[pox-dev] Multiple controllers

Silvia Fichera fichera.sil at gmail.com
Mon Dec 9 23:47:32 PST 2013


Hi Murphy,

I would like to have controller C1 connected only to the access network. It
checks if the source is honest pretending the mechanism of 3WHS if the
source is unknown. So when it receives a SYN request it answers with the
SYN ACK and, only if the source sends the ACK, it is added to a whitelist
and is allowed to send packets in the network. If the source is in the
whitelist, when it wants to send packets it sends a SYN again, but this time
it is controller C0 that installs the forwarding rules, because it's connected
to all switches of the network. C0 and C1 could share a list of valid sources
or malicious sources (whitelist and blacklist).

Another solution could be to connect C1 only to the access network and C0 to
the core network.

After the mechanism of 3WHS check, C1 installs the rule to forward the
packet through the port connected to the core network (a sort of default
gateway). When the packet arrives on the switch belonging to the core
network C0 will install forwarding rules to the destination (that is never
in my access network).
But here the problem is to have a mechanism to know a priori the output port
of all access switches or to set it when I build the network.

Have you got any suggestions?

Bests,


2013/12/9 Murphy McCauley <murphy.mccauley at gmail.com>

> So you want to have two controllers which communicate with the same
> switch, but that do different things?  There's no straightforward way to do
> this with straight OpenFlow 1.0, but it may be possible with some of the
> Open vSwitch extensions related to multiple controllers.  You should look
> into those OVS features (controller role, controller ID, etc.).
>
> I assume you have a good reason for wanting to use two separate
> controllers.  From your description, it's not obvious.
>
> -- Murphy
>
> On Dec 9, 2013, at 4:11 AM, Silvia Fichera <fichera.sil at gmail.com> wrote:
>
> > Hi all,
> > I have an l3_learning controller that checks if a TCP connection request
> > is valid.
> > In a tree topology I would like this one to check only the edge
> > switches and, if the connection is valid, another controller will install
> > flow rules on the switches.
> >
> > So, if I receive a TCP SYN packet, first of all the switch talks to my
> > controller, which checks the "honesty" of the source:
> > - if it's not honest, "install" a drop rule on the switch
> > - else I would like the switch to forward the connection request to the
> > regular controller that installs flows.
> >
> > How can I contact the regular controller from the switch?
> >
> > Thank you
> >
> > --
> > Silvia Fichera
>



-- 
Silvia Fichera
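
The SYN / SYN-ACK / ACK whitelist check described in the message above, as an added example that is not part of the original thread and is not POX code. The class name, the returned action strings and the HMAC-derived SYN-ACK sequence number are assumptions; the cookie lets C1 validate the final ACK without keeping per-SYN state.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(16)  # per-controller key for the SYN-ACK cookie (assumption)

def cookie(src_ip, src_port, dst_ip, dst_port, client_isn):
    """32-bit sequence number for the SYN-ACK, derived from the flow tuple."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}#{client_isn}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

class HandshakeGate:
    """Decision logic for C1; names and return values are hypothetical."""

    def __init__(self):
        self.whitelist = set()  # sources that completed the handshake

    def on_tcp(self, src_ip, src_port, dst_ip, dst_port, flags, seq, ack):
        """Return (action, synack_seq) for one TCP packet seen at an access switch."""
        if flags == "SYN":
            if src_ip in self.whitelist:
                return ("handoff", None)  # C0 installs the forwarding rules
            # Unknown source: answer in place of the destination, keep no state.
            return ("synack", cookie(src_ip, src_port, dst_ip, dst_port, seq))
        if flags == "ACK" and src_ip not in self.whitelist:
            # The final ACK carries seq = client ISN + 1 and ack = cookie + 1.
            client_isn = (seq - 1) % 2**32
            expected = (cookie(src_ip, src_port, dst_ip, dst_port, client_isn) + 1) % 2**32
            if ack == expected:
                self.whitelist.add(src_ip)
                return ("whitelisted", None)
            # The source address on a bad ACK is unverified, so it is dropped
            # without blacklisting the address it claims to come from.
            return ("drop", None)
        return ("handoff", None) if src_ip in self.whitelist else ("drop", None)
```

Only a host that actually receives the SYN-ACK can return the matching ACK, so a source that forges its address never reaches the whitelist.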