
[NFX] Sample configuration for spinning up a VNF between the L2 and L3 interfaces


Article ID: KB34913 KB Last Updated: 30 Sep 2019 Version: 1.0
Summary:

This article shows, with an example, how to spin up a Virtual Network Function (VNF) whose ingress is through the L2 interface and whose egress is through the L3 interface.

Symptoms:

The requirement is to configure a VNF, where ingress is via L2 ethernet-switching and egress is via the L3 inet interface.

Solution:

The example scenario is best described by using the following illustration:

In this example, we will use an NFX250-Next Gen device that is running on nfx-3 software.

  • The ASA VNF will have its eth2 VNF interface mapped to the front panel physical interface ge-0/0/0, whereas the eth3 VNF interface will connect through the OVS bridge, and then traverse through ge-1/0/0. ge-1/0/0 is an interface that connects the OVS bridge with the L3 FPC1 flowd RE.

  • The egress packet will then exit interface ge-1/0/1, go back to OVS, and then traverse through the WAN port at ge-0/0/9.

  • The ingress packet will enter ge-0/0/0 by using vlan 100. The JCP trunk interface, sxe-0/0/0, will allow vlan 100 through, and the ASA VNF will then have vlan 100 applied to its VNF interface.

  • The packet egresses the VNF through vlan 150 on VNF interface eth3. The packet traverses through the OVS bridge and goes through interface ge-1/0/0 via vlan 150 on FPC1 flowd RE. The interface ge-1/0/0 will be an inet interface with vlan-tagging applied, with vlan 150.

  • The packet egresses flowd on vlan 200 through interface ge-1/0/1. It traverses through the OVS bridge to the JCP trunk interface sxe-0/0/1, which allows vlan 200 through. 

  • The packet egresses through the L2 interface ge-0/0/9, on vlan 200, and then to its destination out the front panel.

 

Sample Configuration (NFX250-NG running Junos OS release 19.1R1):

set security policies default-policy permit-all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces all
 
set vlans lan_vlan100 vlan-id 100
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members lan_vlan100
set interfaces sxe-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces sxe-0/0/0 unit 0 family ethernet-switching vlan members lan_vlan100
set vmhost vlans vlan100 vlan-id 100
set vmhost vlans vlan150 vlan-id 150
set virtual-network-functions asa image /var/public/asa.img
set virtual-network-functions asa image image-type raw
set virtual-network-functions asa virtual-cpu 0 physical-cpu 2
set virtual-network-functions asa virtual-cpu count 1
set virtual-network-functions asa interfaces eth2 mapping vlan mode trunk
set virtual-network-functions asa interfaces eth2 mapping vlan members vlan100
set virtual-network-functions asa interfaces eth3 mapping vlan mode trunk
set virtual-network-functions asa interfaces eth3 mapping vlan members vlan150
set virtual-network-functions asa memory size 1048576
set virtual-network-functions asa memory features hugepages
set interfaces ge-1/0/0 vlan-tagging
set interfaces ge-1/0/0 unit 0 vlan-id 150
set interfaces ge-1/0/0 unit 0 family inet address 150.150.150.1/30
 
set vmhost virtualization-options interfaces ge-1/0/1
set interfaces ge-1/0/1 vlan-tagging
set interfaces ge-1/0/1 unit 0 vlan-id 200
set interfaces ge-1/0/1 unit 0 family inet address 200.200.200.1/30
set vlans wan_vlan200 vlan-id 200
set interfaces sxe-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces sxe-0/0/1 unit 0 family ethernet-switching vlan members wan_vlan200
set interfaces ge-0/0/9 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members wan_vlan200
 
set routing-options static route 100.100.100.0/24 next-hop 150.150.150.2
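
The sample's security statements permit all traffic, and its VLAN names live in two separate namespaces (`set vlans` for the JCP interfaces, `set vmhost vlans` for the VNF interfaces). The following audit script is an added example, not Juniper's code or part of the original article; it flags both kinds of issue in a set-style configuration, and the `eth4`/`vlan300` line in its sample input is constructed for illustration.

```python
import re

# Excerpt of the article's sample configuration, plus one constructed line
# (eth4 -> vlan300) that references a VLAN that is never defined.
SAMPLE = """\
set security policies default-policy permit-all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces all
set vlans lan_vlan100 vlan-id 100
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members lan_vlan100
set interfaces sxe-0/0/0 unit 0 family ethernet-switching vlan members lan_vlan100
set vmhost vlans vlan100 vlan-id 100
set vmhost vlans vlan150 vlan-id 150
set virtual-network-functions asa interfaces eth2 mapping vlan members vlan100
set virtual-network-functions asa interfaces eth3 mapping vlan members vlan150
set virtual-network-functions asa interfaces eth4 mapping vlan members vlan300
"""

PERMISSIVE = [  # statements that leave the flowd security layer wide open
    (r"^set security policies default-policy permit-all$", "default policy permits all traffic"),
    (r"^set security zones security-zone \S+ host-inbound-traffic (system-services|protocols) all$",
     "zone accepts all host-inbound traffic"),
    (r"^set security zones security-zone \S+ interfaces all$", "zone is bound to every interface"),
]

def audit(config):
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    text = "\n".join(lines)
    findings = []
    # Two VLAN namespaces, as used in the article: JCP and vmhost (OVS side).
    jcp = dict(re.findall(r"^set vlans (\S+) vlan-id (\d+)$", text, re.M))
    vmhost = dict(re.findall(r"^set vmhost vlans (\S+) vlan-id (\d+)$", text, re.M))
    for line in lines:
        for pattern, why in PERMISSIVE:
            if re.match(pattern, line):
                findings.append(("permissive", line, why))
        m = re.match(r"^set interfaces \S+ unit \d+ family ethernet-switching vlan members (\S+)$", line)
        if m and m.group(1) not in jcp:
            findings.append(("undefined-vlan", line, f"{m.group(1)} not under 'set vlans'"))
        m = re.match(r"^set virtual-network-functions \S+ interfaces \S+ mapping vlan members (\S+)$", line)
        if m and m.group(1) not in vmhost:
            findings.append(("undefined-vlan", line, f"{m.group(1)} not under 'set vmhost vlans'"))
    return findings

if __name__ == "__main__":
    for kind, line, why in audit(SAMPLE):
        print(f"[{kind}] {why}: {line}")
```
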

 