
Flow Table

The Flow Table is a critical component in SDN switches, storing rules for packet forwarding known as flow entries, which consist of match fields and associated actions. It allows for dynamic management of packet flows based on network conditions and supports prioritization and wildcard matching for efficient processing. The SDN controller oversees flow table management, ensuring up-to-date entries and enforcing security policies while optimizing performance through techniques like caching and hardware acceleration.

Uploaded by

Ganesh Kumar

FLOW TABLE

• The Flow Table plays a crucial role in the data plane of network devices, particularly in switches.
• The Flow Table is where rules for packet forwarding are stored and processed.

Functionality:
• The Flow Table is a fundamental component of SDN switches. It is analogous to a database in which rules, known as flow entries, are stored.
• Each flow entry consists of match fields and corresponding actions.

Match Fields:
• These fields define the characteristics of packets that the switch examines to determine whether they match a particular flow entry.
• Common match fields include source and destination addresses, ports, VLAN tags, and packet header information (e.g., IP protocol, TCP/UDP ports).

Actions:
• Once a packet matches a flow entry, the switch executes the specific actions associated with that entry.
• Actions can include forwarding the packet out a particular port, dropping the packet, modifying packet headers, or sending the packet to the controller for further processing.

Priority and Wildcard Entries:
• Flow entries in the table have priorities assigned to them. When a packet matches multiple flow entries, the entry with the highest priority is selected.
• Additionally, wildcard entries can match multiple packets based on common criteria, simplifying rule management.

Flow Table Lookup:
• When a packet arrives at the switch, it is compared against the flow entries in the table using the match fields.
• This process is known as a flow table lookup. If a match is found, the corresponding actions are executed.
• If no match is found (a table miss), the packet is often forwarded to the controller for further handling.

Flow Table Management:
• The SDN controller is responsible for managing the flow table entries.
• It can dynamically add, modify, or remove entries based on network conditions, policies, or events.
• This dynamic control allows for flexible and programmable packet forwarding behavior.

Flow Table Capacity:
• The capacity of the flow table varies depending on the capabilities of the switch hardware and the SDN controller's software.
• Larger capacity allows for more complex forwarding behavior and support for a greater number of concurrent flows.

Flow Table Aging and Eviction:
• Flow entries may have a limited lifetime, after which they are removed from the table.
• This process, known as aging, helps manage resource usage and ensures that the flow table remains up to date.
• Entries may also be evicted to make room for new entries when the table reaches its capacity.

Performance Considerations:
• Efficient flow table lookup is crucial for maintaining network performance.
• Switches employ various techniques, such as caching and hardware acceleration, to optimize lookup speed and reduce latency.

Security and Policy Enforcement:
• The flow table is a central point for enforcing network security policies.
• By carefully configuring flow entries, administrators can control traffic flows, implement access control policies, and mitigate security threats.
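Because the highest-priority match wins, a broad forwarding entry installed above a narrower drop entry silently disables the drop. The following added example (not part of the original slides) audits a rule list for such fully shadowed entries; the tuple layout, field names and action strings are assumptions made for illustration.

```python
import ipaddress

def field_covers(field, broad, narrow):
    """True if every value accepted by `narrow` is also accepted by `broad`."""
    if field.startswith("ipv4_"):
        return ipaddress.ip_network(narrow).subnet_of(ipaddress.ip_network(broad))
    return broad == narrow

def covers(high, low):
    # A field missing from a match is a wildcard, so `high` covers `low` when
    # each field `high` constrains is constrained at least as tightly by `low`.
    return all(f in low and field_covers(f, v, low[f]) for f, v in high.items())

def find_shadowed(rules):
    """rules: list of (priority, match, action) tuples (hypothetical layout).
    Returns (shadowed, shadowing) pairs: a higher-priority rule with a
    different action matches every packet the lower-priority rule would."""
    findings = []
    for lo in rules:
        for hi in rules:
            if hi[0] > lo[0] and hi[2] != lo[2] and covers(hi[1], lo[1]):
                findings.append((lo, hi))
    return findings

# Constructed policy: the telnet block was installed below a broad forward rule.
RULES = [
    (200, {"ipv4_dst": "10.0.0.0/8"}, "output:2"),
    (100, {"ipv4_dst": "10.0.5.0/24", "tcp_dst": 23}, "drop"),
    (300, {"ipv4_src": "203.0.113.0/24"}, "drop"),
    (0, {}, "to_controller"),
]

if __name__ == "__main__":
    for low, high in find_shadowed(RULES):
        print(f"priority {low[0]} {low[2]} never fires: hidden by priority {high[0]} {high[2]}")
```

Raising the priority of the drop entry above the forwarding entry clears the finding.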

• Match fields: Used to select packets that match the values in the fields.
• Priority: Relative priority of table entries. This is a 16-bit field with 0 corresponding to the lowest priority. In principle, there could be 2^16 = 64k priority levels.
• Counters: Updated for matching packets. The OpenFlow specification defines a variety of counters.
• Instructions: Instructions to be performed if a match occurs.
• Timeouts: Maximum amount of idle time before a flow is expired by the switch.
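An added example, not from the original slides, that models a flow entry with these five components and performs a lookup: the highest-priority match wins, idle entries age out, and a miss is sent to the controller. Field names, instruction strings and the sample rules are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class FlowEntry:
    match: dict               # field -> value; a field left out is a wildcard
    priority: int             # 16-bit: 0 (lowest) to 65535
    instructions: list        # illustrative strings such as "output:2", "drop"
    idle_timeout: float = 0   # seconds without a hit before expiry; 0 = never
    packets: int = 0          # counter, updated on every match
    last_hit: float = 0.0

    def matches(self, pkt):
        def ok(field, want):
            got = pkt.get(field)
            if got is None:
                return False
            if field.startswith("ipv4_"):      # subnet (masked) match
                return ipaddress.ip_address(got) in ipaddress.ip_network(want)
            return got == want                 # exact match
        return all(ok(f, w) for f, w in self.match.items())

class FlowTable:
    def __init__(self):
        self.entries = []

    def add(self, entry, now=0.0):
        entry.last_hit = now
        self.entries.append(entry)

    def lookup(self, pkt, now):
        # Aging: remove entries that have been idle for their whole timeout.
        self.entries = [e for e in self.entries if not e.idle_timeout
                        or now - e.last_hit < e.idle_timeout]
        hits = [e for e in self.entries if e.matches(pkt)]
        if not hits:
            return ["to_controller"]           # table miss
        best = max(hits, key=lambda e: e.priority)
        best.packets += 1
        best.last_hit = now
        return best.instructions

def build_table():   # constructed sample rules
    t = FlowTable()
    t.add(FlowEntry({"ipv4_dst": "10.0.0.0/8"}, 100, ["output:2"]))
    t.add(FlowEntry({"ipv4_dst": "10.0.5.0/24", "tcp_dst": 23}, 300, ["drop"]))
    t.add(FlowEntry({"ipv4_src": "192.0.2.7/32"}, 200, ["output:3"], idle_timeout=10))
    return t
```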

Match Fields Component
Ingress port: The identifier of the port on this switch on which the packet arrived. This may be a physical port or a switch-defined virtual port. Required in ingress tables.
Egress port: The identifier of the egress port from action set. Required in egress tables.
Ethernet source and destination addresses: Each entry can be an exact address, a bitmasked value for which only some of the address bits are checked, or a wildcard value.
IPv4 or IPv6 source address, and destination address: Each entry can be an exact address, a bitmasked value, a subnet mask value, or a wildcard value.
TCP source and destination ports: Exact match or wildcard value.
UDP source and destination ports: Exact match or wildcard value.
Physical port: Used to designate underlying physical port when packet is
VLAN ID and VLAN user priority: Fields in the IEEE 802.1Q virtual LAN header. SDN support for VLANs is discussed in Chapter 8, “NFV Functionality.”
SCTP source and destination ports: Exact match or wildcard value for Stream Control Transmission Protocol.
ICMP type and code fields: Exact match or wildcard value.
IPv6 neighbor discovery target address: In an IPv6 Neighbor Discovery message.

• OpenFlow can be used with network traffic involving a variety of protocols and network services.
• OpenFlow as currently defined cannot control Layer 2 traffic over wireless networks.
• Each of the fields in the match fields component either has a specific value or a wildcard value, which matches any value in the corresponding packet header field.

Flow Table Pipeline
• A switch includes one or more flow tables.
• If there is more than one flow table, they are organized as a pipeline, with the tables labeled with increasing numbers starting with zero.
• The use of multiple tables in a pipeline, rather than a single flow table, provides the SDN controller with considerable flexibility.

The OpenFlow specification defines two stages of processing:

Ingress processing
• Ingress processing always happens, beginning with Table 0, and uses the identity of the input port.
• Table 0 may be the only table, in which case the ingress processing is simplified to the processing performed on that single table, and there is no egress processing.

Egress processing
• Egress processing is the processing that happens after the determination of the output port. It happens in the context of the output port.
