OpenFlow - Introduction - Arie Bregman PDF


12/10/2017 OpenFlow: Introduction Arie Bregman

OpenFlow: Introduction
NOVEMBER 30, 2016 / BREGMAN / 0 COMMENTS

What is OpenFlow?
If we tried to explain what OpenFlow is, a possible definition would be: OpenFlow is a
protocol for controlling and interacting with the forwarding behaviors of switches. It
allows us to dynamically control the behavior of the switches in our network. Many
SDN (software defined network) and open source projects use OpenFlow or support
it as a plugin, such as OpenStack Neutron and OpenDaylight.

But it's hard to grasp what it is, what it solves and how it works using only this brief
description. To truly understand what OpenFlow is, we need to start from the
beginning, before the SDN era.

Note: I'll not deep dive into SDN, as this post is not about what SDN is, but I'll cover it
quickly since it's crucial for understanding why OpenFlow is needed and what
it is used for.

Before SDN
Before talk of software defined networks started, a traditional network would
look something like this:
http://abregman.com/2016/11/30/openflow-introduction/ 1/18

You can see four switches while the control plane and data plane are local to the
devices.

A control plane is considered to be the brain of the device. It's responsible for all the
data plane activities, which are not related to the end-user data packets. Such
activities are creating/managing local routing tables and setting packet handling
policies.

The data plane is how packets are forwarded through the device. For example, a
packet arriving at the first device needs to know how to continue its journey to the
destination (e.g. through which port to exit).

So in a traditional network each device has its own brain (control plane) and a data
plane. There is no single device that can see the entire network. From an
administration point of view, you would need to connect to every device in your
system (in the drawing, it's only two, but in reality it can reach thousands of devices)
and configure each one of them, in some cases, manually.

To move traffic, each device would need to communicate with other devices to get an
updated view on the network topology and choose the best way to forward the
packet.

Beginning of a new era: SDN


One of the main concepts SDN introduced was to centralize all the control planes
into one device, which is called the controller. The controller has visibility of the
whole network, and this visibility allows it to make smart decisions on how to forward
packets. So the controller can send instructions to the different switches, to tell them
what to do with incoming packets (e.g. drop, forward through port X).

It is also called the SDN controller.

Note: regarding SDN, this is really just the tip of the iceberg. To learn more about
SDN, I recommend watching some of the videos I gathered right here.

Why do we need OpenFlow?


So we understand why we need, or more importantly why we want, one centralized
controller, but how will this controller communicate with all the switches? The answer
is OpenFlow.

OpenFlow has several roles in this new structure:

It makes sure to create a logical representation of the switches in our network so
the controller can process this information.

It allows the controller to communicate with the switches in a secure manner.

It defines the flow tables and flow entries to change the behavior of a switch and
define how packets are handled (dropped, forwarded, stripped, etc.)

OpenFlow Switch
Let's have a look at OpenFlow switch components:

We'll cover each one of them in more detail.

Flow Tables and Flow entries


An OpenFlow switch holds one or more flow tables.

When a packet arrives at the switch it is processed by the first table. If the packet
doesn't match any flow entry, it's called a table miss. The packet can then either be
dropped or passed to another table. It depends on configuration.

Each flow table consists of flow entries. Three important components of a flow entry:

1. Match Fields: these fields are used to match against a packet. Some of the fields:
VLAN id, MAC src address, MAC dest address, IP src address, IP dest address,
switch port and a lot more fields that can be found in the OpenFlow specification.

2. Priority: what is the priority of the flow entry. When a packet matches several
flow entries, the entry with the highest priority is used.

3. Instructions: what should be done in case of a match. Instructions can change:

a. The packet itself: remove headers, change headers (set VLAN header, change
TTL, push MPLS header)

b. Processing: move packet to table X

c. Flow: output packet through port 5, drop packet

It can be one of them or a combination (e.g. change the packet, and move it to table X).

There are additional fields such as counters and flags, but match fields and priority
are what make a flow entry unique.

Group Table
Group table is like a special flow table. It consists of group entries which include
action buckets and an identifier.

The identifier is a 32-bit integer to uniquely identify the group table and the action
bucket is a set of actions to execute.

Multiple flow entries can point to the same group entry. So you can have 500 flow
entries pointing to one group entry with the action of send out through port 4. Once
you change the group entry to send out through port 10, it changes the behavior for
500 flow entries in one effective command.

Secure Channel (aka OpenFlow Channel)


This component is used for communication between the controller and the
OpenFlow switch. It uses the OpenFlow protocol for the communication. The
communication can be periodic health messages, status information, flow
modification, packet-in, packet-out. By default it will use TCP for the communication,
but it can also use TLS for encrypted communication.
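
Because this channel carries flow modifications, a plain TCP target means they travel without encryption or authentication. The check below is an added example, not code from the original post: it classifies controller targets, in the form printed by ovs-vsctl get-controller <bridge>, by their Open vSwitch connection method. The inventory is constructed and the severity labels are this example's own.

```python
ENCRYPTED = {"ssl", "pssl"}   # OpenFlow over TLS
LOCAL = {"unix", "punix"}     # Unix domain socket, not reachable over the network

def classify_target(target):
    """Return (level, reason) for one controller connection target."""
    method, _, rest = target.strip().partition(":")
    if method in ENCRYPTED:
        return "ok", "TLS-protected channel"
    if method in LOCAL:
        return "ok", "local Unix socket"
    if method == "ptcp":
        # ptcp:[port][:host] - with no host the switch listens on every
        # local address for a controller connection.
        _, _, host = rest.partition(":")
        if not host:
            return "high", "plaintext listener on all addresses"
        return "medium", f"plaintext listener bound to {host}"
    if method == "tcp":
        return "medium", "plaintext connection to controller"
    return "unknown", f"unrecognised method {method!r}"

def audit(bridges):
    """bridges maps bridge name -> list of controller targets."""
    findings = []
    for bridge, targets in sorted(bridges.items()):
        for target in targets:
            level, reason = classify_target(target)
            if level != "ok":
                findings.append((bridge, target, level, reason))
    return findings

# Constructed inventory (bridge names reused from this post, documentation
# address range 192.0.2.0/24, IANA OpenFlow port 6653).
INVENTORY = {
    "br-ctlplane": ["tcp:192.0.2.10:6653"],
    "br-int": ["ssl:192.0.2.10:6653"],
    "my_switch": ["ptcp:6653", "ptcp:6653:127.0.0.1"],
}

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
```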


Scenario
Example: Access a web server
To better understand how it looks when an OpenFlow switch is used, we'll use an
example of a flow in which we are reaching out to a web server (Host 3) from Host 1.

Notes about the flow:

In step 2, the lack of a match between the packet and a flow entry is also called
a table miss.

In step 3, if the packet-in references just some of the packet headers, then it
probably also includes a buffer id. The buffer id means that the original packet is
entirely buffered in the switch, and the buffer id can then be used by the controller
to instruct the switch on what to do with the packet this buffer id belongs to.

In step 4 it's the same idea. It can use the entire packet, or reference it with the
buffer id.

Note that the controller might choose to send a flow modification message to
instruct the switch to install a new flow entry, so similar packets in the future
would be handled the same way and won't need to be redirected to
the controller.

Now let's review the reply flow from Host 3 to Host 1

Notes about the flow:

The flow entry installed in the previous drawing/flow is not the same one as for
this flow, since then it was Host 1 -> Host 3 and this drawing is about Host 3 ->
Host 1. This is why, once again, the packet is encapsulated and sent to the controller.

In step 3 the buffer id will be different for the same reason: the packet sent to the
controller is not from the same flow.

In step 4, as in the previous drawing, the controller might send a flow modification
to install a flow entry for future similar packets.

After a packet is sent from Host 1 to Host 3 and a reply is received from Host 3 by Host 1,
any future communication can be done using the flow entries installed by the
controller. There is no need to send more packets to the controller unless there is a
new type of communication.

You don't even need to contact the controller if the flows are inserted before the
communication starts. We'll see in a second how to insert new flow entries by
ourselves.
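
The request/reply scenario above, together with the highest-priority-wins rule from the flow table section, as a small Python model. This is an added example, not code from the original post or from Open vSwitch; the Switch class, the controller function and the host-to-port map are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class FlowEntry:
    match: dict      # match fields; a field left out is a wildcard
    priority: int
    actions: list    # e.g. ["output:3"] or ["drop"]
    n_packets: int = 0

class Switch:
    """Single flow table; a table miss is sent to the controller (packet-in)."""
    def __init__(self, controller):
        self.table, self.controller, self.packet_ins = [], controller, 0

    def add_flow(self, match, priority, actions):
        self.table.append(FlowEntry(match, priority, actions))

    def lookup(self, pkt):
        hits = [e for e in self.table
                if all(pkt.get(k) == v for k, v in e.match.items())]
        return max(hits, key=lambda e: e.priority, default=None)

    def receive(self, pkt):
        entry = self.lookup(pkt)
        if entry is None:                       # table miss
            self.packet_ins += 1
            return self.controller(self, pkt)   # packet-in -> packet-out
        entry.n_packets += 1
        return entry.actions

PORT_OF = {"host1": 1, "host3": 3}   # hypothetical topology known to the controller

def controller(switch, pkt):
    """Answer a packet-in: install a flow entry (flow-mod), then forward."""
    out = [f"output:{PORT_OF[pkt['dst']]}"]
    switch.add_flow({"src": pkt["src"], "dst": pkt["dst"]}, 100, out)
    return out

def run_scenario():
    sw = Switch(controller)
    request = {"in_port": 1, "src": "host1", "dst": "host3"}
    reply = {"in_port": 3, "src": "host3", "dst": "host1"}
    log = [(sw.receive(p), sw.packet_ins)
           for p in (request, reply, request, reply)]
    sw.add_flow({"src": "host1"}, 400, ["drop"])   # higher priority wins
    log.append((sw.receive(request), sw.packet_ins))
    return log
```

Each tuple returned by run_scenario() is (actions applied, packet-ins so far): the counter stops at 2 once both directions have an entry, and the priority 400 drop entry then overrides the installed forward entry.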

Open vSwitch and OpenFlow


Many solutions/products today use Open vSwitch together with OpenFlow. Take for
example OpenStack and OpenDaylight.

In order to understand the network flows and to be able to troubleshoot issues in
such environments, you need to be familiar with Open vSwitch and OpenFlow related
commands. Open vSwitch was already covered in previous posts. In the following
lines, I'm going to cover ovs-ofctl specifically.

ovs-ofctl
ovs-ofctl is how you manage, operate and monitor OpenFlow switches.

ovs-ofctl show
The first command you want to be familiar with is ovs-ofctl show <switch_name>. It will
print information on the switch and its ports, in addition to limits such as the number of
tables and number of buffers.

Let's see an example from a TripleO setup

> ovs-ofctl show br-ctlplane

OFPT_FEATURES_REPLY (xid=0x2): dpid:0000fa163e9839ce
n_tables:254, n_buffers:256
capabilities: FLOW_STATS TABLE_STATS PORT_STATS QUEUE_STATS ARP
actions: output enqueue set_vlan_vid set_vlan_pcp strip_vlan mod_dl_src mod_
 1(eth1): addr:fa:16:3e:98:39:ce
     config: 0
     state: 0
     speed: 0 Mbps now, 0 Mbps max
 2(phy-br-ctlplane): addr:22:62:b2:72:3b:d6
     config: 0
     state: 0
     speed: 0 Mbps now, 0 Mbps max
 LOCAL(br-ctlplane): addr:fa:16:3e:98:39:ce
     config: 0
     state: 0
     speed: 0 Mbps now, 0 Mbps max
OFPT_GET_CONFIG_REPLY (xid=0x4): frags=normal miss_send_len=0

It gives us a lot of information such as switch capabilities (note that it supports
FLOW_STATS), actions and ports. We have 2 ports, the same you'll see if using
ovs-vsctl show, but here the information is a little bit different (MAC address, config, state
and the speed of each port). The third one is the switch itself.

ovs-ofctl add-flow
Let's add our first flow.

> ovs-vsctl add-br my_switch
> ovs-ofctl add-flow my_switch action=normal

We added one flow entry without any match fields and with the action normal.
Normal means our switch will act as a traditional layer 2 switch.

Now let's add a flow with some match fields. Let's say that we want every incoming packet
through port 1 to be sent through port 2.

> ovs-ofctl add-flow my_switch priority=400,in_port=1,actions=output:2

We added a new flow. This flow has a priority of 400, so if a packet matches several
flow entries with lower priorities, it will be processed by the one we added. We also
set a match field in_port=1, which means packets that arrived through port 1. The
action is to output the packet through port 2 (actions=output:2). To verify it actually
works, I recommend testing it by sending something to port 1 and seeing it go through
port 2 by looking at the counter or sniffing the network with tcpdump.

Now let's try layer 2 matching

> ovs-ofctl add-flow my_switch dl_src=01:00:00:01:00:00,dl_dst=02:00:00:02:00:0


We used dl_src to match on the source MAC address and dl_dst to match on
the destination MAC address. So everything coming from 01:00:00:01:00:00 will be sent
to 02:00:00:02:00:00 through port 2.

ovs-ofctl del-flows


To remove all the flows

> ovs-ofctl del-flows my_switch

You can specify a specific flow you want to remove, right after the name of the switch.

ovs-ofctl dump-flows
Prints all the flow entries in the specified switch tables. Let's again add a simple flow
(after we removed everything) and see how it looks in our switch

> ovs-ofctl add-flow my_switch action=normal

> ovs-ofctl dump-flows my_switch
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=556.040s, table=0, n_packets=0, n_bytes=0, idle_age=556
 cookie=0x0, duration=499.348s, table=0, n_packets=0, n_bytes=0, idle_age=499

You can see two flow entries. One was there by default when the switch was created (the
one with idle_age=556). The second is the one we added earlier.

For each flow entry you can see the duration of the time it's there, to which table
number it belongs (table=0), how many packets matched the flow entry (0), the
idle_age which represents the age of the entire flow without being matched to any
packet, the priority (if specified; we haven't specified one when adding the flow) and
the actions.
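
An added example (not from the original post) that parses dump-flows output and marks entries that can never match because a higher-priority entry covers them. It relies on ovs-ofctl using priority 32768 when priority= is omitted, so a flow added with only action=normal outranks one added with priority=400. The sample dump is constructed, and match fields are compared value by value without masks.

```python
import re

COUNTERS = {"cookie", "duration", "table", "n_packets", "n_bytes",
            "idle_age", "hard_age"}
DEFAULT_PRIORITY = 32768  # ovs-ofctl default when priority= is omitted

def parse_flow(line):
    """Split one dump-flows entry into counters, match fields and actions."""
    head, _, actions = line.strip().partition(" actions=")
    flow = {"priority": DEFAULT_PRIORITY, "match": {}, "actions": actions}
    for token in re.split(r",\s*", head):
        key, _, value = token.partition("=")
        if key in COUNTERS:
            flow[key] = value
        elif key == "priority":
            flow["priority"] = int(value)
        elif key:                      # everything else is a match field
            flow["match"][key] = value
    return flow

def review(dump):
    """Return (priority, match, actions, notes) tuples, highest priority first."""
    flows = [parse_flow(l) for l in dump.splitlines() if " actions=" in l]
    flows.sort(key=lambda f: -f["priority"])
    report = []
    for f in flows:
        notes = ["catch-all"] if not f["match"] else []
        # Shadowed: a strictly higher-priority entry in the same table has
        # match fields that are a subset of this entry's, so it always wins.
        if any(g["priority"] > f["priority"] and g.get("table") == f.get("table")
               and g["match"].items() <= f["match"].items() for g in flows):
            notes.append("shadowed")
        report.append((f["priority"], f["match"], f["actions"], notes))
    return report

# Constructed sample in dump-flows format (not output captured from the post).
SAMPLE = """NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=556.040s, table=0, n_packets=0, n_bytes=0, idle_age=556, priority=0 actions=NORMAL
 cookie=0x0, duration=499.348s, table=0, n_packets=12, n_bytes=1008, idle_age=3, actions=NORMAL
 cookie=0x0, duration=12.500s, table=0, n_packets=0, n_bytes=0, idle_age=12, priority=400,in_port=1 actions=output:2
 cookie=0x0, duration=9.100s, table=0, n_packets=0, n_bytes=0, idle_age=9, dl_src=01:00:00:01:00:00 actions=drop
"""

if __name__ == "__main__":
    for row in review(SAMPLE):
        print(row)
```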

That looks pretty empty and boring for a new switch, right? Let's look at the switch
TripleO created (specifically br-ctlplane)

> ovs-ofctl dump-flows br-ctlplane

NXST_FLOW reply (xid=0x4):
 cookie=0x8e67bd412a95a3fb, duration=5662.610s, table=0, n_packets=61, n_by
 cookie=0x8e67bd412a95a3fb, duration=5679.407s, table=0, n_packets=3, n_byt
 cookie=0x8e67bd412a95a3fb, duration=5679.641s, table=0, n_packets=777925


Three flow entries, still one table, but look how many packets matched each flow,
especially the third one (779256). We can also see new actions. For example, the first
entry now includes strip vlan, so whenever a packet hits this entry, its VLAN
header will be stripped off. For the second flow entry, we have drop, which means
that when a packet matches this entry, it will be dropped.

OpenFlow Specification


Finally, I really recommend reading the OpenFlow specification. It's great and has very
detailed information on OpenFlow.

Here is the specification for 1.5.1. Make sure to check if a newer version is available.
