Can an OpenFlow Switch Replace a Tap Aggregator?

I had an interesting conversation during lunch about the future of network taps and aggregators now that OpenFlow switches can do many of the same types of operations. In my testing I have used Pica8 switches to replicate traffic, lots of traffic, using static OpenFlow commands. For example, here is a design where I take 10G of traffic and mirror it across 5 ports.

 

OpenFlow Tap Aggregation 1 to 5

Here is the configuration I use on a Pica8 3922 to replicate a 10G stream to 5 ports.

This configuration assumes that you have already configured the switch to run in OpenFlow mode.

First we set up a new bridge, br0, and add the interfaces (1-6) to it.

# Add Bridge br0 - for PCAP Replication - 1st Port
##############################
# te-1/1/1 is input; te-1/1/2, te-1/1/3, te-1/1/4, te-1/1/5, te-1/1/6 are output
#-------------------------------------------------------------------------------------
$VSCTL add-br br0 -- set bridge br0 datapath_type=pica8 other-config=datapath-id=100
$VSCTL add-port br0 te-1/1/1 -- set interface te-1/1/1 type=pica8
$VSCTL add-port br0 te-1/1/2 -- set interface te-1/1/2 type=pica8
$VSCTL add-port br0 te-1/1/3 -- set interface te-1/1/3 type=pica8
$VSCTL add-port br0 te-1/1/4 -- set interface te-1/1/4 type=pica8
$VSCTL add-port br0 te-1/1/5 -- set interface te-1/1/5 type=pica8
$VSCTL add-port br0 te-1/1/6 -- set interface te-1/1/6 type=pica8

Next we remove the default flow so that we can program the ports specifically.

# Remove Default Flow (not treating this as HUB!)
ovs-ofctl del-flows br0
# Add replication flow 1 -> 2,3,4,5,6
ovs-ofctl add-flow br0 in_port=1,dl_dst="*",dl_src="*",dl_type="*",dl_vlan_pcp="*",dl_vlan="*",actions=output:2,3,4,5,6

Finally we drop all of the ingress traffic from the ports that the mirror traffic is going out of.

# Drop ingress traffic from mirror ports
ovs-ofctl add-flow br0 in_port=2,dl_dst="*",dl_src="*",dl_type="*",dl_vlan_pcp="*",dl_vlan="*",actions=drop
ovs-ofctl add-flow br0 in_port=3,dl_dst="*",dl_src="*",dl_type="*",dl_vlan_pcp="*",dl_vlan="*",actions=drop
ovs-ofctl add-flow br0 in_port=4,dl_dst="*",dl_src="*",dl_type="*",dl_vlan_pcp="*",dl_vlan="*",actions=drop
ovs-ofctl add-flow br0 in_port=5,dl_dst="*",dl_src="*",dl_type="*",dl_vlan_pcp="*",dl_vlan="*",actions=drop
ovs-ofctl add-flow br0 in_port=6,dl_dst="*",dl_src="*",dl_type="*",dl_vlan_pcp="*",dl_vlan="*",actions=drop

This same configuration can be extended to include more ports, repeated to mirror different traffic to other ports, etc.
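When the flow list grows, it is easy to add a mirror port and forget its drop rule. The following audit script is an added example, not part of the original post: it reads `ovs-ofctl add-flow` lines in the syntax shown above and reports any mirror output port that lacks an ingress drop rule or that is also used as a replication source. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a script of ovs-ofctl
# add-flow lines, in the syntax shown above, before loading it on the switch.

# Constructed sample: the post's flows with the drop rule for port 4 omitted.
sample_flows() {
cat <<'EOF'
ovs-ofctl del-flows br0
ovs-ofctl add-flow br0 in_port=1,dl_dst="*",dl_src="*",dl_type="*",dl_vlan_pcp="*",dl_vlan="*",actions=output:2,3,4,5,6
ovs-ofctl add-flow br0 in_port=2,dl_dst="*",dl_src="*",dl_type="*",dl_vlan_pcp="*",dl_vlan="*",actions=drop
ovs-ofctl add-flow br0 in_port=3,dl_dst="*",dl_src="*",dl_type="*",dl_vlan_pcp="*",dl_vlan="*",actions=drop
ovs-ofctl add-flow br0 in_port=5,dl_dst="*",dl_src="*",dl_type="*",dl_vlan_pcp="*",dl_vlan="*",actions=drop
ovs-ofctl add-flow br0 in_port=6,dl_dst="*",dl_src="*",dl_type="*",dl_vlan_pcp="*",dl_vlan="*",actions=drop
EOF
}

# Reads add-flow lines on stdin, prints one line per finding, and returns
# non-zero if a mirror port lacks the explicit ingress drop rule the post
# adds, or if a mirror port is also the in_port of a replication flow.
audit_tap_flows() {
  awk '
    $2 == "add-flow" {
      spec = $NF                                   # flow spec is the last field
      if (!match(spec, /in_port=[0-9]+/)) next
      inp = substr(spec, RSTART + 8, RLENGTH - 8)  # digits after "in_port="
      act = spec
      sub(/^.*actions=/, "", act)
      if (act == "drop") { dropped[inp] = 1; next }
      if (act !~ /^output:/) next
      source[inp] = 1
      n = split(act, ports, ",")
      for (i = 1; i <= n; i++) {
        p = ports[i]
        sub(/^output:/, "", p)
        if (!(p in mirror)) { mirror[p] = 1; order[++m] = p }
      }
    }
    END {
      for (i = 1; i <= m; i++) {
        p = order[i]
        if (!(p in dropped)) { print "port " p ": mirror output has no ingress drop rule"; bad = 1 }
        if (p in source) { print "port " p ": is both a replication source and a mirror output"; bad = 1 }
      }
      exit bad + 0
    }'
}

sample_flows | audit_tap_flows || echo "audit failed: fix the flows before loading them"
```

To check a real flow script, pipe the file into `audit_tap_flows` instead of the sample.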

In the next post, I will cover filtering traffic to better control egress data.

About Steven Noble

Founder and Chief Analyst at Router Analysis, Steven has 20+ years of experience designing and running large networks. Since 1996 he has been heavily involved in writing and executing test plans for networking devices. His professional experience includes CTO of Sideband Networks (Current), VP of Technology at XDN Inc, Technical Leader at Cisco and Procket Networks and Fellow - Network Architecture at Exodus Communications.