Thomas Graf <[email protected]>1
Underneath OpenStack Quantum: Software Defined Networking with Open vSwitch
Thomas Graf <[email protected]>, Principal Software Engineer, Red Hat, Inc.
April 24, 2013
Part One: Why Open vSwitch?
Open vSwitch enables Linux to become part of a Software Defined Networking architecture.
[Diagram: a Network Operating System with Applications on top controls several Switches; Open vSwitch hosts VM1 and VM2.]
Switched Networks
Switches learn from the network traffic they observe and decide independently.
[Diagram: Compute Node A (Bridge) and Network Node B (Bridge, L3 Agent) connected through Switch 1, Switch 2 and Switch 3; Tenants 1 to 6; hosts Alice and Peter.]
Dynamically update flow tables in a universal language.
"In the Software Defined Networking architecture, the control and data planes are decoupled, network intelligence and state are logically centralized, and the underlying network infrastructure is abstracted from the applications."
Software-Defined Networking: The New Norm for Networks, ONF White Paper, April 13, 2012
Software Defined Networking
A logically centralized controller decides what is best for the network based on a global view of the network.
[Diagram: a Controller speaking OpenFlow to vSwitch 1 (Compute Node A), vSwitch 2 (Network Node B, L3 Agent) and Switches 1 to 3; Tenants 1 to 6; hosts Alice and Peter.]
Software Defined Networking
[Diagram: a Network Operating System with Applications above an Open Interface (OpenFlow) to Virtual Switch A, Virtual Switch B, Switch Vendor X and Switch Vendor Y.]
An attempt to create a well-known API for applications of the network, which has not succeeded yet.
OpenDaylight is on its way to make this happen.
OpenFlow
The Open Standard behind it.
● Match on arbitrary bits in packet (header)
● Execute actions
  ● Forward to port
  ● Drop
  ● Send to controller
  ● Mangle packet
"OpenFlow enables networks to evolve, by giving a remote controller the power to modify the behavior of network devices, through a well-defined "forwarding instruction set". The growing OpenFlow ecosystem now includes routers, switches, virtual switches, and access points from a range of vendors."
ONF Website
OpenFlow Capable Devices
● Software Switches
  ● Open vSwitch, Cisco Nexus 1000V
  ● VMware vSphere, NEC Hyper-V, ...
● Hardware Switches
  ● Brocade, Cisco, HP, IBM, Juniper Networks, NEC, ...
● Switching ASICs
  ● Indigo – open source firmware leveraging Ethernet switch ASICs to support up to 48x 10G ports
  ● Mellanox SwitchX-2 chip
Is it production ready?
Part Two: Open vSwitch
Open vSwitch is a virtual switch for hypervisors providing network connectivity to virtual machines.
[Diagram: Compute Node A (Open vSwitch, Tenants 1 to 3) and Network Node B (Open vSwitch, Tenants 1 to 3, L3 Agent) joined by a Hardware Switch; a Controller speaks OpenFlow to both Open vSwitch instances; hosts Alice and Peter.]
Open vSwitch Project
● Primarily used as a virtual switch for VMs
● Multi Platform (Linux, Microsoft, and Silicon)
● Developed by Nicira & Community
● Apache License (User Space), GPL (Kernel)
● OpenFlow 1.1 + extensions
● Any netdevice (physical/virtual) can be added as uplink port
How does it work?
Open vSwitch maintains a flow table that defines what to do with each flow.
[Diagram: a Compute/Network Node running Open vSwitch with the Quantum OVS Agent, Quantum L3 Agent and Quantum DHCP Agent; bridges br-int, br-tun, br-eth1 and br-ext joined by patch ports; eth0 leads to the Network Node, eth1 to the External Network; a Controller programs the flow table over OpenFlow; Tenants 1 to n.]
Feature: Fine Grained Flow Table Control
● Extensive flow matching capabilities
  ● Layer 1 – Tunnel ID, In Port, QoS priority, skb mark
  ● Layer 2 – MAC address, VLAN ID, Ethernet type
  ● Layer 3 – IPv4/IPv6 fields, ARP
  ● Layer 4 – TCP/UDP, ICMP, ND
● Possible chain of actions
  ● Output to port (port range, flood, mirror)
  ● Discard, Resubmit to table x
  ● Packet Mangling (Push/Pop VLAN header, TOS, ...)
  ● Send to controller, Learn
Feature: Security / L2 Segregation
[Diagram: a Compute Node whose Open vSwitch places VM1 in VLAN 1 and VM2 and VM3 in VLAN 2.]
VLAN isolation enforces VLAN membership of a VM without the knowledge of the guest itself.
# ovs-vsctl add-port ovsbr port2 tag=10
Caveat: MAX(VLAN_ID) is limited.
Feature: Tunneling
[Diagram: Compute Node 1 (VM1, VM2, VM3) and Compute Node 2 (VM4, VM5, VM6), each with Open vSwitch, joined across a Hardware Switch by a { GRE | STT | VXLAN } Tunnel carrying VNET 1 and VNET 2; a Controller speaks OpenFlow to both.]
Tunneling provides isolation and reduces dependencies on the physical network.
Feature: Visibility
● NetFlow
● Port Mirroring
  ● SPAN
  ● RSPAN
  ● ERSPAN
Supports industry standard technology to monitor the use of a network.
Feature: Quality of Service
● Uses existing Traffic Control Layer
  ● Policer (Ingress rate limiter)
  ● HTB, HFSC (Egress traffic classes)
● Controller (OpenFlow) can select Traffic Class
[Diagram: a Virtual Host with VM1 on port1 and VM2 on port2 of bridge ovsbr, VLAN 10; port2 is rate-limited to 1mbit.]
# ovs-vsctl set Interface port2 \
    ingress_policing_rate=1000
Architecture
[Diagram: Userspace holds ovsdb and vswitchd, the OpenFlow and sFlow interfaces, and the management tools ovs-vsctl, ovsdb-tool, ovs-ofctl and ovs-dpctl; the Kernel holds the Datapath with its Flow Table; Netlink carries the upcall from kernel to userspace and the reinject back; packets enter From NetDevice (Promiscuous Mode) and leave To NetDevice. Numbered steps 1 to 7 trace Packet Processing and the Management Workflow.]
Modifying the Flow Table
# ovs-ofctl add-flow ovsbr \
    dl_src=11:22:33:44:55:66,actions=strip_vlan,output:1
# ovs-ofctl dump-flows ovsbr
[...] cookie=0x0, duration=36.24s, table=0, n_packets=0, n_bytes=0, idle_age=36, dl_src=11:22:33:44:55:66 actions=strip_vlan,output:1
Strip the VLAN header of all packets from MAC address 11:22:33:44:55:66 and forward the packet to port 1.
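Reviewing what a switch's flow table actually does is the defender's counterpart to the add-flow above. The following is an added example, not part of the slides or of Open vSwitch: it parses `ovs-ofctl dump-flows` output in the format shown (statistics, then match fields, then `actions=`) into records and flags flows worth a second look, such as never-hit entries, flows that punt to the controller, and flows that strip a VLAN tag keyed only on a source MAC, which the L2 segregation feature relies on tags for. The sample dump is constructed; its first line is the slide's own flow and the other two are invented for contrast.

```python
from dataclasses import dataclass, field

# Constructed sample in the `ovs-ofctl dump-flows` format shown on the slide:
# the slide's own flow plus two invented entries for contrast.
SAMPLE_DUMP = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=36.24s, table=0, n_packets=0, n_bytes=0, idle_age=36, dl_src=11:22:33:44:55:66 actions=strip_vlan,output:1
 cookie=0x0, duration=120.5s, table=0, n_packets=42, n_bytes=6300, idle_age=3, priority=100,in_port=2,dl_vlan=10 actions=resubmit(,1)
 cookie=0x0, duration=120.5s, table=1, n_packets=7, n_bytes=1050, idle_age=9, priority=0 actions=CONTROLLER:65535
"""

# Per-flow statistics that ovs-ofctl prints ahead of the match fields.
STATS = {"cookie", "duration", "table", "n_packets", "n_bytes", "idle_age", "hard_age"}

@dataclass
class Flow:
    table: int
    priority: int  # OpenFlow defaults to 32768 when the flow omits priority
    n_packets: int
    match: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)

def split_actions(text):
    """Split an action list on top-level commas so resubmit(,1) stays whole."""
    out, cur, depth = [], "", 0
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            out.append(cur); cur = ""
        else:
            cur += ch
    return out + [cur] if cur else out

def parse_dump_flows(dump):
    """Turn dump-flows output into Flow records; the reply header is skipped."""
    flows = []
    for line in dump.splitlines():
        if " actions=" not in line:
            continue
        head, acts = line.strip().split(" actions=", 1)
        kv = dict(p.strip().split("=", 1) for p in head.split(",") if "=" in p)
        match = {k: v for k, v in kv.items() if k not in STATS and k != "priority"}
        flows.append(Flow(int(kv.get("table", 0)), int(kv.get("priority", 32768)),
                          int(kv.get("n_packets", 0)), match, split_actions(acts)))
    return flows

def audit(flows):
    """Review findings: never-hit flows, controller punts, VLAN strips keyed only on a MAC."""
    return {
        "unused": [f for f in flows if f.n_packets == 0],
        "to_controller": [f for f in flows if any(a.lower().startswith("controller") for a in f.actions)],
        "strip_vlan_by_mac": [f for f in flows if "strip_vlan" in f.actions and set(f.match) == {"dl_src"}],
    }
```

Feed it the real output of `ovs-ofctl dump-flows <bridge>` to audit a live bridge; the slide's flow lands in both the "unused" and "strip_vlan_by_mac" buckets because it has never matched and keys the untagging on a source MAC alone.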
Questions?
● Open vSwitch
  ● http://www.openvswitch.org/
● OpenFlow
  ● http://www.openflow.org/
● Open Networking Foundation
  ● http://www.opennetworking.org/
● sFlow
  ● http://www.sflow.org/
● Going with the Flow: Google’s Secret Switch to the Next Wave of Networking
  ● http://www.wired.com/wiredenterprise/2012/04/going-with-the-flow-google/