Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Creating VNF Service Chains for Inter-LR Traffic

Contrail Networking Release 1912 extends the service chaining functionality to bare metal servers (BMS). In earlier releases, Contrail Networking supports traffic flow between a virtual machine in one virtual network and a virtual machine in another virtual network. However, traffic flow between a virtual machine and BMS through a service chain was not supported. With Release 1912, Contrail Networking supports the movement of inter-LR traffic by using virtual network functions (VNF). This EVPN-based VXLAN (Ethernet VPN-based Virtual Extensible LAN) service chain supports bidirectional traffic flow through a service virtual machine.

VNF service chaining uses EVPN with VXLAN to enable traffic flow between:

  • Two bare metal servers.

    Figure 1: Traffic Flow Between Two Bare Metal ServersTraffic Flow Between Two Bare Metal Servers

    Figure 1 shows traffic flowing between two bare metal servers. Each bare metal server is connected to a logical router (virtual routing engine). These logical routers are configured in order to send traffic from the bare metal server in the red virtual network to the bare metal server in the green virtual network, through the service virtual machine.

  • A bare metal server and a virtual machine.

    Figure 2: Traffic Flow Between a Bare Metal Server and a Virtual MachineTraffic Flow Between a Bare Metal Server and a Virtual Machine

    Figure 2 shows traffic flowing between a bare metal server and a virtual machine. The bare metal server and the virtual machine are connected to logical routers. These logical routers are configured in order to send traffic from the bare metal server in the red virtual network to the virtual machine in the green virtual network, through the service virtual machine.

  • A virtual machine and a bare metal server.

    Figure 3: Traffic Flow Between a Virtual Machine and a Bare Metal ServersTraffic Flow Between a Virtual Machine and a Bare Metal Servers

    Figure 3 shows traffic flowing between a virtual machine and a bare metal server. The virtual machine and the bare metal server and are connected to logical routers. These logical routers are configured in order to send traffic from the virtual machine in the red virtual network to the bare metal server in the green virtual network, through the service virtual machine.

These topics provide instructions to create an EVPN-based VXLAN service chain.

Onboard Devices

Follow these steps to onboard brownfield devices from the Contrail Command user interface (UI):

  1. Click Fabrics.

    The Fabrics page is displayed.

  2. Click Create.

    You are prompted to select a provisioning option.

  3. Click Existing Fabric to import existing (brownfield) devices by discovery.
    Figure 4: Select Provisioning OptionSelect Provisioning Option
  4. Click Provision.

    The Create Fabric page is displayed.

  5. Enter the following information:
    Table 1: Provision Existing Fabric

    Field

    Action

    Name

    Enter a name for the fabric.

    Username

    Enter a username for the device.

    Password

    Enter a password for the device.

    Overlay ASN (iBGP)

    Enter autonomous system (AS) number in the range of 1-65,535.

    If you enable 4 Byte ASN in Global Config, you can enter 4-byte AS number in the range of 1-4,294,967,295.

    Node profiles

    Add node profiles.

    You can add more than one node profile.

    All preloaded node profiles are added to the fabric by default. You can remove a node profile by clicking X on the node profile.

    Management subnets

    Enter the following information:

    CIDR—Enter CIDR network address.

    Gateway—Enter gateway address.

    Note:

    You enter the CIDR address range in the Management subnets field to search for devices. Any device that has a previously configured management IP on the subnet is discovered.

    Underlay ASNs (eBGP)

    Enter autonomous system (AS) number in the range of 1-65,535.

    If you enable 4 Byte ASN in Global Config, you can enter 4-byte AS number in the range of 1-4,294,967,295.

    • Enter minimum value in ASN From field.

    • Enter maximum value in ASN To field.

    Fabric subnets (CIDR)

    Enter fabric CIDR address.

    Note:

    Fabric subnets are used to assign IP addresses to interfaces that connect to leaf or spine devices.

    Loopback subnets (CIDR)

    Enter loopback address.

    Note:

    Loopback subnets are used to auto-assign loopback IP addresses to the fabric devices.

    PNF Servicechain subnets (CIDR)

    Enter PNF device CIDR address.

    Note:

    Starting in Contrail Networking Release 5.1, enter the subnet for allocating IP addresses in the PNF Servicechain subnets field to establish EBGP session between PNF device and SPINE switch.
  6. Click Next.

    The Discovered devices page is displayed.

    The Device discovery progress bar on the Discovered devices page displays the progress of the device discovery job.

    Figure 5: Device Discovery Progress BarDevice Discovery Progress Bar

    The list of devices discovered are listed in the Discovered devices page.

  7. Select the device(s) you want to add to the fabric and then click Add.

    The device is added to the fabric.

  8. Click Next to assign roles.

    The Assign to devices page is displayed.

  9. Click the Assign icon at the end of the row to assign roles.

    The Assign role to devices pop-up is displayed.

  10. Assign physical roles and routing bridging roles.

    For Spine Devices:

    • Select spine from the Physical Role list.

    • Select CRB-Gateway from the Routing Bridging Roles list.

    For Leaf Devices:

    • Select leaf from the Physical Role list.

    • Select CRB-Access from the Routing Bridging Roles list.

    For PNF Devices:

    • Select PNF from the Physical Role list.

    • Select CRB-Access and PNF-Servicechain from the Routing Bridging Roles list.

    Note:

    The number of PNF instances you can create depends on the subnet mask of the pnf-servicechain-subnet that you provided during fabric onboarding. You can create multiple /29 subnets from the pnf-servicechain-subnet.

    For example, if a /24 subnet is provided for the pnf-servicechain-subnet, then, you can create 25= 32(29-24=5) subnets out of it. Each PNF uses a pair of /29 subnets. Thus, for a /24 subnet, you can have a maximum of 16 PNFs.

    For VNF Devices:

    • Select VNF from the Physical Role list.

    • Select CRB-Access from the Routing Bridging Roles list.

      Note:

      ERB-UCAST-Gateway routing bridging role is also supported.

    Note:

    When you configure a QFX series device as a data center gateway, ensure that you assign DC-Gateway role to the spine device.

    To assign a DC-Gateway role to a spine device,

    • Select spine from the Physical Role list.

    • Select DC-Gateway from the Routing Bridging Role list.

  11. Click Assign to confirm selection and then click Autoconfigure to initiate the auto-configuration job.

    The Autoconfigure page is displayed.

    The Autoconfigure progress bar on the Discovered devices page displays the progress of the auto-configuration job. Once the auto-configuration job is completed, click Next.

  12. From the Assign Telemetry Profiles page, click Finish to exit the Create Fabric wizard.

    The onboarding job is now complete.

Create Virtual Network

A virtual network is a collection of endpoints, such as virtual machine instances, that can communicate with each other. You can also connect virtual networks to your on-premises network. A virtual network in a EVPN VXLAN data center corresponds to a bridge domain for one tenant in a multi-tenant data center fabric.

  1. Click Overlay>Virtual Networks.

    The All Networks page is displayed.

  2. Click Create to create a network.

    The Create Virtual Network page is displayed.

  3. Enter a name for the network in the Name field.
  4. Select network policies from the Network Policies list. You can select more than one network policy.

    Network policies provide connectivity between virtual networks by allowing or denying specified traffic. They define the access control lists to virtual networks. To create a new network policy, navigate to Overlay>Network Policies.

    For more information on creating network policies, see Create Network Policy.

    Note:

    You can attach a network policy to the virtual network after you have created the virtual network.

  5. Select any one of the following preferred allocation mode.

    • Flat subnet only

    • Flat subnet preferred

    • (Default) User defined subnet only

    • User defined subnet preferred

    An allocation mode indicates how you choose a subnet. You select Flat subnet only or Flat subnet preferred allocation mode when the subnet is shared by multiple virtual networks. However, you select (Default) User defined subnet only or User defined subnet preferred allocation mode when you want to define a subnet range.

  6. Enter subnet information as given in Table 2.
    Table 2: Subnet Information

    Field

    Action

    Network IPAM

    Select the IP address management method that controls IP address allocation, DNS, and DHCP for the subnet.

    CIDR

    Enter the overlay subnet CIDR.

    Allocation Pools

    Enter a list of ranges of IP addresses for vRouter-specific allocation.

    Gateway

    Enter the gateway IP address of the overlay subnet. This field is disabled by default. To configure this field, uncheck Auto Gateway.

    Service Address

    Specify the user configured IP address for DNS Service instead of the default system allocated one.

    Auto Gateway

    This check box is enabled by default and gateway address is allocated by the system. When this box is unchecked, gateway address is user configurable.

    DHCP

    Select this check box if you want Contrail to provide DHCP service.

    DNS

    Select this check box if you want the vRouter agent to provide DNS service.
  7. Enter host route information.

    Host routes are a list of prefixes and next hops that are passed to the virtual machine through DHCP.

    1. Route Prefix—Enter a full CIDR value with an IP address and a subnet mask. For example, 10.0.0.0/24.

    2. Next Hop—Enter next hop address.

  8. Enter floating IP pool information.

    A floating IP address is an IP address (typically public) that can be dynamically assigned to a running virtual instance. You can configure floating IP address pools in project networks, then allocate floating IP addresses from the pool to virtual machine instances in other virtual networks.

    1. Pool Name—Enter pool name.

    2. Projects—Select project from the list.

  9. Enter fat flows information. See Table 3.

    You can apply fat flows to all VMIs under the configured VN. Fat flows help reduce the number of flows that are handled by Contrail.

    Table 3: Configure Fat Flow

    Field

    Action

    Protocol

    Select the application protocol.

    Port

    Enter a value between 0 through 65,535. Enter 0 to ignore both source and destination port numbers.

    Note:

    If you select ICMP as the protocol, the Port field is not enabled.

    Ignore Address

    Configure fat flows to support aggregation of multiple flows into a single flow by ignoring source and destination ports or IP addresses. If you select Destination, only the Prefix Aggregation Source fields are enabled. If you select Source, only the Prefix Aggregation Destination fields are enabled. If you select the None (selected by default), both Prefix Aggregation Source and Prefix Aggregation Destination fields are enabled.

    Prefix Aggregation Source

    Source Subnet

    Enter the source IP address.

    Ensure that the source subnet of the flows match. For example, enter 10.1.0.0/24 to create fat flows with 10.1.0.0/24 as the subnet. The valid subnet mask range is /8 through /32.

    Note:

    For packets from the local virtual machine, source refers to the source IP of the packet. For packets from the physical interface, source refers to the destination IP of the packet.

    Prefix

    Enter source subnet prefix length.

    The prefix length you enter is used to aggregate flows matching the source subnet. For example, when the source subnet is 10.1.0.0/16 and prefix length is 24, the flows matching the source subnet is aggregated to 10.1.x.0/24 flows. The valid the prefix length range is /(subnet mask of the source subnet) through /32.

    Prefix Aggregation Destination

    Destination Subnet

    Enter the destination IP address.

    Ensure that the destination subnet of the flows match. Enter 10.1.0.0/24 to create fat flows with 10.1.0.0/24 as the subnet. The valid subnet mask range is /8 through /32.

    Note:

    For packets from the local virtual machine, destination refers to the destination IP of the packet. For packets from the physical interface, destination refers to the source IP of the packet.

    Prefix

    Enter the destination subnet prefix length.

    The prefix length you enter is used to aggregate flows matching the destination subnet. For example, when the source subnet is 10.1.0.0/16 and prefix length is 24, the flows matching the source subnet is aggregated to 10.1.x.0/24 flows. The valid prefix length range is /(subnet mask of the destination subnet) through /32.
  10. Enter routing policy and bridge domain information as given below.

    1. Select routing policy from the Routing Policies list.

      To create a routing policy, navigate to Overlay>Routing>Routing Policy.

    2. Define a list of route target prefixes.

      Enter an IP address in the ASN field and Target in the range 0 through 65,535, or ASN in the range 1 through 65,535 and Target in the range 1 through 4,294,967,295 if 4-byte ASN is disabled. If 4-byte ASN is enabled, enter ASN in the range 1 through 4,294,967,295 and Target in the range 0 through 65,535.

    3. Define export route targets.

      You can advertise the matched routes from the local virtual routing and forwarding (VRF) table to the MPLS routing table.

      Enter an IP address in the ASN field and Target in the range 0 through 65,535, or ASN in the range 1 through 65,535 and Target in the range 1 through 4,294,967,295 if 4-byte ASN is disabled. If 4-byte ASN is enabled, enter ASN in the range 1 through 4,294,967,295 and Target in the range 0 through 65,535.

    4. Define import route targets.

      Import the matched routes from the MPLS routing table and to the local virtual routing and forwarding (VRF) table.

      Enter an IP address in the ASN field and Target in the range 0 through 65,535, or ASN in the range 1 through 65,535 and Target in the range 1 through 4,294,967,295 if 4-byte ASN is disabled. If 4-byte ASN is enabled, enter ASN in the range 1 through 4,294,967,295 and Target in the range 0 through 65,535.

    5. Enter bridge domain information. See Table 4.

      A bridge domain is a set of logical interfaces that share the same flooding or broadcast characteristics.

      Table 4: Bridge Domains

      Field

      Action

      Name

      Enter a name for the Layer 2 or Layer 3 bridge domain.

      I-SID

      Enter a Service Identifier in the range from 1 through 16777215.

      MAC Learning

      Enable or disable MAC learning.

      MAC learning is the process of obtaining the MAC addresses of all the nodes in a virtual network. It is enabled by default.

      MAC Limit

      Configure the maximum number of MAC addresses that can be learned.

      MAC Move Limit

      Configure the maximum number of times a MAC address move occurs in the MAC move time window.

      A MAC move is when a MAC address appears on a different physical interface or within a different unit of the same physical interface.

      Time Window (secs)

      Configure the period of time over which the MAC address move occurs.

      The default period is 10 seconds.

      Aging Time (secs)

      Configure the MAC table aging time, the maximum time that an entry can remain in the Ethernet Switching table before it is removed.

      The default time period is 300 seconds.
  11. Enter advanced configuration information as given in Table 5.
    Table 5: Advanced Configuration

    Field

    Action

    Admin State

    Select the administrative state of the virtual network.

    Reverse Path Forwarding

    Enable or disable Reverse Path Forwarding (RPF) check for the virtual network.

    Shared

    Select to share the virtual network with all tenants.

    External

    Select the check box to make the virtual networks reachable externally.

    Allow Transit

    Select to enable the transitive property for route imports.

    Mirroring

    Select to mark the virtual network as a mirror destination network.

    Flood Unknown Unicast

    Select to flood the network with packets with unknown unicast MAC address.

    By default, the packets are dropped.

    Multiple Service Chains

    Select to allow multiple service chains within two networks in a cluster.

    IP Fabric Forwarding

    Select to enable fabric based forwarding.

    Forwarding Mode

    Select the packet forwarding mode for the virtual network.

    Extend to Physical Router(s)

    Select the physical router to which you want to extend the logical router.

    The physical router provides routing capability to the logical router.

    Static Route(s)

    Select the static routes to be added to this virtual network.

    QoS

    Select the QoS to be used for this forwarding class.

    Security Logging Object(s)

    Select the security logging object configuration for specifying session logging criteria.

    ECMP Hashing Fields

    Configure one or more ECMP hashing fields.

    When configured all traffic destined to that VN will be subject to the customized hash field selection during forwarding over ECMP paths by vRouters.

    PBB Encapsulation

    Select to enable Provider Backbone Bridging (PBB) EVPN tunneling on the network.

    PBB ETree

    Select to enable PBB ETREE mode on the virtual network which allows L2 communication between two end points connected to the vRouters.

    When the check box is deselected, end point communication happens through an L3 gateway provisioned in the remote PE site.

    Layer2 Control Word

    Select to enable adding control word to the Layer 2 encapsulation.

    SNAT

    Select to provide connectivity to the underlay network by port mapping.

    MAC Learning

    Enable or disable MAC learning.

    MAC learning is the process of obtaining the MAC addresses of all the nodes in a virtual network. It is enabled by default.

    Provider Network

    Select the provider network.

    The provider network specifies VLAN tag and the physical network name.

    IGMP enable

    Enable or disable IGMP.

    Multicast Policies

    Select the multicast policies.

    To create a policy, navigate to Overlay>Multicast Policies.

    Max Flows

    Enter the maximum number of flows permitted on each virtual machine interface of the virtual network.
  12. Click Create.

    The All Networks page is displayed. The virtual network that you created is displayed on this page.

Configuring Virtual Port Groups

This topic describes how to create virtual port groups from Contrail Command UI.

To create virtual port groups:

  1. Navigate to Overlay > Virtual Port Group > Create Virtual Port Group.

    The Create Virtual Port Group page is displayed.

  2. Enter the VLAN ID and network to which the VLAN is associated and select a security group to which the VLAN is to be attached.

    You can select multiple VLANs to include in the virtual port group. Based on the need, you can add or remove VLANs from virtual port group by using the Edit Virtual Port Group function.

  3. Select the fabric from the Fabric Name list.

    The available physical interfaces on the devices in the selected fabric are listed.

  4. From the Available Physical Interface box, select the physical interfaces to be included in the virtual port group by clicking the arrow next each physical interface. The available physical interfaces are the interfaces available on TORs that are already onboarded.

    The selected interfaces are displayed in the Assigned Physical Interface box.

    If you select more than one interface on the same TOR as shown in Figure 6, a link aggregation group (LAG) is automatically created on the device.

    Figure 6: Select Interfaces on the Same TORSelect Interfaces on the Same TOR
  5. Click Create.

    The newly created virtual port group is displayed on the Virtual Port Group page with details of the interfaces and the TORs as shown in Figure 7.

    Figure 7: Virtual Port GroupsVirtual Port Groups

    You can delete a virtual port group by clicking the delete icon against the virtual port group. To delete a virtual port group, you must first remove the referenced VMI and the associated BMS instance from the virtual port group.

See Also

Create Logical Routers

A logical router replicates the functions of a physical router. It connects multiple virtual networks. A logical router performs a set of tasks that can be handled by a physical router, and contains multiple routing instances and routing tables.

Follow these steps to create a logical router (LR).

  1. Click Overlay>Logical Routers.

    The Logical Routers page is displayed.

  2. Click Create.

    The Create Logical Router page is displayed.

  3. Enter the following information.

    Field

    Action

    Name

    Enter a name for the Logical Router.

    Admin State

    Select the administrative state that you want the device to be in when the router is activated.

    Up is selected by default.

    Extend to Physical Router

    Select the physical router(s) to which you want to extend virtual networks or routed virtual networks to, from the Extend to Physical Router list.

    A physical router provides routing capability to the logical router.

    Logical Router Type

    Select SNAT Routing or VXLAN Routing from the list.

    Connected Networks

    Select the networks that you want to connect this logical router to.

    Public Logical Router

    (Optional) Select this check box if you want the logical router to function as a public logical router.

    VxLAN Network Identifier

    Enter VXLAN network identifier in the range from 1 through 16,777,215.

    This field is disabled by default.

    Route Target(s)

    Click +Add to add route targets.

    Enter Autonomous System (AS) number in the ASN field.

    • Enter ASN in the range of 1-4,294,967,295, when 4 Byte ASN is enabled in Global Config.

    • Enter ASN in the range of 1-65,535, when 4 Byte ASN is disabled.

    • You can also add suffix L or l (lower-case L) at the end of a value in the ASN field to assign an AS number in 4-byte range. Even if the value provided in the ASN field is in the range of 1-65,535, adding L or l (lower-case L) at the end of the value assigns the AS number in 4-byte range. If you assign the ASN field a value in the 4-byte range, you must enter a value in the range of 0-65,535 in the Target field.

    Enter route target in the Target field.

    • Enter route target in the range of 0-65,535, when 4 Byte ASN is enabled and ASN field is assigned a 4-byte value.

    • Enter route target in the range of 0-4,294,967,295, when the ASN field is assigned a 2-byte value.
  4. Click Create to create the logical router.

    The Logical Routers page is displayed.

  5. Repeat Step 3 and Step 4 to create another logical router.
Note:

The router_interface object (Virtual Port) is created as part of the LR creation. While planning the Virtual Network IP address scheme, you must be aware that an extra one IP address is required for the router_interface object which gets created automatically.

Create VNF Service Template

Follow these steps to create a service template by using the Contrail Command UI:

  1. Click Services>Catalog.

    The VNF Service Templates page is displayed.

  2. Click Create.

    The Create VNF Service Template page is displayed.

  3. Enter a name for the service template in the Name field.
  4. Select v2 as the version type.
    Note:

    Starting with Release 3.2, Contrail supports only Service Chain Version 2 (v2).

  5. Select Virtual Machine as the virtualization type.
  6. Select a service mode from the Service Mode list.
  7. Select a service type from the Service Type list.
  8. From the Interface section,

    • Select left as the interface type from the Interface Type list.

    • Click + Add.

      The Interface Type list is added to the table.

      Select right as the interface type.

    • Click + Add again.

      Another Interface Type list is added to the table.

      Select management as the interface type.

    Note:

    The interfaces created on the virtual machine must follow the same sequence as that of the interfaces in the service template.

  9. Click Create to create the service template.

    The VNF Service Templates page is displayed. The service template that you created is displayed in the VNF Service Templates page.

Create VNF Service Instance

Follow these steps to add a service instance by using the Contrail Command UI:

  1. Click Services>Deployments.

    The VNF Service Instances page is displayed.

  2. Click Create.

    The Create VNF Service Instance page is displayed.

  3. Enter a name for the service instance in the Name field.
  4. Select the service template that you created from the Service Template list.

    The Interface Type and Virtual Network fields are displayed.

  5. Select the virtual network for each interface type as given below.

    • left—Select the left virtual network that you created.

    • right—Select the right virtual network that you created.

    • management—Select the management virtual network that you created.

  6. Click Create to create the service instance.

    The VNF Service Instances page is displayed. The service instance that you created is displayed in the VNF Service Instances page.

Related Documentation

Release History Table
Release
Description
1912
Contrail Networking Release 1912 extends the service chaining functionality to bare metal servers (BMS).