OpenFlow Starter Tutorial Lab #2

For a more up-to-date tutorial (anything more than 6 months old is outdated in the world of SDN), please see:
OpenDaylight OpenStack Integration with DevStack on Fedora 20

OpenFlow Starter Tutorial Lab #2: This lab restricts two hosts to talking only to each other, using source-based forwarding pushed through the static flow pusher RESTful API. You can add any field you want to make the forwarding decisions on. Remember to give each flow a unique name, or else you will overwrite previously instantiated flows. The setup is covered in the previous posts in the series; links to those are at the bottom of this post.


Figure 1. OpenFlow Starter Tutorial Lab #2 Topology

Based on the source MAC address we can lock two ports into talking only to each other. This is used for security reasons today in sensitive areas, and it allows for very granular port-to-port mapping. We are adding two flows: just as a host needs a flow set up to talk to another host, it also needs a return flow so the reply traffic can get back to it.

Delete old static Flows from Lab 1.

Push the two static OpenFlow RESTful API Calls to Create Your FlowMod

Ping the hosts from those two ports. They should only be able to ping each other, not your gateway or anything else, since the closest match is the static flow you pushed.

Once I add these, my gateway no longer pings, because the only place those two source MAC addresses explicitly match on is each other's port. So while they can talk to each other, they cannot talk anywhere else.
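The three steps above (delete the Lab 1 flows, push the two flows, test reachability) and the gateway observation, worked through as an added example that is not part of the original post. It builds the two source-MAC flows with the JSON fields shown on this page, posts them to the static flow pusher path the page uses, and then emulates the switch's lookup to show why a host pinned by source MAC alone loses every destination except the one port it is steered to. Assumptions, not taken from the page: the DELETE-by-name form of the same endpoint follows the Floodlight static flow pusher documentation; the gateway's MAC and port, the Lab 1 flow name and the `send` transport hook are constructed for the example.

```python
"""Source-MAC port pinning with Floodlight's static flow pusher (added example)."""
import json
import urllib.request

# Endpoint and field names as used on this page (old Floodlight module name).
PUSHER_PATH = "/wm/staticflowentrypusher/json"
DEFAULT_PRIORITY = 32768


def build_flow(switch_dpid, name, src_mac, out_port, priority=DEFAULT_PRIORITY, cookie=0):
    """One static flow that matches on src-mac only and always forwards to out_port.
    Values are strings because that is how the pusher JSON on this page is written."""
    return {
        "switch": switch_dpid,
        "name": name,
        "cookie": str(cookie),
        "priority": str(priority),
        "src-mac": src_mac.lower(),
        "active": "true",
        "actions": "output=%d" % out_port,
    }


def pin_pair(switch_dpid, mac_a, port_a, mac_b, port_b, prefix="static-flow"):
    """The lab's two flows: A's frames go to B's port and B's frames go to A's port."""
    return [
        build_flow(switch_dpid, prefix + "1", mac_a, port_b),
        build_flow(switch_dpid, prefix + "2", mac_b, port_a),
    ]


def _urllib_send(method, url, body):
    """Default transport: a real HTTP request to the controller."""
    req = urllib.request.Request(url, data=body, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def push_flows(controller, flows, send=_urllib_send):
    """POST each flow. Names are checked first: the pusher overwrites a flow whose
    name already exists, which is the silent failure the post warns about.
    `send(method, url, body)` is injectable so requests can be inspected offline."""
    names = [f["name"] for f in flows]
    if len(set(names)) != len(names):
        raise ValueError("duplicate flow names would overwrite each other: %r" % names)
    url = "http://%s:8080%s" % (controller, PUSHER_PATH)
    return [send("POST", url, json.dumps(f).encode()) for f in flows]


def delete_flow(controller, name, send=_urllib_send):
    """Step 1 of the lab: remove an old static flow by name.
    Assumption: DELETE with {"name": ...} per the Floodlight pusher docs (not on this page)."""
    url = "http://%s:8080%s" % (controller, PUSHER_PATH)
    return send("DELETE", url, json.dumps({"name": name}).encode())


def select_flow(flows, src_mac):
    """Emulate the table lookup for a frame: highest-priority active flow whose src-mac
    matches, or None when no static flow applies."""
    hits = [f for f in flows if f["active"] == "true" and f["src-mac"] == src_mac.lower()]
    return max(hits, key=lambda f: int(f["priority"])) if hits else None


def can_reach(flows, port_of_mac, src_mac, dst_mac):
    """True/False when a static flow decides the frame and it does/does not land on the
    port where dst_mac lives; None when no static flow matches (default forwarding)."""
    flow = select_flow(flows, src_mac)
    if flow is None:
        return None
    out_port = int(flow["actions"].split("output=", 1)[1])
    return port_of_mac.get(dst_mac.lower()) == out_port


# Constructed lab values: DPID, host MACs and ports follow the page's comment thread;
# the gateway MAC/port are made up so the emulation has a third destination.
SWITCH = "00:00:5c:26:0a:5a:c8:b2"
HOST_A, PORT_A = "00:11:22:cc:cc:10", 1
HOST_B, PORT_B = "22:22:22:00:cc:10", 6
GATEWAY, PORT_GW = "aa:aa:aa:00:00:01", 3
PORT_OF_MAC = {HOST_A: PORT_A, HOST_B: PORT_B, GATEWAY: PORT_GW}
LAB_FLOWS = pin_pair(SWITCH, HOST_A, PORT_A, HOST_B, PORT_B)


def recorder():
    """Fake transport: records (method, url, decoded body) instead of sending."""
    log = []

    def send(method, url, body):
        log.append((method, url, json.loads(body)))
        return "ok"
    return log, send


if __name__ == "__main__":
    log, send = recorder()
    delete_flow("192.168.1.208", "lab1-flow-placeholder", send=send)  # Lab 1 name not on page
    push_flows("192.168.1.208", LAB_FLOWS, send=send)
    for method, url, body in log:
        print(method, url, body.get("name"))
    print("A->B ", can_reach(LAB_FLOWS, PORT_OF_MAC, HOST_A, HOST_B))    # True
    print("A->gw", can_reach(LAB_FLOWS, PORT_OF_MAC, HOST_A, GATEWAY))   # False
    print("gw->A", can_reach(LAB_FLOWS, PORT_OF_MAC, GATEWAY, HOST_A))   # None
```

Replace the `recorder()` transport with the default `_urllib_send` to talk to a real controller. The emulation makes the security property explicit: a src-mac-only match fixes the output port for every frame from that host, so reachability is decided by where the flow points, not by the destination the host asked for, which is exactly why the gateway stops answering.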

While this is clearly not manageable at scale, it should get your wheels turning on the possibilities this opens up when you start thinking about how powerful this granularity can become in the security world if done programmatically from policy.


Check out the rest of the tutorials in this series:


Thanks for stopping by.

About the Author

Brent Salisbury works as a Network Architect, CCIE #11972. He blogs at NetworkStatic.net with a focus on disruptive technologies that have a focus on operational efficiencies. Brent can be reached on Twitter @NetworkStatic.

  1. anon.coder 09-09-2012


    Hi Brent,

    Shouldn't it be that if src-mac is "00:11:22:cc:cc:10" then output to ovs-port 6 and similarly if src-mac is "22:22:22:00:cc:10" then output to ovs-port 1 as per the diagram.

    Thanks.

    • Brent Salisbury 09-09-2012


      Thanks a bunch for catching that. What I get for doing this half asleep at night after work.

      Adjusted to like you pointed out. Thanks!

      # To ping from port 1 to 6
      $ curl -d '{"switch": "00:00:5c:26:0a:5a:c8:b2", "name":"static-flow1", "cookie":"0", "priority":"32768", "src-mac":"00:11:22:cc:cc:10", "active":"true", "actions":"output=6"}' http://192.168.1.208:8080/wm/staticflowentrypusher/json
      # To ping from port 6 to 1
      $ curl -d '{"switch": "00:00:5c:26:0a:5a:c8:b2", "name":"static-flow2", "cookie":"0", "priority":"32768", "src-mac":"22:22:22:00:cc:10", "active":"true", "actions":"output=1"}' http://192.168.1.208:8080/wm/staticflowentrypusher/json

  2. patricio 11-21-2012


    Hi,
    how can I send files between the VMs?