
BROCADE SDN CONTROLLER
OPERATIONS AND SUPPORT

2015 Brocade Communications Systems, Inc. Company Proprietary Information 1


Legal Disclaimer

All or some of the products detailed in this presentation may still be under development and certain specifications, including but not limited to, release dates, prices, and product features, may change. The products may not function as intended and a production version of the products may never be released. Even if a production version is released, it may be materially different from the pre-release version discussed in this presentation.

Nothing in this presentation shall be deemed to create a warranty of any kind, either express or implied, statutory or otherwise, including but not limited to, any implied warranties of merchantability, fitness for a particular purpose, or non-infringement of third-party rights with respect to any products and services referenced herein.

ADX, AnyIO, Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, ICX, MLX, MyBrocade, OpenScript, VCS, VDX, and Vyatta are registered trademarks, and HyperEdge, The Effortless Network, and The On-Demand Data Center are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned may be trademarks of their respective owners.
Module 0: SDN Overview
What is SDN? What can I do with it?


Where did SDN originate?


A Brief History of Networking
1990s: PCs and Networking: Switches

Distributed control: independent, intelligent, and autonomous network devices.

[Figure: a mesh of switches, each carrying its own Control plane and Data Forwarding plane]
A Brief History of Networking
2015: PCs, laptops, tablets, phones, cloud, datacenters, virtualization, ...

Distributed control: independent, intelligent, and autonomous network devices.

[Figure: the same mesh of switches as on the 1990s slide, each still carrying its own Control plane and Data Forwarding plane]
Why are we still here?
Well it seemed like a good idea at the time...

2/8/17 7
ForCES
Forwarding and Control Separation

Circa 2003
IETF standards
Separation of Forwarding and Control Planes

[Figure: a chassis with Control Blades (CE, control elements) and Router Blades (FE, forwarding elements) joined by a Switch Fabric Backplane]
Clean Slate Program
Starting Over

Circa 2005: Research: Clean slate
Forwarding at edge
Control at central management system

[Figure: a Network-level Control and Management System holding Objectives and Network-wide Views, above Network Elements that hold only Forwarding Tables]
Ethane
Complete SDN(ish) System

Circa 2007: Research: Clean Slate Ethane implementation
Simple forwarding devices
Central controller

[Figure: an Ethane Controller holding Registration, Policies, Network Topology and Bindings, above Network Elements that each hold Flow Tables and a Forwarding Plane]
OpenFlow Protocol
Evolves from prior work

OpenFlow evolves from the Ethane protocol
OpenFlow switch implementations: Late 2007
OpenFlow proposed: March 2008
First OpenFlow specification: Dec 2008

Why SDN?


Fundamental Issue
Closed System

[Figure: an open environment, where many independent Apps run on top of an Operating System, contrasted with a closed environment, where the Operating System and its Apps form one sealed unit. Labels: Open Environments, Closed]
Why is this bad?

Stupid static, rigid, and inflexible networks!

Restricted opportunities for innovation
Vendor hegemony and lock-in
Result: Static, rigid, and inflexible networks
Cloud & Mobile Timeline
What was Driving the Networking Market

2006: AWS launches
Jun 29, 2007: First iPhone released
Aug 26, 2008: Facebook reaches 100M users
Aug 2009: Twitter reaches 50M users
2010: 200M smartphones sold
July 2012: VMware acquires Nicira for $1.21B
Sept 14, 2012: Facebook reaches 1B users
2013: YouTube uploads reach 100 hours/minute
Data Centers
The straw that broke the camel's back

Massive scale of DCs and cloud threaten to break many network technologies:
MAC table issues: overflowing
Spanning tree issues: unused links
VLAN issues: 4K not enough for multi-tenant clouds
Inter Data Center Traffic Engineering: how to handle massive traffic loads
MAC Address Table Overflow

Overflowing MAC table causes device to flood packets onto the network, with significant performance implications.

[Figure: a Switch whose MAC table is full of entries]

MAC Address Table full, causing incoming packets to fail their match, resulting in the packet getting flooded to all ports.
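The failure mode on this slide, as an added example (not code from the Brocade deck): a learning-switch model with a fixed-size MAC table. Once the table is full the switch can no longer learn new source addresses, so every frame addressed to one of those hosts misses the table and is flooded out all ports. The MAC addresses, port numbers and table capacity are constructed.

```python
# Added example, not from the Brocade deck: a learning switch with a
# fixed-capacity MAC table, showing why a full table forces flooding.
from collections import OrderedDict

FLOOD = "flood"   # marker: send out every port except the ingress port


class LearningSwitch:
    def __init__(self, capacity):
        self.capacity = capacity      # hardware MAC table size (constructed)
        self.table = OrderedDict()    # MAC -> port, least recently used first
        self.flooded = 0              # number of frames that had to be flooded

    def learn(self, src_mac, in_port):
        """Record where src_mac was seen; refuse to learn once the table is full."""
        if src_mac in self.table:
            self.table.move_to_end(src_mac)
            self.table[src_mac] = in_port
        elif len(self.table) < self.capacity:
            self.table[src_mac] = in_port
        # else: table full, the new address is simply not learned

    def forward(self, src_mac, dst_mac, in_port):
        """Return the egress port for a frame, or FLOOD if dst_mac is unknown."""
        self.learn(src_mac, in_port)
        out_port = self.table.get(dst_mac)
        if out_port is None:
            self.flooded += 1
            return FLOOD
        return out_port


def demo():
    """Fill a 4-entry table, then show that hosts 5..8 are never learned."""
    sw = LearningSwitch(capacity=4)
    broadcast = "ff:ff:ff:ff:ff:ff"
    # Constructed traffic: hosts 1..4 on ports 1..4 each send one broadcast
    for i in range(1, 5):
        sw.forward(f"00:00:00:00:00:0{i}", broadcast, in_port=i)
    known = sw.forward("00:00:00:00:00:01", "00:00:00:00:00:02", in_port=1)   # -> 2
    # Four more hosts appear; the table is full, so none of them is learned
    for i in range(5, 9):
        sw.forward(f"00:00:00:00:00:0{i}", broadcast, in_port=1 + (i % 4))
    unknown = sw.forward("00:00:00:00:00:01", "00:00:00:00:00:07", in_port=1)  # -> FLOOD
    return known, unknown, len(sw.table), sw.flooded
```

The table stays at four entries no matter how many new hosts appear, and the frame to host 7 floods even though host 7 has been transmitting; on a real switch this is the bandwidth and privacy cost the slide refers to.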
Spanning Tree Inefficiency

Spanning Tree issues:
Inefficiency: wasting bandwidth due to blocked links
Latency: delays introduced due to re-convergence after change

[Figure: a mesh of Switches in which several links are marked Blocked and only the tree links are marked Forwarding]
VLAN Exhaustion

When VLANs are used up, no more tenants can be supported in that network domain.

802.1Q Tag: TPID 0x8100 (16 bits) | CoS (3 bits) | VLAN ID (12 bits)

Besides, who would ever need more than 4096 VLANs?

Can't change the tag itself because hardware has been built to expect tags like this for the last decade or more.
Optimal Traffic Engineering

Network visibility and traffic data allows controller to make optimal path decisions.

[Figure: Shortest Path vs Optimal Path. Traffic taking the shortest path through the Data Forwarding devices runs into Congestion; the Open SDN Controller, seeing the congestion, steers traffic onto an uncongested Optimal Path]
Data Centers

Networking became the Hammer Pants of data centers:
No Agility: to quickly move networks from one physical location to another
No Automation: to use programmatic methods to make changes
No Virtualization: to instantly create, destroy, and move network resources

Pre-SDN attempts to address datacenter needs
Solving Data Center Issues
Management

Different attempts have been made to make datacenter networking more agile and able to adapt to changes:
Orchestration solutions
VM Management Plug-in solutions
RADIUS solutions
Orchestration Solutions

Network attributes updated by CLI & SNMP
Scripting to automate certain common tasks
Good for firmware updates
Not dynamic enough for datacenter automation needs

[Figure: an Orchestration system for Vendor X and Vendor Y drives an Aggregation Switch and TOR Switches A and B over CLI & SNMP; below them Physical Servers A and B run Hypervisors A and B hosting VMs A1, A2, A3 and B1, B2. Scenario: Move VM A1 to Physical Server B]
VM Plug-in Solutions

Network attributes updated by CLI & SNMP
Linked to server virtualization platform
Responds to adds, moves, changes, deletes
Still must use CLI or SNMP for network changes

[Figure: a VM Management system with a network Plug-in drives the Aggregation Switch and TOR Switches A and B over CLI & SNMP; same Physical Servers, Hypervisors and VMs as the previous slide. Scenario: Move VM A1 to Physical Server B]
RADIUS Solutions

Network attributes updated by RADIUS Policy
Automatic based on server changes
Dynamic network re-configuration using RADIUS attributes
Untrusted

[Figure: a RADIUS Server pushes Policy to the Aggregation Switch and TOR Switches A and B; same Physical Servers, Hypervisors and VMs as the previous slides. Scenario: Move VM A1 to Physical Server B]
Enough Said
Solving Data Center Issues
Tunnels

Different attempts have been made to make networking better able to handle datacenter issues such as MAC address table and VLAN exhaustion using tunnels:
Virtual Networking solutions using tunnels
Spanning Tree replacement protocols
Network Virtualization
VXLAN

MAC-in-IP tunnel: UDP (VXLAN port 8472)
Unicast between switches
2^24 Virtual Networks

Encapsulation (outer to inner):
Outer MAC header: Dest MAC | Source MAC
Outer IP header: Source IP | Dest IP
UDP header: Src UDP Port | Dst UDP Port (8472)
VXLAN header: 24-bit VXLAN Net ID
Original packet: Dest MAC | Source MAC | Payload

Source / Dest MAC & IP of switch tunnel endpoints; VXLAN UDP Port = 8472; 24-bit Network Identifier; Original Host Dest & Source and Payload.
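The VXLAN encapsulation on this slide, as an added example (not code from the deck): build the outer MAC/IP/UDP/VXLAN headers around a tenant frame, then parse them back and recover the 24-bit VNI, rejecting anything that does not validate. It uses UDP port 8472 as the slide does; IANA later assigned 4789 to VXLAN, so a receiver must check for the port it is actually configured to use. The VTEP addresses, the VNI and the tenant frame are constructed.

```python
# Added example, not from the Brocade deck: VXLAN (MAC-in-IP over UDP)
# encapsulation and decapsulation with outer-header validation.
import struct

VXLAN_PORT = 8472          # UDP port as given on the slide (IANA later assigned 4789)
VXLAN_FLAG_I = 0x08        # "VNI valid" flag bit in the VXLAN header
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ipv4_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ipv4_checksum(header):
    """One's-complement sum over a 20-byte IPv4 header (0 when a filled-in header verifies)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def vxlan_encap(inner_frame, vni, src_vtep, dst_vtep):
    """Wrap an Ethernet frame; src_vtep/dst_vtep are (mac, ip) of the tunnel endpoints."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit field")
    vxlan = struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)      # flags, reserved, VNI, reserved
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, udp_len, 0)  # constructed src port; UDP csum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, IPPROTO_UDP, 0,
                     ipv4_bytes(src_vtep[1]), ipv4_bytes(dst_vtep[1]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = mac_bytes(dst_vtep[0]) + mac_bytes(src_vtep[0]) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp + vxlan + inner_frame


def vxlan_decap(packet):
    """Validate the outer headers and return (vni, inner_frame)."""
    if struct.unpack("!H", packet[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ihl = (packet[14] & 0x0F) * 4
    if ihl != 20:
        raise ValueError("IPv4 options are not handled in this example")
    ip = packet[14:34]
    if ipv4_checksum(ip) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    if ip[9] != IPPROTO_UDP:
        raise ValueError("outer IP protocol is not UDP")
    udp_off = 14 + ihl
    _, dport, udp_len, _ = struct.unpack("!HHHH", packet[udp_off:udp_off + 8])
    if dport != VXLAN_PORT:
        raise ValueError("UDP destination port is not the VXLAN port")
    vx_off = udp_off + 8
    flags, vni_field = struct.unpack("!B3xI", packet[vx_off:vx_off + 8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    return vni_field >> 8, packet[vx_off + 8:udp_off + udp_len]


def demo():
    """Tunnel a constructed tenant frame between two VTEPs and recover it."""
    inner = (mac_bytes("00:11:22:33:44:55") + mac_bytes("66:77:88:99:aa:bb")
             + struct.pack("!H", ETHERTYPE_IPV4) + b"tenant payload")
    pkt = vxlan_encap(inner, vni=5001,
                      src_vtep=("02:00:00:00:00:01", "10.0.0.1"),
                      dst_vtep=("02:00:00:00:00:02", "10.0.0.2"))
    vni, recovered = vxlan_decap(pkt)
    return vni, recovered == inner, len(pkt) - len(inner)   # 50 bytes of tunnel overhead
```

The 50-byte overhead (14 + 20 + 8 + 8) is why VXLAN underlays need the MTU raised above the tenant MTU; the decapsulator refuses frames whose outer IP checksum, protocol or UDP port do not match, so a VTEP never trusts the VNI of an arbitrary UDP datagram.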
Network Virtualization
NVGRE

MAC-in-IP tunnel: GRE (IP Protocol 0x2F)
Unicast between switches
2^24 Virtual Networks

Encapsulation (outer to inner):
Outer MAC header: Dest MAC | Source MAC
Outer IP header: Source IP | Dest IP
GRE header: 24-bit Virtual Subnet ID
Original packet: Dest MAC | Source MAC | Payload

Source / Dest MAC & IP of switch tunnel endpoints; 24-bit Network Identifier; Original Host Dest & Source and Payload.
Network Virtualization
STT

MAC-in-IP tunnel: TCP (STT port 7471*)
Unicast between switches
64 bits of Context ID

Encapsulation (outer to inner):
Outer MAC header: Dest MAC | Source MAC
Outer IP header: Source IP | Dest IP
TCP header: Src TCP Port | Dst TCP Port (7471*)
STT header: 64-bit Context ID
Original packet: Dest MAC | Source MAC | Payload

Source / Dest MAC & IP of switch tunnel endpoints; STT TCP Port = 7471*; 64-bit Context Identifier; Original Host Dest & Source and Payload.
* = currently
Network Virtualization
Orchestration Anyone?

Multiple tunnels per physical server
100,000 physical servers
Who is going to configure all of those tunnels?
Solving Data Center Issues
Protocols

Different attempts have been made to overcome datacenter networking issues, especially spanning tree, using new protocols:
Trill (MAC-in-MAC)
Shortest Path Bridging (Q-in-Q, MAC-in-MAC)
Trill

Transparent Interconnection of Lots of Links
MAC-in-MAC encapsulation
IS-IS link-state protocol for determining best path
No spanning tree

I hope that we shall one day see
A graph more lovely than a tree.
A graph to boost efficiency
While still configuration-free.
A network where RBridges can
Route packets to their target LAN.
The paths they find, to our elation,
Are least cost paths to destination!
With packet hop counts we now see,
The network need not be loop-free!
RBridges work transparently,
Without a common spanning tree.
SPB(V): USING Q-IN-Q

Inserts another VLAN tag into packet
Q-in-Q Outer Tag: Metro Tag | PE-VLAN | S-VID
Q-in-Q Inner Tag: C-VID
PE-VLAN: Provider Edge VLAN
S-VID: Service VLAN ID
C-VID: Customer VLAN ID

Frame formats:
Untagged packet: MAC Src | MAC Dst | Eth Type | Payload
802.1Q VLAN-tagged packet: MAC Src | MAC Dst | 802.1Q Tag | Eth Type | Payload
802.1ad Q-in-Q packet: MAC Src | MAC Dst | 802.1Q Outer Tag | 802.1Q Inner Tag | Eth Type | Payload
SPB(M): USING MAC-IN-MAC

Inserts a new MAC header at the beginning of the packet
B-SA: Backbone SA
B-DA: Backbone DA
B-VID: Backbone VID
I-SID: Service ID

Frame formats:
Untagged packet: SA | DA | Eth Type | Payload
802.1Q VLAN-tagged packet: SA | DA | 802.1Q Tag (VID) | Eth Type | Payload
MAC-in-MAC packet: B-SA | B-DA | 802.1Q B-VID (S-VID) | 802.1Q I-SID (C-VID) | SA | DA | Eth Type | Payload
Distributed vs. Central

Why do I want my Ethernet switches to relearn where every VM is located in the data center every 5 minutes when my orchestration system knows exactly where each VM is and no VM moves without my orchestration system telling it to move?
-- Cloud Datacenter Architect
Orchestration
Closed Systems vs Open Systems

Orchestration inherently involves lots of scaffolding
Your infrastructure is the foundation for that scaffolding
Do you want to build your data center on closed infrastructure?

[Figure: an Orchestration layer stacked on top of an Infrastructure layer]
SDN Definitions: Will the real SDN please stand up?
SDN Definitions
Depends who you ask...

Neurologist: Sexually Dimorphic Nucleus
OpenFlow-based SDN
Separate Control & Forwarding Planes
Moving control functionality to centralized controller

Remove control software from device and place in a controller
Device handles the forwarding and data plane functionality
Controller handles the control plane functionality

[Figure: a Controller holding the Control functions of several devices; each Device retains only Forwarding]
Open Networking via SDN

Simplified devices
Centralized controller
Enforcement implemented by devices
Open environment for innovation

[Figure: Apps on top of an OpenFlow Controller, which drives several Forwarding devices]
SDN: The Big Picture

A network operating system
A suite of network applications
Communication between controller and devices via OpenFlow protocol

[Figure: Application layer (Apps) over the Network Operating System (Control), linked by the OpenFlow protocol to the Data Plane (Forwarding devices)]
Inside Networking Devices Today

Proprietary, vendor-specific control software in network device

[Figure: Network Device. SOFTWARE: Services, SNMP Agent, Web, CLI, ACLs, QoS, Routing, Security, Virus Throttling, Spanning Tree, CONFIG, Snooping, Access Control; Low-level ASIC interface. ASIC: L3 Table, L2 Table, TCAM]
Inside Networking Devices
With OpenFlow

Move software off the device, up to the controller

[Figure: Network Device. SOFTWARE moved to Controller: Services, SNMP Agent, Web, CLI, ACLs, QoS, Routing, Security, Virus Throttling, Spanning Tree, CONFIG, Snooping, Access Control. Remaining on device: OpenFlow agent, Low-level ASIC interface. ASIC: L3 Table, L2 Table, TCAM]
API-based SDN
Overview

Providing APIs to programmatically control the behavior of the network

Device APIs
Superior to SNMP or CLI
E.g. onePK, NETCONF, REST

Controller APIs
Open northbound API
Proprietary southbound

Policy APIs
Predefined policy-based APIs
Proprietary southbound

Note: Not mutually exclusive

[Figure: User Application -> API -> Policy -> API -> Controller -> API -> Device (Control, Forwarding)]
SDN APIs:
Device-Level

Ability for applications to be written to control or modify device configuration or packet forwarding behavior.
Replacement of older protocols (CLI, SNMP) with newer ones, e.g. NETCONF, REST, onePK. (*)
Legacy device support. (*)
Centralized control of network. (*)
Examples: Cisco, Juniper, Brocade, Arista, Alcatel-Lucent, ...
(*) In most cases

[Figure: Apps on a Proprietary Controller, which manages Control and Forwarding on several devices]
SDN APIs
Controller-Level

Ability for applications to be written to interact with controller in order to modify or control device configuration or packet forwarding behavior.
Controller API is open to network applications, but the API is specific to the controller, and often to devices as well.
Southbound protocol can be open or proprietary.
Examples: OpenDaylight, OpenContrail, Brocade-ODL,

[Figure: Apps on an open but controller-specific API above a Controller, which manages Control and Forwarding on several devices]
SDN APIs
Policy-Level

Ability for applications to be written to interact with policy layer on controller, to manage and control the policy behavior of the network.
Policy API is open to network applications, but the API is specific to the controller's policy-based functionality.
Southbound protocol can be open or proprietary.

[Figure: Apps on an open but policy-specific API above a Policy layer and Controller, which manages Control and Forwarding on several devices]
Overlay-based SDN
Overlays

Overlay Networks
Completely virtualized networks
Completely independent of equipment below

Physical Network

[Figure: several Overlay Networks floating above a Physical Network of Network Devices]
Overlays

Overlay Networks
Implemented in hypervisor
Doesn't touch the physical network
Still must deal with physical network issues

[Figure: Overlay Networks terminating in the Hypervisors of several Physical Servers, above a Physical Network of Network Devices]
Overlay Tunneling Alternatives

VXLAN (Cisco), NVGRE (Microsoft), STT (Nicira)
Use MAC-in-IP tunneling

Outer packet: MAC header | IP header | UDP* header | Payload
Payload: Tunnel header | MAC header | IP header | Payload
Overlay Tunneling Operation

Tunnels exist between tunnel endpoint devices (VTEPs, e.g. vSwitches)
Encapsulated traffic sent VTEP-to-VTEP

[Figure: a mesh of tunnels between VTEPs]
SDN Operation
Anatomy of an SDN Device

Hardware
L2 & L3 forwarding tables
TCAMs for matching fields other than MAC and IP address

Operation
Handle matching flows locally
Drop or forward non-matching flows to controller and await instructions

[Figure: Switch, connected to Controller. API: OpenFlow, NETCONF. Abstraction Layer. Flow Tables. HW: L3 Fwd, L2 Fwd, TCAM]
Anatomy of a Software SDN Device

Software Switches
Slower: no hardware acceleration
Simpler: no issues related to HW table sizes and processing limitations

[Figure: Switch, connected to Controller. API: OpenFlow, NETCONF. Abstraction Layer. Flow Tables. SW: Packet Processing]
SDN Device: Hybrid Modes
Multiple meanings

Switch Mode: Different parts of the switch do OpenFlow, other parts do non-OpenFlow, designated by port or VLAN
Forwarding Mode: Support for FORWARD_NORMAL OpenFlow action, put packet through normal processing pipeline
Port Mode: If no matching flow entry exists in table, default to normal switch/router processing

[Figure: SDN Device Hybrid functionality. An OpenDaylight Controller above a Hybrid OpenFlow Switch. Firmware: STP, OSPF, MAC Learning, ACLs, OpenFlow Agent. Tables: VLAN, L2, L3, ACL, OpenFlow Table. Ports: Normal, OpenFlow]
SDN Controller Overview

Controller Components:
Northbound API: Communication with applications
Southbound API: Communication with devices
Modules: Functionality and storage
Applications: Advanced functionality

[Figure: Controller. Applications: Learning Switch, GUI, Router, Other. Northbound API: REST API, Java API. Modules: Disco & Device Mgr, Topo, Flows, Topo Mgr, Stats. Southbound: OpenFlow, NETCONF, Other]
Northbound API

Northbound API Events
Not available from REST
Switch & user device events
Packet events

Northbound API Functions
Add, delete, or modify flows
Actions to take in response to events received
Drop, modify, forward packet
Add, delete, modify flows

[Figure: an Application exchanging Events and Methods, functions, API calls with the Controller's Northbound REST API and Java API]
SDN Controller Applications

Standard applications
GUI
Learning Switch
Routing

Additional applications
Load balancer
Firewall

[Figure: the Controller diagram from the previous slides: Applications (Learning Switch, GUI, Router, Other), Northbound API (REST API, Java API), Modules (Disco & Device Mgr, Topo, Flows, Topo Mgr, Stats), Southbound (OpenFlow, NETCONF, Other)]
SDN Controller Considerations

No standard Northbound API
Coordination between applications
Scalability, High-availability, Performance

[Figure: the Controller diagram from the previous slides: Northbound API (REST API, Java API), Modules (Disco & Device Mgr, Topo, Flows, Topo Mgr, Stats), Southbound (OpenFlow, NETCONF, Other)]
OpenFlow Protocol
OpenFlow Basics
Flow Entries and Tables

Flow Entries: Match Fields | Stats | Actions
Match fields: matching incoming packets
Stats: keeping tally of packet matches
Actions: what to do if the packet matches

Flow Tables
Match: perform associated action/instruction
No match: forward to controller

[Figure: Controller above a device holding a Flow Table and Forwarding]
OpenFlow Basics
Match Fields

Match Fields:
- Basic 12-tuple (OpenFlow 1.0)
- MAC src/dst, IP src/dst, VLAN, TCP/UDP ports, physical switch port...
- Wildcards

12-tuple: Ingress Port | MAC Src | MAC Dst | Eth Type | VLAN Id | VLAN Prior | IP Src | IP Dst | IP Prot | IP ToS | TCP/UDP sport | TCP/UDP dport

[Figure: Controller above a device holding a Flow Table and Forwarding]
OpenFlow 1.0
Flow Entries

Flow entry: Matches | Actions | Stats

Matches (12-tuple): Ingress Port | MAC Src | MAC Dst | Eth Type | VLAN Id | VLAN Prior | IP Src | IP Dst | IP Prot | IP ToS | TCP/UDP sport | TCP/UDP dport

Actions: Forward (ALL, CNTRL, LOCAL, TABLE, IN_PORT, NORMAL*, FLOOD*) | Drop | Enqueue* | Modify Field*
* Optional

Stats: Pkts Recvd | Pkts Xmitd | Duration (sec.) | Duration (nano sec.)
OpenFlow 1.0
Tables

Prioritized list of Flow Entries
Evaluated in order, execute first match found
Each flow has a timeout (idle and hard)

Priority | Match Fields | Actions | Stats | Timers
Priority | Match Fields | Actions | Stats | Timers
Priority | Match Fields | Actions | Stats | Timers
...
Priority | Match Fields | Actions | Stats | Timers
OpenFlow 1.0
Tables (cont.)

Flow Entries can be installed Proactively or Reactively
Proactive Flows are set permanently or by default, and typically do not age out
Reactive Flows are set dynamically, set in reaction to device/state changes, and typically age out after some inactivity
OpenFlow 1.0
Flow Entry Examples

Columns: Ingress Port | MAC Src | MAC Dst | Eth Type | VLAN Id | VLAN Prior | IP Src | IP Dst | IP Prot | IP ToS | TCP/UDP sport | TCP/UDP dport | Action

3 | * | * | * | * | * | * | * | * | * | * | * | Output: Port 5
* | * | 08:2c:67:81:3f:06 | * | * | * | * | * | * | * | * | * | Output: Port 23
* | * | * | * | * | * | * | 10.2.8.0/24 | * | * | * | * | Output: Port 82
OpenFlow 1.0
Flow Entry Examples

Columns: Ingress Port | MAC Src | MAC Dst | Eth Type | VLAN Id | VLAN Prior | IP Src | IP Dst | IP Prot | IP ToS | TCP/UDP sport | TCP/UDP dport | Action

* | 08:2c:67:81:3f:06 | * | * | * | * | * | * | * | * | * | * | Modify-field: VLAN Id = 22
* | * | * | * | 85 | * | * | * | * | * | * | * | Modify-field: VLAN Pri = 7
* | * | * | 0x0800 (IP) | * | * | * | * | 0x06 (TCP) | * | * | 80 (HTTP) | Modify-field: IP ToS = 0x22
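The OpenFlow Basics, Tables and Flow Entry Examples slides above, as one added example (not code from the deck): an OpenFlow 1.0-style flow table showing how priority ordering, wildcard and CIDR matching, idle/hard timeouts, per-entry statistics and the table-miss packet-in to the controller fit together. Field names follow the OpenFlow 1.0 ofp_match nomenclature (in_port, dl_dst, nw_dst, tp_dst, ...); the entries are the ones from the two example slides, plus the HTTP entry installed as a reactive flow with a constructed idle timeout. Packets are plain dicts of field values.

```python
# Added example, not from the Brocade deck: an OpenFlow 1.0-style flow table
# with priority ordering, wildcard and CIDR matching, idle/hard timeouts,
# per-entry statistics and table-miss handling.
import ipaddress

# OpenFlow 1.0 ofp_match field names for the 12-tuple on the slides
FIELDS = ("in_port", "dl_src", "dl_dst", "dl_type", "dl_vlan", "dl_vlan_pcp",
          "nw_src", "nw_dst", "nw_proto", "nw_tos", "tp_src", "tp_dst")
PACKET_IN = ("controller",)      # table miss: send the packet to the controller


class FlowEntry:
    def __init__(self, priority, match, actions, idle_timeout=0, hard_timeout=0, now=0.0):
        unknown = set(match) - set(FIELDS)
        if unknown:
            raise ValueError(f"not OpenFlow 1.0 match fields: {sorted(unknown)}")
        self.priority = priority
        self.match = match                 # field -> value; absent fields are wildcards
        self.actions = actions             # e.g. [("set_nw_tos", 0x22), ("output", 1)]
        self.idle_timeout = idle_timeout   # seconds without a hit; 0 = never
        self.hard_timeout = hard_timeout   # seconds since install; 0 = never
        self.installed = self.last_hit = now
        self.packets = self.bytes = 0      # the Stats column

    def matches(self, pkt):
        for field, want in self.match.items():
            have = pkt.get(field)
            if field in ("nw_src", "nw_dst") and "/" in str(want):   # CIDR wildcard
                if have is None or ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                    return False
            elif have != want:
                return False
        return True

    def expired(self, now):
        if self.hard_timeout and now - self.installed >= self.hard_timeout:
            return True
        return bool(self.idle_timeout) and now - self.last_hit >= self.idle_timeout


class FlowTable:
    def __init__(self):
        self.entries = []
        self.misses = 0

    def add(self, entry):
        self.entries.append(entry)
        self.entries.sort(key=lambda e: -e.priority)   # highest priority evaluated first

    def expire(self, now):
        self.entries = [e for e in self.entries if not e.expired(now)]

    def lookup(self, pkt, now, length=64):
        """Return the action list of the first matching entry, or PACKET_IN on a miss."""
        self.expire(now)
        for entry in self.entries:
            if entry.matches(pkt):
                entry.packets += 1
                entry.bytes += length
                entry.last_hit = now
                return entry.actions
        self.misses += 1
        return [PACKET_IN]


def demo():
    table = FlowTable()
    # The three proactive entries from the first examples slide
    table.add(FlowEntry(100, {"in_port": 3}, [("output", 5)]))
    table.add(FlowEntry(200, {"dl_dst": "08:2c:67:81:3f:06"}, [("output", 23)]))
    table.add(FlowEntry(150, {"nw_dst": "10.2.8.0/24"}, [("output", 82)]))
    # The HTTP entry from the second slide, installed reactively with a constructed idle timeout
    table.add(FlowEntry(300, {"dl_type": 0x0800, "nw_proto": 6, "tp_dst": 80},
                        [("set_nw_tos", 0x22), ("output", 1)], idle_timeout=10, now=0.0))
    http = {"in_port": 7, "dl_type": 0x0800, "nw_proto": 6, "tp_dst": 80, "nw_dst": "192.0.2.9"}
    a = table.lookup({"in_port": 3, "dl_dst": "08:2c:67:81:3f:06"}, now=1.0)  # priority 200 beats 100
    b = table.lookup({"in_port": 7, "nw_dst": "10.2.8.77"}, now=2.0)           # CIDR match
    c = table.lookup(http, now=3.0)                                            # reactive entry hit
    d = table.lookup(http, now=20.0)                                           # idled out -> miss
    return a, b, c, d, table.misses
```

The first packet matches two entries (ingress port 3 and the MAC destination) and the higher priority wins, which is why priorities rather than install order decide overlapping rules; the last lookup shows the reactive entry aging out after 10 idle seconds and the packet going to the controller again.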
OpenFlow
Ports

Physical ports
Correspond to actual ports on the switch

Logical ports
Higher-level abstractions, e.g. LAGs, Tunnels

Reserved ports
ALL, CONTROLLER, LOCAL, NORMAL, FLOOD

[Figure: a Switch with Tunnels, Link Aggregation and Flood port abstractions]
OpenFlow 1.1
Changes from 1.0

Multiple Tables
Each table can have a different purpose, different match fields
Metadata passed from table to table to retain context
Actions added cumulatively to Action Sets

Example pipeline:
Table Authentication: Action Set = { Add: Set VLAN-Id }
Table QoS: Action Set = { Set VLAN-Id, Add: Set VLAN-Pri, Add: Set ToS }
Table Rate-Limits: Action Set = { Set VLAN-Id, Set VLAN-Pri, Set ToS, Add: Set Rate }
OpenFlow 1.1
Changes from 1.0 (cont.)

OpenFlow 1.0 flow entry: Match Fields | Stats | Actions
OpenFlow 1.1 flow entry: Match Fields | Stats | Instructions

Actions vs Instructions
OF 1.0: Each flow entry is associated with zero or more Actions
OF 1.1: Each flow entry is associated with a set of Instructions:
Changes packet (Apply- or Clear-Action(s))
Changes Action Set (Write-Action)
Changes pipeline processing (Write-Metadata or Goto-Table)
OpenFlow 1.1
Changes from 1.0 (cont.)

OF 1.0 match: Ingress Port | MAC Src | MAC Dst | Eth Type | VLAN Id | VLAN Prior | IP Src | IP Dst | IP Prot | IP ToS | TCP/UDP sport | TCP/UDP dport
OF 1.1 match: Ingress Port | Metadata | MAC Src | MAC Dst | Eth Type | VLAN Id | VLAN Prior | MPLS label | MPLS class | IP Src | IP Dst | IP Prot | IP ToS | TCP/UDP sport | TCP/UDP dport

New Match Fields
Metadata: For communication passed between tables
MPLS Label: Matches on outermost MPLS tag
MPLS Traffic Class: Matches on outermost MPLS tag
OpenFlow 1.1
Changes from 1.0 (cont.)

Push / Pop VLAN tags (QinQ)
Push / Pop MPLS tags (MPLS)
Inserted as the outermost tag
Tag-stacking encapsulation by ISPs

PE-VLAN: Provider Edge VLAN
S-VID: Service VLAN ID
C-VID: Customer VLAN ID

Frame formats:
Untagged packet: MAC Src | MAC Dst | Eth Type | Payload
802.1Q VLAN-tagged packet: MAC Src | MAC Dst | 802.1Q Tag | Eth Type | Payload
802.1ad Q-in-Q packet: MAC Src | MAC Dst | 802.1Q Outer Tag | 802.1Q Inner Tag | Eth Type | Payload
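The tag formats from the VLAN Exhaustion and SPB(V) Q-in-Q slides and the Push / Pop VLAN actions on this slide, as one added example (not code from the deck): a parser that walks an 802.1Q / 802.1ad tag stack, splitting each tag into its 3-bit priority and 12-bit VID, plus push and pop operations that always act on the outermost tag. The S-tag TPID 0x88a8 comes from IEEE 802.1ad and is not on the slides; the frames use the standard on-the-wire layout with the destination MAC first, whereas the slides draw Src before Dst. The frame bytes are constructed.

```python
# Added example, not from the Brocade deck: parse an 802.1Q / 802.1ad tag stack
# and implement Push-VLAN / Pop-VLAN on the outermost tag.
import struct

TPID_8021Q = 0x8100    # C-tag TPID, as on the VLAN Exhaustion slide
TPID_8021AD = 0x88A8   # S-tag TPID from IEEE 802.1ad (not on the slides)
TAG_TPIDS = {TPID_8021Q, TPID_8021AD}
MAX_VID = 4095         # 12-bit field


def parse_tags(frame):
    """Return (dst, src, tags outer->inner as (tpid, pcp, vid), ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]      # standard layout: destination MAC first
    off = 12
    tags = []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame")
        (tpid,) = struct.unpack("!H", frame[off:off + 2])
        if tpid not in TAG_TPIDS:
            break
        if off + 4 > len(frame):
            raise ValueError("truncated tag")
        (tci,) = struct.unpack("!H", frame[off + 2:off + 4])
        tags.append((tpid, tci >> 13, tci & 0x0FFF))   # 3-bit PCP, DEI bit skipped, 12-bit VID
        off += 4
    return dst, src, tags, tpid, frame[off + 2:]


def push_tag(frame, vid, pcp=0, tpid=TPID_8021Q):
    """Insert a tag as the outermost tag, directly after the MAC addresses."""
    if not 0 <= vid <= MAX_VID:
        raise ValueError("VID is a 12-bit field")
    tci = ((pcp & 0x7) << 13) | vid
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def pop_tag(frame):
    """Remove the outermost tag; refuse if the frame carries none."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid not in TAG_TPIDS:
        raise ValueError("no VLAN tag to pop")
    return frame[:12] + frame[16:]


def demo():
    # Constructed untagged IPv4 frame, then a customer tag, then a provider tag outside it
    untagged = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + struct.pack("!H", 0x0800) + b"ip-payload")
    c_tagged = push_tag(untagged, vid=100, pcp=5)
    q_in_q = push_tag(c_tagged, vid=2000, pcp=3, tpid=TPID_8021AD)
    _, _, tags, ethertype, payload = parse_tags(q_in_q)
    return tags, ethertype, payload, pop_tag(q_in_q) == c_tagged, pop_tag(c_tagged) == untagged
```

Because push and pop only ever touch the outermost 4 bytes after the addresses, the provider's S-tag can be added and removed without the customer's C-tag or payload changing; the VID range check is where the 4096-VLAN ceiling from the VLAN Exhaustion slide shows up in code.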
OpenFlow 1.1
Changes from 1.0 (cont.)

Group entry: Group ID | Group Type | Stats | Action Buckets

Group Tables
Flows can point to a Group rather than to a specific Action
Group Type defines the action to take:
All: Execute all action buckets, for broadcast & multicast; packet cloned for each bucket
Select: Execute one bucket in the group, based on switch-computed mechanism
Indirect: Execute the one defined bucket in the group
Fast Failover: Execute the first live bucket
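The four group types on this slide, as an added example (not code from the deck): a group entry with its action buckets and an execution function that clones for All, hashes a flow onto one bucket for Select, uses the single bucket for Indirect, and picks the first bucket whose watched port is live for Fast Failover. The CRC32-based bucket choice stands in for the switch-computed mechanism the slide mentions and is a constructed stand-in; the ports, weights and packet are constructed too.

```python
# Added example, not from the Brocade deck: execution semantics of the four
# OpenFlow 1.1 group types over a list of action buckets.
import zlib


class Group:
    TYPES = ("all", "select", "indirect", "ff")   # ff = fast failover

    def __init__(self, group_id, gtype, buckets):
        if gtype not in self.TYPES:
            raise ValueError(f"unknown group type {gtype!r}")
        if gtype == "indirect" and len(buckets) != 1:
            raise ValueError("indirect groups hold exactly one bucket")
        self.group_id = group_id
        self.gtype = gtype
        self.buckets = buckets   # dicts: {"actions": [...], "weight": int, "watch_port": int}
        self.packets = 0         # the Stats column


def select_bucket(buckets, pkt):
    """Weighted choice keyed on the flow, so one flow always lands in one bucket.
    Real switches use their own hash; this CRC32 is a constructed stand-in."""
    key = repr(tuple(pkt.get(k) for k in ("nw_src", "nw_dst", "tp_src", "tp_dst")))
    weights = [b.get("weight", 1) for b in buckets]
    point = zlib.crc32(key.encode()) % sum(weights)
    for bucket, weight in zip(buckets, weights):
        if point < weight:
            return bucket
        point -= weight


def execute_group(group, pkt, live_ports):
    """Return one action list per packet copy the switch would emit."""
    group.packets += 1
    if group.gtype == "all":                        # broadcast/multicast: clone per bucket
        return [b["actions"] for b in group.buckets]
    if group.gtype == "indirect":
        return [group.buckets[0]["actions"]]
    if group.gtype == "select":                     # load sharing
        return [select_bucket(group.buckets, pkt)["actions"]]
    for bucket in group.buckets:                    # fast failover: first live bucket
        if bucket.get("watch_port") in live_ports:
            return [bucket["actions"]]
    return []                                       # no live bucket: the packet is dropped


def demo():
    flood = Group(1, "all", [{"actions": [("output", p)]} for p in (1, 2, 3)])
    share = Group(2, "select", [{"actions": [("output", 10)], "weight": 1},
                                {"actions": [("output", 11)], "weight": 1}])
    ff = Group(3, "ff", [{"actions": [("output", 20)], "watch_port": 20},
                         {"actions": [("output", 21)], "watch_port": 21}])
    pkt = {"nw_src": "10.0.0.1", "nw_dst": "10.0.0.2", "tp_src": 40000, "tp_dst": 443}  # constructed
    copies = len(execute_group(flood, pkt, live_ports={1, 2, 3}))
    stable = execute_group(share, pkt, set()) == execute_group(share, pkt, set())
    primary = execute_group(ff, pkt, live_ports={20, 21})
    failover = execute_group(ff, pkt, live_ports={21})
    all_down = execute_group(ff, pkt, live_ports=set())
    return copies, stable, primary, failover, all_down
```

The Fast Failover case is the operationally interesting one: the switch re-routes the moment port 20 goes down without waiting for the controller, which is what the group abstraction buys over a plain flow action, and with every watched port down the packet is dropped rather than sent somewhere unexpected.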
OpenFlow 1.2
Changes from 1.1

Extensibility within the standard
Allows adding your own new, vendor-specific match fields
Extensible Matching: TLVs
Extensions for Actions: re-uses TLV match structure
No backwards compatibility

Old Way (fixed 12-tuple): Ingress Port | MAC Src | MAC Dst | Eth Type | VLAN Id | VLAN Prior | IP Src | IP Dst | IP Prot | IP ToS | TCP/UDP sport | TCP/UDP dport

New Way (TLV list, Type | Len | Value):
IN | Len | Value
SA | Len | Value
DA | Len | Value
Eth | Len | Value
VLAN | Len | Value
...
New | Len | Value
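The TLV match structure on this slide, as an added example (not code from the deck): an encoder and decoder for OXM, the OpenFlow 1.2 TLV match format, whose 32-bit header packs a 16-bit class, 7-bit field number, a has-mask bit and an 8-bit length. The class and field numbers are those of the OpenFlow 1.2 specification for the OPENFLOW_BASIC class; the decoder keeps a TLV it does not recognise as an opaque entry instead of failing, which is the extensibility point the slide makes. The sample values are the in_port and 10.2.8.0/24 entries from the flow-entry examples slides plus a constructed experimenter TLV.

```python
# Added example, not from the Brocade deck: encode and decode the OpenFlow 1.2
# OXM TLV match list, including a vendor TLV the decoder does not understand.
import struct

OFPXMC_OPENFLOW_BASIC = 0x8000   # OXM class for the standard fields
OFPXMC_EXPERIMENTER = 0xFFFF     # OXM class for vendor extensions
# (field number, value length in bytes) for a subset of the OPENFLOW_BASIC class
OXM_FIELDS = {
    "in_port": (0, 4), "eth_dst": (3, 6), "eth_src": (4, 6), "eth_type": (5, 2),
    "vlan_vid": (6, 2), "ip_proto": (10, 1), "ipv4_src": (11, 4), "ipv4_dst": (12, 4),
    "tcp_src": (13, 2), "tcp_dst": (14, 2),
}
BY_NUMBER = {num: (name, length) for name, (num, length) in OXM_FIELDS.items()}


def oxm_encode(name, value, mask=None):
    """One TLV: 32-bit header (class:16 | field:7 | hasmask:1 | length:8) then value[, mask]."""
    num, length = OXM_FIELDS[name]
    body = value.to_bytes(length, "big") if isinstance(value, int) else bytes(value)
    if len(body) != length:
        raise ValueError(f"{name} takes {length} bytes")
    if mask is not None:
        body += mask.to_bytes(length, "big")
    header = (OFPXMC_OPENFLOW_BASIC << 16) | (num << 9) | ((mask is not None) << 8) | len(body)
    return struct.pack("!I", header) + body


def oxm_decode(blob):
    """Walk a TLV list -> [(name, value_bytes, mask_bytes_or_None)]. Unknown TLVs are kept
    as opaque entries rather than aborting, which is what makes the format extensible."""
    out, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated OXM header")
        (header,) = struct.unpack("!I", blob[off:off + 4])
        oxm_class, field = header >> 16, (header >> 9) & 0x7F
        has_mask, length = (header >> 8) & 1, header & 0xFF
        body = blob[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated OXM value")
        off += 4 + length
        if oxm_class != OFPXMC_OPENFLOW_BASIC or field not in BY_NUMBER:
            out.append((f"unknown_{oxm_class:04x}_{field}", body, None))
            continue
        name, flen = BY_NUMBER[field]
        if length != flen * (2 if has_mask else 1):
            raise ValueError(f"bad length for {name}")
        out.append((name, body[:flen], body[flen:] if has_mask else None))
    return out


def demo():
    # in_port 3 and the 10.2.8.0/24 destination from the flow-entry examples slides,
    # followed by a constructed experimenter TLV (class 0xFFFF, field 1, 4-byte value)
    tlvs = oxm_encode("in_port", 3)
    tlvs += oxm_encode("ipv4_dst", int.from_bytes(bytes([10, 2, 8, 0]), "big"), mask=0xFFFFFF00)
    tlvs += struct.pack("!I", (OFPXMC_EXPERIMENTER << 16) | (1 << 9) | 4) + b"\xde\xad\xbe\xef"
    return [(name, value.hex(), mask.hex() if mask else None) for name, value, mask in oxm_decode(tlvs)]
```

The length byte lets a parser skip a TLV it cannot interpret, so a vendor field can sit in the same list as standard ones; the decoder still checks every length against what it expects for known fields, which is the check that keeps a malformed match from being silently misread.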
OpenFlow 1.2
Changes from 1.1 (cont.)

Adds IPv6 support
Match on IPv6 source/destination address
Match on IPv6 type, code, neighbor discovery
Match on IPv6 flow label
OpenFlow 1.3
Changes from 1.2

PBB - Inserts a new MAC header at the beginning of the packet
B-SA: Backbone SA
B-DA: Backbone DA
B-VID: Backbone VID
I-SID: Service ID

Frame formats:
Untagged packet: SA | DA | Eth Type | Payload
802.1Q VLAN-tagged packet: SA | DA | 802.1Q Tag (VID) | Eth Type | Payload
PBB (MAC-in-MAC) packet: B-SA | B-DA | 802.1Q B-VID (S-VID) | 802.1Q I-SID (C-VID) | SA | DA | Eth Type | Payload
NETCONF
NETCONF
Comparison to OpenFlow

OpenFlow: Hardware: Program device hardware. Low-level: Operates at low-level of the network device.
NETCONF: Software: Configure device software. High-level: Operates at high-level of the network device.

[Figure: OpenFlow: Controller -> Device -> OpenFlow Tables -> HW. NETCONF: Controller -> Device -> Device Software (Security, Policy, ... Etc) -> HW]
NETCONF
Basics

Configuration: A protocol for configuring network devices.
Network Management: Intended to be used by network management systems, as a successor to SNMP.
Data Types: NETCONF separates data into Configuration (static) and Operational (dynamic).
RPCs: Specify APIs that can be called to invoke operations on the device.
Notifications: Specify events to be sent under certain conditions.

[Figure: a Network Management system talking to a Device whose Device Software (Security, Policy, ... Etc) sits above HW]
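The RPC side of NETCONF described on this slide, as an added example (not code from the deck): building a get-config RPC against the running datastore and parsing the two kinds of reply a device returns, a data reply and an rpc-error. The NETCONF base namespace and the error-tag value are from RFC 6241; the interfaces module, its namespace and both replies are constructed, and no transport (SSH) is involved.

```python
# Added example, not from the Brocade deck: build a NETCONF <get-config> RPC
# and parse both a <data> reply and an <rpc-error> reply.
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"       # NETCONF base namespace (RFC 6241)
ET.register_namespace("nc", NC)
EX = "urn:example:hypothetical-interfaces"            # constructed YANG module namespace


def nc(tag):
    return f"{{{NC}}}{tag}"


def build_get_config(message_id, datastore="running", subtree_filter=None):
    """Return the XML text of an <rpc><get-config> for the given datastore."""
    rpc = ET.Element(nc("rpc"), {"message-id": str(message_id)})
    get_config = ET.SubElement(rpc, nc("get-config"))
    source = ET.SubElement(get_config, nc("source"))
    ET.SubElement(source, nc(datastore))
    if subtree_filter is not None:
        flt = ET.SubElement(get_config, nc("filter"), {"type": "subtree"})
        flt.append(subtree_filter)
    return ET.tostring(rpc, encoding="unicode")


def parse_reply(xml_text):
    """Return ("ok", <data> element) or ("error", error-tag, error-message)."""
    root = ET.fromstring(xml_text)
    err = root.find(nc("rpc-error"))
    if err is not None:
        return "error", err.findtext(nc("error-tag")), err.findtext(nc("error-message"))
    return "ok", root.find(nc("data"))


# Constructed replies a device might send; the interfaces module is hypothetical
REPLY_OK = f"""<rpc-reply message-id="101" xmlns="{NC}">
  <data>
    <interfaces xmlns="{EX}">
      <interface><name>eth0</name><vlan>22</vlan></interface>
      <interface><name>eth1</name><vlan>85</vlan></interface>
    </interfaces>
  </data>
</rpc-reply>"""

REPLY_ERR = f"""<rpc-reply message-id="102" xmlns="{NC}">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>access-denied</error-tag>
    <error-severity>error</error-severity>
    <error-message>write access to candidate denied</error-message>
  </rpc-error>
</rpc-reply>"""


def demo():
    request = build_get_config(101)
    status, data = parse_reply(REPLY_OK)
    vlans = {i.findtext(f"{{{EX}}}name"): int(i.findtext(f"{{{EX}}}vlan"))
             for i in data.iter(f"{{{EX}}}interface")}
    err_status, err_tag, err_msg = parse_reply(REPLY_ERR)
    return ("get-config" in request and "running" in request), vlans, err_status, err_tag, err_msg
```

Checking for rpc-error before touching data is the part worth copying: a management system that assumes every reply carries data will misread a denied or failed operation as an empty configuration.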
NETCONF
Compared to SNMP & CLI

CLI: Unstructured data; Get/Set data
SNMP: Structured data model (SMI); Get/Set data; SNMP traps; Agent
NETCONF: Structured data model (YANG); Get/Set config data; Get operational data; Notifications; RPCs; Server
NETCONF and YANG

YANG:
Data Definition Language
YANG is the data definition language used primarily with NETCONF.
SMI: YANG is to NETCONF as SMI is to SNMP.
Operations: Configuration and Operational data, RPCs, and
Notifications.
Hierarchical: Tree with branches and leaf nodes (SNMP MIB).
Node Types:
Container: Major holder of large amounts of data.
Leaf-List: Array of like items.
List: Structure of multiple types of items.
Leaf: Actual data.
Network Device NETCONF Data

Depends on the device and what it supports, but in general...
Policy:
Match: Can match packets on ingress for the normal fields such as MAC/IP source and destination, IP protocol, UDP/TCP port.
Policy: Can set policy on packet in form of CoS, QoS, VLAN, etc.
Security:
ACLs: Can set PERMIT or DENY based on match fields listed above, in order to create firewall-type functionality.
Forwarding:
Routes: Can set routing behavior including static routes and forwarding to tunnels.
Use Cases
Google WAN
Without OpenFlow

Autonomous competition for paths
Only one wins, others retry
Repeat until everybody has a path

[Figure: a mesh of Data Forwarding routers and a Best route. 1. Link failure detected, other devices informed. 2. Devices autonomously compete for best path, all but one lose, then repeat]
Google WAN
With OpenFlow

Optimal path computation
Repeatable path computation

[Figure: a Central TE Controller holding Traffic, Topo and Policy above the same mesh of Data Forwarding routers. 1. Link failure detected, TE informed. 2. TE calculates routes and informs devices. 3. No autonomous trial-and-error by routers]
Routed Networks and SDN

Labor-intensive CLI or GUI
Maintaining consistency among routers
Quickly adapting to changes and/or failures
Many of the same patterns and issues as the datacenter

[Figure: a Controller holding Topo, Policy and Traffic above a mesh of Data Forwarding routers]
Carrier Networks and SDN

Many boundaries requiring encapsulation
Traffic engineering required: Customers only pay for what they actually use
Quickly adapting to changes and/or failures
Multiple customers, domains, layers, geographies
Monetization: Squeezing costs, NFV

[Figure: CE and PE routers at the customer/provider boundaries]
Load Balancing and SDN

Load-balancing well-suited for SDN
Flow-based forwarding decisions
SDN's agility and automation

Challenges for SDN
Stateful needs
Deep packet inspection needs

Load Balancer flow table (Pattern -> Action):
1.1.1.5 -> 1
1.1.1.7 -> 2
1.1.1.2 -> 3
1.1.1.4 -> 1
1.1.1.9 -> 2

[Figure: an OpenFlow Switch acting as Load Balancer between other Switches]
Firewalls and SDN

Firewalls well-suited to SDN
Block/allow IP addresses
Block/allow TCP/UDP ports

Challenges for SDN
Complex/stateful firewall rules
Deep packet inspection needs

Firewall flow table (Pattern -> Action):
HTTPS -> Allow
HTTP -> Allow
Exchange... -> Allow
Other Svcs -> Allow
* -> Deny

[Figure: an OpenFlow Switch acting as Firewall between other Switches]
Campus Environments and SDN

Access control solutions today are expensive, error-prone, complicated, and cumbersome

SDN simplifies the solution
o MAC authentication via OpenFlow Switch or AP
o Redirection to support BYOD

Challenges for SDN
o Flow table sizes
o Co-existence with 802.1X

[Figure: Guest, Company laptops, Employee's iPad and Company iPad connecting to the campus network]
SDN Survey
Survey of SDN Activities
SDN
Open Networking Foundation
Open Source SDN Controllers
OpenDaylight
Cisco (OnePK, XNC, APIC-DC, APIC-EM, Tail-f)
Juniper (Contrail, OpenContrail)
VMware (Nicira, NSX)
HP (VAN SDN Controller)
NEC (Programmable Flow Controller)
BigSwitch, PLUMgrid, Embrane, Ciena, Vello, etc.

NFV
End of SDN Overview
