Monday, May 22, 2017

FAUCET @ WAND: inside a live enterprise FAUCET deployment

https://monitoring.redcables.wand.nz/

Our friends and colleagues at the WAND group, at the University of Waikato in NZ, have deployed an enterprise SDN network controlled by FAUCET, supporting two different vendor hardware switches and OVS with DPDK. It peers with BGP, and switches and routes both IPv4 and IPv6 for wired and WiFi access.

The system is managed with Ansible - configuration changes are checked (and checked in), and then pushed to NFV services and FAUCET controllers. Even upgrades of the controller software are automatically checked and pushed out.

This means all configuration changes to the network - ACLs, BGP, etc are made through Ansible. There is no reason to log in to a switch directly once FAUCET has assumed control of it with OpenFlow.


Sunday, May 14, 2017

Using Prometheus with FAUCET

Here is a quick example of configuring and using Prometheus with FAUCET.

First, enable access to Prometheus to FAUCET (the Docker instructions in https://github.com/REANNZ/faucet/blob/master/docs/README_install.rst show how to enable access to port 9244).

Then install Prometheus. Under Ubuntu 16.0.4, this is as simple as:


apt-get install prometheus

Then configure Prometheus to scrape FAUCET. Under Ubuntu, edit /etc/prometheus/prometheus.yml, and under scrape_configs add a job for FAUCET:

scrape_configs:
  - job_name: 'faucet'

    target_groups:

       - targets: ['172.17.0.1:9244']

Restart Prometheus.


service prometheus restart

You should now be able to browse port 9090 on your Prometheus server, and draw graphs (for example, packet in rate):


Wednesday, May 10, 2017

TouSIX, Umbrella and FAUCET

https://blog.apnic.net/2017/05/08/tousix-project-sdn-ixps-design-production/

Marc Bruyere describes his proof of concept TouSIX SDX, and plans for a FAUCET controlled exchange using Umbrella encoding, which eliminates unwanted broadcast traffic from a distributed layer 2 network.

Installing, testing and routing with FAUCET and OVS in less than 5m

https://www.youtube.com/watch?v=fuqzzjmcwlI

Joe Stringer walks through installing FAUCET and configuring it as a router step by step, in less than 5m.

If you want to get FAUCET routing and switching and have only 5m to learn how, this might be the reference for you.

FAUCET controlling OVS + DPDK

https://github.com/REANNZ/faucet/blob/master/docs/vendors/ovs/README_OVS-DPDK.rst

DPDK enables high performance packet processing on PC type platforms with certain supported NICs. In particular OVS has DPDK support, and can offload work to DPDK NICs.

While this is beyond the scope of what FAUCET does (it works at the OpenFlow level), getting up and running quickly with OVS + DPDK is useful. Hopefully as DPDK packaging continues to include the process will become less complex.

Sunday, May 7, 2017

It's good to have access port control

https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Silent_Bob_is_Silent

Once you know about a security vulnerability, you can add firewall rules to protect yourself against attacks from outside the firewall.

But what about the inside? If you have someone scanning for a vulnerable machine (or an infected machine scanning its neighbors) inside your network, your firewall may not be of much use - it probably won't be in the forwarding path of the traffic.

FAUCET gives you very low level port level control, and makes it safe it easy to deploy a port level ACL (in this example, by blocking AMT access with a few TCP destination port matches).

FAUCET can also block layer 2 only traffic that a firewall can't see at layer 3.

Monday, May 1, 2017

FAUCET now supports Prometheus

FAUCET now supports Prometheus monitoring (set the FAUCET_PROMETHEUS_PORT environment variable, and FAUCET will export internal statistics via HTTP).

Over time, FAUCET will expose more state (for example, which host has been learned on what port in what VLAN).

For more details, see the patch at https://github.com/REANNZ/faucet/commit/daf00020387226874a46e03a4570459123b5bf30

For more on what Prometheus can do, see https://prometheus.io/