Juniper Networks supports packet-based forwarding on virtual interfaces using
Cloud-Native Contrail® Networking™ Release 22.1 or later in a Kubernetes-orchestrated
environment.
Overview
By default, Contrail compute nodes use flow mode for packet forwarding on a virtual
interface. This means that every vRouter has a flow table to keep track of all flows that
passes through it. In flow mode, the virtual interface processes all traffic by analyzing
the state or session of traffic. However, there might be instances when you want to switch
from flow mode to packet mode. Specifically, to achieve higher traffic forwarding
performance, or to get around certain limitations of flow mode.
In packet mode, the virtual interface processes the traffic on a per-packet basis and
ignores all flow information. The main advantage of this mode is that the processing type is
stateless. Stateless mode means that the virtual interface does not keep track of session
information or go through traffic analysis to determine how a session is established.
Note:
Features that require a network policy (such as ACLs, security groups, floating IP's)
are unable to work in packet mode.
Configure Packet Mode on a Virtual Interface
Follow these steps to enable packet mode on a virtual interface.
-
Verify that you are running flow mode. Flow mode is the default forwarding mode.
Generate some traffic by pinging another pod in the same network. In this example, the
pod's IP address is 25.26.27.2.
root@pod-vn-1:/# ping -q -c5 25.26.27.2
PING 25.26.27.2 (25.26.27.2) 56(84) bytes of data.
--- 25.26.27.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4057ms
rtt min/avg/max/mdev = 0.059/1.721/7.620/2.955 ms
-
Use the flow command-line tool to check for flows. The following example indicates that
the
virtualMachineInterface is in flow mode.
root@minikube:/# flow -l --match 25.26.27.3
...
...
Listing flows matching ([25.26.27.3]:*)
Index Source:Port/Destination:Port Proto(V)
-----------------------------------------------------------------------------------
159692<=>400664 25.26.27.2:28 1 (3)
25.26.27.3:0
(Gen: 1, K(nh):39, Action:F, Flags:, QOS:-1, S(nh):39, Stats:5/490, SPort 64222,
TTL 0, UnderlayEcmpIdx:0, Sinfo 7.0.0.0)
400664<=>159692 25.26.27.3:28 1 (3)
25.26.27.2:0
(Gen: 1, K(nh):33, Action:F, Flags:, QOS:-1, S(nh):33, Stats:5/490, SPort 56567,
TTL 0, UnderlayEcmpIdx:0, Sinfo 5.0.0.0)
-
Enable packet mode on the
virtualMachineInterface.
Create a patch file named packet-mode-patch.yaml and set the VMI
policy to true.
spec:
virtualMachineInterfaceDisablePolicy:true
-
Apply the patch.
[user@machine:~]$ kubectl -n vmi-disablepolicy patch vmi pod-vn-1-7d622c4d --patch "$(cat packet-mode-patch.yaml)"
virtualmachineinterface.core.contrail.juniper.net/pod-vn-1-7d622c4d patched
-
After you apply the patch, flow mode switches to packet mode.
[user@machine:~]$ kubectl -n vmi-disablepolicy get vmi pod-vn-1-7d622c4d -oyaml | yq .spec.virtualMachineInterfaceDisablePolicy
true
-
Verify that packet mode is active.
Generate traffic by pinging another pod in the same network that you pinged in Step
1.
root@pod-vn-1:/# ping -q -c5 25.26.27.2
PING 25.26.27.2 (25.26.27.2) 56(84) bytes of data.
--- 25.26.27.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4105ms
rtt min/avg/max/mdev = 0.051/2.725/13.388/5.331 ms
-
Use the flow command-line tool to check for flows.
root@minikube:/# flow -l --match 25.26.27.3
...
...
Listing flows matching ([25.26.27.3]:*)
Index Source:Port/Destination:Port Proto(V)
Success! No flows exist which indicates you are in packet mode.
