Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Example: Creating a Transparent Service Chain

This section provides an example of creating a transparent mode service chain using the Juniper Networks Contrail user interface. Also called bridge mode, transparent mode is used for services that do not modify the packet, such as Layer 2 firewall, Intrusion Detection and Prevention (IDP), and so on. The following service chain example also shows scaling of service instances.

Creating a Transparent Mode Service Chain

To create a transparent mode service chain:

  1. Create a left and a right virtual network. Select Configure > Networking > Networks and create left_vn and right_vn; see Figure 1.

    Figure 1: Create NetworksCreate Networks

  2. Configure a service template for a transparent mode. Navigate to Configure > Services > Service Templates and click the Create button on Service Templates. The Add Service Template window appears; see Figure 2.

    Figure 2: Add Service TemplateAdd Service Template
    Table 1: Add Service Template Fields

    Field

    Description

    Name

    Enter a name for the service template.

    Service Mode

    Select the service mode: In-Network or Transparent.

    Service Scaling

    If you will be using multiple virtual machines for a single service instance to scale out the service, select the Service Scaling check box. When scaling is selected, you can choose to use the same IP address for a particular interface on each virtual machine interface or to allocate new addresses for each virtual machine. For a NAT service, the left (inner) interface should have the same IP address, and the right (outer) interface should have a different IP address.

    Image Name

    Select from a list of available images the image for the service.

    Interface Types

    Select the interface type or types for this service:

    • For firewall or NAT services, both Left Interface and Right Interface are required.

    • For an analyzer service, only Left Interface is required.

    • For Juniper Networks virtual images, Management Interface is also required, in addition to any left or right requirement.

  3. On Add Service Template, complete the following for the transparent mode service template:

    • Name: firewall-template

    • Service Mode: Transparent

    • Service Scaling: Select this.

    • Image Name: vsrx-bridge

    • Interface Types: Select Left Interface, Right Interface, and Management Interface.

    If multiple instances are to be launched for a particular service instance, select the Service Scaling check box, which enables the Shared IP feature.

  4. Click Save.

  5. Create the service instance. Navigate to Configure > Services > Service Instances, and click Create, then select the template to use and select the corresponding left, right, or management networks; see Figure 3.

    Figure 3: Create Service InstancesCreate Service Instances
    Table 2: Create Service Instances Fields

    Field

    Description

    Instance Name

    Enter a name for the service instance.

    Services Template

    Select from a list of available service templates the service template to use for this instance.

    Left Network

    Select from a list of available virtual networks the network to use for the left interface. For transparent mode, select Auto Configured.

    Right Network

    Select from a list of available virtual networks the network to use for the right interface. For transparent mode, select Auto Configured

    Management Network

    If you are using the Management Interface, select Auto Configured. The software will use an internally-created virtual network. For transparent mode, select Auto Configured

  6. If scaling is enabled, enter a value in the Number of Instances field to define the number of instances of service virtual machines to launch; see Figure 4.

    Figure 4: Service Instance DetailsService Instance Details

  7. Next, configure the network policy. Navigate to Configure > Networking > Policies.

    • Name the policy fw-policy.

    • Set source network as left_vn and destination network as right_vn.

    • Check Apply Service and select the service (fw-instance ).

    Figure 5: Create PolicyCreate Policy

  8. Next, associate it to the networks created earlier – left_vn and right_vn. Navigate to Configure > Networking > Policies.

    • On the right side of left_vn, click the gear icon to enable Edit Network.

    • In the Edit Network dialog box for left_vn, select nat-policy in the Network Policy(s) field.

    • Repeat the process for the right_vn.

  9. Next, launch virtual machines (from OpenStack) and test the traffic through the service chain by doing the following:

    1. Navigate to Configure > Networking > Policies.

    2. Launch left_vm in virtual network left_vn.

    3. Launch right_vm in virtual network right_vn.

    4. Ping from left_vm to right_vm IP address (2.2.2.252 in Figure 6).

    5. A TCPDUMP on the right_vm should show that packets have the source IP set to 2.2.2.253.

    Figure 6: Launch InstancesLaunch Instances

Related Documentation