Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Related Documentation


    Example: Creating a Transparent Service Chain

    This section provides an example of creating a transparent mode service chain using the Contrail Controller Juniper Networks user interface. Also called bridge mode, transparent mode is used for services that do not modify the packet, such as Layer 2 firewall, Intrusion Detection and Prevention (IDP), and so on. The following service chain example also shows scaling of service instances.

    Creating a Transparent Mode Service Chain

    To create a transparent mode service chain:

    1. First create a left and a right virtual network. Select Configure > Networking > Networks and create left_vn and right_vn; see Figure 1.

      Figure 1: Create Networks

      Create Networks
    2. Next, configure a service template for a transparent mode. Navigate to Configure > Services > Service Templates and click the Create button on Service Templates. The Add Service Template window appears; see Figure 2.

      Figure 2: Add Service Template

      Add Service Template

      Table 1: Add Service Template Fields




      Enter a name for the service template.

      Service Mode

      Select the service mode: In-Network or Transparent

      Service Scaling

      If you will be using multiple virtual machines for a single service instance to scale out the service, select the Service Scaling check box. When scaling is selected, you can choose to use the same IP address for a particular interface on each virtual machine interface or to allocate new addresses for each virtual machine. For a NAT service, the left (inner) interface should have the same IP address, and the right (outer) interface should have a different IP address.

      Image Name

      Select from a list of available images the image for the service.

      Interface Types

      Select the interface type or types for this service:

      • For firewall or NAT services, both Left Interface and Right Interface are required.
      • For an analyzer service, only Left Interface is required.
      • For Juniper Networks virtual images, Management Interface is also required, in addition to any left or right requirement.

    3. On Add Service Template, complete the following for the transparent mode service template:
      • Name: firewall-template
      • Service Mode: Transparent
      • Service Scaling: select
      • Image Name: vsrx-bridge
      • Interface Types: select Left Interface, Right Interface, and Management Interface

      If multiple instances are to be launched for a particular service instance, select the Service Scaling check box, which enables the Shared IP feature.

    4. When finished, click Save.
    5. Now create the service instance. Navigate to Configure > Services > Service Instances, and click Create, then select the template to use and select the corresponding left, right, or management networks; see Figure 3.

      Figure 3: Create Service Instances

      Create Service Instances

      Table 2: Create Service Instances Fields



      Instance Name

      Enter a name for the service instance.

      Services Template

      Select from a list of available service templates the service template to use for this instance.

      Left Network

      Select from a list of available virtual networks the network to use for the left interface. For transparent mode, select Auto Configured.

      Right Network

      Select from a list of available virtual networks the network to use for the right interface. For transparent mode, select Auto Configured

      Management Network

      If you are using the Management Interface, select Auto Configured. The software will use an internally-created virtual network. For transparent mode, select Auto Configured

    6. If scaling is enabled, enter a value in the Number of Instances field to define the number of instances of service virtual machines to launch; see Figure 4. .

      Figure 4: Service Instance Details

      Service Instance Details
    7. Next, configure the network policy. Navigate to Configure > Networking > Policies.
      • Name the policy fw-policy.
      • Set source network as left_vn and destination network as right_vn.
      • Check Apply Service and select the service (fw-instance ).

      Figure 5: Create Policy

      Create Policy
    8. Next, associate it to the networks created earlier – left_vn and right_vn. Navigate to Configure > Networking > Policies.
      • On the right side of left_vn, click the gear icon to enable Edit Network.
      • In the Edit Network dialog box for left_vn, select nat-policy in the Network Policy(s) field.
      • Repeat the process for the right_vn.
    9. Next, launch virtual machines (from OpenStack) and test the traffic through the service chain by doing the following:
      1. Navigate to Configure > Networking > Policies.
      2. Launch left_vm in virtual network left_vn.
      3. Launch right_vm in virtual network right_vn.
      4. Ping from left_vm to right_vm IP address ( in Figure 6).
      5. A TCPDUMP on the right_vm should show that packets have the source IP set to

      Figure 6: Launch Instances

      Launch Instances

    Related Documentation


    Modified: 2015-09-02