
OPEN VIRTUAL SWITCH

Lab 4: Open vSwitch Flow Table

Document Version: 06-29-2021

Award 1829698
“CyberTraining CIP: Cyberinfrastructure Expertise on High-throughput
Networks for Big Science Data Transfers”

Contents

Overview
Objectives
Lab settings
Lab roadmap
1 Introduction
  1.1 Introduction to OpenFlow
  1.2 OpenFlow architecture
  1.3 OpenFlow flow table and packet matching
2 Lab topology
  2.1 Lab settings
  2.2 Loading a topology
  2.3 Loading the configuration file
3 Verifying IP addresses on the hosts
4 Enabling traditional switch forwarding operation
5 Enabling traffic forwarding using layer 1 data
6 Enabling traffic forwarding using layer 2 data
7 Enabling traffic forwarding using layer 3 data
8 Enabling traffic forwarding using layer 4 data
9 Setting match priority


Overview

The lab discusses the concept of OpenFlow, a protocol designed to manage and direct
traffic among routers and switches manufactured by various vendors. This lab aims to
demonstrate how to manage flows manually in an Open Virtual Switch (Open vSwitch)
connected to two emulated hosts.

Objectives

By the end of this lab, you should be able to:

1. Understand the behavior of the OpenFlow protocol.
2. Inspect the flow table entries.
3. Enable packet forwarding by inserting flow rules manually.
4. Set match priorities over existing flows.

Lab settings

The information in Table 1 provides the credentials to access the Client’s virtual machine.

Table 1. Credentials to access Client’s virtual machine.

Device    Account    Password
Client    admin      password

Lab roadmap

This lab is organized as follows:

1. Section 1: Introduction.
2. Section 2: Lab topology.
3. Section 3: Verifying IP addresses on the hosts.
4. Section 4: Enabling traditional switch forwarding operation.
5. Section 5: Enabling traffic forwarding using layer 1 data.
6. Section 6: Enabling traffic forwarding using layer 2 data.
7. Section 7: Enabling traffic forwarding using layer 3 data.
8. Section 8: Enabling traffic forwarding using layer 4 data.
9. Section 9: Setting match priority.

1 Introduction


• Pass the packet to the controller.

The flows can be installed manually within the switch if there is no controller connected
to the switch. The flows are installed in the Open vSwitch daemon (ovs-vswitchd), which
controls the switch and implements the OpenFlow protocol. The ovs-ofctl command-line
tool is required for monitoring and administering switches that support the OpenFlow
protocol.

Figure 2 shows the basic functions of an OpenFlow switch and its relationship to a
controller. When the data plane finds no match for an incoming packet, it sends a
PACKET_IN message to the controller. The control plane runs routing and switching
protocols and other logic to determine the forwarding tables and logic in the data plane.
Consequently, when the controller has a data packet to forward out through the switch,
it uses the OpenFlow PACKET_OUT message. The flow entry is then stored in the flow
table located in the switch. If there is no controller connected to the switch, the switch
will look up its flow table and take action based on the flow entries manually stored in
the switch. If there is no match in the flow table, the switch will drop the packet.

[Diagram: an OpenFlow controller exchanges PACKET_IN and PACKET_OUT messages over the
OpenFlow protocol with an OpenFlow switch that contains a packet-matching function, a
flow table, and ports 1 to 6.]

Figure 2. OpenFlow packet forwarding architecture.

1.3 OpenFlow flow table and packet matching

Each flow table contains a set of flow entries that consist of match fields, counters, and a
set of instructions. An Open vSwitch may contain more than one flow table. The switch
starts matching at the first flow table and continues to check additional flow tables to find
a match. By default, all the flow entries are stored in the first table (table 0) if the table
number is not specified for an entry. Packets match against the packet header fields such
as switch input port, VLAN ID, Ethernet source/destination addresses, IP


Figure 4. MiniEdit shortcut.

Step 2. On MiniEdit’s menu bar, click on File, then Open, to load the lab’s topology. Locate
the Lab4.mn topology file in the default directory, /home/ovs/OVS_Labs/lab4, and click
on Open.

Figure 5. MiniEdit’s Open dialog.

Figure 6. MiniEdit’s topology.



Step 3. To proceed with the emulation, click on the Run button located in the lower
left-hand side.

Figure 7. Starting the emulation.

Step 4. Click on Mininet’s terminal, i.e., the one launched when MiniEdit was started.

Figure 8. Opening Mininet’s terminal.

Step 5. Issue the following command to display the interface names and connections.

links

Figure 9. Displaying network interfaces.

In Figure 9, the link displayed within the gray box indicates that interface eth0 of host h1
connects to interface eth1 of switch s1 (i.e., h1-eth0<->s1-eth1).

2.3 Loading the configuration file

Step 1. Open the Linux terminal.

Figure 10. Opening Linux terminal.



Step 2. Click on the Linux terminal and navigate into the OVS_Labs/lab4 directory by issuing
the following command.

cd OVS_Labs/lab4

Figure 11. Entering the OVS_Labs/lab4 directory.

Step 3. This folder contains a configuration script that assigns easy-to-read Media Access
Control (MAC) addresses to the hosts’ interfaces. To execute the shell script, type the
following command. When prompted for a password, type password.

./setMACs.sh

Figure 12. Executing the shell script to load the configuration.

Step 4. Type the following command to exit from the lab4 directory and go back to the
home directory.

cd

Figure 13. Exiting from the directory.

3 Verifying IP addresses on the hosts

In this section, you will verify that the IP addresses on the hosts are assigned according to
Table 2.

Step 1. Hold right-click on host h1 and select Terminal. This opens the terminal of host h1
and allows the execution of commands on that host.

Figure 14. Opening a terminal on host h1.

Step 2. In host h1 terminal, type the following command to verify that the IP address was
assigned successfully. Verify that the host interface h1-eth0 is configured with the IP
address 10.0.0.1 and the subnet mask 255.0.0.0. Also verify the MAC address,
00:00:00:00:00:01.

ifconfig

Figure 15. Verifying the IP address, subnet mask, and MAC address of the host.

Step 3. In host h2 terminal, type the following command to verify that the IP address was
assigned successfully. Verify that the host interface h2-eth0 is configured with the IP
address 10.0.0.2 and the subnet mask 255.0.0.0. Also verify the MAC address,
00:00:00:00:00:02.

ifconfig


Figure 16. Verifying the IP address, subnet mask, and MAC address of the host.

Step 4. On host h1 terminal, test the connectivity between host h1 and host h2 using
the ping command. To stop the test, press Ctrl+c.

ping 10.0.0.2

Figure 17. Output of ping command.

Hosts cannot ping each other as the fail_mode of the switch is secure and the flow table
in the switch is empty at this point. In secure fail_mode, the flow table in the switch will
not be populated if there is no connection to the controller.

4 Enabling traditional switch forwarding operation

In this section, you will enable the traditional switch forwarding operation in switch s1.

Step 1. Type the following command to add a flow in switch s1. The ovs-ofctl program
is a command-line tool for monitoring and administering OpenFlow switches. An action of
a flow indicates an action to take when a packet matches the flow entry. A normal action
allows the device to conduct normal layer 2/layer 3 packet processing.


sudo ovs-ofctl add-flow s1 action=normal

Figure 18. Adding normal flow in switch s1.

Step 2. On host h1 terminal, test the connectivity between host h1 and host h2 using
the ping command.

ping 10.0.0.2

Figure 19. Output of ping command.

The figure shows a successful connectivity test. To stop the test, press Ctrl+c.

Step 3. Type the following command to verify the flow installation. This command prints
the flow table entries in switch s1. The output depicts the configuration parameters when
the forwarding action is set to normal.

sudo ovs-ofctl dump-flows s1

Figure 20. Verifying flow in switch s1.

Consider the figure above. The normal action allows the switch to conduct normal layer
2/layer 3 packet processing like a traditional switch.

Step 4. Type the following command to delete all existing flows in switch s1 so that you
can add another flow entry in the following section.

sudo ovs-ofctl del-flows s1


Figure 21. Deleting existing flows from switch s1.

5 Enabling traffic forwarding using layer 1 data

In this section, you will work at the physical port level. You will program the switch so
that everything that arrives at switch s1 on port 1 is sent out to port 2, and vice versa.

Step 1. Type the following command to add a flow in switch s1. The command indicates
that traffic coming from port 1 (s1-eth1) has to be forwarded to port 2 (s1-eth2).

sudo ovs-ofctl add-flow s1 in_port=1,action=output:2

Figure 22. Adding a port forwarding flow entry.

Step 2. Type the following command to add a flow in switch s1. The command indicates
that traffic coming from port 2 (s1-eth2) has to be forwarded to port 1 (s1-eth1).

sudo ovs-ofctl add-flow s1 in_port=2,action=output:1

Figure 23. Adding a port forwarding flow entry.

Step 3. On host h1 terminal, test the connectivity between host h1 and host h2 using
the ping command.

ping 10.0.0.2


Figure 24. Output of ping command.

The figure shows a successful connectivity test. To stop the test, press Ctrl+c.

Step 4. Type the following command to verify the flow installation. This command prints
the flow table entries in switch s1.

sudo ovs-ofctl dump-flows s1

Figure 25. Verifying flows in switch s1.

You will notice two flow rules installed on the switch. Packets coming from port s1-eth1
are sent out to port s1-eth2, and vice versa.

Step 5. Type the following command to delete all existing flows in switch s1 so that you
can add another flow entry in the following section.

sudo ovs-ofctl del-flows s1

Figure 26. Deleting existing flows from switch s1.

6 Enabling traffic forwarding using layer 2 data

In this section, you will create flow entries based on the MAC addresses of the hosts.

Step 1. Type the following command to insert a flow entry in switch s1.


sudo ovs-ofctl add-flow s1 dl_dst=00:00:00:00:00:01,action=output:1

Figure 27. Adding a MAC based flow entry.

Consider the figure above. The flow specifies that the switch will match against the
destination MAC address. Traffic going to the destination host h1 will be forwarded to
switch port s1-eth1.

Step 2. Type the following command to insert a flow entry in switch s1.

sudo ovs-ofctl add-flow s1 dl_dst=00:00:00:00:00:02,action=output:2

Figure 28. Adding a MAC based flow entry.

Consider the figure above. The flow specifies that the switch will match against the
destination MAC address. Traffic going to the destination host h2 will be forwarded to
switch port s1-eth2.

Hosts cannot ping at this moment since ping works at the IP level. Initially, Address
Resolution Protocol (ARP) is required to find out the MAC address of a different host. You
will add a flow that allows ARP requests in the following step in order to get successful
connectivity between hosts.

Step 3. Type the following command to add a flow to allow ARP requests.

sudo ovs-ofctl add-flow s1 arp,action=normal

Figure 29. Adding a flow to allow ARP requests.

Consider the figure above. The command adds a flow that sends ARP requests to all the
switch ports.

Step 4. In host h1 terminal, test the connectivity between host h1 and host h2 using
the ping command.


ping 10.0.0.2

Figure 30. Output of ping command.

The figure shows a successful connectivity test. To stop the test, press Ctrl+c.

Step 5. Type the following command to delete all existing flows in the switch s1 so that
you can add another flow entry in the following section.

sudo ovs-ofctl del-flows s1

Figure 31. Deleting existing flows from switch s1.

7 Enabling traffic forwarding using layer 3 data

In this section, you will create flow entries based on IP addresses.

Step 1. Type the following command to insert a flow entry in switch s1.

sudo ovs-ofctl add-flow s1 ip,nw_dst=10.0.0.1,action=output:1

Figure 32. Adding an IP-based flow entry.

Consider the figure above. The flow specifies that the switch will match against
destination IP 10.0.0.1. Traffic going to the destination 10.0.0.1 will be forwarded to
switch port s1-eth1.

Step 2. Type the following command to insert a flow entry in switch s1.


sudo ovs-ofctl add-flow s1 ip,nw_dst=10.0.0.2,action=output:2

Figure 33. Adding an IP-based flow entry.

Consider the figure above. The flow specifies that the switch will match against
destination IP 10.0.0.2. Traffic going to the destination 10.0.0.2 will be forwarded to
switch port s1-eth2.

Step 3. Type the following command to add a flow to allow ARP requests.

sudo ovs-ofctl add-flow s1 arp,action=normal

Figure 34. Adding an ARP flow entry.

Step 4. In host h1 terminal, test the connectivity between host h1 and host h2 using
the ping command.

ping 10.0.0.2

Figure 35. Output of ping command.

The figure shows a successful connectivity test. To stop the test, press Ctrl+c.

Step 5. Type the following command to verify the flow installation in switch s1.

sudo ovs-ofctl dump-flows s1


Figure 36. Verifying flow in switch s1.

Consider the figure above. IP based flow entries are installed in the flow table.

Step 6. Type the following command to delete all existing flows in switch s1 so that you
can add another flow entry in the following section.

sudo ovs-ofctl del-flows s1

Figure 37. Deleting existing flows from switch s1.

8 Enabling traffic forwarding using layer 4 data

In this section, you will work at the application layer. A simple Python web server will
run on host h2, and host h1 will connect to that server on port 80.

Step 1. Type the following command to start an HTTP server named SimpleHTTPServer
in host h2, listening on port 80.

python -m SimpleHTTPServer 80 &

Figure 38. Starting a Python web server.

The figure shows that host h2 is serving as an HTTP server, listening on port 80.

Step 2. Type the following command to insert an ARP flow in switch s1.

sudo ovs-ofctl add-flow s1 arp,action=normal


Figure 39. Adding a flow to allow ARP requests.

Consider the figure above. The command adds a flow that sends ARP requests to all the
switch ports.

Step 3. Type the following command to add a flow rule that forwards all TCP traffic with
destination port 80 (tp_dst=80) to the switch port s1-eth2.

sudo ovs-ofctl add-flow s1 tcp,tp_dst=80,action=output:2

Figure 40. Adding a flow entry.

Step 4. Type the following command to add a flow in switch s1.

sudo ovs-ofctl add-flow s1 ip,nw_src=10.0.0.2,action=output:1

Figure 41. Adding a flow entry.

Consider the figure above. The IP based flow will be matched against the source address.
Traffic originating from source IP 10.0.0.2 will be forwarded to switch port s1-eth1.

Step 5. In host h1 terminal, issue an HTTP request to host h2 using the curl command.

curl 10.0.0.2


Figure 42. Output of curl command.

Consider the figure above. This is a basic example of a curl command that simulates a GET
request for a website URL. The command shows the output of the HTTP response from host
h2 in HTML format.

Step 6. In host h2 terminal, see the output for the curl command.

Figure 43. Output of curl command.

The figure shows the response being sent to host h1 (10.0.0.1).

Step 7. Type the following command to delete all existing flows in switch s1 so that you
can add another flow entry in the following section.

sudo ovs-ofctl del-flows s1

Figure 44. Deleting existing flows from switch s1.

9 Setting match priority



In OpenFlow, packets are matched against flow entries based on prioritization. A priority
has a value of 0 to 65535. Higher priority entries must match before lower priority ones.
In this section, you will add a flow that has priority over an existing flow and verify how
the higher priority works over the lower ones.

Step 1. Type the following command to add a MAC based flow entry in switch s1 with a
priority. The command indicates that the traffic going to the destination host h2 will be
forwarded to the port s1-eth2.

sudo ovs-ofctl add-flow s1 priority=400,dl_dst=00:00:00:00:00:02,action=output:2

Figure 45. Adding a MAC based flow entry.

Step 2. Type the following command to insert a MAC based flow entry in switch s1 with a
priority. The command indicates that the traffic going to the destination host h1 will be
forwarded to the port s1-eth1.

sudo ovs-ofctl add-flow s1 priority=400,dl_dst=00:00:00:00:00:01,action=output:1

Figure 46. Adding a MAC based flow entry.

Step 3. Type the following command to add an IP based flow entry in switch s1 with higher
priority. The command indicates that the traffic going to the destination host h2 will be
dropped.

sudo ovs-ofctl add-flow s1 ip,priority=500,nw_dst=10.0.0.2,action=drop

Figure 47. Adding a flow in switch s1.

Consider the command above. The priority has been set to 500, greater than the previous
flow (400). Based on the flow definition, there will be no connectivity between hosts h1
and h2 since the flow has a higher priority.

Step 4. Type the following command to insert an ARP flow in switch s1.

sudo ovs-ofctl add-flow s1 arp,action=normal

Figure 48. Adding a flow to allow ARP requests.

Step 5. Type the following command to verify flow installation in switch s1.

sudo ovs-ofctl dump-flows s1

Figure 49. Verifying flows in switch s1.

The figure above shows flows with different priorities.

Step 6. In host h1 terminal, test the connectivity between hosts h1 and h2 using the ping
command. There is no connectivity between hosts h1 and h2 since the switch is dropping
the traffic. To stop the test, press Ctrl+c.

ping 10.0.0.2

Figure 50. Output of ping command.

Step 7. Type the following command to delete an existing flow with higher priority.

sudo ovs-ofctl del-flows s1 ip


Figure 51. Deleting an existing flow from switch s1.

Consider the figure above. We can delete flows from the flow table based on match
priorities. The command deletes all the IP based flows. The IP based flow with
priority 500 should be deleted from the flow table.

Step 8. Type the following command to verify flow installation in switch s1.

sudo ovs-ofctl dump-flows s1

Figure 52. Verifying flows in switch s1.

Consider the figure above. The IP based flow with priority 500 does not exist in the flow
table anymore. Only MAC based flows with priority 400 are present in the table. Hosts h1
and h2 should have successful connectivity between them at this point.

Step 9. In host h1 terminal, test the connectivity between host h1 and host h2 using
the ping command.

ping 10.0.0.2

Figure 53. Output of ping command.

The figure shows a successful connectivity test. To stop the test, press Ctrl+c.
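
The priority lookup exercised in this section can be reproduced offline with the Python model below. It is an added example, not part of the original lab or of Open vSwitch; FlowTable, parse_flow and run_section9 are hypothetical names, the packets are constructed samples, and only exact field matching in table 0 is modeled. It goes one step beyond the lab by adding a flow without priority=, which receives ovs-ofctl's default priority of 32768 and therefore outranks the priority-500 drop rule.

```python
DEFAULT_PRIORITY = 32768  # ovs-ofctl default when priority= is omitted

# Protocol keywords from the lab's flow specs, expanded to header-field matches.
SHORTHAND = {"arp": {"dl_type": "0x0806"}, "ip": {"dl_type": "0x0800"},
             "tcp": {"dl_type": "0x0800", "nw_proto": "6"}}


def parse_flow(spec):
    """Parse an add-flow style spec (one action, as in this lab)."""
    priority, match, action = DEFAULT_PRIORITY, {}, None
    for token in filter(None, spec.split(",")):
        key, _, value = token.partition("=")
        if key in SHORTHAND:
            match.update(SHORTHAND[key])
        elif key == "priority":
            priority = int(value)
        elif key in ("action", "actions"):
            action = value
        else:
            match[key] = value
    return priority, match, action


class FlowTable:
    """Hypothetical model of table 0 on a switch with no controller."""

    def __init__(self):
        self.flows = []

    def add_flow(self, spec):
        self.flows.append(parse_flow(spec))

    def del_flows(self, spec=""):
        # Non-strict delete: remove flows whose match includes all given fields.
        wanted = parse_flow(spec)[1]
        self.flows = [f for f in self.flows if not wanted.items() <= f[1].items()]

    def lookup(self, packet):
        # A flow matches when every field it names equals the packet's value.
        # The highest-priority match wins; no match is a table miss (drop).
        hits = [f for f in self.flows if f[1].items() <= packet.items()]
        if not hits:
            return (None, "drop")
        priority, _, action = max(hits, key=lambda f: f[0])
        return (priority, action)


# Constructed sample packets from h1, using the lab's addresses.
PING_H1_TO_H2 = {"in_port": "1", "dl_dst": "00:00:00:00:00:02",
                 "dl_type": "0x0800", "nw_proto": "1",
                 "nw_src": "10.0.0.1", "nw_dst": "10.0.0.2"}
ARP_FROM_H1 = {"in_port": "1", "dl_dst": "ff:ff:ff:ff:ff:ff", "dl_type": "0x0806"}


def run_section9():
    table, seen = FlowTable(), {}
    seen["empty"] = table.lookup(PING_H1_TO_H2)
    for spec in ("priority=400,dl_dst=00:00:00:00:00:02,action=output:2",
                 "priority=400,dl_dst=00:00:00:00:00:01,action=output:1",
                 "ip,priority=500,nw_dst=10.0.0.2,action=drop",
                 "arp,action=normal"):
        table.add_flow(spec)
    seen["drop_rule"] = table.lookup(PING_H1_TO_H2)
    seen["arp"] = table.lookup(ARP_FROM_H1)
    # Not a lab step: a flow added without priority= outranks the 500 drop rule.
    table.add_flow("ip,nw_dst=10.0.0.2,action=output:2")
    seen["no_priority"] = table.lookup(PING_H1_TO_H2)
    table.del_flows("ip")
    seen["after_del"] = table.lookup(PING_H1_TO_H2)
    return seen


if __name__ == "__main__":
    print(run_section9())
```

When auditing a real table with dump-flows, treat any entry shown without a priority= field as sitting at 32768, above every explicitly low-priority drop rule.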

This concludes Lab 4. Stop the emulation and then exit out of MiniEdit and the Linux
terminal.
