path: root/doc/book-enea-nfv-access-example-usecases/doc/vnf_chaining.xml
blob: 90bf56689f593615176ac011306e865c24b2f6e9 (plain)
<?xml version="1.0" encoding="ISO-8859-1"?>
<chapter id="vnf_chaining">
  <title>VNF Chaining Example Use-case</title>

  <section id="VNF_chain_intro">
    <title>Introduction</title>

    <para>The following describes an example of how to set up and configure a
    branch-to-branch service comprised of two commercial VNFs (SD-WAN +
    Firewall). This service runs as a service chain on top of the Enea NFV
    Access virtualization platform, deployed through the Enea uCPE Manager. In
    the example setup the following commercial VNFs are used: Juniper vSRX as
    the SD-WAN VNF and Fortigate as the Router/Firewall.</para>

    <para>The setup requires two physical appliances (uCPEs), each of them
    having three DPDK-compatible NICs and one interface available for uCPE
    management (i.e. connected to Enea uCPE Manager). On each uCPE, one of the
    DPDK-compatible interfaces is connected back-to-back with one interface
    from the other uCPE device. This link simulates a WAN/uplink
    connection.</para>

    <para>Optionally, one additional device (PC/laptop) can be connected on
    the LAN port of each branch to run LAN-to-LAN connectivity tests.</para>

    <figure>
      <title>Example Setup</title>

      <mediaobject>
        <imageobject>
          <imagedata align="center" fileref="images/example_setup.png"
                     scale="88" />
        </imageobject>
      </mediaobject>
    </figure>

    <note>
      <para>For simplicity, the image above does not present the
      management-plane, which will be described in the Setup steps.</para>
    </note>
  </section>

  <section id="prere">
    <title>Prerequisites</title>

    <para>The following files are needed for this example use case:</para>

    <itemizedlist>
      <listitem>
        <para>Juniper vSRX VNF image, plus vSRX-Site&lt;x&gt;.iso as the
        Cloud-Init file(s). The VNF image is not provided by Enea; please
        contact Juniper to obtain it.</para>
      </listitem>

      <listitem>
        <para>Fortigate VNF image. This image is provided by Enea.</para>
      </listitem>

      <listitem>
        <para>vSRX-domain-update-script. This file is provided by Enea.</para>
      </listitem>

      <listitem>
        <para>FortiFW-Site&lt;x&gt;.conf as the Cloud-Init file(s). This file
        is provided by Enea.</para>
      </listitem>

      <listitem>
        <para>VNF license file(s), added as Cloud-Init content in the
        Cloud-Init tab. License files are not provided by Enea; please
        contact the VNF provider.</para>
      </listitem>
    </itemizedlist>
  </section>

  <section id="crateing_setup">
    <title>Creating the setup</title>

    <para>Both branches in the example have similar setups, therefore
    necessary step details are presented for only one branch. The second
    branch shall be configured in the same way, adapting as needed the
    corresponding VNFs configuration files.</para>

    <orderedlist>
      <listitem>
        <para>Assign three physical interfaces to DPDK (one for VNF
        management, one for WAN and one for LAN). In the example, the
        management interface gets an IP address through DHCP and is used
        exclusively for the management plane.</para>
      </listitem>

      <listitem>
        <para>Create the following OVS-DPDK bridges:</para>

        <itemizedlist>
          <listitem>
            <para><literal>vnf_mgmt_br</literal>. Used by VNF management
            ports.</para>
          </listitem>

          <listitem>
            <para><literal>wan_br</literal>. Used by the service uplink
            connection. In our case, Juniper vSRX will have its WAN virtual
            interface in this bridge.</para>
          </listitem>

          <listitem>
            <para><literal>sfc_br</literal>. Used for creating the service
            chain. Each VNF will have a virtual interface in this
            bridge.</para>
          </listitem>

          <listitem>
            <para><literal>lan_br</literal>. Used for the LAN interface of the
            Fortigate FW.</para>
          </listitem>
        </itemizedlist>
      </listitem>

      <listitem>
        <para>Add corresponding DPDK ports (see Step 1) to the management, WAN
        and LAN bridges (<literal>sfc_br</literal> does not have a physical
        port attached to it).</para>

        <note>
          <para>The networking setup (Steps 1-3) can be modeled using the
          Offline Configuration entry, so that it is automatically provisioned
          on the uCPE, once it gets enrolled into the management system (uCPE
          Manager).</para>
        </note>
      </listitem>

      <listitem>
        <para>Onboard Juniper vSRX using the VNF Onboarding Wizard:</para>

        <itemizedlist>
          <listitem>
            <para>The Flavor selected must have at least 2 vCPUs and 4 GB RAM,
            since vSRX is quite resource consuming.</para>

            <para>Tested in-house with 4 vCPUs / 6 GB RAM.</para>
          </listitem>

          <listitem>
            <para>Add three virtual interfaces: management, WAN and
            LAN.</para>
          </listitem>

          <listitem>
            <para>Select <literal>ISO</literal> on the Cloud-Init tab.</para>
          </listitem>
        </itemizedlist>
      </listitem>

      <listitem>
        <para>Onboard Fortigate FW using the VNF Onboarding Wizard:</para>

        <itemizedlist>
          <listitem>
            <para>The Flavor selected can be quite light in resources, e.g. 1
            vCPU and 2 GB RAM.</para>
          </listitem>

          <listitem>
            <para>Add three virtual interfaces: management, WAN and
            LAN.</para>
          </listitem>

          <listitem>
            <para>Select <literal>ConfigDrive</literal> on the Cloud-Init
            tab.</para>
          </listitem>

          <listitem>
            <para>Add <literal>license</literal> as the Cloud-Init content in
            the Cloud-Init tab files.</para>
          </listitem>
        </itemizedlist>

        <note>
          <para>Steps 4-5 are done only once, i.e. they will not be repeated
          for Site 2.</para>
        </note>
      </listitem>

      <listitem>
        <para>Create the vSRX instance:</para>

        <itemizedlist>
          <listitem>
            <para>Use <filename>vSRX-Site1.iso</filename> as the Cloud-Init
            file.</para>
          </listitem>

          <listitem>
            <para>The <literal>Domain Update Script</literal> field can be
            left empty for the Atom C3000 architecture, while for XeonD the
            <filename>vSRX-domain-update-script</filename> file must be
            used.</para>
          </listitem>

          <listitem>
            <para>Add virtual interfaces:</para>

            <itemizedlist>
              <listitem>
                <para>Management interface added to
                <literal>vnf_mgmt_br</literal>.</para>
              </listitem>

              <listitem>
                <para>WAN interface added to <literal>wan_br</literal>.</para>
              </listitem>

              <listitem>
                <para>LAN interface added to <literal>sfc_br</literal>.</para>
              </listitem>
            </itemizedlist>
          </listitem>
        </itemizedlist>

        <note>
          <para>The login/password values for the vSRX VNF are
          <literal>root/vsrx1234</literal>, respectively. These are the
          default credentials of the provided configuration; change them
          before the VNF management network is reachable by anyone other
          than the operator.</para>
        </note>
      </listitem>

      <listitem>
        <para>Create the Fortigate FW instance:</para>

        <itemizedlist>
          <listitem>
            <para>Use <filename>FortiFW-Site1.conf</filename> as Cloud-Init
            file.</para>
          </listitem>

          <listitem>
            <para>Add the <filename>.lic</filename> license file (not part
            of the files provided by Enea, see Prerequisites) as the license
            file.</para>
          </listitem>

          <listitem>
            <para>Add virtual interfaces:</para>

            <itemizedlist>
              <listitem>
                <para>Management interface added to
                <literal>vnf_mgmt_br</literal>.</para>
              </listitem>

              <listitem>
                <para>WAN interface added to <literal>sfc_br</literal>.</para>
              </listitem>

              <listitem>
                <para>LAN interface added to <literal>lan_br</literal>.</para>
              </listitem>
            </itemizedlist>
          </listitem>
        </itemizedlist>

        <note>
          <para>The login/password values for the Fortigate VNF are
          <literal>admin/&lt;empty password&gt;</literal>, respectively.
          Set an admin password before the management port is exposed
          beyond the lab.</para>
        </note>
      </listitem>
    </orderedlist>
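    <para>The four-bridge layout in Steps 2-3 and the interface placement in
    Steps 6-7 are what make the chain a chain: the only path between the two
    VNFs is <literal>sfc_br</literal>, which must never carry a physical
    port, otherwise traffic could bypass the Fortigate and reach the LAN NIC
    directly. The following script is an added example (not Enea's code) that
    checks this layout on the uCPE host. The DPDK port names
    (<literal>dpdk0</literal>, <literal>dpdk1</literal>,
    <literal>dpdk2</literal>) and the vhost-user port names
    (<literal>vsrx_*</literal>, <literal>fw_*</literal>) are assumptions; the
    page does not name them. The sample port table is constructed to match a
    correctly provisioned Site 1.</para>

```shell
#!/bin/sh
# Added example, not part of the Enea documentation: verify that the
# OVS-DPDK bridges on a uCPE match the service-chain design described above.
#
# Assumed names (not given on the page): physical DPDK ports dpdk0 (VNF
# management), dpdk1 (WAN), dpdk2 (LAN); VNF vhost-user ports vsrx_mgmt,
# vsrx_wan, vsrx_lan, fw_mgmt, fw_wan, fw_lan.

# Constructed sample in "bridge port" form, as a correctly provisioned Site 1
# would look. On a real host list_ports should run: ovs-vsctl list-ports "$1"
PORTS_SAMPLE='vnf_mgmt_br dpdk0
vnf_mgmt_br vsrx_mgmt
vnf_mgmt_br fw_mgmt
wan_br dpdk1
wan_br vsrx_wan
sfc_br vsrx_lan
sfc_br fw_wan
lan_br dpdk2
lan_br fw_lan'

# list_ports BRIDGE -> one port name per line, like `ovs-vsctl list-ports`
list_ports() {
    printf '%s\n' "$PORTS_SAMPLE" | awk -v b="$1" '$1 == b { print $2 }'
}

# has_port BRIDGE PORT -> 0 if PORT is attached to BRIDGE
has_port() {
    list_ports "$1" | grep -qx "$2"
}

# phys_count BRIDGE -> number of physical (dpdkN) ports attached to BRIDGE
phys_count() {
    list_ports "$1" | awk '/^dpdk[0-9]+$/ { n++ } END { print n + 0 }'
}

# check_topology -> 0 if the layout matches the design, 1 otherwise.
# Rules: exactly one physical port on each of vnf_mgmt_br, wan_br and
# lan_br; none on sfc_br; vSRX LAN side and Fortigate WAN side both in
# sfc_br; Fortigate LAN side in lan_br; both management ports in vnf_mgmt_br.
check_topology() {
    rc=0
    for br in vnf_mgmt_br wan_br lan_br; do
        if [ "$(phys_count "$br")" -ne 1 ]; then
            echo "FAIL: $br must carry exactly one physical DPDK port" >&2
            rc=1
        fi
    done
    if [ "$(phys_count sfc_br)" -ne 0 ]; then
        echo "FAIL: sfc_br has a physical port; traffic could bypass the chain" >&2
        rc=1
    fi
    for pair in "vnf_mgmt_br vsrx_mgmt" "vnf_mgmt_br fw_mgmt" \
                "wan_br vsrx_wan" "sfc_br vsrx_lan" "sfc_br fw_wan" \
                "lan_br fw_lan"; do
        set -- $pair
        has_port "$1" "$2" || { echo "FAIL: $2 is not in $1" >&2; rc=1; }
    done
    return $rc
}

check_topology && echo "OVS topology matches the service-chain design"
```

    <para>Run it on the uCPE after the Offline Configuration has been applied
    and again after both VNF instances are up, since the vhost-user ports only
    appear once the instances exist. A non-zero exit means the chain is not
    wired as designed and LAN-to-LAN traffic may either fail or skip the
    firewall.</para>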

    <para>At this point the service will be up and running on Site1. Repeat
    the necessary steps for Site2, by changing the configuration files
    accordingly. After the service is deployed on both branches, the VPN
    tunnel is established and LAN to LAN visibility can be verified by
    connecting one device on each uCPE LAN port. See <link
    linkend="test_setup">Testing the setup</link> for details on how to
    proceed.</para>
  </section>

  <section id="test_setup">
    <title>Testing the setup</title>

    <para>Before testing LAN to LAN connectivity, preliminary tests of the
    service can be run to ensure everything was set up properly. For
    instance, by connecting to the vSRX CLI (on either site), one can check
    the IKE security associations:</para>

    <programlisting>root@Atom-C3000:~ # cli</programlisting>

    <programlisting>root@Atom-C3000&gt; show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
1588673 UP     2f2047b144ebfce4  0000000000000000  Aggressive     10.1.1.2
...
root@Atom-C3000&gt; show security ike security-associations index 1588673 detail
...</programlisting>

    <para>Also, from the vSRX CLI, a user can check that the VPN tunnel was
    established and get statistics of the packets passing the tunnel:</para>

    <programlisting>root@Atom-C3000&gt; show security ipsec security-associations
...
root@Atom-C3000&gt; show security ipsec statistics index &lt;xxxxx&gt;
...</programlisting>
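    <para>Two things are worth reading off the IKE table before going
    further: the <literal>State</literal> column must be <literal>UP</literal>
    for the remote site, and the <literal>Mode</literal> column shows how the
    SA was negotiated. The listing above reports <literal>Aggressive</literal>,
    i.e. IKEv1 aggressive mode; with a pre-shared key this sends the
    PSK-derived identity hash in the clear, so anyone who can capture the
    WAN link can attack the PSK offline. The script below is an added
    example (not Enea's or Juniper's code) that applies both checks to a
    captured table. The table is constructed from the listing on this page;
    on the vSRX it would be captured with
    <literal>cli -c 'show security ike security-associations'</literal>.</para>

```shell
#!/bin/sh
# Added example, not code from Enea or Juniper: sanity-check the vSRX IKE SA
# table for the branch-to-branch tunnel before moving on to LAN-to-LAN tests.
# IKE_SAMPLE is constructed from the listing shown on this page; on the vSRX
# the same table comes from:  cli -c 'show security ike security-associations'
IKE_SAMPLE='Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
1588673 UP     2f2047b144ebfce4  0000000000000000  Aggressive     10.1.1.2'

# sa_field TABLE PEER COLUMN -> prints COLUMN of the row whose remote address
# is PEER. Columns: 1 index, 2 state, 3 initiator cookie, 4 responder cookie,
# 5 mode, 6 remote address. Prints nothing when no SA to PEER exists.
sa_field() {
    printf '%s\n' "$1" | awk -v peer="$2" -v col="$3" \
        'NR > 1 && $6 == peer { print $col }'
}

# check_ike_sa TABLE PEER
#   returns 0: SA to PEER is UP and not negotiated in aggressive mode
#   returns 1: no established SA to PEER (the IPsec tunnel cannot come up)
#   returns 2: SA is UP but was negotiated with IKEv1 aggressive mode
check_ike_sa() {
    state=$(sa_field "$1" "$2" 2)
    mode=$(sa_field "$1" "$2" 5)
    if [ "$state" != "UP" ]; then
        echo "FAIL: no established IKE SA to $2 (state: ${state:-none})" >&2
        return 1
    fi
    if [ "$mode" = "Aggressive" ]; then
        # IKEv1 aggressive mode sends the PSK-derived identity hash in the
        # clear, so a passive observer on the WAN link can run an offline
        # dictionary attack against the pre-shared key. Main mode or IKEv2
        # keeps that hash inside the encrypted exchange.
        echo "WARN: IKE SA to $2 is UP but uses aggressive mode; prefer main mode or IKEv2" >&2
        return 2
    fi
    echo "OK: IKE SA to $2 is UP ($mode mode)"
    return 0
}

# Stand-alone run against the page's own listing: UP, but aggressive mode,
# so the warning is printed and the function returns 2.
check_ike_sa "$IKE_SAMPLE" 10.1.1.2 || echo "check_ike_sa returned $?"
```

    <para>The peer address (<literal>10.1.1.2</literal>) is the WAN address of
    the other site as it appears in the listing; use the Site 1 address when
    running the check from Site 2. A return value of 2 does not stop the
    tunnel from working, which is exactly why it is easy to overlook in a lab
    that only tests for connectivity.</para>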

    <para>From the Fortigate Firewall CLI on Site 1, one can check
    connectivity to the remote Fortigate FW (from Site 2):</para>

    <programlisting>FGVM080000136187 # execute ping 192.168.168.2
PING 192.168.168.2 (192.168.168.2): 56 data bytes
64 bytes from 192.168.168.2: icmp_seq=0 ttl=255 time=0.0 ms
64 bytes from 192.168.168.2: icmp_seq=1 ttl=255 time=0.0 ms
64 bytes from 192.168.168.2: icmp_seq=2 ttl=255 time=0.0 ms
...</programlisting>

    <para>Since the VNF management ports were configured to get IPs through
    DHCP, the user can use the Web-based management UI of both vSRX and
    Fortigate to check and modify their configuration settings. These UIs
    are reachable from any host on the management network, which is why the
    management plane is kept on its own bridge
    (<literal>vnf_mgmt_br</literal>), separate from the WAN and LAN
    bridges.</para>

    <para>For example, in the case of vSRX, from the VNF CLI you can list the
    virtual interfaces as below:</para>

    <programlisting>root@Atom-C3000&gt; show interfaces terse
...
fxp0.0                  up    up   inet     172.24.15.92/22
gre                     up    up
ipip                    up    up
...</programlisting>

    <para>When using provided configurations, the VNF management port for
    Juniper vSRX is always <literal>fxp0.0</literal>.</para>

    <para>In the case of Fortigate, from the VNF CLI you can list the virtual
    interfaces as such:</para>

    <programlisting>FGVM080000136187 # get system interface
== [ port1 ]
name: port1   mode: dhcp  ip: 172.24.15.94 255.255.252.0   status: up netbios-forward:
disable      type: physical   netflow-sampler: disable    sflow-sampler: disable...
...</programlisting>

    <para>When using provided configurations, the VNF management port for
    Fortigate is always <literal>port1</literal>.</para>

    <note>
      <para>Please note that VNF management ports will get dynamically
      allocated IPs only if the physical NIC used for management is configured
      to get its IP through DHCP (see Step 1 from above).</para>
    </note>

    <para>If functionality is as intended, LAN-to-LAN connectivity can be
    checked (through the VPN tunnel) by using two devices (PC/laptop)
    connected to the LAN ports of each uCPE. Optionally, these devices can be
    simulated by using Enea's sample VNF running on both uCPEs and connected
    to the <literal>lan_br</literal> on each side. Please note that
    instructions for onboarding and instantiating this VNF is not in the scope
    of this document.</para>

    <para>Since the Fortigate VNF, which is acting as router and firewall, is
    configured to be the DHCP server for the LAN network, the device interface
    connected to the uCPE LAN port has to be configured to get a dynamically
    assigned IP. These IPs are in the 172.0.0.0/24 network for Site1 and the
    172.10.10.0/24 network for Site2. Therefore, site-to-site connectivity can
    be checked (from Site1) as such:</para>

    <programlisting>root@atom-c3000:~# ping 172.10.10.2
PING 172.10.10.2 (172.10.10.2): 56 data bytes
...</programlisting>
  </section>

  <section id="limitations">
    <title>Limitations</title>

    <para>Below is a list of known limitations:</para>

    <itemizedlist>
      <listitem>
        <para>The vSRX VNF has no trust-to-untrust and untrust-to-trust
        policies (only trust-to-vpn and vpn-to-trust were configured).
        Therefore, uCPEs were not configured for a "direct Internet access"
        use-case.</para>
      </listitem>

      <listitem>
        <para>The Fortigate VNF has no "real" firewall policies set, i.e. all
        traffic from LAN is allowed to pass through the WAN interface and
        vice versa. The chain therefore demonstrates connectivity only; add
        firewall policies before using this configuration outside a
        lab.</para>
      </listitem>
    </itemizedlist>
  </section>
</chapter>