Saturday, December 7, 2013

ovs-ofctl

The ovs-ofctl command line tool that ships with Open vSwitch provides a very convenient way to interact with OpenFlow forwarding rules, not just with Open vSwitch, but with any switch that can be configured to accept passive connections from an OpenFlow controller.

This article looks takes the example in Integrated hybrid OpenFlow and repeats it without an OpenFlow controller, using ovs-ofctl instead.

First start Mininet without a controller and configure the switch to listen for OpenFlow commands: 
sudo mn --topo single,3 --controller none --listenport 6633
Next use enable normal forwarding in the switch: 
ovs-ofctl add-flow tcp:127.0.0.1 priority=10,action=normal
The following command blocks traffic from host 1 (10.0.0.1): 
ovs-ofctl add-flow tcp:127.0.0.1 priority=11,dl_type=0x0800,nw_src=10.0.0.1,action=drop
The following command removes the block: 
ovs-ofctl --strict del-flows tcp:127.0.0.1 priority=11,dl_type=0x0800,nw_src=10.0.0.1
Finally, modify the controller script with the following block() and allow() functions: 
function addFlow(spec) {
  runCmd(['ovs-ofctl','add-flow','tcp:127.0.0.1',spec.join(',')]);
}

function removeFlow(spec) {
  runCmd(['ovs-ofctl','--strict','del-flows','tcp:127.0.0.1',spec.join(',')]);
}

function block(address) {
  if(!controls[address]) {
     addFlow(['priority=11','dl_type=0x0800','nw_src=' + address,'action=drop']);
     controls[address] = { action:'block', time: (new Date()).getTime() };
  }
}

function allow(address) {
  if(controls[address]) {
     removeFlow(['priority=11','dl_type=0x0800','nw_src=' + address]);
     delete controls[address];
  }
}
Moving from Mininet to a production setting is simply a matter of modifying the script to connect to the remote switch, configuring the switch to listen for OpenFlow commands, and configuring the switch to send sFlow data to sFlow-RT.

DDoS mitigation is only one use case for large flow control, others described on this blog include: ECMP / LAG load balancing, traffic marking and packet capture. This script can be modified to address these different use cases. The Mininet test bed provides a useful way to test hybrid OpenFlow control schemes before moving them into production using physical switches that support integrated hybrid OpenFlow and sFlow.
Posted by Peter at 3:06 PM
Labels: , , , ,

3 comments:

  1. sagarMarch 12, 2014 at 12:36 AM

    I am getting one error
    ovs-ofctl : connectiong to tcp:127.0.0.1 (connection refused). I am using openvswitch.

    ReplyDelete
    Replies
    1. Huynh NangOctober 28, 2014 at 8:43 AM

      I think you shoud use: ovs-ofctl add-flow card_bridge (example: xenbr0)

      Delete
  2. UnknownAugust 7, 2018 at 7:14 PM

    I am trying to add flows for torus topology with pox in order to ping all the hosts in mininet. Here is my add flow command.

    sudo mn --custom=sflow-rt/extras/sflow.py --link tc,bw=10 --topo torus,3,3 --controller remote --switch ovsk,stp=1 --mac

    sudo ovs-ofctl add-flow s1x1 priority=65535,arp,in_port=1,vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,arp_spa=10.0.0.1,arp_tpa=10.0.0.2,arp_op=2 actions=output:1

    sudo ovs-ofctl add-flow s1x2 priority=65535,arp,in_port=1,vlan_tci=0x0000,dl_src=00:00:00:00:00:02,dl_dst=00:00:00:00:00:01,arp_spa=10.0.0.2,arp_tpa=10.0.0.1,arp_op=2,actions=output:1

    sudo ovs-ofctl add-flow s1x1 priority=65535,icmp,in_port=1,vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,nw_src=10.0.0.1,nw_dst=10.0.0.2,nw_tos=0,icmp_type=8,icmp_code=0,actions=output:1

    sudo ovs-ofctl add-flow s1x2 priority=65535,icmp,in_port=1,vlan_tci=0x0000,dl_src=00:00:00:00:00:02,dl_dst=00:00:00:00:00:01,nw_src=10.0.0.2,nw_dst=10.0.0.1,nw_tos=0,icmp_type=8,icmp_code=0,actions=output:1

    Even after adding, I am still unable to ping the hosts. Can you please help me?

    ReplyDelete

Subscribe to: Post Comments (Atom)