SDN in Practice: Building a Programmable Network with OpenFlow, OVS, and Ryu

Table of Contents

Why Traditional Networking is Breaking

Managing a network used to involve a tedious cycle: SSH into 50 different switches, navigate 50 proprietary CLIs, and manually punch in VLAN or ACL configs. This hardware-centric approach is a massive bottleneck for modern data centers. When a new app needs specific policies, waiting three days for a manual configuration change is no longer an option.

I remember a specific nightmare early in my career involving a “split-brain” configuration. One switch in a cluster had a 1500 MTU setting while the others were at 9000. Finding that single mismatch took four hours of downtime. Software-Defined Networking (SDN) fixes this by separating the brain (Control Plane) from the muscle (Data Plane).

Since switching to an SDN-based infrastructure six months ago, my workflow has shifted from manual CLI entry to writing programmable logic. In production, this setup has remained rock-solid. It handles automated tenant isolation and dynamic traffic engineering that would be impossible with standard hardware.

The Stack: OpenFlow, OVS, and Ryu

To build a functional SDN environment, we need three components to work together. Understanding their interaction is vital before we write a single line of code.

1. The Data Plane: Open vSwitch (OVS)

Open vSwitch is a multilayer virtual switch designed for massive automation. In environments like Proxmox or KVM, OVS lives inside the hypervisor. It handles the heavy lifting of moving packets between virtual machines. Unlike a basic Linux bridge, OVS supports OpenFlow, which means an external controller can remotely manage its forwarding table.

2. The Protocol: OpenFlow

OpenFlow is the language the controller uses to speak to the switch. Instead of the switch making independent decisions based on MAC addresses, it asks the controller: “I see a packet with these headers; what do I do?” The controller then pushes a “flow entry” to the switch’s memory. This tells the switch to forward, drop, or modify similar packets in the future.

3. The Control Plane: Ryu Controller

Ryu is a Python-based SDN framework. I prefer Ryu over heavier alternatives like ONOS because it is lightweight and developer-friendly. If you know basic Python, you can write network logic. It provides a clean API that makes creating custom firewall rules or load balancers straightforward.

Hands-on Implementation

For this setup, use a clean Ubuntu 22.04 LTS environment. We will use Mininet to simulate our network. It is the industry standard for prototyping SDN topologies without needing a rack of physical switches.

Step 1: Installation

Start by updating your system and installing the core networking tools.

sudo apt update
sudo apt install -y openvswitch-switch mininet python3-pip

Now, install the Ryu framework. While a virtual environment is usually better, a direct installation works fine for a dedicated lab machine.

pip3 install ryu

Step 2: Building a Learning Switch

Let’s write a Python script to make OVS behave like a smart Learning Switch. This logic ensures the switch remembers which MAC address lives on which port. Save this as my_switch.py.

from ryu.base import app_manager
from ryu.controller import ofp_event
from ryu.controller.handler import CONFIG_DISPATCHER, MAIN_DISPATCHER
from ryu.controller.handler import set_ev_cls
from ryu.ofproto import ofproto_v1_3
from ryu.lib.packet import packet
from ryu.lib.packet import ethernet

class MySwitch(app_manager.RyuApp):
    OFP_VERSIONS = [ofproto_v1_3.OFP_VERSION]

    def __init__(self, *args, **kwargs):
        super(MySwitch, self).__init__(*args, **kwargs)
        self.mac_to_port = {}

    @set_ev_cls(ofp_event.EventOFPSwitchFeatures, CONFIG_DISPATCHER)
    def switch_features_handler(self, ev):
        datapath = ev.msg.datapath
        ofproto = datapath.ofproto
        parser = datapath.ofproto_parser

        # Install table-miss flow entry
        match = parser.OFPMatch()
        actions = [parser.OFPActionOutput(ofproto.OFPP_CONTROLLER,
                                          ofproto.OFPCML_NO_BUFFER)]
        self.add_flow(datapath, 0, match, actions)

    def add_flow(self, datapath, priority, match, actions):
        ofproto = datapath.ofproto
        parser = datapath.ofproto_parser
        inst = [parser.OFPInstructionActions(ofproto.OFPIT_APPLY_ACTIONS, actions)]
        mod = parser.OFPFlowMod(datapath=datapath, priority=priority,
                                match=match, instructions=inst)
        datapath.send_msg(mod)

    @set_ev_cls(ofp_event.EventOFPPacketIn, MAIN_DISPATCHER)
    def _packet_in_handler(self, ev):
        msg = ev.msg
        datapath = msg.datapath
        ofproto = datapath.ofproto
        parser = datapath.ofproto_parser
        in_port = msg.match['in_port']

        pkt = packet.Packet(msg.data)
        eth = pkt.get_protocols(ethernet.ethernet)[0]
        dst = eth.dst
        src = eth.src

        dpid = datapath.id
        self.mac_to_port.setdefault(dpid, {})

        # Learn the MAC address to avoid flooding next time
        self.mac_to_port[dpid][src] = in_port

        if dst in self.mac_to_port[dpid]:
            out_port = self.mac_to_port[dpid][dst]
        else:
            out_port = ofproto.OFPP_FLOOD

        actions = [parser.OFPActionOutput(out_port)]

        if out_port != ofproto.OFPP_FLOOD:
            match = parser.OFPMatch(in_port=in_port, eth_dst=dst)
            self.add_flow(datapath, 1, match, actions)

        data = None
        if msg.buffer_id == ofproto.OFP_NO_BUFFER:
            data = msg.data

        out = parser.OFPPacketOut(datapath=datapath, buffer_id=msg.buffer_id,
                                  in_port=in_port, actions=actions, data=data)
        datapath.send_msg(out)

Step 3: Testing the Network

Open two terminal windows. In the first, launch the Ryu controller with your script:

ryu-manager my_switch.py

In the second terminal, use Mininet to create a topology with one switch and three hosts. We will point it to our local Ryu controller:

sudo mn --topo single,3 --mac --controller remote,ip=127.0.0.1,port=6633 --switch ovsk,protocols=OpenFlow13

Once the Mininet CLI (mininet>) is ready, run a connectivity test:

mininet> pingall

The first ping typically shows higher latency (around 50-100ms) as the controller processes the unknown MAC address. Subsequent pings will drop to sub-millisecond levels. This happens because OVS is now handling the traffic in the kernel, bypassing the controller entirely.

Peeking Under the Hood

The best part of SDN is the visibility. To see exactly how the switch is making decisions, open a third terminal and run:

sudo ovs-ofctl -O OpenFlow13 dump-flows s1

You will see a rule like priority=1,in_port=1,eth_dst=00:00:00:00:00:02 actions=output:2. This is the exact instruction the Ryu controller sent to the switch hardware. Unlike traditional “black box” switches, you can see every single rule determining a packet’s fate.

Real-World Deployment Lessons

Moving from a lab to a production cluster requires focusing on high availability. When I first deployed OVS with Ryu in a staging environment, I realized that the controller is a single point of failure. If the controller crashes, your switches become “dumb” and stop forwarding traffic.

To solve this, I now use a 3-node Ryu cluster behind a load balancer. I also configure OVS to use multiple controller IPs. This ensures that even during a software update, the data plane stays up. In over six months of operation, we haven’t seen a single network-wide outage caused by the SDN logic.

Final Thoughts

Building an SDN moves the complexity from thick hardware manuals to manageable Python code. This shift allows you to prototype features like custom firewalls or automated network slicing in hours rather than weeks. While you have to learn flow-based logic, the flexibility is worth the effort. If you want to automate your infrastructure, these three tools are the best place to begin.