Example: Setting Up a VXLAN Layer 2 Gateway and OVSDB Connections in a Contrail Environment (Trunk Interfaces That Support Tagged Packets)
In a physical network, a Juniper Networks switch that supports Virtual Extensible LANs (VXLANs) can function as a hardware virtual tunnel endpoint (VTEP). In this role, the Juniper Networks switch encapsulates in VXLAN packets Layer 2 Ethernet frames received from software applications that run directly on a physical server. The VXLAN packets are tunneled over a Layer 3 transport network. Upon receipt of the VXLAN packets, software VTEPs in the virtual network de-encapsulate the packets and forward the packets to virtual machines (VMs).
In this VXLAN environment, you can also include Contrail controllers and implement the Open vSwitch Database (OVSDB) management protocol on the Juniper Networks switch that functions as a hardware VTEP.
The Junos OS implementation of OVSDB provides a means through which Contrail controllers and Juniper Networks switches can exchange MAC addresses of entities in the physical and virtual networks. This exchange of MAC addresses enables the Juniper Networks switch that functions as a hardware VTEP to forward traffic to software VTEPs in the virtual network and software VTEPs in the virtual network to forward traffic to the Juniper Networks switch in the physical network.
This example explains how to configure a Juniper Networks switch as a hardware VTEP, which serves as a Layer 2 gateway, and set up this switch with an OVSDB connection to a Contrail controller.
In this example, two VXLANs are deployed. Given this scenario, the packets exchanged between the applications that are running on a physical server and the VMs in the VXLANs are tagged. As a result, trunk interfaces, which can handle the tagged packets, are used for the connection between the physical server and the Juniper Networks switch.
Requirements
This example includes the following hardware and software components:
A physical server on which software applications directly run.
A QFX10002 switch running Junos OS Release 15.1X53-D30 or later.
On the Juniper Networks switch, physical interface ge-1/0/0 provides a connection to physical server 1.
A Contrail controller.
A top-of-rack service node (TSN) that handles the replication and forwarding of Layer 2 broadcast, unknown unicast, and multicast (BUM) traffic within the two VXLANs used in this example.
Note:You must explicitly configure the replication of unknown unicast traffic in a Contrail environment.
The Contrail Web user interface.
Two vRouters that include VMs. Each vRouter is managed by a hypervisor, and each hypervisor includes a software VTEP.
All components in the Contrail environment (Contrail controller, TSN, Contrail Web user interface, and vRouters) must be running Contrail Release 2.20 or later.
For information about the Contrail components, see Using TOR Switches and OVSDB to Extend the Contrail Cluster to Other Instances.
Before you begin:
Create an SSL private key and certificate, if they do not already exist. The private key and certificate must be installed in the /var/db/certs directory of the Juniper Networks switch. See Creating and Installing an SSL Key and Certificate on a Juniper Networks Device for Connection with SDN Controllers.
Overview and Topology
Figure 1 shows a topology in which a software application running directly on physical server 1 in the physical network needs to communicate with virtual machine VM 1 in VXLAN 1, and vice versa; and another software application on physical server 1 needs to communicate with virtual machines VM 3 and VM 4 in VXLAN 2, and vice versa. To enable this communication, a Juniper Networks switch is configured as hardware VTEP 1. Further, the Juniper Networks switch is connected to a Contrail controller by way of management interface em0 on the switch.
Some entities in the VXLAN-OVSDB topology must be configured in both the Contrail Web user interface and on the Juniper Networks switch. Table 1 provides a summary of the entities that must be configured and where they must be configured.
The term used for an entity that is configured in the Contrail Web user interface can differ from the term used for essentially the same entity that is configured on the Juniper Networks switch. To prevent confusion, Table 1 shows the Contrail Web user interface and the Junos OS entities side by side.
Entity |
Entity to Be Configured in the Contrail Web User Interface |
Entity to Be Configured on the Juniper Networks Switch |
|---|---|---|
VXLAN 1 VXLAN 2 |
Virtual network for VXLAN 1 Virtual network for VXLAN 2 |
VXLAN 1 VXLAN 2 Note:
The Juniper Networks switch dynamically configures these VXLANs. |
Physical interface ge-1/0/0 between physical server 1 and Juniper Networks switch |
– |
OVSDB management. Specify that interface ge-1/0/0 is managed by OVSDB. |
One logical interface (ge-1/0/0.10) associated with VXLAN 1 One logical interface (ge-1/0/0.20) associated with VXLAN 2 |
One logical interface for VXLAN 1. For this interface, specify VLAN ID 10. One logical interface for VXLAN 2. For this interface, specify VLAN ID 20. Note:
A VLAN ID from 3 through 4000 indicates that the interface must handle tagged packets. |
One logical interface (ge-1/0/0.10) for VXLAN 1. One logical interface (ge-1/0/0.20) for VXLAN 2. Note:
The Juniper Networks switch dynamically configures these logical interfaces. |
Juniper Networks switch (hardware VTEP 1) |
Physical router |
Hardware VTEP functionality. Configure the Juniper Networks switch to function as a hardware VTEP. |
Based on the configuration of the entities in the Contrail Web user interface as described in Table 1, the Juniper Networks switch dynamically creates VXLANs 1 and 2 and their associated logical interfaces. Table 2 provides the relevant Contrail Web user interface configuration and the resulting VXLANs and associated logical interfaces that the Juniper Networks switch dynamically configures.
Contrail Web User Interface Configuration: Virtual Network and Logical Interface |
VXLANs and Associated Logical Interfaces Dynamically Configured By Juniper Networks Switch |
|---|---|
Virtual network configuration: UUID: Contrail-28805c1d-0122-495d-85df-19abd647d772 VXLAN Identifier: 100 Logical Interface configuration: VLAN ID: 10 |
For VXLAN 1: set vlans Contrail-28805c1d-0122-495d-85df-19abd647d772 vxlan vni 100 For associated logical interface ge-1/0/0.10: set interfaces ge-1/0/0 flexible-vlan-tagging set interfaces ge-1/0/0 encapsulation extended-vlan-bridge set interfaces ge-1/0/0 unit 10 vlan-id 10 set vlans Contrail-28805c1d-0122-495d-85df-19abd647d772 interfaces ge-1/0/0.10 |
Virtual network configuration: UUID: Contrail-9acc24b3-7b0a-4c2e-b572-3370c3e1acff VXLAN Identifier: 200 Logical Interface configuration: VLAN ID: 20 |
For VXLAN 2: set vlans Contrail-9acc24b3-7b0a-4c2e-b572-3370c3e1acff vxlan vni 200 For associated logical interface ge-1/0/0.20: set interfaces ge-1/0/0 flexible-vlan-tagging set interfaces ge-1/0/0 encapsulation extended-vlan-bridge set interfaces ge-1/0/0 unit 20 vlan-id 20 set vlans Contrail-9acc24b3-7b0a-4c2e-b572-3370c3e1acff interfaces ge-1/0/0.20 |
In the Contrail environment, a numerical value that identifies a VXLAN is known as a VXLAN identifier. In the Junos OS environment, the same numerical value is known as a VXLAN network identifier (VNI).
For VXLANs 1 and 2, the Juniper Networks switch uses the UUIDs and VXLAN Identifier values that were provided for the corresponding virtual networks.
In the logical interface configurations in the Contrail Web user interface, VLAN ID values 10 and 20 and virtual network mappings are specified. As a result, the Juniper Networks switch creates logical interfaces ge-1/0/0.10 and ge-1/0/0.20, respectively. Both of these logical interfaces function as trunk interfaces that handle tagged packets. The Juniper Networks switch also maps the logical interfaces ge-1/0/0.10 and ge-1/0/0.20 to their respective VXLANs.
Based on the configurations generated by the Juniper Networks switch, interface ge-1/0/0.10 accepts packets with a VLAN tag of 10 from VXLAN 1, and interface ge-1/0/0.20 accepts packets with a VLAN tag of 20 from VXLAN 2. On receiving packets from VXLAN 1, a VLAN tag of 100 is added to the packets, and a VLAN tag of 200 is added to packets from VXLAN 2. These tags are added to the respective packet streams to map the VLAN ID in a particular VXLAN to the corresponding VNI.
Topology
Table 3 provides a summary of the components that are configured on the Juniper Networks switch. Unless noted, all configurations are performed manually in the Junos OS CLI.
Components |
Settings |
|---|---|
Contrail controller |
IP address: 10.94.184.1 |
OVSDB-managed interface |
Interface name: ge-1/0/0 |
VXLAN 1 and associated logical interface |
Note:
The Juniper Networks switch dynamically configures the VXLAN and associated logical interface, which are based on the virtual network and associated logical interface configurations in the Contrail Web user interface. Therefore, no manual configuration is required. VXLAN name: Contrail-28805c1d-0122-495d-85df-19abd647d772 VNI: 100 Logical interface name: ge-1/0/0.10 VLAN ID: 10 Interface type: trunk |
VXLAN 2 and associated logical interface |
Note:
The Juniper Networks switch dynamically configures the VXLAN and associated logical interface, which are based on the virtual network and associated logical interface configurations in the Contrail Web user interface. Therefore, no manual configuration is required. VXLAN name: Contrail-VXLAN 9acc24b3-7b0a-4c2e-b572-3370c3e1acff VNI: 200 Logical interface name: ge-1/0/0.20 VLAN ID: 20 Interface type: trunk |
OVSDB tracing operations |
Filename: /var/log/ovsdb File size: 10 MB Flag: All |
Hardware VTEP functionality |
Hostname: hw-vtep1 Source interface: loopback (lo0.0) Source IP address: 10.17.17.17/32 |
Handling of Layer 2 BUM traffic within VXLAN Contrail-28805c1d-0122-495d-85df-19abd647d772 and Contrail-VXLAN 9acc24b3-7b0a-4c2e-b572-3370c3e1acff |
TSN Note:
By default, one or more TSNs handle Layer 2 BUM traffic within a VXLAN; therefore, no configuration is required. |
Hardware VTEP source identifier |
Source interface: loopback (lo0.0) Source IP address: 10.17.17.17/32 |
OVSDB tracing operations |
Filename: /var/log/ovsdb File size: 10 MB Flag: All |
Non-OVSDB and Non-VXLAN Configuration
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your configuration, copy and
paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
set interfaces ge-1/0/9 unit 0 family inet address 10.40.40.1/24 set routing-options static route 10.19.19.19/32 next-hop 10.40.40.2 set routing-options router-id 10.17.17.17 set protocols ospf area 0.0.0.0 interface lo0.0 set protocols ospf area 0.0.0.0 interface ge-1/0/9.0
Procedure
Step-by-Step Procedure
To configure the Layer 3 network over which the packets exchanged between the physical servers and VMs are tunneled:
Configure the Layer 3 interface.
[edit interfaces] user@switch# set ge-1/0/9 unit 0 family inet address 10.40.40.1/24
Set the routing options.
user@switch# set static route 10.19.19.19/32 next-hop 10.40.40.2 user@switch# set router-id 10.17.17.17
Configure the routing protocol.
[edit protocols] user@switch# set ospf area 0.0.0.0 interface lo0.0 user@switch# set ospf area 0.0.0.0 interface ge-1/0/9.0
OVSDB and VXLAN Configuration
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your configuration, copy and
paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
set system host-name hw-vtep1 set switch-options ovsdb-managed set protocols ovsdb controller 10.94.184.1 set protocols ovsdb interfaces ge-1/0/0 set protocols ovsdb traceoptions file ovsdb set protocols ovsdb traceoptions file size 10m set protocols ovsdb traceoptions flag all set interfaces lo0 unit 0 family inet address 10.17.17.17/32 primary set interfaces lo0 unit 0 family inet address 10.17.17.17/32 preferred set switch-options vtep-source-interface lo0.0
Procedure
Step-by-Step Procedure
To configure the Juniper Networks switch as a hardware VTEP with an OVSDB connection to the Contrail controller:
Configure a unique hostname for the Juniper Networks switch.
[edit system] user@switch# set host-name hw-vtep1
Enable the Juniper Networks switch to dynamically configure OVSDB-managed VXLANs and associated interfaces.
[edit switch-options] user@switch# ovsdb-managed
Configure a connection with the Contrail controller.
[edit protocols] user@switch# set ovsdb controller 10.94.184.1
Specify that the interface between hardware VTEP 1 and physical server 1 is managed by OVSDB.
[edit protocols] user@switch# set ovsdb interfaces ge-1/0/0
Set up OVSDB tracing operations.
[edit protocols] user@switch# set ovsdb traceoptions file ovsdb user@switch# set ovsdb traceoptions file size 10m user@switch# set ovsdb traceoptions flag all
Specify an IP address for the loopback interface. This IP address serves as the source IP address in the outer header of any VXLAN-encapsulated packet.
[edit interfaces] user@switch# set lo0 unit 0 family inet address 10.17.17.17/32 primary user@switch# set lo0 unit 0 family inet address 10.17.17.17/32 preferred
-
Set the loopback interface as the interface that identifies hardware VTEP 1.
[edit switch-options] user@switch# set vtep-source-interface lo0.0
In the Contrail Web user interface, configure a virtual network for VXLAN 1 and a virtual network for VXLAN 2. See Contrail Configuration for Juniper Networks Devices That Function as Hardware VTEPs.
In the Contrail Web user interface, configure a logical interface for each of the virtual networks that you created in Step 8. See Contrail Configuration for Juniper Networks Devices That Function as Hardware VTEPs.
In the Contrail Web user interface, configure a physical router, which enables the Contrail controller to recognize the Juniper Networks switch as a VTEP. See Contrail Configuration for Juniper Networks Devices That Function as Hardware VTEPs.
Verification
Confirm that the configuration is working properly:
- Verifying the Logical Switch Configuration
- Verifying the MAC Addresses of VM 1, VM 3, and VM 4
- Verifying the Contrail Controller Connection
- Verifying the OVSDB-Managed Interface
Verifying the Logical Switch Configuration
Purpose
In the Contrail Web user interface, you configured
a virtual network for VXLAN 1 and a virtual network for VXLAN 2. Using
the same terminology as in the OVSDB schema for physical devices,
a virtual network is also known as a logical switch. Verify that the configuration of the logical switches with the
UUIDs of Contrail-28805c1d-0122-495d-85df-19abd647d772 and Contrail-9acc24b3-7b0a-4c2e-b572-3370c3e1acff
are present in the OVSDB schema and that the Flags field for each
logical switch is Created by both.
Action
Issue the show ovsdb logical-switch command.
user@switch> show ovsdb logical-switch Logical switch information: Logical Switch Name: Contrail-28805c1d-0122-495d-85df-19abd647d772 Flags: Created by both VNI: 100 Num of Remote MAC: 1 Num of Local MAC: 0 Logical Switch Name: Contrail-9acc24b3-7b0a-4c2e-b572-3370c3e1acff Flags: Created by both VNI: 200 Num of Remote MAC: 2 Num of Local MAC: 0
Meaning
The output verifies that the configurations for the
logical switches are present. The Created by both state
indicates that the logical switches were configured in the Contrail
Web user interface, and that the Juniper Networks switch dynamically
created the corresponding VXLANs. In this state, the virtual networks
and VXLANs are operational.
If the state of the logical switches is something other than Created by both, see Troubleshooting a Nonoperational Logical Switch and Corresponding Junos OS OVSDB-Managed VXLAN.
Verifying the MAC Addresses of VM 1, VM 3, and VM 4
Purpose
Verify that the MAC addresses of VM 1, VM 3, and VM 4 are present in the OVSDB schema.
Action
Issue the show ovsdb mac remote operational
mode command.
user@switch> show ovsdb mac remote Logical Switch Name: Contrail-28805c1d-0122-495d-85df-19abd647d772 Mac IP Encapsulation Vtep Address Address Address a8:59:5e:f6:38:90 0.0.0.0 Vxlan over Ipv4 10.17.17.17 Logical Switch Name: Contrail-9acc24b3-7b0a-4c2e-b572-3370c3e1acff Mac IP Encapsulation Vtep Address Address Address 00:23:9c:5e:a7:f0 0.0.0.0 Vxlan over Ipv4 10.17.17.17 00:23:9c:5e:a7:f0 0.0.0.0 Vxlan over Ipv4 10.17.17.17
Meaning
The output shows that the MAC addresses for VM 1, VM 3, and VM 4 are present and are associated with their respective logical switches. Given that the MAC addresses are present, VM 1, VM 3, and VM 4 are reachable through the Juniper Networks switch, which functions as a hardware VTEP.
Verifying the Contrail Controller Connection
Purpose
Verify that the connection with the Contrail controller is up.
Action
Issue the show ovsdb controller operational
mode command to verify that the Contrail controller connection state
is up.
user@switch> show ovsdb controller VTEP controller information: Controller IP address: 10.94.184.1 Controller protocol: ssl Controller port: 6632 Controller connection: up Controller seconds-since-connect: 542325 Controller seconds-since-disconnect: 542346 Controller connection status: active
Meaning
The output shows that the state of the connection is up, in addition to other information about the connection.
By virtue of this connection being up, OVSDB is enabled on the Juniper
Networks switch.
Verifying the OVSDB-Managed Interface
Purpose
Verify that interface ge-1/0/0 is managed by OVSDB.
Action
Issue the show ovsdb interface operational
mode command, and verify that interface ge-1/0/0 is managed by OVSDB.
user@switch> show ovsdb interface Interface VLAN ID Bridge-domain ge-1/0/0 10 Contrail-28805c1d-0122-495d-85df-19abd647d772 ge-1/0/0 20 Contrail-9acc24b3-7b0a-4c2e-b572-3370c3e1acff
Meaning
The output shows that interface ge-1/0/0 is managed
by OVSDB. It also indicates that the interface is associated with
VXLAN Contrail-28805c1d-0122-495d-85df-19abd647d772, which has a VLAN ID of 10, and VXLAN Contrail-9acc24b3-7b0a-4c2e-b572-3370c3e1acff, which
has a VLAN ID of 20.