Está en la página 1de 20

Underneath OpenStack Quantum:

Software Defined Networking


with Open vSwitch
Thomas Graf <tgraf@redhat.com>
Principal Software Engineer
Red Hat, Inc.
April 24, 2013
1

Thomas Graf <tgraf@redhat.com>

Part One
Why Open vSwitch?
Open vSwitch enables Linux to become part of a
Software Defined Networking architecture.
Application

Application

Application

Network Operating System


VM1

VM2

Switch
Switch

Open vSwitch
Switch

Thomas Graf <tgraf@redhat.com>

Switched Networks
Switches learn from the network traffic they
observe and decide independently.
Compute Node A
Tenant
1

Tenant
2

Network Node B
Tenant
3

Tenant
4

Bridge

Tenant
5

Tenant
6

Bridge
L3
Agent
Switch 1

Switch 2

Switch 3

Peter
3

Alice
Thomas Graf <tgraf@redhat.com>

Dynamically update flow tables


in a universal language.
In the Software Defined Networking architecture, the
control and data planes are decoupled, network
intelligence and state are logically centralized, and
the underlying network infrastructure is abstracted
from the applications.
Software-Defined Networking:
The New Norm for Networks
ONF White Paper
April 13, 2012

Thomas Graf <tgraf@redhat.com>

Software Defined Networking


A logically centralized controller decides what is
best for the network based on a global view of the network.
Compute Node A
Tenant
1

Tenant
2

Network Node B
Tenant
3

vSwitch 1

Tenant
5

Tenant
4

Tenant
6

vSwitch 2
L3
Agent

Controller

Switch 1

OpenFlow

Switch 2

Switch 3

Peter
5

Alice
Thomas Graf <tgraf@redhat.com>

Software Defined Networking


An attempt to create a well-known API for applications
of the Network that did not succeed yet.
OpenDaylight on its way to make this happen.
Application

Application

Application

Network Operating System


Open Interface (OpenFlow)
Switch
Vendor X
Virtual
Switch A

Virtual
Switch B

Switch
Vendor Y

Thomas Graf <tgraf@redhat.com>

OpenFlow
The Open Standard behind it.

1.

Match on arbitrary
bits in packet
(header)

2.

Execute actions
Forward to port
Drop
Send to
controller
Mangle packet

OpenFlow enables networks to evolve, by giving a remote


controller the power to modify the behavior of network
devices, through a well-defined "forwarding instruction
set". The growing OpenFlow ecosystem now includes
routers, switches, virtual switches, and access points from
a range of vendors.
7

Thomas Graf <tgraf@redhat.com>

ONF Website

OpenFlow Capable Devices

Software Switches

Open vSwitch, Cisco Nexus 1000V

VMware vSphere, NEC Hyper-V, ...

Hardware Switches

Brocade, Cisco, HP, IBM, Juniper Networks, NEC, ...

Switching ASICs
Indigo Open source firmware leveraging Ethernet
switch ASICs to support up to 48x 10G ports

Mellanox SwitchX-2 chip


Thomas Graf <tgraf@redhat.com>

Is it production ready?

Thomas Graf <tgraf@redhat.com>

Part Two
Open vSwitch
Open vSwitch is a virtual switch for hypervisors providing
network connectivity to virtual machines.
Controller

Compute Node A

Open Flow

pe
n
O

Tenant
3

ow
Fl

Tenant
2

n
pe
O

Tenant
1

Network Node B
Fl
ow

Compute Node A

Open vSwitch

Tenant
1

Tenant
2

Open vSwitch
L3
Agent

Hardware Switch

Alice
10

Tenant
3

Peter

Thomas Graf <tgraf@redhat.com>

Open vSwitch Project

Primarily used as a virtual switch for VMs

Multi Platform (Linux, Microsoft, and Silicon)

Developed by Nicira & Community

Apache License (User Space), GPL (Kernel)

OpenFlow 1.1 + extensions

Any netdevice (physical/virtual) can be added as uplink


port

11

Thomas Graf <tgraf@redhat.com>

How does it work?


Open vSwitch maintains a flow table that defines what
to do with each flow.
Compute/Network Node
Tenant
1

Tenant
2

Tenant
3

Tenant
n

Controller

br-int
Open vSwitch
Quantum OVS Agent
Quantum L3 Agent
Quantum DHCP Agent

br-eth1
eth1

Flow table

Patch ports

OpenFlow
br-tun

br-ext
eth0

To Network Node
12

External Network
Thomas Graf <tgraf@redhat.com>

Feature
Fine Grained Flow Table Control

13

Extensive flow matching capabilities

Layer 1 Tunnel ID, In Port, QoS priority, skb mark

Layer 2 MAC address, VLAN ID, Ethernet type

Layer 3 IPv4/IPv6 fields, ARP

Layer 4 TCP/UDP, ICMP, ND

Possible chain of actions

Output to port (port range, flood, mirror)

Discard, Resubmit to table x

Packet Mangling (Push/Pop VLAN header, TOS, ...)

Send to controller, Learn


Thomas Graf <tgraf@redhat.com>

Feature
Security / L2 Segregation
VLAN isolation enforces VLAN membership of
a VM without the knowledge of the guest itself.
Compute Node

# ovs-vsctl add-port ovsbr port2 tag=10

VLAN 1
VM1

VLAN 2
VM2

VM3

Open vSwitch

Caveat: MAX(VLAN_ID) limited


14

Thomas Graf <tgraf@redhat.com>

Feature
Tunneling
Tunneling provides isolation and reduces
dependencies on the physical network.
Compute Node 2

Compute Node 1

Controller
VNET 1

Fl
ow
O

VM4

Open vSwitch

VM6

Open vSwitch

{ GRE | STT | VXLAN } Tunnel

Hardware Switch
15

VM5

ow
Fl

pe
n

VM3

n
pe

VM2

VNET 1

VNET 2
O

VM1

VNET 2

Thomas Graf <tgraf@redhat.com>

Feature
Visibility
Supports industry standard technology to
monitor the use of a network.

16

NetFlow

Port Mirroring

SPAN

RSPAN

ERSPAN

Thomas Graf <tgraf@redhat.com>

Feature
Quality of Service

Uses existing Traffic Control Layer

Policer (Ingress rate limiter)

HTB, HFSC (Egress traffic classes)

Controller (Open Flow) can select Traffic Class


Virtual Host

# ovs-vsctl set Interface port2 \


ingress_policing_rate=1000

VLAN 10
VM1

VM2
1mbit

port1

ovsbr
17

Thomas Graf <tgraf@redhat.com>

port2

Architecture
Management

ovs-ofctl
OpenFlow

ovs-dpctl

sFlow

ovsdb-tool
ovs-vsctl

(3)
User
space

2 upcall
vswitchd

5 reinject

Netlink

Kernel

Datapath

ovsdb

4
6
Packet Processing
Flow Table

From NetDevice

To NetDevice

Promiscuous Mode
18

Thomas Graf <tgraf@redhat.com>

Management Workflow

Modifying the Flow Table


Strip VLAN header of all packets from MAC address
11:22:33:44:55:66 and forward packet to port 1.
# ovs-ofctl add-flow ovsbr \
dl_src=11:22:33:44:55:66,actions=strip_vlan,output:1
# ovs-ofctl dump-flows ovsbr
[...]
cookie=0x0, duration=36.24s, table=0, n_packets=0,
n_bytes=0, idle_age=36, dl_src=11:22:33:44:55:66
actions=strip_vlan,output:1

19

Thomas Graf <tgraf@redhat.com>

Questions?

Open vSwitch

OpenFlow

http://www.openflow.org/

Open Networking Foundation

http://www.openvswitch.org/

http://www.opennetworking.org/

sFlow

http://www.sflow.org/

Going with the Flow: Googles Secret Switch to the Next Wave of
Networking

20

http://www.wired.com/wiredenterprise/2012/04/going-with-the-flow-google/

Thomas Graf <tgraf@redhat.com>