Step 3: Keep Going

The overlay networks you just created all share the same physical infrastructure, but are completely separate from each other. Users in one overlay network won’t be able to communicate with users in another overlay network.

We’ll show you how to open a path between networks through a physical network function (PNF), in this case, an SRX Series firewall. You do this by creating a PNF service chain that runs from one logical router to another through the firewall.

Onboard the PNF Device

To create a PNF service chain, you first have to onboard the PNF device. You do this by using the same Create Fabric wizard you used when you onboarded the fabric underlay, but this time you’re discovering an existing (brownfield, already configured) device. By onboarding this device, you’re telling Contrail Networking to add this device to the fabric.

Contrail Networking then assigns IP addresses to the fabric ports on the SRX Series device and on the attached switches from the PNF service chain subnet you specified earlier when you onboarded the fabric (Step 4 in Onboard a New Fabric (Greenfield)). Contrail Networking also configures the routing protocols to allow the SRX Series device to exchange routes with the fabric.

Here’s the PNF device you’ll be onboarding and the PNF service chain you’ll be setting up:

Before you begin, physically connect the SRX Series firewall to both spine switches (in a centrally routed and bridged model). Make sure the SRX Series device is already up and running and contains basic configuration such as a username and password, hostname, management and loopback IP addresses, but no IP addresses on the interfaces that you’ll use to connect to the fabric nor any policies that govern traffic to and from the fabric.

Select INFRASTRUCTURE>Fabrics and click the fabric underlay that you onboarded previously.
The Fabric devices window appears listing all the devices in the fabric.
Select Action>Brownfield wizard.
The Create Fabric wizard is launched, but you’re not creating a fabric in this procedure. You’re using the wizard to add a PNF device to the fabric you onboarded earlier.

Fill in the PNF configuration. Here are mandatory fields along with example values. Because this is an existing SRX Series device, you supply the existing login credentials and the existing management IP address. You can leave all other settings at their default values.

Fields	Meaning	Example
Device credentials>Username	The username to log in to the device.	<existing-username>
Device credentials>Password	The password to log in to the device.	<existing-password>
Management subnets>CIDR	The IP address of the device on the management network.	<existing-management-IP-address> This is a /32 address.

Fields

Meaning

Example

Device credentials>Username

The username to log in to the device.

<existing-username>

Device credentials>Password

The password to log in to the device.

<existing-password>

Management subnets>CIDR

The IP address of the device on the management network.

<existing-management-IP-address>

This is a /32 address.

Click Next to launch the device discovery process.
When you see the message Job execution completed successfully in the log section, click Next to progress to role assignment.
Select the row for the PNF device you just discovered and click the Assign Role icon on the far right of the row.
The Assign role to devices window appears.
Set the role for the SRX Series device and click Assign.
Role
Setting
Physical
pnf
Routing Bridging Roles
PNF-Servicechain
Note: You had set this same role on the spine switches earlier.
Click Autoconfigure to push the new configuration onto the devices based on their assigned roles.
When the progress panel displays Job summary: Job execution completed successfully, click Next and then click Finish to skip the assignment of telemetry profiles.

Role	Setting
Physical	pnf
Routing Bridging Roles	PNF-Servicechain Note: You had set this same role on the spine switches earlier.

Create the PNF Service Chain

With the PNF device now part of the fabric, you can logically insert it between two overlay networks. You insert the PNF device by setting up a PNF service chain.

To create the service chain, you first create a template that describes how the PNF device is connected to the fabric. The PNF device can be reused for multiple overlay applications. Creating a template saves you from configuring this information for future service chains.

Create the service chain template.

Select SERVICES>Catalog to bring up the Catalog page.
Click the PNF tab to bring up the PNF Service Templates window and click Create>Template.
The Create PNF Service Template page appears.

Fill in the fields on this page according to your desired setup. Here are the mandatory fields along with values that match our example PNF configuration.

Field	Meaning	Example
Name	The name you want to call this service template.	my-service-chain
PNF Device	The name of the device. This is the existing hostname of the SRX Series device.	SRX-FW
PNF Left Interface	The interface on one side of the SRX Series device.	et-1/2/0
PNF Left Fabric	The name of the fabric on one side of the SRX Series device.	my-fabric
PNF Left Attachment Points>Physical Router	The router attached to the left interface of the SRX Series device.	Border-Spine-1
PNF Left Attachment Points>Left Interface	The interface on the router attached to the left interface of the SRX Series device.	et-0/0/3
PNF Right Interface	The interface on the other side of the SRX Series device.	et-1/2/1
PNF Right Fabric	The name of the fabric on the other side of the SRX Series device.	my-fabric
PNF Right Attachment Points>Physical Router	The router attached to the right interface of the SRX Series device.	Border-Spine-2
PNF Right Attachment Points>Right Interface	The interface on the router attached to the right interface of the SRX Series device.	et-0/0/3

Click Create to create the template. The name of the template is the name you specified appended by the template designation (for example, my-service-chain-template).

Create the service chain using this template.

Select SERVICES>Deployments to bring up the Deployments page.
Click the PNF tab to bring up the PNF Service Instances window and click Create>Instance.
The Create PNF Service Instance page appears.

Fill in the fields on this page according to your desired setup. Here are the mandatory fields along with values that match our example PNF configuration.

Fields	Meaning	Example
Name	The name you want to call this service chain instance.	my-service-chain
Service Template	The service template you want to use. This is the name of the service template you created earlier.	my-service-chain-template
PNF eBGP ASN	The ASN for the PNF device. This is used by eBGP to exchange routes in the overlay.	65100
Left Tenant Logical Router	The logical router attached to the left interface. Deciding which is the left logical router and which is the right logical router is arbitrary because each spine switch has the same two logical routers instantiated.	LR-A
PNF Left BGP Peer ASN	The ASN for the left overlay network. There is one ASN for the entire overlay.	65000
Left Service VLAN	The VLAN ID for the left interface.	1001
Right Tenant Logical Router	The logical router attached to the right interface. This is the other logical router.	LR-B
PNF Right BGP Peer ASN	The ASN for the right overlay network. There is one ASN for the entire overlay.	65000
Right Service VLAN	The VLAN ID for the right interface.	1002

Click Create to push the configuration to the devices.

You have now created the service chain. The SRX Series device uses eBGP to learn routes from one logical router and advertises the routes to the other logical router. Once the routes are known, internetwork traffic begins to traverse the SRX Series device.

By default, Contrail Networking configures the SRX Series device to be permissive (that is, an <any>-<any>-<any> permit policy). To change the policy, log in to the SRX Series device and configure the policy as you normally do.

What’s Next?

Now that you've set up Contrail Networking with a basic configuration, here are some things you can do next.

If you want to	Then
See a Contrail Networking use case with a deeper explanation of the steps you’ve just learned	See In Focus: How to Onboard a Fabric and Create an Overlay
See a cheatsheet of the steps you’ve just learned	See Contrail Enterprise Multicloud Getting Started Guide - Fabric Management
Configure advanced fabric management features	See the Contrail Networking Fabric Lifecycle Management Guide

General Information

If you want to	Then
See all documentation available for Contrail Networking	Visit Contrail Networking Documentation
See all documentation available for Contrail Insights	Visit Contrail Insights Documentation
See a solutions guide for fabric management	See Data Center: Contrail Enterprise Multicloud for Fabric Management
Stay up-to-date with new and changed features and known and resolved issues	See the Contrail Networking Release Notes

Learn With Videos

Our video library continues to grow! We’ve created many, many videos that demonstrate how to do everything from install your hardware to configure advanced Junos OS network features. Here are some great video and training resources that will help you expand your knowledge of Junos OS.

If you want to	Then
View a video that shows you how to install the Contrail Command GUI and use it to deploy Contrail Networking 2005 and Contrail Insights in your network.	Watch Contrail Networking 2005 and Contrail Insights Installation
Get short and concise tips and instructions that provide quick answers, clarity, and insight into specific features and functions of Juniper technologies	See Learning with Juniper on the Juniper Networks main YouTube page
View a list of the many free technical trainings we offer at Juniper	Visit the Getting Started page on the Juniper Learning Portal

ON THIS PAGE