Table of Contents
HPE VAN SDN Controller 2.7
Administrator Guide
Abstract
This guide is intended for network administrators and support personnel involved in:
Configuring and managing HPE VAN SDN (Virtual Application Network Software-Defined Networking) Controller installations
Registering and activating HPE VAN SDN Controller licenses
Part Number: 5200-0907
Published: March 2016
Edition: 1

Summary of Contents for HP HPE VAN SDN Controller 2.7

  • Page 2 Open Source software projects. Therefore, the use of these materials by the HPE VAN SDN Controller is governed by different Open Source licenses. Refer to /opt/sdn/legal/HP-SDN-CONTROLLER-OPENSOURCE-LIST.pdf for a complete list of the materials used. Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise website.
  • Page 3: Table Of Contents

    Contents: 1 Introduction (10); About the HPE VAN SDN Controller (10); The HPE SDN ecosystem (10); SDN Controller applications and the App Store (12); Hewlett Packard Enterprise SDN information library (12); Supported switches and OpenFlow compatibility (12); OpenFlow requirements (12); IPv6 traffic (13); 2 Understanding the controller architecture (14); List of controller embedded applications (15); OpenFlow Link Discovery (15); OpenFlow Node Discovery (16)...
  • Page 4 Using configuration component keys (38); Configurations screen details (39); Basic Configurations view (40); Advanced Configurations view (41); System Configurations view (43); Apps Configurations view (45); Modifying a component configuration (45); Modifying NTP server or date and time (46); Modifying Network settings (47); Modifying Logger settings (48); Audit log (49); About the audit log (49); Audit log screen details (50); Deleting an audit log entry (50); Configuring how audit log data ages out (50)...
  • Page 5 Exporting the OpenFlow Trace log (72); Filtering the OpenFlow trace log in a CSV file (73); Changing the OpenFlow trace interval (74); OpenFlow Classes (75); About OpenFlow classes (75); OpenFlow Classes screen details (76); Controller enforcement levels for OpenFlow classes (78); Changing the enforcement levels for OpenFlow classes (78); 4 Hybrid mode for controlling packet forwarding (80); Overview (80); Learning more about hybrid mode (80)...
  • Page 6 7 Security (110); SDN Controller authentication (110); Changing the default controller keystore and truststore to use CA signed certificates (110); SDN Controller keystore and truststore locations and passwords (112); Encryption (112); Built-in OpenFlow controller (113); Creating a keystore and truststore for OpenFlow switch communication (113); Built-in OpenFlow controller keystore and truststore locations and passwords (113); REST authentication (114); OpenStack Keystone used for user and token management (115)...
  • Page 7 Restoring a controller from a backup (138); Distributed (team) backing up and restoring (140); Backing up and restoring the Keystone configuration and database (140); 10 Metrics (141); Viewing metric data (141); About metrics (141); How metric values are processed (141); Metric identifiers (142); Viewing the application IDs for applications that have persisted metrics to disk (143); Viewing the metrics persisted by a specific application (143); Metrics returned by the metrics/apps/app_id command (144); Viewing the primary tags for metrics persisted by an application (145)...
  • Page 8 Teaming framework does not run (163); Controller becomes suspended (163); Unable to create team (164); Controller and application data differs among controllers in a team (165); Application data is not synchronized after a controller rejoins the team (165); 12 Support and other resources (167); Accessing Hewlett Packard Enterprise Support (167); Accessing updates (167); Websites (167); Customer self repair (168)...
  • Page 9 Adding a device to a region using curl (193); Getting the configuration of all regions using curl (193); Getting the configuration of a specific region using curl (194); Determining whether or not a controller owns a specific device using curl (194); Getting the owning controller and devices for a region using curl (194); Getting the status of a specific region using curl (195); Getting the status of all regions using curl (196); Removing a device from a region using curl (198)...
  • Page 10: Introduction

    1 Introduction This document describes the configuration and management of the HPE VAN SDN Controller in standalone and team modes. About the HPE VAN SDN Controller The HPE VAN SDN Controller provides a unified control point in an OpenFlow-enabled network, simplifying management, provisioning, and orchestration and enabling delivery of a new generation of application-based network services.
  • Page 11 The HPE SDN ecosystem includes the following: Infrastructure. The infrastructure layer is made up of network devices, typically but not exclusively routers and switches. The devices are OpenFlow-enabled. An OpenFlow switch consists of one or more flow tables and a group table, which perform packet lookups and forwarding and provide an OpenFlow channel to the HPE VAN SDN Controller.
  • Page 12: Sdn Controller Applications And The App Store

    SDN Controller applications and the App Store The HPE VAN SDN Controller includes a default set of core network service applications that are installed as modules with the controller. These embedded applications provide services such as authentication, data persistence, logging and alerts. For details, see “Understanding the controller architecture”...
  • Page 13: Ipv6 Traffic

    NOTE: OpenFlow switches in the network must be configured to allow control by the HPE VAN SDN Controller. In a controller domain, including a switch that does not support OpenFlow or allow control by another HPE VAN SDN Controller creates separate clusters of OpenFlow networks.
  • Page 14: Understanding The Controller Architecture

    2 Understanding the controller architecture The HPE VAN SDN Controller software is built upon a Linux OS, Java 1.8, and OSGi (Virgo stack and Equinox framework) and uses an Apache Cassandra distributed post-relational database. Keystone is an external service that provides authentication and high-level authorization services. It supports token-based authentication. The REST API and GUI framework are used by SDN application developers for building applications (RESTful web services and web-based UIs).
  • Page 15: List Of Controller Embedded Applications

    The OpenFlow Link Discovery application is the default OpenFlow link supplier application that is installed with the controller. This application implements the com.hp.sdn.supplier.LinkSuppliersBroker interface and uses LinkSupplierService and LinkService APIs to create and maintain link information for OpenFlow datapaths that register with the controller.
  • Page 16: Openflow Node Discovery

    The OpenFlow Node Discovery application is the default OpenFlow node supplier application that is installed with the controller. This application implements the com.hp.sdn.supplier.NodeSuppliersBroker interface and uses NodeSupplierService and NodeService APIs to create and maintain node information for OpenFlow datapaths that register with the controller.
  • Page 17: Path Diagnostics

    If the ControllerManager configuration has hybrid.mode=true: The OpenFlow Node Discovery application pushes flow-mods to controlled devices that copy ARP packets or DHCP packets to the controller for processing and listens for PACKET_IN messages that contain the ARP or DHCP protocol. By default in hybrid mode, IP packets are not sent to the controller.
  • Page 18 The Path Daemon application is responsible for pushing end-to-end flows for all ARP and IPv4 flow misses that arrive at the controller. By default, Path Daemon is responsible for Layer-2 forwarding only. This component depends on other network service components like the Node manager and the Path Selection manager.
  • Page 19: Topology Manager

    Figure 2 Path Daemon flowchart Topology Manager The Topology Manager provides topology information of the control domain. It also facilitates shortest path traversals through the control domain by computing low cost next-hops or link edge weight between any two datapaths in the control domain. Topology Manager creates the clusters and broadcast tree to avoid loops and broadcast storms.
  • Page 20: Topology Viewer

    Determines if a path exists between two datapaths Identifies the shortest path between two datapaths based on hop count or link edge weight Provides enumeration of the grouping of datapaths into clusters of strongly connected nodes For a given datapath, provides information about the cluster to which the datapath belongs Provides information about number of datapaths, number of links, and number of clusters in the current topology The Topology Manager provides notifications to subscribed applications about changes in its...
  • Page 21: Using The Sdn Controller Ui

    3 Using the SDN controller UI The SDN controller provides a console UI you can use as follows: View information such as alerts and logs and view OpenFlow information such as data flow details, topology of discovered switches and end nodes including shortest path and view OpenFlow classes that applications have registered.
  • Page 22: Default Domain Name, User Name, And Password

    Once you log in, the main controller screen is displayed. For more information about the controller console UI, see “About the user interface” (page 22). The Keystone default timeout is 1 hour. If it is more than 1 hour since you logged in, a message indicating that the session has expired is displayed.
  • Page 23: Banner

    Banner: Identifies the user interface. Contains the alert notification counter and links to the navigation menu, alert information, and the SDN User window. Navigation tree: Used to select the controller or application screen to display in the details pane. General is the controller navigation tree.
  • Page 24: User Window Screen Details

    Links to the information library on the Hewlett Packard Enterprise Software-Defined Networking website. The Hewlett Packard Enterprise Information Library for SDN provides links to the technical documentation for the HPE VAN SDN Controller and the HP SDN applications. The Hewlett Packard Enterprise Software-Defined Networking website provides fact sheets, case studies, white papers, product summaries, technical and business documentation, and other information to help you identify SDN solutions for your business needs.
  • Page 25: Changing The Background And Text Colors

    Select Change SDN User Password. In the Change SDN User Password dialog box, enter the Old Password, New Password, and Re-enter New Password and click Apply. Or click Cancel to exit without changing the password. The SDN user password you can change on this screen is the Keystone user password not the HPE Linux operating system password.
  • Page 26: Navigation Menu Screen Details

    Expanding or collapsing the navigation menu as an overlay window To display the navigation menu as an overlay window, from the top banner of the controller screen, click To collapse the navigation window, do one of the following: In the window, click From the top banner, click HPE VAN SDN Controller.
  • Page 27: Alerts

    Screen component Description OpenFlow Trace Displays the OpenFlow Trace screen. OpenFlow conversations are captured in messages to and from the controller and the OpenFlow devices it manages and displayed on this screen. For more information, see “OpenFlow Trace log” (page 69).
  • Page 28: Alerts Screen Details

    Alerts screen details Figure 5 Example of global alerts screen Screen component Description Refresh Updates the alerts displayed on the screen. The controller does not update the display as new alerts are generated. Use this action to refresh the display. Acknowledge Changes the selected alert to an acknowledged state.
  • Page 29: Viewing The Alert Notification Counter

    Screen component Description Topic Indicates the category for this alert. Multiple origins can contribute alerts to the same topic. Controller ID Identifies the controller that generated the alert. The controller is represented as a hexadecimal number. When you use controller teaming, this ID enables you to identify which controller in the team generated the alert.
  • Page 30: Acknowledging An Alert

    Figure 7 Example of the Alerts as of today window To close the window, do one of the following: To close the window and display the Alerts screen, click All. At the bottom of the window, click the collapse icon ( In the top banner, click either the alert counter number or Acknowledging an alert To acknowledge an alert from the Alerts as of today window:...
  • Page 31: Configuring How Alerts Age Out

    Configuring how alerts age out You can configure the following key values for alerts to control how alert data ages out. To set these key values you configure the com.hp.sdn.adm.alert.impl.AlertManager component using the Configurations screen. Description trim.alert.age Specifies the number of days an alert remains in persistent storage and remains displayed on the Alerts screen.
  • Page 32: Applications

    Click Modify. The Modify System Configuration dialog box is displayed for the com.hp.sdn.adm.alert.impl.AlertManager component. Change the values for the keys. Click Apply. Applications About the application manager The Application Manager is a component on the controller that supports default and add-on network services, and enables installing, upgrading, enabling (starting), disabling (stopping), and uninstalling SDN applications.
  • Page 33: Applications Screen Details

    Applications screen details Figure 9 Applications screen details Screen component Description Refresh Reloads the view. Installs an application on the controller. Upgrade Installs an upgrade to an application that has already been installed on the controller. Uninstall Removes an application from the controller. Enable Starts or allows an application to continue operations on the controller.
  • Page 34: Obtaining Applications From The Hewlett Packard Enterprise Sdn App Store

    Screen component Description State The most common states are active, staged and disabled. AppStore Purchased Applications The name and version number of SDN applications purchased from the Hewlett Packard Enterprise SDN App Store. Launch AppStore Launches the Hewlett Packard Enterprise SDN App Store website. Obtaining applications from the Hewlett Packard Enterprise SDN App Store From the App Store, you can purchase and download applications for your controller.
  • Page 35: Disabling (Stopping) Or Enabling (Starting) An Application

    Click Deploy. The new application then appears by name on the Applications screen as ACTIVE. Disabling (stopping) or enabling (starting) an application This procedure temporarily stops an active application from servicing requests, but retains the application on the system. The application remains present on the system and can be restarted when needed.
  • Page 36: Uninstalling An Application

    Click the Enable button to activate the application. The application starts or resumes operation and the application state is changed to ACTIVE. Uninstalling an application This procedure completely removes an application from the controller. To later restore the removed application, see Adding or upgrading an application.
  • Page 37 Table 1 Application States (continued) State Description UPGRADING A transitive state indicating the existing application is being stopped and a new version of the application is being installed. CANCELING A transitive state indicating a non-installed version of an application is being deleted from the controller.
  • Page 38: Configuration Components

    Figure 10 Links to OSGi artifacts associated with individual applications Configuration components The Configurations screen enables access to the configurable components in the controller which are used to manage the controller and application features. Some examples of when you might want to make configuration changes include: Specify an NTP server or date and time on the controller system using the NTP component or specify a static IP address using the Network component.
  • Page 39: Configurations Screen Details

    NTP components, and the REST API for Logger configuration can only be done for each individual module (such as hp.sdn.event) not groups of modules. CAUTION: Inappropriate changes to key values can result in severely degraded system performance. For this reason, Hewlett Packard Enterprise strongly recommends that managing the default key values be done only by experienced network administrators and programmers who have a strong understanding of SDN controller systems.
  • Page 40: Basic Configurations View

    Basic Configurations view Figure 11 Basic Configurations view Components in the Basic configurations tab com.hp.sdn.ctl.of.impl.ControllerManager The ControllerManager component provides parameters used in the implementation of the OpenFlow protocol. You can configure parameters such as hybrid.mode, keystore, keystore.password, truststore, truststore.password. com.hp.sdn.ctl.of.impl.TraceManager The TraceManager controls OpenFlow trace duration.
  • Page 41: Advanced Configurations View

    The OpenFlow ARP discovery component of the OpenFlow Node Discovery application is used for topology host discovery via ARP protocol. ◦ Use the arp.age key to configure the node timeout values. ◦ The listener.altitude key changes the altitude of the OfArpDiscoveryComponent component.
  • Page 42 Components in the Advanced Configurations view. com.hp.sdn.adm.mgr.impl.hpws.HpwsInstallManager The HpwsInstallManager component provides a service for installing applications from the Hewlett Packard Enterprise SDN App Store, a remote web service. com.hp.sdn.api.impl.AlertPostManager The AlertPostManager component uses the HTTP(s) protocol to send alert data as a JSON string to registered alert topic listeners.
  • Page 43: System Configurations View

    Configure logging levels (ALL, TRACE, DEBUG, INFO, WARN, ERROR, OFF). For details, “Modifying Logger settings” (page 48). com.hp.sdn.adm.alert.impl.AlertManager The AlertManager component controls the quantity of alert data present on the system by periodically checking for alert data to be deleted based on the configured age-out policy.
  • Page 44 You must configure the autoShutdown.properties exactly as it is done in the sample file. The possible health statuses are critical, unhealthy, healthy, or hung. com.hp.sdn.adm.log.impl.LogManager The LogManager component controls the number of log message rows displayed in the Support Logs display. For more information on support log queue size, see “Configuring the...
  • Page 45: Apps Configurations View

    If you have other SDN applications installed, configurable components for these applications are listed in the Apps Configurations view. For example in the screen shown above the com.hp.mvisor.adm.topo.impl.NetworkVisualizerTopologyManager component for the HPE Network Visualizer SDN Application is listed in the Apps Configurations view.
  • Page 46: Modifying Ntp Server Or Date And Time

    Modifying NTP server or date and time You can configure one NTP server or set a specific date and time for the controller system. It is recommended that you use an NTP server rather than setting date and time because if you change network settings, the date/time will be reset to current date/time.
  • Page 47: Modifying Network Settings

    Do one of the following: To save your changes and close the dialog box, click Apply. You will be logged out and must log in again. To close the dialog box without saving changes, click Cancel. Click Yes in the confirmation window showing a message that you will be logged out of the UI and will need to log back in for authentication.
  • Page 48: Modifying Logger Settings

    Enter new values for Host Name, IP Address, Type, and other fields as required. No spaces are allowed in the Host Name field. If the controller is in a team, you must first disband the team before modifying the network settings. If you are configuring a static IP address, then you must enter values for the Gateway, Netmask, and Primary DNS fields; the Secondary DNS field is optional.
  • Page 49: Audit Log

    Enter new values for each of the keys you want to modify. Do one of the following: To save your changes and close the dialog box, click Apply. To close the dialog box without saving changes, click Cancel. Audit log About the audit log The audit log is available through both the controller GUI and the REST API, and records events related to activities, operations, and configuration changes initiated by an authorized user.
  • Page 50: Audit Log Screen Details

    Configuring how audit log data ages out You can configure the following key values for the audit log to control how audit log data ages out. To set these key values you configure the com.hp.sdn.adm.auditlog.impl.AuditLogManager component using the Configurations screen. Default Value Description Specifies the number of days to retain a log entry.
  • Page 51: Exporting And Archiving Audit Log Data

    24 hours (once per day). To configure how audit log data ages out: On the Configurations screen in the System tab, select the com.hp.sdn.adm.auditlog.impl.AuditLogManager component. Click Modify. The Modify System Configuration dialog box is displayed for the com.hp.sdn.adm.auditlog.impl.AuditLogManager component.
  • Page 52: Licenses

    Licenses A license is required for the controller. In addition, SDN applications can require licenses that are separate from the license for the controller. For information on installing, activating, uninstalling or transferring licenses, see “License Registration and Activation” (page 86). Licenses screen details The Licenses screen displays the controller Install ID, and is used to activate new licenses, and deactivate installed licenses (for transfer to another installation).
  • Page 53: Installing, Activating, Uninstalling, Or Transferring Licenses

    Screen component Description Expire By Date and time when the license Licensed For expires. Uninstall Key When a license is deactivated, an uninstall key is assigned for license transfer purposes, see “Transferring licenses” (page 93). Installing, activating, uninstalling, or transferring licenses For information about installing, activating, uninstalling, and transferring licenses, see “License Registration and Activation”...
  • Page 54: Support Logs Screen Details

    When the log file has rolled over four times, the controller purges the oldest log file when it needs to roll over again. The core controller has at most 5 log files. Support logs can be exported to a file. In a controller team environment: Each controller maintains its own support logs.
  • Page 55: Configuring The Support Log Queue Size

    Configuring the support log queue size The default queue size is 100 lines. To configure a different queue size, change the value for the max.display.rows key of the com.hp.sdn.adm.log.impl.LogManager component. On the Configurations screen in the System tab, select the com.hp.sdn.adm.log.impl.LogManager component.
  • Page 56: Exporting The Support Logs

    Figure 19 The LogManager Configuration Component Controls Support Log queue size Exporting the support logs The Export operation: Gathers the set of support log file data from the controller, or in a team environment, all active controllers in the team, and stores the data as a single compressed archive file: sdn-all-logs.zip Downloads the archive file from the controller to the default download directory specified by your browser.
  • Page 57: Packet Listeners Display Details

    Packet listeners display details The packet listeners screen displays the packet listeners that are currently running on the controller. Figure 21 Selecting the Packet listeners screen Screen component Description Refresh Refreshes the information on the screen. PacketListener Role The PacketListener Role is one of the following: ADVISOR Examines the incoming packet.
  • Page 58: Openflow Monitor

    OpenFlow Monitor The SDN controller UI includes several screens providing information on OpenFlow enabled switches: “OpenFlow Monitor” (page 58) “OpenFlow topology ” (page 61) “OpenFlow Trace log” (page 69) “OpenFlow Classes ” (page 75) When the controller is active in an OpenFlow domain, the OpenFlow Monitor enables tracking of switch traffic summaries, packet traffic per port, and applied flow rules for switches detected in the controller domain.
  • Page 59: Summary For Data Path View

    Screen component Description Data Path ID Identifies a detected OpenFlow switch. The OpenFlow data path identification for each detected OpenFlow switch. This ID also appears in the representation of the switch in the OpenFlow Topology screen. Address Identifies the IP address associated with an OpenFlow data path instance. Negotiated Version The version of OpenFlow in use with the corresponding data path.
  • Page 60: Ports For Data Path View

    Ports for data path view The OpenFlow Monitor→Ports view includes information on the ports used for OpenFlow traffic on the selected device. Figure 24 Ports view for a specific OpenFlow device Flows for data path view The OpenFlow Monitor→Flows view shows current flows on the selected OpenFlow device. For a given flow, traffic meeting the requirements specified in the "Matches"...
  • Page 61: Groups For Data Path View

    Groups for data path view The OpenFlow Monitor→Groups view provides information on group actions, if any, defined for the device. The group actions can assign more specific forwarding actions. Figure 26 Groups view for a specific OpenFlow device OpenFlow topology The OpenFlow Topology screen displays a topology of discovered switches and end nodes in the controller domain.
  • Page 62: Displaying The Network Topology

    “Viewing the shortest path between two nodes ” (page 68) “Viewing flow details for selected nodes” (page 69) “Viewing details on packet selection criteria for a data flow” (page 69) Displaying the network Topology The OpenFlow Topology screen includes the switches and end-nodes in the controller domain. Figure 27 Topology viewer The topology legend is shown in the top right corner: Switch —...
  • Page 63: Changing Switch And Host Node Labeling

    Figure 28 Keyboard shortcuts See also: “Changing switch and host node labeling” (page 63) “Using the mouse to change the topology display” (page 65) “Viewing node tooltips” (page 65) Changing switch and host node labeling You can change how nodes are labeled in the topology using keyboard shortcuts. To turn on or off ALL node labels, enter the keyboard shortcut L.
  • Page 64 Host end-nodes can be labelled with one of the following: IP Address (default) MAC Address No Label To change the switch node labeling in the topology, enter the keyboard shortcut N and the display will cycle through the different switch labels each time you enter N. Switches can be labelled with one of the following: System name (default, if the switch does not contain a system name then IP address is shown instead)
  • Page 65: Using The Mouse To Change The Topology Display

    And press N again to return to the System Name switch labels. Using the mouse to change the topology display Zoom in or out in the topology by using the scroll wheel on the mouse. To drag the topology to a desired location, place the cursor in the topology and hold the mouse button down while dragging to move the topology.
  • Page 66: Using Search

    Using Search You can search the topology based on various criteria by using one of the following methods. Search using View→Search. Or press the F shortcut key to open the Search dialog box. This search is based on any ONE of the following criteria: Switch IP, Datapath ID, Host IP or Host MAC.
  • Page 67: Viewing Port Labels On Switches

    Enter the value you want to search on in the Search(regex) field located in the top right of the topology view. You can enter a regular expression for more complex searches. For an exact match, $ should be appended at the end. For example, if there are IP addresses like 10.10.10.10, 10.10.10.100, 10.10.10.101, 10.10.10.102, etc.
  • Page 68: Viewing The Shortest Path Between Two Nodes

    Collapse All Collapse the topology display to show only the number of end nodes connected to each switch, instead of showing all end nodes (the default) which can present a cluttered display where a large number of end nodes are connected to the OpenFlow switches. To collapse or expand end-nodes for a particular switch, double-click the selected switch.
  • Page 69: Highlight Flow

    Highlight flow The Highlight option is enabled only when a path is selected (either Shortest Path or in Follow Flow mode). Highlight path is cleared when you toggle between Shortest Path and Follow Flow. For example, if you select Highlight path with Shortest Path enabled and then select Follow Flow, the Highlight path is cleared and you must select Highlight path again for Follow Flow.
  • Page 70: About The Openflow Trace Log

    About the OpenFlow Trace log The number of events that can be held in the trace log is limited by system memory. For this reason, Hewlett Packard Enterprise recommends that you export to a remote storage location any trace log content you want to retain, and to clear the controller trace log whenever its content is not needed on the controller itself.
  • Page 71: Starting, Stopping, Or Clearing Openflow Trace

    Screen component Description Export Copies the trace log into a CSV (comma-separated values) file. See “Exporting the OpenFlow Trace log” (page 72). Time The time the message event was generated. Event The event type. For example: CkPt Indicates a check point in the trace log, such as the starting or stopping of a trace operation.
  • Page 72: Exporting The Openflow Trace Log

    Figure 37 Displaying event details To close the Event Detail window, click Close. Exporting the OpenFlow Trace log Exporting an OpenFlow Trace Log places the trace content in a CSV file that is stored in the default downloads folder specified in your web browser settings. For more information about CSV files, see RFC 4180.
  • Page 73: Filtering The Openflow Trace Log In A Csv File

    Filtering the OpenFlow trace log in a CSV file Open the CSV file in the default folder. For example, using Google Chrome, open the menu adjacent to the file name (of-trace.csv) and select Show in folder. Figure 38 Accessing the stored CSV file In the resulting folder listing, locate the of-trace.csv file and open it using an application, such as Microsoft Excel, that enables you to read the log messages and configure a filter.
  • Page 74: Changing The Openflow Trace Interval

    Changing the OpenFlow trace interval The default trace interval is ten seconds. To change the interval, change the value for the record.duration key of the com.hp.sdn.ctl.of.impl.TraceManager component: From the navigation menu, select Configurations. Then select the Basic tab. Select the com.hp.sdn.ctl.of.impl.TraceManager component.
  • Page 75: Openflow Classes

    Click Modify. The Modify Basic Configuration dialog box is displayed for the com.hp.sdn.ctl.of.impl.TraceManager component. Change the value for the record.duration key. Click Apply to set the new time span for active trace recording, and return to the OpenFlow Trace screen.
  • Page 76: Openflow Classes Screen Details

    priority, the application sets the logical priority as assigned by the flow class, and a cookie that is derived from the base cookie of the OpenFlow class. Before sending the flow table modification message to the switch, the controller evaluates the requested flow modification against the registered OpenFlow classes and replaces the logical priority provided by the application with an actual priority.
  • Page 77 Figure 44 Example of OpenFlow classes screen Screen component Description Refresh Refreshes the list. Flow Class ID The symbolic name for the flow class. The prefix identifies the application that registered the class; the suffix uniquely identifies the class. Priority The actual priority the controller assigns to flows of this class.
  • Page 78: Controller Enforcement Levels For Openflow Classes

    From the navigation menu, select Configurations. Then select the Basic tab. Select the com.hp.sdn.ctl.of.impl.ControllerManager component. Click Modify. The Modify Basic Configuration dialog box is displayed for the com.hp.sdn.ctl.of.impl.ControllerManager component.
  • Page 79 Figure 45 The ControllerManager Configuration Component Controls the enforcement levels for OpenFlow classes
  • Page 80: Hybrid Mode For Controlling Packet Forwarding

    In the Controller UI, from the navigation menu, select Configurations. Then select the Basic tab. Select the com.hp.sdn.ctl.of.impl.ControllerManager component. Click to show the configurable keys for this component and view the current value for hybrid.mode.
  • Page 81 Continue with the following steps if you want to change the setting. Click Modify. The Modify Basic Configuration dialog box is displayed for the com.hp.sdn.ctl.of.impl.ControllerManager component. Figure 47 Select the hybrid.mode field Set hybrid.mode to one of the following: true (the default): Enables hybrid mode. The controller makes packet-forwarding decisions only as required by installed applications.
  • Page 82: Coordinating Controller Hybrid Mode And Openflow Switch Settings

    For information on limitations in OpenFlow table support, see the HPE VAN SDN Controller and Applications Support Matrix. Table 4 Controller settings to support hybrid mode Controller Configurations Component Comments Set to true or false. com.hp.sdn.ctl.of.impl.ControllerManager hybrid.mode Set this value to the com.hp.sdn.disco.of.link.impl.OpenflowLinkDiscoveryComponent age.multihop.links refresh rate for multihop links.
  • Page 83: Limitations

    Table 4 Controller settings to support hybrid mode (continued) Controller Configurations Component Comments To support ARP-based com.hp.sdn.disco.of.node.impl.OfArpDiscoveryComponent arp.age host discovery, change this setting in the controller to be greater than or equal to the “ip arp-age” setting on controlled switches.
  • Page 84: Controller Packet-Forwarding When Hybrid Mode Is Disabled

    Controller packet-forwarding when hybrid mode is disabled Figure 48 Controller operation with hybrid mode disabled When hybrid mode is disabled (set to "false"), the controller examines and directs the packets in all flows for the given OpenFlow instance. The controller forwarding decisions for flows in a given instance are based on the requirements of the installed applications.
  • Page 85: Controller Packet Forwarding When Hybrid Mode Is Enabled

    Controller packet forwarding when hybrid mode is enabled Figure 49 Controller operation with hybrid mode enabled When hybrid mode is enabled (the default), the specific packet types for which the controller monitors and overrides switch forwarding rules depend on the applications installed and running in the controller.
  • Page 86: License Registration And Activation

    5 License Registration and Activation A license is required for the controller. In addition, SDN applications can require licenses that are separate from the license for the controller. Typically, you must have both a license for the controller and a license for each application. For Hewlett Packard Enterprise SDN applications, you register the license, obtain the license key, and activate the license on the controller using the same methods you use to register and activate controller licenses.
  • Page 87: Preparing For License Registration

    a team is formed, Add Nodes licenses can be added to the team leader for increased support. In addition, you must: – Use non-previously licensed controller installations to form the team. – Use a new hardware platform (or Virtual Machine) with a new installation of the HPE VAN SDN Controller.
  • Page 88: Registering Your License And Obtaining A License Key

    NOTE: If you are registering licenses in addition to the base controller license, Hewlett Packard Enterprise recommends you do so in the following order: Register the base controller license. Register any Add Nodes licenses, and then activate the last license key generated. Register any High Availability licenses, and then activate the last license key generated.
  • Page 89 NOTE: For an HPE VAN SDN Ctrl Base SW w/ 50–node E-LTU license, the quantity must be For HPE VAN SDN Ctrl 50–node E-LTU or HPE VAN SDN Ctrl HA E-LTU licenses, quantity is the number of licenses to be installed with a single Install ID. For information on using this process for an application license, see the administrator guide for that application.
  • Page 90: Viewing Your License Information

    Figure 53 Reviewing your registration 10. Review your license registration details, and record the License key listed. 11. Optional: To download the license key file, click Save as, and then save it to your local hard drive. 12. Optional: To e-mail the registration details: Enter one or more e-mail addresses, separated by a comma or semi-colon in the field provided.
  • Page 91 To view the information for the license you just loaded, click the Select button for that license. You will then see a screen similar to the following: Figure 54 Viewing your license and other information
  • Page 92: Activating A License On The Controller

    Record the license key in the above screen for use when you activate the license on the controller. Activating a license on the controller To activate a license on the controller, you must add the license key. If the controller has no licenses listed, enter the license key for the HPE VAN SDN Ctrl Base SW w/50–node E-LTU before you add any other license keys.
  • Page 93: Activating A License Using A Script

    To activate the license, click the Add button. The active license is displayed in the table, below the Install ID, and the Add button is no longer available. Figure 56 Active License Displayed on License screen Activating a license using a script As an alternative to using the controller UI to activate the license, you can use a post install configuration script run locally on the controller.
  • Page 94: Deactivating Licenses To Prepare For Transfer

    NOTE: Keeping a license on one controller while transferring one or more other licenses from the same controller to another controller is not permitted. When upgrading, no special effort is required to preserve the licenses. Note that the license transfer mechanism is only required when you want to switch the hardware on which the controller is currently running.
  • Page 95: Transferring Licenses To A New Platform

    You will see an Uninstall key displayed for that license. Copy the Uninstall key for that license to the clipboard by clicking Copy Uninstall Key. Repeat the preceding steps for each of the remaining licenses on the controller. Transferring licenses to a new platform After you have deactivated all of the licenses for a controller, you can transfer them to another controller.
  • Page 96 Figure 60 Reviewing details before transfer Verify that this is the license you want to transfer, and then click Next. The target Install ID screen is displayed (Figure 61). Figure 61 Entering target install and uninstall IDs
  • Page 97 In the screen in Figure 61, do the following: In the Target Install ID field, enter the Install ID of the controller to which you want to transfer the license. In each Uninstall field, enter a license uninstall key. (For more on acquiring uninstall keys, see Section NOTE:...
  • Page 98: Using Evaluation Licenses

    Figure 63 Review transferred license status screens To register the transferred licenses on the new controller, see “Activating a license on the controller” (page 92). Using Evaluation Licenses To use evaluation licenses: Install the HPE VAN SDN Controller and install all the Hewlett Packard Enterprise SDN applications you would like to evaluate.
  • Page 99: Configuring For High Availability

    6 Configuring for High Availability Standalone controller operation provides management for the OpenFlow switches in a network. However, it does not provide high availability (HA), with the result that a controller failure leaves the network in an unmanaged state. Configuring a team of controllers and one or more corresponding controller regions creates a high availability network with failover capability, resulting in a continuously managed network in the event that a controller in the team goes down.
  • Page 100: Requirements For Teaming

    For the controllers in a team to remain active, they must be part of the team quorum. To be part of a team quorum, a controller must be connected to at least one other team member that has a status of active or initializing. If one controller in the team goes offline, controller operations can continue.
  • Page 101: Team Status

    A team must consist of 3 controllers. A controller can only be part of one team. All three controllers in a team must be running the same controller software version. The administrator must create the team and the regions. A team requires one IP address for each controller, plus one IP address assigned to the team as a whole.
  • Page 102: Manually Synchronizing Cassandra Database Nodes Using Nodetool Repair Utility

    and thus the controller status cannot be determined or reported until the core services complete the initialization phase. For more information, see “Error log for team configuration ” (page 184), “Team alias node” (page 186), “Failover behavior within a region” (page 189), “Failback behavior within a region”...
  • Page 103: Configuring Controllers To Use The Same Local Ntp Servers

    Ensure that the Cassandra database is online by entering the following command: ~$ /opt/sdn/cassandra/bin/nodetool status If you see the following message, the Cassandra database is not online: Failed to connect to '127.0.0.1:7199': Connection refused If the Cassandra database is not online, you must restart the controller to restart the Cassandra instance on that controller: Close any instance of the web interface connected to the controller to be restarted.
  • Page 104: Viewing Your Team Configuration Using The Ui

    Viewing your team configuration using the UI You can view your team and region configuration from the SDN Controller UI’s Team screen. To access the Team screen, click Team in the controller UI navigation pane. The Team screen is read-only and includes: Team status (top banner) Team configuration and controller status...
  • Page 105: Viewing Team Configuration And Controller Status

    Unreachable status occurs for either of the following reasons: ◦ The sdnc service stopped working or a controller has been rebooted. ◦ A network partition occurred and a controller in a team has become separated from the other team members. UNKNOWN A team status cannot be determined and an unknown team status message is displayed: Unknown status occurs for either of the following reasons:...
  • Page 106: Viewing Devices, Datapaths, And Debug Logs

    The region’s details include the following fields: Ranges: The configured ranges (IP ranges). Devices: List of IP addresses one-by-one. One of these must be present, or both may be used. Viewing devices, datapaths, and debug logs The Device Owners portion of the Team screen (bottom section) displays the following fields: Device: The device IP.
  • Page 107: Defining Inputs For Teaming In A Configuration File

    are used to configure a single team. The script uses a configuration file to define the inputs for configuring the team. The script can be used to do the following: ◦ Create a team ◦ Disband a team ◦ Create region(s) ◦...
  • Page 108 Edit the configuration file (for example vi build_team.conf) or create a custom configuration file to include the following inputs about the team configuration. You cannot change the parameter name, such as User or Team_IP. Some entries are optional as noted in the following table. NOTE: You can create multiple configuration files, each for use with a different team configuration.
  • Page 109: Using A Python Script From A Controller To Configure A Team

    The devices must be configured with the IPs of all three controllers in a team. Region2, Region3 (optional) Enter inputs for other regions you want to define. You can specify 1, 2, or 3 regions in a team, or no regions. If you don’t want to define Region2 or Region3 then leave all items for that region blank.
  • Page 110: Security

    7 Security The HPE VAN SDN Controller communicates with different components, both internal and external to the controller, via secure channels. This section documents these channels, their defaults, and how to configure them in a deployment environment. SDN Controller authentication The SDN Controller identifies itself via Public-Key Infrastructure (PKI) for its communication with external subsystems and other controllers.
  • Page 111 In the Advanced tab of the Configurations screen, select each of the following components and change the value of the selfsigned key to false: com.hp.sdn.api.impl.AlertPostManager com.hp.sdn.misc.AdminRestComponent com.hp.sdn.misc.ServiceRestComponent Select the com.hp.sdn.adm.mgr.impl.hpws.HpwsInstallManager configurable component and ensure that the following keys have the values indicated in the following table: Value keystore...
  • Page 112: Sdn Controller Keystore And Truststore Locations And Passwords

    SDN Controller keystore and truststore locations and passwords The SDN Controller keystore and truststore are referenced by the following configurable components: com.hp.sdn.api.impl.AlertPostManager com.hp.sdn.misc.AdminRestComponent com.hp.sdn.misc.ServiceRestComponent com.hp.sdn.adm.mgr.impl.hpws.HpwsInstallManager The values for keystore and keystore.password contain the keystore location and encrypted keystore password respectively.
  • Page 113: Built-In Openflow Controller

    Similarly, the truststore and truststore.password keys store the location of the truststore and the password of the truststore respectively. You can configure the com.hp.sdn.ctl.of.impl.ControllerManager component in the Configurations screen Basic tab (screen example is shown below). A controller restart is required if these configurations are changed.
  • Page 114: Rest Authentication

    The certificate for the client, an external policy manager such as Aruba ClearPass, must be imported into the truststore of the controller. The issuer CN (common name) of the certificate must be entered for the value of the clearpass.cert.cn key of the com.hp.sdn.cms.impl.ClientMapperServiceProvider controller configurable component.
  • Page 115: Openstack Keystone Used For User And Token Management

    Controller hybrid mode must be enabled (set to true). The value of the com.hp.sdn.cms.impl.ClientMapperServiceProvider controller configurable component key clearpass.integration.enabled must be true. Requirements for the REST API request when using certificate-based authentication Certificate-based authentication can only be used for cms/client/event POST requests.
  • Page 116: Pki Authentication

    this issue by using a private/public key pair to produce a CMS message which can be verified by an endpoint without checking with Keystone for every API request. PKI Authentication The PKI authentication provider was introduced in the Grizzly release of Keystone. To use PKI tokens, keys and certificates need to be generated.
  • Page 117: Keystone Controller Configuration

    Keystone controller configuration The following Keystone controller configuration is set in the controller UI Configurations screen in the System tab under the com.hp.sdn.adm.auth.impl.AuthenticationManager component. The keys are described as follows: AdminToken – Keystone admin token. ConnPoolEvictPeriod – Keystone idle connection clean-up cycle in milliseconds. Minimum is 100.
  • Page 118: Role-Based Access Control (Rbac)

    -d '{"tenant": {"enabled": true, "name": "test-tenant", "description": "Test Tenant"}}' http://:35357/v2.0/tenants List tenants: curl -H "X-Auth-Token:ADMIN" http://:35357/v2.0/tenants Create a user: curl -H "X-Auth-Token:ADMIN" -H "Content-Type: application/json" -d '{"user": {"email": "[email protected]", "password": "somepass", "enabled": true, "name": "test-user", "tenantId": "2c851897a09f483fa452e2de11511f71"}}' http://:35357/v2.0/users List users: curl -H "X-Auth-Token:ADMIN" http://:35357/v2.0/users Create a role: curl -H "X-Auth-Token:ADMIN"...
  • Page 119 "tenants_links": [] 2. Create a user as part of sdn tenant root@sdnctl1:/var# curl -H "X-Auth-Token:ADMIN" -H "Content-Type: application/json" -d '{"user": {"email":"[email protected]", "password": "somepass", "enabled": true, "name": "test-user", "tenantId":"575d62cc28bc403c97409072ba6536d3"}}' http://192.168.4.61:35357/v2.0/users {"user": {"username": "test-user", "name": "test-user", "id": "867e7e2e88644e73a4eee25e4b80c303", "enabled": true, "email": "[email protected]", "tenantId": "575d62cc28bc403c97409072ba6536d3"}} root@sdnctl1:/var# curl -H "X-Auth-Token:ADMIN"...
  • Page 120: Api Access Requires Authentication

    The values for these tokens can be seen in the controller UI in the Configurations screen in the System tab under the com.hp.sdn.adm.auth.impl.AuthenticationManager component. All controllers in a team must have the same Service token to communicate successfully. For the Admin token, both the controller token value and the OpenStack Keystone admin_token in the directory /etc/keystone/keystone.conf must match for successful authentication.
  • Page 121: Controller Code Verification

    Controller code verification All controller code is signed by Hewlett Packard Enterprise. Validating the certificate via jarsigner should return a Hewlett Packard Enterprise X.509 certificate similar to the following: X.509, CN=Hewlett-Packard, OU=HPGlobal, OU=Digital ID Class 3 - Java Object Signing, O=Hewlett-Packard, L=Andover, ST=Massachusetts, C=US [certificate is valid from 11/14/12 4:00 PM to 11/15/14 3:59 PM] X.509, CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network,...
  • Page 122: Revoking Trust

    Revoking Trust Revoking trust via truststore The controller components rely on the public certificates in the respective truststore to establish trust with a given identity. Therefore, revoking trust from a client with a given public certificate amounts to removing its certificate from the respective truststore. To remove a given certificate from the truststore: List the certificates in your truststore: /opt/sdn/openjdk8-jre/bin/keytool -list -v -keystore truststore...
  • Page 123: Virgo Admin Ui Access Via Localhost Only

    The install process adds a number of sudoers entries for the sdnadmin user. These are as follows: /sbin/ifconfig /sbin/reboot /sbin/iptables /usr/bin/service /usr/bin/at /usr/bin/dpkg /usr/sbin/arp /usr/bin/arping All, or any, of the above entries can be blocked or removed from the sudoers configuration. The /sbin/ifconfig entry is only required when running in teamed mode.
  • Page 124: Creating The Cassandra Keystore And Truststore

    10. Select Configurations on the left navigation pane, select the System tab and then select the com.hp.sdn.teaming.impl.CassandraProcessManager component. 11. Select Modify on the top. When the Modify System Configuration dialog box opens, update the location and password of the new keystore. Click Apply.
  • Page 125: Cassandra Keystore And Truststore Locations And Passwords

    Cassandra keystore and truststore locations and passwords The Cassandra keystore and truststore are referenced by the com.hp.sdn.teaming.impl.CassandraProcessManager component. To change the passwords keystore.password and truststore.password of this component: From the controller UI, select Configurations, then select the System tab. Select the com.hp.sdn.teaming.impl.CassandraProcessManager component.
  • Page 126: Security Best Practices

    Update the keystore’s internal serverkey to match the newly chosen KeystorePass value you entered in step 4 using the following: /opt/sdn/openjdk8-jre/bin/keytool -keypasswd -alias serverkey -storepass -keypass -new -keystore /opt/sdn/admin/keystore Update the truststore password to match the newly chosen TruststorePass value you entered in step 4 using the following: /opt/sdn/openjdk8-jre/bin/keytool -storepasswd -storepass ...
  • Page 127 ◦ Never let someone who does not have access rights to the controller ‘look over your shoulder’ while accessing the UI. ◦ Make sure Keystone is configured to expire tokens after a short period of time (a common industry practice is 20 minutes). Do not delete any iptables with the name hazelcast, cassandra-default, or cassadra-team, or any rules with the following ports: 5700, 7000, 7001, 7199, 9160.
  • Page 128: Configuring Openflow Instances

    8 Configuring OpenFlow instances Configuring OpenFlow Instances with Multiple VLANs Hewlett Packard Enterprise recommends that the OpenFlow instance VLAN membership be identical throughout the controlled network topology. If an OpenFlow instance contains a set of VLANs on one switch, then neighboring switches should also have an OpenFlow instance with the same set of VLANs.
  • Page 129 Example 2 Configuring linkDiscoveryVlan to discover all links from the Comware devices In this example, the topology consists of a ProVision 3800 on port 6 connected to a Comware 5500HI on port GigabitEthernet1/0/14: The ProVision 3800 has the following configuration: openflow controller-id 1 ip 172.17.8.129 controller-interface vlan 800 instance "1"...
  • Page 130 Initially, the REST API reports only one link; the link between the Comware 5500HI and the ProVision 3800: The REST API reports the link discovered when the controller injected link discovery packets to the ProVision 3800 OpenFlow instance. The ProVision switches insert a VLAN tag in packets injected by the controller when the egress ports are configured as tagged only.
  • Page 131 The REST API query now reports that both links are discovered: NOTE: When you configure a linkDiscoveryVlan for a device, the controller will always insert an 802.1Q header with the configured VLAN on each link discovery packet sent to all ports of the device, regardless of the actual port configurations, as the controller does not have any knowledge of the port configuration.
  • Page 132: Configuring Openflow Instances To Enable Mac Group Matching

    Configuring OpenFlow instances to enable MAC group matching MAC group matching By supporting MAC group matching and MAC group tables, an OpenFlow instance can store flow entries that match MAC groups instead of individual MAC IDs, freeing up space in the policy (TCAM) table of the physical switch for other flow entries.
  • Page 133: Enabling Mac Groups

    For more information about configuring OpenFlow instances, see the HPE Switch Software OpenFlow v1.3 Administrator Guide. Enabling MAC groups To enable source MAC groups, enter the following command, where instance-name is the name of the OpenFlow instance for which you are enabling MAC groups: openflow instance instance-name src-mac-grp-table.
  • Page 134: Backing Up And Restoring

    9 Backing up and restoring This chapter describes controller backup and restore actions using curl commands. For information about the REST APIs related to backup and restore, see /restore and /backup in the RSdoc facility on the controller. Using a Google Chrome browser window on the controller, enter: https://system_ip_address:8443/api Backing up and restoring Best Practices You cannot use RSdoc to download or upload files.
  • Page 135: Backup Operation

    /var/log/sdn/virgo/logs/log.log file. To configure the backupLockSeconds parameter: Log in to the GUI. Click Configurations. From the list of configurations, click com.hp.sdn.teaming.impl.CassandraProcessManager. Click Modify. “Configuration components” (page 38). Examples of curl commands in this guide use the --noproxy option, which is appropriate where execution of curl commands does not need a proxy to access controllers.
  • Page 136: Backing Up A Controller

    is one metering file that is backed up and restored. It contains a mapping of metric descriptor information (such as the ID of the application that created a metric and the metric's primary tag, secondary tag, and name) to the UID that was assigned to each metric. When a restore is performed, this file is restored, and any existing metering time-series data is deleted because it might not match the restored file.
  • Page 137: Recommended Backup Practices

    NOTE: The file name must begin with sdn_controller_backup. • Download the Backup.zip File: curl --noproxy controller_ip --header "X-Auth-Token:auth_token" --fail -ksSfL --request GET --url "https://system_ip:8443/sdn/v2.0/backup" > path-and-file-name.zip Recommended backup practices Do not run backup while making configuration changes. Instead, run the backup after completing configuration changes.
  • Page 138: System Restore Requirements

    Re-install the failed controller(s), making sure to use the same IP address configuration. During the re-installation, log messages similar to the following appear in the Audit Log: root@mak:~/dev/controller/dist# sudo dpkg -i hp-sdn-ctl_1.11_amd64.deb Selecting previously unselected package hp-sdn-ctl. (Reading database ... 212350 files and directories currently installed.) Unpacking hp-sdn-ctl (from hp-sdn-ctl_1.11_amd64.deb) ...
  • Page 139 "https://controller_ip:8443/sdn/v2.0/auth" -H "Content-Type: application/json" --data-binary '{"login": {"domain": "domain","user": "user","password": "password"}}' CAUTION: Credential information (user name, password, domain, and authentication tokens) used in curl commands might be saved in the command history. For security reasons, Hewlett Packard Enterprise recommends that you disable command history prior to executing commands containing credential information.
  • Page 140: Distributed (Team) Backing Up And Restoring

    NOTE: To restore a controller team, restore each controller as a standalone controller. “Distributed (team) backing up and restoring ” (page 140). NOTE: Attempting to restore a backup taken on any release prior to version 2.6 will not complete. 11. If you have files that were manually backed up prior to restoration, such as truststore or keystore files with CA signed certificates or certificates in the sdnjar_trust.jks file, then do the following: Stop the controller.
  • Page 141: 10 Metrics

    10 Metrics Viewing metric data Metric data created by the controller and applications can assist you when you are troubleshooting issues with the controller or network. The curl commands in this section interact with the metrics/apps REST API to display information about metric data collected by the controller.
  • Page 142: Metric Identifiers

    Application ID (REQUIRED) Identifies the application creating the metric. For example, the application ID for the controller is: com.hp.sdn metric name (REQUIRED) Describes the metric. This name is provided by the application that creates the metric. For example, an application that creates metrics to represent the characteristics of...
  • Page 143: Viewing The Application Ids For Applications That Have Persisted Metrics To Disk

    In this example, only the base controller itself has persisted metric data to disk. The application id is: com.hp.sdn This example shows the JSON output as returned by the curl command: {"apps":[{"app_id":"com.hp.sdn","app_name":"HP VAN SDN Controller"}]} This example shows the JSON output formatted for readability: "apps":[ "app_id":"com.hp.sdn",...
  • Page 144: Metrics Returned By The Metrics/Apps/App_Id Command

    Command example curl --noproxy 10.1.1.9 -X GET \ --header "X-Auth-Token:3d61f0d3e61349359e6dbd82ec02c113" --fail -ksSfL \ --url "https://10.1.1.9:8443/sdn/v2.0/metrics/apps/com.hp.sdn" Command output This example shows a partial listing of the output from the example command. The uid for a metric is the unique identifier assigned to the metric on the controller.
  • Page 145: Viewing The Primary Tags For Metrics Persisted By An Application

    If you do not specify a value for a parameter, the controller does not filter the results based on that parameter. Command example curl --noproxy 10.1.1.9 -X GET \ --header "X-Auth-Token:3d61f0d3e61349359e6dbd82ec02c113" --fail -ksSfL \ --url "https://10.1.1.9:8443/sdn/v2.0/metrics/apps/com.hp.sdn/primaries" Command output The only primary tag associated with the controller itself in this example is jvm. "primaries":[ "jvm"...
  • Page 146: Viewing The Names Of Metrics Persisted By An Application

    Command example curl --noproxy 10.1.1.9 -X GET \ --header "X-Auth-Token:3d61f0d3e61349359e6dbd82ec02c113" --fail -ksSfL \ --url "https://10.1.1.9:8443/sdn/v2.0/metrics/apps/com.hp.sdn/secondaries" Command output "secondaries":[ "nioDirectMemory", "operatingSystem", "threads", "garbageCollection", "memoryNonHeap", "memoryHeap", "memoryTotal", "nioMappedMemory" Viewing the names of metrics persisted by an application • To list the names of the metrics persisted by a specific application, use the following curl...
  • Page 147: Viewing Information About A Persisted Metric Identified By Its Uid

    --url "https://controller_ip:8443/sdn/v2.0/metrics/metric_uid" Command example curl --noproxy 10.1.1.9 -X GET \ --header "X-Auth-Token:3d61f0d3e61349359e6dbd82ec02c113" --fail -ksSfL \ --url "https://10.1.1.9:8443/sdn/v2.0/metrics/431b746e-e62e-4874-a801-b1438eaac635" Command output "metric":{ "app_id":"com.hp.sdn", "type":"GAUGE", "name":"usedBytes", "description":"The amount of heap memory currently being used by the JVM in bytes.", "primary_tag":"jvm", "secondary_tag":"memoryHeap", "jmx":false, "persistence":true, "summary_interval":"ONE",...
  • Page 148 start The earliest time to query for time-series data. The date and time must be in the format yyyy-mm-dd+hh:mm. If you specify an end but do not specify a start, the value used for start is the time of the oldest instance of the metric that is within the configured age-out time.
  • Page 149: Viewing All Controller Jvm Metrics

    "update_time":"Tue Sep 23 18:18:55 PDT 2014", "milliseconds_span":300000, "last":4.192128832E8 "update_time":"Tue Sep 23 18:23:55 PDT 2014", "milliseconds_span":300000, "last":3.864813136E8 "update_time":"Tue Sep 23 18:27:55 PDT 2014", "milliseconds_span":240000, "last":3.847236E8 Viewing all controller JVM metrics Many metrics are not persisted to disk. Some metrics are constant over time, at least for the time the JVM is online.
  • Page 150: Connecting To The Jmx Server Using The Jconsole Jmx Client

    http://docs.oracle.com/javase/7/docs/technotes/guides/management/jconsole.html Connecting to the JMX server using the JConsole JMX client Start the JConsole JMX client. From the New Connection screen, select Local Process. For an example, see Figure 66 (page 150). Figure 66 JConsole new connection Choose a local connection to the JMX server instance and click Connect. After successfully connecting to that JMX server instance, a screen similar to the screen shown in Figure 67 (page 150)
  • Page 151: Selecting And Viewing Metrics Using Jconsole Jmx

    Selecting and viewing metrics using JConsole JMX To display the metrics for an application, expand the application folder in the left pane: To view metrics for the HPE VAN SDN Controller and its embedded applications, expand the folder named HPE VAN SDN Controller. To view metrics for an application installed on the controller, expand the folder for the application.
  • Page 152: Generating A Controller Support Report

    Select Attributes to display TimeStampedMetric properties that are exposed via JMX. Figure 69 (page 152) shows an example of displaying the attributes for a metric. For those TimeStampedMetric instances that are persisted as well as exposed via JMX, it is possible to see the value for MsSpanned (milliseconds spanned) get reset when the value is stored;...
  • Page 153 Command example curl --noproxy 10.1.1.9 -X GET \ --header "X-Auth-Token:3d61f0d3e61349359e6dbd82ec02c113" --fail -ksSfL \ --url "https://10.1.1.9:8443/sdn/v2.0/support" Command output The following example contains a partial listing of the support report returned by the previous command: "support_report":[ "title":"Alert Framework", "id":"alert", "content":[ "Alert-Topics: licensing", "Alert-Count: 7", "Data Retention Age Out: 14 days", "Data Trim Interval: 24 hours",...
  • Page 154 " Usage: 14.663 %", "NIO Buffer Memory", " Direct", " Capacity: 0 bytes", " Used: 0 bytes", " Buffers: 0", " Mapped", " Capacity: 0 bytes", " Used: 0 bytes", " Buffers: 0", "Garbage Collection (last 1 minute(s))", " Executions: 0", "...
  • Page 155: 11 Troubleshooting

    "name": "test-tenant", "description": "Test Tenant"}}' http://:35357/v2.0/tenants List tenants: curl -H "X-Auth-Token:ADMIN" http://:35357/v2.0/tenants Create a user: curl -H "X-Auth-Token:ADMIN" -H "Content-Type: application/json" -d '{"user": {"email": "[email protected]", "password": "somepass", "enabled": true, "name": "test-user", "tenantId": "2c851897a09f483fa452e2de11511f71"}}' http://:35357/v2.0/users List users: curl -H "X-Auth-Token:ADMIN" http://:35357/v2.0/users Create a role: curl -H "X-Auth-Token:ADMIN"...
  • Page 156: Packets Not Received At The End Point

    Action Install the controller on Linux Ubuntu version 14.04 LTS 64-bit server. Packets not received at the end point Symptom HTTP traffic is not received at the end point. Cause In some situations, a switch might not forward HTTP traffic. Action Check the switch functionality and compatibility with your setup.
  • Page 157: Licensing

    Cause Making changes to the date and time or NTP server information using the GUI will change the permission of the file /etc/net.conf. After that, using the post install script to change date and time or NTP server information (python config_sdn.py -d) will fail because the script will try to access the /etc/net.conf file which has had the permission changed.
  • Page 158: Applications That Use The Cassandra Database Are Experiencing Failures

    Action See the HPE VAN SDN Controller Administrator Guide for instructions on how to enter your Install ID. Applications that use the Cassandra database are experiencing failures Symptom Applications that use the Cassandra database are experiencing failures, and there are log entries that indicate problems connecting to the Cassandra database.
  • Page 159: Application Management Errors

    Take one or more of the following actions: Form a controller team and distribute ownership of the switches in the network across the team members such that each controller in the team controls one third of the switches in the network. Increase the system resources, such as the number of file descriptors, on the system on which the controller is installed.
  • Page 160: Getting Unsafeconfigurationexception, Http Code: 403

    Pushing flows, groups, or meters via a northbound REST API to any controller in the team is supported even if that controller is not the master of the given device. In that case, the controller will delegate the request to the controller who is the master of the switch and the master controller will handle the request.
  • Page 161: Getting Applicationinstallexception, Http Code: 500

    Getting ApplicationInstallException, HTTP code: 500 Symptom Getting ApplicationInstallException, HTTP code: 500. Cause Occurs when the application status is not STAGED, or when something has gone wrong as specified in the error message. Action Indicates that an application cannot be installed. Getting ApplicationUpgradeException, HTTP code: 500 Symptom Getting ApplicationUpgradeException, HTTP code: 500.
  • Page 162: Openflow Errors

    Cause Occurs when the file format or contents is invalid, or when the signed jar verification failed (if enabled). Action Indicates that an application zip file fails validation. OpenFlow errors Host location not learned by controller Symptom The host is not present in the node database maintained by the controller. The REST/Java API that gets the node information is missing on that host.
  • Page 163: Troubleshooting Teamed Environments

    Troubleshooting teamed environments Controllers dropped from team or unable to form team Symptom A group of SDN controllers fails to form a team, or one or more controllers are dropped from the configured team. Cause The system clocks on one or more controllers are not synchronized with each other. Action You must synchronize all systems (even after a power cycle).
  • Page 164: Unable To Create Team

    -f --request GET --url "https://192.0.123.5:8443/sdn/v2.0/alerts?start=2014-11-18T19:30:15.000Z&end=2014-11-18T19:30:17.000Z" The curl command in this example generated the following response: {"alerts":[{"uid":"9ddf298e-a747-409c-b021-2610d6bf3e85", "system_uid":"0046a56e-a65e-4960-9d9e-f1820a285e53","topic":"HealthMonitor", "org":"HealthMonitor","ts":"2014-11-18T19:30:16.641Z","sev":"CRITICAL","state":true, "desc":"Health Monitor com.hp.sdn.adm.system.impl.QuorumRegistar changed state to CRITICAL > reason: No quorum"}, {"uid":"0e8deb7d-edcf-4000-a01d-db9bbabcc337","system_uid":"1ac1c1e7-1a6e-4401-ad3e-206028d57db8", "topic":"HealthMonitor","org":"HealthMonitor","ts":"2014-11-18T19:30:16.905Z", "sev":"CRITICAL","state":true,"desc":"Health Monitor com.hp.sdn.adm.system.impl.QuorumRegistar changed state to CRITICAL > reason: No quorum"}]}...
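One way to triage an alerts response like the one above, as an added example that is not part of the HPE guide: it filters the JSON for CRITICAL HealthMonitor alerts whose description carries the "No quorum" reason and groups them into bursts, so you can see which controllers reported quorum loss at about the same time. The sample response is constructed to match the field names shown above; its uid and system_uid values, the 30-second window and the function names are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

QUORUM_TEXT = "No quorum"  # reason string from the alert "desc" shown above
QUORUM_DESC = ("Health Monitor com.hp.sdn.adm.system.impl.QuorumRegistar "
               "changed state to CRITICAL > reason: No quorum")

# Constructed sample in the shape of the /sdn/v2.0/alerts response above.
# uid and system_uid values are made up for illustration.
SAMPLE_RESPONSE = json.dumps({"alerts": [
    {"uid": "constructed-0001", "system_uid": "controller-a",
     "topic": "HealthMonitor", "org": "HealthMonitor",
     "ts": "2014-11-18T19:30:16.641Z", "sev": "CRITICAL", "state": True,
     "desc": QUORUM_DESC},
    {"uid": "constructed-0002", "system_uid": "controller-b",
     "topic": "HealthMonitor", "org": "HealthMonitor",
     "ts": "2014-11-18T19:30:16.905Z", "sev": "CRITICAL", "state": True,
     "desc": QUORUM_DESC},
    # Different topic: must not be counted as a quorum alert.
    {"uid": "constructed-0003", "system_uid": "controller-a",
     "topic": "licensing", "org": "licensing",
     "ts": "2014-11-18T19:30:17.000Z", "sev": "CRITICAL", "state": True,
     "desc": "constructed non-quorum alert"},
    # Unparseable timestamp: skipped rather than crashing the triage run.
    {"uid": "constructed-0004", "system_uid": "controller-b",
     "topic": "HealthMonitor", "org": "HealthMonitor",
     "ts": "", "sev": "CRITICAL", "state": True, "desc": QUORUM_DESC},
    {"uid": "constructed-0005", "system_uid": "controller-a",
     "topic": "HealthMonitor", "org": "HealthMonitor",
     "ts": "2014-11-18T19:45:02.010Z", "sev": "CRITICAL", "state": True,
     "desc": QUORUM_DESC},
]})


def parse_ts(ts):
    """Parse the 'ts' format used in the response, e.g. 2014-11-18T19:30:16.641Z."""
    parsed = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")
    return parsed.replace(tzinfo=timezone.utc)


def quorum_alerts(response_text):
    """Return quorum-loss alerts as dicts of system_uid and ts, oldest first."""
    hits = []
    for alert in json.loads(response_text).get("alerts", []):
        if alert.get("topic") != "HealthMonitor" or alert.get("sev") != "CRITICAL":
            continue
        if QUORUM_TEXT not in alert.get("desc", ""):
            continue
        try:
            when = parse_ts(alert.get("ts", ""))
        except ValueError:
            continue  # malformed timestamp, ignore this entry
        hits.append({"system_uid": alert.get("system_uid"), "ts": when})
    return sorted(hits, key=lambda h: h["ts"])


def group_bursts(hits, window=timedelta(seconds=30)):
    """Merge alerts that follow each other within `window` into one burst."""
    bursts = []
    for hit in hits:
        if bursts and hit["ts"] - bursts[-1]["last"] <= window:
            bursts[-1]["last"] = hit["ts"]
            bursts[-1]["systems"].add(hit["system_uid"])
        else:
            bursts.append({"first": hit["ts"], "last": hit["ts"],
                           "systems": {hit["system_uid"]}})
    return bursts


if __name__ == "__main__":
    for burst in group_bursts(quorum_alerts(SAMPLE_RESPONSE)):
        print(burst["first"].isoformat(), "reported by", sorted(burst["systems"]))
```
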
  • Page 165: Controller And Application Data Differs Among Controllers In A Team

    Action Resolve the DNS server reachability issue. If the DNS server cannot be reached, add each team member to the /etc/hosts file on each controller. Controller and application data differs among controllers in a team Symptom Controllers and applications in a team do not display the same data, or data appears to be out of synchronization between controllers in a team.
  • Page 166 Navigate to the /opt/sdn/cassandra/bin directory and enter the following command: /opt/sdn/cassandra/bin# ./nodetool status Copy the Host ID of the Cassandra instance that has a state of DN in the output of the command you entered in the previous step. For example, the last entry in the following output is the Cassandra instance for the controller that was stopped: Datacenter: datacenter1 =======================...
  • Page 167: 12 Support And Other Resources

    Hewlett Packard Enterprise Support Center More Information on Access to Support Materials page: www.hpe.com/support/AccessToSupportMaterials IMPORTANT: Access to some updates might require product entitlement when accessed through the Hewlett Packard Enterprise Support Center. You must have an HP Passport set up with relevant entitlements. Websites Website Link...
  • Page 168: Customer Self Repair

    Hewlett Packard Enterprise SDN community discussion www.hpe.com/networking/sdnforum forum Hewlett Packard Enterprise SDN App Store www.hpe.com/networking/sdnappstore Hewlett Packard Enterprise SDN Dev Center website http://sdndevcenter.hp.com Hewlett Packard Enterprise Open Source download www.hpe.com/software/opensource website Networking websites Hewlett Packard Enterprise Information Library for www.hpe.com/networking/resourcefinder...
  • Page 169: Documentation Feedback

    Documentation feedback Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback ([email protected]). When submitting your feedback, include the document title, part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
  • Page 170: A Curl Commands

    A curl commands The HPE VAN SDN Controller provides a RESTful web service API. There are several tools available for accessing RESTful web service APIs, one of which is curl. This appendix shows some examples of accessing the controller's RESTful web service API with curl. For details on installing the curl application, see http://curl.haxx.se/download.html.
  • Page 171: Getting An Authorization Token Using A Curl Command

    Getting an authorization token using a curl command To get an authorization token using curl: Execute the following command: curl --noproxy controller_ip -X POST --fail -ksSfL --url "https://controller_ip:8443/sdn/v2.0/auth" -H "Content-Type: application/json" --data-binary '{"login": {"domain": "domain","user": "user","password": "password"}}' The output of the curl command contains the token. Without including the quotation marks, copy the value displayed for token.
  • Page 172: Activating A License On The Controller

    Example 3 Installed license output "license" : { "install_id" : 1249679, "serial_no" : 13, "license_metric" : "HA Controller", "product" : "HP VAN SDN Ctrl Base", "metric_qty" : 500, "license_type" : "PRODUCTION", "base_license" : false, "creation_date" : "2013-09-06T00:26:52.248+0000", "activated_date" : "2013-09-06T00:26:52.248+0000", "expiry_date"...
  • Page 173 Example 4 All installed licenses output "licenses" : [{ "install_id" : 12491640, "serial_no" : 12, "license_metric" : "Controller Node", "product" : "HP VAN SDN Ctrl Base", "metric_qty" : 52, "license_type" : "PRODUCTION", "base_license" : true, "creation_date" : "2013-09-06T00:26:52.248+0000", "activated_date" : "2013-09-06T00:26:52.248+0000", "expiry_date"...
  • Page 174: Application Manager Actions Using Curl Commands

    Example 5 License uninstall key output "license" : { "install_id" : 1249679, "serial_no" : 13, "license_metric" : "HA Controller", "product" : "HP VAN SDN Ctrl Base", "metric_qty" : 500, "license_type" : "PRODUCTION", "base_license" : false, "creation_date" : "2013-09-06T00:26:52.248+0000", "activated_date" : "2013-09-06T00:26:52.248+0000", "expiry_date"...
  • Page 175: Listing Information About An Application

    200 for healthy 290 for unhealthy 295 for critical Form curl [options] -H "X-Auth-Token:" -w %{http_code} \ -X HEAD https://controller_ip:8443/sdn/v2.0/apps/app_id/health Example curl -ksS -H "X-Auth-Token:3d61f0d3e61349359e6dbd82ec02c113" -w %{http_code} \ -X HEAD https://10.0.1.42:8443/sdn/v2.0/apps/com.hp.sdn.ctl.diag/health Example output...
  • Page 176: Uploading An Application (New Or Upgrade)

    Uploading an application (new or upgrade) Form curl [options] -H "X-Auth-Token:token" \ -X POST https://controller_ip:8443/sdn/v2.0/apps/ \ --data-binary @ Example curl -ksS -H "X-Auth-Token:3d61f0d3e61349359e6dbd82ec02c113" \ -X POST https://10.0.1.42:8443/sdn/v2.0/apps/ \ --data-binary @/home/hummer/dev/flare/dist/testApps/geewiz-apps-1.0.0.zip Example output (new) "app": { "action": "NONE", "catalog_id": "", "deployed": "1970-01-01T00:00:00.000Z", "desc": "Gee Wiz event production", "download_url": "", "name": "GeeWiz",...
  • Page 177: Upgrading An Application

    Example output "app": { "action": "NONE", "catalog_id": "", "deployed": "2014-06-18T21:46:39.845Z", "desc": "Gee Wiz event production", "download_url": "", "name": "GeeWiz", "product_id": "", "sku": "", "state": "ACTIVE", "uid": "com.geewiz", "vendor": "Gee Wiz, Inc.", "version": "1.0.0" Upgrading an application Form curl [options] -H "X-Auth-Token:token" \ -X POST https://controller_ip:8443/sdn/v2.0/apps/app_id/action \ -d upgrade Example...
  • Page 178: Enabling An Application

    Example output "app": { "action": "NONE", "catalog_id": "", "deployed": "2014-06-18T23:04:25.955Z", "desc": "Gee Wiz event production", "download_url": "", "name": "GeeWiz", "product_id": "", "sku": "", "state": "DISABLED", "uid": "com.geewiz", "vendor": "Gee Wiz, Inc.", "version": "2.0.0" Enabling an application Form curl [options] -H "X-Auth-Token:token" \ -X POST https://controller_ip:8443/sdn/v2.0/apps/app_id/action \ -d enable Example...
  • Page 179: Deleting An Application

    Example curl -ksS -H "X-Auth-Token:3d61f0d3e61349359e6dbd82ec02c113" \ -X POST https://10.0.1.42:8443/sdn/v2.0/apps/com.geewiz/action \ -d cancel Deleting an application This curl request is used to shutdown and completely remove all application versions. It has no output. Form curl [options] -H "X-Auth-Token:token" \ -X DELETE https://controller_ip:8443/sdn/v2.0/apps/app_id Example curl -ksS -H "X-Auth-Token:3d61f0d3e61349359e6dbd82ec02c113"...
  • Page 180: Deleting An Snmp Key

    Sample content of inputfile for an SNMP v1 key {"key": { "type": "SNMP", "description": "v1Key", "snmp-config": { "snmpversion": "v1", "readcommunityname": "public", "writecommunityname": "public" } } } Sample content of inputfile for an SNMP v3 key {"key": { "type": "SNMP", "description": "authPriv", "snmp-config": { "snmpversion": "v3", "username": "authPriv", "authorization": { "type":"SHA", "password":"MySHApassword"...
  • Page 181: Team Configuration Using Curl Commands

    IP Address. In this case the configuration /etc/sdn/admin/options might be changed using vim or emacs to reflect the desired configuration. sdncontroller:/opt/sdn/admin# cat options export ADMIN_OPTS="-Dcom.hp.sdn.admin.interface=eth0" Once the change has been made, the SDNA service must be restarted as shown with the following command:...
  • Page 182: Configuring A Controller Team Using Curl

    Configuring a controller team using curl This section describes configuring a controller team using curl commands. Team authentication is managed with iptables. The team communication channel is not encrypted. If you deploy the team in a highly secure environment, you can always use standard Linux IPSec functionality to encrypt traffic between the team members.
  • Page 183 Determine the team configuration parameters: Parameter Value Team IP Address The team IP address is different from the individual controller IP addresses. It is used as a virtual address for connecting to the team leader. Controller IP Address IP address of a team member. NOTE: When the virtual address is programmed on the team leader, gratuitous ARP is sent out.
  • Page 184: Error Log For Team Configuration

    Command example curl --noproxy 192.0.2.119 -X POST --fail -ksSfL --url "https://192.0.2.119:8443/sdn/v2.0/auth" -H "Content-Type: application/json" --data-binary '{"login": {"domain": "sdn","user": "myname","password": "mypass"}}' Command response {"record":{"token":"10f728e477cb4612b07069f339d0ca29","expiration": 1381119301000,"expirationDate":"2013-12-06 21-15-01-0700", "userId":"51802e12d16345fe9a4389290c1a04e2","username":"sdn","domainId": "d45eca9bde1b4dc78bd7dff69ee9440d","domainName":"sdn"}} Configure the controller team by using the team values and token from step 1: curl -m 240 --noproxy 192.0.2.119 --header "X-Auth-Token:10f728e477cb4612b07069f339d0ca29" --fail -ksS --request POST --url https://192.0.2.119:8443/sdn/v2.0/team...
  • Page 185 Table 5 Error log for team configuration (continued) Log message Description Team not configured on this system. An attempt has been made on a standalone controller to disband a team. Programming team alias ip-address failed. “Team alias node” (page 186). Unprogramming team alias ip-address failed.
  • Page 186: Team Alias Node

    Team alias node An IP Address (North-Bound IP) alias is created on the node that is elected as team leader to allow a controller team to be accessible with a single IP Address no matter which controller is the leader. This IP Address is provided as part of the team configuration when creating a team. If the elected node stops being the team leader, the team IP Address must be removed from the interface because this address must be reassigned to the actual team leader.
  • Page 187: Viewing The Team Configuration Using Curl

    -ksSfL --request DELETE --url https://member-ip:8443/sdn/v2.0/team The deletion of the team can take up to 4 minutes to complete. Increase the read timeout for the client request accordingly. In order for the controller to be fully operational in standalone after a team is disbanded, you must completely re-install the controller on each node.
  • Page 188: Creating Regions Using Curl

    Using the token acquired in Step 1, view the team configuration as follows: curl --noproxy team-ip --header "X-Auth-Token:auth_token" --fail -ksSfL --request GET --url https://team-ip:8443/sdn/v2.0/team Example command curl --noproxy 192.0.2.100 --header "X-Auth-Token:" --fail -ksSfL --request GET --url https://192.0.2.100:8443/sdn/v2.0/team Example response "team": { "ip": "192.0.2.100", "revision":0 "members": [...
  • Page 189: Regions And Device Ownership

    NOTE: IPv6 addresses occurring in any region field are not supported and will cause the region to be ignored. All region configuration operations (create, update, refresh, and delete) using the REST API require that every controller specified in the team, including the master controller and all slave controllers, be in an active state.
  • Page 190 In this example, the master controller 172.17.6.70 fails. Although it is still in the region, it is unavailable to the devices for which it is the configured master and is no longer the master controller. The primary slave controller 172.17.6.71 becomes the master controller. All 5 devices 192.168.1.101–105 now belong to the failover master controller 172.17.6.71.
  • Page 191: Failback Behavior Within A Region

    "dataPaths":[ "dpid":"00:1e:00:9c:02:e0:e4:00", "owningControllerIp":"172.17.6.71" Failback behavior within a region When the configured master recovers from a failure and rejoins the team, or when the connection from the disconnected device(s) with the original master is resumed, Device Owner Service initiates a failback operation in which the master role is restored to the configured master as defined in the region definition.
  • Page 192: Adding A Region Using Curl

    "dpid":"00:1e:f0:92:1c:21:af:00", "owningControllerIp":"172.17.6.70" "deviceIp":"192.168.1.104", "owningControllerIp":"172.17.6.70", "dataPaths":[ "dpid":"00:01:cc:3e:5f:6b:19:00", "owningControllerIp":"172.17.6.70" "deviceIp":"192.168.1.105", "owningControllerIp":"172.17.6.70", "dataPaths":[ "dpid":"00:1e:00:9c:02:e0:e4:00", "owningControllerIp":"172.17.6.70" Adding a region using curl This POST command adds a region to those configured on the controller and propagates the modifications to each controller in the team. All controllers configured for the team must be available for such a configuration change to be permitted.
  • Page 193: Adding A Device To A Region Using Curl

    If deviceIps or deviceIpRanges are not in numeric order, they are reordered in the response and in subsequent GET calls of the configuration. Adding a device to a region using curl This POST command adds a device with the specified IP address to the region with the specified UID and propagates the modifications to each controller in the team.
  • Page 194: Getting The Configuration Of A Specific Region Using Curl

    Getting the configuration of a specific region using curl This GET command retrieves the configuration of the specified region. The regions configuration may have been modified since controller startup to reflect the dynamic addition or removal of regions or devices within specific regions. In this example, there were no changes to the region of interest since controller startup and the configuration is the same as in “Adding a region using curl”...
  • Page 195: Getting The Status Of A Specific Region Using Curl

    In this example, for region UID 713def9a-4f96-485f-990c-8924bc06c8d8 and controller 172.17.6.70 (master), the devices are 192.168.1.101, 192.168.1.102, 192.168.1.103, 192.168.1.104, and 192.168.1.105. Regardless of how many IPs are configured for the devices in the region, this GET command indicates only those that are actually active and owned by the specified controller. Example command curl --noproxy controllerIp --header "X-Auth-Token:token"...
  • Page 196: Getting The Status Of All Regions Using Curl

    "owningControllerIp":"172.17.6.70", "dataPaths":[ "dpid":"00:01:44:31:92:5c:af:86", "owningControllerIp":"172.17.6.70" "deviceIp":"192.168.1.102", "owningControllerIp":"172.17.6.70", "dataPaths":[ "dpid":"00:1e:c8:cb:b8:dd:f0:c0", "owningControllerIp":"172.17.6.70" "deviceIp":"192.168.1.103", "owningControllerIp":"172.17.6.70", "dataPaths":[ "dpid":"00:1e:f0:92:1c:21:af:00", "owningControllerIp":"172.17.6.70" "deviceIp":"192.168.1.104", "owningControllerIp":"172.17.6.70", "dataPaths":[ "dpid":"00:01:cc:3e:5f:6b:19:00", "owningControllerIp":"172.17.6.70" "deviceIp":"192.168.1.105", "owningControllerIp":"172.17.6.70", "dataPaths":[ "dpid":"00:1e:00:9c:02:e0:e4:00", "owningControllerIp":"172.17.6.70" Getting the status of all regions using curl This GET command retrieves the current status of all regions, including their configured devices and the controller that currently owns each device.
  • Page 197 dataPathDetails parameter is specified for the GET /owners/{region_uid}/state command. In this example, there is only one region; therefore, the command output is the same as in “Getting the status of a specific region using curl” (page 195). Example command curl --noproxy teamIp --header "X-Auth-Token:token" -ksS --request GET --url...
  • Page 198: Removing A Device From A Region Using Curl

    "owningControllerIp":"172.17.6.70", "dataPaths":[ "dpid":"00:1e:00:9c:02:e0:e4:00", "owningControllerIp":"172.17.6.70" Removing a device from a region using curl This DELETE command removes a device with the specified IP address from the region with the specified UID and propagates the modifications to each controller in the team. A deviceIp query parameter must be specified.
  • Page 199: B Scripts

    The Restore.sh script restores a controller from a backup file. This script must have permissions set to 770 and be owned by the sdn user and sdn group: #!/bin/bash readonly OPT_ROOT="/opt/sdn" readonly VAR_LIB_SDN="/var/lib/sdn" readonly backupDir=${OPT_ROOT}"/backup" readonly targetDir=${backupDir}"/tmp/com.hp.sdn.adm.backup.impl.BackupRestoreLegacyManager" readonly configDir=${OPT_ROOT}"/config/" readonly repoDir=${OPT_ROOT}"/virgo/repository/usr" readonly backupFile=${backupDir}"/sdn_controller_backup*.zip" readonly LOG_FILE=${backupDir}"/restore.log" readonly INFO_FILE=${backupDir}"/info.bin"...
  • Page 200 function check_stop_and_exit { OUT=$1 if [[ $OUT -ne 0 && $OUT -ne 1 ]]; then restore_log "Stopping Cassandra failed and Restore failed : $OUT" rm $INFO_FILE exit 1 function check_and_exit { OUT=$1 if [ $OUT -ne 0 ]; then restore_log "Restore failed:$OUT" rm $INFO_FILE exit 1 function restorePostGre {...
  • Page 201: Backing Up A Controller Team

    # extract the backup archive content cd $targetDir for file in $(ls -a *.*) case $file in config.zip) restore_log "Restoring config files..." unzip -o $file -d $configDir check_and_exit $? teamConfig.zip) restore_log "Restoring teaming Config files..." restoreTeamConfig $file check_and_exit $? userrepo.zip) restore_log "Restoring user repository..."...
  • Page 202 #------------------------------------------------------------------------------ function validateTeamLead { leaderIp=$(ifconfig|grep -o $leaderIp) if [ "$leaderIp" == "" ]; then teamBackup_log "Run this script from the team lead node." exitBackup 1 teamBackup_log "Leader node IP $leaderIp is correctly configured." #------------------------------------------------------------------------------ # Function validateTeamBackupStatus ( ) # Checks if a new backup can be started. #------------------------------------------------------------------------------ function validateTeamBackupStatus { TEAM_BACKUP_ON="backup_in_progress=true"...
  • Page 203 # Verifies the success of the backup. #------------------------------------------------------------------------------ function verifyBackupStatus { local nodeIndex=$1 local backupIP=${ipArr[$nodeIndex]} local backupUrl="https://$backupIP:8443/sdn/v2.0/backup/status" backupStatus[$nodeIndex]=$(get $backupIP ${nodeAuth[$nodeIndex]} $backupUrl) if [ "${backupStatus[$nodeIndex]}" == "SUCCESS" ]; then teamBackup_log "Backup completed successfully on $backupIP." let "backup_complete = $backup_complete - 1" return #------------------------------------------------------------------------------ # Function teamBackupZip ( )
  • Page 204 [ $1 -ne 0 ] && teamBackup_log "Stopping backup/restore with errors." rm -rf $TEAM_BACKUP_STATUS_FILE kill -s TERM $B_PID exit $1 #------------------------------------------------------------------------------ # Function get ( ) # Performs a GET. #------------------------------------------------------------------------------ function get { local getIP=$1 local getToken=$2 local getUrl=$3 local attempts=0 while [ $attempts -lt 5 ];...
  • Page 205 \"domain\": \"$domain\", \"user\": \"$user\", \"password\": \"$pass\" }" # Attempt to authenticate and extract token if successful. auth=$(curl --noproxy $nodeIP -X POST --fail -ksSfL --url "$url" \ -H "Content-Type: application/json" --data-binary "$login" 2>&1) if [ $? -ne 0 ]; then teamBackup_log "Unable to authenticate as user $user in $domain domain." exitBackup 1 authToken='extractJSONString "$auth"...
  • Page 206: Restoring A Controller Team

    exitBackup 1 # Last, backup the leader node to avoid synchronization issues on a restore. backupNode $leaderIndex teamBackup_log "Started backup on leader ${ipArr[$leaderIndex]}." backup_complete=1 # Verify the backup on the leader node. for (( k=0; k<$BACKUP_WAIT_COUNT; k++ )); do sleep 10 verifyBackupStatus $leaderIndex if [ $backup_complete -le 0 ];...
  • Page 207 chmod 777 $RESTORE_TEAM_DIR #------------------------------------------------------------------------------ # Function validate_my_Ip ( ) # Validates the configured node IP against the backed up IP addresses. #------------------------------------------------------------------------------ function validate_my_Ip { for (( v=0; v
  • Page 208 uuidURL="https://${restoreIpArr[$i]}:8443/sdn/v2.0/systems" restoreUUID[$i]=$(get ${restoreIpArr[$i]} ${restoreAuth[$i]} "$uuidURL") if [ "${restoreUUID[$i]}" == "" ]; then teamBackup_log "Failed to get the UUID for ${restoreIpArr[$i]}, can't start restore." exitBackup 1 restoreUUID[$i]=$(extractJSONString "${restoreUUID[$i]}" "uid" | sed '/^$/d') teamBackup_log "UUID for ${restoreIpArr[$i]} is ${restoreUUID[$i]}" # Upload the backup files to a specific node. local ipFileName="sdn_controller_backup_${restoreIpArr[$i]}*.zip"...
  • Page 209 errorCode=$? let "attempts = $attempts + 1" if [ 35 -eq $errorCode ]; then teamBackup_log "SSL error on POST to $postUrl, retrying..." continue; break; done echo $postRes #------------------------------------------------------------------------------ # Function put ( ) # Performs a PUT of the specified data. #------------------------------------------------------------------------------ function put { local putIP=$1...
  • Page 210 echo " path - where to copy the file from on the remote system" exit 1 create_restoreDir user="$1" echo -n "Enter Controller Password: " read -s pass echo domain="$2" file="" if [ $# -eq 3 ]; then teamBackup_log "Starting the team restore. This will restore all the nodes in a team." file=$3 else teamBackup_log "Starting selective restore on specified IPs.
  • Page 211: C Using An External Policy Manager

    C Using an external policy manager By integrating the controller with an external policy manager such as Aruba ClearPass Policy Manager, you can get information about a client device based on its activity in the network. Aruba ClearPass Policy manager can push information about a client device to any other server using its REST API.
  • Page 212: D Performance Testing

    D Performance testing Measuring flows (packets) per second For measuring flows-per-second for performance testing, disable the additional processing required by learn.ip key of the com.hp.sdn.disco.of.node.OfIpDiscoveryComponent component by setting the value of the key to false. From the navigation menu, select Configurations.
  • Page 213: E Examples Of Metrics

    E Examples of Metrics The SDN controller has a subsystem for tracking metric values over time. Metric values are held as a time series which becomes available to the user via JMX or may be persisted to disk. For metric values that are persisted to disk the time-series values for each individual metric may be persisted at intervals of 1, 5, or 15 minutes;...
  • Page 214 "X-Auth-Token:" --fail -ksSfL --url "https://:8443/sdn/v2.0/metrics/apps" Curl output {"apps":[{"app_id":"com.hp.sdn", "app_name":"HP VAN SDN Controller"}]} Result The application ID for the controller is com.hp.sdn. It can be plugged into other metric REST API calls that require an {app_id} value in their URL.
  • Page 215 This output describes the metrics; it does not represent the time-series values for them. Curl equivalent command curl --noproxy -X GET --header "X-Auth-Token:" --fail -ksSfL --url "https://:8443/sdn/v2.0/metrics/apps/" Curl output for app_id=com.hp.sdn {"metrics":[{"app_id":"com.hp.sdn","type":"RATIO_GAUGE","name":"cpuLoadSystem","description": "The recent CPU usage of the system.","primary_tag":"jvm","secondary_tag": "operatingSystem","jmx":false,"persistence":true,"summary_interval": "ONE","uid":"42f65cd8-03c3-4cad-9788-012d513e3c0f"},{"app_id": "com.hp.sdn","type":"GAUGE","name":"committedBytes","description":...
  • Page 216 "The average bytes used in each direct memory buffer associated with the JVM.","primary_tag": "jvm","secondary_tag":"nioDirectMemory","jmx":false,"persistence":true,"summary_interval": "ONE","uid":"0cac91dd-4f53-4002-8333-d2a104362bd3"},{"app_id":"com.hp.sdn","type":"GAUGE","name": "fileDescriptorsOpen","description":"The number of file descriptors open on the operating system.", "primary_tag":"jvm","secondary_tag":"operatingSystem","jmx":false,"persistence":true, "summary_interval":"ONE","uid":"60bcbb25-7689-484b-bbc9-b403a1ce9b56"},{"app_id": "com.hp.sdn","type":"GAUGE","name":"countTotal","description":"Total (daemon and non-daemon) number of live JVM threads.","primary_tag":"jvm","secondary_tag":"threads","jmx": false,"persistence":true,"summary_interval":"ONE","uid":"fc9d9166-f525-4b7a-93a7-903278075f31"}, {"app_id":"com.hp.sdn","type":"GAUGE","name":"bufferCount","description": "The number of mapped memory buffers associated with the JVM.","primary_tag": "jvm","secondary_tag":"nioMappedMemory","jmx":false,"persistence":true,"summary_interval": "ONE","uid":"dbe9e2fc-f5a5-42d7-a4e9-45bb6c5d0d8d"},{"app_id":"com.hp.sdn","type": "GAUGE","name":"countNonDaemon","description":"Number of JVM threads that were live non-daemon...
  • Page 217 Result For each metric listed, one can see its type, its associated application ID, its name, its primary and secondary tags, whether it is persisted, whether it is exposed via JMX, and its summary interval. Also displayed for each metric is the unique ID (uid) assigned to the metric on the controller.
  • Page 218 Example 10 Lists primary tags associated with a specific application Curl equivalent command curl --noproxy -X GET --header "X-Auth-Token:" --fail -ksSfL --url "https://:8443/sdn/v2.0/metrics/apps//primaries" Curl output for app_id=com.hp.sdn {"primaries":["jvm"]} Result The only primary tag associated with the controller is jvm.
  • Page 219 Curl equivalent command curl --noproxy -X GET --header "X-Auth-Token:" --fail -ksSfL --url "https://:8443/sdn/v2.0/metrics/apps//secondaries" Curl output for app_id=com.hp.sdn {"secondaries":["nioDirectMemory","operatingSystem","threads","garbageCollection", "memoryNonHeap","memoryHeap","memoryTotal","nioMappedMemory"]} Result Several secondary tags are associated with the primary tag jvm along with several subcategories of jvm metric: memoryHeap metrics and threads metrics, among...
  • Page 220 Example 12 Metric names associated with a specific application Metric names associated with a specific application are displayed using the following call. Curl equivalent command curl --noproxy -X GET --header "X-Auth-Token:" --fail -ksSfL --url "https://:8443/sdn/v2.0/metrics/apps//names" Curl output for app_id=com.hp.sdn {"names":["averageBufferUsedBytes","countDeadlocked","bufferCapacityBytes","count", "countNew","bufferCount","countWaiting","fileDescriptorsOpen","uptimeMs","countTerminated", "elapsedMs","countTimedWaiting","countDaemon","countBlocked","fileDescriptorsUsage", "averageBufferCapacityBytes","cpuLoadSystem","countTotal","bufferUsedBytes","usedBytes",...
  • Page 221 --noproxy -X GET --header "X-Auth-Token:" --fail -ksSfL --url "https://:8443/sdn/v2.0/metrics/apps//names?primary_tag=, secondary_tag=" Curl output for app_id=com.hp.sdn primary_tag=jvm&secondary_tag=memoryHeap): {"names":["usedBytes","usage","committedBytes"]} Result Metric names are specific to JVM heap memory. The UID can be obtained once the specific metric of interest is identified via the earlier call. Optional query parameters to filter the output and list the metrics associated with an application ID may be employed.
  • Page 222 Filter for a primary tag of “jvm”, a secondary tag of “memoryHeap”, and a metric name of “usedBytes”. Curl equivalent command curl --noproxy -X GET --header "X-Auth-Token:" --fail -ksSfL --url "https://:8443/sdn/v2.0/metrics/apps/ ?primary_tag=jvm&secondary_tag=memoryHeap&name=usedBytes" Curl output for app_id=com.hp.sdn, primary_tag=jvm, secondary_tag=memoryHeap, name=usedBytes {"metrics":[{"app_id":"com.hp.sdn","type":"GAUGE","name":"usedBytes","description": "The amount of heap memory currently being used by the JVM in bytes.","primary_tag": "jvm","secondary_tag":"memoryHeap","jmx":false,"persistence":true,"summary_interval": "ONE","uid":"431b746e-e62e-4874-a801-b1438eaac635"}]} Result Detailed information about the metric can be retrieved using a specific metric UID.
  • Page 223 Curl equivalent command curl --noproxy -X GET --header "X-Auth-Token:" --fail -ksSfL --url "https://:8443/sdn/v2.0/metrics//values?start=&interval=" Curl output for app_id=com.hp.sdn, metric_uid=431b746e-e62e-4874-a801-b1438eaac635,start=2014-09-23+18:00,interval=1 {"metric_values":{"uid":"431b746e-e62e-4874-a801-b1438eaac635","type":"GAUGE","datapoint_count": 25,"datapoints":[{"update_time":"Tue Sep 23 17:59:55 PDT 2014","milliseconds_span":60000,"last": 3.22526704E8},{"update_time":"Tue Sep 23 18:00:55 PDT 2014","milliseconds_span":60000,"last": 3.24059976E8},{"update_time":"Tue Sep 23 18:01:55 PDT 2014","milliseconds_span":60001,"last": 3.28183496E8},{"update_time":"Tue Sep 23 18:02:55 PDT 2014","milliseconds_span":60000,"last": 3.28906008E8},{"update_time":"Tue Sep 23 18:03:55 PDT 2014","milliseconds_span":59999,"last":...
  • Page 224 Result The computation of values returned over longer intervals depends upon the type of metric. Gauge values as shown in this example are averaged over the data points encompassed in the summary. Counter values are summed over the summary interval in which histogram values are combined.
  • Page 225 Curl equivalent command curl --noproxy -X GET --header "X-Auth-Token:" --fail -ksSfL --url "https://:8443/sdn/v2.0/metrics//values?start=&interval=" Curl output for app_id=com.hp.sdn, metric_uid=431b746e-e62e-4874-a801-b1438eaac635,start=2014-09-23+18:00,interval=5 {"metric_values":{"uid":"431b746e-e62e-4874-a801-b1438eaac635","type":"GAUGE","datapoint_count":6,"datapoints": [{"update_time":"Tue Sep 23 18:03:55 PDT 2014","milliseconds_span":300000,"last":3.274097568E8},{"update_time": "Tue Sep 23 18:08:55 PDT 2014","milliseconds_span":300000,"last":3.133927072E8},{"update_time": "Tue Sep 23 18:13:55 PDT 2014","milliseconds_span":300000,"last":2.154562624E8},{"update_time": "Tue Sep 23 18:18:55 PDT 2014","milliseconds_span":300000,"last":4.192128832E8},{"update_time":...
  • Page 226 Server VM","Available processors (cores): 4","Max Heap: 3817865216 [3641Mb]","Heap: 671088640 [640Mb]","Heap used: 405144704 [386Mb]","Start Date: Tue Sep 16 19:14:57 PDT 2014","UpTime: 6 Days, 23 Hours","HP VAN SDN Controller Version: 2.5.0.0482"]},{"title": "JVM Metrics","id":"jvm-metrics","content":["Metric count: 44","Last update time: Wed, 24 Sep 2014 01:31:55 GMT","Uptime: 10,037 minute(s)","Memory"," Total","...
  • Page 227 Result All of the metrics tracked by the controller with regard to the JVM, including those that are also persisted as time-series data because they do vary throughout the JVM's lifetime, are available in the controller support report. The controller support report offers various information, such as the number of installed applications, configuration data, and the number of alerts and audit logs in the database.
  • Page 228: Index

    Index controller regions roles, 189 accessing controller support report updates, 167 and JVM metrics, 149 Applications description of, 152 OSGi artifacts, 36 generating, 152 states, 36 Controller team AppStore, 34 alias Aruba ClearPass Policy Manager, 211 disabling, 186 alias interface configuring, 186 backslash (\) character, 170 alias node, 186...
  • Page 229 controller default, 22 registration process activation process, 86 transferring, 93, 95 Embedded applications types, usage OpenFlow Link Discovery, 15 expiration, 86 OpenFlow Node Discovery, 16 uninstalling Path Daemon, 17 transferring, 94 Path Diagnostics, 17 Licensing Topology Manager, 19 curl, 171 Topology Viewer, 20 line continuation character, 170 High availability...
  • Page 230 normalized, 141 TLS, 113 persisted, 141 Openstack keystone, 115 persistence interval, 141 primary tag, 142 primary tags, listing, 145 Packet-forwarding raw values, 141, 142 hybrid mode, 80 secondary tag, 142 overview, 80 secondary tags, listing, 145 password time-series values, 141 change, 24 time-series values, listing, 147 controller default, 22...
  • Page 231 Hewlett Packard Enterprise, 167 logging out, 25 navigating screens, 22 navigation menu, 23, 25, 26 Tokens navigation tree, 23 admin OpenFlow service, 120 displaying network topology, 62 Topology Manager displaying topology, 61 features, 19 network topology, 63 Topology Viewer pagination control, 23 network graph, 20 SDN user window, 23 Troubleshooting...
