Underneath OpenStack Quantum: Software Defined Networking with Open vSwitch Thomas Graf <[email protected]> Principal Software Engineer Red Hat, Inc. pril !", !#$% 1 Thomas Graf <[email protected]> Part One Why Open vSwitch? Open vSwitch ena(les )in*+ to (ecome part of a Software Defined Networking architecture. Application Application Application Network Operating System VM1 VM2 Switch Switch Open vSwitch Switch 2 Thomas Graf <[email protected]> Switched Networks Switches learn from the networ, traffic the- obser'e and decide independently. Compute Node A Network Node B Tenant Tenant Tenant Tenant Tenant Tenant 1 2 3 4 5 6 Bridge Bridge L3 Agent Switch 1 Switch 2 Switch 3 Peter Alice 3 Thomas Graf <[email protected]> Dynamica y update flow ta! es in a universal anguage. In the Software .efined Networ,ing architecture, the control and data planes are decoupled, networ, intelligence and state are logically centralized, and the underlying network infrastr*cture is a(stracted from the applications. Software-Defined Networking: The New Norm for Networks ONF White Paper April 13, 2012 4 Thomas Graf <[email protected]> Software Defined Networking A logically centralized controller decides what is (est for the networ, (ased on a globa view of the networ,. Compute Node A Network Node B Tenant Tenant Tenant Tenant Tenant Tenant 1 2 3 4 5 6 vSwitch 1 vSwitch 2 L3 Agent Controller Switch 1 Open$ ow Switch 2 Switch 3 Peter Alice 5 Thomas Graf <[email protected]> Software Defined Networking An attempt to create a well1,nown API for applications of the /etwor, that did not succeed yet. &pen.a-light on its wa- to ma,e this happen. Application Application Application Network Operating System Open Interface (OpenFlow) Switch Vendor X Virtual Switch B Virtual Switch A Switch Vendor Y 6 Thomas Graf <[email protected]> Open$ ow The Open Standard (ehind it. Match on ar(itrar- Execute actions (its in pac,et ● Forward to port 1. 3header4 2. ● .rop ● Send to controller ● Mangle pac,et Open5low ena(les networ,s to e'olve, (y gi'ing a remote controller the power to modify the (ehavior of networ, de'ices, thro*gh a well-defined 6forwarding instruction set6. The growing &pen5low ecosystem now includes routers, switches, 'irtual switches, and access points from a range of 'endors. 7 Thomas Graf <[email protected]> &/F Website Open$ ow Capa! e Devices ● Software Switches ● &pen 'Switch, Cisco /ex*s 1000V ● 92ware vSphere, /EC H-per-9, ... ● Hardware Switches ● :rocade, Cisco, HP, I:2, Juniper /etworks, NEC, ... ● Switching ASI8s ● Indigo – Open source firmware leveraging Ethernet switch ASI8s to s*pport up to 4=x 10G ports ● 2ellano+ SwitchX-! chip 8 Thomas Graf <[email protected]> Is it production ready? 9 Thomas Graf <[email protected]> Part Two Open vSwitch &pen 'Switch is a virtua switch for h-per'isors providing networ, connecti'ity to 'irtual machines. Controller Compute Node A Network Node B O p Tenant Tenant Tenant w e Tenant Tenant Tenant lo w n F o F 1 2 3 1 2 3 l n lo e F p w O n e Compute Node A p O Open vSwitch Open vSwitch L3 Agent Hardware Switch Alice Peter 10 Thomas Graf <[email protected]> Open vSwitch Project ● Primaril- used as a 'irtual switch for 92s ● 2*lti Platform 3)in*+, Microsoft, and Silicon4 ● .e'eloped (- /icira & Community ● pache )icense 3@ser Space4, GP) 3Aernel) ● &penFlow $.1 + e+tensions ● n- netde'ice 3physical/'irtual) can (e added as uplin, port 11 Thomas Graf <[email protected]> How does it work? &pen 'Switch maintains a f ow table that defines what to do with each flow. Compute/Network Node Tenant Tenant Tenant Tenant 1 2 3 n Controller br-int Open vSwitch Flow table Quantum OVS Agent Patch ports Quantum L3 Agent Quantum DHCP Agent OpenFlow br-eth1 br-tun br-ext eth1 eth0 To Network Node External Network 12 Thomas Graf <[email protected]> Feature $ine Grained $ ow Table Control ● Extensi'e flow matching capa(ilities ● Layer 1 – Tunnel I., In Port, QoS priority, s,( mark ● Layer 2 – M C address, VLA/ ID, Ethernet type ● Layer 3 – IP'"CIP'6 fields, RP ● Layer 4 – [email protected], I82P, N. ● Possible chain of actions ● &utput to port (port range, flood, mirror) ● Discard, Resubmit to table x ● Packet Mangling (PushCPop 9) / header, TOS, ...4 ● Send to controller, Learn 13 Thomas Graf <[email protected]> Feature Security / ,- Segregation .,/N isolation enforces .,AN membership of a VM without the ,nowledge of the guest itself. Compute Node VLAN 1 VLAN 2 # ovs-vsctl add-port ovsbr port2 tag=10 VM1 VM2 VM3 Open vSwitch 8a'eat: 2 >39) /GI.4 limited 14 Thomas Graf <[email protected]> Feature Tunneling Tunneling provides isolation and reduces dependencies on the physical networ,. Compute Node 1 Compute Node 2 Controller VNET 1 VNET 2 VNET 2 VNET 1 O p w e VM1 VM2 VM3 lo n VM4 VM5 VM6 F F n l e o p w O Open vSwitch Open vSwitch { GRE | STT | VXLAN } Tunnel Hardware Switch 15 Thomas Graf <[email protected]> Feature .isibility Supports industry standard techno ogy to monitor the use of a networ,. ● ● /etFlow ● Port Mirroring ● SP / ● RSP / ● ERSP / 16 Thomas Graf <[email protected]> Feature Qua ity of Service ● @ses existing Traffic Control Layer ● Policer (Ingress rate limiter4 ● HTB, HFSC (Egress traffic classes4 ● 8ontroller 3&pen 5low4 can select Traffic 8lass Virtual Host VLAN 10 # ovs-vsctl set Interface port2 \ VM1 VM2 ingress_policing_rate=1000 1mbit port1 port2 ovsbr 17 Thomas Graf <[email protected]> /rchitecture Management ovs-ofctl ovsdb-tool OpenFlow sFlow ovs-dpctl ovs-vsctl (3) 2 upcall User space 5reinject vswitchd ovsdb Netlink 4 6 Kernel Datapath Packet Processing Flow Table From NetDevice To NetDevice Management Workflow 1 7 Promiscuous Mode 18 Thomas Graf <[email protected]> 1odifying the $ ow Ta! e Strip VLAN header of all packets from MAC address 11:22:33:44:55:66 and forward packet to port 1. # ovs-ofctl add-flow ovsbr \ dl_src=11:22:33:44:55:66,actions=strip_vlan,output:1 # ovs-ofctl dump-flows ovsbr [...] cookie=0x0, duration=36.24s, table=0, n_packets=0, n_bytes=0, idle_age=36, dl_src=11:22:33:44:55:66 actions=strip_vlan,output:1 19 Thomas Graf <[email protected]> Questions? ● Open vSwitch ● httpFC/www.open'switch.orgC ● OpenFlow ● httpFC/www.openflow.orgC ● Open Networking Foundation ● httpFC/www.opennetwor,ing.orgC ● sFlow ● httpFC/www.sflow.orgC ● Going with the FlowF GoogleHs Secret Switch to the Next Wave of Networ,ing ● httpFC/www.wired.com/wiredenterpriseC!#$!C#"Cgoing-with-the-flow-googleC 20 Thomas Graf <[email protected]>.