Diffstat (limited to 'doc/book-enea-nfv-access-example-usecases/doc/forti_vnf_examples.xml')
-rw-r--r-- | doc/book-enea-nfv-access-example-usecases/doc/forti_vnf_examples.xml | 142 |
1 files changed, 59 insertions, 83 deletions
diff --git a/doc/book-enea-nfv-access-example-usecases/doc/forti_vnf_examples.xml b/doc/book-enea-nfv-access-example-usecases/doc/forti_vnf_examples.xml index 547cda4..a56fc0a 100644 --- a/doc/book-enea-nfv-access-example-usecases/doc/forti_vnf_examples.xml +++ b/doc/book-enea-nfv-access-example-usecases/doc/forti_vnf_examples.xml | |||
@@ -41,7 +41,7 @@ | |||
41 | </listitem> | 41 | </listitem> |
42 | </itemizedlist> | 42 | </itemizedlist> |
43 | 43 | ||
44 | <para>The following files are needed for this example use-case:</para> | 44 | <para>The following file(s) are needed for this example use-case:</para> |
45 | 45 | ||
46 | <itemizedlist> | 46 | <itemizedlist> |
47 | <listitem> | 47 | <listitem> |
@@ -49,12 +49,8 @@ | |||
49 | its license file.</para> | 49 | its license file.</para> |
50 | </listitem> | 50 | </listitem> |
51 | 51 | ||
52 | <listitem><para>VNF Configuration files, provided with your Enea NFV Access | 52 | <listitem><para>VNF Configuration file(s), provided with your Enea NFV Access |
53 | release:</para> | 53 | release: <filename>fortigate-basic-fw.conf</filename>.</para> |
54 | <itemizedlist spacing="compact"> | ||
55 | <listitem><para><filename>fortigate-basic-fw.conf</filename>.</para></listitem> | ||
56 | <listitem><para><filename>fortigate-sdwan<x>.conf</filename>.</para></listitem> | ||
57 | </itemizedlist> | ||
58 | </listitem> | 54 | </listitem> |
59 | </itemizedlist> | 55 | </itemizedlist> |
60 | </section> | 56 | </section> |
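Review bot: With a single file named on new lines 52-53, "VNF Configuration file(s)" should be the plain singular "VNF Configuration file". The "(s)" form suggests that more than fortigate-basic-fw.conf is needed for the firewall use-case, which is what this hunk removes.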
@@ -76,12 +72,28 @@ | |||
76 | <para><emphasis role="bold">Network Configuration</emphasis>:</para> | 72 | <para><emphasis role="bold">Network Configuration</emphasis>:</para> |
77 | 73 | ||
78 | <para>Since the firewall uses three External Network Interfaces, three | 74 | <para>Since the firewall uses three External Network Interfaces, three |
79 | bridges need to be configured. Each bridge provides the ability to | 75 | bridges need to be configured. Each bridge provides the ability to connect a physical network interface to the virtual network interface of a VM.</para> |
80 | connect a physical network interface to the virtual machines' virtual | 76 | |
81 | network interface.</para> | 77 | <para><emphasis role="bold">Setup of the uCPE device:</emphasis></para> |
82 | 78 | ||
83 | <orderedlist> | 79 | <orderedlist> |
84 | <listitem> | 80 | <listitem> |
81 | <para>Connect WAN to the Lab Network.</para> | ||
82 | </listitem> | ||
83 | |||
84 | <listitem> | ||
85 | <para>Connect LAN1 to the Test Machine.</para> | ||
86 | </listitem> | ||
87 | |||
88 | <listitem> | ||
89 | <para>Leave LAN2 unconnected.</para> | ||
90 | </listitem> | ||
91 | |||
92 | <listitem> | ||
93 | <para>Connect ETH0 to the Lab Network (for Enea uCPE Manager communications).</para> | ||
94 | </listitem> | ||
95 | |||
96 | <listitem> | ||
85 | <para>Select the uCPE device, access | 97 | <para>Select the uCPE device, access |
86 | <literal>Configuration</literal> and bind the three physical network | 98 | <literal>Configuration</literal> and bind the three physical network |
87 | interfaces to DPDK.</para> | 99 | interfaces to DPDK.</para> |
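Review bot: New lines 75 and 93 are left unwrapped while the surrounding paragraphs are wrapped; rewrap them so later diffs of this file stay readable. The list now mixes cabling steps (1 to 4) with actions performed in the management UI (step 5 onward), so step 5 would benefit from saying where "Select the uCPE device" is done.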
@@ -90,8 +102,6 @@ | |||
90 | <listitem> | 102 | <listitem> |
91 | <para>Create three OVS bridges, one for each DPDK network interface | 103 | <para>Create three OVS bridges, one for each DPDK network interface |
92 | (WAN, LAN1 and LAN2).</para> | 104 | (WAN, LAN1 and LAN2).</para> |
93 | </listitem> | ||
94 | </orderedlist> | ||
95 | 105 | ||
96 | <para>Alternatively, the firewall can be setup to use bridges as | 106 | <para>Alternatively, the firewall can be setup to use bridges as |
97 | connection points for the FortiGate VNF, by replacing the OVS-DPDK | 107 | connection points for the FortiGate VNF, by replacing the OVS-DPDK |
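Review bot: Removing </listitem> and </orderedlist> after old line 92 places the "Alternatively, the firewall can be setup to use bridges..." paragraph inside the list item of the OVS bridge step, and the list is only closed by tags added in a later hunk. If the alternative applies to the whole setup rather than to that single step, keep the closing tags here and leave the paragraph outside the list. While touching this area, "setup" used as a verb should be "set up".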
@@ -110,27 +120,8 @@ | |||
110 | each LAN interface, only one will be used for both LAN1 and LAN2, with | 120 | each LAN interface, only one will be used for both LAN1 and LAN2, with |
111 | no changes in WAN interface configuration.</para> | 121 | no changes in WAN interface configuration.</para> |
112 | </note> | 122 | </note> |
113 | |||
114 | <para><emphasis role="bold">Setup of the uCPE device:</emphasis></para> | ||
115 | |||
116 | <itemizedlist> | ||
117 | <listitem> | ||
118 | <para>WAN connected to the Lab Network.</para> | ||
119 | </listitem> | ||
120 | |||
121 | <listitem> | ||
122 | <para>LAN1 connected to the Test Machine.</para> | ||
123 | </listitem> | ||
124 | |||
125 | <listitem> | ||
126 | <para>LAN2 unconnected.</para> | ||
127 | </listitem> | 123 | </listitem> |
128 | 124 | </orderedlist> | |
129 | <listitem> | ||
130 | <para>ETH0 connected to the Lab Network (for Enea uCPE Manager | ||
131 | communications).</para> | ||
132 | </listitem> | ||
133 | </itemizedlist> | ||
134 | 125 | ||
135 | <para><emphasis role="bold">Onboarding the VNF:</emphasis></para> | 126 | <para><emphasis role="bold">Onboarding the VNF:</emphasis></para> |
136 | 127 | ||
@@ -157,7 +148,7 @@ | |||
157 | 148 | ||
158 | <listitem> | 149 | <listitem> |
159 | <para><emphasis role="bold">Interfaces</emphasis>: Add 3 | 150 | <para><emphasis role="bold">Interfaces</emphasis>: Add 3 |
160 | interfaces.</para> | 151 | interfaces (wan, lan1 and lan2).</para> |
161 | </listitem> | 152 | </listitem> |
162 | 153 | ||
163 | <listitem> | 154 | <listitem> |
@@ -212,21 +203,21 @@ | |||
212 | <para><emphasis role="bold">Port1 - WAN</emphasis>: Set the | 203 | <para><emphasis role="bold">Port1 - WAN</emphasis>: Set the |
213 | <literal>External Interface</literal> type to | 204 | <literal>External Interface</literal> type to |
214 | <literal>DPDK</literal> and connect it to the | 205 | <literal>DPDK</literal> and connect it to the |
215 | <literal>wanmgrbr</literal> ovs bridge.</para> | 206 | <literal>wan_br</literal> ovs bridge.</para> |
216 | </listitem> | 207 | </listitem> |
217 | 208 | ||
218 | <listitem> | 209 | <listitem> |
219 | <para><emphasis role="bold">Port2 - LAN1</emphasis>: Set the | 210 | <para><emphasis role="bold">Port2 - LAN1</emphasis>: Set the |
220 | <literal>Incoming Interface</literal> type to | 211 | <literal>Incoming Interface</literal> type to |
221 | <literal>DPDK</literal> and connect it to the | 212 | <literal>DPDK</literal> and connect it to the |
222 | <literal>lan1</literal> ovs bridge.</para> | 213 | <literal>lan1_br</literal> ovs bridge.</para> |
223 | </listitem> | 214 | </listitem> |
224 | 215 | ||
225 | <listitem> | 216 | <listitem> |
226 | <para><emphasis role="bold">Port3 - LAN2</emphasis>: Set the | 217 | <para><emphasis role="bold">Port3 - LAN2</emphasis>: Set the |
227 | <literal>Outgoing Interface</literal> type to | 218 | <literal>Outgoing Interface</literal> type to |
228 | <literal>DPDK</literal> and connect it to the | 219 | <literal>DPDK</literal> and connect it to the |
229 | <literal>lan2</literal> ovs bridge.</para> | 220 | <literal>lan2_br</literal> ovs bridge.</para> |
230 | 221 | ||
231 | <note> | 222 | <note> |
232 | <para>The names of the ports used during instantiation need to be | 223 | <para>The names of the ports used during instantiation need to be |
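Review bot: The bridge names wan_br, lan1_br and lan2_br on new lines 206, 213 and 220 are never introduced where the bridges are created; that step only says "one for each DPDK network interface (WAN, LAN1 and LAN2)". Name the bridges in the creation step so the reader creates them under the names used here. "ovs bridge" should also be written "OVS bridge", as in the creation step.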
@@ -307,13 +298,8 @@ | |||
307 | its license file.</para> | 298 | its license file.</para> |
308 | </listitem> | 299 | </listitem> |
309 | 300 | ||
310 | <listitem><para>VNF Configuration files, provided with your Enea NFV Access | 301 | <listitem><para>VNF Configuration file(s), provided with your Enea NFV Access |
311 | release:</para> | 302 | release: <filename>fortigate-sdwan<x>.conf</filename>.</para></listitem> |
312 | <itemizedlist spacing="compact"> | ||
313 | <listitem><para><filename>fortigate-basic-fw.conf</filename>.</para></listitem> | ||
314 | <listitem><para><filename>fortigate-sdwan<x>.conf</filename>.</para></listitem> | ||
315 | </itemizedlist> | ||
316 | </listitem> | ||
317 | </itemizedlist> | 303 | </itemizedlist> |
318 | </section> | 304 | </section> |
319 | 305 | ||
@@ -347,45 +333,39 @@ | |||
347 | <para>Each VNF instance will have a virtual interface for VNF | 333 | <para>Each VNF instance will have a virtual interface for VNF |
348 | management, for the WAN network and for LAN communication.</para> | 334 | management, for the WAN network and for LAN communication.</para> |
349 | 335 | ||
336 | <para><emphasis role="bold">Setup of an Intel Whitebox uCPE device</emphasis>:</para> | ||
337 | |||
350 | <orderedlist> | 338 | <orderedlist> |
351 | <listitem> | 339 | <listitem> |
352 | <para>Select uCPE Device 1, access <literal>Configuration</literal> | 340 | <para>Connect the <literal>VNFMgr</literal> interfaces to the Lab Network for VNF management access.</para> |
353 | and bind the three physical network interfaces to the DPDK.</para> | ||
354 | </listitem> | 341 | </listitem> |
355 | 342 | ||
356 | <listitem> | 343 | <listitem> |
357 | <para>Create three OVS bridges, one for each DPDK network interface | 344 | <para>Directly connect the <literal>WAN</literal> interfaces back to back (using a cable) or connected via VPN.</para> |
358 | (VNF management, WAN and LAN).</para> | ||
359 | </listitem> | 345 | </listitem> |
360 | 346 | ||
361 | <listitem> | 347 | <listitem> |
362 | <para>Repeat the steps above for uCPE device 2.</para> | 348 | <para>Connect the <literal>LAN</literal> interfaces to the Test Machine.</para> |
363 | </listitem> | 349 | </listitem> |
364 | </orderedlist> | ||
365 | |||
366 | <para><emphasis role="bold">Setup of an Intel Whitebox uCPE | ||
367 | device</emphasis>:</para> | ||
368 | 350 | ||
369 | <itemizedlist> | ||
370 | <listitem> | 351 | <listitem> |
371 | <para><literal>VNFMgr</literal>. Connected to the Lab Network for | 352 | <para>Connect the <literal>ETH0</literal> interfaces to the Lab Network (for Enea uCPE Manager communications).</para> |
372 | VNF management access.</para> | ||
373 | </listitem> | 353 | </listitem> |
374 | 354 | ||
375 | <listitem> | 355 | <listitem> |
376 | <para><literal>WAN interfaces</literal>. Directly connected through | 356 | <para>Select uCPE Device 1, access <literal>Configuration</literal> |
377 | the Ethernet cable.</para> | 357 | and bind the three physical network interfaces to the DPDK.</para> |
378 | </listitem> | 358 | </listitem> |
379 | 359 | ||
380 | <listitem> | 360 | <listitem> |
381 | <para><literal>LAN</literal>. Connected to the Test Machine.</para> | 361 | <para>Create three OVS bridges, one for each DPDK network interface |
362 | (VNF management, WAN and LAN).</para> | ||
382 | </listitem> | 363 | </listitem> |
383 | 364 | ||
384 | <listitem> | 365 | <listitem> |
385 | <para><literal>ETH0</literal>. Connected to the Lab Network (for | 366 | <para>Repeat the steps above for uCPE device 2.</para> |
386 | Enea uCPE Manager communications).</para> | ||
387 | </listitem> | 367 | </listitem> |
388 | </itemizedlist> | 368 | </orderedlist> |
389 | 369 | ||
390 | <para><emphasis role="bold">Onboarding the VNF</emphasis>:</para> | 370 | <para><emphasis role="bold">Onboarding the VNF</emphasis>:</para> |
391 | 371 | ||
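Review bot: Step 2 on new line 344 is not parallel ("Directly connect the WAN interfaces back to back (using a cable) or connected via VPN"); suggest "Connect the WAN interfaces back to back (using a cable) or through a VPN". Steps 1 to 4 already speak of the interfaces of both devices, so "Repeat the steps above for uCPE device 2" on new line 366 should name the steps it means (binding to DPDK and creating the bridges). The heading still says "an Intel Whitebox uCPE device" although the list now covers two devices.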
@@ -417,17 +397,17 @@ | |||
417 | <itemizedlist spacing="compact"> | 397 | <itemizedlist spacing="compact"> |
418 | <listitem> | 398 | <listitem> |
419 | <para><emphasis role="bold">vnfmgr</emphasis>: to connect it to | 399 | <para><emphasis role="bold">vnfmgr</emphasis>: to connect it to |
420 | the <literal>vnfmgrbr</literal> bridge.</para> | 400 | the <literal>vnfmgmt_br</literal> bridge.</para> |
421 | </listitem> | 401 | </listitem> |
422 | 402 | ||
423 | <listitem> | 403 | <listitem> |
424 | <para><emphasis role="bold">wan:</emphasis> to connect it to the | 404 | <para><emphasis role="bold">wan:</emphasis> to connect it to the |
425 | <literal>wanbr</literal> bridge.</para> | 405 | <literal>wan_br</literal> bridge.</para> |
426 | </listitem> | 406 | </listitem> |
427 | 407 | ||
428 | <listitem> | 408 | <listitem> |
429 | <para><emphasis role="bold">lan:</emphasis> to connect it to the | 409 | <para><emphasis role="bold">lan:</emphasis> to connect it to the |
430 | <literal>lanbr</literal> bridge.</para> | 410 | <literal>lan_br</literal> bridge.</para> |
431 | </listitem> | 411 | </listitem> |
432 | </itemizedlist> | 412 | </itemizedlist> |
433 | </listitem> | 413 | </listitem> |
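Review bot: The management bridge becomes vnfmgmt_br on new line 400 while the interface connected to it is still called vnfmgr; the other two pairs match (wan/wan_br, lan/lan_br). Confirm that the mgr/mgmt difference is intended, and state these three bridge names in the "Create three OVS bridges" step so the two places agree.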
@@ -454,11 +434,9 @@ | |||
454 | will fail.</para> | 434 | will fail.</para> |
455 | </note> | 435 | </note> |
456 | 436 | ||
457 | <para><emphasis role="bold">Instantiating the FortiGate | 437 | <para><emphasis role="bold">Instantiating the FortiGate VNF</emphasis>:</para> |
458 | VNF</emphasis>:</para> | ||
459 | 438 | ||
460 | <para>Instantiate the FortiGate VNF by filling the required fields with | 439 | <para>Instantiate the FortiGate VNF by filling the required fields with the following values:</para> |
461 | the following values:</para> | ||
462 | 440 | ||
463 | <itemizedlist spacing="compact"> | 441 | <itemizedlist spacing="compact"> |
464 | <listitem> | 442 | <listitem> |
@@ -484,42 +462,42 @@ | |||
484 | <listitem> | 462 | <listitem> |
485 | <para><emphasis role="bold">Configuration file</emphasis>: The | 463 | <para><emphasis role="bold">Configuration file</emphasis>: The |
486 | SD-WAN example configuration files provided by Enea: | 464 | SD-WAN example configuration files provided by Enea: |
487 | <literal>fortigate-sdwan1.conf</literal> and | 465 | <literal>fortigate-sdwan1.conf</literal> for the FortiGate VNF on uCPE device 1 and |
488 | <literal>fortigate-sdwan2.conf</literal>.</para> | 466 | <literal>fortigate-sdwan2.conf</literal> for the FortiGate VNF on uCPE device 2.</para> |
489 | </listitem> | 467 | </listitem> |
490 | 468 | ||
491 | <listitem> | 469 | <listitem> |
492 | <para><emphasis role="bold">Port1 - VNF Mgr</emphasis>: Set the type | 470 | <para><emphasis role="bold">Port1 - VNF Mgr</emphasis>: Set the type |
493 | to <literal>DPDK</literal> and connect it to the | 471 | to <literal>DPDK</literal> and connect it to the |
494 | <literal>vnfmgrbr</literal> bridge.</para> | 472 | <literal>vnfmgmt_br</literal> bridge.</para> |
495 | </listitem> | 473 | </listitem> |
496 | 474 | ||
497 | <listitem> | 475 | <listitem> |
498 | <para><emphasis role="bold">Port2 - WAN</emphasis>: Set the type to | 476 | <para><emphasis role="bold">Port2 - WAN</emphasis>: Set the type to |
499 | <literal>DPDK</literal> and connect it to the | 477 | <literal>DPDK</literal> and connect it to the |
500 | <literal>wanbr</literal> bridge.</para> | 478 | <literal>wan_br</literal> bridge.</para> |
501 | </listitem> | 479 | </listitem> |
502 | 480 | ||
503 | <listitem> | 481 | <listitem> |
504 | <para><emphasis role="bold">Port3 - LAN</emphasis>: Set the type to | 482 | <para><emphasis role="bold">Port3 - LAN</emphasis>: Set the type to |
505 | <literal>DPDK</literal> and connect it to the | 483 | <literal>DPDK</literal> and connect it to the |
506 | <literal>lanbr</literal> bridge.</para> | 484 | <literal>lan_br</literal> bridge.</para> |
507 | </listitem> | 485 | </listitem> |
508 | </itemizedlist> | 486 | </itemizedlist> |
509 | 487 | ||
510 | <para>Instantiate the FortiGate VNF on uCPE device 1 using the | 488 | <para>Instantiate the FortiGate VNF on uCPE device 1 using the |
511 | <literal>sdwan1</literal> example configuration file.</para> | 489 | <literal>sdwan1</literal> example configuration file.</para> |
512 | 490 | ||
491 | <para>To complete the branch-to-branch setup, configure <literal>uCPE | ||
492 | device 2</literal> in the same way as <literal>uCPE device 1</literal>. | ||
493 | Make sure to use the <literal>sdwan2</literal> configuration file for | ||
494 | the second VNF instantiation.</para> | ||
495 | |||
513 | <note> | 496 | <note> |
514 | <para>The names of the ports used during instantiation need to be the | 497 | <para>The names of the ports used during instantiation need to be the |
515 | same as the ones described above, as the same names will be used in | 498 | same as the ones described above, as the same names will be used in |
516 | the configuration files provided for this example use-case.</para> | 499 | the configuration files provided for this example use-case.</para> |
517 | </note> | 500 | </note> |
518 | |||
519 | <para>To complete the branch-to-branch setup, configure <literal>uCPE | ||
520 | device 2</literal> in the same way as <literal>uCPE device 1</literal>. | ||
521 | Make sure to use the <literal>sdwan2</literal> configuration file for | ||
522 | the second VNF instantiation.</para> | ||
523 | </section> | 501 | </section> |
524 | 502 | ||
525 | <section id="forti_test_uc2"> | 503 | <section id="forti_test_uc2"> |
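Review bot: With new lines 465-466 the "Configuration file" item already states which file belongs to which device, so the two paragraphs that follow ("Instantiate the FortiGate VNF on uCPE device 1 using the sdwan1 example configuration file" and "Make sure to use the sdwan2 configuration file") repeat it. Consider merging them into one sentence, and refer to the files by their full names (fortigate-sdwan1.conf, fortigate-sdwan2.conf) instead of sdwan1 and sdwan2.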
@@ -540,9 +518,7 @@ | |||
540 | Machine-2.</para> | 518 | Machine-2.</para> |
541 | </note> | 519 | </note> |
542 | 520 | ||
543 | <para><literal>uCPE device 1</literal> should be able to ping Test | 521 | <para>The Test Machine connected to <literal>uCPE device 1</literal> should be able to ping the Test Machine connected to <literal>uCPE device 2</literal> in this setup, over the WAN connection. The FortiGate VNF management interface can be accessed from a web |
544 | <literal>uCPE device 2</literal> in this setup over the WAN connection. | ||
545 | The FortiGate VNF management interface can be accessed from a web | ||
546 | browser on the Lab Machine. For more details please see <olink | 522 | browser on the Lab Machine. For more details please see <olink |
547 | targetdoc="book_enea_nfv_access_example_usecases" | 523 | targetdoc="book_enea_nfv_access_example_usecases" |
548 | targetptr="fortigate_webmg">FortiGate VNF Web Management, <xi:include | 524 | targetptr="fortigate_webmg">FortiGate VNF Web Management, <xi:include |
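Review bot: New line 521 refers to "the Test Machine connected to uCPE device 1" while the note directly above ends with "Machine-2"; use the machine names from that note so the source and target of the ping are unambiguous. The new line is also left unwrapped and breaks mid-sentence before "browser on the Lab Machine".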
@@ -611,7 +587,7 @@ virsh console <id of FortiGate VNF></programlisting> | |||
611 | <orderedlist> | 587 | <orderedlist> |
612 | <listitem> | 588 | <listitem> |
613 | <para>Deploy the FortiGate Firewall in its default | 589 | <para>Deploy the FortiGate Firewall in its default |
614 | settings.</para> | 590 | settings.</para><remark>Maybe more info about how to do it should be added here.</remark> |
615 | </listitem> | 591 | </listitem> |
616 | 592 | ||
617 | <listitem> | 593 | <listitem> |
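Review bot: The <remark> added on new line 590 is an open question to the authors rather than reader-facing text. Either add the deployment instructions (or a reference to the section that has them) in this step, or track the question outside the document and make sure remarks are not rendered in the released book. It also sits after </para> on the same line, which makes it easy to miss when the step is edited later.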