SD-WAN Branch to Branch Connection

Software-Defined Wide Area Networking (SD-WAN) brings the benefits of software-defined networking (SDN) technology to traditionally hardware-based networking. It is an overlay architecture that provides a networking foundation much easier to manage than legacy WANs: the control layer is essentially moved to the cloud, which centralizes and simplifies network management. This overlay design abstracts software from hardware, enabling network virtualization and making the network more elastic.

The setup detailed in this chapter covers all the steps required to create a connection between two branch offices. On each site a uCPE device is installed and connected to a WAN network. NFV Access should be installed on each uCPE device, and flexiWAN and pfSense VNFs will be instantiated on each site. The flexiWAN VNF creates the tunnel between the two branches, while the pfSense VNF (connected in the service chain) handles the communication with the LAN on each branch. The setup is configured from the uCPE Manager GUI.
Figure: Branch to Branch Connection Overview

The figure above represents the uCPE configuration of one of the branches. The second uCPE device (site2) is configured in a similar way, described in the following sections. Since only one physical network interface is connected to the WAN, the configuration allows multiple types of traffic to pass over this interface. The ibm_br bridge is the main bridge that connects the physical network interface to the virtual infrastructure. The Data-Path represents the traffic that passes over the physical interface between the in-band management bridge (ibm_br), the flexiWAN VNF, the service chain bridge (sfc_br), the pfSense VNF, and the lan_br bridge, to finally reach the LAN.

The VNF management interface of the pfSense VNF can be accessed from the WAN using a web browser. VNF management for flexiWAN is done from a centralized management location, where the user needs an account in order to have access. Please contact the flexiWAN VNF provider before beginning to set up the configuration.

Zero Touch Provisioning (ZTP) is used for the infrastructure configuration of each uCPE device. This feature allows the user to create an offline configuration before starting and connecting a uCPE device to the uCPE Manager. NFV Access allows a user to preconfigure interfaces and bridges using ZTP, so that, once the uCPE devices have been added, all that is left to do in order to have a full setup running is to instantiate the VNFs on the designated devices.
Preliminary Setup

1. Connect each uCPE device to the network/Internet using one physical interface as the designated WAN access interface. The uCPE device must have Internet access beforehand.
2. Install NFV Access on the uCPE devices. See the Enea NFV Access Getting Started manual, chapter Getting Started with the Enea NFV Access, for more details.
3. Install the uCPE Manager on the CentOS host or VM. See the Enea NFV Access Getting Started manual, chapter Getting Started with Enea uCPE Manager, for more details. The uCPE Manager host machine must be connected to the network so that all uCPE devices can access it.
4. Connect to the uCPE Manager: https://<uCPE Manager IP>
The uCPE Manager

Log into the uCPE Manager using the default credentials, username: admin and password: admin. Zero Touch Provisioning (ZTP) will be used to preconfigure the infrastructure in the uCPE Manager for each device. The interface and bridge configurations are pushed onto each uCPE device when it connects. Onboarding is the process of registering VNFs into the uCPE Manager after the devices are configured. The flexiWAN and pfSense VNFs are used along with example configuration data.
Onboarding the FlexiWAN VNF

Add a VNF by accessing the VNF menu from the top toolbar, then Descriptors -> On-board -> VM Image. Use the following values to fill the required fields:

VM image file: flexiWAN.qcow2
Image format: QCOW2
VNF Type Name: flexiWAN
Description: Flexiwan VNF
Version: 1.0
Memory in MB: 4096. More memory can be allocated if required.
Num of CPUs: 2. More CPUs can be reserved if required and available.
Interfaces to add (click the " + " button): wan and lan. Please make sure to add them in this order.
Cloud Init -> Cloud-Init Datasource: ISO
Cloud Init -> Cloud-Init Disk Type: cdrom

Click Onboard and wait for the message "VNF package onboarded successfully", then close the pop-up.
Onboarding the pfSense VNF

Add the other VNF by accessing the VNF menu from the top toolbar once again, then Descriptors -> On-board -> VM Image. Use the following values to fill the required fields:

VM image file: pfSense.qcow2
Image format: QCOW2
VNF Type Name: pfSense
Description: pfSense VNF
Version: 1.0
Memory in MB: 1024
Num of CPUs: 1
Interfaces to add (click the " + " button): wan, lan and mgmt. Please make sure to add them in this order.
Cloud Init -> Cloud-Init Datasource: ISO
Cloud Init -> Cloud-Init Disk Type: cdrom
Properties to add (click the " + " button):
   Name: vnfMgmtIpAddress. Value: 10.0.0.3 (see note 1 below)
   Name: internalMgmtPort. Value: 443 (see note 2 below)
   Name: externalMgmtPort. Value: 60002 (see note 3 below)

Click Onboard and wait for the message "VNF package onboarded successfully", then close the pop-up.
Please note the following:

1. vnfMgmtIpAddress (10.0.0.3) represents the IP address of the management interface of the pfSense VNF. Changing this value requires an update of the pfSense configuration to match the new IP address.
2. internalMgmtPort (443, HTTPS access) can be changed to another type of access. Please consult the official pfSense documentation for more details and make sure the pfSense VNF is configured to accept another type of connection before changing the port number.
3. externalMgmtPort (60002) represents the external port on which a user can access the VNF management interface from a web browser. The user can select another port if needed. No other changes are required and no other components are affected by this change.
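The three properties above are easy to get wrong when the table is copied by hand (a footnote marker glued to a number turns 60002 into 600023, which is not a port at all). The following script is an added example, not part of the original document or of the Enea NFV Access product: it checks the onboarding properties against the vnf-mgmt-address used later in the ZTP bridge configuration (10.0.0.1) and against the mgmt-port of the in-band management bridge (830). The /24 mask for the VNF management bridge is an assumption, since the chapter only gives the bridge address; the sample property sets are constructed.

```python
"""Consistency checks for the pfSense VNF onboarding properties (added example)."""
import ipaddress
from typing import Optional

VNF_MGMT_ADDR = ipaddress.ip_address("10.0.0.1")      # vnf-mgmt-address of vnf_mgmt_br (from the ZTP config)
VNF_MGMT_NET = ipaddress.ip_network("10.0.0.0/24")   # assumption: the management bridge is a /24
INFRA_PORTS = {830}                                   # mgmt-port of ibm_br, used by the uCPE Manager itself

# Constructed sample: the values exactly as this chapter gives them.
PAGE_PROPERTIES = {"vnfMgmtIpAddress": "10.0.0.3", "internalMgmtPort": "443", "externalMgmtPort": "60002"}
# Constructed sample: the same values with footnote markers fused into the numbers.
# Note that 10.0.0.31 and 4432 are still syntactically valid; only 600023 can be caught.
FUSED_PROPERTIES = {"vnfMgmtIpAddress": "10.0.0.31", "internalMgmtPort": "4432", "externalMgmtPort": "600023"}


def _port(value) -> Optional[int]:
    """Return the value as a TCP port number, or None if it is not one."""
    text = str(value).strip()
    if not text.isdigit():
        return None
    port = int(text)
    return port if 1 <= port <= 65535 else None


def check_mgmt_properties(props: dict) -> list:
    """Return the list of problems found; an empty list means the properties are consistent."""
    problems = []
    try:
        ip = ipaddress.ip_address(props.get("vnfMgmtIpAddress", ""))
    except ValueError:
        problems.append("vnfMgmtIpAddress is not a valid IP address")
    else:
        if ip not in VNF_MGMT_NET:
            problems.append(f"vnfMgmtIpAddress {ip} is not inside {VNF_MGMT_NET}")
        elif ip == VNF_MGMT_ADDR:
            problems.append(f"vnfMgmtIpAddress {ip} collides with vnf-mgmt-address")
    for name in ("internalMgmtPort", "externalMgmtPort"):
        if _port(props.get(name)) is None:
            problems.append(f"{name} must be an integer between 1 and 65535, got {props.get(name)!r}")
    # The external port is exposed on the uCPE device; it must not be one the infrastructure uses.
    external = _port(props.get("externalMgmtPort"))
    if external in INFRA_PORTS:
        problems.append(f"externalMgmtPort {external} is already used by the uCPE management plane")
    return problems


if __name__ == "__main__":
    for label, props in (("page values", PAGE_PROPERTIES), ("fused values", FUSED_PROPERTIES)):
        print(f"{label}: {check_mgmt_properties(props) or 'OK'}")
```

Run it once before onboarding; an empty result for the property set you are about to enter means the address sits on the management bridge and both ports are usable.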
Offline Configuration for uCPE device1

A Zero Touch Provisioning configuration for a device is done in two steps from the uCPE Manager's GUI: first create a data store, then add the offline configuration for the device infrastructure into that data store.

Create the "device1" data store: Applications -> Offline Config -> Add. Use the following values to fill the required fields:

Name: device1
Device Type: Enea universal CPE
Device Version: 2.2.1
Config Set: uCPE Config
deviceId: The ID extracted from device1 after running list_deviceID.sh on the NFV Access CLI.
Press the Create button.
Prepare the infrastructure configuration for device1 in the data store: Applications -> Offline Config -> <select "device1" data store> -> Config App.... This window layout is very similar to the Configuration window of a device.

1. Disable DPDK: DPDK -> Advanced Settings -> uncheck Enable DPDK, then click "Create".

2. Configure the host interface(s): OpenVSwitch -> Host Interfaces -> Add. Use the following values to fill the required fields:
   Source: enp7s0f1. This is just an example interface; the user must select the interface needed for the LAN connection. To locate the name of the interface, run ifconfig on the NFV Access CLI.
   networking-type: standard
   Click Create, and the enp7s0f1 interface will be ready to use in a bridge (LAN).

3. Configure the bridges: OpenVSwitch -> Bridges -> Add. Use the following values to fill the required fields for the four bridges that need to be created:
   ibm_br:
      Name: ibm_br
      ovs-bridge-type: inbandMgmt
      mgmt-address: the IPv4 address of the uCPE Manager machine (e.g. 172.24.3.109)
      mgmt-port: 830
      Click Create.
   vnf_mgmt_br:
      Name: vnf_mgmt_br
      ovs-bridge-type: vnfMgmt
      vnf-mgmt-address: 10.0.0.1
      Click Create.
   sfc_br:
      Name: sfc_br
      ovs-bridge-type: dataPlane
      Sub-type: integration
      Click Create.
   lan_br:
      Name: lan_br
      ovs-bridge-type: dataPlane
      Sub-type: communication
      Name: enp7s0f1 (the host interface prepared in step 2)
      Click Create.
Offline Configuration for uCPE device2

A Zero Touch Provisioning configuration for a device is done in two steps from the uCPE Manager's GUI: first create a data store, then add the offline configuration for the device infrastructure into that data store.

Create the "device2" data store: Applications -> Offline Config -> Add. Use the following values to fill the required fields:

Name: device2
Device Type: Enea universal CPE
Device Version: 2.2.1
Config Set: uCPE Config
deviceId: The ID extracted from device2 after running list_deviceID.sh on the NFV Access CLI.
Press the Create button.
Prepare the infrastructure configuration for device2 in the data store: Applications -> Offline Config -> <select "device2" data store> -> Config App.... This window layout is very similar to the Configuration window of a device.

1. Disable DPDK: DPDK -> Advanced Settings -> uncheck Enable DPDK, then click "Create".

2. Configure the host interface(s): OpenVSwitch -> Host Interfaces -> Add. Use the following values to fill the required fields:
   Source: eno4. This is just an example interface; the user must select the interface needed for the LAN connection. To locate the name of the interface, run ifconfig on the NFV Access CLI.
   networking-type: standard
   Click Create, and the eno4 interface will be ready to use in a bridge (LAN).

3. Configure the bridges: OpenVSwitch -> Bridges -> Add. Use the following values to fill the required fields for the four bridges that need to be created:
   ibm_br:
      Name: ibm_br
      ovs-bridge-type: inbandMgmt
      mgmt-address: the IPv4 address of the uCPE Manager machine (e.g. 172.24.3.109)
      mgmt-port: 830
      Click Create.
   vnf_mgmt_br:
      Name: vnf_mgmt_br
      ovs-bridge-type: vnfMgmt
      vnf-mgmt-address: 10.0.0.1
      Click Create.
   sfc_br:
      Name: sfc_br
      ovs-bridge-type: dataPlane
      Sub-type: integration
      Click Create.
   lan_br:
      Name: lan_br
      ovs-bridge-type: dataPlane
      Sub-type: communication
      Name: eno4 (the host interface prepared in step 2)
      Click Create.
Uploading the offline Configuration

The offline configuration can be uploaded and applied on a uCPE device only once. If the setup needs to be rerun on a device where ZTP was already used, do the following:

1. Add the device manually from the uCPE Manager GUI.
2. Clean the entire configuration on the device.
3. Reset the ZTP: device -> Configuration -> Host -> initial-config-complete: false -> Apply.
4. Delete the device from the uCPE Manager.
Adding the uCPE device1 into the uCPE Manager

Access the Devices menu, then Manage -> Add. Use the following values to fill the required fields:

Type: Enea universal CPE
Release: 2.2.1
Name: Ucpe1
IP/DNS Address: the dynamic IP received by the device from the DHCP server (e.g. 172.24.12.74)
Description: ucpe device site 1
SSH Port: 830
SSH User Name: root
Password:
Device ID: extract the device ID from device1 by running list_deviceID.sh.

Click OK. A green status indicates that the connection with the device was established. To add the device on the map: right-click on the Map -> Place Device -> Ucpe1.
Adding the uCPE device2 into the uCPE Manager

Access the Devices menu, then Manage -> Add. Use the following values to fill the required fields:

Type: Enea universal CPE
Release: 2.2.1
Name: Ucpe2
IP/DNS Address: the dynamic IP received by the device from the DHCP server (e.g. 172.24.12.74)
Description: ucpe device site 2
SSH Port: 830
SSH User Name: root
Password:
Device ID: extract the device ID from device2 by running list_deviceID.sh.

Click OK. A green status indicates that the connection with the device was established. To add the device on the map: right-click on the Map -> Place Device -> Ucpe2.
After the two devices are added to the uCPE Manager, all offline configuration data prepared for them is pushed automatically onto the devices. To check whether a device is configured, add the device to the map and select <Ucpe1> -> Configuration -> OpenVSwitch -> Bridges.
FlexiWAN VNF Instantiation on device1

Instantiate the FlexiWAN VNF by selecting the Ucpe1 device, then the VNF menu -> Instances -> Add. Use the following values to fill the required fields:

Name: Flexiwan_ucpe1
VNF Type: flexiWAN
VNFD Version: 1.0
Flavour: Canonical
uCPE Device: Ucpe1
Cloud Init File: flexiWAN_cloudinit.iso. An example cloud-init image is provided. Please see the Appendix for details on how to generate a new cloud-init image with a different token. Please contact flexiWAN in order to get a valid token and access to the flexiWAN manager.

Create the wan interface:
   ID: wan
   Type: tap
   IF Name:
   Bridge: ibm_br
   NIC Model: virtio
Create the lan interface:
   ID: lan
   Type: tap
   IF Name:
   Bridge: sfc_br

Click Create.
pfSense VNF Instantiation on device1

Instantiate the pfSense VNF by selecting the Ucpe1 device, then the VNF menu -> Instances -> Add. Use the following values to fill the required fields:

Name: Pfsense_ucpe1
VNF Type: pfSense
VNFD Version: 1.0
Flavour: Canonical
uCPE Device: Ucpe1
Cloud Init File: pfsense_192_168_1_1.iso

Create the wan interface:
   ID: wan
   Type: tap
   IF Name:
   Bridge: sfc_br
   NIC Model: virtio
Create the lan interface:
   ID: lan
   Type: tap
   IF Name:
   Bridge: lan_br
   NIC Model: virtio
Create the mgmt interface:
   ID: mgmt
   Type: tap
   IF Name:
   Bridge: vnf_mgmt_br

Click Create.
FlexiWAN VNF Instantiation on device2

Instantiate the FlexiWAN VNF by selecting the Ucpe2 device, then the VNF menu -> Instances -> Add. Use the following values to fill the required fields:

Name: Flexiwan_ucpe2
VNF Type: flexiWAN
VNFD Version: 1.0
Flavour: Canonical
uCPE Device: Ucpe2
Cloud Init File: flexiWAN_cloudinit.iso. An example cloud-init image is provided. Please see the Appendix for details on how to generate a new cloud-init image with a different token. Please contact flexiWAN in order to get a valid token and access to the flexiWAN manager.

Create the wan interface:
   ID: wan
   Type: tap
   IF Name:
   Bridge: ibm_br
   NIC Model: virtio
Create the lan interface:
   ID: lan
   Type: tap
   IF Name:
   Bridge: sfc_br
   NIC Model: virtio

Click Create.
pfSense VNF Instantiation on device2

Instantiate the pfSense VNF by selecting the Ucpe2 device, then the VNF menu -> Instances -> Add. Use the following values to fill the required fields:

Name: Pfsense_ucpe2
VNF Type: pfSense
VNFD Version: 1.0
Flavour: Canonical
uCPE Device: Ucpe2
Cloud Init File: pfsense_192_168_2_1.iso

Create the wan interface:
   ID: wan
   Type: tap
   IF Name:
   Bridge: sfc_br
   NIC Model: virtio
Create the lan interface:
   ID: lan
   Type: tap
   IF Name:
   Bridge: lan_br
   NIC Model: virtio
Create the mgmt interface:
   ID: mgmt
   Type: tap
   IF Name:
   Bridge: vnf_mgmt_br
   NIC Model: virtio

Click Create.

Once all VNFs are up and running, the setup is ready for final VNF configuration and testing.
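The security property of the four instantiations above is that LAN traffic can only reach the WAN bridge through the pfSense VNF, with flexiWAN in front of it on sfc_br, and that the pfSense mgmt interface sits only on vnf_mgmt_br. A wrong Bridge value on a single interface (for example the flexiWAN lan interface attached to lan_br instead of sfc_br) silently bypasses the firewall. The script below is an added example, not part of the original document or of the Enea NFV Access product: it models each instance as a map from interface ID to bridge, constructed from the fields in this chapter, walks the bridges from ibm_br to lan_br, and reports any data path that does not end in the firewall VNF. The misconfigured site is constructed for illustration.

```python
"""Service-chain data-path check for the VNF instance definitions (added example)."""
from collections import deque

WAN_BRIDGE, LAN_BRIDGE, MGMT_BRIDGE = "ibm_br", "lan_br", "vnf_mgmt_br"

# Constructed from the "Create the ... interface" fields for device1 and device2.
SITE1 = {
    "Flexiwan_ucpe1": {"wan": "ibm_br", "lan": "sfc_br"},
    "Pfsense_ucpe1": {"wan": "sfc_br", "lan": "lan_br", "mgmt": "vnf_mgmt_br"},
}
SITE2 = {
    "Flexiwan_ucpe2": {"wan": "ibm_br", "lan": "sfc_br"},
    "Pfsense_ucpe2": {"wan": "sfc_br", "lan": "lan_br", "mgmt": "vnf_mgmt_br"},
}
# Constructed misconfiguration: flexiWAN's lan interface attached straight to lan_br.
SITE1_BYPASS = {
    "Flexiwan_ucpe1": {"wan": "ibm_br", "lan": "lan_br"},
    "Pfsense_ucpe1": {"wan": "sfc_br", "lan": "lan_br", "mgmt": "vnf_mgmt_br"},
}


def data_paths(site: dict) -> list:
    """Every ordered list of VNFs that forwards traffic from WAN_BRIDGE to LAN_BRIDGE.

    Traffic enters a VNF on one data interface (wan or lan) and leaves on the other;
    the mgmt interface never forwards. A VNF is visited at most once per path.
    """
    paths = []
    queue = deque([(WAN_BRIDGE, [])])
    while queue:
        bridge, chain = queue.popleft()
        if bridge == LAN_BRIDGE:
            paths.append(chain)
            continue
        for vnf, ifaces in site.items():
            if vnf in chain:
                continue
            for entry, exit_ in (("wan", "lan"), ("lan", "wan")):
                if ifaces.get(entry) == bridge and exit_ in ifaces:
                    queue.append((ifaces[exit_], chain + [vnf]))
    return paths


def check_site(site: dict, firewall: str) -> list:
    """Return the list of problems; an empty list means the chain matches the chapter's design."""
    problems = []
    paths = data_paths(site)
    if not paths:
        problems.append(f"no data path from {WAN_BRIDGE} to {LAN_BRIDGE}")
    for path in paths:
        if firewall not in path:
            problems.append(f"path {path} bypasses {firewall}")
        elif path[-1] != firewall:
            problems.append(f"{firewall} is not the last hop before {LAN_BRIDGE} in {path}")
    for vnf, ifaces in site.items():
        if ifaces.get("wan") == ifaces.get("lan"):
            problems.append(f"{vnf}: wan and lan are attached to the same bridge")
        if "mgmt" in ifaces and ifaces["mgmt"] != MGMT_BRIDGE:
            problems.append(f"{vnf}: mgmt is on {ifaces['mgmt']} instead of {MGMT_BRIDGE}")
    return problems


if __name__ == "__main__":
    for label, site, fw in (("site1", SITE1, "Pfsense_ucpe1"), ("site2", SITE2, "Pfsense_ucpe2"),
                            ("site1 (bypass)", SITE1_BYPASS, "Pfsense_ucpe1")):
        print(f"{label}: paths={data_paths(site)} problems={check_site(site, fw) or 'none'}")
```

The walk is direction-agnostic, so a VNF whose lan interface happens to face the WAN bridge is still found; the check that matters is that every path ends in the firewall VNF.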
SD-WAN branch-to-branch connection setup

Overview

In order to have the full setup working properly, a tunnel between the two SD-WAN devices needs to be created. The FlexiWAN VNF provides the functionality to create the VPN tunnel.
FlexiWAN configuration

Connect to https://manage.flexiwan.com and make sure to have an account and at least two valid device tokens. For more information please contact the flexiWAN VNF provider. Proceed to the Inventory menu and click on Devices; the devices should already be present and need to be configured.

How to configure a device

Select each Unknown device and make sure to set the following values:

Device1 (ucpe1):
   Device Name: Device1
   Description: uCPE device1
   Set "Approved".
   Click the "Update Device" button.
   Select the Interfaces tab.
   Set IPv4 for the second interface (ens3): 10.0.1.1/24
   Click "Update Interfaces".

Device2 (ucpe2):
   Device Name: Device2
   Description: uCPE device2
   Set "Approved".
   Click the "Update Device" button.
   Select the Interfaces tab.
   Set IPv4 for the second interface (ens3): 10.0.2.1/24
   Click "Update Interfaces".
uCPE devices can be installed under the same local network, i.e. sharing the same public IP, or on different networks (different public IPs). If both devices are installed under the same local network (the same public IP), delete the public IP address from the Interfaces configuration tab before creating a tunnel: https://manage.flexiwan.com -> Inventory -> Devices -> <device> -> Interfaces -> Public IP.
Select the ">" option for each device to put it in the "running" state, and wait for each "vRouter" device to also enter the "running" state. Select the main top checkbox in order to select all devices and choose "Actions" -> "Create Tunnels". At this point a direct connection should be available between the two devices. Check that the tunnel was created by selecting Inventory -> Tunnels.
pfSense configuration

For the pfSense VNF there is no need for manual configuration: the configuration provided in the cloud-init image is sufficient to run the setup. The management interface can be accessed from a web browser at: https://<deviceIP>:60002