Flexible Campus VLAN System Based on OpenFlow
Yasuhiro Yamasaki, Yoshinori Miyamoto, Junichi Yamato*, Hideaki Goto, Hideaki Sone
Tohoku University, Japan
* NEC Corporation, Japan
APAN31, Hong Kong, 24 Feb. 2011
Contents
1. Backgrounds
2. Campus VLAN
3. Our Approach
   3.1 OpenFlow overview
   3.2 Proposed system
   3.3 Prototype
4. Summary
1. Backgrounds
• Campus networks
  – A campus network system requires a lot of VLANs
    • for separating the access networks from other networks
    • for realizing sophisticated access control
• Problems of a lot of VLANs
  – IEEE 802.1Q has some limitations.
  – The system configuration work is laborious.
• Our approach
  – Flexible access management system for campus VLANs based on OpenFlow
2. Campus VLAN
• Using a lot of VLANs in campus networks
  – Department, floor, guest-/home-users and so on
• For example, a roaming system such as eduroam
  – The number of VLANs is (SSIDs per AP × areas).
[Figure: on each floor (Floor A ... N) one VLAN per SSID and user class, e.g. VLAN[A-1]: University internal user (SSID: University), VLAN[A-2]: eduroam home user (SSID: eduroam), VLAN[A-3]: eduroam guest user (SSID: eduroam), VLAN[A-4]: Local user (SSID: Local A), etc., all joined through a gateway to the university private network.]
There are some systems besides eduroam in campus networks.
2. Campus VLAN
• Packets are forwarded based on the VLAN tag
  – Each network must be set in each switch's VLAN configuration.
  – A special field such as the VLAN tag is necessary in the packet header.
[Figure: every switch carries a VLAN configuration; the edge switch adds the tag and each switch on the path checks the tag.]
2. Campus VLAN / Problems
• IEEE 802.1Q has some limitations.
  – The VLAN ID field is 12 bits (= 4096 IDs)
  – It is difficult to manage multi-stacked VLANs
• The system configuration work is laborious.
  – It is necessary to set the configuration on all network nodes
→ It is difficult to manage a network using a lot of VLANs and many switch nodes.
3.1 OpenFlow overview
• Network node: dumb but fast
• Control server: intelligent, as expected
[Figure: in a normal network each node holds configuration, control and forwarding, so adding a new function is difficult; in OpenFlow the nodes only forward, while configuration and control sit in the controller and reach the nodes over the OpenFlow protocol, so adding a new function is easy.]
3.2 Proposed system
• The access management function (AMF), equivalent to an authentication VLAN, is added to the OpenFlow Controller
  → The system configuration becomes lighter
• Group IDs (GIDs) are used only inside the OpenFlow Controller
  → The number of IDs isn't restricted
  – No special field is necessary in the header of packets
[Figure: OpenFlow Controller = Network OS + basic functions (tree / path calculation, QoS, etc.) + new function (AMF). The AMF performs a Src check (MAC → GID via the User-DB), a Dst check (via the GID-DB) and returns accept or reject; authentication is done against RADIUS; the controller drives the OpenFlow network.]
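As an added example (not code from the slides or from NEC's controller), the following Python sketch models the AMF decision just described: both MAC addresses of a new flow are resolved to GIDs through a User-DB, the GID-DB says which group pairs may communicate, and the result is the accept/reject action the controller would install. All MACs, GIDs and policy entries are constructed sample values.

```python
# Added example, not from the slides: a toy model of the access management
# function (AMF) that the proposed OpenFlow controller applies to the first
# packet of each flow. The source and destination MAC addresses are resolved
# to group IDs (GIDs) through a User-DB (filled when RADIUS accepts a user),
# and a GID-DB holds which destination groups each source group may reach.
# All MAC addresses, GIDs and policy entries below are constructed samples.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# User-DB: MAC -> GID (constructed; in the real system RADIUS populates it).
USER_DB: Dict[str, str] = {
    "00:11:22:33:44:01": "A",  # university internal user
    "00:11:22:33:44:02": "B",  # eduroam home user
    "00:11:22:33:44:03": "C",  # eduroam guest user
    "00:11:22:33:44:10": "D",  # contents server
}

# GID-DB: source GID -> set of destination GIDs it may communicate with.
GID_DB: Dict[str, Set[str]] = {
    "A": {"A", "B", "D"},
    "B": {"B", "D"},
    "C": {"D"},           # guests reach only the contents server
    "D": {"A", "B", "C", "D"},
}

@dataclass(frozen=True)
class FlowEntry:
    src_mac: str
    dst_mac: str
    action: str  # "forward" (accept) or "drop" (reject)

def lookup_gid(mac: str) -> Optional[str]:
    """Src/Dst check: map a MAC to its GID; None means never authenticated."""
    return USER_DB.get(mac)

def decide(src_mac: str, dst_mac: str) -> FlowEntry:
    """AMF decision: reject unknown endpoints and disallowed GID pairs."""
    src_gid = lookup_gid(src_mac)
    dst_gid = lookup_gid(dst_mac)
    if src_gid is None or dst_gid is None:
        return FlowEntry(src_mac, dst_mac, "drop")
    if dst_gid not in GID_DB.get(src_gid, set()):
        return FlowEntry(src_mac, dst_mac, "drop")
    return FlowEntry(src_mac, dst_mac, "forward")

def build_flow_table(first_packets) -> Dict[Tuple[str, str], str]:
    """Flow rules the controller would push to the switch, keyed by MAC pair."""
    return {(s, d): decide(s, d).action for s, d in first_packets}
```

Because the policy lives entirely in the controller's two tables, no VLAN tag or other packet header field is consumed by the access decision, which is the point of the slide.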
3.3 Prototype
Flexible Access Management System
• NEC's OpenFlow Controller + access management function
• FreeRadius 2.1.9 + reporting function
• DHCP
• AT-TQ2403 (access point)
• NEC's OpenFlow Switch (1 Gbps × 24 ports + 10 Gbps × 2 ports)
• Contents server
[Figure: a user with GID=A talks to destinations with GID=A, B, C and D; the controller accepts some flows and rejects others according to the GIDs.]
No special field is necessary in the header of packets.
3.3 Prototype
• Information of the DB in our OpenFlow controller
[Figure: database contents, not recoverable from the extracted text.]
4. Summary
• Our system: flexible access management system
  – Approach
    • Based on the OpenFlow architecture
    • The OpenFlow controller judges communication access from the GIDs of the src-/dst-address
  – Benefit
    • The number of IDs isn't restricted
    • The system configuration becomes lighter
  – Prototype
    • Some performance measurements
  – Future work
    • Experiments in an actual campus network
Thank you for your kind attention.
Flow table of OpenFlow
Each flow entry consists of Rule | Action | Stats.
• Stats: packet/byte counters
• Action:
  1. Forward packet to port
  2. Encapsulate and forward to controller
  3. Drop packet
  4. Send to normal processing pipeline
• Rule (match fields): Switch port, Src MAC, Dst MAC, Ether type, VLAN, Src IP, Dst IP, Protocol type, Src port, Dst port