Putting OpenFlow to Work in a Production Network Dan Schmiedt Executive Director, Network Services...

Putting OpenFlow to Work in a Production

Network

Dan SchmiedtExecutive Director, Network Services

and Telecommunications

Kuang-Ching “KC” WangAssociate Professor, Department of Electrical & Computer Engineering

Fan Yang, Aaron RosenGraduate Students, Department of Electrical & Computer Engineering

The big picture from a Technology point of view …• OpenFlow is part of an answer to the “ossification”

problem we see in networking: it provides a platform for innovation and rapid deployment of new protocols in real networks.

• OpenFlow can represent a major shift in the way we think of and operate networks: software defined, controller-based networking.– Network devices can be just interface-containing boxes.– Imagine, for example, how this could change the need for

routing protocols; the controllers already know everything!

Clemson University 2

The big picture from a University point of view…• OpenFlow provides a mechanism for the

engagement of IT Staff with Academic faculty and students.

• On the IT side we’re very busy and have to deal with operational realities. Our eyes are close to the grindstone and it’s often hard to think “out of the box”. (We know that box very well, thank you!)

• On the Academic side, students and faculty are eager to solve real problems and are not jaded by the realities of running a production network.

• So, what could happen if we combined them?


A Positive Feedback Loop• To facilitate sustained growth and leverage the power of a

University to stay creative, we need a new model.– Students

• IT funded RAs from networking research groups• University funded undergraduate “Creative Inquiry” team• Proposed Internal Internship program, supported by the Provost

– Network engineers• Task assignment/incentive model• Internal Faculty sabbaticals


ITIT

ResearchResearch TeachingTeaching

So, we just install the OpenFlow IOS image, give the students TACACS+ userids and let ‘em rip?• Ummm…:

– OF is not supported on Cisco hardware– I’m excited about all this, but not (completely) insane

• We support KC and his students in transporting GENI OpenFlow VLANs to GENI projects from I2/NLR and around campus…

• But, we wanted to do something with production network applications

• KC and students brainstormed with network engineers to find more use cases…


OpenFlow use cases in the production net• Idea: think of ways we can leverage OpenFlow with

minimal risk to the production network.

• The sky is the limit: simple python code and the NOX OpenFlow controller can tell the switch how to forward traffic in whatever ways we want…

• Some ideas:

– Data Analysis Network, “DAN”

– Tracking of stolen laptops


OpenFlow use cases in the production net• Data Analysis Network, “DAN”

– We are accumulating a plethora of devices that need to see aggregate network traffic at arbitrary points on the network. E.g., Coradiant, MARS, FireEye, sniffers, etc.

• “You know, just have your network people send the appropriate traffic to our magical device…”

– An OpenFlow DAN would behave like a bunch of Gigamon boxes and forward traffic from SPANs or VACLs to monitoring devices.


Proposed DAN implementation


Some noodling on the whiteboard…

OpenFlow – A One Slide Overview


OpenFlow ControllersEnd Users

Network of Various Scales

Application Servers

OpenFlow-enabledCommercial Switch

FlowTable

SecureChannel

NormalSoftware

NormalDatapath

• A software defined networking paradigm• OpenFlow-enabled commercial switches allow open access to

their flow tables by authorized software OpenFlow controllers• Centralized, virtualized control and monitoring of network

OpenFlow use cases in the production net• Case study 1: Data Analysis Network• Case study 2: Tracking Stolen Laptops• Both cases are implemented with simple OpenFlow controller

(OFC) code, coexisting with a production OFC (POFC)– OFC coexistence made possible by FlowVisor software


Distribution

Core

. . .

Access

Clemson Campus Network

IT servere.g., security/app

monitor

Host 2, e.g.,app server

Host 1, e.g., user desktopFlowVisor

OFC2POFC OFC1

OpenFlow Data Analysis Network• The problem: Packet grabbing appliances (Cisco MARS,

Coradiant, sniffers) need us to send traffic of interest to them. • The need: a separate Data Analysis Network (DAN) to mirror

traffic from arbitrary location. Like Gigamon, etc.• The proposed solution: Use OF to duplicate traffic from

anywhere to designated analysis servers


Distribution

Core

. . .

Access


IT servere.g., security/app

monitor

Host 2, e.g.,app server

Host 1, e.g., user desktopFlowVisor

OFC2POFC OFC1

User trafficMonitored traffic

OK, so how do you DO this?


When a packet comes into the controller the controller floods the packet out all ports on the switch.

Starting with a simple example, we would turn on an OF-capable switch, enable OF for a VLAN, point it at a NOX controller, and write some simple python code.

This code makes a simple hub:

Kick it up one more notch and make a learning switch…


Learn which ports the source MAC address is attached to.

Installs rule to switch to send packets to that port matching

the Destination MAC address.

Then, check if we know where the port the destination MAC address is.

…and add just a little more to that …


OF command #1: install rule to

duplicate packets to mirror port from

another port on the same switch

OF command #2: controller sends a

duplicate packet to mirror port, in addition to original

forwarding action

• 7 added lines of python code to default switch controller

Use case #2: OpenFlow Computer Tracking • The problem: Large number of student laptops reported

stolen every year• The need: In some past cases, stolen laptops remained on

campus and were accessing campus network• The proposed solution: Leverage OF controller to detect and

track lost laptops’ location upon network access


Distribution

Core

. . .

Access


Reported stolen laptopFlowVisor

OFC2

Lost laptop

DB

Lost laptop

DB

Campus switch

location DB

Campus switch

location DB

OpenFlow controller code for computer tracker


Database query #1: check MAC

address with stolen laptop database

Database query #2: upload switch/port ID to stolen laptop database

• Two database queries added to a standard controller template

Web Display Snapshot


Google Map Snapshot


Summary and outlook• We believe that OpenFlow will drive a paradigm shift

in networking.• Universities can be most effective when they

leverage the depth of their faculty, the creativity of their students, and the expertise of their staff.

• Relax! This stuff is fun, and you’ll get smarter.• Build a partnership with an academic part of your

University.• Commercial support is a chicken-and-egg problem,

let’s break that cycle.


FURTHER QUESTIONSCONTACT:

DAN – [email protected] – [email protected]


Openflow: http://openflowswitch.orgGENI: http://geni.net

Putting OpenFlow to Work in a Production Network Dan Schmiedt Executive Director, Network Services...

Documents

Transcript of Putting OpenFlow to Work in a Production Network Dan Schmiedt Executive Director, Network Services...