Configuration

Faucet is configured with a YAML-based configuration file, faucet.yaml. The following is an example demonstrating a few common features:

faucet.yaml
include:
    - acls.yaml

vlans:
    office:
        vid: 100
        description: "office network"
        acls_in: [office-vlan-protect]
        faucet_mac: "0e:00:00:00:10:01"
        faucet_vips: ['10.0.100.254/24', '2001:100::1/64', 'fe80::c00:00ff:fe00:1001/64']
        routes:
            - route:
                ip_dst: '192.168.0.0/24'
                ip_gw: '10.0.100.2'
    guest:
        vid: 200
        description: "guest network"
        faucet_mac: "0e:00:00:00:20:01"
        faucet_vips: ['10.0.200.254/24', '2001:200::1/64', 'fe80::c00:00ff:fe00:2001/64']

routers:
    router-office-guest:
        vlans: [office, guest]

dps:
    sw1:
        dp_id: 0x1
        hardware: "Open vSwitch"
        proactive_learn: True
        interfaces:
            1:
                name: "h1"
                description: "host1 container"
                native_vlan: office
                acls_in: [access-port-protect]
            2:
                name: "h2"
                description: "host2 container"
                native_vlan: office
                acls_in: [access-port-protect]
            3:
                name: "g1"
                description: "guest1 container"
                native_vlan: guest
                acls_in: [access-port-protect]
            4:
                name: "s1"
                description: "services1 container"
                native_vlan: office
                acls_in: [service-port-protect]
            5:
                name: "trunk"
                description: "VLAN trunk to sw2"
                tagged_vlans: [office]
                acls_in: [access-port-protect]
    sw2:
        dp_id: 0x2
        hardware: "Allied-Telesis"
        interfaces:
            1:
                name: "pi"
                description: "Raspberry Pi"
                native_vlan: office
                acls_in: [access-port-protect]
            2:
                name: "laptop"
                description: "Guest Laptop"
                native_vlan: guest
                acls_in: [access-port-protect]
            24:
                name: "trunk"
                description: "VLAN trunk to sw1"
                tagged_vlans: [office, guest]
acls.yaml
acls:
    office-vlan-protect:
        # Prevent IPv4 communication between Office/Guest networks
        - rule:
            dl_type: 0x800      # ipv4
            ipv4_src: 10.0.100.0/24
            ipv4_dst: 10.0.200.0/24
            actions:
                allow: 0        # drop
        - rule:
            actions:
                allow: 1        # allow

    access-port-protect:
        # Drop dhcp servers
        - rule:
            dl_type: 0x800      # ipv4
            nw_proto: 17        # udp
            udp_src: 67         # bootps
            udp_dst: 68         # bootpc
            actions:
                allow: 0        # drop
        # Drop dhcpv6 servers
        - rule:
            dl_type: 0x86dd     # ipv6
            nw_proto: 17        # udp
            udp_src: 547        # dhcpv6-server
            udp_dst: 546        # dhcpv6-client
            actions:
                allow: 0        # drop
        # Drop icmpv6 RAs
        - rule:
            dl_type: 0x86dd     # ipv6
            nw_proto: 58        # icmpv6
            icmpv6_type: 134    # router advertisement
            actions:
                allow: 0        # drop
        # Drop SMTP
        - rule:
            dl_type: 0x800      # ipv4
            nw_proto: 6         # tcp
            tcp_dst: 25         # smtp
            actions:
                allow: 0        # drop
        # Force DNS (UDP) to our DNS server
        - rule:
            dl_type: 0x800      # ipv4
            nw_proto: 17        # udp
            udp_dst: 53         # dns
            actions:
                output:
                    dl_dst: "72:b8:3c:4c:dc:4d"
                    port: 5     # s1 container
        # Force DNS (TCP) to our DNS server
        - rule:
            dl_type: 0x800      # ipv4
            nw_proto: 6         # tcp
            tcp_dst: 53         # dns
            actions:
                output:
                    dl_dst: "72:b8:3c:4c:dc:4d"
                    port: 5     # s1 container
        - rule:
            actions:
                allow: 1        # allow

    service-port-protect:
        # Drop icmpv6 RAs
        - rule:
            dl_type: 0x86dd     # ipv6
            nw_proto: 58        # icmpv6
            icmpv6_type: 134    # router advertisement
            actions:
                allow: 0        # drop
        # Drop SMTP
        - rule:
            dl_type: 0x800      # ipv4
            nw_proto: 6         # tcp
            tcp_dst: 25         # smtp
            actions:
                allow: 0        # drop
        - rule:
            actions:
                allow: 1        # allow

The datapath ID may be specified as an integer or hex string (beginning with 0x).

A port not explicitly defined in the YAML configuration file will be left down and will drop all packets.

Gauge is configured similarly, with gauge.yaml. The following is an example demonstrating a few common features:

gauge.yaml
# Recommended configuration is Prometheus for all monitoring, with all_dps: True
faucet_configs:
    - '/etc/ryu/faucet/faucet.yaml'
watchers:
    port_status_poller:
        type: 'port_state'
        all_dps: True
        #dps: ['sw1', 'sw2']
        db: 'prometheus'
    port_stats_poller:
        type: 'port_stats'
        all_dps: True
        #dps: ['sw1', 'sw2']
        interval: 10
        db: 'prometheus'
        #db: 'influx'
    flow_table_poller:
        type: 'flow_table'
        all_dps: True
        interval: 60
        db: 'prometheus'
        #db: 'couchdb'
dbs:
    prometheus:
        type: 'prometheus'
        prometheus_addr: ''
        prometheus_port: 9303
    ft_file:
        type: 'text'
        compress: True
        file: 'flow_table.yaml.gz'
    influx:
        type: 'influx'
        influx_db: 'faucet'
        influx_host: 'influxdb'
        influx_port: 8086
        influx_user: 'faucet'
        influx_pwd: 'faucet'
        influx_timeout: 10
    couchdb:
        type: gaugedb
        gdb_type: nosql
        nosql_db: couch
        db_username: couch
        db_password: 123
        db_ip: 'couchdb'
        db_port: 5984
        driver: 'couchdb'
        views:
            switch_view: '_design/switches/_view/switch'
            match_view: '_design/flows/_view/match'
            tag_view: '_design/tags/_view/tags'
        switches_doc: 'switches_bak'
        flows_doc: 'flows_bak'
        db_update_counter: 2

Verifying configuration

You can verify that your configuration is correct with the check_faucet_config script:

check_faucet_config /etc/ryu/faucet/faucet.yaml

Configuration examples

For complete working examples of configuration features, see the unit tests, tests/faucet_mininet_test.py. For example, FaucetUntaggedACLTest shows how to configure an ACL to block a TCP port, and FaucetTaggedIPv4RouteTest shows how to configure static IPv4 routing.

Applying configuration updates

You can update FAUCET's configuration by sending it a HUP signal. This causes it to apply the minimum number of flow changes to the switch(es) needed to implement the change.

pkill -HUP -f faucet.faucet

Configuration in separate files

Extra DP, VLAN or ACL data can also be separated into different files and included into the main configuration file, as shown below. The include field is used for configuration files which are required to be loaded, and Faucet will log an error if there was a problem while loading a file. Files listed under include-optional will simply be skipped, and a warning will be logged instead.

Files are parsed in order, and both absolute and relative (to the configuration file) paths are allowed. DPs, VLANs or ACLs defined in subsequent files overwrite previously defined ones with the same name.

faucet.yaml

include:
    - /etc/ryu/faucet/dps.yaml
    - /etc/ryu/faucet/vlans.yaml

include-optional:
    - acls.yaml

dps.yaml

# Recursive include is allowed, if needed.
# Again, relative paths are relative to this configuration file.
include-optional:
    - override.yaml

dps:
    test-switch-1:
        ...
    test-switch-2:
        ...
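The include semantics described above (required vs optional includes, paths relative to the including file, recursive includes, later definitions overwriting earlier ones with the same name), as an added example that is not FAUCET's own loader. It works on already-parsed YAML held in a constructed in-memory dictionary so it runs offline; the assumption that a file's own sections are applied before its includes is labelled in the code.

```python
import logging
import posixpath

log = logging.getLogger("faucet-include-example")

# Constructed stand-in for parsed YAML files, keyed by absolute path.
FILES = {
    "/etc/ryu/faucet/faucet.yaml": {
        "include": ["dps.yaml", "/etc/ryu/faucet/vlans.yaml"],   # relative and absolute
        "include-optional": ["acls.yaml"],    # absent on purpose: skipped with a warning
        "vlans": {"office": {"vid": 100}},
    },
    "/etc/ryu/faucet/dps.yaml": {
        "include-optional": ["override.yaml"],   # recursive include, relative to dps.yaml
        "dps": {"sw1": {"dp_id": 1}, "sw2": {"dp_id": 2}},
    },
    "/etc/ryu/faucet/override.yaml": {
        "dps": {"sw2": {"dp_id": 0x22}},      # later file wins for the same DP name
    },
    "/etc/ryu/faucet/vlans.yaml": {
        "vlans": {"office": {"vid": 101}, "guest": {"vid": 200}},
    },
}
SECTIONS = ("dps", "vlans", "acls", "routers")


class IncludeError(Exception):
    """A required include is missing or the include graph loops."""


def _resolve(including_file, name):
    # Relative paths are relative to the file that lists them.
    if posixpath.isabs(name):
        return name
    return posixpath.join(posixpath.dirname(including_file), name)


def load_config(path, files=FILES, merged=None, seen=None):
    """Merge the top-level sections of path and everything it includes, in order."""
    merged = merged if merged is not None else {s: {} for s in SECTIONS}
    seen = seen if seen is not None else set()
    if path in seen:
        raise IncludeError("include loop at %s" % path)
    seen.add(path)
    doc = files[path]
    # Assumption: a file's own sections are applied first, then its includes in listed order.
    for section in SECTIONS:
        merged[section].update(doc.get(section, {}))   # same name => overwrite
    for key, required in (("include", True), ("include-optional", False)):
        for name in doc.get(key, []):
            inc = _resolve(path, name)
            if inc not in files:
                if required:
                    raise IncludeError("required include missing: %s" % inc)
                log.warning("optional include missing, skipped: %s", inc)
                continue
            load_config(inc, files, merged, seen)
    return merged


def check_includes(path, files=FILES):
    """None if the whole include tree loads, otherwise the error text."""
    try:
        load_config(path, files)
        return None
    except IncludeError as err:
        return str(err)
```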

Configuration options

Top Level

faucet.yaml
Attribute (type, default): description
acls (dictionary, {}): Configuration specific to ACLs. The keys are names of each ACL, and the values are config dictionaries holding the ACL's configuration (see below).
dps (dictionary, {}): Configuration specific to datapaths. The keys are names or dp_ids of each datapath, and the values are config dictionaries holding the datapath's configuration (see below).
routers (dictionary, {}): Configuration specific to routers. The keys are names of each router, and the values are config dictionaries holding the router's configuration (see below).
version (integer, 2): The config version. 2 is the only supported version.
vlans (dictionary, {}): Configuration specific to VLANs. The keys are names or vids of each VLAN, and the values are config dictionaries holding the VLAN's configuration (see below).

DP

DP configuration is entered in the ‘dps’ configuration block. The ‘dps’ configuration contains a dictionary of configuration blocks each containing the configuration for one datapath. The keys can either be string names given to the datapath, or the OFP datapath id.

dps/<dp name or id>/
Attribute (type, default): description
arp_neighbor_timeout (integer, 500): ARP and neighbour timeout in seconds.
description (string, None): Description of this datapath, strictly informational.
dp_id (integer, the configuration key): The OFP datapath-id of this datapath.
drop_bpdu (boolean, True): If True, Faucet will drop all STP BPDUs arriving at the datapath. NB: Faucet does not handle BPDUs itself; if you disable this you either need to configure an ACL to catch BPDUs or Faucet will forward them as though they were normal traffic.
drop_broadcast_source_address (boolean, True): If True, Faucet will drop any packet from a broadcast source address.
drop_lldp (boolean, True): If True, Faucet will drop all LLDP packets arriving at the datapath. NB: Faucet does not handle LLDP itself; if you disable this you either need to configure an ACL to catch LLDP or Faucet will forward it as though it were normal traffic.
drop_spoofed_faucet_mac (boolean, True): If True, Faucet will drop any packet it receives with an Ethernet source address equal to a MAC address that Faucet is using.
group_table (boolean, False): If True, Faucet will use OpenFlow group tables to flood packets. This is an experimental feature that is not fully supported by all devices and may not interoperate with all features of Faucet.
hardware (string, "Open vSwitch"): The hardware model of the datapath. Other options can be seen in the documentation for valve.py.
ignore_learn_ins (integer, 3): Ignore approximately every nth packet for learning: 2 will ignore 1 out of 2 packets; 3 will ignore 1 out of 3 packets. This limits control plane activity when learning new hosts rapidly. Flooding is still done by the dataplane even when a packet is ignored for learning purposes.
interfaces (dictionary, {}): Configuration block for interface-specific config (see below).
interface_ranges (dictionary, {}): Contains the config blocks for sets of multiple interfaces. The configuration entered here is used as the defaults for these interfaces. The defaults can be overwritten by configuring the interfaces individually, which will also inherit all defaults not specifically configured. For example, if the range specifies tagged_vlans: [1, 2, 3] and the individual interface specifies tagged_vlans: [4], the result will be tagged_vlans: [4]. The configuration key is a comma-separated string whose elements can be the name or number of an interface or a range of port numbers, e.g. "1-6,8,port9".
learn_ban_timeout (integer, 10): When a host is rapidly moving between ports, Faucet will stop learning MAC addresses on one of the ports for this number of seconds.
learn_jitter (integer, 10): In order to reduce load on the controller, Faucet will randomly vary the timeout for learnt MAC addresses by up to this number of seconds.
max_host_fib_retry_count (integer, 10): Limit the number of times Faucet will attempt to resolve a next hop's L2 address.
max_hosts_per_resolve_cycle (integer, 5): Limit the number of hosts resolved per cycle.
max_resolve_backoff_time (integer, 32): When resolving next hop L2 addresses, Faucet will back off exponentially until it reaches this value.
name (string, the configuration key): A name to reference the datapath by.
stack (dictionary, {}): Configuration block for stacking config, for loop protection (see below).
timeout (integer, 300): Timeout for MAC address learning.
targeted_gw_resolution (boolean, False): If True, and a gateway has been resolved, target the first re-resolution attempt to the same port rather than flooding.
minimum_ip_size_check (boolean, True): If False, don't check that IP packets have a payload (must be False for the OVS trace/tutorial to work).

Stacking (DP)

Stacking is configured in the dp configuration block and in the interface configuration block. At the dp level the following attributes can be configured within the configuration block 'stack':

dps/<dp name or id>/stack/
Attribute (type, default): description
priority (integer, 0): Setting any value for stack priority indicates that this datapath should be the root for the stacking topology.

Interfaces

Configuration for each interface is entered in the 'interfaces' configuration block within the config for the datapath. Each interface configuration block is a dictionary keyed by the interface name.

Defaults for groups of interfaces can also be configured under the 'interface_ranges' attribute within the datapath configuration block. These provide default values for a number of interfaces, which can be overwritten by the config block for an individual interface. They are keyed with a string containing a comma-separated list of OFP port numbers, interface names or OFP port number ranges (e.g. 1-6).
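The range key syntax and the per-key override rule described above (a range default of tagged_vlans: [1, 2, 3] replaced wholesale by an individual tagged_vlans: [4]), as an added example that is not FAUCET's own implementation. The datapath dictionary is constructed; the assumption that a port named only in a range key is created from the range defaults is marked in the code.

```python
import copy

# Constructed datapath config, as it would look after YAML parsing.
DP = {
    "interfaces": {
        1: {"tagged_vlans": [4]},                     # individual setting wins
        9: {"name": "port9", "description": "uplink"},  # referenced by name in the range key
    },
    "interface_ranges": {
        "1-6,8,port9": {"tagged_vlans": [1, 2, 3], "acls_in": ["access-port-protect"]},
    },
}


def expand_range_key(key, interfaces):
    """Expand a key such as "1-6,8,port9" into the OFP port numbers it names."""
    by_name = {conf["name"]: num for num, conf in interfaces.items() if "name" in conf}
    ports = []
    for elem in (e.strip() for e in str(key).split(",")):
        if "-" in elem:                       # inclusive port number range
            lo, hi = elem.split("-", 1)
            ports.extend(range(int(lo), int(hi) + 1))
        elif elem.isdigit():                  # single port number
            ports.append(int(elem))
        elif elem in by_name:                 # interface name
            ports.append(by_name[elem])
        else:
            raise ValueError("unknown interface %r in range key %r" % (elem, key))
    return ports


def apply_interface_ranges(dp_conf):
    """Return the interfaces dict with range defaults merged in.

    Each attribute set on the individual interface replaces the range default
    for that attribute; lists are replaced, not concatenated.
    Assumption: a port that appears only in a range key is created from the defaults."""
    interfaces = copy.deepcopy(dp_conf.get("interfaces", {}))
    for key, defaults in dp_conf.get("interface_ranges", {}).items():
        for port in expand_range_key(key, interfaces):
            merged = copy.deepcopy(defaults)
            merged.update(interfaces.get(port, {}))
            interfaces[port] = merged
    return interfaces
```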

dps/<dp name or id>/interfaces/<interface name or OFP port number>/
Attribute (type, default): description
acl_in (integer or string, None): Deprecated, replaced by acls_in, which accepts a list. The ACL that should be applied to all packets arriving on this port, referenced by name or list index.
acls_in (list of ACLs, as integers or strings, None): A list of ACLs that should be applied to all packets arriving on this port, referenced by name or list index. ACLs listed first take priority over those later in the list.
description (string, None): Description, purely informational.
enabled (boolean, True): Allow packets to be forwarded through this port.
hairpin (boolean, True): If True, allows packets arriving on this port to be output to this port. This is necessary to allow routing between two VLANs on this port, or for use with a WiFi radio port.
max_hosts (integer, 255): The maximum number of MAC addresses that can be learnt on this port.
mirror (list of integers or strings, None): Mirror all packets received and transmitted on the ports specified (by name or by port number) to this port.
name (string, the configuration key): A name to reference this port by.
native_vlan (integer, None): The VLAN associated with untagged packets arriving and leaving this interface.
number (integer, the configuration key): The OFP port number for this port.
permanent_learn (boolean, False): When True, Faucet will only learn the first MAC address on this interface. All packets with an Ethernet source address not equal to that MAC address will be dropped.
stack (dictionary, None): Configuration block for interface-level stacking configuration.
tagged_vlans (list of integers or strings, None): The VLANs associated with tagged packets arriving and leaving this interface.
unicast_flood (boolean, True): If False, unicast packets will not be flooded to this port.
output_only (boolean, False): If True, no packets will be accepted from this port.
opstatus_reconf (boolean, True): If True, FAUCET will reconfigure the pipeline based on the operational status of the port.

Stacking (Interfaces)

Stacking port configuration indicates how datapaths are connected when using stacking. The configuration is found under the ‘stack’ attribute of an interface configuration block. The following attributes can be configured:

dps/<dp name or id>/interfaces/<interface name or port number>/stack/
Attribute (type, default): description
dp (integer or string, None): The name or dp_id of the DP connected to this port.
port (integer or string, None): The name or OFP port number of the interface on the remote DP connected to this interface.

Router

Routers config is used to allow routing between vlans. Routers configuration is entered in the ‘routers’ configuration block at the top level of the faucet configuration file. Configuration for each router is an entry in the routers dictionary and is keyed by a name for the router. The following attributes can be configured:

routers/<router name>/:
Attribute (type, default): description
vlans (list of integers or strings, None): Enables inter-VLAN routing on the given VLANs.

VLAN

VLANs are configured in the ‘vlans’ configuration block at the top level of the faucet config file. The config for each vlan is an entry keyed by its vid or a name. The following attributes can be configured:

vlans/<vlan name or vid>/:
Attribute (type, default): description
acl_in (string or integer, None): Deprecated, replaced by acls_in, which accepts a list. The ACL to be applied to all packets arriving on this VLAN.
acls_in (list of ACLs, as integers or strings, None): The ACLs to be applied to all packets arriving on this VLAN. ACLs listed first take priority over those later in the list.
bgp_as (integer, 0): The local AS number to use when speaking BGP.
bgp_local_address (string (IP address), None): The local address to use when speaking BGP.
bgp_neighbour_addresses (list of strings (IP addresses), None): The list of BGP neighbours.
bgp_neighbour_as (integer, 0): The AS number for the BGP neighbours.
bgp_port (integer, 9179): Port to use for BGP sessions.
description (string, None): Strictly informational.
faucet_vips (list of strings (IP address prefixes), None): The IP addresses for Faucet's routing interface on this VLAN.
max_hosts (integer, 255): The maximum number of hosts that can be learnt on this VLAN.
name (string, the configuration key): A name that can be used to refer to this VLAN.
proactive_arp_limit (integer, None): Do not proactively ARP for hosts once this value has been reached (unlimited by default).
proactive_nd_limit (integer, None): Don't proactively discover IPv6 hosts once this value has been reached (unlimited by default).
routes (list of routes, None): Static routes configured on this VLAN (see below).
unicast_flood (boolean, True): If False, packets to unknown Ethernet destination MAC addresses will be dropped rather than flooded.
vid (integer, the configuration key): The VID for the VLAN.

Static Routes

Static routes are given as a list. Each entry in the list contains a dictionary keyed with the keyword ‘route’ and contains a dictionary configuration block as follows:

vlans/<vlan name or vid>/routes/[list]/route/:
Attribute (type, default): description
ip_dst (string (IP subnet), None): The destination subnet.
ip_gw (string (IP address), None): The next hop for this route.

ACLs

ACLs are configured under the ‘acls’ configuration block. The acls block contains a dictionary of individual acls each keyed by its name.

Each ACL contains a list of rules; a packet will have the first matching rule applied to it.

Each rule is a dictionary containing the single key ‘rule’ with the value the matches and actions for the rule.

The matches are key/values based on the Ryu RESTful API.

/acls/<acl name>/[list]/rule/actions
Attribute (type, default): description
allow (boolean, False): If True, allow the packet to continue through the Faucet pipeline; if False, drop the packet.
cookie (int, 0-2**16; default datapath cookie value): If set, the cookie on this flow will be set to this value.
meter (string, None): Meter to apply to the packet.
mirror (string or integer, None): Copy the packet, before any modifications, to the specified port (NOTE: mirroring is done in the input direction only).
output (dict, None): Used to output a packet directly. Details below.

The output action contains a dictionary with the following elements:

/acls/<acl name>/[list]/rule/actions/output/
Attribute (type, default): description
set_fields (list of dicts, None): A list of fields to set with values, e.g. eth_dst: "1:2:3:4:5:6".
port (integer or string, None): The port to output the packet to.
swap_vid (integer, None): Rewrite the VLAN VID of the packet when outputting.
failover (dict, None): Output with a failover port (see below).

Failover is an experimental option, but can be configured as follows:

/acls/<acl name>/[list]/rule/actions/output/failover/
Attribute (type, default): description
group_id (integer, None): The OFP group ID to use for the failover group.
ports (list, None): The list of ports the packet can be output through.
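The first-match rule evaluation described in the ACLs section, run over a constructed copy of rules from the acls.yaml example above, as an added example that is not FAUCET's own ACL engine. It also includes the check a practitioner would want before applying such an ACL to several datapaths: the example's access-port-protect outputs DNS to port 5, but sw2 (ports 1, 2 and 24) is also given that ACL and defines no port 5, and a port not defined in the configuration is left down. The no-match fall-through behaviour is an assumption marked in the code.

```python
import ipaddress

# Constructed subset of the acls.yaml example, as parsed from YAML.
ACLS = {
    "office-vlan-protect": [
        {"rule": {"dl_type": 0x800, "ipv4_src": "10.0.100.0/24",
                  "ipv4_dst": "10.0.200.0/24", "actions": {"allow": 0}}},
        {"rule": {"actions": {"allow": 1}}},
    ],
    "access-port-protect": [
        {"rule": {"dl_type": 0x800, "nw_proto": 17, "udp_src": 67, "udp_dst": 68,
                  "actions": {"allow": 0}}},                        # drop DHCP servers
        {"rule": {"dl_type": 0x86dd, "nw_proto": 58, "icmpv6_type": 134,
                  "actions": {"allow": 0}}},                        # drop ICMPv6 RAs
        {"rule": {"dl_type": 0x800, "nw_proto": 17, "udp_dst": 53,  # force DNS to port 5
                  "actions": {"output": {"dl_dst": "72:b8:3c:4c:dc:4d", "port": 5}}}},
        {"rule": {"actions": {"allow": 1}}},
    ],
}
PREFIX_FIELDS = ("ipv4_src", "ipv4_dst", "ipv6_src", "ipv6_dst")


def rule_matches(rule, packet):
    """Every match key in the rule must equal the packet field; prefix fields use CIDR containment."""
    for field, want in rule.items():
        if field == "actions":
            continue
        have = packet.get(field)
        if have is None:
            return False
        if field in PREFIX_FIELDS:
            if ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                return False
        elif have != want:
            return False
    return True


def evaluate(acl_names, packet, acls=ACLS):
    """ACLs listed first are tried first; the first matching rule decides.
    Returns ('allow', None), ('drop', None) or ('output', port)."""
    for name in acl_names:
        for entry in acls[name]:
            rule = entry["rule"]
            if rule_matches(rule, packet):
                actions = rule["actions"]
                if "output" in actions:
                    return ("output", actions["output"]["port"])
                return ("allow", None) if actions.get("allow") else ("drop", None)
    # Assumption: a packet matching no rule continues through the pipeline.
    return ("allow", None)


def lint_output_ports(dp_interfaces, acls=ACLS):
    """List (acl, rule index, port) for output actions naming a port this DP does not define."""
    known = set(dp_interfaces) | {c.get("name") for c in dp_interfaces.values()}
    return [(name, i, entry["rule"]["actions"]["output"]["port"])
            for name, rules in acls.items()
            for i, entry in enumerate(rules)
            if "output" in entry["rule"]["actions"]
            and entry["rule"]["actions"]["output"]["port"] not in known]
```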