This chapter provides information about the sample network services that are provided with Network Service Orchestration.
Network Service Orchestration includes the following sample cartridges that you can use as references for designing and implementing your own network services:
Juniper_vSRX_VNF. This sample cartridge contains the Juniper vSRX firewall VNF to use with the network protection service.
Checkpoint_NG_FW_VNF. This sample cartridge contains the Checkpoint firewall VNF to use with the network protection service.
Cisco_xRV_PNF. This sample cartridge contains the Cisco xRV router PNF to use with the residential gateway network service or the network protection service.
NPaaS_NetworkService. This sample cartridge provides the functionality to implement a Network Protection as a Service (NPaaS) network service.
ResidentialGateway_NetworkService. This sample cartridge provides the functionality to implement a Residential Gateway network service.
Before you implement the sample network services, you must configure the software image of the Juniper vSRX firewall VNF. You use this VNF with the Network Protection and the Residential Gateway network services.
To configure the Juniper vSRX base image:
Download the Juniper vSRX base image from Juniper's web site.
Install OpenStack and source the tenant's credentials file.
In OpenStack, upload the downloaded base image to the Glance repository by running the following command:
glance image-create --name vsrx-vmdisk-15.1X49-D40_base --is-public true --container-format bare --disk-format qcow2 --file media-vsrx-vmdisk-15.1X49-D40.6.qcow2
where:
vsrx-vmdisk-15.1X49-D40_base is the name of the image uploaded into the repository
media-vsrx-vmdisk-15.1X49-D40.6.qcow2 is the name of the base image downloaded from the vendor's web portal.
In OpenStack, create a flavor with the following specifications by running the following command:
Specifications:
Name: vsrx.medium
VCPUs: 2
Root Disk: 20 GB
Ephemeral Disk: 0 GB
RAM: 4096 MB
Command:
nova flavor-create vsrx.medium auto 4096 20 2
Boot the image by running the following command:
nova boot --flavor vsrx.medium --image vsrx-vmdisk-15.1X49-D40_base --nic net_ID=109ae4cf-3cea-4729-a24f-957c4ed6d3c6 vsrx_base_instance
where:
net_ID is the ID of your management network in OpenStack.
vsrx_base_instance is the name of the vsrx instance you are spawning in OpenStack.
vsrx-vmdisk-15.1X49-D40_base is the name of the base image that is uploaded into the repository.
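The base image you upload here becomes the root of every vSRX instance that the network services spawn, so the download is worth checking against the digest published on the vendor's download page before it goes into Glance. The following shell script is an added example and is not part of the Oracle documentation or the Juniper_vSRX_VNF cartridge; the file and image names are the ones used in the procedure, the expected digest is a placeholder, and the sha256_of, verify_image and upload_if_verified function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): verify the downloaded vSRX
# image against the vendor-published SHA-256 before running the glance upload
# from the procedure, so a corrupted or altered download never becomes the
# base image. The expected digest is a placeholder you replace with the value
# published on the vendor's download page.

# sha256_of FILE: print the hex SHA-256 digest of FILE
# (sha256sum on Linux, shasum on systems without it).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{ print $1 }'
}

# verify_image FILE EXPECTED_SHA256: exit 0 when FILE hashes to EXPECTED_SHA256
# (hex digits compared case-insensitively), 1 otherwise.
verify_image() {
    actual=$(sha256_of "$1") || return 1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# upload_if_verified FILE EXPECTED_SHA256 IMAGE_NAME: run the glance upload
# from the procedure only after the digest matches; never call glance otherwise.
upload_if_verified() {
    verify_image "$1" "$2" || {
        echo "checksum mismatch for $1, not uploading" >&2
        return 1
    }
    glance image-create --name "$3" --is-public true --container-format bare \
        --disk-format qcow2 --file "$1"
}

# Usage (placeholder digest; take the real value from the vendor's download page):
# upload_if_verified media-vsrx-vmdisk-15.1X49-D40.6.qcow2 \
#     REPLACE_WITH_VENDOR_SHA256 vsrx-vmdisk-15.1X49-D40_base
```

Keep the digest you verified against in the change record for the image: when the snapshot taken later in this procedure is traced back, the record shows which vendor build it was derived from.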
After the image boots up, navigate to the Instances console in OpenStack and run the following commands:
root@% cli
root> configure
root# delete security
root# set system root-authentication plain-text-password
New password: Enter a password
Retype new password: Enter a password
The instance console prompts for a password. Enter any password and run the following command:
root# set system login user admin class super-user authentication plain-text-password
New password: password
Retype new password: password
The instance console prompts for a password. Enter any password.
The username and the password that you specify here become the username and password of the VNF image that you specify in the VNF descriptor. Network Service Orchestration uses these credentials to update the configuration.
Run the following commands:
set system services netconf ssh
set interfaces fxp0 description "Management Interface" unit 0 family inet dhcp
set interfaces ge-0/0/0 description "Customer Interface" unit 0 family inet dhcp
set interfaces ge-0/0/1 description "Internet interface" unit 0 family inet dhcp
set security zones security-zone Customer host-inbound-traffic system-services ping
set security zones security-zone Internet host-inbound-traffic system-services ping
set security zones security-zone Customer interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone Customer interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone Internet interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
set security zones security-zone Internet interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set routing-instances Traffic instance-type virtual-router
set routing-instances Traffic interface ge-0/0/0.0
set routing-instances Traffic interface ge-0/0/1.0
set groups security-rules security policies from-zone <*> to-zone <*> policy <*> then log session-init session-close
set security policies apply-groups security-rules
set security policies from-zone Customer to-zone Internet policy Customer-Internet-Access match source-address any destination-address any application any
set security policies from-zone Customer to-zone Internet policy Customer-Internet-Access then permit
set security policies from-zone Internet to-zone Customer policy Deny-All match source-address any destination-address any application any
set security policies from-zone Internet to-zone Customer policy Deny-All then deny
set security utm custom-objects url-pattern bad-sites value http://www.example.com
set security utm custom-objects custom-url-category bad-category value bad-sites
set security utm feature-profile web-filtering juniper-local profile wf-profile custom-block-message "Website blocked by NPaaS. Powered by Oracle"
set security utm feature-profile web-filtering juniper-local profile wf-profile default log-and-permit
set security utm feature-profile web-filtering juniper-local profile wf-profile fallback-settings default block
set security utm feature-profile web-filtering juniper-local profile wf-profile fallback-settings too-many-requests block
set security utm utm-policy utm-protect web-filtering http-profile wf-profile
commit
exit
exit
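The policy lines above leave exactly one permitted direction (Customer to Internet), deny the reverse direction with Deny-All, and log every session through the security-rules group. Because the snapshot taken in the next step is reused for every vSRX the service instantiates, it is worth checking the set-style configuration for those two properties before snapshotting. The following shell script is an added example and is not part of the Oracle documentation or the Juniper_vSRX_VNF cartridge: the first embedded sample is the policy and logging lines copied from the commands above, the second adds one constructed Allow-Mgmt policy to show what a finding looks like, and the permitting_policies and session_logging_applied function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation or the vSRX cartridge:
# audit Junos "set"-style policy lines before taking the snapshot. The first
# sample is the policy and logging lines from the base-image configuration
# above; the second adds one constructed permissive policy to show a finding.

VSRX_POLICIES='set groups security-rules security policies from-zone <*> to-zone <*> policy <*> then log session-init session-close
set security policies apply-groups security-rules
set security policies from-zone Customer to-zone Internet policy Customer-Internet-Access match source-address any destination-address any application any
set security policies from-zone Customer to-zone Internet policy Customer-Internet-Access then permit
set security policies from-zone Internet to-zone Customer policy Deny-All match source-address any destination-address any application any
set security policies from-zone Internet to-zone Customer policy Deny-All then deny'

DRIFTED_POLICIES="$VSRX_POLICIES
set security policies from-zone Internet to-zone Customer policy Allow-Mgmt match source-address any destination-address any application any
set security policies from-zone Internet to-zone Customer policy Allow-Mgmt then permit"

# permitting_policies FROM_ZONE TO_ZONE CONFIG
# Prints "<policy-name> permit" for each policy from FROM_ZONE to TO_ZONE whose
# terminating action is permit. Exit status 1 if any is found, 0 otherwise.
permitting_policies() {
    printf '%s\n' "$3" | awk -v from="$1" -v to="$2" '
        $1 == "set" && $2 == "security" && $3 == "policies" &&
        $4 == "from-zone" && $5 == from && $6 == "to-zone" && $7 == to &&
        $8 == "policy" && $10 == "then" && $11 == "permit" {
            print $9, $11   # $9 is the policy name
            found = 1
        }
        END { exit found ? 1 : 0 }'
}

# session_logging_applied CONFIG
# Exit 0 when some group logs session-init for policies and that group is
# applied under [security policies]; exit 1 otherwise.
session_logging_applied() {
    printf '%s\n' "$1" | awk '
        /^set groups [^ ]+ security policies .* then log .*session-init/ { logs[$3] = 1 }
        /^set security policies apply-groups / { applied[$5] = 1 }
        END { for (g in logs) if (applied[g]) exit 0; exit 1 }'
}

# Usage: the base-image policies pass both checks; the drifted set does not.
permitting_policies Internet Customer "$VSRX_POLICIES" && echo "no Internet->Customer permit"
permitting_policies Internet Customer "$DRIFTED_POLICIES" || echo "finding: Internet->Customer permit present"
session_logging_applied "$VSRX_POLICIES" && echo "session logging applied"
```

To run it against a live device rather than the embedded samples, capture the configuration with `show configuration | display set` over the NETCONF-over-SSH session this image enables and pass that text as the CONFIG argument.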
Create a snapshot of the running instance of the Juniper vSRX image by running the following command:
nova image-create --poll vsrx_base_instance vsrx-vmdisk-15.1X49-D40_updated
where:
vsrx_base_instance is the name of the vsrx instance
vsrx-vmdisk-15.1X49-D40_updated is the name of the vsrx image snapshot uploaded to OpenStack Glance.
Use this snapshot as the software image for instantiation of the Juniper vSRX VNF.
Network Service Orchestration provides sample cartridges that you can use as references for designing and implementing a network protection service.
The NPaaS_NetworkService sample cartridge contains the functionality to implement the sample Network Protection as a Service (NPaaS) network service.
The network protection service consists of and uses the following VNFs:
Juniper vSRX firewall
The Juniper_vSRX_VNF sample cartridge contains the functionality to implement a Juniper vSRX firewall as a VNF.
Checkpoint firewall
The Checkpoint_NG_FW_VNF sample cartridge contains the functionality to implement a Checkpoint firewall as a VNF.
The network protection service requires and uses the following software components:
UIM 7.3.4 and the Network Service Orchestration 7.3.4 cartridges
OpenStack VIM, with Open vSwitch capability
OpenDaylight SDN Controller
Software images of the firewall VNFs
To implement the network protection service:
Configure the Juniper vSRX base image. See "Configuring the Juniper vSRX Base Image" for instructions.
In OpenStack, create a tenant or reference an existing tenant with administrator privileges.
Reference an existing management network that can be shared by all the components of Network Service Orchestration.
The management network requires, at a minimum:
One IP address for each:
Machine on which UIM is installed
Virtual machine on which Open vSwitch is installed
Machine on which OpenDaylight is installed
One IP address for each virtual machine on which you want to bring up the VNFs
Connect the management network and the external network to a virtual router. This enables you to use floating IP addresses for providing access to the data center.
Create a customer-side network that facilitates the customer's network traffic to reach the VNFs.
Table 5-1 shows examples of IP addresses and IP address ranges of network and subnet configuration for the customer-side network.
Create an Internet-side network that facilitates the traffic from the customer-side network to the Internet.
Table 5-2 shows examples of IP addresses and IP address ranges of network and subnet configuration for the Internet-side network.
Create packet-in and packet-out networks.
Table 5-3 shows examples of IP addresses and IP address ranges of network and subnet configuration for the packet-in network.
Table 5-3 Example of Network and Subnet Configuration for Packet-in Network

CIDR | IP Allocation Pool | Gateway IP | DHCP Enabled | Additional Routes | DNS Name Server |
---|---|---|---|---|---|
192.168.2.128/25 | Start 192.0.2.129, End 192.0.2.140 | - | Yes | None | None |
Table 5-4 shows examples of IP addresses and IP address ranges of network and subnet configuration for the packet-out network.
Start the OpenDaylight virtual machine on the management network.
Start the Open vSwitch virtual machines on the management network, customer-side network, Internet-side network, packet-in network, and packet-out network.
On the Open vSwitch virtual machine, do the following:
Create a steering bridge:
ovs-vsctl add-br steering
where steering is the name of the integration bridge.
Add the interfaces of the networks you created to the steering bridge:
ovs-vsctl add-port steering networkInterface
where networkInterface is the name of the network interface. For example, eth1.
ovs-vsctl add-port steering eth1
ovs-vsctl add-port steering eth2
ovs-vsctl add-port steering eth3
ovs-vsctl add-port steering eth4
ovs-vsctl add-port steering eth5
Set the IP address and port number of the OpenDaylight virtual machine as the controller to the steering bridge:
ovs-vsctl set-controller steering tcp:OpenDaylight_IPAddress
ovs-vsctl set bridge steering protocols="OpenFlow13"
where OpenDaylight_IPAddress is the IP address of the OpenDaylight virtual machine.
Get the port numbers:
ovs-vsctl --columns=name,ofport list Interface name_of_port
where name_of_port is the name of the Open vSwitch port, for example eth1. The ofport value that is printed is the port number that you specify for the npaas.ovs parameters in the NPaaS_NSD.properties file.
Open the UIM_Home/config/nso.properties file and update the following parameters.
startIpAddress. Specify the subnet start IP address. By default, when Network Service Orchestration creates a network, the subnet IP address starts with 192.168.0.0.
NSO_HOST: IPv4address. Specify the host on which UIM is installed. By default, Network Service Orchestration considers the host on which the UIM server is running. If the server is running on a private network that is unavailable to external network, specify a reachable IP address for the server.
NSO_USERNAME: username
where username is the username of the server on which UIM is installed.
NSO_PASSWORD: encrypted_password
where encrypted_password is the encrypted password of the server on which UIM is installed. See "Setting Network Service Orchestration Properties" for information about encrypting the password.
Open the UIM_Home/config/NPaaS_NSD.properties file and specify values for the parameters listed in Table 5-5:
Table 5-5 Parameters in the NPaaS Network Service Descriptor Properties File

Parameter | Description |
---|---|
NPaaS_NSD.default.dataCenter | Specify a default data center. |
VIM_Id.NPaaS_NSD.ManagementNetwork | Specify the VIM ID and the name of the management network. By default, the VIM ID is OpenStack. The management network is the VLD Name that is specified in the NPaaS_NSD.xml file. If you use multiple VIMs, add another entry of the same parameter and specify the VIM ID and the management network. |
VIM_Id.NPaaS_NSD.Data_IN | Specify the VIM ID and the name of the data-in network. By default, the VIM ID is OpenStack. If you use multiple VIMs, add another entry of the same parameter and specify the VIM ID and the data-in network. |
VIM_Id.NPaaS_NSD.Data_OUT | Specify the VIM ID and the name of the data-out network. By default, the VIM ID is OpenStack. If you use multiple VIMs, add another entry of the same parameter and specify the VIM ID and the data-out network. |
sdnController.NPaaS_NSD | Specify an implementation class for the SDN controller interface. The default implementation class is com.oracle.communications.inventory.nso.nfvi.sdn.ODLManager. |
npaas.ovs.pktInToOVSPort | Specify the Open vSwitch port number of the packet-in network. |
npaas.ovs.pktOutToOVSPort | Specify the Open vSwitch port number of the packet-out network. |
npaas.ovs.custNetToOVSPort | Specify the Open vSwitch port number of the customer-side network. |
npaas.ovs.internetToOVSPort | Specify the Open vSwitch port number of the Internet-side network. |
npaas.ovs.bridge_id | Specify the bridge ID for the Open vSwitch, prefixed with openflow. For example, openflow:OpenFlow_ID, where OpenFlow_ID is the OpenFlow ID. To retrieve the OpenFlow ID, call the following OpenDaylight REST API: http://odlIPaddress:port/restconf/operational/opendaylight-inventory:nodes/ where odlIPaddress is the IP address and port is the port number of the OpenDaylight virtual machine. |
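The four npaas.ovs.*ToOVSPort values come from the "Get the port numbers" step on the Open vSwitch virtual machine, and npaas.ovs.bridge_id comes from the OpenDaylight inventory. Transcribing them by hand is where this setup most often goes wrong, because a swapped packet-in and packet-out port silently sends traffic around the firewall. The following shell script is an added example, not part of the Oracle documentation or the NPaaS_NetworkService cartridge: it reads the output of `ovs-vsctl --columns=name,ofport list Interface`, resolves each interface to its port number, and prints the property lines for NPaaS_NSD.properties. The interface names, port numbers and datapath ID embedded in it are constructed sample data, the mapping of eth2 to eth5 onto the four networks is an assumption for the example, and the ofport_of, openflow_node_id and npaas_ovs_properties function names are its own. It goes one step beyond the page by deriving the openflow: node ID from the bridge's datapath ID (OpenDaylight names an OpenFlow node "openflow:" followed by the datapath ID in decimal), which you should still cross-check against the REST call named in Table 5-5.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): derive the npaas.ovs.*
# values for NPaaS_NSD.properties from Open vSwitch output. Interface names,
# port numbers and the datapath ID below are constructed sample data.

# Constructed sample of `ovs-vsctl --columns=name,ofport list Interface` on the
# Open vSwitch VM. Older releases print names in double quotes; both forms are handled.
OVS_INTERFACES='name                : "eth1"
ofport              : 1

name                : eth2
ofport              : 2

name                : eth3
ofport              : 3

name                : eth4
ofport              : 4

name                : eth5
ofport              : 5

name                : steering
ofport              : 65534
'

# ofport_of INTERFACE OVS_OUTPUT: print the OpenFlow port number of INTERFACE;
# exit 1 when the interface is not in the output.
ofport_of() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $1 == "name"   { gsub(/"/, "", $3); cur = $3 }
        $1 == "ofport" && cur == want { print $3; found = 1; exit }
        END { if (!found) exit 1 }'
}

# openflow_node_id DATAPATH_ID: OpenDaylight names an OVS bridge
# "openflow:<datapath_id as decimal>". DATAPATH_ID is the 16-hex-digit value
# printed by `ovs-vsctl get Bridge steering datapath_id` (without its quotes).
# Cross-check the result with the opendaylight-inventory:nodes REST call.
openflow_node_id() {
    printf 'openflow:%d\n' "0x$1"
}

# npaas_ovs_properties CUST_IF INET_IF PKTIN_IF PKTOUT_IF DATAPATH_ID OVS_OUTPUT
# Prints the property lines to paste into NPaaS_NSD.properties; exit 1 (and
# print nothing) if any interface cannot be resolved, so a typo never yields a
# half-filled file.
npaas_ovs_properties() {
    cust=$(ofport_of "$1" "$6") || return 1
    inet=$(ofport_of "$2" "$6") || return 1
    pktin=$(ofport_of "$3" "$6") || return 1
    pktout=$(ofport_of "$4" "$6") || return 1
    printf 'npaas.ovs.custNetToOVSPort=%s\n' "$cust"
    printf 'npaas.ovs.internetToOVSPort=%s\n' "$inet"
    printf 'npaas.ovs.pktInToOVSPort=%s\n' "$pktin"
    printf 'npaas.ovs.pktOutToOVSPort=%s\n' "$pktout"
    printf 'npaas.ovs.bridge_id=%s\n' "$(openflow_node_id "$5")"
}

# Usage with the constructed mapping: eth2 = customer side, eth3 = Internet
# side, eth4 = packet-in, eth5 = packet-out; datapath ID is a sample value.
npaas_ovs_properties eth2 eth3 eth4 eth5 0000000000abcd56 "$OVS_INTERFACES"
```

On the real Open vSwitch virtual machine, replace the embedded sample with `OVS_INTERFACES=$(ovs-vsctl --columns=name,ofport list Interface)` and pass the datapath ID from `ovs-vsctl get Bridge steering datapath_id`; the printed lines can then be appended to UIM_Home/config/NPaaS_NSD.properties.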
Deploy the Network Service Orchestration cartridges into UIM. See "Installing and Integrating the Network Service Orchestration Components" for information about deploying the cartridges in the specified order.
Register the VIM by calling the corresponding RESTful API. See "Registering the VIM" for instructions.
Discover the VIM resources. See "Discovering VIM Resources" for instructions.
The Network Protection service is ready for instantiation.
Network Service Orchestration provides sample cartridges that you can use as references for designing and implementing a residential gateway network service.
The ResidentialGateway_NetworkService sample cartridge contains the functionality to implement the Residential Gateway network service.
The Residential Gateway network service consists of and uses the following VNFs and PNFs:
Juniper vSRX firewall VNF
The Juniper_vSRX_VNF sample cartridge contains the functionality to implement a Juniper vSRX firewall as a VNF.
Cisco xRV router PNF
The Cisco_xRV_PNF sample cartridge contains the functionality to implement a Cisco xRV router as a PNF.
The Residential Gateway network service requires and uses the following software components:
UIM 7.3.4 and the Network Service Orchestration 7.3.4 cartridges
OpenStack VIM, with Open vSwitch capability
Software image of the Juniper firewall VNF
Cisco xRV PNF. Ensure that the PNF is up and running on a management IP address.
To implement the Residential Gateway network service:
Configure the Juniper vSRX base image. See "Configuring the Juniper vSRX Base Image" for instructions.
In OpenStack, create a tenant or reference an existing tenant with administrator privileges.
Reference an existing management network that can be shared by all the components of Network Service Orchestration.
Reference the existing provider network and create or reference a virtual router that can provide external access to the PNF.
Specify the details of the provider network and the virtual router in the Residential Gateway network service descriptor file. This enables you to use floating IP addresses for providing access to the PNF.
Open the UIM_Home/config/ResidentialGateway_NSD.properties file and specify values for the parameters listed in Table 5-6.
Table 5-6 Parameters in the Residential Gateway Descriptor Properties File

Parameter | Description |
---|---|
ResidentialGateway_NSD.default.dataCenter | Specify a default data center. |
VIM_Id.ResidentialGateway_NSD.ManagementNetwork | Specify the VIM ID and the name of the management network. By default, the VIM ID is OpenStack. The management network is the VLD Name that is specified in the ResidentialGateway_NSD.xml file. If you use multiple VIMs, add another entry of the same parameter and specify the VIM ID and the management network. |
VIM_Id.ResidentialGateway_NSD.Data_IN | Specify the VIM ID and the name of the data-in network. By default, the VIM ID is OpenStack. If you use multiple VIMs, add another entry of the same parameter and specify the VIM ID and the data-in network. |
VIM_Id.ResidentialGateway_NSD.Data_OUT | Specify the VIM ID and the name of the data-out network. By default, the VIM ID is OpenStack. If you use multiple VIMs, add another entry of the same parameter and specify the VIM ID and the data-out network. |
sdnController.ResidentialGateway_NSD | Specify an implementation class for the SDN controller interface. The default implementation class is com.oracle.communications.inventory.nso.nfvi.sdn.ODLManager. |
If you use multiple data centers, override the provider network and the virtual router details specified in the network service descriptor file with the provider network and virtual router details of your data center:
vim_Id.network_service_descriptor.external_network_name = provider_network
vim_Id.network_service_descriptor.virtual_router_name = virtual_router
For example, if you deploy the Residential Gateway network service on an OpenStack VIM with VIM ID pod5, specify:
pod5.ResidentialGateway_NSD.ext-net = publicNet
Deploy the Network Service Orchestration cartridges into UIM. See "Installing and Integrating the Network Service Orchestration Components" for information about deploying the cartridges in the specified order.
Register the PNF by using the REST API. See "Network Service Orchestration RESTful API Reference" for a sample request for registering PNFs.
See "Working with PNFs in Network Services" for more information about working with PNFs.
Register the VIM by using the REST API. See "Registering the VIM" for instructions.
Discover the VIM resources. See "Discovering VIM Resources" for instructions.
To enable connectivity between the VNF and the PNF, a floating IP address is assigned to the VNF. Configure the static routes for that floating IP address on the PNF, either manually or by extending the cartridges.
The Residential Gateway network service is ready for instantiation.