Monday, May 30, 2016

FAUCET quickstart

FAUCET, originally developed by REANNZ (and supported by the Open Network Foundation, among others), is an open source SDN controller that implements a familiar learning switch with VLAN and NFV offload support (NMS, NFV, IP routing, ACLs, mirroring, and other features will be described in future posts), and has unit tests. FAUCET is compatible with OpenFlow switches that support OpenFlow 1.3 and multiple tables, and implements all functionality using OpenFlow exclusively (i.e. non-"hybrid" mode).

The switch does all the forwarding based on the flows the controller decides - which means new network functionality (for example, network security features) can be introduced by changing the controller, not the switch. The controller does no forwarding itself, and so can be upgraded/restarted with potentially no impact on forwarding. While FAUCET is in regular office use at several organizations around the world (including REANNZ, and the Open Network Foundation), it is also suitable for lab experimentation and teaching.

In this post, we will set up FAUCET to provide switching for an untagged VLAN with two hosts - the simplest possible configuration. You will need two hosts, a third host to run the FAUCET controller on, and a supported switch. Included here is configuration for an Allied Telesis switch. Search for SUPPORTED_HARDWARE in the FAUCET code for a list of switches and vendors known by the community to work. An OpenFlow 1.0 switch, or a switch that does not support multitable, will absolutely not work; any standards-based OpenFlow 1.3 switch with multitable should work.


Network diagram

+---------------------------------------------+
|                                             |
|  FAUCET untagged VLAN 2001                  |
|                                             |
|                                             |
|                                             |
|           +------------------+  +------------------------------+
|           |                  |  |           |                  |
|           |            +---+ |  |  +---+    |                  |
|           |  Host #1   |   +-------+ 1 |    |                  |
|           |            +---+ |  |  +---+    |                  |
|           |                  |  |           |                  |
|           +------------------+  |           |                  |
|           +------------------+  |           |                  |
|           |                  |  |           |                  |
|           |            +---+ |  |  +---+    |                  |
|           |  Host #2   |   +-------+ 2 |    |                  |
|           |            +---+ |  |  +---+    |                  |
+---------------------------------------------+                  |
            +------------------+  |                              |
                                  |      Hardware OpenFlow 1.3   |
                                  |      switch with multitable  |
                                  |                              |
                                  |                              |
+----------------------------------------------+                 |
|           +------------------+  |            |                 |
|           |                  |  |            |                 |
|           |            +---+ |  |  +----+    |                 |
|           |  FAUCET    |   +-------+ 24 |    |                 |
|           |  (Linux)   +---+ |  |  +---++    |                 |
|           |                  |  +------------------------------+
|           +------------------+               |
|                                              |
|                                              |
|                                              |
|                                              |
|  Control Plane Network (CPN)                 |
+----------------------------------------------+


Physically, there is a direct Ethernet connection between the computer where FAUCET runs, and the switch. Some OpenFlow switches have a dedicated CPN port for OpenFlow; others repurpose a conventional dataplane port (as the Allied Telesis switch does).


Configuring the OpenFlow switch


You will first need to physically install and configure your OpenFlow switch, the test hosts (switch ports 1 and 2) and the controller host (switch port 24). You will (of course) need to adjust the configuration depending on your switch/vendor.

!
! 10.0.0.1 is the IP address assigned to the controller machine
openflow controller tcp 10.0.0.1 6633
! This switch reserves for implementation reasons a VLAN for
! OpenFlow control
openflow native vlan 4090
!
! This switch requires VLAN tags to be reserved in advance.
! We reserve 2001-2999.
vlan database
 vlan 1234,2001-2999,4090 state enable
!
interface port1.0.1-1.0.2
 openflow
 switchport
 switchport mode access
!
! port 24 used for CPN
interface port1.0.24
 switchport
 switchport mode access
 switchport access vlan 1234
!
interface vlan1234
 ip address 10.0.0.2/24
!


Writing a configuration file


FAUCET reads a YAML configuration file. This file (typically faucet.yaml) describes the network, and should contain the following:

version: 2
vlans:
    2001:
        name: "VLAN 2001"
dps:
    faucet-1:
        dp_id: 0x0000eccd6df72de7 # change for your switch!!
        hardware: "Allied-Telesis" # see SUPPORTED_HARDWARE
        interfaces:
            1:
                native_vlan: 2001
                name: "port1.0.1"        
            2:
                native_vlan: 2001
                name: "port1.0.2"

Note in particular dp_id (DataPath ID). This must be configured to match your switch. Some switches allow you to configure the DPID on the switch; on others it is hard-coded (on the Allied Telesis switch, you can get the DPID from show openflow status).

Note also that YAML is very sensitive about whitespace (and tabs in particular). Be sure to use spaces and matching indentation.
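The two mistakes called out above (tabs in the indentation and a dp_id that does not match the switch) can be caught before the controller is started. The following is an added example, not part of FAUCET: the function name lint_faucet_yaml and the colon-separated DPID format are assumptions, and the line-based parsing only handles a file of the shape shown above.

```python
# The configuration from this post, used as sample input.
PAGE_CONFIG = '''\
version: 2
vlans:
    2001:
        name: "VLAN 2001"
dps:
    faucet-1:
        dp_id: 0x0000eccd6df72de7 # change for your switch!!
        hardware: "Allied-Telesis" # see SUPPORTED_HARDWARE
        interfaces:
            1:
                native_vlan: 2001
                name: "port1.0.1"
            2:
                native_vlan: 2001
                name: "port1.0.2"
'''
# Constructed broken variant: a tab before port 2 and an undefined VLAN.
BROKEN = PAGE_CONFIG.replace("            2:\n                native_vlan: 2001",
                             "\t    2:\n                native_vlan: 2002")

def lint_faucet_yaml(text, switch_dpid_hex):
    """Return a list of problems; switch_dpid_hex is the DPID as hex digits."""
    want = int(switch_dpid_hex.replace(":", ""), 16)
    problems, defined, refs, section = [], set(), [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #", 1)[0].rstrip()          # drop trailing comment
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = raw[:len(raw) - len(raw.lstrip())]
        if "\t" in indent:
            problems.append(f"line {n}: tab in indentation")
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if not indent:
            section = key                              # top-level key: vlans, dps
        elif section == "vlans" and key.isdigit() and not value:
            defined.add(int(key))                      # a VLAN definition
        elif key == "native_vlan" and value.isdigit():
            refs.append((n, int(value)))               # checked after the loop
        elif key == "dp_id" and value and int(value, 0) != want:
            problems.append(f"line {n}: dp_id {value} != switch DPID {switch_dpid_hex}")
    for n, vlan in refs:
        if vlan not in defined:
            problems.append(f"line {n}: native_vlan {vlan} not defined under vlans")
    return problems
```
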


Installing the controller


FAUCET is based on the Python Ryu SDN framework. This means that the FAUCET controller is just a Python process that reads a configuration file (described above), listens for an OpenFlow connection initiated by the switch, and installs flows as required. Install and run docker using the instructions provided. At the time of writing Ubuntu 14.0.4 LTS server is known to work well.

Testing and troubleshooting


You now have a switch! Test host 1 should now be able to ping test host 2 (provided you configured them with IP addresses, of course). You will be able to see flows installed in the switch as FAUCET learns the MAC address of each host. For example, on an Allied Telesis switch, the following output shows that a host has been learned on port 1:

awplus#show openflow rules| include b8:ae:ed:73:20:90
table_id=2, duration=103s, n_packets=688, n_bytes=107825, priority=9099,in_port=1,dl_vlan=2002,dl_src=b8:ae:ed:73:20:90,actions=goto_table:3
table_id=2, duration=68s, n_packets=22488, n_bytes=30528441, priority=9099,in_port=1,dl_vlan=2001,dl_src=b8:ae:ed:73:20:90,actions=goto_table:3
table_id=2, duration=61s, n_packets=126, n_bytes=15768, priority=9099,in_port=1,dl_vlan=2003,dl_src=b8:ae:ed:73:20:90,actions=goto_table:3
table_id=3, duration=103s, n_packets=790, n_bytes=205376, priority=9001,dl_vlan=2002,dl_dst=b8:ae:ed:73:20:90,actions=output:1
table_id=3, duration=68s, n_packets=469, n_bytes=87522, priority=9001,dl_vlan=2001,dl_dst=b8:ae:ed:73:20:90,actions=output:1
table_id=3, duration=61s, n_packets=10097, n_bytes=13714852, priority=9001,dl_vlan=2003,dl_dst=b8:ae:ed:73:20:90,actions=output:1

If your test hosts can't reach each other, check that the switch and FAUCET controller can reach each other (i.e. that the switch can make a successful OpenFlow connection via TCP to the controller). Check that your YAML file has correct indentation and that your DPID matches.
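The learned-host rules shown above can also be checked against what the configuration file permits, which is a quick way to confirm the switch is only forwarding what the controller was told to allow. This is an added example, not FAUCET code: audit_flows, ALLOWED and the MOVED line are assumptions, and the field names are taken from the switch output above. That output includes VLANs 2002 and 2003, which the quickstart configuration does not define, so they are reported.

```python
import re
from collections import defaultdict

# Rule lines copied from the switch output shown above.
PAGE_DUMP = """\
table_id=2, duration=103s, n_packets=688, n_bytes=107825, priority=9099,in_port=1,dl_vlan=2002,dl_src=b8:ae:ed:73:20:90,actions=goto_table:3
table_id=2, duration=68s, n_packets=22488, n_bytes=30528441, priority=9099,in_port=1,dl_vlan=2001,dl_src=b8:ae:ed:73:20:90,actions=goto_table:3
table_id=2, duration=61s, n_packets=126, n_bytes=15768, priority=9099,in_port=1,dl_vlan=2003,dl_src=b8:ae:ed:73:20:90,actions=goto_table:3
table_id=3, duration=103s, n_packets=790, n_bytes=205376, priority=9001,dl_vlan=2002,dl_dst=b8:ae:ed:73:20:90,actions=output:1
table_id=3, duration=68s, n_packets=469, n_bytes=87522, priority=9001,dl_vlan=2001,dl_dst=b8:ae:ed:73:20:90,actions=output:1
table_id=3, duration=61s, n_packets=10097, n_bytes=13714852, priority=9001,dl_vlan=2003,dl_dst=b8:ae:ed:73:20:90,actions=output:1
"""
# Constructed line (not from the post): the same source MAC also seen on port 2.
MOVED = "table_id=2, duration=5s, n_packets=3, n_bytes=180, priority=9099,in_port=2,dl_vlan=2001,dl_src=b8:ae:ed:73:20:90,actions=goto_table:3\n"
# Port -> permitted VLANs, taken from the quickstart faucet.yaml.
ALLOWED = {1: {2001}, 2: {2001}}

def parse_flow(line):
    """Turn one 'key=value, ...' rule line into a dict of strings."""
    return dict(re.findall(r"(\w+)=([^,\s]+)", line))

def audit_flows(dump, allowed_vlans):
    """Compare learned-host rules with the VLANs the config permits per port."""
    learned, forward, findings = defaultdict(set), {}, []
    for flow in map(parse_flow, dump.splitlines()):
        if "dl_vlan" not in flow:
            continue                                   # prompt line or other rule
        host = (int(flow["dl_vlan"]), flow.get("dl_src") or flow.get("dl_dst"))
        if "dl_src" in flow and "in_port" in flow:     # source-learning rule
            learned[host].add(int(flow["in_port"]))
        elif "dl_dst" in flow and flow.get("actions", "").startswith("output:"):
            forward[host] = int(flow["actions"].split(":")[1])
    for (vlan, mac), ports in sorted(learned.items()):
        for port in sorted(ports):
            if vlan not in allowed_vlans.get(port, set()):
                findings.append(f"{mac} learned on port {port} in unconfigured VLAN {vlan}")
        if len(ports) > 1:
            findings.append(f"{mac} learned on several ports {sorted(ports)} in VLAN {vlan}")
        if forward.get((vlan, mac)) not in ports:
            findings.append(f"{mac} VLAN {vlan}: no forwarding rule to the learned port")
    return findings
```
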


Where next?

Take a look at FAUCET's unit tests to see what features have been implemented and how they are configured. We'll go into detail in future posts.






