Scenario: Deploying an SD-WAN instance for a tenant
The SD-WAN instance deployment scenario for a tenant involves the following steps:
- Creating a tenant
Create the tenant for which you want to deploy an SD-WAN instance.
- Creating an SD-WAN instance template
Create and configure an SD-WAN instance template. For details about managing SD-WAN instance templates, see the Managing SD-WAN instance templates section. You can use the created SD-WAN instance template to deploy other SD-WAN instances.
- Adding a tenant to an SD-WAN instance template
Add the tenant to the SD-WAN instance template to have the SD-WAN instance template settings applied to the SD-WAN instance when you deploy the SD-WAN instance for that tenant.
- Preparing virtual machines or physical servers for controller deployment
While deploying Kaspersky SD-WAN, you prepared virtual machines or physical servers for deployment of all solution components, including the controller.
If you have not prepared virtual machines or physical servers for the controller, you can specify them in the nodes section of the configuration file, and then run the solution deployment command again. When you run the solution deployment command again, the missing virtual machines or physical servers are prepared. Solution components that are already deployed are not affected.
- Preparing the PNF package of the controller
Prepare the controller PNF package of the SD-WAN instance on your local device:
- Extract the installation archive and go to one of the following directories:
- If you want to deploy a single controller node, go to the /pnfs/pnf_sdwan_ctl directory.
- If you want to deploy three controller nodes, go to the /pnfs/pnf_sdwan_ctl_3 directory.
- If you want to deploy five controller nodes, go to the /pnfs/pnf_sdwan_ctl_5 directory.
- If you want to change the PNF descriptor of the controller, go to the /src directory of the extracted installation archive and edit the pnfd.xml file.
- Create the PNF package by running the following command:
make
The PNF package is placed in the /build directory of the extracted installation archive.
- Uploading the PNF package of the controller to the orchestrator web interface
Upload the PNF package of the SD-WAN instance controller to the orchestrator web interface.
- Configuring the controller PNF
Configure the controller PNF of the SD-WAN instance:
- In the menu, go to the Catalog section and in the Catalog pane, click the controller PNF.
- In the displayed settings area, select the DC placement tab and in the Data center field, specify the added data center in which you want to deploy the controller.
- Select the Management IP tab and specify the IP addresses of the controller nodes. Specify standard or virtual IP addresses of virtual machines or physical servers for controller deployment that you specified in the nodes section of the configuration file when you deployed the solution.
- Assigning the controller PNF to the tenant
Assign the controller PNF of the SD-WAN instance to the tenant.
- Logging in to the tenant self-service portal
- Creating an SD-WAN network service
Create an SD-WAN network service. When creating the SD-WAN network service, you need to add the controller PNF of the SD-WAN instance to the topology, and then do the following:
- In the topology, click the PNF of the controller.
- In the displayed settings area, select the CA_certificates tab and in the CA certificate field, enter the root certificate in PEM format that the orchestrator certificate is signed with. Standalone root certificates as well as certificate chains consisting of a root certificate and multiple intermediate certificates are supported. If you specify a chain of certificates, you must start each certificate on a new line.
- Select the Orchestrator tab, and in the Orchestrator's API IP field, enter the IP address of one of the orchestrator nodes. You need to specify one of the standard or virtual IP addresses of the virtual machines or physical servers for orchestrator deployment that you specified in the nodes section of the configuration file.
- Select the CTL1–5 tabs and enter the controller node information:
- In the IP for ORC connection field, enter the IP address of the controller node for connecting the orchestrator. You need to specify one of the standard or virtual IP addresses of the virtual machines or physical servers for controller deployment that you specified in the nodes section of the configuration file.
- In the IP for CPE connections field, enter the IP address of the controller node for connecting CPE devices.
- In the PORT for CPE connections field, enter the TCP port of the controller node for connecting CPE devices.
- Deploying the SD-WAN network service
The SD-WAN instance is deployed for the tenant, and the SD-WAN instance controller is displayed on the administrator portal and the tenant self-service portal in the Infrastructure section.
If at step 10 of this scenario, you specified a wrong root certificate:
- Connect to the virtual machine or physical server on which the controller node is deployed. Together with each controller node, the MOCKPNF component is automatically deployed on the virtual machine or physical server to ensure the security of the Docker container configuration of the controller node.
- Log in to the user account that has access to the Docker group, then log in to the Docker container of the MOCKPNF component by running the following command:
docker exec -it mockpnf-<controller node number> /bin/ash
- Run the cleanup.sh script. You can download the script from the /pnfs/pnf_sdwan_ctl<number of controller nodes>/scr/scripts directory of the installation archive.
You must complete steps 2 and 3 for each controller node.
- Repeat step 10 of this scenario with the correct root certificate.
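Because a wrong value in the CA certificate field means running the cleanup on every controller node, the text can be checked before it is pasted at step 10. The following is an added example, not code from the product or its documentation: the function name lint_ca_bundle and the sample blocks are hypothetical, and it checks only the format (each certificate starts on a new line, the bodies decode, no private key is included), not whether the orchestrator certificate is actually signed by the chain.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def lint_ca_bundle(text):
    """Return (normalised_pem, problems) for text meant for the CA certificate field."""
    problems = []
    if re.search(r"-----BEGIN [A-Z ]*PRIVATE KEY-----", text):
        problems.append("private key found; the field takes certificates only")
    # A BEGIN marker that does not follow a newline usually means two PEM files
    # were concatenated and the first one had no trailing newline.
    for m in re.finditer(re.escape(BEGIN), text):
        if m.start() > 0 and text[m.start() - 1] != "\n":
            problems.append("certificate at offset %d does not start on a new line" % m.start())
    bodies = re.findall(re.escape(BEGIN) + r"(.*?)" + re.escape(END), text, re.S)
    if not bodies:
        problems.append("no certificate block found")
    certs = []
    for i, body in enumerate(bodies, 1):
        b64 = "".join(body.split())
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:
            problems.append("certificate %d: body is not valid base64" % i)
            continue
        if not der.startswith(b"\x30"):  # X.509 DER always opens with a SEQUENCE tag
            problems.append("certificate %d: body is not a DER SEQUENCE" % i)
            continue
        lines = [b64[j:j + 64] for j in range(0, len(b64), 64)]
        certs.append("\n".join([BEGIN, *lines, END]) + "\n")
    return "".join(certs), problems


def _placeholder_pem(n):
    # Constructed sample: a minimal DER SEQUENCE { INTEGER n }, not a real certificate.
    der = bytes([0x30, 0x03, 0x02, 0x01, n])
    return BEGIN + "\n" + base64.b64encode(der).decode() + "\n" + END


# Constructed input: two placeholder blocks joined with no newline in between.
SAMPLE_FUSED = _placeholder_pem(1) + _placeholder_pem(2)

if __name__ == "__main__":
    fixed, problems = lint_ca_bundle(SAMPLE_FUSED)
    print("\n".join(problems) or "bundle is well formed")
    print(fixed, end="")
```

The first return value is the same chain rewritten with every certificate on its own lines; paste that text only when the problem list contains nothing other than new-line findings.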