From c809d907776503d4bdae0056a78ebb4d8840d559 Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Mon, 7 Oct 2019 13:43:34 +0200 Subject: ExampleUsecases: Update Example Usecases - Update Example Usecases manual each chapter. - Add "uCPE system requirements" for all examples, specify number of physical NICs, RAM and cores (not vCPUs!) - Remove all figures - Remove all tables - Remove In-band Management example usecase Change-Id: Id183ba0cd1e9fca370d992273d797faadfcf9e3b Signed-off-by: Sona Sarmadi --- .../doc/book.xml | 7 +- .../doc/clav_vnf_examples.xml | 127 ++-- .../doc/enea_test_vnf_examples.xml | 291 ++++++++ .../doc/enea_vnf_examples.xml | 319 -------- .../doc/forti_vnf_examples.xml | 814 +++++---------------- .../doc/inband_management.xml | 237 ------ .../doc/introduction.xml | 10 +- .../doc/vnf_chaining.xml | 186 +++-- 8 files changed, 622 insertions(+), 1369 deletions(-) create mode 100644 doc/book-enea-nfv-access-example-usecases/doc/enea_test_vnf_examples.xml delete mode 100644 doc/book-enea-nfv-access-example-usecases/doc/enea_vnf_examples.xml delete mode 100644 doc/book-enea-nfv-access-example-usecases/doc/inband_management.xml (limited to 'doc') diff --git a/doc/book-enea-nfv-access-example-usecases/doc/book.xml b/doc/book-enea-nfv-access-example-usecases/doc/book.xml index 5071e01..fb9db8d 100644 --- a/doc/book-enea-nfv-access-example-usecases/doc/book.xml +++ b/doc/book-enea-nfv-access-example-usecases/doc/book.xml @@ -18,18 +18,15 @@ - - - - diff --git a/doc/book-enea-nfv-access-example-usecases/doc/clav_vnf_examples.xml b/doc/book-enea-nfv-access-example-usecases/doc/clav_vnf_examples.xml index db4525a..806430a 100644 --- a/doc/book-enea-nfv-access-example-usecases/doc/clav_vnf_examples.xml +++ b/doc/book-enea-nfv-access-example-usecases/doc/clav_vnf_examples.xml @@ -8,29 +8,47 @@
Prerequisites - The following files provided with your Enea NFV Access release are - needed for this example use case: FIXME - These filenames may need - to be updated + System requirements for the uCPE devices: - enea-nfv-access-vnf-qemux86-64.wic.qcow2 + 1 Network Interface - clavister-cos-stream-<version>-virtual-x64-generic.qcow2 + 2 GB of RAM memory + + + The following files are needed for this example use case: + + + VNF images: + + + Enea Test VNF. Please contact Enea to get this image. + + + + Clavister VNF. Please contact Clavister to get this + image. + + + + + VNF Configuration files, these files are provided with your Enea + NFV Access release: - clavister-cloudinit.conf + clavister-cloudinit.conf. - enea-vnf-iperf-client.conf + enea-vnf-iperf-client.conf. - enea-vnf-iperf-server.conf + enea-vnf-iperf-server.conf.
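Review bot: The new "System requirements for the uCPE devices" list in Prerequisites gives only "1 Network Interface" and "2 GB of RAM memory", while the commit message says every example should specify physical NICs, RAM and cores; add the core count here. "RAM memory" is redundant ("2 GB of RAM" is enough). The three configuration file names now end in a full stop ("clavister-cloudinit.conf."), which is easy to copy as part of the name, so drop the trailing periods from the list items.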
@@ -39,22 +57,9 @@ Clavister VNF using an Open vSwitch Bridge In this use-case, uCPE device 1 runs the Clavister VNF, while uCPE - device 2 runs two Enea NFV Access VNFs with iPerf client and server - applications. The uCPE devices are connected using OVS-DPDK bridges. - - - FIXME: New image needed - -
- Clavister VNF using Open vSwitch Bridge Overview - - - - - - -
+ device 2 runs two Enea Test VNFs with iPerf client and server + applications. The uCPE devices are connected using OVS-DPDK + bridges.
Use-case Setup @@ -63,8 +68,9 @@ - Select uCPE device 1, access Configuration, add the network - interface that will be used and configure it for DPDK. + Select uCPE device 1, access Configuration, + add the network interface that will be used and configure it for + DPDK. @@ -81,8 +87,8 @@ - Onboard the Clavister VNF by filling the required fields with the following - values: + Onboard the Clavister VNF by filling the required fields with + the following values: @@ -120,11 +126,11 @@ - Onboard the Enea VNF by filling the required fields with the following values: - + Onboard the Enea Test VNF by filling the required fields with + the following values: VM Image File: Provide - the path to the Enea NFV Access VNF qcow2 image + the path to the Enea Test VNF qcow2 image @@ -187,16 +193,16 @@ - Interfaces: Set the interface type - to DPDK and select the OVS bridge created - above, for both interfaces. + Interfaces: Set the + interface type to DPDK and select the OVS + bridge created above, for both interfaces. - Instantiate the Enea iPerf server VNF on uCPE device 2 by filling - the required fields with the values below: + Instantiate the Enea iPerf server VNF on uCPE device 2 by + filling the required fields with the values below: @@ -206,7 +212,7 @@ VNF Type: Select Enea - NFV Access VNF + Test VNF @@ -221,15 +227,16 @@ - Interfaces: Set the interface type to - DPDK and select the OVS bridge created above. + Interfaces: Set the + interface type to DPDK and select the OVS + bridge created above. - Instantiate the Enea iPerf client VNF on uCPE device 2 by - filling the required fields with the values below: + Instantiate the Enea iPerf client VNF on uCPE device 2 by + filling the required fields with the values below: @@ -239,7 +246,7 @@ VNF Type: Select Enea - NFV Access VNF + Test VNF 
@@ -254,8 +261,9 @@ - Interfaces: Set the interface - type to DPDK and select the OVS bridge created above. + Interfaces: Set the + interface type to DPDK and select the OVS + bridge created above. @@ -282,22 +290,9 @@ root@qemux86-64:~# iperf3 -c 192.168.10.10
Clavister VNF using SR-IOV - The following use-case is essentially the same as the one detailed above, - in this scenario however, the uCPE devices are connected using SR-IOV, - with two virtual functions. - - FIXME: New image needed - -
- Clavister VNF using SR-IOV Overview - - - - - - -
+ The following use-case is essentially the same as the one detailed + above, in this scenario however, the uCPE devices are connected using + SR-IOV, with two virtual functions.
Use-case Setup @@ -306,9 +301,10 @@ root@qemux86-64:~# iperf3 -c 192.168.10.10 - Select uCPE device 1, access Configuration, - add the network interface that will be used and configure it for SR-IOV. - For sriov-mode select "adapter-pool" and "sriov-num-vfs:2". + Select uCPE device 1, access Configuration, + add the network interface that will be used and configure it for + SR-IOV. For sriov-mode select "adapter-pool" and + "sriov-num-vfs:2". @@ -323,13 +319,14 @@ root@qemux86-64:~# iperf3 -c 192.168.10.10 Instantiating the VNFs: Use the same instantiation parameters as above, but select - interface type SrIovAdapterPool instead. + interface type SrIovAdapterPool instead.
Testing the Use-case - Use the same test instructions as detailed in the use-case above. + Use the same test instructions as detailed in the use-case + above.
diff --git a/doc/book-enea-nfv-access-example-usecases/doc/enea_test_vnf_examples.xml b/doc/book-enea-nfv-access-example-usecases/doc/enea_test_vnf_examples.xml new file mode 100644 index 0000000..985e299 --- /dev/null +++ b/doc/book-enea-nfv-access-example-usecases/doc/enea_test_vnf_examples.xml @@ -0,0 +1,291 @@ + + + Enea Test VNF Example Use-cases + + The Enea Test VNF is a simple Enea Linux based VM, which can be used + for various testing purposes, by using basic DPDK applications (e.g. + testpmd) as well as non-DPDK tools (e.g. iPerf3). For more information about + the Testpmd application please see the Testpmd Application User + Guide. + +
+ Prerequisites + + System requirements for the uCPE devices: + + + + 1 Network Interface + + + + 2 GB of RAM memory + + + + The following files are needed for this example use case: + + + VNF image: + + + Enea Test VNF, please contact Enea to get this image. + + + + + VNF Configuration files, these files are provided with your Enea + NFV Access release: + + + enea-vnf-testpmd-fwd.conf. + + + + enea-vnf-testpmd-term.conf. + + +
+ +
+ TestPMD VNF + + In this use-case, uCPE device 1 runs the pktgen DPDK application to + generate traffic and uCPE device 2 runs two Enea Test VNFs. One VNF runs + the TestPMD DPDK application forwarding traffic, and the other runs the + TestPMD in order to terminate traffic. + +
+ Use-case Setup + + Network Configuration: + + + + Select uCPE device 1, access Configuration, + add the network interface that will be used and configure it for + DPDK. Note the PCI address of the interface, it will be used later + to run the pktgen application. + + + + Select uCPE device 2, access Configuration, + add the network interface that will be used and configure it for + DPDK. + + + + Create an OVS bridge on uCPE device 2 and attach the DPDK + interface. + + + + Onboarding the VNF: + + Onboard the Enea Test VNF by filling the required fields with the + following values: + + + + VM Image File: Provide the + path to the Enea Test VNF qcow2 image. + + + + Memory in MB: 2048 + + + + Num of CPUs: 2 + + + + Storage in GB: 10 + + + + Interfaces: Add 1 + interface. + + + + Cloud-init Datasource: + NoCloud + + + + Cloud-init Disk Type: + disk + + + + Instantiating the VNFs: + + + + Instantiate the Enea NFV Access TestPMD forwarding VNF on uCPE + Device 2 by filling the required fields with the following + values: + + + + Name: testpmd_fwd + + + + VNF Type: Select Enea + Test VNF. + + + + uCPE Device: Select uCPE + device 2. + + + + Cloud Init File: Provide + the path to the Enea VNF TestPMD forwarding cloud-init + file. + + + + Interfaces: Set the + interface type to DPDK and select the OVS + bridge created above. + + + + + + Instantiate the Enea NFV Access TestPMD termination VNF on + uCPE Device 2 by filling the required fields with the following + values: + + + + Name: testpmd_term + + + + VNF Type: Select Enea + Test VNF. + + + + uCPE Device: Select uCPE + device 2. + + + + Cloud Init File: Provide + the path to the Enea VNF TestPMD termination cloud-init + file. + + + + Interfaces: Set the + interface type to DPDK and select the OVS + bridge created above. 
+ + + + + + Creating OVS flow rules: + + Select uCPE device 2, access Configuration, + open the OVS bridge and add two flow rules: + + + + Source: DPDK interface, Target: testpmd_fwd + + + + Source: testpmd_fwd, Target: testpmd_term + + +
+ +
+ Testing the Use-case + + + + SSH to uCPE device 1 (Username: root) and start the pktgen + application: + + cd /usr/share/apps/pktgen/ +./pktgen -c 0x7 -n 4 --proc-type auto --socket-mem 256 -w 0000:01:00.0 -- \ + -P -m "[1:2].0" + +Pktgen:/> start 0 + + + Replace 0000:01:00.0 with the actual PCI address of the + network interface used on uCPE device 1. + + + + + SSH to uCPE device 2 and connect to the TestPMD forwarding VNF + console: + + virsh list +virsh console <id of testpmd fwd> + + + + Check the TestPMD traffic forwarding statistics: + + # qemux86-64 login: root +tail -f /var/log/testpmd-out + + +
+ +
+ TestPMD VNF using PCI passthrough + + In this use case, uCPE device 1 will run the Pktgen and uCPE + device 2 will run the TestPMD VNF. Both will be using PCI + passthrough: + + + + Make sure that neither uCPE device 1 nor uCPE device 2 have + any configured host interfaces by selcting uCPE device : + Configuration -> + OpenVSwitch -> Host + Interfaces. + + + + On uCPE device 1 start the Pktgen VNF. Select + PciPassthrough as the Interface type. + + From the drop-down list, select the PCI interface + corresponding to the NIC which is connected to uCPE device 2: + + + + On uCPE device 2, start the TestPmdForwarder VNF. Select + "PciPassthrough" as the Interface type. From the drop-down list, + select the PCI interface corresponding to the NIC which is connected + to uCPE device 1: + + + + To check that traffic is being forwarded from uCPE device 2, + SSH to the uCPE device and connect to the VNFs console: + + Right click on uCPE device 2 and select SSH. +Run: virsh list +Run: virsh console [VM NAME] +Run: tail -f /opt/testpmd-out + + +
+
+
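Review bot: The two test procedures in this new file read the TestPMD output from different paths, "tail -f /var/log/testpmd-out" under "Testing the Use-case" and "tail -f /opt/testpmd-out" under "TestPMD VNF using PCI passthrough"; confirm where the image writes the file and use that path in both places, or state why they differ. In the PCI passthrough steps, "selcting uCPE device :" should read "selecting uCPE device:", and the two steps ending in "connected to uCPE device 2:" and "connected to uCPE device 1:" still introduce figures that this change removes, so end them with a full stop. The instantiation steps also still say "Enea NFV Access TestPMD forwarding VNF" and "termination VNF" although the VNF Type is now "Enea Test VNF".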
diff --git a/doc/book-enea-nfv-access-example-usecases/doc/enea_vnf_examples.xml b/doc/book-enea-nfv-access-example-usecases/doc/enea_vnf_examples.xml deleted file mode 100644 index 9809cb3..0000000 --- a/doc/book-enea-nfv-access-example-usecases/doc/enea_vnf_examples.xml +++ /dev/null @@ -1,319 +0,0 @@ - - - Enea NFV Access VNF Example Use-cases - -
- Prerequisites - - The following files are needed for this example use-case: - - FIXME: These filenames may need to be updated - - - - enea-nfv-access-vnf-qemux86-64.wic.qcow2 - - - - enea-vnf-testpmd-fwd.conf - - - - enea-vnf-testpmd-term.conf - - -
- -
- TestPMD VNF - - In this use-case, uCPE device 1 runs the pktgen DPDK application to - generate traffic and uCPE device 2 runs two Enea NFV Access VNFs. One VNF - runs the TestPMD DPDK application forwarding traffic, and the other runs - the TestPMD in order to terminate traffic. - - FIXME: New image needed - -
- Enea TestPMD VNF Overview - - - - - - -
- -
- Use-case Setup - - Network Configuration: - - - - Select uCPE device 1, access Configuration, - add the network interface that will be used and configure it for - DPDK. Note the PCI address of the interface, it will be used later - to run the pktgen application. - - - - Select uCPE device 2, access Configuration, - add the network interface that will be used and configure it for - DPDK. - - - - Create an OVS bridge on uCPE device 2 and attach the DPDK - interface. - - - - Onboarding the VNF: - - Onboard the Enea NFV Access VNF by filling the required fields - with the following values: - - - - VM Image File: Provide the - path to the Enea NFV Access VNF qcow2 image. - - - - Memory in MB: 2048 - - - - Num of CPUs: 2 - - - - Storage in GB: 10 - - - - Interfaces: Add 1 - interface. - - - - Cloud-init Datasource: - NoCloud - - - - Cloud-init Disk Type: - disk - - - - Instantiating the VNFs: - - - - Instantiate the Enea NFV Access TestPMD forwarding VNF on uCPE - Device 2 by filling the required fields with the following - values: - - - - Name: testpmd_fwd - - - - VNF Type: Select Enea NFV - Access VNF. - - - - uCPE Device: Select uCPE - device 2. - - - - Cloud Init File: Provide - the path to the Enea VNF TestPMD forwarding cloud-init - file. - - - - Interfaces: Set the - interface type to DPDK and select the OVS - bridge created above. - - - - - - Instantiate the Enea NFV Access TestPMD termination VNF on - uCPE Device 2 by filling the required fields with the following - values: - - - - Name: testpmd_term - - - - VNF Type: Select Enea NFV - Access VNF. - - - - uCPE Device: Select uCPE - device 2. - - - - Cloud Init File: Provide - the path to the Enea VNF TestPMD termination cloud-init - file. - - - - Interfaces: Set the - interface type to DPDK and select the OVS - bridge created above. 
- - - - - - Creating OVS flow rules: - - Select uCPE device 2, access Configuration, - open the OVS bridge and add two flow rules: - - - - Source: DPDK interface, Target: testpmd_fwd - - - - Source: testpmd_fwd, Target: testpmd_term - - -
- -
- Testing the Use-case - - - - SSH to uCPE device 1 (Username: root) and start the pktgen - application: - - cd /usr/share/apps/pktgen/ -./pktgen -c 0x7 -n 4 --proc-type auto --socket-mem 256 -w 0000:01:00.0 -- \ - -P -m "[1:2].0" - -Pktgen:/> start 0 - - - Replace 0000:01:00.0 with the actual PCI address of the network - interface used on uCPE device 1. - - - SSH to uCPE device 2 and connect to the TestPMD forwarding VNF - console: - - virsh list -virsh console <id of testpmd fwd> - - Check the TestPMD traffic forwarding statistics: - - # qemux86-64 login: root -tail -f /var/log/testpmd-out - -
- Traffic Statistics - - - - - - -
-
-
- -
- TestPMD VNF using PCI passthrough - - In this use case, uCPE device 1 will run the Pktgen and uCPE - device 2 will run the TestPMD VNF. Both will be using PCI - passthrough: - -
- TestPMD VNF using PCI passthrough Overview - - - - - - -
- - - - Make sure that neither uCPE device 1 nor uCPE device 2 have - any configured host interfaces by selcting uCPE device : - Configuration -> - OpenVSwitch -> Host - Interfaces. - - - - On uCPE device 1 start the Pktgen VNF. Select - PciPassthrough as the Interface type. - - From the drop-down list, select the PCI interface - corresponding to the NIC which is connected to uCPE device 2: - -
- Selecting the Pktgen VNF Interface - - - - - - -
-
- - - On uCPE device 2, start the TestPmdForwarder VNF. Select - "PciPassthrough" as the Interface type. From the drop-down list, - select the PCI interface corresponding to the NIC which is connected - to uCPE device 1: - -
- Selecting the TestPmdForwarder VNF Interface - - - - - - -
-
- - - To check that traffic is being forwarded from uCPE device 2, - SSH to the uCPE device and connect to the VNFs console: - - Right click on uCPE device 2 and select SSH. -Run: virsh list -Run: virsh console [VM NAME] -Run: tail -f /opt/testpmd-out - -
-
-
-
diff --git a/doc/book-enea-nfv-access-example-usecases/doc/forti_vnf_examples.xml b/doc/book-enea-nfv-access-example-usecases/doc/forti_vnf_examples.xml index 4a9a8a5..fcb8c87 100644 --- a/doc/book-enea-nfv-access-example-usecases/doc/forti_vnf_examples.xml +++ b/doc/book-enea-nfv-access-example-usecases/doc/forti_vnf_examples.xml @@ -14,39 +14,38 @@ - 3 x Network Interfaces + 4 x Network Interfaces - 1 x vCPU + 4 cores - 1 GB of RAM memory + 4 GB of RAM memory The following files are needed for this example use case: - - FortiGate VNF image. This file is provided by the local Fortinet - sales representatives in your region. - + VNF image: - FortiGate VNF license file. This file is provided by the local - Fortinet sales representatives in your region. + FortiGate VNF. Please contact Fortinet to get a VNF image and its license file. + + + + VNF Configuration files, provided with your Enea + NFV Access release: - FortiGate specific documentation. This is provided by the local - Fortinet sales representatives in your region. + fortigate-basic-fw.conf. - FortiGate configuration example files. These files are provided - with your Enea NFV Access release. + fortigate-sdwan<x>.conf.
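Review bot: The requirement changes from "3 x Network Interfaces" to "4 x Network Interfaces" without saying what the fourth port is for, while the firewall text further down still speaks of three external interfaces; name the four ports in this list (WAN, LAN1, LAN2 and ETH0 for Enea uCPE Manager communications, as the later setup list does). The license file is now folded into the "VNF image:" item, where it is easy to miss, so give it its own list entry. The placeholder "fortigate-sdwan<x>.conf" would be clearer as the two file names the SD-WAN section uses, fortigate-sdwan1.conf and fortigate-sdwan2.conf.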
@@ -54,202 +53,22 @@
FortiGate VNF as a Firewall - Enea provides an example of a simple base firewall configuration for - the FortiGate VNF. - - - FortiGate VNF Example Configuration - - - - - - - - - Component - - Setting/Description - - - - - - Firewall - - "All pass" mode - - - - WAN (Virtual Port1) - - DHCP Client, dynamically assigned IP - address.FortiGate In-Band - Management1. - - - - WAN (Virtual Port2) - - IP address: - 172.168.16.1DHCP server (IP range 172.168.16.1 - - 172.168.16.255). - - - - WAN (Virtual Port3) - - Ignored - - - -
- - 1FortiGate In-Band Management is a + Enea provides an example of a simple basic firewall configuration + for the FortiGate VNF. FortiGate In-Band Management is a feature used for running FortiGate Management traffic over WAN. - Instructions on how to alter the default configuration are provided in section - FortiGate VNF Web Management in Instructions on how to alter the default configuration are provided + in section FortiGate VNF Web Management in the + . - -
- Lab Setup - - Before starting the configuration of the FortiGate Firewall, a lab - setup concerning hardware and software components has to be created. The - following table illustrates the requirements for this setup. - - - Lab Setup Prerequisites - - - - - - - Component - - Description/Requirements - - - - - - Lab Network - - - - - DHCP enabled Lab Network. - - - - Internet Connectivity. - - - - - - - Setup of an Intel Whitebox uCPE - device - - - - - Minimum 4 Physical Network Devices. - - - - 4 GB RAM and 4 cores (C3000 or Xeon D). - - - - Enea NFV Access Installed. - - - - WAN Connected to the Lab Network. - - - - LAN1 Connected to the Test Machine. - - - - LAN2 Unconnected. - - - - ETH0 connected to the Lab Network (for Enea uCPE - Manager communications). - - - - - - - Setup of a Lab Machine - - - - - Connected to the Lab Network. - - - - Running either Windows or CentOS. - - - - The Enea uCPE Manager installed. - - - - - - - Setup of a Test Machine - - - - - Connected to Whitebox LAN. - - - - Internet Connectivity via LAN. - - - - Configured as the DHCP client on LAN. - - - - - - -
- -
- Lab Setup Overview - - - - - - -
-
+ xpointer="element(book_enea_nfv_access_example_usecases/1)" /> + Manual.
Use-case Setup - Network Configuration: + Network Configuration: Since the firewall uses three External Network Interfaces, three bridges need to be configured. Each bridge provides the ability to @@ -273,30 +92,40 @@ connection points for the FortiGate VNF, by replacing the OVS-DPDK bridges with SR-IOV connection points. - Please note that while previously three physical interfaces were - presumed necessary for VNF connection, in the case of a firewall setup - only two physical interfaces are required for the data path - (one for WAN and one for LAN). - - Only two interfaces will be configured as DPDK, with two bridges - created, one for each type of connection. - - At VNF instantiation instead of assigning distinct bridges for - each LAN interface, only one will be used for both LAN1 and LAN2, - with no changes in WAN interface configuration. - - See the picture below for the final setup: - -
- Two-Interface Configuration - - - - - - -
+ Please note that while previously three physical interfaces were + presumed necessary for VNF connection, in the case of a firewall setup + only two physical interfaces are required for the data path (one for WAN + and one for LAN). + + Only two interfaces will be configured as DPDK, with two bridges + created, one for each type of connection. + + + At VNF instantiation instead of assigning distinct bridges for + each LAN interface, only one will be used for both LAN1 and LAN2, with + no changes in WAN interface configuration. + + + Setup of the uCPE device: + + + + WAN connected to the Lab Network. + + + + LAN1 connected to the Test Machine. + + + + LAN2 unconnected. + + + + ETH0 connected to the Lab Network (for Enea uCPE Manager + communications). + + Onboarding the VNF: 
@@ -347,84 +176,54 @@ Instantiate the FortiGate VNF by filling the required fields with the following values: - - Instantiation Requirements - - - - - - - - - Field - - Description - - - - - - Name - - Name of the VM which will be created on the - uCPE device. - - - - VNF Type - - Name of the onboarded VNF. - - - - uCPE Device - - Select the uCPE device where the VNF will be - instantiated. - - - - License file - - The FortiGate license file provided by - Fortinet. - - - - Configuration file + + + Name: Name of the VM which + will be created on the uCPE device. + - The Firewall example configuration file provided - by Enea - (fortigate-basic-fw.conf). - + + VNF Type: Name of the + onboarded VNF. + - - Port1 - WAN + + uCPE Device: Select the uCPE + device where the VNF will be instantiated. + - Set the External Interface type to - DPDK and connect it to the wanmgrbr ovs - bridge. - + + License file: The FortiGate + license file provided by Fortinet. + - - Port2 - LAN1 + + Configuration file: The + Firewall example configuration file provided by Enea + (fortigate-basic-fw.conf). + - Set the Incoming Interface type to - DPDK and connect it to the lan1 ovs - bridge. - + + Port1 - WAN: Set the + External Interface type to + DPDK and connect it to the + wanmgrbr ovs bridge. + - - Port3 - LAN2 + + Port2 - LAN1: Set the + Incoming Interface type to + DPDK and connect it to the + lan1 ovs bridge. + - Set the Outgoing Interface type to - DPDK and connect it to the lan2 ovs - bridge. - - - -
+ + Port3 - LAN2: Set the + Outgoing Interface type to + DPDK and connect it to the + lan2 ovs bridge. + +
@@ -455,268 +254,19 @@
- FortiGate VNF as an SD-WAN VPN + FortiGate VNF as an SD-WAN or a VPN SD-WAN decouples the network from the management plane, detaching traffic management and monitoring functions from hardware. Most forms of SD-WAN technology create a virtual overlay that is transport-agnostic, i.e. it abstracts underlying private or public WAN connections. - For deployment, the user plugs in WAN links into the device, - which automatically configures itself with the network. + For deployment, the user plugs in WAN links into the device, which + automatically configures itself with the network. Example SD-WAN configurations for the FortiGate VNF are provided by Enea. -
- Prerequisites - - The following table illustrates the use-case prerequisites for the - setup: - - - Prerequisites - - - - - - - Component - - Description - - - - - - Lab Network - - - - - DHCP enabled Lab Network. - - - - Internet Connectivity. - - - - - - - Two Intel Whitebox uCPE devices - - - - - Minimum 4 Physical Network Devices. - - - - 4 GB RAM and 4 cores (C3000 or Xeon D). - - - - Enea NFV Access Installed. - - - - VNFMgr connected to the Lab Network for VNF management - access. - - - - WAN interfaces directly connected through the Ethernet - cable. - - - - LAN connected to the Test Machine. - - - - ETH0 connected to the Lab Network (for Enea uCPE - Manager communications). - - - - - - - One Lab Machine - - - - - Connected to the Lab Network. - - - - Running either Windows or CentOS. - - - - The Enea uCPE Manager installed. - - - - - - - Two Test Machines - - - - - Connected to Whitebox LANs. - - - - Internet Connectivity via LAN. - - - - Configured as the DHCP client on LAN. - - - - - - -
-
- -
- Lab Setup - - The following will detail an SD-WAN setup for a branch to branch - connection using the FortiGate VNF. FortiGate provides native SD-WAN - along with integrated advanced threat protection. - - - FortiGate VNF Example Configuration - SD-WAN uCPE device - 1 - - - - - - - Component - - Description - - - - - - SD-WAN - - VPN connection between two branches (uCPE device 1 and - uCPE device 2). - - - - VNFMgr (Virtual Port1) - - DHCP Client, dynamically assigned IP address. - - - - WAN (Virtual Port2) - - IP address: 10.0.0.1 - - - - LAN (Virtual Port3) - - - - - IP address: 172.16.1.1 - - - - DHCP server (IP range 172.16.1.2 - - 172.16.1.254) - - - - - - -
- - - FortiGate VNF Example Configuration - SD-WAN uCPE device - 2 - - - - - - - Component - - Description - - - - - - SD-WAN - - VPN connection between two branches (uCPE device 2 and - uCPE device 1). - - - - VNFMgr (Virtual Port1) - - DHCP Client, dynamically assigned IP address. - - - - WAN (Virtual Port2) - - IP address: 10.0.0.2 - - - - LAN (Virtual Port3) - - - - - IP address: 172.16.2.1 - - - - DHCP server (IP range 172.16.2.2 - - 172.16.2.254) - - - - - - -
- -
- SD-WAN: VPN Configuration - - - - - - -
-
-
Use-case Setup @@ -725,8 +275,8 @@ Since the SD-WAN VNF uses three External Network Interfaces, three bridges need to be configured. Each bridge provides the ability to connect a physical network interface to the VM's virtual network - interface. - + interface. + Each VNF instance will have a virtual interface for VNF management, for the WAN network and for LAN communication. 
@@ -746,105 +296,96 @@ - Onboarding the FortiGate VNF - - See the onboarding parameters detailed in the previous use-case above. - - Instantiating the FortiGate VNF - - Instantiate the FortiGate VNF by filling the required fields with - the following values: - - - Instantiation Requirements - - - - - - - - - Field - - Description - - - - - - Name - - Name of the VM which will be created on the - uCPE device. - + Setup of an Intel Whitebox uCPE + device: - - VNF Type + + + VNFMgr. Connected to the Lab Network for + VNF management access. + - Name of the onboarded VNF. - + + WAN interfaces. Directly connected through + the Ethernet cable. + - - uCPE Device + + LAN. Connected to the Test Machine. + - Select the uCPE device where the VNF will be - instantiated. - + + ETH0. Connected to the Lab Network (for + Enea uCPE Manager communications). + + - - License file + Onboarding the FortiGate + VNF: - The FortiGate license file provided by - Fortinet. - + See the onboarding parameters detailed in the previous use-case + above. - - Configuration files + Instantiating the FortiGate + VNF: - The SD-WAN example configuration files provided - by Enea: - fortigate-sdwan1.conf - fortigate-sdwan2.conf - + Instantiate the FortiGate VNF by filling the required fields with + the following values: - - Port1 - VNFMgr + + + Name: Name of the VM which + will be created on the uCPE device. + - Set the type to DPDK and connect it to the - vnfmgrbr bridge. - + + VNF Type: Name of the + onboarded VNF. + - - Port2 - WAN + + uCPE Device: Select the uCPE + device where the VNF will be instantiated. + - Set the type to DPDK and connect it to the - wanbr bridge. - + + License file: The FortiGate + license file provided by Fortinet. + - - Port3 - LAN + + Configuration file: The + SD-WAN example configuration files provided by Enea: + fortigate-sdwan1.conf and + fortigate-sdwan2.conf. + - Set the type to DPDK and connect it to the - lanbr bridge. - - - -
+ + Port1 - VNF Mgr: Set the type + to DPDK and connect it to the + vnfmgrbr bridge. + - - Instantiate the FortiGate VNF on uCPE device 1 using the - sdwan1 example configuration file. + Port2 - WAN: Set the type to + DPDK and connect it to the + wanbr bridge. - To complete the branch-to-branch setup, configure uCPE device - 2 in the same way as uCPE device 1. Make sure to - use the sdwan2 configuration file for the second VNF - instantiation. + Port3 - LAN: Set the type to + DPDK and connect it to the + lanbr bridge. - + + + Instantiate the FortiGate VNF on uCPE device 1 using the + sdwan1 example configuration file. + + To complete the branch-to-branch setup, configure uCPE + device 2 in the same way as uCPE device 1. + Make sure to use the sdwan2 configuration file for + the second VNF instantiation.
@@ -914,16 +455,16 @@ virsh console <id of FortiGate VNF> - Browse through the configuration and perform changes - according to your setup: + Browse through the configuration and perform changes according + to your setup:
The FortiGate VNF Web Management Interface - +
@@ -954,11 +495,6 @@ virsh console <id of FortiGate VNF> at the next FortiGate VNF instantiation.
- - - Editing the default configuration is only recommended for - FortiGate configuration experts. -
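Review bot: The note "Editing the default configuration is only recommended for FortiGate configuration experts." is deleted at the end of the FortiGate VNF Web Management section, and the commit message does not list this removal. The surrounding text still tells the reader to change the configuration and reuse the saved file "at the next FortiGate VNF instantiation", so a mistaken edit carries over to every later instance; keep the note, or explain in the commit message why it is no longer needed.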
diff --git a/doc/book-enea-nfv-access-example-usecases/doc/inband_management.xml b/doc/book-enea-nfv-access-example-usecases/doc/inband_management.xml deleted file mode 100644 index a27075c..0000000 --- a/doc/book-enea-nfv-access-example-usecases/doc/inband_management.xml +++ /dev/null @@ -1,237 +0,0 @@ - - - In-band Management Example Use-case - - In the case of an NFV Access device installed on a network with - limited access, In-band management can be a solution to manage the device - and to pass data traffic (through only one physical interface). This example - use-case will show how to enable In-band management on the NFV Access - device and to access a VNF on the same physical interface. - -
- Prerequisites - - System requirements for the uCPE device: - - - - 1 x Network Interface for WAN and management. - - - - 1 x Network Interface for LAN. - - - - - No other physical port for In-band management can be used. - FIXME: What does this mean? - - - The following files are needed for this example use case: - - - - FortiGate VNF image. This file is provided by the local Fortinet - sales representatives in your region. - - - - FortiGate VNF license file. This file is provided by the local - Fortinet sales representatives in your region. - - - - FortiGate specific documentation. This is provided by the local - Fortinet sales representatives in your region. - - - - FortiGate configuration example files. These files are provided - with your Enea NFV Access release. - - -
- -
- In-band Management Activation - - In-band management activation is done by creating a special bridge - which manages all traffic from the WAN interface. The active physical port - of the device (used by the device manager to communicate with the uCPE - Manager) will be connected to the In-band management bridge. - - Once the In-band management bridge is activated, communication to - the uCPE Manager will be reactivated, passing through the bridge. - - For further details, please see in_band_managemen in . - -
- NFV Access In-band management solution setup - - - - - - -
- -
- Use-case Setup - - Network Configuration: - - - - Create an In-band management WAN Bridge (set - dpdkWan as the bridge type). - - - - Bind the physical network interface that will be used for LAN - access to the DPDK. - - - - Create a LAN Bridge and attach the DPDK LAN interface. - - - - - The WAN port of the very first VNF instantiated on the device - must be connected to the WAN bridge. All other VNFs - must be connected in chain with the first VNF. - - - Onboarding the VNF: - - See onboarding parameters in . - - Instantiating the VNF: - - Instantiate the FortiGate VNF by filling the required fields with - the following values: - - - Instantiation Requirements - - - - - - - - - Field - - Description - - - - - - Name - - Name of the VM which will be created on the - uCPE device. - - - - VNF Type - - Name of the onboarded VNF. - - - - uCPE Device - - Select the uCPE device where the VNF will be - instantiated. - - - - License file - - The FortiGate license file provided by - Fortinet. - - - - Configuration file - - The Firewall example configuration file provided - by Enea - (fortigate-basic-fw.conf). - - - - Port1 - WAN - - Set the External Interface type to - DPDK and connect it to the ibm-wan-br ovs - bridge. - - - - Port2 - LAN1 - - Set the Incoming Interface type to - DPDK and connect it to the lan-br ovs - bridge. - - - - Port3 - LAN2 - - Set the Outgoing Interface type to - DPDK and connect it to the lan-br ovs - bridge. - - - -
-
- -
- Testing the Use-case - - Once the VNF is instantiated, the setup is complete and ready for - testing. Connect the test machine to the LAN port. It will receive an IP - address from the FortiGate VNF and be able to access the - internet. - - At this stage, three types of traffic are passing through the WAN - port on the same IP address: - - - - Device management traffic from the uCPE Manager. - - - - FortiGate management interface traffic from a web - browser. - - - - Data traffic from the LAN to the internet. - - - - If you have access from the uCPE Manager to the device as shown - above, this demonstrates that device management traffic passes through - the In-band management WAN bridge successfully. - - To access the management interface of the VNF, connect from a web - browser to the public IP address of the device e.g. - https://<IP>. From a Test machine connected on - the LAN port, try a test ping to the internet e.g. "ping - 8.8.8.8". -
-
-
diff --git a/doc/book-enea-nfv-access-example-usecases/doc/introduction.xml b/doc/book-enea-nfv-access-example-usecases/doc/introduction.xml index 74c11f3..456ab50 100644 --- a/doc/book-enea-nfv-access-example-usecases/doc/introduction.xml +++ b/doc/book-enea-nfv-access-example-usecases/doc/introduction.xml @@ -4,10 +4,10 @@ This document describes several example use-cases concerning uCPE configuration, onboarding and instantiation of certain VNFs, VNF chaining, - and In-band management. + etc. - Before running any example make sure the uCPE device(s) have been + Before running any example use case make sure the uCPE device(s) have been added to the uCPE Manager and placed on the map. For detailed information on how to add a device to the uCPE Manager, @@ -18,4 +18,8 @@ xpointer="element(book_enea_nfv_access_getting_started/1)" /> Manual. - \ No newline at end of file + + Examples presented in this document use 3rd-party VNFs, which + are not provided by Enea. To procure and use these VNF image files and license files, + where applicable, please contact the VNF provider. + diff --git a/doc/book-enea-nfv-access-example-usecases/doc/vnf_chaining.xml b/doc/book-enea-nfv-access-example-usecases/doc/vnf_chaining.xml index 27b83aa..f58e252 100644 --- a/doc/book-enea-nfv-access-example-usecases/doc/vnf_chaining.xml +++ b/doc/book-enea-nfv-access-example-usecases/doc/vnf_chaining.xml @@ -14,33 +14,49 @@
Prerequisites + System requirements for the uCPE device: + + + + 3 x Network Interfaces + + + + 4 GB of RAM memory + + + The following files are needed for this example use case: + VNF images: + - vSRX-Site<x>.iso. The Juniper vSRX - VNF image, as the Cloud-Init files. This VNF image is not provided by - Enea. Please contact Juniper to get this image. + Fortigate VNF. - Fortigate VNF image. This image is provided by Enea. + Juniper vSRX VNF. + + + For VNF images and their license files, please contact the + VNF provider. + + + VNF Configuration files, provided with your Enea + NFV Access Release: - vSRX-domain-update-script. This file is - provided by Enea. + vSRX-domain-update-script. - FortiFW-Site<x>.conf as the - Cloud-Init file(s). This file is provided by Enea. + vSRX-Site<x>.conf. - License file(s) as the Cloud-Init content in the Cloud-Init tab. - For license files for the VNFs, please contact the VNF - provider. + FortiFW-Site<x>.conf.
@@ -58,27 +74,10 @@ Optionally, one additional device (PC/laptop) can be connected on the LAN port of each branch to run LAN-to-LAN connectivity tests. -
- VNF Chaining with FortiGate Setup - - - - - - -
- - - For simplicity, the image above does not present the - management-plane, which will be described in the Setup steps. - -
Use-case Setup - Configuring Network Interfaces on uCPE - devices: + Network Configuration: Both branches in the example have similar setups, therefore necessary step details are presented for only one branch. The second @@ -135,16 +134,17 @@ - Onboarding the VNFs: + Onboarding the VNFs: - Onboard Juniper vSRX using the VNF Onboarding Wizard: + Onboard Juniper vSRX using the VNF by filling the required + fields with the following values: - The Flavor selected must have at least 2 vCPUs and 4 GB - RAM since vSRX is quite resource consuming. + The Flavor selected must have at least 2 CPUs and 4 GB RAM + since vSRX is quite resource consuming. Tested-inhouse with 4 vCPUs/ 6 GB RAM. @@ -166,8 +166,8 @@ - The Flavor selected can be quite light in resources, e.g. - 1 vCPU and 2 GB RAM. + The Flavor selected can be quite light in resource + consumption, e.g. 1 CPU and 2 GB RAM. @@ -203,6 +203,11 @@ Use vSRX-Site1.iso as the Cloud-Init file. + + + Please follow the Juniper's documentation to create + vSRX-Site1.iso file. + @@ -300,17 +305,16 @@ established and LAN to LAN visibility can be verified by connecting one device on each uCPE LAN port.
-
-
- Testing the Use-case +
+ Testing the Use-case - Before testing LAN to LAN connectivity, preliminary tests of service - can be run to ensure everything was set up properly. For instance, by - connecting to vSRX CLI (any site), one can test IKE security - associations: + Before testing LAN to LAN connectivity, preliminary tests of + service can be run to ensure everything was set up properly. For + instance, by connecting to vSRX CLI (any site), one can test IKE + security associations: - root@Atom-C3000:~ # cli + root@Atom-C3000:~ # cli root@Atom-C3000> show security ike security-associations Index State Initiator cookie Responder cookie Mode Remote Address 1588673 UP 2f2047b144ebfce4 0000000000000000 Aggressive 10.1.1.2 
@@ -318,91 +322,71 @@ Index State Initiator cookie Responder cookie Mode Remote Address root@Atom-C3000> show security ike security-associations index 1588673 detail ... - Also, from the vSRX CLI, a user can check that the VPN tunnel was - established and get statistics of the packets passing the tunnel: + Also, from the vSRX CLI, a user can check that the VPN tunnel was + established and get statistics of the packets passing the tunnel: - root@Atom-C3000> show security ipsec security-associations + root@Atom-C3000> show security ipsec security-associations ... root@Atom-C3000> show security ipsec statistics index <xxxxx> ... - From the Fortigate Firewall CLI on Site 1, one can check - connectivity to the remote Fortigate FW (from Site 2): + From the Fortigate Firewall CLI on Site 1, one can check + connectivity to the remote Fortigate FW (from Site 2): - FGVM080000136187 # execute ping 192.168.168.2 + FGVM080000136187 # execute ping 192.168.168.2 PING 192.168.168.2 (192.168.168.2): 56 data bytes 64 bytes from 192.168.168.2: icmp_seq=0 ttl=255 time=0.0 ms 64 bytes from 192.168.168.2: icmp_seq=1 ttl=255 time=0.0 ms 64 bytes from 192.168.168.2: icmp_seq=2 ttl=255 time=0.0 ms ... - Since VNF management ports were configured to get IPs through DHCP, - the user can use a Web-based management UI to check and modify the - configuration settings of both vSRX and Fortigate. + Since VNF management ports were configured to get IPs through + DHCP, the user can use a Web-based management UI to check and modify the + configuration settings of both vSRX and Fortigate. - For example, in the case of vSRX, from the VNF CLI you can list the - virtual interfaces as below: + For example, in the case of vSRX, from the VNF CLI you can list + the virtual interfaces as below: - root@Atom-C3000> show interfaces terse + root@Atom-C3000> show interfaces terse ... fxp0.0 up up inet 172.24.15.92/22 gre up up ipip up up ... 
- When using provided configurations, the VNF management port for - Juniper vSRX is always fxp0.0. + When using provided configurations, the VNF management port for + Juniper vSRX is always fxp0.0. - In the case of Fortigate, from the VNF CLI you can list the virtual - interfaces as such: + In the case of Fortigate, from the VNF CLI you can list the + virtual interfaces as such: - FGVM080000136187 # get system interface + FGVM080000136187 # get system interface == [ port1 ] name: port1 mode: dhcp ip: 172.24.15.94 255.255.252.0 status: up netbios-forward: disable type: physical netflow-sampler: disable sflow-sampler: disable... ... - When using provided configurations, the VNF management port for - Fortigate is always port1. - - If functionality is as intended, LAN-to-LAN connectivity can be - checked (through the VPN tunnel) by using two devices (PC/laptop) - connected to the LAN ports of each uCPE. Optionally, these devices can be - simulated by using Enea's sample VNF running on both uCPEs and connected - to the lan_br on each side. Please note that - instructions for onboarding and instantiating this VNF is not in the scope - of this document. - - Since Fortigate VNF, which is acting as router and firewall, is - configured to be the DHCP server for the LAN network, the device interface - connected to the uCPE LAN port has to be configured to get dinamically - assigned IPs. These IPs are in the 172.0.0.0/24 network for Site1 and the - 172.10.10.0/24 network for Site2. Therefore, site-to-site connectivity can - be checked (from Site1) as such: - - root@atom-c3000:~# ping 172.10.10.2 + When using provided configurations, the VNF management port for + Fortigate is always port1. + + If functionality is as intended, LAN-to-LAN connectivity can be + checked (through the VPN tunnel) by using two devices (PC/laptop) + connected to the LAN ports of each uCPE. 
Optionally, these devices can + be simulated by using Enea's sample VNF running on both uCPEs and + connected to the lan_br on each side. Please note + that instructions for onboarding and instantiating this VNF is not in + the scope of this document. + + Since Fortigate VNF, which is acting as router and firewall, is + configured to be the DHCP server for the LAN network, the device + interface connected to the uCPE LAN port has to be configured to get + dinamically assigned IPs. These IPs are in the 172.0.0.0/24 network for + Site1 and the 172.10.10.0/24 network for Site2. Therefore, site-to-site + connectivity can be checked (from Site1) as such: + + root@atom-c3000:~# ping 172.10.10.2 PING 172.10.10.1 (172.10.10.2): 56 data bytes ... +
- -
- Limitations - - Below is a list of known limitations: - - - - The vSRX VNF has no trust-to-untrust and untrust-to-trust - policies (only trust-to-vpn and vpn-to-trust were configured). - Therefore, uCPEs were not configured for a "direct Internet access" - use-case. - - - - The Fortigate VNF has no "real" firewall policies set, i.e. all - traffic from LAN is allowed to pass through the WAN interface and - vice-versa. - - -
- \ No newline at end of file + -- cgit v1.2.3-54-g00ecf
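Review bot: in introduction.xml (@@ -4,10 +4,10 @@), replacing "and In-band management." with "etc." leaves the scope sentence open-ended, so the reader can no longer tell which use cases the book covers. Close the list instead, for example "onboarding and instantiation of certain VNFs, and VNF chaining."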
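Review bot: in vnf_chaining.xml (@@ -14,33 +14,49 @@), the new "System requirements for the uCPE device" list gives only "3 x Network Interfaces" and "4 GB of RAM memory", while the commit message says every example specifies physical NICs, RAM and cores. Add the core count for this use case, and drop the redundant "memory" after "RAM".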
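Review bot: in vnf_chaining.xml (@@ -135,16 +134,17 @@), the added sentence "Onboard Juniper vSRX using the VNF by filling the required fields with the following values:" has lost the words "Onboarding Wizard" from the line it replaces and no longer parses. Restore them, for example "using the VNF Onboarding Wizard, filling the required fields with the following values:". In the same hunk the Flavor line now says "at least 2 CPUs" while the unchanged context line still reads "Tested-inhouse with 4 vCPUs/ 6 GB RAM". Pick one term for Flavor sizing and use it on both lines, and on the Fortigate Flavor line changed in the next hunk.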
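Review bot: in vnf_chaining.xml (@@ -203,6 +203,11 @@), the added note "Please follow the Juniper's documentation to create vSRX-Site1.iso file." does not say which inputs go into the ISO. Prerequisites now lists the vSRX-Site .conf file as shipped with the release, yet this step still uses vSRX-Site1.iso as the Cloud-Init file. State whether the .conf is the input for building the .iso, and reword to "Please follow Juniper's documentation to create the vSRX-Site1.iso file."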
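Review bot: the last hunk of vnf_chaining.xml (@@ -318,91 +322,71 @@) deletes the whole Limitations section, including the statement that the Fortigate VNF has no "real" firewall policies and that all traffic from LAN is allowed to pass through the WAN interface and vice-versa. The visible diff does not touch the provided configuration files, so if they still behave this way, keep that warning and the vSRX note that only trust-to-vpn and vpn-to-trust policies were configured, for example as a note under Prerequisites. The re-indented Testing text in the same hunk also carries three existing errors into the new lines: "dinamically" should be "dynamically", "instructions ... is not in the scope" should be "are not", and the sample output "PING 172.10.10.1 (172.10.10.2)" does not match the command "ping 172.10.10.2". These lines are being rewritten anyway, so fix them in this change.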