Aruba IMC Orchestrator 6.2 Security Scenario Security Service Resource Configuration Guide

Brand: Aruba

Model: IMC Orchestrator 6.2 Security Scenario Security Service Resource

Category: Networking

Type: Configuration Guide

This manual is also suitable for

IMC Orchestrator 6.2 Security Scenario

Security Service Resource Configuration

Guide

The information in this document is subject to change without notice.

 
i 
Contents 
Overview ························································································1 
Basic configuration ···········································································2 
Configure basic controller settings ··································································································· 2 
Log in to the controller ············································································································ 2 
Create fabric 1 ······················································································································ 2 
Configure VDS1 ···················································································································· 3 
Create a tenant ····················································································································· 4 
Configure service chain service resources for the third-party device ············6 
Network planning ························································································································· 6 
Single-arm mode ··················································································································· 6 
Dual-arm mode ····················································································································· 8 
Deployment workflow ···················································································································· 9 
Procedure ································································································································· 10 
Connect the third-party device in single-arm mode ····································································· 10 
Connect the third-party device in dual-arm mode ······································································· 17 
Restrictions and guidelines ······························································· 25 
O&M monitoring ············································································· 26 
 

Overview

This document provides configuration examples for service gateway resources and service chain

resources, including basic configuration for security devices, device incorporation from the controller,

L4-L7 resource pool and template configuration, and service resource assignment for tenants.

The security devices form an Remote Backup Management (RBM) system. In the RBM system, two

security devices are assigned the primary and secondary roles, and they synchronize session entries

over the RBM data channel conveyed by the direct links between them. The security devices use

Layer 3 aggregate interfaces to connect to the Layer 2 aggregate interfaces of a DR system at the

border or leaf layer. VRRP is enabled on the service subinterfaces of the contexts on the security

devices. When the primary device fails, the service traffic will be switched to the secondary device.

IMPORTANT:

• If contexts are shared, service gateway resources and service chain resources cannot be collated on a

physical firewall.

• If dedicated contexts are used, a VRRP switchover on one context will trigger VRRP switchovers on the

other contexts. This issue will cause packet loss or network interruption. As a best practice, do not use

dedicated contexts. If you must use them, contact HPE Support.

• For vFW resources to be created successfully, make sure both the primary and secondary security

devices are online.

Basic configuration

Configure basic controller settings

1. Access the URL http://ucenter_ip_address:30000/central/index.html via a browser.

The ucenter_ip_address address is the northbound service virtual IP address of the Installer

where IMC PLAT resides.

Figure 1 Logging in to IMC PLAT

2. Log in to IMC PLAT.

Create fabric 1

1. Access the Automation > Data Center Networks > Fabrics > Fabrics page.

2. Click Add, and configure the following parameters.

 Name: Enter fabric1.

 Overlay BGP AS Number: Enter the BGP AS number configured on the devices in the

fabric. This step uses 100 as an example.

 Multicast Network: Enable the multicast network feature as needed. You cannot enable

this feature after you create fabric connections.

 Epg Controller: Enable EPG as needed. You can edit this parameter after you create the

fabric.

 Configure the other parameters as needed. This step uses the default settings.

Figure 2 Adding a fabric

3. Click OK.

4. Click the icon in the Actions column for fabric 1, and then click the Settings tab.

5. Configure the advanced parameters as needed. This step uses the default settings.

Figure 3 Fabric advanced parameters

Configure VDS1

1. Access the Automation > Data Center Networks > Common Network Settings > Virtual

Distributed Switch page.

2. Click the icon for VDS1.

3. Click the Carrier Fabric tab, click Add Fabric, and then add fabric 1.

Figure 4 Adding fabric 1 on VDS1

4. Click the Advanced Settings tab, and configure the following parameters:

 Bridge Name: Enter vds1-br.

 VXLAN Tunnel Interface Name: Enter vxlan_vds1-br.

 vSwitch Learned Flow Entries Aging Time (seconds): Enter 300.

 Configure the other parameters as needed. This step uses the default settings.

Figure 5 VDS advanced parameters

5. Click Apply.

Create a tenant

1. Access the Automation > Data Center Networks > Tenants Management > All Tenants

page, click Add, and configure the following parameters:

 Tenant Name: Enter publictenant1.

 VDS Name: Select VDS1.

Figure 6 Creating a tenant

2. Click Apply.

Configure service chain service

resources for the third-party device

Network planning

Single-arm mode

Network topology

Figure 7 Single-arm third-party device network diagram

For information about switching device connections, see IMC Orchestrator 6.2 Underlay Network

Configuration Guide. Connect the interfaces on the leaf nodes to the third-party firewall as shown in

Table 1.

Table 1 Device IP addresses and interfaces on the network

Device

Purpose

Management IP

Service IP and

interface

Leaf3

EVPN access device

192.168.11.6

Loopback0 10.1.1.6/32

XGE1/0/11 (connecting to

the third-party firewall), a

member port of BAGG3

DR3

Leaf4

EVPN access device

192.168.11.7

Loopback0: 10.1.1.7/32

XGE1/0/11 (connecting to

Border1 Border2

Leaf1 Leaf2 Leaf3 Leaf4

Server1 Server2

IPL

IPL IPL

Spine1 Spine2

Leaf5

Server3 Server4

IPL Leaf6

Third-party firewall

Internet

IMC Orchestrator

Component

Device

Purpose

Management IP

Service IP and

interface

the third-party firewall), a

member port of BAGG3

DR3

Resource plan

Table 2 Resource plan

Category

Configuration example

(Fabric1)

Remarks

Fabric

Name: fabric1

AS number: 100

N/A

VDS

Name: VDS1

Bearer fabric: fabric1

VXLAN ID range: 1 to

16777215

The VXLAN ID range must

contain the VXLAN IDs in all

subnets of the VDS. The

VXLAN ID must be unique in a

LAN. Different VDSs cannot be

configured with the same

VXLAN ID.

Internetwork connecting the third-party

firewall and leaf nodes

Name: thirdnet1

VLAN ID: 2121

IPv4: thirdnet1v4,

11.31.1.0/24

IPv6: thirdnet1v6,

2001:11:31:1::/64

Name: thirdnet2

VLAN ID: 2122

IPv4: thirdnet1v4,

11.31.2.0/24

IPv6: thirdnet1v6,

2001:11:31:2::/64

N/A

Virtual router connecting the third-party

firewall

Name: thirdrouter1

Segment ID: 11501

N/A

Deployment workflow

Figure 9 Flowchart

Configure the underlay networkPreconfigure the third-party device Configure the tenant network End

Add a VLAN-VXLAN mapping

Add a virtual network

Add a vRouter

Required sub-process

Required main process

Configure security service

resources

Add a third-party service resource

Start

Procedure

Connect the third-party device in single-arm mode

Preconfigure the third-party device

This example uses an HPE device for illustration. For the actual commands, see the product manual

of the third-party device.

1. Configure the VLAN interface that connects to the leaf nodes.

[device] interface vlan 2121

[device-Vlan-interface2121] ip address 11.31.1.2 24

[device-Vlan-interface2121] ipv6 address 2001:11:31:1::2 64

[device-Vlan-interface2121] quit

2. Configure the aggregate interface that connects to the leaf nodes.

[device] interface Bridge-Aggregation3

[device-Bridge-Aggregation3] port link-type trunk

[device-Bridge-Aggregation3] undo port trunk permit vlan 1

[device-Bridge-Aggregation3] port trunk permit vlan 2121

[device-Bridge-Aggregation3] link-aggregation mode dynamic

[device-Bridge-Aggregation3] quit

3. Configure static routes.

[device] ip route-static 0.0.0.0 0 11.31.1.1

[device] ipv6 route-static :: 0 2001:11:31:1::1

Configure the underlay network

Configure and incorporate switching devices on the network. For more information, see IMC

Orchestrator 6.2 Underlay Network Configuration Guide.

Add a virtual network

1. Navigate to the Automation > Data Center Networks > Tenant [default] Network > Virtual

Network. Click Add. On the page that opens, configure the following parameters:

 Name: thirdnet1.

 Segment ID: 2121.

 Configure the other parameters as needed. In this example, use the default settings.

Figure 10 Adding a virtual network

2. Click Add on the Subnets tab to add an IPv4 subnet. In the dialog box that opens, configure

the following parameters

 IP Version: IPv4.

 DHCP: Off.

 Name: thirdnet1v4.

 Subnet Address: 11.31.1.0/24.

 Gateway IP: 11.31.1.1.

 Configure the other parameters as needed. In this example, use the default settings.

Figure 11 Adding an IPv4 subnet

3. Click Apply to complete the adding of the IPv4 subnet. Click Add on the Subnets tab to add

an IPv6 subnet. In the dialog box that opens, configure the following parameters:

 IP Version: IPv6.

 DHCP: Off.

 Name: thirdnet1v6.

 Subnet Address: 2001:11:31:1::/64.

 Gateway IP: 2001:11:31:1::1.

 Configure the other parameters as needed. In this example, use the default settings.

Figure 12 Adding an IPv6 subnet

4. Click Apply to complete the adding of the IPv6 subnet. Click the Advanced Configuration

tab, and configure packet suppression functions. In this example, use the default settings.

Figure 13 Advanced Configuration

5. Click Apply at the upper-right corner to complete the adding of the virtual network.

Add a vRouter

1. Navigate to the Automation > Data Center Networks > Tenant [default] Network >

vRouter. Click Add. On the page that opens, configure the following parameters:

 Name: thirdrouter1.

 Segment ID: 11501. This parameter must be within the VXLAN ID range of the VDS.

2. Click Add on the Subnets tab, select subnets thirdnet1v4 and thirdnet1v6, and click Apply.

Figure 14 Adding subnets

3. Configure the other parameters as needed. In this example, use the default settings.

4. Click Apply at the upper-right corner to complete the adding of the vRouter.

Figure 15 Adding a vRouter

Configure VLAN-VXLAN mappings

1. Navigate to the Automation > Data Center Networks > Pools > VNID Pools > VLAN-

VXLAN Mappings page. Click Add. Select VLAN-VXLAN Mapping, and enter a mapping

name.

Figure 16 VLAN-VXLAN mapping configuration

2. To add a VLAN-VXLAN mapping, click Add Mapping, and configure the following

parameters:

 Start VLAN ID: 2121

 Start VXLAN ID: 2121

 Mapping Range Length: 1

 Access Mode: VLAN

Figure 17 Adding a VLAN-VXLAN mapping

3. Click Apply to complete the adding of the mapping. On the Mapping Rule tab, click Apply.

Figure 18 VLAN-VXLAN mapping configuration

4. Click the Apply to Devices or Apply to Interfaces tab to apply the VLAN-VXLAN mapping.

In this example, apply the VLAN-VXLAN mapping to interfaces. Because the VLAN-VXLAN

mapping is used to connect the third-party device, apply it to the aggregate interfaces on the

leaf nodes that connect to the third-party device. Click the link in the Applied to Interfaces

column, and select the aggregate interfaces on leaf3 and leaf4 that connect to the third-party

device.

Figure 19 Applying the VLAN-VXLAN mapping to interfaces

5. Click Apply to complete the application of the VLAN-VXLAN mapping. The VLAN-VXLAN

mapping appears in the mapping list.

Figure 20 Mapping information

6. Navigate to the Automation > Data Center Networks > Tenant [tenant1] Network > Virtual

Port > vRouter. You can see that the third-party device has been onboarded.

Figure 21 Third-party device onboarding

Add a third-party service resource

1. Navigate to the Automation > Data Center Networks > Tenant Management > All Tenants

page. Select tenant1 and click the icon in the Actions column. The Edit Tenant page

opens.

2. In the Allocate Service Resources area, select Third-Party Service Resource.

Figure 22 Selecting Third-Party Service Resource

3. Click the Third-Party Service Device tab, and click Add. On the page that opens, configure

the following parameters:

 Name: thirddevice1.

 Connection Mode: Single vPort.

 vPort VXLAN ID: 2121.

 vPort IP Address: 11.31.1.2. This address can be an IPv4 or IPv6 address. This example

uses an IPv4 address.

Figure 23 Adding a third-party service device

4. Click Apply to complete the adding of the third-party service device.

5. Click the Third-Party Service Resource tab, and click Add. On the page that opens,

configure the following parameters:

 Name: thirdresource1.

 Third-Party Service Device: Select thirddevice1.

 Share Node: Off. If you enable this option, the third-party service resource can be used by

multiple service chains.

 Configure the other parameters as needed. In this example, use the default settings.

Figure 24 Adding a third-party service resource

6. Click Apply to complete the adding of the third-party service resource. It will appear in the

resource list.

Figure 25 Viewing third-party service resources

7. On the Edit Tenant page, click Apply at the upper-right corner to complete the binding of the

third-party service resource.

Connect the third-party device in dual-arm mode

Preconfigure the third-party device

This example uses an HPE device for illustration. For the actual commands, see the product manual

of the third-party device.

1. Configure the VLAN interfaces that connect to the leaf nodes.

[device] interface vlan 2121

[device-Vlan-interface2121] ip binding vpn-instance third1

[device-Vlan-interface2121] ip address 11.31.1.2 24

[device-Vlan-interface2121] ipv6 address 2001:11:31:1::2 64

[device-Vlan-interface2121] quit

[device] interface vlan 2122

[device-Vlan-interface2121] ip binding vpn-instance third2

[device-Vlan-interface2122] ip address 11.31.2.2 24

[device-Vlan-interface2122] ipv6 address 2001:11:31:2::2 64

[device-Vlan-interface2122] quit

2. Configure the aggregate interfaces that connect to the leaf nodes.

[device] interface Bridge-Aggregation3

[device-Bridge-Aggregation3] port link-type trunk

[device-Bridge-Aggregation3] undo port trunk permit vlan 1

[device-Bridge-Aggregation3] port trunk permit vlan 2121

[device-Bridge-Aggregation3] link-aggregation mode dynamic

[device-Bridge-Aggregation3] quit

[device] interface Bridge-Aggregation4

[device-Bridge-Aggregation4] port link-type trunk

[device-Bridge-Aggregation4] undo port trunk permit vlan 1

[device-Bridge-Aggregation4] port trunk permit vlan 2122

[device-Bridge-Aggregation4] link-aggregation mode dynamic

[device-Bridge-Aggregation4] quit

3. Configure static routes.

[device] ip route-static vpn-instance third1 0.0.0.0 0 vpn-instance third2

11.31.2.1

[device] ip route-static vpn-instance third2 0.0.0.0 0 vpn-instance third1

11.31.1.1

[device] ipv6 route-static vpn-instance third1 :: 0 vpn-instance third2

2001:11:31:2::1

[device] ipv6 route-static vpn-instance third2 :: 0 vpn-instance third1

2001:11:31:1::1

Add a virtual network

1. Navigate to the Automation > Data Center Networks > Tenant [default] Network > Virtual

Network. Click Add. On the page that opens, configure the following parameters:

 Name: thirdnet1.

 Segment ID: 2121.

 Configure the other parameters as needed. In this example, use the default settings.

Figure 26 Adding a virtual network

2. Click Add on the Subnets tab to add an IPv4 subnet. In the dialog box that opens, configure

the following parameters

 IP Version: IPv4.

 DHCP: Off.

 Name: thirdnet1v4.

 Subnet Address: 11.31.1.0/24.

 Gateway IP: 11.31.1.1.

 Configure the other parameters as needed. In this example, use the default settings.

Figure 27 Adding an IPv4 subnet

3. Click Apply to complete the adding of the IPv4 subnet. Click Add on the Subnets tab to add

an IPv6 subnet. In the dialog box that opens, configure the following parameters:

 IP Version: IPv6.

 DHCP: Off.

Page is loading ...

Aruba IMC Orchestrator 6.2 Security Scenario Security Service Resource Configuration Guide

Brand: Aruba

Model: IMC Orchestrator 6.2 Security Scenario Security Service Resource

Category: Networking

Type: Configuration Guide

This manual is also suitable for

Download PDF

report

Aruba IMC Orchestrator 6.2 Security Scenario Security Service Resource Configuration Guide

This manual is also suitable for

Aruba IMC Orchestrator 6.2 Security Scenario Security Service Resource Configuration Guide

Related papers

Other documents