OpenFlow Starter Tutorial Lab #2
OpenDaylight OpenStack Integration with DevStack on Fedora 20
OpenFlow Starter Tutorial Lab #2 :This lab is to restrict two hosts to only talk to each other with source based forwarding using the static flow pusher RESTful API. You can add any field you want to make the forwarding decisions on. Remember to name the flows with unique names or else you will overwrite previously instantiated flows. Previous posts in the series have setup included. Links to those at the bottom of this post.
Figure 1. OpenFlow Starter Tutorial Lab #2 Topology
Based on source MAC address we can lock two ports into only talking to each other. This is used for security reasons today in sensitive areas. This allows for very granular port to port mapping. We are adding two flows, just as a host needs a flow setup to talk to another host it also needs a return flow to put established.
Delete old static Flows from Lab 1.
|
1 2 3 |
curl http://192.168.1.208:8080/wm/staticflowentrypusher/clear/00:00:5c:26:0a:5a:c8:b2/json |
Push the two static OpenFlow RESTful API Calls to Create Your FlowMod
|
1 2 3 4 5 6 |
#To ping from port 1 to 6 $curl -d '{"switch": "00:00:5c:26:0a:5a:c8:b2", "name":"static-flow1", "cookie":"0", "priority":"32768", "src-mac":"00:11:22:cc:cc:10","active":"true", "actions":"output=6"}' http://192.168.1.208:8080/wm/staticflowentrypusher/json #To ping from port 6 to 1 $curl -d '{"switch": "00:00:5c:26:0a:5a:c8:b2", "name":"static-flow2", "cookie":"0", "priority":"32768", "src-mac":"22:22:22:00:cc:10","active":"true", "actions":"output=1"}' http://192.168.1.208:8080/wm/staticflowentrypusher/json |
Ping the hosts from those two ports. They should only be able to ping each other not your gateway or anything else since the closets match is the static one pushed.
Once I add these may gateway no longer pings becuase the only place those to source mac addresses explicitly match on are eachothers ports. So while they can talk to each other they can not talk anywhere else.
While this is clearly not managable at scale, it should get the your wheels going on the possiblities this opens when you start thinking about how powerful this granularity can become in the security world if done programmatically from policy.
Check out the rest of the tutorials in this series:
- Getting Started OpenFlow OpenvSwitch Tutorial Lab – Setup
- OpenFlow Starter Tutorial Lab #1
- OpenFlow Starter Tutorial Lab #2
- OpenFlow Starter Tutorial Lab #3
Thanks for stopping by.
Hi Brent,
Should’nt it be that if src-mac is ”00:11:22:cc:cc:10″ then output to ovs-port 6 and similarly if src-mac is ”22:22:22:00:cc:10″ then output to ovs-port 1 as per the diagram.
Thanks.
Thanks a bunch for catching that. What I get for doing this half asleep at night after work.
Adjusted to like you pointed out. Thanks!
#To ping from port 1 to 6
$curl -d ‘{“switch”: “00:00:5c:26:0a:5a:c8:b2”, “name”:”static-flow1″, “cookie”:”0″, “priority”:”32768″, “src-mac”:”00:11:22:cc:cc:10″,”active”:”true”, “actions”:”output=6″}’ http://192.168.1.208:8080/wm/staticflowentrypusher/json
#To ping from port 6 to 1
$curl -d ‘{“switch”: “00:00:5c:26:0a:5a:c8:b2”, “name”:”static-flow2″, “cookie”:”0″, “priority”:”32768″, “src-mac”:”22:22:22:00:cc:10″,”active”:”true”, “actions”:”output=1″}’ http://192.168.1.208:8080/wm/staticflowentrypusher/json
Hi,
how can i send files bettwen the VMS?