OpenFlow
This section describes Arista's OpenFlow implementation. Topics in this section include:
OpenFlow Introduction
Arista EOS supports OpenFlow 1.0 controlled by OpenFlow controllers for filtering and redirecting traffic.
OpenFlow Description
OpenFlow is a programmable network protocol that manages and directs traffic among Ethernet switches, routers, and wireless access points over the network in support of Software-Defined Networking (SDN) applications.
OpenFlow can be used for traffic flow management in metro, WAN, and data center networks, and also security management in enterprise and campus data center applications, and other applications with the appropriate use of OpenFlow controllers.
OpenFlow Controller
The Arista device supports an active controller connection for which the Arista device will initiate (seek) the TCP connection to a given OpenFlow Controller address.

The controller can be any standard OpenFlow controller.
An OpenFlow switch consists of three parts:
- A flow table, to tell the switch how to process the flow.
- A channel that connects the switch to a remote controller, allowing commands and packets to be sent between a controller and the switch.
- The OpenFlow Protocol, which provides a way for a controller to communicate with a switch.
An OpenFlow-enabled device supports an OpenFlow Client (control plane software), which communicates with an OpenFlow Controller using the OpenFlow protocol. The OpenFlow Controller runs on a server or a server cluster. OpenFlow-enabled devices support the abstraction of a flow table, which is manipulated by the OpenFlow Controller. A flow is a collection of packets where some selected header fields match particular values for those fields. The flow table is sorted by flow priority, which is defined by the controller.
Flow table
Forwarding decisions for incoming packets are made by a simple lookup on the flow table entries. Packets that don't match any flow entry are dropped by default. Every flow entry in the flow table contains:
- Header fields to match against packets: Each entry contains a specific value, or ANY, which matches any value. The fields are:
  - Ingress Port
  - Ether Source
  - Ether Dst
  - Ether Type
  - VLAN Id
  - IP Proto
  - Src Port
  - Dst Port
- Counters to update for matching packet: These counters are used for statistics purposes, in order to keep track of the number of packets and bytes for each flow and the time that has elapsed since the flow initiation.
- Actions to apply to matching packets: The action specifies the way in which the packets of a flow will be processed. An action can be one of the following: 1) forward the packet to a given port or ports, after optionally rewriting some header fields, 2) drop the packet, 3) forward the packet to the controller.
Channel
The channel is the interface that connects each OpenFlow switch to a controller. Through this interface the controller exchanges messages with the switches in order to configure and manage them.
OpenFlow Modes
Bind modes
The switch can be configured to divide traffic entering the switch in either of two ways:
- By interface, so that only packets arriving on certain interfaces are processed by OpenFlow (interface bind mode, the default).
- By VLAN, so that only packets associated with certain VLAN IDs are processed by OpenFlow (VLAN bind mode).
Other packets are forwarded normally according to the MAC address table, filtered by ACLs, mirrored to other ports.
The switch can also be configured to apply a limited set of OpenFlow actions to any packets, regardless of ingress interface or VLAN, as well as forward the packets normally (monitor bind mode).
Interface bind mode
When the switch is configured in interface bind mode, the ingress interface of a packet determines whether the packet is processed according to entries in the OpenFlow table or forwarded normally by the switch.
Only interfaces bound to OpenFlow are mapped to OpenFlow ports and exposed to the controller via features reply and port status messages. Output actions in flow table entries and in packet out messages can refer only to mapped ports. Use the show openflow ports command to see which interfaces the switch maps to OpenFlow ports and exposes to the controller.
- In OpenFlow configuration mode, use the bind mode (OpenFlow) command to select interface bind mode.
- In the OpenFlow configuration mode, use the bind interface command to bind one or more interfaces to OpenFlow.
When an interface is bound to OpenFlow, certain switch functions are disabled on the interface, including spanning tree protocol (STP). The OpenFlow controller and application must ensure that flow table entries do not allow traffic to loop in the network.
Only Ethernet and Port-Channel interfaces can be bound to OpenFlow. If an Ethernet interface is configured as a member of a LAG, attempting to bind the interface to OpenFlow has no effect. However, the Port-Channel interface of which it is a member may itself be bound to OpenFlow.
VLAN bind mode
When a packet arrives at a switch interface, the switch assigns it a VLAN for internal processing, based on the switchport configuration of the ingress interface and on the packet's VLAN tag (if any). If the switch is configured in VLAN bind mode, the internal VLAN determines whether the packet is processed according to entries in the OpenFlow table and whether the packet is matched by a given entry in the OpenFlow table. After the switch has processed the packet, the switchport configuration of each potential egress interface controls whether the packet is transmitted tagged with the internal VLAN ID, transmitted untagged, or filtered.
Several configuration commands affect whether packets received on a given interface are processed by OpenFlow, and whether packets directed to an interface via an OpenFlow output action are transmitted or filtered:
- Use the VLAN configuration mode command to create the VLANs to be accepted by the switch and processed by OpenFlow.
- In the interface configuration mode, use switchport commands to configure the interface as either an access port or a trunk port. For an access port, set the VLAN to an OpenFlow VLAN; for a trunk port, configure which OpenFlow VLANs are allowed.
- In OpenFlow configuration mode, use the bind mode (OpenFlow) command to select VLAN bind mode, and use the bind vlan (OpenFlow) command to bind one or more VLANs to OpenFlow.
Untagged packet processing in VLAN bind mode
The OpenFlow protocol also allows a flow table entry to explicitly match untagged packets, or to strip the VLAN tag from matched packets. Since the switch actually assigns a VLAN internally to packets received without a tag, the OpenFlow function on the switch must be configured with a single "native" VLAN ID in order to make sense of such flow entries. When an OpenFlow native VLAN is configured:
- A flow table entry defined to match untagged packets actually matches packets whose internal VLAN is the OpenFlow native VLAN.
- A flow table entry with a strip VLAN tag action actually sets the packet's internal VLAN to the OpenFlow native VLAN.
- Packets sent to the controller via a packet-in message are sent untagged if they are assigned to the native VLAN, and tagged otherwise.
- Untagged packets received from the controller via a packet-out message are assigned to the native VLAN.
In contrast, when no OpenFlow native VLAN is configured:
- Flow table entries defined to match untagged packets or with a strip VLAN tag action are rejected.
- All packets sent to the controller via a packet-in message are sent tagged.
- Untagged packets received from the controller via a packet-out message are dropped.
There is no explicit command to configure the OpenFlow native VLAN. To configure a VLAN as the OpenFlow native VLAN:
- Use the VLAN configuration mode command.
- For every interface handling OpenFlow traffic, in interface configuration mode, use switchport commands to configure the interface as either an access port or a trunk port. For an access port, set the access VLAN to N; for a trunk port, either set the native VLAN to N or configure the interface to drop untagged frames.
- In OpenFlow configuration mode, use the bind vlan (OpenFlow) command to assign VLAN N to OpenFlow.
Configuring two interfaces as access ports with different OpenFlow-bound VLANs, or as trunk ports with different native OpenFlow-bound VLANs, violates these constraints and causes the OpenFlow function to behave as if no OpenFlow native VLAN is configured.
Use the show openflow command to see whether an OpenFlow native VLAN has been configured.
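The native VLAN constraints above can be checked against a planned port configuration before it is applied. The following Python is an added example, not Arista code: it models the rules as stated in this section, and the dictionary layout, function names and sample ports are assumptions made for illustration.

```python
# Added example: models the OpenFlow native VLAN rules as stated in this section.
# The interface dictionaries and function names are hypothetical, not an EOS API.

def native_vlan_candidates(interfaces, bound_vlans):
    """Map each OpenFlow-bound VLAN that untagged frames can be assigned to
    onto the list of interfaces that assign it."""
    candidates = {}
    for name, cfg in interfaces.items():
        if cfg["mode"] == "access":
            vlan = cfg["vlan"]                  # access VLAN of the port
        elif cfg.get("drop_untagged", False):
            continue                            # trunk that drops untagged frames
        else:
            vlan = cfg["native"]                # native VLAN of the trunk
        if vlan in bound_vlans:
            candidates.setdefault(vlan, []).append(name)
    return candidates


def effective_native_vlan(interfaces, bound_vlans):
    """Return the single OpenFlow native VLAN, or None when several candidates
    exist (constraints violated) or no interface qualifies."""
    candidates = native_vlan_candidates(interfaces, bound_vlans)
    return next(iter(candidates)) if len(candidates) == 1 else None


def flow_entry_accepted(matches_untagged, strips_vlan, native):
    """Entries that match untagged packets or strip the VLAN tag are rejected
    when no OpenFlow native VLAN is configured."""
    return native is not None or not (matches_untagged or strips_vlan)


def packet_in_tag(internal_vlan, native):
    """VLAN tag carried by a packet-in message; None means sent untagged."""
    return None if internal_vlan == native else internal_vlan


def untagged_packet_out_vlan(native):
    """VLAN assigned to an untagged packet-out frame; None means dropped."""
    return native


# Constructed sample: three ports, with VLANs 1 and 2 bound to OpenFlow.
SAMPLE_PORTS = {
    "Ethernet1": {"mode": "access", "vlan": 1},
    "Ethernet2": {"mode": "trunk", "native": 1},
    "Ethernet3": {"mode": "trunk", "native": 2, "drop_untagged": True},
}
# Same ports plus an access port in VLAN 2: two candidates, so no native VLAN.
CONFLICTING_PORTS = dict(SAMPLE_PORTS, Ethernet4={"mode": "access", "vlan": 2})

if __name__ == "__main__":
    for label, ports in (("sample", SAMPLE_PORTS), ("conflict", CONFLICTING_PORTS)):
        native = effective_native_vlan(ports, {1, 2})
        print(label, "native VLAN:", native)
        print("  candidates:", native_vlan_candidates(ports, {1, 2}))
        print("  strip-VLAN entry accepted:", flow_entry_accepted(False, True, native))
        print("  packet-in tag for VLAN 1:", packet_in_tag(1, native))
        print("  untagged packet-out VLAN:", untagged_packet_out_vlan(native))
```
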
Spanning Tree Protocol in VLAN bind mode
STP can operate on OpenFlow-bound VLANs. The switch default STP configuration is one multiple spanning tree (MST) instance containing all VLANs, including OpenFlow-bound VLANs. When STP is configured on OpenFlow-bound VLANs, packets received from or sent to blocked ports are dropped, regardless of the rules defined in the OpenFlow flow table.
For some applications, you may want to disable STP on OpenFlow-bound VLANs. Before doing so, be sure that the OpenFlow controller and application are configured properly to manage multiple redundant paths through the network without allowing traffic to loop.
To ensure proper operation of STP on the switch and to support OpenFlow applications that inter-operate with STP, OpenFlow forwards inbound STP packets both to the spanning tree agent on the switch and to the OpenFlow controller as packet-in messages. This behavior overrides any flow table entries that might otherwise match STP packets, and is not configurable.
Monitor bind mode
Unlike interface and VLAN bind modes, monitor bind mode is tailored for specific applications. The switch both forwards traffic normally and selectively mirrors packets under OpenFlow control.
When the switch is configured in monitor bind mode, all traffic entering the switch is forwarded normally, regardless of ingress interface or internal VLAN. All Ethernet and Port-Channel interfaces are mapped to OpenFlow ports and exposed to the controller (except LAG members and mirror destination ports). In this mode, the entire switch is bound to OpenFlow, and OpenFlow processing is applied to packets in addition to the normal forwarding behavior.
Currently the only actions that can be performed on packets in monitor bind mode are:
- Output normally
- Copy to mirror destination port
In monitor bind mode, the default action taken on packets that are not matched by any flow table entry is output normally. The switch rejects flow entries not conforming to these restrictions.
Routing Between the OpenFlow and Non-OpenFlow Domain
The switch can be configured to perform standard IP routing of traffic processed by OpenFlow. From the controller's point of view, the switch appears to have a virtual port 40000 (OpenFlowRouter) in addition to the physical ports.
Packets sent out the OpenFlowRouter port can undergo standard IP routing into a different IP subnet. After routing, those packets can either exit the switch or be processed by OpenFlow again.
Port mapping
For switches that support QSFP+ modules, a 40G interface can be configured as four 10G ports. These Ethernet interfaces are mapped to OpenFlow ports according to the formula port = M * 200 + N for EthernetM/N. For example, interface Ethernet1/1 is mapped to OpenFlow port 201; Ethernet1/2 to OpenFlow port 202, Ethernet16/1 to OpenFlow port 3201, Ethernet16/2 to OpenFlow port 3202, and so on.
When IP routing is configured, the OpenFlow Router interface is mapped to OpenFlow port 40000.
Port-Channel (LAG) interfaces are mapped to OpenFlow ports according to the formula port = 40000 + N for Port-ChannelN. For example, interface Port-Channel23 is mapped to OpenFlow port 40023.
The OpenFlow virtual ports all and flood refer to all Ethernet interfaces on the switch, but normal VLAN egress policies apply: a packet tagged with a given OpenFlow-bound VLAN (or untagged, if a native OpenFlow VLAN is configured) will egress a given interface only if the interface is configured to handle traffic for that VLAN. If an interface is not configured to handle traffic for any OpenFlow-bound VLAN, then no packets sent to all or flood will egress on that interface.
Queue mapping
All multicast transmit queues that are configured to be mapped from a QoS traffic class are mapped to OpenFlow. OpenFlow-mapped queues can be used by the enqueue action in flow table entries and are included in queue stats reply messages. By default, all the multicast queues 0 to 3 are mapped.
Use the show qos maps command to view the current mapping of traffic class to multicast transmit queue, and use the qos map traffic-class to mc-tx-queue configuration command to modify it. If no traffic class is mapped to a given multicast transmit queue, the queue will not be mapped to OpenFlow and will be unavailable for use by the enqueue action.
Table size
The switch supports one flow table. OpenFlow packet processing is performed in hardware; software forwarding (via the switch CPU) is not supported.
The switch advertises the table size for the l2-match profile. This should be taken as an approximation, as other switch features such as ACLs can consume hardware resources shared with OpenFlow. If the controller attempts to add a flow entry but there are insufficient resources to implement it in hardware, the switch returns an error message.
Match fields
A flow table entry can specify an exact value or wildcard for any of the following fields:
- L2 source and destination addresses
- VLAN ID (and untagged packets, if the native OpenFlow VLAN is configured)
- VLAN priority
- L2 frame type
- IPv4 source and destination addresses with subnet masking
- IPv4 TOS/DSCP field
- IPv4 protocol
- TCP/UDP source and destination port numbers
Matching the IPv4 source or destination address within an ARP message is not supported, nor is matching the ARP opcode.
Actions
In VLAN and interface bind modes, the following flow entry actions are supported:
- Copy packet on ingress to a mirror destination port (vendor-specific extension)
- Set L2 source and destination addresses
- Set VLAN ID
- Strip VLAN tag (if the native OpenFlow VLAN is configured)
- Set VLAN priority
- Set IPv4 TOS/DSCP
- Output or enqueue to physical port (see OpenFlow Limitations for restrictions on multiple output actions)
- Output or enqueue to all or flood (see OpenFlow Limitations)
- Output to controller (buffering not supported; entire packet contents are always sent)
- Drop (no action)
- Copy packet on egress to a mirror destination port (vendor-specific extension)
In monitor bind mode, only the following actions are supported:
- Copy packet on ingress to a mirror destination port (vendor-specific extension)
- Output per normal forwarding (this action is required in every flow entry)
- Copy packet on egress to a mirror destination port (vendor-specific extension)
OpenFlow Limitations
Consider the following when using OpenFlow:
- OpenFlow is supported on both the 7050 and 7050X series of switches.
- OpenFlow Hybrid mode is not supported.
- Output to an ingress port is silently dropped. Flow table entries with an output to ingress port action are accepted by the switch, but matching packets are not actually forwarded via the ingress port. (But for packet-out, the output to ingress port action is supported.)
- Output/enqueue actions must follow modify actions. The switch will return an error if a modify action follows an output/enqueue action.
- Each action can be performed at most once. The switch will return an error if the same action appears more than once. Output and enqueue actions may appear at most once per port.
- Output is supported to only one queue. The switch will return an error if multiple enqueue actions appear with different queue ids, or if both enqueue and output actions appear.
- A packet is sent at most once per port even if there are overlapping output or enqueue actions. For example, the switch will accept a rule with actions output to all ports and output to a specific port 12, but will transmit the packet on port 12 only once even though it is contained in both actions.
- Flow entry priority is always respected, even for exact-match flow entries. The switch does not force exact-match flow entries to be processed at the highest priority.
- For packet-out messages, only output actions are supported (to a physical port, or to all, flood, or ingress port). The switch will return an error if a packet-out message is received with any other action.
- The switch-to-controller connection is plain TCP. The switch does not support encrypted TLS connections to the controller.
- Matching source and destination IP and operation code in ARP packets is not supported. Flow entries matching the ARP Ethernet type are accepted by the switch, but the source and destination IP and protocol (opcode) match field values are ignored (i.e. the fields are wildcarded).
- A flow mod message with modify or modify_strict command does not modify the cookie value of existing flow entries. If the modify is treated as an add, however, the new entry will be assigned the specified cookie value.
- Matching all 802.3 packets without SNAP headers is not supported. The switch does not treat a dl_type value of 0x5ff as special.
- The port_mod message is not supported. It is not possible to modify the behavior of physical ports via the port_mod message. In particular, the no_flood port_config bit cannot be used to exclude ports from the flood virtual output port set.
- Changing the list of controllers causes the current controller connection to be dropped. When the OpenFlow feature is enabled and the list of controllers is changed in any fashion (e.g. by adding or deleting a controller), the current controller connection will be dropped.
- When adding a large number of flow table entries, add higher-priority entries before lower-priority entries. Due to hardware limitations, the switch will take much longer to add a new flow entry if the table already contains many entries with lower priority.
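Several of the limits above concern the order and uniqueness of actions, so a controller application can check an action list before sending it and catch entries the switch would reject or accept without forwarding. The following Python is an added example, not Arista or controller code; the action names and tuple layout are assumptions, and the vendor-specific mirror actions are not modelled.

```python
# Added example: pre-flight check of an action list against the limits listed
# above. Action names and the tuple layout are hypothetical.

MODIFY = {"set_dl_src", "set_dl_dst", "set_vlan_id", "strip_vlan",
          "set_vlan_pcp", "set_nw_tos"}
SEND = {"output", "enqueue"}    # ("output", port) or ("enqueue", port, queue_id)


def check_flow_actions(actions, in_port=None, native_vlan=True):
    """Check a flow entry for VLAN or interface bind mode.

    Returns (errors, warnings):
      errors   - cases where the page says the switch returns an error
      warnings - entries that are accepted but do not forward as written
    """
    errors, warnings = [], []
    seen_modify, seen_send = set(), set()
    queues, kinds = set(), set()
    sent = False

    for act in actions:
        kind = act[0]
        if kind in MODIFY:
            if sent:
                errors.append(f"{kind} follows an output/enqueue action")
            if kind in seen_modify:
                errors.append(f"{kind} appears more than once")
            seen_modify.add(kind)
            if kind == "strip_vlan" and not native_vlan:
                errors.append("strip_vlan needs an OpenFlow native VLAN")
        elif kind in SEND:
            sent = True
            port = act[1]
            if (kind, port) in seen_send:
                errors.append(f"{kind} to port {port} appears more than once")
            seen_send.add((kind, port))
            kinds.add(kind)
            if kind == "enqueue":
                queues.add(act[2])
            if in_port is not None and port == in_port:
                warnings.append(f"{kind} to ingress port {port} is silently dropped")
        else:
            raise ValueError(f"action {kind!r} is not modelled by this example")

    if len(queues) > 1:
        errors.append("enqueue actions use different queue ids")
    if kinds == SEND:
        errors.append("both output and enqueue actions appear")
    return errors, warnings


def check_packet_out_actions(actions):
    """Packet-out messages support output actions only."""
    return [f"{a[0]} is not supported in packet-out"
            for a in actions if a[0] != "output"]


if __name__ == "__main__":
    # Constructed action lists, one per rule.
    samples = {
        "valid": [("set_vlan_id", 10), ("output", 12)],
        "modify after output": [("output", 12), ("set_vlan_id", 10)],
        "overlapping outputs": [("output", "all"), ("output", 12)],
        "two queues": [("enqueue", 1, 0), ("enqueue", 2, 1)],
        "output and enqueue": [("output", 1), ("enqueue", 2, 0)],
    }
    for label, acts in samples.items():
        print(label, "->", check_flow_actions(acts, in_port=3))
    print("packet-out ->", check_packet_out_actions([("set_vlan_id", 5), ("output", 1)]))
```
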
OpenFlow Configuration
By default, the OpenFlow feature is disabled on Arista devices. You must first enable the OpenFlow feature on the device. These sections describe OpenFlow configuration tasks:
Configuration Procedures
Use the OpenFlow configuration mode commands to configure the following basic parameters:
- openflow : places the switch in OpenFlow configuration mode.
- controller (OpenFlow) : set the controller IP address and port
- bind interface (OpenFlow) : bind interfaces to OpenFlow
- shutdown (Openflow) : enable or disable OpenFlow
Enabling Basic OpenFlow
Configure the management interface. Assign an IP address to the interface and set the default gateway IP address, allowing the OpenFlow function on the switch to establish a TCP connection with the OpenFlow controller.
The following commands turn on OpenFlow pointing to a controller, ready to receive flow setup messages to be programmed in hardware for all traffic.
- The openflow command places the switch in OpenFlow configuration mode.
switch(config)#openflow
switch(config-OpenFlow)#
- The controller (OpenFlow) command points to the primary OpenFlow controller. Others can be configured as a standby list.
switch(config)#OpenFlow
switch(config-OpenFlow)#controller tcp:15.16.15.16:6633
switch(config-OpenFlow)#
- The bind vlan (OpenFlow) command dictates what VLAN or interfaces are tied to OpenFlow. Since hybrid mode is not supported, Arista recommends binding all VLANs or all interfaces to OpenFlow.
switch(config)#openflow
switch(config-openflow)#controller tcp:1.2.3.4:6633
switch(config-openflow)#bind mode vlan
switch(config-openflow)#bind vlan 1
- The shutdown (Openflow) command determines if the configuration takes effect or not. The following command enables OpenFlow on the switch.
switch(config-OpenFlow)#no shutdown
switch(config-OpenFlow)#
Optional OpenFlow Commands
Keepalive
The keepalive (OpenFlow) command sets the interval for switch-to-controller keepalives (the default of 10 seconds scales best for large-scale multi-node OpenFlow switch networks). After three consecutive missed replies from the controller, the switch will try to connect to the second controller, if one is configured.
switch(config-OpenFlow)#keepalive
switch(config-OpenFlow)#
Profile
The profile (OpenFlow) command determines the type of flows. To double the flow table size when all flows are L2 only, set the profile to l2-match. The default is full-match (includes L3/4 field match).
switch(config-OpenFlow)#profile l2-match
switch(config-OpenFlow)#
Default-action
The default-action (OpenFlow) command tells the Arista OpenFlow agent which action to take (drop or send to controller) for packets that don't match any existing flows programmed locally on the hardware.
switch(config-OpenFlow)#default-action drop
switch(config-OpenFlow)#
Displaying OpenFlow Configurations
Show commands display the state of OpenFlow running on the Arista switch.
- The show openflow command displays the configuration state of the OpenFlow feature and the flows that are actively installed in the hardware of the Arista switch.
switch(config)# show openflow
OpenFlow configuration: Enabled
DPID: 0x0000001c73111a92
Description: sw3-Arista
Controllers:
  configured: tcp:172.22.28.228:6633
  connected: tcp:172.22.28.228:6633
  connection count: 3
  keepalive period: 10 sec
Flow table state: Enabled
Flow table profile: full-match
Bind mode: VLAN
  VLANs: 1-2
  native VLAN: 1
IP routing state: Disabled
Shell command execution: Disabled
Total matched: 7977645 packets
- The show openflow flows command shows the default flow that is installed when OpenFlow is enabled.
switch(config)# show OpenFlow flows
Flow flow00000000000000000005:
  priority: 100
  cookie: 45035996453121666 (0xa000000ab1ae82)
  match:
    ingress interface: Ethernet3
    Ethernet type: IPv4
    source IPv4 address: 10.0.0.0/255.255.255.0
  actions:
    output interfaces: Ethernet11
  matched: 0 packets, 0 bytes
Flow __default__:
  priority: -1
  cookie: 0 (0x0)
  match:
  actions:
    output to controller
  matched: 5519922 packets, 433188045 bytes
OpenFlow Commands
OpenFlow Global Configuration Mode
Openflow Configuration Commands
OpenFlow Display and Clear Commands
bind interface (OpenFlow)
When the switch is configured in interface bind mode, the ingress interface of a packet determines whether the packet is processed according to entries in the OpenFlow table or forwarded normally by the switch.
Only interfaces bound to OpenFlow are mapped to OpenFlow ports and exposed to the controller via features reply and port status messages. Output actions in flow table entries and in packet out messages can refer only to mapped ports. Use the show openflow ports command to see which interfaces the switch maps to OpenFlow ports and exposes to the controller.
In the OpenFlow configuration mode, use the bind mode interface command to select the interface bind mode.
When an interface is bound to OpenFlow, certain switch functions are disabled on the interface, including spanning tree protocol (STP). The OpenFlow controller and application must ensure that flow table entries do not allow traffic to loop in the network.
Only Ethernet and Port-Channel interfaces can be bound to OpenFlow. If an Ethernet interface is configured as a member of a LAG, attempting to bind the interface to OpenFlow has no effect. However, the Port-Channel interface of which it is a member may itself be bound to OpenFlow.
The no bind interface and default bind interface commands revert the specified list configuration to its default by removing the corresponding bind interface command from running-config.
Command Mode
OpenFlow Configuration
Command Syntax
bind interface INTF
no bind interface [INTF]
default bind interface [INTF]
Parameters
- INTF Interfaces that are tied to OpenFlow. Options include:
  - ethernet e_range Ethernet interfaces specified by e_range.
  - port-channel p_range Port-channel interfaces specified by p_range.
  Valid e_range and p_range formats include number, range, or comma-delimited list of numbers and ranges.
- This command binds Ethernet 1 to OpenFlow.
switch(config)# openflow
switch(config-openflow)#bind interface ethernet 1
bind mode (OpenFlow)
The bind mode command controls the way packets are divided on ingress between OpenFlow processing and normal switch processing.
The switch can be configured to divide traffic entering the switch in the following ways:
- Interface bind mode: Packets entering the switch from certain interfaces are only processed by OpenFlow according to flow table entries; packets entering from other interfaces are forwarded normally. (interface bind mode is the default).
- VLAN bind mode: Only packets associated with certain VLAN IDs are processed by OpenFlow.
- Monitor bind mode: All packets are forwarded normally, and are also processed by OpenFlow; a restricted set of actions are applied to packets matching a flow table entry.
Other packets are forwarded normally according to the MAC address table, filtered by ACLs, mirrored to other ports.
The switch can also be configured to apply a limited set of OpenFlow actions to any packets, regardless of ingress interface or VLAN, as well as forward the packets normally (monitor bind mode).
The no bind mode and default bind mode commands revert the specified list configuration to its default by removing the corresponding bind mode command from running-config.
Command Mode
OpenFlow Configuration
Command Syntax
bind mode METHOD
no bind mode
default bind mode
Parameters
- METHOD Bind interfaces to OpenFlow. Options include:
  - interface Only packets arriving on certain interfaces are processed by OpenFlow.
  - monitor All packets are forwarded normally, and are also processed by OpenFlow.
  - vlan Only packets associated with certain VLAN IDs are processed by OpenFlow.
- In this example, packets received without VLAN tags are assigned to the default VLAN 1 upon entering the switch and are processed by OpenFlow. All VLAN-tagged packets are dropped.
switch#enable
switch#configure
switch(config)#interface et1-48
switch(config-if-Et1-48)#switchport mode access
switch(config-if-Et1-48)#switchport access vlan 1
switch(config-if-Et1-48)#exit
switch(config)#openflow
switch(config-openflow)#controller tcp:1.2.3.4:6633
switch(config-openflow)#bind mode vlan
switch(config-openflow)#bind vlan 1
bind vlan (OpenFlow)
The bind vlan command adds one or more VLAN IDs to the set of VLANs that are processed by OpenFlow in VLAN bind mode. The VLANs must be created separately using the VLAN configuration mode commands.
If you specify a nonexistent VLAN with the bind vlan command, the binding will be stored in the running configuration but will not take effect until the VLAN is created.
A range of VLANs may be passed to the bind vlan command to add more than one at a time.
The number of VLANs that may be bound to OpenFlow depends on available hardware resources, which are shared with other features including IP routing and ACLs. On the 7050 Series switches the maximum number is 1024.
Use the show openflow command to verify which VLANs are bound to OpenFlow; this command reflects the actual hardware state rather than the configuration.
The no bind vlan and default bind vlan commands remove one or more VLANs from the set of VLANs that are processed by OpenFlow in VLAN bind mode.
Command Mode
OpenFlow Configuration
Command Syntax
bind vlan [v_range]
no bind vlan [v_range]
default bind vlan [v_range]
Parameters
- v_range VLAN list. VLAN numbers range from 1 to 4094.
- These commands bind VLANs 1 and 2 to OpenFlow.
switch(config-openflow)#bind mode vlan
switch(config-openflow)#bind vlan 1,2
clear openflow statistics
The clear openflow statistics command resets the flow statistics for OpenFlow.
Command Mode
Privileged EXEC
Command Syntax
clear openflow statistics
- This command resets the OpenFlow counters.
switch#clear openflow statistics
switch#
controller (OpenFlow)
The controller command adds the address of an OpenFlow controller to which the switch should connect. The parameter must take the form tcp:1.2.3.4:6633 where 1.2.3.4 is the IP address of the controller and 6633 is the TCP port number.
The controller command may be used multiple times to add multiple controllers. The switch will attempt to connect to the first controller in the list of controllers. If the connection attempt fails, or the current connection terminates, the switch will try the next controller in that list, and so on. If the switch cannot connect to the last controller in the list, it will retry with the first controller in the list.
The order in which controllers are added is the order that the switch uses to establish controller connections. This ordering can be seen in the output of the show openflow command.
The no controller command either removes the specified controller from the list of controllers if a controller address is given as a parameter, or removes all controllers from the list of controllers if no parameter is given. If there are no controllers remaining after this command is executed, the OpenFlow function is effectively disabled.
The no controller and default controller commands delete the controller statement from running-config.
Command Mode
OpenFlow Configuration
Command Syntax
controller tcp:ip_address:tcp_port
no controller tcp:ip_address:tcp_port
default controller tcp:ip_address:tcp_port
Parameters
- ip_address IP address used for OpenFlow. Dotted decimal notation.
- tcp_port TCP port used for OpenFlow. Value ranges from 0 to 65535.
- These commands enable OpenFlow and set the controller for an OpenFlow instance.
switch(config)#openflow
switch(config-OpenFlow)#controller tcp:1.2.3.4:6633
default-action (OpenFlow)
The default-action command sets the action for the default flow table entry. This entry is automatically added by the switch. It has the lowest priority, and matches packets that are not matched by any other entry.
Use default-action drop to change the default entry's action to drop packets instead of sending them to the controller. (Note: In this mode, the switch deviates from the OpenFlow specification.)
The no default-action command restores the default entry's action to send packets to the controller.
Command Mode
OpenFlow Configuration
Command Syntax
default-action ACTION_TYPE
no default-action
default default-action
Parameters
- ACTION_TYPE Action for the default flow table entry. Options include:
  - controller Sets the default entry's action to send packets to the controller.
  - drop Changes the default entry's action to drop packets instead of sending them to the controller.
- This command sets the default entry's action to drop packets instead of sending them to the controller.
switch(config)#openflow
switch(config-OpenFlow)#default-action drop
description (OpenFlow)
The description command allows overriding the switch description string (normally the switch hostname) sent to the controller.
The no description and default description commands remove the description text for the switch hostname from running-config.
Command Mode
OpenFlow Configuration
Command Syntax
description label_text
no description
default description
Parameters
- label_text Character string up to 256 characters assigned to describe the switch.
- These commands add the description test to the switch.
switch(config-openflow)#description test
switch(config-openflow)#
keepalive (OpenFlow)
The keepalive command alters how often the switch sends an OpenFlow echo request to the currently connected controller (every 10 seconds by default). If an echo reply is not received after three successive echo requests, the switch disconnects from the controller. It then attempts to establish a new controller connection depending on the controller configuration.
The no keepalive command restores the default keepalive period by removing the keepalive command from the running-config.
Command Mode
OpenFlow Configuration
Command Syntax
keepalive keep_alive_time
no keepalive
default keepalive
Parameters
- keep_alive_time Keepalive period, in seconds. Value ranges from 1 to 100000. Default value is 10 seconds.
- This command sets the keepalive time for OpenFlow to 30 seconds.
switch(config)#openflow
switch(config-openflow)#keepalive 30
switch(config-openflow)#
openflow
The openflow command places the switch in OpenFlow configuration mode.
The no openflow and default openflow commands delete the openflow configuration mode statements from running-config.
OpenFlow configuration mode is not a group change mode; running-config is changed immediately upon entering commands. Exiting OpenFlow configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.
Command Mode
Global Configuration
Command Syntax
openflow
no openflow
default openflow
Commands Available in OpenFlow Configuration Mode
- This command places the switch in OpenFlow configuration mode:
switch(config)#openflow
switch(config-openflow)#
- This command returns the switch to global configuration mode:
switch(config-openflow)#exit
switch(config)#
profile (OpenFlow)
The profile command sets an alternate flow table profile. Use the show openflow profiles command to see the flow table profiles supported by the switch.
The no profile and default profile commands restore the default flow table profile by removing the profile command from running-config.
Command Mode
OpenFlow Configuration
Command Syntax
profile FIELD_TYPE
no profile
default profile
Parameters
- FIELD_TYPE Profiles supported by the switch for the active bind mode. Options include:
- full-match Supports matching the full set of OpenFlow match fields.
- l2-match Supports matching only a subset but with a larger maximum number of flow table entries.
- This command advertises the table size for the full-match flow table profile.
switch#(config-openflow)#profile full-match
switch#(config-openflow)#
routing recirculation-interface (OpenFlow)
The routing recirculation-interface command designates a switch interface to recirculate routed OpenFlow traffic for a second pass of processing. Exactly one recirculation interface must be configured to use routing, regardless of the number of VLANs being routed.
Any Ethernet or Port-Channel interface can be used for OpenFlow routing recirculation.
When an interface is configured for OpenFlow routing recirculation:
- The switch programs the hardware into a special MAC loopback mode, so the interface cannot be used to carry normal traffic.
- The link LED turns green and the recirculation function works even if a transceiver is not present or a cable is not inserted.
- The link speed is forced to the maximum.
- Interface configuration commands such as switchport and shutdown are ineffective, although they are preserved in the running configuration and become effective again when the interface is no longer configured for OpenFlow routing recirculation.
The no routing recirculation-interface and default routing recirculation-interface commands revert the configuration to its default by removing the corresponding routing recirculation-interface command from running-config.
Command Mode
OpenFlow Configuration
Command Syntax
bind interface INTF
no bind interface [INTF]
default bind interface [INTF]
Parameters
- INTF Options include:
- ethernet e_range Ethernet interfaces specified by e_range.
- port-channel p_range port channel interfaces specified by p_range.
Valid e_range and p_range formats include number, range, or comma-delimited list of numbers and ranges.
- This command recirculates traffic routed to and from VLAN 1 via the routed transit VLAN 401.
switch(config-openflow)#bind mode vlan
switch(config-openflow)#bind vlan 1
switch(config-openflow)#routing recirculation-interface et48
switch(config-openflow)#routing vlan 1 routed-vlan 401
switch(config-openflow)#enable
routing vlan (OpenFlow)
The routing vlan command enables IP routing of traffic processed by OpenFlow for a specific VLAN.
The no routing vlan and default routing vlan commands disable IP routing of traffic processed by OpenFlow for a VLAN.
Command Mode
OpenFlow Configuration
Command Syntax
routing vlan VLAN_ID routed-vlan vlan_transit
no routing vlan VLAN_ID
default routing vlan VLAN_ID
Parameters
- VLAN_ID Options include:
- v_num The full form of the command is routing vlan 123 routed-vlan 456, where 123 is the VLAN of the OpenFlow traffic to be routed, and 456 is a (non-OpenFlow-bound) VLAN configured for standard IP routing.
- untagged To route untagged OpenFlow traffic, use the command routing vlan untagged routed-vlan 456.
- This command associates the VLAN with an untagged VLAN 22 to match during the OpenFlow pass.
switch(config-openflow)#routing vlan untagged routed-vlan 22
shell-command allowed (OpenFlow)
The shell-command allowed command allows the controller to run shell or CLI vendor extension commands on the switch.
When this extension is enabled, the switch will execute any CLI command sent by the controller, bypassing normal access controls, so enable it only if the controller is trusted.
The no shell-command allowed and default shell-command allowed commands disable this extension by removing the corresponding shell-command allowed command from running-config.
Command Mode
OpenFlow Configuration
Command Syntax
shell-command allowed
no shell-command allowed
default shell-command allowed
- This command allows the controller to run arbitrary CLI commands on the switch.
switch(config)#openflow
switch(config-openflow)#shell-command allowed
switch(config-openflow)#
show openflow flows
The show openflow flows command displays the contents of the flow table, showing each entry with its match rules, actions, packet counters, and timeouts.
The default flow table entry is automatically created by the switch. It always has the lowest priority, and matches packets that are not matched by any other entry. The default entry's action is to send the packet to the controller.
Command Mode
EXEC
Command Syntax
show openflow flows
- This command displays the contents of the flow table.
switch# show openflow flows
Flow flow00000000000000000002:
  priority: 0
  cookie: 0 (0x0)
  idle timeout: 60.0 sec
  match:
    ingress interface: Ethernet2
    source Ethernet address: 00:a9:87:65:43:21
    destination Ethernet address: 00:12:34:56:78:9a
    untagged/native VLAN ID
    VLAN PCP: 0
    Ethernet type: IPv4
    source IPv4 address: 10.0.1.1
    destination IPv4 address: 10.0.1.2
    IPv4 TOS: 0
    IPv4 protocol: ICMP
    source TCP/UDP port or ICMP type: 8
    destination TCP/UDP port or ICMP code: 0
  actions:
    output interfaces: OpenFlowRouter
  matched: 4 packets, 408 bytes
Flow __default__:
  priority: -1
  cookie: 0 (0x0)
  match:
  actions:
    output to controller
switch#
show openflow ports
The show openflow ports command displays the mapping between OpenFlow port number and switch interface.
In interface bind mode, all OpenFlow-bound interfaces (except routed ports and LAG members) are mapped to OpenFlow ports and exposed to the controller.
In VLAN bind mode, Ethernet and Port-Channel interfaces (except routed ports and LAG members) configured to carry traffic for one or more OpenFlow-bound VLANs are mapped to OpenFlow ports and exposed to the controller.
In monitor bind mode, all Ethernet and Port-Channel interfaces (except routed ports and LAG members) are mapped to OpenFlow ports and exposed to the controller.
Command Mode
EXEC
Command Syntax
show openflow ports
- This command displays which interfaces the switch maps to OpenFlow ports.
switch# show openflow ports
Port 1: Ethernet1
Port 15: Ethernet15
switch#
show openflow profiles
The show openflow profiles command displays the flow table profiles supported by the switch for the active bind mode. For each profile, it shows:
- Which fields can be matched by a flow table entry and which can be wildcarded
- Which actions are supported for matched packets (in monitor bind mode, only normal and mirror actions are supported)
- The maximum number of entries that can be added to the flow table
The hardware resources available to OpenFlow are shared with other switch features like ACLs, so the actual maximum number of flow entries may be lower than the number shown by the show openflow profiles command.
On Series 7050 switches, two profiles are available: the full-match profile supports matching the full set of OpenFlow match fields with a maximum of 750 flow table entries, while the l2-match profile supports matching only a subset but with a larger maximum number of flow table entries (1500).
Command Mode
EXEC
Command Syntax
show openflow profiles
- This command displays the flow table profiles.
switch#show openflow profiles
full-match:
  Match fields:
    ingress interface
    source Ethernet address
    destination Ethernet address
    VLAN ID
    VLAN PCP
    Ethernet type
    source IPv4 address
    destination IPv4 address
    IPv4 TOS
    IPv4 protocol
    source TCP/UDP port or ICMP type
    destination TCP/UDP port or ICMP code
  Wildcard fields:
    ingress interface
    source Ethernet address
    destination Ethernet address
    VLAN ID
    VLAN PCP
    Ethernet type
    source IPv4 address
    destination IPv4 address
    IPv4 TOS
    IPv4 protocol
    source TCP/UDP port or ICMP type
    destination TCP/UDP port or ICMP code
  Actions:
    copy ingress to mirror dest interfaces
    forward normally
    copy egress to mirror dest interfaces
  Table size: 750 entries max
l2-match:
  Match fields:
    ingress interface
    source Ethernet address
    destination Ethernet address
    VLAN ID
    VLAN PCP
    Ethernet type
  Wildcard fields:
    ingress interface
    source Ethernet address
    destination Ethernet address
    VLAN ID
    VLAN PCP
    Ethernet type
    source IPv4 address
    destination IPv4 address
    IPv4 TOS
    IPv4 protocol
    source TCP/UDP port or ICMP type
    destination TCP/UDP port or ICMP code
  Actions:
    copy ingress to mirror dest interfaces
    forward normally
    copy egress to mirror dest interfaces
  Table size: 1500 entries max
switch#
show openflow queues
The show openflow queues command displays the queues exposed to the OpenFlow controller for each switch interface, and packet and byte counters for each queue.
Command Mode
EXEC
Command Syntax
show openflow queues
- This command displays the packet and byte counters for each queue on the active OpenFlow interfaces.
switch#show openflow queues
Port 1 (Ethernet1):
  Queue 0: 0 packets (0 bytes) transmitted, 0 dropped
  Queue 1: 0 packets (0 bytes) transmitted, 0 dropped
  Queue 2: 0 packets (0 bytes) transmitted, 0 dropped
  Queue 3: 0 packets (0 bytes) transmitted, 0 dropped
Port 15 (Ethernet15):
  Queue 0: 0 packets (0 bytes) transmitted, 0 dropped
  Queue 1: 0 packets (0 bytes) transmitted, 0 dropped
  Queue 2: 0 packets (0 bytes) transmitted, 0 dropped
  Queue 3: 0 packets (0 bytes) transmitted, 0 dropped
switch#
show openflow statistics
The show openflow statistics command displays statistics sampled every 5 seconds over the past 5 minutes:
- Number of entries in the flow table
- Number of flow_mod, packet_out and packet_in messages processed in the 5-second interval
- Number of packet_out messages dropped in the 5-second interval (the OpenFlow agent starts dropping packet_out messages when the transmit queue of the controller TCP connection exceeds 50% of capacity)
Command Mode
EXEC
Command Syntax
show openflow statistics
- This command displays statistics sampled every 5 seconds.
switch# show openflow statistics
                     table    messages processed last 5 sec           dropped
                     entries  (flow_mod) (packet_out) (packet_in)  last 5 sec
2013-08-16 14:48:06        4           0            0           0           0
2013-08-16 14:48:01        4           2            2           2           0
2013-08-16 14:47:56        0           0            2           2           0
2013-08-16 14:47:51        4           0            0           0           0
2013-08-16 14:47:46        4           0            0           0           0
2013-08-16 14:47:41        4           0            0           0           0
2013-08-16 14:47:36        4           0            0           0           0
2013-08-16 14:47:31        4           2            2           2           0
2013-08-16 14:47:26        0           0            0           0           0
2013-08-16 14:47:21        4           0            0           0           0
2013-08-16 14:47:16        4           0            0           0           0
2013-08-16 14:47:11        4           0            0           0           0
2013-08-16 14:47:06        4           0            0           0           0
2013-08-16 14:47:01        4           2            2           2           0
2013-08-16 14:46:56        4           2            2           2           0
2013-08-16 14:46:51        4           0            0           0           0
2013-08-16 14:46:46        0           0            0           0           0
2013-08-16 14:46:41        4           0            2           2           0
2013-08-16 14:46:36        4           0            2           2           0
2013-08-16 14:46:31        4           0            0           0           0
2013-08-16 14:46:26        4           0            0           0           0
2013-08-16 14:46:21        4           2            2           2           0
2013-08-16 14:46:16        4           2            2           2           0
2013-08-16 14:46:11        4           0            2           2           0
2013-08-16 14:46:06        0           0            0           0           0
2013-08-16 14:46:01        0           0            0           0           0
2013-08-16 14:45:56        0           0            0           0           0
2013-08-16 14:45:51        0           0            0           0           0
2013-08-16 14:45:46        0           0            0           0           0
2013-08-16 14:45:41        0           0            0           0           0
2013-08-16 14:45:36        0           0            0           0           0
2013-08-16 14:45:31        0           0            0           0           0
2013-08-16 14:45:26        0           0            0           0           0
2013-08-16 14:45:21        4           0            0           0           0
switch#
show openflow
The show openflow command shows the effective OpenFlow configuration parameters.
Command Mode
EXEC
Command Syntax
show openflow
- This command displays the actual hardware state of OpenFlow.
switch# show openflow
OpenFlow configuration: Enabled
DPID: 0x000000123456789a
Description: My awesome OpenFlow switch
Controllers:
  configured: tcp:1.2.3.4:6633 tcp:5.6.7.8:6633
  connected: tcp:1.2.3.4:6633
  attempted connection count: 24
  successful connection count: 1
  keepalive period: 10 sec
Flow table state: Enabled
Flow table profile: full-match
Bind mode: interface
  interfaces: Ethernet2, Ethernet4, Ethernet6, Ethernet8
IP routing state: Enabled
  recirculation interface: Ethernet44
  VLAN untagged: routed to/from VLAN 3636
Shell command execution: Disabled
Total matched: 4601 packets
switch#
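Because shell-command allowed lets the controller run CLI commands that bypass normal access controls, the show openflow output is worth checking automatically. The following is an added example, not Arista code: it parses text in the layout shown above and reports findings against a local policy. The approved-controller list, the max_unsuccessful threshold and the function names are assumptions of this example.

```python
# Added example: audit "show openflow" text against a local policy.
# SAMPLE is constructed from the layout of the example output above, with
# shell command execution set to Enabled for the demonstration.
SAMPLE = """\
switch# show openflow
OpenFlow configuration: Enabled
DPID: 0x000000123456789a
Controllers:
  configured: tcp:1.2.3.4:6633 tcp:5.6.7.8:6633
  connected: tcp:1.2.3.4:6633
  attempted connection count: 24
  successful connection count: 1
  keepalive period: 10 sec
Flow table state: Enabled
Shell command execution: Enabled
"""


def parse_show_openflow(text):
    """Return {key: value} for each 'key: value' line, keys lower-cased."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def audit(text, approved, max_unsuccessful=10):
    """Return findings; 'approved' and 'max_unsuccessful' are local policy
    inputs assumed for this example, not EOS settings."""
    f = parse_show_openflow(text)
    if f.get("openflow configuration", "").lower() != "enabled":
        return []  # OpenFlow is off, so there is no controller channel to review
    findings = []
    if f.get("shell command execution", "").lower() == "enabled":
        findings.append("shell-command allowed: controller can run CLI commands")
    for ctrl in f.get("configured", "").split():
        if ctrl not in approved:
            findings.append(f"controller not on approved list: {ctrl}")
    connected = f.get("connected", "")
    if connected and connected not in approved:
        findings.append(f"connected to unapproved controller: {connected}")
    unsuccessful = (int(f.get("attempted connection count", "0") or 0)
                    - int(f.get("successful connection count", "0") or 0))
    if unsuccessful > max_unsuccessful:
        findings.append(f"{unsuccessful} controller connection attempts did not succeed")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, approved={"tcp:1.2.3.4:6633"}):
        print("FINDING:", finding)
```

Run it against output collected from each switch and treat any shell-command finding as requiring a documented reason, since the page advises enabling that extension only for a trusted controller.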
shutdown (OpenFlow)
The shutdown command, in OpenFlow mode, disables OpenFlow on the switch. OpenFlow is disabled by default.
The no shutdown and default shutdown commands re-enable OpenFlow by removing the shutdown command from running-config.
Command Mode
OpenFlow Configuration
Command Syntax
shutdown
no shutdown
default shutdown
- These commands enable OpenFlow on the switch.
switch(config)#openflow
switch(config-openflow)#no shutdown
switch(config-openflow)#
- This command disables OpenFlow.
switch(config-openflow)#shutdown