From 1f89982d96429f382f1e9a9c0bb5f49d4af91a9c Mon Sep 17 00:00:00 2001 From: Miruna Paun Date: Thu, 14 Mar 2019 10:31:09 +0100 Subject: Fixing whitespaces and Target table title. Change-Id: I0502fe92cfc2c6b398640837d82d55ccff89cbd3 --- .../doc/book.xml | 3 +- .../doc/demo_usecases.xml | 2202 -------------------- 2 files changed, 2 insertions(+), 2203 deletions(-) delete mode 100644 doc/book-enea-nfv-access-getting-started/doc/demo_usecases.xml (limited to 'doc/book-enea-nfv-access-getting-started') diff --git a/doc/book-enea-nfv-access-getting-started/doc/book.xml b/doc/book-enea-nfv-access-getting-started/doc/book.xml index 6dde8db..7861f7e 100644 --- a/doc/book-enea-nfv-access-getting-started/doc/book.xml +++ b/doc/book-enea-nfv-access-getting-started/doc/book.xml @@ -25,7 +25,8 @@ xmlns:xi="http://www.w3.org/2001/XInclude" /> + xmlns:xi="http://www.w3.org/2001/XInclude" /> + diff --git a/doc/book-enea-nfv-access-getting-started/doc/demo_usecases.xml b/doc/book-enea-nfv-access-getting-started/doc/demo_usecases.xml deleted file mode 100644 index cdcb931..0000000 --- a/doc/book-enea-nfv-access-getting-started/doc/demo_usecases.xml +++ /dev/null @@ -1,2202 +0,0 @@ - - - Demo Use Cases - -
- Clavister VNF Demo - - In this use case, target_1 will run the Clavister - VNF and an Open vSwitch bridge. - -
- Clavister VNF Demo Overview - - - - - - -
- - How to setup the target to run the Clavister - VNF and an Open vSwitch Bridge - - - - Network interfaces must be bound to the DPDK (target_1 -> - Configuration -> OpenVSwitch -> Host Interfaces -> - Add): - -
- Adding Host Interfaces - - - - - - -
-
- - - Select the network interface that will be used to connect to the - second target, configure it for DPDK, and click "Create" to send the - configuration to the target: - -
- Host Interface Creation - - - - - - -
-
- - - Create an Open vSwitch bridge (ovsbr0) with - one DPDK interface by selecting the "Add" button from the "Bridges" - tab: - -
- The Bridges Tab - - - - - - -
- - Once the bridge creation popup appears, fill the fields and add - the physical interface: - -
- OVS bridge - - - - - - -
-
- - - Repeat these steps on the second target (target_2), by also - using one DPDK interface and creating an OVS bridge. - - Once the network configuration has been completed on both - targets, VNFs can be instantiated. - - - - Before instantiating the iPerf VNF, a flavor needs to be - reconfigured to use two cores and 2 GB of RAM. - - Please follow the steps in the figure below to reconfigure the - flavor (target_2 -> Configuration (1) -> Virtual Machines -> - Double Click on Iperf flavor (2)): - -
- Reconfiguring the Flavor - - - - - - -
- - - The Clavister VNF will be instantiated on target_1. - -
- - - Select the target_1 device, click the "VNF" button from the top - toolbar menu and click "Add" in the new window at the bottom of the - screen: - -
- Creating a new VNF - - - - - - -
-
- - - Fill in the required information about the Clavister VNF, (the - default network configuration can be used): - -
- VNF Instance - - - - - - -
-
- - - On target_2, two iPerf VNFs will be instantiated. One will act - as the server and the second as the client. - - - - Select target_2, then the VNF option from the top toolbar (VNF - -> Instances -> Add): - -
- Target 2 VNF Instance - - - - - - -
-
- - - In the "VNF Instance" window, select the first "iPerf" VNF from - the dropdown menu, configure it to act as a server by unchecking the - "Client mode IPerf" box, and click the "Create" button: - -
- VNF instance in server mode - - - - - - -
-
- - - Select "Add", enable the "Client mode IPerf" checkbox and then - click "Create" to instantiate the second iPerf VNF as a client, and to - run it in client mode: - -
- VNF instance in client mode - - - - - - -
-
- - - In order to check that traffic is forwarded between the VNFs, - connect to the iPerf VNF client console (target_2 -> SSH - > - user:root -> Connect) and run the following: - - virsh list -virsh console -root@qemux86-64:~# iperf3 -c 192.168.10.10 - -
-
- -
- Enea VNF demo - - Use case description: pktgen[DPDK] - PHY1 - PHY2 - [DPDK]OVS - - VM[DPDK]testpmd(forwarding) - OVS[DPDK] - VM[DPDK] - testpmd(termination). - -
- Enea VNF Demo Overview - - - - - - -
- - How to setup the Enea VNF - Demo - - - - Host interfaces must be bound to the DPDK (target_1 -> - Configuration -> OpenVSwitch -> Host Interfaces -> - Add): - -
- Adding OVS Host Interfaces - - - - - - -
-
- - - Select the network interface that will be used to connect to the - second target and configure it for the DPDK: - -
- Configuring the host interface - - - - - - -
-
- - - Select the "Create" button to send the configuration to the - target. The same steps must also be performed on the target_2 - device. - - - - Create an OpenVSwitch bridge (ovsbr0) on - target_1 that uses one DPDK interface, by selecting the "Add" button - from the Bridges tab (target_1 -> Configuration -> - OpenVSwitch-> Bridges): - -
- OVS Bridge Table - - - - - - -
- -
- Adding the interface to the OVS Bridge - - - - - - -
-
- - - Instantiate the TestPMD VNFs on target_1 (target_1 -> VNF - -> Instances -> Add). - - - - Configure the VNF that forwards traffic: - -
- Configuring the fwdVNF - - - - - - -
-
- - - Configure the VNF that terminates traffic: - -
- Configuring the termVNF - - - - - - -
-
- - - Add OpenVSwitch flows to control this traffic: - -
- Configuring the FWD flow - - - - - - -
- -
- Configuring the TERM flow - - - - - - -
-
- - - Start pktgen on target_2. Connect to the device by using SSH - (target2 -> SSH -> user (root)) and perform the - following: - - killall ovsdb-server ovs-vswitchd -rm -rf /etc/openvswitch/* -mkdir -p /var/run/openvswitch -modprobe igb_uio -dpdk-devbind --bind=igb_uio 0000:05:00.3 -cd /usr/share/apps/pktgen/ -./pktgen -c 0x7 -n 4 --proc-type auto --socket-mem 256 -w 0000:05:00.3 -- \ - -P -m "[1:2].0" -Pktgen:/> start 0 - - - - Connect to the forwarder VNF in order to check the traffic - statistics (target_1 -> SSH): - - Virsh list -Virsh console 1 -# Qemux86-64 login: root -tail -f /opt/testpmd-out - -
- Traffic Statistics - - - - - - -
-
-
-
- -
- Clavister VNF demo using SR-IOV - - In this use case, target 1 will run the iPerf server and iPerf - client VNFs using SR-IOV and target 2 will run the Clavister VNF using - SR-IOV with two virtual functions (vf1 and vf2): - -
- Demo Overview - - - - - - -
- - - - On target 2, create an SR-IOV configuration with 2 virtual - functions (target 2 -> Configuration -> OpenVSwitch -> Host - Interfaces -> Add): - -
- SR-IOV configuration with 2 virtual functions - - - - - - -
-
- - - Instantiate the Clavister VNF on target 2, by clicking VNF -> - Instances -> Add. - - Select "SrIovAdapterPool" for both Interface1 type and 2 type, - before clicking "Create": - -
- Instantiating the Clavister VNF on target 2 - - - - - - -
-
- - - On target 1, create an SR-IOV interface as done in step - 1. - - - - Create the iPerf server on target 1. Select "SrIovAdapterPool" - as an Interface type: - -
- IPerf Server Interface Type - - - - - - -
-
- - - Create the iPerf client on target 1. Select "SrIovAdapterPool" - as an Interface type and tick the "Client mode IPerf" checkbox: - -
- IPerf Client Interface Type - - - - - - -
-
- - - In order to check that traffic is forwarded between the VNFs, - connect to the iPerf VNF client console (target 1 -> SSH - > - user:root -> Connect) and run the following - commands:virsh list -virsh console -root@qemux86-64:~# iperf3 -c 192.168.10.10 - -
-
- -
- TestPMD VNF using PCI passthrough - - In this use case, target 1 will run the Pktgen and target 2 will run - the TestPMD VNF. Both will be using PCI passthrough: - -
- TestPMD VNF using PCI passthrough Overview - - - - - - -
- - - - Make sure that neither target 1 nor target 2 have any configured - host interfaces (target -> Configuration -> OpenVSwitch -> - Host Interfaces). - - - - On target 1 start the Pktgen VNF. Select "PciPassthrough" as the - Interface type. - - From the drop-down list, select the PCI interface corresponding - to the NIC which is connected to target 2: - -
- Selecting the Pktgen VNF Interface - - - - - - -
-
- - - On target 2, start the TestPmdForwarder VNF. Select - "PciPassthrough" as the Interface type. From the drop-down list, - select the PCI interface corresponding to the NIC which is connected - to target 1: - -
- Selecting the TestPmdForwarder VNF Interface - - - - - - -
-
- - - To check that traffic is being forwarded from target 2, SSH to - the target and connect to the VNFs console: - - Right click on target 2 and select SSH. -Run: virsh list -Run: virsh console [VM NAME] -Run: tail -f /opt/testpmd-out - -
-
- -
- FortiGate VNF - - FortiGate virtual appliances is "appliances" the correct - word to use here? feature all of the security and networking - services common to traditional hardware-based FortiGate appliances. The - virtual appliances can be integrated in Firewall or SD-WAN solution - development. - - Enea provides a prepared VNF bundle for download from the Enea - Portal, for usage with the Enea NFV Access product. The prepared VNF - bundle includes the FortiGate VNF image as well as a VNF Descriptor and - other onboarding related configuration files. The VNF Descriptor provided - configures a setup, which requires the following resources: - - - - 3 x Network Interfaces - - - - 1 x vCPU - - - - 1 GB of RAM memory - - - - The VNF Descriptor represents one specific setup, suitable for usage - with the Firewall and SD-WAN VPN instructions in this guide. Alternative - VNF Descriptor configurations may be needed to support other - configurations required by the customer. - - Enea can provide assistance to provide alternative VNF Descriptor - configurations. - - - While the prepared FortiGate bundle is provided from Enea Portal, - additional content needs to be received from Fortinet directly. The - FortiGate VNF license as well as any FortiGate specific documentation - shall be requested from the local Fortinet sales representatives in your - region, before FortiGate can be used. - - -
- FortiGate VNF as a Firewall - - FortiGate Next Generation Firewall utilizes purpose-built security - processors and threat intelligence security services to deliver - top-rated protection and high performance, including encrypted traffic. - FortiGate reduces complexity with automated visibility into - applications, users and networks, and provides security ratings to adopt - security best practices. - - An example firewall configuration for the FortiGate VNF is - provided in the Enea Portal. It is a simple firewall base - configuration. - - - FortiGate VNF Example Configuration - - - - - - - Component - - Setting/Description - - - - - - Firewall - - "All pass" mode - - - - WAN (Virtual Port1) - - DHCP Client, dynamically assigned IP - address.FortiGate In-Band - Management1 - - - - WAN (Virtual Port2) - - IP address: 172.168.16.1DHCP server (IP - range 172.168.16.1 - 172.168.16.255). - - - - WAN (Virtual Port3) - - Ignored - - - -
- - 1FortiGate In-Band Management is a - feature for running FortiGate Management traffic over WAN. - - Instructions on how to alter the default configuration is provided - in the Fortigate VNF management chapter. - - Lab Setup - - Before starting the configuration of the FortiGate Firewall, a lab - setup of hardware and software configurations has to be built. The - following table illustrates the required lab setup: - - - Lab Setup Prerequisites - - - - - - - Component - - Description/Requirements - - - - - - Lab Network - - - - - DHCP enabled Lab Network - - - - Internet Connectivity - - - - - - - Setup of an Intel Whitebox target device - - - - - Minimum 4 Physical Network Devices - - - - 4 GB RAM and 4 cores (C3000 or Xeon D) - - - - Enea NFV Access Installed - - - - WAN Connected to Lab Network - - - - LAN1 Connected to Test Machine - - - - LAN2 Unconnected - - - - ETH0 connected to Lab Network (for Enea uCPE - Manager communications) - - - - - - - Setup of a Lab Machine - - - - - Connected to Lab Network - - - - Running either Windows or CentOS - - - - Enea uCPE Manager installed - - - - - - - Setup of a Test Machine - - - - - Connected to Whitebox LAN - - - - Internet Connectivity via LAN - - - - Configured as DHCP client on LAN - - - - - - - FortiGate VNF - - - - - Downloaded the FortiGate VNF Bundle from Enea - Portal to the Lab Machine file system. Please see the - Download Chapter for more details. - - - - Downloaded FortiGate configuration examples from - the Enea Portal to the Lab Machine file system. Please - check the Download Chapter for more details. Unpack the - configuration examples on the Lab Machine. - - - - Retrieve FortiGate VNF license from Fortinet and - store it on the Lab Machine file system. See FortiGate VNF - for details. - - - - Optionally retrieve FortiGate VNF documentation - from Fortinet. See FortiGate VNF for details. - - - - - - -
- -
- Lap Setup Overview - - - - - - -
- - uCPE Networking Setup - - Before deploying the FortiGate Firewall, the Enea NFV Access - platform has to be configured to the specific networking setup. - - Since the firewall is using three External Network Interfaces, - three bridges need to be configured. Each bridge provides the ability to - connect a physical network interface to the virtual machines' virtual - network interface. Each physical to virtual network interface connection - is setup in two steps: - - - - Bind the physical network interfaces with a DPDK - driver. - - - - Create a named bridge for each physical network - interface. - - - - - For more details about interface configuration, please see the - Network Configuration section in the chapter on Configuration - Options. - - - - - Start the setup by preparing each interface for attachment to - a bridge. Bind the physical network interfaces to the DPDK (target - -> Configuration -> OpenVSwitch -> Host Interfaces -> - Add): - -
- Binding the physical network interface - - - - - - -
- - The result of binding these three physical network interfaces - should look like the following: - -
- Successful Binding - - - - - - -
-
- - - Create one OpenVSwitch bridge for each firewall network - connection (WAN, LAN1 and LAN2), by selecting the "Add" button from - Bridges tab (target -> Configuration -> OpenvSwitch-> - Bridges). A popup like the following should appear: - -
- Creating a bridge each Firewall Net. Connection - - - - - - -
-
- - - Repeat this step for each type of connection until all are - bridges are configured. - -
- Configured Bridges per Connection Type - - - - - - -
-
-
- - Onboarding the FortiGate - VNF - - - - To on-board the Fortigate VNF click the VNF tab in the top - toolbar and select the Descriptors button. - - Click on the "Descriptors(2)" -> "On-board(3)" -> - "Browse(4)" options, and select the "Fortigate.zip" file, before - clicking "Send": - -
- Selecting Descriptors - - - - - - -
-
- - - Wait for the "Onboarding Status" popup to display the - confirmation message (listed in green) and select "OK": - -
- Onboarding the new VNF - - - - - - -
-
-
- - Instantiate the FortiGate - VNF - - - - Select the target device, then from the top toolbar the select - "VNF" -> "Instances" -> "Add": - -
- Adding Instances to Target - - - - - - -
- - Make sure you have downloaded valid license files for the - Fortigate VNF from Fortinet, and the configuration file provided by - Enea as examples according to previous instructions. - -
- Example License and Configuration files - - - - - - -
-
- - - Fortigate VNF instantiation requires the following - settings: - - - Instantiation Requirements - - - - - - - - - Component - - Description - - - - - - Name - - The name of the VM which will be created on the - target device. - - - - VNF Type - - Name of the on-boarded VNF bundle. - - - - VIM - - Name and IP address of the device where the VNF has - to be instantiated. - - - - License file - - FortiGate license file provided by Fortinet. - - - - Configuration file - - Firewall example configuration file provided by Enea - FGVM080000136187_20180828_0353_basic_fw.conf - - - - - Port1 - WAN - - Set as dpdk type and connect it to wanmgrbr - bridge. - - - - Port2 - LAN1 - - Set as dpdk type and connect it to lan1 - bridge. - - - - Port3 - LAN2 - - Set as dpdk type and connect it to lan2 - bridge. - - - -
- - When the instantiation process is completed, the setup is - ready for testing. -
-
- - Test the FortiGate - Firewall - - Connect the Test Machine on the LAN interface and access the - internet from the Test Machine to use the firewall on the target - device. - - - The connected Test Machine can be a laptop or a target that has - one interface configured to get an dynamic IP from a DHCP server. The - dhclient <interface> command can be used to - request an IP address. The received IP must be in the 172.16.1.2 - - 172.16.1.255 range. - - -
- Testing Overview - - - - - - -
- - In the example above, the FortiGate VNF management interface is - accessible through the WAN interface, the WAN IP address can be used - from a web browser on the Lab Machine to access the Fortigate VNF - Management Web UI. Please check the Fortigate VNF web management section - for more information. - - In another example, the firewall can be setup to use bridges as - connection points for the Fortigate VNF. It is possible to replace - OVS-DPDK bridges with SR-IOV connection points. The previous - sentence in the original was very hard to understand, please confirm if - this is what you intended to say Please check the network - configuration chapter on how to configure an interface for - SR-IOV. - - It was previously assumed that three physical interfaces are - available for VNF connection. In the case of a firewall setup it is - possible to use only two physical interfaces for the data path (one for - WAN and one for LAN). In the example below only two interfaces will be - configured as DPDK and two bridges are created, one for each type of - connection. - - At VNF instantiation instead of assigning distinct bridges for - each LAN interface, only one will be used for both LAN1 and LAN2, with - no changes in WAN interface configuration. Please see the picture below - for final setup: - -
- Two Interface Configuration - - - - - - -
-
- -
- FortiGate VNF web management - - In order to check the IP address assigned to Fortigate VNF you - need to connect to the Fortigate CLI. - - Connecting to the Fortigate - CLI - - - - SSH to the target device from the Lab Machine and attach to - the VNF's console using the "virsh console" command shown - below: - -
- Attaching to the VNF Console - - - - - - -
-
- - - To access Fortigate CLI, use the credential "admin" for the - user, leaving the password blank, then press enter. - - Use the CLI command "get system interface" to get the dynamic - interfaces configuration. - -
- Acessing and configuring Fortigate CLI - - - - - - -
-
- - - Use the IP address assigned for the management interface in - the web browser (https://<IP>), to access - the Fortinet VNF web management interface. Use the same credentials - as before to login: - -
- Accessing the web management interface - - - - - - -
-
- - - You can browse through the configuration and perform changes - according to your setup: - -
- The Fortinet Web Interface - - - - - - -
-
- - - Optional, alter the default Fortinet example configuration - provided by Enea, through the following steps: - - - - Deploy the FortiGate Firewall in its default - settings. - - - - Connect to the FortiGate VNF Web Management with a web - browser. - - - - Modify the FortiGate configuration in the FortiGate VNF - Web Management as needed. - - - - Store the updated configuration in a file, by saving in - the FortiGate VNF Web Management interface, so it may be used at - the next FortiGate VNF instantiation. - - - - - Editing the default configuration is only recommended for - FortiGate configuration experts. - - -
-
- -
- FortiGate VNF as an SD-WAN VPN - - The software-defined wide-area network (SD-WAN or SDWAN) is a - specific application of software-defined networking (SDN) technology - applied to WAN connections. It connects enterprise networks, including - branch offices and data centers, over large geographic distances. - - SD-WAN decouples the network from the management plane, detaching - the traffic management and monitoring functions from hardware. Most - forms of SD-WAN technology create a virtual overlay that is - transport-agnostic, i.e. it abstracts underlying private or public WAN - connections. With an overlay SD-WAN, a vendor provides an edge device to - the customer that contains the software necessary to run the SD-WAN - technology. For deployment, the customer plugs in WAN links into the - device, which automatically configures itself with the network. - - The following will detail an SD-WAN setup for a branch to branch - connection using the FortiGate VNF. FortiGate provides native SD-WAN - along with integrated advanced threat protection. - - - Example SD-WAN configurations for the FortiGate VNF are provided - in the Enea Portal. - - - - FortiGate VNF Example Configuration - SD-WAN Target 1 - - - - - - - Component - - Description - - - - - - SD-WAN - - VPN connection between two branches (Target 1 and Target - 2). - - - - VNFMgr (Virtual Port1) - - DHCP Client, dynamically assigned IP address. - - - - WAN (Virtual Port2) - - IP address: 10.0.0.1 - - - - LAN (Virtual Port3) - - - - - IP address: 172.16.1.1 - - - - DHCP server (IP range 172.16.1.2 - - 172.16.1.254) - - - - - - -
- - - FortiGate VNF Example Configuration - SD-WAN Target 2 - - - - - - - Component - - Description - - - - - - SD-WAN - - VPN connection between two branches (Target 2 and Target - 1). - - - - VNFMgr (Virtual Port1) - - DHCP Client, dynamically assigned IP address. - - - - WAN (Virtual Port2) - - IP address: 10.0.0.2 - - - - LAN (Virtual Port3) - - - - - IP address: 172.16.2.1 - - - - DHCP server (IP range 172.16.2.2 - - 172.16.2.254) - - - - - - -
- - Lab Setup - - The following table illustrates the use-case prerequisites of the - setup: - - - Lab Setup Prerequisites - - - - - - - Component - - Description - - - - - - Lab Network - - - - - DHCP enabled Lab Network. - - - - Internet Connectivity. - - - - - - - Two Intel Whitebox target devices - - - - - Minimum 4 Physical Network Devices. - - - - 4 GB RAM and 4 cores (C3000 or Xeon D). - - - - Enea NFV Access Installed. - - - - VNFMgr Connected to Lab Network for VNF management - access. - - - - WAN interfaces directly connected through Ethernet - cable. - - - - LAN Connected to Test Machine. - - - - ETH0 connected to Lab Network (for Enea uCPE - Manager communications). - - - - - - - One Lab Machine - - - - - Connected to Lab Network. - - - - Running either Windows or CentOS. - - - - Enea uCPE Manager installed. - - - - - - - Two Test Machines - - - - - Connected to Whitebox LANs. - - - - Internet Connectivity via LAN. - - - - Configured as DHCP client on LAN. - - - - - - - FortiGate VNF - - - - - Downloaded the FortiGate VNF Bundle from Enea - Portal to the Lab Machine file system. - - - - Downloaded FortiGate configuration examples from - Enea Portal to Lab Machine file system. Unpack the - configuration examples specific for SD-WAN on the Lab - Machine. - - - - Retrieve the FortiGate VNF license from Fortinet - and store it on the Lab Machine file system. - - - - Optionally, retrieve FortiGate VNF documentation - from Fortinet. - - - - - - -
- -
- SD-WAN: VPN Configuration - - - - - - -
- - uCPE Networking Setup - - Before deploying the FortiGate SD-WAN, the Enea NFV Access - platform has to be configured to the specific networking setup. - - Since the SD-WAN VNF uses three External Network Interfaces, three - bridges need to be configured. Each bridge provides the ability to - connect a physical network interface to the virtual machine's virtual - network interface. Each physical to virtual network interface connection - is setup in two steps: - - - - Bind the physical network interfaces with a DPDK - driver. - - - - Create a named bridge for each physical network - interface. - - - - Start the setup by preparing each physical interface for - attachment to a bridge. Each VNF instance will have a virtual interface - for VNF management, for the WAN network and for LAN - communication. - - - - Bind physical interface to DPDK (target_1 -> Configuration - -> OpenVSwitch -> Host Interfaces -> Add): - -
- Binding the Physical Interface - - - - - - -
- - The result of binding these three interfaces should look like - the following: - -
- Results of Binding - - - - - - -
-
- - - Create one OpenVSwitch bridge for each SD-WAN network - connection (VNF management, WAN and LAN) by selecting the "Add" - button from the Bridges tab (target -> Configuration -> - OpenvSwitch-> Bridges). A popup like this should appear: - -
- Creating an OpenVSwitch bridge for an SD-WAN network - connection - - - - - - -
-
- - - Repeat this step for all network connections. Three bridges - will be created: - -
- The three newly created Bridges - - - - - - -
-
-
- - Once the interfaces and bridges are ready, only the on-boarding - and instantiation of the VNF remains to be done. - - Onboarding the FortiGate - VNF - - - - To on-board a VNF, select a target device on the map and click - the VNF button in the top toolbar. Then, click the "Descriptors" - -> "On-board" -> "Browse" options, and select the - Fortigate.zip file, before clicking - "Send": - -
- On-boarding FortiGate VNF - - - - - - -
-
- - - Wait for the "Onboarding Status" popup to display the - confirmation message and select "OK": - -
- Successful Confirmation - - - - - - -
-
-
- - Instantiating the FortiGate - VNF - - The following steps describe how to instantiate the Fortigate - VNF. - - - - Select the target, then from the top toolbar click on "VNF" - and choose the "Instances" -> "Add" options: - -
- Adding an Instance - - - - - - -
- - - Download locally the valid license files for the Fortigate - VNF from Fortinet and the configuration file provided by Enea as - examples. - -
- - - Use the sdwan1 example configuration file - for the first target: - -
- Configuring target_1 - - - - - - -
-
-
- - Fortigate VNF instantiation requires the following - settings: - - - Fortigate VNF Instantiation Requirements - - - - - - - - - Component - - Description - - - - - - Name - - The name of the VM which will be created on target - device. - - - - VNF Type - - The name of the on-boarded VNF bundle. - - - - VIM - - Name and IP address of the device where the VNF has to be - instantiated. - - - - License file - - FortiGate license file provided by Fortinet. - - - - Configuration file - - SD-WAN example configuration files provided by Enea: - - FGVM080000136187_20180215_0708_sdwan1.conf - - FGVM080000136188_20180215_0708_sdwan2.conf - - - - Port1 - VNFMgr - - Set as dpdk type and connect it to vnfmgrbr - bridge. - - - - Port2 - WAN - - Set as dpdk type and connect it to wanbr bridge. - - - - Port3 - LAN - - Set as dpdk type and connect it to lanbr bridge. - - - -
- - To complete the branch-to-branch setup, configure the peer target - in the same way as target_1. Make sure to use the - FGVM080000136188_20180215_0708_sdwan2.conf - configuration file for the second VNF instantiation. - - Testing the FortiGate SD-WAN - VPN - - Once the full SD-WAN setup is in place a VPN connection needs to - established between the two devices. The Test Machines can be connected - to the LAN interface on each target. - - The connected Test Machine can be a laptop or a target that has - one interface configured to get dynamic IP from a DHCP server. The - dhclient <interface> command can be used to - request an IP address. - - - The received IP must be in the 172.16.1.2 - 172.16.1.255 range - for Test Machine-1 and in the 172.16.2.2 - 172.16.2.255 range for Test - Machine-2. - - -
- Overview: Testing Machines Setup - - - - - - -
- - Test Machine-1 should be able to ping Test Machine-2 in this setup - over the WAN connection. - - In the figure above and this example, the FortiGate VNF management - interface is accessible through a dedicated Mgmt interface. The Mgmt IP - address can be used from a web browser on the Lab Machine to access the - Fortigate VNF Management Web UI. - - - In this SD-WAN VPN setup example, bridges were used as - connection points for Fortigate VNF. It is possible to replace - OVS-DPDK bridges with SR-IOV connection points. - -
-
- -
- In-band Management - - In the case of an NFV Access device installed on a network with - limited access, In-band management can be a solution to manage the device - and to pass data traffic (through only one physical interface). This demo - use-case will show how to enable the In-band management on the NFV Access - device and to access a VNF on the same physical interface. - -
- NFV Access In-band management solution setup - - - - - - -
- - Setup uses the following network configuration: - - - - 1 x Network Interface for WAN and management. - - - - 1 x Network Interface for LAN. - - - - For prerequisites and further details, please see and . - -
- In-band management activation for FortiGate VNF - Instantiation - - In-band management activation is done by creating a special bridge - which manages all traffic from the WAN interface. The active physical - port of the device (used by the device manager to communicate with the - uCPE Manager) will be connected to the In-band management bridge. Once - the In-band management bridge is activated, communication to the uCPE - Manager will be reactivated, passing through the bridge. - - - No other physical port for In-band management can be - used. - - - - - Create an In-band management WAN Bridge: - - - - Select the Device menu. - - - - In the Configuration tab select - OpenVSwitch. - - - - Select Bridges and click - Add. - - - - Use dpdkWAN as the - ovs-bridge-type. - - - -
- Create In-band management WAN bridge - - - - - - -
-
- - - Bind the physical port which will be used for LAN access to - dpdk: - - - - Select the Device menu. - - - - In the Configuration tab select - OpenVSwitch. - - - - Select the Host Interfaces menu and - click Add. - - - - Use dpdk as the - ovs-bridge-type. - - - -
- Bind LAN physical port to dpdk - - - - - - -
-
- - - Create a LAN Bridge: - - - - Select the Device. - - - - In the Configuration menu select - OpenVSwitch. - - - - Open the Bridges menu and click - Add. - - - -
- Create LAN bridge - - - - - - -
- - At this step the following bridges should exist: - -
- Bridges - - - - - - -
- - - The WAN port of the very first VNF instantiated on the - device must be connected to the ibm-wan-br - bridge. All other VNFs must be connected in chain with - the first VNF. - -
- - - Onboard the first VNF and instantiate it on the device: - - - - Select the Device. - - - - Select the VNF menu. - - - - In the Descriptors menu, choose the - VNF Package option. - - - - Browse and select the Fortigate bundle you require, before - pressing the Send button. - - - -
- Onboard Fortigate VNF - - - - - - -
-
- - - Add the VNF instance: - - - - Select the Device. - - - - Select the VNF menu. - - - - Choose the Instances option, select the - VNF configuration you desire and press - Add. - - - - Browse and select the Fortigate bundle you require, before - pressing the Send button. - - - -
- Instantiate Fortigate VNF - - - - - - -
-
-
- - Once the VNF is instantiated, the setup is complete and ready for - testing. Connect the test machine to the LAN port. It will receive an IP - address from the Fortigate VNF and be able to access the - internet. -
- -
- Testing the Fortigate VNF In-band management activation - -
- Test setup - - - - - - -
- - At this stage, three types of traffic are passing through the WAN - port on the same IP address: - - - - Device management traffic from uCPE Manager. - - - - Fortigate management interface traffic from a web - browser. - - - - Data traffic from the LAN to the internet. - - - - Having access from the uCPE Manager to the device as shown above, - demonstrates that device management traffic passes through the in-band - management WAN bridge successfully. - - To access the management interface of the VNF, connect from a web - browser to the public IP address of the device e.g. - https://<IP>. From a Test machine connected on - LAN port, try a test ping to the internet e.g. "ping 8.8.8.8". -
-
-
\ No newline at end of file -- cgit v1.2.3-54-g00ecf
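Review bot: The book.xml hunk (@@ -25,7 +25,8 @@) only shows the xmlns:xi="http://www.w3.org/2001/XInclude" line replaced by a line with the same text plus one added line, yet the same commit deletes doc/demo_usecases.xml. Please confirm that no xi:include in book.xml still references demo_usecases.xml, because an include of a deleted file will fail to resolve when the book is built. The subject "Fixing whitespaces and Target table title" also says nothing about a 2202-line chapter being removed. State in the commit message why the file is dropped or where its content now lives.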
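Review bot: In the "FortiGate VNF web management" section of the deleted demo_usecases.xml, the reader logs in with user "admin" and a blank password, while the firewall example runs in "All pass" mode and the management UI is reachable over the WAN interface. If this chapter is being relocated rather than retired, add a step that sets the admin password before the WAN-facing management interface is used, and do not carry the text over as-is. The same pass should reconcile the addresses: the firewall table gives 172.168.16.1 with a DHCP range of 172.168.16.1 - 172.168.16.255 (not in the 172.16.0.0/12 private block, and the range includes the server's own address), while the test section expects 172.16.1.2 - 172.16.1.255. It should also drop the leftover editorial remarks, such as 'is "appliances" the correct word to use here?', and correct the capitalised "Virsh list" / "Virsh console 1" commands.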