Underneath OpenStack Quantum: Software Defined Networking with Open vSwitch
Underneath OpenStack Quantum: Software Defined Networking with Open vSwitch
Underneath OpenStack Quantum: Software Defined Networking with Open vSwitch
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
1<br />
<strong>Underneath</strong> <strong><strong>Open</strong>Stack</strong> <strong>Quantum</strong>:<br />
<strong>Software</strong> <strong>Defined</strong> <strong>Networking</strong><br />
<strong>with</strong> <strong>Open</strong> <strong>vSwitch</strong><br />
Thomas Graf <br />
Principal <strong>Software</strong> Engineer<br />
Red Hat, Inc.<br />
April 24, 2013<br />
Thomas Graf
2<br />
Part One<br />
Why <strong>Open</strong> <strong>vSwitch</strong>?<br />
<strong>Open</strong> <strong>vSwitch</strong> enables Linux to become part of a<br />
<strong>Software</strong> <strong>Defined</strong> <strong>Networking</strong> architecture.<br />
VM1 VM2<br />
<strong>Open</strong> <strong>vSwitch</strong><br />
Thomas Graf <br />
Application Application Application<br />
Network Operating System<br />
Switch<br />
Switch<br />
Switch
3<br />
Switched Networks<br />
Switches learn from the network traffic they<br />
observe and decide independently.<br />
Peter<br />
Compute Node A<br />
Tenant<br />
1<br />
Tenant<br />
2<br />
Bridge<br />
Tenant<br />
3<br />
Switch 1<br />
Switch 2 Switch 3<br />
Thomas Graf <br />
Network Node B<br />
Tenant<br />
4<br />
L3<br />
Agent<br />
Tenant<br />
5<br />
Bridge<br />
Tenant<br />
6<br />
Alice
4<br />
Dynamically update flow tables<br />
in a universal language.<br />
In the <strong>Software</strong> <strong>Defined</strong> <strong>Networking</strong> architecture, the<br />
control and data planes are decoupled, network<br />
intelligence and state are logically centralized, and<br />
the underlying network infrastructure is abstracted<br />
from the applications.<br />
Thomas Graf <br />
<strong>Software</strong>-<strong>Defined</strong> <strong>Networking</strong>:<br />
The New Norm for Networks<br />
ONF White Paper<br />
April 13, 2012
5<br />
<strong>Software</strong> <strong>Defined</strong> <strong>Networking</strong><br />
A logically centralized controller decides what is<br />
best for the network based on a global view of the network.<br />
Controller<br />
Peter<br />
Compute Node A<br />
Tenant<br />
1<br />
Tenant<br />
2<br />
<strong>vSwitch</strong> 1<br />
Switch 2<br />
Tenant<br />
3<br />
Switch 1<br />
Thomas Graf <br />
Network Node B<br />
Tenant<br />
4<br />
Switch 3<br />
Tenant<br />
5<br />
<strong>vSwitch</strong> 2<br />
L3<br />
Agent<br />
Tenant<br />
6<br />
Alice<br />
<strong>Open</strong>Flow
6<br />
<strong>Software</strong> <strong>Defined</strong> <strong>Networking</strong><br />
An attempt to create a well-known API for applications<br />
of the Network that did not succeed yet.<br />
<strong>Open</strong>Daylight on its way to make this happen.<br />
Application Application Application<br />
Virtual<br />
Switch A<br />
Network Operating System<br />
<strong>Open</strong> Interface (<strong>Open</strong>Flow)<br />
Switch<br />
Vendor X<br />
Thomas Graf <br />
Switch<br />
Vendor Y<br />
Virtual<br />
Switch B
7<br />
1.<br />
Match on arbitrary<br />
bits in packet<br />
(header)<br />
<strong>Open</strong>Flow<br />
The <strong>Open</strong> Standard behind it.<br />
2.<br />
Thomas Graf <br />
Execute actions<br />
● Forward to port<br />
● Drop<br />
● Send to<br />
controller<br />
● Mangle packet<br />
<strong>Open</strong>Flow enables networks to evolve, by giving a remote<br />
controller the power to modify the behavior of network<br />
devices, through a well-defined "forwarding instruction<br />
set". The growing <strong>Open</strong>Flow ecosystem now includes<br />
routers, switches, virtual switches, and access points from<br />
a range of vendors.<br />
ONF Website
8<br />
<strong>Open</strong>Flow Capable Devices<br />
● <strong>Software</strong> Switches<br />
● <strong>Open</strong> <strong>vSwitch</strong>, Cisco Nexus 1000V<br />
● VMware vSphere, NEC Hyper-V, ...<br />
● Hardware Switches<br />
● Brocade, Cisco, HP, IBM, Juniper Networks, NEC, ...<br />
● Switching ASICs<br />
● Indigo – <strong>Open</strong> source firmware leveraging Ethernet<br />
switch ASICs to support up to 48x 10G ports<br />
● Mellanox SwitchX-2 chip<br />
Thomas Graf
9<br />
Is it production ready?<br />
Thomas Graf
10<br />
Part Two<br />
<strong>Open</strong> <strong>vSwitch</strong><br />
<strong>Open</strong> <strong>vSwitch</strong> is a virtual switch for hypervisors providing<br />
network connectivity to virtual machines.<br />
Compute Node A<br />
Tenant<br />
1<br />
Tenant<br />
2<br />
Compute Node A<br />
<strong>Open</strong> <strong>vSwitch</strong><br />
Tenant<br />
3<br />
<strong>Open</strong> Flow<br />
Controller<br />
<strong>Open</strong> Flow<br />
<strong>Open</strong> Flow<br />
Hardware Switch<br />
Alice Peter<br />
Thomas Graf <br />
Network Node B<br />
Tenant<br />
1<br />
Tenant<br />
2<br />
<strong>Open</strong> <strong>vSwitch</strong><br />
L3<br />
Agent<br />
Tenant<br />
3
11<br />
<strong>Open</strong> <strong>vSwitch</strong> Project<br />
● Primarily used as a virtual switch for VMs<br />
● Multi Platform (Linux, Microsoft, and Silicon)<br />
● Developed by Nicira & Community<br />
● Apache License (User Space), GPL (Kernel)<br />
● <strong>Open</strong>Flow 1.1 + extensions<br />
● Any netdevice (physical/virtual) can be added as uplink<br />
port<br />
Thomas Graf
12<br />
How does it work?<br />
<strong>Open</strong> <strong>vSwitch</strong> maintains a flow table that defines what<br />
to do <strong>with</strong> each flow.<br />
Compute/Network Node<br />
Tenant<br />
1<br />
<strong>Open</strong> <strong>vSwitch</strong><br />
<strong>Quantum</strong> OVS Agent<br />
<strong>Quantum</strong> L3 Agent<br />
<strong>Quantum</strong> DHCP Agent<br />
br-eth1<br />
eth1<br />
To Network Node<br />
Tenant<br />
2<br />
br-int<br />
br-tun<br />
Tenant<br />
3<br />
Patch ports<br />
Tenant<br />
n<br />
br-ext<br />
Flow table<br />
eth0<br />
Thomas Graf <br />
<strong>Open</strong>Flow<br />
Controller<br />
External Network
13<br />
Feature<br />
Fine Grained Flow Table Control<br />
● Extensive flow matching capabilities<br />
● Layer 1 – Tunnel ID, In Port, QoS priority, skb mark<br />
● Layer 2 – MAC address, VLAN ID, Ethernet type<br />
● Layer 3 – IPv4/IPv6 fields, ARP<br />
● Layer 4 – TCP/UDP, ICMP, ND<br />
● Possible chain of actions<br />
● Output to port (port range, flood, mirror)<br />
● Discard, Resubmit to table x<br />
● Packet Mangling (Push/Pop VLAN header, TOS, ...)<br />
● Send to controller, Learn<br />
Thomas Graf
14<br />
Feature<br />
Security / L2 Segregation<br />
VLAN isolation enforces VLAN membership of<br />
a VM <strong>with</strong>out the knowledge of the guest itself.<br />
# ovs-vsctl add-port ovsbr port2 tag=10<br />
Caveat: MAX(VLAN_ID) limited<br />
Thomas Graf <br />
Compute Node<br />
VLAN 1 VLAN 2<br />
VM1<br />
VM2 VM3<br />
<strong>Open</strong> <strong>vSwitch</strong>
15<br />
Feature<br />
Tunneling<br />
Tunneling provides isolation and reduces<br />
dependencies on the physical network.<br />
Compute Node 1<br />
VM1<br />
VM2 VM3<br />
<strong>Open</strong> <strong>vSwitch</strong><br />
Controller<br />
Thomas Graf <br />
Compute Node 2<br />
VNET 1 VNET 1<br />
VNET 2 VNET 2<br />
<strong>Open</strong> Flow<br />
<strong>Open</strong> Flow<br />
Hardware Switch<br />
VM4<br />
{ GRE | STT | VXLAN } Tunnel<br />
VM5 VM6<br />
<strong>Open</strong> <strong>vSwitch</strong>
16<br />
●<br />
● NetFlow<br />
● Port Mirroring<br />
● SPAN<br />
● RSPAN<br />
Feature<br />
Visibility<br />
Supports industry standard technology to<br />
monitor the use of a network.<br />
● ERSPAN<br />
Thomas Graf
17<br />
Feature<br />
Quality of Service<br />
● Uses existing Traffic Control Layer<br />
● Policer (Ingress rate limiter)<br />
● HTB, HFSC (Egress traffic classes)<br />
● Controller (<strong>Open</strong> Flow) can select Traffic Class<br />
# ovs-vsctl set Interface port2 \<br />
ingress_policing_rate=1000<br />
Thomas Graf <br />
Virtual Host<br />
VM1<br />
ovsbr<br />
VLAN 10<br />
VM2<br />
port1 port2<br />
1mbit
18<br />
Management<br />
User<br />
space<br />
Kernel<br />
From NetDevice<br />
1<br />
Promiscuous Mode<br />
ovs-dpctl<br />
2<br />
5<br />
Datapath<br />
Architecture<br />
upcall<br />
reinject<br />
Netlink<br />
To NetDevice<br />
ovs-ofctl<br />
<strong>Open</strong>Flow<br />
(3)<br />
6<br />
7<br />
vswitchd<br />
4<br />
Flow Table<br />
Thomas Graf <br />
sFlow<br />
ovsdb-tool<br />
ovs-vsctl<br />
ovsdb<br />
Packet Processing<br />
Management Workflow
19<br />
Modifying the Flow Table<br />
Strip VLAN header of all packets from MAC address<br />
11:22:33:44:55:66 and forward packet to port 1.<br />
# ovs-ofctl add-flow ovsbr \<br />
dl_src=11:22:33:44:55:66,actions=strip_vlan,output:1<br />
# ovs-ofctl dump-flows ovsbr<br />
[...]<br />
cookie=0x0, duration=36.24s, table=0, n_packets=0,<br />
n_bytes=0, idle_age=36, dl_src=11:22:33:44:55:66<br />
actions=strip_vlan,output:1<br />
Thomas Graf
20<br />
● <strong>Open</strong> <strong>vSwitch</strong><br />
● http://www.openvswitch.org/<br />
● <strong>Open</strong>Flow<br />
● http://www.openflow.org/<br />
● <strong>Open</strong> <strong>Networking</strong> Foundation<br />
● sFlow<br />
● http://www.opennetworking.org/<br />
● http://www.sflow.org/<br />
Questions?<br />
● Going <strong>with</strong> the Flow: Google’s Secret Switch to the Next Wave of<br />
<strong>Networking</strong><br />
● http://www.wired.com/wiredenterprise/2012/04/going-<strong>with</strong>-the-flow-google/<br />
Thomas Graf
Change language