3 Service Function Chaining
4 =========================
6 OpenDaylight Service Function Chaining (SFC) Overview
7 -----------------------------------------------------
9 OpenDaylight Service Function Chaining (SFC) provides the ability to
10 define an ordered list of network services (e.g. firewalls, load
11 balancers). These services are then "stitched" together in the network
12 to create a service chain. This project provides the infrastructure
13 (chaining logic, APIs) needed for ODL to provision a service chain in
14 the network and an end-user application for defining such chains.
16 - ACE - Access Control Entry
18 - ACL - Access Control List
20 - SCF - Service Classifier Function
22 - SF - Service Function
24 - SFC - Service Function Chain
26 - SFF - Service Function Forwarder
28 - SFG - Service Function Group
30 - SFP - Service Function Path
32 - RSP - Rendered Service Path
34 - NSH - Network Service Header
42 The SFC User interface comes with a Command Line Interface (CLI): it provides
43 several Karaf console commands to show the SFC model (SF, SFFs, etc.) provisioned
47 SFC Web Interface (SFC-UI)
48 ~~~~~~~~~~~~~~~~~~~~~~~~~~
53 SFC-UI operates purely by using RESTCONF.
55 .. figure:: ./images/sfc/sfc-ui-architecture.png
56 :alt: SFC-UI integration into ODL
58 SFC-UI integration into ODL
63 1. Run ODL distribution (run karaf)
65 2. In Karaf console execute: ``feature:install odl-sfc-ui``
67 3. Visit SFC-UI on: ``http://<odl_ip_address>:8181/sfc/index.html``
70 SFC Command Line Interface (SFC-CLI)
71 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
76 The Karaf Container offers a complete Unix-like console that allows managing
77 the container. This console can be extended with custom commands to manage the
78 features deployed on it. This feature will add some basic commands to show the
79 provisioned SFC entities.
84 The SFC-CLI implements commands to show some of the provisioned SFC entities:
85 Service Functions, Service Function Forwarders, Service Function
86 Chains, Service Function Paths, Service Function Classifiers, Service Nodes and
87 Service Function Types:
89 * List one/all provisioned Service Functions:
93 sfc:sf-list [--name <name>]
95 * List one/all provisioned Service Function Forwarders:
99 sfc:sff-list [--name <name>]
101 * List one/all provisioned Service Function Chains:
105 sfc:sfc-list [--name <name>]
107 * List one/all provisioned Service Function Paths:
111 sfc:sfp-list [--name <name>]
113 * List one/all provisioned Service Function Classifiers:
117 sfc:sc-list [--name <name>]
119 * List one/all provisioned Service Nodes:
123 sfc:sn-list [--name <name>]
125 * List one/all provisioned Service Function Types:
129 sfc:sft-list [--name <name>]
131 SFC Southbound REST Plug-in
132 ---------------------------
137 The Southbound REST Plug-in is used to send configuration from datastore
138 down to network devices supporting a REST API (i.e. they have a
139 configured REST URI). It supports POST/PUT/DELETE operations, which are
140 triggered accordingly by changes in the SFC data stores.
142 - Access Control List (ACL)
144 - Service Classifier Function (SCF)
146 - Service Function (SF)
148 - Service Function Group (SFG)
150 - Service Function Schedule Type (SFST)
152 - Service Function Forwarder (SFF)
154 - Rendered Service Path (RSP)
156 Southbound REST Plug-in Architecture
157 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
159 From the user perspective, the REST plug-in is another SFC Southbound
160 plug-in used to communicate with network devices.
162 .. figure:: ./images/sfc/sb-rest-architecture-user.png
163 :alt: Southbound REST Plug-in integration into ODL
165 Southbound REST Plug-in integration into ODL
167 Configuring Southbound REST Plugin
168 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
170 1. Run ODL distribution (run karaf)
172 2. In Karaf console execute: ``feature:install odl-sfc-sb-rest``
174 3. Configure REST URIs for SF/SFF through SFC User Interface or RESTCONF
175 (required configuration steps can be found in the tutorial stated
181 Comprehensive tutorial on how to use the Southbound REST Plug-in and how
182 to control network devices with it can be found on:
183 https://wiki.opendaylight.org/view/Service_Function_Chaining:Main#SFC_103
191 SFC-OVS provides integration of SFC with Open vSwitch (OVS) devices.
192 Integration is realized through mapping of SFC objects (like SF, SFF,
193 Classifier, etc.) to OVS objects (like Bridge,
194 TerminationPoint=Port/Interface). The mapping takes care of automatic
195 instantiation (setup) of corresponding object whenever its counterpart
196 is created. For example, when a new SFF is created, the SFC-OVS plug-in
197 will create a new OVS bridge.
199 The feature is intended for SFC users willing to use Open vSwitch as an
200 underlying network infrastructure for deploying RSPs (Rendered Service
206 SFC-OVS uses the OVSDB MD-SAL Southbound API for getting/writing
207 information from/to OVS devices. From the user perspective SFC-OVS acts
208 as a layer between SFC datastore and OVSDB.
210 .. figure:: ./images/sfc/sfc-ovs-architecture-user.png
211 :alt: SFC-OVS integration into ODL
213 SFC-OVS integration into ODL
218 1. Run ODL distribution (run karaf)
220 2. In Karaf console execute: ``feature:install odl-sfc-ovs``
222 3. Configure Open vSwitch to use ODL as a manager, using following
223 command: ``ovs-vsctl set-manager tcp:<odl_ip_address>:6640``
228 Verifying mapping from SFF to OVS
229 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
234 This tutorial shows the usual workflow during creation of an OVS
235 Bridge with use of the SFC APIs.
240 - Open vSwitch installed (ovs-vsctl command available in shell)
242 - SFC-OVS feature configured as stated above
247 1. In a shell execute: ``ovs-vsctl set-manager tcp:<odl_ip_address>:6640``
249 2. Send POST request to URL:
250 ``http://<odl_ip_address>:8181/restconf/operations/service-function-forwarder-ovs:create-ovs-bridge``
251 Use Basic auth with credentials: "admin", "admin" and set
252 ``Content-Type: application/json``. The content of POST request
262 "ip": "<Open_vSwitch_ip_address>"
267 Open\_vSwitch\_ip\_address is the IP address of the machine where Open vSwitch
273 In a shell execute: ``ovs-vsctl show``. There should be a Bridge with
274 the name *br-test* and one port/interface called *br-test*.
276 Also, the corresponding SFF for this OVS Bridge should be configured,
277 which can be verified through the SFC User Interface or RESTCONF as
280 a. Visit the SFC User Interface:
281 ``http://<odl_ip_address>:8181/sfc/index.html#/sfc/serviceforwarder``
283 b. Use pure RESTCONF and send a GET request to URL:
284 ``http://<odl_ip_address>:8181/restconf/config/service-function-forwarder:service-function-forwarders``
286 There should be an SFF, whose name will be ending with *br1* and the
287 SFF should contain two DataPlane locators: *br1* and *testPort*.
290 SFC Classifier User Guide
291 -------------------------
296 Description of classifier can be found in:
297 https://datatracker.ietf.org/doc/draft-ietf-sfc-architecture/
299 There are two types of classifier:
301 1. OpenFlow Classifier
303 2. Iptables Classifier
308 OpenFlow Classifier implements the classification criteria based on
309 OpenFlow rules deployed into an OpenFlow switch. An Open vSwitch will
310 take the role of a classifier and performs various encapsulations such
311 NSH, VLAN, MPLS, etc. In the existing implementation, classifier can
312 support NSH encapsulation. Matching information is based on ACL for MAC
313 addresses, ports, protocol, IPv4 and IPv6. Supported protocols are TCP,
314 UDP and SCTP. Actions information in the OF rules, shall be forwarding
315 of the encapsulated packets with specific information related to the
318 Classifier Architecture
319 ^^^^^^^^^^^^^^^^^^^^^^^
321 The OVSDB Southbound interface is used to create an instance of a bridge
322 in a specific location (via IP address). This bridge contains the
323 OpenFlow rules that perform the classification of the packets and react
324 accordingly. The OpenFlow Southbound interface is used to translate the
325 ACL information into OF rules within the Open vSwitch.
329 in order to create the instance of the bridge that takes the role of
330 a classifier, an "empty" SFF must be created.
332 Configuring Classifier
333 ^^^^^^^^^^^^^^^^^^^^^^
335 1. An empty SFF must be created in order to host the ACL that contains
336 the classification information.
338 2. SFF data plane locator must be configured
340 3. Classifier interface must be manually added to SFF bridge.
342 Administering or Managing Classifier
343 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
345 Classification information is based on MAC addresses, protocol, ports
346 and IP. ACL gathers this information and is assigned to an RSP which
347 turns to be a specific path for a Service Chain.
352 Classifier manages everything from starting the packet listener to
353 creation (and removal) of appropriate ip(6)tables rules and marking
354 received packets accordingly. Its functionality is **available only on
355 Linux** as it leverdges **NetfilterQueue**, which provides access to
356 packets matched by an **iptables** rule. Classifier requires **root
357 privileges** to be able to operate.
359 So far it is capable of processing ACL for MAC addresses, ports, IPv4
360 and IPv6. Supported protocols are TCP and UDP.
362 Classifier Architecture
363 ^^^^^^^^^^^^^^^^^^^^^^^
365 Python code located in the project repository
366 sfc-py/common/classifier.py.
370 classifier assumes that Rendered Service Path (RSP) **already
371 exists** in ODL when an ACL referencing it is obtained
373 1. sfc\_agent receives an ACL and passes it for processing to the
376 2. the RSP (its SFF locator) referenced by ACL is requested from ODL
378 3. if the RSP exists in the ODL then ACL based iptables rules for it are
381 After this process is over, every packet successfully matched to an
382 iptables rule (i.e. successfully classified) will be NSH encapsulated
383 and forwarded to a related SFF, which knows how to traverse the RSP.
385 Rules are created using appropriate iptables command. If the Access
386 Control Entry (ACE) rule is MAC address related both iptables and
387 IPv6 tables rules re issued. If ACE rule is IPv4 address related, only
388 iptables rules are issued, same for IPv6.
392 iptables **raw** table contains all created rules
394 Configuring Classifier
395 ^^^^^^^^^^^^^^^^^^^^^^
397 | Classfier does’t need any configuration.
398 | Its only requirement is that the **second (2) Netfilter Queue** is not
399 used by any other process and is **avalilable for the classifier**.
401 Administering or Managing Classifier
402 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
404 Classifier runs alongside sfc\_agent, therefore the command for starting
409 sudo python3.4 sfc-py/sfc_agent.py --rest --odl-ip-port localhost:8181
410 --auto-sff-name --nfq-class
412 SFC OpenFlow Renderer User Guide
413 --------------------------------
418 The Service Function Chaining (SFC) OpenFlow Renderer (SFC OF Renderer)
419 implements Service Chaining on OpenFlow switches. It listens for the
420 creation of a Rendered Service Path (RSP) in the operational data store,
421 and once received it programs Service Function Forwarders (SFF) that
422 are hosted on OpenFlow capable switches to forward packets through the
423 service chain. Currently the only tested OpenFlow capable switch is
426 Common acronyms used in the following sections:
428 - SF - Service Function
430 - SFF - Service Function Forwarder
432 - SFC - Service Function Chain
434 - SFP - Service Function Path
436 - RSP - Rendered Service Path
438 SFC OpenFlow Renderer Architecture
439 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
441 The SFC OF Renderer is invoked after a RSP is created in the operational
442 data store using an MD-SAL listener called ``SfcOfRspDataListener``.
443 Upon SFC OF Renderer initialization, the ``SfcOfRspDataListener``
444 registers itself to listen for RSP changes. When invoked, the
445 ``SfcOfRspDataListener`` processes the RSP and calls the
446 ``SfcOfFlowProgrammerImpl`` to create the necessary flows in
447 the Service Function Forwarders configured in the
448 RSP. Refer to the following diagram for more details.
450 .. figure:: ./images/sfc/sfcofrenderer_architecture.png
451 :alt: SFC OpenFlow Renderer High Level Architecture
453 SFC OpenFlow Renderer High Level Architecture
455 .. _sfc-user-guide-sfc-of-pipeline:
457 SFC OpenFlow Switch Flow pipeline
458 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
460 The SFC OpenFlow Renderer uses the following tables for its Flow
463 - Table 0, Classifier
465 - Table 1, Transport Ingress
467 - Table 2, Path Mapper
469 - Table 3, Path Mapper ACL
473 - Table 10, Transport Egress
475 The OpenFlow Table Pipeline is intended to be generic to work for all of
476 the different encapsulations supported by SFC.
478 All of the tables are explained in detail in the following section.
480 The SFFs (SFF1 and SFF2), SFs (SF1), and topology used for the flow
481 tables in the following sections are as described in the following
484 .. figure:: ./images/sfc/sfcofrenderer_nwtopo.png
485 :alt: SFC OpenFlow Renderer Typical Network Topology
487 SFC OpenFlow Renderer Typical Network Topology
489 Classifier Table detailed
490 ^^^^^^^^^^^^^^^^^^^^^^^^^
492 It is possible for the SFF to also act as a classifier. This table maps
493 subscriber traffic to RSPs, and is explained in detail in the classifier
496 If the SFF is not a classifier, then this table will just have a simple
499 Transport Ingress Table detailed
500 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
502 The Transport Ingress table has an entry per expected tunnel transport
503 type to be received in a particular SFF, as established in the SFC
506 Here are two example on SFF1: one where the RSP ingress tunnel is MPLS
507 assuming VLAN is used for the SFF-SF, and the other where the RSP
508 ingress tunnel is either Eth+NSH or just NSH with no ethernet.
510 +----------+-------------------------------------+--------------+
511 | Priority | Match | Action |
512 +==========+=====================================+==============+
513 | 256 | EtherType==0x8847 (MPLS unicast) | Goto Table 2 |
514 +----------+-------------------------------------+--------------+
515 | 256 | EtherType==0x8100 (VLAN) | Goto Table 2 |
516 +----------+-------------------------------------+--------------+
517 | 250 | EtherType==0x894f (Eth+NSH) | Goto Table 2 |
518 +----------+-------------------------------------+--------------+
519 | 250 | PacketType==0x894f (NSH no Eth) | Goto Table 2 |
520 +----------+-------------------------------------+--------------+
521 | 5 | Match Any | Drop |
522 +----------+-------------------------------------+--------------+
525 Table: Table Transport Ingress
527 Path Mapper Table detailed
528 ^^^^^^^^^^^^^^^^^^^^^^^^^^
530 The Path Mapper table has an entry per expected tunnel transport info to
531 be received in a particular SFF, as established in the SFC
532 configuration. The tunnel transport info is used to determine the RSP
533 Path ID, and is stored in the OpenFlow Metadata. This table is not used
534 for NSH, since the RSP Path ID is stored in the NSH header.
536 For SF nodes that do not support NSH tunneling, the IP header DSCP field
537 is used to store the RSP Path Id. The RSP Path Id is written to the DSCP
538 field in the Transport Egress table for those packets sent to an SF.
540 Here is an example on SFF1, assuming the following details:
542 - VLAN ID 1000 is used for the SFF-SF
544 - The RSP Path 1 tunnel uses MPLS label 100 for ingress and 101 for
547 - The RSP Path 2 (symmetric downlink path) uses MPLS label 101 for
548 ingress and 100 for egress
550 +----------+-------------------+-----------------------+
551 | Priority | Match | Action |
552 +==========+===================+=======================+
553 | 256 | MPLS Label==100 | RSP Path=1, Pop MPLS, |
555 +----------+-------------------+-----------------------+
556 | 256 | MPLS Label==101 | RSP Path=2, Pop MPLS, |
558 +----------+-------------------+-----------------------+
559 | 256 | VLAN ID==1000, IP | RSP Path=1, Pop VLAN, |
560 | | DSCP==1 | Goto Table 4 |
561 +----------+-------------------+-----------------------+
562 | 256 | VLAN ID==1000, IP | RSP Path=2, Pop VLAN, |
563 | | DSCP==2 | Goto Table 4 |
564 +----------+-------------------+-----------------------+
565 | 5 | Match Any | Goto Table 3 |
566 +----------+-------------------+-----------------------+
568 Table: Table Path Mapper
570 Path Mapper ACL Table detailed
571 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
573 This table is only populated when PacketIn packets are received from the
574 switch for TcpProxy type SFs. These flows are created with an inactivity
575 timer of 60 seconds and will be automatically deleted upon expiration.
577 Next Hop Table detailed
578 ^^^^^^^^^^^^^^^^^^^^^^^
580 The Next Hop table uses the RSP Path Id and appropriate packet fields to
581 determine where to send the packet next. For NSH, only the NSP (Network
582 Services Path, RSP ID) and NSI (Network Services Index, next hop) fields
583 from the NSH header are needed to determine the VXLAN tunnel destination
584 IP. For VLAN or MPLS, then the source MAC address is used to determine
585 the destination MAC address.
587 Here are two examples on SFF1, assuming SFF1 is connected to SFF2. RSP
588 Paths 1 and 2 are symmetric VLAN paths. RSP Paths 3 and 4 are symmetric
589 NSH paths. RSP Path 1 ingress packets come from external to SFC, for
590 which we don’t have the source MAC address (MacSrc).
592 +----------+--------------------------------+--------------------------------+
593 | Priority | Match | Action |
594 +==========+================================+================================+
595 | 256 | RSP Path==1, MacSrc==SF1 | MacDst=SFF2, Goto Table 10 |
596 +----------+--------------------------------+--------------------------------+
597 | 256 | RSP Path==2, MacSrc==SF1 | Goto Table 10 |
598 +----------+--------------------------------+--------------------------------+
599 | 256 | RSP Path==2, MacSrc==SFF2 | MacDst=SF1, Goto Table 10 |
600 +----------+--------------------------------+--------------------------------+
601 | 246 | RSP Path==1 | MacDst=SF1, Goto Table 10 |
602 +----------+--------------------------------+--------------------------------+
603 | 550 | dl_type=0x894f, | load:0xa000002→ |
604 | | nsh_spi=3,nsh_si=255 | NXM\_NX\_TUN\_IPV4\_DST[], |
605 | | (NSH, SFF Ingress RSP 3, hop 1)| Goto Table 10 |
606 +----------+--------------------------------+--------------------------------+
607 | 550 | dl_type=0x894f | load:0xa00000a→ |
608 | | nsh_spi=3,nsh_si=254 | NXM\_NX\_TUN\_IPV4\_DST[], |
609 | | (NSH, SFF Ingress from SF, | Goto Table 10 |
610 | | RSP 3, hop 2) | |
611 +----------+--------------------------------+--------------------------------+
612 | 550 | dl_type=0x894f, | load:0xa00000a→ |
613 | | nsh_spi=4,nsh_si=254 | NXM\_NX\_TUN\_IPV4\_DST[], |
614 | | (NSH, SFF1 Ingress from SFF2) | Goto Table 10 |
615 +----------+--------------------------------+--------------------------------+
616 | 5 | Match Any | Drop |
617 +----------+--------------------------------+--------------------------------+
619 Table: Table Next Hop
621 Transport Egress Table detailed
622 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
624 The Transport Egress table prepares egress tunnel information and sends
627 Here are two examples on SFF1. RSP Paths 1 and 2 are symmetric MPLS
628 paths that use VLAN for the SFF-SF. RSP Paths 3 and 4 are symmetric NSH
629 paths. Since it is assumed that switches used for NSH will only have one
630 VXLAN port, the NSH packets are just sent back where they came from.
632 +----------+--------------------------------+--------------------------------+
633 | Priority | Match | Action |
634 +==========+================================+================================+
635 | 256 | RSP Path==1, MacDst==SF1 | Push VLAN ID 1000, Port=SF1 |
636 +----------+--------------------------------+--------------------------------+
637 | 256 | RSP Path==1, MacDst==SFF2 | Push MPLS Label 101, Port=SFF2 |
638 +----------+--------------------------------+--------------------------------+
639 | 256 | RSP Path==2, MacDst==SF1 | Push VLAN ID 1000, Port=SF1 |
640 +----------+--------------------------------+--------------------------------+
641 | 246 | RSP Path==2 | Push MPLS Label 100, |
643 +----------+--------------------------------+--------------------------------+
644 | 256 | in_port=1,dl_type=0x894f | IN\_PORT |
645 | | nsh_spi=0x3,nsh_si=255 | |
646 | | (NSH, SFF Ingress RSP 3) | |
647 +----------+--------------------------------+--------------------------------+
648 | 256 | in_port=1,dl_type=0x894f, | IN\_PORT |
649 | | nsh_spi=0x3,nsh_si=254 | |
650 | | (NSH,SFF Ingress from SF,RSP 3)| |
651 +----------+--------------------------------+--------------------------------+
652 | 256 | in_port=1,dl_type=0x894f, | IN\_PORT |
653 | | nsh_spi=0x4,nsh_si=254 | |
654 | | (NSH, SFF1 Ingress from SFF2) | |
655 +---------+---------------------------------+--------------------------------+
656 | 5 | Match Any | Drop |
657 +---------+---------------------------------+--------------------------------+
659 Table: Table Transport Egress
661 Administering SFC OF Renderer
662 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
664 To use the SFC OpenFlow Renderer Karaf, at least the following Karaf
665 features must be installed.
667 - odl-openflowplugin-nxm-extensions
669 - odl-openflowplugin-flow-services
675 - odl-sfc-openflow-renderer
677 - odl-sfc-ui (optional)
679 Since OpenDaylight Karaf features internally install dependent features
680 all of the above features can be installed by simply installing the
681 ''odl-sfc-openflow-renderer'' feature.
683 The following command can be used to view all of the currently installed
688 opendaylight-user@root>feature:list -i
690 Or, pipe the command to a grep to see a subset of the currently
691 installed Karaf features:
695 opendaylight-user@root>feature:list -i | grep sfc
697 To install a particular feature, use the Karaf ``feature:install``
700 SFC OF Renderer Tutorial
701 ~~~~~~~~~~~~~~~~~~~~~~~~
706 In this tutorial, the VXLAN-GPE NSH encapsulations will be shown.
707 The following Network Topology diagram is a logical view of the
708 SFFs and SFs involved in creating the Service Chains.
710 .. figure:: ./images/sfc/sfcofrenderer_nwtopo.png
711 :alt: SFC OpenFlow Renderer Typical Network Topology
713 SFC OpenFlow Renderer Typical Network Topology
718 To use this example, SFF OpenFlow switches must be created and connected
719 as illustrated above. Additionally, the SFs must be created and
722 Note that RSP symmetry depends on the Service Function Path symmetric
723 field, if present. If not, the RSP will be symmetric if any of the SFs
724 involved in the chain has the bidirectional field set to true.
729 The target environment is not important, but this use-case was created
735 The steps to use this tutorial are as follows. The referenced
736 configuration in the steps is listed in the following sections.
738 There are numerous ways to send the configuration. In the following
739 configuration chapters, the appropriate ``curl`` command is shown for
740 each configuration to be sent, including the URL.
742 Steps to configure the SFC OF Renderer tutorial:
744 1. Send the ``SF`` RESTCONF configuration
746 2. Send the ``SFF`` RESTCONF configuration
748 3. Send the ``SFC`` RESTCONF configuration
750 4. Send the ``SFP`` RESTCONF configuration
752 5. The ``RSP`` will be created internally when the ``SFP`` is created.
754 Once the configuration has been successfully created, query the Rendered
755 Service Paths with either the SFC UI or via RESTCONF. Notice that the
756 RSP is symmetrical, so the following 2 RSPs will be created:
758 - sfc-path1-Path-<RSP-ID>
760 - sfc-path1-Path-<RSP-ID>-Reverse
762 At this point the Service Chains have been created, and the OpenFlow
763 Switches are programmed to steer traffic through the Service Chain.
764 Traffic can now be injected from a client into the Service Chain. To
765 debug problems, the OpenFlow tables can be dumped with the following
766 commands, assuming SFF1 is called ``s1`` and SFF2 is called ``s2``.
770 sudo ovs-ofctl -O OpenFlow13 dump-flows s1
774 sudo ovs-ofctl -O OpenFlow13 dump-flows s2
776 In all the following configuration sections, replace the ``${JSON}``
777 string with the appropriate JSON configuration. Also, change the
778 ``localhost`` destination in the URL accordingly.
780 SFC OF Renderer NSH Tutorial
781 ''''''''''''''''''''''''''''
783 The following configuration sections show how to create the different
784 elements using NSH encapsulation.
786 | **NSH Service Function configuration**
788 The Service Function configuration can be sent with the following
793 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache"
794 --data '${JSON}' -X PUT --user
795 admin:admin http://localhost:8181/restconf/config/service-function:service-functions/
797 **SF configuration JSON.**
802 "service-functions": {
803 "service-function": [
806 "type": "http-header-enrichment",
807 "ip-mgmt-address": "10.0.0.2",
808 "sf-data-plane-locator": [
813 "transport": "service-locator:vxlan-gpe",
814 "service-function-forwarder": "sff1"
821 "ip-mgmt-address": "10.0.0.3",
822 "sf-data-plane-locator": [
827 "transport": "service-locator:vxlan-gpe",
828 "service-function-forwarder": "sff2"
836 | **NSH Service Function Forwarder configuration**
838 The Service Function Forwarder configuration can be sent with the
843 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache" --data '${JSON}' -X PUT --user admin:admin http://localhost:8181/restconf/config/service-function-forwarder:service-function-forwarders/
845 **SFF configuration JSON.**
850 "service-function-forwarders": {
851 "service-function-forwarder": [
854 "service-node": "openflow:2",
855 "sff-data-plane-locator": [
858 "data-plane-locator":
862 "transport": "service-locator:vxlan-gpe"
866 "service-function-dictionary": [
869 "sff-sf-data-plane-locator":
871 "sf-dpl-name": "sf1dpl",
872 "sff-dpl-name": "sff1dpl"
879 "service-node": "openflow:3",
880 "sff-data-plane-locator": [
883 "data-plane-locator":
887 "transport": "service-locator:vxlan-gpe"
891 "service-function-dictionary": [
894 "sff-sf-data-plane-locator":
896 "sf-dpl-name": "sf2dpl",
897 "sff-dpl-name": "sff2dpl"
906 | **NSH Service Function Chain configuration**
908 The Service Function Chain configuration can be sent with the following
913 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache"
914 --data '${JSON}' -X PUT --user
915 admin:admin http://localhost:8181/restconf/config/service-function-chain:service-function-chains/
917 **SFC configuration JSON.**
922 "service-function-chains": {
923 "service-function-chain": [
925 "name": "sfc-chain1",
926 "sfc-service-function": [
928 "name": "hdr-enrich-abstract1",
929 "type": "http-header-enrichment"
932 "name": "firewall-abstract1",
941 | **NSH Service Function Path configuration**
943 The Service Function Path configuration can be sent with the following
948 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache" --data '${JSON}' -X PUT --user admin:admin http://localhost:8181/restconf/config/service-function-path:service-function-paths/
950 **SFP configuration JSON.**
955 "service-function-paths": {
956 "service-function-path": [
959 "service-chain-name": "sfc-chain1",
960 "transport-type": "service-locator:vxlan-gpe",
967 | **NSH Rendered Service Path Query**
969 The following command can be used to query all of the created Rendered
974 curl -H "Content-Type: application/json" -H "Cache-Control: no-cache" -X GET --user admin:admin http://localhost:8181/restconf/operational/rendered-service-path:rendered-service-paths/
976 SFC OF Renderer MPLS Tutorial
977 '''''''''''''''''''''''''''''
979 The following configuration sections show how to create the different
980 elements using MPLS encapsulation.
982 | **MPLS Service Function configuration**
984 The Service Function configuration can be sent with the following
989 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache"
990 --data '${JSON}' -X PUT --user
991 admin:admin http://localhost:8181/restconf/config/service-function:service-functions/
993 **SF configuration JSON.**
998 "service-functions": {
999 "service-function": [
1002 "type": "http-header-enrichment",
1003 "ip-mgmt-address": "10.0.0.2",
1004 "sf-data-plane-locator": [
1007 "mac": "00:00:08:01:02:01",
1009 "transport": "service-locator:mac",
1010 "service-function-forwarder": "sff1"
1017 "ip-mgmt-address": "10.0.0.3",
1018 "sf-data-plane-locator": [
1021 "mac": "00:00:08:01:03:01",
1023 "transport": "service-locator:mac",
1024 "service-function-forwarder": "sff2"
1032 | **MPLS Service Function Forwarder configuration**
1034 The Service Function Forwarder configuration can be sent with the
1037 .. code-block:: bash
1039 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache" --data '${JSON}' -X PUT --user admin:admin http://localhost:8181/restconf/config/service-function-forwarder:service-function-forwarders/
1041 **SFF configuration JSON.**
1043 .. code-block:: none
1046 "service-function-forwarders": {
1047 "service-function-forwarder": [
1050 "service-node": "openflow:2",
1051 "sff-data-plane-locator": [
1053 "name": "ulSff1Ingress",
1054 "data-plane-locator":
1057 "transport": "service-locator:mpls"
1059 "service-function-forwarder-ofs:ofs-port":
1061 "mac": "11:11:11:11:11:11",
1066 "name": "ulSff1ToSff2",
1067 "data-plane-locator":
1070 "transport": "service-locator:mpls"
1072 "service-function-forwarder-ofs:ofs-port":
1074 "mac": "33:33:33:33:33:33",
1080 "data-plane-locator":
1082 "mac": "22:22:22:22:22:22",
1084 "transport": "service-locator:mac",
1086 "service-function-forwarder-ofs:ofs-port":
1088 "mac": "33:33:33:33:33:33",
1093 "service-function-dictionary": [
1096 "sff-sf-data-plane-locator":
1098 "sf-dpl-name": "sf1-sff1",
1099 "sff-dpl-name": "toSf1"
1106 "service-node": "openflow:3",
1107 "sff-data-plane-locator": [
1109 "name": "ulSff2Ingress",
1110 "data-plane-locator":
1113 "transport": "service-locator:mpls"
1115 "service-function-forwarder-ofs:ofs-port":
1117 "mac": "44:44:44:44:44:44",
1122 "name": "ulSff2Egress",
1123 "data-plane-locator":
1126 "transport": "service-locator:mpls"
1128 "service-function-forwarder-ofs:ofs-port":
1130 "mac": "66:66:66:66:66:66",
1136 "data-plane-locator":
1138 "mac": "55:55:55:55:55:55",
1140 "transport": "service-locator:mac"
1142 "service-function-forwarder-ofs:ofs-port":
1148 "service-function-dictionary": [
1151 "sff-sf-data-plane-locator":
1153 "sf-dpl-name": "sf2-sff2",
1154 "sff-dpl-name": "toSf2"
1157 "service-function-forwarder-ofs:ofs-port":
1168 | **MPLS Service Function Chain configuration**
1170 The Service Function Chain configuration can be sent with the following
1173 .. code-block:: bash
1175 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache"
1176 --data '${JSON}' -X PUT --user admin:admin
1177 http://localhost:8181/restconf/config/service-function-chain:service-function-chains/
1179 **SFC configuration JSON.**
1181 .. code-block:: none
1184 "service-function-chains": {
1185 "service-function-chain": [
1187 "name": "sfc-chain1",
1188 "sfc-service-function": [
1190 "name": "hdr-enrich-abstract1",
1191 "type": "http-header-enrichment"
1194 "name": "firewall-abstract1",
1203 | **MPLS Service Function Path configuration**
1205 The Service Function Path configuration can be sent with the following
1206 command. This will internally trigger the Rendered Service Paths to be
1209 .. code-block:: bash
1211 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache"
1212 --data '${JSON}' -X PUT --user admin:admin
1213 http://localhost:8181/restconf/config/service-function-path:service-function-paths/
1215 **SFP configuration JSON.**
1217 .. code-block:: none
1220 "service-function-paths": {
1221 "service-function-path": [
1223 "name": "sfc-path1",
1224 "service-chain-name": "sfc-chain1",
1225 "transport-type": "service-locator:mpls",
1232 The following command can be used to query all of the Rendered Service
1233 Paths that were created when the Service Function Path was created:
1235 .. code-block:: bash
1237 curl -H "Content-Type: application/json" -H "Cache-Control: no-cache" -X GET
1238 --user admin:admin http://localhost:8181/restconf/operational/rendered-service-path:rendered-service-paths/
1240 SFC IOS XE Renderer User Guide
1241 ------------------------------
1246 The early Service Function Chaining (SFC) renderer for IOS-XE devices
1247 (SFC IOS-XE renderer) implements Service Chaining functionality on
1248 IOS-XE capable switches. It listens for the creation of a Rendered
1249 Service Path (RSP) and sets up Service Function Forwarders (SFF) that
1250 are hosted on IOS-XE switches to steer traffic through the service
1253 Common acronyms used in the following sections:
1255 - SF - Service Function
1257 - SFF - Service Function Forwarder
1259 - SFC - Service Function Chain
1263 - SFP - Service Function Path
1265 - RSP - Rendered Service Path
1267 - LSF - Local Service Forwarder
1269 - RSF - Remote Service Forwarder
1271 SFC IOS-XE Renderer Architecture
1272 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1274 When the SFC IOS-XE renderer is initialized, all required listeners are
1275 registered to handle incoming data. It involves CSR/IOS-XE
1276 ``NodeListener`` which stores data about all configurable devices
1277 including their mountpoints (used here as databrokers),
1278 ``ServiceFunctionListener``, ``ServiceForwarderListener`` (see mapping)
1279 and ``RenderedPathListener`` used to listen for RSP changes. When the
1280 SFC IOS-XE renderer is invoked, ``RenderedPathListener`` calls the
1281 ``IosXeRspProcessor`` which processes the RSP change and creates all
1282 necessary Service Paths and Remote Service Forwarders (if necessary) on
1285 Service Path details
1286 ~~~~~~~~~~~~~~~~~~~~
1288 Each Service Path is defined by index (represented by NSP) and contains
1289 service path entries. Each entry has appropriate service index (NSI) and
1290 definition of next hop. Next hop can be Service Function, different
1291 Service Function Forwarder or definition of end of chain - terminate.
1292 After terminating, the packet is sent to destination. If a SFF is
1293 defined as a next hop, it has to be present on device in the form of
1294 Remote Service Forwarder. RSFs are also created during RSP processing.
1296 Example of Service Path:
1300 service-chain service-path 200
1301 service-index 255 service-function firewall-1
1302 service-index 254 service-function dpi-1
1303 service-index 253 terminate
1305 Mapping to IOS-XE SFC entities
1306 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1308 Renderer contains mappers for SFs and SFFs. IOS-XE capable device is
1309 using its own definition of Service Functions and Service Function
1310 Forwarders according to appropriate .yang file.
1311 ``ServiceFunctionListener`` serves as a listener for SF changes. If SF
1312 appears in datastore, listener extracts its management ip address and
1313 looks into cached IOS-XE nodes. If some of available nodes match,
1314 Service function is mapped in ``IosXeServiceFunctionMapper`` to be
1315 understandable by IOS-XE device and it’s written into device’s config.
1316 ``ServiceForwarderListener`` is used in a similar way. All SFFs with
1317 suitable management ip address it mapped in
1318 ``IosXeServiceForwarderMapper``. Remapped SFFs are configured as a Local
1319 Service Forwarders. It is not possible to directly create Remote Service
1320 Forwarder using IOS-XE renderer. RSF is created only during RSP
1323 Administering SFC IOS-XE renderer
1324 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1326 To use the SFC IOS-XE Renderer Karaf, at least the following Karaf
1327 features must be installed:
1337 - odl-netconf-topology
1339 - odl-sfc-ios-xe-renderer
1341 SFC IOS-XE renderer Tutorial
1342 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1347 This tutorial is a simple example how to create Service Path on IOS-XE
1348 capable device using IOS-XE renderer
1353 To connect to IOS-XE device, it is necessary to use several modified
1354 yang models and override device’s ones. All .yang files are in the
1355 ``Yang/netconf`` folder in the ``sfc-ios-xe-renderer module`` in the SFC
1356 project. These files have to be copied to the ``cache/schema``
1357 directory, before Karaf is started. After that, custom capabilities have
1358 to be sent to network-topology:
1360 * PUT ./config/network-topology:network-topology/topology/topology-netconf/node/<device-name>
1364 <node xmlns="urn:TBD:params:xml:ns:yang:network-topology">
1365 <node-id>device-name</node-id>
1366 <host xmlns="urn:opendaylight:netconf-node-topology">device-ip</host>
1367 <port xmlns="urn:opendaylight:netconf-node-topology">2022</port>
1368 <username xmlns="urn:opendaylight:netconf-node-topology">login</username>
1369 <password xmlns="urn:opendaylight:netconf-node-topology">password</password>
1370 <tcp-only xmlns="urn:opendaylight:netconf-node-topology">false</tcp-only>
1371 <keepalive-delay xmlns="urn:opendaylight:netconf-node-topology">0</keepalive-delay>
1372 <yang-module-capabilities xmlns="urn:opendaylight:netconf-node-topology">
1373 <override>true</override>
1374 <capability xmlns="urn:opendaylight:netconf-node-topology">
1375 urn:ietf:params:xml:ns:yang:ietf-inet-types?module=ietf-inet-types&revision=2013-07-15
1377 <capability xmlns="urn:opendaylight:netconf-node-topology">
1378 urn:ietf:params:xml:ns:yang:ietf-yang-types?module=ietf-yang-types&revision=2013-07-15
1380 <capability xmlns="urn:opendaylight:netconf-node-topology">
1381 urn:ios?module=ned&revision=2016-03-08
1383 <capability xmlns="urn:opendaylight:netconf-node-topology">
1384 http://tail-f.com/yang/common?module=tailf-common&revision=2015-05-22
1386 <capability xmlns="urn:opendaylight:netconf-node-topology">
1387 http://tail-f.com/yang/common?module=tailf-meta-extensions&revision=2013-11-07
1389 <capability xmlns="urn:opendaylight:netconf-node-topology">
1390 http://tail-f.com/yang/common?module=tailf-cli-extensions&revision=2015-03-19
1392 </yang-module-capabilities>
1397 The device name in the URL and in the XML must match.
1402 When the IOS-XE renderer is installed, all NETCONF nodes in
1403 topology-netconf are processed and all capable nodes with accessible
1404 mountpoints are cached. The first step is to create LSF on node.
1406 ``Service Function Forwarder configuration``
1408 * PUT ./config/service-function-forwarder:service-function-forwarders
1410 .. code-block:: none
1413 "service-function-forwarders": {
1414 "service-function-forwarder": [
1417 "ip-mgmt-address": "172.25.73.23",
1418 "sff-data-plane-locator": [
1420 "name": "CSR1Kv-2-dpl",
1421 "data-plane-locator": {
1422 "transport": "service-locator:vxlan-gpe",
1424 "ip": "10.99.150.10"
1433 If the IOS-XE node with appropriate management IP exists, this
1434 configuration is mapped and LSF is created on the device. The same
1435 approach is used for Service Functions.
1437 * PUT ./config/service-function:service-functions
1439 .. code-block:: none
1442 "service-functions": {
1443 "service-function": [
1446 "ip-mgmt-address": "172.25.73.23",
1448 "sf-data-plane-locator": [
1450 "name": "firewall-dpl",
1453 "transport": "service-locator:gre",
1454 "service-function-forwarder": "CSR1Kv-2"
1460 "ip-mgmt-address": "172.25.73.23",
1462 "sf-data-plane-locator": [
1467 "transport": "service-locator:gre",
1468 "service-function-forwarder": "CSR1Kv-2"
1474 "ip-mgmt-address": "172.25.73.23",
1476 "sf-data-plane-locator": [
1481 "transport": "service-locator:gre",
1482 "service-function-forwarder": "CSR1Kv-2"
1490 All these SFs are configured on the same device as the LSF. The next
1491 step is to prepare Service Function Chain.
1493 * PUT ./config/service-function-chain:service-function-chains/
1495 .. code-block:: none
1498 "service-function-chains": {
1499 "service-function-chain": [
1502 "sfc-service-function": [
1521 Service Function Path:
1523 * PUT ./config/service-function-path:service-function-paths/
1525 .. code-block:: none
1528 "service-function-paths": {
1529 "service-function-path": [
1531 "name": "CSR3XSF-Path",
1532 "service-chain-name": "CSR3XSF",
1533 "starting-index": 255,
1540 Without a classifier, there is possibility to POST RSP directly.
1542 * POST ./operations/rendered-service-path:create-rendered-path
1544 .. code-block:: none
1548 "name": "CSR3XSF-Path-RSP",
1549 "parent-service-function-path": "CSR3XSF-Path"
1553 The resulting configuration:
1558 service-chain service-function-forwarder local
1559 ip address 10.99.150.10
1561 service-chain service-function firewall
1563 encapsulation gre enhanced divert
1565 service-chain service-function dpi
1567 encapsulation gre enhanced divert
1569 service-chain service-function qos
1571 encapsulation gre enhanced divert
1573 service-chain service-path 1
1574 service-index 255 service-function firewall
1575 service-index 254 service-function dpi
1576 service-index 253 service-function qos
1577 service-index 252 terminate
1579 service-chain service-path 2
1580 service-index 255 service-function qos
1581 service-index 254 service-function dpi
1582 service-index 253 service-function firewall
1583 service-index 252 terminate
1586 Service Path 1 is direct, Service Path 2 is reversed. Path numbers may
1589 Service Function Scheduling Algorithms
1590 --------------------------------------
1595 When creating the Rendered Service Path, the origin SFC controller chose
1596 the first available service function from a list of service function
1597 names. This may result in many issues such as overloaded service
1598 functions and a longer service path as SFC has no means to understand
1599 the status of service functions and network topology. The service
1600 function selection framework supports at least four algorithms (Random,
1601 Round Robin, Load Balancing and Shortest Path) to select the most
1602 appropriate service function when instantiating the Rendered Service
1603 Path. In addition, it is an extensible framework that allows 3rd party
1604 selection algorithm to be plugged in.
1609 The following figure illustrates the service function selection
1610 framework and algorithms.
1612 .. figure:: ./images/sfc/sf-selection-arch.png
1613 :alt: SF Selection Architecture
1615 SF Selection Architecture
1617 A user has three different ways to select one service function selection
1620 1. Integrated RESTCONF Calls. OpenStack and/or other administration
1621 system could provide plugins to call the APIs to select one
1622 scheduling algorithm.
1624 2. Command line tools. Command line tools such as curl or browser
1625 plugins such as POSTMAN (for Google Chrome) and RESTClient (for
1626 Mozilla Firefox) could select schedule algorithm by making RESTCONF
1629 3. SFC-UI. Now the SFC-UI provides an option for choosing a selection
1630 algorithm when creating a Rendered Service Path.
1632 The RESTCONF northbound SFC API provides GUI/RESTCONF interactions for
1633 choosing the service function selection algorithm. MD-SAL data store
1634 provides all supported service function selection algorithms, and
1635 provides APIs to enable one of the provided service function selection
1636 algorithms. Once a service function selection algorithm is enabled, the
1637 service function selection algorithm will work when creating a Rendered
1640 Select SFs with Scheduler
1641 ~~~~~~~~~~~~~~~~~~~~~~~~~
1643 Administrator could use both the following ways to select one of the
1644 selection algorithm when creating a Rendered Service Path.
1646 - Command line tools. Command line tools includes Linux commands curl
1647 or even browser plugins such as POSTMAN(for Google Chrome) or
1648 RESTClient(for Mozilla Firefox). In this case, the following JSON
1649 content is needed at the moment:
1650 Service\_function\_schudule\_type.json
1652 .. code-block:: none
1655 "service-function-scheduler-types": {
1656 "service-function-scheduler-type": [
1659 "type": "service-function-scheduler-type:random",
1663 "name": "roundrobin",
1664 "type": "service-function-scheduler-type:round-robin",
1668 "name": "loadbalance",
1669 "type": "service-function-scheduler-type:load-balance",
1673 "name": "shortestpath",
1674 "type": "service-function-scheduler-type:shortest-path",
1681 If using the Linux curl command, it could be:
1683 .. code-block:: bash
1685 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache"
1686 --data '$${Service_function_schudule_type.json}' -X PUT
1687 --user admin:admin http://localhost:8181/restconf/config/service-function-scheduler-type:service-function-scheduler-types/
1690 Here is also a snapshot for using the RESTClient plugin:
1692 .. figure:: ./images/sfc/RESTClient-snapshot.png
1693 :alt: Mozilla Firefox RESTClient
1695 Mozilla Firefox RESTClient
1697 - SFC-UI.SFC-UI provides a drop down menu for service function
1698 selection algorithm. Here is a snapshot for the user interaction from
1699 SFC-UI when creating a Rendered Service Path.
1701 .. figure:: ./images/sfc/karaf-webui-select-a-type.png
1708 Some service function selection algorithms in the drop list are not
1709 implemented yet. Only the first three algorithms are committed at
1715 Select Service Function from the name list randomly.
1720 The Random algorithm is used to select one Service Function from the
1721 name list which it gets from the Service Function Type randomly.
1726 - Service Function information are stored in datastore.
1728 - Either no algorithm or the Random algorithm is selected.
1733 The Random algorithm will work either no algorithm type is selected or
1734 the Random algorithm is selected.
1739 Once the plugins are installed into Karaf successfully, a user can use
1740 his favorite method to select the Random scheduling algorithm type.
1741 There are no special instructions for using the Random algorithm.
1746 Select Service Function from the name list in Round Robin manner.
1751 The Round Robin algorithm is used to select one Service Function from
1752 the name list which it gets from the Service Function Type in a Round
1753 Robin manner, this will balance workloads to all Service Functions.
1754 However, this method cannot help all Service Functions load the same
1755 workload because it’s flow-based Round Robin.
1760 - Service Function information are stored in datastore.
1762 - Round Robin algorithm is selected
1767 The Round Robin algorithm will work one the Round Robin algorithm is
1773 Once the plugins are installed into Karaf successfully, a user can use
1774 his favorite method to select the Round Robin scheduling algorithm type.
1775 There are no special instructions for using the Round Robin algorithm.
1777 Load Balance Algorithm
1778 ^^^^^^^^^^^^^^^^^^^^^^
1780 Select appropriate Service Function by actual CPU utilization.
1785 The Load Balance Algorithm is used to select appropriate Service
1786 Function by actual CPU utilization of service functions. The CPU
1787 utilization of service function obtained from monitoring information
1788 reported via NETCONF.
1793 - CPU-utilization for Service Function.
1799 - Each VM has a NETCONF server and it could work with NETCONF client
1805 Set up VMs as Service Functions. enable NETCONF server in VMs. Ensure
1806 that you specify them separately. For example:
1808 a. Set up 4 VMs include 2 SFs' type are Firewall, Others are Napt44.
1809 Name them as firewall-1, firewall-2, napt44-1, napt44-2 as Service
1810 Function. The four VMs can run either the same server or different
1813 b. Install NETCONF server on every VM and enable it. More information on
1814 NETCONF can be found on the OpenDaylight wiki here:
1815 https://wiki.opendaylight.org/view/OpenDaylight_Controller:Config:Examples:Netconf:Manual_netopeer_installation
1817 c. Get Monitoring data from NETCONF server. These monitoring data should
1818 be get from the NETCONF server which is running in VMs. The following
1819 static XML data is an example:
1821 static XML data like this:
1825 <?xml version="1.0" encoding="UTF-8"?>
1826 <service-function-description-monitor-report>
1828 <number-of-dataports>2</number-of-dataports>
1830 <supported-packet-rate>5</supported-packet-rate>
1831 <supported-bandwidth>10</supported-bandwidth>
1832 <supported-ACL-number>2000</supported-ACL-number>
1833 <RIB-size>200</RIB-size>
1834 <FIB-size>100</FIB-size>
1837 <port-id>1</port-id>
1838 <ipaddress>10.0.0.1</ipaddress>
1839 <macaddress>00:1e:67:a2:5f:f4</macaddress>
1840 <supported-bandwidth>20</supported-bandwidth>
1843 <port-id>2</port-id>
1844 <ipaddress>10.0.0.2</ipaddress>
1845 <macaddress>01:1e:67:a2:5f:f6</macaddress>
1846 <supported-bandwidth>10</supported-bandwidth>
1851 <SF-monitoring-info>
1852 <liveness>true</liveness>
1853 <resource-utilization>
1854 <packet-rate-utilization>10</packet-rate-utilization>
1855 <bandwidth-utilization>15</bandwidth-utilization>
1856 <CPU-utilization>12</CPU-utilization>
1857 <memory-utilization>17</memory-utilization>
1858 <available-memory>8</available-memory>
1859 <RIB-utilization>20</RIB-utilization>
1860 <FIB-utilization>25</FIB-utilization>
1861 <power-utilization>30</power-utilization>
1862 <SF-ports-bandwidth-utilization>
1863 <port-bandwidth-utilization>
1864 <port-id>1</port-id>
1865 <bandwidth-utilization>20</bandwidth-utilization>
1866 </port-bandwidth-utilization>
1867 <port-bandwidth-utilization>
1868 <port-id>2</port-id>
1869 <bandwidth-utilization>30</bandwidth-utilization>
1870 </port-bandwidth-utilization>
1871 </SF-ports-bandwidth-utilization>
1872 </resource-utilization>
1873 </SF-monitoring-info>
1874 </service-function-description-monitor-report>
1876 a. Unzip SFC release tarball.
1878 b. Run SFC: ${sfc}/bin/karaf. More information on Service Function
1879 Chaining can be found on the OpenDaylight SFC’s wiki page:
1880 https://wiki.opendaylight.org/view/Service_Function_Chaining:Main
1882 a. Deploy the SFC2 (firewall-abstract2⇒napt44-abstract2) and click
1883 button to Create Rendered Service Path in SFC UI
1884 (http://localhost:8181/sfc/index.html).
1886 b. Verify the Rendered Service Path to ensure the CPU utilization of the
1887 selected hop is the minimum one among all the service functions with
1888 same type. The correct RSP is firewall-1⇒napt44-2
1890 Shortest Path Algorithm
1891 ^^^^^^^^^^^^^^^^^^^^^^^
1893 Select appropriate Service Function by Dijkstra’s algorithm. Dijkstra’s
1894 algorithm is an algorithm for finding the shortest paths between nodes
1900 The Shortest Path Algorithm is used to select appropriate Service
1901 Function by actual topology.
1906 - Deployed topology (include SFFs, SFs and their links).
1908 - Dijkstra’s algorithm. More information on Dijkstra’s algorithm can be
1909 found on the wiki here:
1910 http://en.wikipedia.org/wiki/Dijkstra%27s_algorithm
1915 a. Unzip SFC release tarball.
1917 b. Run SFC: ${sfc}/bin/karaf.
1919 c. Depoly SFFs and SFs. import the service-function-forwarders.json and
1920 service-functions.json in UI
1921 (http://localhost:8181/sfc/index.html#/sfc/config)
1923 service-function-forwarders.json:
1925 .. code-block:: none
1928 "service-function-forwarders": {
1929 "service-function-forwarder": [
1932 "service-node": "OVSDB-test01",
1933 "rest-uri": "http://localhost:5001",
1934 "sff-data-plane-locator": [
1937 "service-function-forwarder-ovs:ovs-bridge": {
1938 "uuid": "4c3778e4-840d-47f4-b45e-0988e514d26c",
1939 "bridge-name": "br-tun"
1941 "data-plane-locator": {
1943 "ip": "192.168.1.1",
1944 "transport": "service-locator:vxlan-gpe"
1948 "service-function-dictionary": [
1950 "sff-sf-data-plane-locator": {
1951 "sf-dpl-name": "sf1dpl",
1952 "sff-dpl-name": "sff1dpl"
1958 "sff-sf-data-plane-locator": {
1959 "sf-dpl-name": "sf2dpl",
1960 "sff-dpl-name": "sff2dpl"
1962 "name": "firewall-1",
1966 "connected-sff-dictionary": [
1974 "service-node": "OVSDB-test01",
1975 "rest-uri": "http://localhost:5002",
1976 "sff-data-plane-locator": [
1979 "service-function-forwarder-ovs:ovs-bridge": {
1980 "uuid": "fd4d849f-5140-48cd-bc60-6ad1f5fc0a1",
1981 "bridge-name": "br-tun"
1983 "data-plane-locator": {
1985 "ip": "192.168.1.2",
1986 "transport": "service-locator:vxlan-gpe"
1990 "service-function-dictionary": [
1992 "sff-sf-data-plane-locator": {
1993 "sf-dpl-name": "sf1dpl",
1994 "sff-dpl-name": "sff1dpl"
2000 "sff-sf-data-plane-locator": {
2001 "sf-dpl-name": "sf2dpl",
2002 "sff-dpl-name": "sff2dpl"
2004 "name": "firewall-2",
2008 "connected-sff-dictionary": [
2016 "service-node": "OVSDB-test01",
2017 "rest-uri": "http://localhost:5005",
2018 "sff-data-plane-locator": [
2021 "service-function-forwarder-ovs:ovs-bridge": {
2022 "uuid": "fd4d849f-5140-48cd-bc60-6ad1f5fc0a4",
2023 "bridge-name": "br-tun"
2025 "data-plane-locator": {
2027 "ip": "192.168.1.2",
2028 "transport": "service-locator:vxlan-gpe"
2032 "service-function-dictionary": [
2034 "sff-sf-data-plane-locator": {
2035 "sf-dpl-name": "sf1dpl",
2036 "sff-dpl-name": "sff1dpl"
2038 "name": "test-server",
2042 "sff-sf-data-plane-locator": {
2043 "sf-dpl-name": "sf2dpl",
2044 "sff-dpl-name": "sff2dpl"
2046 "name": "test-client",
2050 "connected-sff-dictionary": [
2063 service-functions.json:
2065 .. code-block:: none
2068 "service-functions": {
2069 "service-function": [
2071 "rest-uri": "http://localhost:10001",
2072 "ip-mgmt-address": "10.3.1.103",
2073 "sf-data-plane-locator": [
2075 "name": "preferred",
2078 "service-function-forwarder": "SFF-br1"
2085 "rest-uri": "http://localhost:10002",
2086 "ip-mgmt-address": "10.3.1.103",
2087 "sf-data-plane-locator": [
2092 "service-function-forwarder": "SFF-br2"
2099 "rest-uri": "http://localhost:10003",
2100 "ip-mgmt-address": "10.3.1.103",
2101 "sf-data-plane-locator": [
2106 "service-function-forwarder": "SFF-br1"
2109 "name": "firewall-1",
2113 "rest-uri": "http://localhost:10004",
2114 "ip-mgmt-address": "10.3.1.103",
2115 "sf-data-plane-locator": [
2120 "service-function-forwarder": "SFF-br2"
2123 "name": "firewall-2",
2127 "rest-uri": "http://localhost:10005",
2128 "ip-mgmt-address": "10.3.1.103",
2129 "sf-data-plane-locator": [
2134 "service-function-forwarder": "SFF-br3"
2137 "name": "test-server",
2141 "rest-uri": "http://localhost:10006",
2142 "ip-mgmt-address": "10.3.1.103",
2143 "sf-data-plane-locator": [
2148 "service-function-forwarder": "SFF-br3"
2151 "name": "test-client",
2158 The deployed topology like this:
2160 .. code-block:: none
2162 +----+ +----+ +----+
2163 |sff1|+----------|sff3|---------+|sff2|
2164 +----+ +----+ +----+
2166 +--------------+ +--------------+
2168 +----------+ +--------+ +----------+ +--------+
2169 |firewall-1| |napt44-1| |firewall-2| |napt44-2|
2170 +----------+ +--------+ +----------+ +--------+
2172 - Deploy the SFC2(firewall-abstract2⇒napt44-abstract2), select
2173 "Shortest Path" as schedule type and click button to Create Rendered
2174 Service Path in SFC UI (http://localhost:8181/sfc/index.html).
2176 .. figure:: ./images/sfc/sf-schedule-type.png
2177 :alt: select schedule type
2179 select schedule type
2181 - Verify the Rendered Service Path to ensure the selected hops are
2182 linked in one SFF. The correct RSP is firewall-1⇒napt44-1 or
2183 firewall-2⇒napt44-2. The first SF type is Firewall in Service
2184 Function Chain. So the algorithm will select first Hop randomly among
2185 all the SFs type is Firewall. Assume the first selected SF is
2186 firewall-2. All the path from firewall-1 to SF which type is Napt44
2189 - Path1: firewall-2 → sff2 → napt44-2
2191 - Path2: firewall-2 → sff2 → sff3 → sff1 → napt44-1 The shortest
2192 path is Path1, so the selected next hop is napt44-2.
2194 .. figure:: ./images/sfc/sf-rendered-service-path.png
2195 :alt: rendered service path
2197 rendered service path
2199 Service Function Load Balancing User Guide
2200 ------------------------------------------
2205 SFC Load-Balancing feature implements load balancing of Service
2206 Functions, rather than a one-to-one mapping between
2207 Service-Function-Forwarder and Service-Function.
2209 Load Balancing Architecture
2210 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
2212 Service Function Groups (SFG) can replace Service Functions (SF) in the
2213 Rendered Path model. A Service Path can only be defined using SFGs or
2214 SFs, but not a combination of both.
2216 Relevant objects in the YANG model are as follows:
2218 1. Service-Function-Group-Algorithm:
2222 Service-Function-Group-Algorithms {
2223 Service-Function-Group-Algorithm {
2231 Available types: ALL, SELECT, INDIRECT, FAST_FAILURE
2233 2. Service-Function-Group:
2237 Service-Function-Groups {
2238 Service-Function-Group {
2240 String serviceFunctionGroupAlgorithmName
2243 Service-Function-Group-Element {
2244 String service-function-name
2250 3. ServiceFunctionHop: holds a reference to a name of SFG (or SF)
2255 This tutorial will explain how to create a simple SFC configuration,
2256 with SFG instead of SF. In this example, the SFG will include two
2262 For general SFC setup and scenarios, please see the SFC wiki page:
2263 https://wiki.opendaylight.org/view/Service_Function_Chaining:Main#SFC_101
2269 http://127.0.0.1:8181/restconf/config/service-function-group-algorithm:service-function-group-algorithms
2271 .. code-block:: none
2274 "service-function-group-algorithm": [
2282 (Header "content-type": application/json)
2284 Verify: get all algorithms
2285 ^^^^^^^^^^^^^^^^^^^^^^^^^^
2288 http://127.0.0.1:8181/restconf/config/service-function-group-algorithm:service-function-group-algorithms
2290 In order to delete all algorithms: DELETE -
2291 http://127.0.0.1:8181/restconf/config/service-function-group-algorithm:service-function-group-algorithms
2297 http://127.0.0.1:8181/restconf/config/service-function-group:service-function-groups
2299 .. code-block:: none
2302 "service-function-group": [
2304 "rest-uri": "http://localhost:10002",
2305 "ip-mgmt-address": "10.3.1.103",
2306 "algorithm": "alg1",
2309 "sfc-service-function": [
2314 "name":"napt44-103-1"
2321 Verify: get all SFG’s
2322 ^^^^^^^^^^^^^^^^^^^^^
2325 http://127.0.0.1:8181/restconf/config/service-function-group:service-function-groups
2327 SFC Proof of Transit User Guide
2328 -------------------------------
2333 Several deployments use traffic engineering, policy routing, segment
2334 routing or service function chaining (SFC) to steer packets through a
2335 specific set of nodes. In certain cases regulatory obligations or a
2336 compliance policy require to prove that all packets that are supposed to
2337 follow a specific path are indeed being forwarded across the exact set
2338 of nodes specified. I.e. if a packet flow is supposed to go through a
2339 series of service functions or network nodes, it has to be proven that
2340 all packets of the flow actually went through the service chain or
2341 collection of nodes specified by the policy. In case the packets of a
2342 flow weren’t appropriately processed, a proof of transit egress device
2343 would be required to identify the policy violation and take
2344 corresponding actions (e.g. drop or redirect the packet, send an alert
2345 etc.) corresponding to the policy.
2347 Service Function Chaining (SFC) Proof of Transit (SFC PoT)
2348 implements Service Chaining Proof of Transit functionality on capable
2349 network devices. Proof of Transit defines mechanisms to securely
2350 prove that traffic transited the defined path. After the creation of an
2351 Rendered Service Path (RSP), a user can configure to enable SFC proof
2352 of transit on the selected RSP to effect the proof of transit.
2354 To ensure that the data traffic follows a specified path or a function
2355 chain, meta-data is added to user traffic in the form of a header. The
2356 meta-data is based on a 'share of a secret' and provisioned by the SFC
2357 PoT configuration from ODL over a secure channel to each of the nodes
2358 in the SFC. This meta-data is updated at each of the service-hop while
2359 a designated node called the verifier checks whether the collected
2360 meta-data allows the retrieval of the secret.
2362 The following diagram shows the overview and essentially utilizes Shamir's
2363 secret sharing algorithm, where each service is given a point on the
2364 curve and when the packet travels through each service, it collects these
2365 points (meta-data) and a verifier node tries to re-construct the curve
2366 using the collected points, thus verifying that the packet traversed
2367 through all the service functions along the chain.
2369 .. figure:: ./images/sfc/sfc-pot-intro.png
2370 :alt: SFC Proof of Transit overview
2372 SFC Proof of Transit overview
2374 Transport options for different protocols includes a new TLV in SR header
2375 for Segment Routing, NSH Type-2 meta-data, IPv6 extension headers, IPv4
2376 variants and for VXLAN-GPE. More details are captured in the following
2379 In-situ OAM: https://github.com/CiscoDevNet/iOAM
2381 Common acronyms used in the following sections:
2383 - SF - Service Function
2385 - SFF - Service Function Forwarder
2387 - SFC - Service Function Chain
2389 - SFP - Service Function Path
2391 - RSP - Rendered Service Path
2393 - SFC PoT - Service Function Chain Proof of Transit
2396 SFC Proof of Transit Architecture
2397 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2399 SFC PoT feature is implemented as a two-part implementation with a
2400 north-bound handler that augments the RSP while a south-bound renderer
2401 auto-generates the required parameters and passes it on to the nodes
2402 that belong to the SFC.
2404 The north-bound feature is enabled via odl-sfc-pot feature while the
2405 south-bound renderer is enabled via the odl-sfc-pot-netconf-renderer
2406 feature. For the purposes of SFC PoT handling, both features must be
2409 RPC handlers to augment the RSP are part of ``SfcPotRpc`` while the
2410 RSP augmentation to enable or disable SFC PoT feature is done via
2411 ``SfcPotRspProcessor``.
2414 SFC Proof of Transit entities
2415 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2417 In order to implement SFC Proof of Transit for a service function chain,
2418 an RSP is a pre-requisite to identify the SFC to enable SFC PoT on. SFC
2419 Proof of Transit for a particular RSP is enabled by an RPC request to
2420 the controller along with necessary parameters to control some of the
2421 aspects of the SFC Proof of Transit process.
2423 The RPC handler identifies the RSP and adds PoT feature meta-data like
2424 enable/disable, number of PoT profiles, profiles refresh parameters etc.,
2425 that directs the south-bound renderer appropriately when RSP changes
2426 are noticed via call-backs in the renderer handlers.
2428 Administering SFC Proof of Transit
2429 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2431 To use the SFC Proof of Transit Karaf, at least the following Karaf
2432 features must be installed:
2442 - odl-netconf-topology
2444 - odl-netconf-connector-all
2448 Please note that the odl-sfc-pot-netconf-renderer or other renderers in future
2449 must be installed for the feature to take full-effect. The details of the renderer
2450 features are described in other parts of this document.
2452 SFC Proof of Transit Tutorial
2453 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2458 This tutorial is a simple example how to configure Service Function
2459 Chain Proof of Transit using SFC POT feature.
2464 To enable a device to handle SFC Proof of Transit, it is expected that
2465 the NETCONF node device advertise capability as under ioam-sb-pot.yang
2466 present under sfc-model/src/main/yang folder. It is also expected that base
2467 NETCONF support be enabled and its support capability advertised as capabilities.
2469 NETCONF support:``urn:ietf:params:netconf:base:1.0``
2471 PoT support: ``(urn:cisco:params:xml:ns:yang:sfc-ioam-sb-pot?revision=2017-01-12)sfc-ioam-sb-pot``
2473 It is also expected that the devices are netconf mounted and available
2474 in the topology-netconf store.
2479 When SFC Proof of Transit is installed, all netconf nodes in topology-netconf
2480 are processed and all capable nodes with accessible mountpoints are cached.
2482 First step is to create the required RSP as is usually done using RSP creation
2485 Once RSP name is available it is used to send a POST RPC to the
2486 controller similar to below:
2489 http://ODL-IP:8181/restconf/operations/sfc-ioam-nb-pot:enable-sfc-ioam-pot-rendered-path/
2491 .. code-block:: none
2496 "sfc-ioam-pot-rsp-name": "sfc-path-3sf3sff",
2497 "ioam-pot-enable":true,
2498 "ioam-pot-num-profiles":2,
2499 "ioam-pot-bit-mask":"bits32",
2500 "refresh-period-time-units":"milliseconds",
2501 "refresh-period-value":5000
2505 The following can be used to disable the SFC Proof of Transit on an RSP
2506 which disables the PoT feature.
2509 http://ODL-IP:8181/restconf/operations/sfc-ioam-nb-pot:disable-sfc-ioam-pot-rendered-path/
2511 .. code-block:: none
2516 "sfc-ioam-pot-rsp-name": "sfc-path-3sf3sff",
2520 SFC PoT NETCONF Renderer User Guide
2521 -----------------------------------
2526 The SFC Proof of Transit (PoT) NETCONF renderer implements SFC Proof of
2527 Transit functionality on NETCONF-capable devices, that have advertised
2528 support for in-situ OAM (iOAM) support.
2530 It listens for an update to an existing RSP with enable or disable proof of
2531 transit support and adds the auto-generated SFC PoT configuration parameters
2532 to all the SFC hop nodes. The last node in the SFC is configured as a
2533 verifier node to allow SFC PoT process to be completed.
2535 Common acronyms are used as below:
2537 - SF - Service Function
2539 - SFC - Service Function Chain
2541 - RSP - Rendered Service Path
2543 - SFF - Service Function Forwarder
2546 Mapping to SFC entities
2547 ~~~~~~~~~~~~~~~~~~~~~~~
2549 The renderer module listens to RSP updates in ``SfcPotNetconfRSPListener``
2550 and triggers configuration generation in ``SfcPotNetconfIoam`` class. Node
2551 arrival and leaving are managed via ``SfcPotNetconfNodeManager`` and
2552 ``SfcPotNetconfNodeListener``. In addition there is a timer thread that
2553 runs to generate configuration periodically to refresh the profiles in the
2554 nodes that are part of the SFC.
2557 Administering SFC PoT NETCONF Renderer
2558 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2560 To use the SFC Proof of Transit Karaf, the following Karaf features must
2571 - odl-netconf-topology
2573 - odl-netconf-connector-all
2577 - odl-sfc-pot-netconf-renderer
2580 SFC PoT NETCONF Renderer Tutorial
2581 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2586 This tutorial is a simple example how to enable SFC PoT on NETCONF-capable
2592 The NETCONF-capable device will have to support sfc-ioam-sb-pot.yang file.
2594 It is expected that a NETCONF-capable VPP device has Honeycomb (Hc2vpp)
2595 Java-based agent that helps to translate between NETCONF and VPP internal
2598 More details are here:
2599 In-situ OAM: https://github.com/CiscoDevNet/iOAM
2603 When the SFC PoT NETCONF renderer module is installed, all NETCONF nodes in
2604 topology-netconf are processed and all sfc-ioam-sb-pot yang capable nodes
2605 with accessible mountpoints are cached.
2607 The first step is to create RSP for the SFC as per SFC guidelines above.
2609 Enable SFC PoT is done on the RSP via RESTCONF to the ODL as outlined above.
2611 Internally, the NETCONF renderer will act on the callback to a modified RSP
2612 that has PoT enabled.
2614 In-situ OAM algorithms for auto-generation of SFC PoT parameters are
2615 generated automatically and sent to these nodes via NETCONF.
2617 Logical Service Function Forwarder
2618 ----------------------------------
2623 .. _sfc-user-guide-logical-sff-motivation:
2627 When the current SFC is deployed in a cloud environment, it is assumed that each
2628 switch connected to a Service Function is configured as a Service Function
2629 Forwarder and each Service Function is connected to its Service Function
2630 Forwarder depending on the Compute Node where the Virtual Machine is located.
2632 .. figure:: ./images/sfc/sfc-in-cloud.png
2633 :alt: Deploying SFC in Cloud Environments
2635 As shown in the picture above, this solution allows the basic cloud use cases to
2636 be fulfilled, as for example, the ones required in OPNFV Brahmaputra, however,
2637 some advanced use cases like the transparent migration of VMs can not be
2638 implemented. The Logical Service Function Forwarder enables the following
2641 1. Service Function mobility without service disruption
2642 2. Service Functions load balancing and failover
2644 As shown in the picture below, the Logical Service Function Forwarder concept
2645 extends the current SFC northbound API to provide an abstraction of the
2646 underlying Data Center infrastructure. The Data Center underlaying network can
2647 be abstracted by a single SFF. This single SFF uses the logical port UUID as
2648 data plane locator to connect SFs globally and in a location-transparent manner.
2649 SFC makes use of `Genius <./genius-user-guide.html>`__ project to track the
2650 location of the SF's logical ports.
2652 .. figure:: ./images/sfc/single-logical-sff-concept.png
2653 :alt: Single Logical SFF concept
2655 The SFC internally distributes the necessary flow state over the relevant
2656 switches based on the internal Data Center topology and the deployment of SFs.
2658 Changes in data model
2659 ~~~~~~~~~~~~~~~~~~~~~
2660 The Logical Service Function Forwarder concept extends the current SFC
2661 northbound API to provide an abstraction of the underlying Data Center
2664 The Logical SFF simplifies the configuration of the current SFC data model by
2665 reducing the number of parameters to be be configured in every SFF, since the
2666 controller will discover those parameters by interacting with the services
2667 offered by the `Genius <./genius-user-guide.html>`__ project.
2669 The following picture shows the Logical SFF data model. The model gets
2670 simplified as most of the configuration parameters of the current SFC data model
2671 are discovered in runtime. The complete YANG model can be found here
2672 `logical SFF model <https://github.com/opendaylight/sfc/blob/master/sfc-model/src/main/yang/service-function-forwarder-logical.yang>`__.
2674 .. figure:: ./images/sfc/logical-sff-datamodel.png
2675 :alt: Logical SFF data model
2677 How to configure the Logical SFF
2678 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2679 The following are examples to configure the Logical SFF:
2681 .. code-block:: bash
2683 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache"
2684 --data '${JSON}' -X PUT --user
2685 admin:admin http://localhost:8181/restconf/config/restconf/config/service-function:service-functions/
2687 **Service Functions JSON.**
2689 .. code-block:: none
2692 "service-functions": {
2693 "service-function": [
2695 "name": "firewall-1",
2697 "sf-data-plane-locator": [
2699 "name": "firewall-dpl",
2700 "interface-name": "eccb57ae-5a2e-467f-823e-45d7bb2a6a9a",
2701 "transport": "service-locator:eth-nsh",
2702 "service-function-forwarder": "sfflogical1"
2710 "sf-data-plane-locator": [
2713 "interface-name": "df15ac52-e8ef-4e9a-8340-ae0738aba0c0",
2714 "transport": "service-locator:eth-nsh",
2715 "service-function-forwarder": "sfflogical1"
2723 .. code-block:: bash
2725 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache"
2726 --data '${JSON}' -X PUT --user
2727 admin:admin http://localhost:8181/restconf/config/service-function-forwarder:service-function-forwarders/
2729 **Service Function Forwarders JSON.**
2731 .. code-block:: none
2734 "service-function-forwarders": {
2735 "service-function-forwarder": [
2737 "name": "sfflogical1"
2743 .. code-block:: bash
2745 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache"
2746 --data '${JSON}' -X PUT --user
2747 admin:admin http://localhost:8181/restconf/config/service-function-chain:service-function-chains/
2749 **Service Function Chains JSON.**
2751 .. code-block:: none
2754 "service-function-chains": {
2755 "service-function-chain": [
2758 "sfc-service-function": [
2760 "name": "dpi-abstract1",
2764 "name": "firewall-abstract1",
2771 "sfc-service-function": [
2773 "name": "dpi-abstract1",
2782 .. code-block:: bash
2784 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache"
2785 --data '${JSON}' -X PUT --user
2786 admin:admin http://localhost:8182/restconf/config/service-function-chain:service-function-paths/
2788 **Service Function Paths JSON.**
2790 .. code-block:: none
2793 "service-function-paths": {
2794 "service-function-path": [
2797 "service-chain-name": "SFC1",
2798 "starting-index": 255,
2799 "symmetric": "true",
2800 "context-metadata": "NSH1",
2801 "transport-type": "service-locator:vxlan-gpe"
2808 As a result of above configuration, OpenDaylight renders the needed flows in all involved SFFs. Those flows implement:
2810 - Two Rendered Service Paths:
2812 - dpi-1 (SF1), firewall-1 (SF2)
2813 - firewall-1 (SF2), dpi-1 (SF1)
2815 - The communication between SFFs and SFs based on eth-nsh
2817 - The communication between SFFs based on vxlan-gpe
2819 The following picture shows a topology and traffic flow (in green) which corresponds to the above configuration.
2821 .. figure:: ./images/sfc/single-logical-sff-example.png
2822 :alt: Logical SFF Example
2829 The Logical SFF functionality allows OpenDaylight to find out the SFFs holding
2830 the SFs involved in a path. In this example the SFFs affected are Node3 and
2831 Node4 thus the controller renders the flows containing NSH parameters just in
2834 Here you have the new flows rendered in Node3 and Node4 which implement the NSH
2835 protocol. Every Rendered Service Path is represented by an NSP value. We
2836 provisioned a symmetric RSP so we get two NSPs: 8388613 and 5. Node3 holds the
2837 first SF of NSP 8388613 and the last SF of NSP 5. Node 4 holds the first SF of
2838 NSP 5 and the last SF of NSP 8388613. Both Node3 and Node4 will pop the NSH
2839 header when the received packet has gone through the last SF of its path.
2841 **Rendered flows Node 3**
2845 cookie=0x14, duration=59.264s, table=83, n_packets=0, n_bytes=0, priority=250,nsp=5 actions=goto_table:86
2846 cookie=0x14, duration=59.194s, table=83, n_packets=0, n_bytes=0, priority=250,nsp=8388613 actions=goto_table:86
2847 cookie=0x14, duration=59.257s, table=86, n_packets=0, n_bytes=0, priority=550,nsi=254,nsp=5 actions=load:0x8e0a37cc9094->NXM_NX_ENCAP_ETH_SRC[],load:0x6ee006b4c51e->NXM_NX_ENCAP_ETH_DST[],goto_table:87
2848 cookie=0x14, duration=59.189s, table=86, n_packets=0, n_bytes=0, priority=550,nsi=255,nsp=8388613 actions=load:0x8e0a37cc9094->NXM_NX_ENCAP_ETH_SRC[],load:0x6ee006b4c51e->NXM_NX_ENCAP_ETH_DST[],goto_table:87
2849 cookie=0xba5eba1100000203, duration=59.213s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=253,nsp=5 actions=pop_nsh,set_field:6e:e0:06:b4:c5:1e->eth_src,resubmit(,17)
2850 cookie=0xba5eba1100000201, duration=59.213s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=254,nsp=5 actions=load:0x800->NXM_NX_REG6[],resubmit(,220)
2851 cookie=0xba5eba1100000201, duration=59.188s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=255,nsp=8388613 actions=load:0x800->NXM_NX_REG6[],resubmit(,220)
2852 cookie=0xba5eba1100000201, duration=59.182s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=254,nsp=8388613 actions=set_field:0->tun_id,output:6
2854 **Rendered Flows Node 4**
2858 cookie=0x14, duration=69.040s, table=83, n_packets=0, n_bytes=0, priority=250,nsp=5 actions=goto_table:86
2859 cookie=0x14, duration=69.008s, table=83, n_packets=0, n_bytes=0, priority=250,nsp=8388613 actions=goto_table:86
2860 cookie=0x14, duration=69.040s, table=86, n_packets=0, n_bytes=0, priority=550,nsi=255,nsp=5 actions=load:0xbea93873f4fa->NXM_NX_ENCAP_ETH_SRC[],load:0x214845ea85d->NXM_NX_ENCAP_ETH_DST[],goto_table:87
2861 cookie=0x14, duration=69.005s, table=86, n_packets=0, n_bytes=0, priority=550,nsi=254,nsp=8388613 actions=load:0xbea93873f4fa->NXM_NX_ENCAP_ETH_SRC[],load:0x214845ea85d->NXM_NX_ENCAP_ETH_DST[],goto_table:87
2862 cookie=0xba5eba1100000201, duration=69.029s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=255,nsp=5 actions=load:0x1100->NXM_NX_REG6[],resubmit(,220)
2863 cookie=0xba5eba1100000201, duration=69.029s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=254,nsp=5 actions=set_field:0->tun_id,output:1
2864 cookie=0xba5eba1100000201, duration=68.999s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=254,nsp=8388613 actions=load:0x1100->NXM_NX_REG6[],resubmit(,220)
2865 cookie=0xba5eba1100000203, duration=68.996s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=253,nsp=8388613 actions=pop_nsh,set_field:02:14:84:5e:a8:5d->eth_src,resubmit(,17)
2868 An interesting scenario to show the Logical SFF strength is the migration of a
2869 SF from a compute node to another. The OpenDaylight will learn the new topology
2870 by itself, then it will re-render the new flows to the new SFFs affected.
2872 .. figure:: ./images/sfc/single-logical-sff-example-migration.png
2873 :alt: Logical SFF - SF Migration Example
2877 Logical SFF - SF Migration Example
2880 In our example, SF2 is moved from Node4 to Node2 then OpenDaylight removes NSH
2881 specific flows from Node4 and puts them in Node2. Check below flows showing this
2882 effect. Now Node3 keeps holding the first SF of NSP 8388613 and the last SF of
2883 NSP 5; but Node2 becomes the new holder of the first SF of NSP 5 and the last SF
2886 **Rendered Flows Node 3 After Migration**
2890 cookie=0x14, duration=64.044s, table=83, n_packets=0, n_bytes=0, priority=250,nsp=5 actions=goto_table:86
2891 cookie=0x14, duration=63.947s, table=83, n_packets=0, n_bytes=0, priority=250,nsp=8388613 actions=goto_table:86
2892 cookie=0x14, duration=64.044s, table=86, n_packets=0, n_bytes=0, priority=550,nsi=254,nsp=5 actions=load:0x8e0a37cc9094->NXM_NX_ENCAP_ETH_SRC[],load:0x6ee006b4c51e->NXM_NX_ENCAP_ETH_DST[],goto_table:87
2893 cookie=0x14, duration=63.947s, table=86, n_packets=0, n_bytes=0, priority=550,nsi=255,nsp=8388613 actions=load:0x8e0a37cc9094->NXM_NX_ENCAP_ETH_SRC[],load:0x6ee006b4c51e->NXM_NX_ENCAP_ETH_DST[],goto_table:87
2894 cookie=0xba5eba1100000201, duration=64.034s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=254,nsp=5 actions=load:0x800->NXM_NX_REG6[],resubmit(,220)
2895 cookie=0xba5eba1100000203, duration=64.034s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=253,nsp=5 actions=pop_nsh,set_field:6e:e0:06:b4:c5:1e->eth_src,resubmit(,17)
2896 cookie=0xba5eba1100000201, duration=63.947s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=255,nsp=8388613 actions=load:0x800->NXM_NX_REG6[],resubmit(,220)
2897 cookie=0xba5eba1100000201, duration=63.942s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=254,nsp=8388613 actions=set_field:0->tun_id,output:2
2899 **Rendered Flows Node 2 After Migration**
2903 cookie=0x14, duration=56.856s, table=83, n_packets=0, n_bytes=0, priority=250,nsp=5 actions=goto_table:86
2904 cookie=0x14, duration=56.755s, table=83, n_packets=0, n_bytes=0, priority=250,nsp=8388613 actions=goto_table:86
2905 cookie=0x14, duration=56.847s, table=86, n_packets=0, n_bytes=0, priority=550,nsi=255,nsp=5 actions=load:0xbea93873f4fa->NXM_NX_ENCAP_ETH_SRC[],load:0x214845ea85d->NXM_NX_ENCAP_ETH_DST[],goto_table:87
2906 cookie=0x14, duration=56.755s, table=86, n_packets=0, n_bytes=0, priority=550,nsi=254,nsp=8388613 actions=load:0xbea93873f4fa->NXM_NX_ENCAP_ETH_SRC[],load:0x214845ea85d->NXM_NX_ENCAP_ETH_DST[],goto_table:87
2907 cookie=0xba5eba1100000201, duration=56.823s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=255,nsp=5 actions=load:0x1100->NXM_NX_REG6[],resubmit(,220)
2908 cookie=0xba5eba1100000201, duration=56.823s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=254,nsp=5 actions=set_field:0->tun_id,output:4
2909 cookie=0xba5eba1100000201, duration=56.755s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=254,nsp=8388613 actions=load:0x1100->NXM_NX_REG6[],resubmit(,220)
2910 cookie=0xba5eba1100000203, duration=56.750s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=253,nsp=8388613 actions=pop_nsh,set_field:02:14:84:5e:a8:5d->eth_src,resubmit(,17)
2912 **Rendered Flows Node 4 After Migration**
2916 -- No flows for NSH processing --
2918 .. _sfc-user-guide-classifier-impacts:
2923 As previously mentioned, in the :ref:`Logical SFF rationale
2924 <sfc-user-guide-logical-sff-motivation>`, the Logical SFF feature relies on
2925 Genius to get the dataplane IDs of the OpenFlow switches, in order to properly
2926 steer the traffic through the chain.
2928 Since one of the classifier's objectives is to steer the packets *into* the
2929 SFC domain, the classifier has to be aware of where the first Service
2930 Function is located - if it migrates somewhere else, the classifier table
2931 has to be updated accordingly, thus enabling the seemless migration of Service
2934 For this feature, mobility of the client VM is out of scope, and should be
2935 managed by its high-availability module, or VNF manager.
2937 Keep in mind that classification *always* occur in the compute-node where
2938 the client VM (i.e. traffic origin) is running.
2940 How to attach the classifier to a Logical SFF
2941 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2943 In order to leverage this functionality, the classifier has to be configured
2944 using a Logical SFF as an attachment-point, specifying within it the neutron
2947 The following examples show how to configure an ACL, and a classifier having
2948 a Logical SFF as an attachment-point:
2950 **Configure an ACL**
2952 The following ACL enables traffic intended for port 80 within the subnetwork
2953 192.168.2.0/24, for RSP1 and RSP1-Reverse.
2955 .. code-block:: none
2962 "acl-type": "ietf-access-control-list:ipv4-acl",
2963 "access-list-entries": {
2966 "rule-name": "ACE1",
2968 "service-function-acl:rendered-service-path": "RSP1"
2971 "destination-ipv4-network": "192.168.2.0/24",
2972 "source-ipv4-network": "192.168.2.0/24",
2974 "source-port-range": {
2977 "destination-port-range": {
2987 "acl-type": "ietf-access-control-list:ipv4-acl",
2988 "access-list-entries": {
2991 "rule-name": "ACE2",
2993 "service-function-acl:rendered-service-path": "RSP1-Reverse"
2996 "destination-ipv4-network": "192.168.2.0/24",
2997 "source-ipv4-network": "192.168.2.0/24",
2999 "source-port-range": {
3002 "destination-port-range": {
3014 .. code-block:: bash
3016 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache"
3017 --data '${JSON}' -X PUT --user
3018 admin:admin http://localhost:8181/restconf/config/ietf-access-control-list:access-lists/
3020 **Configure a classifier JSON**
3022 The following JSON provisions a classifier, having a Logical SFF as an
3023 attachment point. The value of the field 'interface' is where you
3024 indicate the neutron ports of the VMs you want to classify.
3026 .. code-block:: none
3029 "service-function-classifiers": {
3030 "service-function-classifier": [
3032 "name": "Classifier1",
3033 "scl-service-function-forwarder": [
3035 "name": "sfflogical1",
3036 "interface": "09a78ba3-78ba-40f5-a3ea-1ce708367f2b"
3041 "type": "ietf-access-control-list:ipv4-acl"
3048 .. code-block:: bash
3050 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache"
3051 --data '${JSON}' -X PUT --user
3052 admin:admin http://localhost:8181/restconf/config/service-function-classifier:service-function-classifiers/
3054 .. _sfc-user-guide-pipeline-impacts:
3056 SFC pipeline impacts
3057 ~~~~~~~~~~~~~~~~~~~~
3059 After binding SFC service with a particular interface by means of Genius, as
3060 explained in the :ref:`Genius User Guide <genius-user-guide-binding-services>`,
3061 the entry point in the SFC pipeline will be table 82
3062 (SFC_TRANSPORT_CLASSIFIER_TABLE), and from that point, packet processing will be
3063 similar to the :ref:`SFC OpenFlow pipeline <sfc-user-guide-sfc-of-pipeline>`,
3064 just with another set of specific tables for the SFC service.
3066 This picture shows the SFC pipeline after service integration with Genius:
3068 .. figure:: ./images/sfc/LSFF_pipeline.png
3069 :alt: SFC Logical SFF OpenFlow pipeline
3071 SFC Logical SFF OpenFlow pipeline
3073 Directional data plane locators for symmetric paths
3074 ---------------------------------------------------
3079 A symmetric path results from a Service Function Path with the symmetric field
3080 set or when any of the constituent Service Functions is set as bidirectional.
3081 Such a path is defined by two Rendered Service Paths where one of them steers
3082 the traffic through the same Service Functions as the other but in opposite
3083 order. These two Rendered Service Paths are also said to be symmetric to each
3084 other and gives to each path a sense of direction: The Rendered Service Path
3085 that corresponds to the same order of Service Functions as that defined on the
3086 Service Function Chain is tagged as the forward or up-link path, while the
3087 Rendered Service Path that corresponds to the opposite order is tagged as
3088 reverse or down-link path.
3090 Directional data plane locators allow the use of different interfaces or
3091 interface details between the Service Function Forwarder and the Service
3092 Function in relation with the direction of the path for which they are being
3093 used. This function is relevant for Service Functions that would have no other
3094 way of discerning the direction of the traffic, like for example legacy
3095 bump-in-the-wire network devices.
3099 +-----------------------------------------------+
3104 | sf-forward-dpl sf-reverse-dpl |
3105 +--------+-----------------------------+--------+
3111 Forward Path | Reverse Path Forward Path | Reverse Path
3118 +-----------+-----------------------------------------+
3119 Forward Path | sff-forward-dpl sff-reverse-dpl | Forward Path
3120 +--------------> | | +-------------->
3124 <--------------+ | | <--------------+
3125 Reverse Path | | Reverse Path
3126 +-----------------------------------------------------+
3128 As shown in the previous figure, the forward path egress from the Service
3129 Function Forwarder towards the Service Function is defined by the
3130 sff-forward-dpl and sf-forward-dpl data plane locators. The forward path
3131 ingress from the Service Function to the Service Function Forwarder is defined
3132 by the sf-reverse-dpl and sff-reverse-dpl data plane locators. For the reverse
3133 path, it's the opposite: the sff-reverse-dpl and sf-reverse-dpl define the
3134 egress from the Service Function Forwarder to the Service Function, and the
3135 sf-forward-dpl and sff-forward-dpl define the ingress into the Service Function
3136 Forwarder from the Service Function.
3138 .. note:: Directional data plane locators are only supported in combination
3139 with the SFC OF Renderer at this time.
3144 Directional data plane locators are configured within the
3145 service-function-forwarder in the service-function-dictionary entity, which
3146 describes the association between a Service Function Forwarder and Service
3149 .. code-block:: none
3150 :caption: service-function-forwarder.yang
3152 list service-function-dictionary {
3155 type sfc-common:sf-name;
3157 "The name of the service function.";
3159 container sff-sf-data-plane-locator {
3161 "SFF and SF data plane locators to use when sending
3162 packets from this SFF to the associated SF";
3164 type sfc-common:sf-data-plane-locator-name;
3166 "The SF data plane locator to use when sending
3167 packets to the associated service function.
3168 Used both as forward and reverse locators for
3169 paths of a symmetric chain.";
3172 type sfc-common:sff-data-plane-locator-name;
3174 "The SFF data plane locator to use when sending
3175 packets to the associated service function.
3176 Used both as forward and reverse locators for
3177 paths of a symmetric chain.";
3179 leaf sf-forward-dpl-name {
3180 type sfc-common:sf-data-plane-locator-name;
3182 "The SF data plane locator to use when sending
3183 packets to the associated service function
3184 on the forward path of a symmetric chain";
3186 leaf sf-reverse-dpl-name {
3187 type sfc-common:sf-data-plane-locator-name;
3189 "The SF data plane locator to use when sending
3190 packets to the associated service function
3191 on the reverse path of a symmetric chain";
3193 leaf sff-forward-dpl-name {
3194 type sfc-common:sff-data-plane-locator-name;
3196 "The SFF data plane locator to use when sending
3197 packets to the associated service function
3198 on the forward path of a symmetric chain.";
3200 leaf sff-reverse-dpl-name {
3201 type sfc-common:sff-data-plane-locator-name;
3203 "The SFF data plane locator to use when sending
3204 packets to the associated service function
3205 on the reverse path of a symmetric chain.";
3213 The following configuration example is based on the Logical SFF configuration
3214 one. Only the Service Function and Service Function Forwarder configuration
3215 changes with respect to that example:
3217 .. code-block:: bash
3219 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache"
3220 --data '${JSON}' -X PUT --user
3221 admin:admin http://localhost:8181/restconf/config/restconf/config/service-function:service-functions/
3223 **Service Functions JSON.**
3225 .. code-block:: none
3228 "service-functions": {
3229 "service-function": [
3231 "name": "firewall-1",
3233 "sf-data-plane-locator": [
3235 "name": "sf-firewall-net-A-dpl",
3236 "interface-name": "eccb57ae-5a2e-467f-823e-45d7bb2a6a9a",
3237 "transport": "service-locator:mac",
3238 "service-function-forwarder": "sfflogical1"
3242 "name": "sf-firewall-net-B-dpl",
3243 "interface-name": "7764b6f1-a5cd-46be-9201-78f917ddee1d",
3244 "transport": "service-locator:mac",
3245 "service-function-forwarder": "sfflogical1"
3253 "sf-data-plane-locator": [
3255 "name": "sf-dpi-net-A-dpl",
3256 "interface-name": "df15ac52-e8ef-4e9a-8340-ae0738aba0c0",
3257 "transport": "service-locator:mac",
3258 "service-function-forwarder": "sfflogical1"
3261 "name": "sf-dpi-net-B-dpl",
3262 "interface-name": "1bb09b01-422d-4ccf-8d7a-9ebf00d1a1a5",
3263 "transport": "service-locator:mac",
3264 "service-function-forwarder": "sfflogical1"
3272 .. code-block:: bash
3274 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache"
3275 --data '${JSON}' -X PUT --user
3276 admin:admin http://localhost:8181/restconf/config/service-function-forwarder:service-function-forwarders/
3278 **Service Function Forwarders JSON.**
3280 .. code-block:: none
3283 "service-function-forwarders": {
3284 "service-function-forwarder": [
3286 "name": "sfflogical1"
3287 "sff-data-plane-locator": [
3289 "name": "sff-firewall-net-A-dpl",
3290 "data-plane-locator": {
3291 "interface-name": "eccb57ae-5a2e-467f-823e-45d7bb2a6a9a",
3292 "transport": "service-locator:mac"
3296 "name": "sff-firewall-net-B-dpl",
3297 "data-plane-locator": {
3298 "interface-name": "7764b6f1-a5cd-46be-9201-78f917ddee1d",
3299 "transport": "service-locator:mac"
3303 "name": "sff-dpi-net-A-dpl",
3304 "data-plane-locator": {
3305 "interface-name": "df15ac52-e8ef-4e9a-8340-ae0738aba0c0",
3306 "transport": "service-locator:mac"
3310 "name": "sff-dpi-net-B-dpl",
3311 "data-plane-locator": {
3312 "interface-name": "1bb09b01-422d-4ccf-8d7a-9ebf00d1a1a5",
3313 "transport": "service-locator:mac"
3317 "service-function-dictionary": [
3319 "name": "firewall-1",
3320 "sff-sf-data-plane-locator": {
3321 "sf-forward-dpl-name": "sf-firewall-net-A-dpl",
3322 "sf-reverse-dpl-name": "sf-firewall-net-B-dpl",
3323 "sff-forward-dpl-name": "sff-firewall-net-A-dpl",
3324 "sff-reverse-dpl-name": "sff-firewall-net-B-dpl",
3329 "sff-sf-data-plane-locator": {
3330 "sf-forward-dpl-name": "sf-dpi-net-A-dpl",
3331 "sf-reverse-dpl-name": "sf-dpi-net-B-dpl",
3332 "sff-forward-dpl-name": "sff-dpi-net-A-dpl",
3333 "sff-reverse-dpl-name": "sff-dpi-net-B-dpl",
3342 In comparison with the Logical SFF example, noticed that each Service Function
3343 is configured with two data plane locators instead of one so that each can be
3344 used in different directions of the path. To specify which locator is used on
3345 which direction, the Service Function Forwarder configuration is also more
3346 extensive compared to the previous example.
3348 When comparing this example with the Logical SFF one, that the Service Function
3349 Forwarder is configured with data plane locators and that they hold the same
3350 interface name values as the corresponding Service Function interfaces. This is
3351 because in the Logical SFF particular case, a single logical interface fully
3352 describes an attachment of a Service Function Forwarder to a Service Function
3353 on both the Service Function and Service Function Forwarder sides. For
3354 non-Logical SFF scenarios, it would be expected for the data plane locators to
3355 have different values as we have seen on other examples through out this user
3356 guide. For example, if mac addresses are to be specified in the locators, the
3357 Service Function would have a different mac address than the Service Function
3361 As a result of the overall configuration, two Rendered Service Paths are
3362 implemented. The forward path:
3366 +------------+ +-------+
3367 | firewall-1 | | dpi- 1 |
3368 +---+---+----+ +--+--+-+
3370 net-A-dpl| |net-B-dpl net-A-dpl| |net-B-dpl
3372 +----------+ | | | | +----------+
3373 | client A +--------------+ +------------------------+ +------------>+ server B |
3374 +----------+ +----------+
3376 And the reverse path:
3380 +------------+ +-------+
3381 | firewall 1 | | dpi-1 |
3382 +---+---+----+ +--+--+-+
3384 net-A-dpl| |net-B-dpl net-A-dpl| |net-B-dpl
3386 +----------+ | | | | +----------+
3387 | client A +<-------------+ +------------------------+ +-------------+ server B |
3388 +----------+ +----------+
3390 Consider the following notes to put the example in context:
3392 - The classification function is obviated from the illustration.
3393 - The forward path is up-link traffic from a client in network A to a server in
3395 - The reverse path is down-link traffic from a server in network B to a client
3397 - The service functions might be legacy bump-in-the-wire network devices that
3398 need to use different interfaces for each network.
3400 SFC Statistics User Guide
3401 -------------------------
3403 Statistics can be queried for Rendered Service Paths created on OVS bridges.
3404 Future support will be added for Service Function Forwarders and Service
3405 Functions. Future support will also be added for VPP and IOs-XE devices.
3407 To use SFC statistics the 'odl-sfc-statistics' Karaf feature needs to be
3410 Statistics are queried by sending an RPC RESTconf message to ODL. For
3411 RSPs, its possible to either query statistics for one individual RSP
3412 or for all RSPs, as follows:
3414 Querying statistics for a specific RSP:
3416 .. code-block:: bash
3418 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache"
3419 --data '{ "input": { "name" : "path1-Path-42" } }' -X POST --user admin:admin
3420 http://localhost:8181/restconf/operations/sfc-statistics-operations:get-rsp-statistics
3423 Querying statistics for all RSPs:
3425 .. code-block:: bash
3427 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache"
3428 --data '{ "input": { } }' -X POST --user admin:admin
3429 http://localhost:8181/restconf/operations/sfc-statistics-operations:get-rsp-statistics
3432 The following is the sort of output that can be expected for each RSP.
3434 .. code-block:: none
3440 "name": "sfc-path-1sf1sff-Path-34",
3441 "statistic-by-timestamp": [
3443 "service-statistic": {
3449 "timestamp": 1518561500480