Deployment Overview
Versa uCPE support allows customers to host VOS together with any third-party KVM-capable virtual appliance on the same platform and service-chain it with VOS capabilities. This gives customers deployment flexibility: either a “branch in a box” solution, or firewall services from their preferred vendor combined with VOS services for advanced SD-WAN.
As part of this evaluation we used the Checkpoint Quantum Edge version 80.20.30 image together with the DCA infrastructure and a VOS instance running 21.2.2. The hardware used for this testing was the CSG1500, with two devices simulating a hub and a branch.
Pre-requisites
- uCPE variants can be deployed on white-box or CSG platforms; the platforms used for this testing were the CSG770, CSG1300 and CSG1500
- VOS version of 21.2.2 (trusty)
- A custom vendor catalogue must be created for Checkpoint
- The Checkpoint uCPEs had to be managed by the Checkpoint Manager, so as part of the POC a paired TVI was built between the Control-VR and the LAN-VR to extend reachability (details are explained below)
Topology Reference
- Split tunnel traffic after inspecting from Checkpoint uCPE
- Inspect Site-Site traffic
- Manage Checkpoints using the checkpoint Manager
- Configure SDWAN policies for traffic steering
Pre-Requisite configuration VD
- Create a new Vendor Catalog for Checkpoint
- This is a two-step process:
- Creating a “vendor” specification
- Creating a “product” specification
- Click on + and create the Checkpoint VNF
- Click on the “+” sign and add a new vendor name
- Click on “manage products” and click on the “+” sign to create the specifications for the VNF
- Enter the name for the product and select the service function from the list of options; in our case it is “NextGen Firewall”
- Next, select the CPU, memory and disk to be allocated to the VNF and click “OK”; these values can be changed according to the deployment size and the recommendations from the Checkpoint team
- Select the uCPE image from your local drive using the “Choose File” option, upload the image to the Director and click “OK”
Configuration for uCPE
- Click Workflows > Service Chains, drag and drop Checkpoint from the list and attach it on the LAN side in L2 mode
- L3 is also supported but is not covered in this document
- Add the LAN-VR corresponding to the Tenant
- Create a template as per the topology (in this case a full mesh) and a device workflow by attaching the service chain
- You can also attach the service-chain template to the device group instead of to each device workflow, so that the service applies to all devices matching the service-chain requirement.
- Navigate to Configuration > Devices > Device Groups
- Edit the device group by clicking on it, in this case “device-group-CHECKPOINT-CUSTOMER-A”, and click on “Device Service Template Association”
- Click on “+”, select the category and the service-chain template created earlier from the drop-down, and click OK
- The service-chain configuration now applies to all CPEs in this device group; proceed to the next step
- Navigate to the device Bind Data and select the service template to fill in the variable information
Fill in the following variables:
The management IP pool denotes the IP address that will be assigned to the WAN interface of Checkpoint:
- uCPE-Local-MgmtIntf__ucpeLocMgmtIntAddress
- uCPE-MgmtIntf_Pool_Range_Begin_IP__apRangeBegin
- uCPE-MgmtIntf_Pool_Range_End_IP__apRangeEnd
The WAN and LAN IPs in L2 mode are allocated between VOS and Checkpoint and are used by the bypass-on-fail setting to decide when to fall back: VOS runs a monitor ping between these interface IPs, which traverses the VNF’s L2 data path:
- CHECKPOINT-VLAN-0-LAN-Side-Intf__ucpeLanIntAddress
- CHECKPOINT-VLAN-0-WAN-Side-Intf__ucpeWanIntAddress
- The management IP is assigned to the WAN interface of Checkpoint; the WAN interface connects to the CONTROL-VR, and this IP is used by the Director to SSH to and manage the VNF.
- The VD workflows configure the service-chain and service-filter configuration in VOS by default. These service-chain configurations can be modified for different use cases, i.e. traffic destined to the SD-WAN overlay or to local Internet breakout
- uCPE-related configuration such as interfaces and the required CPU, RAM and disk can be modified from the service-chain template hierarchy. Selection of other parameters such as the health monitor is explained in other KBs
- It is recommended to select exclusive CPU allocation; this ensures dedicated cores are mapped to the uCPE for optimal performance
- Configure a static route on the VD southbound side to ensure the VD can communicate with the management segment of the uCPE
Checkpoint end:
- Ensure that the interfaces connected to VOS are configured as Bridge
- The default route always points to the CONTROL-VR, where vni-0/300 (the management interface) is mapped
Behaviour
- VNI-0/300 to VNI-0/309 are allocated within VOS for uCPE
- VNI-0/300 to VNI-0/303 are used in the workflow-created service-chain configuration
- VNI-0/302 is configured as LAN (INGRESS point for LAN traffic)
- VNI-0/303 is configured as WAN (Egress from Checkpoint to LAN-VRF)
- Traffic ingresses from VNI-0/x (LAN-VRF), is processed by the services enabled in Checkpoint and is handed back to the LAN-VRF, where further processing is done based on the destination of the traffic, i.e. either LBO or B2B
- The default DIA configuration, which matches destination zone L-ST, drops traffic originated from the uCPE; to fix this, configure the match condition with source zone W-ST
- As the MGMT link of Checkpoint is mapped to the Control-VR of VOS, in a dedicated setup reachability to the Checkpoint Manager can be arranged from the southbound side of the controller, which is the simpler approach.
- If that approach is not viable in a shared head end, follow the steps in the integration section below.
Checkpoint Management & Integration options
- The uCPE can be managed from the monitor dashboard of the individual uCPE
Integration to Checkpoint manager:
- Use case 1: the MGMT link of Checkpoint is mapped to the Control-VR of VOS; in a dedicated setup, reachability to the Checkpoint Manager can be arranged from the southbound side of the controller, which is the simpler approach.
- Use case 2: the Checkpoint Manager is on the customer premises and the controller is hosted by Versa; managing the Checkpoint uCPE then requires the changes below.
Summary of changes needed for use case 2
- Configure a paired TVI with non-routable IPs and add the interfaces to the limits
- Add the paired TVI interfaces to zones
- Add one end of the paired TVI to the LAN-VR and the other end to the Control-VR
- Configure a static route in the Control-VR with the LAN-VR end of the paired TVI as next hop
- Configure a static default route in the Control-VR if Internet reachability is needed by the uCPE for security updates
Control-VR static routes (192.168.0.0/16 is the Checkpoint Manager IP segment):
- set routing-instances CHECPOINT-MTECH-POC-Control-VR routing-options static route 0.0.0.0/0 100.100.100.2 tvi-0/1002.0 preference 1
- set routing-instances CHECPOINT-MTECH-POC-Control-VR routing-options static route 192.168.0.0/16 100.100.100.2 tvi-0/1002.0 preference 1
LAN-VRF static routes (192.168.209.x is the management IP of Checkpoint):
- set routing-instances CHECPOINT-MTECH-POC-LAN-VR routing-options static route 192.168.209.0/24 100.100.100.1 tvi-0/1003.0 preference 1
Security restrictions on VOS to protect against Control-VR route leaking
- Enable the stateful firewall in VOS
- Allow traffic from the uCPE over 80, 443 or any other restricted ports needed by the uCPE
- Restrict inbound access from the LAN-VRF so that only the Checkpoint Manager IP can reach the management IP of the Checkpoint uCPE on the required ports, and deny all other traffic destined to the management IP pool of the uCPE
- Other control-plane protection policies can be applied as needed
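To check that the restrictions above behave as intended before they are pushed, here is an added Python model of the policy (example code, not Versa configuration or the POC’s own). The management pool is taken from the static routes above; the manager host (within 192.168.0.0/16), the uCPE management IP and the management ports (22 for Director SSH, 443) are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Networks from this document's static routes; the hosts and ports are assumed.
UCPE_MGMT_POOL = ipaddress.ip_network("192.168.209.0/24")  # uCPE management pool
MANAGER_HOST = ipaddress.ip_network("192.168.1.10/32")     # assumed manager IP (in 192.168.0.0/16)
UCPE_MGMT_HOST = ipaddress.ip_network("192.168.209.5/32")  # assumed uCPE management IP
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: frozenset   # empty means any destination port
    action: str         # "allow" or "deny"

    def matches(self, src, dst, dport):
        return (src in self.src and dst in self.dst
                and (not self.dports or dport in self.dports))

# First-match policy at the Control-VR / LAN-VR paired-TVI boundary; the stateful
# firewall admits return traffic, so only the initiating direction is modelled.
POLICY = [
    # uCPE may reach the Internet for security updates over 80/443 only.
    Rule("ucpe-updates-out", UCPE_MGMT_POOL, ANY, frozenset({80, 443}), "allow"),
    # Only the manager host may reach the uCPE management IP (22 for SSH, 443 assumed).
    Rule("manager-to-ucpe", MANAGER_HOST, UCPE_MGMT_HOST, frozenset({22, 443}), "allow"),
    # Everything else aimed at the management pool is dropped.
    Rule("deny-to-mgmt-pool", ANY, UCPE_MGMT_POOL, frozenset(), "deny"),
]

def evaluate(src, dst, dport):
    """Return (action, rule_name) for the first matching rule; default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in POLICY:
        if rule.matches(s, d, dport):
            return rule.action, rule.name
    return "deny", "default-deny"

def policy_violations():
    """Pre-deployment expectations (constructed); returns the ones that fail."""
    expected = [
        ("192.168.1.10", "192.168.209.5", 22, "allow"),   # manager -> uCPE SSH
        ("192.168.50.20", "192.168.209.5", 22, "deny"),   # other LAN host -> uCPE
        ("192.168.209.5", "203.0.113.10", 443, "allow"),  # uCPE -> update server
        ("192.168.209.5", "203.0.113.10", 25, "deny"),    # uCPE -> non-update port
    ]
    return [c for c in expected if evaluate(*c[:3])[0] != c[3]]
```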
Bugs identified
[Bug 80578] VOS does not create all the uCPE interfaces on the CSG1500 when physical NICs are present up to vni-0/15
- This bug prevents the uCPE VM from starting and moves the VM into the “paused” state, because VOS is unable to allocate the required interfaces
- Another issue observed is that tcpdump fails on VNI interfaces, whether physical or logical
Workaround
Exclude a few interfaces, such as WiFi and interfaces 0/8 to 0/16, in vsboot.conf
Debugging & management
admin@CHECKPOIN-UCPE-1-cli> show guest-vnfs virtual-machines info
NAME         STATE     UPTIME
------------------------------
CHECKPOINT   running   21:47:13
Virtual Machine CHECKPOINT
State running
Uptime 21:47:13
Creation Timestamp 2022-04-27 04:48:53.948236
Management IP 0.0.0.0
Management MAC 52:54:00:00:01:01
Number of CPUs 4
Memory 8144
VNC Port 5901
Management Interface vni-0/300.0
Auxiliary Interface vni-0/301.0
Left Interface vni-0/302.0
Right Interface vni-0/303.0
Primary-volume
Disk Path /var/lib/libvirt/images/98be5922-bef3-11ec-b938-ac4330f87c35
Disk format qcow2
Secondary Volume
Disk Path n/a
Disk format n/a
admin@CHECKPOIN-UCPE-1-cli> show guest-vnfs virtual-machines statistics
guest-vnfs virtual-machines statistics CHECKPOINT
cpu-load 0.09
memory-load 8.53
disk-load 0.0
management-interface vni-0/300.0
auxiliary-interface vni-0/301.0
left-interface vni-0/302.0
right-interface vni-0/303.0
NAME         RX PACKETS   RX BYTES     RX ERRORS   TX PACKETS   TX BYTES     TX ERRORS
--------------------------------------------------------------------------------------
vni-0/300.0  272689       39197507     0           104645       21051151     0
vni-0/301.0  0            0            0           1            78           0
vni-0/302.0  1233514      309661655    0           425687       131748253    0
vni-0/303.0  224578       113604864    0           1176996      279147817    0
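To spot the paused-VM condition from Bug 80578 and a broken L2 monitor path without reading the tables by hand, here is an added Python check (example code, not a Versa tool) that parses the two outputs shown above; the sample text is constructed from them and the health rules are assumptions.

```python
import re

# Constructed sample, condensed from the info and statistics output above.
SAMPLE_INFO = """\
Virtual Machine CHECKPOINT
State running
Management Interface vni-0/300.0
Left Interface vni-0/302.0
Right Interface vni-0/303.0
"""
SAMPLE_STATS = """\
vni-0/300.0 272689 39197507 0 104645 21051151 0
vni-0/302.0 1233514 309661655 0 425687 131748253 0
vni-0/303.0 224578 113604864 0 1176996 279147817 0
"""
FIELDS = ("rx_packets", "rx_bytes", "rx_errors", "tx_packets", "tx_bytes", "tx_errors")
INFO_KEYS = ("State", "Management Interface", "Left Interface", "Right Interface")

def parse_info(text):
    """Map the interesting 'Key value' lines of the info output to a dict."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^(%s)\s+(\S+)$" % "|".join(INFO_KEYS), line.strip())
        if m:
            info[m.group(1)] = m.group(2)
    return info

def parse_stats(text):
    """Map each vni-0/x.0 row of the statistics table to its six counters."""
    stats = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 7 and parts[0].startswith("vni-"):
            stats[parts[0]] = dict(zip(FIELDS, map(int, parts[1:])))
    return stats

def health_findings(info, stats):
    """Return a list of problems; an empty list means the VNF looks healthy."""
    findings = []
    if info.get("State") != "running":          # e.g. "paused" from Bug 80578
        findings.append("state is %r, expected 'running'" % info.get("State"))
    # The bypass-on-fail monitor ping crosses the Checkpoint L2 path between the
    # left (LAN) and right (WAN) interfaces, so both must exist and be error free.
    for role in ("Management Interface", "Left Interface", "Right Interface"):
        vni = info.get(role)
        if vni not in stats:
            findings.append("%s %s missing from statistics" % (role, vni))
        elif stats[vni]["rx_errors"] or stats[vni]["tx_errors"]:
            findings.append("%s %s reports errors" % (role, vni))
    return findings
```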
CLI reboot or shutdown of guest-VNF
admin@CHECKPOIN-UCPE-1-cli> request guest-vnfs virtual-machines CHECKPOINT
Possible completions:
increase-disk - Increase disk size
reboot - Reboot virtual machine
reset - Forcefully reset virtual machine
show-user-data - Display contents of user-data
shutdown - Shutdown virtual machine
start - Start virtual machine
Shell commands:
- Check VNF status
admin@CHECKPOIN-UCPE-1-cli> exit
[admin@CHECKPOIN-UCPE-1: ~] $ sudo virsh list
[sudo] password for admin:
 Id    Name                           State
----------------------------------------------------
 1     CHECKPOINT                     running
- Take console to uCPE from VOS shell
[admin@CHECKPOIN-UCPE-1: ~] $ sudo virsh console 1
Connected to domain CHECKPOINT
Escape character is ^]
Gateway-ID-00000101 login: