In this exercise you will learn how to manipulate FlowVisor by creating different types of slicing. First, you will create topology-based slicing. Then you will create protocol-based slicing. In both cases some programs have been prepared to enable you to verify whether your slicing is correct. Therefore it is essential that you do your exercise work in the FlowVisor directory which has been prepared. For example, for the topology exercise, use the directory flowvisor/flowvisor-topo.
Download the VM here.
The username and password for the VM are both openflow.
Before jumping into the exercises perhaps we should recall the FlowVisor API calls which can be reached by using the command fvctl as shown below:
openflow@TutorialVM:~/flowvisor/flowvisor-topo/scripts$ ./fvctl.sh listSlices
Displays the currently configured slices.
Displays the slicename's controller URL, contact information, and who created this slice.
Creates a new slice. Note that the slicename cannot contain
any of the following characters: !:= or new lines. The controller
URL is of the form tcp:hostname[:port] so "tcp:controller.myco.com"
or "tcp:127.0.0.1:12345", with the default port being 6633. The email
is used as the administrative contact point if there is a problem with
Allow a slice user to change values associated with their slice.
Currently only "contact_email", "controller_host" and "controller_port"
Deletes a slice and removes all of the flowspace corresponding to the
Change the password for slice slicename.
Lists the FlowVisor's flow-based slice policy rules, i.e., the flowspace.
Removes rule with id=ID.
Creates a new rule and returns the new rule's ID. See below for the format of DPID, FLOW_MATCH, and SLICEACTIONS.
Replaces rule ID with a new rule with the specified parameters. See below for the format of DPID, FLOW_MATCH, and SLICEACTIONS.
The following field assignments describe how a flow matches a packet. If any of these assignments is omitted from the flow syntax, the field is treated as a wildcard; thus, if all of them are omitted, the resulting flow matches all packets. The string all or any is used to specify a flow that matches all packets.
Matches physical port port_no. Switch ports are numbered as displayed by fvctl getDeviceInfo DPID.
Matches IEEE 802.1q virtual LAN tag vlan. Specify 0xffff as vlan to match packets that are not tagged with a virtual LAN; otherwise, specify a number between 0 and 4095, inclusive, as the 12-bit VLAN ID to match.
Matches Ethernet source address mac, which should be specified as 6 pairs of hexadecimal digits delimited by colons, e.g. 00:0A:E4:25:6B:B0.
Matches Ethernet destination address mac.
Matches Ethernet protocol type ethertype, which should be specified as an integer between 0 and 65535, inclusive, either in decimal or as a hexadecimal number prefixed by 0x, e.g. 0x0806 to match ARP packets.
Matches IPv4 source address ip, which should be specified as an IP address, e.g. 192.168.1.1. The optional netmask allows matching only on an IPv4 address prefix. The netmask is specified "CIDR-style", i.e., 192.168.1.0/24.
Matches IPv4 destination address ip.
Matches IP protocol type proto, which should be specified as a decimal number between 0 and 255, inclusive, e.g. 6 to match TCP packets.
Matches the ToS/DSCP field of the IPv4 header tos/dscp (only the 6 DSCP bits; the 2 bits reserved for future use are not modified), which should be specified as a decimal number between 0 and 255, inclusive.
Matches transport-layer (e.g., TCP, UDP, ICMP) source port port, which should be specified as a decimal number between 0 and 65535 (in the case of TCP or UDP) or between 0 and 255 (in the case of ICMP), inclusive, e.g. 80 to match packets originating from an HTTP server.
Matches transport-layer destination port port.
Slice actions is a comma-separated list of slices that have control over a specific FlowSpace. Slice actions are of the form "Slice:slicename1=perm[Slice:slicename2=perm[...]]". Each slice can have three types of permissions over a flowspace: DELEGATE, READ, and WRITE. Permissions are currently a bitmask specified as an integer, with DELEGATE=1, READ=2, WRITE=4. So, "Slice:alice=5,bob=2" would give Alice's slice DELEGATE and WRITE permissions (1+4=5), but Bob only READ permissions. Improving this interface is on the TODO list. For example,
fvctl addFlowSpace all 2 any Slice:slice1=4,Slice:slice2=2
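The permission bitmask described above, decoded and audited in Python. This is an added example, not part of FlowVisor or of the original tutorial; the function names are hypothetical, and the parser accepts both spellings the text shows (with and without the Slice: prefix on later entries).

```python
# Added example: decode FlowVisor SLICEACTIONS strings and audit them.
PERMS = {"DELEGATE": 1, "READ": 2, "WRITE": 4}  # bitmask values from the text


def parse_slice_actions(actions):
    """Return {slicename: permission_int} for a SLICEACTIONS string."""
    result = {}
    for entry in actions.split(","):
        entry = entry.strip()
        # The page shows both "Slice:alice=5,bob=2" and "Slice:a=4,Slice:b=2".
        if entry.startswith("Slice:"):
            entry = entry[len("Slice:"):]
        name, sep, value = entry.partition("=")
        # Slice names may not contain ! : = or new lines (see createSlice above).
        if not sep or not name or any(c in name for c in "!:=\n"):
            raise ValueError("malformed slice action: %r" % entry)
        perm = int(value)  # raises ValueError on non-numeric permissions
        if not 1 <= perm <= 7:
            raise ValueError("permission out of range 1..7: %r" % entry)
        result[name] = perm
    return result


def decode(perm):
    """Expand a permission integer into its sorted flag names."""
    return sorted(flag for flag, bit in PERMS.items() if perm & bit)


def writers(actions):
    """Slices holding WRITE on a flowspace; more than one means shared control."""
    parsed = parse_slice_actions(actions)
    return sorted(name for name, perm in parsed.items() if perm & PERMS["WRITE"])


if __name__ == "__main__":
    for sample in ("Slice:alice=5,bob=2", "Slice:slice1=4,Slice:slice2=2"):
        for name, perm in parse_slice_actions(sample).items():
            print(sample, "->", name, decode(perm))
        print("  writers:", writers(sample))
```

Running writers() over every rule's slice actions is a quick isolation check: a flowspace with two writers is controlled by both slices.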
In this exercise we are going to cut up the topology and each slice will have a subset of the full topology given here.
The mininet topology given will create this topology, to start it run:
openflow@TutorialVM:~/flowvisor/flowvisor-topo$ sudo mn --custom topo.py --topo fvtopo --mac --controller=remote
The sudo password is openflow
Since we have included a slice visualizer here, there are a few guidelines to follow to ensure that everything works:
* Create three slices named respectively "first", "second", and "third".
* When adding flowspace you must specify at least the DPID and the in_port, otherwise the visualizer will be confused. ;)
From this point on, you are on your own. Go ahead and create the slices and flowspace. Once you think you have something which is working do the following:
Then point your browser on your host operating system to http://192.168.56.101:8000
You should see a webpage containing something similar to below.
If you mouse over the router in your browser you should be able to see the DPID of the device.
Try various port-based slices. See how creative you can be. If you are feeling adventurous, you can add more switches in the topo.py file and restart mininet.
Here, we will create protocol based slices as shown in the diagram below:
A mininet script file has been prepared to build this topology. Moreover, it has been augmented such that each mininet host is running an ssh, http, and telnet daemon. To start this mininet setup run:
openflow@TutorialVM:~/flowvisor/flowvisor-proto$ sudo python proto.py
Then create your slices, making sure you place your hosts in the correct slice. Then, point each slice to a controller. This could be multiple NOX instances simply running on different ports. It is fine to have each of them run a simple learning switch. For example, start NOX in a new terminal by running:
openflow@TutorialVM:~/nox/build/src$ ./nox_core -i ptcp:6634 pyswitch
Note that there are multiple ways to configure FlowVisor here. Some are more naive than others. _Hint:_ You can use an extra slice to make the configuration of your protocol-based slices simpler.
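To check a candidate protocol-based flowspace before loading it, the wildcard matching described earlier can be modelled offline. This is an added example, not FlowVisor code or part of the original tutorial: dl_type, nw_proto, tp_src and tp_dst follow fvctl's match field names, while the priorities, the slice name "rest" and the highest-priority-wins lookup are assumptions of this simplified model.

```python
# Added example: simplified model of flowspace lookup (not FlowVisor code).
# A rule is (priority, match, slice); fields omitted from a match are wildcards.

def matches(match, packet):
    """True if every field named in the match equals the packet's value."""
    return all(packet.get(field) == value for field, value in match.items())


def owning_slice(flowspace, packet):
    """Slice of the highest-priority matching rule, or None if unclaimed."""
    hits = [rule for rule in flowspace if matches(rule[1], packet)]
    if not hits:
        return None
    return max(hits, key=lambda rule: rule[0])[2]


def tcp(src_port, dst_port):
    """Constructed sample packet: IPv4 (0x0800) carrying TCP (proto 6)."""
    return {"dl_type": 0x0800, "nw_proto": 6,
            "tp_src": src_port, "tp_dst": dst_port}


ARP = {"dl_type": 0x0806}  # constructed sample: an ARP frame has no TCP fields

# Naive flowspace: only the client-to-server direction is assigned.
NAIVE = [
    (100, {"dl_type": 0x0800, "nw_proto": 6, "tp_dst": 22}, "ssh"),
    (100, {"dl_type": 0x0800, "nw_proto": 6, "tp_dst": 23}, "telnet"),
    (100, {"dl_type": 0x0800, "nw_proto": 6, "tp_dst": 80}, "http"),
]

# Return direction added, plus a low-priority catch-all slice (hypothetical
# name "rest") that takes everything the protocol slices do not claim.
FIXED = NAIVE + [
    (100, {"dl_type": 0x0800, "nw_proto": 6, "tp_src": 22}, "ssh"),
    (100, {"dl_type": 0x0800, "nw_proto": 6, "tp_src": 23}, "telnet"),
    (100, {"dl_type": 0x0800, "nw_proto": 6, "tp_src": 80}, "http"),
    (1, {}, "rest"),
]

if __name__ == "__main__":
    for name, flowspace in (("naive", NAIVE), ("fixed", FIXED)):
        print(name,
              "request:", owning_slice(flowspace, tcp(40000, 22)),
              "reply:", owning_slice(flowspace, tcp(22, 40000)),
              "arp:", owning_slice(flowspace, ARP))
```

In the naive flowspace the server's reply (source port 22) and ARP belong to no slice, so no controller ever sees them.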
Once you think you have correctly sliced your network, you can start an xterm for each mininet host by running
mininet> xterm h10
at the mininet terminal where h10 is the name of the host. Change that to get a shell for another host.
If you have configured everything correctly you should see the following for your telnet slice:
root@TutorialVM:~/flowvisor/flowvisor-proto# telnet 10.0.0.15
Trying 10.0.0.15...
Connected to localhost.
Escape character is '^]'.
Telnet Server> win
Welcome winner!!!
Telnet Server>
and for the ssh slice:
root@TutorialVM:~/flowvisor/flowvisor-proto# ssh email@example.com
Welcome to h13, enjoy your sliced SSH network
firstname.lastname@example.org's password:
and finally for the http slice (you can use lynx or wget, firefox will not work):
root@TutorialVM:~/flowvisor/flowvisor-proto# wget 10.0.0.14
--2012-07-27 07:18:57-- http://10.0.0.14/
Connecting to localhost|10.0.0.14|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 101 [text/html]
Saving to: `index.html'
100%[======================================>] 101 --.-K/s in 0s
2012-07-27 07:18:57 (16.0 MB/s) - `index.html' saved [101/101]
root@TutorialVM:~/flowvisor/flowvisor-proto# cat index.html
<!DOCTYPE html>
<html>
<body>
<h1>Cool! Come on in!</h1>
<p>Access granted!</p>
</body>
</html>
root@TutorialVM:~/flowvisor/flowvisor-proto#
If you have not configured FlowVisor correctly and you end up somehow logging into the wrong machine, a nasty message will be waiting for you ;).