path: root/doc/book-enea-nfv-access-example-usecases/doc/example_usecases.xml
Diffstat (limited to 'doc/book-enea-nfv-access-example-usecases/doc/example_usecases.xml')
-rw-r--r-- doc/book-enea-nfv-access-example-usecases/doc/example_usecases.xml 2525
1 files changed, 0 insertions, 2525 deletions
diff --git a/doc/book-enea-nfv-access-example-usecases/doc/example_usecases.xml b/doc/book-enea-nfv-access-example-usecases/doc/example_usecases.xml
deleted file mode 100644
index 7934d71..0000000
--- a/doc/book-enea-nfv-access-example-usecases/doc/example_usecases.xml
+++ /dev/null
@@ -1,2525 +0,0 @@
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<chapter id="example_usecases">
3 <title>Example Use Cases Manual</title>
4
5 <para>This book will detail various example use cases that a user can
6 experiment with.</para>
7
8 <section id="clav_vnf_example">
9 <title>Clavister VNF Examples</title>
10
11 <section id="clav_vnf">
12 <title>Clavister VNF</title>
13
14 <para>In this use case, <literal>target_1</literal> will run the
15 Clavister VNF and an Open vSwitch bridge and <literal>target_2</literal>
16 two iPerf VNFs.</para>
17
18 <figure>
19 <title>Clavister VNF Example Overview</title>
20
21 <mediaobject>
22 <imageobject>
23 <imagedata align="center"
24 fileref="images/clavister_vnf_diagram.png" scale="50" />
25 </imageobject>
26 </mediaobject>
27 </figure>
28
29 <para><emphasis role="bold">How to setup the target to run the Clavister
30 VNF and an Open vSwitch Bridge</emphasis></para>
31
32 <orderedlist>
33 <para><emphasis role="bold">Network Configuration for target_1 and
34 target_2</emphasis></para>
35
36 <listitem>
37 <para>From uCPE Manager select the target_1:
38 <literal>Configuration</literal> -&gt;
39 <literal>OpenVSwitch</literal> -&gt; H<literal>ost
40 Interfaces</literal> -&gt; <literal>Add</literal></para>
41 </listitem>
42
43 <listitem>
44 <para>Select the network interface that will be used to connect to
45 the second target, configure it for DPDK, and click
46 <literal>Create</literal> to send the configuration to the
47 target:</para>
48
49 <figure>
50 <title>Host Interface Creation</title>
51
52 <mediaobject>
53 <imageobject>
54 <imagedata align="center"
55 fileref="images/host_interface_creation.png" />
56 </imageobject>
57 </mediaobject>
58 </figure>
59 </listitem>
60
61 <listitem>
62 <para>Create an Open vSwitch bridge (<literal>ovsbr0</literal>) with
63 one DPDK interface by selecting the <literal>Add</literal> button
64 from the <literal>Bridges</literal> tab.</para>
65 </listitem>
66
67 <listitem>
68 <para>Once the bridge creation popup appears, fill the fields and
69 add the physical interface:</para>
70
71 <figure>
72 <title>OVS bridge</title>
73
74 <mediaobject>
75 <imageobject>
76 <imagedata align="center" fileref="images/ovs_bridge_zero.png"
77 scale="80" />
78 </imageobject>
79 </mediaobject>
80 </figure>
81 </listitem>
82
83 <listitem>
84 <para>Repeat the steps above on the target_2, by also using one DPDK
85 interface and creating an OVS bridge.</para>
86 </listitem>
87 </orderedlist>
88
89 <orderedlist>
90 <para><emphasis role="bold">Instantiate the VNFs:</emphasis></para>
91
92 <para>Once the network configuration has been completed on both
93 targets instantiate the VNFs:</para>
94
95 <para><emphasis role="bold">A) Instantiate Clavister VNF on
96 target_1:</emphasis></para>
97
98 <listitem>
99 <para>Select the target_1, then the VNF option from the top toolbar:
100 <literal>VNF</literal> -&gt; <literal>Instances</literal> -&gt;
101 <literal>Add</literal>.</para>
102 </listitem>
103
104 <listitem>
105 <para>Fill in the required information about the
106 <literal>Clavister</literal> VNF, (the default network configuration
107 can be used):</para>
108
109 <figure>
110 <title>VNF Instance</title>
111
112 <mediaobject>
113 <imageobject>
114 <imagedata align="center" fileref="images/vnf_instance.png"
115 scale="80" />
116 </imageobject>
117 </mediaobject>
118 </figure>
119 </listitem>
120 </orderedlist>
121
122 <orderedlist>
123 <para><emphasis role="bold">B) Instantiate two iPerf VNFs (one as
124 client and one as server) on target_2: </emphasis></para>
125
126 <listitem>
127 <para>Instantiate two <literal>iPerf</literal> VNFs on target_2. One
128 will act as the server and the second as the client.</para>
129 </listitem>
130
131 <listitem>
132 <para>Select target_2, then the VNF option from the top toolbar:
133 <literal>VNF</literal> -&gt; <literal>Instances</literal> -&gt;
134 <literal>Add</literal>.</para>
135 </listitem>
136
137 <listitem>
138 <para>In the <literal>VNF Instance</literal> window, select the
139 first <literal>iPerf</literal> VNF from the dropdown menu, configure
140 it to act as a server by unchecking the <literal>Client mode
141 IPerf</literal> box, and click the <literal>Create</literal>
142 button.</para>
143 </listitem>
144
145 <listitem>
146 <para>Select <literal>Add</literal>, enable the <literal>Client mode
147 IPerf</literal> checkbox and then click <literal>Create</literal> to
148 instantiate the second <literal>iPerf VNF</literal> as a client, and
149 to run it in client mode.</para>
150 </listitem>
151
152 <listitem>
153 <para>In order to check that traffic is forwarded between the VNFs,
154 connect to the iPerf VNF client console:</para>
155
156 <para>Connect to the target_2 by using: <literal>SSH</literal> -&gt;
157 <literal>user</literal> (root) -&gt;<literal>Connect</literal> and
158 run the following:</para>
159
160 <programlisting>virsh list
161virsh console
162root@qemux86-64:~# iperf3 -c 192.168.10.10</programlisting>
163 </listitem>
164 </orderedlist>
165 </section>
166
167 <section id="clav_example_sriov">
168 <title>Clavister VNF using SR-IOV</title>
169
170 <para>In this use case, target 1 will run the iPerf server and iPerf
171 client VNFs using SR-IOV and target 2 will run the Clavister VNF using
172 SR-IOV with two virtual functions (vf1 and vf2):</para>
173
174 <figure>
175 <title>Example Overview</title>
176
177 <mediaobject>
178 <imageobject>
179 <imagedata align="center"
180 fileref="images/clav_VNF_demo_SR-IOV.png" scale="60" />
181 </imageobject>
182 </mediaobject>
183 </figure>
184
185 <orderedlist>
186 <listitem>
187 <para>On target 2, create an SR-IOV configuration with 2 virtual
188 functions: <literal>Configuration</literal> -&gt;
189 <literal>OpenVSwitch</literal> -&gt; <literal>Host
190 Interfaces</literal> -&gt; <literal>Add</literal>:</para>
191
192 <figure>
193 <title>SR-IOV configuration with 2 virtual functions</title>
194
195 <mediaobject>
196 <imageobject>
197 <imagedata align="center"
198 fileref="images/sriov_configuration.png" scale="80" />
199 </imageobject>
200 </mediaobject>
201 </figure>
202 </listitem>
203
204 <listitem>
205 <para>Instantiate the Clavister VNF on target 2, by clicking
206 <literal>VNF</literal> -&gt; <literal>Instances</literal> -&gt;
207 <literal>Add</literal>.</para>
208
209 <para>Select <literal>SrIovAdapterPool</literal> as an Interface
210 type for both Interface1 type and 2 type, before clicking
211 <literal>Create</literal>:</para>
212
213 <figure>
214 <title>Instantiating the Clavister VNF on target 2</title>
215
216 <mediaobject>
217 <imageobject>
218 <imagedata align="center" fileref="images/srlov_adap_pool.png"
219 scale="70" />
220 </imageobject>
221 </mediaobject>
222 </figure>
223 </listitem>
224
225 <listitem>
226 <para>On target 1, create an SR-IOV interface as done in step
227 1.</para>
228 </listitem>
229
230 <listitem>
231 <para>Create the iPerf server on target 1. Select
232 <literal>SrIovAdapterPool</literal> as an Interface type:</para>
233
234 <figure>
235 <title>IPerf Server Interface Type</title>
236
237 <mediaobject>
238 <imageobject>
239 <imagedata align="center"
240 fileref="images/iperf_server_inttype.png"
241 scale="70" />
242 </imageobject>
243 </mediaobject>
244 </figure>
245 </listitem>
246
247 <listitem>
248 <para>Create the iPerf client on target 1. Select
249 <literal>SrIovAdapterPool</literal> as an Interface type and tick
250 the <literal>Client mode IPer</literal> checkbox:</para>
251
252 <figure>
253 <title>IPerf Client Interface Type</title>
254
255 <mediaobject>
256 <imageobject>
257 <imagedata align="center"
258 fileref="images/iperf_client_inttype.png"
259 scale="70" />
260 </imageobject>
261 </mediaobject>
262 </figure>
263 </listitem>
264
265 <listitem>
266 <para>In order to check that traffic is forwarded between the VNFs,
267 connect to the iPerf VNF client console by using:
268 <literal>SSH</literal> -&gt; <literal>user</literal> (root)
269 -&gt;<literal>Connect</literal> and run the following
270 commands:<programlisting>virsh list
271virsh console
272root@qemux86-64:~# iperf3 -c 192.168.10.10</programlisting></para>
273 </listitem>
274 </orderedlist>
275 </section>
276 </section>
277
278 <section id="enea_vnf_examples">
279 <title>Enea VNF Examples</title>
280
281 <section id="enea_vnf">
282 <title>TestPMD VNF</title>
283
284 <para>Use case description: pktgen[DPDK] - PHY1 - PHY2 - [DPDK]OVS -
285 VM[DPDK]testpmd(forwarding) - OVS[DPDK] - VM[DPDK]
286 testpmd(termination).</para>
287
288 <figure>
289 <title>Enea VNF Example Overview</title>
290
291 <mediaobject>
292 <imageobject>
293 <imagedata align="center"
294 fileref="images/enea_vnf_demo_overview.png" scale="80" />
295 </imageobject>
296 </mediaobject>
297 </figure>
298
299 <para><emphasis role="bold">How to setup the Enea VNF
300 Example</emphasis></para>
301
302 <orderedlist>
303 <listitem>
304 <para>Bind the host interfaces to the DPDK by selecting the
305 target_1: <literal>Configuration</literal> -&gt;
306 <literal>OpenVSwitch</literal> -&gt; <literal>Host
307 Interfaces</literal> -&gt; <literal>Add</literal>:</para>
308
309 <figure>
310 <title>Adding OVS Host Interfaces</title>
311
312 <mediaobject>
313 <imageobject>
314 <imagedata align="center"
315 fileref="images/ovs_host_interface.png" scale="80" />
316 </imageobject>
317 </mediaobject>
318 </figure>
319 </listitem>
320
321 <listitem>
322 <para>Select the network interface that will be used to connect to
323 the second target and configure it for the DPDK:</para>
324
325 <figure>
326 <title>Configuring the host interface</title>
327
328 <mediaobject>
329 <imageobject>
330 <imagedata align="center"
331 fileref="images/secondtar_hostinterface.png"
332 scale="90" />
333 </imageobject>
334 </mediaobject>
335 </figure>
336 </listitem>
337
338 <listitem>
339 <para>Select the <literal>Create</literal> button to send the
340 configuration to the target. The same steps must also be performed
341 on the target_2.</para>
342 </listitem>
343
344 <listitem>
345 <para>Create an OpenVSwitch bridge (<literal>ovsbr0</literal>) on
346 target_1 that uses one DPDK interface, by selecting the
347 <literal>Add</literal> button from the Bridges tab and then
348 selcting: <literal>Configuration</literal> -&gt;
349 <literal>OpenVSwitch</literal>-&gt;
350 <literal>Bridges</literal>:</para>
351
352 <figure>
353 <title>OVS Bridge Table</title>
354
355 <mediaobject>
356 <imageobject>
357 <imagedata align="center" fileref="images/ovs_bridge_tab.png"
358 scale="75" />
359 </imageobject>
360 </mediaobject>
361 </figure>
362
363 <figure>
364 <title>Adding the interface to the OVS Bridge</title>
365
366 <mediaobject>
367 <imageobject>
368 <imagedata align="center" fileref="images/ovs_bridge_two.png"
369 scale="90" />
370 </imageobject>
371 </mediaobject>
372 </figure>
373 </listitem>
374
375 <listitem>
376 <para>Instantiate the TestPMD VNFs on target_1 by selecting:
377 <literal>VNF</literal> -&gt; <literal>Instances</literal> -&gt;
378 <literal>Add</literal>.</para>
379 </listitem>
380
381 <listitem>
382 <para>Configure the VNF that forwards traffic:</para>
383
384 <figure>
385 <title>Configuring the fwdVNF</title>
386
387 <mediaobject>
388 <imageobject>
389 <imagedata align="center" fileref="images/traffic_forward.png"
390 scale="85" />
391 </imageobject>
392 </mediaobject>
393 </figure>
394 </listitem>
395
396 <listitem>
397 <para>Configure the VNF that terminates traffic:</para>
398
399 <figure>
400 <title>Configuring the termVNF</title>
401
402 <mediaobject>
403 <imageobject>
404 <imagedata align="center"
405 fileref="images/traffic_terminate.png" scale="85" />
406 </imageobject>
407 </mediaobject>
408 </figure>
409 </listitem>
410
411 <listitem>
412 <para>Add OpenVSwitch flows to control this traffic:</para>
413
414 <figure>
415 <title>Configuring the FWD flow</title>
416
417 <mediaobject>
418 <imageobject>
419 <imagedata align="center" fileref="images/flow_fwd.png"
420 scale="90" />
421 </imageobject>
422 </mediaobject>
423 </figure>
424
425 <figure>
426 <title>Configuring the TERM flow</title>
427
428 <mediaobject>
429 <imageobject>
430 <imagedata align="center" fileref="images/flow_term.png"
431 scale="90" />
432 </imageobject>
433 </mediaobject>
434 </figure>
435 </listitem>
436
437 <listitem>
438 <para>Start pktgen on target_2. Connect to the target by using:
439 <literal>SSH</literal> -&gt; <literal>user</literal> (root) and
440 perform the following:</para>
441
442 <programlisting>killall ovsdb-server ovs-vswitchd
443rm -rf /etc/openvswitch/*
444mkdir -p /var/run/openvswitch
445modprobe igb_uio
446dpdk-devbind --bind=igb_uio 0000:05:00.3
447cd /usr/share/apps/pktgen/
448./pktgen -c 0x7 -n 4 --proc-type auto --socket-mem 256 -w 0000:05:00.3 -- \
449 -P -m "[1:2].0"
450Pktgen:/&gt; start 0</programlisting>
451 </listitem>
452
453 <listitem>
454 <para>Connect to the forwarder VNF in order to check the traffic
455 statistics by selecting target_1: <literal>SSH</literal> -&gt;
456 <literal>user</literal> (root):</para>
457
458 <programlisting>Virsh list
459Virsh console 1
460# Qemux86-64 login: root
461tail -f /opt/testpmd-out</programlisting>
462
463 <figure>
464 <title>Traffic Statistics</title>
465
466 <mediaobject>
467 <imageobject>
468 <imagedata align="center"
469 fileref="images/connection_information.png"
470 scale="70" />
471 </imageobject>
472 </mediaobject>
473 </figure>
474 </listitem>
475 </orderedlist>
476 </section>
477
478 <section id="vnf_pci">
479 <title>TestPMD VNF using PCI passthrough</title>
480
481 <para>In this use case, target 1 will run the Pktgen and target 2 will
482 run the TestPMD VNF. Both will be using PCI passthrough:</para>
483
484 <figure>
485 <title>TestPMD VNF using PCI passthrough Overview</title>
486
487 <mediaobject>
488 <imageobject>
489 <imagedata align="center" fileref="images/testPMD_VNF_PCI.png"
490 scale="65" />
491 </imageobject>
492 </mediaobject>
493 </figure>
494
495 <orderedlist>
496 <listitem>
497 <para>Make sure that neither target 1 nor target 2 have any
498 configured host interfaces by selcting target:
499 <literal>Configuration</literal> -&gt;
500 <literal>OpenVSwitch</literal> -&gt; <literal>Host
501 Interfaces</literal>.</para>
502 </listitem>
503
504 <listitem>
505 <para>On target 1 start the Pktgen VNF. Select
506 <literal>PciPassthrough</literal> as the Interface type.</para>
507
508 <para>From the drop-down list, select the PCI interface
509 corresponding to the NIC which is connected to target 2:</para>
510
511 <figure>
512 <title>Selecting the Pktgen VNF Interface</title>
513
514 <mediaobject>
515 <imageobject>
516 <imagedata align="center"
517 fileref="images/pciPass_interface.png" scale="70" />
518 </imageobject>
519 </mediaobject>
520 </figure>
521 </listitem>
522
523 <listitem>
524 <para>On target 2, start the TestPmdForwarder VNF. Select
525 "PciPassthrough" as the Interface type. From the drop-down list,
526 select the PCI interface corresponding to the NIC which is connected
527 to target 1:</para>
528
529 <figure>
530 <title>Selecting the TestPmdForwarder VNF Interface</title>
531
532 <mediaobject>
533 <imageobject>
534 <imagedata align="center"
535 fileref="images/testpmd_fwdvnf_int.png" scale="70" />
536 </imageobject>
537 </mediaobject>
538 </figure>
539 </listitem>
540
541 <listitem>
542 <para>To check that traffic is being forwarded from target 2, SSH to
543 the target and connect to the VNFs console:</para>
544
545 <programlisting>Right click on target 2 and select SSH.
546Run: virsh list
547Run: virsh console [VM NAME]
548Run: tail -f /opt/testpmd-out</programlisting>
549 </listitem>
550 </orderedlist>
551 </section>
552 </section>
553
554 <section id="vnf_fortigate">
555 <title>FortiGate VNF Example</title>
556
557 <para>FortiGate virtual appliances <remark>is "appliances" the correct
558 word to use here?</remark> feature all of the security and networking
559 services common to traditional hardware-based FortiGate appliances. The
560 virtual appliances can be integrated in Firewall or SD-WAN solution
561 development.</para>
562
563 <para>Enea provides a prepared VNF bundle for download from the Enea
564 Portal, for usage with the Enea NFV Access product. The prepared VNF
565 bundle includes the FortiGate VNF image as well as a VNF Descriptor and
566 other onboarding related configuration files. The VNF Descriptor provided
567 configures a setup, which requires the following resources:</para>
568
569 <itemizedlist>
570 <listitem>
571 <para>3 x Network Interfaces</para>
572 </listitem>
573
574 <listitem>
575 <para>1 x vCPU</para>
576 </listitem>
577
578 <listitem>
579 <para>1 GB of RAM memory</para>
580 </listitem>
581 </itemizedlist>
582
583 <para>The VNF Descriptor represents one specific setup, suitable for usage
584 with the Firewall and SD-WAN VPN instructions in this guide. Alternative
585 VNF Descriptor configurations may be needed to support other
586 configurations required by the customer.</para>
587
588 <para>Enea can provide assistance to provide alternative VNF Descriptor
589 configurations.</para>
590
591 <note>
592 <para>While the prepared FortiGate bundle is provided from Enea Portal,
593 additional content needs to be received from Fortinet directly. The
594 FortiGate VNF license as well as any FortiGate specific documentation
595 shall be requested from the local Fortinet sales representatives in your
596 region, before FortiGate can be used.</para>
597 </note>
598
599 <section id="fortigate_firewall">
600 <title>FortiGate VNF as a Firewall</title>
601
602 <para>FortiGate Next Generation Firewall utilizes purpose-built security
603 processors and threat intelligence security services to deliver
604 top-rated protection and high performance, including encrypted traffic.
605 FortiGate reduces complexity with automated visibility into
606 applications, users and networks, and provides security ratings to adopt
607 security best practices.</para>
608
609 <para>An example firewall configuration for the FortiGate VNF is
610 provided in the Enea Portal. It is a simple firewall base
611 configuration.</para>
612
613 <table>
614 <title>FortiGate VNF Example Configuration</title>
615
616 <tgroup cols="2">
617 <colspec align="center" />
618
619 <thead>
620 <row>
621 <entry align="center">Component</entry>
622
623 <entry align="center">Setting/Description</entry>
624 </row>
625 </thead>
626
627 <tbody>
628 <row>
629 <entry>Firewall</entry>
630
631 <entry>"All pass" mode</entry>
632 </row>
633
634 <row>
635 <entry>WAN (Virtual Port1)</entry>
636
637 <entry><para>DHCP Client, dynamically assigned IP
638 address.</para>FortiGate In-Band
639 Management<superscript>1</superscript></entry>
640 </row>
641
642 <row>
643 <entry>WAN (Virtual Port2)</entry>
644
645 <entry><para>IP address: 172.168.16.1</para>DHCP server (IP
646 range 172.168.16.1 - 172.168.16.255).</entry>
647 </row>
648
649 <row>
650 <entry>WAN (Virtual Port3)</entry>
651
652 <entry>Ignored</entry>
653 </row>
654 </tbody>
655 </tgroup>
656 </table>
657
658 <para><superscript>1</superscript>FortiGate In-Band Management is a
659 feature for running FortiGate Management traffic over WAN.</para>
660
661 <para>Instructions on how to alter the default configuration is provided
662 in the Fortigate VNF management chapter.</para>
663
664 <para><emphasis role="bold">Lab Setup</emphasis></para>
665
666 <para>Before starting the configuration of the FortiGate Firewall, a lab
667 setup of hardware and software configurations has to be built. The
668 following table illustrates the required lab setup:</para>
669
670 <table>
671 <title>Lab Setup Prerequisites</title>
672
673 <tgroup cols="2">
674 <colspec align="center" />
675
676 <thead>
677 <row>
678 <entry align="center">Component</entry>
679
680 <entry align="center">Description/Requirements</entry>
681 </row>
682 </thead>
683
684 <tbody>
685 <row>
686 <entry>Lab Network</entry>
687
688 <entrytbl cols="1">
689 <tbody>
690 <row>
691 <entry>DHCP enabled Lab Network</entry>
692 </row>
693
694 <row>
695 <entry>Internet Connectivity</entry>
696 </row>
697 </tbody>
698 </entrytbl>
699 </row>
700
701 <row>
702 <entry>Setup of an Intel Whitebox target device</entry>
703
704 <entrytbl cols="1">
705 <tbody>
706 <row>
707 <entry>Minimum 4 Physical Network Devices</entry>
708 </row>
709
710 <row>
711 <entry>4 GB RAM and 4 cores (C3000 or Xeon D)</entry>
712 </row>
713
714 <row>
715 <entry>Enea NFV Access Installed</entry>
716 </row>
717
718 <row>
719 <entry>WAN Connected to Lab Network</entry>
720 </row>
721
722 <row>
723 <entry>LAN1 Connected to Test Machine</entry>
724 </row>
725
726 <row>
727 <entry>LAN2 Unconnected</entry>
728 </row>
729
730 <row>
731 <entry>ETH0 connected to Lab Network (for Enea uCPE
732 Manager communications)</entry>
733 </row>
734 </tbody>
735 </entrytbl>
736 </row>
737
738 <row>
739 <entry>Setup of a Lab Machine</entry>
740
741 <entrytbl cols="1">
742 <tbody>
743 <row>
744 <entry>Connected to Lab Network</entry>
745 </row>
746
747 <row>
748 <entry>Running either Windows or CentOS</entry>
749 </row>
750
751 <row>
752 <entry>Enea uCPE Manager installed</entry>
753 </row>
754 </tbody>
755 </entrytbl>
756 </row>
757
758 <row>
759 <entry>Setup of a Test Machine</entry>
760
761 <entrytbl cols="1">
762 <tbody>
763 <row>
764 <entry>Connected to Whitebox LAN</entry>
765 </row>
766
767 <row>
768 <entry>Internet Connectivity via LAN</entry>
769 </row>
770
771 <row>
772 <entry>Configured as DHCP client on LAN</entry>
773 </row>
774 </tbody>
775 </entrytbl>
776 </row>
777
778 <row>
779 <entry>FortiGate VNF</entry>
780
781 <entrytbl cols="1">
782 <tbody>
783 <row>
784 <entry>Downloaded the FortiGate VNF Bundle from Enea
785 Portal to the Lab Machine file system. Please see the
786 Download Chapter for more details.</entry>
787 </row>
788
789 <row>
790 <entry>Downloaded FortiGate configuration examples from
791 the Enea Portal to the Lab Machine file system. Please
792 check the Download Chapter for more details. Unpack the
793 configuration examples on the Lab Machine.</entry>
794 </row>
795
796 <row>
797 <entry>Retrieve FortiGate VNF license from Fortinet and
798 store it on the Lab Machine file system. See FortiGate VNF
799 for details.</entry>
800 </row>
801
802 <row>
803 <entry>Optionally retrieve FortiGate VNF documentation
804 from Fortinet. See FortiGate VNF for details.</entry>
805 </row>
806 </tbody>
807 </entrytbl>
808 </row>
809 </tbody>
810 </tgroup>
811 </table>
812
813 <figure>
814 <title>Lab Setup Overview</title>
815
816 <mediaobject>
817 <imageobject>
818 <imagedata align="center" fileref="images/intel_whitebox.png"
819 scale="35" />
820 </imageobject>
821 </mediaobject>
822 </figure>
823
824 <para><emphasis role="bold">uCPE Networking Setup</emphasis></para>
825
826 <para>Before deploying the FortiGate Firewall, the Enea NFV Access
827 platform has to be configured to the specific networking setup.</para>
828
829 <para>Since the firewall is using three External Network Interfaces,
830 three bridges need to be configured. Each bridge provides the ability to
831 connect a physical network interface to the virtual machines' virtual
832 network interface. Each physical to virtual network interface connection
833 is setup in two steps:</para>
834
835 <itemizedlist>
836 <listitem>
837 <para>Bind the physical network interfaces with a DPDK
838 driver.</para>
839 </listitem>
840
841 <listitem>
842 <para>Create a named bridge for each physical network
843 interface.</para>
844 </listitem>
845 </itemizedlist>
846
847 <note>
848 <para>For more details about interface configuration, please see the
849 Network Configuration section in the chapter on Configuration
850 Options.</para>
851 </note>
852
853 <orderedlist>
854 <listitem>
855 <para>Start the setup by preparing each interface for attachment to
856 a bridge. Bind the physical network interfaces to the DPDK by
857 selecting the target: <literal>Configuration</literal> -&gt;
858 <literal>OpenVSwitch</literal> -&gt; <literal>Host Interfaces
859 </literal>-&gt; <literal>Add</literal>:</para>
860
861 <figure>
862 <title>Binding the physical network interface</title>
863
864 <mediaobject>
865 <imageobject>
866 <imagedata align="center"
867 fileref="images/bind_phys_interface.png" scale="80" />
868 </imageobject>
869 </mediaobject>
870 </figure>
871
872 <para>The result of binding these three physical network interfaces
873 should look like the following:</para>
874
875 <figure>
876 <title>Successful Binding</title>
877
878 <mediaobject>
879 <imageobject>
880 <imagedata align="center"
881 fileref="images/result_of_binding.png" scale="65" />
882 </imageobject>
883 </mediaobject>
884 </figure>
885 </listitem>
886
887 <listitem>
888 <para>Create one OpenVSwitch bridge for each firewall network
889 connection (WAN, LAN1 and LAN2), by selecting the
890 <literal>Add</literal> button from Bridges tab:
891 <literal>Configuration</literal> -&gt;
892 <literal>OpenvSwitch</literal>-&gt; <literal>Bridges</literal>. A
893 popup like the following should appear:</para>
894
895 <figure>
896 <title>Creating a bridge each Firewall Net. Connection</title>
897
898 <mediaobject>
899 <imageobject>
900 <imagedata align="center" fileref="images/bridge_net_conn.png"
901 scale="80" />
902 </imageobject>
903 </mediaobject>
904 </figure>
905 </listitem>
906
907 <listitem>
908 <para>Repeat this step for each type of connection until all are
909 bridges are configured.</para>
910
911 <figure>
912 <title>Configured Bridges per Connection Type</title>
913
914 <mediaobject>
915 <imageobject>
916 <imagedata align="center"
917 fileref="images/configured_bridges.png" scale="65" />
918 </imageobject>
919 </mediaobject>
920 </figure>
921 </listitem>
922 </orderedlist>
923
924 <para><emphasis role="bold">Onboarding the FortiGate
925 VNF</emphasis></para>
926
927 <orderedlist>
928 <listitem>
929 <para>To on-board the Fortigate VNF click the <literal>VNF</literal>
930 tab in the top toolbar: <literal>VNF</literal> -&gt;
931 <literal>Descriptors</literal> -&gt; <literal>On-board
932 </literal>-&gt; <literal>Browse</literal> options, and select the
933 <literal>Fortigate.zip</literal> file, before clicking
934 <literal>Send</literal>:</para>
935
936 <figure>
937 <title>Selecting Descriptors</title>
938
939 <mediaobject>
940 <imageobject>
941 <imagedata align="center"
942 fileref="images/descriptor_button.png" scale="45" />
943 </imageobject>
944 </mediaobject>
945 </figure>
946 </listitem>
947
948 <listitem>
949 <para>Wait for the <literal>Onboarding Status</literal> popup to
950 display the confirmation message (listed in green) and select
951 <literal>OK</literal>:</para>
952
953 <figure>
954 <title>Onboarding the new VNF</title>
955
956 <mediaobject>
957 <imageobject>
958 <imagedata align="center"
959 fileref="images/onboarding_status.png" scale="80" />
960 </imageobject>
961 </mediaobject>
962 </figure>
963 </listitem>
964 </orderedlist>
965
966 <para><emphasis role="bold">Instantiate the FortiGate
967 VNF</emphasis></para>
968
969 <orderedlist>
970 <listitem>
971 <para>Select the target, then from the top toolbar the select:
972 <literal>VNF</literal> -&gt; <literal>Instances</literal> -&gt;
973 <literal>Add</literal>:</para>
974
975 <figure>
976 <title>Adding Instances to Target</title>
977
978 <mediaobject>
979 <imageobject>
980 <imagedata align="center" fileref="images/vnf_instances.png"
981 scale="50" />
982 </imageobject>
983 </mediaobject>
984 </figure>
985
986 <para>Make sure you have downloaded valid license files for the
987 Fortigate VNF from Fortinet, and the configuration file provided by
988 Enea as examples according to previous instructions.</para>
989
990 <figure>
991 <title>Example License and Configuration files</title>
992
993 <mediaobject>
994 <imageobject>
995 <imagedata align="center"
996 fileref="images/fortigate_licenses.png" scale="75" />
997 </imageobject>
998 </mediaobject>
999 </figure>
1000 </listitem>
1001
1002 <listitem>
1003 <para>Fortigate VNF instantiation requires the following
1004 settings:</para>
1005
1006 <table>
1007 <title>Instantiation Requirements</title>
1008
1009 <tgroup cols="2">
1010 <colspec align="center" colwidth="2*" />
1011
1012 <colspec align="center" colwidth="4*" />
1013
1014 <thead>
1015 <row>
1016 <entry align="center">Component</entry>
1017
1018 <entry align="center">Description</entry>
1019 </row>
1020 </thead>
1021
1022 <tbody>
1023 <row>
1024 <entry align="left">Name</entry>
1025
1026 <entry>The name of the VM which will be created on the
1027 target device.</entry>
1028 </row>
1029
1030 <row>
1031 <entry align="left">VNF Type</entry>
1032
1033 <entry>Name of the on-boarded VNF bundle.</entry>
1034 </row>
1035
1036 <row>
1037 <entry align="left">VIM</entry>
1038
1039 <entry>Name and IP address of the device where the VNF has
1040 to be instantiated.</entry>
1041 </row>
1042
1043 <row>
1044 <entry align="left">License file</entry>
1045
1046 <entry>FortiGate license file provided by Fortinet.</entry>
1047 </row>
1048
1049 <row>
1050 <entry align="left">Configuration file</entry>
1051
1052 <entry>Firewall example configuration file provided by Enea
1053 <filename>FGVM080000136187_20180828_0353_basic_fw.conf
1054 </filename></entry>
1055 </row>
1056
1057 <row>
1058 <entry align="left">Port1 - WAN</entry>
1059
1060 <entry>Set as dpdk type and connect it to wanmgrbr
1061 bridge.</entry>
1062 </row>
1063
1064 <row>
1065 <entry align="left">Port2 - LAN1</entry>
1066
1067 <entry>Set as dpdk type and connect it to lan1
1068 bridge.</entry>
1069 </row>
1070
1071 <row>
1072 <entry align="left">Port3 - LAN2</entry>
1073
1074 <entry>Set as dpdk type and connect it to lan2
1075 bridge.</entry>
1076 </row>
1077 </tbody>
1078 </tgroup>
1079 </table>
1080
1081 <para>When the instantiation process is completed, the setup is
1082 ready for testing.</para>
1083 </listitem>
1084 </orderedlist>
1085
1086 <para><emphasis role="bold">Test the FortiGate
1087 Firewall</emphasis></para>
1088
1089 <para>Connect the Test Machine on the LAN interface and access the
1090 internet from the Test Machine to use the firewall on the target
1091 device.</para>
1092
1093 <note>
1094 <para>The connected Test Machine can be a laptop or a target that has
1095 one interface configured to get an dynamic IP from a DHCP server. The
1096 <literal>dhclient &lt;interface&gt;</literal> command can be used to
1097 request an IP address. The received IP must be in the 172.16.1.2 -
1098 172.16.1.255 range.</para>
1099 </note>
1100
1101 <figure>
1102 <title>Testing Overview</title>
1103
1104 <mediaobject>
1105 <imageobject>
1106 <imagedata align="center" fileref="images/testing_fortigate.png"
1107 scale="50" />
1108 </imageobject>
1109 </mediaobject>
1110 </figure>
1111
1112 <para>In the example above, the FortiGate VNF management interface is
1113 accessible through the WAN interface, the WAN IP address can be used
1114 from a web browser on the Lab Machine to access the Fortigate VNF
1115 Management Web UI. Please check the Fortigate VNF web management section
1116 for more information.</para>
1117
1118 <para>In another example, the firewall can be setup to use bridges as
1119 connection points for the Fortigate VNF. It is possible to replace
1120 OVS-DPDK bridges with SR-IOV connection points. <remark>The previous
1121 sentence in the original was very hard to understand, please confirm if
1122 this is what you intended to say</remark> Please check the network
1123 configuration chapter on how to configure an interface for
1124 SR-IOV.</para>
1125
1126 <para>It was previously assumed that three physical interfaces are
1127 available for VNF connection. In the case of a firewall setup it is
1128 possible to use only two physical interfaces for the data path (one for
1129 WAN and one for LAN). In the example below only two interfaces will be
1130 configured as DPDK and two bridges are created, one for each type of
1131 connection.</para>
1132
1133 <para>At VNF instantiation instead of assigning distinct bridges for
1134 each LAN interface, only one will be used for both LAN1 and LAN2, with
1135 no changes in WAN interface configuration. Please see the picture below
1136 for final setup:</para>
1137
1138 <figure>
1139 <title>Two Interface Configuration</title>
1140
1141 <mediaobject>
1142 <imageobject>
1143 <imagedata align="center" fileref="images/two_inst_firewall.png"
1144 scale="45" />
1145 </imageobject>
1146 </mediaobject>
1147 </figure>
1148 </section>
1149
1150 <section id="fortigate_webmg">
1151 <title>FortiGate VNF web management</title>
1152
1153 <para>In order to check the IP address assigned to Fortigate VNF you
1154 need to connect to the Fortigate CLI.</para>
1155
1156 <para><emphasis role="bold">Connecting to the Fortigate
1157 CLI</emphasis></para>
1158
1159 <orderedlist>
1160 <listitem>
1161 <para>Connect to the Fortigate VNF by using: <literal>SSH</literal>
1162 -&gt; <literal>user</literal> (root) and attach to the VNF's console
1163 using the <literal>virsh console</literal> command shown
1164 below:</para>
1165
1166 <figure>
1167 <title>Attaching to the VNF Console</title>
1168
1169 <mediaobject>
1170 <imageobject>
1171 <imagedata align="center" fileref="images/virsh_console.png"
1172 scale="80" />
1173 </imageobject>
1174 </mediaobject>
1175 </figure>
1176 </listitem>
1177
1178 <listitem>
1179 <para>To access Fortigate CLI, use the credential
1180 <literal>admin</literal> for the user, leaving the password blank,
1181 then press enter.</para>
1182
1183 <para>Use the CLI command <literal>get system interface</literal> to
1184 get the dynamic interfaces configuration.</para>
1185
1186 <figure>
1187 <title>Acessing and configuring Fortigate CLI</title>
1188
1189 <mediaobject>
1190 <imageobject>
1191 <imagedata align="center"
1192 fileref="images/access_fortigate_cli.png"
1193 scale="58" />
1194 </imageobject>
1195 </mediaobject>
1196 </figure>
1197 </listitem>
1198
1199 <listitem>
1200 <para>Use the IP address assigned for the management interface in
1201 the web browser (<literal>https://&lt;IP&gt;</literal>), to access
1202 the Fortinet VNF web management interface. Use the same credentials
1203 as before to login:</para>
1204
1205 <figure>
1206 <title>Accessing the web management interface</title>
1207
1208 <mediaobject>
1209 <imageobject>
1210 <imagedata align="center"
1211 fileref="images/fortinet_vnf_login.png" scale="50" />
1212 </imageobject>
1213 </mediaobject>
1214 </figure>
1215 </listitem>
1216
1217 <listitem>
1218 <para>You can browse through the configuration and perform changes
1219 according to your setup:</para>
1220
1221 <figure>
1222 <title>The Fortinet Web Interface</title>
1223
1224 <mediaobject>
1225 <imageobject>
1226 <imagedata align="center"
1227 fileref="images/fortinet_interface.png" scale="30" />
1228 </imageobject>
1229 </mediaobject>
1230 </figure>
1231 </listitem>
1232
1233 <listitem>
1234 <para>Optional, alter the default Fortinet example configuration
1235 provided by Enea, through the following steps:</para>
1236
1237 <orderedlist>
1238 <listitem>
1239 <para>Deploy the FortiGate Firewall in its default
1240 settings.</para>
1241 </listitem>
1242
1243 <listitem>
1244 <para>Connect to the FortiGate VNF Web Management with a web
1245 browser.</para>
1246 </listitem>
1247
1248 <listitem>
1249 <para>Modify the FortiGate configuration in the FortiGate VNF
1250 Web Management as needed.</para>
1251 </listitem>
1252
1253 <listitem>
1254 <para>Store the updated configuration in a file, by saving in
1255 the FortiGate VNF Web Management interface, so it may be used at
1256 the next FortiGate VNF instantiation.</para>
1257 </listitem>
1258 </orderedlist>
1259
1260 <note>
1261 <para>Editing the default configuration is only recommended for
1262 FortiGate configuration experts.</para>
1263 </note>
1264 </listitem>
1265 </orderedlist>
1266 </section>
1267
1268 <section id="fortigate_sdwan_vpn">
1269 <title>FortiGate VNF as an SD-WAN VPN</title>
1270
1271 <para>The software-defined wide-area network (SD-WAN or SDWAN) is a
1272 specific application of software-defined networking (SDN) technology
1273 applied to WAN connections. It connects enterprise networks, including
1274 branch offices and data centers, over large geographic distances.</para>
1275
1276 <para>SD-WAN decouples the network from the management plane, detaching
1277 the traffic management and monitoring functions from hardware. Most
1278 forms of SD-WAN technology create a virtual overlay that is
1279 transport-agnostic, i.e. it abstracts underlying private or public WAN
1280 connections. With an overlay SD-WAN, a vendor provides an edge device to
1281 the customer that contains the software necessary to run the SD-WAN
1282 technology. For deployment, the customer plugs in WAN links into the
1283 device, which automatically configures itself with the network.</para>
1284
1285 <para>The following will detail an SD-WAN setup for a branch to branch
1286 connection using the FortiGate VNF. FortiGate provides native SD-WAN
1287 along with integrated advanced threat protection.</para>
1288
1289 <note>
1290 <para>Example SD-WAN configurations for the FortiGate VNF are provided
1291 in the Enea Portal.</para>
1292 </note>
1293
1294 <table>
1295 <title>FortiGate VNF Example Configuration - SD-WAN Target 1</title>
1296
1297 <tgroup cols="2">
1298 <colspec align="center" />
1299
1300 <thead>
1301 <row>
1302 <entry align="center">Component</entry>
1303
1304 <entry align="center">Description</entry>
1305 </row>
1306 </thead>
1307
1308 <tbody>
1309 <row>
1310 <entry>SD-WAN</entry>
1311
1312 <entry>VPN connection between two branches (Target 1 and Target
1313 2).</entry>
1314 </row>
1315
1316 <row>
1317 <entry>VNFMgr (Virtual Port1)</entry>
1318
1319 <entry>DHCP Client, dynamically assigned IP address.</entry>
1320 </row>
1321
1322 <row>
1323 <entry>WAN (Virtual Port2)</entry>
1324
1325 <entry>IP address: 10.0.0.1</entry>
1326 </row>
1327
1328 <row>
1329 <entry>LAN (Virtual Port3)</entry>
1330
1331 <entrytbl cols="1">
1332 <tbody>
1333 <row>
1334 <entry>IP address: 172.16.1.1</entry>
1335 </row>
1336
1337 <row>
1338 <entry>DHCP server (IP range 172.16.1.2 -
1339 172.16.1.254)</entry>
1340 </row>
1341 </tbody>
1342 </entrytbl>
1343 </row>
1344 </tbody>
1345 </tgroup>
1346 </table>
1347
1348 <table>
1349 <title>FortiGate VNF Example Configuration - SD-WAN Target 2</title>
1350
1351 <tgroup cols="2">
1352 <colspec align="center" />
1353
1354 <thead>
1355 <row>
1356 <entry align="center">Component</entry>
1357
1358 <entry align="center">Description</entry>
1359 </row>
1360 </thead>
1361
1362 <tbody>
1363 <row>
1364 <entry>SD-WAN</entry>
1365
1366 <entry>VPN connection between two branches (Target 2 and Target
1367 1).</entry>
1368 </row>
1369
1370 <row>
1371 <entry>VNFMgr (Virtual Port1)</entry>
1372
1373 <entry>DHCP Client, dynamically assigned IP address.</entry>
1374 </row>
1375
1376 <row>
1377 <entry>WAN (Virtual Port2)</entry>
1378
1379 <entry>IP address: 10.0.0.2</entry>
1380 </row>
1381
1382 <row>
1383 <entry>LAN (Virtual Port3)</entry>
1384
1385 <entrytbl cols="1">
1386 <tbody>
1387 <row>
1388 <entry>IP address: 172.16.2.1</entry>
1389 </row>
1390
1391 <row>
1392 <entry>DHCP server (IP range 172.16.2.2 -
1393 172.16.2.254)</entry>
1394 </row>
1395 </tbody>
1396 </entrytbl>
1397 </row>
1398 </tbody>
1399 </tgroup>
1400 </table>
1401
1402 <para><emphasis role="bold">Lab Setup</emphasis></para>
1403
1404 <para>The following table illustrates the use-case prerequisites of the
1405 setup:</para>
1406
1407 <table>
1408 <title>Lab Setup Prerequisites</title>
1409
1410 <tgroup cols="2">
1411 <colspec align="center" />
1412
1413 <thead>
1414 <row>
1415 <entry align="center">Component</entry>
1416
1417 <entry align="center">Description</entry>
1418 </row>
1419 </thead>
1420
1421 <tbody>
1422 <row>
1423 <entry>Lab Network</entry>
1424
1425 <entrytbl cols="1">
1426 <tbody>
1427 <row>
1428 <entry>DHCP enabled Lab Network.</entry>
1429 </row>
1430
1431 <row>
1432 <entry>Internet Connectivity.</entry>
1433 </row>
1434 </tbody>
1435 </entrytbl>
1436 </row>
1437
1438 <row>
1439 <entry>Two Intel Whitebox target devices</entry>
1440
1441 <entrytbl cols="1">
1442 <tbody>
1443 <row>
1444 <entry>Minimum 4 Physical Network Devices.</entry>
1445 </row>
1446
1447 <row>
1448 <entry>4 GB RAM and 4 cores (C3000 or Xeon D).</entry>
1449 </row>
1450
1451 <row>
1452 <entry>Enea NFV Access Installed.</entry>
1453 </row>
1454
1455 <row>
1456 <entry>VNFMgr Connected to Lab Network for VNF management
1457 access.</entry>
1458 </row>
1459
1460 <row>
1461 <entry>WAN interfaces directly connected through Ethernet
1462 cable.</entry>
1463 </row>
1464
1465 <row>
1466 <entry>LAN Connected to Test Machine.</entry>
1467 </row>
1468
1469 <row>
1470 <entry>ETH0 connected to Lab Network (for Enea uCPE
1471 Manager communications).</entry>
1472 </row>
1473 </tbody>
1474 </entrytbl>
1475 </row>
1476
1477 <row>
1478 <entry>One Lab Machine</entry>
1479
1480 <entrytbl cols="1">
1481 <tbody>
1482 <row>
1483 <entry>Connected to Lab Network.</entry>
1484 </row>
1485
1486 <row>
1487 <entry>Running either Windows or CentOS.</entry>
1488 </row>
1489
1490 <row>
1491 <entry>Enea uCPE Manager installed.</entry>
1492 </row>
1493 </tbody>
1494 </entrytbl>
1495 </row>
1496
1497 <row>
1498 <entry>Two Test Machines</entry>
1499
1500 <entrytbl cols="1">
1501 <tbody>
1502 <row>
1503 <entry>Connected to Whitebox LANs.</entry>
1504 </row>
1505
1506 <row>
1507 <entry>Internet Connectivity via LAN.</entry>
1508 </row>
1509
1510 <row>
1511 <entry>Configured as DHCP client on LAN.</entry>
1512 </row>
1513 </tbody>
1514 </entrytbl>
1515 </row>
1516
1517 <row>
1518 <entry>FortiGate VNF</entry>
1519
1520 <entrytbl cols="1">
1521 <tbody>
1522 <row>
1523 <entry>Downloaded the FortiGate VNF Bundle from Enea
1524 Portal to the Lab Machine file system.</entry>
1525 </row>
1526
1527 <row>
1528 <entry>Downloaded FortiGate configuration examples from
1529 Enea Portal to Lab Machine file system. Unpack the
1530 configuration examples specific for SD-WAN on the Lab
1531 Machine.</entry>
1532 </row>
1533
1534 <row>
1535 <entry>Retrieve the FortiGate VNF license from Fortinet
1536 and store it on the Lab Machine file system.</entry>
1537 </row>
1538
1539 <row>
1540 <entry>Optionally, retrieve FortiGate VNF documentation
1541 from Fortinet.</entry>
1542 </row>
1543 </tbody>
1544 </entrytbl>
1545 </row>
1546 </tbody>
1547 </tgroup>
1548 </table>
1549
1550 <figure>
1551 <title>SD-WAN: VPN Configuration</title>
1552
1553 <mediaobject>
1554 <imageobject>
1555 <imagedata align="center"
1556 fileref="images/sdwan_vpn_overview_1.png" scale="50" />
1557 </imageobject>
1558 </mediaobject>
1559 </figure>
1560
1561 <para><emphasis role="bold">uCPE Networking Setup</emphasis></para>
1562
1563 <para>Before deploying the FortiGate SD-WAN, the Enea NFV Access
1564 platform has to be configured to the specific networking setup.</para>
1565
1566 <para>Since the SD-WAN VNF uses three External Network Interfaces, three
1567 bridges need to be configured. Each bridge provides the ability to
1568 connect a physical network interface to the virtual machine's virtual
1569 network interface. Each physical to virtual network interface connection
1570 is setup in two steps:</para>
1571
1572 <itemizedlist>
1573 <listitem>
1574 <para>Bind the physical network interfaces with a DPDK
1575 driver.</para>
1576 </listitem>
1577
1578 <listitem>
1579 <para>Create a named bridge for each physical network
1580 interface.</para>
1581 </listitem>
1582 </itemizedlist>
1583
1584 <para>Start the setup by preparing each physical interface for
1585 attachment to a bridge. Each VNF instance will have a virtual interface
1586 for VNF management, for the WAN network and for LAN
1587 communication.</para>
1588
1589 <orderedlist>
1590 <listitem>
1591 <para>Bind physical interface to DPDK by selecting the target_1:
1592 <literal>Configuration</literal> -&gt;
1593 <literal>OpenVSwitch</literal> -&gt; <literal>Host
1594 Interfaces</literal> -&gt; <literal>Add</literal>:</para>
1595
1596 <figure>
1597 <title>Binding the Physical Interface</title>
1598
1599 <mediaobject>
1600 <imageobject>
1601 <imagedata align="center"
1602 fileref="images/bind_phys_interface.png" scale="90" />
1603 </imageobject>
1604 </mediaobject>
1605 </figure>
1606
1607 <para>The result of binding these three interfaces should look like
1608 the following:</para>
1609
1610 <figure>
1611 <title>Results of Binding</title>
1612
1613 <mediaobject>
1614 <imageobject>
1615 <imagedata align="center" fileref="images/binding_results.png"
1616 scale="70" />
1617 </imageobject>
1618 </mediaobject>
1619 </figure>
1620 </listitem>
1621
1622 <listitem>
1623 <para>Create one OpenVSwitch bridge for each SD-WAN network
1624 connection (VNF management, WAN and LAN) by selecting the
1625 <literal>Add</literal> button from the Bridges tab by selecting the
1626 target: <literal>Configuration</literal> -&gt;
1627 <literal>OpenvSwitch</literal>-&gt; <literal>Bridges</literal>. A
1628 popup like this should appear:</para>
1629
1630 <figure>
1631 <title>Creating an OpenVSwitch bridge for an SD-WAN network
1632 connection</title>
1633
1634 <mediaobject>
1635 <imageobject>
1636 <imagedata align="center" fileref="images/ovs_bridge_four.png"
1637 scale="70" />
1638 </imageobject>
1639 </mediaobject>
1640 </figure>
1641 </listitem>
1642
1643 <listitem>
1644 <para>Repeat this step for all network connections. Three bridges
1645 will be created:</para>
1646
1647 <figure>
1648 <title>The three newly created Bridges</title>
1649
1650 <mediaobject>
1651 <imageobject>
1652 <imagedata align="center" fileref="images/created_bridges.png"
1653 scale="70" />
1654 </imageobject>
1655 </mediaobject>
1656 </figure>
1657 </listitem>
1658 </orderedlist>
1659
1660 <para>Once the interfaces and bridges are ready, only the on-boarding
1661 and instantiation of the VNF remains to be done.</para>
1662
1663 <para><emphasis role="bold">Onboarding the FortiGate
1664 VNF</emphasis></para>
1665
1666 <orderedlist>
1667 <listitem>
1668 <para>To on-board a VNF, select target on the map and click the
1669 <literal>VNF</literal> button in the top toolbar. Then, click the
1670 <literal>Descriptors</literal> -&gt; <literal>On-board</literal>
1671 -&gt; <literal>Browse</literal> options, and select the
1672 <filename>Fortigate.zip</filename> file, before clicking
1673 <literal>Send</literal>:</para>
1674
1675 <figure>
1676 <title>On-boarding FortiGate VNF</title>
1677
1678 <mediaobject>
1679 <imageobject>
1680 <imagedata align="center" fileref="images/onboard.png"
1681 scale="45" />
1682 </imageobject>
1683 </mediaobject>
1684 </figure>
1685 </listitem>
1686
1687 <listitem>
1688 <para>Wait for the <literal>Onboarding Status</literal> popup to
1689 display the confirmation message and select
1690 <literal>OK</literal>:</para>
1691
1692 <figure>
1693 <title>Successful Confirmation</title>
1694
1695 <mediaobject>
1696 <imageobject>
1697 <imagedata align="center"
1698 fileref="images/onboarded_successfully.png"
1699 scale="42" />
1700 </imageobject>
1701 </mediaobject>
1702 </figure>
1703 </listitem>
1704 </orderedlist>
1705
1706 <para><emphasis role="bold">Instantiating the FortiGate
1707 VNF</emphasis></para>
1708
1709 <para>The following steps describe how to instantiate the Fortigate
1710 VNF.</para>
1711
1712 <orderedlist>
1713 <listitem>
1714 <para>Select the target, then from the top toolbar click on
1715 <literal>VNF</literal>-&gt; <literal>Instances</literal> -&gt;
1716 <literal>Add</literal> options:</para>
1717
1718 <figure>
1719 <title>Adding an Instance</title>
1720
1721 <mediaobject>
1722 <imageobject>
1723 <imagedata align="center" fileref="images/adding_instance.png"
1724 scale="50" />
1725 </imageobject>
1726 </mediaobject>
1727 </figure>
1728
1729 <note>
1730 <para>Download locally the valid license files for the Fortigate
1731 VNF from Fortinet and the configuration file provided by Enea as
1732 examples.</para>
1733 </note>
1734 </listitem>
1735
1736 <listitem>
1737 <para>Use the <literal>sdwan1</literal> example configuration file
1738 for the first target:</para>
1739
1740 <figure>
1741 <title>Configuring target_1</title>
1742
1743 <mediaobject>
1744 <imageobject>
1745 <imagedata align="center"
1746 fileref="images/sdwan1_eg_config.png" scale="70" />
1747 </imageobject>
1748 </mediaobject>
1749 </figure>
1750 </listitem>
1751 </orderedlist>
1752
1753 <para>Fortigate VNF instantiation requires the following
1754 settings:</para>
1755
1756 <table>
1757 <title>Fortigate VNF Instantiation Requirements</title>
1758
1759 <tgroup cols="2">
1760 <colspec align="left" colwidth="2*" />
1761
1762 <colspec align="left" colwidth="4*" />
1763
1764 <thead>
1765 <row>
1766 <entry align="center">Component</entry>
1767
1768 <entry align="center">Description</entry>
1769 </row>
1770 </thead>
1771
1772 <tbody>
1773 <row>
1774 <entry>Name</entry>
1775
1776 <entry>The name of the VM which will be created on target
1777 device.</entry>
1778 </row>
1779
1780 <row>
1781 <entry>VNF Type</entry>
1782
1783 <entry>The name of the on-boarded VNF bundle.</entry>
1784 </row>
1785
1786 <row>
1787 <entry>VIM</entry>
1788
1789 <entry>Name and IP address of the device where the VNF has to be
1790 instantiated.</entry>
1791 </row>
1792
1793 <row>
1794 <entry>License file</entry>
1795
1796 <entry>FortiGate license file provided by Fortinet.</entry>
1797 </row>
1798
1799 <row>
1800 <entry>Configuration file</entry>
1801
1802 <entry>SD-WAN example configuration files provided by Enea: -
1803 FGVM080000136187_20180215_0708_sdwan1.conf -
1804 FGVM080000136188_20180215_0708_sdwan2.conf</entry>
1805 </row>
1806
1807 <row>
1808 <entry>Port1 - VNFMgr</entry>
1809
1810 <entry>Set as dpdk type and connect it to vnfmgrbr
1811 bridge.</entry>
1812 </row>
1813
1814 <row>
1815 <entry>Port2 - WAN</entry>
1816
1817 <entry>Set as dpdk type and connect it to wanbr bridge.</entry>
1818 </row>
1819
1820 <row>
1821 <entry>Port3 - LAN</entry>
1822
1823 <entry>Set as dpdk type and connect it to lanbr bridge.</entry>
1824 </row>
1825 </tbody>
1826 </tgroup>
1827 </table>
1828
1829 <para>To complete the branch-to-branch setup, configure the peer target
1830 in the same way as <literal>target_1</literal>. Make sure to use the
1831 <filename>FGVM080000136188_20180215_0708_sdwan2.conf</filename>
1832 configuration file for the second VNF instantiation.</para>
1833
1834 <para><emphasis role="bold">Testing the FortiGate SD-WAN
1835 VPN</emphasis></para>
1836
1837 <para>Once the full SD-WAN setup is in place a VPN connection needs to
1838 established between the two targets. The Test Machines can be connected
1839 to the LAN interface on each target.</para>
1840
1841 <para>The connected Test Machine can be a laptop or a target that has
1842 one interface configured to get dynamic IP from a DHCP server. The
1843 <command>dhclient &lt;interface&gt;</command> command can be used to
1844 request an IP address.</para>
1845
1846 <note>
1847 <para>The received IP must be in the 172.16.1.2 - 172.16.1.255 range
1848 for Test Machine-1 and in the 172.16.2.2 - 172.16.2.255 range for Test
1849 Machine-2.</para>
1850 </note>
1851
1852 <figure>
1853 <title>Overview: Testing Machines Setup</title>
1854
1855 <mediaobject>
1856 <imageobject>
1857 <imagedata align="center" fileref="images/test_machines.png"
1858 scale="40" />
1859 </imageobject>
1860 </mediaobject>
1861 </figure>
1862
1863 <para>Target 1 should be able to ping Test target 2 in this setup over
1864 the WAN connection.</para>
1865
1866 <para>In the figure above and this example, the FortiGate VNF management
1867 interface is accessible through a dedicated Mgmt interface. The Mgmt IP
1868 address can be used from a web browser on the Lab Machine to access the
1869 Fortigate VNF Management Web UI.</para>
1870
1871 <note>
1872 <para>In this SD-WAN VPN setup example, bridges were used as
1873 connection points for Fortigate VNF. It is possible to replace
1874 OVS-DPDK bridges with SR-IOV connection points.</para>
1875 </note>
1876 </section>
1877 </section>
1878
1879 <section id="inband_management">
1880 <title>In-band Management</title>
1881
1882 <para>In the case of an NFV Access device installed on a network with
1883 limited access, In-band management can be a solution to manage the device
1884 and to pass data traffic (through only one physical interface). This
1885 example use-case will show how to enable the In-band management on the NFV
1886 Access device and to access a VNF on the same physical interface.</para>
1887
1888 <figure>
1889 <title>NFV Access In-band management solution setup</title>
1890
1891 <mediaobject>
1892 <imageobject>
1893 <imagedata align="center" fileref="images/uc_ibm_solution.png"
1894 scale="50" />
1895 </imageobject>
1896 </mediaobject>
1897 </figure>
1898
1899 <para>Setup uses the following network configuration:</para>
1900
1901 <itemizedlist>
1902 <listitem>
1903 <para>1 x Network Interface for WAN and management.</para>
1904 </listitem>
1905
1906 <listitem>
1907 <para>1 x Network Interface for LAN.</para>
1908 </listitem>
1909 </itemizedlist>
1910
1911 <para>For prerequisites and further details, please see <xref
1912 linkend="inband_management" /> and <xref
1913 linkend="vnf_fortigate" />.</para>
1914
1915 <section id="mg_activation">
1916 <title>In-band management activation for FortiGate VNF
1917 Instantiation</title>
1918
1919 <para>In-band management activation is done by creating a special bridge
1920 which manages all traffic from the WAN interface. The active physical
1921 port of the device (used by the device manager to communicate with the
1922 uCPE Manager) will be connected to the In-band management bridge. Once
1923 the In-band management bridge is activated, communication to the uCPE
1924 Manager will be reactivated, passing through the bridge.</para>
1925
1926 <note>
1927 <para>No other physical port for In-band management can be
1928 used.</para>
1929 </note>
1930
1931 <orderedlist>
1932 <listitem>
1933 <para>Create an In-band management WAN Bridge:</para>
1934
1935 <itemizedlist>
1936 <listitem>
1937 <para>Select the <literal>Device</literal> menu.</para>
1938 </listitem>
1939
1940 <listitem>
1941 <para>In the Configuration tab select
1942 <literal>OpenVSwitch.</literal></para>
1943 </listitem>
1944
1945 <listitem>
1946 <para>Select <literal>Bridges</literal> and click
1947 <literal>Add</literal>.</para>
1948 </listitem>
1949
1950 <listitem>
1951 <para>Use <literal>dpdkWAN</literal> as the
1952 <literal>ovs-bridge-type</literal>.</para>
1953 </listitem>
1954 </itemizedlist>
1955
1956 <figure>
1957 <title>Create In-band management WAN bridge</title>
1958
1959 <mediaobject>
1960 <imageobject>
1961 <imagedata align="center" fileref="images/uc_ibm_br.png"
1962 scale="75" />
1963 </imageobject>
1964 </mediaobject>
1965 </figure>
1966 </listitem>
1967
1968 <listitem>
1969 <para>Bind the physical port which will be used for LAN access to
1970 <literal>dpdk</literal>:</para>
1971
1972 <itemizedlist>
1973 <listitem>
1974 <para>Select the <literal>Device</literal> menu.</para>
1975 </listitem>
1976
1977 <listitem>
1978 <para>In the Configuration tab select
1979 <literal>OpenVSwitch</literal>.</para>
1980 </listitem>
1981
1982 <listitem>
1983 <para>Select the <literal>Host Interfaces</literal> menu and
1984 click <literal>Add</literal>.</para>
1985 </listitem>
1986
1987 <listitem>
1988 <para>Use <literal>dpdk</literal> as the
1989 <literal>ovs-bridge-type</literal>.</para>
1990 </listitem>
1991 </itemizedlist>
1992
1993 <figure>
1994 <title>Bind LAN physical port to dpdk</title>
1995
1996 <mediaobject>
1997 <imageobject>
1998 <imagedata align="center"
1999 fileref="images/uc_ibm_dpdk_int_bind.png"
2000 scale="75" />
2001 </imageobject>
2002 </mediaobject>
2003 </figure>
2004 </listitem>
2005
2006 <listitem>
2007 <para>Create a LAN Bridge:</para>
2008
2009 <itemizedlist>
2010 <listitem>
2011 <para>Select the <literal>Device.</literal></para>
2012 </listitem>
2013
2014 <listitem>
2015 <para>In the Configuration menu select
2016 <literal>OpenVSwitch.</literal></para>
2017 </listitem>
2018
2019 <listitem>
2020 <para>Open the <literal>Bridges</literal> menu and click
2021 <literal>Add.</literal></para>
2022 </listitem>
2023 </itemizedlist>
2024
2025 <figure>
2026 <title>Create LAN bridge</title>
2027
2028 <mediaobject>
2029 <imageobject>
2030 <imagedata align="center" fileref="images/uc_ibm_lanbr.png"
2031 scale="75" />
2032 </imageobject>
2033 </mediaobject>
2034 </figure>
2035
2036 <para>At this step the following bridges should exist:</para>
2037
2038 <figure>
2039 <title>Bridges</title>
2040
2041 <mediaobject>
2042 <imageobject>
2043 <imagedata align="center" fileref="images/uc_ibm_br2.png"
2044 scale="65" />
2045 </imageobject>
2046 </mediaobject>
2047 </figure>
2048
2049 <note>
2050 <para>The WAN port of the very first VNF instantiated on the
2051 device must be connected to the <literal>ibm-wan-br
2052 bridge</literal>. All other VNFs must be connected in chain with
2053 the first VNF.</para>
2054 </note>
2055 </listitem>
2056
2057 <listitem>
2058 <para>Onboard the first VNF and instantiate it on the device:</para>
2059
2060 <itemizedlist>
2061 <listitem>
2062 <para>Select the <literal>Device.</literal></para>
2063 </listitem>
2064
2065 <listitem>
2066 <para>Select the <literal>VNF</literal> menu.</para>
2067 </listitem>
2068
2069 <listitem>
2070 <para>In the <literal>Descriptors</literal> menu, choose the
2071 <literal>VNF Package</literal> option.</para>
2072 </listitem>
2073
2074 <listitem>
2075 <para>Browse and select the Fortigate bundle you require, before
2076 pressing the <literal>Send</literal> button.</para>
2077 </listitem>
2078 </itemizedlist>
2079
2080 <figure>
2081 <title>Onboard Fortigate VNF</title>
2082
2083 <mediaobject>
2084 <imageobject>
2085 <imagedata align="center"
2086 fileref="images/uc_ibm_fortigate_onboard.png"
2087 scale="50" />
2088 </imageobject>
2089 </mediaobject>
2090 </figure>
2091 </listitem>
2092
2093 <listitem>
2094 <para>Add the VNF instance:</para>
2095
2096 <itemizedlist>
2097 <listitem>
2098 <para>Select the <literal>Device.</literal></para>
2099 </listitem>
2100
2101 <listitem>
2102 <para>Select the <literal>VNF</literal> menu.</para>
2103 </listitem>
2104
2105 <listitem>
2106 <para>Choose the <literal>Instances</literal> option, select the
2107 VNF configuration you desire and press
2108 <literal>Add.</literal></para>
2109 </listitem>
2110
2111 <listitem>
2112 <para>Browse and select the Fortigate bundle you require, before
2113 pressing the <literal>Send</literal> button.</para>
2114 </listitem>
2115 </itemizedlist>
2116
2117 <figure>
2118 <title>Instantiate Fortigate VNF</title>
2119
2120 <mediaobject>
2121 <imageobject>
2122 <imagedata align="center"
2123 fileref="images/uc_ibm_fg_instantiation.png"
2124 scale="65" />
2125 </imageobject>
2126 </mediaobject>
2127 </figure>
2128 </listitem>
2129 </orderedlist>
2130
2131 <para>Once the VNF is instantiated, the setup is complete and ready for
2132 testing. Connect the test machine to the LAN port. It will receive an IP
2133 address from the Fortigate VNF and be able to access the
2134 internet.</para>
2135 </section>
2136
2137 <section id="test_fortvnf_inband">
2138 <title>Testing the Fortigate VNF In-band management activation</title>
2139
2140 <figure>
2141 <title>Test setup</title>
2142
2143 <mediaobject>
2144 <imageobject>
2145 <imagedata align="center"
2146 fileref="images/uc_ibm_solution_test.png" scale="50" />
2147 </imageobject>
2148 </mediaobject>
2149 </figure>
2150
2151 <para>At this stage, three types of traffic are passing through the WAN
2152 port on the same IP address:</para>
2153
2154 <itemizedlist>
2155 <listitem>
2156 <para>Device management traffic from uCPE Manager.</para>
2157 </listitem>
2158
2159 <listitem>
2160 <para>Fortigate management interface traffic from a web
2161 browser.</para>
2162 </listitem>
2163
2164 <listitem>
2165 <para>Data traffic from the LAN to the internet.</para>
2166 </listitem>
2167 </itemizedlist>
2168
2169 <para>Having access from the uCPE Manager to the device as shown above,
2170 demonstrates that device management traffic passes through the in-band
2171 management WAN bridge successfully.</para>
2172
2173 <para>To access the management interface of the VNF, connect from a web
2174 browser to the public IP address of the device e.g.
2175 <literal>https://&lt;IP&gt;</literal>. From a Test machine connected on
2176 LAN port, try a test ping to the internet e.g. "ping 8.8.8.8".</para>
2177 </section>
2178 </section>
2179
2180 <section id="vnf_chaining">
2181 <title>VNF Chaining Example</title>
2182
2183 <section id="VNF_chain_intro">
2184 <title>Introduction</title>
2185
2186 <para>The purpose of this chapter is to describe an example of how to
2187 setup and configure a branch-to-branch service comprised on two
2188 commercial VNFs (SD-WAN + Firewall), running in a service chain on top
2189 of Enea NFV Access virtualization platform and deployed through Enea
2190 uCPE Manager. In the example setup the following commercial VNFs are
2191 used: Juniper vSRX as SD-WAN VNF and Fortigate as
2192 Router/Firewall.</para>
2193
2194 <para>The setup requires two physical appliances (uCPEs), each of them
2195 having three DPDK-compatible NICs and one interface available for uCPE
2196 management (i.e. connected to Enea uCPE Manager). On each uCPE, one of
2197 the DPDK-compatible interfaces shall be connected back-to-back with one
2198 interface from the other uCPE device - this link is simulating
2199 WAN/uplink connection.</para>
2200
2201 <para>Optionally, one additional device (PC/laptop) can be connected on
2202 the LAN port of each branch for running LAN-to-LAN connectivity
2203 tests.</para>
2204
2205 <figure>
2206 <title>Example Setup</title>
2207
2208 <mediaobject>
2209 <imageobject>
2210 <imagedata align="center" fileref="images/example_setup.png"
2211 scale="90" />
2212 </imageobject>
2213 </mediaobject>
2214 </figure>
2215
2216 <note><para>For simplicity, image does not present management-plane, which will be
2217 described in the Setup steps.</para></note>
2218 </section>
2219
2220 <section id="crateing_setup">
2221 <title>Creating the setup</title>
2222
2223 <para>Both branches in the example have similar setups, therefore
2224 necessary step details are presented on only one branch. The second
2225 branch shall be configured in the same way, by changing corresponding
2226 VNFs configurations files.</para>
2227
2228 <orderedlist>
2229 <listitem>
2230 <para>Assign three physical interfaces to DPDK (for management, wan
2231 and lan). In the example, one of them gets IP through DHCP and it
2232 will be used exclusively for management plane.</para>
2233 </listitem>
2234
2235 <listitem>
2236 <para>Create the following OVS-DPDK bridges:</para>
2237
2238 <itemizedlist>
2239 <listitem>
2240 <para>vnf_mgmt_br : used by VNFs management ports.</para>
2241 </listitem>
2242
2243 <listitem>
2244 <para>wan_br : used by service uplink connection. In our case,
2245 Juniper vSRX will have its WAN virtual interface in this
2246 bridge.</para>
2247 </listitem>
2248
2249 <listitem>
2250 <para>sfc_br : used for creating the service chain. Each VNF
2251 will have a virtual interface in this bridge.</para>
2252 </listitem>
2253
2254 <listitem>
2255 <para>lan_br : used for LAN interface of the Fortigate
2256 FW.</para>
2257 </listitem>
2258 </itemizedlist>
2259 </listitem>
2260
2261 <listitem>
2262 <para>Add corresponding DPDK ports (see Step 1) to the management,
2263 wan and lan bridges (sfc_br does not have a physical port attached
2264 to it).</para>
2265
2266 <note>
2267 <para>This networking setup (Steps 1-3) can be modeled using
2268 Offline Configuration entry, so it is automatically provisioned on
2269 the uCPE, once it gets enrolled into the management system (uCPE
2270 Manager).</para>
2271 </note>
2272 </listitem>
2273
2274 <listitem>
2275 <para>Onboard Juniper vSRX using Onboarding Wizard:</para>
2276
2277 <itemizedlist>
2278 <listitem>
2279 <para>Flavor shall have at least 2 vCPUs and 4 GB RAM since vSRX
2280 is quite resource consuming. (We actually tested with 4 vCPUs/ 6
2281 GB RAM).</para>
2282 </listitem>
2283
2284 <listitem>
2285 <para>Add three virtual interfaces: management, wan and
2286 lan.</para>
2287 </listitem>
2288
2289 <listitem>
2290 <para>Select ISO/cdrom on the Cloud-Init tab.</para>
2291 </listitem>
2292 </itemizedlist>
2293 </listitem>
2294
2295 <listitem>
2296 <para>Onboard Fortigate FW using Onboarding Wizard:</para>
2297
2298 <itemizedlist>
2299 <listitem>
2300 <para>Flavor can be quite light in resources, e.g. 1 vCPU and 2
2301 GB RAM.</para>
2302 </listitem>
2303
2304 <listitem>
2305 <para>Add three virtual interfaces: management, wan and
2306 lan.</para>
2307 </listitem>
2308
2309 <listitem>
2310 <para>Select ConfigDrive/cdrom on the Cloud-Init tab.</para>
2311 </listitem>
2312
2313 <listitem>
2314 <para>Add <literal>license</literal> as Cloud-Init content on the Cloud-Init tab
2315 files.</para>
2316 </listitem>
2317 </itemizedlist>
2318
2319 <note>
2320 <para>Steps 4-5 shall be done only once, i.e. they will not be
2321 repeated for Site 2.</para>
2322 </note>
2323 </listitem>
2324
2325 <listitem>
2326 <para>Create vSRX instance:</para>
2327
2328 <itemizedlist>
2329 <listitem>
2330 <para>Use vSRX-Site1.iso as Cloud Init file.</para>
2331 </listitem>
2332
2333 <listitem>
2334 <para>Domain Update Script can be left empty for Atom C3000
2335 architecture, while for XeonD please use
2336 vSRX-domain-update-script file.</para>
2337 </listitem>
2338
2339 <listitem>
2340 <para>Add virtual interfaces:</para>
2341
2342 <itemizedlist>
2343 <listitem>
2344 <para>Management interface added to vnf_mgmt_br.</para>
2345 </listitem>
2346 </itemizedlist>
2347
2348 <itemizedlist>
2349 <listitem>
2350 <para>Wan interface added to wan_br.</para>
2351 </listitem>
2352 </itemizedlist>
2353
2354 <itemizedlist>
2355 <listitem>
2356 <para>Lan interface added to sfc_br.</para>
2357 </listitem>
2358 </itemizedlist>
2359 </listitem>
2360 </itemizedlist>
2361
2362 <note>
2363 <para>login/password for vSRX VNF are root/vsrx1234.</para>
2364 </note>
2365 </listitem>
2366
2367 <listitem>
2368 <para>Create Fortigate FW instance</para>
2369
2370 <itemizedlist>
2371 <listitem>
2372 <para>Use FortiFW-Site1.conf as Cloud Init file.</para>
2373 </listitem>
2374
2375 <listitem>
2376 <para>Add .lic file (not part of the folder) as license
2377 file.</para>
2378 </listitem>
2379
2380 <listitem>
2381 <para>Add virtual interfaces:</para>
2382
2383 <itemizedlist>
2384 <listitem>
2385 <para>Management interface added to vnf_mgmt_br.</para>
2386 </listitem>
2387 </itemizedlist>
2388
2389 <itemizedlist>
2390 <listitem>
2391 <para>Wan interface added to sfc_br.</para>
2392 </listitem>
2393 </itemizedlist>
2394
2395 <itemizedlist>
2396 <listitem>
2397 <para>Lan interface added to lan_br.</para>
2398 </listitem>
2399 </itemizedlist>
2400 </listitem>
2401 </itemizedlist>
2402
2403 <note>
2404 <para>login/password for Juniper VNF are admin/&lt;empty
2405 password&gt;.</para>
2406 </note>
2407 </listitem>
2408 </orderedlist>
2409
2410 <para>At this stage service shall be up and running on Site1. Repeat
2411 necessary steps of Site2, by changing configuration files. After service
2412 is deployed on both branches, VPN tunnel is established and we can
2413 verify LAN to LAN visibility by connecting one device on each uCPE LAN
2414 port (see below).</para>
2415 </section>
2416
2417 <section id="test_setup">
2418 <title>Testing the setup</title>
2419
2420 <para>Before testing LAN to LAN connectivity, one can run preliminary
2421 tests of service to ensure everything was set-up properly. For instance,
2422 by connecting to vSRX CLI (any site), one can test IKE security
2423 associations:</para>
2424
2425 <programlisting>root@Atom-C3000&gt; show security ike security-associations
2426Index State Initiator cookie Responder cookie Mode Remote Address
24271588673 UP 2f2047b144ebfce4 0000000000000000 Aggressive 10.1.1.2
2428...
2429root@Atom-C3000&gt; show security ike security-associations index 1588673 detail
2430...</programlisting>
2431
2432 <para>Also, from vSRX CLI, one can check that VPN tunnel was established
2433 and get statistics of the packets passing the tunnel:</para>
2434
2435 <programlisting>root@Atom-C3000&gt; show security ipsec security-associations
2436...
2437root@Atom-C3000&gt; show security ipsec statistics index &lt;xxxxx&gt;
2438...</programlisting>
2439
2440 <para>From Fortigate Firewall CLI on Site 1, one can check connectivity
2441 to remote Fortigate FW (from Site 2):</para>
2442
2443 <programlisting>FGVM080000136187 # execute ping 192.168.168.2
2444PING 192.168.168.2 (192.168.168.2): 56 data bytes
244564 bytes from 192.168.168.2: icmp_seq=0 ttl=255 time=0.0 ms
244664 bytes from 192.168.168.2: icmp_seq=1 ttl=255 time=0.0 ms
244764 bytes from 192.168.168.2: icmp_seq=2 ttl=255 time=0.0 ms
2448...</programlisting>
2449
2450 <para>As VNFs management ports were configured to get IPs through DHCP,
2451 one can use Web-based management UI to check and modify the
2452 configurations of both vSRX and Fortigate.</para>
2453
2454 <para>For example, in case of vSRX, from VNF CLI you can list the
2455 virtual interfaces as below:</para>
2456
2457 <programlisting>root@Atom-C3000&gt; show interfaces terse
2458...
2459fxp0.0 up up inet 172.24.15.92/22
2460gre up up
2461ipip up up
2462...
2463</programlisting>
2464
2465 <para>When using provided configurations, VNF management port of Juniper
2466 vSRX is always "fxp0.0".</para>
2467
2468 <para>In case of Fortigate, from VNF CLI you can list the virtual
2469 interfaces like :</para>
2470
2471 <programlisting>FGVM080000136187 # get system interface
2472== [ port1 ]
2473name: port1 mode: dhcp ip: 172.24.15.94 255.255.252.0 status: up netbios-forward:
2474disable type: physical netflow-sampler: disable sflow-sampler: disable...
2475...</programlisting>
2476
2477 <para>When using provided configurations, VNF management port of
2478 Fortigate is always "port1".</para>
2479
2480 <note>
2481 <para>Please note that VNFs' management ports will get dynamically
2482 allocated IPs only if physical NIC used for management is configured
2483 to get its IP through DHCP (see Step 1 from above).</para>
2484 </note>
2485
2486 <para>If everything is working, we can check LAN-to-LAN connectivity
2487 (through VPN tunnel) by using two devices (PC/laptop) connected to the
2488 LAN ports of each uCPE. Optionally, these devices can be simulated by
2489 using Enea's sample VNF running on both uCPEs and connected to the
2490 lan_br on each side. However, instructions for onboarding and
2491 instantiating this VNF is not in the scope of this document.</para>
2492
2493 <para>Since Fortigate VNF, which is acting as router and firewall, is
2494 configured to be DHCP server for LAN network, device interface connected
2495 to uCPE LAN port has to be configured to get dinamically assigned IP.
2496 These IPs are in 172.0.0.0/24 network for Site1 and 172.10.10.0/24
2497 network for Site2. Therefore, site-to-site connectivity can be checked
2498 like (from Site1):</para>
2499
2500 <programlisting>root@atom-c3000:~# ping 172.10.10.2
2501PING 172.10.10.1 (172.10.10.2): 56 data bytes
2502...
2503</programlisting>
2504 </section>
2505
2506 <section id="limitation">
2507 <title>Out-of-Scope/Limitations</title>
2508 <para>Below is a list of known limitations:</para>
2509 <itemizedlist>
2510 <listitem>
2511 <para>vSRX VNF has no trust-to-untrust and untrust-to-trust policies
2512 (only trust-to-vpn and vpn-to-trust were configured). Therefore,
2513 uCPEs were not configured for "direct Internet access"
2514 use-case.</para>
2515 </listitem>
2516
2517 <listitem>
2518 <para>Fortigate VNF has no "real" firewall policies set, i.e. all
2519 traffic from LAN is allowed to pass through WAN interface and
2520 vice-versa.</para>
2521 </listitem>
2522 </itemizedlist>
2523 </section>
2524 </section>
2525</chapter>
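Review bot: this hunk deletes the whole Example Use Cases chapter (the Juniper vSRX / Fortigate site-to-site VPN walkthrough, its test procedure and its Out-of-Scope/Limitations list) with no relocated copy visible in this diff; please state in the commit whether the content moves to another book or is intentionally retired. If it is rewritten elsewhere, do not carry over the defects visible in the removed text: the section id `crateing_setup` is misspelled; the note "login/password for Juniper VNF are admin/&lt;empty password&gt;" sits under the "Create Fortigate FW instance" step, so one of the two vendor names is wrong; and the final listing runs `ping 172.10.10.2` but echoes `PING 172.10.10.1 (172.10.10.2)`, which cannot both be right. The removed chapter also published the VNFs' default login credentials and documented that the Fortigate VNF runs with no real firewall policies (all LAN-to-WAN traffic allowed); any replacement should pair those statements with an instruction to change the defaults and add policies before the setup leaves the lab.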