.. _docs_vfw:

vFirewall Use Case
------------------

Source files
~~~~~~~~~~~~

- vFirewall/vSink template file: https://git.onap.org/demo/tree/heat/vFWCL/vFWSNK/base_vfw.yaml?h=dublin
- vFirewall/vSink environment file: https://git.onap.org/demo/tree/heat/vFWCL/vFWSNK/base_vfw.env?h=dublin

- vPacketGenerator template file: https://git.onap.org/demo/tree/heat/vFWCL/vPKG/base_vpkg.env?h=dublin
- vPacketGenerator environment file: https://git.onap.org/demo/tree/heat/vFWCL/vPKG/base_vpkg.env?h=dublin

VVP Report
~~~~~~~~~~

:download:`vFWCL/vPKG report <files/vFWCL_vPKG_report.json>`

:download:`vFWCL/vFWSNK report <files/vFWCL_vFWSNK_report.json>`

Description
~~~~~~~~~~~

The use case is composed of three virtual functions (VFs): packet generator, firewall, and traffic sink.
These VFs run in three separate VMs. The packet generator sends packets to the packet sink through the firewall.
The firewall reports the volume of traffic passing through to the ONAP DCAE collector. To check the traffic volume
that lands at the sink VM, you can access the link http://sink_ip_address:667 through your browser and enable
automatic page refresh by clicking the "Off" button. You can see the traffic volume in the charts.

The packet generator includes a script that periodically generates different volumes of traffic. The closed-loop
policy has been configured to re-adjust the traffic volume when high-water or low-water marks are crossed.

Since Casablanca, we have used a vFWCL service tag for this testing instead of the vFW service tag. The vFW service tag
is a regression test for the onboarding and instantiation of a single-VNF service (all three VMs in the same VNF), whereas
vFWCL is a two-VNF service (vFW + vSNK and a separate vPKG).

``./demo-k8s.sh onap instantiateVFWCL`` can be used to onboard and instantiate a vFWCL via robot scripts; alternatively, follow the GUI procedure that is available in the documentation.


Closed-Loop for vFirewall Use Case
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Through the ONAP Portal's Policy Portal, we can find the configuration and operation policies that are currently
enabled for the vFirewall use case:

- The configuration policy sets the thresholds for generating an onset event from DCAE to the Policy engine. Currently, the high-water mark is set to 700 packets while the low-water mark is set to 300 packets. The measurement interval is set to 10 seconds.
- When a threshold is crossed (i.e. the number of received packets is below 300 packets or above 700 packets per 10 seconds), the Policy engine executes the operational policy to request APPC to adjust the traffic volume to 500 packets per 10 seconds.
- APPC sends a request to the packet generator to adjust the traffic volume.
- Changes to the traffic volume can be observed through the link http://sink_ip_address:667.


Adjust packet generator
~~~~~~~~~~~~~~~~~~~~~~~

The packet generator contains 10 streams: fw_udp1, fw_udp2, fw_udp3, ..., fw_udp10. Each stream generates 100 packets
per 10 seconds. A script in /opt/run_traffic_fw_demo.sh on the packet generator VM starts automatically and alternates high
traffic (i.e. 10 active streams at the same time) and low traffic (1 active stream) every 5 minutes.

To adjust the traffic volume produced by the packet generator, run the following command in a shell, replacing PacketGen_IP in
the HTTP argument with localhost (if you run it in the packet generator VM) or the packet generator IP address:

::

  curl -X PUT \
    https://PacketGen_IP:8445/restconf/config/stream-count:stream-count/streams \
    -H 'Accept: application/json' \
    -H 'Content-Type: application/json' \
    -H 'Postman-Token: 88610924-938b-4d64-a682-0b0aabed4a6d' \
    -H 'cache-control: no-cache' \
    -d '{
      "streams": {
        "active-streams": 5
    }}'


The command above enables 5 streams.



Preconditions
~~~~~~~~~~~~~

The control loop name in DCAE's TCA micro-service needs to match the Operational Policy control loop name.
Due to timing, the robot scripts that set up the operational policy do not change the control loop name in DCAE.
Do the following to update DCAE's consul entry for TCA to match the name assigned by robot to the operational
policy. The control loop name generated by policy can be viewed in the log.html page on robot from the
instantiateVFWCL run.

- Connect to Consul: http://<k8s_host_ip>:30270/ui/#/dc1/services (change the IP based on the K8S cluster IP assignment)
- Click Key/Value on the bar at the top of the Consul menu
- Select "dcae-tca-analytics" microservice from the list on the left
- Search for "closedLoopControlName" key in the configuration policy JSON object
- Replace the standard ControlLoop-vFirewall-* closed loop names with the one generated by robot
- Click "Update" button to update the configuration policy
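
The name comparison behind the steps above can be scripted. The following Python code is an added example, not part of the ONAP demo or robot scripts: it decodes the body of a Consul ``GET /v1/kv/<key>`` response and lists every ``closedLoopControlName`` that differs from the robot-generated name. The sample configuration layout (``app_preferences`` / ``tca_policy``) and all names in it are constructed for illustration.

```python
import base64
import json

KEY = "closedLoopControlName"

def decode_consul_value(kv_response_text):
    """Decode the JSON document stored under a key, given the body of a
    Consul GET /v1/kv/<key> response (the value is base64 encoded)."""
    entry = json.loads(kv_response_text)[0]
    return json.loads(base64.b64decode(entry["Value"]))

def find_loop_names(node, path="$"):
    """Yield (path, name) for every closedLoopControlName, descending into
    dicts, lists and strings that themselves contain JSON documents."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == KEY and isinstance(v, str):
                yield f"{path}.{k}", v
            else:
                yield from find_loop_names(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from find_loop_names(v, f"{path}[{i}]")
    elif isinstance(node, str) and node.lstrip().startswith(("{", "[")):
        try:
            yield from find_loop_names(json.loads(node), path + "<json>")
        except ValueError:
            pass  # ordinary string that only looks like JSON

def mismatches(config, expected_name):
    """Return the (path, name) pairs that differ from the operational policy name."""
    return [(p, n) for p, n in find_loop_names(config) if n != expected_name]

# Constructed sample: key layout and names are illustrative, not an ONAP export.
ROBOT_NAME = "ControlLoop-vFirewall-constructed-0001"
SAMPLE_POLICY = {"thresholds": [
    {"thresholdValue": 300, "closedLoopControlName": "ControlLoop-vFirewall-default-low"},
    {"thresholdValue": 700, "closedLoopControlName": ROBOT_NAME},
]}
SAMPLE_CONFIG = {"app_preferences": {"tca_policy": json.dumps(SAMPLE_POLICY)}}
SAMPLE_KV = json.dumps([{
    "Key": "dcae-tca-analytics",
    "Value": base64.b64encode(json.dumps(SAMPLE_CONFIG).encode()).decode(),
}])

if __name__ == "__main__":
    for path, name in mismatches(decode_consul_value(SAMPLE_KV), ROBOT_NAME):
        print(f"stale control loop name at {path}: {name}")
```

An empty result from ``mismatches`` means every control loop name in the TCA entry already matches the operational policy.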

Running the Use Case
~~~~~~~~~~~~~~~~~~~~

Users can run the use case using the automated Robot Framework or manually. To use the Robot Framework in an ONAP instance installed with OOM, users have to ssh to the Rancher VM and run the following command:

::

  bash oom/kubernetes/robot/demo-k8s.sh <namespace> vfwclosedloop <pgn-ip-address>

The script sets the packet generator to high and low rates, and checks whether the policy kicks in to modulate the rates back to medium. At the end of the test, robot sets the streams back to medium so that it is set up for the next test.

For documentation about running the use case manually for previous releases, please look at the videos and the material available at this `wiki page`__.

__ https://wiki.onap.org/display/DW/Running+the+ONAP+Demos

Although videos are still valid, users are encouraged to use the Heat templates linked at the top of this page rather than the old Heat templates in that wiki page.

Known issues and resolution
~~~~~~~~~~~~~~~~~~~~~~~~~~~
The packet generator may become unresponsive to external inputs like changing the number of active streams. To solve the problem, reboot the packet generator VM.

Policy can lock the target VNF if there are too many failed attempts due to misconfiguration, etc. Set the streams to medium and wait 30 minutes or so, and the lock in Policy will expire. Monitoring the DMaaP topic DCAE_CL_OUTPUT can be used to confirm that no TCA events are coming in from the VNF through VES/TCA.

::

  http://<k8s-host>:30227/events/unauthenticated.DCAE_CL_OUTPUT/g1/c3?timeout=5000
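
To make the DCAE_CL_OUTPUT check repeatable, the following Python code (an added example, not part of the ONAP tooling) tallies the events returned by successive polls of the URL above and flags control loop names other than the expected one. It assumes each poll returns a JSON array of event documents carrying ``closedLoopControlName`` and ``closedLoopEventStatus`` fields; the sample poll bodies are constructed.

```python
import json
from collections import Counter

def summarize_cl_output(body_text):
    """Count events per (closedLoopControlName, closedLoopEventStatus).

    Assumption: a poll returns a JSON array whose items are event documents,
    either JSON-encoded strings or objects, carrying those two field names.
    """
    counts = Counter()
    for item in json.loads(body_text or "[]"):
        try:
            event = json.loads(item) if isinstance(item, str) else item
            key = (event.get("closedLoopControlName", "<missing>"),
                   event.get("closedLoopEventStatus", "<missing>"))
        except (ValueError, AttributeError):
            key = ("<unparseable>", "<unparseable>")
        counts[key] += 1
    return counts

def review_window(polls, expected_name):
    """Summarize consecutive poll bodies: is the topic quiet, and do any
    events carry a control loop name other than the expected one?"""
    total = Counter()
    for body in polls:
        total.update(summarize_cl_output(body))
    unexpected = sorted({name for name, _ in total if name != expected_name})
    return {"quiet": not total, "events": dict(total), "unexpected_names": unexpected}

# Constructed poll bodies; names and values are illustrative only.
EXPECTED = "ControlLoop-vFirewall-constructed-0001"
QUIET_POLLS = ["[]", "[]", ""]
BUSY_POLLS = [
    json.dumps([json.dumps({"closedLoopControlName": EXPECTED,
                            "closedLoopEventStatus": "ONSET"})]),
    json.dumps([json.dumps({"closedLoopControlName": "ControlLoop-vFirewall-default",
                            "closedLoopEventStatus": "ONSET"}),
                "not json"]),
]

if __name__ == "__main__":
    print(review_window(QUIET_POLLS, EXPECTED))
    print(review_window(BUSY_POLLS, EXPECTED))
```

Events under an unexpected control loop name point back to the name mismatch described in the Preconditions section.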