To Use only in the M2 CCN Course
Software Defined Networks
Part 3: Open vSwitch
Université d’Evry Val d’Essonne, Master 2 CCN, 2017/2018
N. AGOULMINE
Syllabus: Course 3, Software Defined Networks
• Background: Enterprise Networks and VLAN
• Server Virtualisation and Virtual Switches
• OvS: Open Virtual Switch
• sFlow
• Lisp
• GRE
• Hybrid Open vSwitch
Background: Enterprise Networks and VLANs
Simple Enterprise Design
• Single L2 subnet
– Single IP address block (1.2.3.0/24)
– Gateway to the Internet (0.0.0.0/0)
– Hubs and switches
• Local services
– DHCP server
– DNS server
(Figure: hosts 1.2.3.5, 1.2.3.76 and 1.2.3.150 on switches S behind gateway G; the DHCP and DNS servers sit on the same subnet.)
Limitations of Simple Design
• Scalability
– Broadcast (ARP, DHCP)
– Flooding overhead
– Large switch tables
• Security
– No isolation
– No access control
• Performance
– Spanning tree
(Figure: the same network as on the previous slide.)
Hybrid of Switches and Routers
• Ethernet bridging (L2)
– Flat addressing
– Self-learning
– Flooding
– Forwarding along a tree
• IP routing (L3)
– Hierarchical addressing
– Subnet configuration
– Host configuration
– Forwarding along shortest paths
(Figure: L2 subnets 1.2.3.0/26, 1.2.3.64/26, 1.2.3.128/26 and 1.2.3.192/26 interconnected by routers R towards the Internet.)
Virtual Local Area Networks
• Group related hosts
– Same role (e.g., faculty vs. students)
– Same company
– All WiFi users
• Treat them as a single LAN
– Single IP address block
– Single broadcast domain
– No access control
• Independent of their location
Rewire the network in software!
Example: Two VLANs
• Red VLAN and Orange VLAN
• Switches forward traffic as needed
(Figure: hosts marked R (Red VLAN) and O (Orange VLAN) spread across several switches.)
Making VLANs Work
• Approaches to mapping access links to VLANs
– Each MAC address has a VLAN “color”
– Each interface has a VLAN “color”
• Bridges/switches trunk links
– Say which VLANs are accessible via which interfaces
– Implemented on the bridges/switches
• Changing the Ethernet header
– Adding a field for a VLAN tag
– … but can interoperate with old Ethernet cards
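As an added illustration of the three approaches above (example code written for this page, not from the course or any switch vendor; the port numbers, VLAN IDs and MAC addresses are constructed), here is a small VLAN-aware learning switch in Python: each interface carries a VLAN colour, trunk interfaces say which VLANs they can reach, and access ports keep frames untagged so a legacy Ethernet card never sees the extra header field.

```python
# Added example (not from the course): a minimal VLAN-aware learning switch.
# Access ports carry untagged frames of one VLAN colour, trunk ports carry
# 802.1Q tagged frames for an allowed set of VLANs; learning and flooding
# never cross a VLAN. Ports, VLAN IDs and MAC addresses are constructed.
import struct
TPID = 0x8100                                    # 802.1Q tag protocol identifier

def push_tag(frame, vid):
    """Insert a 4-byte 802.1Q header (TPID + TCI) after the MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID, vid & 0x0FFF) + frame[12:]

def pop_tag(frame):
    """Return (untagged frame, VLAN ID), or (frame, None) if there is no tag."""
    if struct.unpack("!H", frame[12:14])[0] != TPID:
        return frame, None
    return frame[:12] + frame[16:], struct.unpack("!H", frame[14:16])[0] & 0x0FFF

class VlanSwitch:
    def __init__(self, access, trunk):
        self.access = dict(access)               # port -> VLAN colour of the interface
        self.trunk = {p: set(v) for p, v in trunk.items()}   # port -> VLANs allowed on trunk
        self.fdb = {}                            # (vid, mac) -> port, filled by self-learning

    def _egress(self, port, frame, vid):
        """Frame as it leaves `port` in VLAN `vid`, or None if the port is not in that VLAN."""
        if port in self.access:
            return frame if self.access[port] == vid else None
        return push_tag(frame, vid) if vid in self.trunk.get(port, ()) else None

    def receive(self, in_port, frame):
        """Classify on ingress, learn the source, then forward or flood inside the VLAN.
        Returns {out_port: frame_as_sent}."""
        untagged, vid = pop_tag(frame)
        if in_port in self.access:
            if vid is not None:
                return {}                        # tagged frame on an access port: dropped
            vid = self.access[in_port]
        elif vid not in self.trunk.get(in_port, ()):
            return {}                            # untagged, or VLAN not allowed on this trunk
        dst, src = untagged[:6], untagged[6:12]
        self.fdb[(vid, src)] = in_port
        known = self.fdb.get((vid, dst))
        if known is not None:
            targets = [] if known == in_port else [known]
        else:                                    # unknown or broadcast: flood this VLAN only
            targets = [p for p in (*self.access, *self.trunk) if p != in_port]
        sent = {}
        for port in targets:
            out = self._egress(port, untagged, vid)
            if out is not None:
                sent[port] = out
        return sent

def demo():
    """Ports 1-2 in VLAN 10 (red), port 3 in VLAN 20 (orange), port 4 trunk to another switch."""
    sw = VlanSwitch({1: 10, 2: 10, 3: 20}, {4: (10, 20)})
    a, b, bcast = b"\x02\0\0\0\0\x0a", b"\x02\0\0\0\0\x0b", b"\xff" * 6
    flood = sw.receive(1, bcast + a + b"\x08\x06" + b"\0" * 46)   # A broadcasts (ARP-like)
    reply = sw.receive(2, a + b + b"\x08\x00" + b"\0" * 46)       # B answers A directly
    return flood, reply                          # flood reaches ports 2 and 4 only; reply port 1
```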
VLANs in SDN
• Tagging packets
– VLAN header as a virtual “tag” on packets
• Separate VLAN for switch-controller communication
– Using legacy protocols
• Hybrid deployment
– VLAN for SDN adopters
– Remaining traffic using legacy protocols
Server Virtualization and Virtual Switches
Virtual Machines (VMs)
Virtual Machine (VM)
• Virtual machine
– Software implementation of a computer
– With interface identical to bare hardware
• Hypervisor (virtual machine monitor)
– Creates and runs virtual machines
– Manages execution of the guest OSes
– Executes privileged instructions
– Subdivides the hardware resources
– Devices, interrupts, memory, page tables, etc.
Motivations for VMs
• Diverse operating systems
– Running obsolete software
– Research, experimentation, and testing platforms
• Sharing a single host
– Server consolidation (lower cost, energy)
– Isolation of applications or customers/tenants
• Fast provisioning of new servers
– Backup and redeployment
– Migrating a VM to a different host machine
• Snapshotting system state
– Track configuration settings
– Identify configuration mistakes or compromises
• VM introspection
Network Virtualisation
• For Networking, what the VM is for Computing
• Strong isolation between tenants
• Mobility
• Greater context
– MAC/IP addresses
– Host identifiers (UUID)
– Multicast membership
– Machine start/stop/move events
Virtual Switches
• An implementation of a Multi-Layer Virtual Switch
• OpenFlow
• Fast Datapath in Kernel Space
• Flexible Controller in User-Space
Virtual Switches - Availability
• Available from openvswitch.org
• Development code is available in git
• Announce, discussion and development mailing lists
• Kernel (datapath) is under the GPLv2 license
• User space (controller and tools) is under the Apache license
• Shared headers are dual-licensed
An Overview of the various licenses
Copyleft (GPL: GNU General Public License) demands that any changed software be released as open source.

License | Copyleft | Distribute Object Code without providing source code? | Distribute Derivatives under a different License? | Copyright Notice Required? | Disclaimers Required? | Copy of License Required? | Notice of Changes Required? | Legal Information Required?
BSD | No | Yes | Yes | Yes | Yes | No | No | No
Apache | No | Yes | Yes | Yes | Yes | Yes | Yes | No
GPLv2 | Strong | No | No | Yes | Yes | Yes | Yes | No
Lesser GPL (LGPL) | Weak | No | No | Yes | Yes | Yes | Yes | No
GPLv3 | Strong | No | No | Yes | Yes | Yes | Yes | No
Copyleft vs. Non-Copyleft
• A major difference between Open Source licenses is whether the license is considered “copyleft” or not.
• Where copyright law allows the copyright owner to withhold permission to copy, modify, or distribute software, copyleft licenses require that permission be granted.
Open vSwitch (OvS)
Open vSwitch (OvS)
• Open source, commercial-friendly licence
• Supports standard management interfaces and opens the forwarding functions to programmatic extension and control
• Advanced edge switch
• Works on multiple Linux-based virtualization technologies including Xen/XenServer, KVM, and VirtualBox
• Support from kernel module; can also operate entirely in userspace (without kernel assistance)
• Supports multiple tunneling protocols: GRE, Ethernet over GRE, IPsec, GRE over IPsec, VxLAN
• OpenFlow protocol
Flow Identification
• A flow may be identified by any combination of
– Input port
– Ethernet source address
– Ethernet destination address
– VLAN ID (802.1Q)
– Ethernet frame type
– IPv4 or IPv6 source address
– IPv4 or IPv6 destination address
– IP Protocol or lower 8 bits of ARP opcode
– ToS (DSCP field)
– TCP/UDP source port
– TCP/UDP destination port
– ARP/ND source hardware address
– ARP/ND destination hardware address
– IPv6 ND target address
– Tunnel ID
Flow Forwarding
• The first packet of a flow is sent to the controller
• The controller programs the datapath’s actions for a flow
– Usually one, but may be a list
– Actions include:
  • Forward to a port or ports, mirror
  • Encapsulate and forward to controller
  • Drop
• And returns the packet to the datapath
• Subsequent packets are handled directly by the datapath
Open vSwitch Concepts
• Packets are forwarded by flow
• Visibility
– NetFlow
– sFlow
– Mirroring (SPAN/RSPAN/ERSPAN)
• IEEE 802.1Q support
– Enable virtual LAN function
– By attaching a VLAN ID to Linux virtual interfaces, each user will have its own LAN environment separated from other users
• Multiple ports to physical switches
– A port may have one or more interfaces
  • Bonding allows more than one interface per port
Open vSwitch Concepts
• Local SPAN: Mirrors traffic from one or more interfaces on the switch to one or more interfaces on the same switch.
• Remote SPAN (RSPAN): Allows to monitor traffic from source ports distributed over multiple switches. It mirrors the traffic from the source ports of an RSPAN session onto a VLAN that is dedicated for the RSPAN session.
• Encapsulated RSPAN: uses generic routing encapsulation (GRE) for all captured traffic and allows it to be extended across Layer 3 domains.
Flow Forwarding (figure)
• First packet is sent to the controller
• Controller programs the datapath’s actions for the flow
• Packet returned to the datapath
• All following packets of the same flow are handled directly by the datapath
Open vSwitch Management
• Open vSwitch (OvS) may be controlled locally using a UNIX socket or JSON database
• The controller is configured remotely via a JSON database using TLS (SSL)
• Database actions won’t return until the controller is reconfigured
• The database is persistent and thus the configuration persists across reboots
Open vSwitch Contributors (Partial)
Open vSwitch (OvS) Architecture
Open vSwitch Main Components
(Figure: component diagram.)
Open vSwitch ovsdb-server
• Database that holds switch-level configuration
• Speaks management protocol (JSON-RPC) to manager and ovs-vswitchd
• Log-based
• Custom database with nice properties:
– Garbage collection
– Weak references
– Value constraints
Open vSwitch ovs-vswitchd (1/2)
• Core component in the system:
– Communicates with the outside world using OpenFlow
– Communicates with ovsdb-server using the management protocol
– Communicates with the kernel module over netlink
– Communicates with the system through the netdev abstract interface
• Supports multiple independent datapaths (bridges)
• Packet classifier supports efficient flow lookup with wildcards and “explodes” (possibly) these wildcard rules for fast processing by the datapath
Open vSwitch ovs-vswitchd (2/2)
• Implements mirroring, bonding, and VLANs through modifications of the same flow table exposed through OpenFlow
• Checks datapath flow counters to handle flow expiration and stats requests
Open vSwitch openvswitch_mod.ko
• Kernel module that handles switching and tunneling
• Exact-match cache of flows
• Designed to be fast and simple
– Packet comes in; if found, associated actions executed and counters updated. Otherwise, sent to userspace
– Does no flow expiration
– Knows nothing of OpenFlow
• Implements tunnels
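The flow identification, flow forwarding, classifier and kernel-module slides above describe one mechanism from different angles. As an added example (not Open vSwitch code; the field names, action strings and sample frames are constructed), here is a toy Python model of that split: wildcard rules in userspace, an exact-match cache in the datapath, and an upcall only for the first packet of each flow.

```python
# Added example (not Open vSwitch code): a toy model of the split datapath the
# slides describe. Userspace (the ovs-vswitchd role) holds wildcard rules; the
# "kernel" side keeps an exact-match flow cache and sends only the first packet
# of a flow up. Field names, action strings and sample frames are constructed.
import struct

FIELDS = ("in_port", "eth_src", "eth_dst", "vlan", "eth_type", "ip_src", "ip_dst", "ip_proto")

def flow_key(frame, in_port):
    """A subset of the slide's flow-identification fields, parsed from raw bytes."""
    dst, src, eth_type = frame[0:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    off, vlan = 14, None
    if eth_type == 0x8100:                       # 802.1Q: TCI (VID = low 12 bits), inner type
        tci, eth_type = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    ip_src = ip_dst = proto = None
    if eth_type == 0x0800 and len(frame) >= off + 20:   # IPv4 header follows
        proto = frame[off + 9]
        ip_src, ip_dst = frame[off + 12:off + 16], frame[off + 16:off + 20]
    return (in_port, src, dst, vlan, eth_type, ip_src, ip_dst, proto)

class Classifier:
    """Userspace rules with wildcards; the highest-priority matching rule wins."""
    def __init__(self):
        self.rules = []                          # (priority, {field: value}, actions)
    def add(self, priority, match, actions):
        self.rules.append((priority, match, actions))
    def lookup(self, key):
        named = dict(zip(FIELDS, key))
        hits = [r for r in self.rules if all(named[f] == v for f, v in r[1].items())]
        return max(hits, key=lambda r: r[0])[2] if hits else ["drop"]

class Datapath:
    """Kernel-module role: exact-match cache only, no wildcards, no OpenFlow."""
    def __init__(self, classifier):
        self.classifier, self.cache, self.upcalls = classifier, {}, 0
    def receive(self, frame, in_port):
        key = flow_key(frame, in_port)
        entry = self.cache.get(key)
        if entry is None:                        # miss: first packet of the flow goes up
            self.upcalls += 1
            entry = self.cache[key] = {"actions": self.classifier.lookup(key), "packets": 0, "bytes": 0}
        entry["packets"] += 1                    # hit: run the cached actions, bump counters
        entry["bytes"] += len(frame)
        return entry["actions"]

def build_frame(src, dst, ip_src, ip_dst, proto=6, vlan=None):
    """Constructed Ethernet/IPv4 frame with a zero payload (sample input only)."""
    hdr = dst + src + (struct.pack("!HH", 0x8100, vlan) if vlan is not None else b"")
    ip = bytes([0x45, 0]) + struct.pack("!HHHBB", 40, 0, 0, 64, proto) + b"\0\0" + ip_src + ip_dst
    return hdr + struct.pack("!H", 0x0800) + ip + b"\0" * 20

if __name__ == "__main__":
    cls = Classifier()
    cls.add(10, {"eth_type": 0x0800}, ["output:2"])
    cls.add(20, {"vlan": 100, "ip_proto": 6}, ["output:3", "mirror:9"])
    dp = Datapath(cls)
    f = build_frame(b"\x02\0\0\0\0\x01", b"\x02\0\0\0\0\x02", bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), vlan=100)
    print(dp.receive(f, 1), dp.upcalls)          # first packet: upcall, then cached
    print(dp.receive(f, 1), dp.upcalls)          # same flow: cache hit, no new upcall
```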
Open vSwitch
• ovs-vswitchd, a daemon that implements the switch, along with a companion Linux kernel module (openvswitch_mod.ko) for flow-based switching.
• ovsdb-server, a lightweight database server that ovs-vswitchd queries to obtain its configuration.
• ovs-dpctl, a tool for configuring the switch kernel module.
• Scripts and specs for building RPMs for Citrix XenServer and Red Hat Enterprise Linux.
• ovs-vsctl, a utility for querying and updating the configuration of ovs-vswitchd.
• ovs-appctl, a utility that sends commands to running Open vSwitch daemons.
• ovs-ofctl, a utility for querying and controlling OpenFlow switches and controllers.
• ovs-pki, a utility for creating and managing the public-key infrastructure for OpenFlow switches.
Tunneling
• Required to provide “true” virtual networks
• Supported tunneling modes
– GRE
– GRE-over-IPsec
– CAPWAP
• Focus on performance
– Header caching
– Hardware offloading
VM Live Migration
• Xen and KVM provide VM live migration
• With bridging, IP address migration must occur within the same L2 network
• Open vSwitch avoids this problem using GRE tunnels
Distributed Virtual Switch
(Figure: VMs on several hosts attached to one distributed virtual switch.)
Basic OvS Configuration
• Ensure that Open vSwitch is running
    /etc/init.d/openvswitch-switch start
• Create a bridge
    ovs-vsctl -- --may-exist add-br br0
• Add a port to a bridge
    ovs-vsctl -- --may-exist add-port br0 eth0
Basic OvS De-Configuration
• Ensure that Open vSwitch is running
    /etc/init.d/openvswitch-switch start
• Remove a port from a bridge
    ovs-vsctl -- --if-exists del-port br0 eth0
• Remove a bridge
    ovs-vsctl -- --if-exists del-br br0
Port Mirroring (SPAN)
• Allows frames sent to or received on one or more ports to be duplicated on a different port
• Useful for debugging
• Remote SPAN (RSPAN) and Encapsulated RSPAN allow to extend the duplication to an entire network and to direct it to a remote switch using respectively L2 or L3 tunnelling.
Port Mirroring Configuration (Target)
• Create a mirror
    ovs-vsctl -- --id=@m create mirror name=mirror0 \
        -- add bridge br0 mirrors @m
• Find the UUID of the target interface
    ovs-vsctl list port dummy0
    ...
    uuid : 4d5ed382-a0c3-4453-ab3c-58e1e7f603b0
• Configure the mirror to output the mirrored packets to the target interface
    ovs-vsctl set mirror mirror0 \
        output_port=4d5ed382-a0c3-4453-ab3c-58e1e7f603b0
Port Mirroring Configuration (Selected Sources)
• Find the UUID of the port or ports whose packets should be mirrored
    ovs-vsctl list port tap0
    ...
    uuid : d624f5b1-f5e3-4f85-a907-bd209b5463aa
• Mirror packets sent to and received from the interface of interest
    ovs-vsctl set mirror mirror0 \
        select_src_port=d624f5b1-f5e3-4f85-a907-bd209b5463aa
    ovs-vsctl set mirror mirror0 \
        select_dst_port=d624f5b1-f5e3-4f85-a907-bd209b5463aa
• All packets sent to or received from tap0 will be mirrored on dummy0
• All flooded packets will go to dummy0
Port Mirroring Configuration (All Sources)
• Mirror every packet on the switch
    ovs-vsctl set mirror mirror0 select_all=1
• All switch packets will go to dummy0
QoS
• Open vSwitch QoS capabilities
– Port QoS policy
– Interface rate limiting
• To test during labs
sFlow and OvS
• sFlow® is an industry standard technology for performance monitoring of high speed switched networks (sFlow.org).
LISP Tunnelling Using OvS
• RFC 6830: Locator/ID Separation Protocol (LISP)
• LISP is a layer 3 tunneling mechanism to connect two VMs over IPv4.
• The VMs are hosted on different hypervisors.
• A hypervisor may communicate with several different hypervisors over the same lisp tunneling interface.
GRE Tunnelling using OvS
• RFC 2784: Generic Routing Encapsulation (GRE)
• Generic encapsulation of any protocol over another protocol.
TAP and TUN Interfaces
• Tap interface: Like their physical counterparts, virtual Tap interfaces are special software entities which tell the network stack and the Linux bridge to forward Ethernet frames as is (machines’ network ports can only process Ethernet frames).
• Tun interface: works at the IP level or layer three level of the network stack and is usually used for point-to-point connections. A typical use is to establish a VPN connection, since it gives the software VPN a chance to encrypt the data before it gets put on the wire.
Hybrid OpenvSwitch (1/3)
• Problems of Software-based Switch
– Low performance
– Cannot fully utilize the hardware resources
  • E.g., OVS only exploits a single CPU core
– Tightly coupled with the OS kernel
  • Massive RX interrupt handling for the NIC device
  • Shared data access between threads: competition makes a bottleneck
  • Increases the management complexity
• Hybrid OpenFlow Switch
– Separate the roles of the virtual switch into two parts
  • Software: switch abstraction (e.g., flow table)
  • Hardware: pure packet processing
• Data Plane Development Kit (DPDK)
– A set of libraries and drivers for fast packet processing
  • Incorporate with x86 CPU
  • Fast network I/O in user space
http://dpdk.org/doc/guides/index.html
Hybrid OpenvSwitch (2/3)
• Features of Hybrid
1. Polling: polling-based packet handling instead of interrupt handling
2. Core assignment: assign the polling task to a dedicated CPU core
3. Lockless packet handling: ring queue, batch processing
4. Reduction of # of accesses in I/O and memory: context-less switching
(Figure: left, Pure Software-based Switch: NIC, DMA, Ethernet driver, skb_buf, socket API, system calls (read/write) crossing kernel space and user space; right, Hybrid Switch with Intel DPDK: NIC, DMA, user-mode DPDK driver, HAL, DPDK library, I/O buffer, read/write packet with polling-based handling.)
Hybrid OpenvSwitch (1/3): Packet Processing using Multi-Core CPUs
• Packet Processing using Multi-Core CPUs
– Exploit many-core CPUs
– Decouple I/O processing and flow processing
– Explicit thread assignment to CPU core
(Figure: NIC RX 1-4 → RX buffer → I/O on CPU0 and CPU1 → ring buffer → packet/flow lookup and processing on CPU2-CPU5 → ring buffer → I/O on CPU6 and CPU7 → TX buffer → NIC TX 1-4.)
Intel Lab (Video)
• Build Open vSwitch with Intel Data Plane Development Kit (DPDK) and Prepare to Launch Open vSwitch
• Running a VNF Application with DPDK
• DPDK, VPP/FD.io and Accelerated Open vSwitch