|
|
Line 95: |
Line 95: |
| ** $ ./pox/pox.py log.level --DEBUG misc.of_tutorial | | ** $ ./pox/pox.py log.level --DEBUG misc.of_tutorial |
| ** NOTE: There are two "-" (i.e. --) used for options in mininet/pox. In the wiki, sometimes the two lines join up and show as one line. | | ** NOTE: There are two "-" (i.e. --) used for options in mininet/pox. In the wiki, sometimes the two lines join up and show as one line. |
|
| |
|
| |
| [https://wiki.net.informatik.uni-goettingen.de/w/index.php?title=exercises_firewall Exercise_Firewall]
| |
|
| |
| [https://wiki.net.informatik.uni-goettingen.de/w/index.php?title=exercises_pyretic_firewall Exercise_Pyretic_Firewall]
| |
|
| |
| [https://wiki.net.informatik.uni-goettingen.de/w/index.php?title=exercises_kinetic_pox_firewall Exercise_Kinetic_Pox_Firewall]
| |
|
| |
| [https://wiki.net.informatik.uni-goettingen.de/w/index.php?title=exercises_pyretic_debugging Exercise_Pyretic_Debugging]
| |
|
| |
|
| === 21 March === | | === 21 March === |
Line 116: |
Line 107: |
| === 22 March === | | === 22 March === |
| ==== Exercise III: Firewall ==== | | ==== Exercise III: Firewall ==== |
| * Topology is the same as that used for loadbalancing
| | [https://wiki.net.informatik.uni-goettingen.de/w/index.php?title=exercises_firewall Exercise_Firewall] |
| | |
| * (40P) Simple firewall
| |
| ** We will be using the load-balancer experiment as basis
| |
| ** put blocker.py (https://dl.dropboxusercontent.com/u/1652374/SDN_course_WS2015-2016/Exercises/ex3/blocker.py) in pox/ext/blocker.py
| |
| ** $ sudo mn --topo single,6 --mac --arp --controller remote
| |
| ** $ ./pox.py forwarding.l2_learning blocker py
| |
| *** Note that there is a space between blocker and py to enable interactive mode
| |
| *** or $ ./pox.py forwarding.l2_learning blocker.py --ports=80,8888,8000
| |
| ** start Webserver in h1
| |
| *** h1$ python -m SimpleHTTPServer 80
| |
| ** Try to perform curl or wget from h2 to h1
| |
| *** h2$ curl 10.0.0.1
| |
| ** Then block port 80 in pox controller
| |
| *** pox> block(80)
| |
| ** Now, again try the following and report what happens
| |
| *** h2$ curl 10.0.0.1
| |
| | |
| * (60P) Advanced Firewall ( I will give you hints)
| |
| ** Topology [https://dl.dropboxusercontent.com/u/1652374/SDN_course_WS2015-2016/Exercises/ex3/1.firewall-fig.pdf]
| |
| ** Aim: Implement a layer 2 firewall that runs alongside the MAC learning module on the POX OpenFlow Controller. Your firewall should be agnostic to the underlying topology. Take MAC pair list as input and install it on the switches in the network
| |
| ** Note that MAC learning can be done in conjunction with firewall. Therefore you might have to assign priority to each application.
| |
| ** Copy firewall.py from [https://dl.dropboxusercontent.com/u/1652374/SDN_course_WS2015-2016/Exercises/ex3/firewall.py] into pox/pox/misc folder
| |
| ** Start editing firewall.py
| |
| *** Write code to block h1 to h2 (Mac IDs: 00:00:00:00:00:01, 00:00:00:00:00:02)
| |
| ** Do the following to quickly test code
| |
| *** $ ./pox.py --verbose forwarding.l2_learning misc.firewall
| |
| *** $ sudo mn --topo single,3 --controller remote --mac
| |
| *** $ dpctl dump-flows tcp:127.0.0.1:6634
| |
|
| |
|
| ==== Exercise IV: Pyretic Firewall ==== | | ==== Exercise IV: Pyretic Firewall ==== |
| * Aim: Pyretic based firewall
| | [https://wiki.net.informatik.uni-goettingen.de/w/index.php?title=exercises_pyretic_firewall Exercise_Pyretic_Firewall] |
| * Topology [https://dl.dropboxusercontent.com/u/1652374/SDN_course_WS2015-2016/Exercises/ex3/1.firewall-fig.pdf]
| |
| * Put the following files([https://dl.dropboxusercontent.com/u/1652374/SDN_course_WS2015-2016/Exercises/ex4/pyretic_firewall_students.zip]) in folder: pyretic/pyretic/examples
| |
| * $ sudo mn --controller remote --topo=single,3 --mac --arp
| |
| | |
| * (20P) Run the pyretic hub example
| |
| *** $ pyretic.py –v high pyretic.examples.pyretic_hub
| |
| ** Verify that the hosts can ping each other
| |
| *** > xterm h1 h2 h3
| |
| *** h2$ tcpdump -xx -n -i h2-eth0
| |
| *** h3$ tcpdump -xx -n -i h3-eth0
| |
| *** h1$ ping -c1 10.0.0.2
| |
| ** Observe what happens when you do
| |
| *** h1$ ping -c1 10.0.0.5
| |
| ** Look into the hub code: pyretic/pyretic/examples/pyretic_hub
| |
| | |
| * (20P) Run the pyretic switch example
| |
| *** $ pyretic.py –v high pyretic.examples.pyretic_switch1
| |
| ** Verify that the hosts can ping each other
| |
| *** > xterm h1 h2 h3
| |
| *** h2$ tcpdump -xx -n -i h2-eth0
| |
| *** h3$ tcpdump -xx -n -i h3-eth0
| |
| *** h1$ ping -c1 10.0.0.2
| |
| ** Observe what happens when you do
| |
| *** h1$ ping -c1 10.0.0.5
| |
| ** Look into the switch code: pyretic/pyretic/examples/pyretic_switch1.py
| |
| | |
| * (60P) Implement a layer 2 firewall that runs alongside the MAC learning module on the pyretic OpenFlow Controller.
| |
| ** Your firewall should be agnostic to the underlying topology
| |
| ** Write code to block h1 to h2 and h2 to h1 (Mac IDs: 00:00:00:00:00:01, 00:00:00:00:00:02)
| |
| ** Start with pyretic_firewall.py
| |
| ** See in pyretic_firewall.py for instructions on how to test the code as well as how to write the code
| |
| ** To Test run:
| |
| *** sudo mn --controller remote --topo=single,3 --mac --arp
| |
| *** pyretic.py –v high pyretic.examples.pyretic_firewall
| |
| | |
| === 23 March === | | === 23 March === |
| | ==== Exercise VIII: Kinetic like firewall using pox ==== |
| | [https://wiki.net.informatik.uni-goettingen.de/w/index.php?title=exercises_kinetic_pox_firewall Exercise_Kinetic_Pox_Firewall] |
|
| |
|
| ==== Exercise VIII: Kinetic like firewall using pox ====
| |
| * Instructions: [https://dl.dropboxusercontent.com/u/1652374/SDN_Course/Exercises/pox_gardenwall.pdf instructions]
| |
| * Starting Code: [https://dl.dropboxusercontent.com/u/1652374/SDN_Course/Exercises/pox_gardenwall.py Starting_Code]
| |
| * Tips: [https://openflow.stanford.edu/display/ONL/POX+Wiki#POXWiki-ofp_flow_mod-Flowtablemodification Tutorial]
| |
|
| |
|
| ==== Exercise IX: Pyretic Debugging ==== | | ==== Exercise IX: Pyretic Debugging ==== |
| '''HINT:''' You might have to use the "$ dpctl dump-flows tcp:127.0.0.1:6634" or "mininet> dpctl dump-flows" command frequently.
| | [https://wiki.net.informatik.uni-goettingen.de/w/index.php?title=exercises_pyretic_debugging Exercise_Pyretic_Debugging] |
| ** In this debugging exercise, we take solutions available in the Internet for the gardenwall problem and try to fix bugs in it.
| |
| ** We have done kinetic firewall in exercise VII and imitated the same firewall using pox in exercise VIII. Now, we will imitate the same firewall using pyretic.
| |
| ** The basic solution is taken from the Internet [https://dl.dropboxusercontent.com/u/1652374/SDN_Course/Exercises/pyretic_gardenwall_internetsolution1.py], test if it is able to block h1 when "infected". Note that we will only use the "infected == True" for this exercise.
| |
| *** Copy the above code into /home/mininet/pyretic/pyretic/examples as gardenwall_internetsolution.py
| |
| *** start controller (in /home/mininet/pyretic folder): pyretic.py pyretic.examples.gardenwall_internetsolution
| |
| *** start mininet: sudo mn --controller=remote --topo=single,3 --mac --arp
| |
| *** check h1 ping h2
| |
| *** Now infect h1 (in /home/mininet/pyretic/pyretic/kinetic folder): python json_sender.py -n infected -l True --flow="{srcmac=00:00:00:00:00:01}" -a 127.0.0.1 -p 50001
| |
| *** check h1 ping h2. We should be able to observe that this traffic is blocked.
| |
| *** Now, we move on to the debugging part
| |
| **** check h2 ping h3, what happens?
| |
| **** Now, modify the given code to allow h2 traffic to pass through to h3, when h1 is "infected".
| |
| ** Now, check if the "exempt" case is working fine too
| |
| ** if time permits, check and improve code to allow h1 to ping h2
| |
| ** If time permits, try fixing [https://dl.dropboxusercontent.com/u/1652374/SDN_Course/Exercises/pyretic_gardenwall_internetsolution.py this] code for the "infected" case.
| |
| | |
|
| |
|
| === Additional Exercises === | | === Additional Exercises === |
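Review bot: The Exercise IV steps that this hunk replaces with the Exercise_Pyretic_Firewall link write the controller start command as `pyretic.py –v high …` in all three places (hub, switch1 and firewall runs), with an en dash where an ASCII `-v` is needed. This is the same copy-and-paste hazard the NOTE in the previous hunk describes for `--`, and a student pasting the line will get an argument error instead of a running controller. If the steps were moved to the subpage verbatim, correct the dash there. The hunk also drops the Exercise IX hint about `dpctl dump-flows tcp:127.0.0.1:6634`, which is the only check given for confirming that the block rules were actually installed on the switch, along with the 20P/40P/60P point split, so confirm both survive on the linked pages. Finally, the four added links are written as external `index.php?title=…` URLs. If the targets are pages of this same wiki, internal `[[…]]` links would keep them tracked through renames and show up as missing if a subpage does not exist yet.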