author: Miruna Paun <Miruna.Paun@enea.com> 2019-03-14 10:31:09 +0100
committer: Miruna Paun <Miruna.Paun@enea.com> 2019-03-14 10:35:02 +0100
commit: 1f89982d96429f382f1e9a9c0bb5f49d4af91a9c
tree: fc336cfaa3ff0e90241ae08fa21238a081c1fbcd /doc/book-enea-nfv-access-getting-started
parent: 0839384fd33375bb50d66d0aace0cdea5216c946
download: el_releases-nfv-access-1f89982d96429f382f1e9a9c0bb5f49d4af91a9c.tar.gz
Fixing whitespaces and Target table title.
Change-Id: I0502fe92cfc2c6b398640837d82d55ccff89cbd3
Diffstat (limited to 'doc/book-enea-nfv-access-getting-started')
-rw-r--r--  doc/book-enea-nfv-access-getting-started/doc/book.xml            3
-rw-r--r--  doc/book-enea-nfv-access-getting-started/doc/demo_usecases.xml   2202
2 files changed, 2 insertions, 2203 deletions
diff --git a/doc/book-enea-nfv-access-getting-started/doc/book.xml b/doc/book-enea-nfv-access-getting-started/doc/book.xml
index 6dde8db..7861f7e 100644
--- a/doc/book-enea-nfv-access-getting-started/doc/book.xml
+++ b/doc/book-enea-nfv-access-getting-started/doc/book.xml
@@ -25,7 +25,8 @@
25 xmlns:xi="http://www.w3.org/2001/XInclude" /> 25 xmlns:xi="http://www.w3.org/2001/XInclude" />
26 26
27 <xi:include href="device_configuration_and_provisioning.xml" 27 <xi:include href="device_configuration_and_provisioning.xml"
28 xmlns:xi="http://www.w3.org/2001/XInclude" /> 28 xmlns:xi="http://www.w3.org/2001/XInclude" />
29
29 <xi:include href="in_band_management.xml" 30 <xi:include href="in_band_management.xml"
30 xmlns:xi="http://www.w3.org/2001/XInclude" /> 31 xmlns:xi="http://www.w3.org/2001/XInclude" />
31 32
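Review bot: the diffstat reports 3 changed lines for book.xml (the summary counts 2 insertions and 2203 deletions in total, of which 2202 deletions belong to demo_usecases.xml), but this hunk shows only one added blank line at new line 29, so one insertion and one deletion of book.xml are not rendered here. Since the second part of this commit deletes demo_usecases.xml outright, please confirm that book.xml no longer carries an `<xi:include href="demo_usecases.xml" ... />` for that chapter; a dangling XInclude would break the book build. The blank line itself is consistent with the empty line already separating the xi:include elements at lines 25-26 of the context.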
diff --git a/doc/book-enea-nfv-access-getting-started/doc/demo_usecases.xml b/doc/book-enea-nfv-access-getting-started/doc/demo_usecases.xml
deleted file mode 100644
index cdcb931..0000000
--- a/doc/book-enea-nfv-access-getting-started/doc/demo_usecases.xml
+++ /dev/null
@@ -1,2202 +0,0 @@
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<chapter id="demo_usecases">
3 <title>Demo Use Cases</title>
4
5 <section id="clav_vnf_demo">
6 <title>Clavister VNF Demo</title>
7
8 <para>In this use case, <literal>target_1</literal> will run the Clavister
9 VNF and an Open vSwitch bridge.</para>
10
11 <figure>
12 <title>Clavister VNF Demo Overview</title>
13
14 <mediaobject>
15 <imageobject>
16 <imagedata align="center" contentwidth="600"
17 fileref="images/clavister_vnf_diagram.svg" />
18 </imageobject>
19 </mediaobject>
20 </figure>
21
22 <para><emphasis role="bold">How to setup the target to run the Clavister
23 VNF and an Open vSwitch Bridge</emphasis></para>
24
25 <orderedlist>
26 <listitem>
27 <para>Network interfaces must be bound to the DPDK (target_1 -&gt;
28 Configuration -&gt; OpenVSwitch -&gt; Host Interfaces -&gt;
29 Add):</para>
30
31 <figure>
32 <title>Adding Host Interfaces</title>
33
34 <mediaobject>
35 <imageobject>
36 <imagedata align="center"
37 fileref="images/add_host_interface.png" scale="80" />
38 </imageobject>
39 </mediaobject>
40 </figure>
41 </listitem>
42
43 <listitem>
44 <para>Select the network interface that will be used to connect to the
45 second target, configure it for DPDK, and click "Create" to send the
46 configuration to the target:</para>
47
48 <figure>
49 <title>Host Interface Creation</title>
50
51 <mediaobject>
52 <imageobject>
53 <imagedata align="center"
54 fileref="images/host_interface_creation.png" />
55 </imageobject>
56 </mediaobject>
57 </figure>
58 </listitem>
59
60 <listitem>
61 <para>Create an Open vSwitch bridge (<literal>ovsbr0</literal>) with
62 one DPDK interface by selecting the "Add" button from the "Bridges"
63 tab:</para>
64
65 <figure>
66 <title>The Bridges Tab</title>
67
68 <mediaobject>
69 <imageobject>
70 <imagedata align="center" fileref="images/bridges_tab.png"
71 scale="80" />
72 </imageobject>
73 </mediaobject>
74 </figure>
75
76 <para>Once the bridge creation popup appears, fill the fields and add
77 the physical interface:</para>
78
79 <figure>
80 <title>OVS bridge</title>
81
82 <mediaobject>
83 <imageobject>
84 <imagedata align="center" fileref="images/ovs_bridge_zero.png"
85 scale="80" />
86 </imageobject>
87 </mediaobject>
88 </figure>
89 </listitem>
90
91 <listitem>
92 <para>Repeat these steps on the second target (target_2), by also
93 using one DPDK interface and creating an OVS bridge.</para>
94
95 <para>Once the network configuration has been completed on both
96 targets, VNFs can be instantiated.</para>
97 </listitem>
98
99 <listitem>
100 <para>Before instantiating the iPerf VNF, a flavor needs to be
101 reconfigured to use two cores and 2 GB of RAM.</para>
102
103 <para>Please follow the steps in the figure below to reconfigure the
104 flavor (target_2 -&gt; Configuration (1) -&gt; Virtual Machines -&gt;
105 Double Click on Iperf flavor (2)):</para>
106
107 <figure>
108 <title>Reconfiguring the Flavor</title>
109
110 <mediaobject>
111 <imageobject>
112 <imagedata align="center"
113 fileref="images/reconfiguring_flavor.png" scale="40" />
114 </imageobject>
115 </mediaobject>
116 </figure>
117
118 <note>
119 <para>The Clavister VNF will be instantiated on target_1.</para>
120 </note>
121 </listitem>
122
123 <listitem>
124 <para>Select the target_1 device, click the "VNF" button from the top
125 toolbar menu and click "Add" in the new window at the bottom of the
126 screen:</para>
127
128 <figure>
129 <title>Creating a new VNF</title>
130
131 <mediaobject>
132 <imageobject>
133 <imagedata align="center" fileref="images/new_vnf.png"
134 scale="50" />
135 </imageobject>
136 </mediaobject>
137 </figure>
138 </listitem>
139
140 <listitem>
141 <para>Fill in the required information about the Clavister VNF, (the
142 default network configuration can be used):</para>
143
144 <figure>
145 <title>VNF Instance</title>
146
147 <mediaobject>
148 <imageobject>
149 <imagedata align="center" fileref="images/vnf_instance.png"
150 scale="80" />
151 </imageobject>
152 </mediaobject>
153 </figure>
154 </listitem>
155
156 <listitem>
157 <para>On target_2, two iPerf VNFs will be instantiated. One will act
158 as the server and the second as the client.</para>
159 </listitem>
160
161 <listitem>
162 <para>Select target_2, then the VNF option from the top toolbar (VNF
163 -&gt; Instances -&gt; Add):</para>
164
165 <figure>
166 <title>Target 2 VNF Instance</title>
167
168 <mediaobject>
169 <imageobject>
170 <imagedata align="center" fileref="images/t2_vnf_instance.png"
171 scale="60" />
172 </imageobject>
173 </mediaobject>
174 </figure>
175 </listitem>
176
177 <listitem>
178 <para>In the "VNF Instance" window, select the first "iPerf" VNF from
179 the dropdown menu, configure it to act as a server by unchecking the
180 "Client mode IPerf" box, and click the "Create" button:</para>
181
182 <figure>
183 <title>VNF instance in server mode</title>
184
185 <mediaobject>
186 <imageobject>
187 <imagedata align="center"
188 fileref="images/vnf_instance_server.png" scale="80" />
189 </imageobject>
190 </mediaobject>
191 </figure>
192 </listitem>
193
194 <listitem>
195 <para>Select "Add", enable the "Client mode IPerf" checkbox and then
196 click "Create" to instantiate the second iPerf VNF as a client, and to
197 run it in client mode:</para>
198
199 <figure>
200 <title>VNF instance in client mode</title>
201
202 <mediaobject>
203 <imageobject>
204 <imagedata align="center"
205 fileref="images/vnf_instance_client.png" scale="80" />
206 </imageobject>
207 </mediaobject>
208 </figure>
209 </listitem>
210
211 <listitem>
212 <para>In order to check that traffic is forwarded between the VNFs,
213 connect to the iPerf VNF client console (target_2 -&gt; SSH - &gt;
214 user:root -&gt; Connect) and run the following:</para>
215
216 <programlisting>virsh list
217virsh console
218root@qemux86-64:~# iperf3 -c 192.168.10.10</programlisting>
219 </listitem>
220 </orderedlist>
221 </section>
222
223 <section id="enea_vnf_demo">
224 <title>Enea VNF demo</title>
225
226 <para>Use case description: pktgen[DPDK] - PHY1 - PHY2 - [DPDK]OVS -
227 VM[DPDK]testpmd(forwarding) - OVS[DPDK] - VM[DPDK]
228 testpmd(termination).</para>
229
230 <figure>
231 <title>Enea VNF Demo Overview</title>
232
233 <mediaobject>
234 <imageobject>
235 <imagedata align="center"
236 fileref="images/enea_vnf_demo_overview.svg" scale="95" />
237 </imageobject>
238 </mediaobject>
239 </figure>
240
241 <para><emphasis role="bold">How to setup the Enea VNF
242 Demo</emphasis></para>
243
244 <orderedlist>
245 <listitem>
246 <para>Host interfaces must be bound to the DPDK (target_1 -&gt;
247 Configuration -&gt; OpenVSwitch -&gt; Host Interfaces -&gt;
248 Add):</para>
249
250 <figure>
251 <title>Adding OVS Host Interfaces</title>
252
253 <mediaobject>
254 <imageobject>
255 <imagedata align="center"
256 fileref="images/ovs_host_interface.png" scale="80" />
257 </imageobject>
258 </mediaobject>
259 </figure>
260 </listitem>
261
262 <listitem>
263 <para>Select the network interface that will be used to connect to the
264 second target and configure it for the DPDK:</para>
265
266 <figure>
267 <title>Configuring the host interface</title>
268
269 <mediaobject>
270 <imageobject>
271 <imagedata align="center"
272 fileref="images/secondtar_hostinterface.png"
273 scale="90" />
274 </imageobject>
275 </mediaobject>
276 </figure>
277 </listitem>
278
279 <listitem>
280 <para>Select the "Create" button to send the configuration to the
281 target. The same steps must also be performed on the target_2
282 device.</para>
283 </listitem>
284
285 <listitem>
286 <para>Create an OpenVSwitch bridge (<literal>ovsbr0</literal>) on
287 target_1 that uses one DPDK interface, by selecting the "Add" button
288 from the Bridges tab (target_1 -&gt; Configuration -&gt;
289 OpenVSwitch-&gt; Bridges):</para>
290
291 <figure>
292 <title>OVS Bridge Table</title>
293
294 <mediaobject>
295 <imageobject>
296 <imagedata align="center" fileref="images/ovs_bridge_tab.png"
297 scale="75" />
298 </imageobject>
299 </mediaobject>
300 </figure>
301
302 <figure>
303 <title>Adding the interface to the OVS Bridge</title>
304
305 <mediaobject>
306 <imageobject>
307 <imagedata align="center" fileref="images/ovs_bridge_two.png"
308 scale="90" />
309 </imageobject>
310 </mediaobject>
311 </figure>
312 </listitem>
313
314 <listitem>
315 <para>Instantiate the TestPMD VNFs on target_1 (target_1 -&gt; VNF
316 -&gt; Instances -&gt; Add).</para>
317 </listitem>
318
319 <listitem>
320 <para>Configure the VNF that forwards traffic:</para>
321
322 <figure>
323 <title>Configuring the fwdVNF</title>
324
325 <mediaobject>
326 <imageobject>
327 <imagedata align="center" fileref="images/traffic_forward.png"
328 scale="85" />
329 </imageobject>
330 </mediaobject>
331 </figure>
332 </listitem>
333
334 <listitem>
335 <para>Configure the VNF that terminates traffic:</para>
336
337 <figure>
338 <title>Configuring the termVNF</title>
339
340 <mediaobject>
341 <imageobject>
342 <imagedata align="center" fileref="images/traffic_terminate.png"
343 scale="85" />
344 </imageobject>
345 </mediaobject>
346 </figure>
347 </listitem>
348
349 <listitem>
350 <para>Add OpenVSwitch flows to control this traffic:</para>
351
352 <figure>
353 <title>Configuring the FWD flow</title>
354
355 <mediaobject>
356 <imageobject>
357 <imagedata align="center" fileref="images/flow_fwd.png"
358 scale="90" />
359 </imageobject>
360 </mediaobject>
361 </figure>
362
363 <figure>
364 <title>Configuring the TERM flow</title>
365
366 <mediaobject>
367 <imageobject>
368 <imagedata align="center" fileref="images/flow_term.png"
369 scale="90" />
370 </imageobject>
371 </mediaobject>
372 </figure>
373 </listitem>
374
375 <listitem>
376 <para>Start pktgen on target_2. Connect to the device by using SSH
377 (target2 -&gt; SSH -&gt; user (root)) and perform the
378 following:</para>
379
380 <programlisting>killall ovsdb-server ovs-vswitchd
381rm -rf /etc/openvswitch/*
382mkdir -p /var/run/openvswitch
383modprobe igb_uio
384dpdk-devbind --bind=igb_uio 0000:05:00.3
385cd /usr/share/apps/pktgen/
386./pktgen -c 0x7 -n 4 --proc-type auto --socket-mem 256 -w 0000:05:00.3 -- \
387 -P -m "[1:2].0"
388Pktgen:/&gt; start 0</programlisting>
389 </listitem>
390
391 <listitem>
392 <para>Connect to the forwarder VNF in order to check the traffic
393 statistics (target_1 -&gt; SSH):</para>
394
395 <programlisting>Virsh list
396Virsh console 1
397# Qemux86-64 login: root
398tail -f /opt/testpmd-out</programlisting>
399
400 <figure>
401 <title>Traffic Statistics</title>
402
403 <mediaobject>
404 <imageobject>
405 <imagedata align="center"
406 fileref="images/connection_information.png"
407 scale="70" />
408 </imageobject>
409 </mediaobject>
410 </figure>
411 </listitem>
412 </orderedlist>
413 </section>
414
415 <section id="clav_demo_sriov">
416 <title>Clavister VNF demo using SR-IOV</title>
417
418 <para>In this use case, target 1 will run the iPerf server and iPerf
419 client VNFs using SR-IOV and target 2 will run the Clavister VNF using
420 SR-IOV with two virtual functions (vf1 and vf2):</para>
421
422 <figure>
423 <title>Demo Overview</title>
424
425 <mediaobject>
426 <imageobject>
427 <imagedata align="center" fileref="images/clav_VNF_demo_SR-IOV.svg"
428 scale="70" />
429 </imageobject>
430 </mediaobject>
431 </figure>
432
433 <orderedlist>
434 <listitem>
435 <para>On target 2, create an SR-IOV configuration with 2 virtual
436 functions (target 2 -&gt; Configuration -&gt; OpenVSwitch -&gt; Host
437 Interfaces -&gt; Add):</para>
438
439 <figure>
440 <title>SR-IOV configuration with 2 virtual functions</title>
441
442 <mediaobject>
443 <imageobject>
444 <imagedata align="center"
445 fileref="images/sriov_configuration.png" scale="80" />
446 </imageobject>
447 </mediaobject>
448 </figure>
449 </listitem>
450
451 <listitem>
452 <para>Instantiate the Clavister VNF on target 2, by clicking VNF -&gt;
453 Instances -&gt; Add.</para>
454
455 <para>Select "SrIovAdapterPool" for both Interface1 type and 2 type,
456 before clicking "Create":</para>
457
458 <figure>
459 <title>Instantiating the Clavister VNF on target 2</title>
460
461 <mediaobject>
462 <imageobject>
463 <imagedata align="center" fileref="images/srlov_adap_pool.png"
464 scale="70" />
465 </imageobject>
466 </mediaobject>
467 </figure>
468 </listitem>
469
470 <listitem>
471 <para>On target 1, create an SR-IOV interface as done in step
472 1.</para>
473 </listitem>
474
475 <listitem>
476 <para>Create the iPerf server on target 1. Select "SrIovAdapterPool"
477 as an Interface type:</para>
478
479 <figure>
480 <title>IPerf Server Interface Type</title>
481
482 <mediaobject>
483 <imageobject>
484 <imagedata align="center"
485 fileref="images/iperf_server_inttype.png" scale="70" />
486 </imageobject>
487 </mediaobject>
488 </figure>
489 </listitem>
490
491 <listitem>
492 <para>Create the iPerf client on target 1. Select "SrIovAdapterPool"
493 as an Interface type and tick the "Client mode IPerf" checkbox:</para>
494
495 <figure>
496 <title>IPerf Client Interface Type</title>
497
498 <mediaobject>
499 <imageobject>
500 <imagedata align="center"
501 fileref="images/iperf_client_inttype.png" scale="70" />
502 </imageobject>
503 </mediaobject>
504 </figure>
505 </listitem>
506
507 <listitem>
508 <para>In order to check that traffic is forwarded between the VNFs,
509 connect to the iPerf VNF client console (target 1 -&gt; SSH - &gt;
510 user:root -&gt; Connect) and run the following
511 commands:<programlisting>virsh list
512virsh console
513root@qemux86-64:~# iperf3 -c 192.168.10.10</programlisting></para>
514 </listitem>
515 </orderedlist>
516 </section>
517
518 <section id="vnf_pci">
519 <title>TestPMD VNF using PCI passthrough</title>
520
521 <para>In this use case, target 1 will run the Pktgen and target 2 will run
522 the TestPMD VNF. Both will be using PCI passthrough:</para>
523
524 <figure>
525 <title>TestPMD VNF using PCI passthrough Overview</title>
526
527 <mediaobject>
528 <imageobject>
529 <imagedata align="center" fileref="images/testPMD_VNF_PCI.png"
530 scale="65" />
531 </imageobject>
532 </mediaobject>
533 </figure>
534
535 <orderedlist>
536 <listitem>
537 <para>Make sure that neither target 1 nor target 2 have any configured
538 host interfaces (target -&gt; Configuration -&gt; OpenVSwitch -&gt;
539 Host Interfaces).</para>
540 </listitem>
541
542 <listitem>
543 <para>On target 1 start the Pktgen VNF. Select "PciPassthrough" as the
544 Interface type.</para>
545
546 <para>From the drop-down list, select the PCI interface corresponding
547 to the NIC which is connected to target 2:</para>
548
549 <figure>
550 <title>Selecting the Pktgen VNF Interface</title>
551
552 <mediaobject>
553 <imageobject>
554 <imagedata align="center" fileref="images/pciPass_interface.png"
555 scale="70" />
556 </imageobject>
557 </mediaobject>
558 </figure>
559 </listitem>
560
561 <listitem>
562 <para>On target 2, start the TestPmdForwarder VNF. Select
563 "PciPassthrough" as the Interface type. From the drop-down list,
564 select the PCI interface corresponding to the NIC which is connected
565 to target 1:</para>
566
567 <figure>
568 <title>Selecting the TestPmdForwarder VNF Interface</title>
569
570 <mediaobject>
571 <imageobject>
572 <imagedata align="center"
573 fileref="images/testpmd_fwdvnf_int.png" scale="70" />
574 </imageobject>
575 </mediaobject>
576 </figure>
577 </listitem>
578
579 <listitem>
580 <para>To check that traffic is being forwarded from target 2, SSH to
581 the target and connect to the VNFs console:</para>
582
583 <programlisting>Right click on target 2 and select SSH.
584Run: virsh list
585Run: virsh console [VM NAME]
586Run: tail -f /opt/testpmd-out</programlisting>
587 </listitem>
588 </orderedlist>
589 </section>
590
591 <section id="vnf_fortigate">
592 <title>FortiGate VNF</title>
593
594 <para>FortiGate virtual appliances <remark>is "appliances" the correct
595 word to use here?</remark> feature all of the security and networking
596 services common to traditional hardware-based FortiGate appliances. The
597 virtual appliances can be integrated in Firewall or SD-WAN solution
598 development.</para>
599
600 <para>Enea provides a prepared VNF bundle for download from the Enea
601 Portal, for usage with the Enea NFV Access product. The prepared VNF
602 bundle includes the FortiGate VNF image as well as a VNF Descriptor and
603 other onboarding related configuration files. The VNF Descriptor provided
604 configures a setup, which requires the following resources:</para>
605
606 <itemizedlist>
607 <listitem>
608 <para>3 x Network Interfaces</para>
609 </listitem>
610
611 <listitem>
612 <para>1 x vCPU</para>
613 </listitem>
614
615 <listitem>
616 <para>1 GB of RAM memory</para>
617 </listitem>
618 </itemizedlist>
619
620 <para>The VNF Descriptor represents one specific setup, suitable for usage
621 with the Firewall and SD-WAN VPN instructions in this guide. Alternative
622 VNF Descriptor configurations may be needed to support other
623 configurations required by the customer.</para>
624
625 <para>Enea can provide assistance to provide alternative VNF Descriptor
626 configurations.</para>
627
628 <note>
629 <para>While the prepared FortiGate bundle is provided from Enea Portal,
630 additional content needs to be received from Fortinet directly. The
631 FortiGate VNF license as well as any FortiGate specific documentation
632 shall be requested from the local Fortinet sales representatives in your
633 region, before FortiGate can be used.</para>
634 </note>
635
636 <section id="fortigate_firewall">
637 <title>FortiGate VNF as a Firewall</title>
638
639 <para>FortiGate Next Generation Firewall utilizes purpose-built security
640 processors and threat intelligence security services to deliver
641 top-rated protection and high performance, including encrypted traffic.
642 FortiGate reduces complexity with automated visibility into
643 applications, users and networks, and provides security ratings to adopt
644 security best practices.</para>
645
646 <para>An example firewall configuration for the FortiGate VNF is
647 provided in the Enea Portal. It is a simple firewall base
648 configuration.</para>
649
650 <table>
651 <title>FortiGate VNF Example Configuration</title>
652
653 <tgroup cols="2">
654 <colspec align="center" />
655
656 <thead>
657 <row>
658 <entry align="center">Component</entry>
659
660 <entry align="center">Setting/Description</entry>
661 </row>
662 </thead>
663
664 <tbody>
665 <row>
666 <entry>Firewall</entry>
667
668 <entry>"All pass" mode</entry>
669 </row>
670
671 <row>
672 <entry>WAN (Virtual Port1)</entry>
673
674 <entry><para>DHCP Client, dynamically assigned IP
675 address.</para>FortiGate In-Band
676 Management<superscript>1</superscript></entry>
677 </row>
678
679 <row>
680 <entry>WAN (Virtual Port2)</entry>
681
682 <entry><para>IP address: 172.168.16.1</para>DHCP server (IP
683 range 172.168.16.1 - 172.168.16.255).</entry>
684 </row>
685
686 <row>
687 <entry>WAN (Virtual Port3)</entry>
688
689 <entry>Ignored</entry>
690 </row>
691 </tbody>
692 </tgroup>
693 </table>
694
695 <para><superscript>1</superscript>FortiGate In-Band Management is a
696 feature for running FortiGate Management traffic over WAN.</para>
697
698 <para>Instructions on how to alter the default configuration is provided
699 in the Fortigate VNF management chapter.</para>
700
701 <para><emphasis role="bold">Lab Setup</emphasis></para>
702
703 <para>Before starting the configuration of the FortiGate Firewall, a lab
704 setup of hardware and software configurations has to be built. The
705 following table illustrates the required lab setup:</para>
706
707 <table>
708 <title>Lab Setup Prerequisites</title>
709
710 <tgroup cols="2">
711 <colspec align="center" />
712
713 <thead>
714 <row>
715 <entry align="center">Component</entry>
716
717 <entry align="center">Description/Requirements</entry>
718 </row>
719 </thead>
720
721 <tbody>
722 <row>
723 <entry>Lab Network</entry>
724
725 <entrytbl cols="1">
726 <tbody>
727 <row>
728 <entry>DHCP enabled Lab Network</entry>
729 </row>
730
731 <row>
732 <entry>Internet Connectivity</entry>
733 </row>
734 </tbody>
735 </entrytbl>
736 </row>
737
738 <row>
739 <entry>Setup of an Intel Whitebox target device</entry>
740
741 <entrytbl cols="1">
742 <tbody>
743 <row>
744 <entry>Minimum 4 Physical Network Devices</entry>
745 </row>
746
747 <row>
748 <entry>4 GB RAM and 4 cores (C3000 or Xeon D)</entry>
749 </row>
750
751 <row>
752 <entry>Enea NFV Access Installed</entry>
753 </row>
754
755 <row>
756 <entry>WAN Connected to Lab Network</entry>
757 </row>
758
759 <row>
760 <entry>LAN1 Connected to Test Machine</entry>
761 </row>
762
763 <row>
764 <entry>LAN2 Unconnected</entry>
765 </row>
766
767 <row>
768 <entry>ETH0 connected to Lab Network (for Enea uCPE
769 Manager communications)</entry>
770 </row>
771 </tbody>
772 </entrytbl>
773 </row>
774
775 <row>
776 <entry>Setup of a Lab Machine</entry>
777
778 <entrytbl cols="1">
779 <tbody>
780 <row>
781 <entry>Connected to Lab Network</entry>
782 </row>
783
784 <row>
785 <entry>Running either Windows or CentOS</entry>
786 </row>
787
788 <row>
789 <entry>Enea uCPE Manager installed</entry>
790 </row>
791 </tbody>
792 </entrytbl>
793 </row>
794
795 <row>
796 <entry>Setup of a Test Machine</entry>
797
798 <entrytbl cols="1">
799 <tbody>
800 <row>
801 <entry>Connected to Whitebox LAN</entry>
802 </row>
803
804 <row>
805 <entry>Internet Connectivity via LAN</entry>
806 </row>
807
808 <row>
809 <entry>Configured as DHCP client on LAN</entry>
810 </row>
811 </tbody>
812 </entrytbl>
813 </row>
814
815 <row>
816 <entry>FortiGate VNF</entry>
817
818 <entrytbl cols="1">
819 <tbody>
820 <row>
821 <entry>Downloaded the FortiGate VNF Bundle from Enea
822 Portal to the Lab Machine file system. Please see the
823 Download Chapter for more details.</entry>
824 </row>
825
826 <row>
827 <entry>Downloaded FortiGate configuration examples from
828 the Enea Portal to the Lab Machine file system. Please
829 check the Download Chapter for more details. Unpack the
830 configuration examples on the Lab Machine.</entry>
831 </row>
832
833 <row>
834 <entry>Retrieve FortiGate VNF license from Fortinet and
835 store it on the Lab Machine file system. See FortiGate VNF
836 for details.</entry>
837 </row>
838
839 <row>
840 <entry>Optionally retrieve FortiGate VNF documentation
841 from Fortinet. See FortiGate VNF for details.</entry>
842 </row>
843 </tbody>
844 </entrytbl>
845 </row>
846 </tbody>
847 </tgroup>
848 </table>
849
850 <figure>
851 <title>Lap Setup Overview</title>
852
853 <mediaobject>
854 <imageobject>
855 <imagedata align="center" contentwidth="600"
856 fileref="images/intel_whitebox.svg" />
857 </imageobject>
858 </mediaobject>
859 </figure>
860
861 <para><emphasis role="bold">uCPE Networking Setup</emphasis></para>
862
863 <para>Before deploying the FortiGate Firewall, the Enea NFV Access
864 platform has to be configured to the specific networking setup.</para>
865
866 <para>Since the firewall is using three External Network Interfaces,
867 three bridges need to be configured. Each bridge provides the ability to
868 connect a physical network interface to the virtual machines' virtual
869 network interface. Each physical to virtual network interface connection
870 is setup in two steps:</para>
871
872 <itemizedlist>
873 <listitem>
874 <para>Bind the physical network interfaces with a DPDK
875 driver.</para>
876 </listitem>
877
878 <listitem>
879 <para>Create a named bridge for each physical network
880 interface.</para>
881 </listitem>
882 </itemizedlist>
883
884 <note>
885 <para>For more details about interface configuration, please see the
886 Network Configuration section in the chapter on Configuration
887 Options.</para>
888 </note>
889
890 <orderedlist>
891 <listitem>
892 <para>Start the setup by preparing each interface for attachment to
893 a bridge. Bind the physical network interfaces to the DPDK (target
894 -&gt; Configuration -&gt; OpenVSwitch -&gt; Host Interfaces -&gt;
895 Add):</para>
896
897 <figure>
898 <title>Binding the physical network interface</title>
899
900 <mediaobject>
901 <imageobject>
902 <imagedata align="center"
903 fileref="images/bind_phys_interface.png" scale="80" />
904 </imageobject>
905 </mediaobject>
906 </figure>
907
908 <para>The result of binding these three physical network interfaces
909 should look like the following:</para>
910
911 <figure>
912 <title>Successful Binding</title>
913
914 <mediaobject>
915 <imageobject>
916 <imagedata align="center"
917 fileref="images/result_of_binding.png" scale="65" />
918 </imageobject>
919 </mediaobject>
920 </figure>
921 </listitem>
922
923 <listitem>
924 <para>Create one OpenVSwitch bridge for each firewall network
925 connection (WAN, LAN1 and LAN2), by selecting the "Add" button from
926 Bridges tab (target -&gt; Configuration -&gt; OpenvSwitch-&gt;
927 Bridges). A popup like the following should appear:</para>
928
929 <figure>
930 <title>Creating a bridge each Firewall Net. Connection</title>
931
932 <mediaobject>
933 <imageobject>
934 <imagedata align="center" fileref="images/bridge_net_conn.png"
935 scale="80" />
936 </imageobject>
937 </mediaobject>
938 </figure>
939 </listitem>
940
941 <listitem>
942 <para>Repeat this step for each type of connection until all are
943 bridges are configured.</para>
944
945 <figure>
946 <title>Configured Bridges per Connection Type</title>
947
948 <mediaobject>
949 <imageobject>
950 <imagedata align="center"
951 fileref="images/configured_bridges.png" scale="65" />
952 </imageobject>
953 </mediaobject>
954 </figure>
955 </listitem>
956 </orderedlist>
957
958 <para><emphasis role="bold">Onboarding the FortiGate
959 VNF</emphasis></para>
960
961 <orderedlist>
962 <listitem>
963 <para>To on-board the Fortigate VNF click the VNF tab in the top
964 toolbar and select the Descriptors button.</para>
965
966 <para>Click on the "Descriptors(2)" -&gt; "On-board(3)" -&gt;
967 "Browse(4)" options, and select the "Fortigate.zip" file, before
968 clicking "Send":</para>
969
970 <figure>
971 <title>Selecting Descriptors</title>
972
973 <mediaobject>
974 <imageobject>
975 <imagedata align="center"
976 fileref="images/descriptor_button.png" scale="45" />
977 </imageobject>
978 </mediaobject>
979 </figure>
980 </listitem>
981
982 <listitem>
983 <para>Wait for the "Onboarding Status" popup to display the
984 confirmation message (listed in green) and select "OK":</para>
985
986 <figure>
987 <title>Onboarding the new VNF</title>
988
989 <mediaobject>
990 <imageobject>
991 <imagedata align="center"
992 fileref="images/onboarding_status.png" scale="80" />
993 </imageobject>
994 </mediaobject>
995 </figure>
996 </listitem>
997 </orderedlist>
998
999 <para><emphasis role="bold">Instantiate the FortiGate
1000 VNF</emphasis></para>
1001
1002 <orderedlist>
1003 <listitem>
1004 <para>Select the target device, then from the top toolbar the select
1005 "VNF" -&gt; "Instances" -&gt; "Add":</para>
1006
1007 <figure>
1008 <title>Adding Instances to Target</title>
1009
1010 <mediaobject>
1011 <imageobject>
1012 <imagedata align="center" fileref="images/vnf_instances.png"
1013 scale="50" />
1014 </imageobject>
1015 </mediaobject>
1016 </figure>
1017
1018 <para>Make sure you have downloaded valid license files for the
1019 Fortigate VNF from Fortinet, and the configuration file provided by
1020 Enea as examples according to previous instructions.</para>
1021
1022 <figure>
1023 <title>Example License and Configuration files</title>
1024
1025 <mediaobject>
1026 <imageobject>
1027 <imagedata align="center"
1028 fileref="images/fortigate_licenses.png" scale="75" />
1029 </imageobject>
1030 </mediaobject>
1031 </figure>
1032 </listitem>
1033
1034 <listitem>
1035 <para>Fortigate VNF instantiation requires the following
1036 settings:</para>
1037
1038 <table>
1039 <title>Instantiation Requirements</title>
1040
1041 <tgroup cols="2">
1042 <colspec align="center" colwidth="2*" />
1043
1044 <colspec align="center" colwidth="4*" />
1045
1046 <thead>
1047 <row>
1048 <entry align="center">Component</entry>
1049
1050 <entry align="center">Description</entry>
1051 </row>
1052 </thead>
1053
1054 <tbody>
1055 <row>
1056 <entry align="left">Name</entry>
1057
1058 <entry>The name of the VM which will be created on the
1059 target device.</entry>
1060 </row>
1061
1062 <row>
1063 <entry align="left">VNF Type</entry>
1064
1065 <entry>Name of the on-boarded VNF bundle.</entry>
1066 </row>
1067
1068 <row>
1069 <entry align="left">VIM</entry>
1070
1071 <entry>Name and IP address of the device where the VNF has
1072 to be instantiated.</entry>
1073 </row>
1074
1075 <row>
1076 <entry align="left">License file</entry>
1077
1078 <entry>FortiGate license file provided by Fortinet.</entry>
1079 </row>
1080
1081 <row>
1082 <entry align="left">Configuration file</entry>
1083
1084 <entry>Firewall example configuration file provided by Enea
1085 <filename>FGVM080000136187_20180828_0353_basic_fw.conf
1086 </filename></entry>
1087 </row>
1088
1089 <row>
1090 <entry align="left">Port1 - WAN</entry>
1091
1092 <entry>Set as dpdk type and connect it to wanmgrbr
1093 bridge.</entry>
1094 </row>
1095
1096 <row>
1097 <entry align="left">Port2 - LAN1</entry>
1098
1099 <entry>Set as dpdk type and connect it to lan1
1100 bridge.</entry>
1101 </row>
1102
1103 <row>
1104 <entry align="left">Port3 - LAN2</entry>
1105
1106 <entry>Set as dpdk type and connect it to lan2
1107 bridge.</entry>
1108 </row>
1109 </tbody>
1110 </tgroup>
1111 </table>
1112
1113 <para>When the instantiation process is completed, the setup is
1114 ready for testing.</para>
1115 </listitem>
1116 </orderedlist>
1117
1118 <para><emphasis role="bold">Test the FortiGate
1119 Firewall</emphasis></para>
1120
1121 <para>Connect the Test Machine on the LAN interface and access the
1122 internet from the Test Machine to use the firewall on the target
1123 device.</para>
1124
1125 <note>
1126 <para>The connected Test Machine can be a laptop or a target that has
1127 one interface configured to get an dynamic IP from a DHCP server. The
1128 <literal>dhclient &lt;interface&gt;</literal> command can be used to
1129 request an IP address. The received IP must be in the 172.16.1.2 -
1130 172.16.1.255 range.</para>
1131 </note>
1132
1133 <figure>
1134 <title>Testing Overview</title>
1135
1136 <mediaobject>
1137 <imageobject>
1138 <imagedata align="center" contentwidth="600"
1139 fileref="images/testing_fortigate.svg" />
1140 </imageobject>
1141 </mediaobject>
1142 </figure>
1143
1144 <para>In the example above, the FortiGate VNF management interface is
1145 accessible through the WAN interface, the WAN IP address can be used
1146 from a web browser on the Lab Machine to access the Fortigate VNF
1147 Management Web UI. Please check the Fortigate VNF web management section
1148 for more information.</para>
1149
1150 <para>In another example, the firewall can be setup to use bridges as
1151 connection points for the Fortigate VNF. It is possible to replace
1152 OVS-DPDK bridges with SR-IOV connection points. <remark>The previous
1153 sentence in the original was very hard to understand, please confirm if
1154 this is what you intended to say</remark> Please check the network
1155 configuration chapter on how to configure an interface for
1156 SR-IOV.</para>
1157
1158 <para>It was previously assumed that three physical interfaces are
1159 available for VNF connection. In the case of a firewall setup it is
1160 possible to use only two physical interfaces for the data path (one for
1161 WAN and one for LAN). In the example below only two interfaces will be
1162 configured as DPDK and two bridges are created, one for each type of
1163 connection.</para>
1164
1165 <para>At VNF instantiation instead of assigning distinct bridges for
1166 each LAN interface, only one will be used for both LAN1 and LAN2, with
1167 no changes in WAN interface configuration. Please see the picture below
1168 for final setup:</para>
1169
1170 <figure>
1171 <title>Two Interface Configuration</title>
1172
1173 <mediaobject>
1174 <imageobject>
1175 <imagedata align="center" contentwidth="600"
1176 fileref="images/two_inst_firewall.svg" />
1177 </imageobject>
1178 </mediaobject>
1179 </figure>
1180 </section>
1181
1182 <section id="fortigate_webmg">
1183 <title>FortiGate VNF web management</title>
1184
1185 <para>In order to check the IP address assigned to Fortigate VNF you
1186 need to connect to the Fortigate CLI.</para>
1187
1188 <para><emphasis role="bold">Connecting to the Fortigate
1189 CLI</emphasis></para>
1190
1191 <orderedlist>
1192 <listitem>
1193 <para>SSH to the target device from the Lab Machine and attach to
1194 the VNF's console using the "virsh console" command shown
1195 below:</para>
1196
1197 <figure>
1198 <title>Attaching to the VNF Console</title>
1199
1200 <mediaobject>
1201 <imageobject>
1202 <imagedata align="center" fileref="images/virsh_console.png"
1203 scale="80" />
1204 </imageobject>
1205 </mediaobject>
1206 </figure>
1207 </listitem>
1208
1209 <listitem>
1210 <para>To access Fortigate CLI, use the credential "admin" for the
1211 user, leaving the password blank, then press enter.</para>
1212
1213 <para>Use the CLI command "get system interface" to get the dynamic
1214 interfaces configuration.</para>
1215
1216 <figure>
1217 <title>Acessing and configuring Fortigate CLI</title>
1218
1219 <mediaobject>
1220 <imageobject>
1221 <imagedata align="center"
1222 fileref="images/access_fortigate_cli.png"
1223 scale="58" />
1224 </imageobject>
1225 </mediaobject>
1226 </figure>
1227 </listitem>
1228
1229 <listitem>
1230 <para>Use the IP address assigned for the management interface in
1231 the web browser (<literal>https://&lt;IP&gt;</literal>), to access
1232 the Fortinet VNF web management interface. Use the same credentials
1233 as before to login:</para>
1234
1235 <figure>
1236 <title>Accessing the web management interface</title>
1237
1238 <mediaobject>
1239 <imageobject>
1240 <imagedata align="center"
1241 fileref="images/fortinet_vnf_login.png" scale="50" />
1242 </imageobject>
1243 </mediaobject>
1244 </figure>
1245 </listitem>
1246
1247 <listitem>
1248 <para>You can browse through the configuration and perform changes
1249 according to your setup:</para>
1250
1251 <figure>
1252 <title>The Fortinet Web Interface</title>
1253
1254 <mediaobject>
1255 <imageobject>
1256 <imagedata align="center"
1257 fileref="images/fortinet_interface.png" scale="30" />
1258 </imageobject>
1259 </mediaobject>
1260 </figure>
1261 </listitem>
1262
1263 <listitem>
1264 <para>Optional, alter the default Fortinet example configuration
1265 provided by Enea, through the following steps:</para>
1266
1267 <orderedlist>
1268 <listitem>
1269 <para>Deploy the FortiGate Firewall in its default
1270 settings.</para>
1271 </listitem>
1272
1273 <listitem>
1274 <para>Connect to the FortiGate VNF Web Management with a web
1275 browser.</para>
1276 </listitem>
1277
1278 <listitem>
1279 <para>Modify the FortiGate configuration in the FortiGate VNF
1280 Web Management as needed.</para>
1281 </listitem>
1282
1283 <listitem>
1284 <para>Store the updated configuration in a file, by saving in
1285 the FortiGate VNF Web Management interface, so it may be used at
1286 the next FortiGate VNF instantiation.</para>
1287 </listitem>
1288 </orderedlist>
1289
1290 <note>
1291 <para>Editing the default configuration is only recommended for
1292 FortiGate configuration experts.</para>
1293 </note>
1294 </listitem>
1295 </orderedlist>
1296 </section>
1297
1298 <section id="fortigate_sdwan_vpn">
1299 <title>FortiGate VNF as an SD-WAN VPN</title>
1300
1301 <para>The software-defined wide-area network (SD-WAN or SDWAN) is a
1302 specific application of software-defined networking (SDN) technology
1303 applied to WAN connections. It connects enterprise networks, including
1304 branch offices and data centers, over large geographic distances.</para>
1305
1306 <para>SD-WAN decouples the network from the management plane, detaching
1307 the traffic management and monitoring functions from hardware. Most
1308 forms of SD-WAN technology create a virtual overlay that is
1309 transport-agnostic, i.e. it abstracts underlying private or public WAN
1310 connections. With an overlay SD-WAN, a vendor provides an edge device to
1311 the customer that contains the software necessary to run the SD-WAN
1312 technology. For deployment, the customer plugs in WAN links into the
1313 device, which automatically configures itself with the network.</para>
1314
1315 <para>The following will detail an SD-WAN setup for a branch to branch
1316 connection using the FortiGate VNF. FortiGate provides native SD-WAN
1317 along with integrated advanced threat protection.</para>
1318
1319 <note>
1320 <para>Example SD-WAN configurations for the FortiGate VNF are provided
1321 in the Enea Portal.</para>
1322 </note>
1323
1324 <table>
1325 <title>FortiGate VNF Example Configuration - SD-WAN Target 1</title>
1326
1327 <tgroup cols="2">
1328 <colspec align="center" />
1329
1330 <thead>
1331 <row>
1332 <entry align="center">Component</entry>
1333
1334 <entry align="center">Description</entry>
1335 </row>
1336 </thead>
1337
1338 <tbody>
1339 <row>
1340 <entry>SD-WAN</entry>
1341
1342 <entry>VPN connection between two branches (Target 1 and Target
1343 2).</entry>
1344 </row>
1345
1346 <row>
1347 <entry>VNFMgr (Virtual Port1)</entry>
1348
1349 <entry>DHCP Client, dynamically assigned IP address.</entry>
1350 </row>
1351
1352 <row>
1353 <entry>WAN (Virtual Port2)</entry>
1354
1355 <entry>IP address: 10.0.0.1</entry>
1356 </row>
1357
1358 <row>
1359 <entry>LAN (Virtual Port3)</entry>
1360
1361 <entrytbl cols="1">
1362 <tbody>
1363 <row>
1364 <entry>IP address: 172.16.1.1</entry>
1365 </row>
1366
1367 <row>
1368 <entry>DHCP server (IP range 172.16.1.2 -
1369 172.16.1.254)</entry>
1370 </row>
1371 </tbody>
1372 </entrytbl>
1373 </row>
1374 </tbody>
1375 </tgroup>
1376 </table>
1377
1378 <table>
1379 <title>FortiGate VNF Example Configuration - SD-WAN Target 2</title>
1380
1381 <tgroup cols="2">
1382 <colspec align="center" />
1383
1384 <thead>
1385 <row>
1386 <entry align="center">Component</entry>
1387
1388 <entry align="center">Description</entry>
1389 </row>
1390 </thead>
1391
1392 <tbody>
1393 <row>
1394 <entry>SD-WAN</entry>
1395
1396 <entry>VPN connection between two branches (Target 2 and Target
1397 1).</entry>
1398 </row>
1399
1400 <row>
1401 <entry>VNFMgr (Virtual Port1)</entry>
1402
1403 <entry>DHCP Client, dynamically assigned IP address.</entry>
1404 </row>
1405
1406 <row>
1407 <entry>WAN (Virtual Port2)</entry>
1408
1409 <entry>IP address: 10.0.0.2</entry>
1410 </row>
1411
1412 <row>
1413 <entry>LAN (Virtual Port3)</entry>
1414
1415 <entrytbl cols="1">
1416 <tbody>
1417 <row>
1418 <entry>IP address: 172.16.2.1</entry>
1419 </row>
1420
1421 <row>
1422 <entry>DHCP server (IP range 172.16.2.2 -
1423 172.16.2.254)</entry>
1424 </row>
1425 </tbody>
1426 </entrytbl>
1427 </row>
1428 </tbody>
1429 </tgroup>
1430 </table>
1431
1432 <para><emphasis role="bold">Lab Setup</emphasis></para>
1433
1434 <para>The following table illustrates the use-case prerequisites of the
1435 setup:</para>
1436
1437 <table>
1438 <title>Lab Setup Prerequisites</title>
1439
1440 <tgroup cols="2">
1441 <colspec align="center" />
1442
1443 <thead>
1444 <row>
1445 <entry align="center">Component</entry>
1446
1447 <entry align="center">Description</entry>
1448 </row>
1449 </thead>
1450
1451 <tbody>
1452 <row>
1453 <entry>Lab Network</entry>
1454
1455 <entrytbl cols="1">
1456 <tbody>
1457 <row>
1458 <entry>DHCP enabled Lab Network.</entry>
1459 </row>
1460
1461 <row>
1462 <entry>Internet Connectivity.</entry>
1463 </row>
1464 </tbody>
1465 </entrytbl>
1466 </row>
1467
1468 <row>
1469 <entry>Two Intel Whitebox target devices</entry>
1470
1471 <entrytbl cols="1">
1472 <tbody>
1473 <row>
1474 <entry>Minimum 4 Physical Network Devices.</entry>
1475 </row>
1476
1477 <row>
1478 <entry>4 GB RAM and 4 cores (C3000 or Xeon D).</entry>
1479 </row>
1480
1481 <row>
1482 <entry>Enea NFV Access Installed.</entry>
1483 </row>
1484
1485 <row>
1486 <entry>VNFMgr Connected to Lab Network for VNF management
1487 access.</entry>
1488 </row>
1489
1490 <row>
1491 <entry>WAN interfaces directly connected through Ethernet
1492 cable.</entry>
1493 </row>
1494
1495 <row>
1496 <entry>LAN Connected to Test Machine.</entry>
1497 </row>
1498
1499 <row>
1500 <entry>ETH0 connected to Lab Network (for Enea uCPE
1501 Manager communications).</entry>
1502 </row>
1503 </tbody>
1504 </entrytbl>
1505 </row>
1506
1507 <row>
1508 <entry>One Lab Machine</entry>
1509
1510 <entrytbl cols="1">
1511 <tbody>
1512 <row>
1513 <entry>Connected to Lab Network.</entry>
1514 </row>
1515
1516 <row>
1517 <entry>Running either Windows or CentOS.</entry>
1518 </row>
1519
1520 <row>
1521 <entry>Enea uCPE Manager installed.</entry>
1522 </row>
1523 </tbody>
1524 </entrytbl>
1525 </row>
1526
1527 <row>
1528 <entry>Two Test Machines</entry>
1529
1530 <entrytbl cols="1">
1531 <tbody>
1532 <row>
1533 <entry>Connected to Whitebox LANs.</entry>
1534 </row>
1535
1536 <row>
1537 <entry>Internet Connectivity via LAN.</entry>
1538 </row>
1539
1540 <row>
1541 <entry>Configured as DHCP client on LAN.</entry>
1542 </row>
1543 </tbody>
1544 </entrytbl>
1545 </row>
1546
1547 <row>
1548 <entry>FortiGate VNF</entry>
1549
1550 <entrytbl cols="1">
1551 <tbody>
1552 <row>
1553 <entry>Downloaded the FortiGate VNF Bundle from Enea
1554 Portal to the Lab Machine file system.</entry>
1555 </row>
1556
1557 <row>
1558 <entry>Downloaded FortiGate configuration examples from
1559 Enea Portal to Lab Machine file system. Unpack the
1560 configuration examples specific for SD-WAN on the Lab
1561 Machine.</entry>
1562 </row>
1563
1564 <row>
1565 <entry>Retrieve the FortiGate VNF license from Fortinet
1566 and store it on the Lab Machine file system.</entry>
1567 </row>
1568
1569 <row>
1570 <entry>Optionally, retrieve FortiGate VNF documentation
1571 from Fortinet.</entry>
1572 </row>
1573 </tbody>
1574 </entrytbl>
1575 </row>
1576 </tbody>
1577 </tgroup>
1578 </table>
1579
1580 <figure>
1581 <title>SD-WAN: VPN Configuration</title>
1582
1583 <mediaobject>
1584 <imageobject>
1585 <imagedata align="center"
1586 fileref="images/sdwan_vpn_overview_1.png" scale="50" />
1587 </imageobject>
1588 </mediaobject>
1589 </figure>
1590
1591 <para><emphasis role="bold">uCPE Networking Setup</emphasis></para>
1592
1593 <para>Before deploying the FortiGate SD-WAN, the Enea NFV Access
1594 platform has to be configured to the specific networking setup.</para>
1595
1596 <para>Since the SD-WAN VNF uses three External Network Interfaces, three
1597 bridges need to be configured. Each bridge provides the ability to
1598 connect a physical network interface to the virtual machine's virtual
1599 network interface. Each physical to virtual network interface connection
1600 is setup in two steps:</para>
1601
1602 <itemizedlist>
1603 <listitem>
1604 <para>Bind the physical network interfaces with a DPDK
1605 driver.</para>
1606 </listitem>
1607
1608 <listitem>
1609 <para>Create a named bridge for each physical network
1610 interface.</para>
1611 </listitem>
1612 </itemizedlist>
1613
1614 <para>Start the setup by preparing each physical interface for
1615 attachment to a bridge. Each VNF instance will have a virtual interface
1616 for VNF management, for the WAN network and for LAN
1617 communication.</para>
1618
1619 <orderedlist>
1620 <listitem>
1621 <para>Bind physical interface to DPDK (target_1 -&gt; Configuration
1622 -&gt; OpenVSwitch -&gt; Host Interfaces -&gt; Add):</para>
1623
1624 <figure>
1625 <title>Binding the Physical Interface</title>
1626
1627 <mediaobject>
1628 <imageobject>
1629 <imagedata align="center"
1630 fileref="images/bind_phys_interface.png" scale="90" />
1631 </imageobject>
1632 </mediaobject>
1633 </figure>
1634
1635 <para>The result of binding these three interfaces should look like
1636 the following:</para>
1637
1638 <figure>
1639 <title>Results of Binding</title>
1640
1641 <mediaobject>
1642 <imageobject>
1643 <imagedata align="center" fileref="images/binding_results.png"
1644 scale="70" />
1645 </imageobject>
1646 </mediaobject>
1647 </figure>
1648 </listitem>
1649
1650 <listitem>
1651 <para>Create one OpenVSwitch bridge for each SD-WAN network
1652 connection (VNF management, WAN and LAN) by selecting the "Add"
1653 button from the Bridges tab (target -&gt; Configuration -&gt;
1654 OpenvSwitch-&gt; Bridges). A popup like this should appear:</para>
1655
1656 <figure>
1657 <title>Creating an OpenVSwitch bridge for an SD-WAN network
1658 connection</title>
1659
1660 <mediaobject>
1661 <imageobject>
1662 <imagedata align="center" fileref="images/ovs_bridge_four.png"
1663 scale="70" />
1664 </imageobject>
1665 </mediaobject>
1666 </figure>
1667 </listitem>
1668
1669 <listitem>
1670 <para>Repeat this step for all network connections. Three bridges
1671 will be created:</para>
1672
1673 <figure>
1674 <title>The three newly created Bridges</title>
1675
1676 <mediaobject>
1677 <imageobject>
1678 <imagedata align="center" fileref="images/created_bridges.png"
1679 scale="70" />
1680 </imageobject>
1681 </mediaobject>
1682 </figure>
1683 </listitem>
1684 </orderedlist>
1685
1686 <para>Once the interfaces and bridges are ready, only the on-boarding
1687 and instantiation of the VNF remains to be done.</para>
1688
1689 <para><emphasis role="bold">Onboarding the FortiGate
1690 VNF</emphasis></para>
1691
1692 <orderedlist>
1693 <listitem>
1694 <para>To on-board a VNF, select a target device on the map and click
1695 the VNF button in the top toolbar. Then, click the "Descriptors"
1696 -&gt; "On-board" -&gt; "Browse" options, and select the
1697 <filename>Fortigate.zip</filename> file, before clicking
1698 "Send":</para>
1699
1700 <figure>
1701 <title>On-boarding FortiGate VNF</title>
1702
1703 <mediaobject>
1704 <imageobject>
1705 <imagedata align="center" fileref="images/onboard.png"
1706 scale="45" />
1707 </imageobject>
1708 </mediaobject>
1709 </figure>
1710 </listitem>
1711
1712 <listitem>
1713 <para>Wait for the "Onboarding Status" popup to display the
1714 confirmation message and select "OK":</para>
1715
1716 <figure>
1717 <title>Successful Confirmation</title>
1718
1719 <mediaobject>
1720 <imageobject>
1721 <imagedata align="center"
1722 fileref="images/onboarded_successfully.png"
1723 scale="42" />
1724 </imageobject>
1725 </mediaobject>
1726 </figure>
1727 </listitem>
1728 </orderedlist>
1729
1730 <para><emphasis role="bold">Instantiating the FortiGate
1731 VNF</emphasis></para>
1732
1733 <para>The following steps describe how to instantiate the Fortigate
1734 VNF.</para>
1735
1736 <orderedlist>
1737 <listitem>
1738 <para>Select the target, then from the top toolbar click on "VNF"
1739 and choose the "Instances" -&gt; "Add" options:</para>
1740
1741 <figure>
1742 <title>Adding an Instance</title>
1743
1744 <mediaobject>
1745 <imageobject>
1746 <imagedata align="center" fileref="images/adding_instance.png"
1747 scale="50" />
1748 </imageobject>
1749 </mediaobject>
1750 </figure>
1751
1752 <note>
1753 <para>Download locally the valid license files for the Fortigate
1754 VNF from Fortinet and the configuration file provided by Enea as
1755 examples.</para>
1756 </note>
1757 </listitem>
1758
1759 <listitem>
1760 <para>Use the <literal>sdwan1</literal> example configuration file
1761 for the first target:</para>
1762
1763 <figure>
1764 <title>Configuring target_1</title>
1765
1766 <mediaobject>
1767 <imageobject>
1768 <imagedata align="center"
1769 fileref="images/sdwan1_eg_config.png" scale="70" />
1770 </imageobject>
1771 </mediaobject>
1772 </figure>
1773 </listitem>
1774 </orderedlist>
1775
1776 <para>Fortigate VNF instantiation requires the following
1777 settings:</para>
1778
1779 <table>
1780 <title>Fortigate VNF Instantiation Requirements</title>
1781
1782 <tgroup cols="2">
1783 <colspec align="left" colwidth="2*" />
1784
1785 <colspec align="left" colwidth="4*" />
1786
1787 <thead>
1788 <row>
1789 <entry align="center">Component</entry>
1790
1791 <entry align="center">Description</entry>
1792 </row>
1793 </thead>
1794
1795 <tbody>
1796 <row>
1797 <entry>Name</entry>
1798
1799 <entry>The name of the VM which will be created on target
1800 device.</entry>
1801 </row>
1802
1803 <row>
1804 <entry>VNF Type</entry>
1805
1806 <entry>The name of the on-boarded VNF bundle.</entry>
1807 </row>
1808
1809 <row>
1810 <entry>VIM</entry>
1811
1812 <entry>Name and IP address of the device where the VNF has to be
1813 instantiated.</entry>
1814 </row>
1815
1816 <row>
1817 <entry>License file</entry>
1818
1819 <entry>FortiGate license file provided by Fortinet.</entry>
1820 </row>
1821
1822 <row>
1823 <entry>Configuration file</entry>
1824
1825 <entry>SD-WAN example configuration files provided by Enea: -
1826 FGVM080000136187_20180215_0708_sdwan1.conf -
1827 FGVM080000136188_20180215_0708_sdwan2.conf</entry>
1828 </row>
1829
1830 <row>
1831 <entry>Port1 - VNFMgr</entry>
1832
1833 <entry>Set as dpdk type and connect it to vnfmgrbr
1834 bridge.</entry>
1835 </row>
1836
1837 <row>
1838 <entry>Port2 - WAN</entry>
1839
1840 <entry>Set as dpdk type and connect it to wanbr bridge.</entry>
1841 </row>
1842
1843 <row>
1844 <entry>Port3 - LAN</entry>
1845
1846 <entry>Set as dpdk type and connect it to lanbr bridge.</entry>
1847 </row>
1848 </tbody>
1849 </tgroup>
1850 </table>
1851
1852 <para>To complete the branch-to-branch setup, configure the peer target
1853 in the same way as <literal>target_1</literal>. Make sure to use the
1854 <filename>FGVM080000136188_20180215_0708_sdwan2.conf</filename>
1855 configuration file for the second VNF instantiation.</para>
1856
1857 <para><emphasis role="bold">Testing the FortiGate SD-WAN
1858 VPN</emphasis></para>
1859
1860 <para>Once the full SD-WAN setup is in place a VPN connection needs to
1861 established between the two devices. The Test Machines can be connected
1862 to the LAN interface on each target.</para>
1863
1864 <para>The connected Test Machine can be a laptop or a target that has
1865 one interface configured to get dynamic IP from a DHCP server. The
1866 <command>dhclient &lt;interface&gt;</command> command can be used to
1867 request an IP address.</para>
1868
1869 <note>
1870 <para>The received IP must be in the 172.16.1.2 - 172.16.1.255 range
1871 for Test Machine-1 and in the 172.16.2.2 - 172.16.2.255 range for Test
1872 Machine-2.</para>
1873 </note>
1874
1875 <figure>
1876 <title>Overview: Testing Machines Setup</title>
1877
1878 <mediaobject>
1879 <imageobject>
1880 <imagedata align="center" fileref="images/test_machines.png"
1881 scale="40" />
1882 </imageobject>
1883 </mediaobject>
1884 </figure>
1885
1886 <para>Test Machine-1 should be able to ping Test Machine-2 in this setup
1887 over the WAN connection.</para>
1888
1889 <para>In the figure above and this example, the FortiGate VNF management
1890 interface is accessible through a dedicated Mgmt interface. The Mgmt IP
1891 address can be used from a web browser on the Lab Machine to access the
1892 Fortigate VNF Management Web UI.</para>
1893
1894 <note>
1895 <para>In this SD-WAN VPN setup example, bridges were used as
1896 connection points for Fortigate VNF. It is possible to replace
1897 OVS-DPDK bridges with SR-IOV connection points.</para>
1898 </note>
1899 </section>
1900 </section>
1901
1902 <section id="inband_management">
1903 <title>In-band Management</title>
1904
1905 <para>In the case of an NFV Access device installed on a network with
1906 limited access, In-band management can be a solution to manage the device
1907 and to pass data traffic (through only one physical interface). This demo
1908 use-case will show how to enable the In-band management on the NFV Access
1909 device and to access a VNF on the same physical interface.</para>
1910
1911 <figure>
1912 <title>NFV Access In-band management solution setup</title>
1913
1914 <mediaobject>
1915 <imageobject>
1916 <imagedata align="center" fileref="images/uc_ibm_solution.png"
1917 scale="50" />
1918 </imageobject>
1919 </mediaobject>
1920 </figure>
1921
1922 <para>Setup uses the following network configuration:</para>
1923
1924 <itemizedlist>
1925 <listitem>
1926 <para>1 x Network Interface for WAN and management.</para>
1927 </listitem>
1928
1929 <listitem>
1930 <para>1 x Network Interface for LAN.</para>
1931 </listitem>
1932 </itemizedlist>
1933
1934 <para>For prerequisites and further details, please see <xref
1935 linkend="inband_management" /> and <xref
1936 linkend="vnf_fortigate" />.</para>
1937
1938 <section id="mg_activation">
1939 <title>In-band management activation for FortiGate VNF
1940 Instantiation</title>
1941
1942 <para>In-band management activation is done by creating a special bridge
1943 which manages all traffic from the WAN interface. The active physical
1944 port of the device (used by the device manager to communicate with the
1945 uCPE Manager) will be connected to the In-band management bridge. Once
1946 the In-band management bridge is activated, communication to the uCPE
1947 Manager will be reactivated, passing through the bridge.</para>
1948
1949 <note>
1950 <para>No other physical port for In-band management can be
1951 used.</para>
1952 </note>
1953
1954 <orderedlist>
1955 <listitem>
1956 <para>Create an In-band management WAN Bridge:</para>
1957
1958 <itemizedlist>
1959 <listitem>
1960 <para>Select the <literal>Device</literal> menu.</para>
1961 </listitem>
1962
1963 <listitem>
1964 <para>In the Configuration tab select
1965 <literal>OpenVSwitch.</literal></para>
1966 </listitem>
1967
1968 <listitem>
1969 <para>Select <literal>Bridges</literal> and click
1970 <literal>Add</literal>.</para>
1971 </listitem>
1972
1973 <listitem>
1974 <para>Use <literal>dpdkWAN</literal> as the
1975 <literal>ovs-bridge-type</literal>.</para>
1976 </listitem>
1977 </itemizedlist>
1978
1979 <figure>
1980 <title>Create In-band management WAN bridge</title>
1981
1982 <mediaobject>
1983 <imageobject>
1984 <imagedata align="center" fileref="images/uc_ibm_br.png"
1985 scale="75" />
1986 </imageobject>
1987 </mediaobject>
1988 </figure>
1989 </listitem>
1990
1991 <listitem>
1992 <para>Bind the physical port which will be used for LAN access to
1993 <literal>dpdk</literal>:</para>
1994
1995 <itemizedlist>
1996 <listitem>
1997 <para>Select the <literal>Device</literal> menu.</para>
1998 </listitem>
1999
2000 <listitem>
2001 <para>In the Configuration tab select
2002 <literal>OpenVSwitch</literal>.</para>
2003 </listitem>
2004
2005 <listitem>
2006 <para>Select the <literal>Host Interfaces</literal> menu and
2007 click <literal>Add</literal>.</para>
2008 </listitem>
2009
2010 <listitem>
2011 <para>Use <literal>dpdk</literal> as the
2012 <literal>ovs-bridge-type</literal>.</para>
2013 </listitem>
2014 </itemizedlist>
2015
2016 <figure>
2017 <title>Bind LAN physical port to dpdk</title>
2018
2019 <mediaobject>
2020 <imageobject>
2021 <imagedata align="center"
2022 fileref="images/uc_ibm_dpdk_int_bind.png"
2023 scale="75" />
2024 </imageobject>
2025 </mediaobject>
2026 </figure>
2027 </listitem>
2028
2029 <listitem>
2030 <para>Create a LAN Bridge:</para>
2031
2032 <itemizedlist>
2033 <listitem>
2034 <para>Select the <literal>Device.</literal></para>
2035 </listitem>
2036
2037 <listitem>
2038 <para>In the Configuration menu select
2039 <literal>OpenVSwitch.</literal></para>
2040 </listitem>
2041
2042 <listitem>
2043 <para>Open the <literal>Bridges</literal> menu and click
2044 <literal>Add.</literal></para>
2045 </listitem>
2046 </itemizedlist>
2047
2048 <figure>
2049 <title>Create LAN bridge</title>
2050
2051 <mediaobject>
2052 <imageobject>
2053 <imagedata align="center" fileref="images/uc_ibm_lanbr.png"
2054 scale="75" />
2055 </imageobject>
2056 </mediaobject>
2057 </figure>
2058
2059 <para>At this step the following bridges should exist:</para>
2060
2061 <figure>
2062 <title>Bridges</title>
2063
2064 <mediaobject>
2065 <imageobject>
2066 <imagedata align="center" fileref="images/uc_ibm_br2.png"
2067 scale="65" />
2068 </imageobject>
2069 </mediaobject>
2070 </figure>
2071
2072 <note>
2073 <para>The WAN port of the very first VNF instantiated on the
2074 device must be connected to the <literal>ibm-wan-br
2075 bridge</literal>. All other VNFs must be connected in chain with
2076 the first VNF.</para>
2077 </note>
2078 </listitem>
2079
2080 <listitem>
2081 <para>Onboard the first VNF and instantiate it on the device:</para>
2082
2083 <itemizedlist>
2084 <listitem>
2085 <para>Select the <literal>Device.</literal></para>
2086 </listitem>
2087
2088 <listitem>
2089 <para>Select the <literal>VNF</literal> menu.</para>
2090 </listitem>
2091
2092 <listitem>
2093 <para>In the <literal>Descriptors</literal> menu, choose the
2094 <literal>VNF Package</literal> option.</para>
2095 </listitem>
2096
2097 <listitem>
2098 <para>Browse and select the Fortigate bundle you require, before
2099 pressing the <literal>Send</literal> button.</para>
2100 </listitem>
2101 </itemizedlist>
2102
2103 <figure>
2104 <title>Onboard Fortigate VNF</title>
2105
2106 <mediaobject>
2107 <imageobject>
2108 <imagedata align="center"
2109 fileref="images/uc_ibm_fortigate_onboard.png"
2110 scale="50" />
2111 </imageobject>
2112 </mediaobject>
2113 </figure>
2114 </listitem>
2115
2116 <listitem>
2117 <para>Add the VNF instance:</para>
2118
2119 <itemizedlist>
2120 <listitem>
2121 <para>Select the <literal>Device.</literal></para>
2122 </listitem>
2123
2124 <listitem>
2125 <para>Select the <literal>VNF</literal> menu.</para>
2126 </listitem>
2127
2128 <listitem>
2129 <para>Choose the <literal>Instances</literal> option, select the
2130 VNF configuration you desire and press
2131 <literal>Add.</literal></para>
2132 </listitem>
2133
2134 <listitem>
2135 <para>Browse and select the Fortigate bundle you require, before
2136 pressing the <literal>Send</literal> button.</para>
2137 </listitem>
2138 </itemizedlist>
2139
2140 <figure>
2141 <title>Instantiate Fortigate VNF</title>
2142
2143 <mediaobject>
2144 <imageobject>
2145 <imagedata align="center"
2146 fileref="images/uc_ibm_fg_instantiation.png"
2147 scale="65" />
2148 </imageobject>
2149 </mediaobject>
2150 </figure>
2151 </listitem>
2152 </orderedlist>
2153
2154 <para>Once the VNF is instantiated, the setup is complete and ready for
2155 testing. Connect the test machine to the LAN port. It will receive an IP
2156 address from the Fortigate VNF and be able to access the
2157 internet.</para>
2158 </section>
2159
2160 <section id="test_fortvnf_inband">
2161 <title>Testing the Fortigate VNF In-band management activation</title>
2162
2163 <figure>
2164 <title>Test setup</title>
2165
2166 <mediaobject>
2167 <imageobject>
2168 <imagedata align="center"
2169 fileref="images/uc_ibm_solution_test.png" scale="50" />
2170 </imageobject>
2171 </mediaobject>
2172 </figure>
2173
2174 <para>At this stage, three types of traffic are passing through the WAN
2175 port on the same IP address: </para>
2176
2177 <itemizedlist>
2178 <listitem>
2179 <para>Device management traffic from uCPE Manager.</para>
2180 </listitem>
2181
2182 <listitem>
2183 <para>Fortigate management interface traffic from a web
2184 browser.</para>
2185 </listitem>
2186
2187 <listitem>
2188 <para>Data traffic from the LAN to the internet.</para>
2189 </listitem>
2190 </itemizedlist>
2191
2192 <para>Having access from the uCPE Manager to the device as shown above,
2193 demonstrates that device management traffic passes through the in-band
2194 management WAN bridge successfully.</para>
2195
2196 <para>To access the management interface of the VNF, connect from a web
2197 browser to the public IP address of the device e.g.
2198 <literal>https://&lt;IP&gt;</literal>. From a Test machine connected on
2199 LAN port, try a test ping to the internet e.g. "ping 8.8.8.8".</para>
2200 </section>
2201 </section>
2202</chapter> \ No newline at end of file
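Review bot: the commit message ("Fixing whitespaces and Target table title") does not describe this hunk, which deletes all 2202 lines of demo_usecases.xml, and nothing in the diff shows where the FortiGate firewall, SD-WAN VPN and In-band management use cases go; the book.xml hunk only adds a blank line before the existing include of in_band_management.xml. Either state in the message that the demo use cases were split out of this file (and into which files), or keep the deletion in its own commit so the relocation is reviewable. While relocating, two leftovers in the removed text are worth not carrying over: the editorial `<remark>The previous sentence in the original was very hard to understand, please confirm ...</remark>` inside the firewall section, and the `<xref linkend="inband_management" />` that points at the very section it sits in. The moved text also documents logging in to the FortiGate CLI and web UI as "admin" with a blank password and, in the in-band case, exposes the uCPE Manager, FortiGate management and LAN data traffic on one public IP; the relocated procedure should tell the reader to set an admin password before the WAN/Mgmt interface is reachable from the lab network.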