Topics like Infrastructure Automation / Orchestration, Cloud, and Software Defined Networks are on everyones tongue and nearly all network vendors who think highly of themselves provide products and maybe even solutions in this sphere of buzzwords. Within the last years there has been a paradigm shift towards host and segment routing – think »IP Fabric« – as well as a focus on open protocols and standards like OSPF, IS-IS, BGP & MPLS not only in the data center. This even brought us some new standards like VXLAN and a bunch of open source based “open networking” platforms. Now we aren't always locked to the operating systems of a networking vendor but can choose the control plane software from a variety of Linux based solutions which can be managed and orchestrated by lots of different means. Thanks to the Linux basis and the Open Source spirit of some vendors, some features (VRFs, MPLS forwarding plane, …) today are part of the upstream Linux kernel and available for everyone! Most notable are the contributions of the Debian Linux based platform from Cumulus Networks, which include the VRF support for Linux, some MPLS patches for FRR and ifupdown2 (which is written in Python :-)). Putting a bunch of these technologies and ideas together will open up a lot of powerful options for building low budget yet mighty networks. This talk will lay out how to build a SDN based service provide like infrastructure with the help of Salt Stack, some 1000 lines of Python and a bunch of affordable hardware where overlay networks and anycast aren't things to be scared of. The Freifunk Hochstift network and server infrastructure will be used as an example. The target audience mainly consists of (Linux-) system and network engineers / architects, who already have some experience with the other world. A positive attitude towards automation and magic is a plus.

1. Building your own SDN
with Debian Linux, Salt Stack and Python
PyCON.de 2017
Maximilian Wilhelm
<max@sdn.clinic>
@BarbarossaTM

2. 2
Who am I?
● Maximilian Wilhelm
– @BarbarossaTM
● Senior Infrastructure Architect, Uni Paderborn
● Infrastructure Archmage, Freifunk Hochstift
● Fanboy of
– (Debian) Linux
– ifupdown2
● Networker
● OpenSource Hacker

3. Agenda
● Contemporary Linux Networking
– Batteries included
– ifupdown2
– Salt Stack
● DIY-SDN
– Python modules
● Putting it all together
4

4. Why bother building an SDN?

5. 5
FFHO WiFi backbone (planned)

6. root@Stretch:~$ ifconfig
-bash: ifconfig: command not found
root@Stretch:~$ route
-bash: route: command not found
root@Stretch:~$ arp
-bash: arp: command not found
● vconfig
● ifenslave

7. ● iproute2 – Swiss Army knife for networkers
● Functions cleanly separated into subcommands
● ip link – L2: MTU, VLANs, LAGs, bridges
● ip addr – L3 addresses
● ip neigh – ARP/ND
● ip route – Routing + MPLS

8. 8
VXLAN
● “Ethernet over UDP”
– Or: “Poor mans approach to MPLS”
● Designed as Layer2 overlay for DCs
– Multi-tenant Overlay over IP-Fabric
– 24Bit VNI => 16M Instances
– Unicast/Multicast communication
● Read: VLL / VPLS
– Endpoints = VTEP (VXLAN Tunnel End Point)
● RFC7348

9. 9
And even more awesome stuff...
● Latest networking additions
– VRFs
– MPLS forwarding plane
– VLAN-aware-bridges
● Tunneling
– GRE
– IPsec
– OpenVPN
– Wireguard
Used for L2-PTP-VPNs
Used for external links
Used on KVM hypervisors
Links to AS201701

10. 10
Network interface configuration
● Classic ifupdown not easily automated
● Generating /etc/network/interfaces simple
● How to reload?
– »service networking restart« disruptive
– No tool for “reload” present
– Isn't trivial to build
➔ CumulusNetworks Ifupdown2
– Rewrite of ifupdown in Python
– https://github.com/CumulusNetworks/ifupdown2

11. 11
ifupdown2
● No full feature parity with ifupdown
● Shipped with batteries included
– dependency resolution
– ifreload
– VRFs
– VXLAN
– VLAN-aware bridges
● Not (yet) supported:
– ppp

12. 12
ifupdown2 Patches
● Easy to extend, thanks to Python
● Upstream open for ideas (Hi Julien & Roopa)
● Added support for
– B.A.T.M.A.N. interfaces
– Tunnel (GRE, SIT, IPIP, GRETAP)
● Open Pull-Requests for
– Condoning bridge interfaces for configuration
– Setting phys-dev for VXLAN
– Setting vEth peer name

13. 13
VXLAN / VTEPs with ifupdown2
# vx_v2001_padcty
auto vx_v2001_padcty
iface vx_v2001_padcty
vxlan-id 1310977
vxlan-physdev vlan2001
vxlan-svcnodeip 225.20.1.1
#
hwaddress f2:00:c1:01:20:01
mtu 1560

14. 14
About that routing thing
● Protocols
– OSPF
– IS-IS
– BGP
● Implentations:
– Bird
– QuaggaFRR
– GoBGP
– ExaBGP (Written in Python :-))
Used for OSPF / iBGP + eBGP

15. 15
Automation

16. 16
Salt Stack
● Continuous Management
– (De)install packages
– Generate and manage config files
– Manage system services/units
– Configure the network
– Distribute Host Certificates
– ...
● Written in Python
● Extensible by own Python modules

17. 17
States
● Represent state $something should have
● Usually YAML format
● Bunch of definitions of..
– Packages to (de)install
– Services to (de)activate
– File contents
– Users
– …
● Allows definition of dependencies

18. 18
State example (bird excerpt)
https://github.com/FreifunkHochstift/ffho-
salt-public/blob/master/bird/init.sls

19. 19
Pillar
● Structured key value store
● Usually YAML format
– Eval Jinja2 → Read YAML
● Data can be read from templates
– As data structures. Yay.
● Predestined for
– Keys
– Host specific configuration
– Any other configuration data

20. 20
Pillar Example (TE excerpt)

21. 21
Templating - Jinja2
● Default language: Jinja2
– Yay, Python again – kind of
● Usable within file templates and states

22. 22
Jinja2 state example

23. 23
Modules
● No regex support in Jinja2 though. D’oh.
➔ 1. highly complex extension module:
# ffho.py
import re
def re_replace (pattern, replacement, string):
return re.sub (pattern, replacement, string)
def re_search (pattern, string, flags = 0):
return re.search (pattern, string, flags)

24. 24
Hello regular expressions
# /etc/bird/bird.d/l3-access.conf
protocol direct l3_access {
{%- for iface in salt['pillar.get']('nodes:' ~
grains['id'] ~ ':ifaces') %}
{%- if salt['ffho.re_search']('^vlan3dd$',
iface) %}
interface "{{ iface }}";
{%- endif %}
{%- endfor %}
}

25. 25
Jinja or real Python?
● Templating is cool
● Complex code within Jinja2 is not
● Why not move this to modules?
– Use full Python potential
– Structure code into nice functions
– Functions callable from Jinja2
– Profit

26. 26
The SDN part
#SDN
Disclaimer: Font on special request of AbraXXL

27. 27
ffho_net.py
● Generate / compute
– Interfaces config (for /etc/network/interfaces)
– Bird OSPF configuration
– Bird BGP configuration
● iBGP / eBGP peerings / Traffic Engineering routes
– B.A.T.M.A.N. + VXLAN overlay ifaces
● Uniquie MAC addresses for B.A.T.M.A.N. ifaces
– DNS entries from interface configuration
https://github.com/FreifunkHochstift/ffho-
salt-public/blob/master/_modules/ffho_net.py

28. 28
Python networking modules
from ipaddress import ip_address,ip_network
# Calculate DNS PTR name
ip = ip_address (u'%s' % prefix.split ('/')[0])
ptr = ip.reverse_pointer
# Calculate network address
net_h = ip_network (u'%s' % prefix, strict = False)
network = str (net_h.network_address)

29. 29

30. 30
Pillar Example (node config)
bbr-vega.in.ffho.net:
id: 198
sysLocation: Vega
roles:
- router
- batman
- bbr
sites:
- pad-cty
Quelle für Loopback-IP
Bird config (OSPF + iBGP)
Source for Loopback-IP
Generate Batman interfaces
Batman instances

31. 31
Pillar Example (node config) contd.
ifaces:
bond0:
bond-slaves: "eth0 eth1"
vlan1002:
desc: "<-> gw04"
vlan-raw-device: bond0
prefixes:
- 10.132.253.58/31
- 2a03:2260:2342:fe1c::1/126
batman_connect_sites: pad-cty
[...]
Source for /etc/network/interfaces
Generate VXLAN
overlay

32. 32
IPoBATMANoVXLANoIPoVLANoRF
● Wait, what?
Ethernet (RF / Kabel)
Vlan
IP
VXLAN
B.A.T.M.A.N. Adv.
VXLAN
IP

33. 33
Hardware
● Zoo of sponsored Hardware
– Servers, Switches, WiFi, ..
➔ Unify hardware pool
– PCengines APU2
– Netonix WISP Switches
– Ubiquiti Networks
● PowerBeam
● LiteBeam
● AC Mesh Pro

34. 34
Before / After (PaderHalle)

35. 35
We can do 19” as well

36. 36
What’s next?
● Migrate IPAM from RackTables to NetBox
– Netbox as a nifty API
– Query nodes and interfaces life from NetBox
● Finish DNS anycast setup
● Activate BGP ADD-PATH for iBGP (RFC7911)
● Achieve world domination

37. 37
Freifunkromantik

38. 38
More Freifunkromantik

39. 39
Further Reading
● #routingdays – Learn to build the Internet
– https://blog.sdn.clinic/2017/09/ffrl-routingdays-
learn-to-build-the-internet/
–
● Salt-Orchestrated Software Defined (Freifunk)
Network (german)
– https://www.slideshare.net/BarbarossaTM/software
-defined-freifunk-backbones-78288014
– https://blog.sdn.clinic/category/freifunk/ffho/https://
blog.sdn.clinic/category/freifunk/ffho/

40. 40
Questions? Remarks?
Thank you :-)
Maximilian Wilhelm
<max@elitepeer.de>
@BarbarossaTM

41. 41
SDN ingredients
ifupdown2