The network elements (NEs) mentioned in this document are the devices managed by the VCF controller. To ensure that the NEs can correctly access the underlay network and that the NEs and the VCF controller are reachable at Layer 3, you must preprovision the NEs. This document describes how to preprovision NEs in different scenarios, so that you can manually preprovision NEs by NE type.
Depending on the carriers of NEs, NEs include the following types:
· Physical NE—NEs carried on physical devices, for example, physical switches. Depending on the type of services provided, physical NEs include access devices and physical gateways. You must preprovision physical NEs.
· Virtual NE—NEs (for example, VNF NEs and NGFW NEs) virtualized on a physical server or physical network device (for example, M9000). Depending on the type of services provided, virtual NEs include virtual gateway, virtual firewall, and virtual load balancer. Depending on how virtual NEs are created, virtual NEs include the following types:
  - Manually added NE—NEs that are manually created and then manually added to the VCF controller for management. You must preprovision this type of NEs.
  - NEs allocated by a resource pool—Virtual NEs allocated by the NGFW resource pool or VNF resource pool. When creating this type of NEs, you must use the related template. Preprovisioned configuration is generated when the template is created. You do not need to preprovision this type of NEs. You can learn the preprovisioned functions in the template through the configuration items described in "Configuration items." Also, you can modify the preprovisioned configuration in the template as needed.
Preprovisioning basic configuration
This chapter describes the configuration items and configuration tasks for NEs of different types. The Configuration items section describes all possible functions for NEs of different types. You can preprovision NEs of the specified type according to the Configuration tasks at a glance section. Also, you can learn which configuration items are preprovisioned in the templates for NEs of different types.
Configuration tasks at a glance
Physical NE configuration tasks at a glance
Task | Physical access devices | Physical gateways
---|---|---
(task name lost) | Y | Y
(task name lost) | Y | Y
(task name lost) | Y | Y
(task name lost) | Y | Y
Configuring the interface where the VTEP IP addresses reside | Y | Y
Configuring the OVSDB VTEP function and site-facing interface | Y | N
(task name lost) | N | Y
Assigning the physical interfaces connecting to the security devices to the same VLAN | N | Required only for gateways that are members of a service gateway group.
(task name lost) | Required only for access devices in IRF mode. | Required only for gateways in IRF mode.
Manually added firewall configuration tasks at a glance
Task | Service-chain firewalls (VNF NEs)
---|---
(task name lost) | Y
(task name lost) | Y
(task name lost) | Y
(task name lost) | Y
Configuring the interface where the VTEP IP addresses reside | Y
(task name lost) | Required only for service-chain firewalls in IRF mode.
(task name lost) | Y
Manually added load balancer configuration tasks at a glance
Task | Service-chain load balancers (VNF NEs)
---|---
(task name lost) | Y
(task name lost) | Y
(task name lost) | Y
(task name lost) | Y
Configuring the interface where the VTEP IP addresses reside | Y
(task name lost) | Required only for service-chain load balancers in IRF mode.
Creating the interface where the vLB's virtual server IP resides | Y
Manually added gateway configuration tasks at a glance
Task | Gateways (VNF NEs)
---|---
(task name lost) | Y
(task name lost) | Y
(task name lost) | Y
(task name lost) | Y
Configuring the interface where the VTEP IP addresses reside | Y
Configuring the external network VPN and the external network outgoing interface | Y
(task name lost) | Required only for gateways in IRF mode.
Creating the interface where the vLB's virtual server IP resides | Required only for gateways that also act as load balancers.
Configuration items
Enabling L2VPN
# Enable L2VPN on the device.
[Device] l2vpn enable
Configuring local users and enabling the NETCONF service
# Create a local user named sdn and set the password to 123.
To ensure security, the device needs to perform authentication and authorization for the connections initiated by the VCF controller. Typically, local authentication and authorization are used in the current solution. Therefore, you need to create a local user and configure properties for the user.
[Device] local-user sdn
[Device-luser-manage-sdn] password simple 123
[Device-luser-manage-sdn] service-type http https
[Device-luser-manage-sdn] authorization-attribute user-role network-admin
# Configure the device to communicate with the VCF controller by using NETCONF over HTTPS channels.
[Device] ip http enable
[Device] ip https enable
[Device] netconf soap http enable
[Device] netconf soap https enable
# Enable scheme authentication for VTY lines 0 through 63.
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
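The following Python script is an added example; it is not part of this document or of the VCF solution. It reads the items configured above in running-configuration form (the [Device] prompts removed; the sample input is constructed, not captured from a device) and reports which controller-access requirements are met and which settings deserve a second look before the NE goes into service: the NETCONF over HTTP channel and the HTTP server are unencrypted, and a password entered with the simple keyword is plaintext in the configuration source. A second constructed variant shows the same items with only the HTTPS channel enabled; its password value is a placeholder standing in for a hashed password. The user name sdn, the finding codes, and the rule that any unrecognised command ends the local-user and line views are the script's own assumptions.

```python
import re

# Constructed sample input, not captured from a real device: the preprovisioning
# lines of this section as they would appear in a running configuration.
SAMPLE_CONFIG = """\
local-user sdn class manage
 password simple 123
 service-type http https
 authorization-attribute user-role network-admin
ip http enable
ip https enable
netconf soap http enable
netconf soap https enable
line vty 0 63
 authentication-mode scheme
"""

# Constructed variant with only the encrypted channels enabled. The password
# value is a placeholder standing in for a hashed password.
HTTPS_ONLY_CONFIG = """\
local-user sdn class manage
 password hash PLACEHOLDER_HASH
 service-type https
 authorization-attribute user-role network-admin
ip https enable
netconf soap https enable
line vty 0 63
 authentication-mode scheme
"""

# Whole-line patterns and the finding code each produces when the line is present.
# OK_ codes are requirements met; WARN_ codes are settings to review.
LINE_RULES = {
    r"^netconf soap https enable$": "OK_NETCONF_HTTPS",
    r"^netconf soap http enable$": "WARN_NETCONF_HTTP_CLEARTEXT",
    r"^ip http enable$": "WARN_HTTP_SERVER_CLEARTEXT",
}
# An OK_ code that never appears turns into its paired WARN_ code.
REQUIRED = {
    "OK_NETCONF_HTTPS": "WARN_NETCONF_HTTPS_MISSING",
    "OK_VTY_SCHEME": "WARN_VTY_NOT_SCHEME",
}


def parse_local_users(lines):
    """Collect password form, service types and user roles per local-user view."""
    users, current = {}, None
    for ln in lines:
        m = re.match(r"local-user (\S+)", ln)
        if m:
            current = m.group(1)
            users[current] = {"password_form": None, "services": set(), "roles": set()}
        elif current and ln.startswith("password "):
            users[current]["password_form"] = ln.split()[1]   # 'simple' or 'hash'
        elif current and ln.startswith("service-type "):
            users[current]["services"].update(ln.split()[1:])
        elif current and ln.startswith("authorization-attribute user-role "):
            users[current]["roles"].add(ln.split()[-1])
        else:
            current = None   # assumption: any other command has left the local-user view
    return users


def audit_management_plane(config, controller_user="sdn"):
    """Return sorted finding codes for the NETCONF and local-user items."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = set()
    for ln in lines:
        for pattern, code in LINE_RULES.items():
            if re.match(pattern, ln):
                findings.add(code)

    # 'authentication-mode scheme' counts only directly under a 'line vty' view.
    in_vty = False
    for ln in lines:
        if ln.startswith("line vty "):
            in_vty = True
        elif in_vty and ln == "authentication-mode scheme":
            findings.add("OK_VTY_SCHEME")
        else:
            in_vty = False

    for ok_code, warn_code in REQUIRED.items():
        if ok_code not in findings:
            findings.add(warn_code)

    users = parse_local_users(lines)
    if controller_user not in users:
        findings.add(f"WARN_CONTROLLER_USER_MISSING:{controller_user}")
    for name, attrs in users.items():
        if name == controller_user:
            if "network-admin" not in attrs["roles"]:
                findings.add(f"WARN_CONTROLLER_USER_NOT_NETWORK_ADMIN:{name}")
            if "https" not in attrs["services"]:
                findings.add(f"WARN_CONTROLLER_USER_NO_HTTPS_SERVICE:{name}")
        if attrs["password_form"] == "simple":
            findings.add(f"WARN_PASSWORD_PLAINTEXT_IN_SOURCE:{name}")
        if "http" in attrs["services"]:
            findings.add(f"WARN_HTTP_SERVICE_ALLOWED:{name}")
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("as preprovisioned", SAMPLE_CONFIG), ("HTTPS only", HTTPS_ONLY_CONFIG)):
        print(label, audit_management_plane(cfg))
```

Run against the first sample, the script confirms the HTTPS NETCONF channel and scheme authentication on the VTY lines and lists the HTTP channel, the HTTP server, the HTTP service type on the user, and the plaintext password form as review points; against the HTTPS-only variant it reports only the two OK codes.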
Configuring a routing protocol
IMPORTANT:
· You can select a routing protocol as needed. As a best practice, use OSPF.
· You must configure OSPF processes before enabling OSPF on an interface.
· When the device is a VNF NE, IS-IS cannot be used.
# Configure OSPF processes.
One process (for example, process 10) is used as the area for advertising the management network routes. The other process (for example, process 1) is used as the area for advertising the underlay network routes.
[Device] ospf 10
[Device] ospf 1
Configuring the management interface
IMPORTANT: Loopback 0 is reserved as the management interface of an NE. Do not use this interface for any other purposes.
# Configure the management interface, and add the interface to the area for advertising management network routes to make management network routes reachable.
· For NEs allocated by the resource pool (for example, VNF NEs):
  - When the VNF operates in IRF mode: Create interface Loopback 0 on the NE in IRF mode. The IP address of the interface is allocated by the NFV manager. Add Loopback 0 and the management interfaces on the two NEs forming the IRF fabric to the area for advertising the management network routes. For example, add Loopback 0, GigabitEthernet 1/1/0, and GigabitEthernet 2/1/0 to area 0 of OSPF process 10.
[Device] interface LoopBack 0
[Device-LoopBack0] ospf 10 area 0
[Device-LoopBack0] interface GigabitEthernet 1/1/0
[Device-GigabitEthernet1/1/0] ospf 10 area 0
[Device-GigabitEthernet1/1/0] interface GigabitEthernet 2/1/0
[Device-GigabitEthernet2/1/0] ospf 10 area 0
  - When the VNF operates in standalone mode: The IP address of the management interface (for example, GigabitEthernet 1/0) is assigned by the NFV manager. Add the management interface to the area for advertising management network routes (for example, area 0 of OSPF process 10).
[Device] interface GigabitEthernet 1/0
[Device-GigabitEthernet1/0] ospf 10 area 0
· For physical NEs and manually added virtual NEs: Create the management interface (LoopBack 0 or another interface as needed) and configure an IP address for the interface. Add the interface to the area for advertising the management network routes (for example, area 0 of OSPF process 10).
[Device] interface LoopBack 0
[Device-LoopBack0] ip address 31.0.7.126 255.255.255.255
[Device-LoopBack0] ospf 10 area 0
Configuring the interface where the VTEP IP addresses reside
IMPORTANT:
· Loopback 1 is reserved as the interface for configuring the VTEP IP addresses. Do not use this interface for any other purposes.
· The packets sent out of VMs are large and might be dropped during forwarding because the MTU of an interface is too small. As a best practice, set a larger MTU for the interface.
Perform this task to create the interface where the VTEP IP addresses reside. The VTEP IP addresses are deployed by the VCF controller rather than manually configured. To ensure VTEP IPs are reachable at Layer 3, advertise the VTEP IP addresses and the addresses of underlay network interconnecting interfaces to the area for underlay network routes.
# Create interface Loopback 1 where the VTEP IP resides. Add the interface to the area for advertising underlay network routes (for example, area 0 of OSPF process 1).
[Device] interface LoopBack 1
[Device-LoopBack1] ospf 1 area 0
# Add all interconnecting interfaces (for example, GigabitEthernet 1/4/0 and GigabitEthernet 2/4/0) to the area for advertising the underlay network routes (for example, area 0 of OSPF process 1).
On an NE, the interface connected to the TOR switch or another NE is an underlay network interconnecting interface. The IP addresses of the underlay network interconnecting interfaces are deployed by the NFV manager.
[Device] interface GigabitEthernet 1/4/0
[Device-GigabitEthernet1/4/0] mtu 9216
[Device-GigabitEthernet1/4/0] ospf 1 area 0
[Device-GigabitEthernet1/4/0] ospf cost 1
[Device-GigabitEthernet1/4/0] interface GigabitEthernet 2/4/0
[Device-GigabitEthernet2/4/0] mtu 9216
[Device-GigabitEthernet2/4/0] ospf 1 area 0
[Device-GigabitEthernet2/4/0] ospf cost 1000
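As an added example, not taken from this document or from the VCF solution, the Python check below parses a running configuration (the [Device] prompts removed) and verifies the reachability items from the two preceding tasks: Loopback 0 is advertised in the management process (10), Loopback 1 is advertised in the underlay process (1) and carries no manually set address, since the controller deploys the VTEP IP, and every interconnect interface in the underlay process has the 9216-byte MTU used in this document. The sample input is constructed from the physical gateway example and deliberately leaves the MTU off one interconnect interface. The process numbers, interface names and MTU are the document's; the list of interface-view sub-commands the parser recognises is an assumption.

```python
import re

# Constructed sample input mirroring the physical gateway example in this
# document; GigabitEthernet 2/0/1 is deliberately left without the larger MTU.
SAMPLE_CONFIG = """\
l2vpn enable
ospf 1
ospf 10
interface LoopBack 0
 ip address 31.0.7.126 255.255.255.255
 ospf 10 area 0
interface GigabitEthernet 1/0/1
 ip address 97.0.6.126 255.255.0.0
 ospf 10 area 0
interface LoopBack 1
 ospf 1 area 0
interface GigabitEthernet 2/0/1
 ip address 111.0.9.126 255.255.0.0
 ospf 1 area 0
 ospf cost 1
"""

# Values reserved by this document: process 10 for management routes, process 1
# for underlay routes, Loopback 0 for management, Loopback 1 for the VTEP IP.
MGMT_PROCESS, UNDERLAY_PROCESS = "10", "1"
MGMT_LOOPBACK, VTEP_LOOPBACK = "LoopBack0", "LoopBack1"
MIN_UNDERLAY_MTU = 9216

# Assumption: interface-view commands used in this document; any other command
# (including 'quit') ends the interface view.
SUBCOMMANDS = ("ip address", "ospf ", "mtu ", "vlan-type", "member interface",
               "ip binding", "description", "port ", "vtep access")
# 'ospf 1' or 'ospf 1 vpn-instance x' opens an OSPF process view; 'ospf 1 area 0' does not.
OSPF_PROCESS_VIEW = re.compile(r"^ospf \d+( vpn-instance \S+)?$")


def normalize(name):
    """'LoopBack 0' and 'LoopBack0' name the same interface."""
    return re.sub(r"\s+", "", name)


def parse_interfaces(config):
    """Map each interface name to the list of commands configured under it."""
    views, current = {}, None
    for raw in config.splitlines():
        ln = raw.strip()
        if not ln:
            continue
        m = re.match(r"interface (.+)$", ln)
        if m:
            current = normalize(m.group(1))
            views.setdefault(current, [])
        elif current and ln.startswith(SUBCOMMANDS) and not OSPF_PROCESS_VIEW.match(ln):
            views[current].append(ln)
        else:
            current = None
    return views


def ospf_areas(cmds):
    """{process: area} for each 'ospf <process> area <area>' under an interface."""
    out = {}
    for c in cmds:
        m = re.match(r"ospf (\d+) area (\S+)", c)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def mtu_of(cmds):
    for c in cmds:
        m = re.match(r"mtu (\d+)", c)
        if m:
            return int(m.group(1))
    return None


def check_underlay_reachability(config):
    """Return sorted findings about the reserved loopbacks and interconnect interfaces."""
    views = parse_interfaces(config)
    findings = []

    mgmt = views.get(MGMT_LOOPBACK)
    if mgmt is None or MGMT_PROCESS not in ospf_areas(mgmt):
        findings.append(f"{MGMT_LOOPBACK}: missing or not advertised in OSPF process {MGMT_PROCESS}")
    elif UNDERLAY_PROCESS in ospf_areas(mgmt):
        findings.append(f"{MGMT_LOOPBACK}: reserved for management but also advertised in process {UNDERLAY_PROCESS}")

    vtep = views.get(VTEP_LOOPBACK)
    if vtep is None or UNDERLAY_PROCESS not in ospf_areas(vtep):
        findings.append(f"{VTEP_LOOPBACK}: missing or not advertised in OSPF process {UNDERLAY_PROCESS}")
    elif any(c.startswith("ip address") for c in vtep):
        findings.append(f"{VTEP_LOOPBACK}: has a manual IP address, but the VTEP IP is deployed by the VCF controller")

    # Every non-loopback interface in the underlay process is an interconnect
    # interface and should carry the larger MTU.
    for name, cmds in views.items():
        if name.startswith("LoopBack"):
            continue
        if UNDERLAY_PROCESS in ospf_areas(cmds):
            mtu = mtu_of(cmds)
            if mtu is None or mtu < MIN_UNDERLAY_MTU:
                findings.append(f"{name}: underlay interconnect interface without mtu {MIN_UNDERLAY_MTU} (found {mtu})")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_underlay_reachability(SAMPLE_CONFIG):
        print(finding)
```

On the sample the only finding is the missing MTU on GigabitEthernet 2/0/1; adding mtu 9216 under that interface clears it.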
Configuring the external network VPN and the external network outgoing interface
IMPORTANT:
· The VPN external_vpn is reserved as the external network VPN. Do not use this VPN for any other purposes.
· The interface Reth 1 is reserved as the external network outgoing interface. Do not use this interface for any other purposes.
(Applicable to VNF gateways and NGFW gateways.) The internal network traffic of the network managed by the VCF controller is forwarded in a VPN. To make the internal network and external network communicate, you must create an external network VPN and add the external network outgoing interface to the VPN.
# Create an external network VPN.
[Device] ip vpn-instance external_vpn
# Configure the external network outgoing interface Reth1.
· When Reth1 connects to TOR switches through interfaces sending VLAN-tagged packets, perform the following tasks:
  - Configure VLAN termination on the physical subinterfaces on the device.
  - Configure the physical subinterfaces (for example, GigabitEthernet 1/5/0.2 and GigabitEthernet 2/5/0.2) as the member interfaces of Reth1.
[Device] interface GigabitEthernet 1/5/0.2
[Device-GigabitEthernet1/5/0.2] vlan-type dot1q vid 2
[Device-GigabitEthernet1/5/0.2] interface GigabitEthernet 2/5/0.2
[Device-GigabitEthernet2/5/0.2] vlan-type dot1q vid 2
[Device-GigabitEthernet2/5/0.2] interface Reth 1
[Device-Reth1] member interface GigabitEthernet 1/5/0.2 priority 100
[Device-Reth1] member interface GigabitEthernet 2/5/0.2 priority 80
[Device-Reth1] ip binding vpn-instance external_vpn
· When Reth1 connects to a TOR switch through an interface sending untagged packets, configure the physical interfaces (for example, GigabitEthernet 1/5/0 and GigabitEthernet 2/5/0) as the member interfaces of Reth1.
[Device] interface Reth 1
[Device-Reth1] member interface GigabitEthernet 1/5/0 priority 100
[Device-Reth1] member interface GigabitEthernet 2/5/0 priority 80
[Device-Reth1] ip binding vpn-instance external_vpn
Configuring an IRF fabric
(Applicable to VNF NEs in IRF mode.) To improve availability for NEs, you configure NEs to operate in IRF mode.
# Specify member IDs, priorities, and bind IRF ports to IRF physical interfaces for NEs.
The data channel and the control channel must use different IRF physical interfaces.
[DeviceA] irf member 1
[DeviceA] irf member 1 priority 32
[DeviceA] irf-port 1
[DeviceA-irf-port1] port group interface GigabitEthernet1/2/0 type data
[DeviceA-irf-port1] port group interface GigabitEthernet1/3/0 type control
[DeviceB] irf member 2
[DeviceB] irf member 2 priority 31
[DeviceB] irf-port 2
[DeviceB-irf-port2] port group interface GigabitEthernet2/2/0 type data
[DeviceB-irf-port2] port group interface GigabitEthernet2/3/0 type control
NOTE: When the server where the NFV manager agent resides uses an Intel 82599 10-Gigabit Ethernet controller for virtualization, modify the IRF physical interface names to Ten-GigabitEthernet X/X/X.
Configuring track entries
Track entries are used for monitoring the status of the external network outgoing interfaces, downlink interfaces, and management interfaces.
NOTE: You can modify interface names as needed. In this configuration example, GigabitEthernet 1/1/0 and GigabitEthernet 2/1/0 are used as management interfaces, GigabitEthernet 1/4/0 and GigabitEthernet 2/4/0 are used as member interfaces of the downlink interface Reth2, and GigabitEthernet 1/5/0 and GigabitEthernet 2/5/0 are used as the member interfaces of the uplink interface Reth1.
# (Applicable to VNF gateways and NGFW gateways.) Configure track entries to monitor the three types of interfaces on the virtual gateway.
The virtual gateway forwards internal network traffic at Layer 3 and implements communication between the internal network and external network.
[Device] track 1 interface GigabitEthernet 1/1/0
[Device] track 2 interface GigabitEthernet 1/4/0
[Device] track 3 interface GigabitEthernet 1/5/0
[Device] track 4 interface GigabitEthernet 2/1/0
[Device] track 5 interface GigabitEthernet 2/4/0
[Device] track 6 interface GigabitEthernet 2/5/0
# (Applicable to service-chain vFWs and service-chain vLBs.) Configure track entries to monitor management interfaces and downlink interfaces.
The service-chain nodes forward traffic of the current service chain and are not used for implementing communication between the internal network and external network. You do not need to monitor the external network outgoing interfaces.
[Device] track 1 interface GigabitEthernet 1/4/0
[Device] track 2 interface GigabitEthernet 1/1/0
[Device] track 3 interface GigabitEthernet 2/4/0
[Device] track 4 interface GigabitEthernet 2/1/0
Configuring redundancy groups
Redundancy groups are supported only in IRF mode. A redundancy group must contain two nodes, each of which is bound to an IRF member device. The two nodes implement device-level backup and ensure service packets are received, processed, and sent out on the same IRF member device.
NOTE: The redundancy group names, interface names, and IRF member IDs can be modified as needed. For information about interfaces used in this example, see the note in "Configuring track entries."
# (Applicable to VNF gateways and NGFW gateways.) Create node 1 as the primary node, bind the node to IRF member device 1, and associate it with track entries 1, 2, and 3. Create node 2 as the secondary node, bind the node to IRF member device 2, and associate it with track entries 4, 5, and 6.
When the uplink interface, downlink interface, or management interface of member device 1 fails or member device 1 fails, traffic is switched to member device 2. When the failure recovers, traffic is switched back to member device 1.
[Device] redundancy group SDN_R_Group
[Device-redundancy-group-SDN_R_Group] node 1
[Device-redundancy-group-SDN_R_Group-node1] bind slot 1
[Device-redundancy-group-SDN_R_Group-node1] priority 100
[Device-redundancy-group-SDN_R_Group-node1] track 1 interface GigabitEthernet 1/1/0
[Device-redundancy-group-SDN_R_Group-node1] track 2 interface GigabitEthernet 1/4/0
[Device-redundancy-group-SDN_R_Group-node1] track 3 interface GigabitEthernet 1/5/0
[Device-redundancy-group-SDN_R_Group-node1] node-member interface GigabitEthernet 1/1/0
[Device-redundancy-group-SDN_R_Group-node1] node-member interface GigabitEthernet 1/4/0
[Device-redundancy-group-SDN_R_Group-node1] node-member interface GigabitEthernet 1/5/0
[Device-redundancy-group-SDN_R_Group-node1] quit
[Device-redundancy-group-SDN_R_Group] node 2
[Device-redundancy-group-SDN_R_Group-node2] bind slot 2
[Device-redundancy-group-SDN_R_Group-node2] priority 80
[Device-redundancy-group-SDN_R_Group-node2] track 4 interface GigabitEthernet 2/1/0
[Device-redundancy-group-SDN_R_Group-node2] track 5 interface GigabitEthernet 2/4/0
[Device-redundancy-group-SDN_R_Group-node2] track 6 interface GigabitEthernet 2/5/0
[Device-redundancy-group-SDN_R_Group-node2] node-member interface GigabitEthernet 2/1/0
[Device-redundancy-group-SDN_R_Group-node2] node-member interface GigabitEthernet 2/4/0
[Device-redundancy-group-SDN_R_Group-node2] node-member interface GigabitEthernet 2/5/0
# (Applicable to service-chain vFWs and service-chain vLBs.) Create node 1 as the primary node, bind the node to IRF member device 1, and associate it with track entries 1 and 2. Create node 2 as the secondary node, bind the node to IRF member device 2, and associate it with track entries 3 and 4.
When the downlink interface or management interface of member device 1 fails or member device 1 fails, traffic is switched to member device 2. When the failure recovers, traffic is switched back to member device 1.
[Device] redundancy group SDN_R_Group
[Device-redundancy-group-SDN_R_Group] node 1
[Device-redundancy-group-SDN_R_Group-node1] bind slot 1
[Device-redundancy-group-SDN_R_Group-node1] priority 100
[Device-redundancy-group-SDN_R_Group-node1] track 1 interface GigabitEthernet 1/4/0
[Device-redundancy-group-SDN_R_Group-node1] track 2 interface GigabitEthernet 1/1/0
[Device-redundancy-group-SDN_R_Group-node1] node-member interface GigabitEthernet 1/4/0
[Device-redundancy-group-SDN_R_Group-node1] node-member interface GigabitEthernet 1/1/0
[Device-redundancy-group-SDN_R_Group-node1] quit
[Device-redundancy-group-SDN_R_Group] node 2
[Device-redundancy-group-SDN_R_Group-node2] bind slot 2
[Device-redundancy-group-SDN_R_Group-node2] priority 80
[Device-redundancy-group-SDN_R_Group-node2] track 3 interface GigabitEthernet 2/4/0
[Device-redundancy-group-SDN_R_Group-node2] track 4 interface GigabitEthernet 2/1/0
[Device-redundancy-group-SDN_R_Group-node2] node-member interface GigabitEthernet 2/4/0
[Device-redundancy-group-SDN_R_Group-node2] node-member interface GigabitEthernet 2/1/0
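The two preceding tasks only work as intended when the track entries referenced under each redundancy-group node match the global track entries and sit on the IRF member the node is bound to; a mistyped track number silently leaves a node monitoring the wrong interface. The Python check below is an added example, not part of this document or the VCF solution: it parses a running configuration (the [Device] prompts removed) and reports, for every node, track numbers that are not defined globally, track numbers whose interface differs from the global entry, duplicated track numbers, and tracked or node-member interfaces whose slot number does not match the bound slot. The sample input is constructed on the gateway layout above, with node 2 written the way a mistyped template would look. The group and interface names are the document's; the rule that any unrecognised command ends the redundancy-group view is an assumption.

```python
import re

# Constructed sample input (not from a real device): the IRF-mode gateway layout
# of this document, with node 2's track numbers deliberately mistyped so they
# disagree with the global track entries.
SAMPLE_CONFIG = """\
track 1 interface GigabitEthernet 1/1/0
track 2 interface GigabitEthernet 1/4/0
track 3 interface GigabitEthernet 1/5/0
track 4 interface GigabitEthernet 2/1/0
track 5 interface GigabitEthernet 2/4/0
track 6 interface GigabitEthernet 2/5/0
redundancy group SDN_R_Group
 node 1
  bind slot 1
  priority 100
  track 1 interface GigabitEthernet 1/1/0
  track 2 interface GigabitEthernet 1/4/0
  track 3 interface GigabitEthernet 1/5/0
  node-member interface GigabitEthernet 1/1/0
  node-member interface GigabitEthernet 1/4/0
  node-member interface GigabitEthernet 1/5/0
 node 2
  bind slot 2
  priority 80
  track 3 interface GigabitEthernet 2/1/0
  track 3 interface GigabitEthernet 2/4/0
  track 4 interface GigabitEthernet 2/5/0
  node-member interface GigabitEthernet 2/1/0
  node-member interface GigabitEthernet 2/4/0
  node-member interface GigabitEthernet 2/5/0
ospf 1
"""

TRACK_RE = re.compile(r"^track (\d+) interface (.+)$")


def normalize(name):
    """'GigabitEthernet 1/1/0' and 'GigabitEthernet1/1/0' name the same interface."""
    return re.sub(r"\s+", "", name)


def slot_of(iface):
    """The IRF member (slot) number is the first field of an x/y/z interface number."""
    m = re.search(r"(\d+)/\d+/\d+", iface)
    return int(m.group(1)) if m else None


def parse_redundancy(config):
    """Return (global_tracks, groups).

    global_tracks: {track_id: interface}
    groups: {group_name: {node_id: {"slot": int, "tracks": [(id, iface)], "members": [iface]}}}
    """
    global_tracks, groups = {}, {}
    group = node = None
    for raw in config.splitlines():
        ln = raw.strip()
        if not ln:
            continue
        m = re.match(r"^redundancy group (\S+)$", ln)
        if m:
            group, node = groups.setdefault(m.group(1), {}), None
            continue
        if group is not None:
            m = re.match(r"^node (\d+)$", ln)
            if m:
                node = group.setdefault(int(m.group(1)), {"slot": None, "tracks": [], "members": []})
                continue
            if node is not None:
                m = re.match(r"^bind slot (\d+)$", ln)
                if m:
                    node["slot"] = int(m.group(1))
                    continue
                if re.match(r"^priority \d+$", ln):
                    continue
                m = TRACK_RE.match(ln)
                if m:
                    node["tracks"].append((int(m.group(1)), normalize(m.group(2))))
                    continue
                m = re.match(r"^node-member interface (.+)$", ln)
                if m:
                    node["members"].append(normalize(m.group(1)))
                    continue
            group = node = None   # assumption: any other command has left the group view
        m = TRACK_RE.match(ln)
        if m:
            global_tracks[int(m.group(1))] = normalize(m.group(2))
    return global_tracks, groups


def check_redundancy_groups(config):
    """List inconsistencies between redundancy-group nodes and the global track entries."""
    global_tracks, groups = parse_redundancy(config)
    findings = []
    for gname, nodes in groups.items():
        for nid, node in sorted(nodes.items()):
            where = f"{gname} node {nid}"
            seen = set()
            for tid, iface in node["tracks"]:
                if tid in seen:
                    findings.append(f"{where}: track {tid} listed more than once")
                seen.add(tid)
                if tid not in global_tracks:
                    findings.append(f"{where}: track {tid} is not defined globally")
                elif global_tracks[tid] != iface:
                    findings.append(f"{where}: track {tid} monitors {global_tracks[tid]} globally but {iface} here")
            for iface in [i for _, i in node["tracks"]] + node["members"]:
                if node["slot"] is not None and slot_of(iface) != node["slot"]:
                    findings.append(f"{where}: {iface} is not on bound slot {node['slot']}")
    return findings


if __name__ == "__main__":
    for finding in check_redundancy_groups(SAMPLE_CONFIG):
        print(finding)
```

On the sample, node 1 is clean and node 2 produces four findings (three interface mismatches and one duplicated track number); renumbering node 2's entries to tracks 4, 5 and 6, as in the task above, clears them all.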
Configuring stateful failover
When NEs operate in IRF mode, you must configure stateful failover-related functions on the two virtual NEs.
# (Applicable to vFWs, vLBs, VNF gateways, and NGFW gateways.) Enable session synchronization.
[Device] session synchronization enable
# (Applicable to VNF gateways and NGFW gateways.) Enable dynamic NAT444 service synchronization.
[Device] nat port-block synchronization enable
# (Applicable to VNF gateways and NGFW gateways.) Enable IPsec redundancy.
[Device] ipsec redundancy enable
Creating the interface where the vLB's virtual server IP resides
IMPORTANT: Loopback 127 is reserved as the interface where the virtual server IP resides. Do not use this interface for any other purposes.
The virtual server is a virtual carrier for user services on the load balancer. Only packets matching the virtual server can be processed by the load balancer.
# (Applicable to vLBs.) Create interface Loopback 127, and use this interface to carry the virtual server IP address.
The virtual server IP address configured on the VCF controller will be automatically deployed to the interface.
[Device] interface LoopBack 127
Configuring the firewall to permit traffic by default
IMPORTANT:
· The security zone SDN_ZONE_DEFAULT is reserved as the default permit zone. Do not use this zone for any other purposes.
· The object policy SDN_POLICY_DEFAULT is reserved as the default permit policy. Do not use this object policy for any other purposes.
Some firewalls (for example, vFWs created by the NFV manager or the vFWs virtualized on the M9K device) drop packets matching no security policies by default. As a result, the underlay network or management network might be unreachable.
# Add the interfaces that permit traffic to the default SDN security zone, configure an object policy to permit traffic to pass through, and set the default action to permit for packets exchanged between interfaces in the same security zone.
Then, underlay data link packets and management packets are permitted, and the network is reachable.
[Device] security-zone name SDN_ZONE_DEFAULT
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet1/0
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet2/0
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet3/0
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet3/0.2
[Device-security-zone-SDN_ZONE_DEFAULT] quit
[Device] object-policy ip SDN_POLICY_DEFAULT
[Device-object-policy-ip-SDN_POLICY_DEFAULT] rule 0 pass
[Device-object-policy-ip-SDN_POLICY_DEFAULT] quit
[Device] security-zone intra-zone default permit
[Device] zone-pair security source any destination any
[Device-zone-pair-security-Any-Any] object-policy apply ip SDN_POLICY_DEFAULT
Configuring the OVSDB VTEP function and site-facing interface
# Configure the OVSDB VTEP function on the physical access device.
Then, the VCF controller can automatically sense the online events of VMs or physical servers and learn ARP entries, so that the physical access device can run like a vSwitch.
[Device] ovsdb server ptcp
[Device] ovsdb server enable
[Device] vtep enable
# Specify the site-facing interface as a VTEP access port.
The interface that connects the physical access device to a VM or physical server is a site-facing interface, for example, Ten-GigabitEthernet 2/0/5:1. To display and control the site-facing interface on the VCF controller, you must specify the interface as a VTEP access port.
[Device] interface Ten-GigabitEthernet2/0/5
[Device-Ten-GigabitEthernet2/0/5] vtep access port
Reserving VLAN interface resources
Because of the restrictions of the chips used in products (for example, the F series chips used in S12500-X switches), you must reserve VLAN interface resources before creating Layer 3 interfaces or subinterfaces other than VLAN interfaces or configuring features that use Layer 3 interface hardware resources.
# Reserve global VLAN interface resources before creating VXLANs in VSI view when VXLAN tunnels operate in Layer 3 forwarding mode.
One global VLAN interface resource must be reserved for one VXLAN.
[Device] reserve-vlan-interface 3400 to 3500 global
Assigning the physical interfaces connecting to the security devices to the same VLAN
Perform this task when a service gateway group is used in the networking scheme.
# Assign the physical interfaces (for example, GigabitEthernet 11/0/13) connecting service gateway group member devices to security devices (for example, firewalls and load balancers) to the same VLAN.
This configuration ensures that the member devices and security devices can communicate at Layer 2.
[Device] interface GigabitEthernet 11/0/13
[Device-GigabitEthernet11/0/13] port link-mode bridge
[Device-GigabitEthernet11/0/13] port link-type trunk
[Device-GigabitEthernet11/0/13] port trunk permit vlan all
Configuring the IRF bridge MAC address to be permanent
# Configure the IRF bridge MAC address to be permanent.
Perform this task when an NE operates in IRF mode. The IRF bridge MAC address does not change after the address owner leaves the fabric.
[Device] irf mac-address persistent always
Configuration examples
Physical NE preprovisioning
Physical gateway
Local user and NETCONF configuration
[Device] local-user sdn
[Device-luser-manage-sdn] password simple 123
[Device-luser-manage-sdn] service-type http https
[Device-luser-manage-sdn] authorization-attribute user-role network-admin
[Device] ip http enable
[Device] ip https enable
[Device] netconf soap http enable
[Device] netconf soap https enable
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
Underlay network configuration
[Device] l2vpn enable
[Device] ospf 1
[Device] ospf 10
[Device] interface LoopBack 0
[Device-LoopBack0] ip address 31.0.7.126 255.255.255.255
[Device-LoopBack0] ospf 10 area 0
[Device-LoopBack0] quit
[Device] interface GigabitEthernet 1/0/1
[Device-GigabitEthernet1/0/1] ip address 97.0.6.126 255.255.0.0
[Device-GigabitEthernet1/0/1] ospf 10 area 0
[Device-GigabitEthernet1/0/1] quit
[Device] interface LoopBack 1
[Device-LoopBack1] ospf 1 area 0
[Device-LoopBack1] quit
[Device] interface GigabitEthernet 2/0/1
[Device-GigabitEthernet2/0/1] ip address 111.0.9.126 255.255.0.0
[Device-GigabitEthernet2/0/1] mtu 9216
[Device-GigabitEthernet2/0/1] ospf 1 area 0
[Device-GigabitEthernet2/0/1] ospf cost 1
Physical access device
Local user and NETCONF configuration
[Device] local-user sdn
[Device-luser-manage-sdn] password simple 123
[Device-luser-manage-sdn] service-type http https
[Device-luser-manage-sdn] authorization-attribute user-role network-admin
[Device] ip http enable
[Device] ip https enable
[Device] netconf soap http enable
[Device] netconf soap https enable
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
Underlay network configuration
[Device] l2vpn enable
[Device] ospf 1
[Device] ospf 10
[Device] interface LoopBack 0
[Device-LoopBack0] ip address 31.0.7.128 255.255.255.255
[Device-LoopBack0] ospf 10 area 0
[Device-LoopBack0] quit
[Device] interface GigabitEthernet 2/0/33
[Device-GigabitEthernet2/0/33] ip address 97.0.6.128 255.255.0.0
[Device-GigabitEthernet2/0/33] ospf 10 area 0
[Device-GigabitEthernet2/0/33] quit
[Device] interface LoopBack 1
[Device-LoopBack1] ospf 1 area 0
[Device-LoopBack1] quit
[Device] interface GigabitEthernet 2/0/34
[Device-GigabitEthernet2/0/34] ip address 111.0.9.128 255.255.0.0
[Device-GigabitEthernet2/0/34] mtu 9216
[Device-GigabitEthernet2/0/34] ospf 1 area 0
[Device-GigabitEthernet2/0/34] ospf cost 1
[Device-GigabitEthernet2/0/34] quit
OVSDB VTEP function and site-facing interface configuration
[Device] ovsdb server ptcp
[Device] ovsdb server enable
[Device] vtep enable
[Device] interface Ten-GigabitEthernet2/0/5
[Device-Ten-GigabitEthernet2/0/5] port link-mode bridge
[Device-Ten-GigabitEthernet2/0/5] port link-type trunk
[Device-Ten-GigabitEthernet2/0/5] vtep access port
NFVM and NGFWM template configuration
When you use the NFV manager or NGFW manager to create NEs of the specified type, the VCF controller will deploy the default configuration to NEs according to the type of template used for creating the NEs. This section describes the configuration deployed by the VCF controller.
This section describes only the simplest configuration for a type of NEs to function. The deployed configuration varies with the interfaces used for configuring templates.
NFVM template
IMPORTANT: When the server where the NFV manager agent resides uses an Intel 82599 10-Gigabit Ethernet controller for virtualization, modify the IRF physical interface names to Ten-GigabitEthernet X/X/X.
VNF gateway in standalone mode
ip vpn-instance external_vpn
interface GigabitEthernet 3/0.2
vlan-type dot1q vid 2
interface Reth 1
member interface GigabitEthernet 3/0.2 priority 100
ip binding vpn-instance external_vpn
ospf 1
ospf 10
interface LoopBack 0
ospf 10 area 0
interface GigabitEthernet 1/0
ospf 10 area 0
interface LoopBack 1
ospf 1 area 0
interface GigabitEthernet 2/0
mtu 9216
ospf 1 area 0
ospf cost 1
VNF gateway in IRF mode
session synchronization enable
nat port-block synchronization enable
ipsec redundancy enable
ip vpn-instance external_vpn
netconf ssh server enable
interface GigabitEthernet 1/5/0.2
vlan-type dot1q vid 2
interface GigabitEthernet 2/5/0.2
vlan-type dot1q vid 2
interface Reth 1
member interface GigabitEthernet 1/5/0.2 priority 100
member interface GigabitEthernet 2/5/0.2 priority 80
ip binding vpn-instance external_vpn
track 1 interface GigabitEthernet 1/1/0
track 2 interface GigabitEthernet 1/4/0
track 3 interface GigabitEthernet 1/5/0
track 4 interface GigabitEthernet 2/1/0
track 5 interface GigabitEthernet 2/4/0
track 6 interface GigabitEthernet 2/5/0
redundancy group SDN_R_Group
node 1
bind slot 1
priority 100
track 1 interface GigabitEthernet 1/1/0
track 2 interface GigabitEthernet 1/4/0
track 3 interface GigabitEthernet 1/5/0
node-member interface GigabitEthernet 1/1/0
node-member interface GigabitEthernet 1/4/0
node-member interface GigabitEthernet 1/5/0
node 2
bind slot 2
priority 80
track 4 interface GigabitEthernet 2/1/0
track 5 interface GigabitEthernet 2/4/0
track 6 interface GigabitEthernet 2/5/0
node-member interface GigabitEthernet 2/1/0
node-member interface GigabitEthernet 2/4/0
node-member interface GigabitEthernet 2/5/0
ospf 1
ospf 10
interface LoopBack 0
ospf 10 area 0
interface GigabitEthernet 1/1/0
ospf 10 area 0
interface GigabitEthernet 2/1/0
ospf 10 area 0
interface LoopBack 1
ospf 1 area 0
interface GigabitEthernet 1/4/0
mtu 9216
ospf 1 area 0
ospf cost 1
interface GigabitEthernet 2/4/0
mtu 9216
ospf 1 area 0
ospf cost 1000
irf member 1 priority 32
irf member 2 priority 31
irf-port 1
port group interface GigabitEthernet1/2/0 type data
port group interface GigabitEthernet1/3/0 type control
irf-port 2
port group interface GigabitEthernet2/2/0 type data
port group interface GigabitEthernet2/3/0 type control
Service-chain vFW in standalone mode
ospf 1
ospf 10
interface GigabitEthernet 1/0
ospf 10 area 0
interface LoopBack 1
ospf 1 area 0
interface GigabitEthernet 2/0
mtu 9216
ospf 1 area 0
security-zone name SDN_ZONE_DEFAULT
import interface GigabitEthernet1/0
import interface GigabitEthernet2/0
object-policy ip SDN_POLICY_DEFAULT
rule 0 pass
security-zone intra-zone default permit
zone-pair security source Any destination Any
object-policy apply ip SDN_POLICY_DEFAULT
Service-chain vFW in IRF mode
session synchronization enable
track 1 interface GigabitEthernet 1/4/0
track 2 interface GigabitEthernet 1/1/0
track 3 interface GigabitEthernet 2/4/0
track 4 interface GigabitEthernet 2/1/0
redundancy group SDN_R_Group
node 1
bind slot 1
priority 100
track 1 interface GigabitEthernet 1/4/0
track 2 interface GigabitEthernet 1/1/0
node-member interface GigabitEthernet 1/4/0
node-member interface GigabitEthernet 1/1/0
node 2
bind slot 2
priority 80
track 3 interface GigabitEthernet 2/4/0
track 4 interface GigabitEthernet 2/1/0
node-member interface GigabitEthernet 2/4/0
node-member interface GigabitEthernet 2/1/0
ospf 1
ospf 10
interface LoopBack 0
ospf 10 area 0
interface GigabitEthernet 1/1/0
ospf 10 area 0
interface GigabitEthernet 2/1/0
ospf 10 area 0
interface LoopBack 1
ospf 1 area 0
interface GigabitEthernet 1/4/0
mtu 9216
ospf 1 area 0
ospf cost 1
interface GigabitEthernet 2/4/0
mtu 9216
ospf 1 area 0
ospf cost 1000
irf member 1 priority 32
irf member 2 priority 31
irf-port 1
port group interface GigabitEthernet1/2/0 type data
port group interface GigabitEthernet1/3/0 type control
irf-port 2
port group interface GigabitEthernet2/2/0 type data
port group interface GigabitEthernet2/3/0 type control
security-zone name SDN_ZONE_DEFAULT
import interface GigabitEthernet1/1/0
import interface GigabitEthernet1/4/0
import interface GigabitEthernet2/1/0
import interface GigabitEthernet2/4/0
object-policy ip SDN_POLICY_DEFAULT
rule 0 pass
security-zone intra-zone default permit
zone-pair security source Any destination Any
object-policy apply ip SDN_POLICY_DEFAULT
Service-chain vLB in IRF mode
session synchronization enable
track 1 interface GigabitEthernet 1/4/0
track 2 interface GigabitEthernet 1/1/0
track 3 interface GigabitEthernet 2/4/0
track 4 interface GigabitEthernet 2/1/0
redundancy group SDN_R_Group
node 1
bind slot 1
priority 100
track 1 interface GigabitEthernet 1/4/0
track 2 interface GigabitEthernet 1/1/0
node-member interface GigabitEthernet 1/4/0
node-member interface GigabitEthernet 1/1/0
node 2
bind slot 2
priority 80
track 3 interface GigabitEthernet 2/4/0
track 4 interface GigabitEthernet 2/1/0
node-member interface GigabitEthernet 2/4/0
node-member interface GigabitEthernet 2/1/0
ospf 1
ospf 10
interface LoopBack 0
ospf 10 area 0
interface GigabitEthernet 1/1/0
ospf 10 area 0
interface GigabitEthernet 2/1/0
ospf 10 area 0
interface LoopBack 1
ospf 1 area 0
interface LoopBack 127
interface GigabitEthernet 1/4/0
mtu 9216
ospf 1 area 0
ospf cost 1
interface GigabitEthernet 2/4/0
mtu 9216
ospf 1 area 0
ospf cost 1000
irf member 1 priority 32
irf member 2 priority 31
irf-port 1
port group interface GigabitEthernet1/2/0 type data
port group interface GigabitEthernet1/3/0 type control
irf-port 2
port group interface GigabitEthernet2/2/0 type data
port group interface GigabitEthernet2/3/0 type control
Service-chain vLB in standalone mode
ospf 1
ospf 10
interface GigabitEthernet 1/0
ospf 10 area 0
interface LoopBack 1
ospf 1 area 0
interface GigabitEthernet 2/0
mtu 9216
ospf 1 area 0
ospf cost 1
interface LoopBack 127
NGFWM template
Gateway-type vFW
ip vpn-instance external_vpn
interface GigabitEthernet 3/0.2
vlan-type dot1q vid 2
interface Reth 1
member interface GigabitEthernet 3/0.2 priority 100
ip binding vpn-instance external_vpn
ospf 1
ospf 10
interface GigabitEthernet 1/0
ospf 10 area 0
interface LoopBack 1
ospf 1 area 0
interface GigabitEthernet 2/0
mtu 9216
ospf 1 area 0
ospf cost 1
security-zone name SDN_ZONE_DEFAULT
import interface GigabitEthernet1/0
import interface GigabitEthernet2/0
import interface GigabitEthernet3/0
import interface GigabitEthernet3/0.2
object-policy ip SDN_POLICY_DEFAULT
rule 0 pass
security-zone intra-zone default permit
zone-pair security source Any destination Any
object-policy apply ip SDN_POLICY_DEFAULT
Service-chain vFW
ospf 1
ospf 10
interface GigabitEthernet 1/0
ospf 10 area 0
interface LoopBack 1
ospf 1 area 0
interface GigabitEthernet 2/0
mtu 9216
ospf 1 area 0
security-zone name SDN_ZONE_DEFAULT
import interface GigabitEthernet1/0
import interface GigabitEthernet2/0
object-policy ip SDN_POLICY_DEFAULT
rule 0 pass
security-zone intra-zone default permit
zone-pair security source Any destination Any
object-policy apply ip SDN_POLICY_DEFAULT
Gateway service-type vFW
session synchronization enable
ipsec redundancy enable
nat port-block synchronization enable
ip vpn-instance external_vpn
ospf 1 vpn-instance external_vpn
import-route direct
import-route static
area 0.0.0.0
interface LoopBack2
ip binding vpn-instance external_vpn
interface Ten-GigabitEthernet2/0/3
description internal
interface Ten-GigabitEthernet2/0/9
description external
ip binding vpn-instance external_vpn
ospf 1 area 0.0.0.0
interface Ten-GigabitEthernet2/0/15
description management
security-zone name SEC_ZONE_DEFAULT
import interface Ten-GigabitEthernet2/0/15
object-policy ip SEC_POLICY_DEFAULT
rule 0 pass
security-zone intra-zone default permit
zone-pair security source Any destination Any
object-policy apply ip SEC_POLICY_DEFAULT
ip route-static 0.0.0.0 0 192.168.67.254
Service-chain vLB
netconf ssh server enable
ospf 1
ospf 10
interface GigabitEthernet 1/0
ospf 10 area 0
interface LoopBack 1
ospf 1 area 0
interface GigabitEthernet 2/0
mtu 9216
ospf 1 area 0
ospf cost 1
interface LoopBack 127
Gateway service-type vLB
nat port-block synchronization enable
session synchronization enable
session synchronization http
interface LoopBack127
interface GigabitEthernet1/0/1
description management
interface Ten-GigabitEthernet1/0/24
description internal
ip route-static 0.0.0.0 0 192.168.67.254
Preprovisioning manually added NEs
Manually adding a firewall as a service chain node
Local user and NETCONF configuration
[Device] local-user sdn
[Device-luser-manage-sdn] password simple 123
[Device-luser-manage-sdn] service-type http https
[Device-luser-manage-sdn] authorization-attribute user-role network-admin
[Device] ip http enable
[Device] ip https enable
[Device] netconf soap http enable
[Device] netconf soap https enable
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
Underlay network configuration
[Device] l2vpn enable
[Device] ospf 1
[Device] ospf 10
[Device] interface LoopBack 0
[Device-LoopBack0] ip address 31.0.7.123 255.255.255.255
[Device-LoopBack0] ospf 10 area 0
[Device-LoopBack0] interface GigabitEthernet 1/0
[Device-GigabitEthernet1/0] ip address 97.0.6.126 255.255.0.0
[Device-GigabitEthernet1/0] ospf 10 area 0
[Device-GigabitEthernet1/0] interface LoopBack 1
[Device-LoopBack1] ip address 21.0.6.126 255.255.255.255
[Device-LoopBack1] ospf 1 area 0
[Device-LoopBack1] interface GigabitEthernet 2/0
[Device-GigabitEthernet2/0] ip address 111.0.9.125 255.255.0.0
[Device-GigabitEthernet2/0] mtu 9216
[Device-GigabitEthernet2/0] ospf 1 area 0
[Device-GigabitEthernet2/0] ospf cost 1
Security configuration
[Device] security-zone name SDN_ZONE_DEFAULT
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet1/0
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet2/0
[Device-security-zone-SDN_ZONE_DEFAULT] quit
[Device] object-policy ip SDN_POLICY_DEFAULT
[Device-object-policy-ip-SDN_POLICY_DEFAULT] rule 0 pass
[Device-object-policy-ip-SDN_POLICY_DEFAULT] quit
[Device] security-zone intra-zone default permit
[Device] zone-pair security source any destination any
[Device-zone-pair-security-Any-Any] object-policy apply ip SDN_POLICY_DEFAULT
Manually adding a load balancer as a service chain node
Local user and NETCONF configuration
[Device] local-user sdn
[Device-luser-manage-sdn] password simple 123
[Device-luser-manage-sdn] service-type http https
[Device-luser-manage-sdn] authorization-attribute user-role network-admin
[Device] ip http enable
[Device] ip https enable
[Device] netconf soap http enable
[Device] netconf soap https enable
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
Underlay network configuration
[Device] l2vpn enable
[Device] ospf 1
[Device] ospf 10
[Device] interface LoopBack 0
[Device-LoopBack0] ip address 31.0.7.123 255.255.255.255
[Device-LoopBack0] ospf 10 area 0
[Device-LoopBack0] interface GigabitEthernet 1/0
[Device-GigabitEthernet1/0] ip address 97.0.6.126 255.255.0.0
[Device-GigabitEthernet1/0] ospf 10 area 0
[Device-GigabitEthernet1/0] interface LoopBack 1
[Device-LoopBack1] ip address 21.0.6.126 255.255.255.255
[Device-LoopBack1] ospf 1 area 0
[Device-LoopBack1] interface GigabitEthernet 2/0
[Device-GigabitEthernet2/0] ip address 111.0.9.125 255.255.0.0
[Device-GigabitEthernet2/0] mtu 9216
[Device-GigabitEthernet2/0] ospf 1 area 0
[Device-GigabitEthernet2/0] ospf cost 1
Configuring the interface where the virtual server IP resides
[Device] interface LoopBack 127
Manually adding a VNF firewall as a VNF gateway
Local user and NETCONF configuration
[Device] local-user sdn
[Device-luser-manage-sdn] password simple 123
[Device-luser-manage-sdn] service-type http https
[Device-luser-manage-sdn] authorization-attribute user-role network-admin
[Device] ip http enable
[Device] ip https enable
[Device] netconf soap http enable
[Device] netconf soap https enable
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
Underlay network configuration
[Device] l2vpn enable
[Device] ip vpn-instance external_vpn
[Device] interface GigabitEthernet 3/0.2
[Device-GigabitEthernet3/0.2] vlan-type dot1q vid 2
[Device-GigabitEthernet3/0.2] interface Reth 1
[Device-Reth1] member interface GigabitEthernet 3/0.2 priority 100
[Device-Reth1] ip binding vpn-instance external_vpn
[Device-Reth1] quit
[Device] ospf 1
[Device] ospf 10
[Device] interface LoopBack 0
[Device-LoopBack0] ospf 10 area 0
[Device-LoopBack0] interface GigabitEthernet 1/0
[Device-GigabitEthernet1/0] ospf 10 area 0
[Device-GigabitEthernet1/0] interface LoopBack 1
[Device-LoopBack1] ospf 1 area 0
[Device-LoopBack1] interface GigabitEthernet 2/0
[Device-GigabitEthernet2/0] mtu 9216
[Device-GigabitEthernet2/0] ospf 1 area 0
[Device-GigabitEthernet2/0] ospf cost 1
Security configuration
[Device] security-zone name SDN_ZONE_DEFAULT
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet1/0
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet2/0
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet3/0
[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet3/0.2
[Device-security-zone-SDN_ZONE_DEFAULT] quit
[Device] object-policy ip SDN_POLICY_DEFAULT
[Device-object-policy-ip-SDN_POLICY_DEFAULT] rule 0 pass
[Device-object-policy-ip-SDN_POLICY_DEFAULT] quit
[Device] security-zone intra-zone default permit
[Device] zone-pair security source any destination any
[Device-zone-pair-security-Any-Any] object-policy apply ip SDN_POLICY_DEFAULT
Manually adding a VSR as a VNF gateway
Local user and NETCONF configuration
[Device] local-user sdn
[Device-luser-manage-sdn] password simple 123
[Device-luser-manage-sdn] service-type http https
[Device-luser-manage-sdn] authorization-attribute user-role network-admin
[Device] ip http enable
[Device] ip https enable
[Device] netconf soap http enable
[Device] netconf soap https enable
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
Underlay network configuration
[Device] l2vpn enable
[Device] ip vpn-instance external_vpn
[Device] interface GigabitEthernet 3/0.2
[Device-GigabitEthernet3/0.2] vlan-type dot1q vid 2
[Device-GigabitEthernet3/0.2] interface Reth 1
[Device-Reth1] member interface GigabitEthernet 3/0.2 priority 100
[Device-Reth1] ip binding vpn-instance external_vpn
[Device-Reth1] quit
[Device] ospf 1
[Device] ospf 10
[Device] interface LoopBack 0
[Device-LoopBack0] ospf 10 area 0
[Device-LoopBack0] interface GigabitEthernet 1/0
[Device-GigabitEthernet1/0] ospf 10 area 0
[Device-GigabitEthernet1/0] interface LoopBack 1
[Device-LoopBack1] ospf 1 area 0
[Device-LoopBack1] interface GigabitEthernet 2/0
[Device-GigabitEthernet2/0] mtu 9216
[Device-GigabitEthernet2/0] ospf 1 area 0
[Device-GigabitEthernet2/0] ospf cost 1
Manually adding bare-metal devices managed by NGFWM
Local user and NETCONF configuration
[Device] local-user sdn
[Device-luser-manage-sdn] password simple 123
[Device-luser-manage-sdn] service-type http https
[Device-luser-manage-sdn] authorization-attribute user-role network-admin
[Device] ip http enable
[Device] ip https enable
[Device] netconf soap http enable
[Device] netconf soap https enable
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
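The local user and NETCONF block is repeated for every manually added NE type above. As an added example that is not H3C or VCF code, the following Python script takes such a block as pasted from a CLI session (or the prompt-less template form used earlier in this document), strips the view prompts, confirms the items the controller depends on are present, and lists the settings a reviewer checks before the NE goes live. The REQUIRED list and the findings are this example's own assumptions; the sample input is the guide's block, embedded as constructed input.

```python
import re

# Constructed sample: the guide's 'Local user and NETCONF configuration'
# lines, prompts included, as a reviewer would paste them from a session.
SAMPLE = """\
[Device] local-user sdn
[Device-luser-manage-sdn] password simple 123
[Device-luser-manage-sdn] service-type http https
[Device-luser-manage-sdn] authorization-attribute user-role network-admin
[Device] ip http enable
[Device] ip https enable
[Device] netconf soap http enable
[Device] netconf soap https enable
[Device] line vty 0 63
[Device-line-vty0-63] authentication-mode scheme
"""

PROMPT = re.compile(r"^\[[^\]]*\]\s*")  # leading '[Device...]' view prompt

# Items the controller needs to manage the NE over NETCONF/SOAP over HTTPS
# (this example's assumption, taken from the blocks in this guide).
REQUIRED = [
    "local-user sdn",
    "service-type http https",
    "authorization-attribute user-role network-admin",
    "ip https enable",
    "netconf soap https enable",
    "authentication-mode scheme",
]

def strip_prompts(text):
    """Return the bare commands: view prompts removed, blank lines dropped."""
    cmds = [PROMPT.sub("", line).strip() for line in text.splitlines()]
    return [c for c in cmds if c]

def audit(text):
    """Return (missing, findings): REQUIRED items absent from the snippet,
    and settings a reviewer checks before the NE goes live."""
    cmds = strip_prompts(text)
    missing = [item for item in REQUIRED if item not in cmds]
    findings = []
    for cmd in cmds:
        if cmd.startswith("password simple "):
            # 'simple' = password typed in plaintext; the sample value
            # in the guide is a placeholder that must be replaced.
            findings.append("plaintext CLI password for local user: " + cmd)
        elif cmd in ("ip http enable", "netconf soap http enable"):
            findings.append("unencrypted HTTP management enabled: " + cmd)
    return missing, findings
```

Calling `audit(SAMPLE)` on the guide's block reports no missing items and three findings: the sample password and the two plain-HTTP enables.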
Management interface and route configuration
Configure an IP address for the management interface, and configure a route so that the management IP address and the VCF controller IP address are reachable from each other. (Details not shown.)