1 ==== Overview
2
3 Please refer to the Service Function Chaining project for specifics on SFC provisioning and theory.
4
5 *GBP* allows for the use of a chain, by name, in policy.
6
7 This takes the form of an _action_ in *GBP*.
8
9 Using the <<demo,*GBP* demo and development environment>> as an example:
10
11 .GBP and SFC integration environment
12 image::groupbasedpolicy/sfc-1-topology.png[align="center",width=500]
13
14 In the topology above, a symmetrical chain between H35_2 and H36_3 could take the path:
15
16 H35_2 to sw1 to sff1 to sf1 to sff1 to sff2 to sf2 to sff2 to sw6 to H36_3
17
18 If symmetric chaining is desired, the return path is:
19
20 .GBP and SFC symmetric chain environment
21 image::groupbasedpolicy/sfc-2-symmetric.png[align="center",width=500]
22
23
24 If asymmetric chaining is desired, the return path could be direct, or an *entirely different chain*.
25
26 .GBP and SFC asymmetric chain environment
27 image::groupbasedpolicy/sfc-3-asymmetric.png[align="center",width=500]
28
29
30 All these scenarios are supported by the integration.
31
32 In the *Subject Feature Instance* section of the tenant config, we define the instances of the classifier definitions for ICMP and HTTP:
33 ----
34         "subject-feature-instances": {
35           "classifier-instance": [
36             {
37               "name": "icmp",
38               "parameter-value": [
39                 {
40                   "name": "proto",
41                   "int-value": 1
42                 }
43               ]
44             },
45             {
46               "name": "http-dest",
47               "parameter-value": [
48                 {
49                   "int-value": "6",
50                   "name": "proto"
51                 },
52                 {
53                   "int-value": "80",
54                   "name": "destport"
55                 }
56               ]
57             },
58             {
59               "name": "http-src",
60               "parameter-value": [
61                 {
62                   "int-value": "6",
63                   "name": "proto"
64                 },
65                 {
66                   "int-value": "80",
67                   "name": "sourceport"
68                 }
69               ]
70             }
71           ],
72 ----
73
74 Then the action instances to associate to traffic that matches classifiers are defined. 
75
76 Note that the _SFC chain name_ must exist in SFC. It is validated against
77 the datastore once the tenant configuration is entered, before the valid tenant configuration is written to the operational datastore (which triggers policy resolution).
78
79 ----
80           "action-instance": [
81             {
82               "name": "chain1",
83               "parameter-value": [
84                 {
85                   "name": "sfc-chain-name",
86                   "string-value": "SFCGBP"
87                 }
88               ]
89             },
90             {
91               "name": "allow1",
92             }
93           ]
94         },
95 ----
96
97 When ICMP is matched, allow the traffic:
98
99 ----
100
101         "contract": [
102           {
103             "subject": [
104               {
105                 "name": "icmp-subject",
106                 "rule": [
107                   {
108                     "name": "allow-icmp-rule",
109                     "order" : 0,
110                     "classifier-ref": [
111                       {
112                         "name": "icmp"
113                       }
114                     ],
115                     "action-ref": [
116                       {
117                         "name": "allow1",
118                         "order": 0
119                       }
120                     ]
121                   }
122                   
123                 ]
124               },
125 ----
126
127 When HTTP is matched *in* to the provider of the contract with a TCP destination port of 80 (that is, the HTTP request), the chain action is triggered. Similarly, the chain action is triggered
128 *out* from the provider for traffic with a TCP source port of 80 (that is, the HTTP response).
129
130 ----
131               {
132                 "name": "http-subject",
133                 "rule": [
134                   {
135                     "name": "http-chain-rule-in",
136                     "classifier-ref": [
137                       {
138                         "name": "http-dest",
139                         "direction": "in"
140                       }
141                     ],
142                     "action-ref": [
143                       {
144                         "name": "chain1",
145                         "order": 0
146                       }
147                     ]
148                   },
149                   {
150                     "name": "http-chain-rule-out",
151                     "classifier-ref": [
152                       {
153                         "name": "http-src",
154                         "direction": "out"
155                       }
156                     ],
157                     "action-ref": [
158                       {
159                         "name": "chain1",
160                         "order": 0
161                       }
162                     ]
163                   }
164                 ]
165               }
166 ----
167
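168 To enable asymmetrical chaining (for instance, when the user wants HTTP requests to traverse the chain but HTTP responses not to), the HTTP response rule is set to _allow_ instead of chain. With this setting the response traffic is simply allowed and does not pass through the service functions in the chain: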
169
170 ----
171
172                   {
173                     "name": "http-chain-rule-out",
174                     "classifier-ref": [
175                       {
176                         "name": "http-src",
177                         "direction": "out"
178                       }
179                     ],
180                     "action-ref": [
181                       {
182                         "name": "allow1",
183                         "order": 0
184                       }
185                     ]
186                   }
187 ----
188