Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Example: Small Branch Deployment Using NFX150 NextGen uCPE

 

This example shows how to configure 802.1X authentication on the LAN ports of the NFX150 device and how to onboard an Ubuntu-based VNF. The RADIUS server for authentication is based on FreeRADIUS.

Note

The configuration of the FreeRADIUS server is beyond the scope of this document.

Requirements

  • One NFX150 device.

    Note

    This example is tested using a NFX150-S1 device. This example also supports the use of NFX150-C-S1, NFX150-C-S1-AE, NFX150-C-S1-AA, NFX150-C-S1E-AE, NFX150-C-S1E-AA, NFX150-S1, or NFX150-S1E devices.

  • Junos OS Release 20.1R1 or later.

  • Ubuntu 20.04 operating system.

  • FreeRADIUS version 3.

Note

The workstation used in this example to generate the iso and the qcow2 files is based on Ubuntu 20.04 operating system. If you are using a workstation other than Ubuntu, such as Windows, then the steps to generate the iso and the qcow2 files might differ slightly.

Overview

In this example, we set up a branch NFX150 uCPE to provide wired Internet and Intranet access to employees on site. The broadband Internet access is through an Ethernet link. An Ubuntu 20.04-based VNF is onboarded on the NFX150 device. FreeRADIUS RADIUS server provides 802.1X authentication to the LAN ports of the NFX150 device.

Topology

Figure 1 shows a remote branch office, which is connected to the Internet using NFX150. The 802.1X authentication is configured on the LAN ports of the NFX150 device to provide Internet and Intranet access.

Figure 1: Branch Office with Internet Connectivity
Branch Office with
Internet Connectivity

The service chaining of the VNF, as well as the interface configuration details on the NFX150 are depicted in Figure 2:

Figure 2: Describes the service chaining details
Describes the service
chaining details

In the topology Figure 2:

  • Broadband Internet link is connected to interface ge-1/0/1. The interface is directly connected to the physical interface heth-0-0.

  • 1 Gbps host Ethernet links (heth-0-1 through heth-0-4) of the NFX150 device are connected to the default VLAN 1.

  • Default VLAN 1 is propagated further to interface sxe-0/0/0 and is configured on the interface ge-1/0/0 as unit 1. The sub-interface is used for the DHCP server to provide network address configuration to the devices connected to the front ports of the NFX150 device. The Layer 2 interfaces of ports heth-0-1 through heth-0-4 are ge-0/0/1 through ge-0/0/4, respectively.

  • Interfaces ge-1/0/2 and eth2 are connected to the custom bridge radius-br. The interface eth2 of the VNF is recognized by the Ubuntu operating system as ens5.

In this example, there are two security zones (untrust and trust) configured on the NFX150. The separation of the interfaces into security zones enables the separation of traffic and mitigates the risks the corporate Intranet is exposed to. Security zones also serve as a vehicle to achieve clear and simplified implementation of security policies. The untrust zone hosts the interfaces that have access to the Internet. The internal interfaces in the corporate Intranet are in trust zone. Specifically, interface ge-1/0/1 is in untrust zone, while rest of the LAN interfaces are in trust zone. Figure 3 and the following table show the interfaces, security zones, and security policy configurations:

Figure 3: Security Zones
Security Zones

Table 1: Security Policies by Zone

From Zone

To Zone

Security Policy Behavior to Allow Traffic

trust

trust

No

untrust

untrust

No

trust

untrust

Yes

untrust

trust

Trust-initiated only.

Allow the traffic initiated in the trust zone and the return traffic.

Table 2 summarizes the VLAN information and the IP address information for the interfaces.

Table 2: Interfaces Configuration

Interface

VLAN ID

IP Address

Network Mask

ge-1/0/1

DHCP

ge-1/0/0.1

default

Note: The default VLAN has VLAN ID value as 1.

192.168.2.1

255.255.255.0

ge-1/0/2

radius-br

10.10.10.2

255.255.255.0

Configuration

To deploy branch office with virtualized 802.1X authentication with NFX150 NextGen universal CPE device, perform these tasks:

Stage Ubuntu 20.04-based VNF

Step-by-Step Procedure

The following steps describe how to stage Ubuntu 20.04-based VNF:

  1. Download the cloud-based ubuntu-20.04-server-cloudimg-amd64.vmdk image file of Ubuntu 20.04 from the official Ubuntu website on the workstation.
  2. Convert the ubuntu-20.04-server-cloudimg-amd64.vmdk image file to qcow2 file format.
  3. Create a copy of the qcow2 file for your VNF. The name of the VNF is radius-ubuntu and the name of the qcow2 file is radius-ubuntu.qcow2.
  4. Open your favorite text editor on the workstation and create the cloud-init configuration file for the VNF. The cloud-init configuration contains basic information such as the line #cloud-config, password for the default user (ubuntu), configuration stanzas that do not allow password expiration for the user, and the configuration to allow the password authentication to the VNF. By default, the cloud-based Ubuntu image allows only the SSH key-based authentication. The hostname for the VNF is also defined in the file. The VNF is named radius-ubuntu. In this example, the cloud-init configuration file for the VNF is named radius-ubuntu.txt.
  5. Create an iso file from the radius-ubuntu.txt config-init file as radius-ubuntu.iso. The radius-ubuntu.iso file is stored in the same directory.Note

    You may need to install cloud-image-utils on your Ubuntu workstation to run the cloud-localds command.

  6. Copy the radius-ubuntu.qcow2 and the radius-ubuntu.iso files to the /var/public directory on the NFX150 device. Make sure to use the correct credentials if you want to use the following method to copy the files to the NFX150 uCPE. For example, root user’s credentials are used here to copy the files to the NFX150 device.

Fine-tune the NFX Operation Mode

Step-by-Step Procedure

The following steps describe how to fine-tune the NFX mode of operation:

  1. Set the NFX in compute mode. Compute mode provides maximum resources for third-party VNFs. The NFX150 device reboots after setting the NFX in compute mode.
  2. Enable the usage of hugepages on the device. The hugepages are memory pages that do not get swapped out of memory. In this example, there are four hugepages created that will be used for the VNF.
  3. Reboot the NFX150 device for the hugepages to take effect.

Configure VNF and Set Up Custom OVS Bridge

Step-by-Step Procedure

The following steps describe how to configure the VNF and set up the custom OVS bridge. The custom OVS bridge acts as the NFV backplane to which the VNFs and FPCs connect. Additionally, you can create custom OVS bridges to isolate connectivity between different VNFs.

  1. Create the VNF and set the name radius-ubuntu. You need to set the path to the image (/var/public/radius-ubuntu.qcow2) for the VNF.
  2. Configure the VNF to have two CPUs, enable the hardware virtualization for the CPUs, and dedicate 4 GB of memory for the VNF. It is mandatory to configure CPUs and allocate memory for the VNF. For Ubuntu 20.04 cloud image, it is recommended to configure a minimum of 1 CPU and at least 1 GB of memory.
  3. Map the eth2 interface with the custom bridge radius-br.
  4. Mount the cloud-init image radius-ubuntu.iso file as CD-ROM drive.
  5. Create the custom OVS bridge radius-br and configure the interface ge-1/0/2 to it.

Results

Map Physical Ports to Layer 2 and Layer 3 Interfaces

Step-by-Step Procedure

The following steps describe how to map the physical ports to the Layer 2 and Layer 3 interfaces. The physical interfaces represent the physical ports on the NFX150 chassis and expansion module. The physical ports on the front panel of the NFX150 device can be mapped to Layer 2 or Layer 3 interfaces, or VNFs.

  1. Map the physical port heth-0-0 to the Layer 3 (FPC1) interface.
  2. Map the physical ports heth-0-1 through heth-0-4 to the Layer 3 (FPC1) interfaces.
  3. Add the interfaces ge-0/0/1 through ge-0/0/4 and interface sxe-0/0/0 as members of the default VLAN.

Results

Configure Zone-based Firewall and NAT

Step-by-Step Procedure

The following steps describe how to configure zone-based firewall filters and NAT:

  1. Create a security zone, trust, and assign Layer 3 interfaces (ge-1/0/0.0 and ge-1/0/2) to that zone. The ge-1/0/0.0 Layer 3 interface act as a DHCP server for the LAN connected device and the radius-br interface. The ge-1/0/0.0 interface is the default interface and it is part of the default configuration of the NFX150 device.
  2. Create a security zone, untrust, and assign the Layer 3 interface ge-1/0/1.0. You can configure the system services and protocols as per your setup.
    Note

    In a production environment you should restrict the protocols and services that you only want to be allowed in the network.

  3. Create security policies to allow the traffic within the security zone trust.
  4. Create security policies to allow traffic from security zone trust to security zone untrust.
  5. Create source NAT rule to NAT traffic from zone trust into zone untrust.

Configure DHCP Server for LAN Users

Step-by-Step Procedure

The following steps describe how to configure the DHCP server:

  1. Create a sub-interface for ge-1/0/0.1 in the default VLAN because an interface is required for the DHCP server.
  2. Create the DHCP address pool and set the interface as ge-1/0/0.1. The following DHCP address pool parameters are used in this example:
    • Name of the DHCP address pool is jdhcp-group.

    • User-assigned IP addresses range from 192.168.2.2 to 192.168.2.254.

    • Gateway IP address is 192.168.2.1.

    • DNS server address is set to 8.8.8.8.

Configure 802.1X Authentication

Step-by-Step Procedure

The following steps describe how to configure 802.1X authentication.

Note

The configuration of network interfaces and the RADIUS server on the Ubuntu VNF is beyond the scope of this document.

  1. Configure the RADIUS server, which is running on the VNF. The following RADIUS server parameters are used in this example:
    • IP address of the RADIUS server is 10.10.10.2. This is the IP address of eth2 and ens5 of the radius-ubuntu VNF.

    • Secret password used by the NFX to communicate with the RADIUS server is $ABC123.

  2. Add the RADIUS server to a profile and allow RADIUS authentication using that profile. The profile name used in this example is vnf-radius.
  3. Configure the profile vnf-radius as the 802.1X authenticator. The 802.1X authenticator validates the user-entered credentials with the RADIUS server and acts accordingly.
  4. Configure supplicants (users) to be authenticated on the interface ge-0/0/1.0 and request reauthentication every 90 minutes (5400 seconds). You can allow multiple supplicants to be authenticated as shown in this example.
  5. Set the timeout timers for both the supplicant authentication and the RADIUS server, for example 60 seconds.
  6. Configure the behavior for the port. In case the RADIUS server is unreachable, you can configure the authentication behavior for the port to specifically use the available cache. In this case, the supplicants authenticated already can continue to use the port and other supplicants will not be allowed.
  7. Commit the configuration.

Repeat the steps 4 through 6 for configuring authentication on the interfaces ge-0/0/2.0 through ge-0/0/4.0.

Verification

To confirm that the configuration is working properly, perform the following tasks:

Verifying the VNF is Up and Running

Purpose

Verify that the VNF was spun successfully.

Action

From operational mode, enter the show virtual-network-functions radius-ubuntu detail command.

user@host> show virtual-network-functions radius-ubuntu detail

Meaning

The output shows the details of radius-ubuntu VNF such as state, liveliness, errors, as well as memory usage.

Verifying the Resource Utilization for the VNF

Purpose

Verify what resources the VNF system is currently using such as CPU time, memory usage, and also the MAC address information of the interface.

Action

From operational mode, enter the show system visibility vnf radius-ubuntu command.

user@host> show system visibility vnf radius-ubuntu

Meaning

The output shows the system details of radius-ubuntu VNF such as memory usage, CPU time, MAC addresses, and IP addresses.

Verifying the Interfaces on the Custom Bridge

Purpose

Verify the status of the interfaces on the custom bridge.

Action

From operational mode, enter the show vmhost network nfv-back-plane command.

user@host> show vmhost network nfv-back-plane

Meaning

In the output, you can see the interfaces l3_h_ge_1_0_2 and radius-ubuntu_eth2 are linked to ge-1/0/2 and eth2, respectively. The output also shows the link status details (admin and link state) of the interfaces and the number of packets received and the transmitted through the respective interfaces.

Related Documentation