6WIND VNF Onboarding – A vCPE with IPSEC VPN Use Case Demo
In our previous post, The Cloud Native VNF Explosion at MWC18, we discussed the VNF on-boarding process and its challenges. Cloudify and 6WIND have partnered to demonstrate how the VNF on-boarding process can be simplified significantly. The secret sauce is to use a proper orchestration engine… As a result, Cloudify has built a demo where it orchestrates a vCPE use case in which 6WIND Turbo IPSEC Edition is used as a virtual router VNF. Below is a simple walk-through to demonstrate how easy it is to on-board a typical vRouter VNF along with its services through a simple TOSCA blueprint.
This scenario demonstrates how high performance networking software combined with commercial off-the-shelf (COTS) servers and open source orchestration powered by TOSCA can offer alternatives to expensive networking equipment. This scenario is based on a hypothetical company that has its HQ (headquarters) and a few distributed branches, where there’s a need to connect these branches over IPSEC VPN to the HQ.
Cloudify blueprints to run this scenario can be found here: https://github.com/astianseb/6wind-demo
There are two similar scenarios:
- Demo Scenario #1: This is a two-stage demo, where in the first stage we instantiate the HQ router with a baseline configuration, and in the second stage we instantiate a branch router which is then connected with the HQ over IPSEC VPN.
- Demo Scenario #2: This is a three-stage demo, where in the first stage we instantiate the HQ router with a baseline configuration, in the second stage we instantiate a branch router with a baseline configuration, and in the third stage we instantiate a VPN service between the branch and HQ routers.
The purpose of the two scenarios is to showcase how a service can be modeled depending on the requirements: it can be part of the VNF instantiation or it can be provisioned on top as a distinct service.
This post will focus on the three-stage demo scenario #2.
How it Was Achieved
Instantiate 6WIND Image with Day0 Configuration
The prerequisite is a 6WIND Turbo IPSEC image with a Day0 configuration that allows the management address to be assigned by DHCP and enables SSH access.
Step 1: Instantiate HQ VNF
Download the demo repository to the machine which is running the CFY CLI:
Execute the script “hq-start.sh”:
After a few minutes we should see the VNF running in OpenStack:
…and we should now be able to see the deployment in the Cloudify Console:
… we can then log into the VNF via the management interface’s floating IP:
The 6wind-hq router is now configured with a baseline configuration with no VPN configured.
Now it’s time to instantiate the branch-1 router.
Step 2: Instantiate the Branch VNF
Execute “branch-1-start.sh”:
…after a few minutes we should be able to see the VNF available on OpenStack and see the deployment in the Cloudify Console:
…now we can log in again to the management IP address of the branch-1 VNF and see that no IPSEC VPN is configured (see IPSEC stats):
Step 3: Instantiate VPN Between Branch and HQ
Execute “vpn-1-start.sh”:
…after a minute we should see the VPN deployment (branch-1-vpn) being instantiated in the Cloudify Console:
…and once we log into the branch and execute a ping to the HQ LAN IP (192.168.10.4) from the branch LAN IP (192.168.101.4): “ping 192.168.10.4 from 192.168.101.4” we should trigger an IPSEC tunnel:
Bonus
With the VPN as a separate deployment, we can uninstall it from the devices directly from the Cloudify Console, which removes the VPN configuration from the VNF. Running the install workflow again re-initiates the VPN configuration.
That’s it!