SD-WAN Branch to Branch Connection

Software-Defined Wide Area Networking (SD-WAN) provides the benefits of
software-defined networking (SDN) technology to traditionally
hardware-based networking. It is an overlay architecture providing a
networking foundation that is much easier to manage than legacy WANs,
essentially moving the control layer to the cloud and, in the process,
centralizing and simplifying network management. This overlay design
abstracts software from hardware, enabling network virtualization and making
the network more elastic.

The setup detailed in this chapter covers all the steps required to
create a connection between two branch offices. On each site a uCPE device
is installed and connected to a WAN network. NFV Access should be installed
on each uCPE device, and flexiWAN and pfSense VNFs will be instantiated on
each site.

The flexiWAN VNF will create the tunnel between the two branches while
the pfSense VNF (connected in the service chain) will cover the
communication with the LAN on each branch. The setup will be configured from
the uCPE Manager GUI.

The figure above represents the uCPE configuration of one of the
branches. The second uCPE device (site2) will be configured in a similar
way, described in the following sections.

Since there is only one physical network interface connected to WAN,
the configuration allows for multiple types of traffic to pass over this
interface. The ibm_br bridge is the main bridge that connects the physical
network interface to the virtual infrastructure.

The Data-Path represents the traffic that passes over the physical
interface between the in-band management bridge (ibm_br), the flexiWAN VNF,
the service chain bridge (sfc_br), the pfSense VNF, and the lan_br bridge to
finally reach the LAN.

The VNF management interface for the pfSense VNF can be accessed from
WAN using a web browser. VNF management for flexiWAN is done from a
centralized management location where the user needs an account in order to
have access. Please contact the flexiWAN VNF provider before beginning to
set up the configuration.

For infrastructure configuration of each uCPE device, Zero Touch
Provisioning (ZTP) will be used. This is a feature that allows the user to
create an offline configuration before starting and connecting a uCPE device
to the uCPE Manager. NFV Access allows a user to preconfigure interfaces and
bridges using ZTP so that, after the uCPE devices are added, all that is left
to do to have a full setup running correctly is to instantiate the VNFs on
the designated devices.

Preliminary Setup

Connect each uCPE device to the network/Internet using one physical
interface as the designated WAN access interface.

    The uCPE device must have Internet access beforehand.

Install NFV Access on the uCPE devices. See the Enea NFV Access Getting
Started manual, chapter Getting Started with the Enea NFV Access, for more
details.

Install the uCPE Manager on the CentOS host or VM. See the Enea NFV
Access Getting Started manual, chapter Getting Started with Enea uCPE
Manager, for more details.

    The uCPE Manager host machine must be connected to the network so all
    uCPE devices can access it.

Connect to the uCPE Manager: https://<uCPE Manager IP>

The uCPE Manager

Log into the uCPE Manager using the default credentials, username: admin
and password: admin.

Zero Touch Provisioning (ZTP) will be used to preconfigure the
infrastructure in the uCPE Manager for each device. The interface and
bridge configurations are pushed onto each uCPE device when connected.

Onboarding is the process of registering VNFs into the uCPE Manager
after devices are configured. The flexiWAN and pfSense VNFs are used along
with example configuration data.

Onboarding the FlexiWAN VNF

Add a VNF by accessing the VNF menu from the top toolbar, then
Descriptors -> On-board -> VM Image.

Use the following values to fill the required fields:

    VM image file: flexiWAN.qcow2
    Image format: QCOW2
    VNF Type Name: flexiWAN
    Description: Flexiwan VNF
    Version: 1.0
    Memory in MB: 4096. More memory can be allocated if required.
    Num of CPUs: 2. More CPUs can be reserved if required and available.
    Interfaces to add (click the " + " button): wan and lan. Please make
        sure to add them in this order.
    Cloud Init -> Cloud-Init Datasource: ISO
    Cloud Init -> Cloud-Init Disk Type: cdrom
    Onboard: Wait for the message: "VNF package onboarded successfully"
        then close the pop-up.

Onboarding the pfSense VNF

Add the other VNF by accessing the VNF menu from the top toolbar once
again, then Descriptors -> On-board -> VM Image.

Use the following values to fill the required fields:

    VM image file: pfSense.qcow2
    Image format: QCOW2
    VNF Type Name: pfSense
    Description: pfSense VNF
    Version: 1.0
    Memory in MB: 1024
    Num of CPUs: 1
    Interfaces to add (click the " + " button): wan, lan and mgmt. Please
        make sure to add them in this order.
    Cloud Init -> Cloud-Init Datasource: ISO
    Cloud Init -> Cloud-Init Disk Type: cdrom
    Properties to add (click the " + " button):
        Name: vnfMgmtIpAddress. Value: 10.0.0.3 (see note 1)
        Name: internalMgmtPort. Value: 443 (see note 2)
        Name: externalMgmtPort. Value: 60002 (see note 3)
    Onboard: Wait for the message: "VNF package onboarded successfully"
        then close the pop-up.

Please note the following:

    (1) vnfMgmtIpAddress (10.0.0.3) represents the IP address of the
        management interface of the pfSense VNF. Changing this value
        requires an update of the pfSense configuration to match the new
        IP address.
    (2) HTTPS access (443) can be changed to another type of access.
        Please consult the official pfSense documentation for more details
        and make sure the pfSense VNF is configured to accept another type
        of connection before changing the port number.
    (3) externalMgmtPort (60002) represents the external port on which a
        user can access the VNF management interface from a web browser.
        The user can select another port if needed. There are no other
        changes required or components affected by this change.

Offline Configuration for uCPE device1

A Zero Touch Provisioning configuration for a device is done in two
steps from the uCPE Manager's GUI. The first step is to create a data store
and then to add the offline configuration for the device infrastructure into
that data store.

Create the "device1" data store: Applications -> Offline Config -> Add.

Use the following values to fill the required fields:

    Name: device1
    Device Type: Enea universal CPE
    Device Version: 2.2.1
    Config Set: uCPE Config
    deviceId: The ID extracted from device1 after running
        list_deviceID.sh on the NFV Access CLI.

Press the Create button.

Prepare the infrastructure configuration for device1 in the data store:
Applications -> Offline Config -> <select "device1" data store> ->
Config App.... This window layout is very similar to the Configuration
window of a device.

Disable the DPDK: DPDK -> Advanced Settings -> uncheck Enable DPDK to
disable the DPDK and click "Create".

Configure the host interface(s): OpenVSwitch -> Host Interfaces -> Add.

Use the following values to fill the required fields:

    Name: enp7s0f1. This is just an example interface. The user must
        select the interface needed for use with the LAN connection. To
        locate the name of the interface, run ifconfig on the NFV Access
        CLI.
    networking-type: standard.

Click Create, and the enp7s0f1 interface will be ready to use in a
bridge (LAN).

Configure the bridges: OpenVSwitch -> Bridges -> Add.

Use the following values to fill the required fields for the four
bridges that need to be created:

ibm_br:
    Name: ibm_br.
    ovs-bridge-type: inbandMgmt.
    mgmt-address: Provide the IPv4 address of the uCPE Manager machine
        (E.g. 172.24.3.109).
    mgmt-port: 830.
    Click Create.

vnf_mgmt_br:
    Name: vnf_mgmt_br.
    ovs-bridge-type: vnfMgmt.
    vnf-mgmt-address: 10.0.0.1
    Click Create.

sfc_br:
    Name: sfc_br.
    ovs-bridge-type: dataPlane.
    Sub-type: integration.
    Click Create.

lan_br:
    Name: lan_br.
    ovs-bridge-type: dataPlane.
    Sub-type: communication.
    Name: enp7s0f1
    Click Create.

Offline Configuration for uCPE device2

A Zero Touch Provisioning configuration for a device is done in two
steps from the uCPE Manager's GUI. The first step is to create a data store
and then to add the offline configuration for the device infrastructure into
that data store.

Create the "device2" data store: Applications -> Offline Config -> Add.

Use the following values to fill the required fields:

    Name: device2
    Device Type: Enea universal CPE
    Device Version: 2.2.1
    Config Set: uCPE Config
    deviceId: The ID extracted from device2 after running
        list_deviceID.sh on the NFV Access CLI.

Press the Create button.

Prepare the infrastructure configuration for device2 in the data store:
Applications -> Offline Config -> <select "device2" data store> ->
Config App.... This window layout is very similar to the Configuration
window of a device.

Disable the DPDK: DPDK -> Advanced Settings -> uncheck Enable DPDK to
disable the DPDK and click "Create".

Configure the host interface(s): OpenVSwitch -> Host Interfaces -> Add.

Use the following values to fill the required fields:

    Name: eno4. This is just an example interface. The user must select
        the interface needed for use with the LAN connection. To locate
        the name of the interface, run ifconfig on the NFV Access CLI.
    networking-type: standard.

Click Create, and the eno4 interface will be ready to use in a bridge
(LAN).

Configure the bridges: OpenVSwitch -> Bridges -> Add.

Use the following values to fill the required fields for the four
bridges that need to be created:

ibm_br:
    Name: ibm_br.
    ovs-bridge-type: inbandMgmt.
    mgmt-address: Provide the IPv4 address of the uCPE Manager machine
        (E.g. 172.24.3.109).
    mgmt-port: 830.
    Click Create.

vnf_mgmt_br:
    Name: vnf_mgmt_br.
    ovs-bridge-type: vnfMgmt.
    vnf-mgmt-address: 10.0.0.1
    Click Create.

sfc_br:
    Name: sfc_br.
    ovs-bridge-type: dataPlane.
    Sub-type: integration.
    Click Create.

lan_br:
    Name: lan_br.
    ovs-bridge-type: dataPlane.
    Sub-type: communication.
    Name: eno4
    Click Create.

Uploading the offline Configuration

The offline configuration can be uploaded and applied on a uCPE device
only once. If the setup needs to be rerun on a device where ZTP was already
used, please do the following:

    Add the device manually from the uCPE manager GUI.
    Clean the entire configuration on the device.
    Reset the ZTP: device -> Configuration -> Host ->
        initial-config-complete: false -> Apply.
    Delete the device from the uCPE Manager.

Adding the uCPE device1 into the uCPE Manager

Access the Devices menu, then Manage -> Add.

Use the following values to fill the required fields:

    Type: Enea universal CPE
    Release: 2.2.1
    Name: Ucpe1
    IP/DNS Address: Dynamic IP received by the device from the DHCP server
        (E.g. 172.24.12.74).
    Description: ucpe device site 1
    SSH Port: 830
    SSH User Name: root
    Password:
    Device ID: Extract the device ID from device1, by running
        list_deviceID.sh.
    OK: Green status indicates connection with the device was
        established.

To add the device on the map: Right-Click on the Map -> Place Device ->
Ucpe1.

Adding the uCPE device2 into the uCPE Manager

Access the Devices menu, then Manage -> Add.

Use the following values to fill the required fields:

    Type: Enea universal CPE
    Release: 2.2.1
    Name: Ucpe2
    IP/DNS Address: Dynamic IP received by the device from the DHCP server
        (E.g. 172.24.12.74).
    Description: ucpe device site 2
    SSH Port: 830
    SSH User Name: root
    Password:
    Device ID: Extract the device ID from device2, by running
        list_deviceID.sh.
    OK: Green status indicates connection with the device was
        established.

To add the device on the map: Right-Click on the Map -> Place Device ->
Ucpe2.

After the two devices are added into the uCPE Manager, all offline
configuration data prepared for them is pushed automatically onto the
devices. To check if a device is configured, add the device onto the map
and select <Ucpe1> -> Configuration -> OpenVSwitch -> Bridges.

FlexiWAN VNF Instantiation on device1

Instantiate the FlexiWAN VNF by selecting the Ucpe1 device, then the
VNF menu -> Instances -> Add.

Use the following values to fill the required fields:

    Name: Flexiwan_ucpe1
    VNF Type: flexiWAN
    VNFD Version: 1.0
    Flavour: Canonical
    uCPE Device: Ucpe1
    Cloud Init File: flexiWAN_cloudinit.iso

    Example cloud-init image provided. Please see the Appendix for details
    on how to generate a new cloud-init image with a different token.
    Please contact flexiWAN in order to get a valid token and access to
    the flexiWAN manager.

    Create the wan Interface:
        ID: wan
        Type: tap
        IF Name: Bridge: ibm_br
        NIC Model: virtio

    Create the lan Interface:
        ID: lan
        Type: tap
        IF Name: Bridge: sfc_br

Click Create.

pfSense VNF Instantiation on device1

Instantiate the pfSense VNF by selecting the ucpe1 device, then the
VNF menu -> Instances -> Add.

Use the following values to fill the required fields:

    Name: Pfsense_ucpe1
    VNF Type: pfSense
    VNFD Version: 1.0
    Flavour: Canonical
    uCPE Device: Ucpe1
    Cloud Init File: pfsense_192_168_1_1.iso

    Create the wan Interface:
        ID: wan
        Type: tap
        IF Name: Bridge: sfc_br
        NIC Model: virtio

    Create the lan Interface:
        ID: lan
        Type: tap
        IF Name: Bridge: lan_br
        NIC Model: virtio

    Create the mgmt Interface:
        ID: mgmt
        Type: tap
        IF Name: Bridge: vnf_mgmt_br

Click Create.

FlexiWAN VNF Instantiation on device2

Instantiate the FlexiWAN VNF by selecting the ucpe2 device, then the
VNF menu -> Instances -> Add.

Use the following values to fill the required fields:

    Name: Flexiwan_ucpe2
    VNF Type: flexiWAN
    VNFD Version: 1.0
    Flavour: Canonical
    uCPE Device: Ucpe2
    Cloud Init File: flexiWAN_cloudinit.iso

    Example cloud-init image provided. Please see the Appendix for details
    on how to generate a new cloud-init image with a different token.
    Please contact flexiWAN in order to get a valid token and access to
    the flexiWAN manager.

    Create the wan Interface:
        ID: wan
        Type: tap
        IF Name: Bridge: ibm_br
        NIC Model: virtio

    Create the lan Interface:
        ID: lan
        Type: tap
        IF Name: Bridge: sfc_br
        NIC Model: virtio

Click Create.

pfSense VNF Instantiation on device2

Instantiate the pfSense VNF by selecting the ucpe2 device, then the
VNF menu -> Instances -> Add.

Use the following values to fill the required fields:

    Name: Pfsense_ucpe2
    VNF Type: pfSense
    VNFD Version: 1.0
    Flavour: Canonical
    uCPE Device: Ucpe2
    Cloud Init File: pfsense_192_168_2_1.iso

    Create the wan Interface:
        ID: wan
        Type: tap
        IF Name: Bridge: sfc_br
        NIC Model: virtio

    Create the lan Interface:
        ID: lan
        Type: tap
        IF Name: Bridge: lan_br
        NIC Model: virtio

    Create the mgmt Interface:
        ID: mgmt
        Type: tap
        IF Name: Bridge: vnf_mgmt_br
        NIC Model: virtio

Click Create.

Once all VNFs are up and running, the setup is ready for final VNF
configuration and testing.

In order to have the full setup working properly, a tunnel between two
SD-WAN devices needs to be created. The FlexiWAN VNF provides the
functionality to create the VPN tunnel.

FlexiWAN configuration

Connect to https://manage.flexiwan.com and make sure to have an account
and at least two valid device tokens. For more information please contact
the flexiWAN VNF provider.

Proceed to the Inventory menu and click on Devices. The devices should
already be present and need to be configured.

How to configure a device

Select each Unknown device and make sure to set the following values:

Device1 (ucpe1):
    Device Name: Device1
    Description: uCPE device1
    Set "Approved".
    Click "Update Device" button.
    Select Interfaces tab.
    Set IPv4 for the second interface (ens3): 10.0.1.1/24
    Click "Update Interfaces".

Device2 (ucpe2):
    Device Name: Device2
    Description: uCPE device2
    Set "Approved".
    Click "Update Device" button.
    Select Interfaces tab.
    Set IPv4 for the second interface (ens3): 10.0.2.1/24
    Click "Update Interfaces".

uCPE devices can be installed under the same local network, i.e.
having the same public IP, or on different networks (different public IPs).
If both devices are installed under the same local network (the same public
IP), delete the public IP address from the Interfaces configuration tab
before creating a tunnel: https://manage.flexiwan.com -> Inventory ->
Devices -> <device> -> Interfaces -> Public IP.

Select the ">" button (Start) for each device to be put in the
"running" state.

Wait for each "vRouter" device to also enter the "running" state.

Select the main checkbox at the top in order to select all devices and
choose "Actions" -> "Create Tunnels". At this point a direct connection
should be available between the two devices. Check to see if the tunnel was
created by selecting Inventory -> Tunnels.

pfSense configuration

For the pfSense VNF there is no need for manual configuration. The
configuration provided in the cloud-init image is sufficient to run the
setup.

The management interface can be accessed from a web browser at:
https://<deviceIP>:60002
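
A check of the interface-to-bridge wiring entered in the instantiation steps above, as an added example that is not part of the Enea documentation or tooling: it confirms that only mgmt interfaces sit on the vnfMgmt bridge and that traffic from ibm_br reaches lan_br through flexiWAN and then pfSense. The dictionary layout and function names are assumptions; the bridge, type and instance names are the ones used on this page.

```python
# Added example: a constructed site plan that mirrors the values on this page.
BRIDGES = {  # bridge name -> ovs-bridge-type from the offline configuration
    "ibm_br": "inbandMgmt",
    "vnf_mgmt_br": "vnfMgmt",
    "sfc_br": "dataPlane",
    "lan_br": "dataPlane",
}
SITE1 = {  # VNF instance -> {interface ID: bridge}, as entered at instantiation
    "Flexiwan_ucpe1": {"wan": "ibm_br", "lan": "sfc_br"},
    "Pfsense_ucpe1": {"wan": "sfc_br", "lan": "lan_br", "mgmt": "vnf_mgmt_br"},
}


def check_wiring(vnfs, bridges=BRIDGES):
    """List interfaces on unknown bridges or on the wrong side of the mgmt split."""
    problems = []
    for vnf, ifaces in vnfs.items():
        for if_id, bridge in ifaces.items():
            if bridge not in bridges:
                problems.append(f"{vnf}.{if_id}: unknown bridge {bridge}")
            # mgmt interfaces belong on the vnfMgmt bridge, all others off it
            elif (if_id == "mgmt") != (bridges[bridge] == "vnfMgmt"):
                problems.append(f"{vnf}.{if_id}: wrong bridge type for {bridge}")
    return problems


def data_path(vnfs, start="ibm_br", end="lan_br"):
    """Follow wan -> lan hops from start to end; raise ValueError if the chain breaks."""
    path, bridge, seen = [start], start, set()
    while bridge != end:
        nxt = [v for v, i in vnfs.items() if i.get("wan") == bridge and v not in seen]
        if len(nxt) != 1:
            raise ValueError(f"{len(nxt)} unvisited VNFs have wan on {bridge}, expected 1")
        seen.add(nxt[0])
        bridge = vnfs[nxt[0]].get("lan")
        path += [nxt[0], bridge]
    return path


if __name__ == "__main__":
    print(check_wiring(SITE1))
    print(" -> ".join(data_path(SITE1)))
```

A returned path that reaches lan_br without the pfSense instance in it means LAN traffic would not pass through the firewall VNF, so compare the path against the Data-Path described at the top of this chapter before instantiating.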