Aruba IMC Orchestrator 6.2 Security Scenario Security Service Resource, JL849AAE, JL850AAE, JL851AAE, JL852AAE, JL853AAE Configuration Guide

IMC Orchestrator 6.2 Security Scenario
Security Service Resource Configuration
Guide
The information in this document is subject to change without notice.
© Copyright 2022 Hewlett Packard Enterprise Development LP
Contents
Overview 1
Basic configuration 2
  Configure basic controller settings 2
    Log in to the controller 2
    Create fabric 1 2
    Configure VDS1 3
    Create a tenant 4
Configure service chain service resources for the third-party device 6
  Network planning 6
    Single-arm mode 6
    Dual-arm mode 8
  Deployment workflow 9
  Procedure 10
    Connect the third-party device in single-arm mode 10
    Connect the third-party device in dual-arm mode 17
Restrictions and guidelines 25
O&M monitoring 26
Overview
This document provides configuration examples for service gateway resources and service chain
resources, including basic configuration for security devices, device incorporation from the controller,
L4-L7 resource pool and template configuration, and service resource assignment for tenants.
The security devices form a Remote Backup Management (RBM) system. In the RBM system, two
security devices are assigned the primary and secondary roles, and they synchronize session entries
over the RBM data channel conveyed by the direct links between them. The security devices use
Layer 3 aggregate interfaces to connect to the Layer 2 aggregate interfaces of a DR system at the
border or leaf layer. VRRP is enabled on the service subinterfaces of the contexts on the security
devices. When the primary device fails, the service traffic will be switched to the secondary device.
IMPORTANT:
If contexts are shared, service gateway resources and service chain resources cannot be collocated on
one physical firewall.
If dedicated contexts are used, a VRRP switchover on one context will trigger VRRP switchovers on the
other contexts. This issue will cause packet loss or network interruption. As a best practice, do not use
dedicated contexts. If you must use them, contact HPE Support.
For vFW resources to be created successfully, make sure both the primary and secondary security
devices are online.
Basic configuration
Configure basic controller settings
Log in to the controller
1. Access the URL http://ucenter_ip_address:30000/central/index.html via a browser.
The ucenter_ip_address address is the northbound service virtual IP address of the Installer
where IMC PLAT resides.
Figure 1 Logging in to IMC PLAT
2. Log in to IMC PLAT.
Create fabric 1
1. Access the Automation > Data Center Networks > Fabrics > Fabrics page.
2. Click Add, and configure the following parameters.
Name: Enter fabric1.
Overlay BGP AS Number: Enter the BGP AS number configured on the devices in the
fabric. This step uses 100 as an example.
Multicast Network: Enable the multicast network feature as needed. You cannot enable
this feature after you create fabric connections.
Epg Controller: Enable EPG as needed. You can edit this parameter after you create the
fabric.
Configure the other parameters as needed. This step uses the default settings.
Figure 2 Adding a fabric
3. Click OK.
4. Click the icon in the Actions column for fabric 1, and then click the Settings tab.
5. Configure the advanced parameters as needed. This step uses the default settings.
Figure 3 Fabric advanced parameters
Configure VDS1
1. Access the Automation > Data Center Networks > Common Network Settings > Virtual
Distributed Switch page.
2. Click the icon for VDS1.
3. Click the Carrier Fabric tab, click Add Fabric, and then add fabric 1.
Figure 4 Adding fabric 1 on VDS1
4. Click the Advanced Settings tab, and configure the following parameters:
Bridge Name: Enter vds1-br.
VXLAN Tunnel Interface Name: Enter vxlan_vds1-br.
vSwitch Learned Flow Entries Aging Time (seconds): Enter 300.
Configure the other parameters as needed. This step uses the default settings.
Figure 5 VDS advanced parameters
5. Click Apply.
Create a tenant
1. Access the Automation > Data Center Networks > Tenants Management > All Tenants
page, click Add, and configure the following parameters:
Tenant Name: Enter publictenant1.
VDS Name: Select VDS1.
Figure 6 Creating a tenant
2. Click Apply.
Configure service chain service resources for the third-party device
Network planning
Single-arm mode
Network topology
Figure 7 Single-arm third-party device network diagram
For information about switching device connections, see IMC Orchestrator 6.2 Underlay Network
Configuration Guide. Connect the interfaces on the leaf nodes to the third-party firewall as shown in
Table 1.
Table 1 Device IP addresses and interfaces on the network
Device | Purpose | Management IP | Service IP and interface
Leaf3 | EVPN access device | 192.168.11.6 | Loopback0: 10.1.1.6/32; XGE1/0/11 (connecting to the third-party firewall), a member port of BAGG3 (DR3)
Leaf4 | EVPN access device | 192.168.11.7 | Loopback0: 10.1.1.7/32; XGE1/0/11 (connecting to the third-party firewall), a member port of BAGG3 (DR3)
Resource plan
Table 2 Resource plan
Category | Configuration example | Remarks
Fabric | Name: fabric1; AS number: 100 | N/A
VDS | Name: VDS1; Bearer fabric: fabric1; VXLAN ID range: 1 to 16777215 | The VXLAN ID range must contain the VXLAN IDs in all subnets of the VDS. The VXLAN ID must be unique in a LAN. Different VDSs cannot be configured with the same VXLAN ID.
Internetwork connecting the third-party firewall and leaf nodes | Name: thirdnet1; VLAN ID: 2121; IPv4: thirdnet1v4, 11.31.1.0/24; IPv6: thirdnet1v6, 2001:11:31:1::/64 | N/A
Virtual router connecting the third-party firewall | Name: thirdrouter1; Segment ID: 11501 | N/A
Dual-arm mode
Network topology
Figure 8 Dual-arm third-party device network diagram
For information about switching device connections, see IMC Orchestrator 6.2 Underlay Network
Configuration Guide. Connect the interfaces on the leaf nodes to the third-party firewall as shown in
Table 3.
Table 3 Device IP addresses and interfaces on the network
Device | Purpose | Management IP | Service IP and interface
Leaf3 | EVPN access device | 192.168.11.6 | Loopback0: 10.1.1.6/32; XGE1/0/11 (connecting to the third-party firewall), a member port of BAGG3 (DR3); XGE1/0/12 (connecting to the third-party firewall), a member port of BAGG4 (DR4)
Leaf4 | EVPN access device | 192.168.11.7 | Loopback0: 10.1.1.7/32; XGE1/0/11 (connecting to the third-party firewall), a member port of BAGG3 (DR3); XGE1/0/12 (connecting to the third-party firewall), a member port of BAGG4 (DR4)
Resource plan
Table 4 Resource plan
Category | Configuration example (Fabric1) | Remarks
Fabric | Name: fabric1; AS number: 100 | N/A
VDS | Name: VDS1; Bearer fabric: fabric1; VXLAN ID range: 1 to 16777215 | The VXLAN ID range must contain the VXLAN IDs in all subnets of the VDS. The VXLAN ID must be unique in a LAN. Different VDSs cannot be configured with the same VXLAN ID.
Internetwork connecting the third-party firewall and leaf nodes | Name: thirdnet1; VLAN ID: 2121; IPv4: thirdnet1v4, 11.31.1.0/24; IPv6: thirdnet1v6, 2001:11:31:1::/64. Name: thirdnet2; VLAN ID: 2122; IPv4: thirdnet1v4, 11.31.2.0/24; IPv6: thirdnet1v6, 2001:11:31:2::/64 | N/A
Virtual router connecting the third-party firewall | Name: thirdrouter1; Segment ID: 11501 | N/A
Deployment workflow
Figure 9 Flowchart
Required main process: Start > Configure the underlay network > Preconfigure the third-party device > Configure the tenant network > Configure security service resources > End.
Required sub-processes: Configure the tenant network (Add a VLAN-VXLAN mapping, Add a virtual network, Add a vRouter); Configure security service resources (Add a third-party service resource).
Procedure
Connect the third-party device in single-arm mode
Preconfigure the third-party device
This example uses an HPE device for illustration. For the actual commands, see the product manual
of the third-party device.
1. Configure the VLAN interface that connects to the leaf nodes.
[device] interface vlan 2121
[device-Vlan-interface2121] ip address 11.31.1.2 24
[device-Vlan-interface2121] ipv6 address 2001:11:31:1::2 64
[device-Vlan-interface2121] quit
2. Configure the aggregate interface that connects to the leaf nodes.
[device] interface Bridge-Aggregation3
[device-Bridge-Aggregation3] port link-type trunk
[device-Bridge-Aggregation3] undo port trunk permit vlan 1
[device-Bridge-Aggregation3] port trunk permit vlan 2121
[device-Bridge-Aggregation3] link-aggregation mode dynamic
[device-Bridge-Aggregation3] quit
3. Configure static routes.
[device] ip route-static 0.0.0.0 0 11.31.1.1
[device] ipv6 route-static :: 0 2001:11:31:1::1
Configure the underlay network
Configure and incorporate switching devices on the network. For more information, see IMC
Orchestrator 6.2 Underlay Network Configuration Guide.
Add a virtual network
1. Navigate to the Automation > Data Center Networks > Tenant [default] Network > Virtual
Network. Click Add. On the page that opens, configure the following parameters:
Name: thirdnet1.
Segment ID: 2121.
Configure the other parameters as needed. In this example, use the default settings.
Figure 10 Adding a virtual network
2. Click Add on the Subnets tab to add an IPv4 subnet. In the dialog box that opens, configure
the following parameters:
IP Version: IPv4.
DHCP: Off.
Name: thirdnet1v4.
Subnet Address: 11.31.1.0/24.
Gateway IP: 11.31.1.1.
Configure the other parameters as needed. In this example, use the default settings.
Figure 11 Adding an IPv4 subnet
3. Click Apply to complete the adding of the IPv4 subnet. Click Add on the Subnets tab to add
an IPv6 subnet. In the dialog box that opens, configure the following parameters:
IP Version: IPv6.
DHCP: Off.
Name: thirdnet1v6.
Subnet Address: 2001:11:31:1::/64.
Gateway IP: 2001:11:31:1::1.
Configure the other parameters as needed. In this example, use the default settings.
Figure 12 Adding an IPv6 subnet
4. Click Apply to complete the adding of the IPv6 subnet. Click the Advanced Configuration
tab, and configure packet suppression functions. In this example, use the default settings.
Figure 13 Advanced Configuration
5. Click Apply at the upper-right corner to complete the adding of the virtual network.
Add a vRouter
1. Navigate to the Automation > Data Center Networks > Tenant [default] Network >
vRouter. Click Add. On the page that opens, configure the following parameters:
Name: thirdrouter1.
Segment ID: 11501. This parameter must be within the VXLAN ID range of the VDS.
2. Click Add on the Subnets tab, select subnets thirdnet1v4 and thirdnet1v6, and click Apply.
Figure 14 Adding subnets
3. Configure the other parameters as needed. In this example, use the default settings.
4. Click Apply at the upper-right corner to complete the adding of the vRouter.
Figure 15 Adding a vRouter
Configure VLAN-VXLAN mappings
1. Navigate to the Automation > Data Center Networks > Pools > VNID Pools > VLAN-
VXLAN Mappings page. Click Add. Select VLAN-VXLAN Mapping, and enter a mapping
name.
Figure 16 VLAN-VXLAN mapping configuration
2. To add a VLAN-VXLAN mapping, click Add Mapping, and configure the following
parameters:
Start VLAN ID: 2121
Start VXLAN ID: 2121
Mapping Range Length: 1
Access Mode: VLAN
Figure 17 Adding a VLAN-VXLAN mapping
3. Click Apply to complete the adding of the mapping. On the Mapping Rule tab, click Apply.
Figure 18 VLAN-VXLAN mapping configuration
4. Click the Apply to Devices or Apply to Interfaces tab to apply the VLAN-VXLAN mapping.
In this example, apply the VLAN-VXLAN mapping to interfaces. Because the VLAN-VXLAN
mapping is used to connect the third-party device, apply it to the aggregate interfaces on the
leaf nodes that connect to the third-party device. Click the link in the Applied to Interfaces
column, and select the aggregate interfaces on leaf3 and leaf4 that connect to the third-party
device.
Figure 19 Applying the VLAN-VXLAN mapping to interfaces
5. Click Apply to complete the application of the VLAN-VXLAN mapping. The VLAN-VXLAN
mapping appears in the mapping list.
Figure 20 Mapping information
6. Navigate to the Automation > Data Center Networks > Tenant [tenant1] Network > Virtual
Port > vRouter. You can see that the third-party device has been onboarded.
Figure 21 Third-party device onboarding
Add a third-party service resource
1. Navigate to the Automation > Data Center Networks > Tenant Management > All Tenants
page. Select tenant1 and click the icon in the Actions column. The Edit Tenant page
opens.
2. In the Allocate Service Resources area, select Third-Party Service Resource.
Figure 22 Selecting Third-Party Service Resource
3. Click the Third-Party Service Device tab, and click Add. On the page that opens, configure
the following parameters:
Name: thirddevice1.
Connection Mode: Single vPort.
vPort VXLAN ID: 2121.
vPort IP Address: 11.31.1.2. This address can be an IPv4 or IPv6 address. This example
uses an IPv4 address.
Figure 23 Adding a third-party service device
4. Click Apply to complete the adding of the third-party service device.
5. Click the Third-Party Service Resource tab, and click Add. On the page that opens,
configure the following parameters:
Name: thirdresource1.
Third-Party Service Device: Select thirddevice1.
Share Node: Off. If you enable this option, the third-party service resource can be used by
multiple service chains.
Configure the other parameters as needed. In this example, use the default settings.
Figure 24 Adding a third-party service resource
6. Click Apply to complete the adding of the third-party service resource. It will appear in the
resource list.
Figure 25 Viewing third-party service resources
7. On the Edit Tenant page, click Apply at the upper-right corner to complete the binding of the
third-party service resource.
Connect the third-party device in dual-arm mode
Preconfigure the third-party device
This example uses an HPE device for illustration. For the actual commands, see the product manual
of the third-party device.
1. Configure the VLAN interfaces that connect to the leaf nodes. Each VLAN interface is bound to its own VPN instance so that the two arms are kept in separate routing tables.
[device] interface vlan 2121
[device-Vlan-interface2121] ip binding vpn-instance third1
[device-Vlan-interface2121] ip address 11.31.1.2 24
[device-Vlan-interface2121] ipv6 address 2001:11:31:1::2 64
[device-Vlan-interface2121] quit
[device] interface vlan 2122
[device-Vlan-interface2122] ip binding vpn-instance third2
[device-Vlan-interface2122] ip address 11.31.2.2 24
[device-Vlan-interface2122] ipv6 address 2001:11:31:2::2 64
[device-Vlan-interface2122] quit
2. Configure the aggregate interfaces that connect to the leaf nodes.
[device] interface Bridge-Aggregation3
[device-Bridge-Aggregation3] port link-type trunk
[device-Bridge-Aggregation3] undo port trunk permit vlan 1
[device-Bridge-Aggregation3] port trunk permit vlan 2121
[device-Bridge-Aggregation3] link-aggregation mode dynamic
[device-Bridge-Aggregation3] quit
[device] interface Bridge-Aggregation4
[device-Bridge-Aggregation4] port link-type trunk
[device-Bridge-Aggregation4] undo port trunk permit vlan 1
[device-Bridge-Aggregation4] port trunk permit vlan 2122
[device-Bridge-Aggregation4] link-aggregation mode dynamic
[device-Bridge-Aggregation4] quit
3. Configure static routes. Each VPN instance's default route points to the leaf gateway of the other arm, so traffic entering on one arm leaves on the other.
[device] ip route-static vpn-instance third1 0.0.0.0 0 vpn-instance third2 11.31.2.1
[device] ip route-static vpn-instance third2 0.0.0.0 0 vpn-instance third1 11.31.1.1
[device] ipv6 route-static vpn-instance third1 :: 0 vpn-instance third2 2001:11:31:2::1
[device] ipv6 route-static vpn-instance third2 :: 0 vpn-instance third1 2001:11:31:1::1
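The resource plan in Tables 2 and 4 and the dual-arm preconfiguration above carry several consistency rules (segment IDs inside the VDS VXLAN range and unique, gateway and firewall interface addresses inside their subnet, each VPN instance's default route leaving through the other arm's leaf gateway). The following added Python example, not part of this guide or of IMC Orchestrator, checks a constructed copy of the dual-arm plan against those rules before the values are typed into the controller and the firewall; the `Arm` structure and `validate_plan` are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass

# Constructed plan mirroring Table 4 and the dual-arm device preconfiguration
# (hypothetical data structure, not an IMC Orchestrator API).
VDS_VXLAN_RANGE = (1, 16777215)

@dataclass
class Arm:
    vpn_instance: str       # VPN instance bound to the firewall VLAN interface
    vlan_id: int            # VLAN ID, mapped 1:1 to a VXLAN ID (Mapping Range Length 1)
    subnets: dict           # "v4"/"v6" -> (subnet, leaf gateway, firewall interface IP)
    default_next_hop: dict  # "v4"/"v6" -> (next-hop vpn-instance, next-hop address)

DUAL_ARM_PLAN = {
    "vrouter_segment_id": 11501,
    "arms": [
        Arm("third1", 2121,
            {"v4": ("11.31.1.0/24", "11.31.1.1", "11.31.1.2"),
             "v6": ("2001:11:31:1::/64", "2001:11:31:1::1", "2001:11:31:1::2")},
            {"v4": ("third2", "11.31.2.1"), "v6": ("third2", "2001:11:31:2::1")}),
        Arm("third2", 2122,
            {"v4": ("11.31.2.0/24", "11.31.2.1", "11.31.2.2"),
             "v6": ("2001:11:31:2::/64", "2001:11:31:2::1", "2001:11:31:2::2")},
            {"v4": ("third1", "11.31.1.1"), "v6": ("third1", "2001:11:31:1::1")}),
    ],
}

def validate_plan(plan, vxlan_range=VDS_VXLAN_RANGE):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    lo, hi = vxlan_range
    arms = {a.vpn_instance: a for a in plan["arms"]}
    # 1. vRouter segment ID and the 1:1 VLAN-VXLAN IDs must sit in the VDS range and be unique.
    ids = [plan["vrouter_segment_id"]] + [a.vlan_id for a in plan["arms"]]
    for sid in ids:
        if not lo <= sid <= hi:
            findings.append(f"segment ID {sid} outside VDS VXLAN range {lo}-{hi}")
    if len(set(ids)) != len(ids):
        findings.append("duplicate segment ID in plan")
    for arm in plan["arms"]:
        for fam, (net, gw, fw_ip) in arm.subnets.items():
            network = ipaddress.ip_network(net)
            # 2. Leaf gateway and firewall interface address must both belong to the subnet.
            for label, addr in (("gateway", gw), ("firewall interface", fw_ip)):
                if ipaddress.ip_address(addr) not in network:
                    findings.append(f"{arm.vpn_instance} {fam}: {label} {addr} not in {net}")
            # 3. The default route must leave through the other VPN instance via its leaf gateway.
            nh_vpn, nh_addr = arm.default_next_hop[fam]
            other = arms.get(nh_vpn)
            if other is None or other is arm:
                findings.append(f"{arm.vpn_instance} {fam}: next hop must be another vpn-instance")
            elif nh_addr != other.subnets[fam][1]:
                findings.append(f"{arm.vpn_instance} {fam}: next hop {nh_addr} is not the leaf gateway of {nh_vpn}")
    return findings
```

Running `validate_plan(DUAL_ARM_PLAN)` on the plan as written returns no findings; narrowing the VXLAN range or pointing a default route back into its own arm produces a finding per violated rule.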
Add a virtual network
1. Navigate to the Automation > Data Center Networks > Tenant [default] Network > Virtual
Network. Click Add. On the page that opens, configure the following parameters:
Name: thirdnet1.
Segment ID: 2121.
Configure the other parameters as needed. In this example, use the default settings.
Figure 26 Adding a virtual network
2. Click Add on the Subnets tab to add an IPv4 subnet. In the dialog box that opens, configure
the following parameters:
IP Version: IPv4.
DHCP: Off.
Name: thirdnet1v4.
Subnet Address: 11.31.1.0/24.
Gateway IP: 11.31.1.1.
Configure the other parameters as needed. In this example, use the default settings.
Figure 27 Adding an IPv4 subnet
3. Click Apply to complete the adding of the IPv4 subnet. Click Add on the Subnets tab to add
an IPv6 subnet. In the dialog box that opens, configure the following parameters:
IP Version: IPv6.
DHCP: Off.