Technologies and Topics

  • Faucet – a Ryu-based OpenFlow Controller
  • A virtual workspace for installing and testing Faucet
  • Faucet 1.1 release that supports multiple datapaths
  • ACL security in an OpenFlow switch
  • In-Depth analysis of the six table pipeline in Faucet
  • In-Depth tutorial on ACL rule construction

Tutorial Learning Outcomes:

After working with this article you will be able to:

  • Create a Virtual Network, on your PC, with multiple Linux-based Hosts and OpenFlow switches, that is controlled by the Faucet OpenFlow Controller Application.
  • Communicate the pipeline structure of Faucet and the functionality of each of the six tables.
  • Craft and implement an ACL based security policy for each Host that is implemented on the OpenFlow Switches using the faucet.yaml configuration file.
  • Articulate the structure of ACL rules and the associated Match and Action fields.
  • Designate the valid VLANs for each port on each switch.
  • Map security ACL rules to specific switch ports.
  • Operationally test and validate planned against actual packet flow through the ACL policies installed on the switches in the virtual network.

Faucet Controller Application Technical Track

This Faucet Controller Application Technical Track is a tutorial designed to build understanding and operational expertise with Faucet. Developed originally by REANNZ and now also supported by the Open Networking Foundation plus other key contributors, Faucet is an open source SDN controller that implements a familiar learning switch with VLAN and NFV offload support. Faucet also supports NMS, IP routing, ACLs, and packet.

In a series of How-To articles, the key components of Faucet are introduced. These articles build skills for infrastructure management, OpenFlow programming, security management, and realistic test operations. Each article has a specific set of Learning Objectives identified, and these are presented below.

The Faucet Controller Application articles presented below on this page are, in sequence:

  1. Faucet in a Virtual Infrastructure
  2. Dissecting the Faucet v1.1 Pipeline
  3. Dissecting Faucet Security

How to Use this Technical Track Tutorial

The articles in this track are designed to present the technical details of a specific OpenFlow Controller Application – Faucet. If you are new to OpenFlow, or still on the path to having a solid general proficiency with OpenFlow, we strongly advise completing the Core OpenFlow Technical Track before diving into Faucet.

The first three articles in this Track (the only ones published right now) focus on the very core aspects of working with Faucet: implementing a realistic virtual workspace, in-depth undressing of the multi-table structure and L2 learning, and crafting security policies. Each article in the sequence builds on the previous material. Therefore, we strongly urge that you work through these articles in sequence.

Depending on starting skills, this Faucet Controller Application Technical Track is a 1 to 3 day course.

 

Faucet in a Virtual Infrastructure

In this tutorial, we will be kicking off our new Faucet Technical Track by introducing the powerful Ryu-based platform Faucet. Not only that, but we will also cover running Faucet in a zero-cost virtual infrastructure using industry standard development tools such as Mininet and Python Virtualenv. There’s no reason not to get started developing using Faucet right away, even before purchasing your first OpenFlow switch! Go to article.

Technologies and Topics

  • The Virtual Workspace introduced in the Core OpenFlow Technical Track
  • Ryu Controller and Python
  • VirtualBox with Ubuntu
  • Mininet with scripts to build realistic datacenter Networks
  • Virtualenv
  • Open vSwitch
  • Faucet L2 Controller Application
  • Faucet VLAN capabilities
  • Faucet Firewall capabilities via ACL table

Tutorial Learning Outcomes

After working through this tutorial you will be able to:

  • Install and configure VirtualBox for an OpenFlow development environment
  • Load Ubuntu Linux as the Operating System for the development VM
  • Install and configure a Python Virtual Environment to keep library dependencies local
  • Clone Faucet and install in the Virtual Environment
  • Download and install the Datacenter Mininet Topology
  • Run the Faucet tests to validate the installation
  • Edit the Faucet YAML configuration file to support the Mininet Datacenter network
  • Edit the Faucet YAML configuration file to support multiple VLANs
  • Add simple Firewall rules to the ACL section of Faucet configuration file

In summary, you will be able to create a working Faucet controller in a realistic virtual Datacenter network that supports L2 learning, VLANs and ACL-based Firewall security.

Dissecting the Faucet v1.1 Pipeline

Recently, we saw the release of Faucet v1.1, which included many new features including multi-datapath support for a single controller instance. It’s time to take a deep dive into the inner workings of Faucet and explore just what makes this controller app tick. I hope you will enjoy this article and find it informative. I know I learned a lot writing it!

There is a lot more in Faucet than I can cover in a single article, so I will be primarily covering the core functionality as implemented by its use of tables and flow entries installed in the switches it controls. I am focusing less on the code this time, as I’ve already covered the Ryu API in the past. This article is more for those who will be working on applications alongside Faucet, in which case knowledge of its tables and flow entries is more important, and for those wishing to use Faucet in their network, in which case knowing the packet pipeline can help in understanding how Faucet works and how it can be configured. If you are looking for a tutorial on installing Faucet v1.1, I covered that in my last tutorial, Faucet in a Virtual Infrastructure. Go to article.

Technologies and Topics

  • Faucet 1.1 support for multi-datapath (multiple switches)
  • In-depth review of Faucet pipeline
  • Moving “state”, such as L2 learning, from Controller to Switches
  • Example packet flows
  • In-depth functional analysis of VLAN table
  • In-depth functional analysis of ACL table
  • In-depth functional analysis of Ethernet Source table
  • In-depth functional analysis of IPv4 and IPv6 tables
  • In-depth functional analysis of Ethernet Destination table
  • In-depth functional analysis of Flood table

Tutorial Learning Outcomes

After working through this tutorial you will be able to:

  • Present the core design concepts that make Faucet an efficient and powerful L2-enhanced OpenFlow controller application
  • Present the six table Faucet pipeline and the primary function of each table
  • Articulate how all of the network state, such as learned host location, is maintained in the OpenFlow switches and not in the Faucet Controller Application
  • Describe how both tagged and untagged packets are handled by a Faucet controlled OpenFlow switch
  • Describe both the security and flood efficiency of the per-port VLAN configuration functionality

Dissecting Faucet Security

Some of Faucet’s little-advertised features can have quite a large positive impact for your network security. In this tutorial, we will be covering Faucet’s security features with a large emphasis on ACLs and how they can be used to better protect your network. Go to article.

Technologies and Topics

  • Virtual network infrastructure with:
    • Unprotected Host connected to untrusted WAN
    • Protected Host running public services
    • Protected Host running private services
    • Unprotected Host running a trusted service
  • Security features in the Faucet YAML configuration file
  • Port configuration for VLAN tagged packets and untagged packets
  • Structure of an ACL rule set:
    • Globally Allowed Traffic such as ARP and ICMP packets
      • Destination and Reverse traffic
    • Open destination ports on Protected Hosts
    • Allow requests, and responses, on a specific port of an unprotected Host
    • Drop rules for unprotected Host
  • Mapping of ACL rule sets to Port(s)
  • Testing of ACLs with live virtual network
  • Documentation of ACL rule structure – All Match Fields and Actions
  • Other Faucet security features:
    • VLAN Max Hosts
    • Prevent Unicast Floods (VLAN and Port)

Tutorial Learning Outcomes

After working through this tutorial you will be able to:

  • Configure and launch a virtual network designed for testing ACL security rules
  • Design security requirements for the test network
  • Implement the security requirements by programming the faucet.yaml ACL, Port, and VLAN configuration file
  • Test the packet access to each Host in the virtual network to verify the installed ACL security