Open vSwitch: Software Defined Networking

Underneath OpenStack Quantum: Software Defined Networking with Open vSwitch Thomas Graf Principal Software Engineer Red Hat, Inc. April 24, 2013 1

Thomas Graf

Part One Why Open vSwitch? Open vSwitch enables Linux to become part of a Software Defined Networking architecture. Application

Application

Application

Network Operating System VM1

VM2

Switch Switch

Open vSwitch Switch

2

Thomas Graf

Switched Networks Switches learn from the network traffic they observe and decide independently. Compute Node A Tenant 1

Tenant 2

Network Node B Tenant 3

Tenant 4

Bridge

Tenant 5

Tenant 6

Bridge L3 Agent Switch 1

Switch 2

Switch 3

Peter 3

Alice Thomas Graf

Dynamically update flow tables in a universal language. In the Software Defined Networking architecture, the control and data planes are decoupled, network intelligence and state are logically centralized, and the underlying network infrastructure is abstracted from the applications. Software-Defined Networking: The New Norm for Networks ONF White Paper April 13, 2012

4

Thomas Graf

Software Defined Networking A logically centralized controller decides what is best for the network based on a global view of the network. Compute Node A Tenant 1

Tenant 2

Network Node B Tenant 3

vSwitch 1

Tenant 5

Tenant 4

Tenant 6

vSwitch 2 L3 Agent

Controller

Switch 1

OpenFlow

Switch 2

Switch 3

Peter 5

Alice Thomas Graf

Software Defined Networking An attempt to create a well-known API for applications of the Network that did not succeed yet. OpenDaylight on its way to make this happen. Application

Application

Application

Network Operating System Open Interface (OpenFlow) Switch Vendor X Virtual Switch A

6

Virtual Switch B

Switch Vendor Y

Thomas Graf

OpenFlow The Open Standard behind it.

1.

Match on arbitrary bits in packet (header)

2.

Execute actions ● Forward to port ● Drop ● Send to controller ● Mangle packet

OpenFlow enables networks to evolve, by giving a remote controller the power to modify the behavior of network devices, through a well-defined "forwarding instruction set". The growing OpenFlow ecosystem now includes routers, switches, virtual switches, and access points from a range of vendors. 7

Thomas Graf

ONF Website

OpenFlow Capable Devices ●

●

Software Switches ●

Open vSwitch, Cisco Nexus 1000V

●

VMware vSphere, NEC Hyper-V, ...

Hardware Switches ●

●

Brocade, Cisco, HP, IBM, Juniper Networks, NEC, ...

Switching ASICs Indigo – Open source firmware leveraging Ethernet switch ASICs to support up to 48x 10G ports ●

●

8

Mellanox SwitchX-2 chip Thomas Graf

Is it production ready?

9

Thomas Graf

Part Two Open vSwitch Open vSwitch is a virtual switch for hypervisors providing network connectivity to virtual machines. Controller

Compute Node A

Open Flow

pe n O

Tenant 3

ow Fl

Tenant 2

n pe O

Tenant 1

Network Node B Fl ow

Compute Node A

Open vSwitch

Tenant 1

Tenant 2

Open vSwitch L3 Agent

Hardware Switch

Alice 10

Tenant 3

Peter

Thomas Graf

Open vSwitch Project ●

Primarily used as a virtual switch for VMs

●

Multi Platform (Linux, Microsoft, and Silicon)

●

Developed by Nicira & Community

●

Apache License (User Space), GPL (Kernel)

●

OpenFlow 1.1 + extensions

Any netdevice (physical/virtual) can be added as uplink port ●

11

Thomas Graf

How does it work? Open vSwitch maintains a flow table that defines what to do with each flow. Compute/Network Node Tenant 1

Tenant 2

Tenant 3

Tenant n

Controller

br-int Open vSwitch Quantum OVS Agent Quantum L3 Agent Quantum DHCP Agent

br-eth1 eth1

Flow table

Patch ports

OpenFlow br-tun

br-ext eth0

To Network Node 12

External Network Thomas Graf

Feature Fine Grained Flow Table Control ●

●

13

Extensive flow matching capabilities ●

Layer 1 – Tunnel ID, In Port, QoS priority, skb mark

●

Layer 2 – MAC address, VLAN ID, Ethernet type

●

Layer 3 – IPv4/IPv6 fields, ARP

●

Layer 4 – TCP/UDP, ICMP, ND

Possible chain of actions ●

Output to port (port range, flood, mirror)

●

Discard, Resubmit to table x

●

Packet Mangling (Push/Pop VLAN header, TOS, ...)

●

Send to controller, Learn Thomas Graf

Feature Security / L2 Segregation VLAN isolation enforces VLAN membership of a VM without the knowledge of the guest itself. Compute Node

# ovs-vsctl add-port ovsbr port2 tag=10

VLAN 1 VM1

VLAN 2 VM2

VM3

Open vSwitch

Caveat: MAX(VLAN_ID) limited 14

Thomas Graf

Feature Tunneling Tunneling provides isolation and reduces dependencies on the physical network. Compute Node 2

Compute Node 1

Controller VNET 1

Fl ow O

VM4

Open vSwitch

VM6

Open vSwitch

{ GRE | STT | VXLAN } Tunnel

Hardware Switch 15

VM5

ow Fl

pe n

VM3

n pe

VM2

VNET 1

VNET 2 O

VM1

VNET 2

Thomas Graf

Feature Visibility Supports industry standard technology to monitor the use of a network. ●

16

●

NetFlow

●

Port Mirroring ●

SPAN

●

RSPAN

●

ERSPAN

Thomas Graf

Feature Quality of Service ●

●

Uses existing Traffic Control Layer ●

Policer (Ingress rate limiter)

●

HTB, HFSC (Egress traffic classes)

Controller (Open Flow) can select Traffic Class Virtual Host

# ovs-vsctl set Interface port2 \ ingress_policing_rate=1000

VLAN 10 VM1

VM2 1mbit

port1

ovsbr 17

Thomas Graf

port2

Architecture Management

ovs-ofctl OpenFlow

ovs-dpctl

sFlow

ovsdb-tool ovs-vsctl

(3) User space

2 upcall vswitchd

5 reinject

Netlink

Kernel

Datapath

ovsdb

4 6 Packet Processing Flow Table

From NetDevice

1

To NetDevice

7

Promiscuous Mode 18

Thomas Graf

Management Workflow

Modifying the Flow Table Strip VLAN header of all packets from MAC address 11:22:33:44:55:66 and forward packet to port 1. # ovs-ofctl add-flow ovsbr \ dl_src=11:22:33:44:55:66,actions=strip_vlan,output:1 # ovs-ofctl dump-flows ovsbr [...] cookie=0x0, duration=36.24s, table=0, n_packets=0, n_bytes=0, idle_age=36, dl_src=11:22:33:44:55:66 actions=strip_vlan,output:1

19

Thomas Graf

Questions? ●

Open vSwitch ●

●

OpenFlow ●

●

http://www.openflow.org/

Open Networking Foundation ●

●

http://www.openvswitch.org/

http://www.opennetworking.org/

sFlow ●

http://www.sflow.org/

Going with the Flow: Google’s Secret Switch to the Next Wave of Networking ●

●

20

http://www.wired.com/wiredenterprise/2012/04/going-with-the-flow-google/

Thomas Graf