Wednesday, January 31, 2018

openflow switch, openvswitch with ryu as the controller

controller ip:

*** on controller ***

1- install package
$ sudo apt-get install ryu-bin

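2- configure ryu as below ( /etc/ryu/ryu.conf). Set wsapi_host and ofp_listen_host to the controller's management address rather than all interfaces: the REST API on wsapi_port has no authentication of its own, so anyone who can reach that port can read and change flow and firewall rules.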
app_lists =,

wsapi_host =
wsapi_port = 8080
ofp_listen_host =
ofp_tcp_listen_port = 6633

3- restart the controller and it is ready
$ sudo /etc/init.d/ryu restart

*** switch ***
1- install package
$ sudo apt-get install openvswitch-switch

2- configure switch
$ sudo ovs-vsctl add-br br0
$ sudo ovs-vsctl set bridge br0 protocols=OpenFlow10,OpenFlow11,OpenFlow12,OpenFlow13
$ sudo ovs-vsctl set-controller br0 tcp:

-- add port and enable port
$ sudo ovs-vsctl add-port br0 enp0s8
$ sudo ovs-vsctl add-port br0 enp0s9
$ sudo ovs-vsctl add-port br0 enp0s10
$ sudo ifconfig  br0 up

$sudo ifconfig  enp0s8 up
$ sudo ifconfig  enp0s9 up
$ sudo ifconfig  enp0s10 up

Now it is operational; clients that connect to those 3 ports will be able to reach each other.

****  edit an app***
For example, our client has MAC address 08:00:27:d5:75:d9, and we want to hard-code our app to drop any packets from that client.
 app file: under /usr/lib/python3/dist-packages/ryu/app/ , with the content below
from ryu.base import app_manager
from ryu.controller import ofp_event
from ryu.controller.handler import CONFIG_DISPATCHER, MAIN_DISPATCHER
from ryu.controller.handler import set_ev_cls
from ryu.ofproto import ofproto_v1_3
from ryu.lib.packet import packet
from ryu.lib.packet import ethernet
from ryu.lib.packet import ether_types
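class SimpleSwitch13(app_manager.RyuApp):
    """OpenFlow 1.3 learning switch that discards traffic from one blocked MAC.

    Behaves like the stock Ryu ``simple_switch_13`` example (learn source
    MACs per datapath, forward to the learned port, flood unknown
    destinations) with one addition: frames whose Ethernet *source* is
    ``BLOCKED_SRC_MAC`` are dropped.

    The listing as published could not enforce that: it compared the
    destination address instead of the source, it made the comparison only
    after the learned-port lookup had already matched, and it used
    ``OFPC_FRAG_DROP`` (a switch fragment-handling config flag, not a port
    number) as the output port, which forwards instead of dropping.
    """

    OFP_VERSIONS = [ofproto_v1_3.OFP_VERSION]

    # Source MAC whose traffic is discarded (the example client).
    # A source MAC is chosen by the sending host, so this rule is a
    # convenience filter, not an access control on its own; where the host's
    # switch port is known, also matching on in_port narrows the rule.
    BLOCKED_SRC_MAC = "08:00:27:d5:75:d9"

    # Flow priorities: the drop rule must outrank the learned forwarding
    # flows, otherwise a forwarding flow matching (in_port, eth_dst) wins.
    TABLE_MISS_PRIORITY = 0
    FORWARD_PRIORITY = 1
    DROP_PRIORITY = 2

    def __init__(self, *args, **kwargs):
        super(SimpleSwitch13, self).__init__(*args, **kwargs)
        # {dpid: {mac: port}} learned from packet-in events.
        self.mac_to_port = {}

    @set_ev_cls(ofp_event.EventOFPSwitchFeatures, CONFIG_DISPATCHER)
    def switch_features_handler(self, ev):
        """Install the table-miss flow and the drop flow when a switch connects."""
        datapath = ev.msg.datapath
        ofproto = datapath.ofproto
        parser = datapath.ofproto_parser

        # Table-miss entry: send unmatched packets to the controller,
        # unbuffered, so the whole frame arrives in the packet-in.
        match = parser.OFPMatch()
        actions = [parser.OFPActionOutput(ofproto.OFPP_CONTROLLER,
                                          ofproto.OFPCML_NO_BUFFER)]
        self.add_flow(datapath, self.TABLE_MISS_PRIORITY, match, actions)

        # Drop entry, installed up front so enforcement happens in the
        # switch and does not depend on a packet-in reaching the controller.
        # An apply-actions instruction with no actions drops the packet.
        blocked = parser.OFPMatch(eth_src=self.BLOCKED_SRC_MAC)
        self.add_flow(datapath, self.DROP_PRIORITY, blocked, [])

    def add_flow(self, datapath, priority, match, actions, buffer_id=None):
        """Send a flow-mod that applies ``actions`` to packets matching ``match``.

        An empty ``actions`` list installs a drop flow. When ``buffer_id`` is
        given, the switch also applies the new flow to that buffered packet.
        """
        ofproto = datapath.ofproto
        parser = datapath.ofproto_parser

        inst = [parser.OFPInstructionActions(ofproto.OFPIT_APPLY_ACTIONS,
                                             actions)]
        # "is not None" rather than truthiness: buffer id 0 is a valid id.
        if buffer_id is not None:
            mod = parser.OFPFlowMod(datapath=datapath, buffer_id=buffer_id,
                                    priority=priority, match=match,
                                    instructions=inst)
        else:
            mod = parser.OFPFlowMod(datapath=datapath, priority=priority,
                                    match=match, instructions=inst)
        datapath.send_msg(mod)

    @set_ev_cls(ofp_event.EventOFPPacketIn, MAIN_DISPATCHER)
    def _packet_in_handler(self, ev):
        """Learn the sender's port, then forward or flood the packet."""
        # If this fires, the switch's miss_send_length is too small for the
        # frame and only a prefix of it reached the controller.
        if ev.msg.msg_len < ev.msg.total_len:
            self.logger.debug("packet truncated: only %s of %s bytes",
                              ev.msg.msg_len, ev.msg.total_len)
        msg = ev.msg
        datapath = msg.datapath
        ofproto = datapath.ofproto
        parser = datapath.ofproto_parser
        in_port = msg.match['in_port']

        pkt = packet.Packet(msg.data)
        eth = pkt.get_protocols(ethernet.ethernet)[0]

        if eth.ethertype == ether_types.ETH_TYPE_LLDP:
            # LLDP is link-local discovery traffic; do not learn or forward.
            return
        dst = eth.dst
        src = eth.src

        dpid = datapath.id
        self.mac_to_port.setdefault(dpid, {})

        self.logger.info("packet in %s %s %s %s", dpid, src, dst, in_port)

        # Controller-side guard for a frame that was punted before the drop
        # flow took effect: do not learn the address and do not forward.
        if src == self.BLOCKED_SRC_MAC:
            self.logger.info("dropping packet from blocked MAC %s on %s port %s",
                             src, dpid, in_port)
            return

        # Learn the source so later frames to it need not be flooded.
        self.mac_to_port[dpid][src] = in_port

        if dst in self.mac_to_port[dpid]:
            out_port = self.mac_to_port[dpid][dst]
        else:
            out_port = ofproto.OFPP_FLOOD

        actions = [parser.OFPActionOutput(out_port)]

        # Install a forwarding flow so the next such frame stays in the switch.
        if out_port != ofproto.OFPP_FLOOD:
            match = parser.OFPMatch(in_port=in_port, eth_dst=dst)
            if msg.buffer_id != ofproto.OFP_NO_BUFFER:
                # The flow-mod carries the buffer id, so the switch forwards
                # the buffered packet itself; no packet-out is needed.
                self.add_flow(datapath, self.FORWARD_PRIORITY, match, actions,
                              msg.buffer_id)
                return
            self.add_flow(datapath, self.FORWARD_PRIORITY, match, actions)

        data = None
        if msg.buffer_id == ofproto.OFP_NO_BUFFER:
            # Unbuffered packet: the frame must travel with the packet-out.
            data = msg.data

        out = parser.OFPPacketOut(datapath=datapath, buffer_id=msg.buffer_id,
                                  in_port=in_port, actions=actions, data=data)
        datapath.send_msg(out)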

To use it, update ryu.conf as below:
app_lists =,

wsapi_host =
wsapi_port = 8080
ofp_listen_host =
ofp_tcp_listen_port = 6633

now all packets from that host will be dropped

****rest command*****

-list switch
$ curl -X GET http://localhost:8080/stats/switches

-list firewall status
$ curl http://localhost:8080/firewall/module/status

-get firewall rule from switch ip xxxxxxxxxx
$ curl -X GET http://localhost:8080/firewall/rules/000008002734600a | python -m json.tool

-add firewall rule
$ curl -X POST -d  '{"nw_src": "", "nw_dst": "", "nw_proto": "ICMP", "actions": "DENY", "priority": "10"}' http://localhost:8080/firewall/rules/000008002734600a

- delete firewall rule
$ curl -X DELETE -d '{"rule_id": "12"}' http://localhost:8080/firewall/rules/000008002734600a

- list switch flows
$ curl -X GET http://localhost:8080/stats/flow/290271735463054

-list switch description
$ curl -X GET http://localhost:8080/stats/desc/290271735463054

-list table
$ curl -X GET http://localhost:8080/stats/table/290271735463054

-list port
$ curl -X GET http://localhost:8080/stats/port/290271735463054

-list table feature
$  curl -X GET http://localhost:8080/stats/tablefeatures/8796750766090
