127  SDN OpenFlow Protocol

In 60 Seconds

OpenFlow is the standard protocol between SDN controllers and switches. Flow table entries match packets on 15+ header fields (MAC, IP, port, VLAN), apply actions (forward, drop, modify, enqueue), and expire via idle timeouts (no matching traffic) or hard timeouts (absolute lifetime). A typical IoT switch holds 2,000-8,000 TCAM flow entries – design wildcard rules to aggregate flows and avoid table overflow.

Prerequisites: SDN Architecture Fundamentals | Networking Basics

This enables: SDN IoT Applications | SDN Data Centers and Security

127.1 Learning Objectives

By the end of this chapter, you will be able to:

  • Configure OpenFlow Rules: Construct flow table entries with match fields, priorities, actions, and timeouts for IoT traffic management
  • Analyze Flow Table Structure: Describe how flow entries use match fields, counters, instructions, and cookies to process packets
  • Trace Packet Processing: Follow a packet through single-table and multi-table OpenFlow switch pipelines to predict forwarding behavior
  • Evaluate TCAM Constraints: Assess flow table capacity limitations and apply wildcard aggregation and controller placement strategies

Software-Defined Networking (SDN) separates the brain of a network (the control plane) from the muscles (the data plane). Think of a traffic management center: instead of each traffic light making its own decisions, a central system monitors all intersections and coordinates them for optimal flow. SDN brings this same centralized intelligence to IoT networks.

OpenFlow is like a recipe book that tells kitchen workers exactly what to do with each ingredient!

127.1.1 The Sensor Squad Adventure: The Recipe Book

Remember Connie the Controller from the traffic jam story? Well, Connie needed a way to give instructions to ALL the network switches. It was like being a head chef in a giant kitchen - how do you tell hundreds of cooks what to do?

“I’ll use a recipe book!” Connie announced. “It’s called OpenFlow!”

Here’s how it works: Connie writes recipes (called “flow rules”) and sends them to each switch. The recipe says things like:

  • “If you see a message from Thermo (temperature sensor), send it to Port 5”
  • “If you see an emergency message, forward it immediately - highest priority!”
  • “If you don’t know what to do, ask me!”

Power Pete was curious: “What happens when a new message arrives that doesn’t match any recipe?”

“Great question!” said Connie. “The switch says ‘PACKET_IN!’ which means ‘Chef, I got a new ingredient I don’t recognize!’ Then I write a new recipe and send a ‘FLOW_MOD’ message which means ‘Here’s how to handle that from now on!’”

Now ALL the switches in the network use the same recipe book, and they all know exactly what to do!

127.1.2 Key Words for Kids

Word What It Means
Flow Rule A recipe that tells a switch what to do when it sees a specific type of message
PACKET_IN When a switch says “Help! I don’t know what to do with this!”
FLOW_MOD When the controller says “Here’s a new recipe for you!”
Flow Table The recipe book stored in each switch

Key Concepts

  • SDN (Software-Defined Networking): An architectural approach separating the network control plane (routing decisions) from the data plane (packet forwarding), centralizing control in a software controller for programmable network management
  • Control Plane: The network intelligence layer making routing and forwarding decisions, centralized in an SDN controller rather than distributed across individual switches as in traditional networking
  • Data Plane: The network forwarding layer physically moving packets based on rules installed by the control plane — in SDN, this is the switch hardware executing OpenFlow flow table entries
  • OpenFlow: The foundational SDN protocol enabling communication between an SDN controller and network switches, allowing the controller to install, modify, and delete flow table entries that govern packet forwarding
  • Match Fields: The packet header attributes (Ethernet source/destination MAC, IP source/destination, TCP/UDP port, VLAN tag, MPLS label) used by OpenFlow flow entries to classify packets for different forwarding actions
  • Action Set: The sequence of operations applied to a matching packet in an OpenFlow flow entry — output to port, drop, modify header (VLAN push/pop, TTL decrement, DSCP marking), or send to controller
  • Flow Entry Priority: A 16-bit value determining match order when multiple flow entries match the same packet — highest priority entry wins; entries with identical priority produce undefined behavior and must be avoided

127.2 Introduction

~12 min | Advanced | P04.C31.U04

OpenFlow is the standardized southbound protocol for communication between SDN controllers and switches. It defines how controllers program switch forwarding behavior through flow rules.

OpenFlow protocol architecture showing control plane with SDN controller communicating via OpenFlow messages with data plane switches for centralized network programming

OpenFlow Protocol Architecture
Figure 127.1: OpenFlow protocol architecture showing control plane and data plane separation

127.3 OpenFlow Switch Components

OpenFlow switch components showing packet processing pipeline: incoming packets match against flow table, execute actions via group/meter tables to output ports, or send PACKET_IN to controller via secure channel for new flow rules
Figure 127.2: OpenFlow Switch Packet Processing Pipeline with Flow, Group, and Meter Tables

127.3.1 Switch Components

An OpenFlow switch contains several key components:

1. Flow Tables

  • Store match-action rules
  • Multiple tables form a pipeline
  • Each table processed sequentially

2. Group Tables

  • Enable multicast (one packet to multiple ports)
  • Fast failover (backup paths)
  • Load balancing (select action)

3. Meter Tables

  • Rate limiting per flow
  • QoS enforcement
  • Bandwidth management

4. Secure Channel

  • TLS-encrypted connection to controller
  • Handles OpenFlow messages

127.4 Flow Table Entry Structure

Each flow entry contains the following fields:

1. Match Fields (Packet Header Fields): - Layer 2: Source/Dest MAC, VLAN ID, Ethertype - Layer 3: Source/Dest IP, Protocol, ToS - Layer 4: Source/Dest Port (TCP/UDP) - Input Port - Metadata

2. Priority:

  • Higher priority rules matched first
  • Allows specific rules to override general rules

3. Counters:

  • Packets matched
  • Bytes matched
  • Duration

4. Instructions/Actions:

  • Forward to port(s)
  • Drop
  • Modify header fields (MAC, IP, VLAN)
  • Push/Pop VLAN/MPLS tags
  • Send to controller
  • Go to next table

5. Timeouts:

  • Idle Timeout: Remove rule if no matching packets for N seconds
  • Hard Timeout: Remove rule after N seconds regardless of activity

6. Cookie:

  • Opaque identifier set by controller

Example Flow Rule:

Match: src_ip=10.0.0.5, dst_ip=192.168.1.10, protocol=TCP, dst_port=80
Priority: 100
Actions: output:port3, set_vlan=100
Idle_timeout: 60
Hard_timeout: 300

127.5 OpenFlow Messages

OpenFlow defines several message types for controller-switch communication:

127.5.1 Controller-to-Switch Messages

Message Purpose
FLOW_MOD Add, modify, or delete flow rules
PACKET_OUT Send packet out specific port
BARRIER Request confirmation that prior messages processed
GET_CONFIG Query switch configuration
SET_CONFIG Modify switch configuration
MULTIPART_REQUEST Request statistics

127.5.2 Switch-to-Controller Messages

Message Purpose
PACKET_IN Send packet to controller (no matching rule)
FLOW_REMOVED Notify controller of expired/deleted flow
PORT_STATUS Notify controller of port state changes
ERROR Report errors

127.5.3 Symmetric Messages

Message Purpose
HELLO Connection establishment
ECHO_REQUEST/REPLY Keepalive, latency measurement
EXPERIMENTER Vendor extensions

127.6 SDN Challenges

~12 min | Advanced | P04.C31.U05

127.6.1 Rule Placement Challenge

SDN rule placement strategies showing flow table with match fields and actions, illustrating TCAM-based fast lookup and the challenge of fitting thousands of IoT device rules into limited switch memory
Figure 127.3: Rule placement strategies in SDN switches for efficient flow management

Problem: Switches have limited TCAM (Ternary Content-Addressable Memory) for storing flow rules.

TCAM Characteristics:

  • Fast lookup (single clock cycle)
  • Expensive ($15-30 per Mb)
  • Limited capacity (few thousand entries)
  • Power-hungry

Challenges:

  • How to select which flows to cache in TCAM?
  • When to evict rules (LRU, LFU, timeout-based)?
  • How to minimize PACKET_IN messages to controller?

Solutions:

  • Wildcard Rules: Match multiple flows with single rule
  • Hierarchical Aggregation: Aggregate at network edge
  • Rule Caching: Intelligent replacement algorithms
  • Hybrid Approaches: TCAM + DRAM for overflow

127.6.2 Controller Placement Challenge

Flat SDN architecture showing single centralized controller connected to all OpenFlow switches in a star topology, simple to manage but vulnerable to single point of failure
Figure 127.4: Flat SDN architecture with single controller tier
Hierarchical SDN architecture with root controller at top coordinating local controllers in middle tier that manage OpenFlow switch clusters at bottom tier
Figure 127.5: Hierarchical SDN architecture with multi-tier controller deployment

Problem: Where to place controllers for optimal performance?

Considerations:

  • Latency: Controller-switch delay affects flow setup time
  • Throughput: Controller capacity (requests/second)
  • Reliability: Controller failure impacts network
  • Scalability: Number of switches per controller

Architectures:

Three SDN controller placement architectures: centralized (single controller managing all switches), distributed (multiple synchronized controllers for redundancy), and hierarchical (root controller coordinating regional controllers managing switch groups)
Figure 127.6: SDN Controller Deployment Models: Centralized, Distributed, and Hierarchical

Placement Strategies:

  • K-median: Minimize average latency to switches
  • K-center: Minimize maximum latency (worst-case)
  • Failure-aware: Ensure backup controller coverage

This variant shows what happens during a controller failure in a distributed deployment, demonstrating the failover process that maintains network operation.

Controller failover sequence showing primary controller failure detection via heartbeat timeout, backup controller promotion through leader election, state synchronization from shared datastore, switch reconnection to new primary, and flow table refresh, with timeline showing total failover of approximately 3-5 seconds
Figure 127.7: This sequence illustrates SDN’s resilience through distributed controllers. Key insight: existing flow rules in switch memory continue forwarding traffic during controller failover, only new flows are delayed. The 3-5 second failover time comes from heartbeat timeout (3s) plus state synchronization (1-2s). Production deployments use techniques like pre-computed backup paths and proactive rule installation to minimize even this brief disruption.

This variant presents controller architecture selection as a decision matrix, helping students choose the right approach for their IoT deployment scale.

Decision matrix for SDN controller architecture selection showing Centralized best for less than 100 switches with simple management but single point of failure, Distributed best for 100-1000 switches with high availability but complex synchronization, and Hierarchical best for more than 1000 switches across geographic regions with scalability but multiple failure domains to manage
Figure 127.8: This decision matrix guides architecture selection based on network scale. Key insight: IoT deployments often start centralized for simplicity, then migrate to distributed as device count grows. Hierarchical architectures are primarily for city-scale or carrier deployments where regional autonomy is essential. The trade-off is always between operational simplicity (centralized) and resilience/scale (distributed/hierarchical).

127.7 Knowledge Check

127.9 Worked Example: Flow Table Sizing for a Smart Building

Scenario: A 15-storey commercial office building in Singapore deploys SDN to manage network traffic from 3,200 IoT devices. Each floor has an OpenFlow switch with 4,000-entry TCAM (Ternary Content-Addressable Memory) flow tables.

Device Inventory:

Device Type Per Floor Total (15 floors) Flows per Device
Wi-Fi access points 8 120 3 (mgmt, data, guest)
IP cameras (1080p) 12 180 2 (video stream, control)
Environmental sensors (HVAC) 20 300 1 (periodic telemetry)
BLE gateways 4 60 2 (upstream, beacon mgmt)
Smart lighting controllers 15 225 1 (control commands)
Door access controllers 6 90 2 (auth, logging)
Digital signage 3 45 1 (content stream)
Total 68 1,020

Flow Table Calculation per Floor:

Flow Category Rules Needed Type
Per-device forwarding (68 devices x avg 1.7 flows) 116 Exact match
VLAN segmentation (4 VLANs: IoT, corporate, guest, mgmt) 8 Wildcard
ACL security rules (inter-VLAN blocking) 24 Wildcard
QoS marking (camera priority, sensor best-effort) 12 Wildcard
Multicast groups (firmware OTA, broadcast) 6 Group table
Default/miss rules 4 Wildcard
Total per switch 170
TCAM utilization 170 / 4,000 = 4.3%

The Problem – Idle Timeout Explosion:

During a fire drill, 800 employees reconnect their phones to Wi-Fi simultaneously across all floors. Each phone generates 5 new flows (DNS, DHCP, HTTP, HTTPS, corporate VPN):

Event New Flows Per-Floor Impact Total Building
800 phones x 5 flows 4,000 267 flows/switch 4,000 new flows
+ existing 170/switch 437 total 6,555 total
TCAM headroom 437/4,000 = 10.9% Safe

But with a naive idle_timeout=300s (5 min), all 4,000 flows remain in TCAM even after the drill ends. If another spike occurs before timeout expires:

  • Existing: 170 + first spike: 267 + second spike: 267 = 704 rules/switch (17.6%)

Solution – Tiered Timeout Strategy:

Flow Type idle_timeout hard_timeout Rationale
IoT devices (static) 0 (permanent) 0 (permanent) Proactively installed, never expires
Employee phones 60 sec 300 sec Short idle clears unused flows fast
Guest devices 30 sec 120 sec Aggressive cleanup for transient devices
Camera streams 0 (permanent) 3600 sec Reinstalled hourly for stats refresh

With tiered timeouts, the post-drill TCAM settles to baseline within 60 seconds instead of 5 minutes, keeping per-switch utilization under 6% even during peak events.

Key Insight: TCAM is the scarcest resource in OpenFlow switches. A 4,000-entry table sounds large, but without timeout discipline, transient flows from mobile devices can consume 50%+ of capacity during spikes. Proactive rule installation for known IoT devices (permanent flows) combined with aggressive idle timeouts for transient traffic keeps utilization predictable.

Place these steps in the correct order for how a packet is processed through an OpenFlow 1.3 multi-table pipeline.

Common Pitfalls

Installing flow entries with the same priority that match overlapping packet sets. When two equal-priority entries match the same packet, the switch behavior is implementation-defined — some switches pick the first installed entry, others pick the most specific match. Always use different priorities for overlapping matches.

Implementing IoT multicast by installing separate flow rules for each destination device. At 1,000 subscriber devices per multicast group, this creates 1,000 flow entries per group. Use OpenFlow group tables (OFPGT_ALL type) to replicate packets to multiple ports with a single flow entry.

Not using OpenFlow meter tables to rate-limit IoT device traffic, relying instead on individual host-level rate limiting configured manually. Meter tables in OpenFlow 1.3+ provide per-flow rate limiting in switch hardware — use them for scalable IoT traffic policing without controller intervention per device.

Specifying exact IP address matches for device groups instead of using CIDR-masked wildcard matches. An IoT device subnet of 10.0.1.0/24 requires a wildcard match (10.0.1.0 with mask 0.0.0.255) — exact IP matching requires 256 separate flow entries for a /24 subnet.

127.10 Summary

This chapter covered the OpenFlow protocol and SDN challenges:

Key Takeaways:

  1. OpenFlow Switch Components: Flow tables for match-action rules, group tables for multicast/failover, meter tables for rate limiting, and secure channel for controller communication

  2. Flow Table Entry Structure: Match fields (L2-L4 headers), priority, counters, instructions/actions, timeouts (idle and hard), and cookie

  3. OpenFlow Messages: Controller-to-switch (FLOW_MOD, PACKET_OUT), switch-to-controller (PACKET_IN, FLOW_REMOVED), and symmetric (HELLO, ECHO)

  4. Rule Placement Challenge: TCAM limitations require wildcard rules, hierarchical aggregation, and intelligent caching strategies

  5. Controller Placement: Centralized (simple, single point of failure), distributed (high availability, sync complexity), and hierarchical (massive scale, regional autonomy)

Understanding OpenFlow mechanics is essential for implementing and troubleshooting SDN deployments in IoT environments.

127.11 What’s Next

If you want to… Read this
Study OpenFlow architecture OpenFlow Architecture
Learn OpenFlow core concepts OpenFlow Core Concepts
Explore the OpenFlow protocol series OpenFlow Protocol (SDN-OF)
Try the OpenFlow hands-on lab OpenFlow Hands-On Lab
Study SDN OpenFlow challenges SDN OpenFlow Challenges