[NFX] Sample configuration for spinning up a VNF between the L2 and L3 interfaces

  [KB34913]


Summary:

This article demonstrates, with an example, how to spin up a Virtual Network Function (VNF) whose ingress is through the L2 interface and whose egress is through the L3 interface.

Symptoms:

The requirement is to configure a VNF, where ingress is via L2 ethernet-switching and egress is via the L3 inet interface.

Solution:

The example scenario is best described by using the following illustration:

In this example, we will use an NFX250-Next Gen device that is running on nfx-3 software.

  • The ASA VNF will have its eth2 VNF interface mapped to the front panel physical interface ge-0/0/0, whereas the eth3 VNF interface will connect through the OVS bridge, and then traverse through ge-1/0/0. ge-1/0/0 is an interface that connects the OVS bridge with the L3 FPC1 flowd RE.

  • The egress packet will then exit interface ge-1/0/1, go back to OVS, and then traverse through the WAN port at ge-0/0/9.

  • The ingress packet will enter ge-0/0/0 on vlan 100. The JCP trunk interface, sxe-0/0/0, will allow vlan 100 through, and the ASA VNF will then have vlan 100 applied to its VNF interface eth2.

  • The packet egresses the VNF through vlan 150 on VNF interface eth3. The packet traverses the OVS bridge and goes through interface ge-1/0/0 via vlan 150 on FPC1 flowd RE. The interface ge-1/0/0 will be an inet interface with vlan-tagging applied, using vlan 150.

  • The packet egresses flowd on vlan 200 through interface ge-1/0/1. It traverses through the OVS bridge to the JCP trunk interface sxe-0/0/1, which allows vlan 200 through. 

  • The packet egresses through the L2 interface ge-0/0/9, on vlan 200, and then to its destination out the front panel.

 

Sample Configuration (NFX250-NG running Junos OS release 19.1R1):

set security policies default-policy permit-all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces all
 
set vlans lan_vlan100 vlan-id 100
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members lan_vlan100
set interfaces sxe-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces sxe-0/0/0 unit 0 family ethernet-switching vlan members lan_vlan100
set vmhost vlans vlan100 vlan-id 100
set vmhost vlans vlan150 vlan-id 150
set virtual-network-functions asa image /var/public/asa.img
set virtual-network-functions asa image image-type raw
set virtual-network-functions asa virtual-cpu 0 physical-cpu 2
set virtual-network-functions asa virtual-cpu count 1
set virtual-network-functions asa interfaces eth2 mapping vlan mode trunk
set virtual-network-functions asa interfaces eth2 mapping vlan members vlan100
set virtual-network-functions asa interfaces eth3 mapping vlan mode trunk
set virtual-network-functions asa interfaces eth3 mapping vlan members vlan150
set virtual-network-functions asa memory size 1048576
set virtual-network-functions asa memory features hugepages
set interfaces ge-1/0/0 vlan-tagging
set interfaces ge-1/0/0 unit 0 vlan-id 150
set interfaces ge-1/0/0 unit 0 family inet address 150.150.150.1/30
 
set vmhost virtualization-options interfaces ge-1/0/1
set interfaces ge-1/0/1 vlan-tagging
set interfaces ge-1/0/1 unit 0 vlan-id 200
set interfaces ge-1/0/1 unit 0 family inet address 200.200.200.1/30
set vlans wan_vlan200 vlan-id 200
set interfaces sxe-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces sxe-0/0/1 unit 0 family ethernet-switching vlan members wan_vlan200
set interfaces ge-0/0/9 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members wan_vlan200
 
set routing-options static route 100.100.100.0/24 next-hop 150.150.150.2
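
The VLAN hand-offs described in the bullets can be checked mechanically against the set commands. The following Python check is an added example, not part of the original article or of any Juniper tool: it rebuilds which interfaces carry VLANs 100, 150 and 200, and flags the statements that permit all traffic (default-policy permit-all, a zone bound to interfaces all, host-inbound-traffic all). It assumes, from the sample itself, that VNF mappings resolve VLAN names defined under "set vmhost vlans" while ethernet-switching interfaces resolve names defined under "set vlans"; audit, SAMPLE and the pattern names are hypothetical.

```python
import re

# Constructed excerpt: the VLAN and security lines of the sample configuration.
SAMPLE = """\
set security policies default-policy permit-all
set security zones security-zone trust interfaces all
set vlans lan_vlan100 vlan-id 100
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members lan_vlan100
set interfaces sxe-0/0/0 unit 0 family ethernet-switching vlan members lan_vlan100
set vmhost vlans vlan100 vlan-id 100
set vmhost vlans vlan150 vlan-id 150
set virtual-network-functions asa interfaces eth2 mapping vlan members vlan100
set virtual-network-functions asa interfaces eth3 mapping vlan members vlan150
set interfaces ge-1/0/0 unit 0 vlan-id 150
set interfaces ge-1/0/1 unit 0 vlan-id 200
set vlans wan_vlan200 vlan-id 200
set interfaces sxe-0/0/1 unit 0 family ethernet-switching vlan members wan_vlan200
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members wan_vlan200
"""

PERMISSIVE = [  # wide-open security statements worth reviewing before deployment
    r"set security policies default-policy permit-all$",
    r"set security zones security-zone \S+ host-inbound-traffic \S+ all$",
    r"set security zones security-zone \S+ interfaces all$",
]
VLAN = r"set (vmhost )?vlans (\S+) vlan-id (\d+)$"
L3 = r"set interfaces (\S+) unit \d+ vlan-id (\d+)$"
L2 = r"set interfaces (\S+) unit \d+ family ethernet-switching vlan members (\S+)$"
VNF = r"set virtual-network-functions (\S+ interfaces \S+) mapping vlan members (\S+)$"

def audit(config):
    """Return ({vlan_id: [interfaces carrying it]}, [findings])."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # Pass 1: VLAN name -> id, keyed per namespace (True = vmhost, False = JCP).
    names = {(bool(m[1]), m[2]): int(m[3]) for m in (re.match(VLAN, l) for l in lines) if m}
    path, findings = {}, []
    for l in lines:  # pass 2: flag permissive lines, place interfaces on VLANs
        if any(re.match(p, l) for p in PERMISSIVE):
            findings.append("permissive: " + l)
        if m := re.match(L3, l):  # L3 sub-interface tagged directly with a VLAN id
            path.setdefault(int(m[2]), []).append(m[1])
        if m := re.match(L2, l) or re.match(VNF, l):
            key = (l.startswith("set virtual-network-functions"), m[2])
            if key in names:
                path.setdefault(names[key], []).append(m[1].replace(" interfaces ", ":"))
            else:
                findings.append("undefined VLAN name: " + l)
    return path, findings
```

Calling audit(SAMPLE) returns the three VLAN segments in the order the bullets walk them, plus one finding per permissive statement; a VNF mapping that names a VLAN defined only under "set vlans" is reported as undefined.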

 