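1 Introduction
FlowVisor is a network virtualization platform built on top of OpenFlow. It can divide a physical network into multiple logical networks, thereby enabling open software-defined networking (SDN). It lets administrators manage the network by defining rules broadly rather than by adjusting individual routers and switches. The essence of network virtualization is to abstract the physical topology of the underlying network and to slice or aggregate network resources logically, so as to meet the differing network requirements of various applications. To achieve network slicing, FlowVisor implements a special OpenFlow controller that acts as a proxy layer between the controllers of different users or applications and the network devices. Different users or applications can therefore use their own controllers to define different network topologies, while FlowVisor ensures that these controllers are isolated from one another and do not interfere with each other.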
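2 Installation
Before installing FlowVisor, its dependencies must be satisfied: building and running FlowVisor requires that a JDK and ant are already installed on the system. The FlowVisor source is then fetched with git, compiled, installed and run.
2.1 Installing dependencies
- Install the JDK:
The INSTALL file in the official source package requires JDK version 1.6 or below, but in practice OpenJDK 1.7 works without any problems. Install it with the following command:
$ sudo apt-get install openjdk-7-jdk openjdk-7-jre openjdk-7-jre-lib
Configure the environment variables:
$ sudo vim /etc/profile
Append the following to the end of the file:
export JAVA_HOME=/usr/lib/jvm/java-7-openjdk-amd64
export JRE_HOME=/usr/lib/jvm/java-7-openjdk-amd64/jre
export CLASSPATH=.:$JAVA_HOME/lib:$JRE_HOME/lib:$CLASSPATH
export PATH=$JAVA_HOME/bin:$JRE_HOME/bin:$PATH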
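- Install ant:
The INSTALL file places no restriction on the ant version, so simply run:
$ sudo apt-get install ant
- Build and install FlowVisor
Download the source with git:
$ git clone git://github.com/OPENNETWORKINGLAB/flowvisor.git
Once the download finishes, cd into the controller directory and build:
$ cd controller
$ make
After a successful build, install:
$ sudo make install
In the figure below, sono is an existing user on the Ubuntu system:
After installation, run:
$ nohup flowvisor /etc/openflow/config.json > /dev/null &
This runs FlowVisor in the background (&) and redirects the console output stream to /dev/null, so nothing is printed to the console.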
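3 The fvctl command-line tool
3.1 Command options
- -h: hostname, default "localhost"
- -p: port, default "8080"
- -u: FlowVisor admin user, default "fvadmin"
- -f: FlowVisor password file, default "none"
- -v: version information
- --help: help information
3.2 Overview
fvctl is a command-line tool for configuring, debugging, monitoring and managing a running FlowVisor instance. It can show the current state of FlowVisor, including features, configuration and flowspace entries.
Each FlowVisor instance runs a JSON-RPC service and accepts the API calls listed below (see 3.3 Commands). fvctl is a command-line client that invokes these APIs.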
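3.3 Commands
add-flowspace: create a flowspace rule
add-slice: create a slice
get-config: show general FlowVisor configuration parameters
list-datapath-info: show information about a connected device
list-datapath-stats: show statistics for a connected device
list-datapaths: show device information
list-flowspace: show the flowspace
list-fv-health: report overall FlowVisor health information
list-links: show the full topology
list-slice-health: report the health of all slices
list-slice-info: show slice information
list-slice-stats: show slice statistics
list-slices: show the configured slices
list-version: show the FlowVisor version
remove-flowspace: delete a flowspace rule
remove-slice: delete a slice
save-config: save the FlowVisor configuration
set-config: set general FlowVisor configuration parameters
update-admin-password: update the admin password
update-flowspace: change flowspace rule parameters
update-slice: change slice parameters
update-slice-passwd: change a slice password
list-datapath-flowdb: if flow tracking is enabled, show the contents of the flow database
list-datapath-flowrewritedb: show the rewrites or expansions FlowVisor has applied
unregisterevent-callback: unregister a service from FlowVisor
Note: more detail on each command is available via "fvctl help <command>".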
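3.3.1 Slice operations
(1) Create a slice
Use the following command to create a new slice and point it at a controller:
$ fvctl -p 8888 add-slice s1 tcp:192.168.119.130:6666 [email protected]
In the command above, [email protected] is the adminContent value; anything will do.
Creating a new slice prompts for the fvadmin password and for a new slice password; the latter may be left empty.
(2) View a slice
View the details of a slice:
$ fvctl -p 8888 list-slice-info s1
View the health of a slice; if it is not connected to a controller, a 500 server error is shown:
$ fvctl -p 8888 list-slice-health
View the statistics of a slice. Statistics become visible after running mininet> pingall; if no data has crossed the network, nothing is shown.
$ fvctl -p 8888 list-slice-stats
(3) Modify a slice
Change the port and controller IP address of a slice:
$ fvctl -p 8888 update-slice s1 -n 192.168.5.79 -p 6633
(4) Delete a slice
Slices can be deleted in batches, but note that a slice can correspond to only one controller:
$ fvctl -p 8888 remove-slice s1 s2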
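3.3.2 Flowspace operations
(1) A flowspace contains the following fields:
Field | Meaning
priority | Priority, 0-65535
in_port | Ingress port
dl_vlan | VLAN ID; 0xffff matches packets without a VLAN tag, otherwise a value of 0-4095 gives the 12-bit VLAN ID
dl_vpcp | VLAN priority, the PCP field of the outermost VLAN header
dl_src | Ethernet source MAC address
dl_dst | Ethernet destination MAC address
dl_type | Ethernet protocol type, expressed as 0-65535
nw_src | Source IP address
nw_dst | Destination IP address
nw_proto | IP protocol type, a decimal number 0-255
nw_tos | IP ToS bits, expressed as 0-255
tp_src | TCP/UDP source port
tp_dst | TCP/UDP destination port
wildcards | Match rule, mask
actions | Slice action: the permissions the slice holds over this flowspace. DELEGATE=1, READ=2, WRITE=4; the value of actions is a combination of these three, so it ranges over 1-7
priority: value 0:2^31
slice-perm: value 0:7, Delegate=1, Read=2, Write=4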
(2) Create a flowspace
$ fvctl -p 8888 add-flowspace fs1 all 100 dl_dst=78:45:c4:2d:72:51 s1=5
(The match argument can be given as any to match everything.)
Note: flowspace names may be duplicated.
(3) View flowspaces
View the flowspace rules:
$ fvctl -p 8888 list-flowspace
Note: the -s option can also be given to view the flowspace of a specific slice.
(4) Modify a flowspace
Change the priority of fs1:
$ fvctl -p 8888 update-flowspace -p 200 fs1
(5) Delete a flowspace
Delete multiple flowspaces:
$ fvctl -p 8888 remove-flowspace fs1 fs2
3.4 Match syntax (unfinished)
Some fvctl commands accept an argument that describes one or more flows. Such a flow description consists of a series of field=value assignments separated by commas.
The following field assignments describe how a flow matches a packet. If any of these assignments is omitted from the flow syntax, the field is treated as a wildcard; thus, if all of them are omitted, the resulting flow matches all packets. The string all or any is used to specify a flow that matches all packets.
in_port=port_no
    Matches physical port port_no. Switch ports are numbered as displayed by fvctl getDeviceInfo DPID.
dl_vlan=vlan
    Matches IEEE 802.1q virtual LAN tag vlan. Specify 0xffff as vlan to match packets that are not tagged with a virtual LAN; otherwise, specify a number between 0 and 4095, inclusive, as the 12-bit VLAN ID to match.
dl_src=mac
    Matches Ethernet source address mac, which should be specified as 6 pairs of hexadecimal digits delimited by colons, e.g. 00:0A:E4:25:6B:B0.
dl_dst=mac
    Matches Ethernet destination address mac.
dl_type=ethertype
    Matches Ethernet protocol type ethertype, which should be specified as an integer between 0 and 65535, inclusive, either in decimal or as a hexadecimal number prefixed by 0x, e.g. 0x0806 to match ARP packets.
nw_src=ip[/netmask]
    Matches IPv4 source address ip, which should be specified as an IP address, e.g. 193.168.1.1. The optional netmask allows matching only on an IPv4 address prefix. The netmask is specified "CIDR-style", i.e., 193.168.1.0/24.
nw_dst=ip[/netmask]
    Matches IPv4 destination address ip.
nw_proto=proto
    Matches IP protocol type proto, which should be specified as a decimal number between 0 and 255, inclusive, e.g. 6 to match TCP packets.
nw_tos=tos/dscp
    Matches ToS/DSCP (only 6-bits, not modify reserved 2-bits for future use) field of IPv4 header tos/dscp, which should be specified as a decimal number between 0 and 255, inclusive.
tp_src=port
    Matches transport-layer (e.g., TCP, UDP, ICMP) source port port, which should be specified as a decimal number between 0 and 65535 (in the case of TCP or UDP) or between 0 and 255 (in the case of ICMP), inclusive, e.g. 80 to match packets originating from a HTTP server.
tp_dst=port
    Matches transport-layer destination port port.
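The field ranges listed above can be checked before a match string is handed to fvctl. The following Python validator is an added example, not code from fvctl or from the original page; the names parse_match, int_range and FIELDS are hypothetical, the 0-65535 range for in_port is an assumption (the text gives none), and tp_src/tp_dst use the TCP/UDP range only.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

def int_range(lo, hi, also=()):
    """Build a checker for a decimal or 0x-prefixed integer in lo..hi (or in `also`)."""
    def check(text):
        n = int(text, 0)
        if not (lo <= n <= hi or n in also):
            raise ValueError(f"{n} is outside {lo}-{hi}")
        return n
    return check

def mac(text):
    if not MAC_RE.match(text):
        raise ValueError("expected 6 colon-delimited pairs of hex digits")
    return text.lower()

def ipv4(text):
    # Accepts "ip" or CIDR-style "ip/len"; host bits are masked off.
    return ipaddress.IPv4Network(text, strict=False)

FIELDS = {
    "in_port": int_range(0, 65535),                 # assumption: no range in the text
    "dl_vlan": int_range(0, 4095, also=(0xFFFF,)),  # 0xffff = untagged packets
    "dl_src": mac, "dl_dst": mac,
    "dl_type": int_range(0, 65535),
    "nw_src": ipv4, "nw_dst": ipv4,
    "nw_proto": int_range(0, 255),
    "nw_tos": int_range(0, 255),
    "tp_src": int_range(0, 65535), "tp_dst": int_range(0, 65535),  # TCP/UDP range
}

def parse_match(spec):
    """Return (fields, wildcarded): validated values plus the fields left as wildcards."""
    if spec in ("all", "any"):
        return {}, sorted(FIELDS)
    fields = {}
    for item in spec.split(","):
        key, sep, value = item.partition("=")
        if not sep or key not in FIELDS or key in fields:
            raise ValueError(f"unknown, repeated or malformed field: {item!r}")
        try:
            fields[key] = FIELDS[key](value)
        except ValueError as exc:
            raise ValueError(f"{key}={value}: {exc}") from None
    return fields, sorted(set(FIELDS) - set(fields))
```

The second return value lists every field the rule leaves wildcarded, which is the part of a flowspace that is easiest to overlook when reviewing how much traffic a slice can see.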
DPID
    The datapath identifier (DPID) is a unique ID to name and identify OpenFlow devices. With fvctl, DPIDs are 8 bytes and can be specified as a decimal number or as 8 hex octets, e.g., 00:00:00:23:10:35:ce:a5. The DPID ff:ff:ff:ff:ff:ff:ff is a "wildcard" DPID that matches all DPIDs. It can be specified using any of the following short cuts: all, any, or ALL_DPIDS.
SLICE-PERM
    Slice actions is a comma separated list of slices that have control over a specific FlowSpace. Slice actions are of the form "slicename1=perm[slicename2=perm[...]]". Each slice can have three types of permissions over a flowspace: DELEGATE, READ, and WRITE. Permissions are currently a bitmask specified as an integer, with DELEGATE=1, READ=2, WRITE=4. So, "alice=5,bob=2" would give Alice's slice DELEGATE and WRITE permissions (1+4=5), but Bob only READ permissions. Improving this interface is on the TODO list. For example,
        fvctl add-flowspace myflowspace all 2 any slice1=4,slice2=2
    DELEGATE
        A slice can delegate control of this flowspace to another slice. It also has permissions to un-delegate/reclaim the flowspace.
    READ
        A slice receives packet_in's matching this flow entry, can send LLDP messages and stats to switches in this flow entry, but cannot write to or change the switch's flow table. This is useful for implementing a monitoring slice.
    WRITE
        A slice has all of the permissions of READ but can also write to the flow table if the flow_mod matches this flow entry. FlowVisor will try to rewrite a flow_mod (if necessary) as the logical intersection of a slice's flow_mod and the union of its FlowSpace.
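
Because the permission bitmask decides how far one slice can reach into traffic shared with others, it is worth decoding and reviewing before a rule is added. The following Python check is an added example, not part of FlowVisor or the original page; parse_slice_perm and audit_flowspace are hypothetical names, and the review policy (flag WRITE on match-all rules or wildcard DPIDs, shared WRITE, and DELEGATE) is this example's assumption rather than anything FlowVisor enforces.

```python
DELEGATE, READ, WRITE = 1, 2, 4            # bit values from the SLICE-PERM text
BITS = ((DELEGATE, "DELEGATE"), (READ, "READ"), (WRITE, "WRITE"))
WILDCARD_DPIDS = {"all", "any", "ALL_DPIDS"}

def parse_slice_perm(spec):
    """Turn 'alice=5,bob=2' into {'alice': ['DELEGATE', 'WRITE'], 'bob': ['READ']}."""
    perms = {}
    for item in spec.split(","):
        name, sep, value = item.partition("=")
        if not (sep and name and value.isdigit()):
            raise ValueError(f"malformed slice permission: {item!r}")
        if name in perms:
            raise ValueError(f"slice listed twice: {name}")
        mask = int(value)
        if not 0 <= mask <= 7:
            raise ValueError(f"{name}: mask {mask} is outside 0-7")
        perms[name] = [label for bit, label in BITS if mask & bit]
    return perms

def audit_flowspace(dpid, match, slice_perm):
    """Return least-privilege findings for the arguments of one add-flowspace rule."""
    perms = parse_slice_perm(slice_perm)
    writers = sorted(s for s, p in perms.items() if "WRITE" in p)
    findings = []
    for s in writers:
        if match in ("all", "any"):
            findings.append(f"{s}: WRITE over a match-all flowspace")
        if dpid in WILDCARD_DPIDS:
            findings.append(f"{s}: WRITE on every datapath")
    if len(writers) > 1:
        findings.append("shared WRITE: " + ",".join(writers))
    findings += [f"{s}: can DELEGATE" for s, p in sorted(perms.items()) if "DELEGATE" in p]
    findings += [f"{s}: no permission bits set" for s, p in sorted(perms.items()) if not p]
    return findings

if __name__ == "__main__":
    # The two add-flowspace commands that appear on this page: (dpid, match, slice-perm).
    for rule in (("all", "any", "slice1=4,slice2=2"),
                 ("all", "dl_dst=78:45:c4:2d:72:51", "s1=5")):
        print(rule, "->", audit_flowspace(*rule))
```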