Putting OpenFlow to Work in a Production Network


Transcript of “Putting OpenFlow to Work in a Production Network”

Dan Schmiedt, Executive Director, Network Services and Telecommunications
Kuang-Ching “KC” Wang, Associate Professor, Department of Electrical & Computer Engineering
Fan Yang, Aaron Rosen, Graduate Students, Department of Electrical & Computer Engineering

The big picture from a Technology point of view…

• OpenFlow is part of an answer to the “ossification” problem we see in networking: it provides a platform for innovation and rapid deployment of new protocols in real networks.

• OpenFlow can represent a major shift in the way we think of and operate networks: software defined, controller-based networking.
– Network devices can be just interface-containing boxes.
– Imagine, for example, how this could change the need for routing protocols; the controllers already know everything!

Clemson University 2

The big picture from a University point of view…

• OpenFlow provides a mechanism for the engagement of IT staff with academic faculty and students.

• On the IT side we’re very busy and have to deal with operational realities. Our eyes are close to the grindstone and it’s often hard to think “out of the box”. (We know that box very well, thank you!)

• On the academic side, students and faculty are eager to solve real problems and are not jaded by the realities of running a production network.

• So, what could happen if we combined them?


A Positive Feedback Loop

• To facilitate sustained growth and leverage the power of a University to stay creative, we need a new model.
– Students
• IT-funded RAs from networking research groups
• University-funded undergraduate “Creative Inquiry” team
• Proposed internal internship program, supported by the Provost
– Network engineers
• Task assignment/incentive model
• Internal faculty sabbaticals

[Diagram: IT, Research and Teaching as the three parts of the feedback loop]

So, we just install the OpenFlow IOS image, give the students TACACS+ userids and let ‘em rip?

• Ummm…:
– OF is not supported on Cisco hardware
– I’m excited about all this, but not (completely) insane

• We support KC and his students in transporting GENI OpenFlow VLANs to GENI projects from I2/NLR and around campus…

• But, we wanted to do something with production network applications

• KC and students brainstormed with network engineers to find more use cases…


OpenFlow use cases in the production net

• Idea: think of ways we can leverage OpenFlow with minimal risk to the production network.

• The sky is the limit: simple Python code and the NOX OpenFlow controller can tell the switch how to forward traffic in whatever ways we want…

• Some ideas:
– Data Analysis Network, “DAN”
– Tracking of stolen laptops


OpenFlow use cases in the production net

• Data Analysis Network, “DAN”
– We are accumulating a plethora of devices that need to see aggregate network traffic at arbitrary points on the network. E.g., Coradiant, MARS, FireEye, sniffers, etc.
• “You know, just have your network people send the appropriate traffic to our magical device…”
– An OpenFlow DAN would behave like a bunch of Gigamon boxes and forward traffic from SPANs or VACLs to monitoring devices.


Proposed DAN implementation


Some noodling on the whiteboard…

OpenFlow – A One Slide Overview

[Diagram: OpenFlow controllers, end users and application servers connected across a network of various scales]

• A software defined networking paradigm

• OpenFlow-enabled commercial switches allow open access to their flow tables by authorized software OpenFlow controllers

• Centralized, virtualized control and monitoring of network

OpenFlow use cases in the production net

• Case study 1: Data Analysis Network
• Case study 2: Tracking Stolen Laptops
• Both cases are implemented with simple OpenFlow controller (OFC) code, coexisting with a production OFC (POFC)
– OFC coexistence made possible by FlowVisor software

[Diagram: Clemson campus network with core, distribution and access layers; Host 1 (e.g., user desktop), Host 2 (e.g., app server) and an IT server (e.g., security/app monitor); FlowVisor sits between the switches and the controllers OFC1, OFC2 and POFC]

OpenFlow Data Analysis Network

• The problem: Packet grabbing appliances (Cisco MARS, Coradiant, sniffers) need us to send traffic of interest to them.
• The need: a separate Data Analysis Network (DAN) to mirror traffic from arbitrary locations. Like Gigamon, etc.
• The proposed solution: Use OF to duplicate traffic from anywhere to designated analysis servers

[Diagram legend: user traffic vs. monitored traffic]

OK, so how do you DO this?

Starting with a simple example, we would turn on an OF-capable switch, enable OF for a VLAN, point it at a NOX controller, and write some simple Python code.

This code makes a simple hub: when a packet comes into the controller, the controller floods the packet out all ports on the switch.

Kick it up one more notch and make a learning switch…

Learn which port the source MAC address is attached to.

Then, check if we know which port the destination MAC address is on.

Install a rule on the switch to send packets matching the destination MAC address to that port.

…and add just a little more to that…

OF command #1: install a rule to duplicate packets to the mirror port from another port on the same switch

OF command #2: the controller sends a duplicate packet to the mirror port, in addition to the original forwarding action

• 7 added lines of Python code to the default switch controller

Use case #2: OpenFlow Computer Tracking

• The problem: Large number of student laptops reported stolen every year
• The need: In some past cases, stolen laptops remained on campus and were accessing the campus network
• The proposed solution: Leverage the OF controller to detect and track lost laptops’ location upon network access

[Diagram: a reported stolen laptop connects to a campus switch; FlowVisor passes the packet-in to OFC2, which consults the lost laptop DB and the campus switch location DB]

OpenFlow controller code for computer tracker

Database query #1: check the MAC address against the stolen laptop database

Database query #2: upload the switch/port ID to the stolen laptop database

• Two database queries added to a standard controller template
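The hub, learning switch, DAN mirror port and computer tracker described on the preceding slides all live in the same packet-in handler. The block below is an added example, not the deck’s NOX code: it models that handler in plain Python, with NOX/OpenFlow calls replaced by a recorded rule list and returned output ports so it runs offline. The `FLOOD` marker, the mirror port number, the sample MAC addresses and the in-memory stolen-laptop set are assumptions.

```python
# Added example (not the slides' NOX controller): a pure-Python model of the
# packet-in handler the slides describe (learning switch + DAN mirror port +
# stolen-laptop lookup). Real flow_mod / packet_out calls are replaced by a
# recorded rule list and a returned list of output ports so it runs offline.
FLOOD = "FLOOD"   # assumption: stands in for the OpenFlow flood output port


class MirrorTrackerController:
    def __init__(self, mirror_port, stolen_macs):
        self.mirror_port = mirror_port        # DAN: port facing the analysis server
        self.stolen_macs = set(stolen_macs)   # use case 2: the "lost laptop DB"
        self.mac_to_port = {}                 # learning table: dpid -> {mac: port}
        self.flow_rules = []                  # rules a real controller would flow_mod
        self.sightings = []                   # use case 2: "campus switch location DB"

    def packet_in(self, dpid, in_port, src_mac, dst_mac):
        """Handle one packet-in event; return the output port(s) for this packet."""
        # Learning switch: remember which port the source MAC is attached to.
        table = self.mac_to_port.setdefault(dpid, {})
        table[src_mac] = in_port
        # Use case 2, DB query #1: is this source MAC on the stolen-laptop list?
        if src_mac in self.stolen_macs:
            # DB query #2: record switch/port so the web/map display can locate it.
            self.sightings.append((src_mac, dpid, in_port))
        # Learning switch: do we already know where the destination MAC lives?
        out_port = table.get(dst_mac)
        if out_port is None:
            # Unknown destination: behave like the simple hub and flood. The
            # mirror port is among the flooded ports, so the analyser sees it too.
            return [FLOOD]
        # DAN, OF command #1: install a rule so later packets for dst_mac arriving
        # on in_port are forwarded to out_port AND duplicated to the mirror port.
        actions = [out_port, self.mirror_port]
        self.flow_rules.append({"dpid": dpid, "in_port": in_port,
                                "dl_dst": dst_mac, "actions": actions})
        # DAN, OF command #2: this packet itself gets the same two output actions.
        return actions


if __name__ == "__main__":
    # Constructed scenario: MAC ...:01 is on the stolen list, attached to port 3;
    # a server at ...:02 sits on port 7; the analysis server is on port 24.
    ctl = MirrorTrackerController(mirror_port=24,
                                  stolen_macs={"02:00:00:00:00:01"})
    print(ctl.packet_in(1, 3, "02:00:00:00:00:01", "02:00:00:00:00:02"))
    print(ctl.packet_in(1, 7, "02:00:00:00:00:02", "02:00:00:00:00:01"))
    print(ctl.flow_rules, ctl.sightings)
```

In the real deployment the same logic sits behind FlowVisor, so the production controller keeps forwarding and this slice only adds the mirror action and the two lookups.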

Web Display Snapshot


Google Map Snapshot


Summary and outlook

• We believe that OpenFlow will drive a paradigm shift in networking.

• Universities can be most effective when they leverage the depth of their faculty, the creativity of their students, and the expertise of their staff.

• Relax! This stuff is fun, and you’ll get smarter.
• Build a partnership with an academic part of your University.

• Commercial support is a chicken-and-egg problem, let’s break that cycle.


FURTHER QUESTIONS CONTACT:

Dan – [email protected]
KC – [email protected]


OpenFlow: http://openflowswitch.org
GENI: http://geni.net