Scipass

OpenFlow based ScienceDMZ with Mellanox Spectrum

Mellanox SciPass evaluation.

A compelling use case for whitebox switching is the Science DMZ. One possible implementation of this is the SciPass project (https://globalnoc.iu.edu/sdn/scipass.html) run by the IU GlobalNOC. This project is open source and provides the capability to load balance traffic passing through the switch across IDS cluster groups, and to take the results of the IDS screening, together with whitelist and blacklist policies, to route specific traffic on the fly around a firewall. SciPass uses OpenFlow 1.0 and 1.3 to steer the traffic through the switch.

As 100G network links are becoming more and more common, we wanted to verify whether 100G whitebox switches can fulfill this use case. We decided to do so using the Mellanox SN2700 switch. The SN2700 is a 1U, low-latency, 32-port datacenter switch. The switch ports optionally support 10/25/40/50/56/100GbE.

In our lab, we rebuilt a Science DMZ scenario using VMs connected to the Mellanox switch. The scenario consisted of a WAN and a LAN side, a firewall, two sensors simulating the IDSes, and a controller running SciPass. Our work focused on verifying that the switch is able to execute all the commands the SciPass controller sends; we did not verify performance parameters at this time. The switch was connected to the simulation environment through 10G breakout cables, one for each link needed. We used tcpreplay to inject “real world” traffic on the LAN-to-WAN link, so that load balancing would be active and the corresponding flow rules would be pushed down to the switch.
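To make the steering logic described above concrete, here is an added illustrative model of how whitelist/blacklist policy and IDS feedback decide, per LAN-to-WAN flow, which sensor gets a copy and whether the flow bypasses the firewall. This is not SciPass's own code and not the rules it actually generates; the OpenFlow port numbers, the sensor count and the sample 5-tuples are constructed to mirror the lab topology.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field

# Hypothetical OpenFlow port numbers for the lab topology (constructed):
# LAN side, WAN side, the firewall's LAN-facing port, and the two IDS sensors.
PORTS = {"lan": 1, "wan": 2, "firewall": 3, "sensors": [5, 6]}

Flow = tuple  # (src_ip, dst_ip, ip_proto, src_port, dst_port), LAN-to-WAN direction


@dataclass
class Steering:
    whitelist: list = field(default_factory=list)  # trusted prefixes: skip the firewall
    blacklist: list = field(default_factory=list)  # prefixes that are dropped outright
    cleared: set = field(default_factory=set)      # flows the IDS reported as benign

    @staticmethod
    def _listed(prefixes, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(p) for p in prefixes)

    def sensor_for(self, flow: Flow) -> int:
        """Pick a sensor by hashing the 5-tuple, so one connection always lands on one sensor."""
        digest = hashlib.sha256("|".join(map(str, flow)).encode()).digest()
        return PORTS["sensors"][int.from_bytes(digest[:4], "big") % len(PORTS["sensors"])]

    def rule(self, flow: Flow) -> dict:
        """Build an OpenFlow 1.3-style match/action pair for one LAN-to-WAN flow."""
        src, dst, proto, sport, dport = flow
        match = {"in_port": PORTS["lan"], "ipv4_src": src, "ipv4_dst": dst,
                 "ip_proto": proto, "src_port": sport, "dst_port": dport}
        if self._listed(self.blacklist, src) or self._listed(self.blacklist, dst):
            return {"match": match, "actions": []}  # empty action list == drop
        actions = [("output", self.sensor_for(flow))]  # always copy to an IDS sensor
        trusted = (flow in self.cleared or self._listed(self.whitelist, src)
                   or self._listed(self.whitelist, dst))
        # Trusted flows go straight to the WAN port; everything else passes the firewall.
        actions.append(("output", PORTS["wan"] if trusted else PORTS["firewall"]))
        return {"match": match, "actions": actions}

    def ids_verdict(self, flow: Flow, benign: bool) -> None:
        """Feed an IDS result back: benign flows get a bypass, flagged ones lose it."""
        if benign:
            self.cleared.add(flow)
        else:
            self.cleared.discard(flow)
```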

Configuration of the SN2700 switch was straightforward. We had to put the 100G ports into 4x10G mode for use with the breakout cables, and force 10G speed on these ports.

On the OpenFlow side we had to enable OpenFlow globally and put our ports into the OpenFlow domain. After configuring the OpenFlow controller as our SciPass controller, the application started to work without any further configuration on the switch side. OpenFlow version 1.3 was negotiated, and the correct flow entries were installed.

Using the test traffic we injected into the system, we verified that load balancing across the sensor nodes and traffic forwarding worked as expected.

All in all, the switch proves to be a very cost-effective solution for a 100G Science DMZ implementation.