puru@versa-networks.com
parbhat@versa-networks.com
1 © 2017 Versa and/or its affiliates. All rights reserved. Versa Networks Confidential
Purpose/Audience:
1. This document is for Comcast usage only and not meant to be shared externally.
2. Bugs/PRs mentioned in this document are for reference/knowledge only, and most likely those bugs will be
fixed in the 20.2 FRS release.
3. The Service-Chain association method is different in the R2 and 20.X releases. Please refer to the release notes for further info.
Provisioning v220 as uCPE Device: Creating a bootable USB Drive
3. Open the “rufus” application and insert a USB drive into your laptop.
7. Select “Start”
*If you receive a “Mounting” related error, please refer to the URL below to mitigate the issue:
https://support.versa-networks.com/support/solutions/articles/23000009663-bootable-usb-retry-mounting-the-cd-rom-error
Verification:
Note: default config with vni-0/0 (physical port “0”) in up state and receiving a DHCP IP address from my home Internet gateway.
admin@versa-flexvnf-cli> show interfaces brief | tab
NAME MAC OPER ADMIN TENANT VRF IP
------------------------------------------------------------------------------------------------
eth-0/0 08:35:71:ec:e1:83 down up 0 global 10.10.10.10/8
tvi-0/0 n/a up up - -
tvi-0/0.0 n/a up up 1 Versa-Provider-Control-VR
tvi-0/1 n/a up up - -
tvi-0/1.0 n/a up up 1 Versa-Provider-Control-VR 10.0.33.248/24
vni-0/0 08:35:71:ec:e1:7c up up - -
vni-0/0.0 08:35:71:ec:e1:7c up up 1 WAN1-Transport-VR 192.168.2.6/24
vni-0/0.1 08:35:71:ec:e1:7c up up 1 WAN1-Transport-VR
vni-0/1 08:35:71:ec:e1:7d down up - -
vni-0/1.0 08:35:71:ec:e1:7d down up 1 global 192.168.1.1/24
vni-0/100 02:aa:bb:cc:dd:01 down up - -
vni-0/100.0 02:aa:bb:cc:dd:01 down up 1 WAN1-Transport-VR
vni-0/101 02:aa:bb:cc:dd:02 down up - -
vni-0/101.0 02:aa:bb:cc:dd:02 down up 1 WAN1-Transport-VR
vni-0/102 02:aa:bb:cc:dd:03 down down - -
vni-0/103 02:aa:bb:cc:dd:04 down down - -
vni-0/2 08:35:71:ec:e1:7e down up - -
vni-0/2.0 08:35:71:ec:e1:7e down up 1 WAN1-Transport-VR
vni-0/2.1 08:35:71:ec:e1:7e down up 1 WAN1-Transport-VR
vni-0/3 08:35:71:ec:e1:7f down down - -
vni-0/4 08:35:71:ec:e1:80 down down - -
vni-0/5 08:35:71:ec:e1:81 down up - -
vni-0/5.0 08:35:71:ec:e1:81 down up 1 WAN1-Transport-VR
vni-0/5.1 08:35:71:ec:e1:81 down up 1 WAN1-Transport-VR
vni-0/6 08:35:71:ec:e1:82 down down - -
[ok][2019-01-25 18:43:44]
admin@versa-flexvnf-cli>
1. Install Hypervisor Packages:
a. For greenfield based uCPE deployment please execute below command:
“request system hypervisor enable no-confirm”
- The above command will create the OVS-bridges & interfaces from vni-0/300 to vni-0/309. And if this command is not executed then installation of 3rd Party VNF will not go through.
- hypervisor.sh [/opt/versa/scripts/hyperviser.sh] gets triggered after executing above command.
Puru (QA) provided a new image, and 2 additional Linux commands also need to be executed:
versa-flexvnf-20190125-102558-06ea83a-20.1.1-wsm
sudo apt-get update
sudo apt-get -f install
Verification: Before enabling & Post enabling Hypervisor
admin@versa-flexvnf-cli> show system details
Verification: OVS Bridges existence/Default Vlan association
Negative event: Caswell Issue (Raised a PR # 37241)
Post enabling hypervisor, all uCPE based VNI interfaces came up properly. As a part of a negative event, I powered down the v120 hardware and powered it back on, post which all uCPE interfaces got removed from “/var/run/vinterfaces”.
1. “sudo ovs-vsctl list-br” / “sudo ovs-vsctl show” command outputs were showing proper uCPE bridges and respective ports.
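One way to check, after an event such as the power cycle above, that the interfaces created by the hypervisor-enable command (vni-0/300 to vni-0/309) are still present and up in saved “show interfaces brief | tab” output. This is an added example, not Versa code; the function names and the sample rows are assumptions constructed for illustration.

```python
import re

# Base interfaces the page says "request system hypervisor enable" creates.
EXPECTED = [f"vni-0/{n}" for n in range(300, 310)]

# One table row: NAME MAC OPER ADMIN, then optional TENANT / VRF / IP columns.
ROW = re.compile(
    r"^(?P<name>[a-z]+-\d+/\d+(?:\.\d+)?|ptvi\d+)\s+"
    r"(?P<mac>n/a|(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<oper>up|down)\s+(?P<admin>up|down)\b(?P<rest>.*)$"
)
CIDR = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}$")

# Constructed sample modelled on the page's rows: vni-0/301 down, 303-309 absent.
SAMPLE = """\
admin@PA-uCPE-Marriott-cli> show interfaces brief | tab
NAME MAC OPER ADMIN TENANT VRF IP
eth-0/0 08:35:71:ec:e1:83 up up 0 global 192.168.2.7/24
vni-0/300 22:83:85:20:2e:4a up up - -
vni-0/300.0 22:83:85:20:2e:4a up up 2 Marriott-Control-VR 172.16.30.1/24
vni-0/301 76:f7:c1:60:50:43 down up - -
vni-0/302 56:48:4f:53:54:00 up up - -
vni-0/302.0 56:48:4f:53:54:00 up up 2 Marriott-LAN-VR 172.16.10.1/24 ----TRUST
[ok][2019-02-06 12:41:00]
"""

def parse_interfaces(text):
    """Map interface name -> columns; prompt, header and trailer are skipped."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        cols = m.group("rest").split()  # trailing slide annotations are ignored
        table[m.group("name")] = {
            "oper": m.group("oper"), "admin": m.group("admin"),
            "vrf": cols[1] if len(cols) > 1 else None,
            "ip": cols[2] if len(cols) > 2 and CIDR.match(cols[2]) else None,
        }
    return table

def check_ucpe(text):
    """Expected uCPE base interfaces that are absent or not operationally up."""
    table = parse_interfaces(text)
    return {
        "missing": [n for n in EXPECTED if n not in table],
        "not_up": [n for n in EXPECTED if n in table and table[n]["oper"] != "up"],
    }
```

Calling check_ucpe(SAMPLE) returns the missing and not-up interface names; an empty result for both lists means all ten base interfaces are present and up.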
Negative event: Caswell Issue Resolution
Steps to onboard uCPE via VD GUI: Create Vendor Catalog
1. Go to Administration > Inventory > Vendor Catalog
Below, we create a Vendor Catalog from a predefined Vendor and Product type.
Provide the Description & Version number of the NFV. “Version” is any user-defined value.
Steps to onboard uCPE via VD GUI: Create Service Chain
Drag & drop the Fortinet image into the SC and provide appropriate values in the fields.
Steps to onboard uCPE via VD GUI: Create Service Chain(contd.)
2b. The default mode of operation for a 3rd Party FW is Layer 2. Click on the 3rd Party VNF to change the mode of operation to Layer 3. You can also
change other parameters such as CPU/Memory. Once all changes are made, click “Create”.
Steps to onboard uCPE via VD GUI: Create Workflow Template
Please create a workflow template just like any other normal template. No special parameter needs to be selected.
Steps to onboard uCPE via VD GUI: Create Workflow Template (contd)
In the Interfaces section I had selected the “DHCP” option, as my CPE was connected to the home Internet gateway and will be getting a DHCP based IP from it.
Steps to onboard uCPE via VD GUI: Create Device group & associate SC
4a. Before creating the Device template, please create a DG and associate it with the SC (this is applicable from 20.1 going forward).
In 20.1 the Service chain association is moved to the Device group level, and the same holds true in 20.2. Please click the “Edit post-staging” icon and associate the SC as shown below.
Steps to onboard uCPE via VD GUI: Create Device template and provide bind data
5. Create a device template and provide bind data information for the uCPE based interfaces by selecting the Service template, then deploy it:
The provided bind data variables will be configured at the FlexVNF end. You need to configure the 3rd party FW interfaces/IPs separately.
Steps need to take before initiating ZTP PROCESS 1: System level knob required
PLEASE READ CAREFULLY
1. If you are going to deploy Palo Alto with default:
Memory: 6gig
CPU: 2
By configuring the above knob you are allocating 6gig of memory to the Palo Alto VM and
2gig to the FlexVNF host. After configuring this command, a system reboot is required.
If your hardware's default hugepages value is 4, you do not need to give the above command, as FlexVNF will automatically reserve 2gig for
Fortigate and 2gig for FlexVNF.
Conclusion: It is an n + 2 formula that you need to adhere to when configuring the above command; 2gig is reserved for FlexVNF.
Steps need to take before initiating ZTP PROCESS 2: Manually upload the image on uCPE hardware
PLEASE READ CAREFULLY
1. This step is equally important and needs to be followed if you do not want to wait 2 days for your AWS VD to transfer the 2gig Palo Alto/vSRXV
image. (We are assuming that if you have uCPE hardware with you, you will be bootstrapping it from an AWS based VD.)
2. Please go back to “Administration” > “Vendor Catalog” and copy the file name as shown in the snapshot below. (This is a VD auto-generated file name, even
though we had uploaded the file from the laptop with this original name: “PA-VM-KVM-8.1.0.qcow2”.)
3. Transfer the “PA-VM-KVM-8.1.0.qcow2” image (which will be around 2gig in size) to the /home/versa/images path on FlexVNF.
By executing the above steps you prevent VD from uploading the 2gig VM image over the AWS cloud to your CPE (which is a waste of time).
Post ZTP: How to access Palo Alto via FlexVNF
Scalability:
The total number of 3rd Party VNFs that can be deployed on a single host depends on the following:
The default uCPE interface configuration, which is from vni-0/300 to 309, can support a total of 4 VNFs/3rd Party FWs:
VNI-0/300-301 are dedicated to management interfaces and shared by all 3rd Party FWs. Riverbed utilizes 2 management interfaces. Palo
Alto utilizes just 1.
The remaining VNI-0/302-309 can be divided among VNFs, with each VNF using 2 interfaces for datapath.
Post ZTP: How to access Palo Alto via VD
1. Access the respective uCPE & click “Guest VNF’s”
2. Click “Connect” against SSH and a new shell window will open up
Accessing 3rd Party VNF over Web http/https is broken: Bug 34682
CPU/Memory information is not shown correctly: Bug 36642
“Show interface brief” output post onboarding the device
admin@PA-uCPE-Marriott-cli> show interfaces brief | tab
NAME MAC OPER ADMIN TENANT VRF IP
----------------------------------------------------------------------------------------------
eth-0/0 08:35:71:ec:e1:83 up up 0 global 192.168.2.7/24
ptvi10 n/a up up 2 Marriott-Control-VR 172.29.44.3/32
ptvi11 n/a up up 2 Marriott-Control-VR 172.29.44.1/32
tvi-0/10 n/a up up - -
tvi-0/10.0 n/a up up 2 Marriott-Control-VR 172.29.40.101/32
tvi-0/11 n/a up up - -
tvi-0/11.0 n/a up up 2 Marriott-Control-VR 172.29.44.101/32
tvi-0/2602 n/a up up - -
tvi-0/2602.0 n/a up up 2 PK-INET-Transport-VR 169.254.7.210/31
tvi-0/2603 n/a up up - -
tvi-0/2603.0 n/a up up 2 global 169.254.7.211/31
tvi-0/602 n/a up up - -
tvi-0/602.0 n/a up up 2 PK-INET-Transport-VR 169.254.0.2/31
tvi-0/603 n/a up up - -
tvi-0/603.0 n/a up up 2 Marriott-LAN-VR 169.254.0.3/31
vni-0/0 08:35:71:ec:e1:7c up up - -
vni-0/0.0 08:35:71:ec:e1:7c up up 2 PK-INET-Transport-VR 192.168.2.6/24
vni-0/1 08:35:71:ec:e1:7d up up - -
vni-0/1.0 08:35:71:ec:e1:7d up up 2 Marriott-LAN-VR 172.16.191.1/24
……
vni-0/300 22:83:85:20:2e:4a up up - -
vni-0/300.0 22:83:85:20:2e:4a up up 2 Marriott-Control-VR 172.16.30.1/24
vni-0/301 76:f7:c1:60:50:43 up up - -
vni-0/301.0 76:f7:c1:60:50:43 up up 2 Marriott-Control-VR
vni-0/302 56:48:4f:53:54:00 up up - -
vni-0/302.0 56:48:4f:53:54:00 up up 2 Marriott-LAN-VR 172.16.10.1/24 ----Connected with TRUST LAN Interface of Palo Alto
vni-0/303 56:48:4f:53:54:01 up up - -
vni-0/303.0 56:48:4f:53:54:01 up up 2 Marriott-LAN-VR 172.16.20.1/24 ----Connected with UNTRUST LAN Interface of Palo Alto
………
[ok][2019-02-06 12:41:00]
admin@PA-uCPE-Marriott-cli>
[Figure: topology diagram. Labels: Vni0/0.0 (Internet-Transport-VR); tvi0/602.0 (W-ST-Marriott-LAN-VR-PK-INET); mpls-vpn-core-instance; tvi0/603.0 (L-ST-Marriott-LAN-VR-PK-INET); VRF: Marriott-LAN-VR; Palo Alto VM with Untrust 172.16.20.2 facing Vni-0/303.0 172.16.20.1 and Trust 172.16.10.2 facing Vni-0/302.0 172.16.10.1; 172.16.191.2/24]