Tuesday, April 25, 2017

design pattern - labels as metadata

FAUCET now allows you to push, via the ACL language, multiple VLAN headers.

    - rule:
        dl_dst: "01:02:03:04:05:06"
        actions:
            output:
                dl_dst: "06:06:06:06:06:06"
                vlan_vids: [123, 456]
                port: acloutport
See https://github.com/REANNZ/faucet/pull/517/commits/117ed988c8d42dab7e2ce2d154d520b1fd79810e for caveats.

Why is this useful? Apart from being a tunneling mechanism, it also allows you to add metadata to a packet for a downstream NFV application. For example, you might push an additional VLAN header onto a packet, based on an ACL entry that identifies a particular user or application known to match the ACL conditions.

In particular, you could also push a VLAN representing the input port number, on top of another header that tells you the input VLAN. For example, an ACL could tag a packet on untagged VLAN 100, on port 2, with VLAN 100, then VLAN 2 (so that a "mirroring" application can know what VLAN and port the packet came from).

In the future, FAUCET will make more use of this design pattern as an alternative to packet in. It will be able to alternatively use PBB or MPLS labels in a similar way.
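The downstream side of this pattern is the application that receives the double-tagged frame and has to recover the port and VLAN from the stacked headers. The following is an added example, not code from FAUCET or from the post, written in Python: it builds a constructed untagged IPv4 frame, pushes tags the way the post describes (VLAN 100, then VLAN 2), and parses the resulting VLAN stack back out. It assumes that tags are pushed in list order so the last VID listed ends up outermost, and that the outermost tag carries the input port and the next one the input VLAN, which is the convention the post describes; the `expected_tags` check exists so that a frame the host had already tagged itself (and which therefore carries an extra inner tag) is not misread as port/VLAN metadata.

```python
import struct

TPID_8021Q = 0x8100    # TPID of an 802.1Q customer VLAN tag
TPID_8021AD = 0x88A8   # TPID of an 802.1ad service tag; accepted on parse so QinQ frames decode too
ETH_P_IP = 0x0800


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{octet:02x}" for octet in raw)


def sample_frame():
    """Constructed untagged IPv4 frame, standing in for a packet that arrived
    untagged on port 2 / native VLAN 100 in the post's example."""
    payload = b"\x45\x00\x00\x14" + b"\x00" * 16   # 20 bytes standing in for an IPv4 header
    return (mac_bytes("01:02:03:04:05:06") + mac_bytes("aa:bb:cc:dd:ee:ff")
            + struct.pack("!H", ETH_P_IP) + payload)


def push_vlans(frame, vids, tpid=TPID_8021Q):
    """Push one VLAN tag per VID directly after the MAC addresses. Tags are
    pushed in list order, so the last VID ends up outermost (assumption: this
    mirrors how successive push_vlan actions stack)."""
    dst, src, rest = frame[:6], frame[6:12], frame[12:]
    for vid in vids:
        if not 1 <= vid <= 4094:
            raise ValueError(f"VID {vid} outside 1..4094")
        rest = struct.pack("!HH", tpid, vid) + rest   # PCP/DEI bits left at 0
    return dst + src + rest


def parse_vlan_stack(frame):
    """Return (dst, src, vids outermost-first, inner ethertype, payload),
    walking every tag present rather than assuming a fixed count."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = mac_str(frame[:6]), mac_str(frame[6:12])
    vids, offset = [], 12
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame truncated inside the VLAN stack")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in (TPID_8021Q, TPID_8021AD):
            break
        if offset + 4 > len(frame):
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)
        offset += 4
    return dst, src, vids, etype, frame[offset + 2:]


def ingress_metadata(frame, expected_tags=2):
    """Decode the post's convention: outermost tag = input port, next tag =
    input VLAN. Returns None unless exactly expected_tags tags are present, so
    a frame the host had already tagged is not silently misinterpreted."""
    _, _, vids, _, _ = parse_vlan_stack(frame)
    if len(vids) != expected_tags:
        return None
    return {"in_port": vids[0], "in_vlan": vids[1]}


if __name__ == "__main__":
    tagged = push_vlans(sample_frame(), [100, 2])
    print(parse_vlan_stack(tagged)[2], ingress_metadata(tagged))
```

A mirroring application fed from a tagged port would set `expected_tags=3`, since the original 802.1Q tag is then still present under the two metadata tags; whichever count it expects, it should refuse frames whose tag count does not match rather than guess which tag is which.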



Testing the CPN (and TLS support)

Unit testing the dataplane is important, but so is testing control plane connectivity.

FAUCET can now secure its OpenFlow connection to the switch with TLS, and the hardware test suite supports running that way.

To configure FAUCET for TLS, follow the Ryu instructions at https://github.com/osrg/ryu/blob/master/doc/source/tls.rst.

To test that it works with your hardware, see the new TLS fields in https://github.com/REANNZ/faucet/blob/master/tests/hw_switch_config.yaml.

There will be additional control plane testing added to the FAUCET test suite over time.



Tuesday, March 21, 2017

FAUCET @ OpenStack 2017

https://www.openstack.org/summit/boston-2017/summit-schedule/events/18638/open-vswitch-lightning-talks

Joe Stringer will present "Deploying an OVS-based feature switch in 5 minutes or less", a demo showing how to quickly deploy the Faucet open source OpenFlow controller as a drop-in replacement for a network switch.

Joe Stringer will present "Cyber RFP!" about the strategy that the Faucet open source OpenFlow controller uses to validate a switch's OpenFlow support using a comprehensive, easy to use testsuite.

Monday, March 13, 2017

Inter VLAN routing

FAUCET now supports routing between VLANs, in a way similar to non-SDN switch/routers.

In this example, hosts in VLAN 100 can reach hosts in VLAN 200, using FAUCET as a gateway (FAUCET of course presents a gateway in each VLAN).

In the future, FAUCET will allow you to configure routing between just the VLANs you specify, rather than all or none.

vlans:
    100:
        faucet_vips: ["10.100.0.254/24"]
    200:
        faucet_vips: ["10.200.0.254/24"]
routers:
    router-1:
        vlans: [100, 200]
dps:
    faucet-1:
        hardware: "Open vSwitch"
        dp_id: 0x1
        interfaces:
            1:
                native_vlan: 100
            2:
                native_vlan: 200
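To make the all-or-none behaviour of the routers section concrete, here is an added Python example (not FAUCET's own code) that models the forwarding decision the configuration above implies. The config is embedded as a Python dict mirroring the YAML, extended with a constructed VLAN 300 on port 3 that belongs to no router, so both the routed and the not-routed cases can be exercised. The decision model (bridge within a VLAN, route only when some router lists both VLANs, otherwise drop) is an assumption made for illustration, not a statement of FAUCET's pipeline.

```python
import ipaddress

# Constructed mirror of the YAML config above, plus VLAN 300 / port 3 outside any router.
FAUCET_CONFIG = {
    "vlans": {
        100: {"faucet_vips": ["10.100.0.254/24"]},
        200: {"faucet_vips": ["10.200.0.254/24"]},
        300: {"faucet_vips": ["10.30.0.254/24"]},   # constructed, not in the post
    },
    "routers": {
        "router-1": {"vlans": [100, 200]},
    },
    "dps": {
        "faucet-1": {
            "hardware": "Open vSwitch",
            "dp_id": 0x1,
            "interfaces": {
                1: {"native_vlan": 100},
                2: {"native_vlan": 200},
                3: {"native_vlan": 300},              # constructed, not in the post
            },
        }
    },
}


def vlan_for_ip(config, ip):
    """VLAN whose FAUCET VIP subnet covers ip, or None if no subnet does."""
    addr = ipaddress.ip_address(ip)
    for vid, vlan in config["vlans"].items():
        for vip in vlan.get("faucet_vips", []):
            if addr in ipaddress.ip_interface(vip).network:
                return vid
    return None


def gateway_for_vlan(config, vid):
    """The FAUCET VIP address that hosts in vid use as their gateway."""
    return str(ipaddress.ip_interface(config["vlans"][vid]["faucet_vips"][0]).ip)


def routable_pairs(config):
    """Every unordered VLAN pair joined by some router. Membership is
    all-or-none per router, which is the limitation the post mentions."""
    pairs = set()
    for router in config["routers"].values():
        members = sorted(router["vlans"])
        for i, a in enumerate(members):
            for b in members[i + 1:]:
                pairs.add((a, b))
    return pairs


def route(config, dp, in_port, dst_ip):
    """Model the decision for a packet entering dp on in_port bound for dst_ip."""
    src_vlan = config["dps"][dp]["interfaces"][in_port]["native_vlan"]
    dst_vlan = vlan_for_ip(config, dst_ip)
    if dst_vlan is None:
        return {"action": "drop", "reason": "no FAUCET VIP subnet covers the destination"}
    if dst_vlan == src_vlan:
        return {"action": "bridge", "vlan": src_vlan}
    if tuple(sorted((src_vlan, dst_vlan))) in routable_pairs(config):
        return {"action": "route", "from_vlan": src_vlan, "to_vlan": dst_vlan,
                "gateway": gateway_for_vlan(config, src_vlan)}
    return {"action": "drop", "reason": f"no router joins VLANs {src_vlan} and {dst_vlan}"}


if __name__ == "__main__":
    print(routable_pairs(FAUCET_CONFIG))
    print(route(FAUCET_CONFIG, "faucet-1", 1, "10.200.0.5"))
    print(route(FAUCET_CONFIG, "faucet-1", 3, "10.100.0.7"))
```

Running `routable_pairs` against a proposed config before deploying it is a cheap way to review which segmentation boundaries the routers section opens: every VLAN listed in one router becomes reachable from every other VLAN in that router, in both directions.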