    Juniper Networks OpenStack Neutron Plug-in for VXLAN L2 and L3 Gateways

    Note: Please check the plug-in download page for the latest version of this document.

    Plug-In Overview

    This document describes the Juniper OpenStack Neutron plug-in for VXLAN L2 and L3 gateways using QFX5100 switches with the VMware NSX-MH controller. The VXLAN L2 gateway functionality allows devices that do not support VXLAN termination to participate in a VXLAN-based network. Examples of such devices include bare-metal servers and legacy file servers.

    The Juniper plug-in for VXLAN L2 and L3 gateways is supported on the following releases of Junos OS, OpenStack and VMware NSX-MH:

    • Junos OS version 14.1R2 with Junos SDN package
    • OpenStack: IceHouse and Juno
    • VMware NSX-MH: 4.2

    Deployment of Juniper Neutron VXLAN L2 and L3 Gateway Plug-in assumes a fully functional NSX cluster configured for OpenStack Neutron. This involves configuring the NSX cluster (including NSX controller, Service Node, NSX Manager), adding Transport Nodes (all compute and network nodes in the OpenStack cluster), and configuring the VMware NSX plug-in for Neutron. The details of this process are not covered by this document. Refer to the NSX-MH documentation for the detailed procedure.

    What is new in this release?

    In the 2.0 release, the Juniper OpenStack Neutron plug-in supports VXLAN L2 gateway configuration using QFX5100 switches. The Juniper Neutron plug-in for VXLAN L2 gateway extends the VMware NSX Neutron plug-in by adding support for the QFX5100 switch to provide an L2 gateway.

    Support for inter-VXLAN routing using Layer 3 gateways on MX Series routers is also available in this release.

    Pre-requisites for Using the Plug-In

    Before you use the plug-in:

    • Install the NSX Plug-in

      The NSX plug-in configuration must provide the following mandatory configuration values in the /etc/neutron/plugins/vmware/nsx.ini file:

      • nsx_controller
      • default_tz_uuid
      • nsx_user
      • nsx_password
      • default_transport_type must be set to vxlan

      Ensure that the Neutron server loads this configuration file by updating the init scripts.

      Refer to for the complete installation procedure.

    • Install ncclient Python library for NETCONF client (see on Neutron server

      Install the Juniper Neutron plug-in on Neutron Server using the Operating System package installer. To install Juniper plug-in for inter-VXLAN routing use one of the following commands:

      • # dpkg -i python-neutron-plugin-juniper_X.XXX-X_all.deb (Ubuntu)
      • # rpm -ivh neutron-plugin-juniper-X.XXX-X.noarch.rpm (RedHat/CentOS)

    The L2 gateway functionality is also available as a Horizon Dashboard extension. Install the Horizon extension to enable creation of L2 gateways from the Horizon Dashboard, using one of the following commands:

    • # dpkg -i python-horizon-plugin-juniper_X.XXX-X_all.deb (Ubuntu)
    • # rpm -ivh horizon-plugin-juniper-X.XXX-X.noarch.rpm (RedHat/CentOS)

    After installing the Horizon extension, restart the Apache server to load the plug-in.
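
    The mandatory nsx.ini values listed in the prerequisites can be checked before the Neutron server is restarted. The following is an added example, not part of the original guide or of the Juniper or VMware plug-ins; it also goes one step beyond the page by flagging a file mode that lets other users read the stored nsx_password. The [DEFAULT] section name and all sample values are assumptions.

```python
import configparser
import os
import stat
import tempfile

# Mandatory settings this page lists for /etc/neutron/plugins/vmware/nsx.ini.
MANDATORY = ("nsx_controller", "default_tz_uuid", "nsx_user",
             "nsx_password", "default_transport_type")

# Constructed sample (not a real deployment); the section name is an assumption.
SAMPLE = """[DEFAULT]
nsx_controller = 192.0.2.10
nsx_user = admin
nsx_password = constructed-example
default_transport_type = gre
"""


def check_nsx_ini(path):
    """Return a list of findings; an empty list means the checks passed."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    with open(path, encoding="utf-8") as fh:
        cfg.read_file(fh)
    # The page does not say which section holds each key, so search them all.
    values = dict(cfg.defaults())
    for section in cfg.sections():
        values.update(cfg.items(section))
    findings = [f"missing or empty: {key}" for key in MANDATORY
                if not values.get(key, "").strip()]
    transport = values.get("default_transport_type", "").strip()
    if transport and transport != "vxlan":
        findings.append(f"default_transport_type is {transport!r}, expected 'vxlan'")
    # The file holds nsx_password in clear text, so flag access by others.
    if stat.S_IMODE(os.stat(path).st_mode) & stat.S_IRWXO:
        findings.append("file is accessible by others; restrict its mode")
    return findings


if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".ini", delete=False) as tmp:
        tmp.write(SAMPLE)
    os.chmod(tmp.name, 0o644)
    for finding in check_nsx_ini(tmp.name):
        print(finding)
    os.unlink(tmp.name)
```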


    This section describes:

    1. Configuring the Juniper Plug-In
    2. Configuring the Juniper device with VMware NSX
    3. Plug-In Configuration Options

    Configuring the Juniper Plug-In

    To configure Juniper plug-in for Neutron:

    1. Update the core plug-in in /etc/neutron/neutron.conf to juniper_nsx plug-in with the following details:

      core_plugin = neutron.plugins.juniper_nsx.plugin.JuniperNsx

      Note: Ensure that the Juniper device is running Junos OS version 14.1R2 along with the Junos SDN package.

    2. Add the QFX5100 switch or MX router to the topology database using the steps below.

      Register the QFX5100 switch as a switch with the -c switch option, as shown below:

      jnpr_device add -d dns_name_OR_IP_address_of_the_switch -c switch -u root_user -p root_password -t VTEP_IP

      • -d: DNS resolvable name or management IP address of the router
      • -t: The VTEP IP address to be configured on the device. This IP address must be routable from all other VTEP IPs on the compute and service nodes.
      • -u: Username for SSH login to the QFX switch
      • -p: Password for SSH login to the QFX switch
      • -h: Displays the full usage text for the command.

      This command configures the device with the VTEP IP and sets up the VXLAN interface for VXLAN-to-VLAN conversion.

      For MX routers, register the device as a router with the -c router option, as shown below:

      jnpr_device add -d dns_name_OR_IP_address_of_the_router -c router -u root_user -p root_password -t VTEP_IP

    3. Update the init script to start the Neutron server with both NSX and Juniper plug-in configuration, and restart the Neutron server.

    Configuring the Juniper device with VMware NSX

    This section describes the steps to be followed to add a QFX5100 switch or MX router to the VMware NSX cluster as a Gateway node on NSX Manager.

    To configure the device:

    1. The QFX5100 switch or MX router must be added to NSX as a Transport Node of type GATEWAY.
    2. In the Gateway screen, select the option VTEP enabled.
    3. In the Credentials section, select Management Address and enter the IP address.
    4. In the Transport Connector section, add a VXLAN connector for the router. Select the transport zone that was provided in the NSX plug-in configuration. In the IP Address field, enter the VTEP IP address of the device.
    5. Create a client certificate for the device and copy it to the device. Perform this step on any Linux server that has Open vSwitch installed (for example, one of the compute nodes):
      # mkdir /tmp/mx_certs
      # cd /tmp/mx_certs
      # ovs-pki init
      # ovs-pki req+sign vtep
      # ls
      vtep-cert.pem vtep-privkey.pem vtep-req.pem
      # scp *.pem root@management_ip_of_the_device:/var/db/certs/
    6. On the Juniper device, enter the following command to check whether the device is connected to the controller:
      show ovsdb controller
      VTEP controller information:
      Controller IP address controller IP
      Controller protocol: ssl
      Controller port: 6632
      Controller connection: up
      Controller seconds-since-connect: 1303122
      Controller seconds-since-disconnect: 0
      Controller connection status: active

      The controller IP is picked up from the VMware NSX plug-in configuration file.
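
    The connection check in step 6 can be automated by parsing the command output. The following is an added example, not part of the original guide or of Junos; it treats ssl, up and active (the values shown in the page's output) as the expected state, and the failing sample, including its tcp protocol value, is constructed.

```python
import re

# Output as shown on this page ("controller IP" is the page's placeholder).
PAGE_OUTPUT = """VTEP controller information:
Controller IP address controller IP
Controller protocol: ssl
Controller port: 6632
Controller connection: up
Controller seconds-since-connect: 1303122
Controller seconds-since-disconnect: 0
Controller connection status: active
"""

# Constructed failing case: unencrypted, disconnected, status line missing.
CONSTRUCTED_BAD = """VTEP controller information:
Controller protocol: tcp
Controller port: 6632
Controller connection: down
"""

# Expected state, taken from the healthy output on this page.
EXPECTED = {"protocol": "ssl", "connection": "up", "connection status": "active"}
FIELD = re.compile(r"^\s*Controller\s+(?P<name>[a-z][a-z -]*?):\s*(?P<value>\S.*?)\s*$",
                   re.IGNORECASE)


def parse_controller(text):
    """Map each 'Controller <name>: <value>' line to a lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        match = FIELD.match(line)
        if match:
            fields[match.group("name").lower()] = match.group("value")
    return fields


def check_controller(text):
    """Return findings for fields that are missing or differ from EXPECTED."""
    fields = parse_controller(text)
    findings = []
    for name, want in EXPECTED.items():
        got = fields.get(name)
        if got is None:
            findings.append(f"{name}: not reported")
        elif got.lower() != want:
            findings.append(f"{name}: {got} (expected {want})")
    return findings
```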

    Plug-In Configuration Options

    The plug-in can be configured to use custom values for orchestrating QFX 5100 and MX devices.

    Table 1: Plug-in Configuration Options


    Default Value




    VLAN pool for allocation of VLAN ID



    VRF route distinguisher pool



    Timeout for committing changes to the Juniper devices



    Number of times to retry connection to the Juniper devices

    Given below is a sample configuration section that can be added to the /etc/neutron/neutron.conf file.

    vxlan_vlan_pool = 10:4000
    vxlan_rd_pool = 10:4000
    vxlan_vswitch_routing_instance = default-OVSDB

    Note: The value for vxlan_vswitch_routing_instance must be set before using the CLI on the Juniper device and must remain constant thereafter.

    Using Horizon Dashboard to Manage a L2 Gateway

    This section describes:

    1. Creating the L2 Gateway
    2. Viewing L2 Gateway Details
    3. Deleting L2 Gateways

    Creating the L2 Gateway

    Note: These capabilities are available after you have installed the Horizon Dashboard extension as described earlier.

    1. Log in to the Horizon Dashboard as an administrator user.
    2. Navigate to Juniper > VXLAN L2 Gateway in the left navigation bar.

      Figure 1: L2 Gateway

    3. Click the + Create L2 Gateway option. The Create L2 Gateway Server Mapping screen is displayed.

      Figure 2: L2 Gateway Server Mapping

    4. Enter the required details, such as the IP address of the switch, the port, and network. Click Create L2 Gateway. When the L2 gateway is created, the details are displayed in the L2 gateway list.

    Viewing L2 Gateway Details

    1. Log in to the Horizon Dashboard as an administrator user.
    2. Navigate to Juniper > VXLAN L2 Gateway in the left navigation bar. A list of all L2 Gateways is displayed.

      Figure 3: L2 Gateway List

    3. To view the details of the L2 gateway port, click on the IP address in the Port IP column.

    Deleting L2 Gateways

    1. Log in to the Horizon Dashboard as an administrator user.
    2. Navigate to Juniper > VXLAN L2 Gateway in the left navigation bar. The list of all L2 Gateways is displayed.
    3. To delete a specific L2 Gateway, click Delete L2 Gateway in the Actions column as highlighted below:

      Figure 4: Deleting L2 gateways

    4. To delete multiple L2 gateways, select the gateway using the checkbox on the left. Click Delete L2 Gateways as shown below:

      Figure 5: Deleting multiple L2 gateways


    Additional Notes

    This section describes:

    1. Planning the Underlay Network

    Planning the Underlay Network

    The Underlay network is the IP network over which VXLAN tunnels are created. All VTEP IPs are part of the underlay network. VTEP IPs are configured on each compute node, the NSX service node, and NSX gateway nodes.

    All the VTEP IPs in a transport zone must be able to reach each other. On the QFX5100 switch, the VTEP IP is configured on the loopback interface, typically the lo0 interface. This is done automatically by the jnpr_device command provided with the plug-in. Additional routes might need to be added to the hypervisors and service node.

    Additional Information

    For more information about the plug-in, write to

    Published: 2015-03-16