Configuring the HFE Node

In this section...

HFE Node Network Setup

The HFE node is a public-facing node which allows subsecond switchover to occur on the SBCs, as it negates the need for any IP reassignment.

GCP requires each Interface on a instance to be in a separate VPCs. A minimum of six VPCs need to be created for a full HFE set up (assuming all Mgmt interfaces for SBC and HFE node are in the same VPC).

The HFE must be configured with the five Interfaces:

Standard interface Name	NIC	Function	Requires External IP?
ens4	nic0	Public Interface for SBC PKT0	Yes
ens5	nic1	Private interface in for SBC PKT1 (Can only be connected to from instances in same subnet)	No
ens6	nic2	Management interface to HFE	Yes
ens7	nic3	Interface to SBC PKT0 (must be in the same VPC and subnet as SBC pkt0)	No
ens8	nic4	Interface to SBC PKT1 (must be in the same VPC and subnet as SBC pkt1)	No

Prerequisites for Creating the HFE Node

The following configuration options must be set before creating the HFE node

Six VPC Networks must be configured, refer to Creating VPC and Subnets.
You must correctly set the GCE Service Account permission, refer to GCP Service Account Permissions.
You must create a GCP Bucket in Cloud Storage for the HFE script, refer to Creating a Bucket in Cloud Storage for the HFE Script Upload.
A Static External IP address must be reserved for the nic0. Refer to Reserving Static External IP Addresses.

Manual HFE Node Instance Creation

The following steps are required to set up a GCE HFE instance with five interfaces to interact to communicate with PKT0 and PKT1.

Go to Compute Engine > VM instances.
Click CREATE INSTANCE.
Select: Name, Region and Zone.
Select: Machine Type - Custom.
1. Select six CPUs with 15GB RAM.
  
  Machine Type - Custom
To configure the OS, select Boot Disk - Change.
1. Select Ubuntu 19.04.
2. Set the Size as 10 (GB).
  
  Boot Disk - OS Images
  
  Currently only Ubuntu 19.04 is supported as the HFE node boot disk.
In the Identity and API access - Service account, select the Service account which was created earlier.
In the Security tab update the SSH Keys as to include:
1. SSH Key for ubuntu user - Insert ssh-rsa ... ubuntu.
2. Select the Block project-wide SSH keys.
  
  Security

Update the Metadata to include the user-datafor the HFE. The user data is can be found here: GCE_HFE_userdata.txt, with the following variables populated appropriately:

Variable	Description
HFE_SCRIPT_LOCATION	The location of the HFE script stored in Google storage (See Creating a Bucket in Cloud Storage for the HFE Script Upload).
ACTIVE_SBC_NAME	Instance name of the Active SBC.
STANDBY_SBC_NAME	Instance name of the Standby SBC.
REMOTE_SSH_MACHINE_IP	IP address of the remote machine to SSH from on the Management Interface. This can be a comma-separated list.
ZONE	The Zone in which the SBCs are configured,

An example of User Data can be found in User Data Example

9. Update the Network Interfaces on the HFE by selecting the Networking tab - Update the Network interfaces:

Network interface

Configure Network Interfaces

Configure the following five interfaces outlined in HFE Network set up:
1. Add a Network interface for the Public Interface to receive traffic for SBC PKT0:
  1. Select VPC which was created for the HFE Public facing for PKT0 traffic.
  2. Select Subnet which was created for the HFE Public facing for PKT0 traffic.
  3. Set the Primary internal IP as Ephemeral (Automatic).
  4. Set External IP as one of the static External IPs created earlier.
  5. Set IP forwarding to On.
    
    Network interface (continued)
2. Add a Network interface for the Private interface to receive traffic for SBC PKT1:
  1. Select VPC which was created for the HFE Public facing for PKT1 traffic.
  2. Select Subnet which was created for the HFE Public facing for PKT1 traffic.
  3. Set the Primary internal IP as Ephemeral (Automatic).
  4. Set External IP as None.
    
    Network interface (continued)
3. Add a Network interface for the Management interface to HFE:
  1. Select VPC which was created for SBC MGT0.
  2. Select Subnet which was created for SBC MGT0.
  3. Set the Primary internal IP as Ephemeral (Automatic).
  4. Set External IP as Ephemeral (Automatic).
    
    Network interface - External IP
4. Add a Network interface for the interface to communicate with SBC PKT0.
  1. Select VPC which was created for SBC PKT0.
  2. Select Subnet which was created for SBC PKT0.
  3. Set the Primary internal IP as Ephemeral (Automatic).
  4. Set the External IP as None.
    
    Network interface (PKT0)
5. Add a Network interface for the interface to communicate with SBC PKT1.
  1. Select VPC which was created for SBC PKT1.
  2. Select Subnet which was created for SBC PKT1.
  3. Set the Primary internal IP as Ephemeral (Automatic).
  4. Set the External IP as None
    
    Network interface (PKT1)
Click CREATE

As the the SBCs are not yet configured, there will be error messages occurring in the HFE.log. After the HFE node instance is created, to stop the instance from running until the SBCs are created and configured.

The GCE HFE script will fail until the SBCs have been created (due to the inability to read the information from the SBC). This means SSH to mgmt interface will not work until the SBCs have been created. The HFE node will be able to be accessed via NIC0.

User Data Example

Below is an example of the user data for the HFE node with data completed:

Content-Type: multipart/mixed; boundary="//" 
MIME-Version: 1.0 
--// 
Content-Type: text/cloud-config; charset="us-ascii" 
MIME-Version: 1.0 
Content-Transfer-Encoding: 7bit 
Content-Disposition: attachment; filename="cloud-config.txt" 
#cloud-config 
cloud_final_modules: 
- [scripts-user, always] 
--// 
Content-Type: text/x-shellscript; charset="us-ascii" 
MIME-Version: 1.0 
Content-Transfer-Encoding: 7bit 
Content-Disposition: attachment; filename="userdata.txt" 
#!/bin/bash 
HFE_DIR="/home/ubuntu/HFE" 
HFE_LOG_DIR="$HFE_DIR/log" 
HFE_FILE="$HFE_DIR/HFE_GCE.sh" 
LOG_FILE="$HFE_LOG_DIR/cloud-init-nat.log" 
NAT_VAR="$HFE_DIR/natVars.input" 
timestamp() 
{ 
date +"%Y-%m-%d %T" 
} 
if [ ! -d $HFE_LOG_DIR ]; then 
mkdir -p $HFE_LOG_DIR; 
fi; 
/bin/echo $(timestamp) " ========================= cloud-init configuration for HFE ==========================================" >> $LOG_FILE 
if [ $(grep -c 169.254.169.254 /etc/resolv.conf) -eq 0 ]; then 
sed -i.orig '/^nameserver.*/i nameserver 169.254.169.254' /etc/resolv.conf 
fi 
gsutil cp gs://rbbn-sbc/HFE_GCE.sh $HFE_FILE 
if [ $? -ne 0 ]; then 
/bin/echo $(timestamp) "Error:Could not copy HFE script from Google Storage." >> $LOG_FILE 
else 
/bin/echo $(timestamp) "Copied HFE script from Google Storage." >> $LOG_FILE 
fi; 
/bin/echo > $NAT_VAR 
/bin/echo "ACTIVE_SBC_VM_NAME=\"rbbn-sbc1\"" >> $NAT_VAR 
/bin/echo "STANDBY_SBC_VM_NAME=\"rbbn-sbc2\"" >> $NAT_VAR 
/bin/echo "REMOTE_SSH_MACHINE_IP=\"10.27.178.4\"" >> $NAT_VAR 
/bin/echo "ZONE=\"us-central1-a\"" >> $NAT_VAR 
/bin/echo $(timestamp) "Copied natVars.input" >> $LOG_FILE 
sudo chmod 744 $HFE_FILE 
/bin/echo "Configured using HFE script - $HFE_FILE" >> $LOG_FILE 
/bin/echo $(timestamp) " ========================= Done ==========================================" >> $LOG_FILE 
nohup $HFE_FILE set up > /dev/null 2>&1 &

HFE Network Security Configuration

Specific extra rules need to be added at the Google Network level to allow use of the HFE. Both routes and firewall rules must be configured on the VPC networks which contain the subnets in which PKT0 and PKT1 interfaces on the SBC are located.

Google Network Routes

Routes must be created to send all of the traffic that leaves the PKT0 and PKT1 interfaces return through the HFE:

Go to VPC networks
Click on the VPC you are using for the PKT0 interface and then click Routes
Click Add route:
1. Give name.
2. Set Destination IP range to 0.0.0.0/0.
3. Set Priority to anything under 1000 (The priority value for the default routes created).
4. Set an Instance tag. This is used to specify which instances use this rule.
  
  This tag must be set as Network Tag when creating an instance.
5. Set next hop to either:
  1. Specify an instance - In this case, you need an instance already created with an interface in this VPC. However, if the instance is deleted and another is created with the same name, Google will route traffic to this new instance
  2. Specify an IP address - Specify the private IP address of nic3 / nic4 (for the VPCs for PKT0, PKT1 respectively) interface on the HFE.
    
    To use the Specify instance method, the HFE instance must be created first.
    
    VPC route rules cannot be edited in GCP.
  Create a route
6. Repeat for the VPC used for the SBC PKT1 interface.

Google Firewall Rules

By default, the Google network will drop all packets unless firewall rules are configured. Rules must be set up for the VPCs to allow traffic from specific locations to reach the instances.

Go to VPC networks.
Click on the VPCs you are using for the PKT0 port on the SBCs and then click Firewall Rules.
There are two types of firewall required for using the HFE:
1. An ingress and egress rule to allow all traffic (protocol and port) types from the source IP(s) of the traffic.
  1. Set Targets to All instances in the network.
  2. The Source filter should be IP ranges.
  3. Set Source IP ranges as the source IPs for the traffic.
  4. Set Protocols and ports as Allow all.
2. An ingress and egress rule to allow all traffic from within the subnet to communicate (this should have been created by default):
  1. Set Targets to All instances in the network.
  2. The Source filter should be IP ranges.
  3. Set Source IP ranges as the subnet CIDR.
  4. Set Protocols and ports as Allow all.
Repeat for the VPC used for the SBC PKT1 interface.

VPC network details

HFE Node Logging

The HFE will generate the following logs under /home/ubuntu/HFE/log/:

cloud-init-nat.log: Logs generated from commands from the user-data
HFE_conf.log: Logs generated from the set up of the HFE node. They contain information about:
- SBC instance names
- IPs for allowing SSH into the HFE node
- The configured zone
- SBC IPs being used to forward traffic
- Iptables rules
- Routing rules
HFE_conf.log.prev: A copy of the previous HFE_conf.log
HFE.log:
- Logs which contain messages about any switchover action, as well as connection errors. The logs generated are as follows:
  1. Connection error detected to Active SBC: <<IP>>. Attempting switchover.
    - We have lost connection to the SBC. HFE node now performing switchover action .
  2. Connection error ongoing - No connection to SBC PKT ports from HFE
    - This error means that a switchover has been attempted, but no connection could be established to the new SBC.
    - The HFE node then continually switches between the SBCs until a connection is established.
    - This usually means there is a network issue or a configuration issue on the SBCs.
  3. Switchover from old Active <<Old Active SBC IP>> to new Active <<New Active SBC IP>> complete. Connection established.
    - The switchover action is complete and connection has been established to the Active SBC.
- This log is rotated when it reaches 250 MB:
  - Up to four previous logs are saved.
  - The previous logs are compressed to save disk space.

Space shortcuts

Page tree