Juniper NFX250 User Manual

Network services platform

JDM User Guide for NFX250 Network Services
Platform
Modified: 2017-09-07
Copyright © 2017, Juniper Networks, Inc.


Summary of Contents for Juniper NFX250

  • Page 1 JDM User Guide for NFX250 Network Services Platform Modified: 2017-09-07 Copyright © 2017, Juniper Networks, Inc.
  • Page 2 END USER LICENSE AGREEMENT The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula/.
  • Page 3: Table Of Contents

    Installation ............19 Managing Software Installation on NFX250 Network Services Platform ..19 Upgrading an Image on the Disaggregated Junos OS Platform .
  • Page 4 Accessing the ipsec-nm from the JDM CLI ......30 Understanding User Accounts .
  • Page 5 Deleting a VNF ..........118
  • Page 6 Configuring Service Chaining Using DHCP Services on VLANs ....155 Example: Configuring Service Chaining Using VLANs on NFX250 Network Services Platform ............156 Example: Configuring Service Chaining Using SR-IOV on NFX250 Network Services Platform .
  • Page 7 ......212
  • Page 9 Architecture Overview ..........3 Figure 1: Position of the Juniper Device Manager ......4 Figure 2: Basic Disaggregated Junos OS Architecture .
  • Page 11 Table 20: Physical CPU Allocation for NFX250-LS1 ..... . . 107 Table 21: Physical CPU Allocation for NFX250 ......108...
  • Page 12 Table 25: show security ike sa Output Fields ......198 Table 26: show security ike sa detail Output Fields .
  • Page 13: About The Documentation

    To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/. If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.
  • Page 14: Merging A Full Example

    If the example configuration does not start at the top level of the hierarchy, the example is a snippet. In this case, use the load merge relative command. These procedures are described in the following sections.
  • Page 15: Documentation Conventions

    Alerts you to the risk of personal injury from a laser. Indicates helpful information. Best practice: Alerts you to a recommended use or implementation. Table 2 on page xvi defines the text and syntax conventions used in this guide.
  • Page 16: Table 2: Text And Syntax Conventions

    Table 2: Text and Syntax Conventions Convention Description Examples Bold text like this Represents text that you type. To enter configuration mode, type the configure command: user@host> configure Fixed-width text like this Represents output that appears on the user@host>...
  • Page 17: Documentation Feedback

    We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods: Online feedback rating system—On any page of the Juniper Networks TechLibrary site http://www.juniper.net/techpubs/index.html , simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience.
  • Page 18: Opening A Case With Jtac

    Find CSC offerings: http://www.juniper.net/customers/support/ Search for known bugs: https://prsearch.juniper.net/ Find product documentation: http://www.juniper.net/documentation/ Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/ Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/...
  • Page 19: Architecture Overview

    PART 1 Architecture Overview Architecture Overview on page 3
  • Page 21: Architecture Overview

    (disaggregation) of the tightly bound Junos OS software and proprietary hardware into virtualized components that can potentially run not only on Juniper Networks hardware, but also, on white boxes or bare-metal servers. In this new architecture, the Juniper Device Manager (JDM) is a virtualized root container that manages software components.
  • Page 22: Figure 1: Position Of The Juniper Device Manager

    Note that some implementations of the basic architecture include a Packet Forwarding Engine as well as the usual Linux platform hardware ports. This allows better integration of the Juniper Networks data plane with the bare-metal hardware of a generic platform. The disaggregated Junos OS architecture enables JDM to handle virtualized network functions such as a firewall or Network Address Translation (NAT) functions.
  • Page 23 This supports the chaining of services as traffic enters and exits the device. JDM provides users with a familiar Junos OS CLI and handles all interactions with underlying Linux kernel to maintain the “look and feel” of a Juniper Networks device. Some of the benefits of the disaggregated Junos OS are: The whole system can be managed like managing a server platform.
  • Page 24: Disaggregated Junos Os Vms

    Cloud computing enables applications to run in a virtualized environment, both for end-user server functions and network functions needed to connect scattered endpoints across a large data center, or even among multiple data centers. Applications and network functions can be implemented by virtualized network functions (VNFs).
  • Page 25: Figure 4: Containers-Overall Architecture

    Shipping containers are standard delivery units that can be loaded, labelled, stacked, lifted, and unloaded by equipment built specifically to handle the containers. No matter what is inside, the container can be handled in a standard
  • Page 26: Understanding Virtio Usage

    fashion, and each container has its own user space that cannot be used by other containers. Although Docker is a popular container management system to run containers on a physical server, there are alternatives such as Drawbridge or Rocket to consider.
  • Page 27: Figure 5: Vnf Bridging With Virtio

    Note that much of the traffic is concentrated on the host OS CPU—more explicitly, on the virtualized internal bridges. Therefore, the host CPU must be able to perform adequately as the device scales.
  • Page 28: Understanding Sr-Iov Usage

    Related Documentation: Understanding Disaggregated Junos OS on page 3; Understanding Physical and Virtual Components on page 12; Disaggregated Junos OS VMs on page 6; Understanding SR-IOV Usage on page 10; Comparing Virtio and SR-IOV on page 11...
  • Page 29: Comparing Virtio And Sr-Iov

    Generally, using virtio is quick and easy. Libvirt is part of every Linux distribution and the commands to establish the bridges are well-understood. However, virtio places all of
  • Page 30: Understanding Physical And Virtual Components

    While support for virtio is nearly universal, support for SR-IOV varies by NIC hardware and platform. The Juniper Networks NFX250 Network Services Platform supports SR-IOV capabilities and allows 16 partitions on each physical NIC port.
  • Page 31: Figure 7: Physical And Virtual Layers In The Disaggregated Junos Os

    SRX device (vSRX) or the Junos Control Plane (JCP). The JCP works with the JDM to make the device resemble a dedicated Juniper Networks platform, but one with a lot more flexibility. Much of this flexibility comes from the ability to support one or more VNFs that implement a virtualized network function (VNF).
  • Page 32: Figure 8: Physical And Virtual Component Communication

    Generally, there are a fixed number of CPU cores, and a finite amount of disk space. But in a virtual environment, resource allocation and use is more complex. Virtual resources such as interfaces, disk space, memory, or cores are parceled out among the VNFs running at the time, as determined by the VNF image.
  • Page 33 Chapter 1: Architecture Overview Understanding SR-IOV Usage on page 10 Comparing Virtio and SR-IOV on page 11
  • Page 35: Installation

    PART 2 Installation Installation on page 19
  • Page 37: Installation

    This topic lists the commands to be used for installing a software package and upgrading an image on NFX250 Network Services Platform and rebooting the NFX250 platform. It also lists the commands to be used for formatting and reverting the system to factory state.
  • Page 38: Upgrading An Image On The Disaggregated Junos Os Platform

    NOTE: The zeroize and clean-install commands work only for primary installation and do not work for backup installation. CAUTION: The zeroize and clean-install commands might remove all user installed software packages, VNF files of the user, and so on. After completing these operations, you must fetch this information and reinstall the software.
  • Page 39 OK version.txt: OK upgrade_platform: Checksum verified and OK... 1528703 blocks upgrade_platform: Staging of /var/tmp/jinstall-nfx-2-junos-15.1X53-D45.3.secure-linux.tgz completed upgrade_platform: System need *REBOOT* to complete the upgrade upgrade_platform: Run upgrade_platform with option -r | --rollback to rollback
  • Page 40 the upgrade Host OS upgrade staged. Reboot the system to complete installation! Rebooting ... System going down for reboot in 30 seconds... System reboot in progress... Shutting down virtual-machines... Waiting for virtual-machines to shutdown, retry = 0...
  • Page 41: Reverting The System To The Factory-Default Configuration

    Reboot the system ? [yes,no] (no) yes System reboot operation started, please wait... System going down for reboot in 30 seconds... System reboot in progress... Shutting down virtual-machines..
  • Page 42 NOTE: The time taken to reboot the system depends on the number of active VNFs. The system is rebooted only after all the active VNFs are shut down. Related Upgrading an Image on the Disaggregated Junos OS Platform on page 20...
  • Page 43: Management

    PART 3 Management Management on page 27 Management Configuration Statements and Operational Commands on page 45
  • Page 45: Management

    Viewing and Managing Centralized Log Files in a Disaggregated Junos OS Platform on page 42 Managing Core Files for a Disaggregated Junos OS Platform on page 43 Synchronizing Time Using NTP on page 44
  • Page 46: Understanding The Jdm Cli

    Junos Device Manager (JDM) can be configured using the JDM CLI. In most cases, you are logged into the JDM CLI by default when you access a disaggregated Junos OS platform.
  • Page 47: Accessing The Jdm Cli

    Accessing the Hypervisor from the JDM CLI To access the Hypervisor from the JDM CLI, enter the ssh hypervisor statement at the JDM CLI prompt: root@jdm> ssh hypervisor Last login: Sun Jan 18 15:01:55 2015 from jdm
  • Page 48: Accessing The Ipsec-Nm From The Jdm Cli

    NOTE: Only a root user can use this option. Accessing the ipsec-nm from the JDM CLI To access the ipsec-nm from the JDM CLI, enter the ssh ipsec-nm statement at the JDM CLI prompt: root@jdm>...
  • Page 49: User Authentication

    NOTE: By default, the TACACS+ port number is set to 49, and the timeout period is set to 5 seconds.
  • Page 50: Understanding Jdm Management Interfaces

    The jmgmt0 interface in a disaggregated Junos OS platform is analogous to the em0, me0, or fxp0 interfaces on a Juniper Networks switch or a router running traditional Junos OS software. To use jmgmt0 as a management port, you must configure a logical interface (jmgmt0.0) on it with a valid IP address.
  • Page 51: In-Band Management Interface

    Configuring the Out-of-Band Management Interface with IPv4 Addressing for JDM on page 34 Configuring the Out-of-Band Management Interface with IPv6 Addressing for JDM on page 34
  • Page 52: For Jdm

    Configuring the Out-of-Band Management Interface with IPv4 Addressing for JDM To configure the management interface with IPv4 addressing: Configure the logical interface and the IP address: root@jdm# set interfaces jmgmt0 unit 0 family inet address ipv4-address/mask Set the default route: root@jdm# set routing-options static route 0.0.0.0/0 nexthop ipv4-address...
  • Page 53: Configuring The In-Band Management Interface For Jdm

    Configure the physical network port as a trunk port: [edit] root# set interfaces interface-name unit 0 family ethernet-switching interface-mode trunk For example: [edit] root# set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk Configure a JCP service port as a trunk port:
  • Page 54: Configuring The Out-Of-Band Management Interface For Hypervisor

    root# set interfaces service-interface-name unit 0 family ethernet-switching interface-mode trunk For example: [edit] root# set interfaces sxe-0/0/0 unit 0 family ethernet-switching interface-mode trunk Configure the management VLAN and add the physical network interface and the service interface as members of the VLAN:.
  • Page 55: Configuring The Out-Of-Band Management Interface With Ipv4 Addressing

    SSH as an access service. To do so: Access the system services SSH configuration: [edit] user@jdm# set system services netconf ssh Configure the TCP port used for NETCONF-over-SSH connections: [edit system services netconf ssh] user@jdm# set port port-number
  • Page 56: Configuring Http Access To The Disaggregated Junos Os Platform

    The configured port only accepts NETCONF-over-SSH connections. Regular SSH connections to the port are ignored. Related Documentation: Understanding the JDM CLI on page 28; Accessing the JDM Shell, JDM CLI, and JCP Prompts in a Disaggregated Junos OS...
  • Page 57: Configuring Snmp On Jdm

    SNMP implementation of JDM and hypervisor. For JCP, see the Junos documentation. On the NFX250 platform, JDM plays the role of the SNMP agent and at the same time it acts as an SNMP proxy for the hypervisor (host OS). When SNMP is configured in JDM, hypervisor also takes the same SNMP configuration.
  • Page 58: Configuring Snmp V3

    In contrast to SNMP version 1 (SNMPv1) and SNMP version 2 (SNMPv2), SNMP version 3 (SNMPv3) supports authentication and encryption. SNMPv3 uses the user-based security model (USM) for message security and the view-based access control model (VACM) for access control.
  • Page 59: Managing Traps

    To enable ipsec-nm: [edit system services] user@jdm# set system services ipsec-nm To disable ipsec-nm: [edit system services] user@jdm# delete system services ipsec-nm NOTE: CPU core 7 is available for use after you delete the ipsec-nm.
  • Page 60: Platform

    NOTE: Ensure that you reboot the system after enabling or disabling the ipsec-nm mode for the changes to take effect. Related Documentation: Understanding Disaggregated Junos OS on page 3. Viewing and Managing Centralized Log Files in a Disaggregated Junos OS Platform: On a disaggregated Junos OS platform, a centralized logging server collects all system logs for all computing entities in the disaggregated Junos OS.
  • Page 61: Managing Core Files For A Disaggregated Junos Os Platform

    To view all core files displayed in JDM, open the core files using Unix commands. The core files are stored in the /var/tmp/corefiles/ directory on Hypervisor. Related Documentation: Viewing and Managing Centralized Log Files in a Disaggregated Junos OS Platform on page 42
  • Page 62: Synchronizing Time Using Ntp

    You can synchronize time on the following components of the NFX platform using Network Time Protocol (NTP): Junos Control Plane (JCP) - JCP runs the NTP server, and synchronizes time using the external NTP servers that are configured.
  • Page 63: Management Configuration Statements And Operational Commands
  • Page 64: Enhanced-Orchestration

    Hierarchy Level [edit system services] Release Information Statement introduced in Junos OS Release 15.1X53-D45 for the NFX250 Network Services Platform. Description An option that toggles between set of configuration options used for the existing VNF configuration options and for the VNF orchestration that is based on vlan-aware bridges.
  • Page 65: Https

    Chapter 4: Management Configuration Statements and Operational Commands https Syntax https; Hierarchy Level [edit system services] Release Information Statement introduced in Junos OS Release 15.1X53-D45 for the NFX250 Network Services Platform. Description Enable HTTPS services. Required Privilege Level system—To view this statement in the configuration...
  • Page 66: Netconf

    { file-name; size file-size; Hierarchy Level [edit system services] Release Information Statement introduced in Junos OS Release 15.1X53-D45 for the NFX250 Network Services Platform. Description Allow NETCONF connections. Options ssh —Allow NETCONF connection over SSH. port-number—Identifier of the service port.
  • Page 67: Ntp

    Hierarchy Level [edit system] Release Information Statement introduced in Junos OS Release 15.1X53-D47 for the NFX250 Network Services Platform. Description Network Time Protocol (NTP) is used to synchronize the system clocks of routers, switches, and other network equipment. It provides the mechanisms to synchronize time and coordinate time distribution in a large, diverse network.
  • Page 68: Outbound-Ssh

    Hierarchy Level [edit system services] Release Information Statement introduced in Junos OS Release 15.1X53-D45 for the NFX250 Network Services Platform. Description Initiate outbound SSH connection. Options client-id—Identifier of a client application that initiates the SSH connection.
  • Page 69: Phone-Home

    Hierarchy Level [edit system services] Release Information Statement introduced in Junos OS Release 15.1X53-D45 for the NFX250 Network Services Platform. Description An option that is used for initial boot up and configuration of the device when the client device is switched on.
  • Page 70: Rest

    Hierarchy Level [edit system services] Release Information Statement introduced in Junos OS Release 15.1X53-D45 for the NFX250 Network Services Platform. Description Allow remote procedure call (RPC) over HTTP or HTTPS connection. Options control—Control of the REST API process.
  • Page 71: System

    { flag [all | configuration | connectivity]; file { file-name; size file-size; http; https; netconf { ssh { port port-number; traceoptions { flag [all | incoming | outgoing]; file { file-name; size file-size;
  • Page 72 Hierarchy Level [edit] Release Information Statement introduced in Junos OS Release 15.1X53-D45 for the NFX250 Network Services Platform. Description Configure system management properties. Options client-id—Identifier of a client application that initiates the SSH connection. address—Address of the client to which the connection must be established.
  • Page 73: Traceoptions

    Hierarchy Level [edit system] Release Information Statement introduced in Junos OS Release 15.1X53-D45 for the NFX250 Network Services Platform. Description An option that is used for the phone-home trace operations. Options traceoptions—Options that are available for the phone-home trace operations.
  • Page 74: Upgrade-Image-Before-Configuration

    Syntax upgrade-image-before-configuration; Hierarchy Level [edit system] Release Information Statement introduced in Junos OS Release 15.1X53-D45 for the NFX250 Network Services Platform. Description An option to upgrade the image before applying the configuration received from the Network Activator. Required Privilege system—To view this statement in the configuration.
  • Page 75: Show Connections

    Syntax show connections Release Information Command introduced in Junos OS Release 15.1X53-D47 for the NFX250 Network Services Platform. Description Displays information such as network connection, function, interface name, and the connection status for the following types of cross-connect:...
  • Page 76 push_pop_cc centos1 eth2 none down centos2 eth3 none swap_cc centos1 eth2 centos2 eth2 uncond_cc centos1 eth2 none centos2 eth2 none vlan_cc centos1 eth2 centos2 eth2
  • Page 77: Show Forwarding-Options Analyzer

    Syntax show forwarding-options analyzer [analyzer-instance-name] Release Information Command introduced in Junos OS Release 15.1X53-D40 for the NFX250 Network Services Platform. Description Displays information about the VNF analyzers that are configured for port mirroring on a disaggregated Junos OS platform.
  • Page 79: Show System Inventory Hardware Cpu

    Syntax show system inventory hardware cpu Release Information Command introduced in Junos OS Release 15.1X53-D40 for the NFX250 Network Services Platform. Description Display system CPU statistics for a disaggregated Junos OS platform. Required Privilege...
  • Page 80 Table 5: show system inventory hardware cpu Output Fields (continued) Field Name Field Description Fields for CPU Statistics User Time The amount of user time, in seconds. The amount of system time, in seconds.
  • Page 81 Virtual Machine vCPU CPU --------------------------- ---- --- vjunos0 vjunos0 vjunos0
  • Page 82: Show System Inventory Hardware Memory

    Syntax show system inventory hardware memory Release Information Command introduced in Junos OS Release 15.1X53-D40 for the NFX250 Network Services Platform. Description Display hardware memory statistics for a disaggregated Junos OS platform. Required Privilege...
  • Page 83 Inventory Memory Information ---------------------------- Virtual Memory: --------------- Total (KiB): 15949116 Used (KiB): 5542256 Free (KiB): 10406860 Percent Used: 28.6 Swap Memory: ------------ Total (KiB): 1249996 Used (KiB): 0 Free (KiB): 1249996 Percent Used: 0.0
  • Page 84: Show System Inventory Hardware Network

    Syntax show system inventory hardware network Release Information Command introduced in Junos OS Release 15.1X53-D40 for the NFX250 Network Services Platform. Description Display details such as MAC address pool and internal IP address range for VNFs and the number of free Virtual Functions available per Physical Function for VNFs for a disaggregated Junos OS platform.
  • Page 85 -------------------- Start MAC Address: 30:7c:5e:4c:3f:54 Range: VNF Internal IP Address Range ----------------------------- Start IP Address: 192.168.1.100 End IP Address: 192.168.1.199 Number of VFs per PF ---------------------------------- Physical Function Virtual Function ----------------- ---------------- hsxe0 hsxe1
  • Page 86: Show System Inventory Hardware Storage

    Syntax show system inventory hardware storage Release Information Command introduced in Junos OS Release 15.1X53-D40 for the NFX250 Network Services Platform. Description Display hardware storage details such as the list of partitions, disk usage per partition, and disk I/O statistics for a disaggregated Junos OS platform.
  • Page 87 -------------------------------------------------------------------------------------- Disk Total (MiB) Used (MiB) Free (MiB) % Used ------------------------------------------- ----------- ----------- ----------- ------ /dev/sda4 1409 58.0 /dev/sda5 5639 5128 /dev/sda2 58.0 /dev/sda1 /dev/sda3 /dev/mapper/vg0_vjunos-lv_junos 9951 3986 5436 40.0 /dev/mapper/vg0_vjunos-lv_var_third_party 94849 5734 84274
  • Page 88 Disk I/O Information -------------------- Read Count: 304501 Write Count: 1176577 Read Bytes: 4199641600 Write Bytes: 16493698560 Read Time: 45528 Write Time: 1181938
  • Page 89: Show System Inventory Software Vnf

    Syntax show system inventory software vnf Release Information Command introduced in Junos OS Release 15.1X53-D40 for the NFX250 Network Services Platform. Description Display the list of the virtual network functions available on a disaggregated Junos OS platform.
  • Page 90: Show System Services Ipsec-Nm

    Syntax show system services ipsec-nm Release Information Command introduced in Junos OS Release 15.1X53-D40 for the NFX250 Network Services Platform. Description Display details such as status and mode of an ipsec-nm docker container for a disaggregated Junos OS platform.
  • Page 92: Show System Visibility Cpu

    Syntax show system visibility cpu Release Information Command introduced in Junos OS Release 15.1X53-D40 for the NFX250 Network Services Platform. Description Display details such as per CPU statistics, per CPU usage, and CPU pinning for a disaggregated Junos OS platform.
  • Page 93 ------ --------- ----------- --------- --------- ----------- ------------------ 11267 4476 395088 14204 5195 392493 413638 413448 412850 413476 11908 4470 395821 413678 413679 413680 413677 413675 CPU Usages ---------------- CPU Id CPU Usage ------ --------- 6.9000000000000004 7.7999999999999998 100.0 4.9000000000000004
  • Page 94 CPU Pinning Information ------------------------------------ Virtual Machine vCPU CPU --------------------------- ---- --- vjunos0
  • Page 95: Show System Visibility Host

    Syntax show system visibility host Release Information Command introduced in Junos OS Release 15.1X53-D40 for the NFX250 Network Services Platform. Description Display details such as the host uptime, number of tasks, CPU statistics, list of disk partitions, disk usage, disk I/O statistics, list of network interfaces, and per port statistics for a disaggregated Junos OS platform.
  • Page 96 Table 12: show system visibility host Output Fields (continued) Field Name Field Description Fields for Host CPU Information User Time The amount of user time, in seconds. The amount of system time, in seconds.
  • Page 97 Host Tasks ---------- Total: Running: Sleeping: 225 Stopped: Zombie: Host CPU Information (Time in sec) ---------------------------------- User Time: 451464 System Time: Idle Time: 4491938 I/O Wait Time: Nice Time: 14378 Interrupt Service Time: 0
  • Page 98 Host Disk Partitions ---------------------------------------------------------------------------------------------------------- Device Mount Point File System Options ----------------------------------------- ---------------- ----------- ---------------------------------- /dev/sda4 ext4 rw,relatime,data=ordered /dev/sda5 /var ext4 rw,relatime,data=ordered /dev/sda2 /boot vfat rw,noatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro /dev/sda1 /boot/efi vfat rw,noatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro /dev/sda3 /app_disk ext4...
  • Page 99 18460 hsxe1 hsxe0 1016 docker0 dcapi-tap 0 sit0 virbr0-nic 0 virbr0 110199537 18210327 290265 298091 vnet3 53436 1024 46845 eth0br 122171753 955407 ctrlbr0 30250640 70328038 371418 1256002 eth1br jdm_jsxe0 4158 vjunos0_em1 4158 jdm_phc 4158
  • Page 100: Show System Visibility Jcp

    Syntax show system visibility jcp Release Information Command introduced in Junos OS Release 15.1X53-D40 for the NFX250 Network Services Platform. Description Display details such as CPU statistics, memory usage, internal IP address, list of network interfaces, interface statistics, and the list of disks for Junos VM.
  • Page 101 The type of disk. File The path to the disk. Sample Output show system visibility jcp user@jdm> show system visibility jcp JCP CPU Statistics (Time in sec) ----------------------------- CPU Time: 21435526 System Time: 4981660
  • Page 102 User Time: 780770 JCP Memory Usage ---------------- Maximum Memory (KiB): 200089 Used Memory (KiB): 200089 JCP Internal IP Addresses ------------------------- Interface: em2.32768 Address : 192.168.1.2 JCP Interfaces ------------------------------------------------------------- Interface Type Source Model...
  • Page 103: Show System Visibility Jdm

    Syntax show system visibility jdm Release Information Command introduced in Junos OS Release 15.1X53-D40 for the NFX250 Network Services Platform. Description Display details such as uptime, number of tasks, CPU statistics, disk usage, disk I/O statistics, memory usage, the list of network interfaces, and internal IP address for JDM container.
  • Page 104 Table 14: show system visibility jdm Output Fields (continued) Field Name Field Description Fields for JDM Disk Usage Information Total The total amount of disk usage space, in mebibytes (MiB). The amount of used disk usage space, in mebibytes (MiB).
  • Page 105 Interrupt Service Time: 0
    JDM Disk Usage Information
    --------------------------
    Total (MiB): 9951
    Used (MiB): 3986
    Free (MiB): 5436
    Percentage Used: 40.1
    JDM Disk I/O Information
    ------------------------
    Read Count: 304517
    Write Count: 1180759
    Read Bytes: 4200104448
  • Page 106 Write Bytes: 16527707648
    Read Time: 45534
    Write Time: 1185936
    JDM Memory Information
    ----------------------
    Virtual Memory:
    ---------------
    Total (KiB): 15949116
    Used (KiB): 5533316
    Free (KiB): 10415800
    Percent Used: 31.3
    Swap Memory:
    ------------
    Total...
  • Page 107: Show System Visibility Memory

    Syntax show system visibility memory Release Information Command introduced in Junos OS Release 15.1X53-D40 for the NFX250 Network Services Platform. Description Display the details about virtual memory and shared memory for a disaggregated Junos OS platform.
  • Page 108 Table 15: show system visibility memory Output Fields (continued) Field Name Field Description The total amount of free swap memory, in kibibytes (KiBs). Free The percentage of buffer swap memory used. Percent Used...
  • Page 109: Show System Visibility Network

    Syntax show system visibility network Release Information Command introduced in Junos OS Release 15.1X53-D40 for the NFX250 Network Services Platform. Description Display details such as the list of MAC addresses assigned to VNF interfaces, the list of internal IP addresses for VNFs, the list of VFs used by VNFs, and the list of VNF interfaces for a disaggregated Junos OS platform.
  • Page 110 Table 16: show system visibility network Output Fields (continued) Field Name Field Description The names of the Physical Functions available. The names of the Virtual Functions available for each Physical Function. Fields for List of Free Virtual Functions The names of the Physical Functions available.
  • Page 111 0000:03:12:7 hsxe1 0000:03:13:1
    VNF Interfaces
    ----------------------------------------------------------------------------------
    Interface Type Source Model
    vnf1 vnet5 network default virtio 84:c1:c1:a3:39:15
    vnf1 vnet6 bridge eth0br virtio 84:c1:c1:a3:39:16
    vnf1 vhostuser -- virtio 84:c1:c1:a3:39:17
  • Page 112: Show System Visibility Storage

    Syntax show system visibility storage Release Information Command introduced in Junos OS Release 15.1X53-D40 for the NFX250 Network Services Platform. Description Display details such as the list of disk partitions, the list of per disk I/O statistics, and the list of VNF disks for a disaggregated Junos OS platform.
  • Page 113 Disk Usage Information
    Disk Total (MiB) Used (MiB) Free (MiB) % Used
    /dev/sda4 1409 64.0 /dev/sda5 5639 5009 /dev/sda2 72.0 /dev/sda1
  • Page 114 26.0 /dev/sda3 /dev/mapper/vg0_vjunos-lv_junos 9951 3889 5534 39.0 /dev/mapper/vg0_vjunos-lv_var_third_party 159317 6888 144313
    Disk I/O Information
    Disk Read Count Write Count Read Bytes Write Bytes Read time Write Time...
  • Page 115: Show System Visibility Vnf

    Syntax show system visibility vnf vnf name Release Information Command introduced in Junos OS Release 15.1X53-D40 for the NFX250 Network Services Platform. Description If a VNF name is not specified, display the details of the VNFs present on the system.
  • Page 116 Table 18: show system visibility vnf Output Fields (continued) Field Name Field Description Fields for VNF Memory Usage Name Name of the VNF. The maximum amount of memory, in kibibytes (KiBs). Maximum Memory The total amount of used memory, in kibibytes (KiBs).
  • Page 117 Rcvd Drop The number of drops received. Trxd Bytes The number of bytes transferred. Trxd Packets The number of packets transferred. Trxd Error The number of errors transferred. Trxd Drop The number of drops transferred.
  • Page 118 Sample Output
    show system visibility vnf
    user@jdm> show system visibility vnf
    List of VNFs
    -----------------------------------------------------------
    Name State
    vnf1 Running
    VNF Memory Usage
    -----------------------------------------------------------------------------
    Name Maximum Memory (KiB) Used Memory (KiB)
  • Page 119 Port Rcvd Bytes Rcvd Packets Rcvd Error Rcvd Drop Trxd Bytes Trxd Packets Trxd Error Trxd Drop
    vnf1 vnet5 252654 vnf1 vnet6 8893085
  • Page 121: Virtual Network Functions

    PART 4 Virtual Network Functions Virtual Network Functions on page 105 Virtual Network Functions Configuration Statements and Operational Commands on page 121
  • Page 123: Virtual Network Functions

    Understanding Virtual Network Functions Virtualized network functions (VNFs) include all virtual entities that can be launched and managed from the Juniper Device Manager (JDM). Currently, virtual machines (VMs) are the only VNF type that is supported. There are several components in a JDM environment: JDM—Manages the life cycle for all service VMs.
  • Page 124: Managing The Vnf Life Cycle

    All VMs run in isolation and a state change in one VM does not affect another VM. When the system restarts, the service VMs are brought online as specified in the persistent configuration file.
  • Page 125: Planning Resources For A Vnf

    Some of the physical CPUs are reserved by the system. Except for the following physical CPUs, all others are available for user-defined VNFs: Table 20 on page 107 provides the list of physical CPUs that are reserved for NFX250-LS1. Table 20: Physical CPU Allocation for NFX250-LS1 CPU Core...
  • Page 126: Managing The Vnf Image

    Table 21: Physical CPU Allocation for NFX250 CPU Core Allocation Host, JDM, and JCP Host bridge IPSec For more information, see the following: show system inventory hardware cpu show system inventory hardware memory...
  • Page 127: Allocating Resources For A Vnf

    CPU that is not pinned to any physical CPU. NOTE: You cannot change the CPU configuration of a VNF when the VNF is in running state. Restart the VNF for changes to take effect.
  • Page 128: Allocating Memory For A Vnf

    To enable hardware-virtualization or hardware-acceleration for VNF CPUs, type the following command:
    user@jdm# set virtual-network-functions vnf-name virtual-cpu features hardware-virtualization
    Allocating Memory for a VNF
    To specify the maximum primary memory that the VNF can use, enter the following...
  • Page 129: Configuring Vnf Interfaces And Vlans

    VLAN ID.
    To create a VLAN:
    user@jdm# set host-name vlan vlan-name
    To attach a VNF interface to a VLAN:
    user@jdm# set virtual-network-functions vnf-name interfaces interface-name mapping vlan members list-of-vlans [mode trunk|access]
  • Page 130 NOTE: The interfaces attached to the VNF are persistent across VNF restarts. If the VNF supports hot-plugging, you can attach the interfaces when the VNF is in running state. Otherwise, add the interfaces, and then restart the VNF.
  • Page 131: Managing Vnf States

    To configure a specific MAC address for a VNF interface:
    user@jdm# set virtual-network-functions vnf-name interfaces interface-name mac-address mac-address
    To delete the MAC address configuration of a VNF interface:
  • Page 132: Managing Mtu

    user@jdm# delete virtual-network-functions vnf-name interfaces interface-name mac-address mac-address
    NOTE: To delete or modify the MAC address of a VNF interface, you must stop the VNF, make the necessary changes, and then start the VNF.
  • Page 133: Configuring Cross-Connect

  • Page 134
    user@jdm# set virtual-network-functions vnf2 interfaces eth3 mapping vlan members
    user@jdm# set virtual-network-functions vnf2 interfaces eth3 mapping vlan members
    user@jdm# set virtual-network-functions vnf2 interfaces eth3 mapping vlan members
    user@jdm# set virtual-network-functions vnf2 interfaces eth3 mapping vlan mode...
  • Page 135: Configuring Analyzer Vnf And Port-Mirroring

    Accessing a VNF from JDM You can access a VNF from JDM using either SSH or a VNF console. To access a VNF using SSH:
  • Page 136: Viewing List Of Vnfs

    user@jdm> ssh vnf-name
    To access a VNF using a virtual console:
    user@jdm> request virtual-network-functions vnf-name console
    NOTE: Use ctrl-] to exit the virtual console. Do not use a Telnet session to run the command.
  • Page 137 Chapter 5: Virtual Network Functions NOTE: The VNF image remains on the disk even after you delete the VNF.
  • Page 139: Commands

    135 size on page 135 storage on page 136 type on page 137 virtual-cpu on page 138 virtual-network-functions on page 139 vjunos0 on page 142 vnf-name on page 143 show virtual-network-functions show vlans
  • Page 140: Cross-Connect

    cross-connect Syntax cross-connect { cross-connect-name { physical-interface { hsxe0 { vlan-id vlan-id; hsxe1 { vlan-id vlan-id; virtual-network-function vnf-name { interface interface-name; vlan-id vlan-id; push-pop-cross-connect-name { virtual-network-function vnf-name { interface interface-name; vlan-id vlan-id; virtual-network-function vnf-name { interface interface-name;...
  • Page 141 Chapter 6: Virtual Network Functions Configuration Statements and Operational Commands Hierarchy Level [edit] Release Information Statement introduced in Junos OS Release 15.1X53-D47 for the NFX250 Network Services Platform. Description Connects any two VNF interfaces, VLANs on physical interfaces such as hsxe0 and hsxe1,...
  • Page 142: Features

    Syntax features { hugepages; Hierarchy Level [edit virtual-network-functions] Release Information Statement introduced in Junos OS Release 15.1X53-D40 for the NFX250 Network Services Platform. Description Displays the supported features of a VNF. Options features—Features of a VNF. hugepages—Option to support memory pages with a size of 2 MB and 1 GB.
  • Page 143: Host-Os Forwarding-Options Analyzer

    Hierarchy Level [edit] Release Information Statement introduced in Junos OS Release 15.1X53-D40 for the NFX250 Network Services Platform. Description Configures an analyzer for port mirroring and configures port mirroring for either ingress or egress traffic of a VNF interface to an analyzer VNF.
  • Page 144: Hugepages

    Syntax hugepages; Hierarchy Level [edit virtual-network-functions] Release Information Statement introduced in Junos OS Release 15.1X53-D40 for the NFX250 Network Services Platform. Description An option to support memory pages of 2 MB and 1 GB size. Required Privilege routing—To view this statement in the configuration.
  • Page 145: Image

    [qcow2 | raw]; Hierarchy Level [edit virtual-network-functions] Release Information Statement introduced in Junos OS Release 15.1X53-D45 for the NFX250 Network Services Platform. Description Specify the VNF image source file. The VNF image is a virtual hard disk, which contains the bootable file system for the VNF.
  • Page 146: Init-Descriptor

    Hierarchy Level [edit virtual-network-functions] Release Information Statement introduced in Junos OS Release 15.1X53-D45 for the NFX250 Network Services Platform. Description Create an XML descriptor file to launch a VNF. You can launch a VNF by configuring the VNF name, and specifying either the path to the XML descriptor file or to an image.
  • Page 147: Interfaces

    [access | trunk]; native-vlan-id vlan-id; Hierarchy Level [edit virtual-network-functions] Release Information Statement introduced in Junos OS Release 15.1X53-D50 for the NFX250 Network Services Platform. Description Configure Virtual Network Functions (VNF) interfaces on platforms running disaggregated Junos OS. Options interface-name—Name of the VNF interfaces.
  • Page 148: Ipsec-Nm

    Hierarchy Level [edit virtual-network-functions] Release Information Statement introduced in Junos OS Release 15.1X53-D45 for the NFX250 Network Services Platform. Description An option that enables or disables the ipsec virtual network function if the ipsec-nm option is configured in the system.
  • Page 149: Mac-Address

    Syntax mac-address mac-address; Hierarchy Level [edit virtual-network-functions] Release Information Statement introduced in Junos OS Release 15.1X53-D47 for the NFX250 Network Services Platform. Description MAC address for the VNF interfaces. Required Privilege interface—To view this statement in the configuration. Level interface-control—To add this statement to the configuration.
  • Page 150: Mapping

    [access | trunk]; native-vlan-id vlan-id; Hierarchy Level [edit virtual-network-functions] Release Information Statement introduced in Junos OS Release 15.1X53-D50 for the NFX250 Network Services Platform. Description Mapping Virtual Network Functions (VNF) interfaces on platforms running disaggregated Junos OS. Options vlan-id—SR-IOV virtual function to use to attach a VNF to a physical interface.
  • Page 151: Memory

    Hierarchy Level [edit virtual-network-functions] Release Information Statement introduced in Junos OS Release 15.1X53-D40 for the NFX250 Network Services Platform. Description Configure memory parameters for VNFs on a platform that is running a disaggregated Junos OS. Options memory size—Amount of memory allocated to a VNF in kilobytes. The default size is 1 GB.
  • Page 152: Mtu

    Hierarchy Level [edit interfaces interface-name] Release Information Statement introduced in Junos OS Release 15.1X53-D47 for the NFX250 Network Services Platform. Description Specify the maximum transmission unit (MTU) size for the media in bytes. MTU size can be either 1500 bytes or 2048 bytes.
  • Page 153: Pci-Address

    Syntax pci-address pci-address; Hierarchy Level [edit virtual-network-functions] Release Information Statement introduced in Junos OS Release 15.1X53-D50 for the NFX250 Network Services Platform. Description PCI address for the VNF interfaces. Required Privilege interface—To view this statement in the configuration. Level interface-control—To add this statement to the configuration.
  • Page 154: Storage

    { file filename; Hierarchy Level [edit virtual-network-functions] Release Information Statement introduced in Junos OS Release 15.1X53-D40 for the NFX250 Network Services Platform. Description Configure storage parameters on VNFs. Options storage device-name—Name of the storage device. For example, hda, hdb, sdb, or vdb.
  • Page 155: Type

    Syntax type linux-container | virtual-machine; Hierarchy Level [edit virtual-network-functions] Release Information Statement introduced in Junos OS Release 15.1X53-D40 for the NFX250 Network Services Platform. Description Type of the VNF. Options linux-container—The VNF type is Linux container. virtual-machine—The VNF type is virtual machine.
  • Page 156: Virtual-Cpu

    Hierarchy Level [edit virtual-network-functions] Release Information Statement introduced in Junos OS Release 15.1X53-D40 for the NFX250 Network Services Platform. Description Specify the number of virtual CPUs the VNF can use. By default, a VNF is assigned one virtual CPU, which is independent of any specific physical CPU.
  • Page 157: Virtual-Network-Functions

    [ide | virtio]; image-type [qcow2 | raw]; init-descriptor file-path; memory size size; features hugepages no-autostart; storage device-name { type { cdrom { source { file filename; disk { bus-type [ide | virtio]; file-type [qcow2 | raw];
  • Page 158 { vlan-id vlan-id; hsxe1 { virtual-function { vlan-id vlan-id; vlan { members vlan-name; mode [access | trunk]; native-vlan-id vlan-id; Release Information Statement introduced in Junos OS Release 15.1X53-D45 for the NFX250 Network Services Platform.
  • Page 159 VNF in kilobytes. The default size is 1 GB. device-name—Name of the storage device. file-name—Name of the source file of the storage device. Required Privilege routing—To view this statement in the configuration. Level routing-control—To add this statement to the configuration.
  • Page 160: Vjunos0

    Hierarchy Level [edit virtual-network-functions] Release Information Statement introduced in Junos OS Release 15.1X53-D45 for the NFX250 Network Services Platform. Description An option that enables or disables the vjunos virtual network function if the vjunos0 option is configured in the system.
  • Page 161: Vnf-Name

    [qcow2 | raw]; source { file filename; usb { source { file filename; virtual-cpu virtual-cpu-number { physical-cpu number | range; count number; features { hardware-virtualization; interfaces interface-name { pci-address pci-address; mapping hsxe0 { virtual-function {
  • Page 162 [access | trunk]; native-vlan-id vlan-id; Hierarchy Level [edit virtual-network-functions] Release Information Statement introduced in Junos OS Release 15.1X53-D45 for the NFX250 Network Services Platform. Description Name of the virtual network function. Options interfaces—Name of the interface. For example, em1.
  • Page 163: Show Virtual-Network-Functions

    Release Information Command introduced in Junos OS Release 15.1X53-D45 for the NFX250 Network Services Platform. Description Display Virtual Network Function (VNF) information. Options vnf-name—(Optional) Display information for a specific VNF.
  • Page 164 Table 22: show virtual-network functions Output Fields (continued) Field Name Field Description Name Name of the VNF State Status of the VNF. Possible values are Running, Shutdown, or Undefined. Liveliness Indicates whether or not the IP address of the VNF is reachable.
  • Page 165 | /junos/images/0/vjunos.img | /junos/images/0/vjunos-data.img | /junos/images/0/vjunos-config.img | /junos/images/0/vjunos-platform.img
    Virtual Network Function Information
    -------------------------------------
    Name: :vsrx
    State: :Running
    Liveliness: :Down
    IP Address: :192.168.1.101
    VCPUs:
    Maximum Memory: :4194304 KiB
    Used Memory: :4194304 KiB
    Block Devices
    ----------------------------
  • Page 166 Target | Source
    ----------------------------
    /var/third-party/images/media-vsrx-vmdisk-15.1-2016-07-18.0_DEV_S3_UCPE_VSRX.qcow2
    Virtual Network Function Information
    -------------------------------------
    :8659
    Name: :jdm
    State: :Running
    Liveliness:
    IP Address: :192.168.1.254
    VCPUs:
    Maximum Memory: :1048576 KiB
    Used Memory: :1025492 KiB
  • Page 167: Show Vlans

    show vlans Syntax show vlans vlan-name Release Information Command introduced in Junos OS Release 15.1X53-D40 for the NFX250 Network Services Platform. Description Display the details about the VLANs. Options vlan-name—Display information for a specific VLAN.
  • Page 168
    host-os vlan200-202-vlan-0200 200 vsrx1_eth7.0 vsrx2_eth7.0
    host-os vlan200-202-vlan-0202 202 vsrx1_eth7.0 vsrx2_eth7.0
  • Page 169: Service Chaining

    PART 5 Service Chaining Service Chaining on page 153
  • Page 171: Service Chaining

    Configuring Service Chaining Using VLANs on page 154 Configuring Service Chaining Using DHCP Services on VLANs on page 155 Example: Configuring Service Chaining Using VLANs on NFX250 Network Services Platform on page 156 Example: Configuring Service Chaining Using SR-IOV on NFX250 Network Services...
  • Page 172: Configuring Service Chaining Using Vlans

    Related Understanding Service Chaining on Disaggregated Junos OS Platforms on page 153 Documentation Example: Configuring Service Chaining Using VLANs on NFX250 Network Services Platform on page 156
  • Page 173: Configuring Service Chaining Using Dhcp Services On Vlans

    To check the assigned IP address, use the show system visibility vnf <vnf> command. Related Understanding Service Chaining on Disaggregated Junos OS Platforms on page 153 Documentation Example: Configuring Service Chaining Using VLANs on NFX250 Network Services Platform on page 156
  • Page 174: Example: Configuring Service Chaining Using Vlans On Nfx250 Network Services Platform

    Example: Configuring Service Chaining Using VLANs on NFX250 Network Services Platform This example shows how to configure service chaining using VLANs on the host bridge. Requirements on page 156 Overview on page 156...
  • Page 175 Chapter 7: Service Chaining This example is configured using the Juniper Device Manager (JDM) and Junos Control Plane (JCP). The key configuration elements include: The Packet Forwarding Engine’s front panel ports. The Packet Forwarding Engine’s internal-facing ports. A routing instance named host-os. The host-os routing instance is the CLI construct that provides the ability to configure host OS elements from the JDM.
  • Page 176 Configure the Packet Forwarding Engine’s LAN-side front panel port and add it to the LAN-side VLAN. The LAN-side port is typically an access port, but could be a trunk port if appropriate.
  • Page 177 77
    user@jdm# set host-os vlans vlan2 vlan-id 1177
    user@jdm# set host-os vlans glue-vlan vlan-id 123
    Bring up the VM1 with one virtio interface mapped to VLAN, and another interface mapped to glue-vlan.
  • Page 178: Example: Configuring Service Chaining Using Sr-Iov On Nfx250 Network Services Platform

    Documentation Disaggregated Junos OS VMs on page 6 Understanding Virtio Usage on page 8 Example: Configuring Service Chaining Using SR-IOV on NFX250 Network Services Platform This example shows how to configure service chaining using SR-IOV on platforms running the disaggregated Junos OS software.
  • Page 179: Figure 15: Service Chaining Using Sr-Iov-Device Infrastructure

    NIC ports, it is necessary to use their abstracted versions, hsxe0 and hsxe1. This example is configured using the Juniper Device Manager (JDM) and Junos Control Plane (JCP). The key configuration elements include: The Packet Forwarding Engine’s front panel ports.
  • Page 180 NIC ports. Because NIC interfaces (sxe ports) cannot be configured directly, the host OS construct for these interfaces (hsxe) must be used. The VNF interfaces. In the JDM, VNF interfaces must use the format eth#, where # is from 2 through 9.
  • Page 181 Results From configuration mode, check the results of your configuration by entering the following show commands: [edit] user@jcp# show interfaces xe-0/0/12 unit 0 { family ethernet-switching { vlan {
  • Page 182 members Vlan11; [edit] user@jcp# show interfaces xe-0/0/13 unit 0 { family ethernet-switching { interface-mode trunk; vlan { members Vlan22; [edit] user@jcp# show interfaces sxe-0/0/0 unit 0 { family ethernet-switching { interface-mode trunk;...
  • Page 183 Related Understanding Service Chaining on Disaggregated Junos OS Platforms on page 153 Documentation Disaggregated Junos OS VMs on page 6 Understanding SR-IOV Usage on page 10
  • Page 185: Ipsec-Nm

    PART 6 IPSec-NM Understanding IPSec-NM on page 169 IPSec-NM Configuration Statements and Operational Commands on page 187
  • Page 187: Understanding Ipsec-Nm

    The native IPSec virtual private network (VPN) supported on JUNOS is used in various Juniper products to provide secure VPN connectivity. To address certain use cases, the IPSec VPN functionality depends on various JUNOS components and interworks across the modules.
  • Page 188: Configuring Ip Security Network Manager

    Anti-replay services
    Internet Key Exchange (IKE) gateway
    Internet Key Exchange (IKE) v1 policy in Aggressive and Main mode with pre-shared key (PSK).
    One IKE security association (SA) with multiple IPSec SAs based on traffic selector.
  • Page 189: Configuring Ipsec-Nm Interfaces

    Assign an IPv6 address to the logical interface:
    root@ipsec-nm# set interfaces interface-name unit interface-logical-unit-number family inet6 address interface-address
    Enable VLAN tagging support on the logical interface:
    root@ipsec-nm# set interfaces interface-name vlan-tagging
  • Page 190: Configuring Autokey Internet Key Exchange

    IPSec-NM supports the automated generation and negotiation of keys and security associations (SAs) using the Internet Key Exchange (IKE) protocol. This automation is termed AutoKey IKE. Juniper Networks supports AutoKey IKE with pre-shared keys and certificates. Dynamic SAs require IKE configuration. With dynamic SAs, you can configure IKE and then the SA.
  • Page 191 Define a pre-shared key for IKE:
    root@ipsec-nm# set security ike policy ike-policy-name pre-shared-key ascii-text text-format
    Configuring IKE Gateway
    An IKE gateway initiates and terminates network connections between a firewall and a security device.
  • Page 192 To configure IPSec-NM as an xauth client and configure the IKE gateway, complete the following steps:
    Configure the username of the xauth client:
    root@ipsec-nm# set security ike gateway gateway-name xauth client username xauth-client-username
    Configure the password of the xauth client:...
  • Page 193: Configuring Ipsec

    Define an IPSec proposal and protocol for the proposal:
    root@ipsec-nm# set security ipsec proposal ipsec-proposal-name protocol esp
    Define an authentication algorithm for the IPSec proposal:
    root@ipsec-nm# set security ipsec proposal ipsec-proposal-name authentication-algorithm hmac-sha1-96
    Define an encryption algorithm for the IPSec proposal:
  • Page 194
    root@ipsec-nm# set security ipsec proposal ipsec-proposal-name encryption-algorithm aes-256-cbc
    Set a lifetime for the IPSec proposal in seconds:
    root@ipsec-nm# set security ipsec proposal ipsec-proposal-name lifetime-seconds 180..86400 seconds
    Configuring IPSec Policies
    An IPSec policy defines a combination of security parameters (IPSec proposals) used during IPSec negotiation.
  • Page 195: Example: Configuring Ike, Ipsec, And Security Zones

    Configuration on page 179 Verification on page 184 Requirements Before you begin: Log in to the master logical system as the master administrator. See “Understanding the Master Logical System and the Master Administrator Role.”
  • Page 196: Table 24: Ike, Ipsec Sas, And Security Zones Configuration

    Read the “Overview of IP Security” on page 169 and “Configuring IP Security Network Manager” on page 170 topics. Overview In this example you configure IKE, IPSec SAs, and security zones. This example configures...
  • Page 197 IKE_POL pre-shared-key ascii-text <enter psk>
    set security ike gateway GW1 ike-policy IKE_POL
    set security ike gateway GW1 address 2.2.2.2
    set security ike gateway GW1 local-identity user-at-hostname "r0r2_store1@juniper.net"
    set security ike gateway GW1 external-interface ge-0/0/0
    set security ike gateway GW1 local-address 3.3.3.2...
  • Page 198
    set security ipsec proposal IPSEC_PROP authentication-algorithm hmac-sha-256-128
    set security ipsec proposal IPSEC_PROP encryption-algorithm aes-256-cbc
    set security ipsec proposal IPSEC_PROP lifetime-seconds 2600
    set security ipsec policy IPSEC_POL perfect-forward-secrecy keys group14
    set security ipsec policy IPSEC_POL proposals IPSEC_PROP...
  • Page 199 Configure the IPSec VPN.
    [edit security ipsec]
    root@ipsec-nm# set security ipsec vpn VPN1 ike gateway GW1
    root@ipsec-nm# set security ipsec vpn VPN1 ike ipsec-policy IPSEC_POL
    root@ipsec-nm# set security ipsec vpn VPN1 traffic-selector VPN1_TS1 local-ip 51.0.1.0/24
  • Page 200
    root@ipsec-nm# set security ipsec vpn VPN1 traffic-selector VPN1_TS1 remote-ip 41.0.1.0/24
    root@ipsec-nm# set security ipsec vpn VPN1 establish-tunnels immediately
    Configure security flow:
    [edit security]
    root@ipsec-nm# set security flow tcp-mss all-tcp mss 1300
    Configure security policies:...
  • Page 201 VPN1 { ike gateway GW1; ike ipsec-policy IPSEC_POL; traffic-selector VPN1_TS1 { local-ip 51.0.1.0/24; remote-ip 41.0.1.0/24; establish-tunnels immediately; [edit] root@ipsec-nm# show security flow tcp-mss { all-tcp mss 1300; [edit] root@ipsec-nm# show security policies default-policy { Copyright © 2017, Juniper Networks, Inc.
  • Page 202 JDM User Guide for NFX250 Network Services Platform permit-all; [edit] root@ipsec-nm# show security zones security-zone { trust { host-inbound-traffic { system-services all; protocols all; interfaces ge-0/0/0.0; untrust { host-inbound-traffic { system-services all; protocols all; interfaces ge-0/0/1.0; [edit] root@ipsec-nm# show interfaces ge-0/0/0 unit 0 { vlan-id 100;...
  • Page 203
    Chapter 8: Understanding IPSec-NM
    Related Documentation:
    Configuring IPSec-NM Interfaces on page 171
    Configuring AutoKey Internet Key Exchange on page 172
    Configuring IPSec on page 175
  • Page 205: Ipsec-Nm Configuration Statements And Operational Commands

    194 policies on page 196 interfaces on page 197 show security ike sa show security ike active-peer show security ipsec sa show security ipsec statistics show security ipsec inactive-tunnels show security ipsec tunnel-events-statistics
  • Page 206: Ipsec-Nm

    ipsec-nm Syntax ipsec-nm configuration { security { proposal ike-proposal-name { authentication-method { pre-shared-keys; authentication-algorithm { md5; sha-256; sha-384; sha1; dh-group { group1; group14; group2; group5; encryption-algorithm { 3des-cbc; aes-128-cbc; aes-192-cbc; aes-256-cbc; des-cbc;...
  • Page 207 { ike { gateway remote-gateway-name; ipsec-policy ipsec-policy-name; traffic-selector { traffic-selector-name1 { local-ip local-traffic-selector-ip-address; remote-ip remote-traffic-selector-ip-address; traffic-selector-name2 { local-ip local-traffic-selector-ip-address; remote-ip remote-traffic-selector-ip-address; establish-tunnels immediately; policies from-zone { from-zone-name { to-zone to--zone-name;
  • Page 208 trust { to-zone to--zone-name; trust; untrust; untrust { to-zone to--zone-name; trust; untrust; zones { security-zone { security-zone-name { trust { host-inbound-traffic { system-services { all; protocols { all; untrust { host-inbound-traffic { system-services { all;...
  • Page 209
    Chapter 9: IPSec-NM Configuration Statements and Operational Commands
    Release Information: Statement introduced in Junos OS Release 15.1X53-D47 for the NFX250 Network Services Platform.
    Description: Provides confidentiality, security, and authentication of data that is shared within a network. It also provides data security at the IP layer of the network.
  • Page 210: Ike

    Syntax ike { proposal ike-proposal-name { authentication-method { dsa-signatures; pre-shared-keys; rsa-signatures; authentication-algorithm { md5; sha-256; sha-384; sha1; dh-group { group1; group14; group2; group5; encryption-algorithm { 3des-cbc; aes-128-cbc; aes-128-gcm; aes-192-cbc; aes-256-cbc; aes-256-gcm; des-cbc;...
  • Page 211
    Hierarchy Level: [ipsec-nm configuration security]
    Release Information: Statement introduced in Junos OS Release 15.1X53-D47 for the NFX250 Network Services Platform.
    Description: IPSec-NM supports the automated generation and negotiation of keys and security associations (SAs) using the Internet Key Exchange (IKE) protocol. This automation is termed AutoKey IKE.
  • Page 212: Ipsec

    Hierarchy Level: [ipsec-nm configuration security]
    Release Information: Statement introduced in Junos OS Release 15.1X53-D47 for the NFX250 Network Services Platform.
    Description: IPSec is a suite of related protocols for cryptographically securing communications at the IP Packet Layer. IPSec also provides methods for the manual and automatic...
  • Page 213
    IPSec policy.
    gateway remote-gateway-name—Name of the remote gateway.
    Required Privilege Level:
    routing—To view this statement in the configuration.
    routing-control—To add this statement to the configuration.
    Related Documentation: Configuring IPSec on page 175
  • Page 214: Policies

    Hierarchy Level: [ipsec-nm configuration security]
    Release Information: Statement introduced in Junos OS Release 15.1X53-D47 for the NFX250 Network Services Platform.
    Description: You can configure network security policies for IPSec-NM.
    Options: from-zone—Define a policy context from this zone.
  • Page 215: Interfaces

    Hierarchy Level: [ipsec-nm configuration security]
    Release Information: Statement introduced in Junos OS Release 15.1X53-D47 for the NFX250 Network Services Platform.
    Description: You can configure interfaces for IPSec-NM.
    Required Privilege: routing—To view this statement in the configuration.
  • Page 216: Show Security Ike Sa

    Syntax:
    show security ike sa
    show security ike sa detail
    Release Information: Command introduced in Junos OS Release 15.1X53-D47 for the NFX250 Network Services Platform.
    Description: Display information about the Internet Key Exchange (IKE) Security Association (SA).
    Required Privilege...
  • Page 217: Table 26: Show Security Ike Sa Detail Output Fields

    Address of the local peer.
    Remote: Address of the remote peer.
    Lifetime: Number of seconds remaining until the IKE SA expires.
    Reauth Lifetime: When enabled, number of seconds remaining until re-authentication triggers a new IKEv2 SA negotiation.
  • Page 218
    Table 26: show security ike sa detail Output Fields (continued)
    Field Name: Field Description
    IKE Fragmentation: Enabled means that both the IKEv2 initiator and responder support message fragmentation and have negotiated the support during the IKE_SA_INIT message exchange.
  • Page 219
    Remote Access Client Info: Unknown Client
    Peer ike-id: 2.2.2.2
    AAA assigned IP: 0.0.0.0
    Algorithms:
     Authentication : hmac-sha256-128
     Encryption : aes256-cbc
     Pseudo random function: hmac-sha256
     Diffie-Hellman group : DH-group-14
    Traffic statistics:
     Input bytes 1056
     Output bytes 1311
     Input packets:
  • Page 220
     Output packets:
     Input fragmentated packets:
     Output fragmentated packets:
    IPSec security associations: 1 created, 0 deleted
    Phase 2 negotiations in progress: 1
    Negotiation type: Quick mode, Role: Initiator, Message ID: 0
    Local: 3.3.3.2:500, Remote: 2.2.2.2:500
    Local identity: r0r2_store1@juniper.net...
  • Page 221: Show Security Ike Active-Peer

    show security ike active-peer
    Syntax: show security ike active-peer
    Release Information: Command introduced in Junos OS Release 15.1X53-D47 for the NFX250 Network Services Platform.
    Description: Display information about IKE active peers.
    Required Privilege...
  • Page 222: Show Security Ipsec Sa

    Syntax:
    show security ipsec sa
    show security ike sa detail
    Release Information: Command introduced in Junos OS Release 15.1X53-D47 for the NFX250 Network Services Platform.
    Description: Display information about the IPSec Security Association (SA).
    Required Privilege...
  • Page 223: Table 29: Show Security Ipsec Sa Detail Output Fields

    VPN Monitoring: If VPN monitoring is enabled, then the field displays U (up) or D (down). A hyphen (-) means VPN monitoring is not enabled for this SA. A V means that IPSec datapath verification is in progress.
  • Page 224 Table 29: show security ipsec sa detail Output Fields (continued) Field Name Field Description The hard lifetime specifies the lifetime of the SA. Hard lifetime - Number of seconds left until the SA expires.
  • Page 225
    Hard lifetime: Expires in 2552 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1988 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  • Page 226: Show Security Ipsec Statistics

    show security ipsec statistics
    Syntax: show security ipsec statistics
    Release Information: Command introduced in Junos OS Release 15.1X53-D47 for the NFX250 Network Services Platform.
    Description: Display IPSec statistics.
    Required Privilege Level: view...
  • Page 227
    Decrypted packets:
    AH Statistics:
     Input bytes:
     Output bytes:
     Input packets:
     Output packets:
    Errors:
     AH authentication failures: 0, Replay errors: 0
     ESP authentication failures: 0, ESP decryption failures: 0
     Bad headers: 0, Bad trailers: 0
  • Page 228: Show Security Ipsec Inactive-Tunnels

    show security ipsec inactive-tunnels
    Syntax: show security ipsec inactive-tunnels
    Release Information: Command introduced in Junos OS Release 15.1X53-D47 for the NFX250 Network Services Platform.
    Description: Display information about IPSec tunnels that are inactive on a disaggregated Junos OS platform.
  • Page 230: Show Security Ipsec Tunnel-Events-Statistics

    show security ipsec tunnel-events-statistics
    Syntax: show security ipsec inactive-tunnels
    Release Information: Command introduced in Junos OS Release 15.1X53-D47 for the NFX250 Network Services Platform.
    Description: Display tunnel event statistics.
    Required Privilege: view...
