Cloud-Native Router L3 Features
SUMMARY Read this chapter to learn about operation, and monitoring of the Juniper Cloud-Native Router running in L3 mode. We discuss cloud-native router deployment modes, interface types, and segment routing MPLS tunnels.
Juniper Cloud-Native Router Deployment Modes
Starting in Juniper Cloud-Native Router Release 22.4, you can deploy and operate
Juniper Cloud-Native Router in either L2 or L3 mode. You control the deployment mode
by editing the appropriate values.yaml file prior to deployment.
To deploy the cloud-native router in L2 mode, retain or modify the values in the file Juniper_Cloud_Native_Router_version-number/helmchart/values.yaml.
Throughout the rest of this chapter we identify those features that are only available in L2 mode by beginning the feature name with L2.
In L2 mode, the cloud-native router behaves like a switch and so performs no routing functions and runs no routing protocols. The pod network uses VLANs to direct traffic to various destinations.
To deploy the cloud-native router in L3 mode, retain or modify the values in the file Juniper_Cloud_Native_Router_version-number/helmchart/values_L3.yaml,
In L3 mode, the cloud-native router behaves like a router and so performs routing functions and runs routing protocols such as ISIS, BGP, OSPF, and segment routing-MPLS. In L3 mode, the pod network is divided into an IPv6 underlay network and an IPv4 or IPv6 overlay network. The IPv6 underlay network is used for control plane traffic.
Juniper Cloud-Native Router Security Groups
Starting in Juniper Cloud-Native Router Release 22.4, you control the types of traffic with the use of security groups when you use cloud-native router in L3 mode.
A security group is a container for security group rules. Security groups and security group rules allow administrators to specify the type of traffic that passes through an interface port. When you create a pod in a virtual network (VN), you can associate a security group with the pod and its virtual machine interface (VMI). The VMI is the interface connecting the pod to the vrouter-dpdk. When the cloud-native router launches the pod, it applies the rules in the security group to the pod's VMI port. If you do not specify a security group for the pod, the cloud-native router associates a default security group with the pod's VMI. The default security group rule is to allow all traffic to and from the port. The default security group allows both ingress and egress traffic. Security rules can be added to the default security group to change the traffic behavior.
You can apply each rule in the security group to either ingress or egress traffic. Ingress traffic is the traffic coming to the pod's VMI. Egress traffic is the traffic that leaves the pod through the VMI.
Juniper Cloud-Native Router Interface Types
Juniper Cloud-Native Router supports the following types of interfaces:
-
Agent interface
vRouter has only one agent interface. The agent interface enables communication between the vRouter-agent and the vRouter. On the vRouter CLI when you issue the
vif --listcommand, the agent interface looks like this:vif0/0 Socket: unix Type:Agent HWaddr:00:00:5e:00:01:00 Vrf:65535 Flags:L2 QOS:-1 Ref:3 RX queue errors to lcore 0 0 0 0 0 0 0 0 0 0 0 0 RX packets:0 bytes:0 errors:0 TX packets:650 bytes:99307 errors:0 Drops:0 -
Data Plane Development Kit (DPDK) Virtual Function (VF) workload interfaces
These interfaces connect to the radio units (RUs) or millimeter-wave distributed units (mmWave-DUs) On the vRouter CLI when you issue the
vif --listcommand, the DPDK VF workload interface looks like this:vif0/5 PCI: 0000:ca:19.1 (Speed 10000, Duplex 1) Type:Workload HWaddr:9e:52:29:9e:97:9b Vrf:0 Flags:L2Vof QOS:-1 Ref:9 RX queue packets:29087 errors:0 RX queue errors to lcore 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Fabric Interface: 0000:ca:19.1 Status: UP Driver: net_iavf Vlan Mode: Access Vlan Id: 1250 OVlan Id: 1250 RX packets:29082 bytes:6766212 errors:5 TX packets:0 bytes:0 errors:0 Drops:29896 -
DPDK VF fabric interfaces
DPDK VF fabric interfaces, which are associated with the physical network interface card (NIC) on the host server, accept traffic from multiple VLANs. On the vRouter CLI when you issue the
vif --listcommand, the DPDK VF fabric interface looks like this:vif0/1 PCI: 0000:31:01.0 (Speed 10000, Duplex 1) Type:Physical HWaddr:d6:22:c5:42:de:c3 Vrf:65535 Flags:L2Vof QOS:-1 Ref:12 RX queue packets:11813 errors:1 RX queue errors to lcore 0 0 0 0 0 0 0 0 0 0 0 0 1 0 Fabric Interface: 0000:31:01.0 Status: UP Driver: net_iavf Vlan Mode: Trunk Vlan: 1001-1100 RX packets:0 bytes:0 errors:49962 TX packets:18188356 bytes:2037400554 errors:0 Drops:49963 -
Active or standby bond interfaces
Bond interfaces accept traffic from multiple VLANs. A bond interface runs in the active or standby mode (mode 0).
On the vRouter CLI when you issue the
vif --listcommand, the bond interface looks like this:vif0/2 PCI: 0000:00:00.0 (Speed 10000, Duplex 1) Type:Physical HWaddr:32:f8:ad:8c:d3:bc Vrf:65535 Flags:L2Vof QOS:-1 Ref:8 RX queue packets:1882 errors:0 RX queue errors to lcore 0 0 0 0 0 0 0 0 0 0 0 0 Fabric Interface: eth_bond_bond0 Status: UP Driver: net_bonding Slave Interface(0): 0000:81:01.0 Status: UP Driver: net_iavf Slave Interface(1): 0000:81:03.0 Status: UP Driver: net_iavf Vlan Mode: Trunk Vlan: 751-755 RX packets:8108366000 bytes:486501960000 errors:4234 TX packets:65083776 bytes:4949969408 errors:0 Drops:8108370394 -
Pod interfaces using virtio and the DPDK data plane
Virtio interfaces accept traffic from multiple VLANs and are associated with pod interfaces that use virtio on the DPDK data plane.
On the vRouter CLI when you issue the
vif --listcommand, the virtio with DPDK data plane interface looks like this:vif0/3 PMD: vhost242ip-93883f16-9ebb-4acf-b Type:Virtual HWaddr:00:16:3e:7e:84:a3 Vrf:65535 Flags:L2 QOS:-1 Ref:13 RX queue errors to lcore 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Vlan Mode: Trunk Vlan: 1001-1003 RX packets:0 bytes:0 errors:0 TX packets:10604432 bytes:1314930908 errors:0 Drops:0 TX port packets:0 errors:10604432 -
Pod interfaces using virtual Ethernet (veth) pairs and the DPDK data plane
Pod interfaces that use veth pairs and the DPDK data plane are access interfaces rather than trunk interfaces. This type of a pod interface allows traffic from only one VLAN to pass.
On the vRouter CLI when you issue the
vif --listcommand, the veth pair with DPDK data plane interface looks like this:vif0/4 Ethernet: jvknet1-88c44c3 Type:Virtual HWaddr:02:00:00:3a:8f:73 Vrf:0 Flags:L2Vof QOS:-1 Ref:10 RX queue packets:524 errors:0 RX queue errors to lcore 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Vlan Mode: Access Vlan Id: 3001 OVlan Id: 3001 RX packets:9 bytes:802 errors:515 TX packets:0 bytes:0 errors:0 Drops: 525 -
VLAN sub-interfaces
Starting in Juniper Cloud-Native Router Release 22.4, the cloud-native router supports . VLAN sub-interfaces are like logical interfaces on a physical switch or router. When we run the cloud-native router in L2 mode, each sub-interface must be associated with a specific VLAN. On the JCNR-vRouter, a VLAN sub-interface look like this:
vif0/5 Virtual: vhostnet1-71cd7db1-1a5e-49.3003 Vlan(o/i)(,S): 3003/3003 Parent:vif0/4 Type:Virtual(Vlan) HWaddr:00:99:99:99:33:09 Vrf:0 Flags:L2 QOS:-1 Ref:3 RX queue errors to lcore 0 0 0 0 0 0 0 0 0 0 0 0 RX packets:0 bytes:0 errors:0 TX packets:0 bytes:0 errors:0 Drops:0 -
Physical Function (PF) workload interfaces
-
PF fabric interfaces
vRouter does not support the vhost0 interface when run in L2
mode.
The vRouter-agent detects L2 mode in values.yaml during
deployment, so does not wait for the vhost0 interface to come
up before completing installation. The vRouter-agent does not send a vhost
interface add message so the vRouter doesn't create the vhost0
interface.
In L3 mode, the vhost0 interface is present and functional.
Pods are the Kubernetes element that contains the interfaces used in cloud-native router. You control interface creation by manipulating the value portion of the key:value pairs in YAML configuration files. The cloud-native router uses a pod-specific file and a network attachment device (NAD)-specific file for pod and interface creation. During pod creation, Kubernetes consults the pod and NAD configuration files and creates the needed interfaces from the values contained within the NAD configuration file.
You can see example NAD and pod YAML files in the L2 - Add User Pod with Kernel Access to a Cloud-Native Router Instance and L2 - Add User Pod with virtio Trunk Ports to a Cloud-Native Router Instance examples.
Security Groups
A security group is a construct for holding security rules. When you create a pod in a virtual network, the cloud-native router associates a security group with the Virtual Management Interface (VMI). The VMI is the interface connecting the Pod and the vRouter container. Each rule in the security group is applied to either ingress or egress traffic. Ingress traffic is the traffic coming from the Pod over the VMI. Egress traffic is the traffic going from the VMI to the Pod.
With the Cloud-Native Router, you configure networking policy, including security groups, locally using gRPC messages from the cloud-native router controller. You can configure security groups using API calls, NETCONF, or the cloud-native router controller CLI by using the edit routing-options flow security-group security group name rule rule name command hierarchy.
L2 API to Force Bond Link Switchover
When you use bond interfaces on cascaded nodes in L2 mode, you can make an API call to force traffic to switch from the active interface to the standby interface.
MPLS Support in Juniper Cloud-Native Router
The Juniper Cloud-Native Router contains support for MPLS routing protocols. You use the JCNR-controller, or cRPD, to configure MPLS. The cRPD then sends the configuration to the vRouter-agent, using gRPC. The vRouter-agent then converts the configuration to network policies that it imlements in the vRouter. The cloud-native router supports the following MPLS-based routing protocols:
-
L3 MPLS VPN (MPLS)–L3 MPLS VPNs are also known as BGP/MPLS VPNs because BGP is used to distribute VPN routing information across the provider’s backbone, and MPLS is used to forward VPN traffic across the backbone to remote VPN sites. The cloud-native router can particpate as a sending, receiving, or transit router using the MPLS protocol
-
Segment Routing-MPLS (SR-MPLS)–Segment routing is a control-plane architecture that enables an ingress router to steer a packet through a specific set of nodes and links in the network without relying on the intermediate nodes in the network to determine the actual path it should take. SR-MPLS employs segment routing in MPLS. The cloud-native router can participate as a sending, receiving or transit router in SR-MPLS networks.
-
MPLS over UDP (MPLSoUDP)–MPLSoUDP is an overlay technology that encapsulates MPLS packets within UDP packets to traverse through some networks that do not support native MPLS or SR-MPLS. The cloud-native router can participate as a sending, receiving, or transit router using MPLSoUDP.