<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<chapter id="in_band_managemen">
<title>In-band Management</title>
<para>In-band Management refers to administrative access to systems and
network devices, over the same network used by the traffic being
filtered.</para>
<para>In some situations, In-band Management is the only option available to
both control and configure the device while also allowing data-path
traffic to pass over the same physical interface. In-band Management can
represent a significant risk to the administrator if certain precautions are
not taken. These risks center predominantly around the use of unencrypted
communication channels. However, this use case (i.e. all traffic going over
the same physical interface) is required on a setup with a poor
infrastructure configuration.</para>
<para>The main requirement for this use case solution is to have all traffic
pass through a defined WAN physical port.</para>
<para>Three types of traffic are mentioned:</para>
<itemizedlist>
<listitem>
<para>Device management, e.g. device configuration and firmware upgrades
performed by the uCPE Manager.</para>
</listitem>
<listitem>
<para>VNF configuration: enabling or disabling features of a VNF, e.g.
enabling/disabling the firewall or VPN setup.</para>
</listitem>
<listitem>
<para>Data-path: all other traffic that is not part of the control
plane and needs to reach a LAN network.</para>
</listitem>
</itemizedlist>
<note>
<para>For use cases where latency is critical, it is recommended to
use out-of-band management with a dedicated physical interface for the
data-path.</para>
</note>
<para>The solution provided by Enea for In-band Management is based upon
Open vSwitch bridges which control all traffic passing through the WAN
physical port. Note that the NFV Access platform assumes that the
active connection with the uCPE Manager is the one to be used for In-band
Management. The physical port used by the active connection will be attached
to the In-band Management WAN bridge. Communication with the uCPE Manager
should not be affected; it is re-established automatically after In-band
Management activation.</para>
<para>All network traffic, with the exception of traffic received from the uCPE
Manager, will be sent towards the VNF, or dropped if there is no VNF
instantiated on the NFV Access device. The VNF connected to the WAN bridge
must be configured for In-band Management, since traffic from the VNF manager
and the data-path will be sent to only one port (WAN) of the VNF.</para>
<note>
<para>Only one VNF must be connected to the In-band management WAN bridge.
Please make sure the VNF accepts in-band management.</para>
</note>
<figure>
<title>Enea In-band Management solution</title>
<mediaobject>
<imageobject>
<imagedata align="center" fileref="images/In-bandManagement2.png"
scale="55" />
</imageobject>
</mediaobject>
</figure>
<table>
<title>Setup Prerequisites</title>
<tgroup cols="2">
<colspec align="left" colwidth="2*" />
<colspec align="left" colwidth="4*" />
<tbody>
<row>
<entry>WAN port</entry>
<entry>Physical port supported by DPDK</entry>
</row>
<row>
<entry>Dynamic IP on WAN port</entry>
<entry>DHCP server configured to distribute same IP address for same
MAC</entry>
</row>
<row>
<entry>uCPE Manager</entry>
<entry>uCPE Manager IP address must be public (accessible for target)
and static</entry>
</row>
</tbody>
</tgroup>
</table>
<para><emphasis role="bold">How to activate In-band Management from the uCPE
Manager</emphasis></para>
<orderedlist>
<listitem>
<para>Select the device.</para>
</listitem>
<listitem>
<para>Select Configuration.</para>
</listitem>
<listitem>
<para>Click OpenvSwitch.</para>
</listitem>
<listitem>
<para>Select the Bridges option, then click Add.</para>
</listitem>
</orderedlist>
<table>
<title>In-band management WAN DPDK bridge configuration</title>
<tgroup cols="2">
<colspec align="left" colwidth="2*" />
<colspec align="left" colwidth="4*" />
<tbody>
<row>
<entry>name</entry>
<entry>Provide a name for the WAN bridge e.g. "ibm-wan-br"</entry>
</row>
<row>
<entry>ovs-bridge-type</entry>
<entry>dpdkWan</entry>
</row>
<row>
<entry>mgmt-address</entry>
<entry>IPv4 (add IP address of uCPE Manager machine)</entry>
</row>
<row>
<entry>mgmt-port</entry>
<entry>4334</entry>
</row>
</tbody>
</tgroup>
</table>
<para>The connection between the device and the uCPE Manager will be recreated
and all traffic will pass through the new bridge (ibm-wan-br). The user
should be able to continue device configuration. The WAN port of the very
first instantiated VNF must be connected to ibm-wan-br, and it should receive
the same IP address as the WAN interface of the device.</para>
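<para>As an added example (not part of the Enea documentation or the NFV Access product), the following Python function checks a bridge definition against the constraints this chapter states: ovs-bridge-type dpdkWan, a public static IPv4 mgmt-address, mgmt-port 4334, and exactly one VNF attached to the bridge. The field names mirror the configuration table; the vnf-ports key, the list of non-public ranges and the sample values are assumptions.</para>

```python
"""Added example: sanity-check an In-band Management WAN bridge definition
against the constraints documented in this chapter (not Enea's code)."""
import ipaddress

BRIDGE_TYPE = "dpdkWan"   # ovs-bridge-type from the configuration table
MGMT_PORT = 4334          # mgmt-port from the configuration table

# Ranges that cannot serve as the public, static uCPE Manager address
# required by the prerequisites table (assumed list, RFC 1918 plus
# loopback, link-local and the "this network" block).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]


def check_bridge(cfg):
    """Return the list of violated constraints for one bridge definition.

    cfg keys mirror the table fields (name, ovs-bridge-type, mgmt-address,
    mgmt-port); "vnf-ports" (assumed key) lists the VNF ports attached to
    the bridge. An empty list means the definition is acceptable.
    """
    problems = []
    if not cfg.get("name"):
        problems.append("name: bridge name is required")
    if cfg.get("ovs-bridge-type") != BRIDGE_TYPE:
        problems.append(f"ovs-bridge-type: must be {BRIDGE_TYPE}")
    try:
        addr = ipaddress.ip_address(cfg.get("mgmt-address", ""))
    except ValueError:
        problems.append("mgmt-address: not a valid IP address")
    else:
        if addr.version != 4:
            problems.append("mgmt-address: must be IPv4")
        elif any(addr in net for net in NON_PUBLIC):
            problems.append(f"mgmt-address: {addr} is not a public address")
    if cfg.get("mgmt-port") != MGMT_PORT:
        problems.append(f"mgmt-port: must be {MGMT_PORT}")
    # Everything that is not uCPE Manager traffic is forwarded to the single
    # VNF on the bridge (or dropped when none exists), so exactly one VNF
    # port may be attached.
    vnfs = cfg.get("vnf-ports", [])
    if len(vnfs) != 1:
        problems.append(f"vnf-ports: exactly one VNF port must be attached, found {len(vnfs)}")
    return problems


if __name__ == "__main__":
    sample = {"name": "ibm-wan-br", "ovs-bridge-type": "dpdkWan",
              "mgmt-address": "203.0.113.10", "mgmt-port": 4334,
              "vnf-ports": ["vnf-firewall-wan"]}   # constructed values
    print(check_bridge(sample) or "bridge definition OK")
```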
<figure>
<title>Enea In-band Management solution</title>
<mediaobject>
<imageobject>
<imagedata align="center" fileref="images/In-bandManagement.png"
scale="65" />
</imageobject>
</mediaobject>
</figure>
<para>The VNF can be reached on the same IP address as the device, e.g.
<literal>https://&lt;WAN_IP&gt;</literal>.</para>
<note>
<para>The In-band management bridge must be recreated each time the uCPE
Manager IP is changed.</para>
</note>
</chapter>