Configuring Open Virtual Switch


Open vSwitch is a virtual switch that enables network automation, while supporting standard management interfaces and protocols, like NetFlow. Open vSwitch also supports distribution across multiple physical servers.

In an Open vSwitch implementation, OVS uses a database server and a switch daemon. The OVSDB protocol is used in a control cluster, along with other managers and controllers, to supply configuration information to the switch database server. Controllers use OpenFlow to identify details of the packet flows through the switch. Each switch may receive directions from multiple managers and controllers, and each manager and controller can direct multiple switches.


Configuring OVSDB using Netvisor

Configuring OVSDB with Netvisor OS requires the following steps.

1. Configure the VNET with the number of private VLANs, VXLANs, and managed ports:

CLI network-admin@switch > vnet-create name name-string vlans vlan-range num-private-vlans integer vxlans vxlan-id managed-ports port-list 

2. Configure the underlay network:

CLI network-admin@switch > vrouter-create name-string vnet name-string router type hardware

CLI network-admin@switch > vrouter-interface-add vrouter-name name-string vlan vlan-id ip ip-address netmask netmask 

3. Configure the tunnel:

CLI network-admin@switch > vnet-tunnel-network-add name name-string network ip-address netmask netmask 

CLI network-admin@switch > trunk-modify name name-string trunk-id trunk-id port port-list 

4. Create the SSL/TLS certificate:

CLI network-admin@switch > cert-create name name-string country country-string state state-string city city-string organization organization-string organizational-unit organizational-unit-string common-name common-name-string container zone name-string

5. Configure OVSDB:

CLI network-admin@switch > openvswitch-create name name-string vnet name-string global-vtep tunnel-ip ip-address dedicated-service cert-name name-string

CLI network-admin@switch > openvswitch-interface-add ovs-name name-string ip ip-address netmask netmask if data|mgmt vlan vlan-id

Whether you configure the interface as data or mgmt depends on where the controller resides: on the data network or on the management network.

If the controller resides on a Layer 3 network several hops away, use openvswitch-modify to configure a gateway IP address. Netvisor requires this in order for the configuration to work properly.

6. Add the hardware VTEP manager:

CLI network-admin@switch > openvswitch-hwvtep-manager-add name name-string manager-type odl|nsx connection-method ssl ip ip-address username username-string password password-string port port-number

Netvisor automatically establishes the VXLAN tunnel between the local and remote hardware and software VTEPs.

If you connect to VMware NSX controllers, you must use SSL or TLS to securely connect with the hardware VTEP.

Using OpenSSL TLS Certificates for OVSDB and other Services

This feature provides a common Transport Layer Security (TLS) facility within Netvisor that any service, such as the Open vSwitch Database Management Protocol (OVSDB) or a web service, can use. Netvisor services require TLS for any SSL connection. For OVSDB, Netvisor needs to connect to a controller using SSL. For HTTPS communication between a REST API client and the Tomcat application server running on a switch, you must configure and deploy a server certificate for the Tomcat server.

You can create one common certificate for all Netvisor OS services or create multiple named certificates. Each service then uses a different certificate, identified by name or by container or zone name.

The certificate facility keeps track of which applications use each certificate. It notifies those applications when a certificate is updated, and it prevents a certificate from being deleted while an application still uses it.

There are two ways to generate certificates:

Self-signed Certificate

To generate a self-signed certificate, use the cert-create command. This command creates a server certificate and self-signs it.

Certificate signed by a Certificate Authority (CA)

To generate a certificate that is signed by a CA, follow these steps:

1. Create a certificate signing request.

2. Export the certificate signing request and send it to the CA administrator.

3. Import the certificate received from the CA administrator against the matching certificate signing request.

4. Import the intermediate root and root certificate to the switch, if not done already.
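As an added example (not a Netvisor command and not part of this document's procedure), the checks an administrator can run with OpenSSL on the certificate the CA returns before importing it in step 3: that its public key matches the exported signing request, and that it chains to the root through the intermediate. The root CA, intermediate CA and switch CSR below are constructed locally so the script runs offline; on a real switch the CSR is the one exported with cert-request-show.

```shell
#!/bin/sh
# Added example, not Netvisor tooling: pre-import checks for a CA-signed certificate.
# The root CA, intermediate CA and "switch" CSR are constructed here so it runs offline.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed root CA (self-signed) and an intermediate CA it signs.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj '/CN=Constructed Root CA' -keyout root.key -out root.pem 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl req -newkey rsa:2048 -nodes -subj '/CN=Constructed Intermediate CA' \
    -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 365 -extfile ca.ext -out inter.pem 2>/dev/null

# Constructed stand-in for the CSR exported from the switch, and the certificate
# the CA administrator returns for it, signed by the intermediate.
openssl req -newkey rsa:2048 -nodes -subj '/C=US/ST=CA/L=PA/O=ovs/OU=ou/CN=Pluribus' \
    -keyout switch.key -out switch.csr 2>/dev/null
openssl x509 -req -in switch.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 365 -out switch.pem 2>/dev/null
# A second CSR with a different key pair, to show the mismatch case.
openssl req -newkey rsa:2048 -nodes -subj '/CN=Pluribus' \
    -keyout other.key -out other.csr 2>/dev/null

# check_signed_cert CSR CERT INTERMEDIATE ROOT
# Succeeds only if CERT carries the public key from CSR (so it belongs to the
# key pair generated on the switch) and CERT chains to ROOT through INTERMEDIATE.
check_signed_cert() {
    csr_key=$(openssl req -in "$1" -noout -pubkey)
    cert_key=$(openssl x509 -in "$2" -noout -pubkey)
    if [ "$csr_key" != "$cert_key" ]; then
        echo "REJECT: public key in $2 does not match $1" >&2
        return 1
    fi
    if ! openssl verify -CAfile "$4" -untrusted "$3" "$2" >/dev/null 2>&1; then
        echo "REJECT: $2 does not chain to $4 via $3" >&2
        return 1
    fi
    echo "OK: $2 matches $1 and chains to $4"
}

check_signed_cert switch.csr switch.pem inter.pem root.pem
check_signed_cert other.csr switch.pem inter.pem root.pem || true
```

Only a certificate that passes both checks is worth uploading to the switch's SFTP directory and importing with cert-import together with the intermediate and root files.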

CLI Commands

These commands allow you to manage TLS certificates. You can also use these commands for REST API.

Create a server certificate that self-signs using the cert-create command:

CLI network-admin@switch > cert-create country country-string state state-string city city-string organization organization-string organizational-unit organization-unit-string common-name common-name-string name name-string [container/zone name]

cert-create
    Creates a server certificate and self-signs it.

    country country-string
        Specify a country name (two-letter code).
    state state-string
        Specify a state or province name.
    city city-string
        Specify a city name.
    organization organization-string
        Specify an organization name.
    organizational-unit organizational-unit-string
        Specify an organizational unit name.
    common-name common-name-string
        Specify a common name.
    name name-string
        Specify a certificate name.

    any of the following options:

    container zone name
        Specify a certificate zone name.

Delete a certificate using the cert-delete command:

CLI network-admin@switch > cert-delete name name-string [container/zone name]

cert-delete
    Deletes a certificate.

    name name-string
        Specify the certificate name.

    any of the following options:

    container zone name
        Specify a certificate zone name.

Import a CA certificate file using the cert-import command:

CLI network-admin@switch > cert-import name name-string file-ca file-ca-string [container zone name] [file-inter file-inter-string]

cert-import
    Imports certificates from the SFTP directory.

    name name-string
        Specify a certificate name.
    file-ca file-ca-string
        Specify the name of the CA certificate file.
    file-server file-server-string
        Specify the name of the server certificate file.

    any of the following options:

    container zone name
        Specify a certificate zone name.
    file-inter file-inter-string
        Specify the name of the intermediate CA certificate file.

Import a server certificate file using the cert-import command:

CLI network-admin@switch > cert-import name name-string file-server file-server-string [container zone name] [file-ca file-ca-string] [file-inter file-inter-string]

cert-import
    Imports certificates from the SFTP directory.

    name name-string
        Specify the certificate name.
    file-server file-server-string
        Specify the name of the server certificate file.

    any of the following options:

    container zone name
        Specify a certificate zone name.
    file-ca file-ca-string
        Specify the name of the CA certificate file.
    file-inter file-inter-string
        Specify the name of the intermediate CA certificate file.

Create a certificate signing request using the cert-request-create command:

CLI network-admin@switch > cert-request-create name name-string [container/zone name]

cert-request-create
    Creates a certificate signing request from an existing server certificate.

    name name-string
        Specify the certificate name.

    any of the following options:

    container zone name
        Specify a certificate zone container name.

Display a certificate signing request using the cert-request-show command:

CLI network-admin@switch > cert-request-show name name-string [container/zone name]

cert-request
----------------------------------------------------------------
-----BEGIN CERTIFICATE REQUEST-----
(PEM-encoded certificate signing request body omitted)
-----END CERTIFICATE REQUEST-----

Display certificates using the cert-show command:

CLI network-admin@switch > cert-show [cert-type ca|intermediate|server] [subject subject-string] [issuer issuer-string] [serial-number serial-number-number] [valid-from valid-from-string] [valid-to valid-to-string] [country country-string] [state state-string] [city city-string] [organization organization-string] [organizational-unit organizational-unit-string] [common-name common-name-string] [name name-string] [container/zone name]

name  used-by cert-type container subject
----- ------- --------- --------- ------------------------------------------
cert3         ca                  /C=us/ST=ca/L=mp/O=pl/OU=engg/CN=pluribus1
cert3         server              /C=us/ST=ca/L=mp/O=pl/OU=engg/CN=pluribus1
cert1 ovs     ca                  /C=US/ST=CA/L=PA/O=ovs/OU=ou/CN=Pluribus
cert1 ovs     server              /C=US/ST=CA/L=PA/O=ovs/OU=ou/CN=Pluribus

Configuring Openvswitch for Certificates

The following openvswitch-create and openvswitch-modify command options allow you to specify a certificate name when creating an OpenvSwitch configuration.

CLI network-admin@switch > openvswitch-create name name-string [cert-name cert-name-string] [ca-cert-name ca-cert-name-string] [cert-location none|global|container]

openvswitch-create
    Creates an OpenvSwitch configuration.

    any of the following options:

    cert-name cert-name-string
        Specify the certificate name for SSL connections.
    ca-cert-name ca-cert-name-string
        Specify the CA certificate name for SSL connections.
    cert-location none|global|container
        Specify the certificate location: none, global, or within the container.

CLI network-admin@switch > openvswitch-modify name name-string [cert-name cert-name-string] [ca-cert-name ca-cert-name-string] [cert-location none|global|container]

openvswitch-modify
    Modifies an OpenvSwitch configuration.

    any of the following options:

    cert-name cert-name-string
        Specify the certificate name for SSL connections.
    ca-cert-name ca-cert-name-string
        Specify the CA certificate name for SSL connections.
    cert-location none|global|container
        Specify the certificate location: none, global, or within the container.

Open Virtual Switch Database (OVSDB) Error Reporting

Netvisor OS now supports an error-reporting mechanism for OVSDB and VTEPs. When an error occurs, Netvisor OS sends a schema change to the OVSDB controller.

As Netvisor adds functionality for OVSDB, OVSDB error reporting gains new error types to cover that functionality.