Example: Creating an In-Network or In-Network-NAT Service Chain

Creating an In-Network or In-Network-NAT Service Chain

To create an in-network or in-network-nat service chain:

1. Create a left and a right virtual network. Select Configure > Networking > Networks and create left_vn and right_vn; see Figure 1.

   Figure 1: Create Networks

2. Configure a service template for an in-network service template for NAT. Navigate to Configure > Services > Service Templates and click the Create button on Service Templates. The Add Service Template window appears; see Figure 2.

   Figure 2: Add Service Template

   Table 1: Add Service Template Fields

   Field	Description
   Name	Enter a name for the service template.
   Service Mode	Select the service mode: In-Network (for firewall service), In-Network-NAT (for NAT service), or Transparent.
   Service Scaling	If you will be using multiple virtual machines for a single service instance to scale out the service, select the Service Scaling check box. When scaling is selected, you can choose to use the same IP address for a particular interface on each virtual machine interface or to allocate new addresses for each virtual machine. For a NAT service, the left (inner) interface should have the same IP address, and the right (outer) interface should have a different IP address.
   Image Name	Select from a list of available images the image for the service. Note: Only images that have been tagged as public in Glance will appear in the drop-down list.
   Interface Types	Select the interface type or types for this service: For firewall or NAT services, both Left Interface and Right Interface are required. For an analyzer service, only a Left Interface is required. For Juniper Networks virtual images, Management Interface is also required, in addition to any left or right requirement.

3. On Add Service Template, complete the following for the in-network service template:

   • Name: nat-template

   • Service Mode: In-Network

   • Service Scaling: Select from Advanced

   • Image Name: nat-service

   • Interface Types: Select Left Interface and Right Interface. For Juniper Networks virtual images, select Management Interface as the first interface.

   • The Left Interface will be automatically marked for sharing the same IP address

4. If multiple instances are to be launched for a particular service instance, select the Service Scaling check box, which enables the Shared IP feature. Figure 3 shows the Left interface selected, with the Shared IP check box selected, so the left interface will share the IP address.

   Note:

   The Shared IP for Service Scaling is an internal infrastructure feature used only for service scaling, it cannot be used for other features.

   Figure 3: Add Service Template Shared IP

5. Click Save.

   The service template is created and appears on the Service Templates screen, see Figure 4.

   Figure 4: Service Templates

6. Create the service instance. Navigate to Configure > Services > Service Instances, and click Create, then select the template to use and select the corresponding left, right, or management networks; see Figure 5.

   Figure 5: Create Service Instances

   Table 2: Create Service Instances Fields

   Field	Description
   Instance Name	Enter a name for the service instance.
   Services Template	Select from a list of available service templates the service template to use for this instance.
   Number of Instances	If scaling is enabled, enter a value in the Number of Instances field to define the number of instances of service virtual machines to launch.
   Interface List and Virtual Networks	An ordered list of interfaces as defined in the Service Template. If you are using the Management Interface, select Auto Configured. The software will use an internally-created virtual network. For Left Interface , select left_vn and for Right Interface, select right_vn.

7. If static routes are enabled for specific interfaces, open the Static Routes field below each enabled interface and enter the static route address details; see Figure 6.

   Figure 6: Create Service Instances

8. The console for the service instances can be viewed. At Configure > Services > Service Instances, click the arrow next to the name of the service instance to reveal the details panel for that instance, then click View Console to see the console details; see Figure 7 and Figure 8.

   Figure 7: Service Instance Details
   Figure 8: Service Instance Console

9. Configure the network policy. Navigate to Configure > Networking > Policies.

   • Name the policy and associate it with the networks created earlier: left_vn and right_vn.

   • Set source network as left_vn and destination network as right_vn.

   • Select Apply Service and select the service (nat-ecmp).

   Figure 9: Create Policy

10. Associate the policy with both the left_vn and the right_vn. Navigate to Configure > Networking > Network.

    • On the right side of left_vn, click the gear icon to enable Edit Network.

    • In the Edit Network dialog box for left_vn, select nat-policy in the Network Policy(s) field.

    • Repeat the same process for the right_vn.

    Figure 10: Edit Network

11. Launch virtual machines (from OpenStack) and test the traffic through the service chain by doing the following:

    1. Navigate to Configure > Networking > Policies.

    2. Launch left_vm in virtual network left_vn.

    3. Launch right_vm in virtual network right_vn.

    4. Ping from left_vm to right_vm IP address (2.2.2.252 in Figure 11).

    5. A TCPDUMP on the right_vm should show that packets are NAT-enabled and have the source IP set to 2.2.2.253.

    Figure 11: Launch Instances