author Miruna Paun <Miruna.Paun@enea.com> 2019-03-13 10:37:31 +0100
committer Miruna Paun <Miruna.Paun@enea.com> 2019-03-13 12:09:03 +0100
commit 25f5a8f2e73a6985b46797bd159e8d4e08a2f981 (patch)
tree de515d39915523a6b0573939e1c73d38878005ed
parent cfbd3983c1b61cfd3d100dbd39f0ec4cf86203f1 (diff)
download nfv-access-documentation-25f5a8f2e73a6985b46797bd159e8d4e08a2f981.tar.gz
Updated book structure, proofed vnf chaining usecase.
Change-Id: I38237583d1eea8558d0ac960501aea046076411a
-rw-r--r-- doc/book-enea-nfv-access-example-usecases/doc/book.xml 14
-rw-r--r-- doc/book-enea-nfv-access-example-usecases/doc/clav_vnf_examples.xml 267
-rw-r--r-- doc/book-enea-nfv-access-example-usecases/doc/enea_vnf_examples.xml 274
-rw-r--r-- doc/book-enea-nfv-access-example-usecases/doc/example_usecases.xml 2525
-rw-r--r-- doc/book-enea-nfv-access-example-usecases/doc/inband_management.xml 296
-rw-r--r-- doc/book-enea-nfv-access-example-usecases/doc/vnf_chaining.xml 361
-rw-r--r-- doc/book-enea-nfv-access-example-usecases/doc/vnf_fortigate.xml 1309
7 files changed, 2520 insertions, 2526 deletions
diff --git a/doc/book-enea-nfv-access-example-usecases/doc/book.xml b/doc/book-enea-nfv-access-example-usecases/doc/book.xml
index c4c6397..22740d2 100644
--- a/doc/book-enea-nfv-access-example-usecases/doc/book.xml
+++ b/doc/book-enea-nfv-access-example-usecases/doc/book.xml
@@ -15,6 +15,18 @@
15 <xi:include href="../../s_docbuild/template/docsrc_common/bookinfo_userdoc.xml" 15 <xi:include href="../../s_docbuild/template/docsrc_common/bookinfo_userdoc.xml"
16 xmlns:xi="http://www.w3.org/2001/XInclude" /> 16 xmlns:xi="http://www.w3.org/2001/XInclude" />
17 17
18 <xi:include href="example_usecases.xml" 18 <xi:include href="clav_vnf_examples.xml"
19 xmlns:xi="http://www.w3.org/2001/XInclude" />
20
21 <xi:include href="enea_vnf_examples.xml"
22 xmlns:xi="http://www.w3.org/2001/XInclude" />
23
24 <xi:include href="vnf_fortigate.xml"
25 xmlns:xi="http://www.w3.org/2001/XInclude" />
26
27 <xi:include href="inband_management.xml"
28 xmlns:xi="http://www.w3.org/2001/XInclude" />
29
30 <xi:include href="vnf_chaining.xml"
19 xmlns:xi="http://www.w3.org/2001/XInclude" /> 31 xmlns:xi="http://www.w3.org/2001/XInclude" />
20</book> 32</book>
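Review bot: every new `xi:include` (lines 18 to 31 of the new file) redeclares `xmlns:xi="http://www.w3.org/2001/XInclude"`; declaring the namespace once on the root `<book>` element would let each include be a single line and make reordering chapters a one-line edit. Also note that only `clav_vnf_examples.xml` and `enea_vnf_examples.xml` are shown as new files in this diff, while `vnf_fortigate.xml`, `inband_management.xml` and `vnf_chaining.xml` appear in the diffstat as changed files, so the book now depends on all five resolving at build time; a quick build of the book before merge would confirm none of the includes is dangling.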
diff --git a/doc/book-enea-nfv-access-example-usecases/doc/clav_vnf_examples.xml b/doc/book-enea-nfv-access-example-usecases/doc/clav_vnf_examples.xml
new file mode 100644
index 0000000..eca3c99
--- /dev/null
+++ b/doc/book-enea-nfv-access-example-usecases/doc/clav_vnf_examples.xml
@@ -0,0 +1,267 @@
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<chapter id="clav_vnf_example">
3 <title>Clavister VNF Example Use-cases</title>
4
5 <section id="clav_vnf">
6 <title>Clavister VNF</title>
7
8 <para>In this use case, <literal>target_1</literal> will run the Clavister
9 VNF and an Open vSwitch bridge, while <literal>target_2</literal> will run
10 two iPerf VNFs.</para>
11
12 <figure>
13 <title>Clavister VNF Example Overview</title>
14
15 <mediaobject>
16 <imageobject>
17 <imagedata align="center" fileref="images/clavister_vnf_diagram.png"
18 scale="50" />
19 </imageobject>
20 </mediaobject>
21 </figure>
22
23 <para><emphasis role="bold">How to setup the target to run the Clavister
24 VNF and an Open vSwitch Bridge</emphasis></para>
25
26 <orderedlist>
27 <para><emphasis role="bold">Network Configuration for target_1 and
28 target_2</emphasis></para>
29
30 <listitem>
31 <para>From the uCPE Manager select the target_1:
32 <literal>Configuration</literal> -&gt; <literal>OpenVSwitch</literal>
33 -&gt; H<literal>ost Interfaces</literal> -&gt;
34 <literal>Add</literal></para>
35 </listitem>
36
37 <listitem>
38 <para>Select the network interface that will be used to connect to the
39 second target, configure it for DPDK, and click
40 <literal>Create</literal> to send the configuration to the
41 target:</para>
42
43 <figure>
44 <title>Host Interface Creation</title>
45
46 <mediaobject>
47 <imageobject>
48 <imagedata align="center"
49 fileref="images/host_interface_creation.png" />
50 </imageobject>
51 </mediaobject>
52 </figure>
53 </listitem>
54
55 <listitem>
56 <para>Create an Open vSwitch bridge (<literal>ovsbr0</literal>) with
57 one DPDK interface by selecting the <literal>Add</literal> button from
58 the <literal>Bridges</literal> tab.</para>
59 </listitem>
60
61 <listitem>
62 <para>Once the bridge creation popup appears, fill the fields and add
63 the physical interface:</para>
64
65 <figure>
66 <title>OVS bridge</title>
67
68 <mediaobject>
69 <imageobject>
70 <imagedata align="center" fileref="images/ovs_bridge_zero.png"
71 scale="80" />
72 </imageobject>
73 </mediaobject>
74 </figure>
75 </listitem>
76
77 <listitem>
78 <para>Repeat the steps above on the target_2, by also using one DPDK
79 interface and creating an OVS bridge.</para>
80 </listitem>
81 </orderedlist>
82
83 <orderedlist>
84 <para><emphasis role="bold">Instantiate the VNFs:</emphasis></para>
85
86 <para>Once the network configuration has been completed on both targets
87 instantiate the VNFs:</para>
88
89 <para><emphasis role="bold">A) Instantiate Clavister VNF on
90 target_1:</emphasis></para>
91
92 <listitem>
93 <para>Select the target_1, then the VNF option from the top toolbar:
94 <literal>VNF</literal> -&gt; <literal>Instances</literal> -&gt;
95 <literal>Add</literal>.</para>
96 </listitem>
97
98 <listitem>
99 <para>Fill in the required information about the
100 <literal>Clavister</literal> VNF, (the default network configuration
101 can be used):</para>
102
103 <figure>
104 <title>VNF Instance</title>
105
106 <mediaobject>
107 <imageobject>
108 <imagedata align="center" fileref="images/vnf_instance.png"
109 scale="80" />
110 </imageobject>
111 </mediaobject>
112 </figure>
113 </listitem>
114 </orderedlist>
115
116 <orderedlist>
117 <para><emphasis role="bold">B) Instantiate two iPerf VNFs (one as client
118 and one as server) on target_2: </emphasis></para>
119
120 <listitem>
121 <para>Instantiate two <literal>iPerf</literal> VNFs on target_2. One
122 will act as the server and the second as the client.</para>
123 </listitem>
124
125 <listitem>
126 <para>Select target_2, then the VNF option from the top toolbar:
127 <literal>VNF</literal> -&gt; <literal>Instances</literal> -&gt;
128 <literal>Add</literal>.</para>
129 </listitem>
130
131 <listitem>
132 <para>In the <literal>VNF Instance</literal> window, select the first
133 <literal>iPerf</literal> VNF from the dropdown menu, configure it to
134 act as a server by unchecking the <literal>Client mode IPerf</literal>
135 box, and click the <literal>Create</literal> button.</para>
136 </listitem>
137
138 <listitem>
139 <para>Select <literal>Add</literal>, enable the <literal>Client mode
140 IPerf</literal> checkbox and then click <literal>Create</literal> to
141 instantiate the second <literal>iPerf VNF</literal> as a client, and
142 to run it in client mode.</para>
143 </listitem>
144
145 <listitem>
146 <para>In order to check that traffic is forwarded between the VNFs,
147 connect to the iPerf VNF client console:</para>
148
149 <para>Connect to the target_2 by using: <literal>SSH</literal> -&gt;
150 <literal>user</literal> (root) -&gt;<literal>Connect</literal> and run
151 the following:</para>
152
153 <programlisting>virsh list
154virsh console
155root@qemux86-64:~# iperf3 -c 192.168.10.10</programlisting>
156 </listitem>
157 </orderedlist>
158 </section>
159
160 <section id="clav_example_sriov">
161 <title>Clavister VNF using SR-IOV</title>
162
163 <para>In this use case, target 1 will run the iPerf server and iPerf
164 client VNFs using SR-IOV and target 2 will run the Clavister VNF using
165 SR-IOV with two virtual functions (vf1 and vf2):</para>
166
167 <figure>
168 <title>Example Overview</title>
169
170 <mediaobject>
171 <imageobject>
172 <imagedata align="center" fileref="images/clav_VNF_demo_SR-IOV.png"
173 scale="60" />
174 </imageobject>
175 </mediaobject>
176 </figure>
177
178 <orderedlist>
179 <listitem>
180 <para>On target 2, create an SR-IOV configuration with 2 virtual
181 functions: <literal>Configuration</literal> -&gt;
182 <literal>OpenVSwitch</literal> -&gt; <literal>Host
183 Interfaces</literal> -&gt; <literal>Add</literal>:</para>
184
185 <figure>
186 <title>SR-IOV configuration with 2 virtual functions</title>
187
188 <mediaobject>
189 <imageobject>
190 <imagedata align="center"
191 fileref="images/sriov_configuration.png" scale="80" />
192 </imageobject>
193 </mediaobject>
194 </figure>
195 </listitem>
196
197 <listitem>
198 <para>Instantiate the Clavister VNF on target 2, by clicking
199 <literal>VNF</literal> -&gt; <literal>Instances</literal> -&gt;
200 <literal>Add</literal>.</para>
201
202 <para>Select <literal>SrIovAdapterPool</literal> as an Interface type
203 for both Interface1 type and 2 type, before clicking
204 <literal>Create</literal>:</para>
205
206 <figure>
207 <title>Instantiating the Clavister VNF on target 2</title>
208
209 <mediaobject>
210 <imageobject>
211 <imagedata align="center" fileref="images/srlov_adap_pool.png"
212 scale="70" />
213 </imageobject>
214 </mediaobject>
215 </figure>
216 </listitem>
217
218 <listitem>
219 <para>On target 1, create an SR-IOV interface as done in step
220 1.</para>
221 </listitem>
222
223 <listitem>
224 <para>Create the iPerf server on target 1. Select
225 <literal>SrIovAdapterPool</literal> as an Interface type:</para>
226
227 <figure>
228 <title>IPerf Server Interface Type</title>
229
230 <mediaobject>
231 <imageobject>
232 <imagedata align="center"
233 fileref="images/iperf_server_inttype.png" scale="70" />
234 </imageobject>
235 </mediaobject>
236 </figure>
237 </listitem>
238
239 <listitem>
240 <para>Create the iPerf client on target 1. Select
241 <literal>SrIovAdapterPool</literal> as an Interface type and tick the
242 <literal>Client mode IPer</literal> checkbox:</para>
243
244 <figure>
245 <title>IPerf Client Interface Type</title>
246
247 <mediaobject>
248 <imageobject>
249 <imagedata align="center"
250 fileref="images/iperf_client_inttype.png" scale="70" />
251 </imageobject>
252 </mediaobject>
253 </figure>
254 </listitem>
255
256 <listitem>
257 <para>In order to check that traffic is forwarded between the VNFs,
258 connect to the iPerf VNF client console by using:
259 <literal>SSH</literal> -&gt; <literal>user</literal> (root)
260 -&gt;<literal>Connect</literal> and run the following
261 commands:<programlisting>virsh list
262virsh console
263root@qemux86-64:~# iperf3 -c 192.168.10.10</programlisting></para>
264 </listitem>
265 </orderedlist>
266 </section>
267</chapter> \ No newline at end of file
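Review bot: `virsh console` on lines 154 and 262 is given without a domain name or ID and cannot be run as written; the TestPMD chapter in this same change uses `virsh console 1` and `virsh console [VM NAME]`, and the same placeholder form should be used here. Smaller fixes in this hunk: `H<literal>ost Interfaces</literal>` (line 33) leaves the `H` outside the literal; `Client mode IPer` (line 242) should read `Client mode IPerf` as on lines 134 and 139; `fileref="images/srlov_adap_pool.png"` (line 211) spells the name with a lowercase L although the feature is SR-IOV, so confirm the image file really exists under that spelling; and the file is committed without a trailing newline.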
diff --git a/doc/book-enea-nfv-access-example-usecases/doc/enea_vnf_examples.xml b/doc/book-enea-nfv-access-example-usecases/doc/enea_vnf_examples.xml
new file mode 100644
index 0000000..9ec4861
--- /dev/null
+++ b/doc/book-enea-nfv-access-example-usecases/doc/enea_vnf_examples.xml
@@ -0,0 +1,274 @@
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<chapter id="enea_vnf_examples">
3 <title>Enea VNF Example Use-cases</title>
4
5 <section id="enea_vnf">
6 <title>TestPMD VNF</title>
7
8 <para>Use case description: pktgen[DPDK] - PHY1 - PHY2 - [DPDK]OVS -
9 VM[DPDK]testpmd(forwarding) - OVS[DPDK] - VM[DPDK]
10 testpmd(termination).</para>
11
12 <figure>
13 <title>Enea VNF Example Overview</title>
14
15 <mediaobject>
16 <imageobject>
17 <imagedata align="center"
18 fileref="images/enea_vnf_demo_overview.png" scale="80" />
19 </imageobject>
20 </mediaobject>
21 </figure>
22
23 <para><emphasis role="bold">How to setup the Enea VNF
24 Example</emphasis></para>
25
26 <orderedlist>
27 <listitem>
28 <para>Bind the host interfaces to the DPDK by selecting the target_1:
29 <literal>Configuration</literal> -&gt; <literal>OpenVSwitch</literal>
30 -&gt; <literal>Host Interfaces</literal> -&gt;
31 <literal>Add</literal>:</para>
32
33 <figure>
34 <title>Adding OVS Host Interfaces</title>
35
36 <mediaobject>
37 <imageobject>
38 <imagedata align="center"
39 fileref="images/ovs_host_interface.png" scale="80" />
40 </imageobject>
41 </mediaobject>
42 </figure>
43 </listitem>
44
45 <listitem>
46 <para>Select the network interface that will be used to connect to the
47 second target and configure it for the DPDK:</para>
48
49 <figure>
50 <title>Configuring the host interface</title>
51
52 <mediaobject>
53 <imageobject>
54 <imagedata align="center"
55 fileref="images/secondtar_hostinterface.png"
56 scale="90" />
57 </imageobject>
58 </mediaobject>
59 </figure>
60 </listitem>
61
62 <listitem>
63 <para>Select the <literal>Create</literal> button to send the
64 configuration to the target. The same steps must also be performed on
65 the target_2.</para>
66 </listitem>
67
68 <listitem>
69 <para>Create an OpenVSwitch bridge (<literal>ovsbr0</literal>) on
70 target_1 that uses one DPDK interface, by selecting the
71 <literal>Add</literal> button from the Bridges tab and then selcting:
72 <literal>Configuration</literal> -&gt;
73 <literal>OpenVSwitch</literal>-&gt; <literal>Bridges</literal>:</para>
74
75 <figure>
76 <title>OVS Bridge Table</title>
77
78 <mediaobject>
79 <imageobject>
80 <imagedata align="center" fileref="images/ovs_bridge_tab.png"
81 scale="75" />
82 </imageobject>
83 </mediaobject>
84 </figure>
85
86 <figure>
87 <title>Adding the interface to the OVS Bridge</title>
88
89 <mediaobject>
90 <imageobject>
91 <imagedata align="center" fileref="images/ovs_bridge_two.png"
92 scale="90" />
93 </imageobject>
94 </mediaobject>
95 </figure>
96 </listitem>
97
98 <listitem>
99 <para>Instantiate the TestPMD VNFs on target_1 by selecting:
100 <literal>VNF</literal> -&gt; <literal>Instances</literal> -&gt;
101 <literal>Add</literal>.</para>
102 </listitem>
103
104 <listitem>
105 <para>Configure the VNF that forwards traffic:</para>
106
107 <figure>
108 <title>Configuring the fwdVNF</title>
109
110 <mediaobject>
111 <imageobject>
112 <imagedata align="center" fileref="images/traffic_forward.png"
113 scale="85" />
114 </imageobject>
115 </mediaobject>
116 </figure>
117 </listitem>
118
119 <listitem>
120 <para>Configure the VNF that terminates traffic:</para>
121
122 <figure>
123 <title>Configuring the termVNF</title>
124
125 <mediaobject>
126 <imageobject>
127 <imagedata align="center" fileref="images/traffic_terminate.png"
128 scale="85" />
129 </imageobject>
130 </mediaobject>
131 </figure>
132 </listitem>
133
134 <listitem>
135 <para>Add OpenVSwitch flows to control this traffic:</para>
136
137 <figure>
138 <title>Configuring the FWD flow</title>
139
140 <mediaobject>
141 <imageobject>
142 <imagedata align="center" fileref="images/flow_fwd.png"
143 scale="90" />
144 </imageobject>
145 </mediaobject>
146 </figure>
147
148 <figure>
149 <title>Configuring the TERM flow</title>
150
151 <mediaobject>
152 <imageobject>
153 <imagedata align="center" fileref="images/flow_term.png"
154 scale="90" />
155 </imageobject>
156 </mediaobject>
157 </figure>
158 </listitem>
159
160 <listitem>
161 <para>Start pktgen on target_2. Connect to the target by using:
162 <literal>SSH</literal> -&gt; <literal>user</literal> (root) and
163 perform the following:</para>
164
165 <programlisting>killall ovsdb-server ovs-vswitchd
166rm -rf /etc/openvswitch/*
167mkdir -p /var/run/openvswitch
168modprobe igb_uio
169dpdk-devbind --bind=igb_uio 0000:05:00.3
170cd /usr/share/apps/pktgen/
171./pktgen -c 0x7 -n 4 --proc-type auto --socket-mem 256 -w 0000:05:00.3 -- \
172 -P -m "[1:2].0"
173Pktgen:/&gt; start 0</programlisting>
174 </listitem>
175
176 <listitem>
177 <para>Connect to the forwarder VNF in order to check the traffic
178 statistics by selecting target_1: <literal>SSH</literal> -&gt;
179 <literal>user</literal> (root):</para>
180
181 <programlisting>Virsh list
182Virsh console 1
183# Qemux86-64 login: root
184tail -f /opt/testpmd-out</programlisting>
185
186 <figure>
187 <title>Traffic Statistics</title>
188
189 <mediaobject>
190 <imageobject>
191 <imagedata align="center"
192 fileref="images/connection_information.png"
193 scale="70" />
194 </imageobject>
195 </mediaobject>
196 </figure>
197 </listitem>
198 </orderedlist>
199 </section>
200
201 <section id="vnf_pci">
202 <title>TestPMD VNF using PCI passthrough</title>
203
204 <para>In this use case, target 1 will run the Pktgen and target 2 will run
205 the TestPMD VNF. Both will be using PCI passthrough:</para>
206
207 <figure>
208 <title>TestPMD VNF using PCI passthrough Overview</title>
209
210 <mediaobject>
211 <imageobject>
212 <imagedata align="center" fileref="images/testPMD_VNF_PCI.png"
213 scale="65" />
214 </imageobject>
215 </mediaobject>
216 </figure>
217
218 <orderedlist>
219 <listitem>
220 <para>Make sure that neither target 1 nor target 2 have any configured
221 host interfaces by selcting target: <literal>Configuration</literal>
222 -&gt; <literal>OpenVSwitch</literal> -&gt; <literal>Host
223 Interfaces</literal>.</para>
224 </listitem>
225
226 <listitem>
227 <para>On target 1 start the Pktgen VNF. Select
228 <literal>PciPassthrough</literal> as the Interface type.</para>
229
230 <para>From the drop-down list, select the PCI interface corresponding
231 to the NIC which is connected to target 2:</para>
232
233 <figure>
234 <title>Selecting the Pktgen VNF Interface</title>
235
236 <mediaobject>
237 <imageobject>
238 <imagedata align="center" fileref="images/pciPass_interface.png"
239 scale="70" />
240 </imageobject>
241 </mediaobject>
242 </figure>
243 </listitem>
244
245 <listitem>
246 <para>On target 2, start the TestPmdForwarder VNF. Select
247 "PciPassthrough" as the Interface type. From the drop-down list,
248 select the PCI interface corresponding to the NIC which is connected
249 to target 1:</para>
250
251 <figure>
252 <title>Selecting the TestPmdForwarder VNF Interface</title>
253
254 <mediaobject>
255 <imageobject>
256 <imagedata align="center"
257 fileref="images/testpmd_fwdvnf_int.png" scale="70" />
258 </imageobject>
259 </mediaobject>
260 </figure>
261 </listitem>
262
263 <listitem>
264 <para>To check that traffic is being forwarded from target 2, SSH to
265 the target and connect to the VNFs console:</para>
266
267 <programlisting>Right click on target 2 and select SSH.
268Run: virsh list
269Run: virsh console [VM NAME]
270Run: tail -f /opt/testpmd-out</programlisting>
271 </listitem>
272 </orderedlist>
273 </section>
274</chapter> \ No newline at end of file
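Review bot: `Virsh list` and `Virsh console 1` (lines 181 and 182) are capitalised, but the shell is case-sensitive and the binary is `virsh`, as lines 268 and 269 of the same file have it; `# Qemux86-64 login: root` (line 183) is a login prompt rather than a command and should be marked as such or moved out of the listing. The pktgen step (lines 165 to 173) runs `killall ovsdb-server ovs-vswitchd` and `rm -rf /etc/openvswitch/*`, which wipes the OVS database and the bridge that steps 1 to 3 configured on target_2 through the uCPE Manager; the text should say this is intentional (pktgen takes over the NIC directly) so a reader does not run it on a target whose OVS configuration must be kept. `0000:05:00.3` (lines 169 and 171) is a host-specific PCI address and should be labelled as an example value to be replaced with the reader's own. Also `selcting` appears twice (lines 71 and 221), `"PciPassthrough"` (line 247) uses plain quotes where line 228 uses `<literal>`, and lines 267 to 270 put a GUI instruction (`Right click on target 2 and select SSH.`) inside a `<programlisting>` next to commands prefixed with `Run:`; move the GUI step into the `<para>` and keep only the commands in the listing.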
diff --git a/doc/book-enea-nfv-access-example-usecases/doc/example_usecases.xml b/doc/book-enea-nfv-access-example-usecases/doc/example_usecases.xml
deleted file mode 100644
index 7934d71..0000000
--- a/doc/book-enea-nfv-access-example-usecases/doc/example_usecases.xml
+++ /dev/null
@@ -1,2525 +0,0 @@
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<chapter id="example_usecases">
3 <title>Example Use Cases Manual</title>
4
5 <para>This book will detail various example use cases that a user can
6 experiment with.</para>
7
8 <section id="clav_vnf_example">
9 <title>Clavister VNF Examples</title>
10
11 <section id="clav_vnf">
12 <title>Clavister VNF</title>
13
14 <para>In this use case, <literal>target_1</literal> will run the
15 Clavister VNF and an Open vSwitch bridge and <literal>target_2</literal>
16 two iPerf VNFs.</para>
17
18 <figure>
19 <title>Clavister VNF Example Overview</title>
20
21 <mediaobject>
22 <imageobject>
23 <imagedata align="center"
24 fileref="images/clavister_vnf_diagram.png" scale="50" />
25 </imageobject>
26 </mediaobject>
27 </figure>
28
29 <para><emphasis role="bold">How to setup the target to run the Clavister
30 VNF and an Open vSwitch Bridge</emphasis></para>
31
32 <orderedlist>
33 <para><emphasis role="bold">Network Configuration for target_1 and
34 target_2</emphasis></para>
35
36 <listitem>
37 <para>From uCPE Manager select the target_1:
38 <literal>Configuration</literal> -&gt;
39 <literal>OpenVSwitch</literal> -&gt; H<literal>ost
40 Interfaces</literal> -&gt; <literal>Add</literal></para>
41 </listitem>
42
43 <listitem>
44 <para>Select the network interface that will be used to connect to
45 the second target, configure it for DPDK, and click
46 <literal>Create</literal> to send the configuration to the
47 target:</para>
48
49 <figure>
50 <title>Host Interface Creation</title>
51
52 <mediaobject>
53 <imageobject>
54 <imagedata align="center"
55 fileref="images/host_interface_creation.png" />
56 </imageobject>
57 </mediaobject>
58 </figure>
59 </listitem>
60
61 <listitem>
62 <para>Create an Open vSwitch bridge (<literal>ovsbr0</literal>) with
63 one DPDK interface by selecting the <literal>Add</literal> button
64 from the <literal>Bridges</literal> tab.</para>
65 </listitem>
66
67 <listitem>
68 <para>Once the bridge creation popup appears, fill the fields and
69 add the physical interface:</para>
70
71 <figure>
72 <title>OVS bridge</title>
73
74 <mediaobject>
75 <imageobject>
76 <imagedata align="center" fileref="images/ovs_bridge_zero.png"
77 scale="80" />
78 </imageobject>
79 </mediaobject>
80 </figure>
81 </listitem>
82
83 <listitem>
84 <para>Repeat the steps above on the target_2, by also using one DPDK
85 interface and creating an OVS bridge.</para>
86 </listitem>
87 </orderedlist>
88
89 <orderedlist>
90 <para><emphasis role="bold">Instantiate the VNFs:</emphasis></para>
91
92 <para>Once the network configuration has been completed on both
93 targets instantiate the VNFs:</para>
94
95 <para><emphasis role="bold">A) Instantiate Clavister VNF on
96 target_1:</emphasis></para>
97
98 <listitem>
99 <para>Select the target_1, then the VNF option from the top toolbar:
100 <literal>VNF</literal> -&gt; <literal>Instances</literal> -&gt;
101 <literal>Add</literal>.</para>
102 </listitem>
103
104 <listitem>
105 <para>Fill in the required information about the
106 <literal>Clavister</literal> VNF, (the default network configuration
107 can be used):</para>
108
109 <figure>
110 <title>VNF Instance</title>
111
112 <mediaobject>
113 <imageobject>
114 <imagedata align="center" fileref="images/vnf_instance.png"
115 scale="80" />
116 </imageobject>
117 </mediaobject>
118 </figure>
119 </listitem>
120 </orderedlist>
121
122 <orderedlist>
123 <para><emphasis role="bold">B) Instantiate two iPerf VNFs (one as
124 client and one as server) on target_2: </emphasis></para>
125
126 <listitem>
127 <para>Instantiate two <literal>iPerf</literal> VNFs on target_2. One
128 will act as the server and the second as the client.</para>
129 </listitem>
130
131 <listitem>
132 <para>Select target_2, then the VNF option from the top toolbar:
133 <literal>VNF</literal> -&gt; <literal>Instances</literal> -&gt;
134 <literal>Add</literal>.</para>
135 </listitem>
136
137 <listitem>
138 <para>In the <literal>VNF Instance</literal> window, select the
139 first <literal>iPerf</literal> VNF from the dropdown menu, configure
140 it to act as a server by unchecking the <literal>Client mode
141 IPerf</literal> box, and click the <literal>Create</literal>
142 button.</para>
143 </listitem>
144
145 <listitem>
146 <para>Select <literal>Add</literal>, enable the <literal>Client mode
147 IPerf</literal> checkbox and then click <literal>Create</literal> to
148 instantiate the second <literal>iPerf VNF</literal> as a client, and
149 to run it in client mode.</para>
150 </listitem>
151
152 <listitem>
153 <para>In order to check that traffic is forwarded between the VNFs,
154 connect to the iPerf VNF client console:</para>
155
156 <para>Connect to the target_2 by using: <literal>SSH</literal> -&gt;
157 <literal>user</literal> (root) -&gt;<literal>Connect</literal> and
158 run the following:</para>
159
160 <programlisting>virsh list
161virsh console
162root@qemux86-64:~# iperf3 -c 192.168.10.10</programlisting>
163 </listitem>
164 </orderedlist>
165 </section>
166
167 <section id="clav_example_sriov">
168 <title>Clavister VNF using SR-IOV</title>
169
170 <para>In this use case, target 1 will run the iPerf server and iPerf
171 client VNFs using SR-IOV and target 2 will run the Clavister VNF using
172 SR-IOV with two virtual functions (vf1 and vf2):</para>
173
174 <figure>
175 <title>Example Overview</title>
176
177 <mediaobject>
178 <imageobject>
179 <imagedata align="center"
180 fileref="images/clav_VNF_demo_SR-IOV.png" scale="60" />
181 </imageobject>
182 </mediaobject>
183 </figure>
184
185 <orderedlist>
186 <listitem>
187 <para>On target 2, create an SR-IOV configuration with 2 virtual
188 functions: <literal>Configuration</literal> -&gt;
189 <literal>OpenVSwitch</literal> -&gt; <literal>Host
190 Interfaces</literal> -&gt; <literal>Add</literal>:</para>
191
192 <figure>
193 <title>SR-IOV configuration with 2 virtual functions</title>
194
195 <mediaobject>
196 <imageobject>
197 <imagedata align="center"
198 fileref="images/sriov_configuration.png" scale="80" />
199 </imageobject>
200 </mediaobject>
201 </figure>
202 </listitem>
203
204 <listitem>
205 <para>Instantiate the Clavister VNF on target 2, by clicking
206 <literal>VNF</literal> -&gt; <literal>Instances</literal> -&gt;
207 <literal>Add</literal>.</para>
208
209 <para>Select <literal>SrIovAdapterPool</literal> as an Interface
210 type for both Interface1 type and 2 type, before clicking
211 <literal>Create</literal>:</para>
212
213 <figure>
214 <title>Instantiating the Clavister VNF on target 2</title>
215
216 <mediaobject>
217 <imageobject>
218 <imagedata align="center" fileref="images/srlov_adap_pool.png"
219 scale="70" />
220 </imageobject>
221 </mediaobject>
222 </figure>
223 </listitem>
224
225 <listitem>
226 <para>On target 1, create an SR-IOV interface as done in step
227 1.</para>
228 </listitem>
229
230 <listitem>
231 <para>Create the iPerf server on target 1. Select
232 <literal>SrIovAdapterPool</literal> as an Interface type:</para>
233
234 <figure>
235 <title>IPerf Server Interface Type</title>
236
237 <mediaobject>
238 <imageobject>
239 <imagedata align="center"
240 fileref="images/iperf_server_inttype.png"
241 scale="70" />
242 </imageobject>
243 </mediaobject>
244 </figure>
245 </listitem>
246
247 <listitem>
248 <para>Create the iPerf client on target 1. Select
249 <literal>SrIovAdapterPool</literal> as an Interface type and tick
250 the <literal>Client mode IPer</literal> checkbox:</para>
251
252 <figure>
253 <title>IPerf Client Interface Type</title>
254
255 <mediaobject>
256 <imageobject>
257 <imagedata align="center"
258 fileref="images/iperf_client_inttype.png"
259 scale="70" />
260 </imageobject>
261 </mediaobject>
262 </figure>
263 </listitem>
264
265 <listitem>
266 <para>In order to check that traffic is forwarded between the VNFs,
267 connect to the iPerf VNF client console by using:
268 <literal>SSH</literal> -&gt; <literal>user</literal> (root)
269 -&gt;<literal>Connect</literal> and run the following
270 commands:<programlisting>virsh list
271virsh console
272root@qemux86-64:~# iperf3 -c 192.168.10.10</programlisting></para>
273 </listitem>
274 </orderedlist>
275 </section>
276 </section>
277
278 <section id="enea_vnf_examples">
279 <title>Enea VNF Examples</title>
280
281 <section id="enea_vnf">
282 <title>TestPMD VNF</title>
283
284 <para>Use case description: pktgen[DPDK] - PHY1 - PHY2 - [DPDK]OVS -
285 VM[DPDK]testpmd(forwarding) - OVS[DPDK] - VM[DPDK]
286 testpmd(termination).</para>
287
288 <figure>
289 <title>Enea VNF Example Overview</title>
290
291 <mediaobject>
292 <imageobject>
293 <imagedata align="center"
294 fileref="images/enea_vnf_demo_overview.png" scale="80" />
295 </imageobject>
296 </mediaobject>
297 </figure>
298
299 <para><emphasis role="bold">How to setup the Enea VNF
300 Example</emphasis></para>
301
302 <orderedlist>
303 <listitem>
304 <para>Bind the host interfaces to the DPDK by selecting the
305 target_1: <literal>Configuration</literal> -&gt;
306 <literal>OpenVSwitch</literal> -&gt; <literal>Host
307 Interfaces</literal> -&gt; <literal>Add</literal>:</para>
308
309 <figure>
310 <title>Adding OVS Host Interfaces</title>
311
312 <mediaobject>
313 <imageobject>
314 <imagedata align="center"
315 fileref="images/ovs_host_interface.png" scale="80" />
316 </imageobject>
317 </mediaobject>
318 </figure>
319 </listitem>
320
321 <listitem>
322 <para>Select the network interface that will be used to connect to
323 the second target and configure it for the DPDK:</para>
324
325 <figure>
326 <title>Configuring the host interface</title>
327
328 <mediaobject>
329 <imageobject>
330 <imagedata align="center"
331 fileref="images/secondtar_hostinterface.png"
332 scale="90" />
333 </imageobject>
334 </mediaobject>
335 </figure>
336 </listitem>
337
338 <listitem>
339 <para>Select the <literal>Create</literal> button to send the
340 configuration to the target. The same steps must also be performed
341 on the target_2.</para>
342 </listitem>
343
344 <listitem>
345 <para>Create an OpenVSwitch bridge (<literal>ovsbr0</literal>) on
346 target_1 that uses one DPDK interface, by selecting the
347 <literal>Add</literal> button from the Bridges tab and then
348 selcting: <literal>Configuration</literal> -&gt;
349 <literal>OpenVSwitch</literal>-&gt;
350 <literal>Bridges</literal>:</para>
351
352 <figure>
353 <title>OVS Bridge Table</title>
354
355 <mediaobject>
356 <imageobject>
357 <imagedata align="center" fileref="images/ovs_bridge_tab.png"
358 scale="75" />
359 </imageobject>
360 </mediaobject>
361 </figure>
362
363 <figure>
364 <title>Adding the interface to the OVS Bridge</title>
365
366 <mediaobject>
367 <imageobject>
368 <imagedata align="center" fileref="images/ovs_bridge_two.png"
369 scale="90" />
370 </imageobject>
371 </mediaobject>
372 </figure>
373 </listitem>
374
375 <listitem>
376 <para>Instantiate the TestPMD VNFs on target_1 by selecting:
377 <literal>VNF</literal> -&gt; <literal>Instances</literal> -&gt;
378 <literal>Add</literal>.</para>
379 </listitem>
380
381 <listitem>
382 <para>Configure the VNF that forwards traffic:</para>
383
384 <figure>
385 <title>Configuring the fwdVNF</title>
386
387 <mediaobject>
388 <imageobject>
389 <imagedata align="center" fileref="images/traffic_forward.png"
390 scale="85" />
391 </imageobject>
392 </mediaobject>
393 </figure>
394 </listitem>
395
396 <listitem>
397 <para>Configure the VNF that terminates traffic:</para>
398
399 <figure>
400 <title>Configuring the termVNF</title>
401
402 <mediaobject>
403 <imageobject>
404 <imagedata align="center"
405 fileref="images/traffic_terminate.png" scale="85" />
406 </imageobject>
407 </mediaobject>
408 </figure>
409 </listitem>
410
411 <listitem>
412 <para>Add OpenVSwitch flows to control this traffic:</para>
413
414 <figure>
415 <title>Configuring the FWD flow</title>
416
417 <mediaobject>
418 <imageobject>
419 <imagedata align="center" fileref="images/flow_fwd.png"
420 scale="90" />
421 </imageobject>
422 </mediaobject>
423 </figure>
424
425 <figure>
426 <title>Configuring the TERM flow</title>
427
428 <mediaobject>
429 <imageobject>
430 <imagedata align="center" fileref="images/flow_term.png"
431 scale="90" />
432 </imageobject>
433 </mediaobject>
434 </figure>
435 </listitem>
436
437 <listitem>
438 <para>Start pktgen on target_2. Connect to the target by using:
439 <literal>SSH</literal> -&gt; <literal>user</literal> (root) and
440 perform the following:</para>
441
442 <programlisting>killall ovsdb-server ovs-vswitchd
443rm -rf /etc/openvswitch/*
444mkdir -p /var/run/openvswitch
445modprobe igb_uio
446dpdk-devbind --bind=igb_uio 0000:05:00.3
447cd /usr/share/apps/pktgen/
448./pktgen -c 0x7 -n 4 --proc-type auto --socket-mem 256 -w 0000:05:00.3 -- \
449 -P -m "[1:2].0"
450Pktgen:/&gt; start 0</programlisting>
451 </listitem>
452
453 <listitem>
454 <para>Connect to the forwarder VNF in order to check the traffic
455 statistics by selecting target_1: <literal>SSH</literal> -&gt;
456 <literal>user</literal> (root):</para>
457
458 <programlisting>Virsh list
459Virsh console 1
460# Qemux86-64 login: root
461tail -f /opt/testpmd-out</programlisting>
462
463 <figure>
464 <title>Traffic Statistics</title>
465
466 <mediaobject>
467 <imageobject>
468 <imagedata align="center"
469 fileref="images/connection_information.png"
470 scale="70" />
471 </imageobject>
472 </mediaobject>
473 </figure>
474 </listitem>
475 </orderedlist>
476 </section>
477
478 <section id="vnf_pci">
479 <title>TestPMD VNF using PCI passthrough</title>
480
481 <para>In this use case, target 1 will run the Pktgen and target 2 will
482 run the TestPMD VNF. Both will be using PCI passthrough:</para>
483
484 <figure>
485 <title>TestPMD VNF using PCI passthrough Overview</title>
486
487 <mediaobject>
488 <imageobject>
489 <imagedata align="center" fileref="images/testPMD_VNF_PCI.png"
490 scale="65" />
491 </imageobject>
492 </mediaobject>
493 </figure>
494
495 <orderedlist>
496 <listitem>
497 <para>Make sure that neither target 1 nor target 2 have any
498 configured host interfaces by selcting target:
499 <literal>Configuration</literal> -&gt;
500 <literal>OpenVSwitch</literal> -&gt; <literal>Host
501 Interfaces</literal>.</para>
502 </listitem>
503
504 <listitem>
505 <para>On target 1 start the Pktgen VNF. Select
506 <literal>PciPassthrough</literal> as the Interface type.</para>
507
508 <para>From the drop-down list, select the PCI interface
509 corresponding to the NIC which is connected to target 2:</para>
510
511 <figure>
512 <title>Selecting the Pktgen VNF Interface</title>
513
514 <mediaobject>
515 <imageobject>
516 <imagedata align="center"
517 fileref="images/pciPass_interface.png" scale="70" />
518 </imageobject>
519 </mediaobject>
520 </figure>
521 </listitem>
522
523 <listitem>
524 <para>On target 2, start the TestPmdForwarder VNF. Select
525 "PciPassthrough" as the Interface type. From the drop-down list,
526 select the PCI interface corresponding to the NIC which is connected
527 to target 1:</para>
528
529 <figure>
530 <title>Selecting the TestPmdForwarder VNF Interface</title>
531
532 <mediaobject>
533 <imageobject>
534 <imagedata align="center"
535 fileref="images/testpmd_fwdvnf_int.png" scale="70" />
536 </imageobject>
537 </mediaobject>
538 </figure>
539 </listitem>
540
541 <listitem>
542 <para>To check that traffic is being forwarded from target 2, SSH to
543 the target and connect to the VNFs console:</para>
544
545 <programlisting>Right click on target 2 and select SSH.
546Run: virsh list
547Run: virsh console [VM NAME]
548Run: tail -f /opt/testpmd-out</programlisting>
549 </listitem>
550 </orderedlist>
551 </section>
552 </section>
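Review bot: in the "Connect to the forwarder VNF" step of the OVS-DPDK use case, the listing gives "Virsh list" and "Virsh console 1" with a capital V; shell commands are case-sensitive, so these should be "virsh list" and "virsh console 1", matching the later PCI passthrough listing ("Run: virsh list"). The pktgen step in the same list runs "killall ovsdb-server ovs-vswitchd" followed by "rm -rf /etc/openvswitch/*", which discards the target's OpenVSwitch database; the step should say so before the listing so a reader does not run it on a target whose bridge configuration they still need. Minor: "selcting" in the first PCI passthrough step should be "selecting".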
553
554 <section id="vnf_fortigate">
555 <title>FortiGate VNF Example</title>
556
557 <para>FortiGate virtual appliances <remark>is "appliances" the correct
558 word to use here?</remark> feature all of the security and networking
559 services common to traditional hardware-based FortiGate appliances. The
560 virtual appliances can be integrated in Firewall or SD-WAN solution
561 development.</para>
562
563 <para>Enea provides a prepared VNF bundle for download from the Enea
564 Portal, for usage with the Enea NFV Access product. The prepared VNF
565 bundle includes the FortiGate VNF image as well as a VNF Descriptor and
566 other onboarding related configuration files. The VNF Descriptor provided
567 configures a setup, which requires the following resources:</para>
568
569 <itemizedlist>
570 <listitem>
571 <para>3 x Network Interfaces</para>
572 </listitem>
573
574 <listitem>
575 <para>1 x vCPU</para>
576 </listitem>
577
578 <listitem>
579 <para>1 GB of RAM memory</para>
580 </listitem>
581 </itemizedlist>
582
583 <para>The VNF Descriptor represents one specific setup, suitable for usage
584 with the Firewall and SD-WAN VPN instructions in this guide. Alternative
585 VNF Descriptor configurations may be needed to support other
586 configurations required by the customer.</para>
587
588 <para>Enea can provide assistance to provide alternative VNF Descriptor
589 configurations.</para>
590
591 <note>
592 <para>While the prepared FortiGate bundle is provided from Enea Portal,
593 additional content needs to be received from Fortinet directly. The
594 FortiGate VNF license as well as any FortiGate specific documentation
595 shall be requested from the local Fortinet sales representatives in your
596 region, before FortiGate can be used.</para>
597 </note>
598
599 <section id="fortigate_firewall">
600 <title>FortiGate VNF as a Firewall</title>
601
602 <para>FortiGate Next Generation Firewall utilizes purpose-built security
603 processors and threat intelligence security services to deliver
604 top-rated protection and high performance, including encrypted traffic.
605 FortiGate reduces complexity with automated visibility into
606 applications, users and networks, and provides security ratings to adopt
607 security best practices.</para>
608
609 <para>An example firewall configuration for the FortiGate VNF is
610 provided in the Enea Portal. It is a simple firewall base
611 configuration.</para>
612
613 <table>
614 <title>FortiGate VNF Example Configuration</title>
615
616 <tgroup cols="2">
617 <colspec align="center" />
618
619 <thead>
620 <row>
621 <entry align="center">Component</entry>
622
623 <entry align="center">Setting/Description</entry>
624 </row>
625 </thead>
626
627 <tbody>
628 <row>
629 <entry>Firewall</entry>
630
631 <entry>"All pass" mode</entry>
632 </row>
633
634 <row>
635 <entry>WAN (Virtual Port1)</entry>
636
637 <entry><para>DHCP Client, dynamically assigned IP
638 address.</para>FortiGate In-Band
639 Management<superscript>1</superscript></entry>
640 </row>
641
642 <row>
643 <entry>WAN (Virtual Port2)</entry>
644
645 <entry><para>IP address: 172.168.16.1</para>DHCP server (IP
646 range 172.168.16.1 - 172.168.16.255).</entry>
647 </row>
648
649 <row>
650 <entry>WAN (Virtual Port3)</entry>
651
652 <entry>Ignored</entry>
653 </row>
654 </tbody>
655 </tgroup>
656 </table>
657
658 <para><superscript>1</superscript>FortiGate In-Band Management is a
659 feature for running FortiGate Management traffic over WAN.</para>
660
661 <para>Instructions on how to alter the default configuration is provided
662 in the Fortigate VNF management chapter.</para>
663
664 <para><emphasis role="bold">Lab Setup</emphasis></para>
665
666 <para>Before starting the configuration of the FortiGate Firewall, a lab
667 setup of hardware and software configurations has to be built. The
668 following table illustrates the required lab setup:</para>
669
670 <table>
671 <title>Lab Setup Prerequisites</title>
672
673 <tgroup cols="2">
674 <colspec align="center" />
675
676 <thead>
677 <row>
678 <entry align="center">Component</entry>
679
680 <entry align="center">Description/Requirements</entry>
681 </row>
682 </thead>
683
684 <tbody>
685 <row>
686 <entry>Lab Network</entry>
687
688 <entrytbl cols="1">
689 <tbody>
690 <row>
691 <entry>DHCP enabled Lab Network</entry>
692 </row>
693
694 <row>
695 <entry>Internet Connectivity</entry>
696 </row>
697 </tbody>
698 </entrytbl>
699 </row>
700
701 <row>
702 <entry>Setup of an Intel Whitebox target device</entry>
703
704 <entrytbl cols="1">
705 <tbody>
706 <row>
707 <entry>Minimum 4 Physical Network Devices</entry>
708 </row>
709
710 <row>
711 <entry>4 GB RAM and 4 cores (C3000 or Xeon D)</entry>
712 </row>
713
714 <row>
715 <entry>Enea NFV Access Installed</entry>
716 </row>
717
718 <row>
719 <entry>WAN Connected to Lab Network</entry>
720 </row>
721
722 <row>
723 <entry>LAN1 Connected to Test Machine</entry>
724 </row>
725
726 <row>
727 <entry>LAN2 Unconnected</entry>
728 </row>
729
730 <row>
731 <entry>ETH0 connected to Lab Network (for Enea uCPE
732 Manager communications)</entry>
733 </row>
734 </tbody>
735 </entrytbl>
736 </row>
737
738 <row>
739 <entry>Setup of a Lab Machine</entry>
740
741 <entrytbl cols="1">
742 <tbody>
743 <row>
744 <entry>Connected to Lab Network</entry>
745 </row>
746
747 <row>
748 <entry>Running either Windows or CentOS</entry>
749 </row>
750
751 <row>
752 <entry>Enea uCPE Manager installed</entry>
753 </row>
754 </tbody>
755 </entrytbl>
756 </row>
757
758 <row>
759 <entry>Setup of a Test Machine</entry>
760
761 <entrytbl cols="1">
762 <tbody>
763 <row>
764 <entry>Connected to Whitebox LAN</entry>
765 </row>
766
767 <row>
768 <entry>Internet Connectivity via LAN</entry>
769 </row>
770
771 <row>
772 <entry>Configured as DHCP client on LAN</entry>
773 </row>
774 </tbody>
775 </entrytbl>
776 </row>
777
778 <row>
779 <entry>FortiGate VNF</entry>
780
781 <entrytbl cols="1">
782 <tbody>
783 <row>
784 <entry>Downloaded the FortiGate VNF Bundle from Enea
785 Portal to the Lab Machine file system. Please see the
786 Download Chapter for more details.</entry>
787 </row>
788
789 <row>
790 <entry>Downloaded FortiGate configuration examples from
791 the Enea Portal to the Lab Machine file system. Please
792 check the Download Chapter for more details. Unpack the
793 configuration examples on the Lab Machine.</entry>
794 </row>
795
796 <row>
797 <entry>Retrieve FortiGate VNF license from Fortinet and
798 store it on the Lab Machine file system. See FortiGate VNF
799 for details.</entry>
800 </row>
801
802 <row>
803 <entry>Optionally retrieve FortiGate VNF documentation
804 from Fortinet. See FortiGate VNF for details.</entry>
805 </row>
806 </tbody>
807 </entrytbl>
808 </row>
809 </tbody>
810 </tgroup>
811 </table>
812
813 <figure>
814 <title>Lab Setup Overview</title>
815
816 <mediaobject>
817 <imageobject>
818 <imagedata align="center" fileref="images/intel_whitebox.png"
819 scale="35" />
820 </imageobject>
821 </mediaobject>
822 </figure>
823
824 <para><emphasis role="bold">uCPE Networking Setup</emphasis></para>
825
826 <para>Before deploying the FortiGate Firewall, the Enea NFV Access
827 platform has to be configured to the specific networking setup.</para>
828
829 <para>Since the firewall is using three External Network Interfaces,
830 three bridges need to be configured. Each bridge provides the ability to
831 connect a physical network interface to the virtual machines' virtual
832 network interface. Each physical to virtual network interface connection
833 is setup in two steps:</para>
834
835 <itemizedlist>
836 <listitem>
837 <para>Bind the physical network interfaces with a DPDK
838 driver.</para>
839 </listitem>
840
841 <listitem>
842 <para>Create a named bridge for each physical network
843 interface.</para>
844 </listitem>
845 </itemizedlist>
846
847 <note>
848 <para>For more details about interface configuration, please see the
849 Network Configuration section in the chapter on Configuration
850 Options.</para>
851 </note>
852
853 <orderedlist>
854 <listitem>
855 <para>Start the setup by preparing each interface for attachment to
856 a bridge. Bind the physical network interfaces to the DPDK by
857 selecting the target: <literal>Configuration</literal> -&gt;
858 <literal>OpenVSwitch</literal> -&gt; <literal>Host Interfaces
859 </literal>-&gt; <literal>Add</literal>:</para>
860
861 <figure>
862 <title>Binding the physical network interface</title>
863
864 <mediaobject>
865 <imageobject>
866 <imagedata align="center"
867 fileref="images/bind_phys_interface.png" scale="80" />
868 </imageobject>
869 </mediaobject>
870 </figure>
871
872 <para>The result of binding these three physical network interfaces
873 should look like the following:</para>
874
875 <figure>
876 <title>Successful Binding</title>
877
878 <mediaobject>
879 <imageobject>
880 <imagedata align="center"
881 fileref="images/result_of_binding.png" scale="65" />
882 </imageobject>
883 </mediaobject>
884 </figure>
885 </listitem>
886
887 <listitem>
888 <para>Create one OpenVSwitch bridge for each firewall network
889 connection (WAN, LAN1 and LAN2), by selecting the
890 <literal>Add</literal> button from Bridges tab:
891 <literal>Configuration</literal> -&gt;
892 <literal>OpenvSwitch</literal>-&gt; <literal>Bridges</literal>. A
893 popup like the following should appear:</para>
894
895 <figure>
896 <title>Creating a bridge each Firewall Net. Connection</title>
897
898 <mediaobject>
899 <imageobject>
900 <imagedata align="center" fileref="images/bridge_net_conn.png"
901 scale="80" />
902 </imageobject>
903 </mediaobject>
904 </figure>
905 </listitem>
906
907 <listitem>
908 <para>Repeat this step for each type of connection until all are
909 bridges are configured.</para>
910
911 <figure>
912 <title>Configured Bridges per Connection Type</title>
913
914 <mediaobject>
915 <imageobject>
916 <imagedata align="center"
917 fileref="images/configured_bridges.png" scale="65" />
918 </imageobject>
919 </mediaobject>
920 </figure>
921 </listitem>
922 </orderedlist>
923
924 <para><emphasis role="bold">Onboarding the FortiGate
925 VNF</emphasis></para>
926
927 <orderedlist>
928 <listitem>
929 <para>To on-board the Fortigate VNF click the <literal>VNF</literal>
930 tab in the top toolbar: <literal>VNF</literal> -&gt;
931 <literal>Descriptors</literal> -&gt; <literal>On-board
932 </literal>-&gt; <literal>Browse</literal> options, and select the
933 <literal>Fortigate.zip</literal> file, before clicking
934 <literal>Send</literal>:</para>
935
936 <figure>
937 <title>Selecting Descriptors</title>
938
939 <mediaobject>
940 <imageobject>
941 <imagedata align="center"
942 fileref="images/descriptor_button.png" scale="45" />
943 </imageobject>
944 </mediaobject>
945 </figure>
946 </listitem>
947
948 <listitem>
949 <para>Wait for the <literal>Onboarding Status</literal> popup to
950 display the confirmation message (listed in green) and select
951 <literal>OK</literal>:</para>
952
953 <figure>
954 <title>Onboarding the new VNF</title>
955
956 <mediaobject>
957 <imageobject>
958 <imagedata align="center"
959 fileref="images/onboarding_status.png" scale="80" />
960 </imageobject>
961 </mediaobject>
962 </figure>
963 </listitem>
964 </orderedlist>
965
966 <para><emphasis role="bold">Instantiate the FortiGate
967 VNF</emphasis></para>
968
969 <orderedlist>
970 <listitem>
971 <para>Select the target, then from the top toolbar the select:
972 <literal>VNF</literal> -&gt; <literal>Instances</literal> -&gt;
973 <literal>Add</literal>:</para>
974
975 <figure>
976 <title>Adding Instances to Target</title>
977
978 <mediaobject>
979 <imageobject>
980 <imagedata align="center" fileref="images/vnf_instances.png"
981 scale="50" />
982 </imageobject>
983 </mediaobject>
984 </figure>
985
986 <para>Make sure you have downloaded valid license files for the
987 Fortigate VNF from Fortinet, and the configuration file provided by
988 Enea as examples according to previous instructions.</para>
989
990 <figure>
991 <title>Example License and Configuration files</title>
992
993 <mediaobject>
994 <imageobject>
995 <imagedata align="center"
996 fileref="images/fortigate_licenses.png" scale="75" />
997 </imageobject>
998 </mediaobject>
999 </figure>
1000 </listitem>
1001
1002 <listitem>
1003 <para>Fortigate VNF instantiation requires the following
1004 settings:</para>
1005
1006 <table>
1007 <title>Instantiation Requirements</title>
1008
1009 <tgroup cols="2">
1010 <colspec align="center" colwidth="2*" />
1011
1012 <colspec align="center" colwidth="4*" />
1013
1014 <thead>
1015 <row>
1016 <entry align="center">Component</entry>
1017
1018 <entry align="center">Description</entry>
1019 </row>
1020 </thead>
1021
1022 <tbody>
1023 <row>
1024 <entry align="left">Name</entry>
1025
1026 <entry>The name of the VM which will be created on the
1027 target device.</entry>
1028 </row>
1029
1030 <row>
1031 <entry align="left">VNF Type</entry>
1032
1033 <entry>Name of the on-boarded VNF bundle.</entry>
1034 </row>
1035
1036 <row>
1037 <entry align="left">VIM</entry>
1038
1039 <entry>Name and IP address of the device where the VNF has
1040 to be instantiated.</entry>
1041 </row>
1042
1043 <row>
1044 <entry align="left">License file</entry>
1045
1046 <entry>FortiGate license file provided by Fortinet.</entry>
1047 </row>
1048
1049 <row>
1050 <entry align="left">Configuration file</entry>
1051
1052 <entry>Firewall example configuration file provided by Enea
1053 <filename>FGVM080000136187_20180828_0353_basic_fw.conf
1054 </filename></entry>
1055 </row>
1056
1057 <row>
1058 <entry align="left">Port1 - WAN</entry>
1059
1060 <entry>Set as dpdk type and connect it to wanmgrbr
1061 bridge.</entry>
1062 </row>
1063
1064 <row>
1065 <entry align="left">Port2 - LAN1</entry>
1066
1067 <entry>Set as dpdk type and connect it to lan1
1068 bridge.</entry>
1069 </row>
1070
1071 <row>
1072 <entry align="left">Port3 - LAN2</entry>
1073
1074 <entry>Set as dpdk type and connect it to lan2
1075 bridge.</entry>
1076 </row>
1077 </tbody>
1078 </tgroup>
1079 </table>
1080
1081 <para>When the instantiation process is completed, the setup is
1082 ready for testing.</para>
1083 </listitem>
1084 </orderedlist>
1085
1086 <para><emphasis role="bold">Test the FortiGate
1087 Firewall</emphasis></para>
1088
1089 <para>Connect the Test Machine on the LAN interface and access the
1090 internet from the Test Machine to use the firewall on the target
1091 device.</para>
1092
1093 <note>
1094 <para>The connected Test Machine can be a laptop or a target that has
1095 one interface configured to get an dynamic IP from a DHCP server. The
1096 <literal>dhclient &lt;interface&gt;</literal> command can be used to
1097 request an IP address. The received IP must be in the 172.16.1.2 -
1098 172.16.1.255 range.</para>
1099 </note>
1100
1101 <figure>
1102 <title>Testing Overview</title>
1103
1104 <mediaobject>
1105 <imageobject>
1106 <imagedata align="center" fileref="images/testing_fortigate.png"
1107 scale="50" />
1108 </imageobject>
1109 </mediaobject>
1110 </figure>
1111
1112 <para>In the example above, the FortiGate VNF management interface is
1113 accessible through the WAN interface, the WAN IP address can be used
1114 from a web browser on the Lab Machine to access the Fortigate VNF
1115 Management Web UI. Please check the Fortigate VNF web management section
1116 for more information.</para>
1117
1118 <para>In another example, the firewall can be setup to use bridges as
1119 connection points for the Fortigate VNF. It is possible to replace
1120 OVS-DPDK bridges with SR-IOV connection points. <remark>The previous
1121 sentence in the original was very hard to understand, please confirm if
1122 this is what you intended to say</remark> Please check the network
1123 configuration chapter on how to configure an interface for
1124 SR-IOV.</para>
1125
1126 <para>It was previously assumed that three physical interfaces are
1127 available for VNF connection. In the case of a firewall setup it is
1128 possible to use only two physical interfaces for the data path (one for
1129 WAN and one for LAN). In the example below only two interfaces will be
1130 configured as DPDK and two bridges are created, one for each type of
1131 connection.</para>
1132
1133 <para>At VNF instantiation instead of assigning distinct bridges for
1134 each LAN interface, only one will be used for both LAN1 and LAN2, with
1135 no changes in WAN interface configuration. Please see the picture below
1136 for final setup:</para>
1137
1138 <figure>
1139 <title>Two Interface Configuration</title>
1140
1141 <mediaobject>
1142 <imageobject>
1143 <imagedata align="center" fileref="images/two_inst_firewall.png"
1144 scale="45" />
1145 </imageobject>
1146 </mediaobject>
1147 </figure>
1148 </section>
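Review bot: the "FortiGate VNF Example Configuration" table labels all three virtual ports "WAN", but the instantiation table later in this section maps Port2 to LAN1 and Port3 to LAN2, so the Port2 and Port3 rows should be labeled LAN. The DHCP pool in the same table, "172.168.16.1 - 172.168.16.255", disagrees with the Test Machine note, which expects an address in "172.16.1.2 - 172.16.1.255", and a pool that includes the interface's own .1 address and the .255 broadcast address cannot be handed out on a /24; one of the two should be corrected so the reader can tell a working setup from a broken one. The two remark elements (whether "appliances" is the right word; the SR-IOV sentence) are unresolved editorial queries and should be answered and removed before this ships. Since the section also states the management web UI is reachable on the WAN IP address, the "All pass" firewall row deserves a sentence saying the example configuration is a lab baseline and not a policy to deploy as-is. Style: "Instructions ... is provided" should be "are provided", and "until all are bridges are configured" has a duplicated "are".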
1149
1150 <section id="fortigate_webmg">
1151 <title>FortiGate VNF web management</title>
1152
1153 <para>In order to check the IP address assigned to Fortigate VNF you
1154 need to connect to the Fortigate CLI.</para>
1155
1156 <para><emphasis role="bold">Connecting to the Fortigate
1157 CLI</emphasis></para>
1158
1159 <orderedlist>
1160 <listitem>
1161 <para>Connect to the Fortigate VNF by using: <literal>SSH</literal>
1162 -&gt; <literal>user</literal> (root) and attach to the VNF's console
1163 using the <literal>virsh console</literal> command shown
1164 below:</para>
1165
1166 <figure>
1167 <title>Attaching to the VNF Console</title>
1168
1169 <mediaobject>
1170 <imageobject>
1171 <imagedata align="center" fileref="images/virsh_console.png"
1172 scale="80" />
1173 </imageobject>
1174 </mediaobject>
1175 </figure>
1176 </listitem>
1177
1178 <listitem>
1179 <para>To access Fortigate CLI, use the credential
1180 <literal>admin</literal> for the user, leaving the password blank,
1181 then press enter.</para>
1182
1183 <para>Use the CLI command <literal>get system interface</literal> to
1184 get the dynamic interfaces configuration.</para>
1185
1186 <figure>
1187 <title>Acessing and configuring Fortigate CLI</title>
1188
1189 <mediaobject>
1190 <imageobject>
1191 <imagedata align="center"
1192 fileref="images/access_fortigate_cli.png"
1193 scale="58" />
1194 </imageobject>
1195 </mediaobject>
1196 </figure>
1197 </listitem>
1198
1199 <listitem>
1200 <para>Use the IP address assigned for the management interface in
1201 the web browser (<literal>https://&lt;IP&gt;</literal>), to access
1202 the Fortinet VNF web management interface. Use the same credentials
1203 as before to login:</para>
1204
1205 <figure>
1206 <title>Accessing the web management interface</title>
1207
1208 <mediaobject>
1209 <imageobject>
1210 <imagedata align="center"
1211 fileref="images/fortinet_vnf_login.png" scale="50" />
1212 </imageobject>
1213 </mediaobject>
1214 </figure>
1215 </listitem>
1216
1217 <listitem>
1218 <para>You can browse through the configuration and perform changes
1219 according to your setup:</para>
1220
1221 <figure>
1222 <title>The Fortinet Web Interface</title>
1223
1224 <mediaobject>
1225 <imageobject>
1226 <imagedata align="center"
1227 fileref="images/fortinet_interface.png" scale="30" />
1228 </imageobject>
1229 </mediaobject>
1230 </figure>
1231 </listitem>
1232
1233 <listitem>
1234 <para>Optional, alter the default Fortinet example configuration
1235 provided by Enea, through the following steps:</para>
1236
1237 <orderedlist>
1238 <listitem>
1239 <para>Deploy the FortiGate Firewall in its default
1240 settings.</para>
1241 </listitem>
1242
1243 <listitem>
1244 <para>Connect to the FortiGate VNF Web Management with a web
1245 browser.</para>
1246 </listitem>
1247
1248 <listitem>
1249 <para>Modify the FortiGate configuration in the FortiGate VNF
1250 Web Management as needed.</para>
1251 </listitem>
1252
1253 <listitem>
1254 <para>Store the updated configuration in a file, by saving in
1255 the FortiGate VNF Web Management interface, so it may be used at
1256 the next FortiGate VNF instantiation.</para>
1257 </listitem>
1258 </orderedlist>
1259
1260 <note>
1261 <para>Editing the default configuration is only recommended for
1262 FortiGate configuration experts.</para>
1263 </note>
1264 </listitem>
1265 </orderedlist>
1266 </section>
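Review bot: the CLI login step tells the reader to use "admin" with a blank password, and the previous section states the management UI is reachable on the WAN IP address; add a step to set an admin password at first login, and to include it in the configuration saved for the next instantiation, before the management interface is left exposed. The nested procedure at the end reads "Optional, alter the default Fortinet example configuration"; "Optionally, alter" is meant. The figure title "Acessing and configuring Fortigate CLI" is misspelled.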
1267
1268 <section id="fortigate_sdwan_vpn">
1269 <title>FortiGate VNF as an SD-WAN VPN</title>
1270
1271 <para>The software-defined wide-area network (SD-WAN or SDWAN) is a
1272 specific application of software-defined networking (SDN) technology
1273 applied to WAN connections. It connects enterprise networks, including
1274 branch offices and data centers, over large geographic distances.</para>
1275
1276 <para>SD-WAN decouples the network from the management plane, detaching
1277 the traffic management and monitoring functions from hardware. Most
1278 forms of SD-WAN technology create a virtual overlay that is
1279 transport-agnostic, i.e. it abstracts underlying private or public WAN
1280 connections. With an overlay SD-WAN, a vendor provides an edge device to
1281 the customer that contains the software necessary to run the SD-WAN
1282 technology. For deployment, the customer plugs in WAN links into the
1283 device, which automatically configures itself with the network.</para>
1284
1285 <para>The following will detail an SD-WAN setup for a branch to branch
1286 connection using the FortiGate VNF. FortiGate provides native SD-WAN
1287 along with integrated advanced threat protection.</para>
1288
1289 <note>
1290 <para>Example SD-WAN configurations for the FortiGate VNF are provided
1291 in the Enea Portal.</para>
1292 </note>
1293
1294 <table>
1295 <title>FortiGate VNF Example Configuration - SD-WAN Target 1</title>
1296
1297 <tgroup cols="2">
1298 <colspec align="center" />
1299
1300 <thead>
1301 <row>
1302 <entry align="center">Component</entry>
1303
1304 <entry align="center">Description</entry>
1305 </row>
1306 </thead>
1307
1308 <tbody>
1309 <row>
1310 <entry>SD-WAN</entry>
1311
1312 <entry>VPN connection between two branches (Target 1 and Target
1313 2).</entry>
1314 </row>
1315
1316 <row>
1317 <entry>VNFMgr (Virtual Port1)</entry>
1318
1319 <entry>DHCP Client, dynamically assigned IP address.</entry>
1320 </row>
1321
1322 <row>
1323 <entry>WAN (Virtual Port2)</entry>
1324
1325 <entry>IP address: 10.0.0.1</entry>
1326 </row>
1327
1328 <row>
1329 <entry>LAN (Virtual Port3)</entry>
1330
1331 <entrytbl cols="1">
1332 <tbody>
1333 <row>
1334 <entry>IP address: 172.16.1.1</entry>
1335 </row>
1336
1337 <row>
1338 <entry>DHCP server (IP range 172.16.1.2 -
1339 172.16.1.254)</entry>
1340 </row>
1341 </tbody>
1342 </entrytbl>
1343 </row>
1344 </tbody>
1345 </tgroup>
1346 </table>
1347
1348 <table>
1349 <title>FortiGate VNF Example Configuration - SD-WAN Target 2</title>
1350
1351 <tgroup cols="2">
1352 <colspec align="center" />
1353
1354 <thead>
1355 <row>
1356 <entry align="center">Component</entry>
1357
1358 <entry align="center">Description</entry>
1359 </row>
1360 </thead>
1361
1362 <tbody>
1363 <row>
1364 <entry>SD-WAN</entry>
1365
1366 <entry>VPN connection between two branches (Target 2 and Target
1367 1).</entry>
1368 </row>
1369
1370 <row>
1371 <entry>VNFMgr (Virtual Port1)</entry>
1372
1373 <entry>DHCP Client, dynamically assigned IP address.</entry>
1374 </row>
1375
1376 <row>
1377 <entry>WAN (Virtual Port2)</entry>
1378
1379 <entry>IP address: 10.0.0.2</entry>
1380 </row>
1381
1382 <row>
1383 <entry>LAN (Virtual Port3)</entry>
1384
1385 <entrytbl cols="1">
1386 <tbody>
1387 <row>
1388 <entry>IP address: 172.16.2.1</entry>
1389 </row>
1390
1391 <row>
1392 <entry>DHCP server (IP range 172.16.2.2 -
1393 172.16.2.254)</entry>
1394 </row>
1395 </tbody>
1396 </entrytbl>
1397 </row>
1398 </tbody>
1399 </tgroup>
1400 </table>
1401
1402 <para><emphasis role="bold">Lab Setup</emphasis></para>
1403
1404 <para>The following table illustrates the use-case prerequisites of the
1405 setup:</para>
1406
1407 <table>
1408 <title>Lab Setup Prerequisites</title>
1409
1410 <tgroup cols="2">
1411 <colspec align="center" />
1412
1413 <thead>
1414 <row>
1415 <entry align="center">Component</entry>
1416
1417 <entry align="center">Description</entry>
1418 </row>
1419 </thead>
1420
1421 <tbody>
1422 <row>
1423 <entry>Lab Network</entry>
1424
1425 <entrytbl cols="1">
1426 <tbody>
1427 <row>
1428 <entry>DHCP enabled Lab Network.</entry>
1429 </row>
1430
1431 <row>
1432 <entry>Internet Connectivity.</entry>
1433 </row>
1434 </tbody>
1435 </entrytbl>
1436 </row>
1437
1438 <row>
1439 <entry>Two Intel Whitebox target devices</entry>
1440
1441 <entrytbl cols="1">
1442 <tbody>
1443 <row>
1444 <entry>Minimum 4 Physical Network Devices.</entry>
1445 </row>
1446
1447 <row>
1448 <entry>4 GB RAM and 4 cores (C3000 or Xeon D).</entry>
1449 </row>
1450
1451 <row>
1452 <entry>Enea NFV Access Installed.</entry>
1453 </row>
1454
1455 <row>
1456 <entry>VNFMgr Connected to Lab Network for VNF management
1457 access.</entry>
1458 </row>
1459
1460 <row>
1461 <entry>WAN interfaces directly connected through Ethernet
1462 cable.</entry>
1463 </row>
1464
1465 <row>
1466 <entry>LAN Connected to Test Machine.</entry>
1467 </row>
1468
1469 <row>
1470 <entry>ETH0 connected to Lab Network (for Enea uCPE
1471 Manager communications).</entry>
1472 </row>
1473 </tbody>
1474 </entrytbl>
1475 </row>
1476
1477 <row>
1478 <entry>One Lab Machine</entry>
1479
1480 <entrytbl cols="1">
1481 <tbody>
1482 <row>
1483 <entry>Connected to Lab Network.</entry>
1484 </row>
1485
1486 <row>
1487 <entry>Running either Windows or CentOS.</entry>
1488 </row>
1489
1490 <row>
1491 <entry>Enea uCPE Manager installed.</entry>
1492 </row>
1493 </tbody>
1494 </entrytbl>
1495 </row>
1496
1497 <row>
1498 <entry>Two Test Machines</entry>
1499
1500 <entrytbl cols="1">
1501 <tbody>
1502 <row>
1503 <entry>Connected to Whitebox LANs.</entry>
1504 </row>
1505
1506 <row>
1507 <entry>Internet Connectivity via LAN.</entry>
1508 </row>
1509
1510 <row>
1511 <entry>Configured as DHCP client on LAN.</entry>
1512 </row>
1513 </tbody>
1514 </entrytbl>
1515 </row>
1516
1517 <row>
1518 <entry>FortiGate VNF</entry>
1519
1520 <entrytbl cols="1">
1521 <tbody>
1522 <row>
1523 <entry>Downloaded the FortiGate VNF Bundle from Enea
1524 Portal to the Lab Machine file system.</entry>
1525 </row>
1526
1527 <row>
1528 <entry>Downloaded FortiGate configuration examples from
1529 Enea Portal to Lab Machine file system. Unpack the
1530 configuration examples specific for SD-WAN on the Lab
1531 Machine.</entry>
1532 </row>
1533
1534 <row>
1535 <entry>Retrieve the FortiGate VNF license from Fortinet
1536 and store it on the Lab Machine file system.</entry>
1537 </row>
1538
1539 <row>
1540 <entry>Optionally, retrieve FortiGate VNF documentation
1541 from Fortinet.</entry>
1542 </row>
1543 </tbody>
1544 </entrytbl>
1545 </row>
1546 </tbody>
1547 </tgroup>
1548 </table>
1549
1550 <figure>
1551 <title>SD-WAN: VPN Configuration</title>
1552
1553 <mediaobject>
1554 <imageobject>
1555 <imagedata align="center"
1556 fileref="images/sdwan_vpn_overview_1.png" scale="50" />
1557 </imageobject>
1558 </mediaobject>
1559 </figure>
1560
1561 <para><emphasis role="bold">uCPE Networking Setup</emphasis></para>
1562
1563 <para>Before deploying the FortiGate SD-WAN, the Enea NFV Access
1564 platform has to be configured to the specific networking setup.</para>
1565
1566 <para>Since the SD-WAN VNF uses three External Network Interfaces, three
1567 bridges need to be configured. Each bridge provides the ability to
1568 connect a physical network interface to the virtual machine's virtual
1569 network interface. Each physical to virtual network interface connection
1570 is setup in two steps:</para>
1571
1572 <itemizedlist>
1573 <listitem>
1574 <para>Bind the physical network interfaces with a DPDK
1575 driver.</para>
1576 </listitem>
1577
1578 <listitem>
1579 <para>Create a named bridge for each physical network
1580 interface.</para>
1581 </listitem>
1582 </itemizedlist>
1583
1584 <para>Start the setup by preparing each physical interface for
1585 attachment to a bridge. Each VNF instance will have a virtual interface
1586 for VNF management, for the WAN network and for LAN
1587 communication.</para>
1588
1589 <orderedlist>
1590 <listitem>
1591 <para>Bind physical interface to DPDK by selecting the target_1:
1592 <literal>Configuration</literal> -&gt;
1593 <literal>OpenVSwitch</literal> -&gt; <literal>Host
1594 Interfaces</literal> -&gt; <literal>Add</literal>:</para>
1595
1596 <figure>
1597 <title>Binding the Physical Interface</title>
1598
1599 <mediaobject>
1600 <imageobject>
1601 <imagedata align="center"
1602 fileref="images/bind_phys_interface.png" scale="90" />
1603 </imageobject>
1604 </mediaobject>
1605 </figure>
1606
1607 <para>The result of binding these three interfaces should look like
1608 the following:</para>
1609
1610 <figure>
1611 <title>Results of Binding</title>
1612
1613 <mediaobject>
1614 <imageobject>
1615 <imagedata align="center" fileref="images/binding_results.png"
1616 scale="70" />
1617 </imageobject>
1618 </mediaobject>
1619 </figure>
1620 </listitem>
1621
1622 <listitem>
1623 <para>Create one OpenVSwitch bridge for each SD-WAN network
1624 connection (VNF management, WAN and LAN) by selecting the
1625 <literal>Add</literal> button from the Bridges tab by selecting the
1626 target: <literal>Configuration</literal> -&gt;
1627 <literal>OpenvSwitch</literal>-&gt; <literal>Bridges</literal>. A
1628 popup like this should appear:</para>
1629
1630 <figure>
1631 <title>Creating an OpenVSwitch bridge for an SD-WAN network
1632 connection</title>
1633
1634 <mediaobject>
1635 <imageobject>
1636 <imagedata align="center" fileref="images/ovs_bridge_four.png"
1637 scale="70" />
1638 </imageobject>
1639 </mediaobject>
1640 </figure>
1641 </listitem>
1642
1643 <listitem>
1644 <para>Repeat this step for all network connections. Three bridges
1645 will be created:</para>
1646
1647 <figure>
1648 <title>The three newly created Bridges</title>
1649
1650 <mediaobject>
1651 <imageobject>
1652 <imagedata align="center" fileref="images/created_bridges.png"
1653 scale="70" />
1654 </imageobject>
1655 </mediaobject>
1656 </figure>
1657 </listitem>
1658 </orderedlist>
1659
1660 <para>Once the interfaces and bridges are ready, only the on-boarding
1661 and instantiation of the VNF remains to be done.</para>
1662
1663 <para><emphasis role="bold">Onboarding the FortiGate
1664 VNF</emphasis></para>
1665
1666 <orderedlist>
1667 <listitem>
1668 <para>To on-board a VNF, select target on the map and click the
1669 <literal>VNF</literal> button in the top toolbar. Then, click the
1670 <literal>Descriptors</literal> -&gt; <literal>On-board</literal>
1671 -&gt; <literal>Browse</literal> options, and select the
1672 <filename>Fortigate.zip</filename> file, before clicking
1673 <literal>Send</literal>:</para>
1674
1675 <figure>
1676 <title>On-boarding FortiGate VNF</title>
1677
1678 <mediaobject>
1679 <imageobject>
1680 <imagedata align="center" fileref="images/onboard.png"
1681 scale="45" />
1682 </imageobject>
1683 </mediaobject>
1684 </figure>
1685 </listitem>
1686
1687 <listitem>
1688 <para>Wait for the <literal>Onboarding Status</literal> popup to
1689 display the confirmation message and select
1690 <literal>OK</literal>:</para>
1691
1692 <figure>
1693 <title>Successful Confirmation</title>
1694
1695 <mediaobject>
1696 <imageobject>
1697 <imagedata align="center"
1698 fileref="images/onboarded_successfully.png"
1699 scale="42" />
1700 </imageobject>
1701 </mediaobject>
1702 </figure>
1703 </listitem>
1704 </orderedlist>
1705
1706 <para><emphasis role="bold">Instantiating the FortiGate
1707 VNF</emphasis></para>
1708
1709 <para>The following steps describe how to instantiate the Fortigate
1710 VNF.</para>
1711
1712 <orderedlist>
1713 <listitem>
1714 <para>Select the target, then from the top toolbar click on
1715 <literal>VNF</literal>-&gt; <literal>Instances</literal> -&gt;
1716 <literal>Add</literal> options:</para>
1717
1718 <figure>
1719 <title>Adding an Instance</title>
1720
1721 <mediaobject>
1722 <imageobject>
1723 <imagedata align="center" fileref="images/adding_instance.png"
1724 scale="50" />
1725 </imageobject>
1726 </mediaobject>
1727 </figure>
1728
1729 <note>
1730 <para>Download locally the valid license files for the Fortigate
1731 VNF from Fortinet and the configuration file provided by Enea as
1732 examples.</para>
1733 </note>
1734 </listitem>
1735
1736 <listitem>
1737 <para>Use the <literal>sdwan1</literal> example configuration file
1738 for the first target:</para>
1739
1740 <figure>
1741 <title>Configuring target_1</title>
1742
1743 <mediaobject>
1744 <imageobject>
1745 <imagedata align="center"
1746 fileref="images/sdwan1_eg_config.png" scale="70" />
1747 </imageobject>
1748 </mediaobject>
1749 </figure>
1750 </listitem>
1751 </orderedlist>
1752
1753 <para>Fortigate VNF instantiation requires the following
1754 settings:</para>
1755
1756 <table>
1757 <title>Fortigate VNF Instantiation Requirements</title>
1758
1759 <tgroup cols="2">
1760 <colspec align="left" colwidth="2*" />
1761
1762 <colspec align="left" colwidth="4*" />
1763
1764 <thead>
1765 <row>
1766 <entry align="center">Component</entry>
1767
1768 <entry align="center">Description</entry>
1769 </row>
1770 </thead>
1771
1772 <tbody>
1773 <row>
1774 <entry>Name</entry>
1775
1776 <entry>The name of the VM which will be created on target
1777 device.</entry>
1778 </row>
1779
1780 <row>
1781 <entry>VNF Type</entry>
1782
1783 <entry>The name of the on-boarded VNF bundle.</entry>
1784 </row>
1785
1786 <row>
1787 <entry>VIM</entry>
1788
1789 <entry>Name and IP address of the device where the VNF has to be
1790 instantiated.</entry>
1791 </row>
1792
1793 <row>
1794 <entry>License file</entry>
1795
1796 <entry>FortiGate license file provided by Fortinet.</entry>
1797 </row>
1798
1799 <row>
1800 <entry>Configuration file</entry>
1801
1802 <entry>SD-WAN example configuration files provided by Enea: -
1803 FGVM080000136187_20180215_0708_sdwan1.conf -
1804 FGVM080000136188_20180215_0708_sdwan2.conf</entry>
1805 </row>
1806
1807 <row>
1808 <entry>Port1 - VNFMgr</entry>
1809
1810 <entry>Set as dpdk type and connect it to vnfmgrbr
1811 bridge.</entry>
1812 </row>
1813
1814 <row>
1815 <entry>Port2 - WAN</entry>
1816
1817 <entry>Set as dpdk type and connect it to wanbr bridge.</entry>
1818 </row>
1819
1820 <row>
1821 <entry>Port3 - LAN</entry>
1822
1823 <entry>Set as dpdk type and connect it to lanbr bridge.</entry>
1824 </row>
1825 </tbody>
1826 </tgroup>
1827 </table>
1828
1829 <para>To complete the branch-to-branch setup, configure the peer target
1830 in the same way as <literal>target_1</literal>. Make sure to use the
1831 <filename>FGVM080000136188_20180215_0708_sdwan2.conf</filename>
1832 configuration file for the second VNF instantiation.</para>
1833
1834 <para><emphasis role="bold">Testing the FortiGate SD-WAN
1835 VPN</emphasis></para>
1836
1837 <para>Once the full SD-WAN setup is in place a VPN connection needs to
1838 established between the two targets. The Test Machines can be connected
1839 to the LAN interface on each target.</para>
1840
1841 <para>The connected Test Machine can be a laptop or a target that has
1842 one interface configured to get dynamic IP from a DHCP server. The
1843 <command>dhclient &lt;interface&gt;</command> command can be used to
1844 request an IP address.</para>
1845
1846 <note>
1847 <para>The received IP must be in the 172.16.1.2 - 172.16.1.255 range
1848 for Test Machine-1 and in the 172.16.2.2 - 172.16.2.255 range for Test
1849 Machine-2.</para>
1850 </note>
1851
1852 <figure>
1853 <title>Overview: Testing Machines Setup</title>
1854
1855 <mediaobject>
1856 <imageobject>
1857 <imagedata align="center" fileref="images/test_machines.png"
1858 scale="40" />
1859 </imageobject>
1860 </mediaobject>
1861 </figure>
1862
1863 <para>Target 1 should be able to ping Test target 2 in this setup over
1864 the WAN connection.</para>
1865
1866 <para>In the figure above and this example, the FortiGate VNF management
1867 interface is accessible through a dedicated Mgmt interface. The Mgmt IP
1868 address can be used from a web browser on the Lab Machine to access the
1869 Fortigate VNF Management Web UI.</para>
1870
1871 <note>
1872 <para>In this SD-WAN VPN setup example, bridges were used as
1873 connection points for Fortigate VNF. It is possible to replace
1874 OVS-DPDK bridges with SR-IOV connection points.</para>
1875 </note>
1876 </section>
1877 </section>
1878
1879 <section id="inband_management">
1880 <title>In-band Management</title>
1881
1882 <para>In the case of an NFV Access device installed on a network with
1883 limited access, In-band management can be a solution to manage the device
1884 and to pass data traffic (through only one physical interface). This
1885 example use-case will show how to enable the In-band management on the NFV
1886 Access device and to access a VNF on the same physical interface.</para>
1887
1888 <figure>
1889 <title>NFV Access In-band management solution setup</title>
1890
1891 <mediaobject>
1892 <imageobject>
1893 <imagedata align="center" fileref="images/uc_ibm_solution.png"
1894 scale="50" />
1895 </imageobject>
1896 </mediaobject>
1897 </figure>
1898
1899 <para>Setup uses the following network configuration:</para>
1900
1901 <itemizedlist>
1902 <listitem>
1903 <para>1 x Network Interface for WAN and management.</para>
1904 </listitem>
1905
1906 <listitem>
1907 <para>1 x Network Interface for LAN.</para>
1908 </listitem>
1909 </itemizedlist>
1910
1911 <para>For prerequisites and further details, please see <xref
1912 linkend="inband_management" /> and <xref
1913 linkend="vnf_fortigate" />.</para>
1914
1915 <section id="mg_activation">
1916 <title>In-band management activation for FortiGate VNF
1917 Instantiation</title>
1918
1919 <para>In-band management activation is done by creating a special bridge
1920 which manages all traffic from the WAN interface. The active physical
1921 port of the device (used by the device manager to communicate with the
1922 uCPE Manager) will be connected to the In-band management bridge. Once
1923 the In-band management bridge is activated, communication to the uCPE
1924 Manager will be reactivated, passing through the bridge.</para>
1925
1926 <note>
1927 <para>No other physical port for In-band management can be
1928 used.</para>
1929 </note>
1930
1931 <orderedlist>
1932 <listitem>
1933 <para>Create an In-band management WAN Bridge:</para>
1934
1935 <itemizedlist>
1936 <listitem>
1937 <para>Select the <literal>Device</literal> menu.</para>
1938 </listitem>
1939
1940 <listitem>
1941 <para>In the Configuration tab select
1942 <literal>OpenVSwitch.</literal></para>
1943 </listitem>
1944
1945 <listitem>
1946 <para>Select <literal>Bridges</literal> and click
1947 <literal>Add</literal>.</para>
1948 </listitem>
1949
1950 <listitem>
1951 <para>Use <literal>dpdkWAN</literal> as the
1952 <literal>ovs-bridge-type</literal>.</para>
1953 </listitem>
1954 </itemizedlist>
1955
1956 <figure>
1957 <title>Create In-band management WAN bridge</title>
1958
1959 <mediaobject>
1960 <imageobject>
1961 <imagedata align="center" fileref="images/uc_ibm_br.png"
1962 scale="75" />
1963 </imageobject>
1964 </mediaobject>
1965 </figure>
1966 </listitem>
1967
1968 <listitem>
1969 <para>Bind the physical port which will be used for LAN access to
1970 <literal>dpdk</literal>:</para>
1971
1972 <itemizedlist>
1973 <listitem>
1974 <para>Select the <literal>Device</literal> menu.</para>
1975 </listitem>
1976
1977 <listitem>
1978 <para>In the Configuration tab select
1979 <literal>OpenVSwitch</literal>.</para>
1980 </listitem>
1981
1982 <listitem>
1983 <para>Select the <literal>Host Interfaces</literal> menu and
1984 click <literal>Add</literal>.</para>
1985 </listitem>
1986
1987 <listitem>
1988 <para>Use <literal>dpdk</literal> as the
1989 <literal>ovs-bridge-type</literal>.</para>
1990 </listitem>
1991 </itemizedlist>
1992
1993 <figure>
1994 <title>Bind LAN physical port to dpdk</title>
1995
1996 <mediaobject>
1997 <imageobject>
1998 <imagedata align="center"
1999 fileref="images/uc_ibm_dpdk_int_bind.png"
2000 scale="75" />
2001 </imageobject>
2002 </mediaobject>
2003 </figure>
2004 </listitem>
2005
2006 <listitem>
2007 <para>Create a LAN Bridge:</para>
2008
2009 <itemizedlist>
2010 <listitem>
2011 <para>Select the <literal>Device.</literal></para>
2012 </listitem>
2013
2014 <listitem>
2015 <para>In the Configuration menu select
2016 <literal>OpenVSwitch.</literal></para>
2017 </listitem>
2018
2019 <listitem>
2020 <para>Open the <literal>Bridges</literal> menu and click
2021 <literal>Add.</literal></para>
2022 </listitem>
2023 </itemizedlist>
2024
2025 <figure>
2026 <title>Create LAN bridge</title>
2027
2028 <mediaobject>
2029 <imageobject>
2030 <imagedata align="center" fileref="images/uc_ibm_lanbr.png"
2031 scale="75" />
2032 </imageobject>
2033 </mediaobject>
2034 </figure>
2035
2036 <para>At this step the following bridges should exist:</para>
2037
2038 <figure>
2039 <title>Bridges</title>
2040
2041 <mediaobject>
2042 <imageobject>
2043 <imagedata align="center" fileref="images/uc_ibm_br2.png"
2044 scale="65" />
2045 </imageobject>
2046 </mediaobject>
2047 </figure>
2048
2049 <note>
2050 <para>The WAN port of the very first VNF instantiated on the
2051 device must be connected to the <literal>ibm-wan-br
2052 bridge</literal>. All other VNFs must be connected in chain with
2053 the first VNF.</para>
2054 </note>
2055 </listitem>
2056
2057 <listitem>
2058 <para>Onboard the first VNF and instantiate it on the device:</para>
2059
2060 <itemizedlist>
2061 <listitem>
2062 <para>Select the <literal>Device.</literal></para>
2063 </listitem>
2064
2065 <listitem>
2066 <para>Select the <literal>VNF</literal> menu.</para>
2067 </listitem>
2068
2069 <listitem>
2070 <para>In the <literal>Descriptors</literal> menu, choose the
2071 <literal>VNF Package</literal> option.</para>
2072 </listitem>
2073
2074 <listitem>
2075 <para>Browse and select the Fortigate bundle you require, before
2076 pressing the <literal>Send</literal> button.</para>
2077 </listitem>
2078 </itemizedlist>
2079
2080 <figure>
2081 <title>Onboard Fortigate VNF</title>
2082
2083 <mediaobject>
2084 <imageobject>
2085 <imagedata align="center"
2086 fileref="images/uc_ibm_fortigate_onboard.png"
2087 scale="50" />
2088 </imageobject>
2089 </mediaobject>
2090 </figure>
2091 </listitem>
2092
2093 <listitem>
2094 <para>Add the VNF instance:</para>
2095
2096 <itemizedlist>
2097 <listitem>
2098 <para>Select the <literal>Device.</literal></para>
2099 </listitem>
2100
2101 <listitem>
2102 <para>Select the <literal>VNF</literal> menu.</para>
2103 </listitem>
2104
2105 <listitem>
2106 <para>Choose the <literal>Instances</literal> option, select the
2107 VNF configuration you desire and press
2108 <literal>Add.</literal></para>
2109 </listitem>
2110
2111 <listitem>
2112 <para>Browse and select the Fortigate bundle you require, before
2113 pressing the <literal>Send</literal> button.</para>
2114 </listitem>
2115 </itemizedlist>
2116
2117 <figure>
2118 <title>Instantiate Fortigate VNF</title>
2119
2120 <mediaobject>
2121 <imageobject>
2122 <imagedata align="center"
2123 fileref="images/uc_ibm_fg_instantiation.png"
2124 scale="65" />
2125 </imageobject>
2126 </mediaobject>
2127 </figure>
2128 </listitem>
2129 </orderedlist>
2130
2131 <para>Once the VNF is instantiated, the setup is complete and ready for
2132 testing. Connect the test machine to the LAN port. It will receive an IP
2133 address from the Fortigate VNF and be able to access the
2134 internet.</para>
2135 </section>
2136
2137 <section id="test_fortvnf_inband">
2138 <title>Testing the Fortigate VNF In-band management activation</title>
2139
2140 <figure>
2141 <title>Test setup</title>
2142
2143 <mediaobject>
2144 <imageobject>
2145 <imagedata align="center"
2146 fileref="images/uc_ibm_solution_test.png" scale="50" />
2147 </imageobject>
2148 </mediaobject>
2149 </figure>
2150
2151 <para>At this stage, three types of traffic are passing through the WAN
2152 port on the same IP address:</para>
2153
2154 <itemizedlist>
2155 <listitem>
2156 <para>Device management traffic from uCPE Manager.</para>
2157 </listitem>
2158
2159 <listitem>
2160 <para>Fortigate management interface traffic from a web
2161 browser.</para>
2162 </listitem>
2163
2164 <listitem>
2165 <para>Data traffic from the LAN to the internet.</para>
2166 </listitem>
2167 </itemizedlist>
2168
2169 <para>Having access from the uCPE Manager to the device as shown above,
2170 demonstrates that device management traffic passes through the in-band
2171 management WAN bridge successfully.</para>
2172
2173 <para>To access the management interface of the VNF, connect from a web
2174 browser to the public IP address of the device e.g.
2175 <literal>https://&lt;IP&gt;</literal>. From a Test machine connected on
2176 LAN port, try a test ping to the internet e.g. "ping 8.8.8.8".</para>
2177 </section>
2178 </section>
2179
2180 <section id="vnf_chaining">
2181 <title>VNF Chaining Example</title>
2182
2183 <section id="VNF_chain_intro">
2184 <title>Introduction</title>
2185
2186 <para>The purpose of this chapter is to describe an example of how to
2187 setup and configure a branch-to-branch service comprised on two
2188 commercial VNFs (SD-WAN + Firewall), running in a service chain on top
2189 of Enea NFV Access virtualization platform and deployed through Enea
2190 uCPE Manager. In the example setup the following commercial VNFs are
2191 used: Juniper vSRX as SD-WAN VNF and Fortigate as
2192 Router/Firewall.</para>
2193
2194 <para>The setup requires two physical appliances (uCPEs), each of them
2195 having three DPDK-compatible NICs and one interface available for uCPE
2196 management (i.e. connected to Enea uCPE Manager). On each uCPE, one of
2197 the DPDK-compatible interfaces shall be connected back-to-back with one
2198 interface from the other uCPE device - this link is simulating
2199 WAN/uplink connection.</para>
2200
2201 <para>Optionally, one additional device (PC/laptop) can be connected on
2202 the LAN port of each branch for running LAN-to-LAN connectivity
2203 tests.</para>
2204
2205 <figure>
2206 <title>Example Setup</title>
2207
2208 <mediaobject>
2209 <imageobject>
2210 <imagedata align="center" fileref="images/example_setup.png"
2211 scale="90" />
2212 </imageobject>
2213 </mediaobject>
2214 </figure>
2215
2216 <note><para>For simplicity, image does not present management-plane, which will be
2217 described in the Setup steps.</para></note>
2218 </section>
2219
2220 <section id="crateing_setup">
2221 <title>Creating the setup</title>
2222
2223 <para>Both branches in the example have similar setups, therefore
2224 necessary step details are presented on only one branch. The second
2225 branch shall be configured in the same way, by changing corresponding
2226 VNFs configurations files.</para>
2227
2228 <orderedlist>
2229 <listitem>
2230 <para>Assign three physical interfaces to DPDK (for management, wan
2231 and lan). In the example, one of them gets IP through DHCP and it
2232 will be used exclusively for management plane.</para>
2233 </listitem>
2234
2235 <listitem>
2236 <para>Create the following OVS-DPDK bridges:</para>
2237
2238 <itemizedlist>
2239 <listitem>
2240 <para>vnf_mgmt_br : used by VNFs management ports.</para>
2241 </listitem>
2242
2243 <listitem>
2244 <para>wan_br : used by service uplink connection. In our case,
2245 Juniper vSRX will have its WAN virtual interface in this
2246 bridge.</para>
2247 </listitem>
2248
2249 <listitem>
2250 <para>sfc_br : used for creating the service chain. Each VNF
2251 will have a virtual interface in this bridge.</para>
2252 </listitem>
2253
2254 <listitem>
2255 <para>lan_br : used for LAN interface of the Fortigate
2256 FW.</para>
2257 </listitem>
2258 </itemizedlist>
2259 </listitem>
2260
2261 <listitem>
2262 <para>Add corresponding DPDK ports (see Step 1) to the management,
2263 wan and lan bridges (sfc_br does not have a physical port attached
2264 to it).</para>
2265
2266 <note>
2267 <para>This networking setup (Steps 1-3) can be modeled using
2268 Offline Configuration entry, so it is automatically provisioned on
2269 the uCPE, once it gets enrolled into the management system (uCPE
2270 Manager).</para>
2271 </note>
2272 </listitem>
2273
2274 <listitem>
2275 <para>Onboard Juniper vSRX using Onboarding Wizard:</para>
2276
2277 <itemizedlist>
2278 <listitem>
2279 <para>Flavor shall have at least 2 vCPUs and 4 GB RAM since vSRX
2280 is quite resource consuming. (We actually tested with 4 vCPUs/ 6
2281 GB RAM).</para>
2282 </listitem>
2283
2284 <listitem>
2285 <para>Add three virtual interfaces: management, wan and
2286 lan.</para>
2287 </listitem>
2288
2289 <listitem>
2290 <para>Select ISO/cdrom on the Cloud-Init tab.</para>
2291 </listitem>
2292 </itemizedlist>
2293 </listitem>
2294
2295 <listitem>
2296 <para>Onboard Fortigate FW using Onboarding Wizard:</para>
2297
2298 <itemizedlist>
2299 <listitem>
2300 <para>Flavor can be quite light in resources, e.g. 1 vCPU and 2
2301 GB RAM.</para>
2302 </listitem>
2303
2304 <listitem>
2305 <para>Add three virtual interfaces: management, wan and
2306 lan.</para>
2307 </listitem>
2308
2309 <listitem>
2310 <para>Select ConfigDrive/cdrom on the Cloud-Init tab.</para>
2311 </listitem>
2312
2313 <listitem>
2314 <para>Add <literal>license</literal> as Cloud-Init content on the Cloud-Init tab
2315 files.</para>
2316 </listitem>
2317 </itemizedlist>
2318
2319 <note>
2320 <para>Steps 4-5 shall be done only once, i.e. they will not be
2321 repeated for Site 2.</para>
2322 </note>
2323 </listitem>
2324
2325 <listitem>
2326 <para>Create vSRX instance:</para>
2327
2328 <itemizedlist>
2329 <listitem>
2330 <para>Use vSRX-Site1.iso as Cloud Init file.</para>
2331 </listitem>
2332
2333 <listitem>
2334 <para>Domain Update Script can be left empty for Atom C3000
2335 architecture, while for XeonD please use
2336 vSRX-domain-update-script file.</para>
2337 </listitem>
2338
2339 <listitem>
2340 <para>Add virtual interfaces:</para>
2341
2342 <itemizedlist>
2343 <listitem>
2344 <para>Management interface added to vnf_mgmt_br.</para>
2345 </listitem>
2346 </itemizedlist>
2347
2348 <itemizedlist>
2349 <listitem>
2350 <para>Wan interface added to wan_br.</para>
2351 </listitem>
2352 </itemizedlist>
2353
2354 <itemizedlist>
2355 <listitem>
2356 <para>Lan interface added to sfc_br.</para>
2357 </listitem>
2358 </itemizedlist>
2359 </listitem>
2360 </itemizedlist>
2361
2362 <note>
2363 <para>login/password for vSRX VNF are root/vsrx1234.</para>
2364 </note>
2365 </listitem>
2366
2367 <listitem>
2368 <para>Create Fortigate FW instance</para>
2369
2370 <itemizedlist>
2371 <listitem>
2372 <para>Use FortiFW-Site1.conf as Cloud Init file.</para>
2373 </listitem>
2374
2375 <listitem>
2376 <para>Add .lic file (not part of the folder) as license
2377 file.</para>
2378 </listitem>
2379
2380 <listitem>
2381 <para>Add virtual interfaces:</para>
2382
2383 <itemizedlist>
2384 <listitem>
2385 <para>Management interface added to vnf_mgmt_br.</para>
2386 </listitem>
2387 </itemizedlist>
2388
2389 <itemizedlist>
2390 <listitem>
2391 <para>Wan interface added to sfc_br.</para>
2392 </listitem>
2393 </itemizedlist>
2394
2395 <itemizedlist>
2396 <listitem>
2397 <para>Lan interface added to lan_br.</para>
2398 </listitem>
2399 </itemizedlist>
2400 </listitem>
2401 </itemizedlist>
2402
2403 <note>
2404 <para>login/password for Juniper VNF are admin/&lt;empty
2405 password&gt;.</para>
2406 </note>
2407 </listitem>
2408 </orderedlist>
2409
2410 <para>At this stage service shall be up and running on Site1. Repeat
2411 necessary steps of Site2, by changing configuration files. After service
2412 is deployed on both branches, VPN tunnel is established and we can
2413 verify LAN to LAN visibility by connecting one device on each uCPE LAN
2414 port (see below).</para>
2415 </section>
2416
2417 <section id="test_setup">
2418 <title>Testing the setup</title>
2419
2420 <para>Before testing LAN to LAN connectivity, one can run preliminary
2421 tests of service to ensure everything was set-up properly. For instance,
2422 by connecting to vSRX CLI (any site), one can test IKE security
2423 associations:</para>
2424
2425 <programlisting>root@Atom-C3000&gt; show security ike security-associations
2426Index State Initiator cookie Responder cookie Mode Remote Address
24271588673 UP 2f2047b144ebfce4 0000000000000000 Aggressive 10.1.1.2
2428...
2429root@Atom-C3000&gt; show security ike security-associations index 1588673 detail
2430...</programlisting>
2431
2432 <para>Also, from vSRX CLI, one can check that VPN tunnel was established
2433 and get statistics of the packets passing the tunnel:</para>
2434
2435 <programlisting>root@Atom-C3000&gt; show security ipsec security-associations
2436...
2437root@Atom-C3000&gt; show security ipsec statistics index &lt;xxxxx&gt;
2438...</programlisting>
2439
2440 <para>From Fortigate Firewall CLI on Site 1, one can check connectivity
2441 to remote Fortigate FW (from Site 2):</para>
2442
2443 <programlisting>FGVM080000136187 # execute ping 192.168.168.2
2444PING 192.168.168.2 (192.168.168.2): 56 data bytes
244564 bytes from 192.168.168.2: icmp_seq=0 ttl=255 time=0.0 ms
244664 bytes from 192.168.168.2: icmp_seq=1 ttl=255 time=0.0 ms
244764 bytes from 192.168.168.2: icmp_seq=2 ttl=255 time=0.0 ms
2448...</programlisting>
2449
2450 <para>As VNFs management ports were configured to get IPs through DHCP,
2451 one can use Web-based management UI to check and modify the
2452 configurations of both vSRX and Fortigate.</para>
2453
2454 <para>For example, in case of vSRX, from VNF CLI you can list the
2455 virtual interfaces as below:</para>
2456
2457 <programlisting>root@Atom-C3000&gt; show interfaces terse
2458...
2459fxp0.0 up up inet 172.24.15.92/22
2460gre up up
2461ipip up up
2462...
2463</programlisting>
2464
2465 <para>When using provided configurations, VNF management port of Juniper
2466 vSRX is always "fxp0.0".</para>
2467
2468 <para>In case of Fortigate, from VNF CLI you can list the virtual
2469 interfaces like :</para>
2470
2471 <programlisting>FGVM080000136187 # get system interface
2472== [ port1 ]
2473name: port1 mode: dhcp ip: 172.24.15.94 255.255.252.0 status: up netbios-forward:
2474disable type: physical netflow-sampler: disable sflow-sampler: disable...
2475...</programlisting>
2476
2477 <para>When using provided configurations, VNF management port of
2478 Fortigate is always "port1".</para>
2479
2480 <note>
2481 <para>Please note that VNFs' management ports will get dynamically
2482 allocated IPs only if physical NIC used for management is configured
2483 to get its IP through DHCP (see Step 1 from above).</para>
2484 </note>
2485
2486 <para>If everything is working, we can check LAN-to-LAN connectivity
2487 (through VPN tunnel) by using two devices (PC/laptop) connected to the
2488 LAN ports of each uCPE. Optionally, these devices can be simulated by
2489 using Enea's sample VNF running on both uCPEs and connected to the
2490 lan_br on each side. However, instructions for onboarding and
2491 instantiating this VNF is not in the scope of this document.</para>
2492
2493 <para>Since Fortigate VNF, which is acting as router and firewall, is
2494 configured to be DHCP server for LAN network, device interface connected
2495 to uCPE LAN port has to be configured to get dinamically assigned IP.
2496 These IPs are in 172.0.0.0/24 network for Site1 and 172.10.10.0/24
2497 network for Site2. Therefore, site-to-site connectivity can be checked
2498 like (from Site1):</para>
2499
2500 <programlisting>root@atom-c3000:~# ping 172.10.10.2
2501PING 172.10.10.1 (172.10.10.2): 56 data bytes
2502...
2503</programlisting>
2504 </section>
2505
2506 <section id="limitation">
2507 <title>Out-of-Scope/Limitations</title>
2508 <para>Below is a list of known limitations:</para>
2509 <itemizedlist>
2510 <listitem>
2511 <para>vSRX VNF has no trust-to-untrust and untrust-to-trust policies
2512 (only trust-to-vpn and vpn-to-trust were configured). Therefore,
2513 uCPEs were not configured for "direct Internet access"
2514 use-case.</para>
2515 </listitem>
2516
2517 <listitem>
2518 <para>Fortigate VNF has no "real" firewall policies set, i.e. all
2519 traffic from LAN is allowed to pass through WAN interface and
2520 vice-versa.</para>
2521 </listitem>
2522 </itemizedlist>
2523 </section>
2524 </section>
2525</chapter>
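Review bot: two security-relevant passages in this removed text need correcting as they move into the new vnf_chaining.xml and inband_management.xml rather than being copied over as-is. In the VNF chaining steps the credential notes are swapped: the note under "Create vSRX instance" reads "login/password for vSRX VNF are root/vsrx1234" and the note under "Create Fortigate FW instance" reads "login/password for Juniper VNF are admin/<empty password>", although vSRX is the Juniper VNF, so the second note should name FortiGate; both are factory defaults on VNFs whose management ports get DHCP addresses, so add a sentence telling the reader to change them at first login. In the in-band management test the reader is told to reach the FortiGate management UI by browsing to "the public IP address of the device e.g. https://<IP>"; since device management, FortiGate management and LAN data traffic all share that WAN IP (as the three-item list above it states), the text should tell the reader to restrict the VNF management UI to trusted source addresses rather than leave it open on the uplink. Smaller items to fix in the move: the ping transcript echoes `PING 172.10.10.1 (172.10.10.2)` for `ping 172.10.10.2`, "dinamically", the section id `crateing_setup`, and the ids `inband_management` and `vnf_fortigate` are xref targets in this text and must be kept stable in the new files.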
diff --git a/doc/book-enea-nfv-access-example-usecases/doc/inband_management.xml b/doc/book-enea-nfv-access-example-usecases/doc/inband_management.xml
new file mode 100644
index 0000000..f28fc4e
--- /dev/null
+++ b/doc/book-enea-nfv-access-example-usecases/doc/inband_management.xml
@@ -0,0 +1,296 @@
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<chapter id="inband_management">
3 <title>In-band Management Example Use-case</title>
4
5 <para>In the case of an NFV Access device installed on a network with
6 limited access, In-band management can be a solution to manage the device
7 and to pass data traffic (through only one physical interface). This example
8 use-case will show how to enable the In-band management on the NFV Access
9 device and to access a VNF on the same physical interface.</para>
10
11 <figure>
12 <title>NFV Access In-band management solution setup</title>
13
14 <mediaobject>
15 <imageobject>
16 <imagedata align="center" fileref="images/uc_ibm_solution.png"
17 scale="50" />
18 </imageobject>
19 </mediaobject>
20 </figure>
21
22 <para>Setup uses the following network configuration:</para>
23
24 <itemizedlist>
25 <listitem>
26 <para>1 x Network Interface for WAN and management.</para>
27 </listitem>
28
29 <listitem>
30 <para>1 x Network Interface for LAN.</para>
31 </listitem>
32 </itemizedlist>
33
34 <para>For prerequisites and further details, please see <xref
35 linkend="inband_management" /> and <xref linkend="vnf_fortigate" />.</para>
36
37 <section id="mg_activation">
38 <title>In-band management activation for FortiGate VNF
39 Instantiation</title>
40
41 <para>In-band management activation is done by creating a special bridge
42 which manages all traffic from the WAN interface. The active physical port
43 of the device (used by the device manager to communicate with the uCPE
44 Manager) will be connected to the In-band management bridge. Once the
45 In-band management bridge is activated, communication to the uCPE Manager
46 will be reactivated, passing through the bridge.</para>
47
48 <note>
49 <para>No other physical port for In-band management can be used.</para>
50 </note>
51
52 <orderedlist>
53 <listitem>
54 <para>Create an In-band management WAN Bridge:</para>
55
56 <itemizedlist>
57 <listitem>
58 <para>Select the <literal>Device</literal> menu.</para>
59 </listitem>
60
61 <listitem>
62 <para>In the Configuration tab select
63 <literal>OpenVSwitch.</literal></para>
64 </listitem>
65
66 <listitem>
67 <para>Select <literal>Bridges</literal> and click
68 <literal>Add</literal>.</para>
69 </listitem>
70
71 <listitem>
72 <para>Use <literal>dpdkWAN</literal> as the
73 <literal>ovs-bridge-type</literal>.</para>
74 </listitem>
75 </itemizedlist>
76
77 <figure>
78 <title>Create In-band management WAN bridge</title>
79
80 <mediaobject>
81 <imageobject>
82 <imagedata align="center" fileref="images/uc_ibm_br.png"
83 scale="75" />
84 </imageobject>
85 </mediaobject>
86 </figure>
87 </listitem>
88
89 <listitem>
90 <para>Bind the physical port which will be used for LAN access to
91 <literal>dpdk</literal>:</para>
92
93 <itemizedlist>
94 <listitem>
95 <para>Select the <literal>Device</literal> menu.</para>
96 </listitem>
97
98 <listitem>
99 <para>In the Configuration tab select
100 <literal>OpenVSwitch</literal>.</para>
101 </listitem>
102
103 <listitem>
104 <para>Select the <literal>Host Interfaces</literal> menu and click
105 <literal>Add</literal>.</para>
106 </listitem>
107
108 <listitem>
109 <para>Use <literal>dpdk</literal> as the
110 <literal>ovs-bridge-type</literal>.</para>
111 </listitem>
112 </itemizedlist>
113
114 <figure>
115 <title>Bind LAN physical port to dpdk</title>
116
117 <mediaobject>
118 <imageobject>
119 <imagedata align="center"
120 fileref="images/uc_ibm_dpdk_int_bind.png" scale="75" />
121 </imageobject>
122 </mediaobject>
123 </figure>
124 </listitem>
125
126 <listitem>
127 <para>Create a LAN Bridge:</para>
128
129 <itemizedlist>
130 <listitem>
131 <para>Select the <literal>Device.</literal></para>
132 </listitem>
133
134 <listitem>
135 <para>In the Configuration menu select
136 <literal>OpenVSwitch.</literal></para>
137 </listitem>
138
139 <listitem>
140 <para>Open the <literal>Bridges</literal> menu and click
141 <literal>Add.</literal></para>
142 </listitem>
143 </itemizedlist>
144
145 <figure>
146 <title>Create LAN bridge</title>
147
148 <mediaobject>
149 <imageobject>
150 <imagedata align="center" fileref="images/uc_ibm_lanbr.png"
151 scale="75" />
152 </imageobject>
153 </mediaobject>
154 </figure>
155
156 <para>At this step the following bridges should exist:</para>
157
158 <figure>
159 <title>Bridges</title>
160
161 <mediaobject>
162 <imageobject>
163 <imagedata align="center" fileref="images/uc_ibm_br2.png"
164 scale="65" />
165 </imageobject>
166 </mediaobject>
167 </figure>
168
169 <note>
170 <para>The WAN port of the very first VNF instantiated on the device
171 must be connected to the <literal>ibm-wan-br bridge</literal>. All
172 other VNFs must be connected in chain with the first VNF.</para>
173 </note>
174 </listitem>
175
176 <listitem>
177 <para>Onboard the first VNF and instantiate it on the device:</para>
178
179 <itemizedlist>
180 <listitem>
181 <para>Select the <literal>Device.</literal></para>
182 </listitem>
183
184 <listitem>
185 <para>Select the <literal>VNF</literal> menu.</para>
186 </listitem>
187
188 <listitem>
189 <para>In the <literal>Descriptors</literal> menu, choose the
190 <literal>VNF Package</literal> option.</para>
191 </listitem>
192
193 <listitem>
194 <para>Browse and select the Fortigate bundle you require, before
195 pressing the <literal>Send</literal> button.</para>
196 </listitem>
197 </itemizedlist>
198
199 <figure>
200 <title>Onboard Fortigate VNF</title>
201
202 <mediaobject>
203 <imageobject>
204 <imagedata align="center"
205 fileref="images/uc_ibm_fortigate_onboard.png"
206 scale="50" />
207 </imageobject>
208 </mediaobject>
209 </figure>
210 </listitem>
211
212 <listitem>
213 <para>Add the VNF instance:</para>
214
215 <itemizedlist>
216 <listitem>
217 <para>Select the <literal>Device.</literal></para>
218 </listitem>
219
220 <listitem>
221 <para>Select the <literal>VNF</literal> menu.</para>
222 </listitem>
223
224 <listitem>
225 <para>Choose the <literal>Instances</literal> option, select the
226 VNF configuration you desire and press
227 <literal>Add.</literal></para>
228 </listitem>
229
230 <listitem>
231 <para>Browse and select the Fortigate bundle you require, before
232 pressing the <literal>Send</literal> button.</para>
233 </listitem>
234 </itemizedlist>
235
236 <figure>
237 <title>Instantiate Fortigate VNF</title>
238
239 <mediaobject>
240 <imageobject>
241 <imagedata align="center"
242 fileref="images/uc_ibm_fg_instantiation.png"
243 scale="65" />
244 </imageobject>
245 </mediaobject>
246 </figure>
247 </listitem>
248 </orderedlist>
249
250 <para>Once the VNF is instantiated, the setup is complete and ready for
251 testing. Connect the test machine to the LAN port. It will receive an IP
252 address from the Fortigate VNF and be able to access the internet.</para>
253 </section>
254
255 <section id="test_fortvnf_inband">
256 <title>Testing the Fortigate VNF In-band management activation</title>
257
258 <figure>
259 <title>Test setup</title>
260
261 <mediaobject>
262 <imageobject>
263 <imagedata align="center" fileref="images/uc_ibm_solution_test.png"
264 scale="50" />
265 </imageobject>
266 </mediaobject>
267 </figure>
268
269 <para>At this stage, three types of traffic are passing through the WAN
270 port on the same IP address:</para>
271
272 <itemizedlist>
273 <listitem>
274 <para>Device management traffic from uCPE Manager.</para>
275 </listitem>
276
277 <listitem>
278 <para>Fortigate management interface traffic from a web
279 browser.</para>
280 </listitem>
281
282 <listitem>
283 <para>Data traffic from the LAN to the internet.</para>
284 </listitem>
285 </itemizedlist>
286
287 <para>Having access from the uCPE Manager to the device as shown above,
288 demonstrates that device management traffic passes through the in-band
289 management WAN bridge successfully.</para>
290
291 <para>To access the management interface of the VNF, connect from a web
292 browser to the public IP address of the device e.g.
293 <literal>https://&lt;IP&gt;</literal>. From a Test machine connected on
294 LAN port, try a test ping to the internet e.g. "ping 8.8.8.8".</para>
295 </section>
296</chapter> \ No newline at end of file
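Review bot: In the "Add the VNF instance" step, the final item "Browse and select the Fortigate bundle you require, before pressing the Send button" is a copy of the last item of the preceding onboarding step and conflicts with the item directly above it, which already has the user pick the VNF configuration and press Add; confirm whether a bundle is selected at instantiation at all, and drop or reword the item. The note under the "Bridges" figure puts the word inside the literal, `<literal>ibm-wan-br bridge</literal>`; it should be `<literal>ibm-wan-br</literal> bridge`. The test section has the FortiGate management UI reached at `https://<IP>` on the device's public WAN address, next to uCPE Manager device management on the same address; a sentence stating that the VNF's administrative interface is therefore exposed on the internet-facing side, with a pointer to how administrative access on that interface is restricted, belongs here. The file is also missing a trailing newline.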
diff --git a/doc/book-enea-nfv-access-example-usecases/doc/vnf_chaining.xml b/doc/book-enea-nfv-access-example-usecases/doc/vnf_chaining.xml
new file mode 100644
index 0000000..70d7add
--- /dev/null
+++ b/doc/book-enea-nfv-access-example-usecases/doc/vnf_chaining.xml
@@ -0,0 +1,361 @@
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<chapter id="vnf_chaining">
3 <title>VNF Chaining Example Use-case</title>
4
5 <section id="VNF_chain_intro">
6 <title>Introduction</title>
7
8 <para>The following decribes an example of how to setup and configure a
9 branch-to-branch service comprised on two commercial VNFs (SD-WAN +
10 Firewall). This service will run in a service chain on top of the Enea NFV
11 Access virtualization platform, deployed through the Enea uCPE Manager. In
12 the example setup the following commercial VNFs are used: Juniper vSRX as
13 the SD-WAN VNF and Fortigate as the Router/Firewall.</para>
14
15 <para>The setup requires two physical appliances (uCPEs), each of them
16 having three DPDK-compatible NICs and one interface available for uCPE
17 management (i.e. connected to Enea uCPE Manager). On each uCPE, one of the
18 DPDK-compatible interfaces is connected back-to-back with one interface
19 from the other uCPE device. This link simulates a WAN/uplink
20 connection.</para>
21
22 <para>Optionally, one additional device (PC/laptop) can be connected on
23 the LAN port of each branch to run LAN-to-LAN connectivity tests.</para>
24
25 <figure>
26 <title>Example Setup</title>
27
28 <mediaobject>
29 <imageobject>
30 <imagedata align="center" fileref="images/example_setup.png"
31 scale="90" />
32 </imageobject>
33 </mediaobject>
34 </figure>
35
36 <note>
37 <para>For simplicity, the image above does not present the
38 management-plane, which will be described in the Setup steps.</para>
39 </note>
40 </section>
41
42 <section id="crateing_setup">
43 <title>Creating the setup</title>
44
45 <para>Both branches in the example have similar setups, therefore
46 necessary step details are presented for only one branch. The second
47 branch shall be configured in the same way, adapting as needed the
48 corresponding VNFs configuration files.</para>
49
50 <orderedlist>
51 <listitem>
52 <para>Assign three physical interfaces to the DPDK (one for
53 management, one WAN and one for LAN). In the example, one of these
54 interfaces gets an IP through DHCP and it will be used exclusively for
55 the management plane.</para>
56 </listitem>
57
58 <listitem>
59 <para>Create the following OVS-DPDK bridges:</para>
60
61 <itemizedlist>
62 <listitem>
63 <para><literal>vnf_mgmt_br</literal>. Used by VNF management
64 ports.</para>
65 </listitem>
66
67 <listitem>
68 <para><literal>wan_br</literal>. Used by the service uplink connection. In our case,
69 Juniper vSRX will have its WAN virtual interface in this
70 bridge.</para>
71 </listitem>
72
73 <listitem>
74 <para><literal>sfc_br</literal>. Used for creating the service
75 chain. Each VNF will have a virtual interface in this
76 bridge.</para>
77 </listitem>
78
79 <listitem>
80 <para><literal>lan_br</literal>. Used for the LAN interface of the
81 Fortigate FW.</para>
82 </listitem>
83 </itemizedlist>
84 </listitem>
85
86 <listitem>
87 <para>Add corresponding DPDK ports (see Step 1) to the management, WAN
88 and LAN bridges (<literal>sfc_br</literal> does not have a physical
89 port attached to it).</para>
90
91 <note>
92 <para>The networking setup (Steps 1-3) can be modeled using the
93 Offline Configuration entry, so that it is automatically provisioned
94 on the uCPE, once it gets enrolled into the management system (uCPE
95 Manager).</para>
96 </note>
97 </listitem>
98
99 <listitem>
100 <para>Onboard Juniper vSRX using the VNF Onboarding Wizard:</para>
101
102 <itemizedlist>
103 <listitem>
104 <para>The Flavor selected must have at least 2 vCPUs and 4 GB RAM
105 since vSRX is quite resource consuming. </para>
106
107 <para>Tested-inhouse with 4 vCPUs/ 6 GB RAM.</para>
108 </listitem>
109
110 <listitem>
111 <para>Add three virtual interfaces: management, WAN and
112 LAN.</para>
113 </listitem>
114
115 <listitem>
116 <para>Select <literal>ISO</literal> on the Cloud-Init tab.</para>
117 </listitem>
118 </itemizedlist>
119 </listitem>
120
121 <listitem>
122 <para>Onboard Fortigate FW using the VNF Onboarding Wizard:</para>
123
124 <itemizedlist>
125 <listitem>
126 <para>The Flavor selected can be quite light in resources, e.g. 1
127 vCPU and 2 GB RAM.</para>
128 </listitem>
129
130 <listitem>
131 <para>Add three virtual interfaces: management, WAN and
132 LAN.</para>
133 </listitem>
134
135 <listitem>
136 <para>Select <literal>ConfigDrive</literal> on the Cloud-Init
137 tab.</para>
138 </listitem>
139
140 <listitem>
141 <para>Add <literal>license</literal> as the Cloud-Init content in
142 the Cloud-Init tab files.</para>
143 </listitem>
144 </itemizedlist>
145
146 <note>
147 <para>Steps 4-5 are done only once, i.e. they will not be repeated
148 for Site 2.</para>
149 </note>
150 </listitem>
151
152 <listitem>
153 <para>Create the vSRX instance:</para>
154
155 <itemizedlist>
156 <listitem>
157 <para>Use <filename>vSRX-Site1.iso</filename> as the Cloud-Init
158 file.</para>
159 </listitem>
160
161 <listitem>
162 <para>The <literal>Domain Update Script</literal> field can be
163 left empty for the Atom C3000 architecture, while for XeonD the
164 <filename>vSRX-domain-update-script</filename> file will be
165 used.</para>
166 </listitem>
167
168 <listitem>
169 <para>Add virtual interfaces:</para>
170
171 <itemizedlist>
172 <listitem>
173 <para>Management interface added to
174 <literal>vnf_mgmt_br</literal>.</para>
175 </listitem>
176 </itemizedlist>
177
178 <itemizedlist>
179 <listitem>
180 <para>WAN interface added to <literal>wan_br</literal>.</para>
181 </listitem>
182 </itemizedlist>
183
184 <itemizedlist>
185 <listitem>
186 <para>LAN interface added to <literal>sfc_br</literal>.</para>
187 </listitem>
188 </itemizedlist>
189 </listitem>
190 </itemizedlist>
191
192 <note>
193 <para>The login/password values for the vSRX VNF are
194 <literal>root/vsrx1234</literal>, respectively.</para>
195 </note>
196 </listitem>
197
198 <listitem>
199 <para>Create the Fortigate FW instance:</para>
200
201 <itemizedlist>
202 <listitem>
203 <para>Use <filename>FortiFW-Site1.conf</filename> as Cloud-Init
204 file.</para>
205 </listitem>
206
207 <listitem>
208 <para>Add <filename>.lic</filename> (not part of the folder) as
209 the license file.</para>
210 </listitem>
211
212 <listitem>
213 <para>Add virtual interfaces:</para>
214
215 <itemizedlist>
216 <listitem>
217 <para>Management interface added to
218 <literal>vnf_mgmt_br</literal>.</para>
219 </listitem>
220 </itemizedlist>
221
222 <itemizedlist>
223 <listitem>
224 <para>WAN interface added to <literal>sfc_br</literal>.</para>
225 </listitem>
226 </itemizedlist>
227
228 <itemizedlist>
229 <listitem>
230 <para>LAN interface added to <literal>lan_br</literal>.</para>
231 </listitem>
232 </itemizedlist>
233 </listitem>
234 </itemizedlist>
235
236 <note>
237 <para>the login/password values for the Juniper VNF are
238 <literal>admin/&lt;empty password&gt;</literal>,
239 respectively.</para>
240 </note>
241 </listitem>
242 </orderedlist>
243
244 <para>At this point the service will be up and running on Site1. Repeat
245 the necessary steps for Site2, by changing the configuration files
246 accordingly. After the service is deployed on both branches, the VPN
247 tunnel is established and LAN to LAN visibility can be verified by
248 connecting one device on each uCPE LAN port. See <link
249 linkend="test_setup">Testing the setup</link> for details on how to proceed.</para>
250 </section>
251
252 <section id="test_setup">
253 <title>Testing the setup</title>
254
255 <para>Before testing LAN to LAN connectivity, preliminary tests of service
256 can be run to ensure everything was set up properly.</para>
257
258 <para>For instance, by connecting to the vSRX CLI (any site), the user can
259 test IKE security associations:</para>
260
261 <programlisting>root@Atom-C3000&gt; show security ike security-associations
262Index State Initiator cookie Responder cookie Mode Remote Address
2631588673 UP 2f2047b144ebfce4 0000000000000000 Aggressive 10.1.1.2
264...
265root@Atom-C3000&gt; show security ike security-associations index 1588673 detail
266...</programlisting>
267
268 <para>Also, from the vSRX CLI, a user can check that the VPN tunnel was
269 established and get statistics of the packets passing the tunnel:</para>
270
271 <programlisting>root@Atom-C3000&gt; show security ipsec security-associations
272...
273root@Atom-C3000&gt; show security ipsec statistics index &lt;xxxxx&gt;
274...</programlisting>
275
276 <para>From the Fortigate Firewall CLI on Site 1, one can check
277 connectivity to the remote Fortigate FW (from Site 2):</para>
278
279 <programlisting>FGVM080000136187 # execute ping 192.168.168.2
280PING 192.168.168.2 (192.168.168.2): 56 data bytes
28164 bytes from 192.168.168.2: icmp_seq=0 ttl=255 time=0.0 ms
28264 bytes from 192.168.168.2: icmp_seq=1 ttl=255 time=0.0 ms
28364 bytes from 192.168.168.2: icmp_seq=2 ttl=255 time=0.0 ms
284...</programlisting>
285
286 <para>Since VNF management ports were configured to get IPs through DHCP,
287 the user can use a Web-based management UI to check and modify the
288 configuration settings of both vSRX and Fortigate.</para>
289
290 <para>For example, in the case of vSRX, from the VNF CLI you can list the
291 virtual interfaces as below:</para>
292
293 <programlisting>root@Atom-C3000&gt; show interfaces terse
294...
295fxp0.0 up up inet 172.24.15.92/22
296gre up up
297ipip up up
298...</programlisting>
299
300 <para>When using provided configurations, the VNF management port for
301 Juniper vSRX is always <literal>fxp0.0</literal>.</para>
302
303 <para>In the case of Fortigate, from the VNF CLI you can list the virtual
304 interfaces as such:</para>
305
306 <programlisting>FGVM080000136187 # get system interface
307== [ port1 ]
308name: port1 mode: dhcp ip: 172.24.15.94 255.255.252.0 status: up netbios-forward:
309disable type: physical netflow-sampler: disable sflow-sampler: disable...
310...</programlisting>
311
312 <para>When using provided configurations, the VNF management port for
313 Fortigate is always <literal>port1</literal>.</para>
314
315 <note>
316 <para>Please note that VNF management ports will get dynamically
317 allocated IPs only if the physical NIC used for management is configured
318 to get its IP through DHCP (see Step 1 from above).</para>
319 </note>
320
321 <para>If functionality is as intended, LAN-to-LAN connectivity can be
322 checked (through the VPN tunnel) by using two devices (PC/laptop)
323 connected to the LAN ports of each uCPE. Optionally, these devices can be
324 simulated by using Enea's sample VNF running on both uCPEs and connected
325 to the <literal>lan_br</literal> on each side. Please note that
326 instructions for onboarding and instantiating this VNF is not in the scope
327 of this document.</para>
328
329 <para>Since Fortigate VNF, which is acting as router and firewall, is
330 configured to be the DHCP server for the LAN network, the device interface
331 connected to the uCPE LAN port has to be configured to get dinamically
332 assigned IPs. These IPs are in the 172.0.0.0/24 network for Site1 and the
333 172.10.10.0/24 network for Site2. Therefore, site-to-site connectivity can
334 be checked (from Site1) as such:</para>
335
336 <programlisting>root@atom-c3000:~# ping 172.10.10.2
337PING 172.10.10.1 (172.10.10.2): 56 data bytes
338...</programlisting>
339 </section>
340
341 <section id="limitations">
342 <title>Limitations</title>
343
344 <para>Below is a list of known limitations:</para>
345
346 <itemizedlist>
347 <listitem>
348 <para>The vSRX VNF has no trust-to-untrust and untrust-to-trust
349 policies (only trust-to-vpn and vpn-to-trust were configured).
350 Therefore, uCPEs were not configured for a "direct Internet access"
351 use-case.</para>
352 </listitem>
353
354 <listitem>
355 <para>The Fortigate VNF has no "real" firewall policies set, i.e. all
356 traffic from LAN is allowed to pass through the WAN interface and
357 vice-versa.</para>
358 </listitem>
359 </itemizedlist>
360 </section>
361</chapter> \ No newline at end of file
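Review bot: The two credential notes are mislabelled: the note under "Create the vSRX instance" gives `root/vsrx1234`, while the note under "Create the Fortigate FW instance" says "the login/password values for the Juniper VNF are admin/<empty password>", which are the FortiGate defaults (the FortiGate chapter logs into the Fortigate CLI as `admin` with a blank password); the second note should say Fortigate VNF, with a capital "The". Both notes publish default credentials, so they should also say that these must be changed after deployment, all the more since the VNF management ports get DHCP addresses and expose a web management UI. Other points: the section id `crateing_setup` is a typo for `creating_setup`; "decribes", "comprised on two" (of), "Tested-inhouse" and "dinamically" need fixing; the "Add virtual interfaces" sub-lists in the vSRX and Fortigate instance steps are each written as three one-item `<itemizedlist>` blocks and should be one list of three items; the final ping example runs `ping 172.10.10.2` but the output line reads `PING 172.10.10.1 (172.10.10.2)`, which cannot be real output; and the stated LAN subnets 172.0.0.0/24 and 172.10.10.0/24 are not RFC 1918 private ranges (only 172.16.0.0/12 is), so confirm they are the intended addresses rather than typos for 172.16.x.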
diff --git a/doc/book-enea-nfv-access-example-usecases/doc/vnf_fortigate.xml b/doc/book-enea-nfv-access-example-usecases/doc/vnf_fortigate.xml
new file mode 100644
index 0000000..2bd0dc3
--- /dev/null
+++ b/doc/book-enea-nfv-access-example-usecases/doc/vnf_fortigate.xml
@@ -0,0 +1,1309 @@
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<chapter id="vnf_fortigate">
3 <title>FortiGate VNF Example Use-cases</title>
4
5 <para>FortiGate virtual appliances feature all of the security and
6 networking services common to traditional hardware-based FortiGate
7 appliances. The virtual appliances can be integrated in Firewall or SD-WAN
8 solution development.</para>
9
10 <para>Enea provides a prepared VNF bundle for download from the Enea Portal,
11 for usage with the Enea NFV Access product. The prepared VNF bundle includes
12 the FortiGate VNF image as well as a VNF Descriptor and other onboarding
13 related configuration files. The VNF Descriptor provided configures a setup,
14 which requires the following resources:</para>
15
16 <itemizedlist>
17 <listitem>
18 <para>3 x Network Interfaces</para>
19 </listitem>
20
21 <listitem>
22 <para>1 x vCPU</para>
23 </listitem>
24
25 <listitem>
26 <para>1 GB of RAM memory</para>
27 </listitem>
28 </itemizedlist>
29
30 <para>The VNF Descriptor represents one specific setup, suitable for usage
31 with the Firewall and SD-WAN VPN instructions in this guide. Alternative VNF
32 Descriptor configurations may be needed to support other configurations
33 required by the customer.</para>
34
35 <para>Enea can provide assistance to provide alternative VNF Descriptor
36 configurations.</para>
37
38 <note>
39 <para>While the prepared FortiGate bundle is provided from Enea Portal,
40 additional content needs to be received from Fortinet directly. The
41 FortiGate VNF license as well as any FortiGate specific documentation
42 shall be requested from the local Fortinet sales representatives in your
43 region, before FortiGate can be used.</para>
44 </note>
45
46 <section id="fortigate_firewall">
47 <title>FortiGate VNF as a Firewall</title>
48
49 <para>FortiGate Next Generation Firewall utilizes purpose-built security
50 processors and threat intelligence security services to deliver top-rated
51 protection and high performance, including encrypted traffic. FortiGate
52 reduces complexity with automated visibility into applications, users and
53 networks, and provides security ratings to adopt security best
54 practices.</para>
55
56 <para>An example firewall configuration for the FortiGate VNF is provided
57 in the Enea Portal. It is a simple firewall base configuration.</para>
58
59 <table>
60 <title>FortiGate VNF Example Configuration</title>
61
62 <tgroup cols="2">
63 <colspec align="center" />
64
65 <thead>
66 <row>
67 <entry align="center">Component</entry>
68
69 <entry align="center">Setting/Description</entry>
70 </row>
71 </thead>
72
73 <tbody>
74 <row>
75 <entry>Firewall</entry>
76
77 <entry>"All pass" mode</entry>
78 </row>
79
80 <row>
81 <entry>WAN (Virtual Port1)</entry>
82
83 <entry><para>DHCP Client, dynamically assigned IP
84 address.</para>FortiGate In-Band
85 Management<superscript>1</superscript></entry>
86 </row>
87
88 <row>
89 <entry>WAN (Virtual Port2)</entry>
90
91 <entry><para>IP address: 172.168.16.1</para>DHCP server (IP range
92 172.168.16.1 - 172.168.16.255).</entry>
93 </row>
94
95 <row>
96 <entry>WAN (Virtual Port3)</entry>
97
98 <entry>Ignored</entry>
99 </row>
100 </tbody>
101 </tgroup>
102 </table>
103
104 <para><superscript>1</superscript>FortiGate In-Band Management is a
105 feature for running FortiGate Management traffic over WAN.</para>
106
107 <para>Instructions on how to alter the default configuration is provided
108 in the Fortigate VNF management chapter.</para>
109
110 <para><emphasis role="bold">Lab Setup</emphasis></para>
111
112 <para>Before starting the configuration of the FortiGate Firewall, a lab
113 setup of hardware and software configurations has to be built. The
114 following table illustrates the required lab setup:</para>
115
116 <table>
117 <title>Lab Setup Prerequisites</title>
118
119 <tgroup cols="2">
120 <colspec align="center" />
121
122 <thead>
123 <row>
124 <entry align="center">Component</entry>
125
126 <entry align="center">Description/Requirements</entry>
127 </row>
128 </thead>
129
130 <tbody>
131 <row>
132 <entry>Lab Network</entry>
133
134 <entrytbl cols="1">
135 <tbody>
136 <row>
137 <entry>DHCP enabled Lab Network</entry>
138 </row>
139
140 <row>
141 <entry>Internet Connectivity</entry>
142 </row>
143 </tbody>
144 </entrytbl>
145 </row>
146
147 <row>
148 <entry>Setup of an Intel Whitebox target device</entry>
149
150 <entrytbl cols="1">
151 <tbody>
152 <row>
153 <entry>Minimum 4 Physical Network Devices</entry>
154 </row>
155
156 <row>
157 <entry>4 GB RAM and 4 cores (C3000 or Xeon D)</entry>
158 </row>
159
160 <row>
161 <entry>Enea NFV Access Installed</entry>
162 </row>
163
164 <row>
165 <entry>WAN Connected to Lab Network</entry>
166 </row>
167
168 <row>
169 <entry>LAN1 Connected to Test Machine</entry>
170 </row>
171
172 <row>
173 <entry>LAN2 Unconnected</entry>
174 </row>
175
176 <row>
177 <entry>ETH0 connected to Lab Network (for Enea uCPE Manager
178 communications)</entry>
179 </row>
180 </tbody>
181 </entrytbl>
182 </row>
183
184 <row>
185 <entry>Setup of a Lab Machine</entry>
186
187 <entrytbl cols="1">
188 <tbody>
189 <row>
190 <entry>Connected to Lab Network</entry>
191 </row>
192
193 <row>
194 <entry>Running either Windows or CentOS</entry>
195 </row>
196
197 <row>
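Review bot: A leftover editorial `<remark>` ("The previous sentence in the original was very hard to understand, please confirm ...") is still in the "Test the FortiGate Firewall" text after the SR-IOV sentence and must be resolved and removed before the chapter ships. The LAN addressing is also inconsistent: the example configuration table gives Port2 the address 172.168.16.1 with a DHCP range of 172.168.16.1 - 172.168.16.255, which includes the interface's own address and the broadcast address of a /24 and is not an RFC 1918 private range, while the test note expects the Test Machine to receive an address in 172.16.1.2 - 172.16.1.255; one of the two is wrong, and the table should state the actual subnet and a pool that excludes the gateway address. In the same table all three rows are labelled "WAN (Virtual PortN)" although Port2 and Port3 are the LAN1/LAN2 ports in the instantiation table. Minor: "Instructions on how to alter the default configuration is provided" (are), "Acessing" in the figure title, and the step "Connect to the Fortigate VNF by using: SSH -> user (root)" should say it is an SSH session to the uCPE host, not to the VNF, since `virsh console` runs on the host.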
198 <entry>Enea uCPE Manager installed</entry>
199 </row>
200 </tbody>
201 </entrytbl>
202 </row>
203
204 <row>
205 <entry>Setup of a Test Machine</entry>
206
207 <entrytbl cols="1">
208 <tbody>
209 <row>
210 <entry>Connected to Whitebox LAN</entry>
211 </row>
212
213 <row>
214 <entry>Internet Connectivity via LAN</entry>
215 </row>
216
217 <row>
218 <entry>Configured as DHCP client on LAN</entry>
219 </row>
220 </tbody>
221 </entrytbl>
222 </row>
223
224 <row>
225 <entry>FortiGate VNF</entry>
226
227 <entrytbl cols="1">
228 <tbody>
229 <row>
230 <entry>Downloaded the FortiGate VNF Bundle from Enea Portal
231 to the Lab Machine file system. Please see the Download
232 Chapter for more details.</entry>
233 </row>
234
235 <row>
236 <entry>Downloaded FortiGate configuration examples from the
237 Enea Portal to the Lab Machine file system. Please check the
238 Download Chapter for more details. Unpack the configuration
239 examples on the Lab Machine.</entry>
240 </row>
241
242 <row>
243 <entry>Retrieve FortiGate VNF license from Fortinet and
244 store it on the Lab Machine file system. See FortiGate VNF
245 for details.</entry>
246 </row>
247
248 <row>
249 <entry>Optionally retrieve FortiGate VNF documentation from
250 Fortinet. See FortiGate VNF for details.</entry>
251 </row>
252 </tbody>
253 </entrytbl>
254 </row>
255 </tbody>
256 </tgroup>
257 </table>
258
259 <figure>
260 <title>Lab Setup Overview</title>
261
262 <mediaobject>
263 <imageobject>
264 <imagedata align="center" fileref="images/intel_whitebox.png"
265 scale="35" />
266 </imageobject>
267 </mediaobject>
268 </figure>
269
270 <para><emphasis role="bold">uCPE Networking Setup</emphasis></para>
271
272 <para>Before deploying the FortiGate Firewall, the Enea NFV Access
273 platform has to be configured to the specific networking setup.</para>
274
275 <para>Since the firewall is using three External Network Interfaces, three
276 bridges need to be configured. Each bridge provides the ability to connect
277 a physical network interface to the virtual machines' virtual network
278 interface. Each physical to virtual network interface connection is setup
279 in two steps:</para>
280
281 <itemizedlist>
282 <listitem>
283 <para>Bind the physical network interfaces with a DPDK driver.</para>
284 </listitem>
285
286 <listitem>
287 <para>Create a named bridge for each physical network
288 interface.</para>
289 </listitem>
290 </itemizedlist>
291
292 <note>
293 <para>For more details about interface configuration, please see the
294 Network Configuration section in the chapter on Configuration
295 Options.</para>
296 </note>
297
298 <orderedlist>
299 <listitem>
300 <para>Start the setup by preparing each interface for attachment to a
301 bridge. Bind the physical network interfaces to the DPDK by selecting
302 the target: <literal>Configuration</literal> -&gt;
303 <literal>OpenVSwitch</literal> -&gt; <literal>Host Interfaces
304 </literal>-&gt; <literal>Add</literal>:</para>
305
306 <figure>
307 <title>Binding the physical network interface</title>
308
309 <mediaobject>
310 <imageobject>
311 <imagedata align="center"
312 fileref="images/bind_phys_interface.png" scale="80" />
313 </imageobject>
314 </mediaobject>
315 </figure>
316
317 <para>The result of binding these three physical network interfaces
318 should look like the following:</para>
319
320 <figure>
321 <title>Successful Binding</title>
322
323 <mediaobject>
324 <imageobject>
325 <imagedata align="center" fileref="images/result_of_binding.png"
326 scale="65" />
327 </imageobject>
328 </mediaobject>
329 </figure>
330 </listitem>
331
332 <listitem>
333 <para>Create one OpenVSwitch bridge for each firewall network
334 connection (WAN, LAN1 and LAN2), by selecting the
335 <literal>Add</literal> button from Bridges tab:
336 <literal>Configuration</literal> -&gt;
337 <literal>OpenvSwitch</literal>-&gt; <literal>Bridges</literal>. A
338 popup like the following should appear:</para>
339
340 <figure>
341 <title>Creating a bridge each Firewall Net. Connection</title>
342
343 <mediaobject>
344 <imageobject>
345 <imagedata align="center" fileref="images/bridge_net_conn.png"
346 scale="80" />
347 </imageobject>
348 </mediaobject>
349 </figure>
350 </listitem>
351
352 <listitem>
353 <para>Repeat this step for each type of connection until all are
354 bridges are configured.</para>
355
356 <figure>
357 <title>Configured Bridges per Connection Type</title>
358
359 <mediaobject>
360 <imageobject>
361 <imagedata align="center"
362 fileref="images/configured_bridges.png" scale="65" />
363 </imageobject>
364 </mediaobject>
365 </figure>
366 </listitem>
367 </orderedlist>
368
369 <para><emphasis role="bold">Onboarding the FortiGate VNF</emphasis></para>
370
371 <orderedlist>
372 <listitem>
373 <para>To on-board the Fortigate VNF click the <literal>VNF</literal>
374 tab in the top toolbar: <literal>VNF</literal> -&gt;
375 <literal>Descriptors</literal> -&gt; <literal>On-board </literal>-&gt;
376 <literal>Browse</literal> options, and select the
377 <literal>Fortigate.zip</literal> file, before clicking
378 <literal>Send</literal>:</para>
379
380 <figure>
381 <title>Selecting Descriptors</title>
382
383 <mediaobject>
384 <imageobject>
385 <imagedata align="center" fileref="images/descriptor_button.png"
386 scale="45" />
387 </imageobject>
388 </mediaobject>
389 </figure>
390 </listitem>
391
392 <listitem>
393 <para>Wait for the <literal>Onboarding Status</literal> popup to
394 display the confirmation message (listed in green) and select
395 <literal>OK</literal>:</para>
396
397 <figure>
398 <title>Onboarding the new VNF</title>
399
400 <mediaobject>
401 <imageobject>
402 <imagedata align="center" fileref="images/onboarding_status.png"
403 scale="80" />
404 </imageobject>
405 </mediaobject>
406 </figure>
407 </listitem>
408 </orderedlist>
409
410 <para><emphasis role="bold">Instantiate the FortiGate
411 VNF</emphasis></para>
412
413 <orderedlist>
414 <listitem>
415 <para>Select the target, then from the top toolbar the select:
416 <literal>VNF</literal> -&gt; <literal>Instances</literal> -&gt;
417 <literal>Add</literal>:</para>
418
419 <figure>
420 <title>Adding Instances to Target</title>
421
422 <mediaobject>
423 <imageobject>
424 <imagedata align="center" fileref="images/vnf_instances.png"
425 scale="50" />
426 </imageobject>
427 </mediaobject>
428 </figure>
429
430 <para>Make sure you have downloaded valid license files for the
431 Fortigate VNF from Fortinet, and the configuration file provided by
432 Enea as examples according to previous instructions.</para>
433
434 <figure>
435 <title>Example License and Configuration files</title>
436
437 <mediaobject>
438 <imageobject>
439 <imagedata align="center"
440 fileref="images/fortigate_licenses.png" scale="75" />
441 </imageobject>
442 </mediaobject>
443 </figure>
444 </listitem>
445
446 <listitem>
447 <para>Fortigate VNF instantiation requires the following
448 settings:</para>
449
450 <table>
451 <title>Instantiation Requirements</title>
452
453 <tgroup cols="2">
454 <colspec align="center" colwidth="2*" />
455
456 <colspec align="center" colwidth="4*" />
457
458 <thead>
459 <row>
460 <entry align="center">Component</entry>
461
462 <entry align="center">Description</entry>
463 </row>
464 </thead>
465
466 <tbody>
467 <row>
468 <entry align="left">Name</entry>
469
470 <entry>The name of the VM which will be created on the target
471 device.</entry>
472 </row>
473
474 <row>
475 <entry align="left">VNF Type</entry>
476
477 <entry>Name of the on-boarded VNF bundle.</entry>
478 </row>
479
480 <row>
481 <entry align="left">VIM</entry>
482
483 <entry>Name and IP address of the device where the VNF has to
484 be instantiated.</entry>
485 </row>
486
487 <row>
488 <entry align="left">License file</entry>
489
490 <entry>FortiGate license file provided by Fortinet.</entry>
491 </row>
492
493 <row>
494 <entry align="left">Configuration file</entry>
495
496 <entry>Firewall example configuration file provided by Enea
497 <filename>FGVM080000136187_20180828_0353_basic_fw.conf
498 </filename></entry>
499 </row>
500
501 <row>
502 <entry align="left">Port1 - WAN</entry>
503
504 <entry>Set as dpdk type and connect it to wanmgrbr
505 bridge.</entry>
506 </row>
507
508 <row>
509 <entry align="left">Port2 - LAN1</entry>
510
511 <entry>Set as dpdk type and connect it to lan1 bridge.</entry>
512 </row>
513
514 <row>
515 <entry align="left">Port3 - LAN2</entry>
516
517 <entry>Set as dpdk type and connect it to lan2 bridge.</entry>
518 </row>
519 </tbody>
520 </tgroup>
521 </table>
522
523 <para>When the instantiation process is completed, the setup is ready
524 for testing.</para>
525 </listitem>
526 </orderedlist>
527
528 <para><emphasis role="bold">Test the FortiGate Firewall</emphasis></para>
529
530 <para>Connect the Test Machine on the LAN interface and access the
531 internet from the Test Machine to use the firewall on the target
532 device.</para>
533
534 <note>
535 <para>The connected Test Machine can be a laptop or a target that has
536 one interface configured to get an dynamic IP from a DHCP server. The
537 <literal>dhclient &lt;interface&gt;</literal> command can be used to
538 request an IP address. The received IP must be in the 172.16.1.2 -
539 172.16.1.255 range.</para>
540 </note>
541
542 <figure>
543 <title>Testing Overview</title>
544
545 <mediaobject>
546 <imageobject>
547 <imagedata align="center" fileref="images/testing_fortigate.png"
548 scale="50" />
549 </imageobject>
550 </mediaobject>
551 </figure>
552
553 <para>In the example above, the FortiGate VNF management interface is
554 accessible through the WAN interface, the WAN IP address can be used from
555 a web browser on the Lab Machine to access the Fortigate VNF Management
556 Web UI. Please check the Fortigate VNF web management section for more
557 information.</para>
558
559 <para>In another example, the firewall can be setup to use bridges as
560 connection points for the Fortigate VNF. It is possible to replace
561 OVS-DPDK bridges with SR-IOV connection points. <remark>The previous
562 sentence in the original was very hard to understand, please confirm if
563 this is what you intended to say</remark> Please check the network
564 configuration chapter on how to configure an interface for SR-IOV.</para>
565
566 <para>It was previously assumed that three physical interfaces are
567 available for VNF connection. In the case of a firewall setup it is
568 possible to use only two physical interfaces for the data path (one for
569 WAN and one for LAN). In the example below only two interfaces will be
570 configured as DPDK and two bridges are created, one for each type of
571 connection.</para>
572
573 <para>At VNF instantiation instead of assigning distinct bridges for each
574 LAN interface, only one will be used for both LAN1 and LAN2, with no
575 changes in WAN interface configuration. Please see the picture below for
576 final setup:</para>
577
578 <figure>
579 <title>Two Interface Configuration</title>
580
581 <mediaobject>
582 <imageobject>
583 <imagedata align="center" fileref="images/two_inst_firewall.png"
584 scale="45" />
585 </imageobject>
586 </mediaobject>
587 </figure>
588 </section>
589
590 <section id="fortigate_webmg">
591 <title>FortiGate VNF web management</title>
592
593 <para>In order to check the IP address assigned to Fortigate VNF you need
594 to connect to the Fortigate CLI.</para>
595
596 <para><emphasis role="bold">Connecting to the Fortigate
597 CLI</emphasis></para>
598
599 <orderedlist>
600 <listitem>
601 <para>Connect to the Fortigate VNF by using: <literal>SSH</literal>
602 -&gt; <literal>user</literal> (root) and attach to the VNF's console
603 using the <literal>virsh console</literal> command shown below:</para>
604
605 <figure>
606 <title>Attaching to the VNF Console</title>
607
608 <mediaobject>
609 <imageobject>
610 <imagedata align="center" fileref="images/virsh_console.png"
611 scale="80" />
612 </imageobject>
613 </mediaobject>
614 </figure>
615 </listitem>
616
617 <listitem>
618 <para>To access Fortigate CLI, use the credential
619 <literal>admin</literal> for the user, leaving the password blank,
620 then press enter.</para>
621
622 <para>Use the CLI command <literal>get system interface</literal> to
623 get the dynamic interfaces configuration.</para>
624
625 <figure>
626 <title>Acessing and configuring Fortigate CLI</title>
627
628 <mediaobject>
629 <imageobject>
630 <imagedata align="center"
631 fileref="images/access_fortigate_cli.png" scale="58" />
632 </imageobject>
633 </mediaobject>
634 </figure>
635 </listitem>
636
637 <listitem>
638 <para>Use the IP address assigned for the management interface in the
639 web browser (<literal>https://&lt;IP&gt;</literal>), to access the
640 Fortinet VNF web management interface. Use the same credentials as
641 before to login:</para>
642
643 <figure>
644 <title>Accessing the web management interface</title>
645
646 <mediaobject>
647 <imageobject>
648 <imagedata align="center"
649 fileref="images/fortinet_vnf_login.png" scale="50" />
650 </imageobject>
651 </mediaobject>
652 </figure>
653 </listitem>
654
655 <listitem>
656 <para>You can browse through the configuration and perform changes
657 according to your setup:</para>
658
659 <figure>
660 <title>The Fortinet Web Interface</title>
661
662 <mediaobject>
663 <imageobject>
664 <imagedata align="center"
665 fileref="images/fortinet_interface.png" scale="30" />
666 </imageobject>
667 </mediaobject>
668 </figure>
669 </listitem>
670
671 <listitem>
672 <para>Optional, alter the default Fortinet example configuration
673 provided by Enea, through the following steps:</para>
674
675 <orderedlist>
676 <listitem>
677 <para>Deploy the FortiGate Firewall in its default
678 settings.</para>
679 </listitem>
680
681 <listitem>
682 <para>Connect to the FortiGate VNF Web Management with a web
683 browser.</para>
684 </listitem>
685
686 <listitem>
687 <para>Modify the FortiGate configuration in the FortiGate VNF Web
688 Management as needed.</para>
689 </listitem>
690
691 <listitem>
692 <para>Store the updated configuration in a file, by saving in the
693 FortiGate VNF Web Management interface, so it may be used at the
694 next FortiGate VNF instantiation.</para>
695 </listitem>
696 </orderedlist>
697
698 <note>
699 <para>Editing the default configuration is only recommended for
700 FortiGate configuration experts.</para>
701 </note>
702 </listitem>
703 </orderedlist>
704 </section>
705
706 <section id="fortigate_sdwan_vpn">
707 <title>FortiGate VNF as an SD-WAN VPN</title>
708
709 <para>The software-defined wide-area network (SD-WAN or SDWAN) is a
710 specific application of software-defined networking (SDN) technology
711 applied to WAN connections. It connects enterprise networks, including
712 branch offices and data centers, over large geographic distances.</para>
713
714 <para>SD-WAN decouples the network from the management plane, detaching
715 the traffic management and monitoring functions from hardware. Most forms
716 of SD-WAN technology create a virtual overlay that is transport-agnostic,
717 i.e. it abstracts underlying private or public WAN connections. With an
718 overlay SD-WAN, a vendor provides an edge device to the customer that
719 contains the software necessary to run the SD-WAN technology. For
720 deployment, the customer plugs in WAN links into the device, which
721 automatically configures itself with the network.</para>
722
723 <para>The following will detail an SD-WAN setup for a branch to branch
724 connection using the FortiGate VNF. FortiGate provides native SD-WAN along
725 with integrated advanced threat protection.</para>
726
727 <note>
728 <para>Example SD-WAN configurations for the FortiGate VNF are provided
729 in the Enea Portal.</para>
730 </note>
731
732 <table>
733 <title>FortiGate VNF Example Configuration - SD-WAN Target 1</title>
734
735 <tgroup cols="2">
736 <colspec align="center" />
737
738 <thead>
739 <row>
740 <entry align="center">Component</entry>
741
742 <entry align="center">Description</entry>
743 </row>
744 </thead>
745
746 <tbody>
747 <row>
748 <entry>SD-WAN</entry>
749
750 <entry>VPN connection between two branches (Target 1 and Target
751 2).</entry>
752 </row>
753
754 <row>
755 <entry>VNFMgr (Virtual Port1)</entry>
756
757 <entry>DHCP Client, dynamically assigned IP address.</entry>
758 </row>
759
760 <row>
761 <entry>WAN (Virtual Port2)</entry>
762
763 <entry>IP address: 10.0.0.1</entry>
764 </row>
765
766 <row>
767 <entry>LAN (Virtual Port3)</entry>
768
769 <entrytbl cols="1">
770 <tbody>
771 <row>
772 <entry>IP address: 172.16.1.1</entry>
773 </row>
774
775 <row>
776 <entry>DHCP server (IP range 172.16.1.2 -
777 172.16.1.254)</entry>
778 </row>
779 </tbody>
780 </entrytbl>
781 </row>
782 </tbody>
783 </tgroup>
784 </table>
785
786 <table>
787 <title>FortiGate VNF Example Configuration - SD-WAN Target 2</title>
788
789 <tgroup cols="2">
790 <colspec align="center" />
791
792 <thead>
793 <row>
794 <entry align="center">Component</entry>
795
796 <entry align="center">Description</entry>
797 </row>
798 </thead>
799
800 <tbody>
801 <row>
802 <entry>SD-WAN</entry>
803
804 <entry>VPN connection between two branches (Target 2 and Target
805 1).</entry>
806 </row>
807
808 <row>
809 <entry>VNFMgr (Virtual Port1)</entry>
810
811 <entry>DHCP Client, dynamically assigned IP address.</entry>
812 </row>
813
814 <row>
815 <entry>WAN (Virtual Port2)</entry>
816
817 <entry>IP address: 10.0.0.2</entry>
818 </row>
819
820 <row>
821 <entry>LAN (Virtual Port3)</entry>
822
823 <entrytbl cols="1">
824 <tbody>
825 <row>
826 <entry>IP address: 172.16.2.1</entry>
827 </row>
828
829 <row>
830 <entry>DHCP server (IP range 172.16.2.2 -
831 172.16.2.254)</entry>
832 </row>
833 </tbody>
834 </entrytbl>
835 </row>
836 </tbody>
837 </tgroup>
838 </table>
839
840 <para><emphasis role="bold">Lab Setup</emphasis></para>
841
842 <para>The following table illustrates the use-case prerequisites of the
843 setup:</para>
844
845 <table>
846 <title>Lab Setup Prerequisites</title>
847
848 <tgroup cols="2">
849 <colspec align="center" />
850
851 <thead>
852 <row>
853 <entry align="center">Component</entry>
854
855 <entry align="center">Description</entry>
856 </row>
857 </thead>
858
859 <tbody>
860 <row>
861 <entry>Lab Network</entry>
862
863 <entrytbl cols="1">
864 <tbody>
865 <row>
866 <entry>DHCP enabled Lab Network.</entry>
867 </row>
868
869 <row>
870 <entry>Internet Connectivity.</entry>
871 </row>
872 </tbody>
873 </entrytbl>
874 </row>
875
876 <row>
877 <entry>Two Intel Whitebox target devices</entry>
878
879 <entrytbl cols="1">
880 <tbody>
881 <row>
882 <entry>Minimum 4 Physical Network Devices.</entry>
883 </row>
884
885 <row>
886 <entry>4 GB RAM and 4 cores (C3000 or Xeon D).</entry>
887 </row>
888
889 <row>
890 <entry>Enea NFV Access Installed.</entry>
891 </row>
892
893 <row>
894 <entry>VNFMgr Connected to Lab Network for VNF management
895 access.</entry>
896 </row>
897
898 <row>
899 <entry>WAN interfaces directly connected through Ethernet
900 cable.</entry>
901 </row>
902
903 <row>
904 <entry>LAN Connected to Test Machine.</entry>
905 </row>
906
907 <row>
908 <entry>ETH0 connected to Lab Network (for Enea uCPE Manager
909 communications).</entry>
910 </row>
911 </tbody>
912 </entrytbl>
913 </row>
914
915 <row>
916 <entry>One Lab Machine</entry>
917
918 <entrytbl cols="1">
919 <tbody>
920 <row>
921 <entry>Connected to Lab Network.</entry>
922 </row>
923
924 <row>
925 <entry>Running either Windows or CentOS.</entry>
926 </row>
927
928 <row>
929 <entry>Enea uCPE Manager installed.</entry>
930 </row>
931 </tbody>
932 </entrytbl>
933 </row>
934
935 <row>
936 <entry>Two Test Machines</entry>
937
938 <entrytbl cols="1">
939 <tbody>
940 <row>
941 <entry>Connected to Whitebox LANs.</entry>
942 </row>
943
944 <row>
945 <entry>Internet Connectivity via LAN.</entry>
946 </row>
947
948 <row>
949 <entry>Configured as DHCP client on LAN.</entry>
950 </row>
951 </tbody>
952 </entrytbl>
953 </row>
954
955 <row>
956 <entry>FortiGate VNF</entry>
957
958 <entrytbl cols="1">
959 <tbody>
960 <row>
961 <entry>Downloaded the FortiGate VNF Bundle from Enea Portal
962 to the Lab Machine file system.</entry>
963 </row>
964
965 <row>
966 <entry>Downloaded FortiGate configuration examples from Enea
967 Portal to Lab Machine file system. Unpack the configuration
968 examples specific for SD-WAN on the Lab Machine.</entry>
969 </row>
970
971 <row>
972 <entry>Retrieve the FortiGate VNF license from Fortinet and
973 store it on the Lab Machine file system.</entry>
974 </row>
975
976 <row>
977 <entry>Optionally, retrieve FortiGate VNF documentation from
978 Fortinet.</entry>
979 </row>
980 </tbody>
981 </entrytbl>
982 </row>
983 </tbody>
984 </tgroup>
985 </table>
986
987 <figure>
988 <title>SD-WAN: VPN Configuration</title>
989
990 <mediaobject>
991 <imageobject>
992 <imagedata align="center" fileref="images/sdwan_vpn_overview_1.png"
993 scale="50" />
994 </imageobject>
995 </mediaobject>
996 </figure>
997
998 <para><emphasis role="bold">uCPE Networking Setup</emphasis></para>
999
1000 <para>Before deploying the FortiGate SD-WAN, the Enea NFV Access platform
1001 has to be configured to the specific networking setup.</para>
1002
1003 <para>Since the SD-WAN VNF uses three External Network Interfaces, three
1004 bridges need to be configured. Each bridge provides the ability to connect
1005 a physical network interface to the virtual machine's virtual network
1006 interface. Each physical to virtual network interface connection is setup
1007 in two steps:</para>
1008
1009 <itemizedlist>
1010 <listitem>
1011 <para>Bind the physical network interfaces with a DPDK driver.</para>
1012 </listitem>
1013
1014 <listitem>
1015 <para>Create a named bridge for each physical network
1016 interface.</para>
1017 </listitem>
1018 </itemizedlist>
1019
1020 <para>Start the setup by preparing each physical interface for attachment
1021 to a bridge. Each VNF instance will have a virtual interface for VNF
1022 management, for the WAN network and for LAN communication.</para>
1023
1024 <orderedlist>
1025 <listitem>
1026 <para>Bind physical interface to DPDK by selecting the target_1:
1027 <literal>Configuration</literal> -&gt; <literal>OpenVSwitch</literal>
1028 -&gt; <literal>Host Interfaces</literal> -&gt;
1029 <literal>Add</literal>:</para>
1030
1031 <figure>
1032 <title>Binding the Physical Interface</title>
1033
1034 <mediaobject>
1035 <imageobject>
1036 <imagedata align="center"
1037 fileref="images/bind_phys_interface.png" scale="90" />
1038 </imageobject>
1039 </mediaobject>
1040 </figure>
1041
1042 <para>The result of binding these three interfaces should look like
1043 the following:</para>
1044
1045 <figure>
1046 <title>Results of Binding</title>
1047
1048 <mediaobject>
1049 <imageobject>
1050 <imagedata align="center" fileref="images/binding_results.png"
1051 scale="70" />
1052 </imageobject>
1053 </mediaobject>
1054 </figure>
1055 </listitem>
1056
1057 <listitem>
1058 <para>Create one OpenVSwitch bridge for each SD-WAN network connection
1059 (VNF management, WAN and LAN) by selecting the <literal>Add</literal>
1060 button from the Bridges tab by selecting the target:
1061 <literal>Configuration</literal> -&gt;
1062 <literal>OpenvSwitch</literal>-&gt; <literal>Bridges</literal>. A
1063 popup like this should appear:</para>
1064
1065 <figure>
1066 <title>Creating an OpenVSwitch bridge for an SD-WAN network
1067 connection</title>
1068
1069 <mediaobject>
1070 <imageobject>
1071 <imagedata align="center" fileref="images/ovs_bridge_four.png"
1072 scale="70" />
1073 </imageobject>
1074 </mediaobject>
1075 </figure>
1076 </listitem>
1077
1078 <listitem>
1079 <para>Repeat this step for all network connections. Three bridges will
1080 be created:</para>
1081
1082 <figure>
1083 <title>The three newly created Bridges</title>
1084
1085 <mediaobject>
1086 <imageobject>
1087 <imagedata align="center" fileref="images/created_bridges.png"
1088 scale="70" />
1089 </imageobject>
1090 </mediaobject>
1091 </figure>
1092 </listitem>
1093 </orderedlist>
1094
1095 <para>Once the interfaces and bridges are ready, only the on-boarding and
1096 instantiation of the VNF remains to be done.</para>
1097
1098 <para><emphasis role="bold">Onboarding the FortiGate VNF</emphasis></para>
1099
1100 <orderedlist>
1101 <listitem>
1102 <para>To on-board a VNF, select target on the map and click the
1103 <literal>VNF</literal> button in the top toolbar. Then, click the
1104 <literal>Descriptors</literal> -&gt; <literal>On-board</literal> -&gt;
1105 <literal>Browse</literal> options, and select the
1106 <filename>Fortigate.zip</filename> file, before clicking
1107 <literal>Send</literal>:</para>
1108
1109 <figure>
1110 <title>On-boarding FortiGate VNF</title>
1111
1112 <mediaobject>
1113 <imageobject>
1114 <imagedata align="center" fileref="images/onboard.png"
1115 scale="45" />
1116 </imageobject>
1117 </mediaobject>
1118 </figure>
1119 </listitem>
1120
1121 <listitem>
1122 <para>Wait for the <literal>Onboarding Status</literal> popup to
1123 display the confirmation message and select
1124 <literal>OK</literal>:</para>
1125
1126 <figure>
1127 <title>Successful Confirmation</title>
1128
1129 <mediaobject>
1130 <imageobject>
1131 <imagedata align="center"
1132 fileref="images/onboarded_successfully.png"
1133 scale="42" />
1134 </imageobject>
1135 </mediaobject>
1136 </figure>
1137 </listitem>
1138 </orderedlist>
1139
1140 <para><emphasis role="bold">Instantiating the FortiGate
1141 VNF</emphasis></para>
1142
1143 <para>The following steps describe how to instantiate the Fortigate
1144 VNF.</para>
1145
1146 <orderedlist>
1147 <listitem>
1148 <para>Select the target, then from the top toolbar click on
1149 <literal>VNF</literal>-&gt; <literal>Instances</literal> -&gt;
1150 <literal>Add</literal> options:</para>
1151
1152 <figure>
1153 <title>Adding an Instance</title>
1154
1155 <mediaobject>
1156 <imageobject>
1157 <imagedata align="center" fileref="images/adding_instance.png"
1158 scale="50" />
1159 </imageobject>
1160 </mediaobject>
1161 </figure>
1162
1163 <note>
1164 <para>Download locally the valid license files for the Fortigate VNF
1165 from Fortinet and the configuration file provided by Enea as
1166 examples.</para>
1167 </note>
1168 </listitem>
1169
1170 <listitem>
1171 <para>Use the <literal>sdwan1</literal> example configuration file for
1172 the first target:</para>
1173
1174 <figure>
1175 <title>Configuring target_1</title>
1176
1177 <mediaobject>
1178 <imageobject>
1179 <imagedata align="center" fileref="images/sdwan1_eg_config.png"
1180 scale="70" />
1181 </imageobject>
1182 </mediaobject>
1183 </figure>
1184 </listitem>
1185 </orderedlist>
1186
1187 <para>Fortigate VNF instantiation requires the following settings:</para>
1188
1189 <table>
1190 <title>Fortigate VNF Instantiation Requirements</title>
1191
1192 <tgroup cols="2">
1193 <colspec align="left" colwidth="2*" />
1194
1195 <colspec align="left" colwidth="4*" />
1196
1197 <thead>
1198 <row>
1199 <entry align="center">Component</entry>
1200
1201 <entry align="center">Description</entry>
1202 </row>
1203 </thead>
1204
1205 <tbody>
1206 <row>
1207 <entry>Name</entry>
1208
1209 <entry>The name of the VM which will be created on target
1210 device.</entry>
1211 </row>
1212
1213 <row>
1214 <entry>VNF Type</entry>
1215
1216 <entry>The name of the on-boarded VNF bundle.</entry>
1217 </row>
1218
1219 <row>
1220 <entry>VIM</entry>
1221
1222 <entry>Name and IP address of the device where the VNF has to be
1223 instantiated.</entry>
1224 </row>
1225
1226 <row>
1227 <entry>License file</entry>
1228
1229 <entry>FortiGate license file provided by Fortinet.</entry>
1230 </row>
1231
1232 <row>
1233 <entry>Configuration file</entry>
1234
1235 <entry>SD-WAN example configuration files provided by Enea: -
1236 FGVM080000136187_20180215_0708_sdwan1.conf -
1237 FGVM080000136188_20180215_0708_sdwan2.conf</entry>
1238 </row>
1239
1240 <row>
1241 <entry>Port1 - VNFMgr</entry>
1242
1243 <entry>Set as dpdk type and connect it to vnfmgrbr bridge.</entry>
1244 </row>
1245
1246 <row>
1247 <entry>Port2 - WAN</entry>
1248
1249 <entry>Set as dpdk type and connect it to wanbr bridge.</entry>
1250 </row>
1251
1252 <row>
1253 <entry>Port3 - LAN</entry>
1254
1255 <entry>Set as dpdk type and connect it to lanbr bridge.</entry>
1256 </row>
1257 </tbody>
1258 </tgroup>
1259 </table>
1260
1261 <para>To complete the branch-to-branch setup, configure the peer target in
1262 the same way as <literal>target_1</literal>. Make sure to use the
1263 <filename>FGVM080000136188_20180215_0708_sdwan2.conf</filename>
1264 configuration file for the second VNF instantiation.</para>
1265
1266 <para><emphasis role="bold">Testing the FortiGate SD-WAN
1267 VPN</emphasis></para>
1268
1269 <para>Once the full SD-WAN setup is in place a VPN connection needs to
1270 established between the two targets. The Test Machines can be connected to
1271 the LAN interface on each target.</para>
1272
1273 <para>The connected Test Machine can be a laptop or a target that has one
1274 interface configured to get dynamic IP from a DHCP server. The
1275 <command>dhclient &lt;interface&gt;</command> command can be used to
1276 request an IP address.</para>
1277
1278 <note>
1279 <para>The received IP must be in the 172.16.1.2 - 172.16.1.255 range for
1280 Test Machine-1 and in the 172.16.2.2 - 172.16.2.255 range for Test
1281 Machine-2.</para>
1282 </note>
1283
1284 <figure>
1285 <title>Overview: Testing Machines Setup</title>
1286
1287 <mediaobject>
1288 <imageobject>
1289 <imagedata align="center" fileref="images/test_machines.png"
1290 scale="40" />
1291 </imageobject>
1292 </mediaobject>
1293 </figure>
1294
1295 <para>Target 1 should be able to ping Test target 2 in this setup over the
1296 WAN connection.</para>
1297
1298 <para>In the figure above and this example, the FortiGate VNF management
1299 interface is accessible through a dedicated Mgmt interface. The Mgmt IP
1300 address can be used from a web browser on the Lab Machine to access the
1301 Fortigate VNF Management Web UI.</para>
1302
1303 <note>
1304 <para>In this SD-WAN VPN setup example, bridges were used as connection
1305 points for Fortigate VNF. It is possible to replace OVS-DPDK bridges
1306 with SR-IOV connection points.</para>
1307 </note>
1308 </section>
1309</chapter> \ No newline at end of file
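Review bot: in the "FortiGate VNF web management" section step 2 tells the reader to log in with `admin` "leaving the password blank", while the firewall testing section says "the FortiGate VNF management interface is accessible through the WAN interface, the WAN IP address can be used from a web browser"; taken together the procedure leaves a FortiGate admin account with an empty password reachable from the WAN side, so add a step immediately after the first CLI or web login that sets the admin password (and, if the Enea example configuration does not already do it, restricts administrative access to the VNFMgr side or a trusted-host list) before the WAN address is used for the web UI. Three smaller points in the same file: the test notes in both the firewall and SD-WAN sections require the client address to be "in the 172.16.1.2 - 172.16.1.255 range" (and 172.16.2.2 - 172.16.2.255), but the example configuration tables define the LAN DHCP scope as "172.16.1.2 - 172.16.1.254" and "172.16.2.2 - 172.16.2.254", and .255 is the broadcast address of the /24, so the notes should end at .254 to match; the `<remark>` asking the author to confirm the SR-IOV sentence ("The previous sentence in the original was very hard to understand, please confirm...") is an editorial query that should be resolved and removed before this proofed file is merged, otherwise it can render in the output book; and the SD-WAN test sentence "Target 1 should be able to ping Test target 2 in this setup over the WAN connection" should say that Test Machine-1 on the LAN of Target 1 can ping Test Machine-2 on the LAN of Target 2 through the VPN, since LAN-to-LAN reachability across the tunnel, not a bare WAN ping between the targets, is what verifies the SD-WAN VPN.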