wiki:Internal/OpenFlow/Firmware

Flashing NEC Switches

NEC provides two models of switch that supports OpenFlow, the IP8800/S3640-24T2XW and the IP8800/S3640-48T2XW.
The switches must be manually flashed with OpenFlow capable firmware to make them OpenFlow capable. NEC provides instructions on flashing the switch, but there are a few things that are useful to know that they don't mention. This article is a summary of the instructions, with those unmentioned caveats thrown in.

UPDATE: Go here for the instructions for the newest firmware (11.1.C.Ae)

Materials Needed

The SD card must contain the following for the switch to be able to boot off of it:

  • OpenFlow capable firmware (k.img)
  • Software license for OpenFlow capable firmware (license.dat)
  • Configuration file for OpenFlow specific features (openflow.conf)

In order to use SSL for the secure channel between the switch and the controller, the following three should also be on the card:

  • CA certificate (ca_cert.pem)
  • Certificate for the switch (sw_cert.pem)
  • secret key for switch (sw_key.pem)

General steps

These are the general steps required to get the switch up and running as an OpenFlow device:

  1. Log into switch (this assumes you have already configured everything so you can talk to your switch)
  2. Disable Spanning Tree Protocol (command spanning-tree disable under configuration prompt)
  3. Create VLANs
  4. Create openflow.conf
  5. Save k.img, license.dat, openflow.conf, and if using SSL, the .pem files, onto SD card
  6. Cold boot switch off of SD card (the manual says a reboot is sufficient, but this was not the case)
  7. Enjoy

The Caveats

The SD card

NEC provides a certified SD card with the switch. They recommend that you only use this card.

The License

Each license is specific to a certain switch; a switch will not boot properly if the license is missing, misnamed, or if the license for the wrong switch is used. The license must always be named "license.dat" for the switch to boot properly.

When you get more than one license, each license will be named by the serial number of the switch you're supposed to use the license on instead of being named "license.dat." In that case, the serial number can be found on a silver sticker on the front of the switch, or by typing show version at the terminal:

# show ver
Date 2000/01/09 01:20:34 UTC
Model: AX3640S-48T2XW
S/W: OS-L3L Ver. 10.7 
H/W: Main board
       AX-3640-48T2XW-L [WA03CL48T2XWS0E0693K007:80330300:111:1B514-1B512]    
     Module slot1 PS-M(AC)
       AX-F2430-PSA01 [WA0PSA010000C110093D006]
     Module slot2 FAN-M
       AX-F2430-FAN01 [WA1FAN010000C140093D004]

In this case, "WA03CL48T2XWS0E0693K007" (in the first entry under "H/W: Main board) is the serial number and matches the name of the correct license for this specific switch.

openflow.conf

openflow.conf is a text file that contains configurations specific to virtual switching. The details about the commands that can be used in the file are on pages 12-13 of the NEC manual. Following are a few notes about the commands.

no-save

Specifying this parameter in openflow.conf will prevent you from configuring virtual switches through the CLI (i.e, create new virtual switches). Because the firmware does not include text editors, once you have this parameter on your .conf file you will have to edit your file on a PC if you want to change anything. Basically, if you are planning to change things around after the switch has been booted into OpenFlow, it is better not to specify this command.

double-wide-mode

When specified, all ten OpenFlow specific header fields will be matched.

setvsi

Creates an instance of a virtual switch on a VLAN.

setvsi is followed by several parameters:

setvsi <vlan id> <list of ports> <tcp|ssl> <controller ip address[:port]> [<cacert> <my cert> <my private key>] [dpid <datapath id>] [hwlimit <max entrynum>] [max-backoff <backoff time>] [echo-interval <interval time>]

not all parameters need to be used with setvsi. The following are the minimal parameters you need to get a virtual switch going:

setvsi <vlan id> <list of ports> <tcp|ssl> <controller ip address[:port]> [dpid <datapath id>]

when booted, openflow.conf lives in /mnt/. This is the first functional openflow.conf file that was used on the switch:

setvsi 1 1,3,5,7,9,11,13,15,2.1 tcp 172.16.4.224 dpid 0x0123456789ab
setvsi 2 17,19,21,23,25,27,29,31,2.2 tcp 172.16.4.180 dpid 0x012345678abc
setvsi 3 33,35,37,39,41,43,45,47,2.3 tcp 172.16.4.64 dpid 0x01234567abcd

In this case, the three virtual switches each take up the top row of a block of ports, and share a trunk port (port 2), as denoted by the 2.1, 2.2, and 2.3 at the end of the lists of ports. the syntax is

<port number of trunk>.<VLAN>

The VLAN assignments were made to match up with the port assignments of the virtual switches. The virtual switch can overlay across a portion of the ports of any given VLAN, but not overlay across ports belonging to different VLANS.

editing openflow.conf from the CLI versus editing it from a computer

Once the switch is booted from the card, the two CLI commands you can use to manipulate openflow.conf are:

  • setvsi - adds virtual switches using the exact same syntax as in openflow.conf
  • deletevsi - removes virtual switches

Even though the switch will boot without anything written in openflow.conf, and you can add the virtual switches later, you can't add any of the other choices i.e. no-save or double-wide-mode from the command line. In order to add the other parameters to openflow.conf, you will have to edit the file on a text editor.

The details of configuring VLANs and virtual switches on an OpenFlow capable switch are here:
wiki:Documentation/OpenFlow/VirtualSwitch

Upgrading to 11.1.C.Ae

This is the production version of the OpenFlow capable firmware for the IP8800. Unlike the experimental version, once you upgrade you don't need the SD card. Before beginning, make sure the switch is booted off of the SD card with the experimental OpenFlow firmware (ver. 11.1.C) and has sdmem0a mounted at /mnt:

sw-sb-02> /sbin/mount
/dev/md0a on / type ffs (local)
...
/dev/sdmem0a on /mnt type msdos (synchronous, local)

1. Firmware upgrade

The firmware should have an extension of '.gz'. The easiest way to upgrade is to run ppupdate after copying the firmware onto the SD card using tftp:

sw-sb-02# tftp 10.50.0.42
tftp> get nec.gz /mnt/nec.gz
getting from 10.50.0.42:nec.gz to /mnt/nec.gz [octet]
Received 20973752 bytes in 100.7 seconds [1666237 bits/sec]
tftp> quit

This will take a good 1.5 minutes. After this step, /mnt should contain nec.gz:

sw-sb-02# ls -al
total 45153
drwxrwxrwx   1 root  wheel     16384 Jan  1  1980 .
drwxr-xr-x  26 root  wheel       512 Aug  5 18:19 ..
-rwxrwxrwx   1 root  wheel  25214752 Jun  9  2010 k.img
-rwxrwxrwx   1 root  wheel        66 Jul  7  2010 license.dat
-rwxrwxrwx   1 root  wheel  20973752 Aug  5 18:30 nec.gz

Now run ppupdate as admin, specifying the full path to the new firmware:

sw-sb-02# ppupdate /mnt/nec.gz

Software update start

Broadcast Message from operator@sw-sb-02
        (??) at 18:31 UTC...

***********************************************
** UPDATE IS STARTED.                        **
***********************************************

Current version is 11.1.C
New version is 11.1.C.Ae
Automatic reboot process will be run after installation process.
Do you wish to continue? (y/n)

And let the switch do the work. The whole process should take a minute or two, showing you this once complete:

100% |***********************************************************************************| 20482 KB    1.23 MB/s    00:00 ETA

Update done.

Broadcast Message from operator@sw-sb-02
        (??) at 18:32 UTC...

***********************************************
** UPDATE IS FINISHED SUCCESSFULLY.          **
***********************************************


The switch will reboot unless given the no-reload flag with ppupgrade. The bootloader will search for .img files to load to memory upon startup. If you want the switch to boot into the new firmware when it reboots after the upgrade, you can either:

  1. Issue ppupdate with the no-reload command. Run reload stop to halt the OS, and restart the switch after you (safely) remove the card 1.
  2. Rename k.img to something else so it is not recognized as a bootable image.

2. OpenFlow configuration commands

The OpenFlow components of the new firmware have been integrated into the CLI. There are contexts for OpenFlow (conveniently called openflow) under the show and configure contexts.

sw-gp# show openflow ?
  controller-session  Display the session of OpenFlow Controller
  detail              Display the detailed OpenFlow information
  openflow-id         Specifies OpenFlow ID
  statistics          Display the OpenFlow statistics information
  table               Display the flow table information
  <cr>
sw-gp(config)# openflow openflow-id [id]
  real-switch     OpenFlow ID 1 specified for real-switch ( When real-switch is set, virtual-switch can't be set )
  virtual-switch  OpenFlow ID 1 to 16 specified for virtual-switch ( When virtual-switch is set, real-switch can't be set )
  <cr>
sw-gp(config)# openflow openflow-id 1 virtual-switch
!sw-gp(config-of)# ?

  connect               Specify the time to connect the OpenFlow Controller
  controller            Specify the OpenFlow Controller
  dpid                  Specify the data path ID
  echo-reply            Specify the max time of receiving Echo-Reply frame from the OpenFlow Controller
  echo-request          Specify the interval time of sending Echo-Request frame to the OpenFlow Controller
  emergency-mode        Specify enable or disable of the emergency mode
  enable                Enable OpenFlow
  end                   Exit from configure mode
  exit                  Return to previous mode
  flow-statistics-mode  Specify the collection type of the flow statistics mode information
  mac-learning          Specify enable or disable of MAC learning
  maxflow               Specify the number of the upper limits of flow
  mishit-action         Specify the process when the mishit-action occurred
  no                    Delete configurations
  openflow-vlan         Specify the VLAN which it belongs to Virtual Switch
  outbound              Specify the band limit of the output rate of VLAN on interface
  port-modify-access    Specify set permission of the access port change from Controller. (reason down of the port)
  port-modify-trunk     Specify set permission of the trunk port change from Controller. (reason down of the port)
  quit                  Return to previous mode
  save                  Save configuration file
  show                  View configurations
  status                Show configure status
  top                   Change to global configuration mode
  wildcard-hwaccel      Specify the priority when wildcard entry is written in hardware
  write                 Save configuration file

Not sure what this means. Yet.

sw-gp(config)# openflow openflow-id 1 real-switch
openflow : Specified switch type is not revokable.

3. Configuration example

The following is a virtual switch on an IP8800 running the new firmware:

sw-gp(config)# openflow openflow-id 1
!sw-gp(config-of)# sh                 
openflow openflow-id 1
  controller controller-name nox-gp 1 172.16.0.240 port 6633
  connect timeout 10
  connect timeout retry 3
  openflow-interface gigabitethernet 0/17-32, gigabitethernet 0/48
  l2-inband-secure-channel vlan 1 gigabitethernet 0/48
  enable

The basic steps are the following:

  1. A real or virtual OpenFlow switch can be instantiated with the `openflow openflow-id [id] context. [id] is a value of up to 16.
  2. As seen above, step 1 takes you into the (config-of) context. Once an OpenFlow switch (VSI) is instantiated, ports are added to it with the openflow-interface [add] context, which follows similar syntax to trunk configurations.
  3. If a port that is part of a VSI is to be used as the control channel, specify it with the l2-inband-secure-channel context. You must specify the VLAN the controller is in.
  4. The controller is specified with the controller context. The command will force you to give a human-readable name to the controller (nox-gp in the example above), and an IP address and port where the controller process can be reached.
  5. The switch must be enabled with the enable option.

In addition to the basics, several specific aspects of the VSI can be configured. The above example shows the timeout parameters of the VSI have been changed so that:

  • connect timeout 10 = The VSI detects controller disconnection in 10 seconds, and
  • connect timeout retry 3 = When disconnected, the VSI attempts to re-connect with the controller thrice before giving up.

The full list of knobs are shown in the previous section, third block quote.

SSL stuff

The page refrenced to create the .pem files: http://www.debian-administration.org/article/Creating_and_Using_a_self_signed__SSL_Certificates_in_debian



Return to the OpenFlow index

1. Part of bootup involves decompressing and copying the firmware to memory, so it should be fine to remove the card while the machine is running. It is, however, still mounted while the switch is running, so you chance corrupting the contents of the card if you do this.
2. renaming nec.gz to k.img will allow you to boot into the firmware as with the experimental one, from the SD card, although switches booted using the new firmware this way will unmount the SD card.

Last modified 9 years ago Last modified on Aug 8, 2011, 10:22:31 PM
Note: See TracWiki for help on using the wiki.