Please refer to the Service Function Chaining project for specifics on SFC provisioning and theory.

*GBP* allows for the use of a chain, by name, in policy.

This takes the form of an _action_ in *GBP*.

Using the <<demo,*GBP* demo and development environment>> as an example:

.GBP and SFC integration environment
image::groupbasedpolicy/sfc-1-topology.png[align="center",width=500]
In the topology above, a symmetrical chain between H35_2 and H36_3 could take the path:

H35_2 to sw1 to sff1 to sf1 to sff1 to sff2 to sf2 to sff2 to sw6 to H36_3

If symmetric chaining was desired, the return path is:
.GBP and SFC symmetric chain environment
image::groupbasedpolicy/sfc-2-symmetric.png[align="center",width=500]

If asymmetric chaining was desired, the return path could be direct, or an *entirely different chain*.
.GBP and SFC asymmetric chain environment
image::groupbasedpolicy/sfc-3-asymmetric.png[align="center",width=500]

All these scenarios are supported by the integration.

In the *Subject Feature Instance* section of the tenant config, we define the instances of the classifier definitions for ICMP and HTTP:

"subject-feature-instances": {
    "classifier-instance": [

Then the action instances to associate to traffic that matches classifiers are defined.
Note that the _SFC chain name_ must exist in SFC. It is validated against the datastore once the tenant configuration is entered, before the valid tenant configuration is written to the operational datastore (which triggers policy resolution).
"name": "sfc-chain-name",
"string-value": "SFCGBP"

When ICMP is matched, allow the traffic:

"name": "icmp-subject",
"name": "allow-icmp-rule",
When HTTP is matched *in* to the provider of the contract with a TCP destination port of 80 (HTTP), that is, the HTTP request, the chain action is triggered. The same applies *out* from the provider for traffic with a TCP source port of 80 (HTTP), that is, the HTTP response.
"name": "http-subject",
"name": "http-chain-rule-in",
"name": "http-chain-rule-out",
To enable asymmetrical chaining, for instance when the user wants HTTP requests to traverse the chain but not the HTTP response, the HTTP response is set to _allow_ instead of chain:
"name": "http-chain-rule-out",
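
As an added example (not part of the original guide or of the GBP project's code), the following Python pre-flight check mirrors the two points above: every `sfc-chain-name` must name a chain that exists in SFC, and a subject whose rules chain in one direction only is asymmetric, so traffic in the other direction does not traverse the service functions. The tenant fragment is constructed; the `action-instance`, `parameter-value`, `subject`, `rule` and `action-ref` keys and the `chain1`/`allow1` names are assumptions, and `known_chains` stands in for a lookup against SFC.

```python
import json

# Constructed tenant fragment. Only "sfc-chain-name", "SFCGBP", "http-subject",
# "http-chain-rule-in" and "http-chain-rule-out" come from the page; the
# surrounding keys and the chain1/allow1 names are assumptions.
TENANT = json.loads("""
{
  "subject-feature-instances": {
    "action-instance": [
      {"name": "chain1", "parameter-value": [
        {"name": "sfc-chain-name", "string-value": "SFCGBP"}]},
      {"name": "allow1"}
    ]
  },
  "subject": [
    {"name": "http-subject", "rule": [
      {"name": "http-chain-rule-in",  "action-ref": [{"name": "chain1"}]},
      {"name": "http-chain-rule-out", "action-ref": [{"name": "allow1"}]}
    ]}
  ]
}
""")

def chain_actions(tenant):
    """Map each action-instance name to the SFC chain name it references."""
    found = {}
    sfi = tenant.get("subject-feature-instances", {})
    for inst in sfi.get("action-instance", []):
        for param in inst.get("parameter-value", []):
            if param.get("name") == "sfc-chain-name":
                found[inst["name"]] = param.get("string-value")
    return found

def audit(tenant, known_chains):
    """Return (chain names absent from SFC, subjects with chained and unchained rules)."""
    chains = chain_actions(tenant)
    missing = sorted({c for c in chains.values() if c not in known_chains})
    asymmetric = []
    for subj in tenant.get("subject", []):
        chained = [any(ref["name"] in chains for ref in rule.get("action-ref", []))
                   for rule in subj.get("rule", [])]
        if any(chained) and not all(chained):
            asymmetric.append(subj["name"])
    return missing, asymmetric

if __name__ == "__main__":
    print(audit(TENANT, known_chains={"SFCGBP"}))
```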