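## NETWORKING CONFIG ##
# Per-network inputs consumed by the vSphere blueprint: each network has a name, a subnet in CIDR form,
# an address range handed to BIG-IP VEs, and a flag saying whether the vSphere switch is distributed.
mgmt_net: norbert_MGMT # The name of the pre-existing management network, connecting the BIG-IQ licensing utility, VNFM, and related blueprints that orchestrate BIG-IP VE service layers.
mgmt_subnet_cidr: 10.0.0.0/24 # The subnet and netmask for the management network; for example, 10.146.130.0/23.
mgmt_default_gw: 10.0.0.254 # Default gateway used for management network.
mgmt_dns: 8.8.8.8 # DNS server address used for management network.
# NOTE(review): the examples below use dash notation (a-b) while the values are CIDR blocks — confirm the consumer accepts both forms.
mgmt_ip_range: 10.0.0.128/26 # The range of host IP addresses you will use to assign to BIG-IP VEs; for example, 10.50.50.2-10.50.50.100, enabling you to assign 98 addresses. You can also create multiple, smaller IP address groups with that larger range; for example, 10.50.50.2-10.50.50.20, 10.50.50.21-10.50.50.30, and so forth.
mgmt_net_sw_dist: true # The vSphere switch distributed flag for the management network. Set to true if your system uses a distributed switch on this network or false if not.
ctrl_net: changeme_CTRL # Name of the control network, where F5 NFV solutions connect to processes such as, your policy and control rules function engine, subscriber service-charging functions, signaling, and other similar processes.
ctrl_subnet_cidr: 10.1.0.0/24 # The subnet and netmask for the control network.
ctrl_ip_range: 10.1.0.128/26 # The IP range defined for the control network; for example, 10.30.0.2-10.30.0.100.
ctrl_net_sw_dist: true # vSphere switch distributed flag for Control network. Set to true if your system uses a distributed switch on this network or false if not.
ha_net: changeme_HA # The name of the high availability network (for config. sync and network failover purposes).
ha_subnet_cidr: 10.2.0.0/24 # The subnet and netmask for the HA network; for example, 10.2.149.0/24.
ha_ip_range: 10.2.0.128/26 # The IP range defined for the high availability network; for example, 10.40.0.2-10.40.0.100.
ha_net_sw_dist: true # The vSphere switch distributed flag for HA network. Set to true if your system uses a distributed switch on this network or false if not.
pdn_net: norbert_PDN # The name of the pre-existing PDN network.
pdn_subnet_cidr: 10.3.0.0/24 # The subnet and netmask for the provider network; for example, 10.3.149.0/24.
pdn_ip_range: 10.3.0.128/26 # The range of host IP addresses you will use to assign to BIG-IP VEs; for example, 10.0.0.2-10.0.0.100, enabling you to assign 98 addresses. You can also create multiple, smaller IP address groups with that larger range; for example, 10.0.0.2-10.0.0.20, 10.0.0.21-10.0.0.30, and so forth.
pdn_net_sw_dist: true # The vSphere switch distributed flag for PDN network. Set to true if your system uses a distributed switch on this network or false if not.
pgw_net: changeme_PGW # The name of the pre-existing PGW network.
pgw_subnet_cidr: 10.4.0.0/24 # The subnet and netmask for the provider network for the DAG group; for example, 10.4.149.0/24.
pgw_ip_range: 10.4.0.128/26 # The range of host IP addresses you will use to assign to BIG-IP VEs; for example, 10.10.0.2-10.10.0.100, enabling you to assign 98 addresses. You can also create multiple, smaller IP address groups with that larger range; for example, 10.10.0.2-10.10.0.20, 10.10.0.21-10.10.0.30, and so forth.
pgw_net_sw_dist: true # The vSphere switch distributed flag for PGW network. Set to true if your system uses a distributed switch on this network or false if not.
pdn_dag_net: changeme_PDN_DAG # The name of the pre-existing PDN-DAG (VNF egress) network.
pdn_dag_subnet_cidr: 10.5.0.0/24 # The subnet and netmask for the provider network; for example, 10.5.149.0/24.
pdn_dag_ip_range: 10.5.0.128/26 # The range of host IP addresses you will use to assign to BIG-IP VEs; for example, 10.15.0.2-10.15.0.100, enabling you to assign 98 addresses. You can also create multiple, smaller IP address groups with that larger range; for example, 10.15.0.2-10.15.0.20, 10.15.0.21-10.15.0.30, and so forth.
pdn_dag_net_sw_dist: true # The vSphere switch distributed flag for PDN DAG network. Set to true if your system uses a distributed switch on this network or false if not.
pgw_dag_net: norbert_PGW_DAG # The name of the pre-existing PGW DAG network.
pgw_dag_subnet_cidr: 10.6.0.0/24 # The subnet and netmask for the package gateway network for the DAG group; for example, 10.6.149.0/24.
pgw_dag_ip_range: 10.6.0.128/26 # The range of host IP addresses you will use to assign to BIG-IP VEs; for example, 10.20.0.2-10.20.0.100, enabling you to assign 98 addresses. You can also create multiple, smaller IP address groups with that larger range; for example, 10.20.0.2-10.20.0.20, 10.20.0.21-10.20.0.30, and so forth.
pgw_dag_net_sw_dist: true # The vSphere switch distributed flag for PGW DAG network. Set to true if your system uses a distributed switch on this network or false if not.
# BGP peering inputs. ASNs are kept as quoted strings so no YAML parser retypes them.
bgp_dag_pgw_peer_ip: 10.4.0.1 # If your environment uses Border Gateway Protocol (BGP) on the client-side, then enter the neighbor address of the PGW to which the DAG BIG-IPs will advertise their default routes.
bgp_vnf_pgw_peer_ip: 10.6.0.1 # If using BGP on the client-side, then enter the neighbor address of the PGW, enabling the VNF to send traffic directly back to the client without passing it back through the DAG.
bgp_pgw_peer_as: '65001' # If using BGP on the client-side, then enter the autonomous system number (ASN) for the BGP neighbor.
bgp_dag_egw_peer_ip: 10.3.0.1 # If using BGP on the external-side, then enter the BGP neighbor address.
bgp_egw_peer_as: '65002' # If using BGP on the external-side, then enter the BGP ASN.
default_gateway: 10.5.0.1 # PDN_DAG default gateway.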
## ACCESS CONFIG ##
# The internal IP address of the VNF Manager instance.
manager_mgmt_host: '10.0.0.106'
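## DEVICE CONFIG ##
# Each sw_ref_* mapping carries a `data` dictionary with the image/template name (`template`),
# the flavor/configuration name (`configuration`) and a revision number.
sw_ref_nagios: # The dictionary that defines the image/template name, flavor/configuration name, availability zone (OpenStack only), and revision number to use for the CentOS monitoring nodes.
  data:
    template: Centos7-GenericCloud # The image/template name
    configuration: quadcpu # The flavor/configuration name
    revision: 0
sw_ref_dag: # The dictionary that defines the image/template name, flavor/configuration name, availability zone (OpenStack only), and revision number to use for the BIG-IP VE disaggregation instances.
  data:
    template: BIGIP-13.1.0.5-0.0.5 # The image/template name
    configuration: quadcpu # The flavor/configuration name
    revision: 0
sw_ref_vnf: # The dictionary that defines the image/template name, flavor/configuration name, availability zone (OpenStack only), and revision number to use for the BIG-IP VE virtual network functions instances.
  data:
    template: BIGIP-13.1.0.5-0.0.5 # The image/template name
    configuration: quadcpu # The flavor/configuration name
    revision: 0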
## BIGIP LICENSING ##
# The IP address of the BIG-IQ VE instance that will assign licenses to the BIG-IP VE instances.
big_iq_host: '10.0.0.105'
# Name of the BIG-IQ key or pool that will be used to assign licenses to the BIG-IP VE instances.
big_iq_lic_pool: 'BIGIP_1'
## VNF Resource Information Collector ##
# The purchasing model for licensing (options include: subscription or perpetual).
ric_purchasing_model: 'subscription'
# The VNFM license key provided in your email from F5 (used for support purposes only).
ric_vnfm_serial: '12345'
# Controls how the DAG receives return traffic from the internet. Enable this input, if you are
# using an F5 device to NAT outbound connections; otherwise, disable.
auto_last_hop: 'disabled'
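## GiLAN SETTINGS (MAY IMPACT VNFM PERFORMANCE)##
# Numeric limits are kept as quoted strings, matching the rest of this file.
max_scale_dag_group: '10' # The maximum number of layers to which the DAG group will scale.
max_scale_vnf_group: '10' # The maximum number of layers to which the VNF group will scale.
max_heal_vnfd_dag_ve: '10' # Maximum number of times a DAG VE will heal before it stops trying and shows an error.
max_heal_vnf_layer: '10' # Maximum number of times a layer will heal before it stops trying and returns an error.
max_heal_vnf_slave_ve: '10' # Maximum number of times a slave VE will heal before it stops trying and returns an error.
vnf_layer_cpu_threshold: '85' # Percentage of average aggregate layer CPU usage above which the VNF layer is treated as over threshold — presumably mirrors dag_group_cpu_threshold; confirm against the VNFM documentation.
vnf_layer_cpu_threshold_check_interval: '1' # Interval between checks, in minutes.
vnf_group_throughput: '20' # The desired aggregate throughput (Gigabits In Out) for every layer in the group. Example values: 5 for 5 gig, 10 for 10 gig, 0.5 for 500mb.
vnf_group_throughput_threshold: '75' # New layer is added to group when the percentage of average aggregate layer throughput exceeds this value (for example, 75).
vnf_group_throughput_check_interval: '1' # Interval between checks, in minutes.
dag_group_cpu_threshold: '89' # New instance is added to group when the percentage of average aggregate Global TMM CPU usage of all DAG group instances exceeds this value (for example, 75).
dag_group_cpu_threshold_check_interval: '1' # Interval between checks, in minutes.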
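## Common inputs ##
bigip_ssh_key: mykey # Name of the VIM SSH key that you will import into the BIG-IP VE instances.
# NOTE(review): the literal value 'string' is a placeholder, not a server; it would be passed through
# as the NTP host name. Replace it with a real address/host name, or remove the key so the documented default applies.
ntp_server: 'string' # The IP address or DNS name of the NTP server. If not specified, the default 132.163.96.1 value is used (for example, pool.ntp.org)
timezone: America/Los_Angeles # Enter the local timezone using the TZ database name for the location of your application server; for example, Pacific/Pago_Pago. Default value is UTC.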
## CGNAT Inputs ##
# Change to your IP address range for each LSN pool list (for example, '192.168.1.100-192.168.1.150'
# and '192.168.1.155-192.168.1.160').
cgnat_ip_ranges:
  - '10.9.200.32-10.9.200.64'
  - '10.9.201.32-10.9.201.64'
# Change to your reference/pointer to your NAT source translation pool that you want VNFM to manage
# and that you defined in your AS3 declaration (policyNAT). For example,
# "/Sample_22/A1/natSourceTranslation/addresses"
cgnat_resource_id: '/f5vnf/gilan_http/natSourceTranslation/addresses'
# Enter the number of IP addresses initially assigned to each VNF VE. Default value is 5.
starting_ip_number: '5'
# Enter the number of IP addresses to add during the Increment IPs workflow. Default value is 2.
increment_ip_number: '2'
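# AS3 declaration pushed to the VNF BIG-IP VEs. Everything firewall-related lives in the /f5vnf/Shared
# application and is referenced by the three service applications below.
vnf_as3_nsd_payload:
  class: AS3
  action: deploy
  persist: true
  declaration:
    class: ADC
    schemaVersion: 3.0.0
    id: cfy_vnf_01
    label: vnf
    remark: VNF
    f5vnf:
      class: Tenant
      Shared:
        class: Application
        template: shared
        # Source addresses that tcpAllow and udpAllow accept. Note 172.20.0.0/16 is narrower than the
        # full RFC 1918 172.16.0.0/12 block — confirm that is intended.
        fwAllowedAddressList:
          addresses:
            - 10.0.0.0/8
            - 172.20.0.0/16
            - 192.168.0.0/16
          class: Firewall_Address_List
        # Destination ports permitted by tcpAllow only; udpAllow has no port restriction.
        fwAllowedPortList:
          class: Firewall_Port_List
          ports:
            - 8080-8081
            - 22
            - 443
            - 53
            - 80
        fwDefaultDenyAddressList:
          addresses:
            - 0.0.0.0/0
          class: Firewall_Address_List
        # HSL destination feeding the syslog destination; transport is plain TCP to poolHsl (port 514),
        # so keep the collector on a trusted network.
        fwLogDestinationHsl:
          class: Log_Destination
          distribution: adaptive
          pool:
            use: poolHsl
          protocol: tcp
          type: remote-high-speed-log
        fwLogDestinationSyslog:
          class: Log_Destination
          format: rfc5424
          remoteHighSpeedLog:
            use: fwLogDestinationHsl
          type: remote-syslog
        fwLogPublisher:
          class: Log_Publisher
          destinations:
            - use: fwLogDestinationSyslog
        fwPolicy:
          class: Firewall_Policy
          rules:
            - use: fwRuleList
        # Rules are evaluated in order: TCP from allowed sources to allowed ports, any UDP from allowed
        # sources, then a logged drop of everything else.
        fwRuleList:
          class: Firewall_Rule_List
          rules:
            - action: accept
              destination:
                portLists:
                  - use: fwAllowedPortList
              loggingEnabled: true
              name: tcpAllow
              protocol: tcp
              source:
                addressLists:
                  - use: fwAllowedAddressList
            - action: accept
              loggingEnabled: true
              name: udpAllow
              protocol: udp
              source:
                addressLists:
                  - use: fwAllowedAddressList
            - action: drop
              loggingEnabled: true
              name: defaultDeny
              protocol: any
              source:
                addressLists:
                  - use: fwDefaultDenyAddressList
        fwSecurityLogProfile:
          class: Security_Log_Profile
          network:
            logIpErrors: true
            logRuleMatchAccepts: true
            logRuleMatchDrops: true
            logRuleMatchRejects: true
            logTcpErrors: true
            logTcpEvents: true
            logTranslationFields: true
            publisher:
              use: fwLogPublisher
            storageFormat:
              fields:
                - action
                - bigip-hostname
                - context-name
                - context-type
                - date-time
                - dest-ip
                - dest-port
                - drop-reason
                - protocol
                - src-ip
                - src-port
        # Log collector pool. NOTE(review): 255.255.255.254 looks like a placeholder — replace with the
        # real collector address. The HSL destination uses TCP but the monitor is /Common/udp; confirm the
        # monitor matches the collector's transport, otherwise member health may be misreported.
        poolHsl:
          class: Pool
          members:
            - enable: true
              serverAddresses:
                - 255.255.255.254
              servicePort: 514
          monitors:
            - bigip: /Common/udp
        # Logs the selected pool member on every LB_SELECTED event; can be noisy under load.
        lbSelectedRule:
          class: iRule
          iRule: 'when LB_SELECTED {log local0. "Selected server [LB::server]"}'
          remark: Log load balanced server
        profileL4:
          class: L4_Profile
        # Wildcard, non-ARPed, spanning virtual address shared by the three services below.
        serviceAddress:
          class: Service_Address
          arpEnabled: false
          icmpEcho: disable
          spanningEnabled: true
          virtualAddress: 0.0.0.0
      # Transparent wildcard service on the PGW DAG VLAN with fwPolicy enforced and logging attached.
      firewall_any:
        class: Application
        template: generic
        serviceMain:
          allowVlans:
            - bigip: /Common/network_PGW_DAG
          class: Service_Generic
          iRules:
            - /f5vnf/Shared/lbSelectedRule
          layer4: any
          policyFirewallEnforced:
            use: /f5vnf/Shared/fwPolicy
          profileL4:
            use: /f5vnf/Shared/profileL4
          securityLogProfiles:
            - use: /f5vnf/Shared/fwSecurityLogProfile
          snat: none
          lastHop: disable
          translateServerAddress: false
          translateServerPort: false
          virtualAddresses:
            - use: /f5vnf/Shared/serviceAddress
          virtualPort: 0
      # TCP FastL4 variant of firewall_any on the same VLAN, same policy and log profile.
      firewall_fastL4:
        class: Application
        template: l4
        serviceMain:
          class: Service_L4
          layer4: tcp
          allowVlans:
            - bigip: /Common/network_PGW_DAG
          profileL4:
            use: /f5vnf/Shared/profileL4
          virtualAddresses:
            - use: /f5vnf/Shared/serviceAddress
          virtualPort: 0
          translateServerAddress: false
          translateServerPort: false
          snat: none
          lastHop: disable
          iRules:
            - /f5vnf/Shared/lbSelectedRule
          policyFirewallEnforced:
            use: /f5vnf/Shared/fwPolicy
          securityLogProfiles:
            - use: /f5vnf/Shared/fwSecurityLogProfile
      # NOTE(review): unlike firewall_any and firewall_fastL4, this service on the PDN DAG VLAN has no
      # policyFirewallEnforced, no securityLogProfiles and no lastHop setting, so inbound traffic is
      # neither filtered by fwPolicy nor logged here — confirm that is intended.
      firewall_inbound:
        class: Application
        template: generic
        serviceMain:
          allowVlans:
            - bigip: /Common/network_PDN_DAG
          class: Service_Generic
          iRules:
            - /f5vnf/Shared/lbSelectedRule
          layer4: any
          profileL4:
            use: /f5vnf/Shared/profileL4
          snat: none
          translateServerAddress: false
          translateServerPort: false
          virtualAddresses:
            - use: /f5vnf/Shared/serviceAddress
          virtualPort: 0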