Cloud Computing: Network Virtualization

Outline
- Virtual Switch
- Open vSwitch architecture
- OpenFlow

VIRTUAL SWITCH
- Software-based virtual switch
- Hardware-based virtual switch
- VN-Tag

Introduction
- With the emergence of cloud computing services, the number of virtual switches has begun to expand dramatically.
- This brings management complexity, security issues and even performance degradation.
- This part covers software-based and hardware-based virtual switches, and the integration of an open-source hypervisor with virtual switch technology.

SOFTWARE-BASED VIRTUAL SWITCH
- The x86 hypervisors implement a vSwitch.
- Each VM has at least one virtual network interface card (vNIC); the vNICs share the physical network interface cards (pNICs) of the host through the vSwitch.

Problems of the original vSwitch
- Administrators have no effective way to separate the packets of different VM users.
- For VMs residing on the same physical machine, traffic visibility is a big issue: their traffic never leaves the host, so the physical network and its monitoring tools never see it.
- The original vSwitches lack advanced networking features such as VLANs, port mirroring and port channels.
- Nowadays some hypervisor vSwitch vendors provide technologies to fix these problems; Open vSwitch may be superior in quality, for the reasons given in the Open vSwitch section.
HARDWARE-BASED VIRTUAL SWITCH

Why hardware-based?
- Software virtual switches consume host CPU and memory.
- Inconsistency between the network configuration and the server configuration may cause errors, and is very hard to troubleshoot and maintain.
- Hardware-based virtual switch solutions emerged for better resource utilization and configuration consistency.
Virtual Ethernet Port Aggregator (1/2)
- A standardization effort led by HP, Extreme, IBM, Brocade, Juniper and others.
- An emerging technology, part of the IEEE 802.1Qbg Edge Virtual Bridging (EVB) standard.
- The main goal of VEPA is to let VM traffic exit and re-enter the same server physical port, so that switching between VMs on one host is done by the external switch, where it becomes visible to the switch's ACLs and monitoring.

Virtual Ethernet Port Aggregator (2/2)
- A VEPA software update is required on host servers to force packets to be transmitted to the external switch.
- An external VEPA-enabled switch is required for communication between VMs on the same server.
- VEPA relies on "hairpin" mode, in which the switch sends traffic back out the same port it was just received on; this requires a firmware update on existing switches.

Pros and Cons of VEPA
- Pros: only minor software/firmware updates; the network configuration is maintained by the external switches.
- Cons: VEPA still consumes server resources to perform the forwarding-table lookup.
VN-Tag

VN-Tag (1/3)
- Proposed by Cisco and adopted by the IEEE as the basis for 802.1Qbh Bridge Port Extension.
- A VN-Tag is inserted between the Layer 2 header and the 802.1Q header to indicate which path the frame should travel on its way to another VM.
- The VN-Tag contains two essential fields: the source virtual interface identifier (SVIF_ID) of the sending host and the destination virtual interface identifier (DVIF_ID) of the receiving host.

VN-Tag (2/3): tag fields
- Ethertype: identifies the VN-Tag.
- D (direction): 1 indicates that the frame is travelling from the bridge to the interface virtualizer (IV).
- P (pointer): 1 indicates that a vif_list_id is included in the tag.
- vif_list_id: a list of downlink ports to which this frame is to be forwarded (replicated); used for multicast/broadcast operation.
- DVIF_ID: destination vif_id of the port to which this frame is to be forwarded.
- L (looped): 1 indicates that this is a multicast frame that was forwarded out of the bridge port on which it was received; in this case the IV must check the SVIF_ID and filter the frame from the corresponding port.
- R: reserved.
- VER: version of the tag.
- SVIF_ID: the vif_id of the source of the frame.

VN-Tag (3/3): required components
- A VN-Tag capable physical NIC and a VN-Tag aware switch are both necessary.
- VN-Tag capable physical NIC: inserts the tag at Layer 2 of the data frame, identifying the packet as belonging to a specified VM.
- VN-Tag aware switch: strips the tag from the frame header when forwarding to a normal switch, and tags a stripped or untagged frame if the packet is to be transmitted to a VM destination via a VIF port.

Pros and Cons of VN-Tag
- Pros: with VN-Tag, switching is performed entirely by the external VN-Tag aware switches; no forwarding decision table is left on the host servers.
- Cons: the Ethernet frame format is modified, and new host NICs and external switches that recognize VN-Tag must be purchased.

OPEN VSWITCH ARCHITECTURE
- Introduction to Open vSwitch
- Main components of Open vSwitch
- Open vSwitch Testing Case
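The VN-Tag header described in the VN-Tag slides above (its fields, its insertion between the L2 header and the 802.1Q tag by the NIC, and its removal by the VN-Tag aware switch), as an added Python example that is not code from the page, from Cisco, or from any NIC or switch firmware. The page gives no bit widths: the widths used here (d 1, p 1, dvif_id 14, l 1, r 1, ver 2, svif_id 12, after a 16-bit ethertype) and the 0x8926 ethertype are taken from Cisco's published VN-Tag format and are assumptions; the sample frame is constructed. Refusing a frame that already carries a VN-Tag is an added check, not something the slides state.

```python
"""VN-Tag encode/decode, plus the NIC "insert" and switch "strip" steps.

Added example. Bit widths and the 0x8926 ethertype are assumptions taken
from Cisco's published VN-Tag format; the page names the fields but gives
no widths.
"""
import struct

VNTAG_ETHERTYPE = 0x8926   # assumed VN-Tag ethertype
DOT1Q_ETHERTYPE = 0x8100   # IEEE 802.1Q tag ethertype
VNTAG_LEN = 6
L2_HDR_LEN = 12            # dst MAC + src MAC; the tag goes right after them


def pack_vntag(dvif_id, svif_id, d=0, p=0, l=0, ver=0):
    """Build the 6-byte tag: ethertype, then d(1) p(1) dvif_id/vif_list_id(14) l(1) r(1) ver(2) svif_id(12)."""
    if not (0 <= dvif_id < 1 << 14 and 0 <= svif_id < 1 << 12):
        raise ValueError("vif_id out of range")
    word = (d << 31) | (p << 30) | (dvif_id << 16) | (l << 15) | (ver << 12) | svif_id
    return struct.pack("!HI", VNTAG_ETHERTYPE, word)


def unpack_vntag(tag):
    """Decode the 6 tag bytes into their named fields (r is the reserved bit)."""
    etype, word = struct.unpack("!HI", tag[:VNTAG_LEN])
    if etype != VNTAG_ETHERTYPE:
        raise ValueError("not a VN-Tag")
    return {
        "d": (word >> 31) & 1, "p": (word >> 30) & 1,
        "dvif_id": (word >> 16) & 0x3FFF,   # vif_list_id when p == 1
        "l": (word >> 15) & 1, "r": (word >> 14) & 1,
        "ver": (word >> 12) & 0x3, "svif_id": word & 0xFFF,
    }


def has_vntag(frame):
    """True if the ethertype right after the MAC addresses is the VN-Tag ethertype."""
    return len(frame) >= L2_HDR_LEN + 2 and struct.unpack("!H", frame[12:14])[0] == VNTAG_ETHERTYPE


def nic_insert_tag(frame, svif_id, dvif_id):
    """VN-Tag capable NIC: tag a frame leaving a VM's virtual interface.

    Added check: a frame that already carries a VN-Tag is refused rather than
    forwarded, so a guest cannot supply its own SVIF_ID and impersonate another
    VIF; the NIC, not the guest, is the authority for the source VIF.
    """
    if has_vntag(frame):
        raise ValueError("guest-supplied VN-Tag refused")
    return frame[:L2_HDR_LEN] + pack_vntag(dvif_id, svif_id) + frame[L2_HDR_LEN:]


def switch_strip_tag(frame):
    """VN-Tag aware switch: remove the tag before forwarding to a normal switch.

    Returns (untagged_frame, fields) so the forwarding decision can still use
    SVIF_ID/DVIF_ID; an untagged frame is returned unchanged with fields=None.
    """
    if not has_vntag(frame):
        return frame, None
    fields = unpack_vntag(frame[L2_HDR_LEN:L2_HDR_LEN + VNTAG_LEN])
    return frame[:L2_HDR_LEN] + frame[L2_HDR_LEN + VNTAG_LEN:], fields


# Constructed sample: an 802.1Q-tagged (VLAN 1) IPv4 frame from a VM, no VN-Tag yet.
SAMPLE_FRAME = (bytes.fromhex("001f000000aa") + bytes.fromhex("0020000000bb")
                + struct.pack("!HH", DOT1Q_ETHERTYPE, 1) + struct.pack("!H", 0x0800)
                + b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    tagged = nic_insert_tag(SAMPLE_FRAME, svif_id=7, dvif_id=42)
    print(unpack_vntag(tagged[12:18]))
    stripped, fields = switch_strip_tag(tagged)
    print(stripped == SAMPLE_FRAME, fields)
```

The refusal in nic_insert_tag is what makes SVIF_ID worth trusting upstream: if a guest could pre-tag its own frames, the VN-Tag aware switch would attribute them to another VIF and apply that VIF's policy, which is the same class of problem as a VM injecting its own 802.1Q tag on an access port.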
Open vSwitch
- A software-based solution.
- Resolves the problems of network separation and traffic visibility, so that cloud users can be assigned VMs with elastic and secure network configurations.
- Architecture: a flexible controller in user space and a fast datapath in the kernel (on each server: Open vSwitch controller above Open vSwitch datapath).

Open vSwitch Concepts (1/2)
- Multiple ports to physical switches.
- A port may have one or more interfaces; bonding allows more than one interface per port.
- Packets are forwarded by flow.
- Visibility: NetFlow, sFlow, mirroring (SPAN/RSPAN/ERSPAN).
- IEEE 802.1Q support enables the virtual LAN function: by attaching a VLAN ID to the Linux virtual interfaces, each user gets its own LAN environment separated from the other users.

Open vSwitch Concepts (2/2)
- Fine-grained ACLs and QoS policies: L2-L4 matching; actions to forward, drop, modify and queue; HTB and HFSC queuing disciplines.
- Centralized control through OpenFlow.
- Works on Linux-based hypervisors: Xen, XenServer, KVM, VirtualBox.

Open vSwitch Contributors (partial)
[logo slide]

Packets are Managed as Flows (1/2)
- A flow may be identified by any combination of: input port, VLAN ID (802.1Q), Ethernet source MAC address, Ethernet destination MAC address, IP source address, IP destination address, TCP/UDP/... source port, TCP/UDP/... destination port.

Packets are Managed as Flows (2/2)
- The first packet of a flow is sent to the controller.
- The controller programs the datapath's actions for the flow (usually one action, but it may be a list). Actions include: forward to a port or ports, mirror; encapsulate and forward to the controller; drop.
- The controller then returns the packet to the datapath.
- Subsequent packets of the flow are handled directly by the datapath.
Main Components

ovsdb-server
- Database that holds the switch-level configuration.
- Custom database with nice properties: value constraints, weak references, garbage collection, log-based.
- Speaks the management protocol (JSON-RPC) to the manager and to ovs-vswitchd.

ovs-vswitchd (1/2)
- Core component in the system.
- Communicates with the outside world using OpenFlow.
- Communicates with ovsdb-server using the management protocol.
- Communicates with the kernel module over netlink.
- Communicates with the system through the netdev abstract interface.
- Supports multiple independent datapaths (bridges).
- Its packet classifier supports efficient flow lookup with wildcards, and explodes these (possibly) wildcarded rules into exact-match entries for fast processing by the datapath.

ovs-vswitchd (2/2)
- Implements mirroring, bonding and VLANs through modifications of the same flow table that is exposed through OpenFlow.
- Checks the datapath flow counters to handle flow expiration and statistics requests.

openvswitch_mod.ko
- Kernel module that handles switching and tunnelling.
- Exact-match cache of flows; designed to be fast and simple.
- A packet comes in: if a matching flow is found, the associated actions are executed and the counters updated; otherwise the packet is sent to user space.
- Does no flow expiration and knows nothing of OpenFlow.
- Implements tunnels.

Tunnelling
- Required to provide true virtual networks.
- Focus on performance: header caching, hardware offloading.
- Supported tunnelling modes: GRE, GRE over IPsec, CAPWAP. Plain GRE provides no confidentiality or integrity for the tunnelled traffic; GRE over IPsec does.

Migration
- KVM and Xen provide live migration.
- With plain bridging, IP address migration must occur within the same L2 network.
- Open vSwitch avoids this problem using GRE tunnels.

Distributed Virtual Switch
[figure]
Virtual LAN
- Per-customer VLANs are desirable for security reasons.
- But there is a limit of 4094 VLANs, so per-customer VLANs alone do not scale to a large cloud (which is where tunnelling comes in).

Open vSwitch Testing (1/2)
- VM1 and VM3 belong to a user assigned VLAN ID 1 through the tap0 virtual interface; VM2 and VM4 belong to a user assigned VLAN ID 2 through the tap1 virtual interface.
- The Data Network is used by the VMs to transmit data packets; the Management Network is used for out-of-band management and packet mirroring.
- On both hosts we have to create an OVS bridge interface (br0) that performs the virtual switch function, and attach the physical Data Network interface eth1 to it.

Open vSwitch Testing (2/2)
- Attach the virtual interfaces of each VM (tap0 and tap1) to the OVS bridge interface (br0) with the proper VLAN ID (the command listing on the slide is not reproduced here).
- Assign VM1 to VM4 addresses within the same IP range. VM1 and VM3 can ping each other, and VM2 and VM4 can ping each other.
- VM1 cannot reach VM2, and VM3 cannot reach VM4, even though they are on the same host machine.
OPENFLOW
- Introduction to OpenFlow
- OpenFlow Switching
- Usage models
- Virtualizing OpenFlow
- FlowVisor-based Virtualization
- OpenFlow references

OpenFlow
- Idealized view of a switch's datapath: a centralized controller configures the flow table.
- Lookup is based on L2-L4 matching; supports full wildcarding and priorities.
- Flows are associated with actions: forward, drop, modify.
- Missed flows (packets matching no entry) go to the controller.
- Remote visibility: description of the switch (supported actions, flow table sizes, etc.) and statistics (flows, tables, ports).

Nicira Extensions to OpenFlow
- Resubmit
- NXM (Extensible Match)
- Tunnels
- Registers
- IPv6
- Labels used by new actions
- Flexible tunnel tagging
- Multiple controllers
- Separate setting a QoS queue from transmitting
- Multipathing

Dynamic Flow Aggregation on an OpenFlow Network (1/2)
- Scope: different networks want different flow granularity (ISP, backbone, ...).
- Switch resources are limited (flow entries, memory).
- Network management is hard.
- Current solutions: MPLS, IP aggregation.

Dynamic Flow Aggregation on an OpenFlow Network (2/2)
- How does OpenFlow help?
- Dynamically define flow granularity by wildcarding arbitrary header fields.
- Granularity lives in the switch flow entries; no packet rewriting or encapsulation is needed.
- Create meaningful bundles and manage them using your own software (reroute, monitor).

OpenFlow Switching
- A way to run experiments in production networks; bring GENI to college campuses.
- A pragmatic compromise: allow researchers to run experiments in their network without requiring vendors to expose internal workings.
- Basic requirements: an Ethernet switch (e.g. 128 ports of 1GE) and an open protocol to remotely add/remove flow entries.

Experimenter's Dream (Vendor's Nightmare)
[figure: standard network processing in hardware and software beside user-defined processing; the experimenter writes experimental code on the switch/router]

No obvious way
- Commercial vendors won't open their software and hardware development environments: complexity of support, market protection and barrier to entry.
- Hard to build my own: prototypes are flaky; software-only is too slow; hardware/software has too small a fanout (need >100 ports for a wiring closet).

Furthermore, we need
- Isolation: regular production traffic untouched.
- Virtualized and programmable: different flows processed in different ways.
- Equipment we can trust in our wiring closet.
- An open development environment for all researchers (e.g. Linux, Verilog, etc.).
- Flexible definitions of a flow: individual application traffic, aggregated flows, alternatives to IP running side by side.

OpenFlow Switching
[figure: a controller PC talks to an OpenFlow switch over the OpenFlow protocol (SSL); per the OpenFlow Switch specification, the switch consists of a Secure Channel (software) and a Flow Table (hardware)]

Flow Table Entry ("Type 0" OpenFlow switch)
- Rule: matched on Switch Port, MAC src, MAC dst, Eth type, VLAN ID, IP Src, IP Dst, IP Prot, TCP sport, TCP dport, plus a mask selecting which fields are matched.
- Action:
  1. Forward packet to port(s)
  2. Encapsulate and forward to controller
  3. Drop packet
  4. Send to normal processing pipeline
- Stats: packet and byte counters.
Examples (1/2)

Switching
Switch Port *, MAC src *, MAC dst 00:1f:.., Eth type *, VLAN ID *, IP Src *, IP Dst *, IP Prot *, TCP sport *, TCP dport * -> Action: port6

Flow Switching
Switch Port port3, MAC src 00:20.., MAC dst 00:1f.., Eth type 0800, VLAN ID vlan1, IP Src 22.214.171.124, IP Dst 126.96.36.199, IP Prot 4, TCP sport 17264, TCP dport 80 -> Action: port6

Firewall
Switch Port *, MAC src *, MAC dst *, Eth type *, VLAN ID *, IP Src *, IP Dst *, IP Prot *, TCP sport *, TCP dport 22 -> Action: drop

Examples (2/2)

Routing
Switch Port *, MAC src *, MAC dst *, Eth type *, VLAN ID *, IP Src *, IP Dst 188.8.131.52, IP Prot *, TCP sport *, TCP dport * -> Action: port6

VLAN Switching
Switch Port *, MAC src *, MAC dst 00:1f.., Eth type *, VLAN ID vlan1, IP Src *, IP Dst *, IP Prot *, TCP sport *, TCP dport * -> Action: port6, port7, port9
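The flow-table examples above, run through the two-tier lookup that the Open vSwitch slides describe (a wildcard classifier with priorities in user space, an exact-match cache in the datapath in front of it, and a controller that sees only the first packet of a flow that matches nothing), as an added Python example that is not code from the page, from Open vSwitch or from any OpenFlow switch. Field names follow the ovs-ofctl style (dl_dst, nw_dst, tp_dst); the priorities given to the example rules, the full MAC and IP values, the packet sizes and the controller's MAC-to-port map are assumptions constructed for the example.

```python
"""Two-tier flow lookup in the style of Open vSwitch, loaded with the
"Type 0" flow-table examples (switching, firewall, routing, VLAN switching).

Added example, not Open vSwitch or OpenFlow code. The userspace table holds
wildcarded entries with priorities; the datapath cache holds exploded
exact-match entries; a packet that matches nothing goes to a controller,
which may install an exact "flow switching" entry. Priorities, addresses
and the controller's MAC-to-port map are constructed for this example.
"""
from collections import namedtuple

FIELDS = ("in_port", "dl_src", "dl_dst", "dl_type", "vlan",
          "nw_src", "nw_dst", "nw_proto", "tp_src", "tp_dst")
Packet = namedtuple("Packet", FIELDS)   # one exact header 10-tuple


class FlowEntry:
    """A rule (fields not listed in `match` are wildcarded), its actions and stats."""

    def __init__(self, match, actions, priority=0):
        unknown = set(match) - set(FIELDS)
        if unknown:
            raise ValueError(f"unknown match fields: {sorted(unknown)}")
        self.match, self.actions, self.priority = dict(match), list(actions), priority
        self.packets = self.bytes = 0   # packet + byte counters

    def matches(self, pkt):
        return all(getattr(pkt, f) == v for f, v in self.match.items())


class Switch:
    def __init__(self, controller):
        self.table = []          # wildcard entries, highest priority first
        self.cache = {}          # exact Packet -> FlowEntry (kernel-style fast path)
        self.controller = controller
        self.to_controller = 0   # packets that needed the controller

    def add_flow(self, entry):
        self.table.append(entry)
        self.table.sort(key=lambda e: -e.priority)   # stable: earlier rule wins ties
        self.cache.clear()       # cached decisions may now be wrong

    def classify(self, pkt):
        """Slow path: first matching wildcard entry in priority order."""
        return next((e for e in self.table if e.matches(pkt)), None)

    def handle(self, pkt, length=64):
        """Return the action list applied to `pkt` and update its counters."""
        entry = self.cache.get(pkt)
        if entry is None:                    # fast-path miss
            entry = self.classify(pkt)
            if entry is None:                # table miss: ask the controller
                self.to_controller += 1
                entry = self.controller(self, pkt)
                if entry is None:
                    return ["drop"]          # nothing installed; not cached
            self.cache[pkt] = entry          # explode into an exact-match entry
        entry.packets += 1
        entry.bytes += length
        return entry.actions


MAC_1F = "00:1f:00:00:00:01"     # the "00:1f:.." host of the slide examples (constructed)
MAC_CC = "00:20:00:00:00:cc"     # a host only the controller knows about (constructed)
MAC_PORTS = {MAC_CC: "port3"}    # controller's location table (constructed)


def demo_controller(switch, pkt):
    """On a miss, install an exact-match 'flow switching' entry if the
    destination MAC is known; otherwise let the switch drop the packet."""
    port = MAC_PORTS.get(pkt.dl_dst)
    if port is None:
        return None
    entry = FlowEntry(pkt._asdict(), [port], priority=50)
    switch.add_flow(entry)
    return entry


def build_demo_switch():
    """The slide examples as a flow table; the priorities are this example's choice."""
    sw = Switch(demo_controller)
    sw.add_flow(FlowEntry({"tp_dst": 22}, ["drop"], priority=100))              # Firewall
    sw.add_flow(FlowEntry({"dl_dst": MAC_1F, "vlan": 1},
                          ["port6", "port7", "port9"], priority=20))             # VLAN switching
    sw.add_flow(FlowEntry({"dl_dst": MAC_1F}, ["port6"], priority=10))          # Switching
    sw.add_flow(FlowEntry({"nw_dst": "188.8.131.52"}, ["port6"], priority=10))  # Routing
    return sw


if __name__ == "__main__":
    sw = build_demo_switch()
    http = Packet("port1", "00:20:00:00:00:01", MAC_1F, 0x0800, 1,
                  "10.0.0.1", "10.0.0.2", 6, 40000, 80)
    print(sw.handle(http))                      # VLAN switching wins over plain switching
    print(sw.handle(http._replace(tp_dst=22)))  # firewall entry has the highest priority
    unknown = http._replace(dl_dst=MAC_CC, vlan=None, nw_dst="10.0.0.9")
    print(sw.handle(unknown), sw.handle(unknown), sw.to_controller)  # one controller round trip
```

The firewall entry is given the highest priority on purpose: with wildcard matching, the drop rule only protects port 22 if no more specific forwarding rule outranks it, so the priority assignment is part of the policy, not a tuning detail.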
OpenFlow "Type 1"
- Additional actions: rewrite headers, map to queue/class, encrypt.
- More flexible header: allow arbitrary matching of the first few bytes.
- Support multiple controllers, for load-balancing and reliability.
Secure Channel
- SSL connection with a site-specific key.
- Controller discovery protocol.
- Encapsulates packets for the controller.
- Sends link/port state to the controller.
- Since the switch installs whatever flow entries arrive over this channel, the channel must authenticate the controller, not merely encrypt the traffic.

[figure: server room with a controller PC, an OpenFlow access point and an OpenFlow-enabled commercial switch; inside the switch, the Secure Channel and Flow Table sit beside the normal software and normal datapath]

OpenFlow Usage Models (1/2)
- Experiments at the flow level: user-defined routing protocols; admission control; experiment-specific controllers; network access control; static or dynamic flow entries; network management; energy management; VoIP mobility and handoff.
- Experiments at the packet level: slow, with the controller handling packet processing; fast, with flows redirected through programmable hardware; modified routers, firewalls, NAT, congestion control.
- Alternatives to IP.

Example Experiment at the Flow Level: Mobility
- Lots of interesting questions: management of flows, control of switches, access control of users and devices, tracking user location and motion.
- The Stanford Clean Slate Program: http://cleanslate.stanford.edu

Experiments at the Packet Level
[figure: a controller and a laboratory NetFPGA PC attached to the OpenFlow-enabled commercial switch, so that selected flows bypass the normal datapath and are processed in programmable hardware]

OpenFlow Usage Models (2/2)
- Experiments at the flow level; experiments at the packet level.
- Alternatives to IP: the flow table is Layer-2 based, e.g. new naming and addressing schemes.

Network Virtualization
- Network operators delegate control of subsets of network hardware and/or traffic to other network operators or users.
- Multiple controllers can talk to the same set of switches.
- Imagine a hypervisor for network equipment: it allows experiments to be run on the network in isolation from each other and from production traffic.

Trend
[figure: in the computer industry, a virtualization layer on x86 hardware runs Windows, Linux and Mac OS with their applications side by side; in the network industry, a virtualization or slicing layer on OpenFlow lets several controllers and network operating systems (e.g. NOX) share the same switches as isolated slices]

Virtualization or Slicing Layer
[figure: many network operating systems, or many versions of one, run their apps over a virtualization/slicing layer, which uses the open interface to the hardware to drive a set of simple packet-forwarding hardware]

Switch-Based Virtualization
- Exists for NEC and HP switches, but is not flexible enough.
[figure: one switch partitioned into Research VLAN 1 and Research VLAN 2, each with its own flow table and controller, beside the production VLANs, which keep normal L2/L3 processing]
FlowVisor
- A network hypervisor developed by Stanford.
- A software proxy between the forwarding and control planes of network devices.

FlowVisor-based Virtualization (1/2)
[figure: Heidi's, Aaron's and Craig's controllers each speak the OpenFlow protocol to FlowVisor (with policy control), which speaks OpenFlow to the OpenFlow switches; topology discovery is per slice]

FlowVisor-based Virtualization (2/2)
- Separation not only by VLANs, but by any L1-L4 pattern.
[figure: the same arrangement with slices defined by header patterns, e.g. a broadcast/multicast slice (dl_dst=FFFFFFFFFFFF) and an HTTP load-balancer slice (tp_src=80 or tp_dst=80)]
FlowVisor Slicing
- Slices are defined using a slice definition policy.
- The policy language specifies each slice's resource limits, its flowspace, and its controller's location as an IP address and TCP port pair.
- FlowVisor enforces transparency and isolation between slices by inspecting, rewriting and policing OpenFlow messages as they pass through it.

FlowVisor Resource Limits
- FlowVisor assigns hardware resources to slices:
- Topology: network devices or OpenFlow instances (by DPID) and physical ports.
- Bandwidth: each slice can be assigned a per-port queue with a fraction of the total bandwidth.
- CPU: coarse rate limiting keeps new-flow events from one slice from overrunning the switch CPU.
- Forwarding tables: each slice has a finite quota of forwarding rules per device.

FlowVisor FlowSpace
- A flowspace is defined by a collection of packet header patterns and assigned to slices: src/dst MAC address, VLAN ID, Ethertype, IP protocol, src/dst IP address, ToS/DSCP, src/dst port number.

FlowVisor Slicing Policy (1/2): messages from devices
- FlowVisor intercepts OpenFlow messages from devices.
- It only sends control-plane messages to a slice controller if the source device is in the slice's topology.
- It rewrites OpenFlow feature negotiation messages so the slice controller only sees the ports in its slice.
- Port up/down messages are pruned and only forwarded to the affected slices.

FlowVisor Slicing Policy (2/2): messages from controllers
- FlowVisor intercepts OpenFlow messages from controllers.
- It rewrites flow insertions, deletions and modifications so that they don't violate the slice definition:
  - flow definition, e.g. limit control to HTTP traffic only;
  - actions, e.g. limit forwarding to only the ports in the slice.
- It expands flow rules into multiple rules to fit the policy:
  - flow definition, e.g. if there is a policy for John's HTTP traffic and another for Uwe's HTTP traffic, a single rule intended to control all HTTP traffic is expanded into two rules;
  - actions, e.g. if the rule's action is "send out all ports", FlowVisor creates one rule for each port in the slice.
- It returns an "action is invalid" error if a controller tries to control a port outside of its slice.

FlowVisor Message Handling
[figure: Alice's, Bob's and Cathy's controllers speak OpenFlow to FlowVisor, which applies a policy check ("Is this rule allowed?") to each rule before passing it to the switch's OpenFlow firmware; the switch's data path forwards matching packets at full line rate and raises non-matching packets as exceptions to OpenFlow, where FlowVisor applies a second policy check ("Who controls this packet?") before delivering them to the owning controller]
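The slicing policy in the slides above (feature replies pruned to the slice's ports, flow definitions and actions rewritten to fit a slice, rules expanded when the slice's flowspace has several entries, an "action is invalid" error for ports outside the slice, and the device-side question of which slice owns a packet), as an added Python model that is not FlowVisor's code. The slice names, flowspace patterns and port sets are constructed; where the slide says "send out all ports" becomes one rule per slice port, this model instead emits one rewritten rule carrying an explicit output action per slice port.

```python
"""FlowVisor-style policy checks on OpenFlow messages.

Added example, not FlowVisor's code. A slice owns a flowspace (a list of
header patterns; fields left out of a pattern are wildcards) and a set of
switch ports. Flow insertions from a slice's controller are rewritten to
stay inside the flowspace, expanded when they straddle several flowspace
entries, and rejected when they touch ports outside the slice; feature
replies are pruned to the slice's ports; packet-ins are routed to the
slice whose flowspace matches. Slice names, patterns and ports are
constructed for this example.
"""


class PolicyError(Exception):
    """Raised where FlowVisor would return an error to the slice controller."""


class Slice:
    def __init__(self, name, flowspace, ports):
        self.name = name
        self.flowspace = [dict(p) for p in flowspace]
        self.ports = set(ports)


def intersect(a, b):
    """Pattern matching exactly the packets that match both a and b, or None."""
    out = dict(a)
    for field, value in b.items():
        if field in out and out[field] != value:
            return None
        out[field] = value
    return out


def pattern_matches(pattern, headers):
    return all(headers.get(f) == v for f, v in pattern.items())


class FlowVisor:
    def __init__(self, slices):
        self.slices = {s.name: s for s in slices}

    def visible_ports(self, slice_name, switch_ports):
        """Feature negotiation: the slice controller only sees its own ports."""
        return sorted(set(switch_ports) & self.slices[slice_name].ports)

    def check_actions(self, slc, actions):
        """Limit forwarding to ports in the slice; expand "all" to those ports."""
        out = []
        for act in actions:
            if act == "all":
                out.extend(f"output:{p}" for p in sorted(slc.ports))
            elif act.startswith("output:"):
                port = int(act.split(":", 1)[1])
                if port not in slc.ports:
                    raise PolicyError(f"{slc.name}: action is invalid (port {port} outside slice)")
                out.append(act)
            elif act in ("drop", "controller"):
                out.append(act)
            else:
                raise PolicyError(f"{slc.name}: unknown action {act!r}")
        return out

    def rewrite_flow_mod(self, slice_name, match, actions):
        """Rewrite one flow insertion into the (match, actions) rules the switch sees."""
        slc = self.slices[slice_name]
        if "in_port" in match and match["in_port"] not in slc.ports:
            raise PolicyError(f"{slc.name}: in_port {match['in_port']} outside slice")
        actions = self.check_actions(slc, actions)
        rules = []
        for space in slc.flowspace:            # one rule per flowspace entry it overlaps
            narrowed = intersect(match, space)
            if narrowed is not None and narrowed not in rules:
                rules.append(narrowed)
        if not rules:
            raise PolicyError(f"{slc.name}: flow lies entirely outside the slice flowspace")
        return [(rule, actions) for rule in rules]

    def owner_of(self, headers):
        """Who controls this packet? The slice whose flowspace matches a packet-in."""
        for slc in self.slices.values():
            if any(pattern_matches(p, headers) for p in slc.flowspace):
                return slc.name
        return None


# Constructed slices: one HTTP slice whose flowspace lists two users' HTTP
# traffic separately, and one broadcast slice keyed on the destination MAC.
SLICES = [
    Slice("http", [{"nw_proto": 6, "tp_dst": 80, "nw_src": "10.0.0.5"},   # John's HTTP
                   {"nw_proto": 6, "tp_dst": 80, "nw_src": "10.0.0.6"}],  # Uwe's HTTP
          ports={1, 2, 3}),
    Slice("broadcast", [{"dl_dst": "ff:ff:ff:ff:ff:ff"}], ports={1, 2, 3, 4}),
]

if __name__ == "__main__":
    fv = FlowVisor(SLICES)
    # A rule for "all HTTP" is expanded into one rule per user, as on the slide.
    for rule in fv.rewrite_flow_mod("http", {"nw_proto": 6, "tp_dst": 80}, ["all"]):
        print(rule)
    print(fv.visible_ports("http", [1, 2, 3, 4, 5]))
    print(fv.owner_of({"dl_dst": "ff:ff:ff:ff:ff:ff", "nw_proto": 17}))
    try:
        fv.rewrite_flow_mod("http", {"tp_dst": 80}, ["output:4"])
    except PolicyError as err:
        print(err)
```

Two checks are easy to forget in a proxy like this: the match is narrowed to the flowspace rather than merely checked against it, so a controller that sends a wildcard rule cannot capture traffic it does not own; and the rule is rejected outright, rather than silently narrowed to nothing, when it has no overlap with the slice at all.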
OpenFlow Consortium
- http://OpenFlowSwitch.org
- Goal: evangelize OpenFlow to vendors.
- Free membership for all researchers.
- Whitepaper, OpenFlow Switch Specification, reference designs.
- Licensing: free for research and commercial use.

OpenFlow building blocks
[figure]
- Monitoring/debugging tools: oftrace, oflops, openseer; ENVI (GUI)
- Controllers: NOX, Maestro
- Slicing software: FlowVisor
- Expedient
- Several of the above are Stanford-provided
- OpenFlow switches: commercial switches (HP, NEC, Pronto, Juniper and many more); software reference switch; NetFPGA; Broadcom reference switch; OpenWRT; PC Engines WiFi AP; Open vSwitch

Current SDN hardware
- Juniper MX-series
- NEC IP8800
- WiMax (NEC)
- HP Procurve 5400
- Netgear 7324
- PC Engines
- Pronto 3240/3290
- Ciena Coredirector
- Ask your vendors
Commercial Switch Vendors
Model | Virtualize | Notes
HP Procurve 5400zl or 6600 | 1 OF instance per VLAN | LACP, VLAN and STP processing before OpenFlow; wildcard rules or non-IP packets processed in software; header rewriting in software; CPU protects management during a loop
NEC IP8800 | 1 OF instance per VLAN | OpenFlow takes precedence; most actions processed in hardware; MAC header rewriting in hardware
Pronto 3240 or 3290 with Pica8 or Indigo firmware | 1 OF instance per switch | No legacy protocols (like VLAN and STP); most actions processed in hardware; MAC header rewriting in hardware

OpenFlow Controllers
Name | Language | Platform(s) | License | Original Author | Notes
OpenFlow Reference | C | Linux | OpenFlow License | Stanford/Nicira | not designed for extensibility
NOX | Python, C++ | Linux | GPL | Nicira | actively developed
Beacon | Java | Win, Mac, Linux, Android | GPL (core), FOSS licenses for your code | David Erickson (Stanford) | runtime modular, web UI framework, regression test framework
Maestro | Java | Win, Mac, Linux | LGPL | Zheng Cai (Rice) |
Trema | Ruby, C | Linux | GPL | NEC | includes emulator, regression test framework
RouteFlow | ? | Linux | Apache | CPqD (Brazil) | virtual IP routing as a service

Growing Community
[logo slide: vendors and start-ups, providers and business units, and more; note: level of interest varies]
Related Research
- DIFANE: rule partitioning for controller-less flow insertion.
- UCSD Fat Tree series (Scalable Commodity Data Center, PortLand, Hedera): scale-out data centers that use OpenFlow.
- Tesseract: centralized WAN in the 4D architecture.
- ONIX: fault-tolerant controller platform from Nicira, Google and NEC.
- DevoFlow: practical scalability limits of OpenFlow and modifications to get around them.

References
- Network Virtualization with Cloud Virtual Switch.
- S. Horman, "An Introduction to Open vSwitch", LinuxCon Japan, Yokohama, Jun. 2, 2011.
- J. Pettit and J. Gross, "Open vSwitch Overview", Linux Collaboration Summit, San Francisco, Apr. 7, 2011.
- J. Pettit, "Open vSwitch: A Whirlwind Tour", Mar. 3, 2011.
- Access Layer Network Virtualization: VN-Tag and VEPA.
- OpenFlow Tutorial.