Service Chaining 128T - Fortigate Example Use-case

The term service chaining or service function chaining (SFC) is used to describe the definition and instantiation of an ordered list of instances of such service functions and the subsequent "steering" of traffic flows through those service functions. The set of enabled service function chains reflects operator service offerings and is designed in conjunction with application delivery and service and network policy.

Prerequisites

The 128T router and the Fortinet firewall in a service chain require the following prerequisites for this example use case:

- 1 in-band management port for device management.
- 1 in-band management port for the 128T router.
- 1 in-band management port for Fortinet.
- 1 WAN interface for Fortinet.
- 1 LAN facing interface for Fortinet.
- 1 WAN facing interface for the 128T router.
- 1 service chain (SFC Bridged interface) to sit between the Firewall and vRouter.

Service Chaining 128T - Fortigate

Use-case Setup

Configuring Network Interfaces on uCPE devices:

Log into the uCPE Manager with both username and password values: admin.

Add the trgt uCPE device into the uCPE Manager: Devices -> Manage -> Add.

Fill in the required fields with the following data:

Device Details

| Field | Value |
|---|---|
| Type | Enea universal CPE |
| Release | 2.2.2 |
| Name | trgt |
| IP/DNS Address | <unspecified> |
| Description | Target 1 |
| SSH Port | 830 |
| SSH User Name | root |
| Password | null |
| Device ID | Also configured during installation of the device (E.g.: Target-15). |
| OK | Green status indicates connection with uCPE device was established. |

In order to add the device on the map: Right-Click on Map -> Place Device -> trgt.

Configure the infrastructure for the 128T and Fortigate VNFs in the service chain by creating four OVS bridges and a host interface.

Add the Host Interface by selecting the trgt device, then Configuration -> External Interfaces -> Configuration -> Add.

Fill in the required fields with the following data:

Host Interface Details

| Field | Value |
|---|---|
| Source | enp4s0f1. The only interface available for LAN connection. |
| networking-type | dpdk |
| dpdk-type | vfio-pci |
| Create | <interface enp4s0f1 ready to be used in a LAN bridge.> |

Add the OVS bridges by selecting the trgt device then: Configuration -> OpenVSwitch -> Bridges -> Add.

Fill in the required fields for each bridge with the following data from each table:

ibm_br Bridge Details

| Field | Value |
|---|---|
| id | <autogenerated - do not change> |
| Name | ibm_br |
| ovs-bridge-type | inbandMgmt |
| Create | |

vnf_mgmt_br Bridge Details

| Field | Value |
|---|---|
| id | <autogenerated - do not change> |
| Name | vnf_mgmt_br |
| ovs-bridge-type | vnfMgmt |
| vnf-mgmt-address | 10.0.0.1 |
| Create | |

lan_br Bridge Details

| Field | Value |
|---|---|
| id | <autogenerated - do not change> |
| Name | lan_br |
| ovs-bridge-type | dataPlane |
| sub-type | communication |
| + | Name: enp4s0f1 OK |
| Create | |

sfc_br Bridge Details

| Field | Value |
|---|---|
| id | <autogenerated - do not change> |
| Name | sfc_br |
| ovs-bridge-type | dataPlane |
| sub-type | integration |
| Create | |

Onboarding the VNFs:

Onboard the 128T VNF VM Image through VNF -> Descriptors -> On-board -> VM Image, and fill in the required fields with the following values:

128T VM Image Details

| Field | Value |
|---|---|
| VM image file | centos_128t_with_ci.qcow2 |
| Image format | QCOW2 |
| VNF Type Name | 128T |
| Description | 128T Router |
| Version | 1.0 |
| Memory in MB | 8192. More memory can be allocated if required (<28672). |
| Num. of CPUs | 2. More CPUs can be reserved if required (<15). |
| Interfaces -> + | Name: mgmt |
| Interfaces -> + | Name: wan |
| Interfaces -> + | Name: lan |
| Cloud Init -> Cloud-Init Datasource | ISO |
| Cloud Init -> Cloud-Init Disk Type | cdrom |
| Properties -> + | Name: vnfMgmtIpAddress. Value: 10.0.0.2 |
| Properties -> + | Name: internalMgmtPort. Value: 443 |
| Properties -> + | Name: externalMgmtPort. Value: 60001 |
| Onboard | <Wait for message: VNF package onboarded successfully> |
| Close | |

- HTTPS access (443) can be changed to another type of access. Please consult official 128T documentation and make sure the 128T VNF is configured to accept another type of connection before changing the port number.
- externalMgmtPort (60001) represents the external port on which the user can access the VNF management interface from the web browser via HTTPS. The user can select another port if needed. There are no other changes required or components affected by this change.
- vnfMgmtIpAddress (10.0.0.2) represents the IP address of the management interface of the 128T VNF. Changing this value requires an update to the 128T configuration to match the new IP address.

Onboard the Fortigate VNF VM Image through VNF -> Descriptors -> On-board -> VM Image, and fill in the required fields with the following values:

Fortigate VM Image Details

| Field | Value |
|---|---|
| VM image file | fortios.qcow2. Please make sure to contact Fortigate for an official Fortigate KVM image. |
| Image format | QCOW2 |
| VNF Type Name | Fortigate |
| Description | Fortigate VNF |
| Version | 1.0 |
| Memory in MB | 1024. More memory can be allocated if required (<28672). |
| Num. of CPUs | 1. More CPUs can be reserved if required (<15). |
| Interfaces -> + | Name: mgmt |
| Interfaces -> + | Name: wan |
| Interfaces -> + | Name: lan |
| Cloud Init -> Cloud-Init Datasource | ConfigDrive |
| Cloud Init -> Cloud-Init Disk Type | cdrom |
| Cloud Init -> + | Path: license |
| Properties -> + | Name: vnfMgmtIpAddress. Value: 10.0.0.3 |
| Properties -> + | Name: internalMgmtPort. Value: 443 |
| Properties -> + | Name: externalMgmtPort. Value: 60002 |
| Onboard | <Wait for message: VNF package onboarded successfully> |
| Close | |

- HTTPS access (443) can be changed to another type of access. Please consult official Fortigate documentation and make sure the Fortigate VNF is configured to accept another type of connection before changing the port number.
- externalMgmtPort (60002) represents the external port on which the user can access the VNF management interface from the web browser via HTTPS. The user can select another port if needed. There are no other changes required or components affected by this change.
- vnfMgmtIpAddress (10.0.0.3) represents the IP address of the management interface of the Fortigate VNF. Changing this value requires an update to the Fortigate configuration to match the new IP address.

Instantiating the VNFs:

Instantiate the 128T VNF by selecting the trgt device, then VNF -> Instances -> Add.

Fill in the required fields with the following values:

128T VNF Instantiation

| Field | Value |
|---|---|
| Name | 128T_trgt_1 |
| VNF Type | 128T |
| VNFD Version | 1.0 |
| Flavour | Canonical |
| uCPE Device | trgt |
| Cloud Init File | centos_128t_internet_ci.iso. Example image provided. Please see Appendix A for details on how to change the configuration and create a new cloud-init iso image. |
| Domain Update Script | |
| Interfaces | |
| ID | IF Name |
| mgmt (dpdk) | Bridge: vnf_mgmt_br |
| wan (dpdk) | Bridge: ibm_br |
| lan (dpdk) | Bridge: sfc_br |
| Create | |

Instantiate the Fortigate VNF by selecting the trgt device, then VNF -> Instances -> Add.

Fill in the required fields with the following values:

Fortigate VNF Instantiation

| Field | Value |
|---|---|
| Name | fg_trgt_1 |
| VNF Type | Fortigate |
| VNFD Version | 1.0 |
| Flavour | Canonical |
| uCPE Device | trgt |
| Cloud Init File | fg_cust_basic_fw.conf |
| License File | FGVM08TM00001.lic. Please make sure to use a valid license file (.lic) received from Fortinet. |
| Domain Update Script | |
| Interfaces | |
| ID | IF Name |
| mgmt (dpdk) | Bridge: vnf_mgmt_br |
| wan (dpdk) | Bridge: sfc_br |
| lan (dpdk) | Bridge: lan_br |
| Create | |

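
The bridge attachments in the two instantiation tables are what fix the order of the chain. The Python below is an added example, not part of the Enea, 128T or Fortinet tooling: it walks those attachments from ibm_br to lan_br and reports any data path that skips the firewall, or any mgmt interface that sits on a data bridge. The function names are hypothetical, and it assumes each VNF forwards only between its own wan and lan interfaces.

```python
from collections import defaultdict

# Interface-to-bridge attachments copied from the two instantiation tables.
VNF_PORTS = {
    "128T_trgt_1": {"mgmt": "vnf_mgmt_br", "wan": "ibm_br", "lan": "sfc_br"},
    "fg_trgt_1": {"mgmt": "vnf_mgmt_br", "wan": "sfc_br", "lan": "lan_br"},
}
INGRESS, EGRESS = "ibm_br", "lan_br"  # WAN-side and LAN-side bridges of this use case


def data_paths(vnf_ports, ingress, egress):
    """Return every loop-free sequence of VNFs that links ingress to egress.

    Assumption (not stated by the page): a VNF forwards only between its own
    wan and lan interfaces; the mgmt interface carries no data-plane traffic.
    """
    by_bridge = defaultdict(list)
    for vnf, ports in vnf_ports.items():
        by_bridge[ports["wan"]].append((vnf, ports["lan"]))
        by_bridge[ports["lan"]].append((vnf, ports["wan"]))
    paths = []

    def walk(bridge, chain):
        if bridge == egress:
            paths.append(chain)
            return
        for vnf, other_side in by_bridge[bridge]:
            if vnf not in chain:  # never traverse the same VNF twice
                walk(other_side, chain + [vnf])

    walk(ingress, [])
    return paths


def check_chain(vnf_ports, ingress, egress, required):
    """List problems: no path, a path skipping `required`, mgmt on a data bridge."""
    problems = []
    paths = data_paths(vnf_ports, ingress, egress)
    if not paths:
        problems.append(f"no data path from {ingress} to {egress}")
    for path in paths:
        if required not in path:
            problems.append(f"path {' -> '.join(path) or '(direct)'} bypasses {required}")
    data_bridges = {bridge for ports in vnf_ports.values()
                    for name, bridge in ports.items() if name != "mgmt"}
    for vnf, ports in vnf_ports.items():
        if ports["mgmt"] in data_bridges:
            problems.append(f"{vnf} mgmt interface is on data bridge {ports['mgmt']}")
    return problems
```

With the attachments from this page, `check_chain(VNF_PORTS, INGRESS, EGRESS, "fg_trgt_1")` returns an empty list; attaching the 128T lan interface to lan_br instead of sfc_br makes it report a path that bypasses fg_trgt_1.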
Testing the Use-case

In order to access the web interfaces of the 128T VNF, open a browser on a machine connected on the same network with the WAN port of the target and connect to: https://<publicIP>:60001 using the username: admin and the password: 128Tadmin.

In order to access the web interfaces of the Fortigate VNF, open a browser on a machine connected on the same network with the WAN port of the target and connect to: https://<publicIP>:60002 using the username: admin, and leaving the password blank.

Make sure the WAN interface of the trgt device has access to the internet. The Fortigate VNF requires internet access to validate the license.

In order to validate the data path, connect a test machine to the LAN physical port and check for a dynamic IP (the Fortigate LAN interface is configured with a DHCP server):

    > dhclient eth1
    > ping 8.8.8.8

For data path validation, a new cloud-init image may need to be generated for the 128T VNF to match your network configuration. Please check Appendix A "How to create 128T cloud-init iso image (day-0 configuration)" for details.

Use-case Clean-up

In order to remove the setup created previously, all components need to be deleted in reverse order:

1. Select the trgt uCPE device -> VNF -> Instances. Select the 128T and Fortigate VNFs -> Delete.
2. Select the trgt uCPE device -> Configuration -> OpenVSwitch -> Bridges. Select all bridges -> Delete.
3. Select the trgt uCPE device -> Configuration -> External Interfaces -> Configuration. Select all interfaces -> Delete.
4. VNF -> Descriptors. Select all bundles -> Offboard.