HP E VAN SDN Controller 2.7 Administrator's Manual

HPE VAN SDN Controller 2.7 Administrator Guide

Abstract

This guide is intended for network administrators and support personnel involved in:

• Configuring and managing HPE VAN SDN (Virtual Application Network Software-Defined Networking) Controller installations

• Registering and activating HPE VAN SDN Controller licenses

Part Number: 5200-0907 Published: March 2016 Edition: 1

The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services

are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting

an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or copying. Consistent with FAR

12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed

to the U.S. Government under vendor's standard commercial license.

The HPE VAN SDN Controller license text can be found in /opt/sdn/legal/EULA.pdf. The HPE VAN SDN Controller incorporates materials from

several Open Source software projects. Therefore, the use of these materials by the HPE VAN SDN Controller is governed by different Open

Source licenses. Refer to /opt/sdn/legal/HP-SDN-CONTROLLER-OPENSOURCE-LIST.pdf for a complete list of the materials used.

Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard Enterprise has no control over and is not

responsible for information outside the Hewlett Packard Enterprise website.

Acknowledgments

Java® and Oracle® are registered trademarks of Oracle and/or its affiliates.

Open Source Software

For information on licenses for the open source software used by the HPE VAN SDN Controller, see the HPE VAN SDN Controller Open Source

and Third-Party Software License Agreements.

For information on acquiring the open source code for the HPE VAN SDN Controller, send an email to HPN-SDN-Open-Source-Query@hpe.com.

1 Introduction........................................................................................................10

About the HPE VAN SDN Controller...................................................................................................10

The HPE SDN ecosystem..................................................................................................................10

SDN Controller applications and the App Store.................................................................................12

Hewlett Packard Enterprise SDN information library..........................................................................12

Supported switches and OpenFlow compatibility ..............................................................................12

OpenFlow requirements................................................................................................................12

IPv6 traffic......................................................................................................................................13

2 Understanding the controller architecture.........................................................14

List of controller embedded applications............................................................................................15

OpenFlow Link Discovery ..................................................................................................................15

OpenFlow Node Discovery ................................................................................................................16

Path Diagnostics ................................................................................................................................17

Path Daemon......................................................................................................................................17

Topology Manager..............................................................................................................................19

Topology Viewer.................................................................................................................................20

3 Using the SDN controller UI..............................................................................21

Starting the SDN controller console UI...............................................................................................21

Default domain name, user name, and password.........................................................................22

About the user interface......................................................................................................................22

Banner...........................................................................................................................................23

Changing column widths...............................................................................................................23

SDN User window...............................................................................................................................23

User window screen details...........................................................................................................24

Changing the SDN user password................................................................................................24

Changing the background and text colors.....................................................................................25

Expanding the SDN user window..................................................................................................25

Collapsing the SDN user window..................................................................................................25

Logging out of the controller..........................................................................................................25

Navigation menu.................................................................................................................................25

About the navigation menu............................................................................................................25

Expanding or collapsing the navigation menu...............................................................................25

Navigation menu screen details....................................................................................................26

Alerts...................................................................................................................................................27

About alerts...................................................................................................................................27

Alerts screen details......................................................................................................................28

Viewing the alert notification counter.............................................................................................29

Viewing the ten most severe recent active alerts .........................................................................29

Acknowledging an alert.................................................................................................................30

Deleting an alert............................................................................................................................30

Configuring how alerts age out......................................................................................................31

Applications........................................................................................................................................32

About the application manager......................................................................................................32

Prerequisites for installing an application......................................................................................32

Applications screen details............................................................................................................33

Obtaining applications from the Hewlett Packard Enterprise SDN App Store...............................34

Adding or upgrading an application...............................................................................................34

Disabling (stopping) or enabling (starting) an application.............................................................35

Uninstalling an application.............................................................................................................36

Understanding application states and OSGi artifacts....................................................................36

Configuration components..................................................................................................................38

Contents 3

Using configuration component keys............................................................................................38

Configurations screen details........................................................................................................39

Basic Configurations view........................................................................................................40

Advanced Configurations view.................................................................................................41

System Configurations view.....................................................................................................43

Apps Configurations view.........................................................................................................45

Modifying a component configuration............................................................................................45

Modifying NTP server or date and time.........................................................................................46

Modifying Network settings............................................................................................................47

Modifying Logger settings..............................................................................................................48

Audit log..............................................................................................................................................49

About the audit log ........................................................................................................................49

Audit log screen details.................................................................................................................50

Deleting an audit log entry.............................................................................................................50

Configuring how audit log data ages out.......................................................................................50

Exporting and archiving audit log data..........................................................................................51

Licenses..............................................................................................................................................52

Licenses screen details.................................................................................................................52

Installing, activating, uninstalling, or transferring licenses.............................................................53

Team...................................................................................................................................................53

Support logs........................................................................................................................................53

About support logs.........................................................................................................................53

Support logs screen details...........................................................................................................54

Configuring the support log queue size ........................................................................................55

Exporting the support logs ............................................................................................................56

Packet listeners..................................................................................................................................56

Packet listeners display details.....................................................................................................57

OpenFlow Monitor..............................................................................................................................58

OpenFlow Monitor screen details..................................................................................................58

Summary for data path view....................................................................................................59

Ports for data path view...........................................................................................................60

Flows for data path view..........................................................................................................60

Groups for data path view........................................................................................................61

OpenFlow topology ............................................................................................................................61

Displaying the network Topology...................................................................................................62

Using keyboard shortcuts to change the display...........................................................................62

Changing switch and host node labeling..................................................................................63

Using the mouse to change the topology display.....................................................................65

Viewing node tooltips...............................................................................................................65

Changing the topology display using the View menu....................................................................65

Using Search............................................................................................................................66

Viewing port labels on switches...............................................................................................67

Viewing details.........................................................................................................................67

Using tools................................................................................................................................67

Using pin, Collapse All, Auto Refresh and Reload...................................................................67

Viewing the shortest path between two nodes .............................................................................68

Follow Flow..............................................................................................................................68

Highlight flow............................................................................................................................69

Viewing flow details for selected nodes.........................................................................................69

Viewing details on packet selection criteria for a data flow...........................................................69

OpenFlow Trace log............................................................................................................................69

About the OpenFlow Trace log......................................................................................................70

OpenFlow Trace screen details.....................................................................................................70

Starting, stopping, or clearing OpenFlow trace ............................................................................71

Displaying trace event details........................................................................................................71

4 Contents

Exporting the OpenFlow Trace log................................................................................................72

Filtering the OpenFlow trace log in a CSV file...............................................................................73

Changing the OpenFlow trace interval .........................................................................................74

OpenFlow Classes .............................................................................................................................75

About OpenFlow classes...............................................................................................................75

OpenFlow Classes screen details.................................................................................................76

Controller enforcement levels for OpenFlow classes....................................................................78

Changing the enforcement levels for OpenFlow classes..............................................................78

4 Hybrid mode for controlling packet forwarding..................................................80

Overview.............................................................................................................................................80

Learning more about hybrid mode......................................................................................................80

Viewing and changing the hybrid mode configuration........................................................................80

Coordinating controller hybrid mode and OpenFlow switch settings..................................................82

Supporting hybrid mode on OpenFlow switches...........................................................................82

Configuring controller settings to support hybrid mode.................................................................82

Limitations................................................................................................................................83

Controller packet-forwarding when hybrid mode is disabled..............................................................84

Controller packet forwarding when hybrid mode is enabled...............................................................85

5 License Registration and Activation..................................................................86

Overview of the license registration and activation process...............................................................86

License types, usage, and expiration.................................................................................................86

Preparing for license registration........................................................................................................87

Prerequisites for license registration.............................................................................................87

Identifying the Install ID displayed in the controller UI...................................................................87

Registering and activating a license...................................................................................................87

Registering your license and obtaining a license key.........................................................................88

Viewing your license information...................................................................................................90

Activating a license on the controller..................................................................................................92

Adding and activating a license using the controller UI.................................................................92

Activating a license using a script.................................................................................................93

Managing licenses..............................................................................................................................93

Transferring licenses.....................................................................................................................93

Deactivating licenses to prepare for transfer............................................................................94

Transferring licenses to a new platform...................................................................................95

Using Evaluation Licenses .................................................................................................................98

6 Configuring for High Availability.........................................................................99

High Availability best practices...........................................................................................................99

About teaming for High Availability.....................................................................................................99

Requirements for teaming................................................................................................................100

Team status......................................................................................................................................101

Controller status ...............................................................................................................................101

Manually synchronizing Cassandra database nodes using nodetool repair utility...........................102

Guidelines for running the nodetool repair utility.........................................................................102

Running the Cassandra nodetool repair command.....................................................................102

Configuring controllers to use the same local NTP servers..............................................................103

Viewing your team configuration using the UI..................................................................................104

Viewing team status....................................................................................................................104

Viewing team configuration and controller status........................................................................105

Viewing region configuration.......................................................................................................105

Viewing devices, datapaths, and debug logs..............................................................................106

Methods for configuring HA teaming................................................................................................106

Defining inputs for teaming in a configuration file.............................................................................107

Using a Python script from a controller to configure a team.............................................................109

Contents 5

7 Security............................................................................................................110

SDN Controller authentication .........................................................................................................110

Changing the default controller keystore and truststore to use CA signed certificates....................110

SDN Controller keystore and truststore locations and passwords ..................................................112

Encryption ........................................................................................................................................112

Built-in OpenFlow controller..............................................................................................................113

Creating a keystore and truststore for OpenFlow switch communication...................................113

Built-in OpenFlow controller keystore and truststore locations and passwords..........................113

REST authentication.........................................................................................................................114

OpenStack Keystone used for user and token management......................................................115

UUID Authentication....................................................................................................................115

PKI Authentication.......................................................................................................................116

Local vs Remote Keystone..........................................................................................................116

Keystone controller configuration................................................................................................117

Security .......................................................................................................................................117

Role-Based Access Control (RBAC)...........................................................................................118

Assigning a user to a role.......................................................................................................118

API access requires authentication.............................................................................................120

Service and admin tokens ..........................................................................................................120

Controller code verification ..............................................................................................................121

Adding certificates to the jar-signing truststore ..........................................................................121

Running the SDN Controller Without Jar-Signing Validation ......................................................121

Revoking Trust .................................................................................................................................122

Revoking trust via truststore .......................................................................................................122

Revoking trust via CRL ...............................................................................................................122

SDN administrative REST API .........................................................................................................122

Virgo admin UI access via localhost only.........................................................................................123

Virgo console access disabled by default.........................................................................................123

JMX console enabled for local access only......................................................................................123

Creating the Cassandra keystore and truststore..............................................................................124

Cassandra keystore and truststore locations and passwords .........................................................125

Security procedure ...........................................................................................................................125

Security best practices......................................................................................................................126

8 Configuring OpenFlow instances....................................................................128

Configuring OpenFlow Instances with Multiple VLANs ...................................................................128

Configuring OpenFlow Instances with Single VLAN Identifier..........................................................128

Configuring OpenFlow instances to enable MAC group matching...................................................132

MAC group matching...................................................................................................................132

Switches that support MAC group tables and MAC group matching..........................................132

Configuration rules for OpenFlow instances and MAC groups...................................................132

Enabling or disabling MAC group matching on an OpenFlow instance......................................132

Prerequisites..........................................................................................................................132

Enabling MAC groups............................................................................................................133

Disabling MAC groups...........................................................................................................133

9 Backing up and restoring ................................................................................134

Backing up and restoring Best Practices..........................................................................................134

Backing up a controller ....................................................................................................................134

Backup operation ........................................................................................................................135

Backing up a controller ...............................................................................................................136

Downloading a backup from the controller to another location ..................................................136

Recommended backup practices ...............................................................................................137

Restoring a controller from a backup ...............................................................................................137

Restore operation .......................................................................................................................137

System restore requirements .....................................................................................................138

6 Contents

Restoring a controller from a backup..........................................................................................138

Distributed (team) backing up and restoring ....................................................................................140

Backing up and restoring the Keystone configuration and database...............................................140

10 Metrics...........................................................................................................141

Viewing metric data..........................................................................................................................141

About metrics...............................................................................................................................141

How metric values are processed..........................................................................................141

Metric identifiers.....................................................................................................................142

Viewing the application IDs for applications that have persisted metrics to disk.........................143

Viewing the metrics persisted by a specific application...............................................................143

Metrics returned by the metrics/apps/app_id command......................................................144

Viewing the primary tags for metrics persisted by an application................................................145

Viewing the secondary tags for metrics persisted by an application...........................................145

Viewing the names of metrics persisted by an application..........................................................146

Viewing information about a persisted metric identified by its UID..............................................147

Viewing the time-series values for a persisted metric identified by its UID.................................147

Viewing all controller JVM metrics....................................................................................................149

Viewing current metric data using a JMX client................................................................................149

Metrics that are viewable using a JMX client..............................................................................149

Prerequisites................................................................................................................................149

Connecting to the JMX server using the JConsole JMX client....................................................150

Selecting and viewing metrics using JConsole JMX...................................................................151

Generating a controller support report..............................................................................................152

11 Troubleshooting.............................................................................................155

REST API request returns HTTP code 401......................................................................................155

Controller not listening on port TCP/8443.........................................................................................155

Packets not received at the end point...............................................................................................156

Session expired message in the UI..................................................................................................156

Error running the config_sdn.py script with date/time/NTP option....................................................156

Licensing...........................................................................................................................................157

Redeem quantity error.................................................................................................................157

Install ID format errors ................................................................................................................157

Install ID errors ...........................................................................................................................157

Applications that use the Cassandra database are experiencing failures........................................158

Controller support log fills disk space, contains multiple “Too many open files” messages.............158

Application management errors........................................................................................................159

Application not starting and in disabled state..............................................................................159

Application in transitive state.......................................................................................................159

Application management exceptions................................................................................................159

Getting IllegalStateException: HTTP code 500...........................................................................159

Getting UnsafeConfigurationException, HTTP code: 403...........................................................160

Getting ApplicationDisableException, HTTP code: 500..............................................................160

Getting ApplicationEnableException, HTTP code: 500...............................................................160

Getting ApplicationInstallException, HTTP code: 500.................................................................161

Getting ApplicationUpgradeException, HTTP code: 500............................................................161

Getting ApplicationUninstallException, HTTP code: 500............................................................161

Getting ApplicationUploadException, HTTP code: 500...............................................................161

Getting ApplicationValidationException, HTTP code: 400...........................................................161

OpenFlow errors...............................................................................................................................162

Host location not learned by controller........................................................................................162

Switches constantly being disconnected and reconnected ........................................................162

Unexpected network or service problems in hybrid mode...........................................................162

Troubleshooting teamed environments............................................................................................163

Controllers dropped from team or unable to form team..............................................................163

Contents 7

Teaming framework does not run................................................................................................163

Controller becomes suspended...................................................................................................163

Unable to create team.................................................................................................................164

Controller and application data differs among controllers in a team...........................................165

Application data is not synchronized after a controller rejoins the team.....................................165

12 Support and other resources.........................................................................167

Accessing Hewlett Packard Enterprise Support...............................................................................167

Accessing updates............................................................................................................................167

Websites...........................................................................................................................................167

Customer self repair.........................................................................................................................168

Remote support................................................................................................................................168

Documentation feedback..................................................................................................................169

A curl commands................................................................................................170

About the curl commands in this document......................................................................................170

Getting an authorization token using a curl command.....................................................................171

Export audit log data as a CSV file using curl commands................................................................171

Licensing actions using curl commands...........................................................................................171

Obtaining an install ID.................................................................................................................171

Activating a license on the controller...........................................................................................172

Uninstalling licenses to prepare for transfer................................................................................172

Application manager actions using curl commands.........................................................................174

Listing applications......................................................................................................................174

Listing information about an application......................................................................................175

Getting application health status.................................................................................................175

Uploading an application (new or upgrade).................................................................................176

Installing a new application..........................................................................................................176

Upgrading an application.............................................................................................................177

Disabling an application...............................................................................................................177

Enabling an application...............................................................................................................178

Removing a staged application...................................................................................................178

Deleting an application................................................................................................................179

Viewing metric data using curl commands.......................................................................................179

Managing SNMP keys .....................................................................................................................179

Getting the SNMP keys...............................................................................................................179

Adding SNMP keys......................................................................................................................179

Deleting an SNMP key................................................................................................................180

Managing NETCONF keys ..............................................................................................................180

Getting the NETCONF keys........................................................................................................180

Adding NETCONF keys...............................................................................................................180

Deleting a NETCONF key...........................................................................................................180

Team configuration using curl commands........................................................................................181

Creating a team using curl...........................................................................................................181

Considerations when a controller team is formed using REST..............................................181

Configuring a controller team using curl.................................................................................182

Error log for team configuration ..................................................................................................184

Team alias node.....................................................................................................................186

Cassandra database maintenance in a team.........................................................................186

Disbanding a team using curl......................................................................................................186

Viewing the team configuration using curl...................................................................................187

Creating regions using curl..........................................................................................................188

Regions and device ownership..............................................................................................189

Failover behavior within a region...........................................................................................189

Failback behavior within a region...........................................................................................191

Adding a region using curl...........................................................................................................192

8 Contents

Adding a device to a region using curl........................................................................................193

Getting the configuration of all regions using curl.......................................................................193

Getting the configuration of a specific region using curl..............................................................194

Determining whether or not a controller owns a specific device using curl.................................194

Getting the owning controller and devices for a region using curl...............................................194

Getting the status of a specific region using curl.........................................................................195

Getting the status of all regions using curl..................................................................................196

Removing a device from a region using curl...............................................................................198

Removing a region using curl......................................................................................................198

B Scripts.............................................................................................................199

Restoring a controller........................................................................................................................199

Backing up a controller team............................................................................................................201

Restoring a controller team ..............................................................................................................206

C Using an external policy manager..................................................................211

D Performance testing........................................................................................212

E Examples of Metrics........................................................................................213

Index...................................................................................................................228

Contents 9

1 Introduction

This document describes the configuration and management of the HPE VAN SDN Controller in standalone and team modes.

About the HPE VAN SDN Controller

The HPE VAN SDN Controller provides a unified control point in an OpenFlow-enabled network, simplifying management, provisioning, and orchestration and enabling delivery of a new generation of application-based network services.

In the Hewlett Packard Enterprise Software Defined Networking (SDN) architecture, the control and data planes of the network are decoupled from each other, centralizing network intelligence and abstracting the underlying network infrastructure from applications. Controller software manages forwarding behavior for physical and virtual switches under its control via the industry-standard OpenFlow protocol. Network ports, links, and topologies are all directly visible, enabling centralized policy administration and more effective path selection based on a dynamic, global view of the network. This dramatically simplifies the orchestration of multi-tenant environments and the enforcement of network policy for both mobile clients and servers.

The HPE VAN SDN Controller is designed to operate in a variety of computing environments, including campus, data center, service provider, private cloud, and public cloud. The HPE VAN SDN Controller features:

• An enterprise-class platform for the delivery of a broad range of network innovations

• An extensible, scalable, and resilient controller architecture

• Compliance with OpenFlow 1.0 and 1.3 protocols

• Support for Hewlett Packard Enterprise and H3C OpenFlow-enabled switches

• Secure authentication using a local or remote Keystone server

• Controller teaming for distributed platform High Availability (HA)

• Embedded applications that provide common network services

• Open APIs enable SDN application developers to deliver innovative solutions that dynamically

link business requirements to network infrastructure using either custom Java programs or general-purpose RESTful control interfaces, including functions to extend the controller REST API and UI.

• Integration with HPE Intelligent Management Center (IMC). HPE IMC provides full controller application life cycle management and monitoring, enhanced reporting and SDN network visualization.

The HPE SDN ecosystem

SDN architecture separates the network control plane from the forwarding hardware on network devices. Control can then be centralized, while forwarding remains distributed. SDN is based on OpenFlow, which is a standards-based protocol allowing for a centralized-control plane in a separate device (the controller).

OpenFlow is managed by the Open Networking Foundation (ONF). By separating the control plane from the forwarding plane, SDN makes it possible for the network status and capabilities to be exposed directly to the business service layer, so that business systems can request services from the network directly. SDN applications thus provide higher level application direction to the SDN controller. And freed from the control function, the forwarding plane can then provide optimized packet processing at very high speeds.

The HPE VAN SDN Controller is the central building block of the HPE SDN ecosystem and creates a platform for application development.

10 Introduction

The HPE SDN ecosystem includes the following:

• Infrastructure. The infrastructure layer is made up of network devices, typically but not exclusively routers and switches. The devices are OpenFlow-enabled. An OpenFlow switch consists of one or more flow tables and a group table, which perform packet lookups and forwarding and provide an OpenFlow channel to the HPE VAN SDN Controller. The switch communicates with the controller and the controller manages the switch via the OpenFlow protocol. Hewlett Packard Enterprise has more than 50 switch models that are OpenFlow-enabled.

• Control. HPE VAN SDN Controller provides centralized control and automation for an SDN network. The controller controls policy and forwarding decisions, which are communicated to the OpenFlow-enabled switches in the data center or campus network. A variety of Hewlett Packard Enterprise and third-party SDN applications can leverage the controller to automatically deliver the necessary business and network service levels.

• Applications. Hewlett Packard Enterprise and third-party SDN applications provide a true end-to-end service level for network performance, quality of service, and security, which can be tuned to an applications’ needs. For example, SDN applications can inspect flows, or perform other network control functions via the HPE VAN SDN Controller. Hewlett Packard Enterprise SDN applications include: HPE Network Protector SDN Application, HPE Network Optimizer SDN Application and HPE Network Visualizer SDN Application.

The extensibility and open APIs of the HPE VAN SDN Controller allows new applications to be created that make requests of the underlying network, without the need to physically uproot or re-configure the underlying infrastructure. Northbound APIs utilize the REST architecture and provide easy access to applications that are integrated directly in the controller or off the controller. Native APIs, provided in Java, deliver support to Network Control applications that are integrated directly in the controller.

• Management. The HPE Intelligent Management Center (IMC) VAN SDN Manager software integrates with HPE IMC to provide administrators with a single interface to manage both the traditional network and the SDN. The IMC VAN SDN Manager Software monitors and manages all three layers of the SDN architecture: infrastructure, control, and application, providing comprehensive management—including fault, configuration, accounting, monitoring, and security for the controller and OpenFlow infrastructure. IMC provides full controller application life cycle management and monitoring, reporting of network service status and OpenFlow-related information, and SDN network visualization.

In addition, the HPE VAN SDN Controller provides REST and Java APIs that enable applications to interact with the controller to receive alerts, to get information about the network, devices, and controller, and to perform various network management tasks.

The HPE SDN ecosystem 11

SDN Controller applications and the App Store

The HPE VAN SDN Controller includes a default set of core network service applications that are installed as modules with the controller. These embedded applications provide services such as authentication, data persistence, logging and alerts. For details, see “Understanding the

controller architecture” (page 14).

The HPE VAN SDN Controller also provides a platform for developing and deploying SDN applications. Several applications have been developed by Hewlett Packard Enterprise including HPE Network Protector SDN Application, HPE Network Optimizer SDN Application, and HPE Network Visualizer SDN Application. There are also SDN applications developed by third-party partners. In addition, you can develop your own SDN applications.

Hewlett Packard Enterprise’s SDN applications as well as third-party SDN applications are available through the Hewlett Packard Enterprise SDN App Store. Access the App Store at www.hpe.com/networking/sdnappstore.

The HPE VAN SDN Controller includes an SDK providing the tools needed to develop applications for the controller. The SDK includes documentation for both the Java and REST APIs as well as all of the jar files necessary during compilation. A sample application is also included along with API specifications. For details on how to develop applications for the controller, see the HPE VAN SDN Controller Programming Guide.

Hewlett Packard Enterprise offers an SDN developer community, as well as forums, events, and other services, to help developers and partners build and sell SDN applications.

Hewlett Packard Enterprise SDN information library

The following information is provided for the HPE VAN SDN Controller:

• HPE VAN SDN Controller Release Notes

• HPE VAN SDN Controller Installation Guide

• HPE VAN SDN Controller Administrator Guide

• HPE VAN SDN Controller and Applications Support Matrix

• HPE VAN SDN Controller Programming Guide

• HPE VAN SDN Controller REST API Reference

• HPE VAN SDN Controller Troubleshooting Guide

• HPE VAN SDN Controller Open Source and Third-Party Software License Agreements

The most recent versions of these documents are in the Hewlett Packard Enterprise SDN information library at the following website: www.hpe.com/info/sdn/infolib.

Supported switches and OpenFlow compatibility

For information about supported network switches, OpenFlow versions, and switch configuration requirements, see the HPE VAN SDN Controller and Applications Support Matrix.

CAUTION: OpenFlow switches in a controller domain should not be connected in a loop topology with switches outside the domain. Allowing such connections can create broadcast loops inside the OpenFlow network. For more on packet-forwarding decisions, see “Hybrid mode

for controlling packet forwarding” (page 80).

OpenFlow requirements

The controller must be connected to a network that includes one or more switches configured to run OpenFlow. Hewlett Packard Enterprise recommends that you plan and implement the switch OpenFlow configurations before connecting the controller to the network.

12 Introduction

NOTE: OpenFlow switches in the network must be configured to allow control by the HPE VAN SDN Controller. In a controller domain, including a switch that does not support OpenFlow or allow control by another HPE VAN SDN Controller creates separate clusters of OpenFlow networks.

NOTE: Running the OpenFlow control mode on a specified switch VLAN disrupts the traffic on that VLAN until the controller configures the required flow rules in the switch using the OpenFlow controller API. You should create a separate VLAN for an OpenFlow control plane. For information on configuring OpenFlow, see the latest OpenFlow Administration Guide for your switch.

IPv6 traffic

IPv6 traffic running in the data plane of an OpenFlow network is supported when the controller is operating with hybrid mode set to “true” (the default). In this state the controller is not aware of the IPv6 traffic. However, with hybrid mode set to false (all packets sent to the controller), the controller drops IPv6 packets, and they do not reach their destinations.

Supported switches and OpenFlow compatibility 13

2 Understanding the controller architecture

The HPE VAN SDN Controller software is built upon a Linux OS, Java 1.8, and OSGI (Virgo stack and Equinox framework) and uses an Apache Cassandra distributed post-relational database.

Keystone is an external service that provides authentication and high level authorization services. It supports token-based authentication

REST API and GUI framework are used by SDN application developers for building applications (RESTful web services and web based UIs).

Figure 1 HPE VAN SDN Controller software stack

The following gives a short description of the controller components:

• The controller Application Manager enables installing, upgrading, enabling (starting), disabling (stopping), and uninstalling SDN applications on the controller.

• The Audit Log records events related to activities, operations, and configuration changes initiated by an authorized user. The Audit Log is managed by the controller Audit Log service.

• The Alert Log records information about events that affect controller operation, and in some cases indicate that some action is needed to correct a condition. Alerts are managed by the controller Alert service.

• Client Mapper Service combines information known about a network client by the controller, such as host IP address, host MAC addresses, and the connected datapath and port, with information about the network client known by an outside policy manager, such as the Aruba ClearPass policy manager, to provide information about network clients, including user information, device information, and location information. This information is available via the REST API only.

• The controller uses the embedded applications Topology Manager and Topology Viewer to collect and display information about the OpenFlow network.

• The controller provides a framework to back up and restore controller and application state in a backup file. The backup file can be copied and stored for later use. The stored backup file can be uploaded to the controller.

14 Understanding the controller architecture

• The Distributed Coordination Framework is one of the high-availability features of the controller. It provides the infrastructure for controller-to-controller communication and coordination of state information for controllers in a controller team.

• The controller can be configured in a team. The teaming services of the controller keep the runtime state of each controller in the team (active, unreachable, or suspended) up to date and is used by other parts of the controller for functions related to high-availability.

• The Device Drivers model the capabilities of the devices and provide APIs for interacting with different device types.

• The controller uses the embedded applications OpenFlow Link Discovery and OpenFlow Node Discovery to discover information about the OpenFlow network.

• The OpenFlow controller (also called the core controller) handles the connections from OpenFlow devices and provides the means for upper layers of software to interact with those devices.

The HPE VAN SDN Controller includes a default set of core network service applications that are installed with the controller (see “List of controller embedded applications” (page 15).

List of controller embedded applications

The HPE VAN SDN Controller includes a default set of core network service applications that are installed as modules on the controller. The following applications are embedded in the controller and are installed when you install the controller:

• OpenFlow Link Discovery

• OpenFlow Node Discovery

• Path Daemon

• Path Diagnostics

• Topology Manager

• Topology Viewer

OpenFlow Link Discovery

The OpenFlow Link Discovery application is the default OpenFlow link supplier application that is installed with the controller. This application implements the com.hp.sdn.supplier.LinkSuppliersBroker interface and uses LinkSupplierService and LinkService APIs to create and maintain link information for OpenFlow datapaths that register with the controller.

The OpenFlow Link Discovery application pushes flow-mods to steal discovery packets, injects discovery packets to all ports on all datapaths, and discovers links on the controlled network by listening for PACKET_IN messages. It discovers two types of links:

• direct links

• multi-hop links

The OpenFlow Link Discovery application distinguishes the link type by injecting two packets to each port in an OpenFlow instance. These packets have the same Ethernet type (0x8999), but are sent to different destination MAC addresses.

The ControllerManager configuration specifies the hybrid mode that has one of the following values:

• hybrid.mode=true

The OpenFlow Link Discovery application installs a flow rule on every OpenFlow devices to steal these packets. Packets that match this flow rule are forwarded to the controller from

List of controller embedded applications 15

the OpenFlow instance and port where they were received. Using the origin information contained within the received packet, the controller derives the source and destination of the link that this packet traversed and records a link between the OpenFlow instances.

The link type is derived from the destination MAC address of the packet (direct or multi-hop). If a link is direct, it will be discovered as both direct and multi-hop from the reporting OpenFlow instance, but the type direct has precedence over the type multi-hop, so the link is recorded as direct.

• hybrid.mode=false

All packets are stolen to the controller by default. Therefore, the OpenFlow Link Discovery application does not push flow rules to devices.

A controller-generated link discovery packet:

• Uses a non-standard protocol, BDDP, which uses a payload format similar to LLDP.

• Is sent to either a link-local MAC address (to discover direct links) or a multicast MAC address

(to discover multihop links). The link-local MAC address is: 01:08:c2:00:00:0e

The multicast MAC address used for link discovery is: 01:1B:78:E9:7B:CD.

• Contains the source device and port that introduced the packet to the controlled network.

The OpenFlow Link Discovery application listens for PACKET_IN messages that contain the BDDP protocol. Each discovery packet has the source device ID embedded within its payload, and the destination device can be derived from the PACKET_IN message. This design enables the OpenFlow Link Discovery application to populate the link table with information it learns from such received packets.

NOTE: Because PACKET_IN messages that contain the BDDP protocol are for controller-generated link discovery packets, no corresponding PACKET_OUT is sent back to the device that sent the PACKET_IN.

The OpenFlow Link Discovery application also listens to device and interface events and registers with the ControllerService API to send OpenFlow packets to datapaths.

If the OpenFlowLinkDiscoveryComponent configuration has age.multihop.links=true, the OpenFlow Link Discovery application periodically injects discovery packets into the controlled network to refresh the multihop links. Any multihop links that are not refreshed at the interval configured for the multihop.poll.interval key are considered to be invalid and are removed from the link table. Additionally, network events such as a port going down or a device status change causes relevant links to be removed from the link table, and causes discovery packets to be sent to all datapaths that are in a ready state.

OpenFlow Node Discovery

The OpenFlow Node Discovery application is the default OpenFlow node supplier application that is installed with the controller. This application implements the com.hp.sdn.supplier.NodeSuppliersBroker interface and uses NodeSupplierService and NodeService APIs to create and maintain node information for OpenFlow datapaths that register with the controller.

If the ControllerManager configuration has hybrid.mode=false, all packets are implicitly stolen to the controller and processed by the OpenFlow Node Discovery application. If learn.ip=true, the node discovery application in this case uses ARP, DHP and IP packets to discover the hosts.

16 Understanding the controller architecture

If the ControllerManager configuration has hybrid.mode=true:

• The OpenFlow Node Discovery application pushes flow-mods to controlled devices that copy ARP packets or DHCP packets to the controller for processing and listens for PACKET_IN messages that contain the ARP or DHCP protocol.

By default in hybrid mode, IP packets are not sent to controller. Based upon the information supplied by these copied ARP, DHCP, and IP packets, and if learn.ip=true, the OpenFlow Node Discovery application registers as a node supplier and supplies updates to the node table. The controller administrator can configure the timeout value for nodes discovered by each protocol by setting the value of the age key of the configurable component for that protocol.

Only when learn.ip=true and some other application has pushed a flow that sends IP packets to controller. will the controller receive IP packets. By default, in hybrid mode, IP packets are not sent to controller.

The Node Manager does not update the node table for every PACKET_IN message it receives. Specifically, PACKET_IN messages are ignored if the connected port is identified by the Topology Manager as being part of the infrastructure.

NOTE: Because these PACKET_IN messages represent copies of packets that have already been forwarded by the controlled device, no corresponding PACKET_OUT is sent back to the device that sent the PACKET_IN.

• If the OfIpDiscoveryComponent configuration has learn.ip=true, the OpenFlow Node Discovery application also listens for PACKET_IN messages that contain the IP protocol, but does not explicitly push flow-mods to controlled devices that send IP packets because doing so would drastically reduce network performance by overwhelming the control plane.

Path Diagnostics

The Path Diagnostics application determines and verifies the path taken by trace packets from a source host to a destination host. The application finds an existing flow that matches the description of the trace packet, clones it with higher priority, and adds an additional action to instruct the selected switch to send this packet back to the controller for status tally.

The Path Diagnostics application is available when the ControllerManager configuration has hybrid.mode=false only.

Path Daemon

Path Daemon is a path-paving application that listens for all ARP and IPv4 PACKET_IN messages and attempts to push flow-mods to datapaths along the forwarding path to ensure that such packets get forwarded at line-rate. Path Daemon operates only when the entire network is controlled by the controller (ControllerManager configuration has hybrid.mode=false and there are no uncontrolled devices). Each PACKET_IN message processed by Path Daemon results in a PACKET_OUT message and possibly a flow-mod getting pushed to one or more controlled devices.

By default, the Path Daemon application pushes flow-mods that attempt to forward traffic using MAC address and incoming port for ARP PACKET_IN messages, and using IPv4 address and incoming port for IPv4 PACKET_IN messages. These flow-mods are only pushed when the ControllerManager configuration has hybrid.mode=false. Specifically, the flow-mods will match all packets that enter a specific switch on a specific port and they will match only packets with the source MAC or IPv4 address and destination MAC or IPv4 address from the PACKET_IN message. Any packets that match the flow-mod will be forwarded by the switch to the most optimal destination port—determined by Path Daemon—for the packet to reach its intended destination.

Path Diagnostics 17

The Path Daemon application is responsible for pushing end-to-end flows for all ARP and IPv4 flow misses that arrive at the controller. By default, Path Daemon is responsible for Layer-2 forwarding only. This component depends on other network service components like the Node manager and the Path Selection manager.

Path Daemon does the following:

• Registers with the controller as a Director. Directors are allowed to send a packet out.

• Registers for ARP packets and IPv4 packets.

• Uses the Node Manager to get the end hosts corresponding to the source and destination

MAC addresses and the datapaths to which these hosts are connected. It makes use of the Path Selection manager to get the end-to-end shortest path between the source and destination hosts. It makes use of the controller to push flows to the datapaths. The flowchart in Figure 2 provides more details of its operation.

• Path Daemon uses the following match fields when pushing a flow-mod. These match fields have been chosen so that the flow modules are pushed on hardware tables in both ProVision-based and Comware-based switches.

◦ Ether type: OFPXMT_OFB_ETH_TYPE

◦ Source MAC or IP address: OFPXMT_OFB_ETH_SRC or OFPXMT_OFB_IPV4_SRC

◦ Destination MAC or IP address: OFPXMT_OFB_ETH_DST or OFPXMT_OFB_IPV4_DST

◦ Input port: OFPXMT_OFB_IN_PORT

• Path Daemon also registers for Port Status Down messages. When such messages are received, Path Daemon removes all flows configured for the impacted port, thereby causing the PACKET_IN messages to again come to the controller.

Operational notes

The Path Daemon:

• Does not handle multicast or broadcast traffic

• Does not configure the reverse path along with the forward path

• Drops packets from sources that the controller has not learned

• Floods packets when their destinations are not known

• Does not support fast-failover

• Performance is topology-dependent, recommended for 100-200 node environments, and

can degrade when there is a larger number of nodes

18 Understanding the controller architecture

Figure 2 Path Daemon flowchart

Topology Manager

The Topology Manager provides topology information of the control domain. It also facilitates shortest path traversals through the control domain by computing low cost next-hops or link edge weight between any two datapaths in the control domain. Topology Manager creates the clusters and broadcast tree to avoid loops and broadcast storms. The Topology Manager:

• Indicates whether a connection point is part of Infrastructure or is connected to an end host

• Indicates whether ingress broadcast traffic can be allowed through a specified connection

point

Topology Manager 19

• Determines if a path exists between two datapaths

• Identifies the shortest path between two datapaths based on hop count or link edge weight

• Provides enumeration of the grouping of datapaths into clusters of strongly connected nodes

• For a given datapath, provides information about the cluster to which the datapath belongs

• Provides information about number of datapaths, number of links, and number of clusters

in the current topology

The Topology Manager provides notifications to subscribed applications about changes in its broadcast tree and cluster. Applications that subscribe to these notifications can use the information to respond to changes in topology.

Topology Viewer

The Topology Viewer application creates and updates a network graph for visualizing the network the controller discovers. In the UI, this graph is displayed in on the OpenFlow Topology screen.

The Topology Viewer uses the services of the Topology Manager and the Link Manager.

20 Understanding the controller architecture

3 Using the SDN controller UI

The SDN controller provides a console UI you can use as follows:

• View information such as alerts and logs and view OpenFlow information such as data flow details, topology of discovered switches and end nodes including shortest path and view OpenFlow classes that applications have registered.

• Perform actions such as acknowledging an alert, adding or enabling an application, exporting log data and entering licensing information.

• Configure SDN controller components such as setting key values for alert policies.

The SDN controller also provides REST APIs you can use to program or configure the controller and develop applications to run on the controller. For details on how to use the REST APIs and how to develop applications, see the HPE VAN SDN Controller Programming Guide and HPE VAN SDN Controller REST API Reference.

This chapter includes details on the following:

“Licenses” (page 52)“Starting the SDN controller console UI”

“Team” (page 53)“About the user interface” (page 22)

“Support logs” (page 53)“SDN User window” (page 23)

“Packet listeners” (page 56)“Navigation menu” (page 25)

Starting the SDN controller console UI

Access the SDN controller from a Chrome or Firefox supported browser. A message will be displayed indicating if you are using an unsupported browser such as Internet Explorer.

1. Using a supported browser, access the controller UI:

https://<SDN_Controller_Address>:8443

Where <SDN_Controller_Address> is the IP address for your controller. The URI is case sensitive.

For example: https://192.0.2.1:8443

2. Enter the User Name and Password credentials, then select Login.

For Example: Default user name: sdn

Default password:skyline

“OpenFlow Monitor” (page 58)“Alerts” (page 27)

“OpenFlow topology ” (page 61)“Applications” (page 32)

“OpenFlow Trace log” (page 69)“Configuration components” (page 38)

“OpenFlow Classes ” (page 75)“Audit log” (page 49)

Starting the SDN controller console UI 21

3. Once you log in, the main controller screen is displayed. For more information about the controller console UI, see “About the user interface” (page 22).

The Keystone default timeout is 1 hour. If it is more than 1 hour since you logged in a message indicating that the session has expired is displayed. You must reload the page and log in again. For details on changing the Keystone timeout value, see “Session expired message in the UI”

(page 156).

Default domain name, user name, and password

Default domain name: sdn

Default user name: sdn

Default password: skyline

About the user interface

NOTE: Descriptions for common areas, icons, and controls on the UI screen are listed after the image.

Figure 3 Screen areas and menus

22 Using the SDN controller UI

Banner: Identifies the user interface. Contains the alert notification counter and links to the navigation menu, alert information, and the SDN User window.

Alert notification counter: Displays the current number of active alerts. Clicking this icon displays the Alerts as of Today window box.

SDN User window: Enables you to log out

of the controller, link to external websites, change the theme for the controller, and identify the version of controller software currently in use.

4 8

Navigation menu: The primary menu for

navigating to controller and application

Navigation tree: Used to select the controller

or application screen to display in the details pane. General is the controller navigation tree. Navigation trees for installed applications are displayed below or to the right of the General navigation tree.

Details pane: Displays the detailed interface for the controller or application resource selected in the Navigation menu. When the controller starts, it displays the Alerts screen.

Pagination control: Can appear on screens that have lists of items. Use these controls to view the listings page by page. Listing control: Can appear on screens that

have lists of items. Use these controls to resources. Contains the controller navigation select the number of items to display in a tree, labeled General, and can contain single view. The Auto option displays all additional navigation trees for installed items in a single screen. For listings applications that integrate with the controller exceeding the length of the screen, you can UI. Can be displayed as a pane (as shown) use the scroll bar on the right side of the

screen.or as a window that overlays the controller screen (see “Expanding or collapsing the

navigation menu” (page 25)).

Banner

DescriptionScreen component

SDN Controller

Expands or collapses the “navigation menu” (page 25) as an overlay window.

Expands or collapses the controller “Alerts as of today” (page 29) window.

The number next to the icon is the “alert notification counter” (page 29), which provides a count of the current active alerts.

Expands or collapses the “SDN User” (page 23) window.

Changing column widths

To change the column widths, drag the column head borders. For example:

• To narrow the Severity column width, click the border to the left of Date/Time and drag it to the left.

• To change the width of the navigation menu pane, click and drag the divider between the menu pane and the details pane.

SDN User window

The SDN User window displays as an overlay on the controller screen. See also:

• “Changing the SDN user password” (page 24)

• “Changing the background and text colors” (page 25)

• “Expanding the SDN user window” (page 25)

SDN User window 23

• “Collapsing the SDN user window” (page 25)

• “Logging out of the controller” (page 25)

User window screen details

Figure 4 SDN user window

DescriptionScreen component

Logs the user out of the controller.Log out

Password

Change the SDN user password.Change SDN User

Links to websites outside of the controller:Links:

SDN Information Library

Links to the information library on the Hewlett Packard Enterprise Software-Defined Networking website. The Hewlett Packard Enterprise Information Library for SDN provides links to the technical documentation for the HPE VAN SDN Controller and the HP SDN applications. The Hewlett Packard Enterprise Software-Defined Networking website provides fact sheets, case studies, white papers, product summaries, technical and business documentation, and other information to help you identify SDN solutions for your business needs.

SDN Community

Links to the Hewlett Packard Enterprise SDN community discussion forum website within the HP Enterprise Business Community. This site offers resources such as:

• SDN discussion boards

• SDN development information

• An SDN knowledge base

Changes the theme for the controller UI:Set Theme:

Day

When selected, plain text is black and the background is white.

Night

When selected, plain text is white and the background is black.

Displays the version of the controller software that is running on this system.SDN Controller

Version:

Collapses the window.

Changing the SDN user password

To change the SDN user password:

1. Expand the SDN User window.

24 Using the SDN controller UI

2. Select Change SDN User Password.

3. In the Change SDN User Password dialog box, enter the Old Password, New Password, and Re-enter New Password and click Apply. Or click Cancel to exit without changing the password.

The SDN user password you can change on this screen is the Keystone user password not the HPE Linux operating system password.

Changing the background and text colors

The background and text colors are part of the theme of the controller UI. To change the theme:

1. Expand the SDN User window.

2. In Set Theme:, select one of the following options:

• Day

• Night

Expanding the SDN user window

To expand the SDN User window, from the top banner, click .

Collapsing the SDN user window

To collapse the SDN User window, do one of the following:

• In the SDN User window, click .

• From the top banner, click .

Logging out of the controller

To log out of the controller UI:

• From the SDN User window, select Log out.

Alerts

About alerts

Alerts give notification of events that affect controller operation, and in some cases indicate that some action is needed to correct a condition.

When controllers are operating in a team, alerts generated by any team member are visible in the Alerts screen for all active team members.

By default, alerts are in an unacknowledged, active state. An alert must be in an active state to appear in the following places:

Displays the OpenFlow Trace screen. OpenFlow conversations are captured in messages to and from the controller and the OpenFlow devices it manages and displayed on this screen. For more information, see “OpenFlow Trace log” (page 69).

Displays the OpenFlow Classes screen. This screen shows the OpenFlow classes that applications have registered with the controller. For more information, see “OpenFlow

Classes ” (page 75).

Displays the Packet Listeners screen. This screen displays details on the packet listeners that are currently running on the controllers. For more information, see “Packet listeners”

(page 56).

May include additional navigation trees for installed applications that integrate with the controller UI.

• The alert notification counter

• The Alerts as of today window

Alerts screen details

Figure 5 Example of global alerts screen

Refresh

Acknowledge

Severity

DescriptionScreen component

Updates the alerts displayed on the screen. The controller does not update the display as new alerts are generated. Use this action to refresh the display.

Changes the selected alert to an acknowledged state. The controller displays the alert in gray text. Use this action to indicate that you have read the alert.

Changes the selected alert to an active, unacknowledged state.UnAcknowledge

Indicates the state of the alert:Alert text color

• The controller displays active, unacknowledged alerts the alert in the text color corresponding to the controller theme. For example, when the controller theme is daylight, the active alerts appear in black text.

• The controller displays the selected alert in blue text. Click an alert to select it.

• The controller displays acknowledged alerts in gray text.

Indicates the severity of the alert.

DescriptionIcon

Informational

Warning

Critical

28 Using the SDN controller UI

Indicates the date and time the alert was generated.Date/Time

Describes the alert in human readable text.Description

Indicates which component or application generated the alert.Origin

DescriptionScreen component

Topic

Controller ID

Indicates the category for this alert. Multiple origins can contribute alerts to the same topic.

Identifies the controller that generated the alert. The controller is represented as a hexadecimal number. When you use controller teaming, this ID enables you to identify which controller in the team generated the alert.

Viewing the alert notification counter

The alert notification counter is displayed in the top banner and appears on all controller screens. This counter indicates the number of active alerts:

• The controller increments this counter when each new alert occurs.

• The controller decrements this counter when you acknowledge an alert or when the controller

deletes an alert according to the alert policies set for aging out alerts (for details see,

“Configuring how alerts age out” (page 31).

Figure 6 Alert notification counter

Viewing the ten most severe recent active alerts

To display a summary of up to 10 alerts ranked by severity (highest to lowest) and then by date and time (newest to oldest):

• In the top banner, click . The Alerts as of today window is displayed.

Alerts 29

Figure 7 Example of the Alerts as of today window

To close the window, do one of the following:

• To close the window and display the Alerts screen, click All.

• At the bottom of the window, click the collapse icon ( ).

• In the top banner, click either the alert counter number or .

Acknowledging an alert

To acknowledge an alert from the Alerts as of today window:

1. Click the alert to select it.

2. Click Acknowledge. The controller removes the alert from the Alerts as of today window, displays the alert in

gray text on the Alerts screen, and decrements the alert notification counter by one.

To acknowledge an alert from the Alerts screen:

1. Click the alert to select it.

2. Click Acknowledge. The controller displays the alert in gray text on the Alerts screen, and decrements the alert

notification counter by one.

Deleting an alert

You can acknowledge an individual alert, but you cannot clear or delete the alert. The controller deletes alerts according to the configured alert age-out policy. To configure the

age-out policy, see “Configuring how alerts age out” (page 31)

30 Using the SDN controller UI

+ 201 hidden pages

HP E VAN SDN Controller 2.7 Administrator's Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

HPE VAN SDN Controller 2.7 Administrator Guide

Contents

1 Introduction

About the HPE VAN SDN Controller

The HPE SDN ecosystem

SDN Controller applications and the App Store

Hewlett Packard Enterprise SDN information library

Supported switches and OpenFlow compatibility

OpenFlow requirements

IPv6 traffic

2 Understanding the controller architecture

List of controller embedded applications

OpenFlow Link Discovery

OpenFlow Node Discovery

Path Diagnostics

Path Daemon

Topology Manager

Topology Viewer

3 Using the SDN controller UI

Starting the SDN controller console UI

Default domain name, user name, and password

About the user interface

Banner

Changing column widths

SDN User window

User window screen details

Changing the SDN user password

Changing the background and text colors

Expanding the SDN user window

Collapsing the SDN user window

Logging out of the controller

Navigation menu

About the navigation menu

Expanding or collapsing the navigation menu

Navigation menu screen details

Alerts

About alerts

Alerts screen details

Viewing the alert notification counter

Viewing the ten most severe recent active alerts

Acknowledging an alert

Deleting an alert