[pox-dev] Multiple controllers

Murphy McCauley murphy.mccauley at gmail.com
Tue Dec 10 12:34:13 PST 2013


The second option would be my preference.  As for how C1 knows enough about the core network to do the first hop correctly... the first thing I'd do is figure out if it was reasonable to just statically configure it.

Still... are two distinct controllers really required?  Why not one controller which treats the access switch differently than the core switches?  There may well be a good reason, but it's a question worth asking.

As to the specific issues in your second email... I think it may actually be two problems.

The cause of the warning is explained in the second entry of the POX FAQ.

The OpenFlow error is most commonly seen either when there's a loop, or when you've sent two flow-mods/packet-outs referencing the same buffer_id (often from two different packet-in handlers).  The specified buffer has already been used/discarded.  See the OpenFlow spec for more on OFPBRC_BUFFER_EMPTY.

-- Murphy

On Dec 10, 2013, at 3:51 AM, Silvia Fichera <fichera.sil at gmail.com> wrote:

> I'm trying to follow the second option.
> The forwarding process is working just one way. 
> I would like to prepare the switch to forward the ack response from the host, so I want to install a proactive rule.
> I've tried to do it in this way:
> 
>             actions2=[]
>             actions2.append(of.ofp_action_dl_addr.set_dst(mac2))
>             actions2.append(of.ofp_action_output(port=inport))
>             match = of.ofp_match()
>             match.in_port=1
>             match.dl_src=mac
>             match.dl_dst=mac2
>             match.nw_proto=6
>             match.nw_src=dstaddr
>             match.nw_dst=srcaddr
>             msg=of.ofp_flow_mod(command=of.OFPFC_ADD,
>                               #idle_timeout=FLOW_IDLE_TIMEOUT,
>                               hard_timeout=of.OFP_FLOW_PERMANENT,
>                               buffer_id=event.ofp.buffer_id,
>                               actions=actions2,match=match)
>             event.connection.send(msg.pack())
> 
> where:
> mac = self.arpTable[dpid][dstaddr].mac #dst host mac addr
> mac2 = self.arpTable[dpid][srcaddr].mac #src host mac addr
> dstaddr = packet.next.dstip  
> srcaddr = packet.next.srcip
>   
> The in port is set to 1 because it's the default port to/from the core network.
> 
> When I try this implementation I've got this error:
> 
> WARNING:libopenflow_01:Fields ignored due to unspecified prerequisites: nw_dst nw_src nw_proto
> 
> ERROR:openflow.of_01:[00-00-00-00-00-01 3] OpenFlow Error:
> [00-00-00-00-00-01 3] Error: header: 
> [00-00-00-00-00-01 3] Error:   version: 1
> [00-00-00-00-00-01 3] Error:   type:    1 (OFPT_ERROR)
> [00-00-00-00-00-01 3] Error:   length:  76
> [00-00-00-00-00-01 3] Error:   xid:     17
> [00-00-00-00-00-01 3] Error: type: OFPET_BAD_REQUEST (1)
> [00-00-00-00-00-01 3] Error: code: OFPBRC_BUFFER_EMPTY (7)
> [00-00-00-00-00-01 3] Error: datalen: 64
> [00-00-00-00-00-01 3] Error: 0000: 01 0e 00 60 00 00 00 11  00 10 00 12 00 01 76 57   |...`..........vW|
> [00-00-00-00-00-01 3] Error: 0010: 3b c6 e3 37 de c9 a5 fe  9c ee 00 00 00 00 00 00   |;..7............|
> [00-00-00-00-00-01 3] Error: 0020: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   |................|
> [00-00-00-00-00-01 3] Error: 0030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 80 00   |................|
> 
> What's wrong? 
> 
> Thank you.
> 
> 
> 
> 
> 2013/12/10 Silvia Fichera <fichera.sil at gmail.com>
> Hi Murphy,
> 
> I would like to have controller C1 connected only to the access network. It checks if the source is honest pretending the mechanism of 3WHS if the source is unknown. So when it receives a SYN request it answers with the SYN ACK and, only if the source sends the ACK, it is added to a whitelist, and it's allowed to send packets in the network. If the source is in the whitelist, when it wants to send a packet it sends a SYN again, but this time it is controller C0 that installs the forwarding rules because it's connected to all switches of the network. C0 and C1 could share a list of valid sources or malicious sources (whitelist and blacklist).
> 
> Another solution could be to connect C1 only to the access network and C0 to the core network,
> 
> After the mechanism of 3WHS check, C1 installs the rule to forward the packet through the port connected to the core network (a sort of default gateway). When the packet arrives on the switch belonging to the core network C0 will install forwarding rules to the destination (that is never in my access network).
> But here the problem is to have a mechanism to know a priori the output port of all access switches or to set it when I build the network.
> 
> Have you got any suggestions?
> 
> Bests,
> 
> 
> 2013/12/9 Murphy McCauley <murphy.mccauley at gmail.com>
> So you want to have two controllers which communicate with the same switch, but that do different things?  There's no straightforward way to do this with straight OpenFlow 1.0, but it may be possible with some of the Open vSwitch extensions related to multiple controllers.  You should look into those OVS features (controller role, controller ID, etc.).
> 
> I assume you have a good reason for wanting to use two separate controllers.  From your description, it's not obvious.
> 
> -- Murphy
> 
> On Dec 9, 2013, at 4:11 AM, Silvia Fichera <fichera.sil at gmail.com> wrote:
> 
> > Hi all,
> > I've a l3_learning controller that checks if a TCP request connection is valid.
> > In a tree topology I would like that this one checks only the edge switches and, if the connection is valid, another controller will install flow rules on the switches.
> >
> > So, if I receive a tcp SYN packet first of all the switch talks to my controller, it checks the "honesty" of the source:
> > - if it's not honest "install" a drop rule on the switch
> > - else I would like that the switch forwards the connection request to the regular controller that installs flows.
> >
> > How can I contact the regular controller from the switch?
> >
> > Thank you
> >
> > --
> > Silvia Fichera
> 
> 
> 
> -- 
> Silvia Fichera
> 
> 
> 
> -- 
> Silvia Fichera
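
The OFPT_ERROR dump in the quoted message echoes the first 64 bytes of the rejected flow-mod, so it can be decoded to check what actually went on the wire after the "Fields ignored" warning. The following is an added example, not code from the thread or from POX; the function names are hypothetical and the field layout is the OpenFlow 1.0 ofp_flow_mod structure.

```python
import socket
import struct

# First 64 bytes of the rejected request, copied from the OFPT_ERROR dump
# in the quoted message (the switch echoes the start of the offending message).
ERROR_DATA = bytes.fromhex(
    "010e006000000011" "0010001200017657"
    "3bc6e337dec9a5fe" "9cee000000000000"
    + "00" * 30 + "8000"
)

OFPT_FLOW_MOD = 14
OFPFW_DL_TYPE = 1 << 4          # OpenFlow 1.0 wildcard bit for dl_type
HEADER = struct.Struct("!BBHI")                  # version, type, length, xid
MATCH = struct.Struct("!IH6s6sHBxHBB2x4s4sHH")   # ofp_match, 40 bytes
TAIL = struct.Struct("!QHHHH")   # cookie, command, idle, hard, priority


def mac(raw):
    return ":".join("%02x" % b for b in raw)


def decode_flow_mod(data):
    """Decode the OpenFlow 1.0 flow-mod prefix carried in an error message."""
    version, msg_type, length, xid = HEADER.unpack_from(data, 0)
    if version != 1 or msg_type != OFPT_FLOW_MOD:
        raise ValueError("not an OpenFlow 1.0 flow-mod")
    (wild, in_port, dl_src, dl_dst, _vlan, _pcp, dl_type, _tos, nw_proto,
     nw_src, nw_dst, _tp_src, _tp_dst) = MATCH.unpack_from(data, HEADER.size)
    _cookie, command, _idle, hard, priority = TAIL.unpack_from(
        data, HEADER.size + MATCH.size)
    return {
        "xid": xid, "length": length, "in_port": in_port,
        "dl_src": mac(dl_src), "dl_dst": mac(dl_dst),
        "dl_type_wildcarded": bool(wild & OFPFW_DL_TYPE),
        "dl_type": dl_type, "nw_proto": nw_proto,
        "nw_src": socket.inet_ntoa(nw_src), "nw_dst": socket.inet_ntoa(nw_dst),
        "command": command, "hard_timeout": hard, "priority": priority,
    }


def l3_fields_on_wire(fm):
    """True only if the match can constrain IP fields (dl_type set to IPv4)."""
    return not fm["dl_type_wildcarded"] and fm["dl_type"] == 0x0800


if __name__ == "__main__":
    fm = decode_flow_mod(ERROR_DATA)
    for key, value in fm.items():
        print("%-20s %s" % (key, value))
    print("IP match effective:", l3_fields_on_wire(fm))
```

The decoded match carries only in_port and the two MAC addresses, with dl_type wildcarded and the IP fields zero, so the permanent rule is broader than the TCP-specific rule the code intended. buffer_id begins at byte 64, just past the echoed data, so the dump does not show which buffer was referenced.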



