1 Service Function Chaining
2 =========================
4 OpenDaylight Service Function Chaining (SFC) Overview
5 -----------------------------------------------------
7 OpenDaylight Service Function Chaining (SFC) provides the ability to
8 define an ordered list of a network services (e.g. firewalls, load
9 balancers). These service are then "stitched" together in the network to
10 create a service chain. This project provides the infrastructure
11 (chaining logic, APIs) needed for ODL to provision a service chain in
12 the network and an end-user application for defining such chains.
14 - ACE - Access Control Entry
16 - ACL - Access Control List
18 - SCF - Service Classifier Function
20 - SF - Service Function
22 - SFC - Service Function Chain
24 - SFF - Service Function Forwarder
26 - SFG - Service Function Group
28 - SFP - Service Function Path
30 - RSP - Rendered Service Path
32 - NSH - Network Service Header
40 SFC User Interface (SFC-UI) is based on Dlux project. It provides an
41 easy way to create, read, update and delete configuration stored in
42 datastore. Moreover, it shows the status of all SFC features (e.g
43 installed, uninstalled) and Karaf log messages as well.
48 SFC-UI operates purely by using RESTCONF.
50 .. figure:: ./images/sfc/sfc-ui-architecture.png
51 :alt: SFC-UI integration into ODL
53 SFC-UI integration into ODL
58 1. Run ODL distribution (run karaf)
60 2. In Karaf console execute: ``feature:install odl-sfc-ui``
62 3. Visit SFC-UI on: ``http://<odl_ip_address>:8181/sfc/index.html``
64 SFC Southbound REST Plug-in
65 --------------------------
70 The Southbound REST Plug-in is used to send configuration from datastore
71 down to network devices supporting a REST API (i.e. they have a
72 configured REST URI). It supports POST/PUT/DELETE operations, which are
73 triggered accordingly by changes in the SFC data stores.
75 - Access Control List (ACL)
77 - Service Classifier Function (SCF)
79 - Service Function (SF)
81 - Service Function Group (SFG)
83 - Service Function Schedule Type (SFST)
85 - Service Function Forwarder (SFF)
87 - Rendered Service Path (RSP)
89 Southbound REST Plug-in Architecture
90 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
92 From the user perspective, the REST plug-in is another SFC Southbound
93 plug-in used to communicate with network devices.
95 .. figure:: ./images/sfc/sb-rest-architecture-user.png
96 :alt: Southbound REST Plug-in integration into ODL
98 Southbound REST Plug-in integration into ODL
100 Configuring Southbound REST Plugin
101 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
103 1. Run ODL distribution (run karaf)
105 2. In Karaf console execute: ``feature:install odl-sfc-sb-rest``
107 3. Configure REST URIs for SF/SFF through SFC User Interface or RESTCONF
108 (required configuration steps can be found in the tutorial stated
114 Comprehensive tutorial on how to use the Southbound REST Plug-in and how
115 to control network devices with it can be found on:
116 https://wiki.opendaylight.org/view/Service_Function_Chaining:Main#SFC_101
124 SFC-OVS provides integration of SFC with Open vSwitch (OVS) devices.
125 Integration is realized through mapping of SFC objects (like SF, SFF,
126 Classifier, etc.) to OVS objects (like Bridge,
127 TerminationPoint=Port/Interface). The mapping takes care of automatic
128 instantiation (setup) of corresponding object whenever its counterpart
129 is created. For example, when a new SFF is created, the SFC-OVS plug-in
130 will create a new OVS bridge and when a new OVS Bridge is created, the
131 SFC-OVS plug-in will create a new SFF.
133 The feature is intended for SFC users willing to use Open vSwitch as
134 underlying network infrastructure for deploying RSPs (Rendered Service
140 SFC-OVS uses the OVSDB MD-SAL Southbound API for getting/writing
141 information from/to OVS devices. From the user perspective SFC-OVS acts
142 as a layer between SFC datastore and OVSDB.
144 .. figure:: ./images/sfc/sfc-ovs-architecture-user.png
145 :alt: SFC-OVS integration into ODL
147 SFC-OVS integration into ODL
152 1. Run ODL distribution (run karaf)
154 2. In Karaf console execute: ``feature:install odl-sfc-ovs``
156 3. Configure Open vSwitch to use ODL as a manager, using following
157 command: ``ovs-vsctl set-manager tcp:<odl_ip_address>:6640``
162 Verifying mapping from OVS to SFF
163 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
168 This tutorial shows the usual work flow when OVS configuration is
169 transformed to corresponding SFC objects (in this case SFF).
174 - Open vSwitch installed (ovs-vsctl command available in shell)
176 - SFC-OVS feature configured as stated above
181 1. ``ovs-vsctl set-manager tcp:<odl_ip_address>:6640``
183 2. ``ovs-vsctl add-br br1``
185 3. ``ovs-vsctl add-port br1 testPort``
190 a. visit SFC User Interface:
191 ``http://<odl_ip_address>:8181/sfc/index.html#/sfc/serviceforwarder``
193 b. use pure RESTCONF and send GET request to URL:
194 ``http://<odl_ip_address>:8181/restconf/config/service-function-forwarder:service-function-forwarders``
196 There should be SFF, which name will be ending with *br1* and the SFF
197 should containt two DataPlane locators: *br1* and *testPort*.
199 Verifying mapping from SFF to OVS
200 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
205 This tutorial shows the usual workflow during creation of OVS Bridge
206 with use of SFC APIs.
211 - Open vSwitch installed (ovs-vsctl command available in shell)
213 - SFC-OVS feature configured as stated above
218 1. In shell execute: ``ovs-vsctl set-manager tcp:<odl_ip_address>:6640``
220 2. Send POST request to URL:
221 ``http://<odl_ip_address>:8181/restconf/operations/service-function-forwarder-ovs:create-ovs-bridge``
222 Use Basic auth with credentials: "admin", "admin" and set
223 ``Content-Type: application/json``. The content of POST request
233 "ip": "<Open_vSwitch_ip_address>"
238 Open\_vSwitch\_ip\_address is IP address of machine, where Open vSwitch
244 In shell execute: ``ovs-vsctl show``. There should be Bridge with name
245 *br-test* and one port/interface called *br-test*.
247 Also, corresponding SFF for this OVS Bridge should be configured, which
248 can be verified through SFC User Interface or RESTCONF as stated in
251 SFC Classifier User Guide
252 -------------------------
257 Description of classifier can be found in:
258 https://datatracker.ietf.org/doc/draft-ietf-sfc-architecture/
260 There are two types of classifier:
262 1. OpenFlow Classifier
264 2. Iptables Classifier
269 OpenFlow Classifier implements the classification criteria based on
270 OpenFlow rules deployed into an OpenFlow switch. An Open vSwitch will
271 take the role of a classifier and performs various encapsulations such
272 NSH, VLAN, MPLS, etc. In the existing implementation, classifier can
273 support NSH encapsulation. Matching information is based on ACL for MAC
274 addresses, ports, protocol, IPv4 and IPv6. Supported protocols are TCP,
275 UDP and SCTP. Actions information in the OF rules, shall be forwarding
276 of the encapsulated packets with specific information related to the
279 Classifier Architecture
280 ^^^^^^^^^^^^^^^^^^^^^^^
282 The OVSDB Southbound interface is used to create an instance of a bridge
283 in a specific location (via IP address). This bridge contains the
284 OpenFlow rules that perform the classification of the packets and react
285 accordingly. The OpenFlow Southbound interface is used to translate the
286 ACL information into OF rules within the Open vSwitch.
290 in order to create the instance of the bridge that takes the role of
291 a classifier, an "empty" SFF must be created.
293 Configuring Classifier
294 ^^^^^^^^^^^^^^^^^^^^^^
296 1. An empty SFF must be created in order to host the ACL that contains
297 the classification information.
299 2. SFF data plane locator must be configured
301 3. Classifier interface must be manually added to SFF bridge.
303 Administering or Managing Classifier
304 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
306 Classification information is based on MAC addresses, protocol, ports
307 and IP. ACL gathers this information and is assigned to an RSP which
308 turns to be a specific path for a Service Chain.
313 Classifier manages everything from starting the packet listener to
314 creation (and removal) of appropriate ip(6)tables rules and marking
315 received packets accordingly. Its functionality is **available only on
316 Linux** as it leverdges **NetfilterQueue**, which provides access to
317 packets matched by an **iptables** rule. Classifier requires **root
318 privileges** to be able to operate.
320 So far it is capable of processing ACL for MAC addresses, ports, IPv4
321 and IPv6. Supported protocols are TCP and UDP.
323 Classifier Architecture
324 ^^^^^^^^^^^^^^^^^^^^^^^
326 Python code located in the project repository
327 sfc-py/common/classifier.py.
331 classifier assumes that Rendered Service Path (RSP) **already
332 exists** in ODL when an ACL referencing it is obtained
334 1. sfc\_agent receives an ACL and passes it for processing to the
337 2. the RSP (its SFF locator) referenced by ACL is requested from ODL
339 3. if the RSP exists in the ODL then ACL based iptables rules for it are
342 After this process is over, every packet successfully matched to an
343 iptables rule (i.e. successfully classified) will be NSH encapsulated
344 and forwarded to a related SFF, which knows how to traverse the RSP.
346 Rules are created using appropriate iptables command. If the Access
347 Control Entry (ACE) rule is MAC address related both iptables and
348 IPv6 tables rules re issued. If ACE rule is IPv4 address related, only
349 iptables rules are issued, same for IPv6.
353 iptables **raw** table contains all created rules
355 Configuring Classifier
356 ^^^^^^^^^^^^^^^^^^^^^^
358 | Classfier does’t need any configuration.
359 | Its only requirement is that the **second (2) Netfilter Queue** is not
360 used by any other process and is **avalilable for the classifier**.
362 Administering or Managing Classifier
363 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
365 Classifier runs alongside sfc\_agent, therefore the command for starting
370 sudo python3.4 sfc-py/sfc_agent.py --rest --odl-ip-port localhost:8181 --auto-sff-name --nfq-class
372 SFC OpenFlow Renderer User Guide
373 --------------------------------
378 The Service Function Chaining (SFC) OpenFlow Renderer (SFC OF Renderer)
379 implements Service Chaining on OpenFlow switches. It listens for the
380 creation of a Rendered Service Path (RSP), and once received it programs
381 Service Function Forwarders (SFF) that are hosted on OpenFlow capable
382 switches to steer packets through the service chain.
384 Common acronyms used in the following sections:
386 - SF - Service Function
388 - SFF - Service Function Forwarder
390 - SFC - Service Function Chain
392 - SFP - Service Function Path
394 - RSP - Rendered Service Path
396 SFC OpenFlow Renderer Architecture
397 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
399 The SFC OF Renderer is invoked after a RSP is created using an MD-SAL
400 listener called ``SfcOfRspDataListener``. Upon SFC OF Renderer
401 initialization, the ``SfcOfRspDataListener`` registers itself to listen
402 for RSP changes. When invoked, the ``SfcOfRspDataListener`` processes
403 the RSP and calls the ``SfcOfFlowProgrammerImpl`` to create the
404 necessary flows in the Service Function Forwarders configured in the
405 RSP. Refer to the following diagram for more details.
407 .. figure:: ./images/sfc/sfcofrenderer_architecture.png
408 :alt: SFC OpenFlow Renderer High Level Architecture
410 SFC OpenFlow Renderer High Level Architecture
412 .. _sfc-user-guide-sfc-of-pipeline:
414 SFC OpenFlow Switch Flow pipeline
415 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
417 The SFC OpenFlow Renderer uses the following tables for its Flow
420 - Table 0, Classifier
422 - Table 1, Transport Ingress
424 - Table 2, Path Mapper
426 - Table 3, Path Mapper ACL
430 - Table 10, Transport Egress
432 The OpenFlow Table Pipeline is intended to be generic to work for all of
433 the different encapsulations supported by SFC.
435 All of the tables are explained in detail in the following section.
437 The SFFs (SFF1 and SFF2), SFs (SF1), and topology used for the flow
438 tables in the following sections are as described in the following
441 .. figure:: ./images/sfc/sfcofrenderer_nwtopo.png
442 :alt: SFC OpenFlow Renderer Typical Network Topology
444 SFC OpenFlow Renderer Typical Network Topology
446 Classifier Table detailed
447 ^^^^^^^^^^^^^^^^^^^^^^^^^
449 It is possible for the SFF to also act as a classifier. This table maps
450 subscriber traffic to RSPs, and is explained in detail in the classifier
453 If the SFF is not a classifier, then this table will just have a simple
456 Transport Ingress Table detailed
457 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
459 The Transport Ingress table has an entry per expected tunnel transport
460 type to be received in a particular SFF, as established in the SFC
463 Here are two example on SFF1: one where the RSP ingress tunnel is MPLS
464 assuming VLAN is used for the SFF-SF, and the other where the RSP
465 ingress tunnel is NSH GRE (UDP port 4789):
467 +----------+-------------------------------------+--------------+
468 | Priority | Match | Action |
469 +==========+=====================================+==============+
470 | 256 | EtherType==0x8847 (MPLS unicast) | Goto Table 2 |
471 +----------+-------------------------------------+--------------+
472 | 256 | EtherType==0x8100 (VLAN) | Goto Table 2 |
473 +----------+-------------------------------------+--------------+
474 | 256 | EtherType==0x0800,udp,tp\_dst==4789 | Goto Table 2 |
476 +----------+-------------------------------------+--------------+
477 | 5 | Match Any | Drop |
478 +----------+-------------------------------------+--------------+
480 Table: Table Transport Ingress
482 Path Mapper Table detailed
483 ^^^^^^^^^^^^^^^^^^^^^^^^^^
485 The Path Mapper table has an entry per expected tunnel transport info to
486 be received in a particular SFF, as established in the SFC
487 configuration. The tunnel transport info is used to determine the RSP
488 Path ID, and is stored in the OpenFlow Metadata. This table is not used
489 for NSH, since the RSP Path ID is stored in the NSH header.
491 For SF nodes that do not support NSH tunneling, the IP header DSCP field
492 is used to store the RSP Path Id. The RSP Path Id is written to the DSCP
493 field in the Transport Egress table for those packets sent to an SF.
495 Here is an example on SFF1, assuming the following details:
497 - VLAN ID 1000 is used for the SFF-SF
499 - The RSP Path 1 tunnel uses MPLS label 100 for ingress and 101 for
502 - The RSP Path 2 (symmetric downlink path) uses MPLS label 101 for
503 ingress and 100 for egress
505 +----------+-------------------+-----------------------+
506 | Priority | Match | Action |
507 +==========+===================+=======================+
508 | 256 | MPLS Label==100 | RSP Path=1, Pop MPLS, |
510 +----------+-------------------+-----------------------+
511 | 256 | MPLS Label==101 | RSP Path=2, Pop MPLS, |
513 +----------+-------------------+-----------------------+
514 | 256 | VLAN ID==1000, IP | RSP Path=1, Pop VLAN, |
515 | | DSCP==1 | Goto Table 4 |
516 +----------+-------------------+-----------------------+
517 | 256 | VLAN ID==1000, IP | RSP Path=2, Pop VLAN, |
518 | | DSCP==2 | Goto Table 4 |
519 +----------+-------------------+-----------------------+
520 | 5 | Match Any | Goto Table 3 |
521 +----------+-------------------+-----------------------+
523 Table: Table Path Mapper
525 Path Mapper ACL Table detailed
526 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
528 This table is only populated when PacketIn packets are received from the
529 switch for TcpProxy type SFs. These flows are created with an inactivity
530 timer of 60 seconds and will be automatically deleted upon expiration.
532 Next Hop Table detailed
533 ^^^^^^^^^^^^^^^^^^^^^^^
535 The Next Hop table uses the RSP Path Id and appropriate packet fields to
536 determine where to send the packet next. For NSH, only the NSP (Network
537 Services Path, RSP ID) and NSI (Network Services Index, next hop) fields
538 from the NSH header are needed to determine the VXLAN tunnel destination
539 IP. For VLAN or MPLS, then the source MAC address is used to determine
540 the destination MAC address.
542 Here are two examples on SFF1, assuming SFF1 is connected to SFF2. RSP
543 Paths 1 and 2 are symmetric VLAN paths. RSP Paths 3 and 4 are symmetric
544 NSH paths. RSP Path 1 ingress packets come from external to SFC, for
545 which we don’t have the source MAC address (MacSrc).
547 +----------+--------------------------------+--------------------------------+
548 | Priority | Match | Action |
549 +==========+================================+================================+
550 | 256 | RSP Path==1, MacSrc==SF1 | MacDst=SFF2, Goto Table 10 |
551 +----------+--------------------------------+--------------------------------+
552 | 256 | RSP Path==2, MacSrc==SF1 | Goto Table 10 |
553 +----------+--------------------------------+--------------------------------+
554 | 256 | RSP Path==2, MacSrc==SFF2 | MacDst=SF1, Goto Table 10 |
555 +----------+--------------------------------+--------------------------------+
556 | 246 | RSP Path==1 | MacDst=SF1, Goto Table 10 |
557 +----------+--------------------------------+--------------------------------+
558 | 256 | nsp=3,nsi=255 (SFF Ingress RSP | load:0xa000002→NXM\_NX\_TUN\_I |
559 | | 3) | PV4\_DST[], |
560 | | | Goto Table 10 |
561 +----------+--------------------------------+--------------------------------+
562 | 256 | nsp=3,nsi=254 (SFF Ingress | load:0xa00000a→NXM\_NX\_TUN\_I |
563 | | from SF, RSP 3) | PV4\_DST[], |
564 | | | Goto Table 10 |
565 +----------+--------------------------------+--------------------------------+
566 | 256 | nsp=4,nsi=254 (SFF1 Ingress | load:0xa00000a→NXM\_NX\_TUN\_I |
567 | | from SFF2) | PV4\_DST[], |
568 | | | Goto Table 10 |
569 +----------+--------------------------------+--------------------------------+
570 | 5 | Match Any | Drop |
571 +----------+--------------------------------+--------------------------------+
573 Table: Table Next Hop
575 Transport Egress Table detailed
576 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
578 The Transport Egress table prepares egress tunnel information and sends
581 Here are two examples on SFF1. RSP Paths 1 and 2 are symmetric MPLS
582 paths that use VLAN for the SFF-SF. RSP Paths 3 and 4 are symmetric NSH
583 paths. Since it is assumed that switches used for NSH will only have one
584 VXLAN port, the NSH packets are just sent back where they came from.
586 +----------+--------------------------------+--------------------------------+
587 | Priority | Match | Action |
588 +==========+================================+================================+
589 | 256 | RSP Path==1, MacDst==SF1 | Push VLAN ID 1000, Port=SF1 |
590 +----------+--------------------------------+--------------------------------+
591 | 256 | RSP Path==1, MacDst==SFF2 | Push MPLS Label 101, Port=SFF2 |
592 +----------+--------------------------------+--------------------------------+
593 | 256 | RSP Path==2, MacDst==SF1 | Push VLAN ID 1000, Port=SF1 |
594 +----------+--------------------------------+--------------------------------+
595 | 246 | RSP Path==2 | Push MPLS Label 100, |
597 +----------+--------------------------------+--------------------------------+
598 | 256 | nsp=3,nsi=255 (SFF Ingress RSP | IN\_PORT |
600 +----------+--------------------------------+--------------------------------+
601 | 256 | nsp=3,nsi=254 (SFF Ingress | IN\_PORT |
602 | | from SF, RSP 3) | |
603 +----------+--------------------------------+--------------------------------+
604 | 256 | nsp=4,nsi=254 (SFF1 Ingress | IN\_PORT |
606 +----------+--------------------------------+--------------------------------+
607 | 5 | Match Any | Drop |
608 +----------+--------------------------------+--------------------------------+
610 Table: Table Transport Egress
612 Administering SFC OF Renderer
613 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
615 To use the SFC OpenFlow Renderer Karaf, at least the following Karaf
616 features must be installed.
618 - odl-openflowplugin-nxm-extensions
620 - odl-openflowplugin-flow-services
626 - odl-sfc-openflow-renderer
628 - odl-sfc-ui (optional)
630 The following command can be used to view all of the currently installed
635 opendaylight-user@root>feature:list -i
637 Or, pipe the command to a grep to see a subset of the currently
638 installed Karaf features:
642 opendaylight-user@root>feature:list -i | grep sfc
644 To install a particular feature, use the Karaf ``feature:install``
647 SFC OF Renderer Tutorial
648 ~~~~~~~~~~~~~~~~~~~~~~~~
653 In this tutorial, 2 different encapsulations will be shown: MPLS and
654 NSH. The following Network Topology diagram is a logical view of the
655 SFFs and SFs involved in creating the Service Chains.
657 .. figure:: ./images/sfc/sfcofrenderer_nwtopo.png
658 :alt: SFC OpenFlow Renderer Typical Network Topology
660 SFC OpenFlow Renderer Typical Network Topology
665 To use this example, SFF OpenFlow switches must be created and connected
666 as illustrated above. Additionally, the SFs must be created and
669 Note that RSP symmetry depends on Service Function Path symmetric field, if present.
670 If not, the RSP will be symmetric if any of the SFs involved in the chain
671 has the bidirectional field set to true.
676 The target environment is not important, but this use-case was created
682 The steps to use this tutorial are as follows. The referenced
683 configuration in the steps is listed in the following sections.
685 There are numerous ways to send the configuration. In the following
686 configuration chapters, the appropriate ``curl`` command is shown for
687 each configuration to be sent, including the URL.
689 Steps to configure the SFC OF Renderer tutorial:
691 1. Send the ``SF`` RESTCONF configuration
693 2. Send the ``SFF`` RESTCONF configuration
695 3. Send the ``SFC`` RESTCONF configuration
697 4. Send the ``SFP`` RESTCONF configuration
699 5. Create the ``RSP`` with a RESTCONF RPC command
701 Once the configuration has been successfully created, query the Rendered
702 Service Paths with either the SFC UI or via RESTCONF. Notice that the
703 RSP is symmetrical, so the following 2 RSPs will be created:
709 At this point the Service Chains have been created, and the OpenFlow
710 Switches are programmed to steer traffic through the Service Chain.
711 Traffic can now be injected from a client into the Service Chain. To
712 debug problems, the OpenFlow tables can be dumped with the following
713 commands, assuming SFF1 is called ``s1`` and SFF2 is called ``s2``.
717 sudo ovs-ofctl -O OpenFlow13 dump-flows s1
721 sudo ovs-ofctl -O OpenFlow13 dump-flows s2
723 In all the following configuration sections, replace the ``${JSON}``
724 string with the appropriate JSON configuration. Also, change the
725 ``localhost`` destination in the URL accordingly.
727 SFC OF Renderer NSH Tutorial
728 ''''''''''''''''''''''''''''
730 The following configuration sections show how to create the different
731 elements using NSH encapsulation.
733 | **NSH Service Function configuration**
735 The Service Function configuration can be sent with the following
740 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache" --data '${JSON}' -X PUT --user admin:admin http://localhost:8181/restconf/config/service-function:service-functions/
742 **SF configuration JSON.**
747 "service-functions": {
748 "service-function": [
751 "type": "http-header-enrichment",
752 "ip-mgmt-address": "10.0.0.2",
753 "sf-data-plane-locator": [
758 "transport": "service-locator:vxlan-gpe",
759 "service-function-forwarder": "sff1"
766 "ip-mgmt-address": "10.0.0.3",
767 "sf-data-plane-locator": [
772 "transport": "service-locator:vxlan-gpe",
773 "service-function-forwarder": "sff2"
781 | **NSH Service Function Forwarder configuration**
783 The Service Function Forwarder configuration can be sent with the
788 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache" --data '${JSON}' -X PUT --user admin:admin http://localhost:8181/restconf/config/service-function-forwarder:service-function-forwarders/
790 **SFF configuration JSON.**
795 "service-function-forwarders": {
796 "service-function-forwarder": [
799 "service-node": "openflow:2",
800 "sff-data-plane-locator": [
803 "data-plane-locator":
807 "transport": "service-locator:vxlan-gpe"
811 "service-function-dictionary": [
814 "sff-sf-data-plane-locator":
816 "sf-dpl-name": "sf1dpl",
817 "sff-dpl-name": "sff1dpl"
824 "service-node": "openflow:3",
825 "sff-data-plane-locator": [
828 "data-plane-locator":
832 "transport": "service-locator:vxlan-gpe"
836 "service-function-dictionary": [
839 "sff-sf-data-plane-locator":
841 "sf-dpl-name": "sf2dpl",
842 "sff-dpl-name": "sff2dpl"
851 | **NSH Service Function Chain configuration**
853 The Service Function Chain configuration can be sent with the following
858 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache" --data '${JSON}' -X PUT --user admin:admin http://localhost:8181/restconf/config/service-function-chain:service-function-chains/
860 **SFC configuration JSON.**
865 "service-function-chains": {
866 "service-function-chain": [
868 "name": "sfc-chain1",
869 "sfc-service-function": [
871 "name": "hdr-enrich-abstract1",
872 "type": "http-header-enrichment"
875 "name": "firewall-abstract1",
884 | **NSH Service Function Path configuration**
886 The Service Function Path configuration can be sent with the following
891 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache" --data '${JSON}' -X PUT --user admin:admin http://localhost:8181/restconf/config/service-function-path:service-function-paths/
893 **SFP configuration JSON.**
898 "service-function-paths": {
899 "service-function-path": [
902 "service-chain-name": "sfc-chain1",
903 "transport-type": "service-locator:vxlan-gpe",
910 | **NSH Rendered Service Path creation**
914 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache" --data '${JSON}' -X POST --user admin:admin http://localhost:8181/restconf/operations/rendered-service-path:create-rendered-path/
916 **RSP creation JSON.**
923 "parent-service-function-path": "sfc-path1"
927 | **NSH Rendered Service Path removal**
929 The following command can be used to remove a Rendered Service Path
930 called ``sfc-path1``:
934 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache" --data '{"input": {"name": "sfc-path1" } }' -X POST --user admin:admin http://localhost:8181/restconf/operations/rendered-service-path:delete-rendered-path/
936 | **NSH Rendered Service Path Query**
938 The following command can be used to query all of the created Rendered
943 curl -H "Content-Type: application/json" -H "Cache-Control: no-cache" -X GET --user admin:admin http://localhost:8181/restconf/operational/rendered-service-path:rendered-service-paths/
945 SFC OF Renderer MPLS Tutorial
946 '''''''''''''''''''''''''''''
948 The following configuration sections show how to create the different
949 elements using MPLS encapsulation.
951 | **MPLS Service Function configuration**
953 The Service Function configuration can be sent with the following
958 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache" --data '${JSON}' -X PUT --user admin:admin http://localhost:8181/restconf/config/service-function:service-functions/
960 **SF configuration JSON.**
965 "service-functions": {
966 "service-function": [
969 "type": "http-header-enrichment",
970 "ip-mgmt-address": "10.0.0.2",
971 "sf-data-plane-locator": [
974 "mac": "00:00:08:01:02:01",
976 "transport": "service-locator:mac",
977 "service-function-forwarder": "sff1"
984 "ip-mgmt-address": "10.0.0.3",
985 "sf-data-plane-locator": [
988 "mac": "00:00:08:01:03:01",
990 "transport": "service-locator:mac",
991 "service-function-forwarder": "sff2"
999 | **MPLS Service Function Forwarder configuration**
1001 The Service Function Forwarder configuration can be sent with the
1006 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache" --data '${JSON}' -X PUT --user admin:admin http://localhost:8181/restconf/config/service-function-forwarder:service-function-forwarders/
1008 **SFF configuration JSON.**
1013 "service-function-forwarders": {
1014 "service-function-forwarder": [
1017 "service-node": "openflow:2",
1018 "sff-data-plane-locator": [
1020 "name": "ulSff1Ingress",
1021 "data-plane-locator":
1024 "transport": "service-locator:mpls"
1026 "service-function-forwarder-ofs:ofs-port":
1028 "mac": "11:11:11:11:11:11",
1033 "name": "ulSff1ToSff2",
1034 "data-plane-locator":
1037 "transport": "service-locator:mpls"
1039 "service-function-forwarder-ofs:ofs-port":
1041 "mac": "33:33:33:33:33:33",
1047 "data-plane-locator":
1049 "mac": "22:22:22:22:22:22",
1051 "transport": "service-locator:mac",
1053 "service-function-forwarder-ofs:ofs-port":
1055 "mac": "33:33:33:33:33:33",
1060 "service-function-dictionary": [
1063 "sff-sf-data-plane-locator":
1065 "sf-dpl-name": "sf1-sff1",
1066 "sff-dpl-name": "toSf1"
1073 "service-node": "openflow:3",
1074 "sff-data-plane-locator": [
1076 "name": "ulSff2Ingress",
1077 "data-plane-locator":
1080 "transport": "service-locator:mpls"
1082 "service-function-forwarder-ofs:ofs-port":
1084 "mac": "44:44:44:44:44:44",
1089 "name": "ulSff2Egress",
1090 "data-plane-locator":
1093 "transport": "service-locator:mpls"
1095 "service-function-forwarder-ofs:ofs-port":
1097 "mac": "66:66:66:66:66:66",
1103 "data-plane-locator":
1105 "mac": "55:55:55:55:55:55",
1107 "transport": "service-locator:mac"
1109 "service-function-forwarder-ofs:ofs-port":
1115 "service-function-dictionary": [
1118 "sff-sf-data-plane-locator":
1120 "sf-dpl-name": "sf2-sff2",
1121 "sff-dpl-name": "toSf2"
1124 "service-function-forwarder-ofs:ofs-port":
1135 | **MPLS Service Function Chain configuration**
1137 The Service Function Chain configuration can be sent with the following
1142 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache" --data '${JSON}' -X PUT --user admin:admin http://localhost:8181/restconf/config/service-function-chain:service-function-chains/
1144 **SFC configuration JSON.**
1149 "service-function-chains": {
1150 "service-function-chain": [
1152 "name": "sfc-chain1",
1153 "sfc-service-function": [
1155 "name": "hdr-enrich-abstract1",
1156 "type": "http-header-enrichment"
1159 "name": "firewall-abstract1",
1168 | **MPLS Service Function Path configuration**
1170 The Service Function Path configuration can be sent with the following
1175 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache" --data '${JSON}' -X PUT --user admin:admin http://localhost:8181/restconf/config/service-function-path:service-function-paths/
1177 **SFP configuration JSON.**
1182 "service-function-paths": {
1183 "service-function-path": [
1185 "name": "sfc-path1",
1186 "service-chain-name": "sfc-chain1",
1187 "transport-type": "service-locator:mpls",
1194 | **MPLS Rendered Service Path creation**
1198 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache" --data '${JSON}' -X POST --user admin:admin http://localhost:8181/restconf/operations/rendered-service-path:create-rendered-path/
1200 **RSP creation JSON.**
1206 "name": "sfc-path1",
1207 "parent-service-function-path": "sfc-path1"
1211 | **MPLS Rendered Service Path removal**
1213 The following command can be used to remove a Rendered Service Path
1214 called ``sfc-path1``:
1218 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache" --data '{"input": {"name": "sfc-path1" } }' -X POST --user admin:admin http://localhost:8181/restconf/operations/rendered-service-path:delete-rendered-path/
1220 | **MPLS Rendered Service Path Query**
1222 The following command can be used to query all of the created Rendered
1227 curl -H "Content-Type: application/json" -H "Cache-Control: no-cache" -X GET --user admin:admin http://localhost:8181/restconf/operational/rendered-service-path:rendered-service-paths/
1229 SFC IOS XE Renderer User Guide
1230 ------------------------------
1235 The early Service Function Chaining (SFC) renderer for IOS-XE devices
1236 (SFC IOS-XE renderer) implements Service Chaining functionality on
1237 IOS-XE capable switches. It listens for the creation of a Rendered
1238 Service Path (RSP) and sets up Service Function Forwarders (SFF) that
1239 are hosted on IOS-XE switches to steer traffic through the service
1242 Common acronyms used in the following sections:
1244 - SF - Service Function
1246 - SFF - Service Function Forwarder
1248 - SFC - Service Function Chain
1252 - SFP - Service Function Path
1254 - RSP - Rendered Service Path
1256 - LSF - Local Service Forwarder
1258 - RSF - Remote Service Forwarder
1260 SFC IOS-XE Renderer Architecture
1261 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1263 When the SFC IOS-XE renderer is initialized, all required listeners are
1264 registered to handle incoming data. It involves CSR/IOS-XE
1265 ``NodeListener`` which stores data about all configurable devices
1266 including their mountpoints (used here as databrokers),
1267 ``ServiceFunctionListener``, ``ServiceForwarderListener`` (see mapping)
1268 and ``RenderedPathListener`` used to listen for RSP changes. When the
1269 SFC IOS-XE renderer is invoked, ``RenderedPathListener`` calls the
1270 ``IosXeRspProcessor`` which processes the RSP change and creates all
1271 necessary Service Paths and Remote Service Forwarders (if necessary) on
1274 Service Path details
1275 ~~~~~~~~~~~~~~~~~~~~
1277 Each Service Path is defined by index (represented by NSP) and contains
1278 service path entries. Each entry has appropriate service index (NSI) and
1279 definition of next hop. Next hop can be Service Function, different
1280 Service Function Forwarder or definition of end of chain - terminate.
1281 After terminating, the packet is sent to destination. If a SFF is
1282 defined as a next hop, it has to be present on device in the form of
1283 Remote Service Forwarder. RSFs are also created during RSP processing.
1285 Example of Service Path:
1289 service-chain service-path 200
1290 service-index 255 service-function firewall-1
1291 service-index 254 service-function dpi-1
1292 service-index 253 terminate
1294 Mapping to IOS-XE SFC entities
1295 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1297 Renderer contains mappers for SFs and SFFs. IOS-XE capable device is
1298 using its own definition of Service Functions and Service Function
1299 Forwarders according to appropriate .yang file.
1300 ``ServiceFunctionListener`` serves as a listener for SF changes. If SF
1301 appears in datastore, listener extracts its management ip address and
1302 looks into cached IOS-XE nodes. If some of available nodes match,
1303 Service function is mapped in ``IosXeServiceFunctionMapper`` to be
1304 understandable by IOS-XE device and it’s written into device’s config.
1305 ``ServiceForwarderListener`` is used in a similar way. All SFFs with
1306 suitable management ip address it mapped in
1307 ``IosXeServiceForwarderMapper``. Remapped SFFs are configured as a Local
1308 Service Forwarders. It is not possible to directly create Remote Service
1309 Forwarder using IOS-XE renderer. RSF is created only during RSP
1312 Administering SFC IOS-XE renderer
1313 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1315 To use the SFC IOS-XE Renderer Karaf, at least the following Karaf
1316 features must be installed:
1326 - odl-netconf-topology
1328 - odl-sfc-ios-xe-renderer
1330 SFC IOS-XE renderer Tutorial
1331 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1336 This tutorial is a simple example how to create Service Path on IOS-XE
1337 capable device using IOS-XE renderer
1342 To connect to IOS-XE device, it is necessary to use several modified
1343 yang models and override device’s ones. All .yang files are in the
1344 ``Yang/netconf`` folder in the ``sfc-ios-xe-renderer module`` in the SFC
1345 project. These files have to be copied to the ``cache/schema``
1346 directory, before Karaf is started. After that, custom capabilities have
1347 to be sent to network-topology:
1351 PUT ./config/network-topology:network-topology/topology/topology-netconf/node/<device-name>
1353 <node xmlns="urn:TBD:params:xml:ns:yang:network-topology">
1354 <node-id>device-name</node-id>
1355 <host xmlns="urn:opendaylight:netconf-node-topology">device-ip</host>
1356 <port xmlns="urn:opendaylight:netconf-node-topology">2022</port>
1357 <username xmlns="urn:opendaylight:netconf-node-topology">login</username>
1358 <password xmlns="urn:opendaylight:netconf-node-topology">password</password>
1359 <tcp-only xmlns="urn:opendaylight:netconf-node-topology">false</tcp-only>
1360 <keepalive-delay xmlns="urn:opendaylight:netconf-node-topology">0</keepalive-delay>
1361 <yang-module-capabilities xmlns="urn:opendaylight:netconf-node-topology">
1362 <override>true</override>
1363 <capability xmlns="urn:opendaylight:netconf-node-topology">
1364 urn:ietf:params:xml:ns:yang:ietf-inet-types?module=ietf-inet-types&revision=2013-07-15
1366 <capability xmlns="urn:opendaylight:netconf-node-topology">
1367 urn:ietf:params:xml:ns:yang:ietf-yang-types?module=ietf-yang-types&revision=2013-07-15
1369 <capability xmlns="urn:opendaylight:netconf-node-topology">
1370 urn:ios?module=ned&revision=2016-03-08
1372 <capability xmlns="urn:opendaylight:netconf-node-topology">
1373 http://tail-f.com/yang/common?module=tailf-common&revision=2015-05-22
1375 <capability xmlns="urn:opendaylight:netconf-node-topology">
1376 http://tail-f.com/yang/common?module=tailf-meta-extensions&revision=2013-11-07
1378 <capability xmlns="urn:opendaylight:netconf-node-topology">
1379 http://tail-f.com/yang/common?module=tailf-cli-extensions&revision=2015-03-19
1381 </yang-module-capabilities>
1386 The device name in the URL and in the XML must match.
1391 When the IOS-XE renderer is installed, all NETCONF nodes in
1392 topology-netconf are processed and all capable nodes with accessible
1393 mountpoints are cached. The first step is to create LSF on node.
1395 ``Service Function Forwarder configuration``
1399 PUT ./config/service-function-forwarder:service-function-forwarders
1402 "service-function-forwarders": {
1403 "service-function-forwarder": [
1406 "ip-mgmt-address": "172.25.73.23",
1407 "sff-data-plane-locator": [
1409 "name": "CSR1Kv-2-dpl",
1410 "data-plane-locator": {
1411 "transport": "service-locator:vxlan-gpe",
1413 "ip": "10.99.150.10"
1422 If the IOS-XE node with appropriate management IP exists, this
1423 configuration is mapped and LSF is created on the device. The same
1424 approach is used for Service Functions.
1428 PUT ./config/service-function:service-functions
1431 "service-functions": {
1432 "service-function": [
1435 "ip-mgmt-address": "172.25.73.23",
1437 "sf-data-plane-locator": [
1439 "name": "firewall-dpl",
1442 "transport": "service-locator:gre",
1443 "service-function-forwarder": "CSR1Kv-2"
1449 "ip-mgmt-address": "172.25.73.23",
1451 "sf-data-plane-locator": [
1456 "transport": "service-locator:gre",
1457 "service-function-forwarder": "CSR1Kv-2"
1463 "ip-mgmt-address": "172.25.73.23",
1465 "sf-data-plane-locator": [
1470 "transport": "service-locator:gre",
1471 "service-function-forwarder": "CSR1Kv-2"
1479 All these SFs are configured on the same device as the LSF. The next
1480 step is to prepare Service Function Chain.
1484 PUT ./config/service-function-chain:service-function-chains/
1487 "service-function-chains": {
1488 "service-function-chain": [
1491 "sfc-service-function": [
1510 Service Function Path:
1514 PUT ./config/service-function-path:service-function-paths/
1517 "service-function-paths": {
1518 "service-function-path": [
1520 "name": "CSR3XSF-Path",
1521 "service-chain-name": "CSR3XSF",
1522 "starting-index": 255,
1529 Without a classifier, there is possibility to POST RSP directly.
1533 POST ./operations/rendered-service-path:create-rendered-path
1537 "name": "CSR3XSF-Path-RSP",
1538 "parent-service-function-path": "CSR3XSF-Path"
1542 The resulting configuration:
1547 service-chain service-function-forwarder local
1548 ip address 10.99.150.10
1550 service-chain service-function firewall
1552 encapsulation gre enhanced divert
1554 service-chain service-function dpi
1556 encapsulation gre enhanced divert
1558 service-chain service-function qos
1560 encapsulation gre enhanced divert
1562 service-chain service-path 1
1563 service-index 255 service-function firewall
1564 service-index 254 service-function dpi
1565 service-index 253 service-function qos
1566 service-index 252 terminate
1568 service-chain service-path 2
1569 service-index 255 service-function qos
1570 service-index 254 service-function dpi
1571 service-index 253 service-function firewall
1572 service-index 252 terminate
1575 Service Path 1 is direct, Service Path 2 is reversed. Path numbers may
1578 Service Function Scheduling Algorithms
1579 --------------------------------------
1584 When creating the Rendered Service Path, the origin SFC controller chose
1585 the first available service function from a list of service function
1586 names. This may result in many issues such as overloaded service
1587 functions and a longer service path as SFC has no means to understand
1588 the status of service functions and network topology. The service
1589 function selection framework supports at least four algorithms (Random,
1590 Round Robin, Load Balancing and Shortest Path) to select the most
1591 appropriate service function when instantiating the Rendered Service
1592 Path. In addition, it is an extensible framework that allows 3rd party
1593 selection algorithm to be plugged in.
1598 The following figure illustrates the service function selection
1599 framework and algorithms.
1601 .. figure:: ./images/sfc/sf-selection-arch.png
1602 :alt: SF Selection Architecture
1604 SF Selection Architecture
1606 A user has three different ways to select one service function selection
1609 1. Integrated RESTCONF Calls. OpenStack and/or other administration
1610 system could provide plugins to call the APIs to select one
1611 scheduling algorithm.
1613 2. Command line tools. Command line tools such as curl or browser
1614 plugins such as POSTMAN (for Google Chrome) and RESTClient (for
1615 Mozilla Firefox) could select schedule algorithm by making RESTCONF
1618 3. SFC-UI. Now the SFC-UI provides an option for choosing a selection
1619 algorithm when creating a Rendered Service Path.
1621 The RESTCONF northbound SFC API provides GUI/RESTCONF interactions for
1622 choosing the service function selection algorithm. MD-SAL data store
1623 provides all supported service function selection algorithms, and
1624 provides APIs to enable one of the provided service function selection
1625 algorithms. Once a service function selection algorithm is enabled, the
1626 service function selection algorithm will work when creating a Rendered
1629 Select SFs with Scheduler
1630 ~~~~~~~~~~~~~~~~~~~~~~~~~
1632 Administrator could use both the following ways to select one of the
1633 selection algorithm when creating a Rendered Service Path.
1635 - Command line tools. Command line tools includes Linux commands curl
1636 or even browser plugins such as POSTMAN(for Google Chrome) or
1637 RESTClient(for Mozilla Firefox). In this case, the following JSON
1638 content is needed at the moment:
1639 Service\_function\_schudule\_type.json
1644 "service-function-scheduler-types": {
1645 "service-function-scheduler-type": [
1648 "type": "service-function-scheduler-type:random",
1652 "name": "roundrobin",
1653 "type": "service-function-scheduler-type:round-robin",
1657 "name": "loadbalance",
1658 "type": "service-function-scheduler-type:load-balance",
1662 "name": "shortestpath",
1663 "type": "service-function-scheduler-type:shortest-path",
1670 If using the Linux curl command, it could be:
1674 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache" --data '$${Service_function_schudule_type.json}'
1675 -X PUT --user admin:admin http://localhost:8181/restconf/config/service-function-scheduler-type:service-function-scheduler-types/
1677 Here is also a snapshot for using the RESTClient plugin:
1679 .. figure:: ./images/sfc/RESTClient-snapshot.png
1680 :alt: Mozilla Firefox RESTClient
1682 Mozilla Firefox RESTClient
1684 - SFC-UI.SFC-UI provides a drop down menu for service function
1685 selection algorithm. Here is a snapshot for the user interaction from
1686 SFC-UI when creating a Rendered Service Path.
1688 .. figure:: ./images/sfc/karaf-webui-select-a-type.png
1695 Some service function selection algorithms in the drop list are not
1696 implemented yet. Only the first three algorithms are committed at
1702 Select Service Function from the name list randomly.
1707 The Random algorithm is used to select one Service Function from the
1708 name list which it gets from the Service Function Type randomly.
1713 - Service Function information are stored in datastore.
1715 - Either no algorithm or the Random algorithm is selected.
1720 The Random algorithm will work either no algorithm type is selected or
1721 the Random algorithm is selected.
1726 Once the plugins are installed into Karaf successfully, a user can use
1727 his favorite method to select the Random scheduling algorithm type.
1728 There are no special instructions for using the Random algorithm.
1733 Select Service Function from the name list in Round Robin manner.
1738 The Round Robin algorithm is used to select one Service Function from
1739 the name list which it gets from the Service Function Type in a Round
1740 Robin manner, this will balance workloads to all Service Functions.
1741 However, this method cannot help all Service Functions load the same
1742 workload because it’s flow-based Round Robin.
1747 - Service Function information are stored in datastore.
1749 - Round Robin algorithm is selected
1754 The Round Robin algorithm will work one the Round Robin algorithm is
1760 Once the plugins are installed into Karaf successfully, a user can use
1761 his favorite method to select the Round Robin scheduling algorithm type.
1762 There are no special instructions for using the Round Robin algorithm.
1764 Load Balance Algorithm
1765 ^^^^^^^^^^^^^^^^^^^^^^
1767 Select appropriate Service Function by actual CPU utilization.
1772 The Load Balance Algorithm is used to select appropriate Service
1773 Function by actual CPU utilization of service functions. The CPU
1774 utilization of service function obtained from monitoring information
1775 reported via NETCONF.
1780 - CPU-utilization for Service Function.
1786 - Each VM has a NETCONF server and it could work with NETCONF client
1792 Set up VMs as Service Functions. enable NETCONF server in VMs. Ensure
1793 that you specify them separately. For example:
1795 a. Set up 4 VMs include 2 SFs' type are Firewall, Others are Napt44.
1796 Name them as firewall-1, firewall-2, napt44-1, napt44-2 as Service
1797 Function. The four VMs can run either the same server or different
1800 b. Install NETCONF server on every VM and enable it. More information on
1801 NETCONF can be found on the OpenDaylight wiki here:
1802 https://wiki.opendaylight.org/view/OpenDaylight_Controller:Config:Examples:Netconf:Manual_netopeer_installation
1804 c. Get Monitoring data from NETCONF server. These monitoring data should
1805 be get from the NETCONF server which is running in VMs. The following
1806 static XML data is an example:
1808 static XML data like this:
1812 <?xml version="1.0" encoding="UTF-8"?>
1813 <service-function-description-monitor-report>
1815 <number-of-dataports>2</number-of-dataports>
1817 <supported-packet-rate>5</supported-packet-rate>
1818 <supported-bandwidth>10</supported-bandwidth>
1819 <supported-ACL-number>2000</supported-ACL-number>
1820 <RIB-size>200</RIB-size>
1821 <FIB-size>100</FIB-size>
1824 <port-id>1</port-id>
1825 <ipaddress>10.0.0.1</ipaddress>
1826 <macaddress>00:1e:67:a2:5f:f4</macaddress>
1827 <supported-bandwidth>20</supported-bandwidth>
1830 <port-id>2</port-id>
1831 <ipaddress>10.0.0.2</ipaddress>
1832 <macaddress>01:1e:67:a2:5f:f6</macaddress>
1833 <supported-bandwidth>10</supported-bandwidth>
1838 <SF-monitoring-info>
1839 <liveness>true</liveness>
1840 <resource-utilization>
1841 <packet-rate-utilization>10</packet-rate-utilization>
1842 <bandwidth-utilization>15</bandwidth-utilization>
1843 <CPU-utilization>12</CPU-utilization>
1844 <memory-utilization>17</memory-utilization>
1845 <available-memory>8</available-memory>
1846 <RIB-utilization>20</RIB-utilization>
1847 <FIB-utilization>25</FIB-utilization>
1848 <power-utilization>30</power-utilization>
1849 <SF-ports-bandwidth-utilization>
1850 <port-bandwidth-utilization>
1851 <port-id>1</port-id>
1852 <bandwidth-utilization>20</bandwidth-utilization>
1853 </port-bandwidth-utilization>
1854 <port-bandwidth-utilization>
1855 <port-id>2</port-id>
1856 <bandwidth-utilization>30</bandwidth-utilization>
1857 </port-bandwidth-utilization>
1858 </SF-ports-bandwidth-utilization>
1859 </resource-utilization>
1860 </SF-monitoring-info>
1861 </service-function-description-monitor-report>
1863 a. Unzip SFC release tarball.
1865 b. Run SFC: ${sfc}/bin/karaf. More information on Service Function
1866 Chaining can be found on the OpenDaylight SFC’s wiki page:
1867 https://wiki.opendaylight.org/view/Service_Function_Chaining:Main
1869 a. Deploy the SFC2 (firewall-abstract2⇒napt44-abstract2) and click
1870 button to Create Rendered Service Path in SFC UI
1871 (http://localhost:8181/sfc/index.html).
1873 b. Verify the Rendered Service Path to ensure the CPU utilization of the
1874 selected hop is the minimum one among all the service functions with
1875 same type. The correct RSP is firewall-1⇒napt44-2
1877 Shortest Path Algorithm
1878 ^^^^^^^^^^^^^^^^^^^^^^^
1880 Select appropriate Service Function by Dijkstra’s algorithm. Dijkstra’s
1881 algorithm is an algorithm for finding the shortest paths between nodes
1887 The Shortest Path Algorithm is used to select appropriate Service
1888 Function by actual topology.
1893 - Deployed topology (include SFFs, SFs and their links).
1895 - Dijkstra’s algorithm. More information on Dijkstra’s algorithm can be
1896 found on the wiki here:
1897 http://en.wikipedia.org/wiki/Dijkstra%27s_algorithm
1902 a. Unzip SFC release tarball.
1904 b. Run SFC: ${sfc}/bin/karaf.
1906 c. Depoly SFFs and SFs. import the service-function-forwarders.json and
1907 service-functions.json in UI
1908 (http://localhost:8181/sfc/index.html#/sfc/config)
1910 service-function-forwarders.json:
1915 "service-function-forwarders": {
1916 "service-function-forwarder": [
1919 "service-node": "OVSDB-test01",
1920 "rest-uri": "http://localhost:5001",
1921 "sff-data-plane-locator": [
1924 "service-function-forwarder-ovs:ovs-bridge": {
1925 "uuid": "4c3778e4-840d-47f4-b45e-0988e514d26c",
1926 "bridge-name": "br-tun"
1928 "data-plane-locator": {
1930 "ip": "192.168.1.1",
1931 "transport": "service-locator:vxlan-gpe"
1935 "service-function-dictionary": [
1937 "sff-sf-data-plane-locator": {
1938 "sf-dpl-name": "sf1dpl",
1939 "sff-dpl-name": "sff1dpl"
1945 "sff-sf-data-plane-locator": {
1946 "sf-dpl-name": "sf2dpl",
1947 "sff-dpl-name": "sff2dpl"
1949 "name": "firewall-1",
1953 "connected-sff-dictionary": [
1961 "service-node": "OVSDB-test01",
1962 "rest-uri": "http://localhost:5002",
1963 "sff-data-plane-locator": [
1966 "service-function-forwarder-ovs:ovs-bridge": {
1967 "uuid": "fd4d849f-5140-48cd-bc60-6ad1f5fc0a1",
1968 "bridge-name": "br-tun"
1970 "data-plane-locator": {
1972 "ip": "192.168.1.2",
1973 "transport": "service-locator:vxlan-gpe"
1977 "service-function-dictionary": [
1979 "sff-sf-data-plane-locator": {
1980 "sf-dpl-name": "sf1dpl",
1981 "sff-dpl-name": "sff1dpl"
1987 "sff-sf-data-plane-locator": {
1988 "sf-dpl-name": "sf2dpl",
1989 "sff-dpl-name": "sff2dpl"
1991 "name": "firewall-2",
1995 "connected-sff-dictionary": [
2003 "service-node": "OVSDB-test01",
2004 "rest-uri": "http://localhost:5005",
2005 "sff-data-plane-locator": [
2008 "service-function-forwarder-ovs:ovs-bridge": {
2009 "uuid": "fd4d849f-5140-48cd-bc60-6ad1f5fc0a4",
2010 "bridge-name": "br-tun"
2012 "data-plane-locator": {
2014 "ip": "192.168.1.2",
2015 "transport": "service-locator:vxlan-gpe"
2019 "service-function-dictionary": [
2021 "sff-sf-data-plane-locator": {
2022 "sf-dpl-name": "sf1dpl",
2023 "sff-dpl-name": "sff1dpl"
2025 "name": "test-server",
2029 "sff-sf-data-plane-locator": {
2030 "sf-dpl-name": "sf2dpl",
2031 "sff-dpl-name": "sff2dpl"
2033 "name": "test-client",
2037 "connected-sff-dictionary": [
2050 service-functions.json:
2055 "service-functions": {
2056 "service-function": [
2058 "rest-uri": "http://localhost:10001",
2059 "ip-mgmt-address": "10.3.1.103",
2060 "sf-data-plane-locator": [
2062 "name": "preferred",
2065 "service-function-forwarder": "SFF-br1"
2072 "rest-uri": "http://localhost:10002",
2073 "ip-mgmt-address": "10.3.1.103",
2074 "sf-data-plane-locator": [
2079 "service-function-forwarder": "SFF-br2"
2086 "rest-uri": "http://localhost:10003",
2087 "ip-mgmt-address": "10.3.1.103",
2088 "sf-data-plane-locator": [
2093 "service-function-forwarder": "SFF-br1"
2096 "name": "firewall-1",
2100 "rest-uri": "http://localhost:10004",
2101 "ip-mgmt-address": "10.3.1.103",
2102 "sf-data-plane-locator": [
2107 "service-function-forwarder": "SFF-br2"
2110 "name": "firewall-2",
2114 "rest-uri": "http://localhost:10005",
2115 "ip-mgmt-address": "10.3.1.103",
2116 "sf-data-plane-locator": [
2121 "service-function-forwarder": "SFF-br3"
2124 "name": "test-server",
2128 "rest-uri": "http://localhost:10006",
2129 "ip-mgmt-address": "10.3.1.103",
2130 "sf-data-plane-locator": [
2135 "service-function-forwarder": "SFF-br3"
2138 "name": "test-client",
2145 The deployed topology like this:
2149 +----+ +----+ +----+
2150 |sff1|+----------|sff3|---------+|sff2|
2151 +----+ +----+ +----+
2153 +--------------+ +--------------+
2155 +----------+ +--------+ +----------+ +--------+
2156 |firewall-1| |napt44-1| |firewall-2| |napt44-2|
2157 +----------+ +--------+ +----------+ +--------+
2159 - Deploy the SFC2(firewall-abstract2⇒napt44-abstract2), select
2160 "Shortest Path" as schedule type and click button to Create Rendered
2161 Service Path in SFC UI (http://localhost:8181/sfc/index.html).
2163 .. figure:: ./images/sfc/sf-schedule-type.png
2164 :alt: select schedule type
2166 select schedule type
2168 - Verify the Rendered Service Path to ensure the selected hops are
2169 linked in one SFF. The correct RSP is firewall-1⇒napt44-1 or
2170 firewall-2⇒napt44-2. The first SF type is Firewall in Service
2171 Function Chain. So the algorithm will select first Hop randomly among
2172 all the SFs type is Firewall. Assume the first selected SF is
2173 firewall-2. All the path from firewall-1 to SF which type is Napt44
2176 - Path1: firewall-2 → sff2 → napt44-2
2178 - Path2: firewall-2 → sff2 → sff3 → sff1 → napt44-1 The shortest
2179 path is Path1, so the selected next hop is napt44-2.
2181 .. figure:: ./images/sfc/sf-rendered-service-path.png
2182 :alt: rendered service path
2184 rendered service path
2186 Service Function Load Balancing User Guide
2187 ------------------------------------------
2192 SFC Load-Balancing feature implements load balancing of Service
2193 Functions, rather than a one-to-one mapping between
2194 Service-Function-Forwarder and Service-Function.
2196 Load Balancing Architecture
2197 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
2199 Service Function Groups (SFG) can replace Service Functions (SF) in the
2200 Rendered Path model. A Service Path can only be defined using SFGs or
2201 SFs, but not a combination of both.
2203 Relevant objects in the YANG model are as follows:
2205 1. Service-Function-Group-Algorithm:
2209 Service-Function-Group-Algorithms {
2210 Service-Function-Group-Algorithm {
2218 Available types: ALL, SELECT, INDIRECT, FAST_FAILURE
2220 2. Service-Function-Group:
2224 Service-Function-Groups {
2225 Service-Function-Group {
2227 String serviceFunctionGroupAlgorithmName
2230 Service-Function-Group-Element {
2231 String service-function-name
2237 3. ServiceFunctionHop: holds a reference to a name of SFG (or SF)
2242 This tutorial will explain how to create a simple SFC configuration,
2243 with SFG instead of SF. In this example, the SFG will include two
2249 For general SFC setup and scenarios, please see the SFC wiki page:
2250 https://wiki.opendaylight.org/view/Service_Function_Chaining:Main#SFC_101
2256 http://127.0.0.1:8181/restconf/config/service-function-group-algorithm:service-function-group-algorithms
2261 "service-function-group-algorithm": [
2269 (Header "content-type": application/json)
2271 Verify: get all algorithms
2272 ^^^^^^^^^^^^^^^^^^^^^^^^^^
2275 http://127.0.0.1:8181/restconf/config/service-function-group-algorithm:service-function-group-algorithms
2277 In order to delete all algorithms: DELETE -
2278 http://127.0.0.1:8181/restconf/config/service-function-group-algorithm:service-function-group-algorithms
2284 http://127.0.0.1:8181/restconf/config/service-function-group:service-function-groups
2289 "service-function-group": [
2291 "rest-uri": "http://localhost:10002",
2292 "ip-mgmt-address": "10.3.1.103",
2293 "algorithm": "alg1",
2296 "sfc-service-function": [
2301 "name":"napt44-103-1"
2308 Verify: get all SFG’s
2309 ^^^^^^^^^^^^^^^^^^^^^
2312 http://127.0.0.1:8181/restconf/config/service-function-group:service-function-groups
2314 SFC Proof of Transit User Guide
2315 -------------------------------
2320 Several deployments use traffic engineering, policy routing, segment
2321 routing or service function chaining (SFC) to steer packets through a
2322 specific set of nodes. In certain cases regulatory obligations or a
2323 compliance policy require to prove that all packets that are supposed to
2324 follow a specific path are indeed being forwarded across the exact set
2325 of nodes specified. I.e. if a packet flow is supposed to go through a
2326 series of service functions or network nodes, it has to be proven that
2327 all packets of the flow actually went through the service chain or
2328 collection of nodes specified by the policy. In case the packets of a
2329 flow weren’t appropriately processed, a proof of transit egress device
2330 would be required to identify the policy violation and take
2331 corresponding actions (e.g. drop or redirect the packet, send an alert
2332 etc.) corresponding to the policy.
2334 Service Function Chaining (SFC) Proof of Transit (SFC PoT)
2335 implements Service Chaining Proof of Transit functionality on capable
2336 network devices. Proof of Transit defines mechanisms to securely
2337 prove that traffic transited the defined path. After the creation of an
2338 Rendered Service Path (RSP), a user can configure to enable SFC proof
2339 of transit on the selected RSP to effect the proof of transit.
2341 To ensure that the data traffic follows a specified path or a function
2342 chain, meta-data is added to user traffic in the form of a header. The
2343 meta-data is based on a 'share of a secret' and provisioned by the SFC
2344 PoT configuration from ODL over a secure channel to each of the nodes
2345 in the SFC. This meta-data is updated at each of the service-hop while
2346 a designated node called the verifier checks whether the collected
2347 meta-data allows the retrieval of the secret.
2349 The following diagram shows the overview and essentially utilizes Shamir's
2350 secret sharing algorithm, where each service is given a point on the
2351 curve and when the packet travels through each service, it collects these
2352 points (meta-data) and a verifier node tries to re-construct the curve
2353 using the collected points, thus verifying that the packet traversed
2354 through all the service functions along the chain.
2356 .. figure:: ./images/sfc/sfc-pot-intro.png
2357 :alt: SFC Proof of Transit overview
2359 SFC Proof of Transit overview
2361 Transport options for different protocols includes a new TLV in SR header
2362 for Segment Routing, NSH Type-2 meta-data, IPv6 extension headers, IPv4
2363 variants and for VXLAN-GPE. More details are captured in the following
2366 In-situ OAM: https://github.com/CiscoDevNet/iOAM
2368 Common acronyms used in the following sections:
2370 - SF - Service Function
2372 - SFF - Service Function Forwarder
2374 - SFC - Service Function Chain
2376 - SFP - Service Function Path
2378 - RSP - Rendered Service Path
2380 - SFC PoT - Service Function Chain Proof of Transit
2383 SFC Proof of Transit Architecture
2384 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2386 SFC PoT feature is implemented as a two-part implementation with a
2387 north-bound handler that augments the RSP while a south-bound renderer
2388 auto-generates the required parameters and passes it on to the nodes
2389 that belong to the SFC.
2391 The north-bound feature is enabled via odl-sfc-pot feature while the
2392 south-bound renderer is enabled via the odl-sfc-pot-netconf-renderer
2393 feature. For the purposes of SFC PoT handling, both features must be
2396 RPC handlers to augment the RSP are part of ``SfcPotRpc`` while the
2397 RSP augmentation to enable or disable SFC PoT feature is done via
2398 ``SfcPotRspProcessor``.
2401 SFC Proof of Transit entities
2402 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2404 In order to implement SFC Proof of Transit for a service function chain,
2405 an RSP is a pre-requisite to identify the SFC to enable SFC PoT on. SFC
2406 Proof of Transit for a particular RSP is enabled by an RPC request to
2407 the controller along with necessary parameters to control some of the
2408 aspects of the SFC Proof of Transit process.
2410 The RPC handler identifies the RSP and adds PoT feature meta-data like
2411 enable/disable, number of PoT profiles, profiles refresh parameters etc.,
2412 that directs the south-bound renderer appropriately when RSP changes
2413 are noticed via call-backs in the renderer handlers.
2415 Administering SFC Proof of Transit
2416 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2418 To use the SFC Proof of Transit Karaf, at least the following Karaf
2419 features must be installed:
2429 - odl-netconf-topology
2431 - odl-netconf-connector-all
2435 Please note that the odl-sfc-pot-netconf-renderer or other renderers in future
2436 must be installed for the feature to take full-effect. The details of the renderer
2437 features are described in other parts of this document.
2439 SFC Proof of Transit Tutorial
2440 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2445 This tutorial is a simple example how to configure Service Function
2446 Chain Proof of Transit using SFC POT feature.
2451 To enable a device to handle SFC Proof of Transit, it is expected that
2452 the NETCONF node device advertise capability as under ioam-sb-pot.yang
2453 present under sfc-model/src/main/yang folder. It is also expected that base
2454 NETCONF support be enabled and its support capability advertised as capabilities.
2456 NETCONF support:``urn:ietf:params:netconf:base:1.0``
2458 PoT support: ``(urn:cisco:params:xml:ns:yang:sfc-ioam-sb-pot?revision=2017-01-12)sfc-ioam-sb-pot``
2460 It is also expected that the devices are netconf mounted and available
2461 in the topology-netconf store.
2466 When SFC Proof of Transit is installed, all netconf nodes in topology-netconf
2467 are processed and all capable nodes with accessible mountpoints are cached.
2469 First step is to create the required RSP as is usually done using RSP creation
2472 Once RSP name is available it is used to send a POST RPC to the
2473 controller similar to below:
2476 http://ODL-IP:8181/restconf/operations/sfc-ioam-nb-pot:enable-sfc-ioam-pot-rendered-path/
2478 .. code-block:: json
2483 "sfc-ioam-pot-rsp-name": "sfc-path-3sf3sff",
2484 "ioam-pot-enable":true,
2485 "ioam-pot-num-profiles":2,
2486 "ioam-pot-bit-mask":"bits32",
2487 "refresh-period-time-units":"milliseconds",
2488 "refresh-period-value":5000
2492 The following can be used to disable the SFC Proof of Transit on an RSP
2493 which disables the PoT feature.
2496 http://ODL-IP:8181/restconf/operations/sfc-ioam-nb-pot:disable-sfc-ioam-pot-rendered-path/
2498 .. code-block:: json
2503 "sfc-ioam-pot-rsp-name": "sfc-path-3sf3sff",
2507 SFC PoT NETCONF Renderer User Guide
2508 -----------------------------------
2513 The SFC Proof of Transit (PoT) NETCONF renderer implements SFC Proof of
2514 Transit functionality on NETCONF-capable devices, that have advertised
2515 support for in-situ OAM (iOAM) support.
2517 It listens for an update to an existing RSP with enable or disable proof of
2518 transit support and adds the auto-generated SFC PoT configuration parameters
2519 to all the SFC hop nodes. The last node in the SFC is configured as a
2520 verifier node to allow SFC PoT process to be completed.
2522 Common acronyms are used as below:
2524 - SF - Service Function
2526 - SFC - Service Function Chain
2528 - RSP - Rendered Service Path
2530 - SFF - Service Function Forwarder
2533 Mapping to SFC entities
2534 ~~~~~~~~~~~~~~~~~~~~~~~
2536 The renderer module listens to RSP updates in ``SfcPotNetconfRSPListener``
2537 and triggers configuration generation in ``SfcPotNetconfIoam`` class. Node
2538 arrival and leaving are managed via ``SfcPotNetconfNodeManager`` and
2539 ``SfcPotNetconfNodeListener``. In addition there is a timer thread that
2540 runs to generate configuration periodically to refresh the profiles in the
2541 nodes that are part of the SFC.
2544 Administering SFC PoT NETCONF Renderer
2545 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2547 To use the SFC Proof of Transit Karaf, the following Karaf features must
2558 - odl-netconf-topology
2560 - odl-netconf-connector-all
2564 - odl-sfc-pot-netconf-renderer
2567 SFC PoT NETCONF Renderer Tutorial
2568 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2573 This tutorial is a simple example how to enable SFC PoT on NETCONF-capable
2579 The NETCONF-capable device will have to support sfc-ioam-sb-pot.yang file.
2581 It is expected that a NETCONF-capable VPP device has Honeycomb (Hc2vpp)
2582 Java-based agent that helps to translate between NETCONF and VPP internal
2585 More details are here:
2586 In-situ OAM: https://github.com/CiscoDevNet/iOAM
2590 When the SFC PoT NETCONF renderer module is installed, all NETCONF nodes in
2591 topology-netconf are processed and all sfc-ioam-sb-pot yang capable nodes
2592 with accessible mountpoints are cached.
2594 The first step is to create RSP for the SFC as per SFC guidelines above.
2596 Enable SFC PoT is done on the RSP via RESTCONF to the ODL as outlined above.
2598 Internally, the NETCONF renderer will act on the callback to a modified RSP
2599 that has PoT enabled.
2601 In-situ OAM algorithms for auto-generation of SFC PoT parameters are
2602 generated automatically and sent to these nodes via NETCONF.
2604 Logical Service Function Forwarder
2605 ----------------------------------
2610 .. _sfc-user-guide-logical-sff-motivation:
2614 When the current SFC is deployed in a cloud environment, it is assumed that each
2615 switch connected to a Service Function is configured as a Service Function Forwarder and
2616 each Service Function is connected to its Service Function Forwarder depending on the
2617 Compute Node where the Virtual Machine is located.
2619 .. figure:: ./images/sfc/sfc-in-cloud.png
2620 :alt: Deploying SFC in Cloud Environments
2622 As shown in the picture above, this solution allows the basic cloud use cases to be fulfilled,
2623 as for example, the ones required in OPNFV Brahmaputra, however, some advanced use cases
2624 like the transparent migration of VMs can not be implemented. The Logical Service Function Forwarder
2625 enables the following advanced use cases:
2627 1. Service Function mobility without service disruption
2628 2. Service Functions load balancing and failover
2630 As shown in the picture below, the Logical Service Function Forwarder concept extends the current
2631 SFC northbound API to provide an abstraction of the underlying Data Center infrastructure.
2632 The Data Center underlaying network can be abstracted by a single SFF. This single SFF uses
2633 the logical port UUID as data plane locator to connect SFs globally and in a location-transparent manner.
2634 SFC makes use of `Genius <./genius-user-guide.html>`__ project to track the
2635 location of the SF's logical ports.
2637 .. figure:: ./images/sfc/single-logical-sff-concept.png
2638 :alt: Single Logical SFF concept
2640 The SFC internally distributes the necessary flow state over the relevant switches based on the
2641 internal Data Center topology and the deployment of SFs.
2643 Changes in data model
2644 ~~~~~~~~~~~~~~~~~~~~~
2645 The Logical Service Function Forwarder concept extends the current SFC northbound API to provide
2646 an abstraction of the underlying Data Center infrastructure.
2648 The Logical SFF simplifies the configuration of the current SFC data model by reducing the number
2649 of parameters to be be configured in every SFF, since the controller will discover those parameters
2650 by interacting with the services offered by the `Genius <./genius-user-guide.html>`__ project.
2652 The following picture shows the Logical SFF data model. The model gets simplified as most of the
2653 configuration parameters of the current SFC data model are discovered in runtime. The complete
2654 YANG model can be found here `logical SFF model
2655 <https://github.com/opendaylight/sfc/blob/master/sfc-model/src/main/yang/service-function-forwarder-logical.yang>`__.
2657 .. figure:: ./images/sfc/logical-sff-datamodel.png
2658 :alt: Logical SFF data model
2660 How to configure the Logical SFF
2661 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2662 The following are examples to configure the Logical SFF:
2665 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache" --data '${JSON}' -X PUT --user admin:admin http://localhost:8181/restconf/config/restconf/config/service-function:service-functions/
2667 **Service Functions JSON.**
2672 "service-functions": {
2673 "service-function": [
2675 "name": "firewall-1",
2677 "sf-data-plane-locator": [
2679 "name": "firewall-dpl",
2680 "interface-name": "eccb57ae-5a2e-467f-823e-45d7bb2a6a9a",
2681 "transport": "service-locator:eth-nsh",
2682 "service-function-forwarder": "sfflogical1"
2690 "sf-data-plane-locator": [
2693 "interface-name": "df15ac52-e8ef-4e9a-8340-ae0738aba0c0",
2694 "transport": "service-locator:eth-nsh",
2695 "service-function-forwarder": "sfflogical1"
2705 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache" --data '${JSON}' -X PUT --user admin:admin http://localhost:8181/restconf/config/service-function-forwarder:service-function-forwarders/
2707 **Service Function Forwarders JSON.**
2712 "service-function-forwarders": {
2713 "service-function-forwarder": [
2715 "name": "sfflogical1"
2723 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache" --data '${JSON}' -X PUT --user admin:admin http://localhost:8181/restconf/config/service-function-chain:service-function-chains/
2725 **Service Function Chains JSON.**
2730 "service-function-chains": {
2731 "service-function-chain": [
2734 "sfc-service-function": [
2736 "name": "dpi-abstract1",
2740 "name": "firewall-abstract1",
2747 "sfc-service-function": [
2749 "name": "dpi-abstract1",
2760 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache" --data '${JSON}' -X PUT --user admin:admin http://localhost:8182/restconf/config/service-function-chain:service-function-paths/
2762 **Service Function Paths JSON.**
2767 "service-function-paths": {
2768 "service-function-path": [
2771 "service-chain-name": "SFC1",
2772 "starting-index": 255,
2773 "symmetric": "true",
2774 "context-metadata": "NSH1",
2775 "transport-type": "service-locator:vxlan-gpe"
2782 As a result of above configuration, OpenDaylight renders the needed flows in all involved SFFs. Those flows implement:
2784 - Two Rendered Service Paths:
2786 - dpi-1 (SF1), firewall-1 (SF2)
2787 - firewall-1 (SF2), dpi-1 (SF1)
2789 - The communication between SFFs and SFs based on eth-nsh
2791 - The communication between SFFs based on vxlan-gpe
2793 The following picture shows a topology and traffic flow (in green) which corresponds to the above configuration.
2795 .. figure:: ./images/sfc/single-logical-sff-example.png
2796 :alt: Logical SFF Example
2804 The Logical SFF functionality allows OpenDaylight to find out the SFFs holding the SFs involved in a path. In this example
2805 the SFFs affected are Node3 and Node4 thus the controller renders the flows containing NSH parameters just in those SFFs.
2807 Here you have the new flows rendered in Node3 and Node4 which implement the NSH protocol. Every Rendered Service Path is represented
2808 by an NSP value. We provisioned a symmetric RSP so we get two NSPs: 8388613 and 5. Node3 holds the first SF of NSP 8388613 and
2809 the last SF of NSP 5. Node 4 holds the first SF of NSP 5 and the last SF of NSP 8388613. Both Node3 and Node4 will pop the NSH header
2810 when the received packet has gone through the last SF of its path.
2813 **Rendered flows Node 3**
2817 cookie=0x14, duration=59.264s, table=83, n_packets=0, n_bytes=0, priority=250,nsp=5 actions=goto_table:86
2818 cookie=0x14, duration=59.194s, table=83, n_packets=0, n_bytes=0, priority=250,nsp=8388613 actions=goto_table:86
2819 cookie=0x14, duration=59.257s, table=86, n_packets=0, n_bytes=0, priority=550,nsi=254,nsp=5 actions=load:0x8e0a37cc9094->NXM_NX_ENCAP_ETH_SRC[],load:0x6ee006b4c51e->NXM_NX_ENCAP_ETH_DST[],goto_table:87
2820 cookie=0x14, duration=59.189s, table=86, n_packets=0, n_bytes=0, priority=550,nsi=255,nsp=8388613 actions=load:0x8e0a37cc9094->NXM_NX_ENCAP_ETH_SRC[],load:0x6ee006b4c51e->NXM_NX_ENCAP_ETH_DST[],goto_table:87
2821 cookie=0xba5eba1100000203, duration=59.213s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=253,nsp=5 actions=pop_nsh,set_field:6e:e0:06:b4:c5:1e->eth_src,resubmit(,17)
2822 cookie=0xba5eba1100000201, duration=59.213s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=254,nsp=5 actions=load:0x800->NXM_NX_REG6[],resubmit(,220)
2823 cookie=0xba5eba1100000201, duration=59.188s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=255,nsp=8388613 actions=load:0x800->NXM_NX_REG6[],resubmit(,220)
2824 cookie=0xba5eba1100000201, duration=59.182s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=254,nsp=8388613 actions=set_field:0->tun_id,output:6
2826 **Rendered Flows Node 4**
2830 cookie=0x14, duration=69.040s, table=83, n_packets=0, n_bytes=0, priority=250,nsp=5 actions=goto_table:86
2831 cookie=0x14, duration=69.008s, table=83, n_packets=0, n_bytes=0, priority=250,nsp=8388613 actions=goto_table:86
2832 cookie=0x14, duration=69.040s, table=86, n_packets=0, n_bytes=0, priority=550,nsi=255,nsp=5 actions=load:0xbea93873f4fa->NXM_NX_ENCAP_ETH_SRC[],load:0x214845ea85d->NXM_NX_ENCAP_ETH_DST[],goto_table:87
2833 cookie=0x14, duration=69.005s, table=86, n_packets=0, n_bytes=0, priority=550,nsi=254,nsp=8388613 actions=load:0xbea93873f4fa->NXM_NX_ENCAP_ETH_SRC[],load:0x214845ea85d->NXM_NX_ENCAP_ETH_DST[],goto_table:87
2834 cookie=0xba5eba1100000201, duration=69.029s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=255,nsp=5 actions=load:0x1100->NXM_NX_REG6[],resubmit(,220)
2835 cookie=0xba5eba1100000201, duration=69.029s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=254,nsp=5 actions=set_field:0->tun_id,output:1
2836 cookie=0xba5eba1100000201, duration=68.999s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=254,nsp=8388613 actions=load:0x1100->NXM_NX_REG6[],resubmit(,220)
2837 cookie=0xba5eba1100000203, duration=68.996s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=253,nsp=8388613 actions=pop_nsh,set_field:02:14:84:5e:a8:5d->eth_src,resubmit(,17)
2840 An interesting scenario to show the Logical SFF strength is the migration of a SF from a compute node to another.
2841 The OpenDaylight will learn the new topology by itself, then it will re-render the new flows to the new SFFs affected.
2843 .. figure:: ./images/sfc/single-logical-sff-example-migration.png
2844 :alt: Logical SFF - SF Migration Example
2848 Logical SFF - SF Migration Example
2851 In our example, SF2 is moved from Node4 to Node2 then OpenDaylight removes NSH specific flows from Node4 and puts them in Node2.
2852 Check below flows showing this effect. Now Node3 keeps holding the first SF of NSP 8388613 and the last SF of NSP 5;
2853 but Node2 becomes the new holder of the first SF of NSP 5 and the last SF of NSP 8388613.
2856 **Rendered Flows Node 3 After Migration**
2860 cookie=0x14, duration=64.044s, table=83, n_packets=0, n_bytes=0, priority=250,nsp=5 actions=goto_table:86
2861 cookie=0x14, duration=63.947s, table=83, n_packets=0, n_bytes=0, priority=250,nsp=8388613 actions=goto_table:86
2862 cookie=0x14, duration=64.044s, table=86, n_packets=0, n_bytes=0, priority=550,nsi=254,nsp=5 actions=load:0x8e0a37cc9094->NXM_NX_ENCAP_ETH_SRC[],load:0x6ee006b4c51e->NXM_NX_ENCAP_ETH_DST[],goto_table:87
2863 cookie=0x14, duration=63.947s, table=86, n_packets=0, n_bytes=0, priority=550,nsi=255,nsp=8388613 actions=load:0x8e0a37cc9094->NXM_NX_ENCAP_ETH_SRC[],load:0x6ee006b4c51e->NXM_NX_ENCAP_ETH_DST[],goto_table:87
2864 cookie=0xba5eba1100000201, duration=64.034s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=254,nsp=5 actions=load:0x800->NXM_NX_REG6[],resubmit(,220)
2865 cookie=0xba5eba1100000203, duration=64.034s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=253,nsp=5 actions=pop_nsh,set_field:6e:e0:06:b4:c5:1e->eth_src,resubmit(,17)
2866 cookie=0xba5eba1100000201, duration=63.947s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=255,nsp=8388613 actions=load:0x800->NXM_NX_REG6[],resubmit(,220)
2867 cookie=0xba5eba1100000201, duration=63.942s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=254,nsp=8388613 actions=set_field:0->tun_id,output:2
2869 **Rendered Flows Node 2 After Migration**
2873 cookie=0x14, duration=56.856s, table=83, n_packets=0, n_bytes=0, priority=250,nsp=5 actions=goto_table:86
2874 cookie=0x14, duration=56.755s, table=83, n_packets=0, n_bytes=0, priority=250,nsp=8388613 actions=goto_table:86
2875 cookie=0x14, duration=56.847s, table=86, n_packets=0, n_bytes=0, priority=550,nsi=255,nsp=5 actions=load:0xbea93873f4fa->NXM_NX_ENCAP_ETH_SRC[],load:0x214845ea85d->NXM_NX_ENCAP_ETH_DST[],goto_table:87
2876 cookie=0x14, duration=56.755s, table=86, n_packets=0, n_bytes=0, priority=550,nsi=254,nsp=8388613 actions=load:0xbea93873f4fa->NXM_NX_ENCAP_ETH_SRC[],load:0x214845ea85d->NXM_NX_ENCAP_ETH_DST[],goto_table:87
2877 cookie=0xba5eba1100000201, duration=56.823s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=255,nsp=5 actions=load:0x1100->NXM_NX_REG6[],resubmit(,220)
2878 cookie=0xba5eba1100000201, duration=56.823s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=254,nsp=5 actions=set_field:0->tun_id,output:4
2879 cookie=0xba5eba1100000201, duration=56.755s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=254,nsp=8388613 actions=load:0x1100->NXM_NX_REG6[],resubmit(,220)
2880 cookie=0xba5eba1100000203, duration=56.750s, table=87, n_packets=0, n_bytes=0, priority=650,nsi=253,nsp=8388613 actions=pop_nsh,set_field:02:14:84:5e:a8:5d->eth_src,resubmit(,17)
2882 **Rendered Flows Node 4 After Migration**
2886 -- No flows for NSH processing --
2888 .. _sfc-user-guide-classifier-impacts:
2893 As previously mentioned, in the :ref:`Logical SFF rationale
2894 <sfc-user-guide-logical-sff-motivation>`, the Logical SFF feature relies on
2895 Genius to get the dataplane IDs of the OpenFlow switches, in order to properly
2896 steer the traffic through the chain.
2898 Since one of the classifier's objectives is to steer the packets *into* the
2899 SFC domain, the classifier has to be aware of where the first Service
2900 Function is located - if it migrates somewhere else, the classifier table
2901 has to be updated accordingly, thus enabling the seemless migration of Service
2904 For this feature, mobility of the client VM is out of scope, and should be
2905 managed by its high-availability module, or VNF manager.
2907 Keep in mind that classification *always* occur in the compute-node where
2908 the client VM (i.e. traffic origin) is running.
2910 How to attach the classifier to a Logical SFF
2911 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2913 In order to leverage this functionality, the classifier has to be configured
2914 using a Logical SFF as an attachment-point, specifying within it the neutron
2917 The following examples show how to configure an ACL, and a classifier having
2918 a Logical SFF as an attachment-point:
2920 **Configure an ACL**
2922 The following ACL enables traffic intended for port 80 within the subnetwork
2923 192.168.2.0/24, for RSP1 and RSP1-Reverse.
2932 "acl-type": "ietf-access-control-list:ipv4-acl",
2933 "access-list-entries": {
2936 "rule-name": "ACE1",
2938 "service-function-acl:rendered-service-path": "RSP1"
2941 "destination-ipv4-network": "192.168.2.0/24",
2942 "source-ipv4-network": "192.168.2.0/24",
2944 "source-port-range": {
2947 "destination-port-range": {
2957 "acl-type": "ietf-access-control-list:ipv4-acl",
2958 "access-list-entries": {
2961 "rule-name": "ACE2",
2963 "service-function-acl:rendered-service-path": "RSP1-Reverse"
2966 "destination-ipv4-network": "192.168.2.0/24",
2967 "source-ipv4-network": "192.168.2.0/24",
2969 "source-port-range": {
2972 "destination-port-range": {
2986 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache" --data '${JSON}' -X PUT --user admin:admin http://localhost:8181/restconf/config/ietf-access-control-list:access-lists/
2988 **Configure a classifier JSON**
2990 The following JSON provisions a classifier, having a Logical SFF as an
2991 attachment point. The value of the field 'interface' is where you
2992 indicate the neutron ports of the VMs you want to classify.
2997 "service-function-classifiers": {
2998 "service-function-classifier": [
3000 "name": "Classifier1",
3001 "scl-service-function-forwarder": [
3003 "name": "sfflogical1",
3004 "interface": "09a78ba3-78ba-40f5-a3ea-1ce708367f2b"
3009 "type": "ietf-access-control-list:ipv4-acl"
3018 curl -i -H "Content-Type: application/json" -H "Cache-Control: no-cache" --data '${JSON}' -X PUT --user admin:admin http://localhost:8181/restconf/config/service-function-classifier:service-function-classifiers/
3020 .. _sfc-user-guide-pipeline-impacts:
3022 SFC pipeline impacts
3023 ~~~~~~~~~~~~~~~~~~~~
3025 After binding SFC service with a particular interface by means of Genius, as explained in the :ref:`Genius User Guide <genius-user-guide-binding-services>`,
3026 the entry point in the SFC pipeline will be table 82 (SFC_TRANSPORT_CLASSIFIER_TABLE), and from that point, packet
3027 processing will be similar to the :ref:`SFC OpenFlow pipeline <sfc-user-guide-sfc-of-pipeline>`, just with another set
3028 of specific tables for the SFC service.
3030 This picture shows the SFC pipeline after service integration with Genius:
3032 .. figure:: ./images/sfc/LSFF_pipeline.png
3033 :alt: SFC Logical SFF OpenFlow pipeline
3035 SFC Logical SFF OpenFlow pipeline
Code Review / docs.git / blob