Gary Wu | e4a2df8 | 2018-11-29 12:49:09 -0800 | [diff] [blame] | 1 | .. _docs_vfw: |
| 2 | |
Marco Platania | e5064cd | 2018-11-28 15:33:47 -0500 | [diff] [blame] | 3 | vFirewall Use Case |
| 4 | ------------------ |
| 5 | |
| 6 | Source files |
| 7 | ~~~~~~~~~~~~ |
| 8 | |
Marco Platania | 9442f8f | 2019-06-17 09:12:21 -0400 | [diff] [blame] | 9 | - vFirewall/vSink template file: https://git.onap.org/demo/tree/heat/vFWCL/vFWSNK/base_vfw.yaml?h=dublin |
| 10 | - vFirewall/vSink environment file: https://git.onap.org/demo/tree/heat/vFWCL/vFWSNK/base_vfw.env?h=dublin |
Marco Platania | e5064cd | 2018-11-28 15:33:47 -0500 | [diff] [blame] | 11 | |
Marco Platania | 9442f8f | 2019-06-17 09:12:21 -0400 | [diff] [blame] | 12 | - vPacketGenerator template file: https://git.onap.org/demo/tree/heat/vFWCL/vPKG/base_vpkg.env?h=dublin |
| 13 | - vPacketGenerator environment file: https://git.onap.org/demo/tree/heat/vFWCL/vPKG/base_vpkg.env?h=dublin |
Marco Platania | e5064cd | 2018-11-28 15:33:47 -0500 | [diff] [blame] | 14 | |
stark, steven | 6a507a4 | 2019-04-24 12:04:41 -0700 | [diff] [blame] | 15 | VVP Report |
| 16 | ~~~~~~~~~~ |
| 17 | |
| 18 | :download:`vFWCL/vPKG report <files/vFWCL_vPKG_report.json>` |
| 19 | |
| 20 | :download:`vFWCL/vFWSNK report <files/vFWCL_vFWSNK_report.json>` |
Marco Platania | e5064cd | 2018-11-28 15:33:47 -0500 | [diff] [blame] | 21 | |
| 22 | Description |
| 23 | ~~~~~~~~~~~ |
| 24 | |
Gary Wu | 9da1b69 | 2019-06-17 22:36:04 -0700 | [diff] [blame] | 25 | The use case is composed of three virtual functions (VFs): packet generator, firewall, and traffic sink. |
| 26 | These VFs run in three separate VMs. The packet generator sends packets to the packet sink through the firewall. |
| 27 | The firewall reports the volume of traffic passing though to the ONAP DCAE collector. To check the traffic volume |
| 28 | that lands at the sink VM, you can access the link http://sink_ip_address:667 through your browser and enable |
Marco Platania | e5064cd | 2018-11-28 15:33:47 -0500 | [diff] [blame] | 29 | automatic page refresh by clicking the "Off" button. You can see the traffic volume in the charts. |
| 30 | |
Gary Wu | 9da1b69 | 2019-06-17 22:36:04 -0700 | [diff] [blame] | 31 | The packet generator includes a script that periodically generates different volumes of traffic. The closed-loop |
Marco Platania | e5064cd | 2018-11-28 15:33:47 -0500 | [diff] [blame] | 32 | policy has been configured to re-adjust the traffic volume when high-water or low-water marks are crossed. |
| 33 | |
Gary Wu | 9da1b69 | 2019-06-17 22:36:04 -0700 | [diff] [blame] | 34 | Since Casablanca, we have used a vFWCL service tag for this testing instead of the vFW service tag. vFW servic tag |
| 35 | is a regression for onboard and instantiation of a single VNF service (all three VMs in the same VNF) where as the |
| 36 | vFWCL is a two VNF service (vFW+ vSNK and separeate vPKG) |
Brian Freeman | 8aeeef8 | 2019-06-17 10:07:36 -0500 | [diff] [blame] | 37 | |
| 38 | ./demo-k8s.sh onap instantiateVFWCL can be used to onboard and instantiate a vFWCL via robot scripts or follow the procedure to use the GUI that is available in the documentation. |
| 39 | |
Marco Platania | e5064cd | 2018-11-28 15:33:47 -0500 | [diff] [blame] | 40 | |
| 41 | Closed-Loop for vFirewall Use Case |
| 42 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 43 | |
Gary Wu | 9da1b69 | 2019-06-17 22:36:04 -0700 | [diff] [blame] | 44 | Through the ONAP Portal's Policy Portal, we can find the configuration and operation policies that are currently |
Marco Platania | e5064cd | 2018-11-28 15:33:47 -0500 | [diff] [blame] | 45 | enabled for the vFirewall use case: |
| 46 | |
| 47 | - The configuration policy sets the thresholds for generating an onset event from DCAE to the Policy engine. Currently, the high-water mark is set to 700 packets while the low-water mark is set to 300 packets. The measurement interval is set to 10 seconds. |
| 48 | - When a threshold is crossed (i.e. the number of received packets is below 300 packets or above 700 packets per 10 seconds), the Policy engine executes the operational policy to request APPC to adjust the traffic volume to 500 packets per 10 seconds. |
Gary Wu | 9da1b69 | 2019-06-17 22:36:04 -0700 | [diff] [blame] | 49 | - APPC sends a request to the packet generator to adjust the traffic volume. |
Marco Platania | e5064cd | 2018-11-28 15:33:47 -0500 | [diff] [blame] | 50 | - Changes to the traffic volume can be observed through the link http://sink_ip_address:667. |
| 51 | |
| 52 | |
| 53 | Adjust packet generator |
| 54 | ~~~~~~~~~~~~~~~~~~~~~~~ |
| 55 | |
Gary Wu | 9da1b69 | 2019-06-17 22:36:04 -0700 | [diff] [blame] | 56 | The packet generator contains 10 streams: fw_udp1, fw_udp2, fw_udp3, ..., fw_udp10. Each stream generates 100 packets |
| 57 | per 10 seconds. A script in /opt/run_traffic_fw_demo.sh on the packet generator VM starts automatically and alternates high |
Marco Platania | e5064cd | 2018-11-28 15:33:47 -0500 | [diff] [blame] | 58 | traffic (i.e. 10 active streams at the same time) and low traffic (1 active stream) every 5 minutes. |
| 59 | |
Gary Wu | 9da1b69 | 2019-06-17 22:36:04 -0700 | [diff] [blame] | 60 | To adjust the traffic volume produced by the packet generator, run the following command in a shell, replacing PacketGen_IP in |
Marco Platania | e5064cd | 2018-11-28 15:33:47 -0500 | [diff] [blame] | 61 | the HTTP argument with localhost (if you run it in the packet generator VM) or the packet generator IP address: |
| 62 | |
| 63 | :: |
| 64 | |
Marco Platania | 9442f8f | 2019-06-17 09:12:21 -0400 | [diff] [blame] | 65 | curl -X PUT \ |
| 66 | https://PacketGen_IP:8445/restconf/config/stream-count:stream-count/streams \ |
| 67 | -H 'Accept: application/json' \ |
| 68 | -H 'Content-Type: application/json' \ |
| 69 | -H 'Postman-Token: 88610924-938b-4d64-a682-0b0aabed4a6d' \ |
| 70 | -H 'cache-control: no-cache' \ |
| 71 | -d '{ |
| 72 | "streams": { |
| 73 | "active-streams": 5 |
| 74 | }}' |
| 75 | |
Marco Platania | e5064cd | 2018-11-28 15:33:47 -0500 | [diff] [blame] | 76 | |
| 77 | The command above enables 5 streams. |
| 78 | |
| 79 | |
Brian Freeman | 8aeeef8 | 2019-06-17 10:07:36 -0500 | [diff] [blame] | 80 | |
| 81 | Preconditions |
Gary Wu | 9da1b69 | 2019-06-17 22:36:04 -0700 | [diff] [blame] | 82 | ~~~~~~~~~~~~~ |
Brian Freeman | 8aeeef8 | 2019-06-17 10:07:36 -0500 | [diff] [blame] | 83 | |
Gary Wu | 9da1b69 | 2019-06-17 22:36:04 -0700 | [diff] [blame] | 84 | The control loop name in DCAE's TCA micro-service needs to match the Operational Policy control loop name. |
Brian Freeman | 8aeeef8 | 2019-06-17 10:07:36 -0500 | [diff] [blame] | 85 | Due to timing robot scripts that setup the operational policy do not change the control loop name in DCAE. |
| 86 | Do the following to update DCAE's consul entry for TCA to match the name assigned by robot to the operational |
Gary Wu | 9da1b69 | 2019-06-17 22:36:04 -0700 | [diff] [blame] | 87 | policy. The control loop name generated by policy can be viewed in the log.html page on robot from the |
Brian Freeman | 8aeeef8 | 2019-06-17 10:07:36 -0500 | [diff] [blame] | 88 | instantiateVFWCL. |
| 89 | |
Gary Wu | 9da1b69 | 2019-06-17 22:36:04 -0700 | [diff] [blame] | 90 | - Connect to Consul: http://<k8s_host_ip>:30270/ui/#/dc1/services (change the IP based on the K8S cluster IP assignment) |
Brian Freeman | 8aeeef8 | 2019-06-17 10:07:36 -0500 | [diff] [blame] | 91 | - Click Key/Value on the bar at the top of the Consul menu |
Gary Wu | 9da1b69 | 2019-06-17 22:36:04 -0700 | [diff] [blame] | 92 | - Select "dcae-tca-analytics" microservice from the list on the left |
Brian Freeman | 8aeeef8 | 2019-06-17 10:07:36 -0500 | [diff] [blame] | 93 | - Search for "closedLoopControlName" key in the configuration policy JSON object |
Gary Wu | 9da1b69 | 2019-06-17 22:36:04 -0700 | [diff] [blame] | 94 | - Replace the standard ControlLoop-vFirewall-* closed loop names with the one generated by robot |
| 95 | - Click "Update" button to update the configuration policy |
Brian Freeman | 8aeeef8 | 2019-06-17 10:07:36 -0500 | [diff] [blame] | 96 | |
Marco Platania | e5064cd | 2018-11-28 15:33:47 -0500 | [diff] [blame] | 97 | Running the Use Case |
| 98 | ~~~~~~~~~~~~~~~~~~~~ |
Brian Freeman | 8aeeef8 | 2019-06-17 10:07:36 -0500 | [diff] [blame] | 99 | |
| 100 | Users can run the use case using the automated Robot Framework or manually. For using the Robot Framework in an ONAP instance installed with OOM, users have to ssh to the Rancher VM and run the following command: |
Marco Platania | e5064cd | 2018-11-28 15:33:47 -0500 | [diff] [blame] | 101 | |
| 102 | :: |
| 103 | |
| 104 | bash oom/kubernetes/robot/demo-k8s.sh <namespace> vfwclosedloop <pgn-ip-address> |
| 105 | |
Brian Freeman | 8aeeef8 | 2019-06-17 10:07:36 -0500 | [diff] [blame] | 106 | The script sets the packet generator to high and low rates, and checks whether the policy kicks in to modulate the rates back to medium. At the end of the test , robot sets the streams back to Medium so that it is setup for the next test. |
Marco Platania | e5064cd | 2018-11-28 15:33:47 -0500 | [diff] [blame] | 107 | |
| 108 | For documentation about running the use case manually for previous releases, please look at the videos and the material available at this `wiki page`__. |
| 109 | |
| 110 | __ https://wiki.onap.org/display/DW/Running+the+ONAP+Demos |
| 111 | |
| 112 | Although videos are still valid, users are encouraged to use the Heat templates linked at the top of this page rather than the old Heat templates in that wiki page. |
| 113 | |
| 114 | Known issues and resolution |
| 115 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
Brian Freeman | 8aeeef8 | 2019-06-17 10:07:36 -0500 | [diff] [blame] | 116 | The packet generator may become unresponsive to external inputs like changing the number of active streams. To solve the problem, reboot the packet generator VM. |
| 117 | |
| 118 | Policy can lock the target VNF if there are too many failed attempts due to mis-configuration etc. Set the streams to medium and wait 30 minutes or so and the lock in policy will expire. Monitoring the DMaaP topic for DCAE_CL_OUTPUT can be used to confirm that no TCA events are coming in from the VNF through VES/TCA. |
| 119 | |
| 120 | :: |
| 121 | http://<k8s-host>:30227/events/unauthenticated.DCAE_CL_OUTPUT/g1/c3?timeout=5000 |