Staged Deployment
A staged deployment procedure is recommended: create one OpenFlow instance, verify it, then create the next instance, and finally slice the network.
Stage 0: Setup Non-OpenFlow VLANs
In the basic stage, we prepare the switch and configure the non-OpenFlow legacy network. We set up two non-OpenFlow VLANs, VLAN999 and VLAN10. We assign each switch an IP address on VLAN999 so that the operator can log in to the switch. VLAN999 will also be used for OpenFlow control in the following stages.
Switch Configuration
NEC IP8800
- Connect to the switch using serial cable (Baud rate: 9600, Data: 8bit, Parity: none, Stop: 1bit, Flow Control: none).
- At the prompt, log in as "operator". There is no password for that account. Then type "en" to become superuser.
- Enter config mode by typing command "config"
- Create separate management VLAN and add the port that will be used for management to it.
(config)# vlan 999
(config-vlan)# name "MGMT_VLAN"
(config-vlan)# exit
(config)# interface gigabitethernet 0/48
(config-if)# switchport access vlan 999
(config-if)# exit
(config)# interface vlan 999
(config-if)# ip address <IP address> <mask>
(config-if)# exit
(config)# ip route 0.0.0.0 0.0.0.0 <gateway>
- Now telnet to the switch and start creating the non-OpenFlow network.
nec1#config
nec1(config)#vlan 10
nec1(config-vlan)# name "legacy_vlan"
nec1(config-vlan)# exit
nec1(config)#interface range gigabitethernet 0/5
nec1(config-if-range)#switchport mode access
nec1(config-if-range)#switchport access vlan 10
nec1(config-if-range)#exit
nec1(config)#interface range gigabitethernet 0/48
nec1(config-if-range)#switchport mode trunk
nec1(config-if-range)#switchport trunk allowed vlan 10,999
nec1(config-if-range)#exit
nec1(config)#write
nec1(config)#exit
Pronto (Indigo firmware)
- Connect to the switch using serial cable (Baud rate: 115200, Data: 8bit, Parity: none, Stop: 1bit, Flow Control: none).
- At the appropriate moment, access the boot menu using Control-B. You will receive a "==>" prompt.
- Check the output of "printenv", and then assign the necessary IP address (gateway, subnet mask) using the "setenv" command.
- Store the necessary images in the /tftpboot directory of the TFTP server.
- Copy the images over TFTP:
=> copy -k tftp://<tftp server>/uImage
=> copy -r tftp://<tftp server>/uInitrd2m
=> copy -d tftp://<tftp server>/LB9A.dtb (only if Pronto 3290)
=> setenv flash_bootcmd 'setenv bootargs root=/dev/ram console=ttyS0,$baudrate rw \
ip=$ipaddr:$serverip:$gatewayip:$netmask:$hostname:$netdev DEV_ADDR=$ipaddr; \
bootm ffd00000 ff000000 ffee0000'
=> setenv cfcard_bootcmd 'setenv bootargs root=/dev/ram console=ttyS0,$baudrate rw \
ip=$ipaddr:$serverip:$gatewayip:$netmask:$hostname:$netdev DEV_ADDR=$ipaddr; \
ext2load ide 0:1 0x1000000 /uImage;ext2load ide 0:1 0x2000000 /uInitrd2m; \
ext2load ide 0:1 0x400000 /LB9A.dtb; bootm 1000000 2000000 400000'
=> setenv bootcmd 'run flash_bootcmd'
=> saveenv
=> reset
- The boot process continues and stops at the "$" prompt of the kernel.
HP Procurve
- Connect to the switch using serial cable (Baud rate: 9600, Data: 8bit, Parity: none, Stop: 1bit, Flow Control: none).
- Enter config mode by typing command "config"
- Create separate management VLAN and add the port that will be used for management to it.
(config)# vlan 999
(vlan-999)# name MGMT_VLAN
(vlan-999)# ip address <IP address> 255.255.255.0
(vlan-999)# tagged A1,A4,A24
(vlan-999)# exit
(config)# vlan
(config)# ip route 0.0.0.0 0.0.0.0 <gateway>
(config)# ip ssh filetransfer
(config)# exit
# boot system flash secondary
- After rebooting the system into secondary flash, copy the firmware to the switch using scp. This is the easiest option.
scp /path/to/image root@switch:/os/primary
- Sometimes the SSH session will not finish cleanly, and the switch will complain. Wait a minute or two and the connection will time out.
- After waiting, log in to the switch over telnet and issue the following command to reboot the switch into the OpenFlow firmware.
#boot system flash primary
- Once the switch has rebooted, log in to the switch over the management interface and create the non-OpenFlow network:
# config
(config)# vlan 10
(vlan-10)# name legacy_vlan
(vlan-10)# tagged A1,A4,A24
(vlan-10)# untagged A8,A9
(vlan-10)# exit
(config)# exit
# write memory
Stage 1: Add an OpenFlow VLAN
In the first stage, we pick a switch with an existing legacy network and add a new OpenFlow instance (i.e., OpenFlow VLAN). We point this instance to the NOX controller. (Note: We only mention the additional commands needed to add the new instance.)
Switch Configuration
NEC IP8800
- After procuring the switch, add the firmware and openflow.conf onto the SD card. Load this SD card in the front left slot of the switch. Ensure that the newlines are CRLF in the conf file. After this, execute the following commands in "config" mode:
nec1(config)#interface range gigabitethernet 0/1
nec1(config-if-range)#switchport mode access
nec1(config-if-range)#switchport access vlan 110
nec1(config-if-range)#exit
nec1(config)#interface range gigabitethernet 0/48
nec1(config-if-range)#switchport trunk allowed vlan 10,999,110
nec1(config-if-range)#exit
nec1(config)#write
nec1#setvsi 110 1,48.110 tcp <controller ip>:6633 dpid 0x001234567890 max-backoff 15 wildcardlimit 50
Pronto (Indigo firmware)
- Next you can edit the configuration files and start the OF protocol on the Pronto switch. For more instructions, click here
HP Procurve
(config)# vlan 110
(vlan-110)# name expt_vlan
(vlan-110)# tagged A1
(vlan-110)# untagged A2,A5
(vlan-110)# exit
(config)# openflow 110 controller tcp:<controller ip>:6633 enable
(config)# exit
# write memory
OpenFlow Controller (NOX) Setup
- Now that the switches have been configured, you need to install a controller application. NOX is the most basic controller that is freely available.
- Download and install NOX onto the dedicated server using the following steps. More instructions specific to different environments can be found in this manual
git clone git://noxrepo.org/noxcore
cd noxcore/
./boot.sh
mkdir build/
cd build/
../configure --with-python=yes
make
make check
- Once compiled, you can now run NOX on port 6633 of that dedicated server, with just the simple routing module.
./nox_core -i ptcp:6633 routing
- At this point, traffic should start flowing in the new OpenFlow instance. Conduct the basic test described in the Basic Testing manual.
Stage 2: Add more OpenFlow VLANs
In the second stage, we add more OpenFlow instances (i.e., OpenFlow VLANs) that are externally reachable (e.g., VLAN 120 in our example). This instance will be controlled by the SNAC controller and will serve as the Production Network for your users. OpenFlow traffic is trunked in the HP switch so that it can reach the external Internet. (Note: Only NEC and HP support adding more VLANs. With Pronto and other pure-OF switches, the whole switch acts as one large VLAN.)
Switch Configuration
NEC IP8800
nec1(config)#interface range gigabitethernet 0/2-3
nec1(config-if-range)#switchport mode access
nec1(config-if-range)#switchport access vlan 120
nec1(config-if-range)#exit
nec1(config)#interface range gigabitethernet 0/48
nec1(config-if-range)#switchport mode trunk
nec1(config-if-range)#switchport trunk allowed vlan 10,999,110,120
nec1(config-if-range)#exit
nec1(config)#write
nec1#setvsi 120 2-3,48.120 tcp <controller ip>:7733 dpid 0x001234567891 max-backoff 15 wildcardlimit 50
HP Procurve
(config)# vlan 120
(vlan-120)# name prod_openflow_vlan
(vlan-120)# tagged A1,A24
(vlan-120)# untagged A6,A7
(vlan-120)# exit
(config)# openflow 120 controller tcp:<controller ip>:7733 enable
(config)# exit
# write memory
Controller (SNAC) Setup
- Download the SNAC binary onto the dedicated server. The SNAC binary requires a Debian system (the packages were built on Debian stable lenny).
- Install the required dependencies
$ sudo apt-get update
$ sudo apt-get install openssl libboost-test1.34.1 libboost-filesystem1.34.1 libboost-serialization1.34.1 libxerces-c28 python2.5 python-twisted python-simplejson python-mako python-openssl tmpreaper
- Unzip and Install the binaries
$ tar xvfz snac_packages.tar.gz
$ sudo dpkg -i *.deb
- SNAC starts automatically and listens on TCP port 6633. If you want to change the port, edit /etc/default/noxcore:
OF_LISTEN="-i ptcp:6633"
- Start SNAC by running the command "sudo /etc/init.d/noxcore restart".
- Visit https://controller-IP-address/ and log in as “admin” with no password.
- All new switches will appear in the list of switches as “unregistered”. You must register each one by clicking on “Register Switch”, after which they start operating as switches controlled by SNAC.
- At this point, traffic should start flowing in the new OpenFlow instance. Conduct the basic test described in the Basic Testing manual.
Stage 3: Insert FlowVisor Virtualization
In the last stage, we enable the infrastructure to run multiple experiments (or OpenFlow networks). For this purpose, we use the FlowVisor software. FlowVisor is a special-purpose OpenFlow controller that acts as a transparent proxy between OpenFlow switches and multiple OpenFlow controllers. It creates slices of network resources and delegates control of each slice to a different controller. Slices can be defined by any combination of switch ports (layer 1), src/dst Ethernet address or type (layer 2), src/dst IP address or type (layer 3), and src/dst TCP/UDP port or ICMP code/type (layer 4).
FlowVisor Download & Compile
To instantiate the different slices, undertake the following steps:
- Download and compile the OpenFlow switch software (FlowVisor needs it as a dependency):
$ git clone git://openflowswitch.org/openflow.git
$ cd openflow
$ git checkout -b openflow_089_rev4 origin/release/0.8.9
$ ./boot.sh
$ ./configure
$ make
- Download and compile the latest FlowVisor code while in user mode:
$ git clone git://openflowswitch.org/flowvisor.git
$ cd flowvisor
$ git checkout -b fv0.4_of1.0 origin/deprecated/of-0.89
$ ./boot.sh
$ ./configure --with-openflow-src-dir=/path/to/openflow
$ make
Create FlowVisor Policy File
- Once FlowVisor is installed, create the ./flowvisor-conf.d directory, which holds the different policy configurations. The current FlowVisor implementation requires that you add default.switch and at least one controller.guest policy file:
$ cd <flowvisor src dir>
$ mkdir flowvisor-conf.d
$ cat > flowvisor-conf.d/default.switch
Default: 1
ID: 9999
$ cat > flowvisor-conf.d/snac.guest
Name: snac
ID: 1
Host: tcp:localhost:8888
FlowSpace: deny: tp_src: 80 limit: 10000
FlowSpace: deny: tp_dst: 80 limit: 10000
FlowSpace: allow: limit: 10000
- The above configuration means that FlowVisor will forward ALL control messages, except those belonging to HTTP traffic, to the SNAC instance running on localhost port 8888.
Change SNAC Running Port
- The SNAC instance installed in the previous stage is currently using port 7733. It needs to be moved to the new port number 8888 and then restarted. To do that, perform the following two steps:
- Change OF_LISTEN="-i ptcp:8888" in /etc/default/noxcore
- Restart SNAC by running command: "sudo /etc/init.d/noxcore restart"
Run
- Run FlowVisor from user mode with the following command:
$ ./flowvisor ptcp:7733
- We have now inserted FlowVisor in between the switches and SNAC.
- It is possible to start a new guest slice by adding another guest file in the directory and restarting FlowVisor:
$ cat > flowvisor-conf.d/http.guest
Name: http
ID: 2
Host: tcp:localhost:8890
FlowSpace: allow: tp_src: 80 limit: 10000
FlowSpace: allow: tp_dst: 80 limit: 10000
This creates two slices: one for the production traffic (managed by SNAC), and one for the experimental HTTP traffic (possibly managed by NOX). This is the simplest case. To slice the network at a finer granularity, please refer to the FlowVisor manual.
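The two-slice split described above can be checked offline before FlowVisor is restarted. The following is an added example, not FlowVisor code and not part of the original page: it parses the two guest files shown above and reports probe flows that more than one slice, or no slice, would receive. It assumes that FlowSpace rules are read top to bottom with the first match deciding and that "limit" is not a match field; the function names and the probe flows are constructed for illustration.

```python
# Added example. Assumed: first matching rule decides; "limit" is not matched.
SNAC = """Name: snac
ID: 1
Host: tcp:localhost:8888
FlowSpace: deny: tp_src: 80 limit: 10000
FlowSpace: deny: tp_dst: 80 limit: 10000
FlowSpace: allow: limit: 10000"""
HTTP = """Name: http
ID: 2
Host: tcp:localhost:8890
FlowSpace: allow: tp_src: 80 limit: 10000
FlowSpace: allow: tp_dst: 80 limit: 10000"""
# Constructed probe flows: HTTP in both directions, then SSH and HTTPS.
PROBES = [{"tp_src": 40000, "tp_dst": 80}, {"tp_src": 80, "tp_dst": 40000},
          {"tp_src": 40000, "tp_dst": 22}, {"tp_src": 40000, "tp_dst": 443}]

def parse_guest(text):
    """Parse one guest file into {'name', 'host', 'rules': [(action, match)]}."""
    guest = {"rules": []}
    for line in text.splitlines():
        key, _, rest = line.partition(":")
        key, rest = key.strip().lower(), rest.strip()
        if key == "flowspace":
            tokens = [t.rstrip(":") for t in rest.split()]
            pairs = zip(tokens[1::2], tokens[2::2])
            match = {k: v for k, v in pairs if k != "limit"}
            guest["rules"].append((tokens[0], match))
        elif key in ("name", "host"):
            guest[key] = rest
    return guest

def accepts(guest, flow):
    """True if the first rule matching `flow` is an allow; no match means no."""
    for action, match in guest["rules"]:
        if all(str(flow.get(f)) == v for f, v in match.items()):
            return action == "allow"
    return False

def audit(guests, probes):
    """Return (overlaps, orphans): probes seen by several slices, or by none."""
    overlaps, orphans = [], []
    for flow in probes:
        who = [g["name"] for g in guests if accepts(g, flow)]
        if len(who) > 1:
            overlaps.append((flow, who))
        elif not who:
            orphans.append(flow)
    return overlaps, orphans

print(audit([parse_guest(SNAC), parse_guest(HTTP)], PROBES))
```

Under these assumptions, moving the catch-all allow line above the two deny lines in snac.guest makes both HTTP probes show up as overlaps, which is why the rule order in the guest file matters for slice isolation.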
Summary of configurations
Refer to the following setup pages for a complete list of the configurations needed:
Switch setup,
Controller setup