manualshive.com logo in svg

HP HPE VAN SDN Controller 2.7, Administrator'S Manual, Page: 122 / 231

Share
Download
HP HPE VAN SDN Controller 2.7 Administrator'S Manual Download Page 122

Revoking Trust

Revoking trust via truststore

The controller components rely on the public certificates in the respective truststore to establish
trust with a given identity. Therefore, revoking trust from a client with a given public certificate
amounts to removing its certificate from the respective truststore. To remove a given certificate
from the truststore:

List the certificates in your truststore:

/opt/sdn/openjdk8-jre/bin/keytool –list –v -keystore

truststore

[-storepass

password

]

Delete certificate from truststore:

/opt/sdn/openjdk8-jre/bin/keytool –delete –alias

cert-aliastruststore

Revoking trust via CRL

For the controller’s REST API, a CRL (Certificate Revocation List) might also be specified to
allow blacklisting of certain clients. This is done by modifying the

/opt/sdn/virgo/

configuration/tomcat-server.xml

file to include the CRL file location in the SSL connector:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
keystoreFile="../admin/keystore"
keystorePass="skyline"/>

For the change to take effect, restart the controller.

SDN administrative REST API

The main SDN Controller daemon (sdnc) is accompanied by an ancillary daemon process (sdna),
which runs under user sdnadmin in order to grant it access to some elevated privileges.

The administrative REST API can be used to securely perform various management functions
in a privileged context. It would be undesirable for the main SDN Controller process to possess
those privileges as it might be hosting execution of third-party code.

The SDN Administrator daemon can be accessed via the REST API via HTTPS on port 8081.
The access is secured through either token-based authentication or basic authentication, against
the locally running Keystone server, which is the same as the main SDN Controller REST API.

The following set of features are accessible through the administrative REST API:

SDN Controller daemon (

sdnc

) stop/start/restart

Adding/removing the team leader IP alias (required only when in team mode)

Configure

iptables

rules to protect team communication

NOTE:

If the

iptables

rule programming for Cassandra fails, the Cassandra server will

not come up. In previous releases, the server would come up regardless of the

iptables

rule programming.

Downloading the ZIP bundle of log files

Uploading upgrade Debian bundles and installing/removing Debian packages

Uploading upgrade ZIP bundles and executing upgrade commands

System reboot

122

Security

Summary of Contents for HPE VAN SDN Controller 2.7

Page 1: ...etwork administrators and support personnel involved in Configuring and managing HPE VAN SDN Virtual Application Network Software Defined Networking Controller installations Registering and activating HPE VAN SDN Controller licenses Part Number 5200 0907 Published March 2016 Edition 1 ...

Page 2: ... VAN SDN Controller license text can be found in opt sdn legal EULA pdf The HPE VAN SDN Controller incorporates materials from several Open Source software projects Therefore the use of these materials by the HPE VAN SDN Controller is governed by different Open Source licenses Refer to opt sdn legal HP SDN CONTROLLER OPENSOURCE LIST pdf for a complete list of the materials used Links to third part...

Page 3: ...he SDN user password 24 Changing the background and text colors 25 Expanding the SDN user window 25 Collapsing the SDN user window 25 Logging out of the controller 25 Navigation menu 25 About the navigation menu 25 Expanding or collapsing the navigation menu 25 Navigation menu screen details 26 Alerts 27 About alerts 27 Alerts screen details 28 Viewing the alert notification counter 29 Viewing the...

Page 4: ...acket listeners display details 57 OpenFlow Monitor 58 OpenFlow Monitor screen details 58 Summary for data path view 59 Ports for data path view 60 Flows for data path view 60 Groups for data path view 61 OpenFlow topology 61 Displaying the network Topology 62 Using keyboard shortcuts to change the display 62 Changing switch and host node labeling 63 Using the mouse to change the topology display ...

Page 5: ...ler UI 87 Registering and activating a license 87 Registering your license and obtaining a license key 88 Viewing your license information 90 Activating a license on the controller 92 Adding and activating a license using the controller UI 92 Activating a license using a script 93 Managing licenses 93 Transferring licenses 93 Deactivating licenses to prepare for transfer 94 Transferring licenses t...

Page 6: ...ministrative REST API 122 Virgo admin UI access via localhost only 123 Virgo console access disabled by default 123 JMX console enabled for local access only 123 Creating the Cassandra keystore and truststore 124 Cassandra keystore and truststore locations and passwords 125 Security procedure 125 Security best practices 126 8 Configuring OpenFlow instances 128 Configuring OpenFlow Instances with M...

Page 7: ...code 401 155 Controller not listening on port TCP 8443 155 Packets not received at the end point 156 Session expired message in the UI 156 Error running the config_sdn py script with date time NTP option 156 Licensing 157 Redeem quantity error 157 Install ID format errors 157 Install ID errors 157 Applications that use the Cassandra database are experiencing failures 158 Controller support log fil...

Page 8: ...bout an application 175 Getting application health status 175 Uploading an application new or upgrade 176 Installing a new application 176 Upgrading an application 177 Disabling an application 177 Enabling an application 178 Removing a staged application 178 Deleting an application 179 Viewing metric data using curl commands 179 Managing SNMP keys 179 Getting the SNMP keys 179 Adding SNMP keys 179...

Page 9: ...ing controller and devices for a region using curl 194 Getting the status of a specific region using curl 195 Getting the status of all regions using curl 196 Removing a device from a region using curl 198 Removing a region using curl 198 B Scripts 199 Restoring a controller 199 Backing up a controller team 201 Restoring a controller team 206 C Using an external policy manager 211 D Performance te...

Page 10: ...Support for Hewlett Packard Enterprise and H3C OpenFlow enabled switches Secure authentication using a local or remote Keystone server Controller teaming for distributed platform High Availability HA Embedded applications that provide common network services Open APIs enable SDN application developers to deliver innovative solutions that dynamically link business requirements to network infrastruc...

Page 11: ...nclude HPE Network Protector SDN Application HPE Network Optimizer SDN Application and HPE Network Visualizer SDN Application The extensibility and open APIs of the HPE VAN SDN Controller allows new applications to be created that make requests of the underlying network without the need to physically uproot or re configure the underlying infrastructure Northbound APIs utilize the REST architecture...

Page 12: ...rise offers an SDN developer community as well as forums events and other services to help developers and partners build and sell SDN applications Hewlett Packard Enterprise SDN information library The following information is provided for the HPE VAN SDN Controller HPE VAN SDN Controller Release Notes HPE VAN SDN Controller Installation Guide HPE VAN SDN Controller Administrator Guide HPE VAN SDN...

Page 13: ...in the switch using the OpenFlow controller API You should create a separate VLAN for an OpenFlow control plane For information on configuring OpenFlow see the latest OpenFlow Administration Guide for your switch IPv6 traffic IPv6 traffic running in the data plane of an OpenFlow network is supported when the controller is operating with hybrid mode set to true the default In this state the control...

Page 14: ... the controller Audit Log service The Alert Log records information about events that affect controller operation and in some cases indicate that some action is needed to correct a condition Alerts are managed by the controller Alert service Client Mapper Service combines information known about a network client by the controller such as host IP address host MAC addresses and the connected datapat...

Page 15: ...alled as modules on the controller The following applications are embedded in the controller and are installed when you install the controller OpenFlow Link Discovery OpenFlow Node Discovery Path Daemon Path Diagnostics Topology Manager Topology Viewer OpenFlow Link Discovery The OpenFlow Link Discovery application is the default OpenFlow link supplier application that is installed with the contro...

Page 16: ...on it learns from such received packets NOTE Because PACKET_IN messages that contain the BDDP protocol are for controller generated link discovery packets no corresponding PACKET_OUT is sent back to the device that sent the PACKET_IN The OpenFlow Link Discovery application also listens to device and interface events and registers with the ControllerService API to send OpenFlow packets to datapaths...

Page 17: ...uce network performance by overwhelming the control plane Path Diagnostics The Path Diagnostics application determines and verifies the path taken by trace packets from a source host to a destination host The application finds an existing flow that matches the description of the trace packet clones it with higher priority and adds an additional action to instruct the selected switch to send this p...

Page 18: ...uses the following match fields when pushing a flow mod These match fields have been chosen so that the flow modules are pushed on hardware tables in both ProVision based and Comware based switches Ether type OFPXMT_OFB_ETH_TYPE Source MAC or IP address OFPXMT_OFB_ETH_SRC or OFPXMT_OFB_IPV4_SRC Destination MAC or IP address OFPXMT_OFB_ETH_DST or OFPXMT_OFB_IPV4_DST Input port OFPXMT_OFB_IN_PORT Pa...

Page 19: ...ow cost next hops or link edge weight between any two datapaths in the control domain Topology Manager creates the clusters and broadcast tree to avoid loops and broadcast storms The Topology Manager Indicates whether a connection point is part of Infrastructure or is connected to an end host Indicates whether ingress broadcast traffic can be allowed through a specified connection point Topology M...

Page 20: ... of clusters in the current topology The Topology Manager provides notifications to subscribed applications about changes in its broadcast tree and cluster Applications that subscribe to these notifications can use the information to respond to changes in topology Topology Viewer The Topology Viewer application creates and updates a network graph for visualizing the network the controller discover...

Page 21: ...PI Reference This chapter includes details on the following Licenses page 52 Starting the SDN controller console UI Team page 53 About the user interface page 22 Support logs page 53 SDN User window page 23 Packet listeners page 56 Navigation menu page 25 OpenFlow Monitor page 58 Alerts page 27 OpenFlow topology page 61 Applications page 32 OpenFlow Trace log page 69 Configuration components page ...

Page 22: ...ion has expired is displayed You must reload the page and log in again For details on changing the Keystone timeout value see Session expired message in the UI page 156 Default domain name user name and password Default domain name sdn Default user name sdn Default password skyline About the user interface NOTE Descriptions for common areas icons and controls on the UI screen are listed after the ...

Page 23: ...controller navigation select the number of items to display in a tree labeled General and can contain single view The Auto option displays all additional navigation trees for installed items in a single screen For listings applications that integrate with the controller exceeding the length of the screen you can UI Can be displayed as a pane as shown use the scroll bar on the right side of the scr...

Page 24: ...site provides fact sheets case studies white papers product summaries technical and business documentation and other information to help you identify SDN solutions for your business needs SDN Community Links to the Hewlett Packard Enterprise SDN community discussion forum website within the HP Enterprise Business Community This site offers resources such as SDN discussion boards SDN development in...

Page 25: ...of the controller UI From the SDN User window select Log out Navigation menu About the navigation menu The navigation menu is the primary menu for navigating to controller resources The resources included with the controller are described in this document Applications installed on controller might add resources to this menu Displays as a pane or an overlay window You can display the navigation men...

Page 26: ...applications and allows you to add upgrade uninstall enable and disable these applications For more information see Applications page 32 Applications Displays the Configurations screen This screen lists the configurable components of the controller and allows you to modify key values For more information see Configuration components page 38 Configuration Displays the Audit Log screen This screen d...

Page 27: ...acket Listeners May include additional navigation trees for installed applications that integrate with the controller UI Other navigation menu items Alerts About alerts Alerts give notification of events that affect controller operation and in some cases indicate that some action is needed to correct a condition When controllers are operating in a team alerts generated by any team member are visib...

Page 28: ...ates the state of the alert Alert text color The controller displays active unacknowledged alerts the alert in the text color corresponding to the controller theme For example when the controller theme is daylight the active alerts appear in black text The controller displays the selected alert in blue text Click an alert to select it The controller displays acknowledged alerts in gray text Indica...

Page 29: ...ner and appears on all controller screens This counter indicates the number of active alerts The controller increments this counter when each new alert occurs The controller decrements this counter when you acknowledge an alert or when the controller deletes an alert according to the alert policies set for aging out alerts for details see Configuring how alerts age out page 31 Figure 6 Alert notif...

Page 30: ...the Alerts as of today window displays the alert in gray text on the Alerts screen and decrements the alert notification counter by one To acknowledge an alert from the Alerts screen 1 Click the alert to select it 2 Click Acknowledge The controller displays the alert in gray text on the Alerts screen and decrements the alert notification counter by one Deleting an alert You can acknowledge an indi...

Page 31: ...s that the controller deletes alerts that have exceeded the trim alert age limit trim enabled Default value true Specifies how often in hours the controller is to delete alerts that have exceeded the trim alert age limit trim frequency Data type A number from 8 through 168 Default value 24 Example Enter 8 to specify that the controller delete aged out alerts every eight hours To configure how aler...

Page 32: ...dding or upgrading an application page 34 Disabling stopping or enabling starting an application page 35 Uninstalling an application page 36 Understanding application states and OSGi artifacts page 36 Prerequisites for installing an application Any application to be installed on the controller must meet the following requirements It must be in a zip format The zip file must be accessible from the ...

Page 33: ...work Protector application Launch Network Protector The name of the application Name The following core embedded applications that come with the controller are listed by default on the Applications screen Path Diagnostics OpenFlow Link Discovery OpenFlow Node Discovery Path Daemon These are the only embedded applications you are allowed to manage using the UI Other embedded applications are not li...

Page 34: ...onf file on each controller and then restart the controllers for these changes to take effect If you are downloading a signed application from the App Store the JAR signing requires a trusted certificate in the sdnjar_trust jks file even if the certificate is trusted in the JAVA cacerts keystore For details see Adding certificates to the jar signing truststore page 121 Adding or upgrading an appli...

Page 35: ...ontroller restarts To use curl commands and the REST APIs to complete this task see curl commands page 170 To disable an application using the UI 1 In the Applications screen select the application you want to stop 2 Click Disable to display the Disable Application dialog box 3 In the Disable Application dialog box click Disable The Disable Application dialog box closes and the application state i...

Page 36: ...nstall 3 Click the Uninstall button to remove delete the application Understanding application states and OSGi artifacts In the default state or when an application has been started it is in the ACTIVE state and is servicing requests Application states include the following Table 1 Application States Description State The application is running and servicing requests ACTIVE A new application has b...

Page 37: ...n up after themselves NEW STAGED NEW UPGRADE STAGED If an OSGi deployment exception is encountered the application is moved to DISABLED if it fails to deploy as STAGED ACTIVE it is If a File I O or URI exception is encountered the application remains in the installing state If an exception is encountered OSGi deployment File I O or URI rollback attempt is made as listed below UPGRADE STAGED ACTIVE...

Page 38: ...l configuration components However direct addition or removal of configuration components is not supported NOTE When controllers are operating in a team configuration changes on one active controller propagate to the other active controllers in the team See also Using configuration component keys page 38 Modifying a component configuration page 45 Modifying NTP server or date and time page 46 Modi...

Page 39: ...o timing performance tuning and debugging configuration see Advanced Configurations view page 41 System tab provides access to platform specific configuration see System Configurations view page 43 Apps tab provides access to configuration components for installed SDN applications see Apps Configurations view page 45 The controls on these screens are the same Description Screen component Select a ...

Page 40: ...arts com hp sdn ctl path impl PathDaemon The PathDaemon component provides parameters used to perform L2 path calculations based on IPv4 addresses for IPv4 packets or MAC addresses for ARP packets You can set the following flow timeout parameters Use the idle timeout key default 60 seconds to configure the idle timeout value for each flow mod The idle timeout value specifies how long the flow mod ...

Page 41: ...P protocol Use the dhcp age key to configure the node timeout values The listener altitude key changes the altitude of the OfDhcpDiscoveryComponent component For more information see Packet listeners page 56 com hp sdn disco of node impl OfIpDiscoveryComponent The OpenFlow IP discovery component of the OpenFlow Node Discovery application is used for topology host discovery via IP Protocol Use the ...

Page 42: ...k discovery packets to the attached Openflow devices listens to the responses and populates the Link Service cache with the results Use the age multihop links key to configure the OpenFlow Link Discovery application to remove multihop links from the link table if the link is not re discovered in two poll intervals Use the multihop poll interval key to configure the polling interval in seconds for ...

Page 43: ...ecking for alert data to be deleted based on the configured age out policy For more information about alert log policies see Configuring how alerts age out page 31 com hp sdn adm auditlog impl AuditLogManager The AuditLogManager component controls the quantity of audit log data present on the system by periodically checking for audit log data to be deleted based on the configured age out policy Fo...

Page 44: ... data that is too old should be trimmed and how often persisted metric values should be saved to disk This value can be overridden for any metric when the metric is created com hp sdn dvc impl DeviceManager The DeviceManager component serves as an in memory cache for the persistent devices known to the controller It holds information about those devices and whether they are currently connected to ...

Page 45: ... these SDN application specific components see the documentation for the SDN application Modifying a component configuration 1 On the Configurations screen select the tab that contains the component you want to modify Basic Advanced System or Apps 2 Select the component you want to modify 3 Click Modify A Modify Configuration dialog box is displayed for the component you selected For example 4 Ent...

Page 46: ...s script see the HPE VAN SDN Controller Installation Guide IMPORTANT If you change the NTP server or date and time after applying the change you are logged out and you must log on to the UI again 1 On the Configurations screen in the System tab select the NTP component You can use the expand icon to view the NTP information currently configured 2 Click Modify The Modify System Configuration dialog...

Page 47: ...from the Configurations screen IMPORTANT The configuration is for the eth0 interface only If the controller is in a team you must first disband the team before modifying the network settings If you make changes to the Network component the controller will automatically be restarted After applying the change you will be disconnected from the UI and will need to wait for the controller to restart be...

Page 48: ...nformation in the log file for use in debugging a problem Setting all loggers to a high verbose level of logging is not recommended because it can lead to a shortage of system storage space very quickly NOTE If the controller is restarted or if the virtual machine is rebooted the log levels for all loggers revert back to INFO The log levels from most verbose to least verbose are ALL TRACE DEBUG IN...

Page 49: ...activities operations and configuration changes initiated by an authorized user This includes activities such as Installing an application or starting stopping uninstalling an application Modifying the configuration of a controller component Installing a license Forming a controller team When controllers are operating in a team the audit log shows events for all controllers in the team See also De...

Page 50: ...les you to identify which controller in the team generated the alert Controller ID Deleting an audit log entry You cannot delete or modify a log entry The controller deletes entries according to the configured audit log policies To configure the audit log policies see Configuring how audit log data ages out page 50 Configuring how audit log data ages out You can configure the following key values ...

Page 51: ...he Modify System Configuration dialog box is displayed for the com hp sdn adm auditlog impl AuditLogManager component 3 Change the values for the keys these keys are described in the table above 4 Click Apply Figure 16 The AuditLogManager Configuration Component Controls Audit Log Policy Exporting and archiving audit log data To retain log records for longer than the trim auditlog age limit you mu...

Page 52: ...ctivates the selected license Deactivate When a license is deactivated an uninstall key is assigned for license transfer purposes and you can copy this uninstall key by selecting this button see Transferring licenses page 93 Copy Uninstall Key Contains the installation identifier for this controller Install ID A sequence serial record number given for that license across all licenses generated for...

Page 53: ...ng the UI page 104 For details on configuring High Availability HA and teaming see Configuring for High Availability page 99 Figure 17 Team screen Support logs About support logs The support logs maintain an internal record of events of interest from the operations of an active SDN controller This information is the type of data a support engineer would request when troubleshooting an SDN installa...

Page 54: ...e 56 Support logs screen details Figure 18 Selecting the Support Logs screen Description Screen component Displays a listing of the most recent log messages as determined by the currently configured queue size For example with a queue size of 100 Refresh lists the 100 most recent log messages Refresh Gathers the set of support log file data from the standalone controller or all active controllers ...

Page 55: ...uration component You can also dynamically change the logging level by using the REST API See HPE VAN SDN Controller REST API Reference The module or feature that triggered the logging condition Logger The thread that caused the logging condition to occur Thread Describes the details of the logging condition Message Detailed information about the log entry Data A hexadecimal number that identifies...

Page 56: ...r resume interaction with the controller or examine the log by selecting an item from the menu such as Open a window showing the new log zip file Set the default operation to always open the directory containing the log zip file Show the log zip file in the default directory for receiving downloads NOTE The actions resulting from these choices depend on the browser and operating system not on the ...

Page 57: ... passive observer who might examine the incoming packet and any packet out response Packets are given to packet listeners with role of ADVISOR first DIRECTOR second and OBSERVER third Every packet listener is guaranteed to see the packet in message Depending on the action taken by higher altitude Directors a lower altitude Director might be too late to influence the packet processing The weight or...

Page 58: ...e options for viewing traffic information To view information about a specific device click the Data Path ID for that device and then select one of these tabs for the view you want to display Summary Ports Flows Groups Click Refresh to update the display for Topology changes such as a newly discovered OpenFlow device or the loss of a device that has been disconnected Figure 22 The Main OpenFlow Mo...

Page 59: ... version of the device H W Version Software version on the device S W Version Serial number on the device Serial Number Summary for data path view Figure 23 Summary view for a specific OpenFlow device The OpenFlow Monitor Summary view includes the following details related to the selected device Manufacturer Hardware and software version Serial number and device description of the device Device id...

Page 60: ...path view The OpenFlow Monitor Flows view shows current flows on the selected OpenFlow device For a given flow traffic meeting the requirements specified in the Matches field is directed as specified in the corresponding Actions Instructions field Figure 25 Flows view for a specific OpenFlow device NOTE The Table ID applies to OpenFlow 1 3 and greater but not to OpenFlow 1 0 60 Using the SDN contr...

Page 61: ...overed on a given switch Interface name and OpenFlow numbers are displayed Identifies the shortest path between two nodes Provides node identification options such as MAC or IP address label Provides a view of switch port identifiers active flow rules and a tool for testing flow rule options CAUTION Do not configure a looped topology in the network between the OpenFlow and non OpenFlow portions of...

Page 62: ...y viewer The topology legend is show in the top right corner Switch shown in light green Collapsed Switch shown in dark green End Host shown in orange Using keyboard shortcuts to change the display Use the icon to list the keyboard shortcuts you can use to change the display To use the keyboard shortcut keys you must first click somewhere in the topology view to bring it into focus and then you ca...

Page 63: ... 65 Changing switch and host node labeling You can change how nodes are labeled in the topology using keyboard shortcuts To turn on or off ALL node labels enter the keyboard shortcut L To change the host node labeling in the topology enter the keyboard shortcut H and the display will cycle through the different node labels each time you enter H OpenFlow topology 63 ...

Page 64: ...contain a system name then IP address is shown instead IP address DatapathId No label For example to change the default display showing System name labels to show the IP addresses of the switch nodes click anywhere in the topology display then press N The switch IP addresses appear as labels in the topology diagram Figure 29 Switch IP address labeling Press N again to display the switch datapath I...

Page 65: ...node Viewing node tooltips You can view node tooltips by hovering the mouse over a node in the topology Or you can press O to toggle on and off tooltips Mouse over the switch to display datapath information Mouse over the host to display end node information Changing the topology display using the View menu You can use the View menu to change the topology display Figure 31 Topology View Menu See a...

Page 66: ...Or press the F shortcut key to open the Search dialog box 2 The Search dialog box is displayed When the Search dialog box is opened if one or more nodes are collapsed or highlight path is enabled all will be cleared during the search After the search dialog is closed the state of collapse and highlighting will be returned 3 From the drop down list select one of the search criteria Switch IP Datapa...

Page 67: ...You can view details for a switch by selecting View Details For more information see Viewing flow details for selected nodes page 69 Using tools After specifying a source and destination data flow you can view details on the packet selection criteria by selecting View Tools For more information see Viewing details on packet selection criteria for a data flow page 69 Using pin Collapse All Auto Ref...

Page 68: ... path between two nodes You can view the shortest path between two nodes as follows 1 Select the source node and click Src or press S 2 Select the destination node and click Dst or press D The controller displays the path between the two nodes as a line see Figure 32 page 68 Features like Collapse all collapse a single node and highlight a particular node using Ctrl click are not allowed when a pa...

Page 69: ...r a source destination data flow you can view details on the packet selection criteria used Select View Tools to display the Packet Selection dialog box or press T The display is read only The Abstract Packet window displays selection criteria for packets moving between the Source Destination node pair MAC addresses and IP addresses are shown based on the source and destination nodes selected Figu...

Page 70: ... interval page 74 OpenFlow Trace screen details Figure 35 Example of OpenFlow Trace Default Display Description Screen component Starts trace logging In the default configuration the trace stops after ten seconds have passed To change the trace interval see Changing the OpenFlow trace interval page 74 Stops trace logging before the end of the configured trace interval Trace logging stops automatic...

Page 71: ...oller from a datapath Tx Indicates an OpenFlow message sent from the controller to a datapath The Data Path ID of the data path associated with the event Data Path ID The trace message Message Starting stopping or clearing OpenFlow trace Use the buttons above the Time field to control trace operations see OpenFlow Trace screen details page 70 Displaying trace event details 1 Select the event you w...

Page 72: ...hows how to export and access OpenFlow Trace Log files using Google Chrome You might experience different results than shown here depending on your web browser and its configuration 1 Click Export This action places the trace log contents into a CSV file in the default downloads folder in the system on which the controller is running Check your web browser for an indication that the file has been ...

Page 73: ...folder listing locate the of trace csv file and open it using an application such as Microsoft Excel that enables you to read the log messages and configure a filter For example to investigate the messages collected for data path 00 00 00 00 00 00 00 02 2 Select the DPID Data Path ID column Figure 39 DPID column 3 Set the filter Figure 40 Setting the filter 4 Apply the filter by checking the box f...

Page 74: ...ging the OpenFlow trace interval The default trace interval is ten seconds To change the interval change the value for the record duration key of the com hp sdn ctl of impl TraceManager component 1 From the navigation menu select Configurations Then select the Basic tab 2 Select the com hp sdn ctl of impl TraceManager component 74 Using the SDN controller UI ...

Page 75: ...ing to act on the same packets In addition many environments make it difficult to trace the origin of flow modification requests installed in switches The HPE VAN SDN Controller uses OpenFlow classes to dynamically manage the priorities of the OpenFlow rules being deployed to the network thus enabling applications to execute their business logic in a more orderly fashion 1 For each class of flow m...

Page 76: ... This capability means that the behavior of an application must match the intent that the application disclosed when it registered with the controller The flow match must contain exactly the fields and field types that were disclosed when the application registered with the controller The controller validates field types but not field value The action or instruction must fall into the category tha...

Page 77: ...class The application that registered this class must use this base cookie when constructing flows that belong to this class Cookie The types of match fields that are expected to be specified in flows that belong to this class Match Fields The general category of the action or instruction a flow that belongs to this class is expected to include For a list of categories see About OpenFlow classes p...

Page 78: ...ered The controller replaces logical priorities with actual priorities for registered applications only The controller manages all flow modification priorities and validates all flow modification requests strict Applications that do not register OpenFlow classes with the controller are not permitted to send flow modifications to switches The controller validates all flow modifications against the ...

Page 79: ...Figure 45 The ControllerManager Configuration Component Controls the enforcement levels for OpenFlow classes OpenFlow Classes 79 ...

Page 80: ...ing the hybrid mode configuration page 80 Coordinating controller hybrid mode and OpenFlow switch settings page 82 In all cases the controller only monitors or directs packets within OpenFlow instances The controller cannot direct or monitor packets outside of OpenFlow instances For information on supported network switches see the HPE VAN SDN Controller and Applications Support Matrix Learning mo...

Page 81: ... component Figure 47 Select the hybrid mode field 4 Set hybrid mode to one of the following true the default Enables hybrid mode The controller makes packet forwarding decisions only as required by installed applications false Disables hybrid mode The controller makes all forwarding decisions Release 2 0 of the HPE VAN SDN Controller operates only in this mode pure OpenFlow mode Viewing and changi...

Page 82: ... Instance Configuration Hybrid Mode Settings passive Enabled true active Disabled false For more information on the specific switch how to configure passive active mode and how these switches behave if they lose their control plane connection to the controller see the OpenFlow documentation For a list of switches that are supported in Hybrid and pure OpenFlow mode see HPE VAN SDN Controller and Ap...

Page 83: ...k Apply to save the changes For more information on using the Configurations screen see Configurations screen details page 39 Limitations For information on limitations in OpenFlow table support see the HPE VAN SDN Controller and Applications Support Matrix OpenFlow 1 0 is the default version of OpenFlow for Hewlett Packard Enterprise ProVision switches OpenFlow does not allow the controller to op...

Page 84: ...s The forwarding decision is communicated to controlled switches through OpenFlow In instances where the controller has not provided the switch with a rule for how to forward a packet type the switch sends the packet to the controller and waits for the controller to provide forwarding instructions Hybrid mode is commonly disabled in networks that are either used for experimental OpenFlow work such...

Page 85: ...t can discover inter switch links changing the priority on Microsoft Lync packets to improve instant messaging speed monitoring DNS requests to detect dangerous end host behavior Packets in flows that the controller does not examine or direct are forwarded through normal switching operations without controller intervention NOTE Hewlett Packard Enterprise recommends that hybrid mode be enabled when...

Page 86: ... see Using Evaluation Licenses page 98 The basic steps are 1 Preparing for license registration page 87 a Prerequisites for license registration page 87 b Identifying the Install ID displayed in the controller UI page 87 2 Registering and activating a license page 87 a Registering your license and obtaining a license key page 88 using the My Networking portal b Activating a license on the controll...

Page 87: ...er or product registration ID and e mail address from your HPE VAN SDN Controller license order confirmation Install the HPE VAN SDN Controller software and have the controller running as described in the HPE VAN SDN Controller Installation Guide Identifying the Install ID displayed in the controller UI Each controller installation generates a unique Install ID that is used for licensing activitie...

Page 88: ...nd obtain a license key 1 Log on to the My Networking portal at http www hpe com networking mynetworking 2 Select My Licenses 3 In the Order number or Registration ID field enter your order number or registration ID and then click Next If you enter a registration ID go to step 5 page 88 If you enter an order number the Email field appears 4 In the Email field enter either the Ship to or Sold to e ...

Page 89: ...n details screen appears as shown in Figure 52 Figure 52 Entering the install ID 6 In the Install ID field enter your Install ID number See Identifying the Install ID displayed in the controller UI page 87 7 Optional Enter a Friendly name and Customer notes for this license 8 Click Next The end user software license agreement screen appears 9 To continue after reading the license agreement select ...

Page 90: ...l Enter Comments about this license c Click Send email 13 Optional If you want to register additional licenses for this order a Click Register more for this order to return to the license selection screen shown in Figure 51 b Repeat steps 5 page 88 through 13 until you have registered all licenses Viewing your license information To view your license information 1 Log on to the My Networking porta...

Page 91: ... the license you just loaded click the Select button for that license You will then see a screen similar to the following Figure 54 Viewing your license and other information Registering your license and obtaining a license key 91 ...

Page 92: ...the controller UI page 92 To use a Python script on the controller to complete this task see Activating a license using a script page 93 To use curl commands and the REST APIs to complete this task see curl commands page 170 Adding and activating a license using the controller UI Use the following procedure to add and activate a license using the controller UI 1 In the controller UI from the navig...

Page 93: ... license 1 To use the script you must ssh to the controller system For example ssh sdn 1 1 1 1 then enter the ssh password 2 You can run the script either interactively or with a configuration file as follows If you are running the script interactively without a configuration file enter the option for add license on the command line python config_sdn py L You will be prompted to enter the license ...

Page 94: ... the Install ID displayed in the controller UI page 87 Deactivating licenses to prepare for transfer When you deactivate a license to prepare for transfer the controller generates an Uninstall Key for that license which you will need when you transfer the license Be prepared to record the Uninstall Key for each license you deactivate The Uninstall Key is a long text string For example AE2RCLT7CJMD...

Page 95: ...ller To transfer licenses 1 Log on to the My Networking portal at http www hpe com networking mynetworking 2 From the My Licenses section select Transfer licenses to a new platform 3 In the Search field enter the Install ID for the controller from which you deactivated the license and then click Search The transfer license screen displays a list of associated licenses as shown in Figure 59 Figure ...

Page 96: ...fore transfer 5 Verify that this is the license you want to transfer and then click Next The target Install ID screen is displayed Figure 61 Figure 61 Entering target install and uninstall IDs 96 License Registration and Activation ...

Page 97: ...nsfer confirmation screen and license details screen as shown in Figure 62 Figure 62 Viewing license transfer confirmation and details screens 7 Review the confirmation screen details 8 For each license you are transferring record the new license key so that it will be available when you add and activate the license on the new controller 9 Optional To e mail transferred license details a Enter one...

Page 98: ...ng the Hewlett Packard Enterprise SDN App Store install the Trial Mode SDN applications 2 Go to the My Networking portal MNP at http www hpe com networking mynetworking 3 Under Licenses select Register License 4 From the menu on the right of the screen select SDN Evaluation Licenses 5 Enter the HPE VAN SDN Controller installation identifier install id 6 The My Networking portal generates every eva...

Page 99: ...eystone server for each controller in the team For details on security see Security page 110 To use TLS connections for communications between the switch and the built in OpenFlow controller module of the HPE VAN SDN Controller Hewlett Packard Enterprise recommends that all controller and device certificates be signed by the same CA For information about configuring TLS on a switch see the documen...

Page 100: ...evice then automatically assigns a role of slave to the other two configured controllers This ensures the master knows of all the events happening on the device while the slaves are kept up to date on a subset of events Applications are stopped when there is a change in the teaming status for a given controller For example When the controller transitions from stand alone to a member of a team all ...

Page 101: ...etwork devices are supported when the controller is teamed OpenFlow 1 3 devices must be configured with the IPs of all three controllers in the team Team status You can view your team status from the top banner of the controller UI see Viewing team status page 104 The team states are active All 3 controllers are actively operating A prerequisite for this state is that all controllers are able to c...

Page 102: ...OpenFlow port is closed unreachable A controller sees a remote controller as unreachable if the connection to the remote controller is broken A controller never sees itself as unreachable If an application reports an unhealthy status an alert is generated but the controller remains in the active state If two controllers in a team fail the third controller does not operate as a standalone controlle...

Page 103: ... team to use the same local NTP servers You can specify an NTP server for each controller using the controller UI see Modifying NTP server or date and time page 46 or using the manual steps below Obtain the IP addresses of the local NTP servers for your site Then ensure that these local NTP servers are the only NTP servers configured for each controller you plan to include in the team 1 Log in to ...

Page 104: ...atus You can view your team status from the top banner of the controller UIscreen The team status indicator refreshes dynamically to immediately notify you of important team status changes such as when a 3 node team changes to a 2 node team The team status banner displays one of the following team status messages ACTIVE All 3 controllers are actively operating for example all controllers are able ...

Page 105: ...zing active suspended unreachable Version The build version of the controller software running on the controller CDV Core data version This field is incremented every time the controller experiences a change in configuration This field is used to determine which controller to synchronize with when a controller joins a cluster CDV Timestamp Date and time at which the controller experienced its last...

Page 106: ...Default flows have been pushed To view a device s debug log for support purposes select the desired device In this example the debug log for device 12 255 125 29 is shown Methods for configuring HA teaming There are a number of different ways for you to configure HA teaming For the first method using a script a configuration file is required see Defining inputs for teaming in a configuration file ...

Page 107: ... in order to see this directory path You can edit this file to provide the input for team configuration or you can create a custom configuration file with a different name but the same format and in the same directory You can create any number of configuration files The following is an example of a build_team conf file build_team conf User sdn_controller_username Password sdn_controller_password S...

Page 108: ...s for the three controllers in the team IP1 IP2 IP3 IP1 IP2 and IP3 are optional because alternately you can enter the IP addresses under Controller_IPs instead of as IP1 IP2 and IP3 If you enter an IP address for IP1 IP2 and IP3 you can use the notation IP1 IP2 and IP3 in the Controller_IPs and Region parameters that follow When running the team configuration script it will check to verify that t...

Page 109: ...t opt sdn scripts teaming build_team conf The opt sdn path may not be visible to the ssh user The user must be part of the sdn group to see the directory structure You can edit this file or you can create a custom configuration file with a different name but the same format and in the same directory For details on using the configuration file see Defining inputs for teaming in a configuration file...

Page 110: ...re locations and passwords page 112 The controller ships with a self signed certificate Therefore it is recommended that the self signed certificate be replaced by a certificate signed by a reputable Certificate Authority CA If you choose to replace the self signed certificates with CA signed equivalents see Changing the default controller keystore and truststore to use CA signed certificates page...

Page 111: ...re using the following commands cd opt sdn admin rm keystore truststore opt sdn openjdk8 jre bin keytool genkey alias serverKey keyalg rsa keysize 2048 keystore keystore To support teaming you must specify an IP address as the common name when configuring your server for the first and last name question 5 Generate a CSR Certificate Signing Request for signing opt sdn openjdk8 jre bin keytool keyst...

Page 112: ...update ca certificates The following is an example of what you will see displayed during this process Updating certificates in etc ssl certs 1 added 0 removed done Running hooks in etc ca certificates update d Adding debian cacert pem done done root sdnctl1 opt sdn admin 10 Start the controller sudo service sdna start SDN Controller keystore and truststore locations and passwords The SDN Controlle...

Page 113: ...OpenFlow switch communication The process for creating the OpenFlow keystore and truststore is similar to the steps outlined under Changing the default controller keystore and truststore to use CA signed certificates page 110 Built in OpenFlow controller keystore and truststore locations and passwords The HPE VAN SDN Controller has a built in OpenFlow controller for controller to switch communicat...

Page 114: ... action can result in changes to your current controller environment Requests to the controller using the POST method of the cms client event resource can be authenticated using client certificate based authentication instead of token based authentication For details on the Client Mapper Service that allows integration with an external policy manager such as Aruba ClearPass Policy Manager see Usin...

Page 115: ...ed to use a specific provider The auto detection logic determines that any token longer than 32 characters is PKI or PKIZ Distinguishing between PKI and PKIZ is accomplished by detecting the PKIZ prefix which is prepended to PKIZ compressed tokens UUID Authentication The UUID authentication follows this process 1 The controller upon receiving the username password pair for a user sends the pair al...

Page 116: ...t b If the username password tenant combination is valid Builds a JSON message using Service catalog details User role Metadata Produces a CMS message signing it using the private key Strips the header footer and produces a URL safe base64 encoded token Returns the token to the controller c The controller caches the token and returns a copy to its client d The controller s client uses this token o...

Page 117: ...gning and CA certificates location RevListPollPeriod Keystone PKI revocation list poll interval in seconds ServerPort Keystone server port ServerVIP Keystone server virtual IP ServiceRole Role for shared secret ServiceTenant Tenant project for shared secret ServiceToken Shared secret for internal requests ServiceTokenTimeout Timeout for shared secret 0 for never Minimum is 1 ServiceUser User for s...

Page 118: ...eates a test tenant curl H X Auth Token ADMIN H Content Type application json d tenant enabled true name test tenant description Test Tenant http controller ip 35357 v2 0 tenants 2 List tenants curl H X Auth Token ADMIN http controller ip 35357 v2 0 tenants 3 Create a user curl H X Auth Token ADMIN H Content Type application json d user email tester test rose hp com password somepass enabled true ...

Page 119: ...2ba6536d3 username test user 3 List roles root sdnctl1 var curl H X Auth Token ADMIN http 192 168 4 61 35357 v2 0 OS KSADM roles python mjson tool Total Received Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 342 100 342 0 0 58481 0 68400 roles description Default role for project membership enabled True id 9fe2ff9ee4384b1894a90878d3e92bab name _member_ id 1719c...

Page 120: ...in CAUTION Please guard this token information as it can be used as an API key to gain access to your controller REST APIs To gain access to the REST API include the token in the X Auth Token header as in the following curl example curl sk H X Auth Token 54a6f80a9ae243db89bfa05de4ced51d https controller ip 8443 sdn v2 0 systems One can continue using the same token for different SDN Controller API...

Page 121: ...ars and or zips into the controller jar signing truststore opt sdn admin sdnjar_trust jks opt sdn openjdk8 jre bin keytool importcert keystore opt sdn admin sdnjar_trust jks file signed_app cer alias mysignedcert The controller needs to be restarted for the new truststore to take effect Running the SDN Controller Without Jar Signing Validation The SDN Controller enforces jar zip signing validation...

Page 122: ... effect restart the controller SDN administrative REST API The main SDN Controller daemon sdnc is accompanied by an ancillary daemon process sdna which runs under user sdnadmin in order to grant it access to some elevated privileges The administrative REST API can be used to securely perform various management functions in a privileged context It would be undesirable for the main SDN Controller pr...

Page 123: ...properties This file includes the following two entries user admin sdn role admin admin where role admin defines the user and user admin defines the password This file needs to be owned by user sdn group sdn Changes to this file require a restart of the controller to recognize the new credentials To disable access to the Virgo Admin UI either remove the following file or move it to a safe location...

Page 124: ...keystore keystore certreq alias serverKey keyalg rsa file sdn server csr 6 Send the sdn server csr to a CA to be signed The CA will authenticate you and return a signed certificate and its CA certificate chain This procedure assumes that the signed certificate from the CA is named signed cer and the CA s certificate is root cer 7 Import the signed root certificate into your keystores NOTE In a tea...

Page 125: ...ions Then select the System tab 3 Select the component com hp sdn adm auth impl AuthenticationManager 4 Select Modify and change the default values for the following keys to the newly chosen credentials Set the AdminToken key to the newly chosen Keystone authentication admin token Set the ServiceToken to the newly chosen internal communication secret Set the KeystorePass to the value that you will...

Page 126: ... the running controller Navigate to the opt sdn virgo bin directory as the sdn user Open the dmk sh file to edit In the dmk sh file find the line containing XX HeapDumpPath After the XX HeapDumpPath line add a new line Dsdn trustpass newpass4sign Save the dmk sh file c Restart the sdnc service sudo service sdnc restart for the modified password to be read by the controller When you have completed ...

Page 127: ...ot opt source destination Chain OUTPUT policy ACCEPT target prot opt source destination cassandra team all 0 0 0 0 0 0 0 0 0 0 cassandra default all 0 0 0 0 0 0 0 0 0 0 hazelcast all 0 0 0 0 0 0 0 0 0 0 Chain cassandra default 2 references target prot opt source destination ACCEPT tcp 127 0 0 1 127 0 0 1 tcp dpt 7001 ACCEPT tcp 127 0 0 1 127 0 0 1 tcp dpt 9160 ACCEPT tcp 127 0 0 1 127 0 0 1 tcp dp...

Page 128: ...on all switches Interface Any valid configuration ProVision Comware Instance ProVision Aggregate Comware group all Interface Comware interswitch link port PVID in OpenFlow instance Comware Comware Instance Consistent OpenFlow instance VLAN configuration throughout topology Interface Interswitch link port PVID in OpenFlow VLAN Configuring OpenFlow Instances with Single VLAN Identifier In a topology...

Page 129: ...id 1 version 1 3 enable exit enable exit vlan 1 name DEFAULT_VLAN no untagged 6 25 48 untagged 1 5 7 24 26 47 49 52 ip address dhcp bootp exit vlan 40 name VLAN40 tagged 6 no ip address exit The Comware 5500HI has the following configuration interface GigabitEthernet1 0 14 port link mode bridge port link type trunk undo port trunk permit vlan 1 port trunk permit vlan 40 openflow instance 1 control...

Page 130: ...g link from the 3800 to the 5500 is missing The controller injected link discovery packets sent to port GigabitEthernet 1 0 14 on 5500 OpenFlow instance the device with DPID 00 01 cc 3e 5f 6a d3 80 were not tagged therefore they were dropped by the receiving 3800 whose port 6 is configured for tagged traffic Solution To ensure link discovery packets are tagged when sent out by tagged Comware devic...

Page 131: ...e the controller will always insert a 802 1Q header with the configured VLAN on each link discovery packet sent to all ports of the device regardless of the actual port configurations as the controller does not have any knowledge of the port configuration Configuring OpenFlow Instances with Single VLAN Identifier 131 ...

Page 132: ...C group matching Beginning with version 2 6 the HPE VAN SDN Controller supports the use of MAC groups and MAC tables for OpenFlow v1 3 instances on ProVision based switches running release K KA KB WB 15 18 or later with the following restrictions Support is provided for V2 and V3 modules only MAC group tables are not supported when the switch is in V1 module compatible mode The 2920 switch does no...

Page 133: ...s the name of the OpenFlow instance for which you are enabling MAC groups openflow instance instance name dst mac grp table Disabling MAC groups 1 To disable source MAC groups enter the following command where instance name is the name of the OpenFlow instance for which you are disabling MAC groups openflow instance instance name no src mac grp table 2 To disable destination MAC groups enter the f...

Page 134: ...a controller A controller backup takes a snapshot of the controller state and includes the following in a single file Controller databases License compliance history and metrics log data In a teaming environment the teaming configuration User repository folder for user installed applications Controller configuration folder Application data for applications that have implemented backup restore func...

Page 135: ... run at any given time backup restore upload or download Also starting a new backup while another backup is being downloaded creates an error condition and halts the new backup Only authenticated users are allowed to create and restore backups In some cases the domain name is also required NOTE The default domain name is sdn The default username is also sdn The default password is skyline The cont...

Page 136: ...n tokens used in curl commands might be saved in the command history For security reasons Hewlett Packard Enterprise recommends that you disable command history prior to executing commands containing credential information 2 If needed increase the Cassandra backupLockSeconds configuration using the GUI See Configuration components page 38 3 Acquire the controller uid curl noproxy controller_ip hea...

Page 137: ...kup files you take off each controller in the team together so they can easily be retrieved for a future restore NOTE If any controller in a team fails to complete the backup start the backup over for all members of the controller team Examples of curl commands in this guide use the noproxy option which is appropriate where execution of curl commands do not need a proxy to access controllers If yo...

Page 138: ...ntroller s making sure to use the same IP address configuration During the re installation log messages similar to the following appear in the Audit Log root mak dev controller dist sudo dpkg i hp sdn ctl_1 11_amd64 deb Selecting previously unselected package hp sdn ctl Reading database 212350 files and directories currently installed Unpacking hp sdn ctl from hp sdn ctl_1 11_amd64 deb Setup has d...

Page 139: ...r X Auth Token auth_token fail ksS request POST url https controller_ip 8443 sdn v2 0 restore 8 For a controller team wait for HA synchronization to complete to all the controllers and wait for the team to become connected The team can take a few minutes to come back up Be sure to verify that team status has all controllers as active and one of the team members is a leader curl noproxy controller_...

Page 140: ...d Cassandra is running as follows opt sdn cassandra bin nodetool ring grep c Up This command must return 3 You must login to each controller in sequence and run the following command no matter how many controllers were actually restored opt sdn cassandra bin nodetool repair NOTE Do not attempt to run this command at the same time on different nodes It must run to completion on one node before you ...

Page 141: ...val for that metric Each persisted value represents the value of the metric over the elapsed persistence interval For example for a counter that increments from 100 to 145 during a 5 minute interval the persisted value for the interval is 45 which is the value of the counter at the start of the interval subtracted from the value of the counter at the end of the interval For each type of metric the...

Page 142: ...ys such as by including the values in the appropriate section of a controller support report In such cases the values exposed are the most recent raw values as would be shown if they were exposed via JMX instead of values for a specific time interval such as values that are persisted to disk Metric identifiers When a metric is created it is associated with the following text strings that taken as ...

Page 143: ... VAN SDN Controller This example shows the JSON output formatted for readability apps app_id com hp sdn app_name HP VAN SDN Controller Viewing the metrics persisted by a specific application To list all of the metrics available for a specific application use the following curl command curl noproxy controller_ip X GET header X Auth Token token fail ksSfL url https controller_ip 8443 sdn v2 0 metric...

Page 144: ...mittedBytes description The amount of non heap memory in bytes committed for the JVM to use primary_tag jvm secondary_tag memoryNonHeap jmx false persistence true summary_interval ONE uid b82f5b00 0373 4a23 b5a8 bbda7eec44cb app_id com hp sdn type GAUGE name countTerminated description Number of JVM threads that had exited primary_tag jvm secondary_tag threads jmx false persistence true summary_in...

Page 145: ...er itself in this example is jvm primaries jvm Viewing the secondary tags for metrics persisted by an application To list the the secondary tags associated with the metrics persisted by a specific application use the following curl command curl noproxy controller_ip X GET header X Auth Token token fail ksSfL url https controller_ip 8443 sdn v2 0 metrics apps app_id secondaries name name primary_ta...

Page 146: ...s after the character separated by the character are optional parameters primary_tag The name of the primary tag The controller lists only the metrics that have a primary tag that matches the specified value secondary_tag The name of the primary tag The controller lists only the metrics that have a secondary tag that matches the specified value If you specify more than one parameter the controller...

Page 147: ...35 Command output metric app_id com hp sdn type GAUGE name usedBytes description The amount of heap memory currently being used by the JVM in bytes primary_tag jvm secondary_tag memoryHeap jmx false persistence true summary_interval ONE uid 431b746e e62e 4874 a801 b1438eaac635 More information Viewing the metrics persisted by a specific application page 143 Viewing the time series values for a per...

Page 148: ... summarizes the data and enables you to quickly look for anomalous data For example instead of viewing 1440 discrete minute by minute values for a specific metric over the course of a day you can request that each returned value represent 60 minutes so that the number of returned values is more manageable and can be more easily inspected Summarizing the returned data for a period typically results...

Page 149: ... JConsole or another JMX client to connect to the controller s JMX server to view metric data as it is updated in real time Metrics that are viewable using a JMX client The jmx field of the MetricDescriptor used to create the TimeStampedMetric determines whether or not the metric can be viewed using a JMX client The content exposed for each TimeStampedMetric is contingent on the type of TimeStampe...

Page 150: ...t 2 From the New Connection screen select Local Process For an example see Figure 66 page 150 Figure 66 JConsole new connection 3 Choose a local connection to the JMX server instance and click Connect After successfully connecting to that JMX server instance a screen similar to the screen shown in Figure 67 page 150 is displayed Figure 67 JConsole window 150 Metrics ...

Page 151: ...er application folder with the metrics displayed Other applications that expose JMX metrics have folders that are separate from the folder for the HPE VAN SDN Controller Figure 68 JConsole window displaying HPE VAN SDN Controller metrics 2 Expand the metric you want to view The name displayed for each TimeStampedMetric is a combination of the application ID metric name and optional primary and sec...

Page 152: ...shooting To create a controller support report use the following curl command curl noproxy controller_ip X GET header X Auth Token token fail ksSfL url https controller_ip 8443 sdn v2 0 support id id string fields fields string Optional parameters Name and value pairs after the character separated by the character are optional parameters id The list of contributors to include in the returned suppo...

Page 153: ...h Diagnostics Version 2 5 0 SNAPSHOT State ACTIVE Link Manager Version 2 5 0 SNAPSHOT State ACTIVE Node Manager Version 2 5 0 SNAPSHOT State ACTIVE OpenFlow Link Discovery Version 2 5 0 SNAPSHOT State ACTIVE OpenFlow Node Discovery Version 2 5 0 SNAPSHOT State ACTIVE Path Daemon Version 2 5 0 SNAPSHOT State ACTIVE Topology Manager Version 2 5 0 SNAPSHOT State ACTIVE Topology Viewer Version 2 5 0 S...

Page 154: ... Garbage Collection last 1 minute s Executions 0 Elapsed time 0 ms Threads Total count 122 By Type Daemon 65 Non daemon 57 By State Blocked 0 Deadlocked 0 New 0 Runnable 7 Terminated 0 Timed waiting 24 Waiting 91 Operating System CPU Usage System 0 079 JVM 0 058 File Descriptors Maximum 8 192 Open 214 Usage 2 612 154 Metrics ...

Page 155: ...r test rose hp com password somepass enabled true name test user tenantId 2c851897a09f483fa452e2de11511f71 http controller ip 35357 v2 0 users d List users curl H X Auth Token ADMIN http controller ip 35357 v2 0 users e Create a role curl H X Auth Token ADMIN H Contant Type application json d role name test role http controller ip 35357 v2 0 OS KSADM roles f List users curl H X Auth Token ADMIN ht...

Page 156: ... in so your session has expired The default Keystone login session timeout is 1 hour Action Reload the page and log in again If you want to increase the Keystone session timeout value do the following 1 Log on to the controller as sudo user 2 Open the etc keystone keystone conf file for editing 3 Locate the line expiration 3600 4 Modify that line by removing the comment hash tag and change the val...

Page 157: ...edeem quantity Cause You specified a license quantity that exceeds what your license type supports Action 1 Return to the My Network portal license selection screen 2 Enter the correct quantity in the Redeem column for your license type For an HPE VAN SDN Ctrl Base SW w 50 node E LTU license the quantity must be 1 For HPE VAN SDN Ctrl 50 node E LTU or HPE VAN SDN Ctrl HA E LTU licenses the quantit...

Page 158: ...mand sudo service sdnc restart 4 If the Cassandra database stops repeatedly determine why by doing the following a Export the logs files b In the sdn all logs zip file check the var log sdn cassandra system log file for possible errors Controller support log fills disk space contains multiple Too many open files messages Symptom The controller support log exceeds its configured maximum size and po...

Page 159: ... start an application in the OSGi runtime environment Action 1 Correct the OSGi runtime conditions 2 Enable the application via the GUI or a REST call Application in transitive state Symptom An application is in a transitive state Cause An unexpected error condition occurred when manipulating an application such as file I O exception or missing files Action 1 Examine the log files for exceptions d...

Page 160: ...onfigurationException HTTP code 403 Applies to application license and configuration changes Cause One member of a team is not active All team members in a teamed environment must be active before you can make configuration licensing or application changes or changes to regions Otherwise the configuration is not guaranteed to be synchronized with all the members of the team Action Indicates that t...

Page 161: ...r message Action Indicates that an application cannot be upgraded Getting ApplicationUninstallException HTTP code 500 Symptom Getting ApplicationUninstallException HTTP code 500 Cause Occurs when something has gone wrong as specified in the error message Action Indicates that an application cannot be uninstalled Getting ApplicationUploadException HTTP code 500 Symptom Getting ApplicationUploadExce...

Page 162: ...tom The switches are constantly being disconnected and reconnected Cause The pure OpenFlow loop topology requires packets to be flooded across the network This can result in a lot of network traffic and interfere with the switches ability to send echo packets Action When running a looped topology in pure OpenFlow mode be aware of how much traffic is being flooded Some virtual switch implementation...

Page 163: ...ralized NTP daemon If the servers for the controllers in the team are configured such that they connect to different NTP servers change the configurations of the servers to use a centralized NTP daemon Teaming framework does not run Symptom The teaming subsystem does not run Cause The Iptable rule programming for the teaming framework Hazelcast failed Action For each controller in the team do as f...

Page 164: ...eachable uid 2533a1df cced 44f9 b9be f6e3851da261 version 2 5 2 0496 ip 192 0 125 176 role member core_data_version 16 core_data_version_timestamp 2014 11 18T19 30 38 933Z status unreachable 3 Check alerts To get all alerts use the following curl command curl noproxy IP_ADDRESS header X Auth Token AUTHENTICATION_TOKEN fail ksS L f request GET url https IP_ADDRESS 8443 sdn v2 0 alerts To get alerts...

Page 165: ...displayed in the user interfaces and the output of programmatic interfaces of applications that use Cassandra differs among the controllers in a team after a controller rejoins the team after a long outage such as more than 1 hour Controller data and data for applications that do not use the Cassandra database are not affected Cause After a Cassandra instance is offline for longer than is supporte...

Page 166: ...00 0 c172bbe2 799c 4adf bd38 690dfa75ac79 rack1 DN 192 0 2 141 310 11 MB 1 100 0 26999328 abec 4d80 a689 eb8b1f7f89d1 rack1 8 Remove the Cassandra instance from the cluster by entering the nodetool removenode HostID command where HostID is the identifier of the Cassandra instance to remove For example opt sdn cassandra bin nodetool removenode 26999328 abec 4d80 a689 eb8b1f7f89d1 9 Log out of the s...

Page 167: ...ace Review your product documentation to identify the recommended software update method To download product updates go to either of the following Hewlett Packard Enterprise Support Center Get connected with updates page www hpe com support e updates Software Depot website www hpe com support softwaredepot To view and update your entitlements and to link your contracts and warranties with your pro...

Page 168: ...com support e updates Subscription Service Support Alerts www hpe com support softwaredepot Software Depot www hpe com support selfrepair Customer Self Repair not applicable to all devices www hpe com info insightremotesupport docs Insight Remote Support not applicable to all devices Customer self repair Hewlett Packard Enterprise customer self repair CSR programs allow you to repair your product ...

Page 169: ...ggestions or comments to Documentation Feedback docsfeedback hpe com When submitting your feedback include the document title part number edition and publication date located on the front cover of the document For online help content include the product name product version help edition and publication date located on the legal notices page Documentation feedback 169 ...

Page 170: ...a proxy to access controllers If your network is set up such that a proxy is needed to access controllers use the proxy option For details on curl proxy options visit http curl haxx se docs manpage html The following sections describe some typical curl commands Export audit log data as a CSV file using curl commands page 171 Licensing actions using curl commands page 171 Application manager action...

Page 171: ...0f1c232401e8f75e9f318c0ae8a domainName sdn More information About the curl commands in this document page 170 Default domain name user name and password page 22 Export audit log data as a CSV file using curl commands To export the audit log use the following command curl options H X Auth Token token H Accept Type application zip https controller_ip 8443 sdn v2 0 auditlog o zip file name To acquire...

Page 172: ...curl options H X Auth Token token d license_key https controller_ip 8443 sdn v2 0 licenses Replace token with the token you obtained using the authentication command Replace license_key with the key obtained in Registering your license and obtaining a license key You can view the key by logging on to the My Network portal and selecting My Licenses as shown in Figure 54 Replace controller_ip with y...

Page 173: ...l_no 13 license_metric HA Controller product HP VAN SDN Ctrl Base metric_qty 500 license_type PRODUCTION base_license false creation_date 2013 09 06T00 26 52 248 0000 activated_date 2013 09 06T00 26 52 248 0000 expiry_date 2014 01 14T00 26 52 248 0000 license_status ACTIVE 2 Record each serial_no value 3 Use the following command to uninstall or deactivate each active license on your controller cu...

Page 174: ...key obtained from the example in the previous step is MYOCD9JMCRRRM IRTEQ2QUNBYCB 6Q6CJIEIJFKIQ VAI2QUJBYC433 Application manager actions using curl commands Listing applications Form curl options H X Auth Token token https controller_ip 8443 sdn v2 0 apps Example of listing applications curl ksS H X Auth Token 3d61f0d3e61349359e6dbd82ec02c113 https 10 0 1 42 8443 sdn v2 0 apps Example output apps...

Page 175: ...oduct_id sku state ACTIVE uid com hp sdn ctl diag vendor Hewlett Packard version 2 3 5 6370 Getting application health status The HEAD command on health status returns only the response code rather than the entire message for management type clients that want to poll for health status Returns HTTP status as follows 200 for healthy 290 for unhealthy 295 for critical Form curl options H X Auth Token...

Page 176: ...z event production download_url name GeeWiz product_id sku state STAGED uid com geewiz vendor Gee Wiz Inc version 1 0 0 Example output upgrade app action NONE catalog_id deployed 2014 06 18T23 04 25 955Z desc Gee Wiz event production download_url name GeeWiz product_id sku state UPGRADE_STAGED uid com geewiz vendor Gee Wiz Inc version 2 0 0 Installing a new application Form curl options H X Auth T...

Page 177: ...c113 X POST https 10 0 1 42 8443 sdn v2 0 apps com geewiz action d upgrade Example output app action NONE catalog_id deployed 2014 06 18T23 04 25 955Z desc Gee Wiz event production download_url name GeeWiz product_id sku state ACTIVE uid com geewiz vendor Gee Wiz Inc version 2 0 0 Disabling an application Form curl options H X Auth Token token X POST https controller_ip 8443 sdn v2 0 apps app_id a...

Page 178: ...1f0d3e61349359e6dbd82ec02c113 X POST https 10 0 1 42 8443 sdn v2 0 apps com geewiz action d enable Example output app action NONE catalog_id deployed 2014 06 18T23 04 25 955Z desc Gee Wiz event production download_url name GeeWiz product_id sku state ACTIVE uid com geewiz vendor Gee Wiz Inc version 2 0 0 Removing a staged application This curl request is used to remove a newly uploaded application...

Page 179: ...NMP enabled switches can be configured with community names to provide more secure access The Key Service component of the controller allows network administrators to configure SNMP security keys so that the controller can communicate with those switches using the secure key Getting the SNMP keys To get the SNMP keys known to the controller enter the following curl command curl header X Auth Token...

Page 180: ... secure key Getting the NETCONF keys To get the NETCONF keys known to the controller enter the following curl command curl header X Auth Token token sX GET http controller_ip 8080 sdn v2 0 net keys NETCONF Sample command curl header X Auth Token 131eaa225ece4293bcebfd7f8e3cffd0 sX GET http localhost 8080 sdn v2 0 net keys NETCONF Sample Response NETCONF Default Netconf key Adding NETCONF keys To a...

Page 181: ...ration etc sdn admin options might be changed using vim or emacs to reflect the desired configuration sdncontroller opt sdn admin cat options export ADMIN_OPTS Dcom hp sdn admin interface eth0 Once the change has been made the SDNA service must be restarted as shown with the following command sdncontroller opt sdn admin sudo service sdna restart sdna stop waiting This change must be made for every...

Page 182: ...For security reasons Hewlett Packard Enterprise recommends that you disable command history prior to executing commands containing credential information NOTE The default domain and user settings are sdn The default password setting is skyline 1 Install and start three standalone controllers in the network See the latest HPE VAN SDN Controller Installation Guide 2 Optional To improve security you ...

Page 183: ...uld be the IP address of the controller chosen to configure the team 3 After executing the command in step 2 the team elects a team leader The team leader then configures all team members and normal controller operation begins in the domain The team creation command does not block until the team creation is complete You will need to check the status of the system to verify on each controller that ...

Page 184: ...uccesses 192 168 1 1 192 168 1 2 Failures 192 168 1 3 The alert does not include the error description however the error description is added to the log files Review the log files to get the cause of the partial team creation Example of an alert for a team creation that failed in a quorum Team could not be created on a quorum If a team cannot be created in a quorum delete the team and create it ag...

Page 185: ...y need to reinstall the controller Table 6 Success log Description Message The controller has completed all required steps to configure itself as part of the team Team created The controller has completed all required steps to configure itself as part of the team The log entry includes the team configuration provided by the user Team created with the following configuration Team IP team ip Members...

Page 186: ...ra database to store persistent data For these applications there is an extra maintenance step that you must run once every ten days to help maintain the performance of the database and the consistency across the team as follows 1 You need to make sure all controllers are up and Cassandra is running opt sdn cassandra bin nodetool ring grep c Up This command must return 3 2 Login to each controller...

Page 187: ... alert is posted Example of an alert for a team partially deleted Team partially deleted Successes 192 168 1 1 192 168 1 2 Failures 192 168 1 3 The alert does not include the error description however the error description is added to the log files Review the log files to get the cause of the partial team deletion To recover from this failure Hewlett Packard Enterprise recommends that you delete t...

Page 188: ... Device Owner Service also provides a measure of security only devices explicitly included in a region can connect to the region s controllers thus if no regions are defined for the teamed controllers then no devices will be able to connect to the controllers Putting the region configurations in place for a controller team ensures seamless failover and failback among the configured controllers for...

Page 189: ...red master controller might be offline slave Controllers with this role can read the configurations of the network devices that are managed by the region but cannot write or modify those configurations The slave controllers in priority order are the configured primary slave and the configured secondary slave Controllers with a configured role of slave can be assigned the role of master controller ...

Page 190: ...Example output regions uid 713def9a 4f96 485f 990c 8924bc06c8d8 name Region Red prioritizedControllerIps 172 17 6 70 172 17 6 71 172 17 6 72 devices deviceIp 192 168 1 101 owningControllerIp 172 17 6 71 dataPaths dpid 00 01 44 31 92 5c af 86 owningControllerIp 172 17 6 71 deviceIp 192 168 1 102 owningControllerIp 172 17 6 71 dataPaths dpid 00 1e c8 cb b8 dd f0 c0 owningControllerIp 172 17 6 71 dev...

Page 191: ...ing a primary slave and all 5 devices 192 168 1 101 105 belong to the configured master controller 172 17 6 70 Example command curl noproxy teamIp header X Auth Token token ksS request GET url https teamIp 8443 sdn v2 0 owners region uid state dataPathDetails yes Example output regions uid 713def9a 4f96 485f 990c 8924bc06c8d8 name Region Red prioritizedControllerIps 172 17 6 70 172 17 6 71 172 17 ...

Page 192: ...f9a 4f96 485f 990c 8924bc06c8d8 that has three controllers 172 17 6 70 master 172 17 6 71 primary slave 172 17 6 72 secondary slave Two devices are part of the region 192 168 1 101 and 192 168 1 10 The devices IP range includes 192 168 1 103 192 168 1 104 192 168 1 105 Example command curl noproxy controllerIp header X Auth Token token header Content Type application json ksS request POST url http...

Page 193: ...header X Auth Token token ksS request POST url https teamIp 8443 sdn v2 0 owners region_uid devices deviceIp 192 168 1 103 Example output result Device IP address 192 168 1 103 now exists in the region with UID 713def9a 4f96 485f 990c 8924bc06c8d8 To check if your device was added to the region check the Team screen in the controller UI or see Getting the configuration of a specific region using c...

Page 194: ...er owns the device corresponding to the specified IP address this is decided based on the controller s locally cached data which is guaranteed to be consistent with the receipt of DeviceOwnerEvents events You must specify the deviceIp query parameter The command returns one of the following status 204 The local controller owns the device 404 The local controller does not own the device Example com...

Page 195: ... deviceIp 192 168 1 103 deviceIp 192 168 1 104 deviceIp 192 168 1 105 Getting the status of a specific region using curl This GET command retrieves the current status of the region with the specified UID including its configured devices and the controller that currently owns each device In this example for region UID 713def9a 4f96 485f 990c 8924bc06c8d8 the command output shows the status of all t...

Page 196: ...7 6 70 Getting the status of all regions using curl This GET command retrieves the current status of all regions including their configured devices and the controller that currently owns each device You can filter the returned content of this command in order to get the current status for a specified device allowing you to determine which region the device is configured in addition to which contro...

Page 197: ...e Region Red prioritizedControllerIps 172 17 6 70 172 17 6 71 172 17 6 72 devices deviceIp 192 168 1 101 owningControllerIp 172 17 6 70 dataPaths dpid 00 01 44 31 92 5c af 86 owningControllerIp 172 17 6 70 deviceIp 192 168 1 102 owningControllerIp 172 17 6 70 dataPaths dpid 00 1e c8 cb b8 dd f0 c0 owningControllerIp 172 17 6 70 deviceIp 192 168 1 103 owningControllerIp 172 17 6 70 dataPaths dpid 0...

Page 198: ...03 is removed Example command curl noproxy teamIp header X Auth Token token ksS request DELETE url https teamIp 8443 sdn v2 0 owners region_uid devices deviceIp 192 168 1 103 Example output result Device IP address 192 168 1 103 no longer exists in the region with UID 713def9a 4f96 485f 990c 8924bc06c8d8 To check if your device was removed from the region check the Team screen in the controller UI...

Page 199: ...sh grep w opt sdn admin sdnc sh head n 1 awk print 2 is_sdnc_running pid get_sdnc_pid x x pid return 1 return 0 function restoreCassandraData 1 shutdown the node done by stopping sdnc opt sdn cassandra bin caServer sh status if eq 0 then restore_log Cassandra is still running attempting stop sudo u sdnadmin opt sdn cassandra bin caServer sh stop check_stop_and_exit fi pick the cassandra zip file a...

Page 200: ...his assumes that sdndb database already exists psql sdndb backupPG sql check_and_exit function restoreLicenseLogs if f licenselog zip then restore_log Restoring license history logs unzip the license logs unzip o licenselog zip d var log sdn virgo logs check_and_exit fi function restoreMetricsData if f metricsData zip then restore_log Restoring metrics data wipe out existing contents rm rf metrics...

Page 201: ...r IDs have changed since the backup sudo chown R sdn sdn opt sdn var lib sdn var log sdn virgo logs license history log restore_log Turning off the restore mode delete the restore indicator file f opt sdn backup restore indicator rm opt sdn backup restore indicator restore_log Restore done Backing up a controller team NOTE Because the scripts in this appendix cross page boundaries be careful to av...

Page 202: ...ocal backupIp ipArr nodeIndex local backupUUID nodeUUID nodeIndex backupURL https backupIp 8443 sdn v2 0 backup post backupIp backupToken backupURL if errorCode ne 0 then teamBackup_log Failed to start backup for backupIp exitBackup 1 fi if sessionID then teamBackup_log Failed to start backup on backupIp exitBackup 1 fi echo sessionID Function downloadBackupSet nodeIndex Downloads the backup file ...

Page 203: ...p BACKUP_TEAM_DIR sdn_team_backup remotePath Function getSysInfo authToken Gets the SysInformation for the running node function getSysInfo local leadAuth 1 local sysUrl https localhost 8443 sdn v2 0 systems for i in 1 5 do sysInfo get localhost leadAuth sysUrl if errorCode ne 0 then teamBackup_log Failed to retrieve the system information exitBackup 1 fi sysInfo break sleep 5 done if sysInfo then...

Page 204: ...rl data binary postData errorCode let attempts attempts 1 if 35 eq errorCode then teamBackup_log SSL error on POST to postUrl retrying continue fi break done echo postRes Function put ipAddr authToken url data Performs a PUT of the specified data function put local putIP 1 local putToken 2 local putUrl 3 local putData 4 local attempts 0 while attempts lt 5 do putRes curl noproxy putIP header X Aut...

Page 205: ...oken for the local controller leaderAuth getAuthToken localhost Get the system Information for the local controller getSysInfo leaderAuth Get the set of team IPs and their associated team roles extractRole_NodeIP sysInfo validateTeamLead Initiate a backup on each node for i 0 i numNodes i do nodeAuth i getAuthToken ipArr i uuidURL https ipArr i 8443 sdn v2 0 systems nodeUUID i get ipArr i nodeAuth...

Page 206: ... Because the scripts in this appendix cross page boundaries be careful to avoid including the page number when copying a script Copying a script one page at a time can prevent inclusion of page numbers bin bash Copyright 2013 Hewlett Packard Co All Rights Reserved Restore a Team export BACKUP_DIR opt sdn backup export BACKUP_TEAM_DIR opt sdn team_backup export RESTORE_TEAM_DIR opt sdn team_restore...

Page 207: ... sysAuth 3 local restoreUrl https sysIp 8443 sdn v2 0 restore Set the IP first Ignore errors since this only works for standalone put sysIp sysAuth https sysIp 8443 sdn v2 0 systems sysUUID system ip sysIp dev null 2 1 restoreSession post sysIp sysAuth restoreUrl if errorCode ne 0 then teamBackup_log Failed to start restore on node sysIp exitBackup 1 fi teamBackup_log Started restore on node sysIp...

Page 208: ...store the specified node restore_node restoreIpArr i restoreUUID i restoreAuth i done sleep 200 Validate that the restored nodes are up for n 0 n numNodes n do Skip the leader node it s already done n eq leaderIndex continue validate_node_status restoreIpArr n done Function teamBackup_log message Writes messages to the log for the team backup operation function teamBackup_log msg 1 echo msg tee a ...

Page 209: ...n v2 0 auth login login domain domain user user password pass Attempt to authenticate and extract token if successful auth curl noproxy nodeIP X POST fail ksSfL url url H Content Type application json data binary login 2 1 if ne 0 then teamBackup_log Unable to authenticate as user user in domain domain exitBackup 1 fi authToken extractJSONString auth token sed d if restore_mode ne 1 authToken then...

Page 210: ...ive_restore 1 for ip in do restoreIp count ip let count count 1 done fileIndex 1 file restoreIp fileIndex unset restoreIp fileIndex fi Upload the team backup file from the user specified location scp file RESTORE_TEAM_DIR if ne 0 then teamBackup_log Failed to upload team backup file to the node exitBackup 1 fi Unzip the team backup file extract_zip_and_ip Validate the IP address of the node valida...

Page 211: ...s including user information device information and location information External SDN applications can use the information about a client and perform appropriate actions Currently the information is available on the controller via the REST API only For REST API details see the HPE VAN SDN Controller REST API Reference To integrate the controller with Aruba ClearPass Policy Manager you must configu...

Page 212: ...onfigurations 2 In the Basic tab select the com hp sdn disco of node OfIpDiscoveryComponent component 3 Click Modify Figure 70 Display the learn ip option 4 For the learn ip key enter false in the Value box 5 Click Apply to set the new learn ip configuration and close the window NOTE When flow measurement tasks are complete set the learn ip key to true its default value Flow measurement results ca...

Page 213: ...l would be 45 The amount of time during the interval over which the metric value was accrued is also persisted If the counter value was accrued over only the last 3 minutes of the 5 minute interval then the normalized rate of accrual over the interval would be 15 counts per minute or 75 counts for the entire 5 minute interval The user can inspect the most recent value of the exposed metric using a...

Page 214: ...r itself has persisted metrics to disk Curl equivalent command curl noproxy controller_ip X GET header X Auth Token token fail ksSfL url https controller_ip 8443 sdn v2 0 metrics apps Curl output apps app_id com hp sdn app_name HP VAN SDN Controller Result The application ID for the controller is com hp sdn It can be plugged into other metric REST API calls that require an app_id value in their UR...

Page 215: ...ag jvm secondary_tag memoryNonHeap jmx false persistence true summary_interval ONE uid afa9a4b2 856a 4f69 8abf a4775fd0f2e7 app_id com hp sdn type ROLLING_COUNTER name count description The number of garbage collections undertaken by the JVM during the sampling interval primary_tag jvm secondary_tag garbageCollection jmx false persistence true summary_interval ONE uid d62c49d4 46b3 4c2c be60 24f6f...

Page 216: ...ds primary_tag jvm secondary_tag threads jmx false persistence true summary_interval ONE uid 7328dd03 57fd 4baa b741 25dab77446fc app_id com hp sdn type RATIO_GAUGE name cpuLoadJvm description The recent CPU usage of the JVM process primary_tag jvm secondary_tag operatingSystem jmx false persistence true summary_interval ONE uid cc82ee87 80eb 417b 8d41 9010fbf24b63 app_id com hp sdn type GAUGE nam...

Page 217: ... name its primary and secondary tags whether it is persisted whether it is exposed via JMX and its summary interval Also displayed for each metric is the unique ID uid assigned to the metric on the controller Other metric REST API calls can be used to view specific subsets of this data 217 ...

Page 218: ...t command curl noproxy controller_ip X GET header X Auth Token token fail ksSfL url https controller_ip 8443 sdn v2 0 metrics apps app_id primaries Curl output for app_id com hp sdn primaries jvm Result The only primary tag associated with the controller is jvm 218 Examples of Metrics ...

Page 219: ...X Auth Token token fail ksSfL url https controller_ip 8443 sdn v2 0 metrics apps app_id secondaries Curl output for app_id com hp sdn secondaries nioDirectMemory operatingSystem threads garbageCollection memoryNonHeap memoryHeap memoryTotal nioMappedMemory Result Several secondary tags are associated with the primary tag jvm along with several subcategories of jvm metric memoryHeap metrics and thr...

Page 220: ...locked bufferCapacityBytes count countNew bufferCount countWaiting fileDescriptorsOpen uptimeMs cou ntTerminated elapsedMs countTimedWaiting countDaemon countBlocked fileDescriptorsUsage averageBuff erCapacityBytes cpuLoadSystem countTotal bufferUsedBytes usedBytes usage countNonDaemon countRu nnable cpuLoadJvm committedBytes Result Optional query parameters are provided in each of the calls To se...

Page 221: ...y_tag secondary_tag secondary_tag Curl output for app_id com hp sdn primary_tag jvm secondary_tag memoryHeap names usedBytes usage committedBytes Result Metric names are specific to JVM heap memory The UID can be obtained once the specific metric of interest is identified via the earlier call Optional query parameters to filter the output and list the metrics associated with an application ID may ...

Page 222: ... usedBytes Curl output for app_id com hp sdn primary_tag jvm secondary_tag memoryHeap name usedBytes metrics app_id com hp sdn type GAUGE name usedBytes description The amount of heap memory currently being used by the JVM in bytes primary_tag jvm secondary_tag memoryHeap jmx false persistence true summary_interval ONE uid 431b746e e62e 4874 a801 b1438eaac635 Result Detailed information about the ...

Page 223: ...last 3 39215208E8 update_time Tue Sep 23 18 06 55 PDT 2014 milliseconds_span 60001 last 3 40427184E8 update_time Tue Sep 23 18 07 55 PDT 2014 milliseconds_span 60000 last 3 44840904E8 update_time Tue Sep 23 18 08 55 PDT 2014 milliseconds_span 59999 last 2 0824068E8 update_time Tue Sep 23 18 09 55 PDT 2014 milliseconds_span 60000 last 2 09534728E8 update_time Tue Sep 23 18 10 55 PDT 2014 millisecon...

Page 224: ...intervals depends upon the type of metric Gauge values as shown in this example are averaged over the data points encompassed in the summary Counter values are summed over the summary interval in which histogram values are combined 224 Examples of Metrics ...

Page 225: ...801 b1438eaac635 start 2014 09 23 18 00 interval 5 metric_values uid 431b746e e62e 4874 a801 b1438eaac635 type GAUGE datapoint_count 6 datapoints update_time Tue Sep 23 18 03 55 PDT 2014 milliseconds_span 300000 last 3 274097568E8 update_time Tue Sep 23 18 08 55 PDT 2014 milliseconds_span 300000 last 3 133927072E8 update_time Tue Sep 23 18 13 55 PDT 2014 milliseconds_span 300000 last 2 154562624E8...

Page 226: ...urs Data Trim Enabled true Last trim conducted at Mon Sep 22 19 15 20 PDT 2014 title Server Environment id env content OS architecture amd64 OS Name Linux OS Version 3 5 0 52 generic Java Vendor Oracle Corporation Java Version 24 65 b04 Java Name OpenJDK 64 Bit Server VM Available processors cores 4 Max Heap 3817865216 3641Mb Heap 671088640 640Mb Heap used 405144704 386Mb Start Date Tue Sep 16 19 ...

Page 227: ...persisted as time series data because they do vary throughout the JVM lifetime are available in the controller support report The controller support report offers various information such as the number of installed applications configuration data and the number of alerts and audit logs in the database 227 ...

Page 228: ...nts 138 Controller code verification 121 controller regions roles 189 controller support report and JVM metrics 149 description of 152 generating 152 Controller team alias disabling 186 alias interface configuring 186 alias node 186 configuration displaying 187 configuring prerequisites 182 procedure 183 disbanding 186 error log 184 high availability 99 REST API configuring 182 curl activating a l...

Page 229: ...tion activation 86 registration prerequites 87 registration procedure 86 registration process activation process 86 transferring 93 95 types usage expiration 86 uninstalling transferring 94 Licensing curl 171 line continuation character 170 M master controller role definition 189 MetricManagerComponent 141 Metrics all applications 215 application ID 214 names associated 220 primary tag 217 seconda...

Page 230: ...es CA certificates 113 Device Owner Service failback 191 failover 189 hybrid mode 80 regional configuration Device Owner Service 188 standalone controller configuring a team 99 team management 99 TLS 113 Openstack keystone 115 P Packet forwarding hybrid mode 80 overview 80 password change 24 controller default 22 Path Daemon features 18 Path Diagnostics features 17 policy manager 211 R remote supp...

Page 231: ...g details 50 License details 52 configurable components 38 audit log 49 audit log data 51 audit log policies 50 data path display 59 60 deleting log entry 50 license activation transferring 53 license installation 53 licenses 52 modifying configuration 45 OpenFlow monitor 58 support log 53 54 55 56 configuration screen 38 configuring alert policies 31 deleting alerts 30 details pane 23 displaying ...

Reviews:

No comments