Hierarchical Rate Limiting in an ODL Orchestrated Virtualized DC

Vishal Thapar, Ericsson Deepthi V V, Ericsson Faseela K, Ericsson

How to Enforce Rate Limiting at admin specified levels of aggregation in an SDN Controller orchestrated Data Center?

Agenda • Challenges • OpenFlow Meters

• OF Meter basics • Meters based Solution • Advantages • Proposal – Hierarchical Rate Limiter

• Orchestration Layer • Rate Calculator • Rate Enforcer

• Next Steps • Demo? • Q&A

Challenges

• Distributed VMs • Lack of centralized logic to manage

bandwidth • Dynamic adjustment of rate limits based on

traffic conditions • Monitoring malicious VMs within the same

DC • Avoid traffic all the way to gateway only to

be dropped

OpenFlow Meters

OpenFlow Meters

• OpenFlow 1.3 • Defines Per Flow Meters • Specified in instruction set • Multiple meters for the same packet • Controls rate of aggregate of all flows

attached to a meter

OpenFlow Meters (cntd)

• Meter Identifier : unique identifier • Meter Bands : rate of the band and way to

process the packet • Counters : updated when packet processed

by the meter

Meter Identifier Meter Bands Counters

OpenFlow Meters - Bands

• Band Type: Defines how pkts are processed • Drop – We use this for Rate Limiter • DSCP Remark

• Rate: Lowest rate at which band can apply • Burst: Granularity of meter • Counters • Type specific arguments: Optional

arguments for some band types

Band Type

Rate Burst Counters Type-specific args

Meters based Solution

• Chaining of metered Flows • Orchestration layer communicates to SDNc

the various bandwidth restrictions of VMs • SDNc programs the required METER table

entries and flow entries to enforce the rate limiting

• When new VMs are spawned under the same levels of aggregation, rate limit calculator within SDNc redistributes the rates

Meter Table - Example Meter Identifier Meter Bands Counters

Tenant A 2Gbps 0

Tenant A : Network 1 1.5Gbps 0

Tenant A : Network 2 0.5Gbps 0

Tenant A : Network 1 : vpn1 0.2Gbps 0

Tenant A : Network 1 : vpn2 0.2Gbps 0

Tenant A : Network 1 : vpn1 : port 1 500Kbps 0

Control Flow

Rate Limiter NSF

OpenStack

vSwitch1

GBP

vSwitch2 vSwitch3

VM1 VM2 VM3 VM4 VM5 VM6

In_port = 1, apply meter : TenantA:Network1:vpn1:port1, goto network flow table

Meter1: Tenant A rate : 1Gbps Meter2: Tenant B rate : 2Gbps Meter3: TenantA:Network1:vpn1 -> rate 1Mbps Meter4: TenantA:Network1:vpn1:port1 -> rate 500kbps

Network = 1, vpn = 1, apply meter TenantA:Network1:vpn1, goto tenant flow table

Tenant = A, apply meter Tenant A

Tenant Flow Table

Port Flow Table

Meter Table

Vpn Flow Table

Advantages

• Rate Limiting applied at compute node • Avoids multiple calculations for different

levels of aggregation

Sample Heirarchical Rate Limiter

Key Components

• Orchestration Layer • Rate Limit Calculator • Rate Limit Enforcer

Orchestration Layer

• Communicates the bandwidth requirements at various levels of aggregation

• Northbound can be OpenStack, GBP or any other cloud orchestration layer already existing within ODL.

• Cloud orchestration layer is instructed to setup the datapath for the VM

• Checks the various rate limiting groups the VM belongs to

Rate Calculator • Another module of Rate Limiter NSF • Gets Rate Limits (policies) to be applied from

Orchestration Layer • Calculates the distributed rates to be applied at

each virtual switch • Uses aggregated bandwidth available and the

number of virtual instances belonging to this entity.

• Monitors the statistics of each of the VM meters.

• If there are overprovisioned VMs on a node under the same aggregation level, re-caculates their rate limits

Rate Enforcer

• Gets rates calculated from Rate Limit Calculator

• Creates different entries in the Meter Table for each of these rate limiting aggregations based on calculations.

• Modifies flows/meters as per instructions from Rate Calculator

Sample Architecture

Orchestration Layer

Rate Calculator

OpenStack

Rate Enforcer

Node1

GBP

Node1 Node3

Next Steps

Where do we go from here? • Distributed Rate Limit Calculator and Rate

Limit Enforcer as ODL NSFs • Working PoC of Hierarchical Rate Limiter • More OF switches with OF13 Meters

support

• Hierarchical Rate Limiter as ODL Project

Q&A