Figure 1: Hybrid Programmable Forwarding Planes
sudo apt-get install apache2
Install the sFlow-RT integrated hybrid OpenFlow controller, either on the Mininet virtual machine, or on a different system (Java 1.6+ is required to run sFlow-RT):
sflow enable
sflow agent-ip 10.0.0.252
sflow collector-ip 10.0.0.50
sflow sampling-rate 10000
sflow counter-poll-interval 30
For each interface:
interface ethernet 1/1 sflow enable
A previous posting discussed the selection of sampling rates. Additional information can be found on the Mellanox web site.
Figure 1: ISP/IX Market Segment
Figure 2: Novel DDoS Mitigation solution using Real-time SDN Analytics
// Define large flow […]
Figure 1: Fabric: A Retrospective on Evolving SDN
ONS2014 Announces Finalists for SDN Idol 2014 provides some sFlow related trivia relating to the finalists.
An expert panel of judges selected the finalists:
Figure 1: Marking large flows
Figure 2: Large flow marking controller results
ping -f 10.0.0.238 -s 1400
Figure 2 shows the results: the left half of the chart shows traffic when the controller is disabled and the right half shows traffic when the controller is enabled. The blue line trends the largest unmarked flow seen in the network and the gold line shows the largest marked flow. When the controller is disabled, none of the traffic is marked. When the controller is enabled, sFlow-RT detects the large flow […]
Figure 1: Best of Velocity 2012, The sFlow Standard
Figure 1: Controller using HTTP / REST API
Figure 2: Performance aware software defined networking
Figure 3: OmniSwitch controller using hybrid OpenFlow
Performance Aware SDN describes the theory behind analytics driven orchestration. The talk describes how fast controller response, programmatic configuration interfaces and consistent instrumentation of all the elements being orchestrated are prerequisites for feedback control.
This article uses an Alcatel-Lucent OmniSwitch 6900 as an example. The switch has hardware sFlow support for line rate visibility on all ports, and support for OpenFlow and a RESTful configuration API to deploy control actions. In this example a basic DDoS mitigation filtering function will be triggered when large flood attacks are detected. The script is based on the version described in the article Integrated hybrid OpenFlow, but modified to use the OmniSwitch RESTful API.
sflow agent ip 10.0.0.235
sflow receiver 1 name InMon address 10.0.0.1 udp-port 6343
sflow sampler 1 port 1/1-20 receiver 1 rate 512
sflow poller 1 port 1/1-20 receiver 1 interval 30
The switches also support the sFlow MIB for configuration.
$ wget https://jenkins.opendaylight.org/controller/job/controller-merge/lastSuccessfulBuild/artifact/opendaylight/distribution/opendaylight/target/distribution.opendaylight-osgipackage.zip
unzip distribution.opendaylight-osgipackage.zip
Next start Mininet.
sudo mn --topo single,3 --controller=remote,ip=127.0.0.1
Enable sFlow on the switch:
sudo ovs-vsctl -- --id=@sflow create sflow agent=eth0 target="127.0.0.1:6343" sampling=10 polling=20 -- -- set bridge s1 sflow=@sflow
Start OpenDaylight.
cd opendaylight
./run.sh
Confirm that the controller is running and has discovered the switch by connecting a browser to port 8080 on the testbed. The screenshot at the start of the article shows the OpenDaylight Devices tab with the switch 00:00:00:00:00:00:00:01 shown in the Nodes Learned list and in the map. The default credentials to log into the OpenDaylight interface are User: admin, Password: admin.
include('extras/json2.js');
var flowkeys = 'ipsource';
var value = 'frames';
var filter = 'outputifindex!=discard&direction=ingress&sourcegroup=external';
var threshold = 1000;
var groups = {'external':['0.0.0.0/0'],'internal':['10.0.0.2/32']};
var metricName = 'ddos';
var controls = {};
var enabled = true;
// […]
This is my third and probably last installment of an ongoing story about our quest for OpenFlow 1.0 capable switches with a specific requirement - the capability to modify L3 destination addresses. The background of why Sakura Internet needs such switches for the purpose of DDoS attack mitigation is explained in my first article, along with […]
The post Centec V330: My Kind of OpenFlow Switch appeared first on Packet Pushers Podcast and was written by Tamihiro Yuzawa.
This article is meant to serve in part as an appendix to my previous post on PacketPushers.net. Therefore, please take a moment to read this introduction of Sakura Internet’s DDoS detection and mitigation app if you haven’t already. At Sakura, we are in the process of implementing source-and-destination-based DDoS packet filtering that should be effective and […]
The post Wanted: OpenFlow Switch With ofp_action To Modify The Destination L3 Address appeared first on Packet Pushers Podcast and was written by Tamihiro Yuzawa.
Sakura Internet operates several data centers across Japan, including this one, and my team is in charge of building and taking care of our IP backbones. In this article, I will introduce the ongoing process of upgrading our DDoS mitigation solution, which happens to be a down-to-earth, if not widely applicable, use case for OpenFlow. […]
The post OpenFlow 1.0 Actual Use-Case: RTBH of DDoS Traffic While Keeping the Target Online appeared first on Packet Pushers Podcast and was written by Tamihiro Yuzawa.