################################################################################
### SDN-VPN: a prototype SDN controller to set up VPN services.
###
### This software has been developed by Gabriele Lospoto and Benedetto Gabriele
### Vignoli within the research line described at
### http://www.dia.uniroma3.it/~compunet/www/view/topic.php?id=sdn
###
### Last update: 17 Oct 2014
################################################################################

This file describes how to quickly set up an emulated network that runs VPN
services based on our SDN controller. The associated virtual machine includes
all the required software pieces to carry out such an experiment, including:
Mininet, Open vSwitch, Ryu, and, of course, our controller. We also provide a
set of readily usable network topologies and VPN configurations. If you want to
create your own network topology and/or VPN configurations instead, please
refer to file "README-customization.txt".

If required, the credentials to log in to the provided virtual machine are as
follows:

  Username: sdn
  Password: sdn


=== GETTING STARTED ===

1. Pick a network topology

   Enter directory "SDN-VPN-controller/bin", select one of the provided
   topologies, and execute it by typing:

     $ sudo ./topology-name.py

   The Mininet prompt should then be displayed (for information about the
   available commands in Mininet, see http://mininet.org).

   The names of the supplied topologies should be quite self-explanatory, but
   here is a short list for reference:

   clothes.py
     A topology consisting of 2 hosts, each connected to a PE router. The two
     PE routers are connected by 3 independent paths, each consisting of a
     chain of 10 routers. Useful for stressing the impact of topology changes
     on packet losses.

   one-simple-vpn.py
     A topology consisting of 2 hosts, each connected to a PE router. The two
     PE routers are arbitrarily interconnected by a network of 5 nodes and 6
     links.
   one-vpn-and-nat.py
     Same topology as above, but with an additional host that models the
     Internet and is connected to an additional PE that performs NAT.

   two-vpns.py
     A topology consisting of 4 hosts, each connected to a different PE
     router. The 4 PE routers are arbitrarily interconnected by a network
     consisting of 5 nodes and 6 links.

   one-complex-vpn.py
     A topology consisting of 4 hosts, 2 of which are connected to a PE
     router and the other 2 to another PE router. There is also a PE router
     that is meant to perform NAT and is attached to a host that models the
     Internet. The PE routers are arbitrarily interconnected by a network
     consisting of 5 nodes and 6 links.

   one-vpn-in-big-network.py
     A topology consisting of 2 hosts, each connected to a different PE
     router, and of a total of 7 PE routers, 2 of which perform NAT. PE
     routers are interconnected by a network of 12 nodes and 20 links.

   two-vpn-in-big-network.py
     Same topology as above, with two additional hosts, each connected to a
     PE router (different from those to which the other 2 hosts are
     connected).

   two-vpns-and-nat-in-big-network.py
     Same topology as above, with two additional PE routers that perform
     NAT, one of which is connected to a host that models the Internet.

2. Update the SDN-VPN controller configuration file

   All the configuration of our SDN-based VPN controller (both system-wide
   and specific to the VPNs) is located in the "SDN-VPN-controller/conf"
   folder. Before the controller can be started, a little bit of setup is
   required. Edit file "SDN-VPN-controller/conf/system.conf" and alter it as
   follows:

   - Parameter "vpn-config-file" must point to a file containing VPN
     configurations. For the provided examples, there is a .py file for
     starting the topology and an equally named .xml file inside
     "SDN-VPN-controller/conf/vpns" with matching VPN settings. You should
     therefore set "vpn-config-file" to the .xml file that corresponds to the
     topology launched at step 1 of this procedure.
   - For each VPN in the selected .xml file, a PE-to-PE path composition
     policy for that VPN must be specified. At present, the only implemented
     policy is ShortestPath. Therefore, for each VPN defined in the .xml file
     (VPN definitions start with a tag ''), a line similar to the following
     must be added to the "system.conf" file:

       vpn_name = ShortestPath

   Note that, for each network topology in "SDN-VPN-controller/bin", a
   matching VPN configuration file exists in "SDN-VPN-controller/conf/vpns":
   in order to avoid problems, make sure to load the VPN configuration file
   that matches the topology you chose to use.

3. Start the SDN-VPN controller

   Enter directory "SDN-VPN-controller" and run the following command:

     $ ./start-controller.sh

4. Test the network

   You can now interact with Mininet to check whether the network works
   correctly (for further information about Mininet commands, visit
   http://mininet.org). The simplest possible interaction is a ping between
   different hosts: it is expected to succeed only if the hosts belong to the
   same VPN, and it is supposed to trigger MPLS encapsulation of the packets
   traveling from one PE router to another. A ping can be performed from the
   Mininet prompt as follows:

     mininet> h1 ping h2

   The virtual machine also contains a preinstalled version of Wireshark with
   an OpenFlow dissector, which can be used to observe control packets
   traveling between the switches and the controller, or traffic packets
   traveling between switches.


=== NOTES ===

- This prototype controller only implements egress NAT.

- This prototype controller understands a VPN configuration language that is
  slightly different from the one we originally designed.

- Experimenting with other network services and tools such as iperf and
  apache is of course possible. However, care should be taken to consider
  the fact that the larger packets generated by these services may exceed
  MTU limits when they are encapsulated in MPLS.
  In order to cope with these limits it is enough to lower the MTU on the
  hosts, which can be achieved in Mininet with a command similar to the
  following:

    mininet> h1 ifconfig h1-eth0 mtu 1400

  1400 is a good value to get things working.

- The userspace mode of operation of Open vSwitch, which is used in our
  sample network scenarios, may suffer from serious performance limits.
  Unfortunately, it is required to use such a mode because MPLS labels are
  not correctly handled otherwise.
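The two edits required at step 2 (point "vpn-config-file" at the .xml file that matches the chosen topology, and give every VPN in that file a "name = ShortestPath" line) are easy to get wrong, and a mismatch only shows up once the controller is running. The following Python script is an added example, not part of the SDN-VPN prototype, that checks a system.conf against a chosen topology script before step 3 and produces a corrected copy. It assumes that system.conf is a plain "key = value" file (inferred from the README's "vpn_name = ShortestPath" example); the VPN names, the sample configuration and the policy name "Dijkstra" used to show an unimplemented policy are constructed for the example. VPN names are passed in explicitly because the tag that introduces a VPN definition in the .xml file is not given in this README.

```python
import re

# Path composition policies the README says the prototype implements.
IMPLEMENTED_POLICIES = {"ShortestPath"}

# Constructed sample system.conf (not the prototype's real file): it still
# points at the XML of a different topology, uses an unimplemented policy for
# one VPN and has no policy line at all for another. The "key = value" line
# format is assumed from the README's "vpn_name = ShortestPath" example.
SAMPLE_SYSTEM_CONF = """\
# system-wide settings
vpn-config-file = conf/vpns/one-simple-vpn.xml

# per-VPN PE-to-PE path composition policies
customerA = ShortestPath
customerB = Dijkstra
"""

# Constructed VPN names; in practice they are the VPNs defined in the .xml
# file selected at step 2.
SAMPLE_VPNS = ["customerA", "customerB", "customerC"]


def parse_system_conf(text):
    """Parse 'key = value' lines; blank lines and '#' comments are ignored."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError("line %d: expected 'key = value', got %r" % (lineno, raw))
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key] = value
    return conf


def expected_vpn_xml(topology_script):
    """Name of the equally named .xml file that matches a topology .py script."""
    return re.sub(r"\.py$", ".xml", topology_script.rsplit("/", 1)[-1])


def check_system_conf(text, topology_script, vpn_names):
    """Return the list of problems that would bite once the controller starts
    (an empty list means the configuration is consistent with the topology)."""
    problems = []
    conf = parse_system_conf(text)
    xml_name = expected_vpn_xml(topology_script)
    xml_path = conf.get("vpn-config-file")
    if xml_path is None:
        problems.append("missing 'vpn-config-file' parameter")
    elif xml_path.rsplit("/", 1)[-1] != xml_name:
        problems.append("'vpn-config-file' is %r but topology %r needs %r"
                        % (xml_path, topology_script, xml_name))
    for vpn in vpn_names:
        policy = conf.get(vpn)
        if policy is None:
            problems.append("no path policy for VPN %r (add '%s = ShortestPath')"
                            % (vpn, vpn))
        elif policy not in IMPLEMENTED_POLICIES:
            problems.append("VPN %r uses policy %r, which is not implemented"
                            % (vpn, policy))
    return problems


def fix_system_conf(text, topology_script, vpn_names):
    """Rewrite system.conf for the chosen topology: point vpn-config-file at
    the matching .xml (keeping the configured directory) and give every VPN
    the only implemented policy. Unrelated keys are preserved."""
    conf = parse_system_conf(text)
    old = conf.get("vpn-config-file", "conf/vpns/placeholder.xml")
    directory = old.rsplit("/", 1)[0] + "/" if "/" in old else ""
    lines = ["vpn-config-file = " + directory + expected_vpn_xml(topology_script)]
    for key, value in conf.items():
        if key != "vpn-config-file" and key not in vpn_names:
            lines.append("%s = %s" % (key, value))
    for vpn in vpn_names:
        lines.append("%s = ShortestPath" % vpn)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    topo = "two-vpns.py"  # the script launched at step 1
    for problem in check_system_conf(SAMPLE_SYSTEM_CONF, topo, SAMPLE_VPNS):
        print("problem:", problem)
    print(fix_system_conf(SAMPLE_SYSTEM_CONF, topo, SAMPLE_VPNS))
```

Run against the sample with "two-vpns.py" as the chosen topology, the checker reports three problems (wrong .xml file, unimplemented policy for customerB, no policy for customerC), and the rewritten configuration passes the same check with no findings. Because ShortestPath is currently the only policy, the fixer simply assigns it to every VPN; if more policies are added later, the IMPLEMENTED_POLICIES set is the single place to extend.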