Native VS OpenFlow ports

*

d22hanson

« on: March 06, 2016, 11:10:05 AM »
I attempted to plug port 4 (vlan-type native) into my home network and I could see the switch show up in my controller.  I attempted to plug a pc into port 1 and then port 2 into my home network and this immediately created a loop.  This didn't make sense to me because there were only two ports from the switch connected to my home network and they were on two different vlans.  Port 4 is vlan 200 and port 2 is vlan 100.  If I connect port 4 to 3 (just as a test) I see the lights flashing and this creates a loop on the switch.  Why does this create a loop if they are assigned to different vlans?  Or are they actually 802.1Q ports and the assigned VLAN is untagged?

I am also confused about the function of the vlan-type native.  I thought this would be used to connect to the controller for management but I noticed all ports attempt to connect to the controller on TCP 6633.  The difference I see is ports 1-3 (vlan-type openflow) will send a SYN frame to the controller but the switch responds to the SYN ACK from the controller with a RST.  Only port 4 will establish a connection.  I'm confused why the openflow ports are attempting to connect to the controller.

Thanks,
Dave
 

*

Paul Zanna

  • Northbound Networks
« Reply #1 on: March 06, 2016, 03:11:49 PM »
Hi Dave,

I'll explain how the Zodiac works, then between us maybe we can work out what the problem is.

The switching chip (KSZ8795CLX) is actually a 5 port managed switch with 4 ports connected to external ports and the 5th connected to the CPU. Any port configured as "native" remains a standard switch port and the switching is handled in the KSZ8795CLX; the CPU port (5) is always a native port. If a port is set as an "openflow" port then the KSZ8795CLX is configured using the 802.1x trap functionality to bypass the internal switching and forward the packet directly to the CPU via port 5.
As a packet enters the CPU it checks which port the packet came in from: if it was from a "native" port it is sent to the TCP stack, and if it was from an "openflow" port then it is processed by the OpenFlow engine. When a packet is sent from the CPU's own TCP stack it goes out port 5 and is processed by the KSZ8795CLX's internal hardware; ports in 802.1x trap mode are excluded from the process. If the packet is from the CPU's OpenFlow engine it is sent directly out the port based on the flow's output action.

So if you connect port 4 (native) to port 3 (openflow), the CPU is sending a SYN packet out to the controller via port 4 and back into port 3, which goes to the CPU, but because there is no controller connection the packet is dropped. So the traffic does physically go out one port and into the other but goes nowhere after that. The thing I find really strange in your description is that SYN packets for the controller are coming out the OpenFlow ports; that should not happen. It is actually the reason it can't support output to port NORMAL, because all traffic, both in and out, is blocked by the 802.1x function unless you specifically set the output port from the CPU.

I'll see if I can reproduce the problem and work out what the issue is.

Regards,
Paul     

*

d22hanson

« Reply #2 on: March 07, 2016, 05:05:59 AM »
Thanks for the detailed explanation of the switch. 

I took another look this morning so here's an update.  If I plug in any openflow port all I see is ARP requests from the switch for the controller.  The controller responds but it appears the switch ignores the response and continues to ARP for the controller.  If I plug in a native port and create the ARP entry, I can then unplug the native port and move the cable to openflow port.  I then see the behavior I mentioned yesterday.  I see an attempt to establish a new connection.  A SYN from the switch to the controller followed by a SYN ACK from the controller and then a RST from the switch.  Sometimes the RST is sent before the SYN ACK.  The connection doesn't establish but it does attempt if the switch has an ARP entry. 

The only reason I noticed this behavior was due to me trying to troubleshoot the loop.   I only had two connections from the switch into my network (one vlan) and the native port was defined for vlan 200 and the openflow ports were defined for vlan 100.   With a traditional switch a loop would not occur.   These would appear to the switch as two access ports on two different vlans and no traffic would flow between them.   How is traffic sent from the physical ports (1-4) to the cpu switch port 5?  Since I can create a loop by just plugging in one native port into an openflow port (but not two openflow ports) it almost appears port 5 is bridging the traffic even though this is coming from two different vlans. 

My home network is flat with only one vlan.  I was trying to connect port 4 (native) into my home network where I have my controller and then take another machine and plug it into port 1 (openflow) and then port 2 (openflow) into my home network so I could watch the flows.   Do I have to create a separate lan for the native ports and move my controller over to that?

Thanks,
Dave
« Last Edit: March 08, 2016, 03:26:20 PM by d22hanson »

*

ncme

« Reply #3 on: March 18, 2016, 03:23:54 AM »
Hi Paul and Dave,

We just got our Zodiacs (Rev A) here in the lab with the shipped firmware version 0.57 and we observe very similar results to those reported by Dave.

We confirmed all settings were on default as stated by the user guide and only adapted the IP address and gateway to our setup - a simple switched environment with one switch which the controller and Zodiac are connected to. The output of show ports and show vlans are as the user guide suggests, openflow is enabled and in save mode and there are no flows present.

The unexpected behavior we observed:

Broadcast and some multicast traffic (mainly arp) from port 4 gets sent out to all other ports, even if they have openflow enabled.
This means if port 4 is connected to the controller connecting any of the other ports to another results in a loop of arp packets from the controller.
However, with a controller and only one host connected, these packets don't generate packet_in events. Only if a loop is created from one openflow port to another are the packets forwarded to the openflow handler.

This also results in the effect Dave explained, where connecting an openflow port to the same environment as the controller results in looping behavior.

The expected behavior would be that native broadcast and multicast handling of the KSZ8795 should not apply to openflow ports (as they are not native) and thus no traffic from the switched controller environment should leak into the openflow environment.

I hope this helps you reproduce and fix the bug, because having to completely separate your environments does make debugging controller functionality a pain.

Regards,
Niko

*

Paul Zanna

« Reply #4 on: March 18, 2016, 09:28:15 AM »
Hi Niko and Dave,

I tried to reproduce the problem when Dave first mentioned it but couldn't see any arp packets coming from the OpenFlow ports. Can you please describe the setup you are using and I'll try it the same way and see what we get.

Regards,
Paul

*

ssb

« Reply #5 on: March 19, 2016, 07:28:36 PM »
Quote: "Broadcast and some multicast traffic (mainly arp) from port 4 gets sent out to all other ports, even if they have openflow enabled."

Hi all,

It is hard to say but I think I am experiencing the same thing with OpenFlow configured ports. I've received my ZodiacFX and have not configured anything else different, except for the OF controller and the Zodiac's IP address and its name.

Just an example here, from a port connected on Port 1 of the Zodiac to my ovs:

Code:
root@openvswitch-core:~# tcpdump -i eth2 -P in
19:00:44.332577 STP 802.1d, Config, Flags [none], bridge-id 8000.e0:5f:b9:9c:33:e3.8004, length 43
19:00:45.666070 LLDP, length 67
19:00:45.666287 de:ad:be:ef:ba:11 (oui Unknown) > Broadcast, ethertype Unknown (0x8942), length 81:
        0x0000:  0207 0470 b3d5 6cd0 8104 0502 0000 0003  ...p..l.........
        0x0010:  0602 0078 fe12 a423 0501 4f4e 4f53 2044  ...x...#..ONOS.D
        0x0020:  6973 636f 7665 7279 fe17 a423 0502 6f66  iscovery...#..of
        0x0030:  3a30 3030 3037 3062 3364 3536 6364 3038  :000070b3d56cd08
        0x0040:  3100 00                                  1..
19:00:46.332627 STP 802.1d, Config, Flags [none], bridge-id 8000.e0:5f:b9:9c:33:e3.8004, length 43
19:00:48.332820 STP 802.1d, Config, Flags [none], bridge-id 8000.e0:5f:b9:9c:33:e3.8004, length 43
19:00:48.766994 LLDP, length 67
19:00:48.767276 de:ad:be:ef:ba:11 (oui Unknown) > Broadcast, ethertype Unknown (0x8942), length 81:
        0x0000:  0207 0470 b3d5 6cd0 8104 0502 0000 0003  ...p..l.........
        0x0010:  0602 0078 fe12 a423 0501 4f4e 4f53 2044  ...x...#..ONOS.D
        0x0020:  6973 636f 7665 7279 fe17 a423 0502 6f66  iscovery...#..of
        0x0030:  3a30 3030 3037 3062 3364 3536 6364 3038  :000070b3d56cd08
        0x0040:  3100 00                                  1..
19:00:50.354769 STP 802.1d, Config, Flags [none], bridge-id 8000.e0:5f:b9:9c:33:e3.8004, length 43
19:00:51.641034 ARP, Request who-has 192.168.11.15 tell 192.168.11.158, length 46
19:00:51.866480 LLDP, length 67
19:00:51.866683 de:ad:be:ef:ba:11 (oui Unknown) > Broadcast, ethertype Unknown (0x8942), length 81:
        0x0000:  0207 0470 b3d5 6cd0 8104 0502 0000 0003  ...p..l.........
        0x0010:  0602 0078 fe12 a423 0501 4f4e 4f53 2044  ...x...#..ONOS.D
        0x0020:  6973 636f 7665 7279 fe17 a423 0502 6f66  iscovery...#..of
        0x0030:  3a30 3030 3037 3062 3364 3536 6364 3038  :000070b3d56cd08
        0x0040:  3100 00                                  1..
19:00:52.352988 STP 802.1d, Config, Flags [none], bridge-id 8000.e0:5f:b9:9c:33:e3.8004, length 43
19:00:52.548904 ARP, Request who-has 192.168.11.15 tell 192.168.11.158, length 46
19:00:53.549035 ARP, Request who-has 192.168.11.15 tell 192.168.11.158, length 46
19:00:54.353582 STP 802.1d, Config, Flags [none], bridge-id 8000.e0:5f:b9:9c:33:e3.8004, length 43
19:00:54.966090 LLDP, length 67
19:00:54.966275 de:ad:be:ef:ba:11 (oui Unknown) > Broadcast, ethertype Unknown (0x8942), length 81:
        0x0000:  0207 0470 b3d5 6cd0 8104 0502 0000 0003  ...p..l.........
        0x0010:  0602 0078 fe12 a423 0501 4f4e 4f53 2044  ...x...#..ONOS.D
        0x0020:  6973 636f 7665 7279 fe17 a423 0502 6f66  iscovery...#..of
        0x0030:  3a30 3030 3037 3062 3364 3536 6364 3038  :000070b3d56cd08
        0x0040:  3100 00                                  1..
<snip>

I'm not expecting to see arp broadcasted for 192.168.11.15, which is a server at home, on behalf of 192.168.11.158, which is my desktop connected to my main home network, where my controller lives and where the Native port is connected to.
19:00:52.548904 ARP, Request who-has 192.168.11.15 tell 192.168.11.158, length 46
19:00:53.549035 ARP, Request who-has 192.168.11.15 tell 192.168.11.158, length 46


Along with another frame that should not be forwarded to the OpenFlow ports are the spanning tree frames from my home Cisco router, part of the 192.168.11.0/24 network.
19:00:50.354769 STP 802.1d, Config, Flags [none], bridge-id 8000.e0:5f:b9:9c:33:e3.8004, length 43

The other sampled packets are expected (LLDP and BDDP).

The port where tcpdump sampled is connected to the Openflow port on Port 1 of the ZodiacFX.

Here's some additional information that may be useful:

Code:
Firmware version: 0.57

-------------------------------------------------------------------------

Port 1
 Status: UP
 VLAN type: OpenFlow
 VLAN ID: 100
 RX Bytes: 13730
 TX Bytes: 34011
 RX Packets: 166
 TX Packets: 138
 RX Dropped Packets: 0
 TX Dropped Packets: 0
 RX CRC Errors: 0

Port 2
 Status: DOWN
 VLAN type: OpenFlow
 VLAN ID: 100
 RX Bytes: 0
 TX Bytes: 0
 RX Packets: 0
 TX Packets: 0
 RX Dropped Packets: 0
 TX Dropped Packets: 0
 RX CRC Errors: 0

Port 3
 Status: DOWN
 VLAN type: OpenFlow
 VLAN ID: 100
 RX Bytes: 0
 TX Bytes: 0
 RX Packets: 0
 TX Packets: 0
 RX Dropped Packets: 0
 TX Dropped Packets: 0
 RX CRC Errors: 0

Port 4
 Status: UP
 VLAN type: Native
 VLAN ID: 200
 RX Bytes: 70833
 TX Bytes: 57840
 RX Dropped Packets: 0
 TX Dropped Packets: 0
 RX CRC Errors: 0

-------------------------------------------------------------------------
« Last Edit: March 19, 2016, 08:11:47 PM by ssb »
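
An added example, not part of any post in this thread: a small Python check that classifies the summary lines of the tcpdump capture above into frames the post treats as expected on an OpenFlow port (LLDP, BDDP) and frames leaking across from the native side (STP, ARP from 192.168.11.0/24). The sample lines and the network are taken from the post; the function names and verdict labels are assumptions made for the example.

```python
import ipaddress
import re

# Lines copied from the capture in the post above (one hex dump line kept).
CAPTURE = """\
19:00:44.332577 STP 802.1d, Config, Flags [none], bridge-id 8000.e0:5f:b9:9c:33:e3.8004, length 43
19:00:45.666070 LLDP, length 67
19:00:45.666287 de:ad:be:ef:ba:11 (oui Unknown) > Broadcast, ethertype Unknown (0x8942), length 81:
        0x0000:  0207 0470 b3d5 6cd0 8104 0502 0000 0003  ...p..l.........
19:00:51.641034 ARP, Request who-has 192.168.11.15 tell 192.168.11.158, length 46
"""

NATIVE_NET = ipaddress.ip_network("192.168.11.0/24")  # network behind the native port, per the post
DISCOVERY_ETHERTYPES = {0x8942}  # the BDDP frames the post calls expected
SUMMARY = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ (.*)$")
ARP_TELL = re.compile(r"^ARP, .*\btell (\d+\.\d+\.\d+\.\d+)")
ETHERTYPE = re.compile(r"ethertype \S+ \((0x[0-9a-fA-F]{4})\)")

def classify(summary):
    """Return (verdict, reason) for the text after the timestamp."""
    if summary.startswith("STP "):
        return "leak", "spanning tree BPDU from the native side"
    m = ARP_TELL.match(summary)
    if m:
        if ipaddress.ip_address(m.group(1)) in NATIVE_NET:
            return "leak", "ARP from native-side host " + m.group(1)
        return "unknown", "ARP from outside the native network"
    if summary.startswith("LLDP"):
        return "expected", "LLDP discovery"
    m = ETHERTYPE.search(summary)
    if m and int(m.group(1), 16) in DISCOVERY_ETHERTYPES:
        return "expected", "controller discovery probe"
    return "unknown", "needs manual review"

def audit(capture_text):
    """Classify every timestamped line; hex dump continuation lines are skipped."""
    results = []
    for line in capture_text.splitlines():
        m = SUMMARY.match(line)
        if m:
            results.append((line.split()[0],) + classify(m.group(1)))
    return results

def leaks(capture_text):
    return [r for r in audit(capture_text) if r[1] == "leak"]

if __name__ == "__main__":
    for ts, verdict, reason in audit(CAPTURE):
        print(f"{ts}  {verdict:8}  {reason}")
```

Running the same check on a capture taken from an OpenFlow port after a firmware update gives a quick pass/fail on port isolation: an empty `leaks()` result means no native-side STP or ARP was seen.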

*

Xandaros

« Reply #6 on: March 21, 2016, 08:28:33 PM »
Quote: "Can you please describe the setup you are using and I'll try it the same way and see what we get."

Hello Paul,

I'm working with Niko on this project and I just tried one of the simplest setups I could imagine. There's the Zodiac FX, my Laptop connected to port 1 and a dumb switch connected to port 4. The dumb switch is connected to the rest of the lab network to generate some traffic on port 4.
I completely disabled the wireless connection on my Laptop - it shouldn't interfere, but I wanted to make sure to separate things as much as possible.
I disconnected the controller from the network and did a power cycle on the Zodiac FX.

In theory, whatever I do, I should be completely separated from the main network. However, when I had wireshark listen on the Ethernet port, this is what I got:


I have previously noticed other kinds of multicast traffic arriving, as well, so it's not limited to ARP. It's just the most prominent. Also note that I'm not actually reachable via any kind of unicast. I can't ping anything on the main network, nor is the main network able to ping me.
(Though, to be completely fair, the routers of the main network don't have any routes to me)

Sincerely,
Martin

*

Paul Zanna

« Reply #7 on: March 21, 2016, 10:36:07 PM »
Hi Guys,

I think I have isolated the problem:

I have used the 802.1x functionality of the KSZ8795 in trap mode to capture packets entering the OpenFlow ports and forward them directly to the CPU for processing. On the way back out the CPU sends them directly to the out port as per the flow actions. It looks like the KSZ8795 may still allow some layer 2 traffic (at a hardware level) to go out the trapped port so that 802.1x clients can authenticate.

I'll look into other ways of isolating the ports and let you know soon.

Regards,
Paul


*

Paul Zanna

« Reply #8 on: April 23, 2016, 05:19:11 PM »
This issue should now have been fixed in the v0.58 update.

Can I please ask you to test and confirm that it does indeed solve the issue you found.

Also make sure you run the "factory reset" command after the update as the config ROM alignment has changed.

Regards,
Paul