p001 example 0 - nihole/PSEFABRIC GitHub Wiki

video guide

Brief description

This example shows how to create

  • structure
  • addresses
  • address-sets
  • services
  • service-sets
  • policies (access between networks)

Prerequisites

Zero configuration

Ensure that you are in the p001 project (see Projects).

This example assumes that you start from a zero configuration, so begin by cleaning up any previous configuration:

cd $PSEFABRIC
sh psef_clean.sh

Run the CONFD

cd $CONFD_DIR/myprojects/psefabric
sudo make all start

Don't close this window.

  • create one more terminal session

  • in the new window execute the command

cd $CONFD_DIR/myprojects/psefabric
sudo make cli

All configuration of PSEFABRIC will be performed in this window.

  • Create one more terminal session

At this point, we have 3 terminal sessions.

Now we may begin our configuration. (See also $PROJECT/DOCS/EXAMPLES/EXAMPLE_0.)

Create structure

A structure is a predetermined list of variables that an administrator can assign to configuration items (addresses in our examples). The Demultiplexer Layer then uses these variables to determine which particular piece of network equipment has to be configured for each item.

In our examples, we use the following list of variables:

  • data-centers
  • VRFs
  • zones
  • equipment
  • interfaces
  • vlans

The idea is to use these variables in the demultiplexing decision process.

So we have to set the possible values for these parameters. For our scheme they are:

  • data-centers: [ none DC1 DC2 DC3 ]
  • equipment: [ none dc1_sw1 dc1_fw1 dc3_r1 dc3_sw1 dc2_fw1 dc2_sw1 ]
  • VRFs: [ none DMZ TRUST VRF1 VRF2 VRF3 ]
  • zones: [ none ]
  • interfaces: [ none e0/0 e0/1 e0/2 e0/3]
  • vlans: [(name:Vlan111, number:111) (name:Vlan112, number:112) (name:Vlan121, number:121) ...]

So let's create the structure.

conf t
structure data-centers [ none DC1 DC2 DC3 ]
structure equipment [ none dc1_sw1 dc1_fw1 dc3_r1 dc3_sw1 dc2_fw1 dc2_sw1 ]
structure VRFs [ none DMZ TRUST VRF1 VRF2 VRF3 ]
structure zones [ none ]
structure interfaces [ none e0/0 e0/1 e0/2 e0/3 ]
structure vlans none vlan-number 0
structure vlans Vlan111 vlan-number 111
structure vlans Vlan112 vlan-number 112
structure vlans Vlan121 vlan-number 121
structure vlans Vlan122 vlan-number 122
structure vlans Vlan131 vlan-number 131
structure vlans Vlan132 vlan-number 132
structure vlans Vlan211 vlan-number 211
structure vlans Vlan212 vlan-number 212
structure vlans Vlan221 vlan-number 221
structure vlans Vlan222 vlan-number 222
structure vlans Vlan311 vlan-number 311
structure vlans Vlan312 vlan-number 312

(The commands may be copied and pasted.)

Create addresses

There are 3 mandatory attributes for addresses:

  • name
  • ipv4-address
  • structure

addresses dc1-vlan111 ipv4-prefix 10.101.1.0/24 structure dc DC1 zone none device dc1_sw1 interface e0/0 vlan 111 vrf VRF1
addresses dc1-vlan112 ipv4-prefix 10.101.2.0/24 structure dc DC1 zone none device dc1_sw1 interface e0/0 vlan 112 vrf VRF1
addresses dc1-vlan121 ipv4-prefix 10.102.1.0/24 structure dc DC1 zone none device dc1_sw1 interface e0/0 vlan 121 vrf VRF2
addresses dc2-vlan211 ipv4-prefix 10.201.1.0/24 structure dc DC2 zone none device dc2_sw1 interface e0/1 vlan 211 vrf DMZ

Create address-sets

In our implementation, policies always refer to address-sets: access can be opened only between address-sets, never between individual addresses. So even if you want to open access between single networks, you have to create address-sets for them. Here we create dc1-vlan111-set, dc1-vlan112-set and dc2-vlan211-set (plus a combined dc1-vrf1-set).

address-sets dc1-vlan111-set addresses dc1-vlan111
address-sets dc1-vlan112-set addresses dc1-vlan112
address-sets dc1-vlan121-set addresses dc1-vlan121
address-sets dc2-vlan211-set addresses dc2-vlan211
address-sets dc1-vrf1-set addresses [ dc1-vlan111 dc1-vlan112 ]

Create services

services http-app prot 6 ports destination-port-range lower-port 80 upper-port 80
services https-app prot 6 ports destination-port-range lower-port 443 upper-port 443
services icmp-app prot 1

As with address-sets, policies refer to service-sets rather than to individual services, so we have to create service-sets as well.

service-sets web-app-set services [ http-app https-app ]
service-sets icmp-app-set services [ icmp-app ]

Create applications

applications none
application-set none applications none

Create policies

policies test match source-address-sets [ dc1-vlan111-set dc1-vlan112-set ] destination-address-sets dc2-vlan211-set service-sets [ icmp-app-set web-app-set ] application-sets [ none ]
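The policy above references address-sets whose addresses carry structure attributes, and those attributes are what the Demultiplexer Layer uses to pick the equipment to configure. The following is an added illustration of that decision, not PSEFABRIC's own code: it parses the address commands from this page, checks that every structure attribute uses a declared value, and works out which devices the policy touches. STRUCTURE, ADDRESS_SETS and the function names are assumptions of this example.

```python
# Added illustration, not PSEFABRIC's own code. Sample data below is copied
# from the CLI commands on this page; the dictionaries are assumptions.
STRUCTURE = {
    "dc": ["none", "DC1", "DC2", "DC3"],
    "device": ["none", "dc1_sw1", "dc1_fw1", "dc3_r1", "dc3_sw1", "dc2_fw1", "dc2_sw1"],
    "vrf": ["none", "DMZ", "TRUST", "VRF1", "VRF2", "VRF3"],
    "zone": ["none"],
    "interface": ["none", "e0/0", "e0/1", "e0/2", "e0/3"],
    "vlan": ["0", "111", "112", "121", "122", "131", "132",
             "211", "212", "221", "222", "311", "312"],
}

ADDRESS_CMDS = """\
addresses dc1-vlan111 ipv4-prefix 10.101.1.0/24 structure dc DC1 zone none device dc1_sw1 interface e0/0 vlan 111 vrf VRF1
addresses dc1-vlan112 ipv4-prefix 10.101.2.0/24 structure dc DC1 zone none device dc1_sw1 interface e0/0 vlan 112 vrf VRF1
addresses dc1-vlan121 ipv4-prefix 10.102.1.0/24 structure dc DC1 zone none device dc1_sw1 interface e0/0 vlan 121 vrf VRF2
addresses dc2-vlan211 ipv4-prefix 10.201.1.0/24 structure dc DC2 zone none device dc2_sw1 interface e0/1 vlan 211 vrf DMZ
"""

ADDRESS_SETS = {
    "dc1-vlan111-set": ["dc1-vlan111"],
    "dc1-vlan112-set": ["dc1-vlan112"],
    "dc1-vlan121-set": ["dc1-vlan121"],
    "dc2-vlan211-set": ["dc2-vlan211"],
    "dc1-vrf1-set": ["dc1-vlan111", "dc1-vlan112"],
}

def parse_addresses(text):
    """Parse 'addresses NAME ipv4-prefix PREFIX structure KEY VALUE ...' lines."""
    out = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "addresses":
            continue
        name, prefix = tokens[1], tokens[3]
        attrs = tokens[5:]  # key/value pairs after the 'structure' keyword
        out[name] = {"prefix": prefix, **dict(zip(attrs[::2], attrs[1::2]))}
    return out

def validate(addresses):
    """Every structure attribute must use a value declared in STRUCTURE."""
    errors = []
    for name, a in addresses.items():
        for key, allowed in STRUCTURE.items():
            if a.get(key) not in allowed:
                errors.append(f"{name}: {key}={a.get(key)!r} not declared in structure")
    return errors

def devices_for_policy(addresses, src_sets, dst_sets):
    """Demultiplexing step: the equipment a policy must be pushed to."""
    devs = {addresses[addr]["device"]
            for s in src_sets + dst_sets for addr in ADDRESS_SETS[s]}
    return sorted(devs)
```

For the policy "test" this yields dc1_sw1 and dc2_sw1, which is why only those device configs change in the next step.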

Commit

commit

Equipment configs

cd $PSEFABRIC/PSEFABRIC/PSEF_CONF/EQ_CONF

more dc1_fw1.xml
more dc1_sw1.txt
more dc2_fw1.txt
more dc2_sw1.txt
more dc3_r1.txt
more dc3_sw1.txt

Upload configs to the equipment

cd $PSEFABRIC/PSEFABRIC/PSEF_SCRIPTS/EQ_SCRIPTS
sudo perl load_all.pl

Check the access

dc1-sw1#ping vrf VRF1 10.202.1.1 source vlan 111
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.202.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.101.1.1 
!!!!!

dc1-sw1#ping vrf VRF1 10.202.1.1 source vlan 112
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.202.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.101.2.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/14/59 ms

Rollback configuration

rollback configuration 0
commit
cd $PSEFABRIC/PSEFABRIC/PSEF_SCRIPTS/EQ_SCRIPTS
sudo perl load_all.pl

Check that now we have zero configuration on equipment.