[mirror_ovs.git] / INSTALL.OpenFlow

            Using Open vSwitch as a Simple OpenFlow Switch
            ==============================================

Open vSwitch uses OpenFlow as its preferred method of remote flow
table configuration.  This is the simplest method of using it with an
OpenFlow controller.  The ovs-vsctl "set-controller" command can also
be used in conjunction with ovs-vswitchd to set the controller for one
or more bridges.  We recommend using OpenFlow in this manner and in this
case you should not run ovs-openflowd.  Directions for setting up
ovs-vswitchd can be found in INSTALL.Linux.

However, it is also possible to use Open vSwitch as a simple OpenFlow
switch like that provided by the OpenFlow reference implementation
[1].  The remainder of this file describes how to use it in that
manner.

What is OpenFlow?
-----------------

OpenFlow is a flow-based switch specification designed to enable
researchers to run experiments in live networks.  OpenFlow is based on a
simple Ethernet flow switch that exposes a standardized interface for
adding and removing flow entries.

An OpenFlow switch consists of three parts: (1) A "flow table" in
which each flow entry is associated with an action telling the switch
how to process the flow, (2) a "secure channel" that connects the switch
to a remote process (a controller), allowing commands and packets to
be sent between the controller and the switch, and (3) an OpenFlow
protocol implementation, providing an open and standard way for a
controller to talk to the switch.

An OpenFlow switch can thus serve as a simple datapath element that
forwards packets between ports according to flow actions defined by
the controller using OpenFlow commands.  Example actions are:

    - Forward this flow's packets to the given port(s)
    - Drop this flow's packets
    - Encapsulate and forward this flow's packets to the controller.

The OpenFlow switch is defined in detail in the OpenFlow switch
Specification [2].

Installation Procedure
----------------------

The procedure below explains how to use the Open vSwitch as a simple
OpenFlow switch. 

1. Build and install the Open vSwitch kernel modules and userspace
   programs as described in INSTALL.Linux.

   It is important to run "make install", because some Open vSwitch
   programs expect to find files in locations selected at installation
   time.

2. Load the openvswitch kernel module (which was built in step 1), e.g.:

      % insmod datapath/linux-2.6/openvswitch_mod.ko

   This kernel module cannot be loaded if the Linux bridge module is
   already loaded.  Thus, you may need to remove any existing bridges
   and unload the bridge module with "rmmod bridge" before you can do
   this.

3. Create a datapath instance.  The command below creates a datapath
   identified as dp0 (see ovs-dpctl(8) for more detailed usage
   information).

      # ovs-dpctl add-dp dp0
   
   Creating datapath dp0 creates a new network device, also named dp0.
   This network device, called the datapath's "local port", will be
   bridged to the physical switch ports by ovs-openflowd(8).  It is
   optionally used for in-band control as described in step 5.

4. Use ovs-dpctl to attach the datapath to physical interfaces on the
   machine.  Say, for example, you want to create a trivial 2-port
   switch using interfaces eth1 and eth2, you would issue the following
   commands:

      # ovs-dpctl add-if dp0 eth1
      # ovs-dpctl add-if dp0 eth2

   You can verify that the interfaces were successfully added by asking
   ovs-dpctl to print the current status of datapath dp0:

      # ovs-dpctl show dp0

5. Arrange so that the switch can reach the controller over the network.  
   This can be done in two ways.  The switch may be configured for 
   out-of-band control, which means it uses a network separate from the 
   data traffic that it controls.  Alternatively, the switch may be 
   configured to contact the controller over one of the network devices 
   under its control.  In-band control is often more convenient than 
   out-of-band, because it is not necessary to maintain two independent 
   networks.

      - If you are using out-of-band control, at this point make sure
        that the switch machine can reach the controller over the
        network.

      - If you are using in-band control, then at this point you must
        configure the dp0 network device created in step 3.  This
        device is not yet bridged to any physical network (because
        ovs-openflowd does that, and it is not yet running), so the next
        step depends on whether connectivity is required to configure
        the device's IP address:

           * If the switch has a static IP address, you may configure
             its IP address now, e.g.:

                # ifconfig dp0 192.168.1.1

           * If the switch does not have a static IP address, e.g. its
             IP address is obtained dynamically via DHCP, then proceed
             to the next step.  The DHCP client will not be able to 
             contact the DHCP server until the secure channel has 
             started.  The address will be obtained in step 7.

      - If you are using in-band control with controller discovery, no
        configuration is required at this point.  You may proceed to
        the next step.

6. Run ovs-openflowd to start the secure channel connecting the datapath to
   a remote controller.  If the controller is running on host
   192.168.1.2 port 6633 (the default port), the ovs-openflowd invocation
   would look like this:

      # ovs-openflowd dp0 tcp:192.168.1.2

   - If you are using in-band control with controller discovery, omit
     the second argument to the ovs-openflowd command.

   - If you are using out-of-band control, add --out-of-band to the
     command line.

   Using the "tcp:<controller_ip>" argument causes the switch to connect
   in an insecure manner.  Please see INSTALL.SSL for a description of
   how to connect securely using SSL.

7. If you are using in-band control with manual configuration, and the
   switch obtains its IP address dynamically, then you may now obtain
   the switch's IP address, e.g. by invoking a DHCP client.  The
   secure channel will only be able to connect to the controller after
   an IP address has been obtained.

8. The secure channel should connect to the controller within a few
   seconds.  It may take a little longer if controller discovery is in
   use, because the switch must then also obtain its own IP address
   and the controller's location via DHCP.

References
----------

    [1] OpenFlow Reference Implementation.
        <http://www.openflowswitch.org/wp/downloads/>

    [2] OpenFlow Switch Specification.
        <http://openflowswitch.org/documents/openflow-spec-latest.pdf>
Commit	Line	Data
b81411b7 JP	1	Using Open vSwitch as a Simple OpenFlow Switch
	2	==============================================
	3
3b12adda BP	4	Open vSwitch uses OpenFlow as its preferred method of remote flow
3b12adda BP	5	table configuration. This is the simplest method of using it with an
ac7f2d4b JG	6	OpenFlow controller. The ovs-vsctl "set-controller" command can also
	7	be used in conjunction with ovs-vswitchd to set the controller for one
	8	or more bridges. We recommend using OpenFlow in this manner and in this
	9	case you should not run ovs-openflowd. Directions for setting up
	10	ovs-vswitchd can be found in INSTALL.Linux.
3b12adda BP	11
	12	However, it is also possible to use Open vSwitch as a simple OpenFlow
	13	switch like that provided by the OpenFlow reference implementation
	14	[1]. The remainder of this file describes how to use it in that
	15	manner.
b81411b7 JP	16
	17	What is OpenFlow?
	18	-----------------
	19
	20	OpenFlow is a flow-based switch specification designed to enable
	21	researchers to run experiments in live networks. OpenFlow is based on a
	22	simple Ethernet flow switch that exposes a standardized interface for
	23	adding and removing flow entries.
	24
	25	An OpenFlow switch consists of three parts: (1) A "flow table" in
	26	which each flow entry is associated with an action telling the switch
	27	how to process the flow, (2) a "secure channel" that connects the switch
	28	to a remote process (a controller), allowing commands and packets to
	29	be sent between the controller and the switch, and (3) an OpenFlow
	30	protocol implementation, providing an open and standard way for a
	31	controller to talk to the switch.
	32
	33	An OpenFlow switch can thus serve as a simple datapath element that
	34	forwards packets between ports according to flow actions defined by
	35	the controller using OpenFlow commands. Example actions are:
	36
	37	- Forward this flow's packets to the given port(s)
	38	- Drop this flow's packets
	39	- Encapsulate and forward this flow's packets to the controller.
	40
	41	The OpenFlow switch is defined in detail in the OpenFlow switch
	42	Specification [2].
	43
	44	Installation Procedure
	45	----------------------
	46
	47	The procedure below explains how to use the Open vSwitch as a simple
	48	OpenFlow switch.
	49
	50	1. Build and install the Open vSwitch kernel modules and userspace
	51	programs as described in INSTALL.Linux.
	52
	53	It is important to run "make install", because some Open vSwitch
	54	programs expect to find files in locations selected at installation
	55	time.
	56
	57	2. Load the openvswitch kernel module (which was built in step 1), e.g.:
	58
	59	% insmod datapath/linux-2.6/openvswitch_mod.ko
	60
	61	This kernel module cannot be loaded if the Linux bridge module is
	62	already loaded. Thus, you may need to remove any existing bridges
	63	and unload the bridge module with "rmmod bridge" before you can do
	64	this.
	65
	66	3. Create a datapath instance. The command below creates a datapath
	67	identified as dp0 (see ovs-dpctl(8) for more detailed usage
	68	information).
	69
	70	# ovs-dpctl add-dp dp0
	71
	72	Creating datapath dp0 creates a new network device, also named dp0.
	73	This network device, called the datapath's "local port", will be
4cff83cb JP	74	bridged to the physical switch ports by ovs-openflowd(8). It is
4cff83cb JP	75	optionally used for in-band control as described in step 5.
b81411b7 JP	76
	77	4. Use ovs-dpctl to attach the datapath to physical interfaces on the
	78	machine. Say, for example, you want to create a trivial 2-port
	79	switch using interfaces eth1 and eth2, you would issue the following
	80	commands:
	81
	82	# ovs-dpctl add-if dp0 eth1
	83	# ovs-dpctl add-if dp0 eth2
	84
	85	You can verify that the interfaces were successfully added by asking
	86	ovs-dpctl to print the current status of datapath dp0:
	87
	88	# ovs-dpctl show dp0
	89
4cff83cb JP	90	5. Arrange so that the switch can reach the controller over the network.
	91	This can be done in two ways. The switch may be configured for
	92	out-of-band control, which means it uses a network separate from the
	93	data traffic that it controls. Alternatively, the switch may be
	94	configured to contact the controller over one of the network devices
	95	under its control. In-band control is often more convenient than
	96	out-of-band, because it is not necessary to maintain two independent
	97	networks.
b81411b7 JP	98
	99	- If you are using out-of-band control, at this point make sure
	100	that the switch machine can reach the controller over the
	101	network.
	102
	103	- If you are using in-band control, then at this point you must
	104	configure the dp0 network device created in step 3. This
	105	device is not yet bridged to any physical network (because
	106	ovs-openflowd does that, and it is not yet running), so the next
	107	step depends on whether connectivity is required to configure
	108	the device's IP address:
	109
	110	* If the switch has a static IP address, you may configure
	111	its IP address now, e.g.:
	112
	113	# ifconfig dp0 192.168.1.1
	114
	115	* If the switch does not have a static IP address, e.g. its
	116	IP address is obtained dynamically via DHCP, then proceed
4cff83cb JP	117	to the next step. The DHCP client will not be able to
	118	contact the DHCP server until the secure channel has
	119	started. The address will be obtained in step 7.
b81411b7 JP	120
	121	- If you are using in-band control with controller discovery, no
	122	configuration is required at this point. You may proceed to
4cff83cb	123	the next step.
b81411b7 JP	124
	125	6. Run ovs-openflowd to start the secure channel connecting the datapath to
	126	a remote controller. If the controller is running on host
	127	192.168.1.2 port 6633 (the default port), the ovs-openflowd invocation
	128	would look like this:
	129
	130	# ovs-openflowd dp0 tcp:192.168.1.2
	131
	132	- If you are using in-band control with controller discovery, omit
	133	the second argument to the ovs-openflowd command.
	134
	135	- If you are using out-of-band control, add --out-of-band to the
	136	command line.
	137
	138	Using the "tcp:<controller_ip>" argument causes the switch to connect
	139	in an insecure manner. Please see INSTALL.SSL for a description of
	140	how to connect securely using SSL.
	141
	142	7. If you are using in-band control with manual configuration, and the
	143	switch obtains its IP address dynamically, then you may now obtain
	144	the switch's IP address, e.g. by invoking a DHCP client. The
	145	secure channel will only be able to connect to the controller after
	146	an IP address has been obtained.
	147
	148	8. The secure channel should connect to the controller within a few
	149	seconds. It may take a little longer if controller discovery is in
	150	use, because the switch must then also obtain its own IP address
	151	and the controller's location via DHCP.
	152
	153	References
	154	----------
	155
	156	[1] OpenFlow Reference Implementation.
	157	<http://www.openflowswitch.org/wp/downloads/>
	158
	159	[2] OpenFlow Switch Specification.
	160	<http://openflowswitch.org/documents/openflow-spec-latest.pdf>