Thank you! Now it works. I want two distinct controllers because I suppose that in a very large network a centralized controller should analyze a huge number of sources and it risks a sort of overload. It's for security issues.
Thanks again!
bests,

2013/12/10 Murphy McCauley <murphy.mccau...@gmail.com>

> The second option would be my preference. As for how C1 knows enough about the core network to do the first hop correctly... the first thing I'd do is figure out if it was reasonable to just statically configure it.
>
> Still... are two distinct controllers really required? Why not one controller which treats the access switch differently than the core switches? There may well be a good reason, but it's a question worth asking.
>
> As to the specific issues in your second email... I think it may actually be two problems.
>
> The cause of the warning is explained in the second entry of the POX FAQ.
>
> The OpenFlow error is most commonly seen either when there's a loop, or when you've sent two flow-mods/packet-outs referencing the same buffer_id (often from two different packet-in handlers). The specified buffer has already been used/discarded. See the OpenFlow spec for more on OFPBRC_BUFFER_EMPTY.
>
> -- Murphy
>
> On Dec 10, 2013, at 3:51 AM, Silvia Fichera <fichera....@gmail.com> wrote:
>
> > I'm trying to follow the second option.
> > The forwarding process is working just one way.
> > I would like to prepare the switch to forward the ack response from the host, so I want to install a proactive rule.
> > I've tried to do it in this way:
> >
> > actions2=[]
> > actions2.append(of.ofp_action_dl_addr.set_dst(mac2))
> > actions2.append(of.ofp_action_output(port=inport))
> > match = of.ofp_match()
> > match.in_port=1
> > match.dl_src=mac
> > match.dl_dst=mac2
> > match.nw_proto=6
> > match.nw_src=dstaddr
> > match.nw_dst=srcaddr
> > msg=of.ofp_flow_mod(command=of.OFPFC_ADD,
> >                     #idle_timeout=FLOW_IDLE_TIMEOUT,
> >                     hard_timeout=of.OFP_FLOW_PERMANENT,
> >                     buffer_id=event.ofp.buffer_id,
> >                     actions=actions2,match=match)
> > event.connection.send(msg.pack())
> >
> > where:
> > mac = self.arpTable[dpid][dstaddr].mac #dst host mac addr
> > mac2 = self.arpTable[dpid][srcaddr].mac #src host mac addr
> > dstaddr = packet.next.dstip
> > srcaddr = packet.next.srcip
> >
> > the in port is set to 1 because it's the default port to/from core network.
> >
> > When I try this implementation I've got this error:
> >
> > WARNING:libopenflow_01:Fields ignored due to unspecified prerequisites: nw_dst nw_src nw_proto
> >
> > ERROR:openflow.of_01:[00-00-00-00-00-01 3] OpenFlow Error:
> > [00-00-00-00-00-01 3] Error: header:
> > [00-00-00-00-00-01 3] Error: version: 1
> > [00-00-00-00-00-01 3] Error: type: 1 (OFPT_ERROR)
> > [00-00-00-00-00-01 3] Error: length: 76
> > [00-00-00-00-00-01 3] Error: xid: 17
> > [00-00-00-00-00-01 3] Error: type: OFPET_BAD_REQUEST (1)
> > [00-00-00-00-00-01 3] Error: code: OFPBRC_BUFFER_EMPTY (7)
> > [00-00-00-00-00-01 3] Error: datalen: 64
> > [00-00-00-00-00-01 3] Error: 0000: 01 0e 00 60 00 00 00 11 00 10 00 12 00 01 76 57 |...`..........vW|
> > [00-00-00-00-00-01 3] Error: 0010: 3b c6 e3 37 de c9 a5 fe 9c ee 00 00 00 00 00 00 |;..7............|
> > [00-00-00-00-00-01 3] Error: 0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> > [00-00-00-00-00-01 3] Error: 0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 |................|
> >
> > What's wrong?
> >
> > Thank you.
> >
> > 2013/12/10 Silvia Fichera <fichera....@gmail.com>
> > Hi Murphy,
> >
> > I would like to have controller C1 connected only to the access network. It checks if the source is honest pretending the mechanism of 3WHS if the source is unknown. So when it receives a SYN request it answers with the SYN ACK and, only if the source sends the ACK, it is added to a whitelist, and it's allowed to send packets in the network. If the source is in the whitelist, when it wants to send packets it sends a SYN again, but this time it is controller C0 that installs the forwarding rules because it's connected to all switches of the network. C0 and C1 could share a list of valid sources or malicious sources (whitelist and blacklist).
> >
> > Another solution could be to connect C1 only to the access network and C0 to the core network,
> >
> > After the mechanism of 3WHS check, C1 installs the rule to forward the packet through the port connected to the core network (a sort of default gateway). When the packet arrives on the switch belonging to the core network C0 will install forwarding rules to the destination (that is never in my access network).
> > But here the problem is to have a mechanism to know a priori the output port of all access switches or to set it when I build the network.
> >
> > Have you got any suggestions?
> >
> > Bests,
> >
> >
> > 2013/12/9 Murphy McCauley <murphy.mccau...@gmail.com>
> > So you want to have two controllers which communicate with the same switch, but that do different things? There's no straightforward way to do this with straight OpenFlow 1.0, but it may be possible with some of the Open vSwitch extensions related to multiple controllers. You should look into those OVS features (controller role, controller ID, etc.).
> >
> > I assume you have a good reason for wanting to use two separate controllers. From your description, it's not obvious.
> >
> > -- Murphy
> >
> > On Dec 9, 2013, at 4:11 AM, Silvia Fichera <fichera....@gmail.com> wrote:
> >
> > > Hi all,
> > > I've a l3_learning controller that checks if a TCP request connection is valid.
> > > In a tree topology I would like that this one checks only the edge switches and, if the connection is valid, another controller will install flow rules on the switches.
> > >
> > > So, if I receive a TCP SYN packet, first of all the switch talks to my controller, it checks the "honesty" of the source:
> > > - if it's not honest "install" a drop rule on the switch
> > > - else I would like the switch to forward the connection request to the regular controller that installs flows.
> > >
> > > How can I contact the regular controller from the switch?
> > >
> > > Thank you
> > >
> > > --
> > > Silvia Fichera
> >
> >
> >
> > --
> > Silvia Fichera
> >
> >
> >
> > --
> > Silvia Fichera

--
Silvia Fichera
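
Added example, not part of the original thread or of POX: a decoder for the 64 bytes of the rejected request that the switch echoed back in the error dump quoted above, showing which fields actually reached the wire. The field layout and constants follow the OpenFlow 1.0 specification; the function names are this example's own.

```python
import struct

# First 64 bytes of the rejected request, copied from the error dump quoted in
# the thread (an OpenFlow error carries the start of the offending message).
DUMP = bytes.fromhex(
    "01 0e 00 60 00 00 00 11 00 10 00 12 00 01 76 57"
    "3b c6 e3 37 de c9 a5 fe 9c ee 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00")

OFPT_FLOW_MOD = 14        # OpenFlow 1.0 message type
OFPFW_DL_TYPE = 1 << 4    # wildcard bit: EtherType is not matched
ETH_IP, ETH_ARP = 0x0800, 0x0806
FIXED_LEN = 72            # header + match + fixed fields; actions follow
BUFFER_ID_OFFSET = 64     # buffer_id is the field right after priority

def mac(raw):
    return ":".join("%02x" % b for b in raw)

def decode_flow_mod(data):
    """Decode header, ofp_match and fixed fields of an OF 1.0 flow-mod."""
    version, msg_type, length, xid = struct.unpack_from("!BBHI", data, 0)
    (wild, in_port, dl_src, dl_dst, _vlan, _pcp, dl_type, _tos, nw_proto,
     nw_src, nw_dst, _tp_src, _tp_dst) = struct.unpack_from(
        "!IH6s6sHBxHBB2xIIHH", data, 8)
    _cookie, command, idle, hard, priority = struct.unpack_from(
        "!QHHHH", data, 48)
    return {
        "version": version, "type": msg_type, "length": length, "xid": xid,
        "in_port": in_port, "dl_src": mac(dl_src), "dl_dst": mac(dl_dst),
        "dl_type": dl_type, "dl_type_wildcarded": bool(wild & OFPFW_DL_TYPE),
        "nw_proto": nw_proto, "nw_src": nw_src, "nw_dst": nw_dst,
        "command": command, "hard_timeout": hard, "priority": priority,
        "actions_len": length - FIXED_LEN,
        # The echoed payload stops at 64 bytes, so buffer_id is not visible.
        "buffer_id_in_dump": len(data) >= BUFFER_ID_OFFSET + 4,
    }

def unmet_prerequisites(m):
    """nw_* fields that cannot match because dl_type is not set to IP/ARP."""
    if not m["dl_type_wildcarded"] and m["dl_type"] in (ETH_IP, ETH_ARP):
        return []
    return ["nw_proto", "nw_src", "nw_dst"]

if __name__ == "__main__":
    decoded = decode_flow_mod(DUMP)
    for key, value in decoded.items():
        print("%-20s %s" % (key, value))
    print("ignored without dl_type:", unmet_prerequisites(decoded))
```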