OpenFlow

OpenFlow is supported in both FIPS mode and non-FIPS mode.

Note that a maximum of 3 controllers can be configured.

STEP 1: The following configuration sets up an OpenFlow controller on a FIPS-enabled system. First copy the switch's client private key and certificate to the device, then enable OpenFlow 1.3 and configure the controller:
scp sc-privkey.pem <crypto-officer>@<device-ip-address>:sslclientprivkey
scp sc-cert.pem <crypto-officer>@<device-ip-address>:sslclientcert

device# configure terminal
device(config)# openflow enable ofv130 
Warning: Please configure [system-max openflow-flow-entries #] to accept any flows
Warning: Please configure [system-max openflow-pvlan-entries #] to accept Protected VLANs for Hybrid ports
Warning: Please configure [system-max openflow-unprotectedvlan-entries #] to accept Configured Unprotected VLANs for Hybrid ports
device(config)# openflow controller ip-address 10.20.180.87  port 600


STEP 2: Run the following command on the controller (10.20.180.87) as root:
----------------------------------------------------------------------
[root@centos-180-87 ~]# ./openvswitch-2.3.0/tests/test-controller pssl:600 -p /usr/local/var/lib/openvswitch/pki/controllerca/ctl-privkey.pem -c /usr/local/var/lib/openvswitch/pki/controllerca/ctl-cert.pem -C /usr/local/var/lib/openvswitch/pki/switchca/cacert.pem -O OpenFlow13 -v

STEP 3: Observe the console message below and the output of the show commands:
----------------------------------------------------------------------
device(config)# logging console
SYSLOG: <13>Jul 26 19:32:13 OpenFlow: Established active connection with controller 10.20.180.87 port 600.

device(config)#
device# show openflow controller 
Openflow controller information

--------------------------------------------------------------------------------
  Controller   Mode      TCP/SSL   IP-address        Port   Status              
--------------------------------------------------------------------------------
  1  (Equal)   active    SSL       10.20.180.87      600    OPENFLOW_ESTABLISHED

device# show ip ssl
Session  Protocol Source IP                              Source Port  Remote IP                              Remote Port  
0        TLS_1_2  10.20.81.103                           633          10.20.180.87                           600          
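
The two show outputs above are what an operator reads to confirm the controller session is up and running over TLS. The following script is an added example (not part of the original page or the NetIron product) that parses a `show openflow controller` and a `show ip ssl` capture and reports anything that does not match the expected state: more than 3 controllers, a controller not using SSL, a session not in OPENFLOW_ESTABLISHED, or a TLS session missing or not at the expected protocol version. The sample text is constructed from the capture above plus a made-up second controller that uses plain TCP, so the checks have something to flag; the expectation that a FIPS-mode session is TLS_1_2 is an assumption passed in as a parameter, not a product rule.

```python
import re
from dataclasses import dataclass
from typing import List, Sequence

# Constructed sample of 'show openflow controller' output. Row 1 mirrors the
# page's capture; row 2 is a made-up plain-TCP controller added to exercise the checks.
SHOW_OPENFLOW_CONTROLLER = """\
Openflow controller information

--------------------------------------------------------------------------------
  Controller   Mode      TCP/SSL   IP-address        Port   Status
--------------------------------------------------------------------------------
  1  (Equal)   active    SSL       10.20.180.87      600    OPENFLOW_ESTABLISHED
  2  (Equal)   active    TCP       10.20.180.88      6633   OPENFLOW_ESTABLISHED
"""

# Constructed sample of 'show ip ssl' output, mirroring the page's capture.
SHOW_IP_SSL = """\
Session  Protocol Source IP      Source Port  Remote IP      Remote Port
0        TLS_1_2  10.20.81.103   633          10.20.180.87   600
"""


@dataclass
class Controller:
    index: int
    role: str        # e.g. "Equal"
    mode: str        # e.g. "active"
    transport: str   # "TCP" or "SSL"
    ip: str
    port: int
    status: str      # e.g. "OPENFLOW_ESTABLISHED"


@dataclass
class SslSession:
    session: int
    protocol: str    # e.g. "TLS_1_2"
    source_ip: str
    source_port: int
    remote_ip: str
    remote_port: int


# One controller row, e.g. "  1  (Equal)   active    SSL   10.20.180.87   600   OPENFLOW_ESTABLISHED"
_CTRL_RE = re.compile(
    r"^\s*(\d+)\s+\((\w+)\)\s+(\w+)\s+(TCP|SSL)\s+([\d.]+)\s+(\d+)\s+(\S+)\s*$")
# One session row, e.g. "0   TLS_1_2   10.20.81.103   633   10.20.180.87   600"
_SSL_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+([\d.]+)\s+(\d+)\s+([\d.]+)\s+(\d+)\s*$")


def parse_openflow_controllers(text: str) -> List[Controller]:
    """Parse controller rows; header, separator and blank lines do not match."""
    rows = []
    for line in text.splitlines():
        m = _CTRL_RE.match(line)
        if m:
            idx, role, mode, transport, ip, port, status = m.groups()
            rows.append(Controller(int(idx), role, mode, transport, ip, int(port), status))
    return rows


def parse_ssl_sessions(text: str) -> List[SslSession]:
    """Parse 'show ip ssl' session rows; the header line does not match."""
    rows = []
    for line in text.splitlines():
        m = _SSL_RE.match(line)
        if m:
            sess, proto, sip, sport, rip, rport = m.groups()
            rows.append(SslSession(int(sess), proto, sip, int(sport), rip, int(rport)))
    return rows


def audit_controllers(controllers: Sequence[Controller], sessions: Sequence[SslSession],
                      max_controllers: int = 3,
                      allowed_protocols: Sequence[str] = ("TLS_1_2",)) -> List[str]:
    """Return a list of findings; an empty list means every check passed.

    Checks the page's 3-controller limit, the connection status, SSL transport,
    and (assumption) that each SSL controller has a session in 'show ip ssl'
    whose protocol is one of allowed_protocols.
    """
    findings = []
    if len(controllers) > max_controllers:
        findings.append(f"{len(controllers)} controllers configured; limit is {max_controllers}")
    by_peer = {(s.remote_ip, s.remote_port): s for s in sessions}
    for c in controllers:
        peer = f"controller {c.index} ({c.ip}:{c.port})"
        if c.status != "OPENFLOW_ESTABLISHED":
            findings.append(f"{peer} status is {c.status}")
        if c.transport != "SSL":
            findings.append(f"{peer} uses {c.transport} transport, not SSL")
            continue  # no TLS session is expected for a plain-TCP controller
        sess = by_peer.get((c.ip, c.port))
        if sess is None:
            findings.append(f"{peer} has no TLS session in 'show ip ssl'")
        elif sess.protocol not in allowed_protocols:
            findings.append(f"{peer} negotiated {sess.protocol}; expected one of {list(allowed_protocols)}")
    return findings


if __name__ == "__main__":
    ctrls = parse_openflow_controllers(SHOW_OPENFLOW_CONTROLLER)
    sess = parse_ssl_sessions(SHOW_IP_SSL)
    for finding in audit_controllers(ctrls, sess) or ["all checks passed"]:
        print(finding)
```

Run against the constructed sample, the script reports only the plain-TCP controller; with the first controller alone it reports nothing, which is the state the captures above show. Paste real captures into the two string constants to check a device.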

STEP 4: Perform Wireshark captures on the management interfaces for the different TLS versions and ciphers to confirm what is negotiated.

HTTPS-based File Copy

The copy https command is supported in the Extreme NetIron 6.0.00aa release. The syntax of the command is:
copy https flash <https-server-ip-address> <remote-port(443)> <remote-file-location> <local-file-location>

The command supports the following cipher suites for each TLS version:
  • TLS 1.1 version
    • CIPHERSUITE_RSA_WITH_AES_128_CBC_SHA
    • CIPHERSUITE_RSA_WITH_AES_256_CBC_SHA
    • CIPHERSUITE_DHE_RSA_WITH_AES_128_CBC_SHA
    • CIPHERSUITE_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS 1.2 version
    • CIPHERSUITE_RSA_WITH_AES_128_CBC_SHA
    • CIPHERSUITE_RSA_WITH_AES_256_CBC_SHA
    • CIPHERSUITE_DHE_RSA_WITH_AES_128_CBC_SHA
    • CIPHERSUITE_DHE_RSA_WITH_AES_256_CBC_SHA
    • CIPHERSUITE_RSA_WITH_AES_128_CBC_SHA256
    • CIPHERSUITE_RSA_WITH_AES_256_CBC_SHA256
    • CIPHERSUITE_DHE_RSA_WITH_AES_128_CBC_SHA256
    • CIPHERSUITE_DHE_RSA_WITH_AES_256_CBC_SHA256
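
An HTTPS server that the device will copy from must offer at least one of the suites listed above for the TLS version in use, and servers are usually configured with OpenSSL-style cipher names rather than the CIPHERSUITE_ names the device uses. The following script is an added example, not part of the original page or the NetIron product: it converts each listed suite to its OpenSSL cipher-list name by rule (RSA key exchange becomes a bare AES name, DHE_RSA becomes a DHE-RSA- prefix), builds the cipher string for a given TLS version, and reports which of those suites the local OpenSSL build can still offer. The version keys "TLS1.1" and "TLS1.2" are labels chosen here, and the availability check only says what this host's library supports, not what the device negotiates.

```python
import re
import ssl
from typing import Dict, List

# Cipher suites the page lists for 'copy https', keyed by TLS version
# (the key names are labels chosen for this example).
COPY_HTTPS_SUITES: Dict[str, List[str]] = {
    "TLS1.1": [
        "CIPHERSUITE_RSA_WITH_AES_128_CBC_SHA",
        "CIPHERSUITE_RSA_WITH_AES_256_CBC_SHA",
        "CIPHERSUITE_DHE_RSA_WITH_AES_128_CBC_SHA",
        "CIPHERSUITE_DHE_RSA_WITH_AES_256_CBC_SHA",
    ],
    "TLS1.2": [
        "CIPHERSUITE_RSA_WITH_AES_128_CBC_SHA",
        "CIPHERSUITE_RSA_WITH_AES_256_CBC_SHA",
        "CIPHERSUITE_DHE_RSA_WITH_AES_128_CBC_SHA",
        "CIPHERSUITE_DHE_RSA_WITH_AES_256_CBC_SHA",
        "CIPHERSUITE_RSA_WITH_AES_128_CBC_SHA256",
        "CIPHERSUITE_RSA_WITH_AES_256_CBC_SHA256",
        "CIPHERSUITE_DHE_RSA_WITH_AES_128_CBC_SHA256",
        "CIPHERSUITE_DHE_RSA_WITH_AES_256_CBC_SHA256",
    ],
}

# Only the RSA / DHE_RSA AES-CBC families on the page are handled; anything
# else is rejected rather than guessed.
_SUITE_RE = re.compile(r"^CIPHERSUITE_(RSA|DHE_RSA)_WITH_AES_(128|256)_CBC_(SHA|SHA256)$")


def to_openssl_name(suite: str) -> str:
    """Convert a device-style suite name to OpenSSL's cipher-list name.

    CIPHERSUITE_RSA_WITH_AES_128_CBC_SHA        -> AES128-SHA
    CIPHERSUITE_DHE_RSA_WITH_AES_256_CBC_SHA256 -> DHE-RSA-AES256-SHA256
    """
    m = _SUITE_RE.match(suite)
    if not m:
        raise ValueError(f"not an RSA/DHE-RSA AES-CBC suite: {suite}")
    kx, bits, mac = m.groups()
    prefix = "DHE-RSA-" if kx == "DHE_RSA" else ""
    return f"{prefix}AES{bits}-{mac}"


def openssl_cipher_string(version: str) -> str:
    """Colon-separated OpenSSL cipher list for one TLS version, in page order."""
    return ":".join(to_openssl_name(s) for s in COPY_HTTPS_SUITES[version])


def suites_available_locally(version: str) -> List[str]:
    """Subset of the page's suites that this host's OpenSSL can actually offer.

    Newer OpenSSL builds or a raised security level may drop some CBC-SHA suites;
    an empty list means a server on this host could not satisfy the device at all.
    """
    wanted = set(openssl_cipher_string(version).split(":"))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(openssl_cipher_string(version))
    except ssl.SSLError:
        return []
    # get_ciphers() also lists TLS 1.3 suites, which set_ciphers() does not control.
    return [c["name"] for c in ctx.get_ciphers() if c["name"] in wanted]


if __name__ == "__main__":
    for version in COPY_HTTPS_SUITES:
        print(f"{version}: {openssl_cipher_string(version)}")
        print(f"  offered by local OpenSSL: {suites_available_locally(version) or 'none'}")
```

The cipher string printed for a version is what you would place in the HTTPS server's cipher configuration (for example an OpenSSL-based web server) so that the device's copy https request can negotiate one of the listed suites; if the local availability list is empty, that server cannot serve the device regardless of its configuration.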