HP VAN SDN Controller 2.3 Administrator Guide

Abstract
This guide is intended for network administrators and support personnel involved in:
• configuring and managing HP VAN SDN (Virtual Area Network Software-Defined Networking) Controller installations
• registering and activating HP VAN SDN Controller licenses
The information in this guide is subject to change without notice.
© Copyright 2013, 2014 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents (excerpt)
1 Introduction 8
1.1 Supported switches and OpenFlow compatibility 9
1.1.1 OpenFlow requirements 9
1.1.2 IPv6 traffic
3.7.2.5 Authentication manager 27
3.7.2.6 Controller manager 27
3.7.2.7 Link manager 28
3.7.2.8 Log manager 28
3.7.2.
3.13.6 Filtering the OpenFlow trace log in a CSV file 47
3.13.7 Changing the OpenFlow trace interval 48
3.14 OpenFlow classes display 49
3.14.1 About OpenFlow classes 49
3.14.
6.3.2 Configuring controller settings to support hybrid mode 75
6.4 Controller packet-forwarding when hybrid mode is disabled 77
6.4.1 Controller packet forwarding when hybrid mode is enabled 78
6.4.2 Learning more about hybrid mode 78
7 Team configuration
11.7 Path diagnostic application via REST command line API 104
11.7.1 Communication problems 104
11.7.2 Packet generator troubleshooting 104
11.7.2.1 Packet generator troubleshooting procedure 104
11.7.2.2 Run the packet generator process
1 Introduction This document describes the configuration and management of the HP VAN Controller in standalone and team modes. The HP VAN SDN Controller is a Java-based OpenFlow controller enabling SDN solutions such as network controllers for the data center, public cloud, private cloud, and campus edge networks. This includes providing an open platform for developing experimental and special-purpose network control protocols using a built-in OpenFlow controller.
Native applications are well suited when the application needs frequent, low-latency interactions with network devices. External applications can be developed in any language and are deployed either on a platform outside the controller or on the same platform as the controller. External applications interact with the controller through the REST API services exported and advertised by the controller platform and by native applications deployed on the controller.
2 Understanding the embedded applications
2.1 Link manager
The Link Manager builds information about links between network elements in the controller domain. This application maintains a table of source and destination devices and ports, and transmits discovery packets to ports on attached datapaths. The Link Manager:
• Learns and maintains all inter-switch links in the control domain.
• Provides data used by the controller topology module to construct end-to-end paths.
• Deciphers port state changes.
The Path Daemon application is responsible for pushing end-to-end flows for all ARP and IPv4 flow misses that arrive at the controller. By default, Path Daemon is responsible for Layer-2 forwarding only. This component depends on other network service components such as the Node manager and the Topology manager. Path Daemon does the following:
• Registers with the controller as a Director. Directors are allowed to send a packet out.
• Registers for ARP packets and IPv4 packets.
Figure 1 Path daemon flowchart
2.4 Path diagnostics
The path diagnostics application determines and verifies the path taken by a specific packet from a source host to a destination host. It:
• Evaluates flows configured across the switches in the control domain for diagnosis.
• Creates ‘observation posts’ on every switch in the path that the packet would take.
• Tallies packet_in messages from the observation posts to detect where a path is broken.
• Lists neighbors for any given device.
2.5 Topology manager
The topology manager computes the broadcast tree to avoid loops and broadcast storms. For a given switch it also does the following:
• Provides a list of discovered ports on the switch.
• Indicates whether a switch port is an edge port (connection point) or part of a link.
• Indicates whether a port is in a blocked or open state by determining whether ingress broadcast traffic is allowed through the port.
• Verifies whether a path exists between two nodes.
3 Navigating the controller user interface
3.1 Starting the SDN controller console UI
1. Use a supported browser, such as Google Chrome, to access the controller's GUI at the controller IP address:
   GUI: https://controller_ip_addr:8443/sdn/ui
   Example: https://192.0.2.1:8443/sdn/ui
2. Enter user name and password credentials, then select Login.
   Example: Default user name: sdn; Default password: skyline
3. The main controller screen appears with the Alerts screen displayed.
Figure 2 Screen topography (callouts 1 to 4)
• Banner: Identifies the user interface. Contains the alert notification counter and links to the navigation menu, alert information, and the SDN User window.
• Alert notification counter: Displays the current number of active alerts. Clicking this icon displays the Alerts as of Today window box.
Screen component: Description
• The number next to the icon is the “alert notification counter” (page 20), which provides a count of the current active alerts.
• Expands or collapses the “SDN User” (page 17) window.
3.2.2 Changing column widths
To change the column widths, drag the column header borders. For example:
• To narrow the Severity column, click the border to the left of Date/Time and drag it to the left.
Screen component: Description
• When the navigation menu is displayed as a window pane on the console, exactly one navigation tree can be expanded. To collapse a navigation tree for the controller or an application, click the expand icon for a different navigation tree.
• Collapses the navigation window when it is displayed as an overlay window on the console screen.
3.3.3 Expanding or collapsing the navigation menu
The navigation menu is displayed as a navigation pane by default.
3.4.1 User window screen details
Figure 3 SDN user window
Screen component: Description
• Logout: Logs the user out of the controller.
• Links: Links to websites outside of the controller:
  Name: Description
  • SDN Information Library: Links to the information library on the HP Software-Defined Networking website. The HP SDN information library provides links to the technical documentation for the HP VAN SDN Controller and the HP SDN applications.
3.4.3 Collapsing the SDN user window
To collapse the SDN User window, do one of the following:
• In the SDN User window, click the collapse icon.
• From the top banner, click the SDN User icon.
3.4.4 Logging out of the controller
To log out of the controller UI:
• From the SDN User window, select Logout.
3.5 Alerts screen
3.5.1 About alerts
Alerts give notification of events that affect controller operation, and in some cases indicate that some action is needed to correct a condition.
3.5.3 Alert notification counter
The alert notification counter is displayed in the top banner and appears on all controller screens. This counter indicates the number of active alerts:
• The controller increments this counter when each new alert occurs.
• The controller decrements this counter when you acknowledge an alert or when the controller deletes an alert according to the “alert age-out policy” (page 21).
Figure 4 Alert notification counter
3.5.
Screen component: Description
• Origin: Indicates which component or application generated the alert.
• Topic: Indicates the category for this alert. Multiple origins can contribute alerts to the same topic.
• Controller ID: Identifies the controller that generated the alert. The controller is represented as a hexadecimal number. When you use controller teaming, this ID enables you to identify which controller in the team generated the alert.
3.5.
3.6 Applications screen 3.6.1 About the application manager The Application Manager supports default and add-on network services, and enables installing, upgrading, enabling (starting), disabling (stopping), and uninstalling SDN applications. Application manager and controller teams When controllers are operating in a team, actions performed on one controller are propagated to the other controllers in the team.
Screen component: Description
• Version: The version number of the application.
• State: The most common states are listed in the following table.
  State: Description
  • ACTIVE: The application has been started and is servicing requests.
  • STAGED: A new application has been downloaded to the controller and is ready to be installed.
  • DISABLED: The application has been stopped. Applications in this state are not restarted when the controller restarts.
3.6.
4. Click Deploy. The new application then appears by name on the Applications screen as ACTIVE.
3.6.5 Disabling (stopping) or enabling (starting) an application
This procedure temporarily stops an active application from servicing requests, but retains the application on the system. The application remains present on the system and can be restarted when needed. (The application does not automatically restart when the controller restarts.)
Procedure 1 Disabling an application using the UI
1.
2.
3. Click the Enable button to activate the application. The application starts or resumes operation and the application state changes to ACTIVE.
3.6.6 Uninstalling an application
This procedure completely removes an application from the controller. To later restore the removed application, see Adding or upgrading an application. Use the following procedure to uninstall an application using the UI.
1. In the Applications screen, select the application you want to uninstall.
2. Click Uninstall.
3.
Configurations and controller teams When controllers are operating in a team, configuration changes on one active controller propagate to the other active controllers in the team. 3.7.1.1 About component keys Each configuration component contains one or more component keys, each of which identify a configurable property of the component. CAUTION: Inappropriate changes to key values can result in severely degraded system performance.
3.7.2.3 Alert post manager
Component name: com.hp.sdn.api.impl.AlertPostManager
Description: The AlertPostManager uses the HTTP(S) protocol to send alert data as a JSON string to registered alert topic listeners.
Component keys: Information about the configurable component keys, including descriptions, current values, suggested ranges, and default values, is available from:
• The Configuration screen of the controller UI.
• The controller Configs REST API.
3.7.2.4 Audit log manager
Component name: com.hp.
Component keys Information about the configurable component keys, including descriptions, current values, suggested ranges, and default values are available from: • The Configuration screen of the controller UI. • The controller Configs REST API. 3.7.2.7 Link manager Component name com.hp.sdn.ctl.linkdisco.impl.LinkManager Description The LinkManager provides parameters used for discovering links between network elements.
Component keys Information about the configurable component keys, including descriptions, current values, suggested ranges, and default values are available from: • The Configuration screen of the controller UI. • The controller Configs REST API. 3.7.2.10 Node manager Component name com.hp.sdn.ctl.nodemgr.impl.NodeManager Description The NodeManager provides parameters for discovering and maintaining end host locations in the network.
Description The RestPerfProvider reports performance data for the REST API. Component keys Information about the configurable component keys, including descriptions, current values, suggested ranges, and default values are available from: • The Configuration screen of the controller UI. • The controller Configs REST API. 3.7.2.14 Role assert manager Component name com.hp.sdn.adm.role.impl.
Component keys Information about the configurable component keys, including descriptions, current values, suggested ranges, and default values are available from: • The Configuration screen of the controller UI. • The controller Configs REST API. 3.7.2.18 End-Host discovery via ARP protocol Component name com.hp.sdn.disco.of.node.impl.OfArpDiscoveryComponent Description OpenFlow end-host discovery via the ARP protocol. 3.7.2.19 End-Host discovery via DHCP protocol Component name com.hp.sdn.disco.of.
3. Enter new values for each of the keys you want to modify.
4. Do one of the following:
• To save your changes and close the dialog box, click Apply.
• To close the dialog box without saving changes, click Cancel.
3.8 Audit log screen
3.8.1 About the audit log
The audit log is available through both the controller GUI and the REST API, and records events related to activities, operations, and configuration changes initiated by an authorized user.
Screen component: Description
• Data: Detailed information about the log entry.
• Controller ID: A hexadecimal number that identifies the controller that generated the log entry. When you use controller teaming, this ID enables you to identify which controller in the team generated the alert.
For example, the audit log displays software license and teaming activity:
Figure 5 Audit Log screen example with licensing and teaming activity
3.8.3 Deleting a log entry
You cannot delete or modify a log entry.
3.9.2 Licenses screen details
Screen component: Description
• Refresh: Updates the screen with the latest license information.
• Add: Adds and activates the specified license key on this controller.
• Deactivate: Deactivates the selected license.
• Install ID: Contains the installation identifier for this controller.
• License table columns: Serial#, Product, Licensed For, Qty, Type, Status, Expire By, Uninstall Key
3.9.
3.10.2 Support logs screen details Screen component Description Refresh Displays a listing of the most recent log messages, as determined by the currently configured queue size. For example, with a queue size of 100, Refresh lists the 100 most recent log messages. Export Gathers the set of support log file data from the standalone controller or all active controllers in the team, and stores the data as a single compressed archive. Level The severity level for the entry.
1. From the Configurations screen, under Component, select the com.hp.sdn.adm.mgr.impl.AppManager component.
2. Click Modify. The Modify Configuration dialog box appears.
3. Change the “verifyZips” key value to “False” to enable checking.
4. Click Apply.
NOTE: To download an application with this check enabled, the public certificate used to recognize the signed zip file must be installed in the sdnjar_trust.jks truststore. See “Adding certificates to the jar-signing truststore” (page 68).
3.10.
3.11.2 OpenFlow monitor screen details 3.11.2.1 Main display Screen component Description Refresh Updates the information displayed on the screen. Summary Displays the “Summary for data path view” (page 37) for the selected data path. Ports Displays the “Ports for data path display” (page 37) for the selected data path. Flows Displays the “Flows for data path display” (page 38) for the selected data path. Groups Displays the Groups view for the selected data path.
Figure 8 Ports view for a specific OpenFlow device 3.11.2.4 Flows for data path display This view includes the current flows on the selected OpenFlow device. For a given flow, traffic meeting the requirements specified in the "Matches" field is directed as specified in the corresponding "Actions/Instructions" field. Figure 9 Flows view for a specific OpenFlow device NOTE: The Table ID applies to OpenFlow 1.3 and greater, but not to OpenFlow 1.0. 3.11.
3.12 OpenFlow topology screen The OpenFlow screen displays a topology of discovered switches and end nodes in the controller domain. The viewer creates and updates a graph of the network, and computes the broadcast tree to avoid loops and broadcast storms. The shortest path is computed using Dijkstra’s graph search algorithm. The viewer: • Displays a topology of discovered switches and end nodes. • Identifies the ports discovered on a given switch. • Identifies the shortest path between two nodes.
Figure 11 Default topology view with switch and end-nodes
3.12.1.1 Configuring how the OpenFlow network topology is displayed
Both of the following tools provide control for different parts of the OpenFlow Topology display:
• The keyboard-shortcut icon, for a list of keyboard shortcuts you can use to change the display.
• The View menu.
Figure 12 End-node IP address labeling Press N again to display the end-node MAC addresses as labels in the topology diagram: Figure 13 End-node MAC addresses as labels Press N again to return to the unlabeled end-node view. Switches are always labelled with their data path ID. You can also: • Add port labels to the links between switches and between switches and end nodes. • Identify flow details and options. (See “Identifying flow details and flow options” (page 43).) 3.
• "Pin" the switches and end nodes in the topology display. • "Collapse" the topology display to show only the number of end nodes connected to each switch, instead of showing all end nodes (the default) which can present a cluttered display where a large number of end nodes are connected to the OpenFlow switches. In the topology display: • To display or remove port numbers for the links, press P or select View→Ports. • To pin or unpin the switches and end nodes, press X or select View→Pin All.
2. Select the destination node and press D or click Dst. The controller displays the path between the two nodes as a red line (see Figure 16 (page 43)). Figure 16 Locating the shortest path between two nodes To exchange source and destination nodes, press A. To clear the source and destination flags, press Z. 3.12.1.
Figure 17 Flow details for the selected source-destination end nodes Using the fields in the Abstract Packet window, search for flow rules for packets having criteria dictating a path other than shortest path, for example, by entering port 80 for HTTP packets. Figure 18 Searching for flows for specific packet types 3.13 OpenFlow trace display This troubleshooting tool logs OpenFlow conversations captured in messages to and from the controller and the OpenFlow devices it manages.
3.13.2 OpenFlow trace display details Screen component Description Starts trace logging. In the default configuration, the trace stops after ten seconds have passed. (To change the trace interval, see “Changing the OpenFlow trace interval ” (page 48).) Stops trace logging before the end of the configured trace interval. Trace logging stops automatically at the end of the configured trace interval. Multiple consecutive traces can be held in the trace log.
Figure 19 Displaying event details 3. To close the Event Detail window, click Close. 3.13.5 Exporting the OpenFlow trace log Exporting an OpenFlow Trace Log places the trace content in a CSV file that is stored in the default downloads folder specified in your web browser settings. For more information about CSV files, see RFC 4180. NOTE: This section shows how to export and access OpenFlow Trace Log files using Google Chrome.
3.13.6 Filtering the OpenFlow trace log in a CSV file 1. Open the CSV file in the default folder. For example, using Google Chrome, open the menu adjacent to the file name (of-trace.csv) and select Show in folder. Figure 20 Accessing the stored CSV file In the resulting folder listing, locate the of-trace.csv file and open it using an application, such as Excel, that enables you to read the log messages and configure a filter. For example, to investigate the messages collected for data path 00.00.00.00.
Figure 23 Applying the filter
5. In the resulting display, only the data filtered to data path 00:00:00:00:00:00:00:02 appears.
Figure 24 Filtered trace log
3.13.7 Changing the OpenFlow trace interval
The default trace interval is ten seconds. To change the interval:
1. From the navigation menu, select Configurations.
2. Open the com.hp.sdn.ctl.of.impl.TraceManager component.
3. Click Modify.
4. In the Value field, enter the desired duration in seconds for active trace recording.
5. Click Apply to set the new time span for active trace recording, and return to the OpenFlow Trace view.
3.14 OpenFlow classes display
The OpenFlow classes display shows the OpenFlow classes that applications have registered with the controller. For more information about OpenFlow classes, see “About OpenFlow classes” (page 49).
3.14.
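The filtering step of 3.13.6 (open of-trace.csv and keep only the rows for one data path) can also be done in a script, which is handier when a trace has been run several times and holds thousands of lines. The following is an added example and not part of the guide or the product: the column names and the sample rows are constructed for the example, so the real export's header may differ and the data-path column name is a parameter. The filter accepts both spellings of a data path ID that the guide uses (colon-separated and dot-separated), and a small tally of message types per data path is included because that is usually the first question when a path is broken.

```python
import csv
import io
import re

# Constructed sample of an exported trace log. The header is an assumption for
# this example; check the first line of a real of-trace.csv before relying on it.
SAMPLE_TRACE_CSV = """\
Time,Data Path,Direction,Message Type,Details
2014-03-01 10:00:00.101,00:00:00:00:00:00:00:01,RX,PACKET_IN,"in_port=1, len=60"
2014-03-01 10:00:00.105,00:00:00:00:00:00:00:02,TX,FLOW_MOD,"priority=100, match=in_port=2"
2014-03-01 10:00:00.110,00:00:00:00:00:00:00:02,RX,PACKET_IN,"in_port=3, len=98"
2014-03-01 10:00:01.000,00:00:00:00:00:00:00:01,TX,PACKET_OUT,"out_port=2"
2014-03-01 10:00:01.250,00:00:00:00:00:00:00:02,RX,ECHO_REQUEST,""
"""


def normalize_dpid(value):
    """Return a data path ID as 16 lowercase hex digits, accepting the colon,
    dot, or bare-hex spellings used in the guide and in the CSV export."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value)
    if len(digits) != 16:
        raise ValueError("not a 64-bit data path ID: %r" % value)
    return digits.lower()


def filter_trace(csv_text, dpid, dpid_column="Data Path"):
    """Parse an RFC 4180 CSV export (quoted fields may contain commas) and
    return the rows, as dicts, whose data path matches dpid after normalization."""
    wanted = normalize_dpid(dpid)
    reader = csv.DictReader(io.StringIO(csv_text))
    if dpid_column not in (reader.fieldnames or []):
        raise KeyError("column %r not found in header %r" % (dpid_column, reader.fieldnames))
    return [row for row in reader if normalize_dpid(row[dpid_column]) == wanted]


def count_by_type(rows, type_column="Message Type"):
    """Tally message types in the filtered rows. A switch that only ever
    produces PACKET_IN and never receives a FLOW_MOD stands out immediately."""
    counts = {}
    for row in rows:
        counts[row[type_column]] = counts.get(row[type_column], 0) + 1
    return counts


if __name__ == "__main__":
    rows = filter_trace(SAMPLE_TRACE_CSV, "00:00:00:00:00:00:00:02")
    for row in rows:
        print(row["Time"], row["Direction"], row["Message Type"], row["Details"])
    print(count_by_type(rows))
```

To run it against a real export, read the file with `open("of-trace.csv").read()` in place of SAMPLE_TRACE_CSV and pass the header's actual data-path column name if it is not "Data Path".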
3.14.2 Controller enforcement levels for OpenFlow classes
The following table lists the enforcement levels that the controller can use for applications that send flows to switches.
Enforcement level: Description
• none: The controller does not manage flow modification priorities or validate flow modification requests:
  • Applications that do not register OpenFlow classes with the controller are permitted to send flow modifications to switches.
3.14.4 Changing the enforcement levels for OpenFlow classes To change the enforcement level the controller applies to applications sending flows to switches, change the value for the flow.mod.enforcement key of the com.hp.sdn.ctl.of.impl.ControllerManager configuration component. For more information about configuration components, see “Configurations screen” (page 25). For information about the enforcement levels the controller can apply, see “Controller enforcement levels for OpenFlow classes” (page 50).
4 License Registration and Activation 4.1 Overview NOTE: SDN applications can require licenses that are separate from the licenses for the controller. Typically, you must have both a license for the controller and a license for each application. For HP SDN applications, you register the license, obtain the license key, and activate the license on the controller using the same methods you use to register and activate controller licenses.
4.2 Preparing for license registration 4.2.1 Verifying registration prerequisites Before beginning the license registration and activation process, be sure you have: • Obtained an HP My Networking portal user account. • Obtained the order number or product registration ID, and e-mail address from your HP VAN SDN Controller license order confirmation. • Installed the HP VAN SDN Controller software and have the controller running, as described in the HP VAN SDN Controller Installation Guide. 4.2.
3. Enter your order number or registration ID in the field provided (above), and then click Next. • If you enter a registration ID, go to “step 5” (page 54). • If you enter an order number, the Email field appears, as shown in Figure 26. Figure 26 Entering an e-mail address 4. In the Email field, enter either the “Ship to” or “Sold to” e-mail address listed in your sales order confirmation, and then click Next. A license selection screen appears, as shown in Figure 27.
NOTE: • For an HP VAN SDN Ctrl Base SW w/ 50–node E-LTU license, the quantity must be 1. • For HP VAN SDN Ctrl 50–node E-LTU or HP VAN SDN Ctrl HA E-LTU licenses, quantity is the number of licenses to be installed with a single Install ID. • For information on using this process for an application license, see the administrator guide for that application. The registration details screen appears, as shown in Figure 28. Figure 28 Entering the install ID 6. 7. 8.
Figure 29 Accepting the license agreement 9. To continue after reading the license agreement, select I accept all of the above terms, and then click Finish. The confirmation screen appears, as shown in Figure 30. Figure 30 Reviewing your registration 10. Review your license registration details, and record the License key listed. 11. Optional: To download the license key file, click Save as, and then save it to your local hard drive.
12. Optional: To e-mail the registration details: a. Enter one or more e-mail addresses, separated by a comma or semi-colon in the field provided. b. Optional: Enter Comments about this license. c. Click Send email. 13. Optional: If you want to register additional licenses for this order: a. Click Register more for this order to return to the license selection screen shown in Figure 27. b. Repeat steps “5” (page 54) through 13 until you have registered all licenses. To view your license information: 1.
Figure 33 Viewing your license and other information Record the license key in the above screen for use when you activate the license on the controller. 4.5 Activating a license on the controller To activate a license on the controller, you must add the license key. If the controller has no licenses listed, enter the license key for the HP VAN SDN Ctrl Base SW w/50–node E-LTU before you add any other license keys. Use the following procedure to add and activate a license using the controller UI. 1.
Figure 34 Enter the License Key 3. To activate the license, click on the Add button shown in Figure 34 (page 59). The active license is displayed in the table below the Install ID and the Add button is greyed out: Figure 35 Active License Displayed on License screen 4.6 Managing licenses 4.6.1 Transferring licenses You can transfer a license from one controller to another. To do so, you must first uninstall all licenses from the controller.
4.6.1.1 Uninstalling licenses to prepare for transfer When you deactivate a license, the controller generates an Uninstall Key for that license, which you will need when you transfer the license. Be prepared to record the Uninstall Key for each license you deactivate. The Uninstall Key is a long text string. For example: AE2RCLT7CJMDI-MAGAQHS2NBTOB-6VM4QKEQ4HAEZ-3AY4QELRPG4AA-3EMHQELRPGAYQ To uninstall a license using the controller UI, use the following procedure. 1.
Figure 37 Reviewing details before transfer 5. Verify that this is the license you want to transfer, and then click Next. The target install ID screen appears (Figure 38). Figure 38 Entering target install and uninstall IDs 6. In the screen in Figure 38, do the following: 1. In the Target Install ID field, enter the Install ID of the controller to which you want to transfer the license. 2. In each Uninstall field, enter a license uninstall key. (For more on acquiring uninstall keys, see Section 4.6.1.1.
NOTE: In order for the transfer process to succeed, you must enter an Uninstall value for every registered license. 3. Click on the Transfer button in the lower-right corner of the screen. New license registration information displays on the license transfer confirmation screen and license details screen, as shown in Figure 39. Figure 39 Viewing license transfer confirmation and details screens 7. 8. 9. Review the confirmation screen details.
5 SDN Controller authentication 5.1 SDN Controller security guidelines The HP VAN SDN controller communicates with different components, both internal and external to the controller, via secure channels. This section documents these channels, their defaults, and how to configure them in a deployment environment. 5.2 SDN Controller authentication The SDN Controller identifies itself via Public-Key Infrastructure (PKI) for its communication with external subsystems and other controllers.
8. Replace your self-signed certificate in your serverKey entry with the signed certificate from your CA (signed.cer):
   keytool -importcert -keystore keystore -file signed.cer -alias serverKey
9. If you are operating a team of controllers in your environment, turn off self-signing for inter-controller communication: under /opt/sdn/virgo/repository/usr, change the "selfsigned" value to false in the following component file:
   com.hp.sdn.misc.ServiceRestComponent.properties
10.
Figure 41 Components that reference controller keystore and truststore The values for keystore and keystore.password contain the keystore location and encrypted keystore password respectively. The values for truststore and truststore.password contain the truststore location and encrypted truststore password respectively. 5.5 Configuration encryption Sensitive information such as tokens and passwords are stored encrypted on the SDN Controller.
must be signed by the same CA, so that the TLS connection will be established. See your switch’s manual for information about configuring TLS on your switch. 5.6.2 Openflow Controller keystore and truststore locations and passwords The Openflow Controller’s configurations for keystore/truststore are located in the com.hp.sdn.ctl.of.impl.ControllerManager configuration. The keystore and keystore.password properties capture the location of the keystore and the password of the keystore respectively.
5.7.1 Openstack Keystone The SDN Controller uses Openstack Keystone as an identity management for managing users, generating tokens, as well as token validation. Upon installation, the SDN Controller creates the following users and roles: • User: sdn – This is the primary user that operates different SDN REST and UI operations. The sdn user has roles sdn-user and sdn-admin. • User: rsdoc – This is the primary user that is associated with API documentation operations. The rsdoc user has sdn-user role.
One can continue using the same token for different SDN Controller APIs within the default 24-hour period since token creation. If desired, one can change this default 24-hour timeout in the /etc/keystone/keystone.conf file. (See the OpenStack Keystone Administration Guide for more information.) The CachedTokenTTL value under the configuration properties of com.hp.sdn.adm.auth.impl.AuthenticationManager needs to match the timeout set by Keystone as well, to allow efficient caching of tokens.
5.7.
2. Modify the /opt/sdn/virgo/bin/dmk.sh script to add the following option to the list of JMX_OPTS:
   -Dsdn.signedJar=none
   For example:
     cd $KERNEL_HOME; exec $JAVA_EXECUTABLE \
       $JAVA_OPTS \
       $DEBUG_OPTS \
       $JMX_OPTS \
       -XX:+HeapDumpOnOutOfMemoryError \
       -XX:ErrorFile=$KERNEL_HOME/serviceability/error.log \
       -XX:HeapDumpPath=$KERNEL_HOME/serviceability/heap_dump.hprof \
       -Dsdn.signedJar=none \
       -Djava.security.auth.login.config=$AUTH_LOGIN \
       -Dorg.eclipse.virgo.kernel.authentication.file=$AUTH_FILE \
3.
The SDN Administrator daemon can be accessed via the REST API over HTTPS on port 8081. Access is secured through either token-based authentication or basic authentication against the locally running Keystone server, the same server used by the main SDN Controller REST API.
5.13 JMX console
The JMX console is enabled only for local access by default. It is used by the controller for metering and can also be used for debugging. To enable remote access to the JMX console, edit /opt/sdn/virgo/bin/dmk.sh. The following line determines whether JMX allows remote access:
-Dcom.sun.management.jmxremote.local.only=true \
Any change to this file requires a controller restart to take effect.
5.14 Security practices
5.14.1 Security procedure
15. Update /opt/sdn/virgo/bin/dmk.sh to insert environment variables that set the sdnjar_trust.jks values in the controller.
a. Under the line containing “XX:HeapDumpPath...” add -DSDN.trustpas=.
b. Restart the Keystone service (sudo service keystone restart).
16. Restart the controller.
5.14.2 Recommended administrative rules
Observing these rules can help to prevent unauthorized access to the controller:
• Do not enable shell history on your controller.
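Two dmk.sh settings in this chapter decide how exposed the controller is: the JMX line in section 5.13 controls whether the console accepts connections from other hosts, and the -Dsdn.signedJar=none option added earlier turns off the signed-JAR requirement for applications. The bash script below is an added example, not part of the HP guide or the controller, that audits a dmk.sh for both settings; the launcher fragments and the WARN messages are constructed for the demonstration, and reading signedJar=none as disabling signature checking is this example's interpretation of the option name.

```shell
#!/bin/bash
# Added example, not from the HP VAN SDN Controller guide: audit the JVM
# options in a dmk.sh launcher for two settings discussed in this chapter.
#   -Dsdn.signedJar=none                            -> JAR signature check off
#   -Dcom.sun.management.jmxremote.local.only=false -> JMX reachable remotely
# Option names come from the guide; the finding text is this example's own.

# Constructed dmk.sh fragment with both permissive settings (for the demo).
SAMPLE_DMK=$(cat <<'EOF'
JMX_OPTS="-Dcom.sun.management.jmxremote.local.only=false"
cd $KERNEL_HOME; exec $JAVA_EXECUTABLE \
  $JAVA_OPTS \
  $JMX_OPTS \
  -XX:+HeapDumpOnOutOfMemoryError \
  -Dsdn.signedJar=none \
  -Djava.security.auth.login.config=$AUTH_LOGIN \
EOF
)

# Constructed fragment in its hardened form: local-only JMX, and the
# signedJar option simply absent, as in the stock launcher.
HARDENED_DMK=$(cat <<'EOF'
JMX_OPTS="-Dcom.sun.management.jmxremote.local.only=true"
cd $KERNEL_HOME; exec $JAVA_EXECUTABLE \
  $JAVA_OPTS \
  $JMX_OPTS \
  -Djava.security.auth.login.config=$AUTH_LOGIN \
EOF
)

# audit_dmk_opts FILE
# Prints one "WARN ..." line per permissive setting found in FILE after
# dropping shell comments (a commented-out option does not count).
# Returns 0 when the file is clean, 1 when any finding was printed,
# 2 when the file cannot be read.
audit_dmk_opts() {
    local file="$1" opts findings=0
    [ -r "$file" ] || { echo "ERROR cannot read $file" >&2; return 2; }
    opts=$(sed -e 's/#.*$//' "$file")

    if printf '%s\n' "$opts" | grep -q -- '-Dsdn\.signedJar=none'; then
        echo "WARN $file: -Dsdn.signedJar=none turns off the application JAR signature check"
        findings=$((findings + 1))
    fi
    if printf '%s\n' "$opts" | grep -q -- 'jmxremote\.local\.only=false'; then
        echo "WARN $file: JMX console accepts remote connections (jmxremote.local.only=false)"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Demo: audit the file named on the command line, or the constructed sample.
demo_file="${1:-}"
if [ -z "$demo_file" ]; then
    demo_file=$(mktemp)
    printf '%s\n' "$SAMPLE_DMK" > "$demo_file"
fi
audit_dmk_opts "$demo_file" || echo "Review the settings above before the controller is exposed."
```

Run it against the live file with `bash audit_dmk.sh /opt/sdn/virgo/bin/dmk.sh`; a non-zero exit status means at least one permissive setting is present.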
6 Hybrid mode for controlling packet-forwarding 6.1 Overview The hybrid mode setting determines which packet-forwarding decisions are made by controlled OpenFlow switches and which of these decisions are made by the controller itself. • If hybrid mode is enabled (the default setting), the controller delegates normal packet forwarding to the controlled switches, but overrides these switches for non-standard packet-forwarding decisions required by installed applications for specific packet types.
Figure 44 Select the hybrid.mode Value field
In Figure 44 (page 74), the hybrid.mode field shows the current setting. Continue with the following steps if you want to change the setting.
7. Set hybrid.mode to one of the following:
• true (the default): Enables hybrid mode. The controller makes the packet-forwarding decisions required by installed applications.
• false: Disables hybrid mode. The controller makes all forwarding decisions. (Release 2.
See the OpenFlow documentation for the specific switch. See the latest OpenFlow documentation for HP switches for details on how to configure passive/active mode (where applicable) and for how such switches behave if they lose their control-plane connection to the controller. 6.3.2 Configuring controller settings to support hybrid mode Network-related settings on the controller must agree with the controlled switches.
Table 3 Controller settings to support hybrid mode (continued)
Controller Configurations: Component / Key / Comments
NOTE: Whenever you change the value of either age.multihop.links or multihop.poll.interval, the "OpenFlow Link Discovery" app must be bounced (restarted) so that the new values take effect.
com.hp.sdn.disco.of.node.impl.OfDhcpDiscoveryComponent / dhcp.age: Set this value equal to or greater than your network's DHCP lease time. Timeout (in minutes) for nodes learned via DHCP.
com.hp.sdn.
NOTE: For information about version support for ip-control-table-mode command options, see HP VAN SDN Controller and Applications Support Matrix. For information about version support for hardware-only mode, see HP VAN SDN Controller and Applications Support Matrix. NOTE: OpenFlow 1.0 is the default version of OpenFlow for HP ProVision switches. OpenFlow does not allow the controller to optimize flow location in hardware tables.
6.4.1 Controller packet forwarding when hybrid mode is enabled
Figure 47 Controller operation with hybrid mode enabled
When hybrid mode is enabled (the default), the specific packet types for which the controller monitors and overrides switch forwarding rules depend on the applications installed and running in the controller.
7 Team configuration Standalone controller operation provides management for the OpenFlow switches in a network. However, it does not provide high availability (HA), with the result that a controller failure leaves the network in an unmanaged state. Configuring a team of controllers and a corresponding controller region creates a high availability network with failover capability, resulting in a continuously managed network in the event that a controller in the team goes down.
7.2 Team management
Each controller belonging to a team is a team member. To centralize team management and control, one controller is designated as the team leader. Teaming is configured on one controller and is automatically propagated to the other controllers in the team, regardless of which controller becomes the team leader.
NOTE: The default domain and user settings are sdn. The default password setting is skyline. Examples of cURL commands in this guide use the --noproxy option, which is appropriate where execution of cURL commands does not need a proxy to access controllers. If your network is set up such that a proxy is needed to access controllers, use the --proxy option. For details on cURL proxy options, visit http://curl.haxx.se/docs/manpage.html.
Example 1 Configuration example
This example shows a team of controllers configured with the following team member values:
Team IP Address: 192.0.2.100
Member IP Addresses: 192.0.2.119, 192.0.2.125, 192.0.2.127
Domain: sdn (the default domain name)
Username: myname
Password: mypass
NOTE: It is not mandatory that the team IP address be in the same subnet as the member IP addresses. Other IP aliases can be used if the appropriate IP routes are present for the addresses to be reachable and usable.
1.
401 Unauthorized
503 Service unavailable
If the team is not created on a quorum of controllers, or if the team is only partially created, an alert is posted. Example of the alert description for a partially created team:
"Team partially created: [Successes: 192.168.1.1, 192.168.1.2], [Failures: 192.168.1.3]"
The cause of each failure is not part of the alert; an entry describing the error is added to the log files instead.
2. Using the token acquired in the preceding step, execute this cURL command to view the team configuration:
curl --noproxy member-ip --header "X-Auth-Token:auth_token" --fail -ksSfL --request GET --url https://member-ip:8443/sdn/v2.0/team
For example:
curl --noproxy 192.0.2.100 --header "X-Auth-Token:auth_token" --fail -ksSfL --request GET --url https://192.0.2.100:8443/sdn/v2.0/team
The resulting team configuration output includes the following:
{ "team": { "ip": "192.0.2.
Possible responses
Because team deletion is asynchronous, the response is always 202 unless there is a problem configuring the local controller as standalone. Possible codes:
202 Accepted
400 Bad request
401 Unauthorized
503 Service unavailable
If the team is not deleted on a quorum of controllers, or if the team is only partially deleted, an alert is posted. Example of the alert description for a partially deleted team:
"Team partially deleted: [Successes: 192.168.1.1, 192.168.1.2], [Failures: 192.168.1.
NOTE: In teamed controller operation, maintaining the integrity of the controller state information requires that a minimum of two controllers in a team of three be active at all times. The failure of all but one of the controllers places the entire team in a SUSPEND state, and the domain serviced by the team becomes unmanaged. (The remaining teamed controller does not operate in standalone mode.) A controller may also transition to the Suspended state for health-related reasons.
Table 4 Error log for team configuration (continued) Log message Description to those controllers where the operation was a success. To recover from this failure it is recommended to delete the team on each failed controller so configuration files are removed and so the controllers transition to standalone mode. Table 5 Success log Message Description Team created. Team created with the following configuration: [Team IP: , [Members]. Team disbanded.
8 Regional configuration 8.1 Overview This chapter describes the configuration needed to support High Availability (HA) for SDN Controllers to OpenFlow switches. This is done by creating region configurations in the controllers using the REST APIs provided by the Role Orchestration Service (ROS). Putting the region configurations in place in a controller team ensures seamless failover and failback among the configured controllers for the specified network devices in a region.
8.2 Creating a region
A region should have a minimum of two controllers. This example illustrates the cURL command to use for creating a new region definition with the following controllers and devices:
Master Controller: 15.146.194.80 (Controller_1)
Slave Controllers: 15.146.194.103 (Controller_2), 15.146.194.38 (Controller_3)
OpenFlow Switches: 10.250.100.20, 10.250.100.
8.3 Acquiring a region UID
The region ID is required for updating, refreshing, or deleting a region. The cURL command to use for acquiring a region is:
Syntax
curl --noproxy --header "X-Auth-Token:" --header "Content-Type:application/json" --fail -ksS --request GET --url https://:8443/sdn/v2.0/regions/
For example, the following command acquires the region ID (uid) for the controller team in the region created in “Creating a region” (page 89).
curl --noproxy 15.
8.5 Refreshing a region
In case of an inconsistency, and as a troubleshooting feature, you can initiate a re-assertion of the configured roles in a region by using the "refresh" cURL command. This command refreshes all devices in the region.
curl --noproxy controller_ip --header "X-Auth-Token:auth_token" --header "Content-Type:application/json" --fail -ksS --request POST --url https://controller_ip:8443/sdn/v2.
9 Backing up and restoring
This chapter describes controller backup and restore actions using cURL commands. For the REST APIs related to backup and restore, go to /restore and /backup in the RSdoc facility on the controller. (Using a Google Chrome browser window on the controller, enter https://system_ip_address:8443/api.)
NOTE: You cannot use RSdoc to download or upload files.
NOTE: The default domain name is sdn. The default username is also sdn. The default password is skyline. The controller does not save a non-default domain, user name, or password across a backup. If you change these settings to non-default values and later back up the controller, the backup file contains the default settings. Restoring that backup to the controller later resets the domain, user name, and password to their defaults in the controller.
"https://controller_ip:8443/sdn/v2.0/systems/controller_uid" --data-binary '{"system":{"ip":"controller_ip"}}' 4. Perform the actual backup using the following cURL command: curl --noproxy controller_ip --header "X-Auth-Token:auth_token" --fail -ksS --request POST --url "https://controller_ip:8443/sdn/v2.0/backup" 5. Get the checksum to verify the backup file has not been corrupted.
9.2 Restoring a controller from a backup 9.2.1 Restore operation NOTE: To restore a controller from a backup, it is necessary to re-install the controller. • In a controller team environment each active controller is restored as a single system. • When the controller is deployed in a VM, standard VM restore tools (such as Snapshot or Clone) can be used.
...done. Adding SDN-related items to Keystone... keystone stop/waiting keystone start/running, process 11514 ...done. Setting up hp-sdn-ctl (1.11) ... Certificate was added to keystore CTL_RESTORE_INSTALL_MODE option is set SDN controller will be started in restore mode sdna start/running, process 11633 sdnc start/running, process 11636 Processing triggers for ureadahead ... CAUTION: Do not re-install any applications before you complete the restore process.
curl --noproxy controller_ip --header "X-Auth-Token:auth_token" --fail -ksSfL --request GET --url "https://controller_ip:8443/sdn/v2.0/systems"
• If fewer than a quorum of controllers are restored, those controllers are updated to the latest state of the running team via HA synchronization. (A quorum is n/2+1, where n is the total number of controllers in a team. In a three-controller team, a quorum is two controllers.
10 Requirements for applications 10.1 Application requirements Any application to be installed using application manager on the controller must meet the following requirements: • It must be in a zip format. • The zip file must be on the same system as the controller. • It must contain an application descriptor file containing key value pairs of the attributes associated with the application. 10.
10.4 Application zip file content criteria The application zip file contains all of the component files that make up an OSGi application. In order for the Application Manager to accept this as a valid application, certain criteria must be met: • Must contain one file with a “.descriptor” extension containing the key-value pairs described above. • Must contain at least one bundle (JAR), PAR, or WAR file. • All application component files must be valid OSGi artifacts.
Table 7 Application States (continued)
State / Description
UNINSTALLING: A transitive state indicating that an application is being stopped and completely removed from the controller.
RESOLVED: The application is stopped and not servicing requests. An application can only be in this state when it is stopped externally to the SDN Controller (e.g. from the Virgo console).
11 Troubleshooting 11.1 License troubleshooting Table 9 lists recommended solutions for possible error messages that may display during the controller license registration and activation process. Table 9 Error messages and recommended solutions Symptom Possible cause and recommendation Redeem quantity error You specified a license quantity that exceeds what your license type supports. 1. Return to the My Network portal license selection screen. 2.
11.4 Application management exceptions Table 10 Application management exceptions • ApplicationDisableException: Indicates that an application cannot be disabled. ◦ Occurs when an app is STAGED or UPGRADE_STAGED, or something else has gone wrong (specified in error message) ◦ HTTP code: 500 • ApplicationEnableException: Indicates that an application cannot be enabled. ◦ Occurs when an app is not DISABLED, or something else has gone wrong (as specified in the error message).
11.5 Performance testing
Measuring flows (packets) per second
To measure flows per second for performance testing, disable the additional processing required by the learn.ip key of the com.hp.sdn.ctl.nodemgr.impl.NodeManager component by setting the value of the key to false.
1. From the navigation menu, select Configurations.
2. Select the com.hp.sdn.ctl.nodemgr.impl.NodeManager component.
3. Click Modify.
Figure 49 Display the learn.ip option
5. For the learn.ip key, enter false in the Value box.
11.6 Application management errors
• If the Application Management framework is able to detect a failure to start an application in the OSGi runtime environment, the application is automatically moved to the DISABLED state.
◦ Correct the OSGi runtime conditions.
◦ Enable the application.
• If an unexpected error condition occurs when manipulating an application (file I/O exception, missing files, etc.), the application is left in a transitive state.
11.7.2.2 Run the packet generator process
1. Authenticate using the following cURL command:
curl --noproxy controller_ip -X POST --fail -ksSfL --url "https://controller_ip:8443/sdn/v2.0/auth" -H "Content-Type: application/json" --data-binary '{"login":{"domain":"sdn","user":"sdn","password":"skyline"}}'
2. Collect the source and destination end host details using the NodeManager REST API via RSdoc or the CLI. For example:
https://controller-ip-addr:8443/sdn/v2.
{ "ip": "10.0.0.8", "mac": "e6:12:8e:f9:03:64", "vid": 0, "dpid": "00:00:00:00:00:00:00:08", "port": 1 }, { "ip": "10.0.0.7", "mac": "12:94:57:f7:cb:66", "vid": 0, "dpid": "00:00:00:00:00:00:00:07", "port": 1 }, { "ip": "10.0.0.4", "mac": "82:a3:85:71:63:bf", "vid": 0, "dpid": "00:00:00:00:00:00:00:04", "port": 1 } ] } 3. Register a packet which needs to be injected in the network for tracing the path. For example TCP packet with destination port as 21. POST https://controller_ip:8443/sdn/v2.
"ip_ident": 0, "ip_dscp": "CS0", "ip_ecn": "NOT_ECT" }, "tcp": { "tcp_src": 12345, "tcp_dst": 20 } } } 4. Set the observation post on the switch where the destined end host is connected. post /diag/observations. NOTE: An alert is generated for an operation such as setting or removing an observation post. These alerts can be viewed by using the Alert Log in the controller UI. Destination end host ( 00:00:00:00:00:05 ) is connected to switch having dpid as 00:00:00:00:00:00:00:01 .
"in_phy_port":9 } ], "packet_uid": "2096432597", "status": "OK", "type": "TCP", } } 7. If the packet has reached the destined observation post , it means the connectivity is between the source and the end host is good. For example, user sees the "status": "OK", // inference packet reached the observation above. 8. 9. In case the destined observation post has not received the trace packet , it means it is being dropped by one of the intermediate hops.
12 Support and other resources To learn how to contact HP, obtain software updates, submit feedback on documentation, and locate links to HP SDN websites and other related HP products, see the following topics. 12.
12.4.1 Care packs To supplement the technical support provided with the purchase of a license, HP offers a wide variety of Care Packs that provide full technical support at 9x5 or 24x7 availability with annual or multi-year options. To purchase a Care Pack for an HP SDN application, you must have a license for that application and a license for the controller. For a list of Care Packs available for the controller and HP SDN applications, see: http://www.hp.
13 Documentation feedback HP is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hp.com). Include the document title and part number, version number, or the URL when submitting your feedback.
A cURL commands
The HP VAN SDN Controller provides a RESTful web service API. There are several tools available for accessing RESTful web service APIs, one of which is cURL. This appendix shows examples of accessing the HP VAN SDN Controller's RESTful web service API with cURL. For details on installing the curl application, see http://curl.haxx.se/download.html. The cURL application has many options, which are described in detail in the cURL manual (run "curl --manual") and at http://curl.haxx.
1. Use the following command to obtain the SDN controller-assigned install_id value. curl [options] -H "X-Auth-Token:" \ https://:8443/sdn/v2.0/licenses/installid • Replace with the token created in step 2. • Replace with your controller IP address. NOTE: If you are installing a High Availability license, enter the IP address of the lead controller. A numerical install_id appears. For example: 1249679 2.
1. Use the following command to obtain information about all installed licenses on your controller. curl [options] -H "X-Auth-Token:" \ https://:8443/sdn/v2.0/licenses • Replace with the token created in step 1. • Replace controller_ip with your controller IP address. NOTE: If you are uninstalling a High Availability license, enter the IP address of the lead controller. The installed license information appears in JSON format, as shown below.
The license uninstall key appears in JSON format, as shown below. Example 4 License uninstall key output { "license" : { "install_id" : 1249679, "serial_no" : 13, "license_metric" : "HA Controller", "product" : "HP VAN SDN Ctrl Base", "metric_qty" : 500, "license_type" : "PRODUCTION", "base_license" : false, "creation_date" : "2013-09-06T00:26:52.248+0000", "activated_date" : "2013-09-06T00:26:52.248+0000", "expiry_date" : "2014-01-14T00:26:52.
"catalog_id": "", "deployed": "2014-06-18T19:22:50.890Z", "desc": "Link Management", "download_url": "", "name": "Link Manager", "product_id": "", "sku": "", "state": "ACTIVE", "uid": "com.hp.sdn.ctl.linkdisco", "vendor": "Hewlett-Packard", "version": "2.3.5.6370" } ] } A.3.2 Listing information about an application Form curl [options] -H "X-Auth-Token:" \ https://:8443/sdn/v2.0/apps/ Example curl -ksS -H "X-Auth-Token:3d61f0d3e61349359e6dbd82ec02c113" \ https://10.0.1.
Example curl -ksS -H "X-Auth-Token:3d61f0d3e61349359e6dbd82ec02c113" -w %{http_code} \ -X HEAD https://10.0.1.42:8443/sdn/v2.0/apps/com.hp.sdn.ctl.diag/health Example output 200 A.3.4 Uploading an application (new or upgrade) Form curl [options] -H "X-Auth-Token:" \ -X POST https://:8443/sdn/v2.0/apps/ \ --data-binary @ Example curl -ksS -H "X-Auth-Token:3d61f0d3e61349359e6dbd82ec02c113" \ -X POST https://10.0.1.42:8443/sdn/v2.
A.3.5 Installing a new application Form curl [options] -H "X-Auth-Token:" \ -X POST https:///action \ -d install Example curl -ksS -H "X-Auth-Token:3d61f0d3e61349359e6dbd82ec02c113" \ -X POST https://10.0.1.42:8443/sdn/v2.0/apps/com.geewiz/action \ -d install Example output { "app": { "action": "NONE", "catalog_id": "", "deployed": "2014-06-18T21:46:39.
"version": "2.0.0" } } A.3.7 Disabling an application Form curl [options] -H "X-Auth-Token:" \ -X POST https://:8443/sdn/v2.0/apps//action \ -d disable Example curl -ksS -H "X-Auth-Token:3d61f0d3e61349359e6dbd82ec02c113" \ -X POST https://10.0.1.42:8443/sdn/v2.0/apps/com.geewiz/action \ -d disable Example output { "app": { "action": "NONE", "catalog_id": "", "deployed": "2014-06-18T23:04:25.
"sku": "", "state": "ACTIVE", "uid": "com.geewiz", "vendor": "Gee Wiz, Inc.", "version": "2.0.0" } } A.3.9 Removing a staged application This curl request is used to remove a newly uploaded application before it is installed or upgraded. It has no output. Form curl [options] -H "X-Auth-Token:" \ -X POST https://:8443/dn/v2.0/apps//action \ -d cancel Example curl -ksS -H "X-Auth-Token:3d61f0d3e61349359e6dbd82ec02c113" \ -X POST https://10.0.1.42:8443/sdn/v2.0/apps/com.
B Scripts
B.1 Configuring a controller team
This script configures a team composed of three controllers.
NOTE: Because the scripts in this appendix cross page boundaries, be careful to avoid including the page number when copying a script. Copying a script one page at a time can prevent inclusion of page numbers.
#!/bin/bash
#------------------------------------------------------------------------------
# Copyright 2013 Hewlett Packard Co.
#------------------------------------------------------------------------------
export BACKUP_DIR="/opt/sdn/backup"
export BACKUP_TEAM_DIR="/opt/sdn/team_backup"
export TEAM_BACKUP_STATUS_FILE="$BACKUP_TEAM_DIR/teamBackup_status"
export TEAM_BACKUP_LOGFILE="$BACKUP_TEAM_DIR/teamBackup_log.
backupUrl="https://$backupIp:8443/sdn/v2.0/backup"
# Download the backup, then fetch the controller's checksum and compare it
# with the digest of the file actually received.
get $backupIp $backupAuth $backupUrl > $fileName
expected=`get $backupIp $backupAuth "$backupUrl/checksum"`
actual=$(sha256sum "$fileName" | cut -d ' ' -f1)
if [ "$expected" != "$actual" ]; then
echo "Checksum failure: expected $expected but got $actual."
exitBackup 1
fi
teamBackup_log "Successfully copied backup MD5 file from $backupIp.
fi
done
}
#-----------------------------------------------------------------------------
# Function teamBackup_log ( )
# Writes messages to the log for the team backup operation.
#-----------------------------------------------------------------------------
function teamBackup_log {
msg="$1"
echo "$msg" | tee -a $TEAM_BACKUP_LOGFILE
}
#-----------------------------------------------------------------------------
# Function exitBackup ( )
# Exits the backup.
function extractJSONString {
json=$1
field=$2
# Strip quotes, split the JSON on commas and braces, and keep the value of
# the requested field (everything after the first colon).
json=`echo $json | tr -d '"' | sed -e 's/\,\|{/\n/g' | grep -w "$field" | \
cut -d ':' -f2-`
echo $json
}
#-----------------------------------------------------------------------------
# Function getAuthToken ( )
# Logs in and gets the authentication token.
#-----------------------------------------------------------------------------
function getAuthToken {
local nodeIP=$1
url="https://$nodeIP:8443/sdn/v2.
break
fi
sleep 10
for (( i=0; i<$numNodes; i++ )); do
# Skip the leader node check, since it will be done last.
[ "${ipArr[$i]}" == "$leaderIp" ] && continue
# Backup already completed for this node, so continue.
[ "${backupStatus[$i]}" == "SUCCESS" ] && continue
verifyBackupStatus $i
done
done
if [ $backup_complete -gt 1 ]; then
teamBackup_log "Backup of all member nodes took longer than $waitTime min. Aborting backup..."
teamBackup_log "To increase backup wait time, change BACKUP_WAIT_COUNT in the script.
exitBackup 1
fi
teamBackup_log "Extracted the team backup file successfully."
# Glob left outside the quotes so the wildcard expands.
rm -rf "$RESTORE_TEAM_DIR"/sdn_team_backup*
# Derive the member IP addresses from the per-controller backup file names.
backupIp=($(ls $RESTORE_BACKUP_FILESET | grep "zip$" | sed "s/.zip//" | \
sed "s/.Leader//" | sed "s/sdn_controller_backup_//"))
numBackup=${#backupIp[@]}
teamBackup_log "Found $numBackup backup file sets in the team backup file."
}
#-----------------------------------------------------------------------------
# Function create_restoreDir ( )
# Creates the team restore directory.
exitBackup 1
}
#-----------------------------------------------------------------------------
# Function restore_nodes ( )
# Restores only the specified node(s).
#-----------------------------------------------------------------------------
function restore_nodes {
local leaderindex=-1
local restoreIpArr=("$@")
local numNodes=${#restoreIpArr[@]}
for (( i=0; i<$numNodes; i++ )); do
# Get the auth token for a specific node.
break;
done
}
#-----------------------------------------------------------------------------
# Function post ( )
# Performs a POST of the specified data.
selective_restore=0
# Check for the unzip package.
command -v unzip &> /dev/null
if [ $? -ne 0 ]; then
echo "The unzip package must be installed to use this script."
exit 1
fi
# Check the user-specified script parameters.
if [ $# -lt 3 ]; then
echo "Usage : restoreTeam [ ...] "
echo " - user name to access the controller"
echo " - domain of the controller"
echo " [ ...