Contrail Platform Developers

Question about service chain in-network mode: does the service VM need a routing lookup?

‎12-05-2017 07:12 AM

Question about service chain in-network mode: does the service VM need a routing lookup if I use vSRX in routed mode as the service VM?

 

Example 1

VM1(VN1 192.168.1.0/24)--------Service VM ----------VM2(VN2 192.168.2.0/24)

Does the service VM in this example need 2 legs? One leg on VN1 and the other on VN2, right? The service VM uses a direct route to route traffic from left to right.

 

Example 2

VM1(VN1 192.168.1.0/24)---------------------VM2(VN1 192.168.1.0/24)

                                                            |

                                                   Service VM

Does the service VM in this example need only one leg? And does the service VM use a direct route to route traffic between the 2 VMs?

 

Example 3

VM1(VN1)------(VN1) Service VM (VN2 export RT INTERNET) -----------SDN-GW--------INTERNET

In this example the service VM needs a default route to the SDN GW. The service VM can have one or two legs, one leg on VN1 and the other on VN2. How do I route traffic to the SDN GW?

Option 1: do we need a default route configured on the service VM with the next hop pointing to the vRouter on the VN2 segment?

Option 2: use BGPaaS peering from the service VM to the vRouter on VN2?

-------------------------------------------------------------------------------------------------

Re: Question about service chain in-network mode: does the service VM need a routing lookup?

‎12-05-2017 08:46 AM
Hi



To the best of my knowledge:



1) Yes, 2 legs, will work just by using directly connected interface routes
on a service VM.



2) Will not work. Service chaining with Contrail is always inter-subnet.



3) In such a scenario you want to set up the service VM so that anything that
comes in from the left is forwarded to the right and vice versa. Filter-based
forwarding can be used to accomplish this.
Best Regards,
PK

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
Twitter: @JuniperTrain
GitHub: https://github.com/pklimai
[Juniper Authorized Education & Support in Russia]
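
The three cases above can be checked with a small model of the service VM's forwarding decision. This is an added example, not part of the thread and not Contrail or vSRX code; the interface names left/right, the reuse of example 1's subnets for example 3, and the documentation address 203.0.113.10 standing in for an Internet host are assumptions.

```python
import ipaddress

# Constructed sample data: the two subnets from example 1, one per service VM leg.
CONNECTED = [("192.168.1.0/24", "left"), ("192.168.2.0/24", "right")]

def lookup(routes, dst):
    """Longest-prefix match: return the egress interface for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def inter_subnet(src, dst, prefixes):
    """Compare the listed prefix that owns src with the one that owns dst."""
    def owner(ip):
        addr = ipaddress.ip_address(ip)
        return next((p for p in prefixes if addr in ipaddress.ip_network(p)), None)
    return owner(src) != owner(dst)

def fbf(in_if):
    """Filter-based forwarding as the reply describes it: left -> right, right -> left."""
    return {"left": "right", "right": "left"}[in_if]

def demo():
    prefixes = [p for p, _ in CONNECTED]
    default_right = CONNECTED + [("0.0.0.0/0", "right")]
    return {
        # Example 1: VM1 -> VM2, the connected routes alone pick the right leg.
        "ex1": lookup(CONNECTED, "192.168.2.10"),
        # Example 2: both VMs sit in 192.168.1.0/24, so the flow is not inter-subnet.
        "ex2_inter_subnet": inter_subnet("192.168.1.10", "192.168.1.20", prefixes),
        # Example 3: an Internet destination matches no connected route.
        "ex3_connected_only": lookup(CONNECTED, "203.0.113.10"),
        # Example 3 with a default route out of the right leg (the question's option 1).
        "ex3_default": lookup(default_right, "203.0.113.10"),
        # Example 3 with FBF: the egress leg depends only on the ingress leg.
        "ex3_fbf": fbf("left"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With the default route in place, return traffic to 192.168.1.10 still leaves on the left leg because the /24 connected route is more specific than the default.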

Re: Question about service chain in-network mode: does the service VM need a routing lookup?

‎12-05-2017 06:37 PM

Hi PK

 

Does your answer mean that the service VM uses routing to forward traffic? For a standard deployment of service chaining, should I make the service VM do routing or FBF from left to right and right to left? If the service VM is a vSRX, does FBF break the firewall and NAT rules?

-------------------------------------------------------------------------------------------------

Re: Question about service chain in-network mode: does the service VM need a routing lookup?

‎12-06-2017 12:55 AM

Hi

For InNetwork / InNetworkNAT service chains - yes, the VNF VM uses routing. NAT and firewall will not break if configured properly.

If you are doing a transparent service chain, then the VM must be in L2 mode.

 

Best Regards,
PK
