The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This module describes how to enable and configure OpenFlow on a device.
The device must be booted up in OpenFlow mode. (OpenFlow mode is enabled when you configure the boot mode openflow command on a device. All ports will be in this mode, and the device will not support any regular Cisco IOS XE features.)
When enabling OpenFlow mode on a device, erase all prior configurations, and delete the vlan.dat and stby-vlan.dat files from the flash filesystem.
When the device is in Openflow mode, do not enable other control plane protocols, Border Gateway Protocol (BGP), Spanning Tree Protocol (STP), Port Channels, StackWise Virtual, and so on that work when the device is in normal mode.
The following sections provide more information about the feature.
OpenFlow is a specification from the Open Networking Foundation (ONF) that defines a flow-based forwarding infrastructure and a standardized application-programmatic interface. OpenFlow allows a controller to direct the forwarding functions of a device through a secure channel.
OpenFlow is the protocol between a controller (control plane) and an Ethernet switch (data plane). The switch has flow tables arranged in a pipeline. Flows are rules to examine packets that reach these tables.
An OpenFlow agent on the switch communicates with the controller using the OpenFlow protocol. The agent supports both OpenFlow 1.0 (wire protocol 0x1) and OpenFlow 1.3 (wire protocol 0x4). It can have up to eight controller connections. These connections are not preserved across a switchover, and the controller will have to reconnect to the agent after a switchover.
The OpenFlow implementation on Cisco Catalyst 9400 Series Switches is stateless, and nonstop forwarding (NSF) is not supported. The standby supervisor does not synchronize with the flow database.
The OpenFlow controller is an entity that interacts with an OpenFlow switch using the OpenFlow protocol. In most cases, a controller is a software that manages many OpenFlow logical switches. Controllers offer a centralized view of the network, and enable administrators to dictate to the underlying systems (switches and routers) on how to handle the network traffic. A controller typically runs on a Linux server, and must have IP connectivity to OpenFlow-capable switches.
A controller manages a switch, and inserts and deletes the flows on the switch. These flows support a subset of OpenFlow 1.3 and 1.0 match and action criteria.
The switch connects to the controller using the management port. The management port is in the management virtual routing and forwarding (VRF) instance, and hence provides a secure connection to the controller. To connect a controller to the switch, configure the IP address and port number on which the controller can be reached.
A flow entry is an element in a flow table that is used to match and process packets. It contains priority levels for matching precedence, a set of match fields for matching packets, a set of instructions to apply, and packet and byte counters. A timeout is also associated with each flow (a hard timeout or an inactivity timeout), which is used to automatically remove flows.
A maximum of 32 flow tables are supported.
Each flow provides the following information:
Priority: High-priority flows are matched first. A flow update requires all the flows to be prioritized based on the configured priority.
Match fields: A part of a flow entry against which a packet is matched. Match fields can match the various packet header fields. If no match information is provided for a field, a wildcard is used.
Action: An operation that acts on a packet.
An OpenFlow pipeline is a set of linked flow tables that provide matching, forwarding, and packet modification in an OpenFlow switch. A port is where packets enter and exit the pipeline.
Packets are received on an ingress port and processed by the OpenFlow pipeline that forwards it to output ports. The packet ingress port is owned by the packet throughout the pipeline, and represents the port on which the packet was received into the switch. Note that the ingress port can also be used as a match field in a flow.
Flow actions allow packets to be sent to subsequent tables in the pipeline for further processing, and allow information to be communicated between tables. Pipeline processing stops when the action associated with a matching flow entry does not specify the next table. At this point, the packet is usually modified and forwarded. The packet can also be dropped.
Flow tables of an OpenFlow switch are sequentially numbered, starting from 0. Pipeline processing always starts by matching the packet against flow entries of flow table 0. Other flow tables can be used depending on the outcome of the match and actions in the first table, which could result in matching the packet against flow entries in subsequent tables.
Match Field is a field against which a packet is matched, including packet headers, and the ingress port. A match field can be a wildcard (match any value) and have a bit mask to match selected bits of the field.
Action is an operation that forwards a packet to a port or subsequent tables, or modifies a packet field. Actions can be specified as part of the instructions associated with a flow entry, or an action bucket associated with a group entry. A group entry is a collection of actions that can be shared by multiple flows.
The action specified in one or more flow entries can direct packets to a base action called a group action. The purpose of the group action is to share a set of actions among multiple flows. A group consist of one or more buckets, and in turn, a bucket can have a set of actions (set, pop, or output). Cisco Catalyst 9000 Series Switches support the group types all and indirect.
The following table lists the supported match fields and actions:
|
Header Field |
Prerequisite |
Maskable Entrie |
Example Value |
|---|---|---|---|
|
Ethernet destination MAC address |
— |
Yes |
01:80:c2:00:00:00/ ff:ff:ff:00:00:00 (with mask) de:f3:50:c7:e2:b2 (without mask) |
|
Ethernet source MAC address |
— |
Yes |
0e:00:00:00:00:019 (without mask) |
|
Ethernet type |
— |
— |
ARP (0x0806), IPv4 (0x0800), IPv6 (0x86dd), and so on |
|
VLAN ID |
— |
0x13f |
|
|
ARP target protocol address |
Ethernet type should be set to 0x0806 |
Yes |
— |
|
IP protocol |
Ethernet type should be set to 0x0800 or 0x86dd |
— |
ICMP (0x01), TCP (0x06), UDP (0x11), and so on |
|
IPv4 source address |
Ethernet type should be set to 0x0800 |
Yes |
10.0.0.0/24 (with mask) |
|
IPv4 destination address |
Ethernet type should be set to 0x0800 |
Yes |
10.0.0.254 (without mask) |
|
IPv6 source address |
Ethernet type should be set to 0x08dd |
Yes |
2001:DB8::1 (without mask) |
|
IPv6 destination address |
Ethernet type should be set to 0x08dd |
Yes |
2001:DB8:0:ABCD::1/48 (with mask) |
|
Neighbor discovery target |
Ethernet type should be set to 0x08dd and IP protocol should be set to 0x01 |
— |
ND target |
|
ICMPv6 type |
Ethernet type should be set to 0x08dd and IP protocol should be set to 0x01 |
— |
— |
|
UDP/TCP source port |
Ethernet type should be set to 0x0800 or 0x86dd and protocol should be set to 0x06 or 0x11 |
— |
— |
|
UDP/TCP destination port |
Ethernet type should be set to 0x0800 or 0x86dd and protocol should be set to 0x06 or 0x11 |
— |
— |
|
Incoming interface |
— |
— |
— |
A flow can send a packet to:
The controller.
Any interface of the switch (including the incoming interface).
A subsequent flow table (after Table 0) for another lookup.
A group.
The switch CPU for local processing. Only Cisco Discovery Protocol and Link Layer Discovery Protocol (LLDP) packets can be sent for local processing.
A flow can add (push) or remove (pop) a VLAN tag. If a packet is an IP packet, the flow can decrement the Time to Live (TTL) header field.
The ability to modify the packet fields are defined as Set-Field action. A flow can also modify the following header fields of a packet:
|
Header Field |
Scale |
|---|---|
|
Ethernet destination MAC address |
1k |
|
Ethernet source MAC address |
256 |
|
VLAN ID |
4k |
In Cisco IOS XE Bengaluru 17.4.1, the support to rewrite the following fields has been added:
|
Field |
Scale |
|---|---|
|
ipv4_src |
4k |
|
ipv4_dst |
4k |
|
icmpv4_type |
256 |
|
tcp_src/udp_src |
4k (shared by both fields) |
|
tcp_dst/udp_dst |
4k (shared by both fields) |
|
ip_dscp |
64 |
The IP_DSCP field is part of the IPv4 type of service (ToS) field and the IPv6 traffic class field.
|
Cisco Catalyst 9300 Series Switches |
Cisco Catalyst 9400 Series Switches, and Cisco Catalyst 9500 Series Switches |
Cisco Catalyst 9500 High-Performance Series Switches |
|
|---|---|---|---|
|
Total number of flows |
18K/9K |
54K/27K |
54K/27K |
This section describes the operations that take place when a flow is sent by the controller to be programmed in the OpenFlow device.
Typically a device has flow tables arranged in a pipeline. The pipeline capabilities information specifies the structure of the pipeline, such as the number of tables or stages, what each stage is capable of doing (match or actions), and the size of each table.
When the controller sends a flow request, the OpenFlow agent verifies whether the flow can be handled by the hardware. It compares the flow against the capabilities of the hardware that are defined when the switch is booted up. If the flow is valid, it is programmed in the appropriate flow table.
If the new pipeline is validated (whether the hardware can support the pipeline), it becomes the new set of capabilities used to check if a flow can be installed or not.
After the pipeline is instantiated and flows are installed, packets are forwarded by the switch. Ingress packets are matched against the flows in each flow table, until the highest-priority matching flow entry is found. Packet matching may be exact (match all fields of the table exactly), or partial (match some or all fields, and fields with bit masks may be partially matched). Packets can be modified or forwarded based on the configured actions. Actions can be applied in the pipeline at any time. An action can determine the next flow table to match, the set of egress ports for the packet, and whether the packet should be routed to the controller.
OpenFlow table feature request messages allow an OpenFlow controller to query the capabilities of existing flow tables of an OpenFlow-managed device, or configure these tables to match the supplied configuration.
All the tables can be configured with a subset of the match and action capabilities. Table sizes can also be modified at runtime. When a new flow table configuration is successfully applied, flow entries from old flow tables are removed without any notification. Dynamically configured flow tables are not persistent across reboot. The default pipeline comes up when the device boots up.
While configuring a new flow table based on a request from the OpenFlow controller, ongoing traffic, if any, flowing through the existing flows are dropped.
OpenFlow supports Power over Ethernet (PoE). For PoE to work, configure either Cisco Discovery Protocol or LLDP on the device so that Cisco Discovery Protocol packets or LLDP packets are processed (and sent) by the device. Note that no OpenFlow-specific configuration is required for PoE to work with OpenFlow.
On the OpenFlow controller, configure a flow with the output-to-local action to ensure that packets are sent to the device CPU for local processing.
For more information about PoE, see the Configuring POE chapter.
The following sections provide information about the various OpenFlow configuration tasks.
If the switch is operating in normal mode, we recommend that you configure the write erase command to delete the previous configuration.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
boot mode openflow Example: |
Enables OpenFlow forwarding mode. |
|
Step 4 |
exit Example: |
Exits global configuration mode and enters privileged EXEC mode. |
|
Step 5 |
write erase Example: |
Erases all the files in the NVRAM.
|
|
Step 6 |
Example: |
|
|
Step 7 |
reload Example: |
Reloads the switch and enables OpenFlow forwarding mode for the switch. |
|
Step 8 |
enable Example: |
Enables privileged EXEC mode.
|
|
Step 9 |
show boot mode Example: |
Displays information about the device's forwarding mode. |
Device# show boot mode
System initialized in openflow forwarding mode
System configured to boot in openflow forwarding mode
To go back to normal mode, configure the no boot mode openflow command and then reload the device.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
feature openflow Example: |
Enables the OpenFlow feature. |
|
Step 4 |
openflow Example: |
Enables OpenFlow configuration and enters OpenFlow configuration mode. |
|
Step 5 |
switch 1 pipeline 1 Example: |
Configures a logical switch and pipeline, and enters OpenFlow switch configuration mode. |
|
Step 6 |
controller ipv4 ip-address port port-number vrf vrf-name security {none | tls} Example: |
Connects to a controller.
|
|
Step 7 |
datapath-id ID Example: |
(Optional) Sets the OpenFlow logical switch ID.
|
|
Step 8 |
tls trustpoint local name remote name Example: |
(Optional) Configures an OpenFlow switch Transport Layer Security (TLS) trustpoint. |
|
Step 9 |
end Example: |
Exits OpenFlow switch configuration mode and returns to privileged EXEC mode. |
You can configure either a Layer 2 or Layer 3 interface in OpenFlow mode. When using a Layer 3 interface, configure the no switchport command in interface configuration mode. Perform the following task when using a Layer 2 interface.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
feature openflow Example: |
Enables the OpenFlow feature. |
|
Step 4 |
interface type number Example: |
Configures an interface and enters interface configuration mode. |
|
Step 5 |
switchport mode trunk Example: |
Sets the trunking mode of the Layer 2-switched interface to trunk. |
|
Step 6 |
switchport nonnegotiate Example: |
Specifies that the device will not engage in negotiation protocol on this interface. |
|
Step 7 |
no keepalive Example: |
Disables keepalive packets. |
|
Step 8 |
spanning-tree bpdufilter enable Example: |
Enables bridge protocol data unit (BPDU) filtering on the interface. |
|
Step 9 |
end Example: |
Exits interface configuration mode and returns to privileged EXEC mode. |
|
Step 1 |
enable Enables privileged EXEC mode.
Example: |
|
Step 2 |
show openflow hardware capabilities Displays the hardware capabilities of an OpenFlow device. Example: |
|
Step 3 |
show openflow switch 1 controller Displays information about the controller connected to the switch. Example: |
|
Step 4 |
show openflow switch 1 ports Displays information about the ports on an OpenFlow switch. Example: |
|
Step 5 |
show openflow switch 1 flows list Displays OpenFlow entries. The following sample output displays a flow that is available in Table 0, where match any goes to Table 1. (match any means that all the packets go to Table 1.) In Table 1, the destination MAC address 00:00:01:00:00:01 is matched, and the output port is set to 36. Example: |
The following example shows how to enable OpenFlow:
Device> enable
Device# configure terminal
Device(config)# boot mode openflow
Device(config)# exit
Device# write erase
Device# delete flash:vlan.dat
Device# reload
Device> enable
Device# show boot mode
The following example shows how to configure OpenFlow:
Device# configure terminal
Device(config)# feature openflow
Device(config)# openflow
Device(config-openflow)# switch 1 pipeline 1
Device(config-openflow-switch)# controller ipv4 10.2.2.2 port 6633 vrf Mgmt-vrf security tls
Device(config-openflow-switch)# datapath-id 0x12345678
Device(config-openflow-switch)# tls trustpoint local trustpoint1 remote trustpoint1
Device(config-openflow-switch)# end
| Related Topic | Document Title |
|---|---|
|
OpenFlow commands |
|
|
Open Network Foundation |
|
|
Faucet OpenFlow controller |
|
|
PoE |
|
| Description | Link |
|---|---|
|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.|
Feature Name |
Release |
Feature Information |
|---|---|---|
|
OpenFlow |
Cisco IOS XE Fuji 16.9.1 |
OpenFlow is a Software-Defined Network (SDN) standard. It defines a communication protocol in SDN environments that enables an SDN controller to directly interact with the forwarding plane of network devices such as switches and routers. This feature was implemented on the following platforms:
|
|
Cisco IOS XE Gibraltar 16.10.1 |
Table feature message support on Catalyst 9500 Series High Performance Switches was introduced. |
|
|
OpenFlow Power over Ethernet |
Cisco IOS XE Gibraltar 16.12.1 |
PoE is supported on OpenFlow ports. This feature was implemented on the following platforms:
|
Feedback