SDN Lab 01 · 140.117.164.12/data/SDN_NFV_class/SDN_Lab1.pdf · 2016. 2. 1. · controller...
-
SDN Lab 01
TAs: 林賢哲、林佳瑩
2015.10.08
-
Introduction
• OpenFlow
• Mininet
• Open-vSwitch
• OpenDayLight controller
-
Grading
• Install Mininet (20 pt)
• Install OpenDaylight (30 pt)
• Connect Mininet to ODL controller (10 pt)
• Create a Specified Network Topology (10 pt)
• Add Flow Entries to Open-vSwitch via OpenDaylight
  • Block (15 pt)
  • Modify Header [basic] (15 pt)
  • Modify Header [Advanced] (10 pt)
• Connect mininet network to the Internet (15 pt)
• Block Youtube (10 pt)
-
OpenFlow (slides 4-7 are figures with no text)
-
Introduction
• Mininet
  • An Instant Virtual Network on your Laptop (or other PC)
• Open-vSwitch
  • It is designed to enable massive network automation through programmatic extension, while still supporting standard management interfaces and protocols
• OpenDayLight
  • a highly available, modular, extensible, scalable and multi-protocol controller infrastructure built for SDN deployments on modern heterogeneous multi-vendor networks
-
Environment (figure)
-
Environment (figure): Windows 7 Host, Ubuntu 14.04 Host
-
Mininet - Installation
• Step I : Install git
$ sudo apt-get update
$ sudo apt-get install -y git
• Step II : Download the Mininet installer
cd to any directory you like and download the installer there
$ git clone git://github.com/mininet/mininet
-
Mininet - Installation (cont.)
• Step III : Install Mininet
$ mininet/util/install.sh -a
  • -a : install everything, including Mininet VM, Open vSwitch, wireshark, controller POX, etc.
• Step IV : Test the basic Mininet functionality
$ sudo mn --test pingall
ref : Install Mininet (option 2), http://mininet.org/download/
-
Mininet - Basic commands
• Run default Mininet, entering the Mininet CLI
$ sudo mn
• Help
mininet> help
• Display nodes
mininet> nodes
-
Mininet - Basic commands (cont.)
• Display links
mininet> net
• Dump information about all nodes
mininet> dump
• Let the virtual hosts ping each other
mininet> pingall
-
Mininet - Basic commands (cont.)
• Let host1 ping host2
mininet> h1 ping h2
• Show h1's network interface
mininet> h1 ifconfig
• Use "sh" to execute a shell command
mininet> sh echo "check the ref http://mininet.org/walkthrough"
-
Mininet - Basic commands (cont.)
• Clean up Mininet state after exiting (needs root, like mn itself)
$ sudo mn -c
-
Mininet - Grading
• Show the TA h1's IP address and h2's MAC address (20 pt)
-
OpenDaylight - Installation
• Step I : Install Java 7 (already done for you)
$ sudo apt-get install openjdk-7-jdk openjdk-7-jre
• Step II : Download the ODL release Lithium-SR1 tar file (267 MB), https://www.opendaylight.org/software/downloads/lithium-sr1
Done for you too. It's located at ~/lab1
• Step III : Extract it
$ tar -zxvf
-
OpenDaylight - Installation (cont.)
• Step IV : Run Karaf with OpenFlow1.3, entering its CLI
$ .//bin/karaf -of13
• Step V : Install features (the Karaf distribution has no features enabled by default)
  • odl-mdsal-clustering : provides support for operating a cluster of ODL instances. It's marked "special" in the guidance: clustering MUST be installed before any other feature.
  • odl-restconf : enables REST API access
-
OpenDaylight - Installation (cont.)
• Step V : Install features (cont.)
  • odl-l2switch-switch-ui : provides L2 (Ethernet) forwarding across connected OpenFlow switches and support for host tracking
  • odl-dlux-all : includes odl-dlux-core, odl-dlux-node, odl-dlux-yangui and odl-dlux-yangvisualizer. You'll see them on the left panel of the index web page.
opendaylight-user@root> feature:install odl-mdsal-clustering odl-restconf odl-l2switch-switch-ui odl-dlux-all
-
OpenDaylight - Installation (cont.)
• Step VI : Open the ODL web UI at the IP of the host where ODL is installed (127.0.0.1), port 8181
http://:8181/index.html
account : admin
password : admin
PS: this URL only reaches the web UI once "./karaf" has run long enough; by the TAs' experience, 2~6 minutes.
• Official documents can be found at Lithium-SR1, https://www.opendaylight.org/software/downloads/lithium-sr1
-
OpenDaylight - Grading
• Run OpenDaylight successfully (15 pt)
-
OpenDaylight - Grading (cont.)
• Launch the OpenDaylight web UI and log in (15 pt)
-
Connect Mininet to ODL Controller
• Step I : Disable the ovs-controller daemon
The ovs-controller daemon listens on port 6633. When ODL is running, it listens on port 6633 as well, so if the two services run on the same host at the same time they conflict. All you need to do is check whether ovs-controller is running and, if it is, disable it.
$ ps -e | grep ovs #ovs-controller
$ sudo service openvswitch-controller stop
-
Connect Mininet to ODL Controller (cont.)
• Step II : Connect Mininet to ODL
$ sudo mn --topo linear,3 --controller remote --switch ovsk,protocols=OpenFlow13 --mac
  • --topo [single | linear | tree], : specify the topology
  • --controller remote[,ip=,port=] : use a remote controller instead of the default one. If ip and port are not specified, 127.0.0.1:6633 is used by default.
  • --switch ovs,protocols=OpenFlow13 : choose Open-vSwitch with OpenFlow1.3 enabled
  • --mac : make the virtual hosts' MAC addresses easy to read. Use "ifconfig" to check.
-
Connect Mininet to ODL Controller (cont.)
• Step III : Observation
Before the virtual hosts send any packet through a switch, the switch has no information about the virtual hosts connected to it, so the web UI shows only switch nodes and no virtual host nodes.
Once a switch starts to receive packets from these virtual hosts, it learns their MAC addresses, and the virtual hosts then appear on the topology graph.
-
Connect Mininet to ODL - Grading
• Check the topology on the web UI, http://:8181/index.html (10 pt)
-
Topology
• You can specify different topologies as mentioned earlier.
$ mn --topo [single | linear | tree],
  • --topo single,2 : single switch with 2 virtual hosts
  • --topo linear,4 : 4 switches connected in a line, each with one virtual host attached
  • --topo tree,3 : 7 switches arranged as a binary tree of depth 3; each leaf switch has two virtual hosts
-
Topology - Custom
• Program your own custom topology in Python.
• Check the example; we believe it's easy to understand.
$ vim mininet/custom/topo-2sw-2host.py
Note that the last line of the example defines a topology name (marked in red on the slide), which will be used in the Mininet command later.
topos = { 'mytopo': ( lambda: MyTopo() ) }
-
Topology - Custom (cont.)
• Test it
$ mn --custom mininet/custom/topo-2sw-2host.py --topo mytopo --controller remote
• Your mission : create a topology with two interconnected switches (s1 and s2). Two virtual hosts (h1, h2) are connected to s1 and three virtual hosts (h3, h4, h5) are connected to s2.
• ref : Custom Topology, http://mininet.org/walkthrough/#custom-topologies
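One way to write the mission topology, as an added example (not code from the slides or from the Mininet project). The file name lab_topo.py, the helper attached_hosts and the stand-in Topo class used only when Mininet is not installed are assumptions; on the lab VM the real mininet.topo.Topo is imported.

```python
"""Custom Mininet topology for the lab mission: s1--s2, h1/h2 on s1, h3/h4/h5 on s2."""
try:
    from mininet.topo import Topo
except ImportError:
    # Stand-in used only when Mininet is not installed (e.g. checking the file offline);
    # it mirrors just the Topo methods this file relies on.
    class Topo:
        def __init__(self, *args, **params):
            self._nodes, self._links = {}, []
            self.build(*args, **params)
        def build(self, *args, **params):
            pass
        def addHost(self, name, **opts):
            self._nodes[name] = "host"
            return name
        def addSwitch(self, name, **opts):
            self._nodes[name] = "switch"
            return name
        def addLink(self, node1, node2, **opts):
            self._links.append((node1, node2))
        def hosts(self, sort=True):
            return sorted(n for n, k in self._nodes.items() if k == "host")
        def switches(self, sort=True):
            return sorted(n for n, k in self._nodes.items() if k == "switch")
        def links(self, sort=False, withKeys=False, withInfo=False):
            return list(self._links)


class LabTopo(Topo):
    "Two interconnected switches; two hosts behind s1, three behind s2."

    def build(self, hosts_on_s1=2, hosts_on_s2=3):
        s1 = self.addSwitch("s1")
        s2 = self.addSwitch("s2")
        self.addLink(s1, s2)
        n = 1  # host numbering continues across switches so names run h1..h5
        for sw, count in ((s1, hosts_on_s1), (s2, hosts_on_s2)):
            for _ in range(count):
                self.addLink(self.addHost(f"h{n}"), sw)
                n += 1


def attached_hosts(topo, switch):
    """Hosts directly linked to `switch`: a quick sanity check before opening the web UI."""
    hosts = set(topo.hosts())
    return sorted(b if a == switch else a
                  for a, b in topo.links() if switch in (a, b) and ({a, b} & hosts))


# The name Mininet looks up with: sudo mn --custom lab_topo.py --topo mytopo --controller remote
topos = {"mytopo": (lambda: LabTopo())}
```

Run it with the same --switch ovs,protocols=OpenFlow13 --mac options used earlier so the hosts show up in the ODL topology view.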
-
Topology - Grading
• Show your topology via the web UI (10 pt)
-
Flows
• We learned the basic concepts of OpenFlow at the beginning of the course.
• In this part, we are going to add some flows on our OpenDayLight controller, using OpenFlow version 1.3.0 as the interface.
• You can find the introduction to OpenFlow version 1.3.0 in the document below.
https://www.opennetworking.org/images/stories/downloads/sdn-resources/onf-specifications/openflow/openflow-spec-v1.3.0.pdf
• After a flow is added on the controller, a switch can handle a packet it doesn't know by asking the controller for the flow rules.
• Let's start with the task of blocking a specific IP by using the Yang UI in OpenDayLight.
-
Flows
• Step I : Open the web UI of OpenDayLight (http://:8181/index.html) and choose Yang UI on the side menu.
-
Flows
• Step II : According to your purpose, find the directory and action in the table below (the blue part on the slide must be filled with the switch, table and flow you want to set up).

Purpose               Action   Directory
Add Flow              PUT      config/opendaylight-inventory:nodes/node/openflow:1/table/0/flow/1
Delete Flow           DELETE   config/opendaylight-inventory:nodes/node/openflow:1/table/0/flow/1
Get Flow Config       GET      config/opendaylight-inventory:nodes/node/openflow:1/table/0
Get Flow Operational  GET      operational/opendaylight-inventory:nodes/node/openflow:1/table/0
Get Inventory         GET      operational/opendaylight-inventory:nodes/
Get Topology          GET      operational/network-topology:network-topology/

Reference : OpenDaylight OpenFlow Plugin:End to End Flows, https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:End_to_End_Flows
OpenDaylight User Guide, https://www.opendaylight.org/sites/opendaylight/files/bk-user-guide.pdf
-
Flows
• Step III : Find the directory, and start to manage flows. Take "Add Flow" for example (config/opendaylight-inventory:nodes/node/openflow:1/table/0/flow/1)
-
Flows
• Step IV : After clicking "flow {id}", you can add a new flow at the bottom of the web page.
• Use the "+" button and expand folders to set up values.
• Click the triangle button, like "▼", to expand or collapse the options.
-
Flows (figure)
• Setting:
  • Click "+" to add a flow
  • Expand "match"
-
Flows (figure)
-
Flows
• Ethernet-match
  • Ethernet-source/destination : MAC address
  • Ethernet-type : see https://en.wikipedia.org/wiki/EtherType
  • You can find which ethernet-types OpenFlow supports in each version at http://flowgrammable.org/sdn/openflow/classifiers/#tab_ofp_1_3_0
-
Flows
• Layer-3-match
  • Arp-match
    • Arp-op (more: http://www.iana.org/assignments/arp-parameters/arp-parameters.xhtml)
    • Arp-source/target-transport-address
      • IPv4 address
    • Arp-source/target hardware-address
      • MAC address
-
Flows
• Layer-3-match
  • Ipv4-source/destination
-
Flows
• Click "+" to add an instruction list
• There are many instructions you can choose from (reference: http://flowgrammable.org/sdn/openflow/actions/#tab_ofp_1_3)
-
Flows
• Choose "apply-action-case", and add an action list item
• You can find many actions.
-
Flows
• Actions (reference: http://flowgrammable.org/sdn/openflow/actions/#tab_ofp_1_3)

Action                   Description
Drop-action-case         Discards the packet
Output-action-case       Output-node-connector : NORMAL (forward)
Set-dl-dst-action-case   Set destination MAC address
Set-dl-src-action-case   Set source MAC address
Set-nw-dst-action-case   Set destination IP address
Set-nw-src-action-case   Set source IP address
Set-field-case           Set many different kinds of fields, including ethernet, ip etc.
-
Flows
• You can have more than one action in a flow. The actions are executed in increasing order (e.g. the action with order 0 is the first action).
• The item highlighted in yellow is the one you are editing now.
-
Flows
• Priority
  • Higher numbers take higher precedence (0~65535).
• table id : must be the same as the table you set up in the URL.
-
Flows (screenshot of the Yang UI flow form; the visible values are 2, Foo, 2048 and 10.0.10.2/24)
• More detail about the content of a flow (for more examples see Editing OpenDaylight OpenFlow Plugin:End to End Flows:Example Flows):
https://wiki.opendaylight.org/view/Editing_OpenDaylight_OpenFlow_Plugin:End_to_End_Flows:Example_Flows#IPv4_Dest_Address
-
Flows (screenshot of a filled-in flow form; the visible values are 1, 0, 0 and 0)
• You can use the web UI in openDayLight or RESTful API tools, such as Postman (a Chrome extension) or a RESTful plugin in Firefox, to edit flows (reference: https://github.com/BRCDcomm/BVC/blob/master/docs/SDN-Controller-2.0.1-User-Guide.pdf).
-
Flows
• Create a network topology with more than 3 virtual hosts. You can either use your custom topology or a built-in topo pattern.
• Task A : Block. One host cannot communicate with the other hosts, while the other hosts can all communicate with each other. You can block its port, MAC or IP. (15pt)
• Task B : Modify header [basic]. When h1 pings h2, modify the src IP from h1; use wireshark to monitor the interface of h2 to verify your change. (10pt)
• Task C (bonus) : Modify header [advanced]. For all packets coming from h1 to h2, substitute the packets' src IP from h1's to an IP which doesn't belong to any host in this network, let's say X. Then change the destination IP of the packets which come from h2 to X back to h1's IP. (10pt)
-
Flows
• Task A : Block (15pt)
  • Block source from h1
  • Use `ovs-ofctl -O OpenFlow13 dump-flows s1` to check whether s1 has the flow we sent or not.
  • Pingall to check the status of the network.
-
Flows
• Task B : Modify header [basic] (15pt)
  • Modify the source IP from 10.0.0.1 to 10.0.0.100
  • Use wireshark to check the packets on the interface s1-h2
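Added example (not code from the slides or from the OpenDaylight project): the lab's flows pushed over RESTCONF instead of clicking through Yang UI. It builds the Task A block flow (also usable by destination for the Block Youtube bonus), the Task B source rewrite, and the actions=NORMAL flow the Internet section asks for. Assumptions: ODL on 127.0.0.1:8181 with the lab's default admin/admin account, the JSON body shape of the OpenFlow plugin, and priorities 300/100 chosen to win over the flows l2switch installs.

```python
import base64
import json
import urllib.request

ODL = "http://127.0.0.1:8181"  # assumption: ODL on this host, default web UI port
AUTH = "Basic " + base64.b64encode(b"admin:admin").decode()  # lab default account
IPV4 = {"ethernet-type": {"type": 2048}}  # OF1.3 prerequisite for IPv4 match / set-nw-src

def flow_url(switch_id, table_id, flow_id):
    """The slide's PUT path; switch, table and flow id are the parts you fill in."""
    return (f"{ODL}/restconf/config/opendaylight-inventory:nodes/node/"
            f"openflow:{switch_id}/table/{table_id}/flow/{flow_id}")

def flow_body(flow_id, name, priority, match, actions, table_id=0):
    """Wrap a match and an ordered action list in the JSON the OpenFlow plugin expects."""
    return {"flow-node-inventory:flow": [{
        "id": str(flow_id), "table_id": table_id, "priority": priority,
        "flow-name": name, "match": match,
        "instructions": {"instruction": [{"order": 0, "apply-actions": {
            "action": [dict(a, order=i) for i, a in enumerate(actions)]}}]}}]}

def block_flow(flow_id, src_ip=None, dst_ip=None, priority=300):
    """Task A / Block Youtube: drop IPv4 traffic from src_ip and/or to dst_ip."""
    match = {"ethernet-match": IPV4}
    if src_ip:
        match["ipv4-source"] = f"{src_ip}/32"
    if dst_ip:
        match["ipv4-destination"] = f"{dst_ip}/32"
    return flow_body(flow_id, "block", priority, match, [{"drop-action": {}}])

def rewrite_src_flow(flow_id, src_ip, new_src, priority=300):
    """Task B: rewrite the source IP, then forward as a normal learning switch would."""
    match = {"ethernet-match": IPV4, "ipv4-source": f"{src_ip}/32"}
    return flow_body(flow_id, "rewrite-src", priority, match, [
        {"set-nw-src-action": {"ipv4-address": f"{new_src}/32"}},
        {"output-action": {"output-node-connector": "NORMAL", "max-length": 65535}}])

def normal_flow(flow_id, priority=100):
    """Internet part: match everything and hand it to the NORMAL (traditional switch) pipeline."""
    return flow_body(flow_id, "normal", priority, {},
                     [{"output-action": {"output-node-connector": "NORMAL", "max-length": 65535}}])

def put_flow(body, switch_id=1, table_id=0):
    """PUT one flow to RESTCONF; returns the HTTP status (201 created, 200 replaced)."""
    fid = body["flow-node-inventory:flow"][0]["id"]
    req = urllib.request.Request(
        flow_url(switch_id, table_id, fid), data=json.dumps(body).encode(), method="PUT",
        headers={"Content-Type": "application/json", "Authorization": AUTH})
    with urllib.request.urlopen(req) as resp:
        return resp.status

if __name__ == "__main__":
    print(put_flow(block_flow(1, src_ip="10.0.0.1")))  # verify: ovs-ofctl -O OpenFlow13 dump-flows s1
```

Because the same admin/admin credentials let anyone on the lab network rewrite flows, keep port 8181 reachable only from the VM while you work.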
-
Flows
• Task C (bonus) : Modify header [advanced]
  • First, we need to downgrade Ubuntu's kernel; then we can update openvswitch to version 2.3.1
  • Downgrade Ubuntu's kernel : just follow the instructions on this website: Ubuntu 12.04 LTS kernel downgrade, http://roan.logdown.com/posts/183081-ubuntu-1204-lts-kernel-downgrade
  • Update openvswitch : just follow the instructions on this website: Compile OpenvSwitch v2.3.1 on Ubuntu 14.04.1 LTS, http://roan.logdown.com/posts/220671-compile-openvswitch-v230-on-ubutnu-14041-lts
-
Flows
• Task C (bonus) : Modify header [advanced]
• Flow of ping (figure: H1 at 10.0.0.1, the switch, H2 at 10.0.0.2; the switch rewrites H1's address to 10.0.0.100 towards H2 and back to 10.0.0.1 towards H1)
  H1 -> switch : [Arp] where is 10.0.0.2? Tell 10.0.0.1
  switch -> H2 : [Arp] where is 10.0.0.2? Tell 10.0.0.100
  H2 -> switch : [Arp] 10.0.0.2 is at MAC2
  switch -> H1 : [Arp] 10.0.0.2 is at MAC2
  H1 -> switch : [ICMP] 10.0.0.1 request 10.0.0.2
  switch -> H2 : [ICMP] 10.0.0.100 request 10.0.0.2
  H2 -> switch : [ICMP] 10.0.0.2 reply 10.0.0.100
  switch -> H1 : [ICMP] 10.0.0.2 reply 10.0.0.1
-
Wireshark
• Error : There are no interfaces on which a capture can be done.
• Solution
  • Step 1 : Allow non-superusers to capture packets
$ sudo dpkg-reconfigure wireshark-common
In this configuration, select .
This setting creates a wireshark group.
-
Wireshark
• Step 2 : Add your user to the wireshark group
$ sudo usermod -a -G wireshark $USER
• Step 3 : Re-login
  • You can reboot,
$ sudo reboot
  • or log out if using Ubuntu Desktop
$ gnome-session-quit --logout --no-prompt
-
Connect to the Internet - Bonus (15 pt)
• Create a virtual network with the default topology, connected to the ODL controller.
$ sudo mn --mac --switch ovs,protocols=OpenFlow13 --controller remote
-
Connect to the Internet (figure: Ubuntu host TCP/IP stack and applications, eth0, s1 with ports s1-eth1 and s1-eth2, h1-eth0, h2-eth0; "ping outside world")
-
Connect to the Internet
• Create a virtual network with the default topology, connected to the ODL controller.
• The Ubuntu host can access the outside world
mininet> sh ping 8.8.8.8
• Check out the routing table
mininet> sh route
-
Connect to the Internet
• h1 has no way to reach the outside world via s1
mininet> h1 ping 8.8.8.8
• Check h1's IP address and routing table
-
Connect to the Internet
• Step I : Attach eth0 to s1, making it a port of the ovs
mininet> sh ovs-vsctl add-port s1 eth0
mininet> sh ovs-vsctl show
-
Connect to the Internet (figure: Ubuntu host TCP/IP stack and applications; eth0 is now a port of s1 beside s1-eth1 and s1-eth2; h1-eth0, h2-eth0)
-
Connect to the Internet
• Now even your Ubuntu host can't ping the outside world.
mininet> sh ping 8.8.8.8 # no response
• That's because the Ubuntu host tries to reach the Internet via eth0, but eth0 now acts as a port of the ovs.
• What we want is for the Ubuntu host to reach the outside world through s1.
-
Connect to the Internet
• Step II : Remove eth0's IP, then make s1 a DHCP client so that s1 becomes the default interface. But first, set a flow to make the ovs act as a traditional switch.
Add a flow with actions=NORMAL via ODL
-
Connect to the Internet
The command dhclient asks the DHCP server for a valid IP address. In your environment, VirtualBox takes the role of the DHCP server. Since eth0 and s1 both have the same MAC address, whichever interface requests an IP after the other one already did will fail to get a valid IP. That's why we remove eth0's IP before s1 gets its own. dhclient automatically sets the default gateway and default interface.
mininet> sh ifconfig eth0 0
mininet> sh dhclient s1
mininet> sh route
-
Connect to the Internet (figure: Ubuntu host TCP/IP stack and applications now on s1; eth0, s1-eth1, s1-eth2, h1-eth0, h2-eth0)
-
Connect to the Internet
• The Ubuntu host can ping out now, but the virtual hosts still can't.
• After checking h1's IP and routing table, we know h1 doesn't belong to the network of the Ubuntu host's default gateway.
• We can get h1 an IP on the Ubuntu host's network, plus a default gateway, the same way it worked for s1.
-
Connect to the Internet
• Step III : Get h1 an IP from DHCP
mininet> h1 ifconfig h1-eth0 0
mininet> h1 dhclient h1-eth0
-
Connect to the Internet (figure: Ubuntu host TCP/IP stack and application on s1; eth0, s1-eth1, s1-eth2, h1-eth0, h2-eth0)
-
Connect to the Internet
• Give it a snapshot !!
-
Connect to the Internet
• If you want to ping google.com, you need to edit the file /etc/resolv.conf and add a nameserver, 8.8.8.8 for example.
$ sudo vim /etc/resolv.conf
-
Block Youtube - Bonus (10 pt)
• Goal : block Youtube from the Ubuntu host, which means your Ubuntu host cannot watch Youtube videos while the virtual hosts, such as h1 and h2, can still ping youtube.com
• Step I : Find out Youtube's IP
mininet> sh nslookup youtube.com
• Step II : You've got the target IP. Block it !
• If you accidentally block google.com as well, that's acceptable in this lab…
-
Block Youtube - Bonus (10 pt)
Take a picture
-
References
• Install Mininet: http://mininet.org/download/
• ODL release: https://www.opendaylight.org/downloads
• ODL installation: https://wiki.opendaylight.org/view/Install_On_Ubuntu_14.04
• ODL features: http://yhhuanglab.blogspot.tw/2015/08/mininetopendaylight.html
• Mininet Walkthrough: http://mininet.org/walkthrough/#custom-topologies
• Introduction to OpenFlow (video): https://www.youtube.com/watch?v=l25Ukkmk6Sk
• Introduction to OVS (video): https://www.youtube.com/watch?v=rYW7kQRyUvA