Configure Service Chaining With PNF

This section shows how to create Layer 3 PNF service chains for inter-LR traffic.

Service Chaining Using a PNF

Service chaining provides security control and enforcement through a physical firewall on traffic between virtual networks that are attached to logical routers. By default, virtual networks attached to the same logical router can communicate only using Layer 3 routing. Virtual networks connected to different logical routers cannot communicate. Service chaining using a firewall (a physical network function) between the logical routers allows virtual networks on separate logical routers to communicate securely.

For CEM service chaining you insert a physical network function (PNF) device between two logical routers on a border spine or border leaf device. The PNF device allows for Layer 3 communication between the logical routers. Only Juniper SRX Services Gateways are supported as PNF devices.

Figure 1 shows a logical view of service chaining. VLANs provide connectivity between the logical routers and the PNF device. EBGP advertises routes between the logical routers and the PNF.

Figure 1: Logical View of Service Chaining. Network architecture with service chaining using SRX Series PNF, left and right side VRFs, and bidirectional route advertisement.

In a topology that uses border leaf devices, attach the PNF to the border leaf devices as shown in Figure 2.

Figure 2: PNF in Topology with Border Leaf. Network topology diagram featuring Juniper QFX5110 spine-leaf switches, BMS servers, PNF SRX5400, and Contrail cluster for scalable data center networking.

Service Chaining Configuration Overview

In this example, we configure service chaining in the following topology to provide inter-LR routing on the blue and green networks, as shown in Figure 3. SRX4k and SRX5k Services Gateways are supported as managed PNFs. Our PNF is an SRX5400 Services Gateway.

Figure 3: Inter-LR Service Chaining. Data center network diagram with spine-leaf architecture showing two QFX10002 spine switches, four QFX5100 leaf switches, PNF SRX5400, BMS 1-4 with IP subnets, VLANs, VPGs, logical routers LR-Green and LR-Blue, and management tools Contrail Command and Contrail Insights.

The virtual networks shown in Figure 3 have already been configured. See Configure Virtual Networks for Multi-tenant Service Operations. We are adding PNF service chaining so that devices on each network can communicate with each other, as shown by the purple line.

To configure service chaining for inter-LR traffic:

  1. Onboard an SRX device as the PNF device connected to an existing fabric—you can connect the PNF device to a border spine or a border leaf.

  2. Assign the PNF service chaining device role to the PNF device and to the border spines or border leaf devices that connect to the PNF device.

  3. Connect the PNF to the fabric using a PNF service template.

  4. Connect the right and left LRs by configuring VLANs and EBGP peering between the PNF and the LRs using a PNF service instance.

Onboard an SRX Services Gateway as the PNF Device

This section shows how to use Contrail Command to integrate an SRX device into our data center fabric to serve as a PNF device.

This configuration assumes that you have already created your fabric. You must use the Brownfield Wizard to onboard the PNF device. You can’t onboard a PNF using the Greenfield Wizard.

SRX clusters are not supported for PNF service chaining.

To selectively onboard an SRX Series router as a PNF device onto an existing fabric:

  1. Select Infrastructure > Fabrics, and then select the fabric to which you want to add the SRX Series gateway.
  2. Select Action > Brownfield Wizard.
  3. On the Create Fabric screen, configure the Management subnet, then select Additional Configuration, and enter the PNF ServiceChain subnets.

    In this example, we are assigning 10.1.1.15/32 as the Management subnet and 10.100.0.0/24 as the PNF ServiceChain subnet. The Management subnet is used to search for the device. The PNF ServiceChain subnet is used to establish the EBGP session between the PNF device and the spine.

    Screenshot of Contrail Command UI showing Create Fabric step in network fabric configuration. Admin user with CIDR block 10.100.0.0/24 entered.

    | Field | Value |
    |---|---|
    | Name | DC1 |
    | Overlay ASN | 64532 |
    | Node Profile | Select the SRX device |
    | VLAN-ID Fabric-Wide Significance | Check box |
    | Management subnets (used to search for the device) | 10.1.1.15 |
    | PNF ServiceChain subnets (subnet used to establish EBGP session between the PNF device and the spine) | 10.200.0.0/24 |

  4. Click Next, and then click Finish.

Assign Device Roles for the PNF Device

In this procedure we will assign the PNF service chaining role for the spine or border leaf devices that connect to the PNF.

To assign roles:

  1. On the Fabric Devices summary screen, select the PNF device, and then select Action > Reconfigure Roles.
    Juniper Contrail Command interface showing Fabric Devices section under Infrastructure tab, listing network devices with status, name, management IP, loopback IP, vendor, product name, role, and routing details. Navigation menu on the left sidebar includes Monitoring, Infrastructure, and more. Action dropdown for managing devices and right panel displays network namespaces and placeholders for network intent and device credentials.
  2. Next to the PNF device, select Assign Roles.
    User interface for assigning a device role with dropdowns for Physical Role set to pnf and Routing Bridging Roles set to PNF-Servicechain. Buttons: Cancel and Assign.
  3. Set the Physical Role to pnf and the Routing Bridging Roles to PNF-Servicechain, and then click Assign.

Create a PNF Service Template

The service template provides Contrail Command with information about how the PNF device attaches to the spine or border leaf device. In our example, we are using the following interface numbers:

Network topology diagram with service chaining using a Juniper SRX Series as PNF. Shows routing from left and right Border Leafs to SRX, including interfaces xe-2/2/1, xe-0/0/34:0, xe-2/2/2.

To create a PNF service template:

  1. Click Services > Catalog.

    The VNF Service Instances page is displayed.

  2. Click the PNF tab.

    The Create PNF Service Template page is displayed.

  3. Click Create and select Instance (with Template) from the list that appears.
    Creating PNF Service Template in Contrail Command Step 1 with fields for service name, PNF device, interfaces, and attachment points. Sidebar shows service options.
  4. Enter the following information in the PNF Service Template pane and click Create.

    | Field | Value |
    |---|---|
    | Name | PNF |
    | PNF Device | vSRX1-05 |
    | PNF Left Interface | ge-0/0/0 |
    | PNF Left Fabric | DC1 |
    | PNF Left Attachment Points (attachment points on the spine or border leaf) | Specify how the spine or border leaf device attaches to the left interface of the PNF device. Physical Router: QFX1-05. Left Interface: xe-0/0/1. |
    | PNF Right Interface | ge-0/0/1 |
    | PNF Right Fabric | DC1 |
    | PNF Right Attachment Points (attachment points on the spine or border leaf) | Specify how the spine or border leaf device attaches to the right interface of the PNF device. Physical Router: QFX2-06. Right Interface: xe-0/0/2. |

  5. Click Next and the PNF service instance configuration screen appears.

A PNF service instance defines how logical routers are interconnected and how BGP reachability is exchanged between the PNF and the logical routers. The configuration includes VLANs that are created between the PNF and the logical routers along with EBGP peering.

Figure 4: Completed PNF Configuration. Network topology with service chaining between two logical routers on spines with AS 64512. SRX device acts as PNF. VLAN 201 connects left router via xe-2/2/1, VLAN 202 connects right router via xe-2/2/2, using EBGP.

To create a PNF Service Instance:

  1. Navigate to Services > Deployments, and select the PNF tab.

    The PNF Service Instances screen displays.

  2. Select Create Instance.

    Configure the screen as shown here:

    Configuration interface for creating a PNF Service Instance in Contrail Command. Name: Spine-to-PNF. Service Template: PNF-template. PNF eBGP ASN: 65231. Interface Types: Left - LR1, Right - LR2. PNF BGP Peer ASN: 64512. Left Service VLAN: 201. Right Service VLAN: 202. Options to Create or Cancel.
  3. Enter the following information in the PNF Service Template pane and click Create.

    | Field | Value |
    |---|---|
    | Name | Spine-to-PNF |
    | Service Template | PNF-template |
    | PNF eBGP ASN | 65231 |
    | Left Tenant Logical Router | LR1-Green |
    | PNF Left BGP Peer ASN | 64512 |
    | Left Service VLAN (VLAN between the PNF and the LR1) | 201 |
    | Right Tenant Logical Router | LR2-Green |
    | Right BGP Peer ASN | 64512 |
    | Right Service VLAN (VLAN between the PNF and LR2) | 202 |
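
The values entered in the fabric and service instance screens can be sanity-checked before they are submitted. The following Python sketch is an added example, not part of Contrail Command or the original procedure; the function name `validate_pnf_service_instance` and the dictionary keys are hypothetical, and the VLAN, logical router and subnet separation checks are assumptions about a sound design rather than documented product rules.

```python
import ipaddress

# Values from this page's example; the dict keys are names chosen for this sketch.
PAGE_EXAMPLE = {
    "management_subnet": "10.1.1.15/32",
    "servicechain_subnet": "10.100.0.0/24",
    "pnf_ebgp_asn": 65231,
    "left": {"lr": "LR1-Green", "peer_asn": 64512, "service_vlan": 201},
    "right": {"lr": "LR2-Green", "peer_asn": 64512, "service_vlan": 202},
}


def validate_pnf_service_instance(plan):
    """Return a list of problems in a planned PNF service instance (empty = none)."""
    problems = []
    left, right = plan["left"], plan["right"]
    for name, side in (("left", left), ("right", right)):
        # EBGP is by definition a session between two different AS numbers.
        if side["peer_asn"] == plan["pnf_ebgp_asn"]:
            problems.append(f"{name}: peer ASN equals PNF ASN, session would not be EBGP")
        # 802.1Q VLAN IDs 0 and 4095 are reserved.
        if not 1 <= side["service_vlan"] <= 4094:
            problems.append(f"{name}: service VLAN {side['service_vlan']} outside 1-4094")
    # Assumption: each side needs its own VLAN and LR so traffic must cross the firewall.
    if left["service_vlan"] == right["service_vlan"]:
        problems.append("left and right service VLANs are identical")
    if left["lr"] == right["lr"]:
        problems.append("left and right logical routers are identical")
    # Assumption: management addressing stays separate from the EBGP peering subnet.
    mgmt = ipaddress.ip_network(plan["management_subnet"], strict=False)
    chain = ipaddress.ip_network(plan["servicechain_subnet"], strict=False)
    if mgmt.overlaps(chain):
        problems.append(f"management subnet {mgmt} overlaps service chain subnet {chain}")
    return problems


if __name__ == "__main__":
    for problem in validate_pnf_service_instance(PAGE_EXAMPLE) or ["no problems found"]:
        print(problem)
```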