Documentation in English - OverFlowJAMK/General GitHub Wiki

Building Software Defined Network

Some devices from operator's room:

OverFlow

OpenStack nodes of the OverFlow company. The OpenStack deployment consists of three nodes: one Controller node and two Compute nodes. These nodes are in an isolated management network.

OVS-mylly
The OVS device of the company. A virtual switch and a controller of the Software Defined Network run on the OVS device.

Router device with NAT:

A new device was installed as a router between Labranet (and, through it, the Internet) and the OVS device. The device is also configured to perform NAT translation.

Raspberry Pi: a Raspberry Pi device and its graphical user interface. The purpose of the Raspberry Pi is to collect data about the sewers of IoT-city. At the moment the Raspberry Pi is only used to test network connections.

Dummy:

One part of the plug-in was disabled so that no flows are created.

Openswitch agent: In the file `/etc/neutron/plugins/ml2/openswitch_agent.ini` on compute1, `of_interface` was set to `native` while the controller was being installed, because otherwise the `dummy` value would be used as the interface.

The Neutron OVS agent is stopped with the command `sudo service neutron-openvswitch-agent stop`. If the agent were not stopped, the controller would keep its own settings, which would prevent the installation of a new controller. That is why the agent needs to be disabled.

Installation of the controller:

The next step is to install the controller. That is done with the command `sudo ovs-vsctl set-controller br-int tcp:192.168.142.40:6633 && sudo ovs-vsctl set-controller br-provider tcp:192.168.142.40:6633`. This sets the controller on both switches.

Verifying that the controllers work: the command `sudo ovs-vsctl show` verifies that the controllers are working. The entries for Bridge br-int and Bridge br-provider show that the controllers are supervised and that they are connected. A GRE tunnel has been created.

After that, the Neutron OVS agent is enabled again.

Finally, the `dummy` value is set as the interface in the file `/etc/neutron/plugins/ml2/openswitch_agent.ini`.

GRE tunnel:

The GRE tunnel was created with the command `sudo ovs-vsctl add-port br0 gre1 -- set interface gre1 type=gre options:df_default=false options:remote_ip=20.0.0.1`, which was set for the Controller node of OpenStack, and the command `sudo ovs-vsctl add-port br-provider gre0 -- set interface gre0 type=gre options:df_default=false options:remote_ip=20.0.0.3`, which was set for the Compute1 node of OpenStack.

Change the following files on compute1 and the Controller as shown below (note the `dummy` entries):

/usr/lib/python2.7/dist-packages/neutron/plugins/ml2/drivers/openvswitch/agent/main.py

```python
_main_modules = {
    'ovs-ofctl': 'neutron.plugins.ml2.drivers.openvswitch.agent.openflow.'
                 'ovs_ofctl.main',
    'native': 'neutron.plugins.ml2.drivers.openvswitch.agent.openflow.'
              'native.main',
    # Added entry: maps of_interface = dummy to the dummy driver module.
    'dummy': 'neutron.plugins.ml2.drivers.openvswitch.agent.openflow.'
             'dummy.main',
}
```

and /usr/lib/python2.7/dist-packages/neutron/plugins/ml2/drivers/openvswitch/agent/common/config.py

```python
# Entry in the agent's option list: 'dummy' is added to the allowed choices.
cfg.StrOpt('of_interface', default='ovs-ofctl',
           choices=['ovs-ofctl', 'native', 'dummy'],
           help=_("OpenFlow interface to use.")),
```

Disabling OpenStack Firewall

People usually want to do this because the anti-spoofing rules are dropping packets transmitted by Nova instances that do not have the source MAC or IP address that was allocated to the instance.

But Nova needs a security groups API or it will refuse to start instances. It needs to be configured to use its own or Neutron's. Here we configure it to use the Nova security groups API, but disable nova-compute (and the Neutron L2 agent - just to be sure) from applying any iptables rules.

On each controller and compute node, change:

```ini
# /etc/neutron/plugins/ml2/ml2_conf.ini
[securitygroup]
enable_security_group = False
firewall_driver = neutron.agent.firewall.NoopFirewallDriver
```

To stop nova-compute from creating the iptables rules, configure it to use its Noop driver:

```ini
# /etc/nova/nova.conf
[DEFAULT]
security_group_api = nova
firewall_driver = nova.virt.firewall.NoopFirewallDriver
```

Restart all neutron-server, neutron-openvswitch-agent, nova-api and nova-compute services.
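With these settings no anti-spoofing or security-group filtering is applied on the node, so it is useful to be able to detect where they are in force. The following is an added example, not part of the original wiki: `audit_node` is a hypothetical helper, the file contents are constructed samples embedded as strings, and a missing `enable_security_group` option is assumed to mean enabled.

```python
import configparser

NOOP = 'NoopFirewallDriver'

# Constructed file contents: the settings from this page ...
ML2_PAGE = """\
[securitygroup]
enable_security_group = False
firewall_driver = neutron.agent.firewall.NoopFirewallDriver
"""
NOVA_PAGE = """\
[DEFAULT]
security_group_api = nova
firewall_driver = nova.virt.firewall.NoopFirewallDriver
"""
# ... and a constructed ml2_conf.ini that keeps filtering on, for comparison.
ML2_ENFORCING = """\
[securitygroup]
enable_security_group = True
firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
"""


def _load(text):
    # oslo-style files may repeat options and contain '%', so relax the parser.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def audit_node(ml2_text, nova_text):
    """Return findings for settings that switch off port filtering on a node."""
    ml2, nova = _load(ml2_text), _load(nova_text)
    findings = []
    # A missing option is treated as enabled (assumption of this example).
    if not ml2.getboolean('securitygroup', 'enable_security_group', fallback=True):
        findings.append('ml2: security groups disabled')
    if ml2.get('securitygroup', 'firewall_driver', fallback='').endswith(NOOP):
        findings.append('ml2: L2 agent uses Noop firewall driver')
    if nova.get('DEFAULT', 'firewall_driver', fallback='').endswith(NOOP):
        findings.append('nova: nova-compute uses Noop firewall driver')
    return findings
```

On a real node, pass the contents of `/etc/neutron/plugins/ml2/ml2_conf.ini` and `/etc/nova/nova.conf` instead of the sample strings.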

Connections to other classrooms:

OverFlow is a service provider that provides a Software Defined Network solution to the Kumos company and to the general working room.

Floor plan. Network port in classroom 407.

The connections between the networks of the different classrooms were implemented by connecting port 41.H01.21 in the SDN operator's room (D406) to port 41.H13.11 in the Kumos company's room (D421). The ports used for the connection between the SDN operator's room and the general working room (D407) were 41.H01.23 in the SDN operator's room and 41.H03.06 in the general working room. Later a second connection was established between those classrooms: 41.H01.13 in the operator's room and 41.H04.12 in the general classroom.

If the `set-controller` command is run after the `del-controller` command and no connection is established (`is_connected: true` is not shown), a flow needs to be installed manually with the command `ovs-ofctl add-flow br0 action=normal`.
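The controller check done with `sudo ovs-vsctl show` and the missing-connection case above can be automated. The following is an added example, not part of the original wiki: `parse_controllers` and `audit` are hypothetical helpers, and the `ovs-vsctl show` output is a constructed sample. It also reports controller targets that use `tcp:`, which carries OpenFlow in plaintext.

```python
import re

# Constructed sample of `ovs-vsctl show` output (not captured from the lab).
SAMPLE_SHOW = '''\
    Bridge br-int
        Controller "tcp:192.168.142.40:6633"
            is_connected: true
        Port br-int
    Bridge br-provider
        Controller "tcp:192.168.142.40:6633"
        Port "gre0"
    Bridge "br0"
        Port "br0"
'''


def parse_controllers(show_output):
    """Return {bridge: [{'target': str, 'connected': bool}, ...]}."""
    bridges, current, last = {}, None, None
    for line in show_output.splitlines():
        text = line.strip()
        m = re.match(r'Bridge "?([^"]+)"?$', text)
        if m:
            current, last = m.group(1), None
            bridges[current] = []
            continue
        m = re.match(r'Controller "([^"]+)"$', text)
        if m and current is not None:
            last = {'target': m.group(1), 'connected': False}
            bridges[current].append(last)
        elif text == 'is_connected: true' and last is not None:
            last['connected'] = True
        elif text.startswith('Port '):
            last = None  # controller records end where the port list starts
    return bridges


def audit(show_output):
    """Return (bridge, finding) pairs for bridges that need attention."""
    findings = []
    for bridge, ctrls in parse_controllers(show_output).items():
        if not ctrls:
            findings.append((bridge, 'no controller set'))
        for c in ctrls:
            if not c['connected']:
                findings.append((bridge, 'controller %s not connected' % c['target']))
            if c['target'].startswith('tcp:'):  # OVS also accepts ssl: targets
                findings.append((bridge, 'plaintext OpenFlow channel (tcp:)'))
    return findings
```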

Network topology

![Topology](https://github.com/OverFlowJAMK/General/blob/master/Topologia15072016.png)