Contents

Overview·· 1

Preprovisioning basic configuration· 2

Configuration tasks at a glance· 2

Physical device configuration tasks at a glance· 2

Manually added firewall configuration tasks at a glance· 2

Manually added load balancer configuration tasks at a glance· 3

Manually added gateway configuration tasks at a glance· 3

Configuration items· 4

Enabling L2VPN· 4

Configuring local users and enabling the NETCONF service· 4

Configuring a routing protocol 4

Configuring the management interface· 5

Configuring the interface where the VTEP IP addresses reside· 5

Configuring the external network VPN and the external network outgoing Reth interface· 6

Configuring an IRF fabric· 7

Configuring track entries· 7

Configuring redundancy groups· 8

Configuring stateful failover 9

Creating the interface where the vLB's virtual server IP resides· 9

Configuring the firewall to permit traffic by default 10

Configuring the OVSDB VTEP function and site-facing interface· 10

Reserving VLAN interface resources· 11

Assigning the physical interfaces connecting to the security devices to the same VLAN· 11

Activating the DPI feature on physical security devices· 11

Configuring the IRF bridge MAC address to be permanent 11

Configuration examples· 12

Physical device preprovisioning· 12

Physical gateway· 12

Physical access device (L2VTEP) 13

VNFM and NGFWM template configuration· 14

VNFM 3.0 template· 14

NGFWM template· 18

Preprovisioning manually added devices· 21

Manually adding a firewall as a service chain node· 21

Manually adding a load balancer as a service chain node· 22

Manually adding a VNF firewall as a VNF gateway· 23

Manually adding a VSR as a VNF gateway· 24

Manually adding bare-metal devices managed by NGFW manager 25

Overview

The devices mentioned in this document refer to devices managed by the controller. To ensure the devices can correctly access the underlay network and the devices and the controller are reachable at Layer 3, you must preprovision the devices. This document describes how to preprovision devices in different scenarios. Then, you can manually preprovision devices by device type.

Depending on the carriers of devices, devices include the following types:

·     Physical device—Devices carried on physical devices, for example, physical switches. Depending on the type of services provided, physical devices include physical access devices (L2VTEPs) and physical gateways. You must preprovision physical devices.

·     Virtual device—Devices (for example, VNF devices and NGFW devices) virtualized on a physical server or physical network device (for example, M9000). Depending on the type of services provided, virtual devices include virtual gateway, virtual firewall, and virtual load balancer. Depending on how virtual devices are created, virtual devices include the following types:

¡     Manually added device—Devices that are manually created and then manually added to the controller for management. You must preprovision this type of devices.

¡     Devices allocated by a resource pool—Virtual devices allocated by the NGFW resource pool or VNF resource pool. When creating this type of devices, you must use the related template. Preprovisioned configuration is generated when the template is created. You do not need to preprovision this type of devices. You can learn the preprovisioned functions in the template through the configuration items described in "Configuration items." Also, you can modify the preprovisioned configuration in the template as needed.

Preprovisioning basic configuration

This chapter describes the configuration items and configuration tasks for devices of different types. The Configuration items section describes all possible functions for devices of different types. You can preprovision devices of the specified type according to the corresponding part in the Configuration tasks at a glance section. Also, you can learn which configuration items are preprovisioned in the templates for devices of different types.

Configuration tasks at a glance

Physical device configuration tasks at a glance

Manually added firewall configuration tasks at a glance

Manually added load balancer configuration tasks at a glance

Manually added gateway configuration tasks at a glance

Configuration items

Enabling L2VPN

# Enable L2VPN on the device.

[Device] l2vpn enable

Configuring local users and enabling the NETCONF service

# Create a local user named sdn and set the password to 123.

To ensure security, the device needs to perform authentication and authorization for the connections initiated by the controller. Typically, local authentication and authorization are used in the current solution. Therefore, you need to create a local user and configure properties for the user.

[Device] local-user sdn

[Device-luser-manage-sdn] password simple 123

[Device-luser-manage-sdn] service-type ssh

[Device-luser-manage-sdn] authorization-attribute user-role network-admin

# Configure the device to communicate with the controller by using NETCONF over SSH channels.

[Device] ssh server enable

[Device] netconf ssh server enable

# Enable scheme authentication for VTY lines 0 through 63.

[Device] line vty 0 63

[Device-line-vty0-63] authentication-mode scheme

Configuring a routing protocol

# Configure OSPF processes.

One process (for example, process 1) is used as the area for advertising the underlay network routes. The other process (for example, process 10) is used as the area for advertising the management network routes.

[Device] ospf 1

[Device] ospf 10

Configuring the management interface

·     For devices allocated by the resource pool (for example, VNF devices):

¡     When the VNF operates in IRF mode: Create interface Reth 999 on the VNF in IRF mode. The IP address of the interface is allocated by the VNF manager. Add management interfaces on the two VNFs forming the IRF fabric (for example, GigabitEthernet 1/1/0 and GigabitEthernet 2/1/0) to Reth 999 as member interfaces. Add Reth 999 to the area for advertising the management network routes, for example, area 0 of OSPF process 10.

[Device] interface Reth 999

[Device-Reth999] member interface GigabitEthernet 1/1/0 priority 100

[Device-Reth999] member interface GigabitEthernet 2/1/0 priority 80

[Device-Reth999] ospf 10 area 0

¡     When the VNF operates in standalone mode: The IP address of the management interface (for example, GigabitEthernet 1/1/0) is assigned by the VNF manager. Add the management interface to the area for advertising management network routes (for example, area 0 of OSPF process 10).

[Device] interface GigabitEthernet 1/1/0

[Device-GigabitEthernet1/1/0] ospf 10 area 0

·     For physical devices and manually added virtual devices: Create the management interface (LoopBack 0 or another interface as needed) and configure an IP address for the interface. Add the interface to the area for advertising the management network routes (for example, area 0 of OSPF process 10).

[Device] interface LoopBack 0

[Device-LoopBack0] ip address 31.0.7.126 255.255.255.255

[Device-LoopBack0] ospf 10 area 0

Configuring the interface where the VTEP IP addresses reside

Perform this task to create the interface where the VTEP IP addresses reside. The VTEP IP addresses are deployed by the controller rather than manually configured. To ensure VTEP IPs are reachable at Layer 3, advertise the VTEP IP addresses and the addresses of underlay network interconnecting interfaces to the area for underlay network routes.

# Create interface Loopback 1 where the VTEP IP resides. Add the interface to the area for advertising underlay network routes (for example, area 0 of OSPF process 1).

[Device] interface LoopBack 1

[Device-LoopBack1] ospf 1 area 0

# Add all underlay network interconnecting interfaces (for example, Reth 2) to the area for advertising the underlay network routes (for example, area 0 of OSPF process 1). When the underlay network interconnecting interface is a physical interface, the configuration is similar.

On a device, the interface connected to the TOR switch or another device is an underlay network interconnecting interface. The IP addresses of the underlay network interconnecting interfaces are deployed by the VNF manager.

[Device] interface Reth 2

[Device-Reth2] member interface GigabitEthernet 1/4/0 priority 100

[Device-Reth2] member interface GigabitEthernet 2/4/0 priority 80

[Device-Reth2] mtu 9216

[Device-Reth2] ospf 1 area 0

Configuring the external network VPN and the external network outgoing Reth interface

(Applicable to VNF gateways and NGFW gateways.) The internal network traffic of the network managed by the controller is forwarded in a VPN. To make the internal network and external network communicate, you must create an external network VPN and add the external network outgoing interface to the VPN.

# Create an external network VPN.

[Device] ip vpn-instance external_vpn

# Configure the external network outgoing interface Reth1.

·     When Reth1 connects to TOR switches through interfaces sending VLAN-tagged (for example, VLAN tag 2) packets, perform the following tasks:

¡     Configure VLAN termination on the physical subinterfaces on the device.

¡     Configure the physical subinterfaces (for example, GigabitEthernet 1/5/0.2 and GigabitEthernet 2/5/0.2) as the member interfaces of Reth1.

[Device] interface GigabitEthernet 1/5/0.2

[Device-GigabitEthernet1/5/0.2] vlan-type dot1q vid 2

[Device-GigabitEthernet1/5/0.2] interface GigabitEthernet 2/5/0.2

[Device-GigabitEthernet2/5/0.2] vlan-type dot1q vid 2

[Device-GigabitEthernet2/5/0.2] interface Reth 1

[Device-Reth1] member interface GigabitEthernet 1/5/0.2 priority 100

[Device-Reth1] member interface GigabitEthernet 2/5/0.2 priority 80

[Device-Reth1] ip binding vpn-instance external_vpn

·     When Reth1 connects to a TOR switch through an interface sending untagged packets, configure the physical interfaces (for example, GigabitEthernet 1/5/0 and GigabitEthernet 2/5/0) as the member interfaces of Reth1.

[Device] interface Reth 1

[Device-Reth1] member interface GigabitEthernet 1/5/0 priority 100

[Device-Reth1] member interface GigabitEthernet 2/5/0 priority 80

[Device-Reth1] ip binding vpn-instance external_vpn

Configuring an IRF fabric

(Applicable to VNF devices in IRF mode.) To improve availability for devices, you configure devices to operate in IRF mode.

# Specify member IDs, priorities, and bind IRF ports to IRF physical interfaces for devices.

The data channel and the control channel must use different IRF physical interfaces.

[DeviceA] irf member 1

[DeviceA] irf member 1 priority 32

[DeviceA] irf-port 1

[DeviceA-irf-port1] port group interface GigabitEthernet1/2/0 type data

[DeviceA-irf-port1] port group interface GigabitEthernet1/3/0 type control

[DeviceB] irf member 2

[DeviceB] irf member 2 priority 31

[DeviceB] irf-port 2

[DeviceB-irf-port2] port group interface GigabitEthernet2/2/0 type data

[DeviceB-irf-port2] port group interface GigabitEthernet2/3/0 type control

Configuring track entries

Track entries are used for monitoring the status of the external network outgoing interfaces, downlink interfaces, and management interfaces.

# (Applicable to VNF gateways and NGFW gateways.) Configure track entries to monitor the three types of interfaces on the virtual gateway.

The virtual gateway forwards internal network traffic at Layer 3 and implements communication between the internal network and external network.

[Device] track 1 interface GigabitEthernet 1/1/0

[Device] track 2 interface GigabitEthernet 1/4/0

[Device] track 3 interface GigabitEthernet 1/5/0

[Device] track 4 interface GigabitEthernet 2/1/0

[Device] track 5 interface GigabitEthernet 2/4/0

[Device] track 6 interface GigabitEthernet 2/5/0

# (Applicable to service-chain vFWs and service-chain vLBs.) Configure track entries to monitor management interfaces and downlink interfaces.

The service-chain nodes forward traffic of the current service chain, and is not used for implementing communication between the internal network and external network. You do not need to monitor the external network outgoing interfaces.

[Device] track 1 interface GigabitEthernet 1/1/0

[Device] track 2 interface GigabitEthernet 1/5/0

[Device] track 3 interface GigabitEthernet 2/1/0

[Device] track 4 interface GigabitEthernet 2/5/0

Configuring redundancy groups

Redundancy groups are supported only in IRF mode. A redundancy group must contain two nodes, each of which is bound to an IRF member device. The two nodes implement device-level backup and ensure service packets are received, processed, and sent out on the same IRF member device.

# (Applicable to VNF gateways and NGFW gateways.) Create node 1 as the primary node, bind the node to IRF member device 1, and associate it with track entries 1, 2, and 3. Create node 2 as the secondary node, bind the node to IRF member device 2, and associate it with track entries 4, 5, and 6.

When the uplink interface, downlink interface, or management interface of member device 1 fails or member device 1 fails, traffic is switched to member device 2. When the failure recovers, traffic is switched back to member device 1.

[Device] redundancy group reth

[Device-redundancy-group-reth] member interface Reth1

[Device-redundancy-group-reth] member interface Reth2

[Device-redundancy-group-reth] member interface Reth999

[Device-redundancy-group-reth] node 1

[Device-redundancy-group-right-node1] bind slot 1

[Device-redundancy-group-right-node1] priority 100

[Device-redundancy-group-right-node1] track 1 interface GigabitEthernet1/1/0

[Device-redundancy-group-right-node1] track 2 interface GigabitEthernet1/4/0

[Device-redundancy-group-right-node1] track 3 interface GigabitEthernet1/5/0

[Device-redundancy-group-right-node1] quit

[Device-redundancy-group-reth] node 2

[Device-redundancy-group-right-node2] bind slot 2

[Device-redundancy-group-right-node2] priority 80

[Device-redundancy-group-right-node2] track 4 interface GigabitEthernet2/1/0

[Device-redundancy-group-right-node2] track 5 interface GigabitEthernet2/4/0

[Device-redundancy-group-right-node2] track 6 interface GigabitEthernet2/5/0

# (Applicable to service-chain vFWs and service-chain vLBs.) Create node 1 as the primary node, bind the node to IRF member device 1, and associate it with track entries 1 and 2. Create node 2 as the secondary node, bind the node to IRF member device 2, and associate it with track entries 3 and 4.

When the downlink interface or management interface of member device 1 fails or member device 1 fails, traffic is switched to member device 2. When the failure recovers, traffic is switched back to member device 1.

[Device] redundancy group reth

[Device-redundancy-group-reth] member interface Reth999

[Device-redundancy-group-reth] member interface Reth2

[Device-redundancy-group-reth] node 1

[Device-redundancy-group-right-node1] bind slot 1

[Device-redundancy-group-right-node1] priority 100

[Device-redundancy-group-right-node1] track 1 interface GigabitEthernet1/1/0

[Device-redundancy-group-right-node1] track 2 interface GigabitEthernet1/4/0

[Device-redundancy-group-right-node1] quit

[Device-redundancy-group-reth] node 2

[Device-redundancy-group-right-node2] bind slot 2

[Device-redundancy-group-right-node2] priority 80

[Device-redundancy-group-right-node2] track 3 interface GigabitEthernet2/1/0

[Device-redundancy-group-right-node2] track 4 interface GigabitEthernet2/4/0

Configuring stateful failover

When devices operate in IRF mode, you must configure stateful failover-related functions on the two virtual devices.

# (Applicable to vFWs, vLBs, VNF gateways, and NGFW gateways.) Enable session synchronization.

[Device] session synchronization enable

# (Applicable to VNF gateways and NGFW gateways.) Enable dynamic NAT444 service synchronization.

[Device] nat port-block synchronization enable

# (Applicable to VNF gateways and NGFW gateways.) Enable IPsec redundancy.

[Device] ipsec redundancy enable

Creating the interface where the vLB's virtual server IP resides

The virtual server is a virtual carrier for user services on the load balancer. Only packets matching the virtual server can be processed by the load balancer.

# (Applicable to vLBs.) Create interface Loopback 127, and use this interface to carry the virtual server IP address.

The virtual server IP address configured on the controller will be automatically deployed to the interface.

[Device] interface LoopBack 127

Configuring the firewall to permit traffic by default

Some firewalls (for example, vFWs created by the VNF manager or the vFWs virtualized on the M9K device) drop packets matching no security policies by default. As a result, the underlay network or management network might be unreachable.

# Add the interfaces that permit traffic to the default SDN security zone, configure an object policy to permit traffic to pass through, and set the default action to permit for packets exchanged between interfaces in the same security zone.

Then, underlay data link packets and management packets are permitted, and the network is reachable.

[Device] security-zone name SDN_ZONE_DEFAULT

[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet1/0

[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet2/0

[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet3/0

[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet3/0.2

[Device-security-zone-SDN_ZONE_DEFAULT] quit

[Device] object-policy ip SDN_POLICY_DEFAULT

[Device-object-policy-ip-SDN_POLICY_DEFAULT] rule 0 pass

[Device-object-policy-ip-SDN_POLICY_DEFAULT] quit

[Device] security-zone intra-zone default permit

[Device] zone-pair security source any destination any

[Device-zone-pair-security-Any-Any] object-policy apply ip SDN_POLICY_DEFAULT

Configuring the OVSDB VTEP function and site-facing interface

# Configure the OVSDB VTEP function on the physical access device (L2VTEP).

Then, the controller can automatically sense the online events of VMs or physical servers and learn ARP entries, so that the physical access device (L2VTEP) can run like a vSwitch.

[Device] ovsdb server ptcp

[Device] ovsdb server enable

[Device] vtep enable

# Specify the site-facing interface as a VTEP access port.

The interface that connects the physical access device (L2VTEP) to a VM or physical server is a site-facing interface, for example, Ten-GigabitEthernet 2/0/5:1. To display and control the site-facing interface on the controller, you must specify the interface as a VTEP access port on the physical access device (L2VTEP).

[Device] interface Ten-GigabitEthernet2/0/5

[Device-Ten-GigabitEthernet2/0/5] vtep access port

Reserving VLAN interface resources

Because of the restrictions of the chips used in products (for example, the F series chips used in S12500-X switches), you must reserve VLAN interface resources before creating Layer 3 interfaces or subinterfaces other than VLAN interfaces or configuring features that use Layer 3 interface hardware resources.

# Reserve global VLAN interface resources before creating VXLANs in VSI view when VXLAN tunnels operate in Layer 3 forwarding mode.

One global VLAN interface resource must be reserved for one VXLAN.

<Sysname> system-view

[Sysname] reserve-vlan-interface 3400 to 3500 global

Assigning the physical interfaces connecting to the security devices to the same VLAN

Perform this task when a service gateway group is used in the networking scheme,

# Assign the physical interfaces (for example, GigabitEthernet 11/0/13) connecting service gateway group member devices to security devices (for example, firewalls and load balancers) to the same VLAN.

This configuration ensure the member devices and security devices can communicate at Layer 2.

[Device] interface GigabitEthernet 11/0/13

[Device-GigabitEthernet11/0/13] port link-mode bridge

[Device-GigabitEthernet11/0/13] port link-type trunk

[Device-GigabitEthernet11/0/13] port trunk permit vlan all

Activating the DPI feature on physical security devices

To deploy DPI services (for example, IPS, antivirus, and URL filtering) on firewall resources (contexts) virtualized from physical security devices, you must activate the DPI feature on these physical security devices. Otherwise, the controller cannot successfully deploy DPI service configurations to contexts on these devices.

# Activate the DPI feature on physical security devices.

[Device] inspect activate

Configuring the IRF bridge MAC address to be permanent

# Configure the IRF bridge MAC address to be permanent.

Perform this task when a device operates in IRF mode. The IRF bridge MAC address does not change after the address owner leaves the fabric.

[Device] irf mac-address persistent always

Configuration examples

Physical device preprovisioning

Physical gateway

Local user and NETCONF configuration

[Device] local-user sdn

[Device-luser-manage-sdn] password simple 123

[Device-luser-manage-sdn] service-type ssh

[Device-luser-manage-sdn] authorization-attribute user-role network-admin

[Device] ssh server enable

[Device] netconf ssh server enable

[Device] line vty 0 63

[Device-line-vty0-63] authentication-mode scheme

Underlay network configuration

[Device] l2vpn enable

[Device] ospf 1

[Device] ospf 10

[Device] interface LoopBack 0

[Device-LoopBack0] ip address 31.0.7.126 255.255.255.255

[Device-LoopBack0] ospf 10 area 0

[Device-LoopBack0] quit

[Device] interface GigabitEthernet 1/0/1

[Device-GigabitEthernet1/0/1] ip address 97.0.6.126 255.255.0.0

[Device-GigabitEthernet1/0/1] ospf 10 area 0

[Device-GigabitEthernet1/0/1] quit

[Device] interface LoopBack 1

[Device-LoopBack1] ospf 1 area 0

[Device-LoopBack1] quit

[Device] interface GigabitEthernet 2/0/1

[Device-GigabitEthernet2/0/1] ip address 111.0.9.126 255.255.0.0

[Device-GigabitEthernet2/0/1] mtu 9216

[Device-GigabitEthernet2/0/1] ospf 1 area 0

[Device-GigabitEthernet2/0/1] ospf cost 1

Physical access device (L2VTEP)

Local user and NETCONF configuration

[Device] local-user sdn

[Device-luser-manage-sdn] password simple 123

[Device-luser-manage-sdn] service-type ssh

[Device-luser-manage-sdn] authorization-attribute user-role network-admin

[Device] ssh server enable

[Device] netconf ssh server enable

[Device] line vty 0 63

[Device-line-vty0-63] authentication-mode scheme

Underlay network configuration

[Device] l2vpn enable

[Device] ospf 1

[Device] ospf 10

[Device]interface LoopBack 0

[Device-LoopBack0] ip address 31.0.7.128 255.255.255.255

[Device-LoopBack0] ospf 10 area 0

[Device-LoopBack0] quit

[Device] interface GigabitEthernet 2/0/33

[Device-GigabitEthernet2/0/33] ip address 97.0.6.128 255.255.0.0

[Device-GigabitEthernet2/0/33] ospf 10 area 0

[Device-GigabitEthernet2/0/33] quit

[Device] interface LoopBack 1

[Device-LoopBack1] ospf 1 area 0

[Device-LoopBack1] quit

[Device] interface GigabitEthernet 2/0/34

[Device-GigabitEthernet2/0/34] ip address 111.0.9.128 255.255.0.0

[Device-GigabitEthernet2/0/34] mtu 9216

[Device-GigabitEthernet2/0/34] ospf 1 area 0

[Device-GigabitEthernet2/0/34] ospf cost 1

[Device-GigabitEthernet2/0/34] quit

OVSDB VTEP function and site-facing interface configuration

[Device] ovsdb server ptcp

[Device] ovsdb server enable

[Device] vtep enable

[Device] interface Ten-GigabitEthernet2/0/5

[Device-Ten-GigabitEthernet2/0/5] port link-mode bridge

[Device-Ten-GigabitEthernet2/0/5] port link-type trunk

[Device-Ten-GigabitEthernet2/0/5] vtep access port

VNFM and NGFWM template configuration

When you use the VNF manager or NGFW manager to create devices of the specified type, the controller will deploy the preprovisioned configuration to devices according to the type of template used for creating the devices. This section describes the configuration deployed by the controller.

This section describes only the simplest configuration for devices to function. The deployed configuration might vary with the interfaces used for configuring templates.

VNFM 3.0 template

VNF gateway in standalone mode

ip vpn-instance external_vpn

interface GigabitEthernet 3/0.2

vlan-type dot1q vid 2

interface Reth 1

 member interface GigabitEthernet 3/0.2 priority 100

 ip binding vpn-instance external_vpn

ospf 1

ospf 10

interface LoopBack 0

 ospf 10 area 0

interface GigabitEthernet 1/0

 ospf 10 area 0

interface LoopBack 1

 ospf 1 area 0

interface GigabitEthernet 2/0

 mtu 9216

 ospf 1 area 0

VNF gateway in IRF mode

session synchronization enable

nat port-block synchronization enable

ipsec redundancy enable

ip vpn-instance external_vpn

interface GigabitEthernet 1/5/0.2

 vlan-type dot1q vid 2

interface GigabitEthernet 2/5/0.2

 vlan-type dot1q vid 2

interface Reth 1

 member interface GigabitEthernet 1/5/0.2 priority 100

 member interface GigabitEthernet 2/5/0.2 priority 80

 ip binding vpn-instance external_vpn

interface Reth2

 member interface GigabitEthernet 1/4/0 priority 100

 member interface GigabitEthernet 2/4/0 priority 80

track 1 interface GigabitEthernet 1/1/0

track 2 interface GigabitEthernet 1/4/0

track 3 interface GigabitEthernet 1/5/0

track 4 interface GigabitEthernet 2/1/0

track 5 interface GigabitEthernet 2/4/0

track 6 interface GigabitEthernet 2/5/0

redundancy group reth

 preempt-delay 0

 member interface Reth1

 member interface Reth2

 member interface Reth999

 node 1

  bind slot 1

  priority 100

  track 1 interface GigabitEthernet 1/1/0

  track 2 interface GigabitEthernet 1/4/0

  track 3 interface GigabitEthernet 1/5/0

node 2

  bind slot 2

  priority 80

  track 4 interface GigabitEthernet 2/1/0

  track 5 interface GigabitEthernet 2/4/0

  track 6 interface GigabitEthernet 2/5/0

ospf 1

 non-stop-routing

interface Reth2

 ospf 1 area 0

interface LoopBack 1

 ospf 1 area 0

interface LoopBack 127

interface Reth 2

 mtu 9216

Service-chain vFW in standalone mode

ospf 1

ospf 10

interface GigabitEthernet 1/0

 ospf 10 area 0

interface LoopBack 1

 ospf 1 area 0

interface GigabitEthernet 2/0

 mtu 9216

 ospf 1 area 0

security-zone name SDN_ZONE_DEFAULT

 import interface GigabitEthernet1/0

 import interface GigabitEthernet2/0

Object-policy ip SDN_POLICY_DEFAULT

 rule 0 pass

security-zone intra-zone default permit

zone-pair security source Any destination Any

 object-policy apply ip SDN_POLICY_DEFAULT

Service-chain vFW in IRF mode

session synchronization enable

interface Reth2

 member interface GigabitEthernet 1/4/0 priority 100

 member interface GigabitEthernet 2/4/0 priority 80

track 1 interface GigabitEthernet 1/1/0

track 2 interface GigabitEthernet 1/4/0

track 3 interface GigabitEthernet 2/1/0

track 4 interface GigabitEthernet 2/4/0

redundancy group reth

 preempt-delay 0

 member interface Reth2

 member interface Reth999

 node 1

  bind slot 1

  priority 100

  track 1 interface GigabitEthernet 1/1/0

  track 2 interface GigabitEthernet 1/4/0

 node 2

  bind slot 2

  priority 80

  track 3 interface GigabitEthernet 2/1/0

  track 4 interface GigabitEthernet 2/4/0

ospf 1

 non-stop-routing

interface Reth2

 ospf 1 area 0

interface LoopBack 1

 ospf 1 area 0

interface Reth2

 mtu 9216

security-zone name SDN_ZONE_DEFAULT

 import interface Reth2

 import interface Reth999

Object-policy ip SDN_POLICY_DEFAULT

 rule 0 pass

security-zone intra-zone default permit

zone-pair security source Any destination Any

 object-policy apply ip SDN_POLICY_DEFAULT

Service-chain vLB in IRF mode

session synchronization enable

interface Reth2

 member interface GigabitEthernet 1/4/0 priority 100

 member interface GigabitEthernet 2/4/0 priority 80

track 1 interface GigabitEthernet 1/1/0

track 2 interface GigabitEthernet 1/4/0

track 3 interface GigabitEthernet 2/1/0

track 4 interface GigabitEthernet 2/4/0

redundancy group reth

 preempt-delay 0

 member interface Reth2

 member interface Reth999

 node 1

  bind slot 1

  priority 100

  track 1 interface GigabitEthernet 1/1/0

  track 2 interface GigabitEthernet 1/4/0

 node 2

  bind slot 2

  priority 80

  track 3 interface GigabitEthernet 2/1/0

  track 4 interface GigabitEthernet 2/4/0

ospf 1

 non-stop-routing

interface Reth2

 ospf 1 area 0

interface LoopBack 1

 ospf 1 area 0

interface LoopBack 127

interface Reth2

 mtu 9216

Service-chain vLB in standalone mode

ospf 1

ospf 10

interface GigabitEthernet 1/0

 ospf 10 area 0

interface LoopBack 1

 ospf 1 area 0

interface GigabitEthernet 2/0

 mtu 9216

 ospf 1 area 0

interface LoopBack 127

NGFWM template

NGFW gateway

session synchronization enable

ip vpn-instance external_vpn

interface GigabitEthernet 3/0.2

 vlan-type dot1q vid 2

interface Reth 1

 member interface GigabitEthernet 3/0.2 priority 100

 ip binding vpn-instance external_vpn

ospf 1

ospf 10

interface GigabitEthernet 1/0

 ospf 10 area 0

interface LoopBack 1

 ospf 1 area 0

interface GigabitEthernet 2/0

 mtu 9216

 ospf 1 area 0

 ospf cost 1

security-zone name SDN_ZONE_DEFAULT

 import interface GigabitEthernet1/0

 import interface GigabitEthernet2/0

 import interface GigabitEthernet3/0

 import interface GigabitEthernet3/0.2

Object-policy ip SDN_POLICY_DEFAULT

 rule 0 pass

security-zone intra-zone default permit

zone-pair security source Any destination Any

 object-policy apply ip SDN_POLICY_DEFAULT

Service-chain vFW

session synchronization enable

nat port-block synchronization enable

ospf 1

ospf 10

interface GigabitEthernet 1/0

 ospf 10 area 0

interface LoopBack 1

 ospf 1 area 0

interface GigabitEthernet 2/0

 mtu 9216

 ospf 1 area 0

security-zone name SDN_ZONE_DEFAULT

 import interface GigabitEthernet1/0

 import interface GigabitEthernet2/0

Object-policy ip SDN_POLICY_DEFAULT

 rule 0 pass

security-zone intra-zone default permit

zone-pair security source Any destination Any

 object-policy apply ip SDN_POLICY_DEFAULT

Gateway service-type vFW

session synchronization enable

ipsec redundancy enable

nat port-block synchronization enable

ip vpn-instance external_vpn

ospf 1 vpn-instance external_vpn

 import-route direct

 import-route static

 area 0.0.0.0

interface LoopBack2

 ip binding vpn-instance external_vpn

interface Ten-GigabitEthernet2/0/4

 description internal

interface Ten-GigabitEthernet2/0/9

 description external

 ip binding vpn-instance external_vpn

 ospf 1 area 0.0.0.0

interface Ten-GigabitEthernet2/0/15

 description management

security-zone name SEC_ZONE_DEFAULT

 import interface Ten-GigabitEthernet2/0/15

object-policy ip SEC_POLICY_DEFAULT

 rule 0 pass

security-zone intra-zone default permit

zone-pair security source Any destination Any

 object-policy apply ip SEC_POLICY_DEFAULT

ip route-static 0.0.0.0 0 192.168.67.254

Service-chain vLB

session synchronization enable

nat port-block synchronization enable

session synchronization http

ospf 1

ospf 10

interface GigabitEthernet 1/0

 ospf 10 area 0

interface LoopBack 1

 ospf 1 area 0

interface GigabitEthernet 2/0

 mtu 9216

 ospf 1 area 0

 ospf cost 1

interface LoopBack 127

Gateway service-type vLB

session synchronization enable

nat port-block synchronization enable

session synchronization http

interface LoopBack127

interface GigabitEthernet1/0/1

 description management

interface Ten-GigabitEthernet1/0/26

 description internal

interface Ten-GigabitEthernet1/0/27

 description external

ip route-static 0.0.0.0 0 192.168.67.254

Preprovisioning manually added devices

Manually adding a firewall as a service chain node

Local user and NETCONF configuration

[Device] local-user sdn

[Device-luser-manage-sdn] password simple 123

[Device-luser-manage-sdn] service-type ssh

[Device-luser-manage-sdn] authorization-attribute user-role network-admin

[Device] ssh server enable

[Device] netconf ssh server enable

[Device] line vty 0 63

[Device-line-vty0-63] authentication-mode scheme

Underlay network configuration

[Device] l2vpn enable

[Device] ospf 1

[Device] ospf 10

[Device]interface LoopBack 0

[Device-LoopBack0] ip address 31.0.7.123 255.255.255.255

[Device-LoopBack0] ospf 10 area 0

[Device-LoopBack0] interface GigabitEthernet 1/0

[Device-GigabitEthernet1/0] ip address 97.0.6.126 255.255.0.0

[Device-GigabitEthernet1/0] ospf 10 area 0

[Device-GigabitEthernet1/0] interface LoopBack 1

[Device-LoopBack1] ip address 21.0.6.126 255.255.255.255

[Device-LoopBack1] ospf 1 area 0

[Device-LoopBack1] interface GigabitEthernet 2/0

[Device-GigabitEthernet2/0] ip address 111.0.9.125 255.255.0.0

[Device-GigabitEthernet2/0] mtu 9216

[Device-GigabitEthernet2/0] ospf 1 area 0

[Device-GigabitEthernet2/0] ospf cost 1

Security configuration

[Device] security-zone name SDN_ZONE_DEFAULT

[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet1/0

[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet2/0

[Device-security-zone-SDN_ZONE_DEFAULT] quit

[Device] Object-policy ip SDN_POLICY_DEFAULT

[Device-object-policy-ip-SDN_POLICY_DEFAULT] rule 0 pass

[Device-object-policy-ip-SDN_POLICY_DEFAULT] quit

[Device] security-zone intra-zone default permit

[Device] zone-pair security source any destination any

[Device-zone-pair-security-Any-Any] object-policy apply ip SDN_POLICY_DEFAULT

Manually adding a load balancer as a service chain node

Local user and NETCONF configuration

[Device] local-user sdn

[Device-luser-manage-sdn] password simple 123

[Device-luser-manage-sdn] service-type ssh

[Device-luser-manage-sdn] authorization-attribute user-role network-admin

[Device] ssh server enable

[Device] netconf ssh server enable

[Device] line vty 0 63

[Device-line-vty0-63] authentication-mode scheme

Underlay network configuration

[Device] l2vpn enable

[Device] ospf 1

[Device] ospf 10

[Device] interface LoopBack 0

[Device-LoopBack0] ip address 31.0.7.123 255.255.255.255

[Device-LoopBack0] ospf 10 area 0

[Device-LoopBack0] interface GigabitEthernet 1/0

[Device-GigabitEthernet1/0] ip address 97.0.6.126 255.255.0.0

[Device-GigabitEthernet1/0] ospf 10 area 0

[Device-GigabitEthernet1/0] interface LoopBack 1

[Device-LoopBack1] ospf 1 area 0

[Device-LoopBack1] interface GigabitEthernet 2/0

[Device-GigabitEthernet2/0] ip address 111.0.9.125 255.255.0.0

[Device-GigabitEthernet2/0] mtu 9216

[Device-GigabitEthernet2/0] ospf 1 area 0

[Device-GigabitEthernet2/0] ospf cost 1

Configuring the interface where the virtual server IP resides

[Device] interface LoopBack 127

Manually adding a VNF firewall as a VNF gateway

Local user and NETCONF configuration

[Device] local-user sdn

[Device-luser-manage-sdn] password simple 123

[Device-luser-manage-sdn] service-type ssh

[Device-luser-manage-sdn] authorization-attribute user-role network-admin

[Device] ssh server enable

[Device] netconf ssh server enable

[Device] line vty 0 63

[Device-line-vty0-63] authentication-mode scheme

Underlay network configuration

[Device] l2vpn enable

[Device] ip vpn-instance external_vpn

[Device] interface GigabitEthernet 3/0.2

[Device-GigabitEthernet3/0.2] vlan-type dot1q vid 2

[Device-GigabitEthernet3/0.2] interface Reth 1

[Device-Reth1] member interface GigabitEthernet 3/0.2 priority 100

[Device-Reth1] ip binding vpn-instance external_vpn

[Device-Reth1] quit

[Device] ospf 1

[Device] ospf 10

[Device] interface LoopBack 0

[Device-LoopBack0] ospf 10 area 0

[Device-LoopBack0] interface GigabitEthernet 1/0

[Device-GigabitEthernet1/0] ospf 10 area 0

[Device-GigabitEthernet1/0] interface LoopBack 1

[Device-LoopBack1] ospf 1 area 0

[Device-LoopBack1] interface GigabitEthernet 2/0

[Device-GigabitEthernet2/0] mtu 9216

[Device-GigabitEthernet2/0] ospf 1 area 0

[Device-GigabitEthernet2/0] ospf cost 1

Security configuration

[Device] security-zone name SDN_ZONE_DEFAULT

[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet1/0

[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet2/0

[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet3/0

[Device-security-zone-SDN_ZONE_DEFAULT] import interface GigabitEthernet3/0.2

[Device-security-zone-SDN_ZONE_DEFAULT] quit

[Device] Object-policy ip SDN_POLICY_DEFAULT

[Device-object-policy-ip-SDN_POLICY_DEFAULT] rule 0 pass

[Device-object-policy-ip-SDN_POLICY_DEFAULT] quit

[Device] security-zone intra-zone default permit

[Device] zone-pair security source any destination any

[Device-zone-pair-security-Any-Any] object-policy apply ip SDN_POLICY_DEFAULT

Manually adding a VSR as a VNF gateway

Local user and NETCONF configuration

[Device] local-user sdn

[Device-luser-manage-sdn] password simple 123

[Device-luser-manage-sdn] service-type ssh

[Device-luser-manage-sdn] authorization-attribute user-role network-admin

[Device] ssh server enable

[Device] netconf ssh server enable

[Device] line vty 0 63

[Device-line-vty0-63] authentication-mode scheme

Underlay network configuration

[Device] l2vpn enable

[Device] ip vpn-instance external_vpn

[Device] interface GigabitEthernet 3/0.2

[Device-GigabitEthernet3/0.2] vlan-type dot1q vid 2

[Device-GigabitEthernet3/0.2] interface Reth 1

[Device-Reth1] member interface GigabitEthernet 3/0.2 priority 100

[Device-Reth1] ip binding vpn-instance external_vpn

[Device-Reth1] quit

[Device] ospf 1

[Device] ospf 10

[Device] interface LoopBack 0

[Device-LoopBack0] ospf 10 area 0

[Device-LoopBack0] interface GigabitEthernet 1/0

[Device-GigabitEthernet1/0] ospf 10 area 0

[Device-GigabitEthernet1/0] interface LoopBack 1

[Device-LoopBack1] ospf 1 area 0

[Device-LoopBack1] interface GigabitEthernet 2/0

[Device-GigabitEthernet2/0] mtu 9216

[Device-GigabitEthernet2/0] ospf 1 area 0

[Device-GigabitEthernet2/0] ospf cost 1

Manually adding bare-metal devices managed by NGFW manager

Local user and NETCONF configuration

[Device] local-user sdn

[Device-luser-manage-sdn] password simple 123

[Device-luser-manage-sdn] service-type ssh

[Device-luser-manage-sdn] authorization-attribute user-role network-admin

[Device] ssh server enable

[Device] netconf ssh server enable

[Device] line vty 0 63

[Device-line-vty0-63] authentication-mode scheme

Management interface and route configuration

Configure an IP address for the management interface, and configure a route to ensure the IP address and the controller IP address are reachable. (Details not shown.)