Ubuntu 14.04 Host

• Step I : Install git

$ sudo apt-get update

$ sudo apt-get install -y git

• Step II : Download Mininet installer

cd to a directory you are happy with to download the installer

$ git clone git://github.com/mininet/mininet

11

Mininet - Installation

• Step III : Install Mininet

$ mininet/util/install.sh -a

• -a : install everything, including Mininet VM, Open vSwitch, wireshark, controller POX, etc.

• Step IV : Test the basic Mininet functionality

$ sudo mn --test pingall

ref : Install Mininet (option 2)

12

Mininet - Installation (cont.)

http://mininet.org/download/

• Run default Mininet, entering Mininet CLI

$ sudo mn

• Help

mininet> help

• Display nodes

mininet> nodes

13

Mininet - Basic commands

• Display links

mininet> net

• Dump information about all nodes

mininet> dump

• Let the virtual hosts ping each other

mininet> pingall

14

Mininet - Basic commands (cont.)

• Let host1 ping host2

mininet> h1 ping h2

• Show h1’s network interface

mininet> h1 ifconfig

• Use “sh” to execute shell command

mininet> sh echo “check the ref http://mininet.org/walkthrough”

15

Mininet - Basic commands (cont.)

• Clean the Mininet after exiting

$ mn -c

16

Mininet - Basic commands (cont.)

• Show TA h1’s IP address and h2’s MAC address (20 pt)

17

Mininet - Grading

• Step I : Install java 7 (already done for you)

$ sudo apt-get install openjdk-7-jdk openjdk-7-jre

• Step II : Download ODL release Lithium-SR1 Tar File (267 MB)

Done for you too. It’s located at ~/lab1

• Step III : Extract it

$ tar -zxvf

18

OpenDaylight - Installation

https://www.opendaylight.org/software/downloads/lithium-sr1

• Step IV : Run Karaf with OpenFlow1.3, entering its CLI

$ .//bin/karaf -of13

• Step V : Install features (Karaf distribution has no features enabled by default)

• odl-mdsal-clustering : provides support for operating a cluster of ODL instances. It’s marked “special” according to the guidance. MUST install clustering before other features are installed.

• odl-restconf : Enables REST API access

19

OpenDaylight - Installation (cont.)

• Step V : Install features (cont.)

• odl-l2switch-switch-ui : Provides L2 (Ethernet) forwarding across connected OpenFlow switches and support for host tracking

• odl-dlux-all : including odl-dlux-core, odl-dlux-node, odl-dlux-yangui, odl-dlux-yangvisualizer. You’ll see them on the left panel in the index web.

opendaylight-user@root> feature:install odl-mdsal-clustering odl-restconf odl-l2switch-switch-ui odl-dlux-all

20

OpenDaylight - Installation (cont.)

• Step VI : Open the ODL web UI at the Host IP where ODL installed (127.0.0.1) with port 8181

http://:8181/index.html

account : admin

password : admin

Ps. This URL would successfully access the web UI only if “./karaf” has run long enough, by TAs’ experience, 2~6 minutes.

• Official Documents can be found at Lithium-SR1

21

OpenDaylight - Installation (cont.)

https://www.opendaylight.org/software/downloads/lithium-sr1

• Run OpenDaylight successfully (15pt)

22

OpenDaylight - Grading

• Launch OpenDaylight web UI and login (15pt)

23

OpenDaylight - Grading (cont.)

• Step I : Disable ovs-controller daemon

Ovs-controller daemon listens to port 6633. When ODL is running, it listens to port 6633 as well. This means if the two services run at the same host, at the same time, it causes confliction. All you need to do is check whether ovs-controller is running. If it does, disable it.

$ ps -e | grep ovs #ovs-controller

$ sudo service openvswitch-controller stop

24

Connect Mininet to ODL Controller

• Step II : Connect Mininet to ODL

• $ sudo mn --topo linear,3 --controller remote --switch ovsk,protocols=OpenFlow13 --mac

• --topo [single | linear | tree], : Specify topology

• --controller remote[,ip=,port=] : Use a remote controller instead of default one. If ip and port not specified, 127.0.0.1:6633 will be used by default.

• --switch ovs,protocols=OpenFlow13 : Choose Open-vSwitch supporting OpenFlow1.3

• --mac : Make the virtual hosts’ MAC address easy to read. Use “ifconfig” to check.

25

Connect Mininet to ODL Controller (cont.)

• Step III : Observation

Before virtual hosts send any packet through a switch, a switch doesn’t get information from virtual hosts connected to it. The web UI doesn’t show any virtual hosts nodes but switches nodes only.

Once a switch starts to receive packets from these virtual hosts, it knows the MAC address of them. Then the virtual hosts appear on the topology graph.

26

Connect Mininet to ODL Controller (cont.)

• Check the topology on the web UIhttp://:8181/index.html (10 pt)

27

Connect Mininet to ODL - Grading

• You are able to specify different topology as mentioned earlier.

$ mn --topo [single | linear | tree],

• --topo single,2 : Single switch with 2 virtual hosts

• --topo linear,4 : 4 switches connected as a line, and each switch has a virtual host attached to it

• --topo tree,3 : There are 7 switches arranged as a binary tree with depth=3. Each leaf switch has two virtual hosts

28

Topology

• Program your own custom topology via python.

• Check the example, we believe it’s easy to understand.

$ vim mininet/custom/topo-2sw-2host.py

Note that last line of the example defines a toponame, marked as red below, which will be used in Mininet command later.

topos = { 'mytopo': ( lambda: MyTopo() ) }

29

Topology - Custom

• Test it

$ mn --custom mininet/custom/topo-2sw-2host.py --topo mytopo --controller remote

• Your missions : Create a topology with two interconnected switches (s1 and s2). There are two virtual hosts (h1, h2) connected to s1 and three virtual hosts (h3, h4, h5) connected to s2.

• ref : Custom Topology30

Topology - Custom (cont.)

http://mininet.org/walkthrough/#custom-topologies

• Show your topology via web UI (10 pt)

31

Topology - Grading

• We have learned basic concepts of OpenFlow at the beginingof the course.

• In this part, we are going to add some flows on ourOpenDayLight controller by using OpenFlow version 1.3.0 asinterface.

• You can find the introduction of OpenFlow version 1.3.0 in the documentbelow.https://www.opennetworking.org/images/stories/downloads/sdn-resources/onf-specifications/openflow/openflow-spec-v1.3.0.pdf

• After adding a flow on the controller, switch can handle an unknownpacket by asking controller the flow rules.

• Let’s start with the task of blocking a specific ip by using YangUI in OpenDayLight.

32

Flows

https://www.opennetworking.org/images/stories/downloads/sdn-resources/onf-specifications/openflow/openflow-spec-v1.3.0.pdf

• Step I :Open the web UI of OpenDayLight(http://:8181/index.html)

and choose Yang UI on the side menu.

33

Flows

34

Flows

propose action directory

Add Flow PUT config/opendaylight-inventory:nodes/node/openflow:1/table/0/flow/1

Delete Flow DELETE config/opendaylight-inventory:nodes/node/openflow:1/table/0/flow/1

Get Flow Config GET config/opendaylight-inventory:nodes/node/openflow:1/table/0

Get Flow

Operational

GET operational/opendaylight-inventory:nodes/node/openflow:1/table/0

GET Inventory GET operational/opendaylight-inventory:nodes/

GET Topology GET operational/network-topology:network-topology/

Reference : OpenDaylight OpenFlow Plugin:End to End Flows

OpenDaylight User Guide

• Step II :According to your propose you can find the directory andaction in the table below.(the blue part must be filled with theswitch, table and flow you want to setup)

https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:End_to_End_Flowshttps://www.opendaylight.org/sites/opendaylight/files/bk-user-guide.pdf

35

Flows

• Step III :Find the directory, and start to manage flows. Take “Add Flow”for example(config/opendaylight-inventory:nodes/node/openflow:1/table/0/flow/1)

• Step IV :After click “flow {id}”, youcan add new flow in thebottom of web site.

• Use “+” button and expandfolders to setup values.

• Click the triangle buttom, like“▼”, to Expand or collapse theoptions.

36

Flows

37

Flows

• Setting:

• Click “+” to add a flow

• Expand “match”

38

Flows

• Ethernet-match

• Ethernet-source/destination : MAC address

• Ethernet-type: (wiki)

• You can find what ethernet-type that openflow support in different versions here.

39

Flows

https://en.wikipedia.org/wiki/EtherTypehttp://flowgrammable.org/sdn/openflow/classifiers/#tab_ofp_1_3_0

• Layer-3-match

• Arp-match

• Arp-op(more…)

• Arp-source/target-transport-address

• IPv4 address

• Arp-source/target hardware-address

• Mac address

40

Flows

http://www.iana.org/assignments/arp-parameters/arp-parameters.xhtml

• Layer-3-match

• Ipv4-source/destination

41

Flows

• Click “+” to add an instruction list

• There are many instruction you can choose.(reference)

42

Flows

http://flowgrammable.org/sdn/openflow/actions/#tab_ofp_1_3

• Choose “apply-action-case”, and add action list Item

• You can find many actions.

43

Flows

• Actions(reference)

44

Flows

action description

Drop-action-case Discards packet

Output-action-case Output-node-connector : NORMAL (forward)

Set-dl-dst-action-case Set destination MAC address

Set-dl-src-action-case Set source MAC address

Set-nw-dst-action-case Set destination IP address

Set-nw-src-action-case Set source IP address

Set-field-case Set many different type setting, including ethernet,

ip etc.

http://flowgrammable.org/sdn/openflow/actions/#tab_ofp_1_3

• You can have more than one actions in a flow. The actions willbe executed in increasing order.(Ex. The order 0 action is thefirst action)

• The Yellow one means the one you modify now.

45

Flows

• Priority

• The higher number have higher precedence. (0~65535)

• table id : must be the same as you setup in the url.

46

Flows

•

•

• 2

• Foo

•

•

•

• 2048

•

•

• 10.0.10.2/24

47

Flows

• More detail about content of flow:( for more exmaple Editing OpenDaylight OpenFlow Plugin:End to End Flows:Example Flows)

https://wiki.opendaylight.org/view/Editing_OpenDaylight_OpenFlow_Plugin:End_to_End_Flows:Example_Flows#IPv4_Dest_Address

48

Flows

• 1

• 0

•

•

• 0

•

•

• 0

•

•

•

•

•

•

• You can use web UI in openDayLightor Restful API tools (reference) , suchas postman(a chrome extension) orrestful plugin in Firefox, to edit flows.

https://github.com/BRCDcomm/BVC/blob/master/docs/SDN-Controller-2.0.1-User-Guide.pdf

• Create a network topology. There are more than 3 virtual hosts in your topology. You can either use your custom topology or use built in topo pattern.

• Task A : Block There is one host cannot communicate with the other hosts, and the other hosts are mutually communicable. You can block its port, MAC or IP. (15pt)

• Task B : Modify header[basic] When h1 ping h2, modify thesrc ip from h1, use wireshark to monitor the interface of h2 toverify your revise.(10pt)

• Task C (bonus) : Modify header[advanced] All packets coming from h1 to h2, substitute these packets’ src IP from h1 to a IP which doesn’t belong to any host, let’s say X, in this network. Then, change the destination IP of the packets, which come from h2 to X, back to h1’s IP. (10pt)

49

Flows

• Task A : Block(15pt)

• Block source from h1

• Use `ovs-ofctl –O OpenFlow13 dump-flows s1` to check whether s1 havethe flow we send or not.

• Pingall to check the status of network.

50

Flows

• Task B : Modify header[basic](15pt)

• Modify source ip from 10.0.0.1 to 10.0.0.100

• Use wireshark to check the packets on the interface of s1-h2

51

Flows

• Task C (bonus) : Modify header[advanced]

• First, we need to downgrade ubuntu’s kernel, then we can updateopenvswitch to version 2.3.1

• Downgrade ubuntu’s kernel : Just follow the instructions on this website Ubuntu 12.04 LTS Kernel 降級

• Update openvswitch : Just follow the instructions on this website編譯 OpenvSwitch v2.3.1 on Ubuntu 14.04.1 LTS

52

Flows

http://roan.logdown.com/posts/183081-ubuntu-1204-lts-kernel-downgradehttp://roan.logdown.com/posts/220671-compile-openvswitch-v230-on-ubutnu-14041-lts

• Task C (bonus) : Modify header[advanced]

• Flow of ping

53

Flows

H1

(10.0.0.1) switchH2

(10.0.0.2)

[Arp]where is 10.0.0.2?

Tell 10.0.0.1[Arp]where is 10.0.0.2?

Tell 10.0.0.100

[Arp]10.0.0.2 is at MAC2[Arp]10.0.0.2 is at MAC2

[ICMP]10.0.0.1 requst

10.0.0.2

[ICMP]10.0.0.100

request 10.0.0.2

[ICMP]10.0.0.2 reply

10.0.0.1

[ICMP]10.0.0.2 reply

10.0.0.100

• Error : There are no interfaces on which a capture can be done.

• Solution

• Step 1 : Allow Non-Superusers to Capture Packets

$ sudo dpkg-reconfigure wireshark-common

In this configuration, select .

This setting creates a wireshark group.

54

Wireshark

• Step 2 : Add User to Wireshark Group

$ sudo usermod -a -G wireshark $USER

• Step 3 : Re-Login

• You can reboot,

• $ sudo reboot

• or logout if using Ubuntu Desktop

• $ gnome-session-quit --logout --no-prompt

55

Wireshark

• Create a virtual network with default topology connecting to ODL controller.

$ sudo mn --mac --switch ovs,protocols=OpenFlow13 --controller remote

56

Connect to the Internet - Bonus (15 pt)

57

Connect to the Internet

TCP/IP

Stack Applications

S1h1

h2

eth0

s1-eth1

s1-eth2

h1-eth0

h2-eth0

s1

ping outside world

• Create a virtual network with default topology connecting to ODL controller.

• Ubuntu host can access outside world

mininet> sh ping 8.8.8.8

• Check out routing table

mininet> sh route

58

Connect to the Internet

• h1 has no way to access outside world via s1

mininet> h1 ping 8.8.8.8

• Check h1’s IP address and routing table

59

Connect to the Internet

• Step I : Attach eth0 to s1, make it as a port of the ovs

mininet> sh ovs-vsctl add-port s1 eth0

mininet> sh ovs-vsctl show

60

Connect to the Internet

61

Connect to the Internet

TCP/IP

Stack Applications

S1h1

h2

eth0 s1-eth1

s1-eth2

h1-eth0

h2-eth0

s1

• Now even your Ubuntu host can’t ping to outside world.

mininet> sh ping 8.8.8.8 # no response

• That’s because Ubuntu host tried to access the Internet via eth0. But eth0 acts like a port of ovs.

• We are expecting Ubuntu host can access outside world through s1.

62

Connect to the Internet

• Step II : Remove eth0’s IP, and then make s1 as a client of DHCP server so that s1 would be the default interface. But first, set a flow to make ovs act as a traditional switch.

Add a flow with actions=NORMAL via ODL

63

Connect to the Internet

The command dhclient requests DHCP server for a valid IP address. In your environment, virtualbox takes the role as DHCP server. Since eth0 and s1 both have the same MAC address, the interface which queries the IP after the other one that did will fail to get valid IP. That’s why we remove eth0’s IP before s1 get its own. dhclient automatically sets the default gateway and default interface.

mininet> sh ifconfig eth0 0

mininet> sh dhclient s1

mininet> sh route

64

Connect to the Internet

65

Connect to the Internet

TCP/IP

Stack Applications

S1h1

h2

eth0 s1-eth1

s1-eth2

h1-eth0

h2-eth0

s1

• Ubuntu host can ping out now but virtual host still can’t.

• After checking h1’s IP and routing table, we know h1 doesn’t belong to the network of Ubuntu host’s default gateway.

• We can get h1 a IP of Ubuntu Host’s network and default gateway via the same way works on s1.

66

Connect to the Internet

• Step III : Get h1 a IP from DHCP

mininet> h1 ifconfig h1-eth0 0

mininet> h1 dhclient h1-eth0

67

Connect to the Internet

68

Connect to the Internet

TCP/IP

Stack Application

S1h1

h2

eth0 s1-eth1

s1-eth2

h1-eth0

h2-eth0

s1

• Give it a snapshot !!

69

Connect to the Internet

• If you want to ping google.com, you need to edit this file /etc/resolv.conf and add a nameserver, 8.8.8.8 for example.

• $ sudo vim /etc/resolv.conf

70

Connect to the Internet

• Goal : block Youtube from ubuntu host, which means your ubuntu host cannot watch youtube video while virtual hosts, such as h1 and h2, still can ping youtube.com

• Step I : Find out youtube’s IP

mininet> sh nslookup youtube.com

• Step II : You’ve got the target IP. Block it !

• If you accidentally block google.com as well, that’s acceptable in this lab…

71

Block Youtube - Bonus (10 pt)

Take a

picture

72

Block Youtube - Bonus (10 pt)

• Install Mininet

• ODL release

• ODL installation

• ODL features

• Mininet Walkthrough

• Introduction to OpenFlow (video)

• Introduction to OVS (video)

73

References

http://mininet.org/download/https://www.opendaylight.org/downloadshttps://wiki.opendaylight.org/view/Install_On_Ubuntu_14.04http://yhhuanglab.blogspot.tw/2015/08/mininetopendaylight.htmlhttp://mininet.org/walkthrough/#custom-topologieshttps://www.youtube.com/watch?v=l25Ukkmk6Skhttps://www.youtube.com/watch?v=rYW7kQRyUvA