Traffic Forwarding for a cSRX Container
You can change the traffic forwarding mode of the cSRX container as a means to facilitate security service provisioning when running the cSRX in Contrail. For example, if you deploy a cSRX container inline of protected segments, the cSRX should be transparent to avoid changing the virtual network topology. In other deployments, the cSRX container should be able to specify the next-hop address of egress traffic. To address variations in cSRX network deployment, you can configure the traffic forwarding mode of the cSRX to operate in routing mode (static routing only) or secure-wire mode.
Note: routing is the default value of the traffic forwarding mode environment variable. Use routing mode only: a Contrail service chain currently cannot forward traffic through a cSRX container configured for secure-wire mode.
This section includes the following topics:
Configuring Routing Mode
When running the cSRX container in routing mode, the cSRX uses a static route to forward traffic for routes destined to interfaces ge-0/0/0 and ge-0/0/1. You will need to create a static route and specify the next-hop address.
Include the CSRX_FORWARD_MODE=routing environment variable in the --meta option of the nova boot command.
To configure the cSRX container to run in static routing mode:
- Launch the cSRX container in routing forwarding mode.
root@csrx-ubuntu3:~/csrx# nova boot --image csrx-registry:5050/csrx:20171214 --flavor m1.small --availability-zone az-docker --nic net-id=039e73e4-6033-4851-8379-21e1cedf1a30 --nic net-id=326eb329-1e66-46b7-8438-a8f41c88bec9 --nic net-id=3e744a74-2579-455f-aea9-92e0655abec6 --meta CSRX_FORWARD_MODE=routing --meta CSRX_ROOT_PASSWORD=<password> csrx-fw
- After you start the cSRX container, log in to it and configure static routes.
root@csrx# cli
root@csrx> configure
[edit]
root@csrx# show | display set
root@csrx# set interfaces ge-0/0/0 unit 0 family inet address 1.0.0.1/8
root@csrx# set interfaces ge-0/0/1 unit 0 family inet address 2.0.0.1/8
root@csrx# set routing-options static route 3.0.0.0/28 next-hop 1.0.0.10/32
- View the forwarding table to verify the static routes.
root@csrx> show route forwarding-table
Routing table: default.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
0.0.0.0            perm     0                    dscd   517     1
1.0.0.1            perm     0 1.0.0.1            locl  2006     1
1.0.0.10           perm     0 1.0.0.10           ucast 5501     1
1.255.255.255      perm     0                    bcst  2007     1
1/8                perm     0                    rslv  2009     1
2.0.0.1            perm     0 2.0.0.1            locl  2001     1
2.0.0.10           perm     0 2.0.0.10           ucast 5500     1
2.255.255.255      perm     0                    bcst  2002     1
2/8                perm     0                    rslv  2004     1
224.0.0.1          perm     0                    mcst   515     1
224/4              perm     0                    mdsc   516     1
3.0.0.0/28         perm     0 1.0.0.10           ucast 5501     1

Routing table: default.inet6
Internet6:
Destination        Type RtRef Next hop           Type Index NhRef Netif
::                 perm     0                    dscd   527     1
ff00::/8           perm     0                    mdsc   526     1
ff02::1            perm     0                    mcst   525     1
- Specify a route for the management interface. Junos static routes can only configure routes destined for interfaces ge-0/0/0 and ge-0/0/1. The route destined for the management interface (eth0) must be added with the Linux route shell command.
root@csrx% route add -net 10.10.10.0/24 gw 172.31.12.1
root@csrx% route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 pfe_tun
1.0.0.0         0.0.0.0         255.0.0.0       U     0      0        0 tap1
2.0.0.0         0.0.0.0         255.0.0.0       U     0      0        0 tap0
3.0.0.0         1.0.0.10        255.255.255.240 UG    0      0        0 tap1
10.10.10.0      172.31.12.1     255.255.255.0   UG    0      0        0 eth0
172.31.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
- If required for your network environment, you can configure an IPv6 static route for the cSRX using the set routing-options rib inet6.0 static route command.
[edit]
root@csrx# set routing-options rib inet6.0 static route 3000::0/64 next-hop 1000::10/128
root@csrx# commit
root@csrx# show routing-options rib inet6.0
static {
route 3000::0/64 next-hop 1000::10/128;
}
- Under routing mode, control-plane ARP/NDP learning and responses are handled by the Linux kernel through the tap0 and tap1 interfaces, which are created to carry the traffic of eth1 and eth2 through srxpfe. You can view ARP entries with the Linux arp shell command.
Note: While there are multiple interfaces created inside the cSRX container, only two interfaces, ge-0/0/0 and ge-0/0/1, are visible in srxpfe and added to security zones by default.
root@csrx% arp -a
? (2.0.0.10) at 6e:81:38:41:5e:0e [ether] on tap0
? (1.0.0.10) at 96:33:66:a1:e5:03 [ether] on tap1
? (172.31.12.1) at 02:c4:39:fa:0a:0d [ether] on eth0
The default ARP/NDP entry timeout is 1200 seconds. You can adjust it by setting the CSRX_ARP_TIMEOUT or CSRX_NDP_TIMEOUT environment variable when launching the cSRX container. For example:
root@csrx-ubuntu3:~/csrx# nova boot --image csrx-registry:5050/csrx:20171214 --flavor m1.small --availability-zone az-docker --nic net-id=039e73e4-6033-4851-8379-21e1cedf1a30 --nic net-id=326eb329-1e66-46b7-8438-a8f41c88bec9 --nic net-id=3e744a74-2579-455f-aea9-92e0655abec6 --meta CSRX_ARP_TIMEOUT=<seconds> --meta CSRX_ROOT_PASSWORD=<password> csrx-fw
The maximum number of ARP entries is controlled by the Linux host kernel. If the cSRX has a large number of neighbors, you might need to raise the ARP or NDP entry limits on the Linux host; the corresponding neighbor-table thresholds are set with the sysctl command on the Linux host.
For example, to adjust the maximum ARP entries to 4096:
# sysctl -w net.ipv4.neigh.default.gc_thresh1=1024
# sysctl -w net.ipv4.neigh.default.gc_thresh2=2048
# sysctl -w net.ipv4.neigh.default.gc_thresh3=4096
For example, to adjust the maximum NDP entries to 4096:
# sysctl -w net.ipv6.neigh.default.gc_thresh1=1024
# sysctl -w net.ipv6.neigh.default.gc_thresh2=2048
# sysctl -w net.ipv6.neigh.default.gc_thresh3=4096
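The following is an added example, not code from the cSRX documentation or from Juniper, that checks two things from the routing-mode procedure above: that a destination (here the management network) is actually routed out eth0 rather than falling to the default route through pfe_tun, and what gc_thresh values a chosen neighbor-table size implies. The `route -n` text is constructed from the table shown on this page, and the function names are my own.

```python
import ipaddress

# Constructed sample: the 'route -n' output shown earlier on this page,
# i.e. after 'route add -net 10.10.10.0/24 gw 172.31.12.1' was applied.
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 pfe_tun
1.0.0.0         0.0.0.0         255.0.0.0       U     0      0        0 tap1
2.0.0.0         0.0.0.0         255.0.0.0       U     0      0        0 tap0
3.0.0.0         1.0.0.10        255.255.255.240 UG    0      0        0 tap1
10.10.10.0      172.31.12.1     255.255.255.0   UG    0      0        0 eth0
172.31.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
"""


def parse_route_n(text):
    """Parse 'route -n' output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines()[2:]:  # skip the two header lines
        dest, gw, mask, _flags, _metric, _ref, _use, iface = line.split()
        # 'route -n' prints dotted netmasks; ip_network accepts "net/mask".
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface))
    return routes


def lookup_route(routes, dst):
    """Longest-prefix match: (gateway, iface) the Linux kernel would use for dst.
    The 0.0.0.0/0 entry always matches, so there is always a result."""
    addr = ipaddress.ip_address(str(dst))
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], best[2]


def mgmt_route_ok(routes, mgmt_net):
    """True if traffic to mgmt_net leaves via eth0 (the management interface)
    instead of the default route into the srxpfe data plane (pfe_tun)."""
    probe = ipaddress.ip_network(mgmt_net)[1]  # first host in the network
    return lookup_route(routes, probe)[1] == "eth0"


def neigh_sysctl(family, max_entries):
    """sysctl settings that raise the neighbour (ARP/NDP) cache to max_entries,
    keeping the 1:2:4 gc_thresh1:gc_thresh2:gc_thresh3 ratio used on this page.
    family is 'ipv4' or 'ipv6'."""
    key = f"net.{family}.neigh.default.gc_thresh"
    return [f"{key}{i}={max_entries >> (3 - i)}" for i in (1, 2, 3)]
```

Dropping the 10.10.10.0 line from the sample table makes mgmt_route_ok return False, because the management network then matches only the default route and would be sent through pfe_tun.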