Lab #1: Lab Setup and Network Architecture - ackSec/DC26 GitHub Wiki

Lab #1: Lab Setup / Network Architecture

Synopsis: In this section, we will be working on (as a class) the following SDN architecture topics that were discussed earlier in the presentation:

A) Setting up an SDN Topology - We will go through what a Software Defined Network topology looks like and walk through its components.

B) Blocking Traffic - This exercise will show you how to block and unblock traffic between two (2) hosts on the network.

C) Packet Analysis - We will be capturing and analyzing the packets between the controller and the switch.

D) Tearing down an SDN - We will be learning how to properly and safely tear down an SDN.

A) Setting Up an SDN

Throughout this exercise, your “Workstation” will be used to build the SDN and interact with the “Controller”. You will not be able to directly interact with the “Controller”.

• Click on the “Workstation” under “All Connections”. You will be presented with the following screen:

Jumpbox Dashboard

• Run the following command to set up the SDN topology:

sudo mn --switch ovs --controller=remote,ip=$CONTROLLER_IP,port=6653 --topo tree,depth=2,fanout=8

Once the command has run completely, type the following command to verify that all hosts (h) and switches (s) exist in the environment:

pingall

**Note: Do not exit out of the workstation. Please keep that tab open.**

Next, go back to the Workshop main page (see screenshot below) and click on the "Floodlight SDN Dashboard". You will be prompted for your user credentials.

build env

Once you are in the Floodlight SDN Dashboard, click on "Topology", which is located in the left pane. Once you click on it, you will see the following topology that was created using the command you entered in the step above. You now have a Software Defined Network!

build env

B) Blocking Traffic

**Please keep all tabs (in your browser) open from the previous exercise.**

Go back to the "Workshop" tab and click on "SSH (Jumpbox)". Then click on "Workstation". Once you click on "Workstation", a new tab with the workstation terminal will be opened and should look like the following screenshot. Yes, you will have two separate tabs open with the workstation terminal. One tab is from the previous exercise (has "mininet" or "containernet" running) and the other tab is for this exercise.

build env

It is time for you to get creative! You will be running the command below (in the new workstation tab) to block traffic flow between two (2) hosts in your environment. Navigate to the "Workstation" tab in your browser that is not running mininet / containernet. As you type in the command below, please make sure to edit the following sections:

  • Replace "insert switch mac address" with the switch MAC address of your choice (e.g., "00:00:00:00:00:00:00:02"). Floodlight identifies a switch by this 8-byte ID (its datapath ID, DPID), so it is two bytes longer than an ordinary MAC address.
  • Replace "insert source host IP" with the host of your choice (e.g., 10.0.0.2)
  • Replace "insert destination host IP" with the host of your choice (e.g., 10.0.0.15)
  • Please make sure your source and destination IPs are talking to different switches. They should not be talking to the same switch.

curl -X POST -d '{"switch":"insert switch mac address", "name":"flow-mod-1", "cookie":"0", "priority":"32768", "eth_type":"0x0800", "ipv4_src":"insert source host IP", "ipv4_dst":"insert destination host IP", "active":"true", "actions":""}' http://$CONTROLLER_IP:8080/wm/staticentrypusher/json

  • NOTE: If your command does not run, please copy / paste the following command in the terminal.

curl -X POST -d '{"switch":"00:00:00:00:00:00:00:02", "name":"flow-mod-1", "cookie":"0", "priority":"32768", "eth_type":"0x0800", "ipv4_src":"10.0.0.2", "ipv4_dst":"10.0.0.15", "active":"true", "actions":""}' http://$CONTROLLER_IP:8080/wm/staticentrypusher/json

Your terminal should look like the following:

build env

Once the command has run completely, navigate to the Floodlight SDN dashboard and click on "Switch" in the left pane. Then click on the switch that you referenced in the command above. You should see "SEND_FLOW_REM" in the "Flow Table" flags. This confirms that your block flow was pushed to the controller.

Additionally, navigate to the workstation terminal that is running mininet / containernet and type the command below to verify that the links between the source and destination hosts no longer exist. Once you type in the command, you will notice an "X" where the "ipv4_src" tries communicating with the "ipv4_dst" that you included in the command above.

pingall

After going through the output of "pingall", go to the workstation tab that is NOT running mininet / containernet. Please type the following command to clear the block flows that were just implemented:

curl http://$CONTROLLER_IP:8080/wm/staticentrypusher/clear/all/json

For further verification, navigate to "Floodlight SDN Dashboard", click on "Switches" in the left pane. Then click on the switch you selected for this exercise and scroll down to the "Flow Table". You will no longer see "SEND_FLOW_REM" as a flag. Your flow tables should look like the following:

build env
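
The block step from this exercise, as an added example that is not part of the original workshop material: a POSIX shell helper that validates the switch ID and host IPs before building the same static-entry JSON. The function names are hypothetical; the endpoint, the JSON fields and `$CONTROLLER_IP` are the ones used above.

```shell
#!/bin/sh
# Added example: validate inputs, then build the drop-rule body from section B.
# Function names are hypothetical and not part of Floodlight or the workshop.

# A Floodlight switch ID (DPID) is 8 colon-separated hex bytes, not a 6-byte MAC.
is_dpid() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){7}[0-9A-Fa-f]{2}$'
}

# Dotted-quad IPv4 with every octet in the range 0..255.
is_ipv4() {
    o='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
    printf '%s\n' "$1" | grep -Eq "^($o\.){3}$o\$"
}

# Print the JSON body for a block rule. The entry matches IPv4 traffic
# (eth_type 0x0800) from src to dst; the empty "actions" value is what
# makes the switch drop the matching packets.
build_block_flow() {
    dpid=$1 name=$2 src=$3 dst=$4
    is_dpid "$dpid" || { echo "bad switch ID: $dpid" >&2; return 1; }
    is_ipv4 "$src"  || { echo "bad source IP: $src" >&2; return 1; }
    is_ipv4 "$dst"  || { echo "bad destination IP: $dst" >&2; return 1; }
    # Keep the entry name to characters that cannot break out of the JSON string.
    printf '%s\n' "$name" | grep -Eq '^[A-Za-z0-9_-]+$' ||
        { echo "bad entry name: $name" >&2; return 1; }
    printf '{"switch":"%s", "name":"%s", "cookie":"0", "priority":"32768", "eth_type":"0x0800", "ipv4_src":"%s", "ipv4_dst":"%s", "active":"true", "actions":""}\n' \
        "$dpid" "$name" "$src" "$dst"
}

# Push the rule to the same static entry pusher endpoint used above.
# Nothing is sent if validation fails.
push_block_flow() {
    body=$(build_block_flow "$@") || return 1
    curl -sS -X POST -d "$body" \
        "http://$CONTROLLER_IP:8080/wm/staticentrypusher/json"
}

# Usage in the lab (second workstation tab):
#   push_block_flow 00:00:00:00:00:00:00:02 flow-mod-1 10.0.0.2 10.0.0.15
```

A six-byte MAC such as `00:00:00:00:00:02` is rejected before anything reaches the controller, which catches the most common typo in this step.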

C) Hello Packet Inspection

**Please keep all tabs (in your browser) open from previous exercises.**

Navigate to the "Workstation" tab that does not have mininet / containernet running. Type in the command below. This command will show you the "Hello" packets between the controller and a switch. Please make sure to let the command run for at least 30 seconds.

sudo tshark -i eth0 -T json -V -P -O openflow -d tcp.port==6653,openflow host $CONTROLLER_IP | grep openflow

Your results should look like the following:

build env

We will be reviewing the packet capture in class.
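
To help read the capture, here is an added example (not part of the original workshop material) that decodes the fixed 8-byte header at the start of every OpenFlow message, including the "Hello" messages shown by the tshark command above. The function name is hypothetical and the two sample messages are constructed, not captured in the lab.

```shell
#!/bin/sh
# Added example: decode the 8-byte header that starts every OpenFlow message.
# Layout (big-endian): version (1 byte), type (1), length (2), xid (4).

parse_of_header() {
    # Accept hex with spaces or colons, as copied from a packet dump.
    hex=$(printf '%s' "$1" | tr -d ' :\n' | tr 'A-F' 'a-f')
    printf '%s\n' "$hex" | grep -Eq '^([0-9a-f]{2}){8,}$' || {
        echo "need at least 8 hex-encoded bytes" >&2; return 1; }

    ver=$(printf '%d' "0x$(printf '%s' "$hex" | cut -c1-2)")
    mtype=$(printf '%d' "0x$(printf '%s' "$hex" | cut -c3-4)")
    len=$(printf '%d' "0x$(printf '%s' "$hex" | cut -c5-8)")
    xid=$(printf '%s' "$hex" | cut -c9-16)

    # The length field counts the header itself, so it can never be below 8.
    [ "$len" -ge 8 ] || { echo "invalid length field: $len" >&2; return 1; }

    # Wire version byte to protocol version.
    case $ver in
        1) vname=1.0 ;; 2) vname=1.1 ;; 3) vname=1.2 ;;
        4) vname=1.3 ;; 5) vname=1.4 ;; 6) vname=1.5 ;;
        *) vname="unknown($ver)" ;;
    esac
    # Types 0-3 have the same meaning in every OpenFlow version.
    case $mtype in
        0) tname=HELLO ;;        1) tname=ERROR ;;
        2) tname=ECHO_REQUEST ;; 3) tname=ECHO_REPLY ;;
        *) tname="TYPE_$mtype" ;;
    esac
    echo "version=$vname type=$tname length=$len xid=0x$xid"
}

# Constructed samples: an OpenFlow 1.3 Hello carrying a version bitmap
# element, and a bare OpenFlow 1.0 Hello.
OF13_HELLO='04 00 00 10 00 00 00 01 00 01 00 08 00 00 00 10'
OF10_HELLO='01 00 00 08 00 00 00 2a'
parse_of_header "$OF13_HELLO"
parse_of_header "$OF10_HELLO"
```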

D) Tearing Down an SDN

Navigate to the "Workstation" tab that is running mininet / containernet.

Enter the following commands:

exit

  • This will tear down the SDN infrastructure. Once the command has run completely, type the following command:

sudo mn -c

  • This command is used as a catchall to ensure that everything gets torn down in the environment. It is used for good measure.

Your terminal should look like the following:

build env

Let's move on to the next section!