Faucet SDN

Brad Cowie explains the production, multivendor FAUCET deployment at WAND.https://www.youtube.com/watch?v=XrnzXye5wfYSlides:http://networkshop.aarnet.edu.au/content/uploads/2017/06/SDN-Brad-Cowie.pdf

https://hub.docker.com/r/anarkiwi/faucet-pi/Docker makes it easy to manage installations that can have a lot of dependencies (like Ryu, which FAUCET depends on). There are Docker images for FAUCET for x86 already, but there is now an experimental ... [More] Docker build for Pi as well.If you're running Raspbian, you probably need to upgrade Docker itself before you can use the image. [Less]

https://github.com/REANNZ/faucet/releases/tag/v1_5_0V1.5.0 has just been released (and a new pip package is available).This release is a significant advance over V1.4.0, benefiting from experience gained at the recent FAUCET PlugFest at LBL, and the ... [More] deployment at WAND a the University of Waikato.Among the many changes (including performance and reliability improvements to existing basic/policy based switching, and the test suite which now runs in Docker and supports python3), FAUCET now supports Prometheus, and both IPv4 and IPv6 routing are improved (the latter now supporting RAs).It is strongly recommended that you upgrade to this release.While V1.5.0 passes all systems tests under python3, testing under python3 is still not complete. You may prefer to stay python2 for now. V1.5.1 will move to python3 and drop python2 support. [Less]

https://monitoring.redcables.wand.nz/Our friends and colleagues at the WAND group, at the University of Waikato in NZ, have deployed an enterprise SDN network controlled by FAUCET, supporting two different vendor hardware switches and OVS with DPDK. ... [More] It peers with BGP, and switches and routes both IPv4 and IPv6 for wired and WiFi access.The system is managed with Ansible - configuration changes are checked (and checked in), and then pushed to NFV services and FAUCET controllers. Even upgrades of the controller software are automatically checked and pushed out.This means all configuration changes to the network - ACLs, BGP, etc are made through Ansible. There is no reason to log in to a switch directly once FAUCET has assumed control of it with OpenFlow. [Less]

Here is a quick example of configuring and using Prometheus with FAUCET.First, enable access to Prometheus to FAUCET (the Docker instructions in https://github.com/REANNZ/faucet/blob/master/docs/README_install.rst show how to enable access to port ... [More] 9244).Then install Prometheus. Under Ubuntu 16.0.4, this is as simple as: apt-get install prometheusThen configure Prometheus to scrape FAUCET. Under Ubuntu, edit /etc/prometheus/prometheus.yml, and under scrape_configs add a job for FAUCET:scrape_configs:  - job_name: 'faucet'    target_groups:        - targets: ['172.17.0.1:9244']Restart Prometheus. service prometheus restart You should now be able to browse port 9090 on your Prometheus server, and draw graphs (for example, packet in rate): [Less]

Here is a quick example of configuring and using Prometheus with FAUCET.First, enable access to Prometheus to FAUCET (the Docker instructions in https://github.com/REANNZ/faucet/blob/master/docs/README_install.rst show how to enable access to port ... [More] 9244).Then install Prometheus. Under Ubuntu 16.0.4, this is as simple as: apt-get install prometheusThen configure Prometheus to scrape FAUCET. Under Ubuntu, edit /etc/prometheus/prometheus.yml, and under scrape_configs add a job for FAUCET:scrape_configs:  - job_name: 'faucet'    target_groups:        - targets: ['172.17.0.1:9244']Restart Prometheus. service prometheus restart You should now be able to browse port 9090 on your Prometheus server, and draw graphs (for example, packet in rate): [Less]

https://blog.apnic.net/2017/05/08/tousix-project-sdn-ixps-design-production/Marc Bruyere describes his proof of concept TouSIX SDX, and plans for a FAUCET controlled exchange using Umbrella encoding, which eliminates unwanted broadcast traffic from a distributed layer 2 network.

https://www.youtube.com/watch?v=fuqzzjmcwlIJoe Stringer walks through installing FAUCET and configuring it as a router step by step, in less than 5m.If you want to get FAUCET routing and switching and have only 5m to learn how, this might be the reference for you.

https://github.com/REANNZ/faucet/blob/master/docs/vendors/ovs/README_OVS-DPDK.rstDPDK enables high performance packet processing on PC type platforms with certain supported NICs. In particular OVS has DPDK support, and can offload work to DPDK ... [More] NICs.While this is beyond the scope of what FAUCET does (it works at the OpenFlow level), getting up and running quickly with OVS + DPDK is useful. Hopefully as DPDK packaging continues to include the process will become less complex. [Less]

https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Silent_Bob_is_SilentOnce you know about a security vulnerability, you can add firewall rules to protect yourself against attacks from outside the firewall.But what about the inside? If ... [More] you have someone scanning for a vulnerable machine (or an infected machine scanning its neighbors) inside your network, your firewall may not be of much use - it probably won't be in the forwarding path of the traffic.FAUCET gives you very low level port level control, and makes it safe it easy to deploy a port level ACL (in this example, by blocking AMT access with a few TCP destination port matches).FAUCET can also block layer 2 only traffic that a firewall can't see at layer 3. [Less]