Monday, July 18, 2016

Policy based forwarding with FAUCET

Sometimes, you want certain traffic to be taken out of the dataplane, and entirely diverted to another system (for example, you want to redirect all DHCP request broadcasts to only one DHCP server, or you want a DDoS system to perform deeper analysis).



FAUCET allows you to configure an ACL that diverts any packet OpenFlow can match to a chosen port, optionally rewriting the destination address on the way.


acls:
    1:
        - rule:
            dl_dst: "01:02:03:04:05:06"
            actions:
                output:
                    dl_dst: "06:06:06:06:06:06"
                    port: 2


In this example, any traffic with an Ethernet destination of 01:02:03:04:05:06 will be intercepted, have its destination address rewritten to 06:06:06:06:06:06, and then be output on port 2.

The match expression can match anything OpenFlow can; for example, you could match source or destination IP address.

Here's another example that matches DHCP requests and redirects them to port 1:


acls:
    1:
        - rule:
            dl_dst: "ff:ff:ff:ff:ff:ff"
            dl_type: 0x800
            nw_proto: 17
            nw_src: "0.0.0.0"
            nw_dst: "255.255.255.255"
            tp_src: 68
            tp_dst: 67
            actions:
                output:
                    port: 1


And here is output from an Allied Telesis switch that shows it working (the redirect rule sits at a higher priority than the default goto_table rule, so it is matched first):

awplus#show openflow rules |include table_id=1
table_id=1, duration=69s, n_packets=1, n_bytes=377, priority=9099,udp,in_port=23,dl_dst=ff:ff:ff:ff:ff:ff,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67,actions=output:1
table_id=1, duration=69s, n_packets=8590, n_bytes=11026081, priority=9098,in_port=23,actions=goto_table:2
table_id=1, duration=69s, n_packets=0, n_bytes=0, priority=0,actions=drop
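To check that an ACL like the two above diverts exactly the intended traffic before it is pushed to a switch, here is an added Python example (not FAUCET's own code) that mirrors the rules as dicts, enforces the OpenFlow match prerequisites (nw_* fields need dl_type 0x800, tp_* fields need a TCP/UDP nw_proto), and evaluates constructed packets first-match-wins, which is what the descending priorities in the switch output implement. The packet and ACL values are constructed for the example.

```python
# Added example: evaluate FAUCET-style ACL rules against constructed packets
# and check OpenFlow match prerequisites. ACL dicts mirror the YAML in the post.

# OpenFlow 1.3 prerequisites: a field may only be matched when the field it
# depends on is also matched with one of the listed values.
PREREQS = {
    "nw_src": ("dl_type", {0x800}),
    "nw_dst": ("dl_type", {0x800}),
    "nw_proto": ("dl_type", {0x800, 0x86dd}),
    "tp_src": ("nw_proto", {6, 17}),
    "tp_dst": ("nw_proto", {6, 17}),
}

def check_prereqs(match):
    """Return the match fields whose OpenFlow prerequisite is missing."""
    missing = []
    for field, (dep, allowed) in PREREQS.items():
        if field in match and match.get(dep) not in allowed:
            missing.append(field)
    return missing

def apply_acl(acl, pkt):
    """First matching rule wins (FAUCET installs earlier rules at higher priority).
    Returns (output_port, dl_dst after any rewrite), or None if no rule matches."""
    for entry in acl:
        rule = entry["rule"]
        match = {k: v for k, v in rule.items() if k != "actions"}
        if all(pkt.get(k) == v for k, v in match.items()):
            out = rule["actions"]["output"]
            return out["port"], out.get("dl_dst", pkt["dl_dst"])
    return None

# Constructed ACLs mirroring the two YAML examples in the post.
REWRITE_ACL = [{"rule": {"dl_dst": "01:02:03:04:05:06",
                         "actions": {"output": {"dl_dst": "06:06:06:06:06:06", "port": 2}}}}]
DHCP_ACL = [{"rule": {"dl_dst": "ff:ff:ff:ff:ff:ff", "dl_type": 0x800, "nw_proto": 17,
                      "nw_src": "0.0.0.0", "nw_dst": "255.255.255.255",
                      "tp_src": 68, "tp_dst": 67,
                      "actions": {"output": {"port": 1}}}}]

# Constructed packets: a DHCP DISCOVER, and a unicast UDP packet on the same
# ports that is not a broadcast request and must fall through to normal forwarding.
DHCP_DISCOVER = {"dl_dst": "ff:ff:ff:ff:ff:ff", "dl_type": 0x800, "nw_proto": 17,
                 "nw_src": "0.0.0.0", "nw_dst": "255.255.255.255", "tp_src": 68, "tp_dst": 67}
UNICAST_UDP = dict(DHCP_DISCOVER, dl_dst="aa:bb:cc:dd:ee:ff", nw_src="10.0.0.5", nw_dst="10.0.0.1")

if __name__ == "__main__":
    print(apply_acl(DHCP_ACL, DHCP_DISCOVER), apply_acl(DHCP_ACL, UNICAST_UDP))
    print(check_prereqs({"nw_src": "0.0.0.0", "tp_src": 68}))  # missing dl_type and nw_proto
```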
