
Setting Up a Centralized Deployment

 

Before you set up a centralized deployment, complete the following tasks:

In this centralized deployment example, you will use the Contrail Service Orchestration (CSO) platform to instantiate a centralized CPE solution that provides the customer with Internet access. As part of this solution, you will provide basic firewall functionality and NAT the outgoing customer traffic to the interface address of the VNF.

To do that, you will:

  • Create a Network Service using Network Service Designer

  • Create a POP

  • Create a Tenant

  • Create a Tenant Site

  • Deploy a VNF to the tenant site

In this deployment example, we assume that your CSO software is installed at 192.168.101.12 and that you know the login credentials for the cspadmin user of the Administration Portal. This ensures that you have full access to both the Administration Portal and the Customer Portal of your CSO installation. If policy doesn’t allow you to have the cspadmin user credentials, then you will need to have Administration Portal credentials with Tenant Admin, Tenant Operator, and Configure Sites roles enabled. You will also need a Customer Portal login so that you can create sites.

To set up a centralized deployment:

Create Network Service

In this part of the deployment, you create a network service using CSO Designer Tools. For an overview of Designer Tools, see Designing and Publishing Network Services. You access the CSO Designer Tools at the same URL as the CSO Administration Portal, but on port 83. For example, if the IP address of the Administration Portal is 192.168.101.12, then the URL for Designer Tools would be: https://192.168.101.12:83

  1. Log in using the cspadmin or equivalent credentials.
  2. Click on the New Request button

    The window is replaced with a multi-tabbed form that you fill out to complete the request.

  3. On the Request Information tab, fill in the following information:
    • Name: nat-vnf

    • Deployment Type: vCPE-Only

    The rest of the fields on the page can be left blank. However, as you create more and more services, it will become useful to fill in at least some of the information for each request.

  4. Click Next

    The page advances to the Service Chain and Design Goals tab.

  5. Drag the NAT building block from the Function Palette to the Functional Service Design area

    The NAT building block will stick in the Functional Service Design area.

  6. Click on the + Add Goal link on the left side of the window

    A pop-up window, titled New Goal appears.

  7. Select Session from the pull-down type menu of the New Goal window.

    This expands the New Goal window to show multiple fields including Goal Value, Acceptable Value, and Must Value.

  8. Enter 100 in the Goal Value field.

    Leave the other fields blank for this example.

  9. Click Save
  10. Click Next

    This advances the window to the Summary page.

  11. Review the summary and click Create

    This resets the window and selects the requests tab on the left. Your new request appears in the main part of the window.

  12. Click the Begin button once it becomes available.

    This advances the window to the Build tab, with the Functional Service Design (NAT) section at the top and the Network Service Design section at the bottom of the window.

  13. Click on the NAT icon in the Functional Service Design section.

    This changes the icon from grey to colored.

  14. From the right portion of the Network Service Design section, find the vSRX box, drag it to the left, and drop it on the Network Service Design pane.

    This allows the vSRX service to be placed in a service chain.

  15. Click on the I icon in the Network Service Design banner that splits the page.

    This pulls down a menu with I and E icons on it. The I stands for ingress and the E stands for egress. You will connect these icons to the service chain in the next step.

  16. Click the I icon and then click the small circle on the left side of the vSRX service box in the Network Service Design pane.

    This attaches an ingress point to the vSRX VNF.

  17. Click the E icon and then click the small circle on the right side of the vSRX service box in the Network Service Design pane.

    This attaches an egress point to the vSRX VNF.

  18. Click the Management tab at the bottom of the window.

    Ensure that there is an arrow pointing to an M icon. This indicates that the management interface is added.

  19. Click on the Functional Configuration button.

    This is a grey bar at the right side of the window. This pops up a new window with a title that ends in vnf.

  20. The Basic Configuration tab is selected. Configure the following:
    • DNS Servers: <Enter the IP address of a known DNS server such as 8.8.8.8>

    • NTP Servers: <Enter the IP address of a known NTP server on your network, such as 10.210.8.72>

    • Select the NAT tab

    • NAT Source Address: <Enter an address prefix for source NAT traffic, like 192.0.2.0/24>

    • NAT Destination Address: <Enter an address prefix for destination NAT traffic, like 172.16.24.0/24>

    • Click OK to close this window.

  21. Back in the Build window, click the Save button

    The save button is shaped like an old-fashioned floppy disk.

  22. Click the Publish icon

    The publish icon looks like a cloud with an up-arrow inside of it. Clicking it brings up a Publish NSD window.

  23. Click the Publish button in the Publish NSD window.
  24. Click the Cspadmin logo at the top right of the window and select Logout from the pull-down menu.

    You can now close the browser or the tab in the browser for the Network Service Designer.

Create POP

A POP is a location within the service provider’s cloud in which PE routers and IPSec Concentrators are located. It is a regionally located access point through which customers gain access to the network services that are deployed within. SPs often place POPs in their network so that they are geographically close to customer sites.

  1. Navigate to the Resources > POPs page.

    Here you can see a list of POPs. If you have not created any POPs, the list is empty.

  2. At the top-right part of the list, click the + icon to create a new POP.

    A pop-up window appears that requires you to enter basic information about the POP such as POP name and Address Information.

  3. Give the POP a name that makes sense, like east-region-pop, and enter the appropriate address information. CSO uses this information to place the POP on a map in certain monitoring screens.
  4. Click Next twice

    This advances the window past the Devices page to the VIM page. VIMs are virtual infrastructure managers. Since the Centralized Deployment requires the use of Contrail Cloud, you must create a VIM for each POP that you create.

  5. In the Add VIM area, click the + to add a new VIM.

    This brings up a new window titled Add Cloud VIM.

  6. In the Add Cloud VIM window, fill in the following information:
    • Name: <Enter a name that makes sense for this VIM, like contrail-cloud>

    Connection Information

    • IP address: <Enter the IP address of the Contrail Controller Node in the Contrail Cloud Platform, such as: 192.168.10.225>

    • Auth URL: <Enter the authentication URL for the Contrail OpenStack Keystone, such as: http://192.168.10.225:35357/v3/>

    • User Name: <Enter the user name for logging into CSO, such as: tenantadmin>

    • Password: <Enter the password for the user above>

    • Domain: <Specify the name of the Contrail OpenStack domain that you configured for the Contrail Cloud Platform, such as: Default>

    • Tenant: <Specify the name of the Contrail OpenStack tenant that you configured for the Contrail Cloud Platform, such as: admin>

    Network Information (Resource Pools)

    • Click the + above the resource pools list to add a resource pool

      Fill in the following information in the resource pool:

    • Pool Name: internal

    • Compute Zone: nova

    • Click the check mark to save the entry

    • Does Management Network Exist: <Yes or No>

      Select Yes to use an existing network in Contrail or select No to create a new network in Contrail.

    • Management Network Name: <Enter the name of the management network in Contrail, such as: mgmt-network>

      Specify the name of the existing management network in Contrail or the new management network that you want to create in Contrail.

    • Click the check-mark to save the resource pool.

    Internet Network Information

    • Click the + above the list of Internet Networks

      Fill in the following information in the Internet Networks

    • Network Name: public

    • Exists: No

    • Route Target: <Click Edit and then enter an appropriate route target like: 64512:10000>

    • Subnet: <Click Edit and then enter an appropriate subnet like: 172.40.5.0/24>

    • Click the check-mark to save the Internet Network Information.

    Service Profile Information

    • Click the + above the list of service profiles

      Fill in the following information in the Service Profile

    • Profile Name: <Enter a profile name that makes sense for this deployment, such as: first-profile>

    • Tenant Name: <Enter a tenant name that makes sense for this deployment, such as: Tenant1>

    • Domain Name: <Enter a Contrail domain name that makes sense for this deployment, such as: Default>

    • User Name: <Enter the CSO Tenant Admin user name, or equivalent, such as: cspadmin>

    • Password: <Enter the password for the user above>

    • Click the check-mark to save the resource pool.

  7. Click Save to complete the VIM configuration.

    This clears the VIM create window and returns to the Add POP window.

  8. Click Next twice to advance to the Summary tab of the Add POP window

    Review the summary information to confirm that it is what you intended.

  9. Click OK to finish creating the POP

    You will see notification pop-ups that inform you when the job is started and when it’s finished.

Add Tenant

In this section we use the Administrator Portal to add a tenant to CSO.

  1. Select Tenants from the left-nav panel
  2. Click the Add Tenant button

    If there are no tenants created yet, Add Tenant will be a button. If there are tenants, click the “+” to create a new tenant.

  3. In the Add Tenant window that appears:
    • Enter a name for your tenant such as Tenant1

    • Fill in the Admin User information

    • Select the check-boxes next to all three Roles in the Available section and click the arrow link to move them to the Selected section

    • Set the User Password to never expire

    • Click Next

    • In the Deployment Type window, select the check-box next to Hybrid WAN

    • Click Next

      The window advances to the Tenant Properties section.

    • Expand the Service Profiles (Optional) section by clicking on the > icon or the gear icon.

    • Click the + to add a service profile

      From the VIM Name pull-down, select the VIM that you created in the previous section.

      From the Service Profile Name pull-down, select the service profile that you created in the previous section.

    • Click Save

    • Click Next

      The window advances to the Summary section. Review the summary.

    • Click OK

      A pop-up message appears that tells you that the Add Tenant job was started. After some time, your new tenant appears in the list of tenants.

Allocate Network Service

Return to the list of tenants in the Tenants window. In this section, we will allocate network services to your new tenant.

  1. In the list of tenants, there is an Assigned Services column. Click the link Allocate Network Services

    This brings up a new window in which you can see all the available network services. The network service nat-vnf should be listed there based on the work you did in the Create Network Service section.

  2. Click the check-box next to the nat-vnf network service and then click OK.

    The number of assigned services will change from 0 to 1.

Create Cloud Site

There are 3 types of cloud sites available: Local Service Edge, Regional Service Edge, Hybrid Spoke Site. For this deployment, we will create a Regional Service Edge site. See Adding Local Service Edge Sites for Hybrid WAN Deployment, Adding Regional Service Edge Sites for Hybrid WAN Deployment, and Adding Spoke Sites for Hybrid WAN Deployment in the CSO User Guide for more information about these site types.

  1. Click on the link that is named for the tenant that you just created.

    This takes you to the CSO Customer Portal.

  2. Navigate to the Sites page by clicking the Sites tab on the left-nav bar.
  3. Click the Add Regional Service Edge Site button

    This brings up a new window titled Add Regional Service Edge Site. Fill in the following information:

    • Site Name: <Enter a name for the site that makes sense to you, like New-York1>

    • Fill out the Address and Contact Information sections as appropriate.

      None of this information is required but is used in monitoring and alerting functions in CSO.

    • In the Configuration section

      • Service POP: <Select the recently created POP from the pull-down menu, like east-region-pop>

      • VIM: <Select the recently created VIM from the pull-down menu, like contrail-cloud>

      • Resource Pool: <Select the recently created resource pool from the pull-down menu, like internal>

      • Route Target: <Enter a route target for the virtual network, like 64512:1>

      • Virtual Network Name: <Enter a unique string of alphanumerics and special characters, such as CustomerA-VNet>

        This network name is a representation of your network in the cloud

      • Left Subnet Prefix: <Select one or more IP prefixes from the list>

    • In the Service Attachment Points section, set Local Internet Breakout: ON

  4. Click OK

    You will see messages pop up indicating the start and stop of the Site Creation Job. Wait for the job to complete successfully.

  5. Click on the Site Name Link (New-York1)

    This brings up the site-specific window for New-York1.

  6. Click the Services tab
  7. Click on the attachment point between the Site and Local Breakout icons.

    This brings up the Deploy Network Services menu.

  8. Drag the nat-vnf network service onto the attachment point and drop it there.

    This brings up the Service window.

  9. In the Service window, click the Basic Configuration tab.

    Fill in the following information on this page:

    • Host Name: vsrx-nat-vnf

    • Loopback Address: <Enter an IP address for the loopback interface, such as: 192.168.100.100>

    • DNS Server: <Enter the IP address of a DNS server such as: 8.8.8.8>

    • NTP Server: <Enter the IP address of an NTP server such as: 10.210.8.72>

    • Enable Default Screens: Disable

    • Ping Prefix List: 0.0.0.0/0

  10. Click on the NAT tab

    Enter the following information on this page:

    • Nat Source Address: 0.0.0.0/0

    • Policy Name: <Enter a policy name that makes sense, like: nat-outgoing>

    • Source Zone: left

    • Destination zone: right

    • Source Address: any

    • Source Address: any

    • Action: permit

    • Application: any

  11. Click OK

    This takes you back to the Site specific window.

  12. Click the Start Service button to deploy the VNF

    This causes a pop-up confirmation window to appear.

  13. Click OK in the confirmation window

    The deployment status shows the percentage of completion for the deployment job. Wait for the status to reach 100%. This can take 10 minutes or more.

You can verify the effects of your changes by logging in to the CLI of the various devices and confirming:

  • Learned BGP routes in each table for the local network that is attached through the GRE tunnel to the vSRX VNF.

  • Traffic from the CustomerA-VNet instance to the left interface of the VNF is using one MPLS label.

  • Traffic in the mgmt instance is using another label.

  • Traffic in the public instance to the right interface is using a third label.

  • If you log in to the host-hub device and leave a ping running to the DNS name server at 8.8.8.8, you can then log in to the vSRX VNF and see security flows by using the show security flow session command.
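
The last verification step can be scripted. The following added example (not part of the original guide or of CSO) parses saved `show security flow session` output and reports sessions that matched the nat-outgoing policy but left the VNF without source translation or without return traffic. The sample output, interface names and customer addresses are constructed, and it assumes the VNF's right interface takes its address from the 172.40.5.0/24 public subnet configured earlier.

```python
import ipaddress
import re

# Constructed sample of `show security flow session` output (not captured from a real device).
SAMPLE = """\
Session ID: 4123, Policy name: nat-outgoing/4, Timeout: 2, Valid
  In: 192.168.50.10/7 --> 8.8.8.8/2301;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84
  Out: 8.8.8.8/2301 --> 172.40.5.3/14205;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84
Session ID: 4124, Policy name: nat-outgoing/4, Timeout: 58, Valid
  In: 192.168.50.11/51514 --> 8.8.8.8/53;udp, If: ge-0/0/0.0, Pkts: 2, Bytes: 120
  Out: 8.8.8.8/53 --> 192.168.50.11/51514;udp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
Total sessions: 2
"""

HEADER = re.compile(r"Session ID: (\d+), Policy name: ([^,/]+)")
WING = re.compile(r"\s*(In|Out): ([\d.]+)/\d+ --> ([\d.]+)/\d+;(\w+),.*?Pkts: (\d+)")

def parse_sessions(text):
    """Return one dict per session holding its policy and both wings."""
    sessions = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            sessions.append({"id": int(m[1]), "policy": m[2]})
        elif (m := WING.match(line)) and sessions:
            wing = {"src": m[2], "dst": m[3], "proto": m[4], "pkts": int(m[5])}
            sessions[-1][m[1].lower()] = wing
    return [s for s in sessions if "in" in s and "out" in s]

def audit_nat(sessions, public_subnet, policy):
    """Flag sessions that left the VNF without source NAT or without replies."""
    net = ipaddress.ip_network(public_subnet)
    findings = []
    for s in sessions:
        if s["policy"] != policy:
            continue
        # The reverse wing's destination is the address the source was translated to.
        translated = ipaddress.ip_address(s["out"]["dst"])
        if s["out"]["dst"] == s["in"]["src"] or translated not in net:
            findings.append((s["id"], "source not translated into " + public_subnet))
        elif s["out"]["pkts"] == 0:
            findings.append((s["id"], "translated, but no return traffic"))
    return findings

if __name__ == "__main__":
    for sid, problem in audit_nat(parse_sessions(SAMPLE), "172.40.5.0/24", "nat-outgoing"):
        print(f"session {sid}: {problem}")
```

An empty result for the ping sessions means the customer source address is being rewritten to an address in the public subnet and replies are arriving on the right interface.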