OpenFlow技术原理介绍

OpenFlow技术原理介绍目录01OpenFlow发展的背景02OpenFlow的基本概念03OpenFlow的工作机制04OpenFlow的基本配置及 方案 气瓶 现场处置方案 .pdf气瓶 现场处置方案 .doc见习基地管理方案.doc关于群访事件的化解方案建筑工地扬尘治理专项方案下载 介绍Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com22OpenFlow背景厂商主要研发目标：厂商依赖性控网络规模和设备功能复杂：管控能力减弱制功与能转各厂商的命令不一样：网络维护不方便发分设备只能通过命令行接口：低扩展性离架构各自的控制逻辑：网络架构复杂Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com33RCP架构RCP(routingcontrolplatform)逻辑中央平台路由控制服务器IBGP逻辑中央平台路由控制服务器仅实现BGP路由决策集中管理IBGPCopyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com444D架构4D(decision,dissemination,discovery,data)决策平面数据平面分发平面Decision发现平面网络Dissemination直接视图控制Discovery仅仅是理论和功能建模DataCopyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com55Ethane架构Ethane中央控制器Ethane交换机中央控制器?Ethane交换机奠定OpenFlow技术基础Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com66SDN架构SDN应用层应用层应用程序控制层基础设施层APIAPIAPI控制层SDN控制软件网络服务openflowopenflowOpenFlow诞生网络设备网络设备基础设施层网络设备网络设备Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com77目录01OpenFlow发展的背景02OpenFlow的基本概念03OpenFlow的工作机制04OpenFlow的基本配置及方案介绍Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com88OpenFLow组件OpenFlow主要组件ScopeofOpenFlowSwitchSpecificationOpenFlow控制器OpenFlow交换机OpenFlowOpenFlow交换机组成SwitchControllerOpenFlow一个或多个流表&组表&meter表SecureProtocal到控制器的OpenFlow的信道(安全通道)ChannelSSLOpenFlow 协议 离婚协议模板下载合伙人协议 下载渠道分销协议免费下载敬业协议下载授课协议下载 安全通道FlowTable使用TCP进行连接默认TCP目的端口号6633Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com99OpenFlow交换机OpenFlow交换机类别：OpenFlow-Only交换机Controller1Controller2OpenFlow-Hybrid交换机OpenFlowprotocolOpenFlowprotocolSecureSecureOpenFlow实例类型：ChannelChannel全局实例Instance1Instance2VLAN实例FlowTableFlowTable接口实例OpenFlowSwitchCopyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com1010FlowTableOpenFlow流表由流表项构成。流表项的结构随着OpenFlow版本的演进不断丰富，不同协议版本的流表项结构如下:HeaderCountersActionsV1.0FiledMatchInstructiCountersV1.1&V1.2FieldsonsMatchV1.3PriorityCountersInstructionsTimeoutsCookieFieldsCopyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com1111FlowRemoval流表删除某个流表表项长时间不匹配报文则idle_timeout字段设置为非0某个流表表项一定时间过后，无论是否匹配报文则hard_timeout字段设置为非0当任意一个timeouts字段超时后，交换机会移除该流表表项控制器可以发送删除流表表项修改报文来移除交换机的流表表项可以设置交换机在移除表项后发送流移除报文到控制器Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com1212Instructions指令:指导报文如何处理Write-Actions写入动作必选的Goto-Table指示处理管道中的下个表Meter指示报文到指定的meterApply-Actions不改变动作集，立即执行动作可选的Clear-Actions立即清空动作集Write-Metadata写入隐藏的元数据13Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com1313Action&ActionSet每个报文均分配一个动作集，动作集里面包含多个动作Output转发到指定的OpenFlow端口必选Drop无直接动作，指令集中无output动作则丢的弃该报文Group处理报文到指定GroupSet-Queue设置报文的队列idPush-Tag写入/弹出标签例如VLAN,MPLS等可选/Pop-Tag的Set-Field修改报文的头字段Change-TTL修改TTL，HopLimit等字段Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com1414OpenFlow端口物理端口(以太网接口等)逻辑端口(环回接口,聚合接口等)保留端口(使用支持的行动来定义）ALL代表交换机所有可以用来转发特定报文的端口CONTROLLER代表OpenFlow控制器的控制信道TABLE代表OpenFlow管道的起点IN_PORT代表报文的进入端口ANY用于某些命令的特殊值,出入端口不能设为anyLOCAL代表交换机本地网络的堆栈和管理堆栈NORMAL代表传统的非OpenFlow交换机管道FLOOD代表传统的非OpenFlow交换机泛洪Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com1515OpenFlowProcessingPipelineOpenFlow管道处理 流程 快递问题件怎么处理流程河南自建厂房流程下载关于规范招聘需求审批流程制作流程表下载邮件下载流程设计 Packet+PacketIngressIngressport+PacketExecuteinportmetadataPacketOutTableTableTableAction01nActionOpenFlow管道ActionActionSetSet=0setsetNote:管道处理只会向前不会倒退报文无匹配表项则为Table-MissCopyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com1616TableMiss每一个流表都需要支持一个匹配流表失败的表项来处理匹配失败Table-Miss表项会定义如何处理匹配失败的报文。比如送到控制器处理，丢弃报文或直接送往下一个流表Table-Miss表项的优先级为0如果Table-Miss表项不存在，默认行为是丢弃报文Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com1717OpenFlow组表组表（Group）使OpenFlow可以支持额外的转发行为。组表含有以下组件：GroupIdentierGroupTypeCountersActionBucketsOpenflow定义的GroupType：ALL、Indirect、Select、FastfailoverAll执行所有动作桶。这个Group通常用于组播或者广播。Indirect执行Group中定义的一个桶。Select选取一个动作桶来执行。Fastfailover执行第一个有效的动作桶。Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com1818MeterTableMeter用于测量分配给它的报文的速率，以达到启用QoS的目的Meter直接和流表项相关联MeterIdentifierMeterBandsCountersMeterIdentifier：用于识别meter的32bits长的唯一整数MeterBands:指定速率范围和处理报文的方式Counters:当报文被meter处理时更新计数器Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com1919CountersOpenFlow交换机必须支持上表的计数器类型循环指的是该组件出现在OpenFlow交换机上的时间计数器Bits流表参考统计(启用的表项)32流表项循环(秒)32接收到报文数64接口传输的报文数64循环(秒)32传输的报文数64队列循环(秒)32组循环(秒)32流量循环(秒)32Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com2020目录01OpenFlow发展的背景02OpenFlow的基本概念03OpenFlow的工作机制04OpenFlow的基本配置及方案介绍Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com2121OpenFlow信道OpenFlow信道是连接控制器和每一个OpenFlow交换机的接口,控制器通过该信道设置，管理交换机通过OpenFlow信道的报文都是根据OpenFlow协议定义的。通常采用TLS加密，但也支持简单的TCP直接传输OpenFlow协议目前支持三种报文类型：controller-to-switchAsynchronoussymmetric22Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com2222OpenFlow消息Controller-to-switch消息Feature，控制器向交换机请求交换机openflow能力Modify-state，控制器管理交换机流表项和端口状态Packet-out，控制器通过交换机指定端口发送报文同步symmetric消息Hello，用于控制器与交换机建立连接Echo，交换机和控制器均可以向对方发送echo消息，接受者需要回复reply来测量延迟和保活异步asynchronous消息Packet-in，交换机发送数据报文给控制器Port-status，交换机端口状态发生变化时，触发该消息，通知控制器Flow-removed，交换机中流表项被删除时，触发该消息Error，交换机发送错误时触发该消息Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com2323OpenFlow信道连接controllerSYNon6633OFswitchSYN,ACKhelloFailsecureOpenFlow连Featurerequestmode接建立成功Featurereply交换机echo互相发送hello报文否OpenFlow信是根据交协商成功Echo道连接正常运换机设版本行超时置失败功能请求（FeatureRequest）功能响应（Featurereply）Fail终止连接standalonemode交换机Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com2424报文上送控制器的处理过程Receive报文提取报文的下发Flow-mode有无匹配流Packetin上no特征信息消息到交换机，表项送控制器（mac、ip等）添加流表项yes下发packetout按照匹配的报文，动作为流表项转发out到tableCopyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com2525报文上送控制器的处理过程Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com2626单播报文流表转发报文从表0开始yes更新计数器：执行指yes匹配令前往表N•更新动作集表M•更新报文/匹配集no字段•更新元数据no未匹yes配执行动作集no丢弃27Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com2727单播报文流表转发7.7.7.1OFSW1OFSW29.9.9.128Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com2828组播报文转发终端发出组播报文后，控制器为网络下发指导查询组表的流表流表与组表关联Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com2929目录01OpenFlow发展的背景02OpenFlow的基本概念03OpenFlow的工作机制04OpenFlow的基本配置及方案介绍Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com3030OpenFlow基本配置创建OpenFlow实例，并进入OpenFlow实例视图[Switch]openflowinstanceinstance-id配置OpenFlow实例的类型为全局类型[Switch-of-inst-instance-id]classificationglobal配置OpenFlow实例对应的VLAN[Switch-of-inst-instance-id]classificationvlanvlan-id[maskvlan-mask][loosen]配置带内管理VLAN[Switch-of-inst-instance-id]in-bandmanagementvlanvlan-listCopyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com3131OpenFlow基本配置配置TableMiss表项的缺省动作Switch-of-inst-instance-id]defaulttable-misspermit配置连接中断模式[Switch-of-inst-instance-id]fail-openmode{secure|standalone}配置连接控制器[Switch-of-inst-instance-id]controlleridaddressipip-addresslocaladdressiplocal-ip-address}激活OpenFlow实例[Switch-of-inst-instance-id]activeinstanceCopyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com3232OpenFlow基本配置查看OpenFlow连接是否建立[H3C]disopenflowinstance1controllerInstance1controllerinformation:Reconnectinterval:60(s)Echointerval:5(s)ControllerID:1ControllerIPaddress:99.1.1.22Controllerport:6633LocalIPaddress:99.1.1.9Localport:8661Controllerrole:MasterConnecttype:TCPConnectstate:EstablishedPacketssent:49509Packetsreceived:50312SSLpolicy:--VRFname:--Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com3333SDN实现场景VxLAN第三方云平台/Openstack/iMCVTEPVxLANGWNFVManagerVCFControllerVxLANIPWANGWCluster虚拟化管理平台ServiceVxLANIPGWOpenFlow+NetconfServiceOpenFlow+OVSDBVxLANNetwork接入交换接入交换VxLANGW接入交换机机机SR-IOVSR-IOVvSwitchvSwitchvSwitchAdptAdptvSwitchvSwitchServerVMVMVMVMVMVMVMVMVMNFVNFVHypervisorHypervisorHypervisorKVMKVMOpenFlow+NetconfServiceCopyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com3434初始流表的下发OVS和Controller建立连接后，Controller需要给OVS下发初始流表，否则进入OVS的报文查找不到流表项，做丢弃处理。控制器上初始的流表如下：Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com3535初始流表的下发OVS上的下发的初始流表：displayopenflowinstance1flow-table……Flowentry5information:cookie:0x2c324757415057,priority:61000,hardtime:0,idletime:0,flags:flow_send_rem,bytecount:0,packetcount:0Matchinformation:Ethernettype:0x0800IPprotocol:17UDPsourceport:67,mask:0xffffUDPdestinationport:68,mask:0xffffInstructioninformation:Writeactions:Outputinterface:Controller,sendlength:65509bytes……Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com3636初始流表的下发S6800交换机上的下发的初始流表：displayopenflowinstance1flow-tableTable1information:Tabletype:Extensibility,flowentrycount:5,totalflowentrycount:5Flowentry4information:cookie:0x2c324757415057,priority:61000,hardtime:0,idletime:0,flags:flow_send_rem,bytecount:12392,packetcount:17701Matchinformation:Ethernettype:0x0806Instructioninformation:Writeactions:Outputinterface:Controller,sendlength:65509bytes……Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com3737VXLANGW流表下发VM上线时，虚拟端口将相关VM信息上报VCFCVCFC通过OpenFlow协议给硬件网关或VSR下发相应的流表匹配字段是目的IP为虚拟端口所连VM的IPoutput端口为硬件网关（例如125x）或者VSR与虚拟端口所在OVS之间的tunnel口打上VXLAN的VNI，即流表中的tunnelid报文目的MAC地址改为虚拟的三层网关地址0016-3faa-aaaaCopyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com3838VXLANGW流表下发在VCFC上通过流表查看：Output：8960对应的出口是tunnel257:Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com3939VXLANGW流表下发displayopenflowinstance1flow-tableInstance1flowtableinformation:Table0information:Tabletype:MAC-IP,flowentrycount:1,totalflowentrycount:1Flowentry1information:cookie:0x4c324757415057,priority:30000,hardtime:0,idletime:0,flags:check_overlap,bytecount:--,packetcount:--Matchinformation:Ethernettype:0x0800IPv4destinationaddress:173.0.0.2,mask:255.255.255.255Experimenter:AddressID:2//匹配VLANInstructioninformation:Writeactions:Outputinterface:Tun8960Setfield:EthernetdestinationMACaddress:0016-3faa-aaaaTunnelID:0x1Table1information:Tabletype:Extensibility,flowentrycount:0,totalflowentrycount:0Copyright©2016NEWH3CGroup.Allrightsreserved.www.h3c.com4040