
Creating VNF Service Chains for Inter-LR Traffic

Contrail Networking Release 1912 extends the service chaining functionality to bare metal servers (BMS). In earlier releases, Contrail Networking supported traffic flow between a virtual machine in one virtual network and a virtual machine in another virtual network. However, traffic flow between a virtual machine and a BMS through a service chain was not supported. With Release 1912, Contrail Networking supports the movement of inter-LR traffic by using virtual network functions (VNF). This EVPN-based VXLAN (Ethernet VPN-based Virtual Extensible LAN) service chain supports bidirectional traffic flow through a service virtual machine.

VNF service chaining uses EVPN with VXLAN to enable traffic flow between:

  • Two bare metal servers.

    Figure 1: Traffic Flow Between Two Bare Metal Servers

    Figure 1 shows traffic flowing between two bare metal servers. Each bare metal server is connected to a logical router (virtual routing engine). These logical routers are configured to send traffic from the bare metal server in one virtual network to the bare metal server in the other virtual network, through the service virtual machine.

  • A bare metal server and a virtual machine.

    Figure 2: Traffic Flow Between a Bare Metal Server and a Virtual Machine

    Figure 2 shows traffic flowing between a bare metal server and a virtual machine. The bare metal server and the virtual machine are connected to logical routers. These logical routers are configured to send traffic from the bare metal server in one virtual network to the virtual machine in the other virtual network, through the service virtual machine.

  • A virtual machine and a bare metal server.

    Figure 3: Traffic Flow Between a Virtual Machine and a Bare Metal Server

    Figure 3 shows traffic flowing between a virtual machine and a bare metal server. The virtual machine and the bare metal server are connected to logical routers. These logical routers are configured to send traffic from the virtual machine in one virtual network to the bare metal server in the other virtual network, through the service virtual machine.

Figure 4 shows how the service virtual machine, acting as a VNF, conceptually connects to the virtual networks.

Figure 4: VNF Connectivity

The VNF does not connect to VN1 and VN2 directly. Instead, the VNF connects to virtual networks (labelled LR::LR1 and LR::LR2) that are internally generated by Contrail Networking. These internal virtual networks learn of routes in VN1 and VN2 through route leaking, as shown in Figure 5.

Figure 5: Route Leaking Between Internally-Generated and Explicitly-Created Virtual Networks

Contrail Networking creates LR::LR1 when you associate Logical Router LR1 with Virtual Network VN1, and LR::LR2 when you associate Logical Router LR2 with Virtual Network VN2. If you’re not working with VNFs, then you can safely ignore these internally-generated virtual networks. If you’re working with VNFs, as you are in this topic, then you must configure each of these internally-generated virtual networks with a subnet and associate these networks with the VNF. We’ll show you how to do this later.

Routes are learned through route leaking and re-origination. This works as follows:

  1. Routes to endpoints in VN1 are leaked to LR::LR1, and routes to endpoints in VN2 are leaked to LR::LR2.

  2. Contrail Networking then installs LR::LR1 routes into LR::LR2, and LR::LR2 routes into LR::LR1. Prior to installing these routes, Contrail Networking re-originates the routes so that the service virtual machine is the next hop. This means that traffic going from LR::LR1 to LR::LR2 and from LR::LR2 to LR::LR1 will be routed to the service virtual machine.

  3. The re-originated routes are then leaked from LR::LR1 to VN1, and from LR::LR2 to VN2.

  4. Additionally, Contrail Networking configures the routing tables in the vRouter (on the server where the service virtual machine resides) so that it too has routes to VN1 and VN2.

The end result is that packets in one virtual network destined for the other virtual network are sent to the service virtual machine for processing.
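
The route-leaking steps above can be traced with a small model. The following Python code is an added example, not Contrail Networking code: the VRF names come from this topic, while the prefixes, next-hop labels and function names are constructed. It builds the tables from steps 1 through 3 (the vRouter tables of step 4 are not modelled) and audits them for any inter-network route whose next hop is not the service virtual machine.

```python
"""Model of route leaking and re-origination between VN1, LR::LR1, LR::LR2, VN2.

Added example. Prefixes, next-hop labels and helper names are constructed;
VN1 and VN2 are assumed to use non-overlapping prefixes.
"""
import ipaddress
from dataclasses import dataclass

SERVICE_VM = "service-vm"   # hypothetical label for the VNF next hop


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    origin_vn: str          # virtual network where the endpoint lives


def build_tables(vn1_routes, vn2_routes):
    """Apply steps 1-3 and return {vrf_name: {prefix: Route}}."""
    t = {"VN1": {}, "LR::LR1": {}, "LR::LR2": {}, "VN2": {}}
    for prefix, nh in vn1_routes.items():
        t["VN1"][prefix] = Route(prefix, nh, "VN1")
    for prefix, nh in vn2_routes.items():
        t["VN2"][prefix] = Route(prefix, nh, "VN2")

    # Step 1: leak tenant routes into the internally generated networks.
    t["LR::LR1"].update(t["VN1"])
    t["LR::LR2"].update(t["VN2"])

    # Step 2: re-originate with the service VM as next hop, then install
    # LR::LR1 routes into LR::LR2 and LR::LR2 routes into LR::LR1.
    to_lr2 = {p: Route(p, SERVICE_VM, r.origin_vn)
              for p, r in t["LR::LR1"].items()}
    to_lr1 = {p: Route(p, SERVICE_VM, r.origin_vn)
              for p, r in t["LR::LR2"].items()}
    t["LR::LR2"].update(to_lr2)
    t["LR::LR1"].update(to_lr1)

    # Step 3: leak the re-originated routes back to the tenant networks.
    t["VN1"].update(to_lr1)
    t["VN2"].update(to_lr2)
    return t


def next_hop(tables, vrf, dst_ip):
    """Longest-prefix match for dst_ip in one VRF; None when no route exists."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [r for r in tables[vrf].values()
               if addr in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    best = max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)
    return best.next_hop


def find_bypass(tables):
    """Return (vrf, prefix, next_hop) for inter-VN routes that skip the VNF."""
    findings = []
    for vrf, routes in tables.items():
        local_vn = "VN1" if vrf in ("VN1", "LR::LR1") else "VN2"
        for r in routes.values():
            if r.origin_vn != local_vn and r.next_hop != SERVICE_VM:
                findings.append((vrf, r.prefix, r.next_hop))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample routes: one subnet per virtual network.
    tables = build_tables({"10.1.1.0/24": "leaf1-vtep"},
                          {"10.2.2.0/24": "vrouter-2"})
    print("VN1 -> 10.2.2.20 via", next_hop(tables, "VN1", "10.2.2.20"))
    print("bypass findings:", find_bypass(tables))

    # Constructed misconfiguration: a more specific VN2 host route appears
    # in VN1 without re-origination, so longest-prefix match prefers it.
    tables["VN1"]["10.2.2.20/32"] = Route("10.2.2.20/32", "vrouter-2", "VN2")
    print("VN1 -> 10.2.2.20 via", next_hop(tables, "VN1", "10.2.2.20"))
    print("bypass findings:", find_bypass(tables))
```

The second half of the run shows why the audit looks at every route rather than only the subnet route: a single more specific route that was not re-originated is enough to carry traffic around the service virtual machine.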

These topics provide instructions to create an EVPN-based VXLAN service chain.

Onboard Brownfield Devices

Follow these steps to onboard brownfield devices from the Contrail Command user interface (UI):

  1. Click Infrastructure>Fabrics.

    The Fabrics page is displayed.

  2. Click Create.

    You are prompted to select a provisioning option.

  3. Click Existing Fabric to import existing (brownfield) devices by discovery. See Figure 6.
    Figure 6: Select Existing Fabric
  4. Click Provision.

    The Create Fabric page is displayed.

  5. Enter the information as given in Table 1.
    Table 1: Provision Existing Fabric

    | Field | Action |
    |---|---|
    | Name | Enter a name for the fabric. |
    | Overlay ASN (iBGP) | Enter autonomous system (AS) number in the range of 1-65,535. If you enable 4 Byte ASN in Global Config, you can enter 4-byte AS number in the range of 1-4,294,967,295. |
    | Node profiles | Add node profiles. You can add more than one node profile. All preloaded node profiles are added to the fabric by default. You can remove a node profile by clicking X on the node profile. For more information, see View Node Profile Information. For more information on supported hardware platforms, associated node profiles and roles, see Contrail Networking Supported Hardware Platforms and Associated Roles And Node Profiles. |
    | Disable VLAN-VN Uniqueness Check | Select this check box when you are using the enterprise style of configuration but want to disable the requirement that every VLAN ID must have a 1:1 mapping with a VNI. Enterprise style of configuration is enabled by selecting the VLAN-ID Fabric-Wide Significance check box. |
    | VLAN-ID Fabric Wide Significance | Select the check box to enable enterprise style of configuration for the CRB-Access role on QFX devices. De-select the check box to enable service provider style of configuration for the CRB-Access role. The check box is selected by default since enterprise style is the default setting. Once configured you can modify the enterprise style setting to service provider style of configuration. However, you cannot modify the service provider style to enterprise style of configuration without having to recreate the fabric. The service provider style of configuration allows for customization of Ethernet-based services at the logical interface level. Each logical interface is bound to a unique VLAN ID. With the enterprise style of configuration, logical interfaces are placed into Layer 2 mode by specifying ethernet-switching as the interface family. The ethernet-switching family can be configured only on a single logical unit, unit 0. For more information on enterprise and service provider type of configurations, see Flexible Ethernet Services Encapsulation. Note: Contrail Networking Release 1909 supports QFX10002-60C device running Junos OS Release 19.1R2 and later. QFX10002-60C device works only if enterprise style of configuration is enabled. To enable enterprise style of configuration, select the VLAN-ID Fabric Wide Significance check box when onboarding the QFX10002-60C device. For more information on enterprise style of configuration, see Configuring EVPN VXLAN Fabric with Multitenant Networking Services. For more information on supported hardware platforms and roles, see Contrail Networking Supported Hardware Platforms and Associated Roles And Node Profiles. |
    | Device credentials | Enter the device credentials to access the fabric devices for discovery. If your fabric devices have different username and password combinations for device access, click the + Add option to add additional username and password credentials. |
    | Management subnets | Enter the following information to auto-assign management IP addresses to devices. CIDR: Enter the block of IP addresses that will be assigned as management IP addresses. The field value must include a CIDR with an IP address and a subnet mask. For example, 192.0.20/24. Gateway: Enter gateway address for the devices in the management subnet that connect to the fabric. |
    | Loopback subnets | Enter loopback subnet (lo0) address. The field value must include a CIDR with an IP address and a subnet mask. For example, 192.0.20/24. Loopback subnets are used to auto-assign loopback IP addresses to the fabric devices. |
    | Underlay ASNs (eBGP) | Enter autonomous system (AS) number in the range of 1-65,535. If you enable 4 Byte ASN in Global Config, you can enter 4-byte AS number in the range of 1-4,294,967,295. Enter minimum value in ASN From field. Enter maximum value in ASN To field. |
    | Fabric subnets | Enter fabric CIDR address. The field value must include a CIDR with an IP address and a subnet mask. For example, 192.0.20/24. Fabric subnets are used to assign IP addresses to interfaces that connect to leaf or spine devices. |
    | LR Loopback subnets | Enter an IP subnet to be assigned as loopback interface (lo0) addresses used in Logical Routers (LR). The LR loopback interface IP address is required for eBGP peering to external or unmanaged devices. The field value must include a CIDR with an IP address and a subnet mask. For example, 192.0.20/24. |
    | Loopback subnets (CIDR) | Enter loopback address. Loopback subnets are used to auto-assign loopback IP addresses to the fabric devices. If you assign the AR-Replicator and AR-Client roles to enable assisted replication on the QFX10000 devices in a datacenter, you must enter loopback address. For more information, see Assign a Role to a Device. |
    | PNF Servicechain subnets | Enter the IP subnet for allocating IP addresses in the PNF Servicechain subnets field to establish EBGP session between PNF device and SPINE switch. This is an optional field that should be left blank when you are not creating service chains. |
    | Advanced interface filters | Create an interface filter to filter the interfaces to include in the fabric. By default, all interfaces identified as participating in Contrail are imported into the fabric during the fabric provisioning process. If an interface filter is set, the fabric provisioning process includes the interfaces that are participating in Contrail and that match the interface filter in the fabric. To create an interface filter, choose the operation as regex and enter the filter characters in the Expression field. The Expression field supports all characters - including metacharacters - allowed in Python regex filters. For example, you can enter ^xe in the Expression field to filter out all 10Gbps xe interfaces from the fabric. |
    | Import configured interfaces | Choose this option if configured interfaces need to be imported into the fabric in addition to runtime interfaces. With some exceptions, a configured interface is generally an interface that has been configured in the Junos OS software. A runtime interface is generally an interface that has not been configured in Junos OS. You can confirm which interfaces are configured interfaces by entering the show interfaces command at the configuration mode prompt (#) in Junos. Only runtime interfaces are imported into the fabric by default. |

  6. Click Next.

    The Device discovery page is displayed.

    The Device discovery progress bar on the Device discovery page displays the progress of the device discovery job.

    Figure 7: Device Discovery Progress Bar

    The discovered devices are listed on the Discovered devices page.

  7. Select the device you want to add by selecting the check box next to the device name.

    You can select more than one device.

  8. Click Next to assign roles.

    The Assign the Roles page is displayed.

  9. From the assign to devices table, select the device you want to assign a role to by selecting the check box next to the device name.

    Click the Assign icon at the end of the row to assign roles. The Assign role to devices pop-up is displayed.

  10. You can now assign physical roles and routing-bridging roles.
    1. Select a physical role from the Physical Role list.

    2. Select a routing-bridging role from the Routing Bridging Roles list.

    Assigning Roles for Spine Devices:

    • Select spine from the Physical Role list.

    • Select CRB-Gateway from the Routing Bridging Roles list.

    Assigning Roles for Leaf Devices:

    • Select leaf from the Physical Role list.

    • Select CRB-Access from the Routing Bridging Roles list.

    Assigning Roles for PNF Devices:

    • Select PNF from the Physical Role list.

    • Select CRB-Access and PNF-Servicechain from the Routing Bridging Roles list.

    Note:

    The number of PNF instances you can create depends on the subnet mask of the pnf-servicechain-subnet that you provided during fabric onboarding. You can create multiple /29 subnets from the pnf-servicechain-subnet.

    For example, if a /24 subnet is provided for the pnf-servicechain-subnet, then you can create 2^5 = 32 (29 - 24 = 5) subnets out of it. Each PNF uses a pair of /29 subnets. Thus, for a /24 subnet, you can have a maximum of 16 PNFs.

    Assigning Roles for VNF Devices:

    • Select VNF from the Physical Role list.

    • Select CRB-Access from the Routing Bridging Roles list.

      Note:

      ERB-UCAST-Gateway routing bridging role is also supported.

    Note:

    When you configure a QFX series device as a data center gateway, ensure that you assign DC-Gateway role to the spine device.

    To assign a DC-Gateway role to a spine device:

    • Select spine from the Physical Role list.

    • Select DC-Gateway from the Routing Bridging Role list.

    Click Assign to confirm selection.

  11. Click Autoconfigure to initiate the auto-configuration job.

    The Autoconfigure page is displayed.

    The Autoconfigure progress bar on the Discovered devices page displays the progress of the auto-configuration job. Once the auto-configuration job is completed, click Next. The Assign Telemetry Profiles page is displayed.

    Starting with Contrail Networking Release 2008, you can apply MTU, admin state, flow control, LACP force up, interface type attributes to physical interfaces; and MTU to logical interfaces. These attributes are applied to physical and logical interfaces after you Autoconfigure the devices.

    To apply these attributes to interfaces:

    1. Navigate to Infrastructure > Fabric.
    2. Select the desired fabric from the list.
    3. Select the desired fabric device from the list.
    4. Click Physical Interfaces > Create.
    5. Enter the required details.
      Figure 8: Create Physical Interface
    6. Click Create.
    7. Click Logical Interfaces > Create.
    8. Enter the required details.
    9. Click Create.
  12. (Optional) Assign telemetry profiles. For more information, see Assign Telemetry Profiles.

    PNF service chain and VNF service chain do not use telemetry profiles.

  13. Click Finish to exit the Create Fabric wizard.

    The onboarding job is now complete.

Note:

After the devices are onboarded, if you edit the fabric topology by adding new spine or leaf devices or by adding new links between devices, you must onboard the edited devices again. If you do not onboard the devices after edits to the initial configuration, underlay formation for the edited devices fails. You can choose to onboard individual devices by clicking the Onboard button for the selected device in the Fabric Devices tab of the Infrastructure > Fabrics > Fabric_Name page.

Create Virtual Network

A virtual network is a collection of endpoints, such as virtual machine instances, that can communicate with each other. You can also connect virtual networks to your on-premises network. A virtual network in an EVPN VXLAN data center corresponds to a bridge domain for one tenant in a multi-tenant data center fabric.

Follow these steps to create a virtual network from the Contrail Command user interface (UI).

  1. Navigate to Overlay>Virtual Networks.

    The All Networks page is displayed.

  2. Click Create to create a network.

    The Create Virtual Network page is displayed.

  3. Enter a name for the network in the Name field.
  4. Select VN Fabric Type.

    Select Routed to enable routed virtual network functionality. A routed virtual network represents a layer 3 subnet between the fabric (border gateway) and the third-party physical network device. For more information, see Using Static, eBGP, PIM, and OSPF Protocols to Connect to Third-Party Network Devices.

    Select Switched (default option) for tenant virtual network on leaf, bare metal server, or vRouter.

  5. Select network policies from the Network Policies list. You can select more than one network policy.

    Network policies provide connectivity between virtual networks by allowing or denying specified traffic. They define the access control lists to virtual networks. To create a new network policy, navigate to Overlay>Network Policies.

    For more information on creating network policies, see Create Network Policy.

    Note:

    You can attach a network policy to the virtual network after you have created the virtual network.

  6. Select one of the following preferred allocation modes.
    • Flat subnet only

    • Flat subnet preferred

    • (Default) User defined subnet only

    • User defined subnet preferred

    An allocation mode indicates how you choose a subnet. You select Flat subnet only or Flat subnet preferred allocation mode when the subnet is shared by multiple virtual networks. However, you select (Default) User defined subnet only or User defined subnet preferred allocation mode when you want to define a subnet range.

  7. Enter subnet information as given in Table 2.
    Table 2: Subnet Information

    | Field | Action |
    |---|---|
    | Network IPAM | Select the IP address management method that controls IP address allocation, DNS, and DHCP for the subnet. |
    | CIDR | Enter the overlay subnet CIDR. |
    | Allocation Pools | Enter a list of ranges of IP addresses for vRouter-specific allocation. |
    | Gateway | Enter the gateway IP address of the overlay subnet. This field is disabled by default. To configure this field, uncheck Auto Gateway. |
    | Service Address | Specify the user configured IP address for DNS Service instead of the default system allocated one. |
    | Auto Gateway | This check box is enabled by default and gateway address is allocated by the system. When this box is unchecked, gateway address is user configurable. |
    | DHCP | Select this check box if you want Contrail to provide DHCP service. |
    | DNS | Select this check box if you want the vRouter agent to provide DNS service. |

  8. Enter host route information.

    Host routes are a list of prefixes and next hops that are passed to the virtual machine through DHCP.

    1. Route Prefix—Enter a full CIDR value with an IP address and a subnet mask. For example, 10.0.0.0/24.

    2. Next Hop—Enter next hop address.

  9. Enter floating IP pool information.

    A floating IP address is an IP address (typically public) that can be dynamically assigned to a running virtual instance. You can configure floating IP address pools in project networks, then allocate floating IP addresses from the pool to virtual machine instances in other virtual networks.

    1. Pool Name—Enter pool name.

    2. Projects—Select project from the list.

  10. Enter fat flows information. See Table 3.

    You can apply fat flows to all VMIs under the configured VN. Fat flows help reduce the number of flows that are handled by Contrail.

    Table 3: Configure Fat Flow

    | Field | Action |
    |---|---|
    | Protocol | Select the application protocol. |
    | Port | Enter a value from 0 through 65,535. Enter 0 to ignore both source and destination port numbers. Note: If you select ICMP as the protocol, the Port field is not enabled. |
    | Ignore Address | Configure fat flows to support aggregation of multiple flows into a single flow by ignoring source and destination ports or IP addresses. If you select Destination, only the Prefix Aggregation Source fields are enabled. If you select Source, only the Prefix Aggregation Destination fields are enabled. If you select None (selected by default), both Prefix Aggregation Source and Prefix Aggregation Destination fields are enabled. |
    | Prefix Aggregation Source > Source Subnet | Enter the source IP address. Ensure that the source subnet of the flows match. For example, enter 10.1.0.0/24 to create fat flows with 10.1.0.0/24 as the subnet. The valid subnet mask range is /8 through /32. Note: For packets from the local virtual machine, source refers to the source IP of the packet. For packets from the physical interface, source refers to the destination IP of the packet. |
    | Prefix Aggregation Source > Prefix | Enter source subnet prefix length. The prefix length you enter is used to aggregate flows matching the source subnet. For example, when the source subnet is 10.1.0.0/16 and prefix length is 24, the flows matching the source subnet are aggregated to 10.1.x.0/24 flows. The valid prefix length range is /(subnet mask of the source subnet) through /32. |
    | Prefix Aggregation Destination > Destination Subnet | Enter the destination IP address. Ensure that the destination subnet of the flows match. Enter 10.1.0.0/24 to create fat flows with 10.1.0.0/24 as the subnet. The valid subnet mask range is /8 through /32. Note: For packets from the local virtual machine, destination refers to the destination IP of the packet. For packets from the physical interface, destination refers to the source IP of the packet. |
    | Prefix Aggregation Destination > Prefix | Enter the destination subnet prefix length. The prefix length you enter is used to aggregate flows matching the destination subnet. For example, when the source subnet is 10.1.0.0/16 and prefix length is 24, the flows matching the source subnet are aggregated to 10.1.x.0/24 flows. The valid prefix length range is /(subnet mask of the destination subnet) through /32. |

  11. Enter routing policy and bridge domain information as given below.
    1. Select routing policy from the Routing Policies list.

      To create a routing policy, navigate to Overlay>Routing>Routing Policy.

    2. Define a list of route target prefixes.

      Enter an IP address in the ASN field and Target in the range 0 through 65,535, or ASN in the range 1 through 65,535 and Target in the range 1 through 4,294,967,295 if 4-byte ASN is disabled. If 4-byte ASN is enabled, enter ASN in the range 1 through 4,294,967,295 and Target in the range 0 through 65,535.

    3. Define export route targets.

      You can advertise the matched routes from the local virtual routing and forwarding (VRF) table to the MPLS routing table.

      Enter an IP address in the ASN field and Target in the range 0 through 65,535, or ASN in the range 1 through 65,535 and Target in the range 1 through 4,294,967,295 if 4-byte ASN is disabled. If 4-byte ASN is enabled, enter ASN in the range 1 through 4,294,967,295 and Target in the range 0 through 65,535.

    4. Define import route targets.

      Import the matched routes from the MPLS routing table to the local virtual routing and forwarding (VRF) table.

      Enter an IP address in the ASN field and Target in the range 0 through 65,535, or ASN in the range 1 through 65,535 and Target in the range 1 through 4,294,967,295 if 4-byte ASN is disabled. If 4-byte ASN is enabled, enter ASN in the range 1 through 4,294,967,295 and Target in the range 0 through 65,535.

    5. Enter bridge domain information. See Table 4.

      A bridge domain is a set of logical interfaces that share the same flooding or broadcast characteristics.

      Table 4: Bridge Domains

      | Field | Action |
      |---|---|
      | Name | Enter a name for the Layer 2 or Layer 3 bridge domain. |
      | I-SID | Enter a Service Identifier in the range from 1 through 16777215. |
      | MAC Learning | Enable or disable MAC learning. MAC learning is the process of obtaining the MAC addresses of all the nodes in a virtual network. It is enabled by default. |
      | MAC Limit | Configure the maximum number of MAC addresses that can be learned. |
      | MAC Move Limit | Configure the maximum number of times a MAC address move occurs in the MAC move time window. A MAC move is when a MAC address appears on a different physical interface or within a different unit of the same physical interface. |
      | Time Window (secs) | Configure the period of time over which the MAC address move occurs. The default period is 10 seconds. |
      | Aging Time (secs) | Configure the MAC table aging time, the maximum time that an entry can remain in the Ethernet Switching table before it is removed. The default time period is 300 seconds. |

  12. Enter advanced configuration information as given in Table 5.
    Table 5: Advanced Configuration

    | Field | Action |
    |---|---|
    | Admin State | Select the administrative state of the virtual network. |
    | Reverse Path Forwarding | Enable or disable Reverse Path Forwarding (RPF) check for the virtual network. |
    | Shared | Select to share the virtual network with all tenants. |
    | External | Select the check box to make the virtual networks reachable externally. |
    | Allow Transit | Select to enable the transitive property for route imports. |
    | Mirroring | Select to mark the virtual network as a mirror destination network. |
    | Flood Unknown Unicast | Select to flood the network with packets with unknown unicast MAC address. By default, the packets are dropped. |
    | Multiple Service Chains | Select to allow multiple service chains within two networks in a cluster. |
    | IP Fabric Forwarding | Select to enable fabric based forwarding. |
    | Forwarding Mode | Select the packet forwarding mode for the virtual network. |
    | Extend to Physical Router(s) | Select the physical router to which you want to extend the logical router. The physical router provides routing capability to the logical router. |
    | Static Route(s) | Select the static routes to be added to this virtual network. |
    | QoS | Select the QoS to be used for this forwarding class. |
    | Security Logging Object(s) | Select the security logging object configuration for specifying session logging criteria. |
    | ECMP Hashing Fields | Configure one or more ECMP hashing fields. When configured, all traffic destined to that VN will be subject to the customized hash field selection during forwarding over ECMP paths by vRouters. |
    | PBB Encapsulation | Select to enable Provider Backbone Bridging (PBB) EVPN tunneling on the network. |
    | PBB ETree | Select to enable PBB ETREE mode on the virtual network which allows L2 communication between two end points connected to the vRouters. When the check box is deselected, end point communication happens through an L3 gateway provisioned in the remote PE site. |
    | Layer2 Control Word | Select to enable adding control word to the Layer 2 encapsulation. |
    | SNAT | Select to provide connectivity to the underlay network by port mapping. |
    | MAC Learning | Enable or disable MAC learning. MAC learning is the process of obtaining the MAC addresses of all the nodes in a virtual network. It is enabled by default. |
    | Provider Network | Select the provider network. The provider network specifies VLAN tag and the physical network name. |
    | IGMP enable | Enable or disable IGMP. |
    | Multicast Policies | Select the multicast policies. To create a policy, navigate to Overlay>Multicast Policies. |
    | Max Flows | Enter the maximum number of flows permitted on each virtual machine interface of the virtual network. |

  13. Click Create.

    The All Networks page is displayed. The virtual network that you created is displayed on this page.
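
The fat flow settings in step 10 (Table 3) trade flow-table size for per-endpoint detail in flow records. The following Python code is an added example, not Contrail or vRouter code: it models only what Table 3 states for Port 0, Ignore Address and Prefix Aggregation Source, for packets sent by the local virtual machine, and all flows and names in it are constructed. It assumes a source address outside the configured subnet is left unaggregated.

```python
"""Simplified model of the Table 3 fat-flow fields (added example).

Covers Port 0, Ignore Address, and Prefix Aggregation Source for packets
from the local virtual machine. Flow tuples below are constructed samples.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FatFlowRule:
    protocol: str
    port: int = 0
    ignore_address: str = "none"          # "none", "source" or "destination"
    src_subnet: Optional[str] = None      # Prefix Aggregation Source subnet
    src_prefix_len: Optional[int] = None  # Prefix Aggregation Source prefix

    def __post_init__(self):
        if self.port != 0:
            raise ValueError("this model only covers Port 0")
        if self.ignore_address not in ("none", "source", "destination"):
            raise ValueError("ignore_address must be none/source/destination")
        if self.src_subnet is None:
            return
        if self.ignore_address == "source":
            # Table 3: with Source ignored, only the destination
            # aggregation fields are enabled.
            raise ValueError("source aggregation is disabled when Source is ignored")
        net = ipaddress.ip_network(self.src_subnet)
        if not 8 <= net.prefixlen <= 32:
            raise ValueError("subnet mask must be /8 through /32")
        if self.src_prefix_len is None or not (
                net.prefixlen <= self.src_prefix_len <= 32):
            raise ValueError("prefix length must be subnet mask through /32")


def fat_flow_key(rule, proto, src_ip, src_port, dst_ip, dst_port):
    """Return the flow key after applying the rule; '*' marks an ignored field."""
    if proto != rule.protocol:
        return (proto, src_ip, src_port, dst_ip, dst_port)
    src, dst = src_ip, dst_ip
    if rule.ignore_address == "source":
        src = "*"
    elif rule.ignore_address == "destination":
        dst = "*"
    if src != "*" and rule.src_subnet is not None:
        if ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src_subnet):
            # Mask the source down to the aggregate prefix length.
            src = str(ipaddress.ip_network(
                f"{src_ip}/{rule.src_prefix_len}", strict=False))
    return (proto, src, "*", dst, "*")    # Port 0: both ports ignored


def aggregate(rule, flows):
    """Count how many 5-tuple flows collapse into each fat-flow key."""
    return Counter(fat_flow_key(rule, *f) for f in flows)


# Constructed sample flows: (protocol, src_ip, src_port, dst_ip, dst_port)
SAMPLE_FLOWS = [
    ("udp", "10.1.1.5", 40001, "10.9.0.53", 53),
    ("udp", "10.1.1.9", 40002, "10.9.0.53", 53),
    ("udp", "10.1.1.5", 40003, "10.9.0.53", 53),
    ("udp", "10.1.2.7", 40004, "10.9.0.53", 53),
    ("tcp", "10.1.1.5", 40005, "10.9.0.80", 80),
]

if __name__ == "__main__":
    rule = FatFlowRule("udp", 0, "none", "10.1.0.0/16", 24)
    for key, count in aggregate(rule, SAMPLE_FLOWS).items():
        print(count, key)
```

With the page's own values (source subnet 10.1.0.0/16, prefix length 24), hosts 10.1.1.5 and 10.1.1.9 share one key, so flow records for that key no longer identify which host sent the traffic.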

Configuring Virtual Port Groups

This topic describes how to create virtual port groups (VPGs) from the Contrail Command UI. Contrail Networking Release 2008 introduces a redesigned VPG-creation workflow. To create a VPG, perform the steps described under For release 2008 if you are using Release 2008 or later, and those described under For releases 2003 and 2005 if you are using Releases 2003 and 2005.

  • For release 2008:

    In Contrail Networking Release 2008, you can create a VPG without attaching VLANs. You have the ability to add VLANs after the VPG is created. In scaled setups, there can be a large number of VLANs, making it very hard to manage inside the create or edit Virtual Port Group pages. Release 2008 simplifies the assignment of VLANs by introducing a dedicated page for management. The VPG creation workflow comprises two steps with the first step being configuration of the VPG. Only when the configuration step is completed successfully can you assign the VLANs which is the second step.

    To create virtual port groups in Contrail Command in release 2008:

    1. Navigate to Overlay > Virtual Port Group > Create Virtual Port Group.

      The New Virtual Port Group wizard is displayed.

    2. Enter a name for the virtual port group in the Virtual Port Group Name field.

    3. Select the fabric from the Fabric Name list.

      The available physical interfaces on the devices in the selected fabric are listed.

    4. From the Available Physical Interface box, select the physical interfaces to be included in the virtual port group by clicking the arrow next to each physical interface. The available physical interfaces are the interfaces available on TORs that are already onboarded.

      The selected interfaces are displayed in the Assigned Physical Interface box.

      If you select more than one interface on the same TOR as shown in Figure 13, a link aggregation group (LAG) is automatically created on the device.

    5. Select a security group from the Security Groups list.

      For enterprise style fabric configuration, attach a security group to the virtual port group. The policies defined in the security group are assigned to all the ports in the virtual port group. For service provider style fabric configuration, you can attach a security group to every VLAN.

    6. Assign a port profile to the virtual port group by selecting a port profile from the Port Profile list.

      A port profile functions like a container that can support multiple port-related configurations, and allows you to apply those configurations by attaching them to the port profile.

    7. Click Next to create the VPG. If VPG creation fails, an error message is displayed. If VPG creation is successful, you will be directed to the second step in the process, in which you can add the VLANs.

    8. (Optional) You can assign VLANs in this step of the wizard. You can also add VLANs in the Overlay > Virtual Port Group page (see Step 10). To add VLANs here, enter the information as shown in Table 6.

      Table 6: Enter VLAN Information

      | Field | Action |
      |---|---|
      | Virtual Network | Select the virtual network to which the virtual port group belongs. |
      | VLAN ID | Enter the VLAN ID and network to which the VLAN is associated. If you enable the VLAN-ID Fabric-Wide Significance option when creating a fabric, you can associate one VLAN ID to only one virtual network. This ensures that the same VLAN ID is not associated with more than one virtual network within the same enterprise style fabric. |
      | Native/untagged | Select this check box to allow a native/untagged virtual network (optional). You can assign only one native/untagged VLAN in a virtual port group. |
      | Security Group | This field is available only in service provider style fabric configuration. Select a security group from the Security Groups list. You can attach a security group to each VLAN. |

      Figure 9: Assign VLANs
    9. Click Create.

      The newly created virtual port group is displayed in the Virtual Port Group page with details of the interfaces as shown in Figure 10.

      Figure 10: Virtual Port Groups
    10. (Optional) To assign VLANs if not previously configured or to edit configured VLANs, perform one of the following steps.

      • To edit or add only VLANs, click a VLAN or click Add next to the VPG name. The VLANs assignment page is displayed.

      • To edit VPG information and/or edit VLANs, select a VPG and click the edit (pencil) icon. The Edit VPG page is displayed.

        Edit the VPG information as required. Click Save to save the changes and remain on this page. Alternatively, click Save and assign new VLANs to save the changes and assign VLANs. The VLANs assignment page is displayed.

        Figure 11: Edit VPG
    11. The VLANs assignment page has two panels. The left panel lists all currently configured VLANs, if any. The right panel enables you to assign additional VLANs. Enter VLAN information and click Assign to attach the VLANs. The VLANs appear in the left panel. You can attach up to 10 VLANs at a time. You can also edit existing VLANs from this page. Successful and failed attempts at assigning and editing are indicated through success or error message pop-ups.

      Figure 12: Edit VLANs

      For better visibility, you can hide the right panel by clicking the blue expansion icon. You can also use this page to delete individual VLANs and bulk delete multiple VLANs.

  • For releases 2003 and 2005:

    To create virtual port groups in Contrail Command using releases 2003 and 2005:

    1. Navigate to Overlay > Virtual Port Group > Create Virtual Port Group.

      The Create Virtual Port Group page is displayed.

    2. Enter a name for the virtual port group in the Virtual Port Group Name field.

    3. Select the virtual port group type.

      With Contrail Networking Release 2003, you can create a routed virtual port group from the Contrail Command UI. Select the Routed option button to create a routed virtual port group. Select the Layer 2 option button to create a virtual port group.

    4. Select the fabric from the Fabric Name list.

      The available physical interfaces on the devices in the selected fabric are listed.

    5. From the Available Physical Interface box, select the physical interfaces to be included in the virtual port group by clicking the arrow next to each physical interface. The available physical interfaces are the interfaces available on TORs that are already onboarded.

      The selected interfaces are displayed in the Assigned Physical Interface box.

      If you select more than one interface on the same TOR as shown in Figure 13, a link aggregation group (LAG) is automatically created on the device.

      Figure 13: Select Interfaces on the Same TOR
    6. Assign a security group to the virtual port group by selecting a security group from the Security Groups list.

      The policies defined in the security group are assigned to all the ports in the virtual port group.

    7. Select and assign a port profile from the Port Profile list.

      A port profile functions like a container that can support multiple port-related configurations, and allows you to apply those configurations by attaching them to the port profile.

    8. Enter the following information as given in Table 7.

      Table 7: Enter VLAN Information

      | Field | Action |
      |---|---|
      | Network | Select the virtual network to which the virtual port group belongs. |
      | VLAN ID | Enter the VLAN ID and network to which the VLAN is associated. If you enable the VLAN-ID Fabric-Wide Significance option when creating a fabric, you can associate one VLAN ID to only one virtual network. This ensures that the same VLAN ID is not associated with more than one virtual network within the same enterprise style fabric. |
      | Display Name | Enter the VLAN name. If the Auto Display Name field is selected, this field is autogenerated from the virtual port group name. |
      | Auto Display Name | Select Auto Display Name if you want the VLAN name to be autogenerated from the virtual port group name. |
      | Native/untagged | Select this check box to allow a native/untagged virtual network (optional). You can assign only one native/untagged VLAN in a virtual port group. |

    9. Click Create.

      The newly created virtual port group is displayed on the Virtual Port Group page with details of the interfaces and the TORs as shown in Figure 14.

      Figure 14: Virtual Port Groups

You can delete a virtual port group by clicking the delete icon next to the virtual port group. To delete a virtual port group, you must first remove the referenced VMI and the associated BMS instance from the virtual port group.
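
The VLAN and security group rules from the virtual port group steps above (one native/untagged VLAN per VPG, one virtual network per VLAN ID when VLAN-ID Fabric-Wide Significance is enabled, a security group per VPG in enterprise style and per VLAN in service provider style) can be checked against a planned configuration before it is entered. This Python is an added example, not Contrail code: the dictionary layout and names are hypothetical, the sample plan is constructed, and flagging a missing security group is a policy choice of the example rather than a product requirement.

```python
from collections import defaultdict

# Constructed sample plan; the field names are hypothetical, not a Contrail schema.
SAMPLE_PLAN = [
    {"name": "vpg-bms1", "fabric": "fab1", "style": "enterprise",
     "security_group": "sg-bms",
     "vlans": [{"vlan_id": 100, "network": "vn-red", "native": True},
               {"vlan_id": 200, "network": "vn-blue", "native": True}]},
    {"name": "vpg-bms2", "fabric": "fab1", "style": "enterprise",
     "security_group": None,
     "vlans": [{"vlan_id": 100, "network": "vn-green"}]},
    {"name": "vpg-sp1", "fabric": "fab2", "style": "service_provider",
     "vlans": [{"vlan_id": 300, "network": "vn-a", "security_group": "sg-a"},
               {"vlan_id": 301, "network": "vn-b"}]},
]


def audit_vpg_plan(vpgs, fabric_wide_vlan_ids=True):
    """Return a list of findings for a planned set of virtual port groups."""
    findings = []
    networks_by_vlan = defaultdict(set)  # (fabric, vlan_id) -> virtual networks
    for vpg in vpgs:
        name, style, vlans = vpg["name"], vpg["style"], vpg["vlans"]
        # Only one native/untagged VLAN may be assigned in a VPG.
        natives = sum(1 for v in vlans if v.get("native"))
        if natives > 1:
            findings.append(f"{name}: {natives} native/untagged VLANs, one allowed")
        # Enterprise style: the security group is attached to the VPG itself.
        if style == "enterprise" and not vpg.get("security_group"):
            findings.append(f"{name}: no security group attached to the VPG")
        for v in vlans:
            # Service provider style: a security group is attached per VLAN.
            if style == "service_provider" and not v.get("security_group"):
                findings.append(f"{name}: VLAN {v['vlan_id']} has no security group")
            if style == "enterprise":
                networks_by_vlan[(vpg["fabric"], v["vlan_id"])].add(v["network"])
    # Fabric-wide significance: a VLAN ID maps to one virtual network per fabric.
    if fabric_wide_vlan_ids:
        for (fabric, vlan_id), nets in sorted(networks_by_vlan.items()):
            if len(nets) > 1:
                findings.append(
                    f"{fabric}: VLAN {vlan_id} used by {', '.join(sorted(nets))}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_vpg_plan(SAMPLE_PLAN)))
```
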

Create Logical Routers

A logical router replicates the functions of a physical router. It connects multiple virtual networks. A logical router performs a set of tasks that can be handled by a physical router, and contains multiple routing instances and routing tables.

Follow these steps to create a logical router (LR).

  1. Navigate to Overlay>Logical Routers and click Create.

    The Create Logical Routers page is displayed.

  2. Enter the following information as given in Table 8.
    Table 8: Create a Logical Router

    | Field | Action |
    |---|---|
    | Name | Enter a name for the logical router. |
    | Admin State | Select the administrative state that you want the device to be in when the router is activated. Up is selected by default. |
    | Logical Router Type | Select SNAT Routing or VXLAN Routing from the list. |
    | Choose Fabric | Select the fabric that you are associating this logical router to. |
    | Connected Networks | Select the networks that you want to connect this logical router to. |
    | Extend to Physical Router | Select the physical router(s) to which you want to extend virtual networks or routed virtual networks from the Extend to Physical Router list. A physical router provides routing capability to the logical router. |
    | Reconfigure Physical Routers | This link is enabled when you select a routed virtual network from the Connected networks list. Click Reconfigure Physical Router to reconfigure a physical router that you want to extend a virtual network to. For more information, refer to the Create Logical Routers section of the Using Static, eBGP, PIM, and OSPF Protocols to Connect to Third-Party Network Devices topic. |
    | Public Logical Router | (Optional) Select this check box if you want the logical router to function as a public logical router. |
    | NAT | Select this check box to enable Network Address Translation (NAT). This check box is disabled by default. |
    | VxLAN Network Identifier | Enter the VXLAN network identifier in the range from 1 through 16,777,215. This field is disabled by default. |
    | DHCP IP Address | Enter the DHCP relay server IP address. You can add more than one IP address. To add another address, click +Add. |
    | Route Target(s) | Click +Add to add route targets. Enter the Autonomous System (AS) number in the ASN field: enter an ASN in the range of 1-4,294,967,295 when 4 Byte ASN is enabled in Global Config; enter an ASN in the range of 1-65,535 when 4 Byte ASN is disabled. You can also add the suffix L or l (lower-case L) at the end of a value in the ASN field to assign an AS number in the 4-byte range. Even if the value provided in the ASN field is in the range of 1-65,535, adding L or l (lower-case L) at the end of the value assigns the AS number in the 4-byte range. If you assign the ASN field a value in the 4-byte range, you must enter a value in the range of 0-65,535 in the Target field. Enter the route target in the Target field: enter a route target in the range of 0-65,535 when 4 Byte ASN is enabled and the ASN field is assigned a 4-byte value; enter a route target in the range of 0-4,294,967,295 when the ASN field is assigned a 2-byte value. |

  3. Click Create to create the logical router.

    The Logical Routers page is displayed.

Note:

The router_interface object (Virtual Port) is created as part of the LR creation and VN extension to Spines workflow. When planning the IP addresses for spines, be aware that one extra IP address is required for the router_interface object, which is created automatically.
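
The ASN and Target ranges from the Route Target(s) row of Table 8 depend on each other, so they are easy to get wrong by hand. The following Python is an added example, not Contrail code, that checks one ASN/Target pair before it is entered; the function name is hypothetical, the sample pairs are constructed, and rejecting an L suffix while 4 Byte ASN is disabled is an assumption the page does not state.

```python
import re

MAX_2BYTE = 65_535
MAX_4BYTE = 4_294_967_295

# Constructed sample input: (ASN field, Target field, 4 Byte ASN enabled).
SAMPLES = [("64512", "4000000000", False), ("64512L", "4000000000", True),
           ("64512l", "100", True), ("70000", "100", False)]


def check_route_target(asn_field, target_field, four_byte_asn_enabled):
    """Validate one ASN/Target pair as typed into the Route Target(s) fields.

    Returns (ok, detail). Mirrors the ranges in Table 8; treating an L suffix
    as invalid while 4 Byte ASN is disabled is an assumption of this example.
    """
    m = re.fullmatch(r"([0-9]+)([Ll]?)", asn_field.strip())
    if not m:
        return False, "ASN must be digits, optionally followed by L or l"
    asn, forced_4byte = int(m.group(1)), bool(m.group(2))
    if not re.fullmatch(r"[0-9]+", target_field.strip()):
        return False, "Target must be a non-negative integer"
    target = int(target_field)

    # A value above 65,535 or an L suffix puts the ASN in the 4-byte range.
    is_4byte = forced_4byte or asn > MAX_2BYTE
    if asn < 1 or asn > MAX_4BYTE:
        return False, "ASN outside 1-4,294,967,295"
    if is_4byte and not four_byte_asn_enabled:
        return False, "4-byte ASN given but 4 Byte ASN is disabled"

    # The Target range shrinks to 0-65,535 when the ASN takes four bytes.
    target_max = MAX_2BYTE if is_4byte else MAX_4BYTE
    if target > target_max:
        return False, f"Target outside 0-{target_max:,} for this ASN"
    return True, "4-byte ASN" if is_4byte else "2-byte ASN"


if __name__ == "__main__":
    for asn, target, enabled in SAMPLES:
        print(asn, target, enabled, check_route_target(asn, target, enabled))
```
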

Configure the Internal Virtual Networks

Use this procedure to configure the internal virtual networks.

When you connect a logical router to a virtual network, Contrail Networking automatically creates internal virtual networks. For logical routers named LR1 and LR2, the internal virtual networks are called LR::LR1 and LR::LR2 respectively. These networks attach to the service virtual machine.

  1. Select Overlay>Virtual Networks to bring up the list of virtual networks.
  2. Hover over the internal virtual network you want to configure (for example, LR::LR1) and click the Edit icon on the far right of the row.

    The Edit Virtual Network page appears.

  3. In the Subnets section, click +Add.
  4. Use the drop-down list to select the Network IPAM you want to use.
  5. Specify the subnet in CIDR format (for example, 10.192.10.0/24).

    The Gateway and Service Address are automatically filled in based on the subnet you configured. You are free to change these addresses although there’s generally no need for you to do so.

  6. Click Save.
  7. Repeat these steps to configure the other internally-generated virtual network, but make sure to specify a different subnet.

Create the Service Virtual Machine

Use this procedure to create the service virtual machine, which is simply a compute workload.

  1. Select Workloads>Instances to bring up the Instances page.
  2. Click Create to create an instance.
  3. Select Virtual Machine as the Server Type.
  4. Specify the Instance Name.
  5. Specify Image as the Boot Source.
  6. Use the drop-down lists to select the Image and Flavor, which describe the image you want the VM to run and the compute specifications for the VM.

    The drop-down lists are populated with the images and flavors you create through Workloads>Images and Workloads>Flavors.

  7. Attach the VM to the internally-generated virtual networks LR::LR1 and LR::LR2 by using the arrows to move them from the Available Networks section to the Allocated Networks section.
  8. Click Create.

Create VNF Service Template

Follow these steps to create a service template by using the Contrail Command UI:

  1. Click Services>Catalog.

    The VNF Service Templates page is displayed.

  2. Click Create.

    The Create VNF Service Template page is displayed.

  3. Enter a name for the service template in the Name field.
  4. Select v2 as the version type.
    Note:

    Starting with Release 3.2, Contrail supports only Service Chain Version 2 (v2).

  5. Select Virtual Machine as the virtualization type.
  6. Select a service mode from the Service Mode list.
  7. Select a service type from the Service Type list.
  8. Add the left, right, and management interfaces in the Interface section.
    • Select left as the interface type from the Interface Type list.

    • Click + Add and select right as the interface type.

    Note:

    The interfaces created on the virtual machine must follow the same sequence as that of the interfaces in the service template.

  9. Click Create to create the service template.

    The VNF Service Templates page is displayed. The service template that you created is displayed in the VNF Service Templates page.

Create VNF Service Instance

Follow these steps to add a service instance by using the Contrail Command UI:

  1. Click Services>Deployments.

    The VNF Service Instances page is displayed.

  2. Click Create.

    The Create VNF Service Instance page is displayed.

  3. Enter a name for the service instance in the Name field.
  4. Select the service template that you created from the Service Template list.

    The Interface Type and Virtual Network fields are displayed for each interface.

  5. Select the virtual network for each interface type as given below.
    • left—Select the left virtual network that you created.

    • right—Select the right virtual network that you created.

  6. Associate this service instance to the VNF you created earlier.
    1. Expand the Port Tuples section.
    2. Click +Add.
    3. Use the drop-down list to specify the Virtual Machine Interface for the left and right interfaces.
  7. Click Create to create the service instance.

    The VNF Service Instances page is displayed. The service instance that you created is displayed in the VNF Service Instances page.

Create the Network Policy

Use this procedure to create the network policy that governs traffic going through the VNF.

  1. Select Overlay>Network Policies to bring up the Network Policies page.
  2. Click Create.
  3. Provide a Policy Name.
  4. In the Policy Rule(s) section, select Network as the Source Type and use the drop-down lists to specify the Source (for example, LR::LR1) and Destination (for example, LR::LR2) networks.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

| Release | Description |
|---|---|
| 2008 | Starting with Contrail Networking Release 2008, you can apply MTU, admin state, flow control, LACP force up, interface type attributes to physical interfaces; and MTU to logical interfaces. |
| 2008 | In Contrail Networking Release 2008, you can create a VPG without attaching VLANs. You have the ability to add VLANs after the VPG is created. |
| 2003 | With Contrail Networking Release 2003, you can create a routed virtual port group from the Contrail Command UI. Select the Routed option button to create a routed virtual port group. |
| 1912 | Contrail Networking Release 1912 extends the service chaining functionality to bare metal servers (BMS). |