Contrail Service Orchestration User Guide Release 1.5 Modified: 2016-06-02 Copyright © 2016, Juniper Networks, Inc.


Contrail Service Orchestration

User Guide

Release

1.5

Modified: 2016-06-02

Copyright © 2016, Juniper Networks, Inc.

Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net

Copyright © 2016, Juniper Networks, Inc. All rights reserved.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.


The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


Table of Contents

About the Documentation
    Documentation and Release Notes
    Documentation Conventions
    Documentation Feedback
    Requesting Technical Support
        Self-Help Online Tools and Resources
        Opening a Case with JTAC

Part 1 Contrail Service Orchestration

Chapter 1 Contrail Service Orchestration Introduction
    Contrail Service Orchestration Overview
    Contrail Service Orchestration Licensing

Part 2 Administration Portal

Chapter 2 Administration Portal Introduction
    Administration Portal Overview
    Setting Up the Cloud CPE Centralized Deployment Model with Administration Portal
    Accessing Administration Portal

Chapter 3 Configuring Network Resources
    VIM Management Overview
    Creating a VIM
    EMS Management Overview
    Creating an EMS
    Resource Pool Management Overview
    Creating a Resource Pool
    Activating and Deactivating Resource Pools
    POP Management Overview
    Creating a POP
    Device Management Overview
    Creating Devices

Chapter 4 Configuring Customers
    Tenant Management Overview
    Creating a Customer
    Creating an Administrative User
    Creating a Site
    Importing Sites from a File
        Creating a File of Site information
        Importing Sites
    Allocating Network Services

Chapter 5 Managing Objects
    Viewing Details for an Object
    Modifying an Object
    Deleting an Object
    Modifying a Site
    Deleting a Site
    Creating a Transit Network
    Terminating a Transit Network

Part 3 Customer Portal

Chapter 6 Customer Portal Introduction
    Customer Portal Overview
    Accessing Customer Portal

Chapter 7 Configuring Sites and Network Services
    Activating Sites in a Network
    Configuring a Service
    vSRX Configuration Settings
    LxCIPtable VNF Configuration Settings
    Cisco CSR-1000v VNF Configuration Settings

Chapter 8 Managing Sites and Network Services
    Managing Sites and Network Services Overview
    Monitoring a Service
    Deactivating a Site
    Adding a Service
    Replacing a Service
    Deactivating and Reactivating a Service
    Removing a Service

Part 4 Network Service Designer

Chapter 9 Network Service Designer introduction
    Network Service Designer Overview
    Accessing Network Service Designer
    Getting Started with Network Service Designer
    Network Services and Service Chains Overview

Chapter 10 Creating Network Services
    Creating Requests for Network Services
    Designing Service Chains for Network Services
    Defining Ingress and Egress Points for a Service Chain
    Connecting VNFs in a Service Chain
    VNF Overview
    Viewing Information About VNFs
    Performance Overview
    Meeting Performance Goals

Chapter 11 Configuring Network Services
    Configuring Network Services
    vSRX Configuration Settings
    LxCIPtable VNF Configuration Settings
    Cisco CSR-1000v VNF Configuration Settings

Chapter 12 Managing Requests and Designs
    Managing Requests for Network Services
    Managing Service Chain Designs

Part 5 Service and Infrastructure Monitor

Chapter 13 Service and Infrastructure Monitor introduction
    Service and Infrastructure Monitor Overview
    Accessing the Service and Infrastructure Monitor GUI

Chapter 14 Monitoring Activities in the Deployment
    Monitoring Network Services
    Monitoring VNFs Used in Network Services and the VMs That Host the VNFs
    Monitoring Microservices
    Monitoring Microservices and Their Host VMs
    Monitoring Physical Servers

List of Figures

Part 4 Network Service Designer

Chapter 9 Network Service Designer introduction
    Figure 1: Service Chain with One VNF Instance That Provides All Functions
    Figure 2: Service Chain with Either Multiple Instances of the Same VNF or Multiple VNFs

List of Tables

About the Documentation
    Table 1: Notice Icons
    Table 2: Text and Syntax Conventions

Part 1 Contrail Service Orchestration

Chapter 1 Contrail Service Orchestration Introduction
    Table 3: Cloud CPE Centralized Deployment Model Licenses

Part 2 Administration Portal

Chapter 3 Configuring Network Resources
    Table 4: VIM Configuration Fields
    Table 5: EMS Configuration Fields
    Table 6: Resource Pool Configuration Fields
    Table 7: POP Configuration Fields
    Table 8: Device Discovery Fields
    Table 9: MX Series Router PNE Configuration Fields

Chapter 4 Configuring Customers
    Table 10: Tenant Configuration Fields
    Table 11: Administrator User Configuration Fields
    Table 12: Sites Configuration Fields
    Table 13: VPN Configuration Fields

Part 3 Customer Portal

Chapter 7 Configuring Sites and Network Services
    Table 14: vSRX Base Configuration Fields
    Table 15: vSRX Firewall Configuration Fields
    Table 16: vSRX NAT Configuration Fields
    Table 17: vSRX UTM Configuration Fields
    Table 18: LxCIP Base Configuration Fields
    Table 19: LxCIP Firewall Policy Configuration Fields
    Table 20: LxCIP NAT Policy Configuration Fields
    Table 21: CSR-1000v Base Configuration Fields
    Table 22: CSR-1000v Firewall Configuration Fields

Part 4 Network Service Designer

Chapter 11 Configuring Network Services
    Table 23: vSRX Base Configuration Fields
    Table 24: vSRX Firewall Configuration Fields
    Table 25: vSRX NAT Configuration Fields
    Table 26: vSRX UTM Configuration Fields
    Table 27: LxCIP Base Configuration Fields
    Table 28: LxCIP Firewall Policy Configuration Fields
    Table 29: LxCIP NAT Policy Configuration Fields
    Table 30: CSR-1000v Base Configuration Fields
    Table 31: CSR-1000v Firewall Configuration Fields

Part 5 Service and Infrastructure Monitor

Chapter 14 Monitoring Activities in the Deployment
    Table 32: Parameters for Monitoring Network Services
    Table 33: Parameters for Monitoring VNFs and Their Host VMs
    Table 34: Parameters for Monitoring Microservices
    Table 35: Parameters for Monitoring VNFs and Their Host VMs
    Table 36: Parameters for Monitoring Physical Servers

About the Documentation

• Documentation and Release Notes
• Documentation Conventions
• Documentation Feedback
• Requesting Technical Support

Documentation and Release Notes

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.

Documentation Conventions

Table 1 on page xii defines notice icons used in this guide.

Table 1: Notice Icons

| Meaning | Description |
|---|---|
| Informational note | Indicates important features or instructions. |
| Caution | Indicates a situation that might result in loss of data or hardware damage. |
| Warning | Alerts you to the risk of personal injury or death. |
| Laser warning | Alerts you to the risk of personal injury from a laser. |
| Tip | Indicates helpful information. |
| Best practice | Alerts you to a recommended use or implementation. |

Table 2 on page xii defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Example: To enter configuration mode, type the configure command:
    user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Example:
    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
Description:
• Introduces or emphasizes important new terms.
• Identifies guide names.
• Identifies RFC and Internet draft titles.
Examples:
• A policy term is a named structure that defines match conditions and actions.
• Junos OS CLI User Guide
• RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Example: Configure the machine’s domain name:
    [edit]
    root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
• To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
• The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Example: stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
    broadcast | multicast
    (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Example: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Example: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.

Example (indention, braces, and semicolon):
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
• In the Logical Interfaces box, select All Interfaces.
• To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods:

• Online feedback rating system—On any page of the Juniper Networks TechLibrary site at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at http://www.juniper.net/techpubs/feedback/.

• E-mail—Send your comments to [email protected]. Include the document or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or Partner Support Service support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Search for known bugs: http://www2.juniper.net/kb/

• Find product documentation: http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications: http://kb.juniper.net/InfoCenter/

• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.

PART 1

Contrail Service Orchestration

• Contrail Service Orchestration Introduction

CHAPTER 1

Contrail Service Orchestration Introduction

• Contrail Service Orchestration Overview
• Contrail Service Orchestration Licensing

Contrail Service Orchestration Overview

Contrail Service Orchestration is a suite of products for designing and deploying network services in the Cloud CPE Centralized Deployment Model. Contrail Service Orchestration provides a RESTful API to connect with service providers’ operational support systems (OSS) and business support systems (BSS) applications and is responsible for many management and network orchestration (MANO) activities in the deployment. Contrail Service Orchestration consists of the following components:

• Administration Portal, which is an application that you use to manage resources, customers, and availability of network services through a graphical user interface (GUI). Administration Portal uses the RESTful APIs of other Contrail Service Orchestration components.

• Cloud CPE Tenant Site and Service Manager and its auxiliary component, Identity and Access Manager, which manage customers and map each customer’s network services to the appropriate gateway resources, such as the Layer 2 access interfaces and routing instances. These applications provide northbound RESTful APIs to which you can connect OSS/BSS systems.

• Customer Portal, which is an application that you can provide to customers to enable them to manage sites and services for their organizations through a GUI. Customer Portal uses the RESTful APIs of other Contrail Service Orchestration components.

• Network Service Designer, which enables design, creation, management, and configuration of network services through a GUI. Network services are stored in the network service catalog.

• Network Service Orchestrator, which is responsible for ETSI-compliant management of the life cycle of network service instances. This application provides a northbound RESTful API to which you can connect OSS/BSS systems.

• Service and Infrastructure Monitor, which works with Icinga, an open source enterprise monitoring system, to provide data about the Cloud CPE Centralized Deployment Model, such as the status of virtualized network functions (VNFs), virtual machines (VMs), and physical servers; information about physical servers’ resources; components of a network service (VNFs and VMs hosting a VNF); counters and other information for VNFs; and software components running in Contrail Cloud Platform.

• VNF Manager, which creates VNF instances and manages their life cycles.

This user guide provides information about using the Contrail Service Orchestration components with GUIs. For information about installing Contrail Service Orchestration components, see the Cloud CPE Centralized Deployment Model Deployment Guide. For information about the REST APIs, see the Contrail Service Orchestration API Reference documentation.

Related Documentation

• Contrail Service Orchestration Licensing
• Customer Portal Overview
• Network Service Designer Overview
• Service and Infrastructure Monitor Overview

Contrail Service Orchestration Licensing

You must have licenses to download and use Contrail Service Orchestration. When you order licenses, you receive the information you need to download and use the product. If you did not order the licenses, contact your account team or Juniper Networks Customer Care for assistance.

Contrail Service Orchestration licensing is based on VNF capacity, which also determines the number of separate Contrail Cloud Platform and Junos Space Network Management Platform licenses required. See Table 3 on page 4. Contrail Service Orchestration licenses are also included with Cloud CPE Centralized Deployment Model licenses.

Table 3: Cloud CPE Centralized Deployment Model Licenses

| Number of VNFs Supported | Number of Contrail Cloud Platform Licenses Required | Number of Junos Space Network Management Platform Licenses Required |
|---|---|---|
| 500 | 1 | 2 |
| 2000 | 1 | 2 |
| 10,000 | 5 | 8 |
| 25,000 | 13 | 18 |
| 50,000 | 25 | 34 |

Related Documentation

• Contrail Service Orchestration Overview

PART 2

Administration Portal

• Administration Portal Introduction
• Configuring Network Resources
• Configuring Customers
• Managing Objects

CHAPTER 2

Administration Portal Introduction

• Administration Portal Overview
• Setting Up the Cloud CPE Centralized Deployment Model with Administration Portal
• Accessing Administration Portal

Administration Portal Overview

Administration Portal offers service providers a convenient way to set up andmanage

resources, customers, and availability of network services through a graphical user

interface (GUI).

When you use Administration Portal, you are actually creating andmanaging objects

used by the following APIs in the Cloud CPE Centralized Deployment Model:

• Cloud CPE Tenant, Site and Service Manager APIs, which manage customers (also

called tenants), manage customer sites, andmap each customer’s network services

to theappropriategateway resources, suchas theLayer 2access interfacesand routing

instances.

• Identity and Access Manager APIs, which manage identifiers and roles for customers

and users.

• NetworkServiceOrchestrationAPIs,whichmanagenetworkservicesandcommunicate

with Contrail OpenStack, the virtualized infrastructure manager (VIM).

• Contrail OpenStack API, which manages network points of presence (POPs), service

chains, and virtual machines (VMs) that contain service chains.

You can also set up and manage the Cloud CPE Centralized Deployment Model through API calls, either manually or from your operational support systems and business support systems (OSS/BSS). This method is more complex, however, and, if you use your own OSS/BSS, requires development and integration work. Use of Administration Portal is particularly beneficial for companies who require a turnkey solution and do not want to expend effort on developing programs to set up and manage the deployment through APIs. Even if you plan to use your own OSS/BSS systems to set up and manage the Cloud CPE Centralized Deployment Model in a production environment, Administration Portal can prove useful for demonstrations and trials of the deployment.

Related Documentation

• Setting Up the Cloud CPE Centralized Deployment Model with Administration Portal

• Accessing Administration Portal

Setting Up the Cloud CPE Centralized Deployment Model with Administration Portal

In the Cloud CPE Centralized Deployment Model, end users at a specific customer site access most network services in a regional point of presence (POP), and might access a few specialist network services in the central POP. Using Administration Portal, you create and configure the resources for each POP, then create and configure the customers and sites that access network services in the POP.

You use the following workflow to set up each POP in the Cloud CPE Centralized

Deployment Model with Administration Portal:

1. Create a virtualized infrastructure manager (VIM).

2. Create an element management system (EMS).

3. Create one or more resource pools—the set of resources, excluding the virtual networks used within customers’ organizations, that you use to instantiate and manage a group of virtualized network functions (VNFs).

4. Enable each resource pool.

5. Create the POP.

6. Create physical network elements (PNEs)—physical network devices that you manage through a Network Functions Virtualization (NFV) implementation.

7. Create one or more customers—the organizations that use the network services that

you provide.

Administration Portal automatically creates a transit network or hub for the customer.

A transit network is a virtual network for the customer’s organization that transports

traffic from one site to another and from a site to the Internet.

You then use the following workflow to set up each customer:

1. Create sites—the geographical locations from which end users access network services in the customer’s organizations.

2. Create an administrative user—an administrator at the customer’s organization who

manages sites and network services in the organization’s network.

3. Allocate network services.

Related Documentation

• Accessing Administration Portal

• Administration Portal Overview

• VIM Management Overview

• EMS Management Overview

• Resource Pool Management Overview

• POP Management Overview

• Tenant Management Overview

Accessing Administration Portal

To start Administration Portal:

1. Review the Keystone username and password that you defined for Contrail OpenStack.

You can view these settings on the Contrail Configure and Control Node in the files

/etc/contrail/keystonerc and /etc/contrail/openstackrc.

2. Using a Web browser, access the URL for Administration Portal.

For example, if the IP address of the virtual machine (VM) on which Administration

Portal resides is 192.0.2.1, the URL is http://192.0.2.1/admin-portal-ui/index.html.

3. Log in with the Keystone username and password that you specified for Contrail

OpenStack.

The VIM Management page appears.

Related Documentation

• Administration Portal Overview

• VIM Management Overview

CHAPTER 3

Configuring Network Resources

• VIM Management Overview

• Creating a VIM

• EMS Management Overview

• Creating an EMS

• Resource Pool Management Overview

• Creating a Resource Pool

• Activating and Deactivating Resource Pools

• POP Management Overview

• Creating a POP

• Device Management Overview

• Creating Devices

VIM Management Overview

The virtualized infrastructure manager (VIM) in a Network Functions Virtualization (NFV)

implementation manages the hardware and software resources that the service provider

uses to create service chains and deliver network services to customers. The network

service orchestration component notifies the VIM when a customer activates a network

service. In the Cloud CPE Centralized Deployment Model, Contrail OpenStack provides

the VIM, and Network Service Orchestrator provides the network service orchestration.

The Contrail Cloud Reference Architecture (CCRA) provides the hardware and software

resources for the creation of service chains and for delivery of network services in the

service provider’s cloud.

You create one VIM object for each POP in your network. Because the CCRA provides

the VIM, you specify several Contrail OpenStack settings when you create a VIM.

The VIM Management page displays some of the settings for a VIM. For complete information about the settings for a VIM, see Table 4.

Related Documentation

• Creating a VIM

• Administration Portal Overview

• Modifying an Object

• Deleting an Object

Creating a VIM

Use the VIM Management page to create the virtualized infrastructure managers (VIMs).

To create a VIM:

1. Click Resources.

The VIM Management page appears.

2. In the VIM Management page, click the plus (+) icon.

The VIM Configuration page appears.

3. Configure the fields using the information provided in Table 4.

Table 4: VIM Configuration Fields

| Field | Guidelines | Example |
|---|---|---|
| VIM name | Specify the name of the VIM instance. You can use an unlimited number of alphanumeric characters, including symbols. | test-setup |
| Description | Specify a description of the VIM instance. You can use an unlimited number of alphanumeric characters, including symbols. | VIM deployed in region one. |
| VIM IP Address | Specify the IP address of the primary Contrail Configure and Control node for the Contrail Cloud Reference Architecture (CCRA) for this POP. | 10.102.28.36 |
| User Name | Specify the OpenStack Keystone username that you configured. | admin |
| Password | Specify the OpenStack Keystone password that you configured. | contrail123 |
| Auth URI | Specify the uniform resource indicator (URI) for the OpenStack Keystone. | Default is http://ip:5000/v3 |
| Domain Name | Specify the name of the OpenStack domain that you configured. | default |
| Tenant Name | Specify the name of the OpenStack tenant that you configured. | admin |

4. Click Save. If you want to discard your changes, click Cancel instead.

The VIM that you configured appears on the VIM Management page.

Related Documentation

• VIM Management Overview

• Creating an EMS

EMS Management Overview

The element management system (EMS) in a Network Functions Virtualization (NFV)

implementation provides network management of the virtualized network functions

(VNFs) and physical network elements (PNEs). The VNF Manager notifies the EMS that

it needs to provide element management for a new VNF or PNE.

In the Cloud CPE Centralized Deployment Model, the Junos Space Virtual Appliance

provides the EMS, and resides on the Contrail Service Orchestration Node. Administration

Portal automatically detects and adds an object for the EMS, using the name that you

specify when you deploy the Junos Space Virtual Appliance. You need to configure some

settings for the EMS, so that the virtual appliance can communicate with other

components in the deployment. For a redundant Contrail Service Orchestration

configuration, configure only the primary Junos Space Virtual Appliance. When you

configure the virtual appliance, you specify the information displayed on the EMS

Management page.

The EMS Management page displays some of the settings that you specify when you configure an EMS. For complete information about the settings for an EMS, see Table 5.

Related Documentation

• Creating an EMS

• Administration Portal Overview

• Modifying an Object

• Deleting an Object

Creating an EMS

Use the EMS Management page to configure the primary instance of each element

management system (EMS) that you use for the Cloud CPE Centralized Deployment

Model. Administration Portal automatically adds an object for the EMS, using the name

that you specify when you deploy the Junos Space Virtual Appliance.

Before You Begin

• Verify that the VIM Management page displays the virtualized infrastructure managers (VIMs).

To configure an EMS:

1. Click Resources.

2. In the left navigation pane, click EMS.

The EMS Management page appears.

3. Click the plus (+) icon.

The EMS Configuration page appears.

4. Complete the configuration according to the guidelines provided in Table 5.

Table 5: EMS Configuration Fields

| Field | Guidelines | Example |
|---|---|---|
| EMS Name | Name of the EMS. This field is auto-populated with the name that you specified when you deployed the Junos Space Virtual Appliance. | JunosSpace |
| Vendor | Specify the vendor for the EMS. | Juniper Networks |
| Version | Specify the version number of the EMS. | 15.1R1 |
| IP Address | Specify the IP address of the Junos Space Web user interface (UI). For a redundant Contrail Service Orchestration, configure the IP address of the Web UI for the primary Junos Space Virtual Appliance. | 192.0.2.3 |
| Username | Specify the username for the EMS. | super |
| Password | Specify the password that you configured for the EMS. | pwd123 |

5. Click Save. If you want to discard your changes, click Cancel instead.

Related Documentation

• EMS Management Overview

• Creating a Resource Pool

• Creating a VIM

Resource Pool Management Overview

A resource pool consists of the following components, which enable the instantiation and management of virtualized network functions (VNFs) in the Cloud CPE Centralized Deployment Model:

• Compute zone

• Element management system (EMS)

• Virtualized infrastructure manager (VIM)

Use the following guidelines for managing resource pools:

• You must create at least one resource pool for each VIM in the deployment.

• Because the Cloud CPE Centralized Deployment Model supports one EMS, all resource pools share the same EMS.

• You may define resource pools with the same VIM and EMS, but with different compute zones.

• Defining multiple compute zones enables scaling of the deployment within a POP.

The Resource Pool Management page displays some of the settings for a resource pool.

For complete information about the settings for a resource pool, see Table 6.

Related Documentation

• Activating and Deactivating Resource Pools

• Administration Portal Overview

• Modifying an Object

• Deleting an Object

Creating a Resource Pool

Use the Resource Pool Management page to define the objects in the network point of

presence (POP) that instantiate and manage VNFs.

Before You Begin

• Create the virtualized infrastructure manager (VIM) for the POP.

• Create the element management system (EMS) for the POP.

To create a resource pool:

1. Click Resources.

2. In the left navigation pane, click Resource Pool.

The Resource Pool Management page appears.

3. Click the plus (+) icon.

The Resource Pool Configuration page appears.

4. Complete the configuration according to the guidelines provided in Table 6.

Table 6: Resource Pool Configuration Fields

| Field | Guidelines | Example |
|---|---|---|
| Resource Pool name | Specify a name for the resource pool. You can use an unlimited number of alphanumeric characters, including symbols. | north-east |
| Description | Specify notes about the resource pool. | Resource pool for the North East region. |
| VIM | Choose a VIM from the menu. | CCRA-16 |
| Compute Zone | Specify the availability zone in Contrail OpenStack in which the VMs for network services reside. The default availability zone is Nova. | availability-zone1, Nova |
| EMS | Choose an EMS from the menu. The same EMS can support multiple VIMs. | Junos Space |

5. Click Save. If you want to discard your changes, click Cancel instead.

Related Documentation

• Resource Pool Management Overview

• Activating and Deactivating Resource Pools

• Creating an EMS

Activating and Deactivating Resource Pools

Use the Resource Pool Management page to activate and deactivate resource pools that

you have created.

Before You Begin

• Before you activate a resource pool, create the virtualized infrastructure manager

(VIM), element management system (EMS), and resource pool objects for the network

point of presence (POP).

• Before you deactivate a resource pool, remove customer-associated objects in the

opposite order to which you added them, and then remove the associated POP object.

To activate or deactivate a resource pool:

1. Click Resources > Resource Pool.

The Resource Pool Management page appears.

2. Select the check box of the resource pool.

3. Click More, and select Enable Resource Pool or Disable Resource Pool.

A message indicating the result of the action appears.

• If the action was successful, click OK.

On the Resource Pool Management page, the state of the resource pool changes

from created to enabled.

• If the action was not successful, make sure that you completed the prerequisite

actions, then repeat the process.

Related Documentation

• Resource Pool Management Overview

• Creating a POP

• Creating a Resource Pool

POP Management Overview

In a Network Functions Virtualization (NFV) implementation, a network point of presence

(POP) is a location at which a service provider instantiates a network function, such as

a virtualized network function (VNF).

The Cloud CPE Centralized Deployment Model supports multiple POPs. A scaled

deployment contains a central POP and multiple regional POPs. End users at customer

sites in a specific geographic region access most network services in their regional POP,

and might access a few specialist services in the central POP. Each POP contains a

dedicated Contrail Cloud Reference Architecture, which provides one virtualized

infrastructure manager (VIM).

Contrail Cloud Platform creates one virtual machine (VM) for each VNF used in the Cloud CPE Centralized Deployment Model. Contrail uses a management virtual network to assign IP addresses to the Ethernet management ports for these VMs. In addition, Contrail uses an Internet gateway next hop to enable Internet access for the VMs.

When you configure a POP with Administration Portal, you specify:

• The universally unique identifier (UUID) for the Contrail virtual management network

to allow access to the VNFs from the POP.

• The UUID for the Internet gateway next hop in Contrail to enable access to the VMs

from the Internet.

The POP Management page displays some of the settings that you specify when you configure a POP. For complete information about the settings for a POP, see Table 7.

Related Documentation

• Creating a POP

• Administration Portal Overview

• Modifying an Object

• Deleting an Object

Creating a POP

Use the POP Management page to create a network point of presence (POP).

Before You Begin

• Create the virtualized infrastructure manager (VIM), element management system

(EMS), and resource pool objects for the POP.


• Obtain the UUIDs of the following objects in Contrail:

• Management virtual network

• Internet virtual network

To create a POP:

1. Click Resources.

2. In the left navigation pane, click POP.

The POP Management page appears.

3. Click the plus (+) icon.

The POP Configuration page appears.

4. Complete the configuration according to the guidelines provided in Table 7.

Table 7: POP Configuration Fields

| Field | Guidelines | Example |
|---|---|---|
| POP name | Specify the name of the POP. You can use an unlimited number of alphanumeric characters, including symbols. | north-east |
| MgmtNetwork | Specify the UUID for the Contrail management virtual network. | 03441f03-45cd-4d03-bb3b-704597e870b0 |
| InternetNetwork | Specify the UUID for the Contrail Internet gateway next hop. | 239c844e-d1de-4f34-aaa9-fcef64d99103 |

5. Click Save. If you want to discard your changes, click Cancel instead.

Related Documentation

• POP Management Overview

• Creating Devices

• Activating and Deactivating Resource Pools

Device Management Overview

Device management in Administration Portal enables use of physical network elements

(PNEs) for specific customer sites. A PNE is a device in the network that you can provision

and configure through Contrail Service Orchestration. An element management system

(EMS) manages both PNEs and virtualized network functions (VNFs). Use of PNEs and

VNFs together in an NFV implementation simplifies provisioning and enables end-to-end

automation of network configuration workflows.

The Cloud CPE Centralized Deployment Model enables the MX Series router PNE to

provide a Layer 3 routing service to customer sites through use of virtual routing and

forwarding (VRF) instances (known in Junos OS as Layer 3 VPN routing instances). A

unique routing table for each VRF instance results in separation of each customer’s traffic

from other customers’ traffic.

The MX Series router receives traffic associated with network service activation from

customer sites and transmits it to the virtual machines (VMs) in which the VNFs reside

on the Contrail compute node. The MX Series router exchanges BGP routes with Contrail

to enable this traffic flow.

When you configure the MX Series router in Administration Portal, you configure:

• Settings that enable Junos Space to discover a PNE.

• Settings for BGP routing that correspond to values in Contrail.

• Management VPN settings that correspond to values in Contrail.

• Internet VPN settings that correspond to values for the specific customer site.

The Devices page displays some of the settings for a PNE. For complete information

about the settings for a PNE, see Table 8. For complete information about the settings for the MX Series router, see Table 9.

Related Documentation

• Creating Devices

• Administration Portal Overview

• Modifying an Object

• Deleting an Object

Creating Devices

Use the Devices page to create and configure physical network elements (PNEs)

associated with a specific customer site.

Before You Begin

• Create the virtualized infrastructure manager (VIM), element management system

(EMS), resource pool, and point of presence (POP).

• Activate the resource pool.

• Determine the route target for the customer site associated with the PNE.

To create a device:

1. Click Resources.

2. In the left navigation pane, click Device Management.

The Devices page appears.

3. Click the plus (+) icon.

The Discover Device page appears.

4. Specify the device settings for discovery according to the guidelines provided in Table 8.

Table 8: Device Discovery Fields

| Field | Guidelines | Example |
|---|---|---|
| Device Object Name | Specify the hostname of the device. | router1 |
| Device IP | Specify the IP address of the management interface for the device. | 192.0.2.15 |
| User name | Specify the username for logging in to the device. | admin |
| Password | Specify the password for logging in to the device. | pwd123 |
| Device Profile | Select the device from the menu. SDN-GWMX—MX Series router. For most installations, select this option. Juniper-MX-MIS—Customized device profile with MX configuration which avoids internet traffic black-hole at sites during VNF service instantiation. | SDN-GWMX |

5. Click Discover.

A status message appears advising that the EMS has started the device discovery

process.

6. Click OK.

The device you created appears in the Devices page with the status discovering. When

the discovery process is complete:

a. The EMS starts to manage the device.

b. The Device Status field for the device changes to discovered.

c. The Configuration Device page appears.

7. Complete the configuration according to the guidelines provided in Table 9.

Table 9: MX Series Router PNE Configuration Fields

| Field | Guidelines | Example |
|---|---|---|
| BGP Configuration | | |
| AS Number | Specify the number of the AS for BGP routing with the Contrail Configure and Control Node. | 64512 |
| Local Address | Specify an IP address, such as the loopback address, that the router uses for BGP sessions. You can use an IPv4 or IPv6 address. | 192.0.2.15 |
| Remote Address (Contrail Controller) | Specify the IP address of the data interface for the primary Contrail Configure and Control node. You can use an IPv4 or IPv6 address. | 192.0.2.25 |
| Contrail Compute Prefix | Specify one or more prefixes that define the subnets for the Contrail Compute nodes. You can use an IPv4 or IPv6 address. | 192.0.2.0/24 |
| Management VRF Configuration | | |
| Interface Name | Specify the MX Series router interface. | xe-1/1/1 |
| Interface VLAN | Specify the VLAN interface. | |
| Default Gateway | (Optional) Specify the IP address (IPv4 or IPv6) for the router for the default route for management traffic. You can use an IPv4 or IPv6 address. | 192.0.2.40 |
| Route Target | Specify the route target for the management network in Contrail. | 64512:10000 |
| Route Distinguisher | Specify the route distinguisher for the management network in Contrail. | 64512:10000 |
| Internet VRF Configuration | | |
| Interface Name | Specify the MX Series router interface that connects to the customer site. You can specify multiple interfaces. | xe-2/2/2 |
| Interface VLAN | Specify the VLAN interface. | |
| Route Target | Specify the route target for traffic on this interface. This value matches the Route Target value that you configure for the VPN associated with the site. | 64512:12000 |
| Route Distinguisher | Specify a unique route distinguisher for traffic on this interface. This value matches the Route Distinguisher value that you configure for the VPN associated with the site. You can specify any unique route distinguisher, such as the route target for the site VPN. | 64512:12000 |
| Gateway for Default Route | (Optional) Specify the IP address (IPv4 or IPv6) for the router for the default route for Internet traffic from the site. You can use an IPv4 or IPv6 address. | 192.0.2.50 |

8. Click Save. If you want to discard your changes, click Cancel instead.

Related Documentation

• Device Management Overview

• Creating a Customer

• Creating a Site

CHAPTER 4

Configuring Customers

• Tenant Management Overview

• Creating a Customer

• Creating an Administrative User

• Creating a Site

• Importing Sites from a File

• Allocating Network Services

Tenant Management Overview

A tenant in a Cloud CPE Centralized Deployment Model represents a customer who

accesses virtualized network functions (VNFs) in a service provider’s centralized cloud

through a Layer 3 VPN. You assign users and sites to customers in the Administration

Portal to represent the staff in the customer’s organization and the geographical locations in the customer’s network. You also use Administration Portal to allocate network service profiles to customers.

The Tenants page displays some of the settings for a customer. For complete information about the settings for a customer, see Table 10.

Related Documentation

• Creating a Customer

• Administration Portal Overview

• Modifying an Object

• Deleting an Object

Creating a Customer

Use the Tenants page to create customers and other objects associated with customers,

such as administrative users and sites.

Before You Begin


• Create all the resources required for the network point of presence (POP).

To create a customer:

1. Click Tenants.

The Tenants page appears.

2. Click the plus (+) icon.

The Tenant Configuration page appears.

3. Complete the configuration according to the guidelines provided in Table 10.

Table 10: Tenant Configuration Fields

| Field | Guidelines | Example |
|---|---|---|
| Name | Specify the name of the customer. You can use an unlimited number of alphanumeric characters, including symbols. | customerA |
| POP | Select the identifier of the POP in Cloud CPE Tenant, Site and Service Manager. | Boston |
| Resource Pool | Select the resource pool from the drop-down list. | resource-pool |
| Route Target | Specify the route target of the transit network for the customer. | 64512:12000 |
| Subnet | Specify the subnet of the transit network for the customer. | 192.0.2.0/24 |

4. Click Save. If you want to discard your changes, click Cancel instead.

The tenant that you configured appears on the Tenants page.

NOTE: After you create a tenant, access Contrail and add the following rule to the security group in the Contrail project.

Ingress IPv4 network 0.0.0.0/0 protocol any ports any

This rule allows the network to accept traffic from all subnets.

Related Documentation

• Tenant Management Overview

• Creating an Administrative User

• Terminating a Transit Network

Creating an Administrative User

Use the Create Administration User page to configure an administrative user for each

customer that accesses network services through the service provider’s centralized cloud.

To create an administrative user:

1. Click Tenants.

The Tenants page appears.

2. In the Tenants page, select the customer for whom an administrative user has to be created and click More.

3. Select Create Admin user.

The Create Administration User page appears.

4. Complete the configuration according to the guidelines provided in Table 11.

Table 11: Administrator User Configuration Fields

| Field | Description | Example |
|---|---|---|
| Name | Specify a unique name of the customer administrator. | customer-admin |
| Password | Specify the password for the customer administrator. | pwd123 |

5. Click Save. If you want to discard your changes, click Cancel instead.

The administrative user that you configured for the customer appears on the Tenants

page.

Related Documentation

• Creating a Site

• Tenant Management Overview

Creating a Site

Use the Tenants > Site Configuration page to create one or more sites for a customer.

Site information is stored in Cloud CPE Tenant, Site and Service Manager. Each site has

a corresponding virtual network in Contrail. When a user activates a network service for

a site, Contrail OpenStack creates a corresponding virtual network.

To create a site:

1. Click Tenants.

The Tenants page appears.

2. Click the customer name for whom you want to create the site.


The list of existing sites for the customer appears.

3. Click the plus (+) icon.

The Site Configuration page appears.

4. Complete the configuration according to the guidelines provided in Table 12.

Table 12: Sites Configuration Fields

| Field | Guidelines | Example |
|---|---|---|
| Name | Specify a unique alphanumeric name for the site. You can use an unlimited number of alphanumeric characters, including symbols. | Boston |
| Description | Specify the description for the site. You can use an unlimited number of alphanumeric characters, including symbols. | Site in Boston for customerA |
| Resource Pool | Select the resource pool from the drop-down list. | resource-pool |
| Pop | Select the identifier of the POP in Cloud CPE Tenant, Site and Service Manager from the drop-down list. | Boston |
| Left Route Target | Specify the route target of the site virtual network. | 64512:4001 |
| Left Subnet Internet | (Optional) If the site connects directly to the Internet, specify the IP address of the subnet that connects the site to the Internet. The site can connect to the Internet directly, through the VPN, or both directly and through the VPN. Complete this setting if the site connects directly to the Internet or to the Internet both directly and through the VPN. | 192.0.2.0/24 |
| Left Subnet Service | (Optional) If the site connects to the Internet through the VPN, specify the IP address of the subnet for the site virtual network. The site can connect to the Internet directly, through the VPN, or both directly and through the VPN. Complete this setting if the site connects to the Internet through the VPN or to the Internet both directly and through the VPN. | 192.0.2.1/24 |
| Device | Select the device from the drop-down list. | MX-GW |

5. Click Save. If you want to discard your changes, click Cancel instead.

The site that you configured appears on the sites page of the customer.

6. Click the check box of the site.

7. Select More > Advanced Configuration.

The Configure Device page appears.

8. Complete the VPN configuration according to the guidelines provided in Table 13.

Table 13: VPN Configuration Fields

| Field | Guidelines | Example |
|---|---|---|
| Customer VPN Name | Specify the name of the VPN for this customer. | customerA-VPN |
| Customer VPN Interface | Specify the MX Series router interface that connects to the customer site. This value matches the interface that you configure for the MX Series router physical network element (PNE). | xe-2/2/2 |
| Route Target | Specify the route target for the site. This value matches the Route Target value that you configure for the MX Series router PNE. | 64512:1102 |
| Route Distinguisher | Specify a unique route distinguisher for the site. You can specify any unique route distinguisher, such as the route target for the site. | 64512:1102 |
| Gateway for Default Route | (Optional) Specify the IP address (IPv4 or IPv6) for the router for the default route for internet traffic. | 192.0.2.50 |

9. Click OK.

Related Documentation

• Creating a Customer

• Creating Devices

Importing Sites from a File

Use the Tenants > Site > Import Sites page to import a comma-separated values (CSV)

file or JavaScript Object Notation (JSON) file of sites for the customer.

• Creating a File of Site information

• Importing Sites

Creating a File of Site information

To create a file of sites:

1. Click Tenants.

The Tenants page appears.

2. Click the customer name for whom you want to import the sites.

The list of existing sites for the customer is displayed on the sites page.

3. Click Import Sites.

The Import Sites page appears.

4. Click Download Sample CSV to download a CSV template or Download Sample JSON to download a JSON template.

The file appears at the bottom of the page.

5. In the Import Sites page, click Cancel.

6. Open the sample file.

7. Save the template to your computer with an appropriate name.

8. Customize the template for the customer sites, using Table 12 as a guide.

CAUTION: The resource pool name in the file must match an existing resource pool in the system. Otherwise, the import operation can fail.

9. Save the customized file.

Importing Sites

To import sites:

1. Click Tenants.

The Tenants page appears.

2. Click the customer name for whom you want to import the sites.

The list of existing sites for the customer is displayed on the sites page.

3. Click Import Sites.

The Import Sites page appears.

4. Click Browse and navigate to the directory containing the site file.

5. Select the file and click Open.

6. Click Import.

The site information for the customer is updated on the sites page.


Related Documentation

• Creating a Site on page 25

Allocating Network Services

Use the Tenants page to create and save network services in Network Service Designer. When setting up customers with Administration Portal, you must import the network services and allocate them to customers. After the allocation, customers can see and activate the network services in Customer Portal.

Before You Begin

• Create network services in Network Service Designer. See “Configuring Network Services” on page 73 topic.

To allocate network services:

1. Click Tenants.

The Tenants page appears.

2. Select a customer and click Import & Assign Service Profiles.

All network services are imported and allocated to the customer.

Related Documentation

• Creating a Transit Network on page 33


CHAPTER 5

Managing Objects

• Viewing Details for an Object

• Modifying an Object

• Deleting an Object

• Modifying a Site

• Deleting a Site

• Creating a Transit Network

• Terminating a Transit Network

Viewing Details for an Object

Use the Detailed View page to view all the configured parameters of an object. Only some of the configured parameters appear in the list of features on the main page.

To view details for an object:

• Right-click the object that you want to see the detailed view for, or select Details from the More menu.

• Alternatively, hover over the object name and click the Detailed View icon that appears before it.

The Detailed View page appears showing the configuration information.

Related Documentation

• Modifying an Object on page 31

• Deleting an Object on page 32

Modifying an Object

Use the pencil icon in the top right of a page to modify or edit an object on that page.

To modify an object:

1. Select the check box of the object that you want to modify, and click the pencil icon.

The object configuration page appears.

2. Update the configuration as needed.


3. Click Save.

The object information that you updated appears in the main page.

Related Documentation

• Deleting an Object on page 32

Deleting an Object

Use the delete (X) icon in the top right corner of a page to delete an object on that page.

To delete an object:

1. Select the check box of the object that you want to delete and click the X icon.

The Confirm Delete page appears.

2. Click Yes to delete the object or No to cancel the deletion.

The object information is deleted from the main page.

Related Documentation

• Modifying an Object on page 31

• Deleting a Site on page 33

Modifying a Site

Use the Tenants > Site Configuration page to modify a site.

To modify a site:

1. Click Tenants.

The Tenants page appears.

2. Click the customer name for whom you want to modify the site.

The list of existing sites for the customer is displayed on the sites page.

3. Select the site that you want to modify and click the pencil icon.

The Site Configuration page appears.

4. Update the configurations according to the guidelines provided in Table 12 on page 26.

5. Click Save.

The site information that you updated is displayed on the sites page.

Related Documentation

• Creating a Site on page 25

• Deleting a Site on page 33


Deleting a Site

Use the Tenants > Site Configuration page to delete a site. Before deleting a site, remove the service instances associated with the site.

To delete a site:

1. Click Tenants.

The Tenants page appears.

2. Click the customer name for whom you want to delete the site.

The list of existing sites for the customer is displayed on the sites page.

3. Select the site that you want to delete and click the delete (X) icon.

The Confirm Delete page appears.

4. Click Yes to delete the site.

The site information is deleted from the sites page.

Related Documentation

• Creating a Site on page 25

• Modifying a Site on page 32

Creating a Transit Network

When you create a customer, Administration Portal automatically creates a transit network for the customer. Use the Tenants page to create a new transit network for a customer if you terminated the previous transit network.

To create a transit network:

1. Click Tenants.

The Tenants page appears.

2. Select a customer for whom you want to create a transit network and click More.

3. Select Create Transit Network.

The Creating Transit Network page appears, displaying whether the operation succeeded or failed.

Related Documentation

• Terminating a Transit Network on page 34

• Setting Up the Cloud CPE Centralized Deployment Model with Administration Portal on page 8


Terminating a Transit Network

Use the Tenants page to terminate a transit network, or hub, that transports traffic from one site to another and from a site to the Internet.

NOTE: You must terminate the transit network before deleting a customer from the network.

To terminate a transit network:

1. Click Tenants.

The Tenants page appears.

2. Select a customer for whom you want to terminate a transit network and click More.

3. Select Terminate Transit Network.

The Terminate Transit Network page appears, displaying the status of the operation.

Related Documentation

• Creating a Customer on page 23

• Creating a Transit Network on page 33


PART 3

Customer Portal

• Customer Portal Introduction

• Configuring Sites and Network Services

• Managing Sites and Network Services


CHAPTER 6

Customer Portal Introduction

• Customer Portal Overview

• Accessing Customer Portal

Customer Portal Overview

Customer Portal provides a visual topology of a customer’s sites and services in a network, and enables the customer’s administrator to activate and manage sites and network services in that network. Service providers set up the network topology and service catalog for the customer, and they provide login credentials for Customer Portal.

The Cloud CPE Centralized Deployment Model supports access to the Internet in two ways, either independently or simultaneously, even for the same site:

• Sites in the network connect to the Layer 3 virtual private network (VPN) and the VPN connects directly to the Internet.

• Sites in the network connect directly to the Internet.

Each connection in the topology can support one network service, although use of a network service on any link is optional.

With Customer Portal, you can:

• Activate and deactivate sites in the network.

• Add network services on connections.

• Configure network services.

• Disable and remove network services on a connection.

• Replace a network service on a connection with another network service.

Related Documentation

• Accessing Customer Portal on page 38

• Managing Sites and Network Services Overview on page 53


Accessing Customer Portal

To start Customer Portal:

1. Obtain the following information from your service provider:

• IP address for the Customer Portal host.

• Login credentials:

• Username

• Password

• Customer name

2. Using a Web browser, access the URL for Customer Portal.

For example, if the IP address of the host on which Customer Portal resides is 192.0.2.1, the URL is http://192.0.2.1/self-care-portal-ui/index.html.

3. Log in with the credentials provided.

The start up wizard page appears.

• To activate sites in the network, click NEXT.

• To exit the wizard and view the topology of sites and services, click EXIT.

• To prevent the wizard from appearing next time you log in, select the Do Not Show Start Up Wizard Next Time check box.

When you log in again, you see the topology of sites and services in the network.

Related Documentation

• Activating Sites in a Network on page 39

• Customer Portal Overview on page 37

• Managing Sites and Network Services Overview on page 53


CHAPTER 7

Configuring Sites and Network Services

• Activating Sites in a Network

• Configuring a Service

• vSRX Configuration Settings

• LxCIPtable VNF Configuration Settings

• Cisco CSR-1000v VNF Configuration Settings

Activating Sites in a Network

Service providers add sites to customers’ networks and assign network services to customers. Customers can then activate the sites and deploy services between sites and the VPN.

To activate sites in a network:

1. Access the startup wizard.

• When you log in to Customer Portal for the first time, the wizard appears automatically.

You can then configure the Customer Portal to display either the wizard or the Monitor page for future logins.

• From the Monitor page, click Add Sites.

2. Click NEXT.

The wizard displays the sites that you can activate.

NOTE: If the wizard does not display any sites, all available sites are active. Click Exit to access the Monitor page.

3. For each site that you want to activate, click the appropriate check box in the site box.

4. Click NEXT.

The wizard displays the site names in white boxes in the left navigation bar.

5. If you do not want to add services to the individual sites, proceed to Step 14.

6. In the left navigation bar, click one site.


The wizard displays the possible topologies for connecting the sites to the VPN.

7. Select the check box in the All-Site Specific topology.

NOTE: If a topology is not supported from this page, you cannot select it. If the service provider configured your network to allow direct Internet access from one or more sites, you configure services on those links from the Monitor page, after you complete the setup process with the wizard.

8. Click NEXT.

The wizard displays a page of network services that you can add to sites.

9. Select the check box in the network service that you want to add.

The Service page appears.

CAUTION: Do not modify the settings on the Base Configure tab. The service provider has configured these settings for your network, and you cannot activate the network service if you override these settings.

10. On each function tab, specify at least one setting.

Refer to the specific VNF settings for details about configuring the network functions, such as a firewall or Network Address Translation (NAT).

11. Click OK.

The wizard displays the page of network services that you can add to sites.

12. Click NEXT.

The Copy Configuration page appears.

13. Decide whether you want to use the same service and configuration for other sites, or use a different service and configuration for those sites:

• If you want to use the same service and configuration for other sites:

a. Click Yes in the Copy Configuration page.

The Select CPEs to Match Configuration page appears.

b. Select the check box for each site where you want to use the network service.

c. Click Configure.

The wizard displays the Configure Site page. A message indicating failure or success of the service configuration at each site appears briefly on the page.

• If you want to use a different service or configuration for other sites:

a. Click No in the Copy Configuration page.


The wizard displays the Configure Site page. In the left navigation bar, configured sites are shown as green boxes and unconfigured sites are shown as white boxes.

b. Repeat Step 5 through Step 13.

The wizard displays the Configure Site page. In the left navigation bar, all sites are shown as green boxes.

14. Click Done With Step 2.

The wizard displays the site summary and the service summary for the new sites.

15. Review the details in the summaries and make any corrections. Use the PREVIOUS and NEXT options to navigate through the pages.

16. Click DONE.

The sites are activated and the network services are started. The Monitor page appears, displaying the VPN Services view, which shows the topology of sites and services relative to the VPN. Blue service icons on the connections indicate that a service is active, and gray icons indicate that a service is disabled. It may take a short time for a new service to become active.

17. (Optional) If the service provider configured your network to allow direct Internet access from one or more sites, click the Internet Services tab to view the topology of sites and services relative to the Internet.

You can then add network services to the links between sites and the Internet.

Related Documentation

• vSRX Configuration Settings on page 42

• LxCIPtable VNF Configuration Settings on page 47

• Cisco CSR-1000v VNF Configuration Settings on page 49

• Managing Sites and Network Services Overview on page 53

• Adding a Service on page 55

• Customer Portal Overview on page 37

Configuring a Service

You can configure a network service on a connection between a site and the VPN when you activate the site in the network. Use the Monitor page to configure a network service if you did not configure the network service when you activated a site or if you want to reconfigure the service.

To configure a service:

1. Click the service icon on the connection.

2. Click Configure on the bottom left vertex of the hexagon.

The Service page appears.


Refer to the section for the specific VNF settings for details on the configuration settings. Settings that you configure override configurations that the service provider specified.

3. (Optional) On the Base Configure tab, specify your preferred settings.

4. On each function tab, specify at least one setting.

5. Click OK.

Related Documentation

• vSRX Configuration Settings on page 42

• LxCIPtable VNF Configuration Settings on page 47

• Cisco CSR-1000v VNF Configuration Settings on page 49

• Managing Sites and Network Services Overview on page 53

• Customer Portal Overview on page 37

vSRX Configuration Settings

When you are configuring the vSRX VNF, use the following information to provide values for the available settings:

• Table 14 on page 42 shows the settings you can configure for the virtual machine that contains the VNF.

• Table 15 on page 43 shows the firewall settings you can configure.

• Table 16 on page 45 shows the NAT settings you can configure.

• Table 17 on page 45 shows the UTM settings you can configure.

Table 14: vSRX Base Configuration Fields

Field: Host Name
Guidelines: Specify the hostname of the VM that contains the vSRX VNF. The field has no limit on the number of characters and accepts letters, numbers, and symbols.
Example: vm-vsrx

Field: Loopback Address
Guidelines: Specify an IPv4 or IPv6 loopback address for the management interface of the VM.
Example: 192.0.2.5

Field: DNS Servers
Guidelines: Specify the fully qualified domain names (FQDNs) or IP addresses of one or more DNS name servers.
Example: 192.0.2.10

Field: NTP Servers
Guidelines: Specify the fully qualified domain names (FQDNs) or IP addresses of one or more NTP servers.
Example: 192.0.2.15

Field: Syslog Servers
Guidelines: Specify the fully qualified domain names (FQDNs) or IP addresses of one or more Syslog servers.
Example: 192.0.2.30


Field: Enable Re-filter
Guidelines: Select True to enable a stateless firewall filter that protects the Routing Engine from denial-of-service (DoS) attacks or False to allow DoS attacks.
Example: True

Field: Enable Default Screens
Guidelines: Select True to enable the default screens security profile for the destination zone or False to disable default screening.
Example: False

Field: Time Zone
Guidelines: Specify the time zone for the VM.
Example: UTC

Field: Right Interface
Guidelines: Specify the identifier of the VM interface that transmits data.
Example: ge-0/0/1

Field: Left Interface
Guidelines: Specify the identifier of the VM interface that receives data.
Example: ge-0/0/0

Field: SNMP Prefix List
Guidelines: If you set the Enable Re-filter field to True, specify the routes that the Junos Space Virtual Appliance uses for SNMP operations when it discovers the vSRX VNF.
Example: 192.0.2.0/24

Field: Ping Prefix List
Guidelines: If you set the Enable Re-filter field to True, specify the routes that the Junos Space Virtual Appliance uses for ping operations when it discovers the vSRX VNF.
Example: 192.0.2.1/24

Field: Space Servers
Guidelines: If you set the Enable Re-filter field to True, specify the IP addresses of the VMs that contain the Junos Space Virtual Appliances.
Example: 192.0.2.50

Table 15: vSRX Firewall Configuration Fields

Field: Policy Name
Guidelines: Specify the name of the rule. The field has no limit on the number of characters and accepts letters, numbers, and symbols.
Example: policy-1

Field: Source Zone
Guidelines: Zone policies are applied to traffic traveling from one security zone (source zone) to another security zone (destination zone). This combination of a source zone and a destination zone is called a context.
Select the security zone from which packets originate.
• left—Interface that transmits data to the host.
• right—Interface to which the host transmits data.
Example: left


Field: Destination Zone
Guidelines: Zone policies are applied to traffic traveling from one security zone (source zone) to another security zone (destination zone). This combination of a source zone and a destination zone is called a context.
Select the security zone to which packets are delivered.
• left—Interface that transmits data to the host.
• right—Interface to which the host transmits data.
Example: right

Field: Source Address
Guidelines: Specify the source address prefixes that the network service uses as match criteria for incoming traffic.
To add source addresses:
1. Click the Source Address column.
The source-address page appears.
2. Select any to match any source IP address of packets or ipp to match a specific prefix in the source IP address for which the application enforces the policy.
3. If you select ipp, specify a prefix.
4. Click OK.
Example: 192.0.2.30

Field: Destination Address
Guidelines: Specify destination IP address prefixes that the network service uses as match criteria for outgoing traffic.
To add a destination address:
1. Click the Destination Address column.
The destination-address page appears.
2. Select any to match any source IP address of packets or ipp to match a specific prefix in the source IP address for which the application enforces the policy.
3. If you select ipp, specify a prefix.
4. Click OK.
Example: 192.0.2.40/24

Field: Action
Guidelines: Select permit to transmit packets that match the rule or deny to drop packets that match the rule.
Example: permit


Field: Application
Guidelines: Specify the applications to which the policy applies. The applications are based on protocols and ports.
To specify applications:
1. Click the Application column.
The application page appears.
2. In the allowed_apps field, select any to match any application or app to choose specific applications.
If you select app, press and hold the Ctrl key and click the required applications in the drop-down list.
• junos-tcp-any
• junos-udp-any
• junos-ftp
• junos-http
• junos-https
• junos-icmp-all
• junos-icmp-ping
• junos-telnet
• junos-tftp
3. Click OK.
Example:
• junos-tcp-any
• junos-udp-any
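Before entering rules with the fields in Table 15, it helps to review them for matches that are broader than intended. The following is an added example, not part of the guide or the product: the dictionary keys mirror the table's field names, the sample rules are constructed, and the choice of which applications to flag as cleartext is this example's assumption.

```python
import ipaddress

ZONES = {"left", "right"}
# Applications from the guide's list that carry credentials and data unencrypted.
# Which ones to flag is this example's choice, not the guide's.
CLEARTEXT_APPS = {"junos-telnet", "junos-ftp", "junos-tftp"}

# Constructed rules; the keys are assumptions that mirror the fields in Table 15.
SAMPLE_RULES = [
    {"policy_name": "policy-1", "source_zone": "left", "destination_zone": "right",
     "source_address": "192.0.2.30", "destination_address": "192.0.2.40/24",
     "action": "permit", "applications": ["junos-https"]},
    {"policy_name": "policy-2", "source_zone": "left", "destination_zone": "right",
     "source_address": "any", "destination_address": "any",
     "action": "permit", "applications": ["any"]},
    {"policy_name": "policy-3", "source_zone": "right", "destination_zone": "left",
     "source_address": "any", "destination_address": "192.0.2.0/24",
     "action": "permit", "applications": ["junos-telnet", "junos-https"]},
    {"policy_name": "policy-4", "source_zone": "right", "destination_zone": "left",
     "source_address": "any", "destination_address": "any",
     "action": "deny", "applications": ["any"]},
]


def audit_policy(rule):
    """Return a list of review findings for one firewall rule."""
    findings = []
    for field in ("source_zone", "destination_zone"):
        if rule[field] not in ZONES:
            findings.append(f"{field} must be left or right, got {rule[field]!r}")

    is_any = {}
    for field in ("source_address", "destination_address"):
        value = rule[field]
        is_any[field] = value == "any"
        if is_any[field]:
            continue
        try:
            iface = ipaddress.ip_interface(value)
        except ValueError:
            findings.append(f"{field} {value!r} is neither 'any' nor a valid prefix")
            continue
        # A prefix such as 192.0.2.40/24 names a host but carries a network mask.
        if iface.ip != iface.network.network_address:
            findings.append(
                f"{field} {value} has host bits set; confirm whether "
                f"{iface.network} or the single host {iface.ip} is intended")

    if rule["action"] == "permit":
        apps = set(rule["applications"])
        if all(is_any.values()) and "any" in apps:
            findings.append("permits any source, any destination and any application")
        for app in sorted(apps & CLEARTEXT_APPS):
            findings.append(f"permits cleartext application {app}")
    return findings


def audit_all(rules):
    """Map policy name to findings, leaving out rules with nothing to review."""
    report = {}
    for rule in rules:
        findings = audit_policy(rule)
        if findings:
            report[rule["policy_name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_RULES).items():
        for finding in findings:
            print(f"{name}: {finding}")
```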

Table 16: vSRX NAT Configuration Fields

Field: NAT Source Name
Guidelines: Specify the source IP address of packets that the policy rules match.
Example: 192.0.2.2/24

Field: NAT Destination Name
Guidelines: Specify the destination IP address of packets that the policy rules match.
Example: 192.0.2.3/24

NAT policy settings—For information about the following policy settings, see the firewall policy settings in Table 15 on page 43.

• Policy Name

• Source Zone

• Destination Zone

• Source Address

• Destination Address

• Action

• Application

Table 17: vSRX UTM Configuration Fields

Field: Antivirus
Guidelines: Select True to check for viruses in application layer traffic against a virus signature database. Select False to disable checking for viruses.
Example: True


Field: Antispam
Guidelines: Select True to block spam e-mails or False to allow spam e-mails.
Example: True

Field: Antispam Black List
Guidelines: an address blacklist for local spam filtering. Blacklists include addresses that you want to exclude.
NOTE: When both the whitelist and blacklist are in use, the whitelist is checked first. If there is no match, then the blacklist is checked.
Example: [email protected]

Field: Antispam White List
Guidelines: an address whitelist for local spam filtering. Whitelists include addresses that you want to exclude from undergoing antispam processing.
NOTE: When both the whitelist and blacklist are in use, the whitelist is checked first. If there is no match, then the blacklist is checked.
Example: [email protected]

Field: Antispam Action
Guidelines: Select the antispam action that you want the device to take when it detects spam:
• block—Blocks the message
• tag-subject—Tags the subject field with a preprogrammed string
• tag-header—Tags the message header with a preprogrammed string
Example: block

Field: Content Filter
Guidelines: Select True to block different types of traffic based on the MIME type, file extension, protocol command, and embedded object type or False to permit these types of traffic.
Example: True

Field: Content Filter Extensions
Guidelines: Specify one or more file extensions to block over HTTP, FTP, SMTP, IMAP, and POP3.
Example: exe, pdf, js

Field: Content Filter Mime
Guidelines: Specify the MIME types to be blocked or permitted over HTTP, FTP, SMTP, IMAP, and POP3 connections.
Example: application, exe

Field: Content Filter Protocol Commands
Guidelines: Specify commands for HTTP, FTP, SMTP, IMAP, and POP3 protocols to block traffic based on these commands.
Example: put, mput

Field: Content Filter Content Type
Guidelines: Press and hold the Ctrl key and click one or more of the following types of content to specify filtering of traffic that is supported only for HTTP and is not covered by file extensions or MIME types:
• Active X
• Windows executable files (.exe)
• HTTP cookie
• Java applet
• ZIP files
Example: activex, exe


Field: Content Filter Apply To
Guidelines: Press and hold the Ctrl key and click one or more of the following protocols in the drop-down list to specify filtering of traffic associated with these protocols:
• HTTP
• FTP
• POP3
• IMAP
• SMTP
Example: http, ftp

Field: Webfilter
Guidelines: Select True to prevent access to specific Web sites, and embedded object types or False to permit access to all Web sites.
Example: True

Field: Web Filter Black List
Guidelines: Specify URLs to create a blacklist of Web sites to block.
NOTE: A Web filtering profile can contain one whitelist or one blacklist with multiple user-defined categories, each with a permit or block action.
Example:
www.youtube.com
www.facebook.com

Field: Web Filter White List
Guidelines: Specify URLs to create a whitelist of Web sites that users can always access.
With local Web filtering, the firewall intercepts every HTTP request in a TCP connection and extracts the URL. The network service then looks up the URL to determine whether it is in the whitelist or blacklist based on its user-defined category.
NOTE: A Web filtering profile can contain one whitelist or one blacklist with multiple user-defined categories, each with a permit or block action.
Example: www.juniper.net

Policy settings—For information about the following policy settings, see the firewall policy settings in Table 15 on page 43.

• Source Zone

• Destination Zone

• Source Address

• Destination Address

• Action

• Application

Related Documentation

• Activating Sites in a Network on page 39

• Configuring a Service on page 41

• Adding a Service on page 55

• Replacing a Service on page 56

LxCIPtable VNF Configuration Settings

When you are configuring the LxCIPtable VNF, use the following information to provide values for the available settings:


• Table 18 on page 48 shows the settings you can configure for the Linux container.

• Table 19 on page 48 shows the firewall settings you can configure.

• Table 20 on page 49 shows the NAT settings you can configure.

Table 18: LxCIP Base Configuration Fields

Field: Loopback Address
Guidelines: Specify a loopback address.
Example: 192.0.2.10

Field: Operation
Guidelines: Select add to apply the policies to a specific route or del to prevent use of the policies on specific routes.
Example: add

Field: Route
Guidelines: Specify the prefix of the route to which the policies should apply.
Example: 192.0.2.20/24

Field: NextHop
Guidelines: Specify the IP address of a Contrail gateway network to which the VM connects.
Example: 192.0.2.20

Table 19: LxCIP Firewall Policy Configuration Fields

Firewall Policies

Field: Prevent SSH Brute
Guidelines: Select True to prevent SSH Brute attacks or False to allow SSH Brute attacks.
Example: False

Field: Prevent Ping Flood
Guidelines: Select True to prevent Ping Flood attacks or False to allow Ping Flood attacks.
Example: False

Forwarding Rule Settings

Field: Destination Address
Guidelines: Specify the destination IP address prefix that the network service uses as a match criterion for outgoing traffic.
Example: 192.0.2.25/24

Field: Operation
Guidelines: Select the operation, which applies to a chain of rules of the same type, from the drop-down list. The following options are available:
• append—Append the rule to a rule chain.
• insert-before—Insert the rule before a rule with the same name.
• delete—Replace an existing rule with this name.
Example: append

Field: Source Address
Guidelines: Specify the source IP address prefix that the network service uses as a match criterion for outgoing traffic.
Example: 192.0.2.20/24

Field: Name
Guidelines: Specify the name for the rule. The field has no limit on the number of characters and accepts letters, numbers, and symbols.
Example: vsrx-fw-policy


Field: Action
Guidelines: Select the action for the rule, which applies to all traffic that matches the specified criteria.
• accept—Transmit packets that match the policy parameters.
• drop—Drop packets that match the policy parameters.
• reject—Reject packets that match the policy parameters.
Example: accept

Field: Service
Guidelines: Specify the service that you want the rule to match.
Example:
• http
• smtp

Field: Type
Guidelines: From the drop-down menu, select the type of packet that the rule matches.
• input—Packets that the network service receives that are addressed to this VM.
• forward—Packets that the network service receives that are addressed to other VMs.
• output—Packets that the network service transmits.
The application creates a chain of all rules with a particular type.
Example: input

Table 20: LxCIP NAT Policy Configuration Fields

Field: Left Interface
Guidelines: Specify the name of the interface on which the network service enforces NAT for incoming traffic.
Example: Eth1

Field: Right Interface
Guidelines: Specify the name of the interface on which the network service enforces NAT for outgoing traffic.
Example: Eth2

Related Documentation

• Activating Sites in a Network on page 39

• Configuring a Service on page 41

• Adding a Service on page 55

• Replacing a Service on page 56

Cisco CSR-1000v VNF Configuration Settings

When you are configuring the Cisco CSR-1000v VNF, use the following information to provide values for the available settings:

• Table 21 on page 50 shows the settings you can configure for the virtual machine that contains the VNF.

• Table 22 on page 50 shows the firewall settings you can configure.


Table 21: CSR-1000v Base Configuration Fields

Field: Host Name
Guidelines: Specify the hostname of the VM.
Example: host1

Field: Loopback Address
Guidelines: Specify the IPv4 or IPv6 loopback address.
Example: 192.0.2.50

Field: Name Servers
Guidelines: Specify the fully qualified domain names (FQDNs) or IP addresses of one or more DNS name servers.
Example: 192.0.2.15

Field: NTP Servers
Guidelines: Specify the fully qualified domain names (FQDNs) or IP addresses of one or more NTP servers.
Example: ntp.example.net

Table 22: CSR-1000v Firewall Configuration Fields

Field: Left Interface
Guidelines: Specify the identifier of the interface that transmits data to the host.
Example: GigabitEthernet2

Field: Right Interface
Guidelines: Specify the identifier of the interface to which the host transmits data.
Example: GigabitEthernet3

Field: Left to Right Allowed Apps
Guidelines: Select the applications from the drop-down list for which the policy is enforced in outgoing packets. The following applications are available:
• http
• https
• telnet
• ftp
• tcp
• udp
• icmp
Example: http, https

Field: Right to Left Allowed Apps
Guidelines: Select the application from the drop-down list for which the policy is enforced for incoming packets. The following applications are available:
• http
• https
• telnet
• ftp
• tcp
• udp
• icmp
Example: ftp, udp

Related Documentation

• Activating Sites in a Network on page 39

• Configuring a Service on page 41

• Adding a Service on page 55


• Replacing a Service on page 56


CHAPTER 8

Managing Sites and Network Services

• Managing Sites and Network Services Overview

• Monitoring a Service

• Deactivating a Site

• Adding a Service

• Replacing a Service

• Deactivating and Reactivating a Service

• Removing a Service

Managing Sites and Network Services Overview

After you have activated services and sites with the wizard, the Monitor page appears displaying the VPN Services view, which shows the topology of sites and services relative to the VPN. This page shows a topology of the active sites in the network and the network services on the links. If the service provider configured your network to allow direct Internet access from one or more sites, click the Internet Services tab to view the topology of sites and services relative to the Internet.

From the Monitor page, you can:

• Manage, configure, and monitor network services on connections.

• Deactivate sites.

• Access the wizard to activate other sites.

Only active sites appear on the Monitor page. You can add more sites through the wizard by clicking Add Sites in the bottom left of the Monitor page.

A network service on a link appears as a hexagon. A gray hexagon indicates that the service is disabled, and a blue hexagon indicates that the service is enabled. When you click a service hexagon, it enlarges and small circles appear on several vertices of the hexagon. If you hover over a circle on one of these vertices, you see the action that you can perform when you click the vertex. The circles that appear on the vertices depend on the state of the service; only circles for actions that you can currently perform are visible. For example, the Enable vertex circle is visible only if the service is disabled, and not visible when the service is enabled.


Available network services appear in the bar below the topology graphic, at the bottom of the page.

Related Documentation

• Deactivating a Site on page 54

• Activating Sites in a Network on page 39

• Adding a Service on page 55

• Replacing a Service on page 56

• Deactivating and Reactivating a Service on page 56

• Removing a Service on page 57

• Configuring a Service on page 41

Monitoring a Service

Use the Monitor page to configure a network service if you did not configure the network

service when you activated a site or if you want to reconfigure the service.

To monitor a service:

1. Click the service icon on the connection.

2. Click Monitor on the bottom right vertex of the hexagon.

The Status page appears.

• Uptime status indicates the percentage of time the service has been available during

the displayed elapsed time since you activated the service.

• Bandwidth status shows the rate of traffic for the service with the following

breakdown:

• Left—Interface that transmits traffic to the service

• Right—Interface to which the service transmits traffic

• Input—Rate of traffic arriving at an interface

• Output—Rate of traffic leaving at an interface

• Sessions status shows the number of end users currently using the service at the

site.

3. Click Cancel to hide the Status page.

Related Documentation

• Managing Sites and Network Services Overview on page 53

Deactivating a Site

Use the Monitor page to deactivate a site that you added with the wizard.


To deactivate a site in the network:

1. Hover over the site in the left navigation pane.

A blue close button appears at the end of the site.

2. Click the blue close button for the site.

The site is deactivated.

Related Documentation

• Managing Sites and Network Services Overview on page 53

• Activating Sites in a Network on page 39

Adding a Service

You can add a network service on a connection between a site and the VPN when you

activate the site in the network. Use the Monitor page to add a network service if you did

not do so when you activated the site.

To add a service on a connection:

1. In the bar below the topology graphic, click the network service that you want to use.

The cursor changes to display the service icon.

2. Click the connection on which you want to use the network service.

The Service page appears.

Refer to the section for the specific VNF settings for details on the configuration

settings. Settings that you configure override configurations that the service provider

specified.

3. (Optional) On the Base Configure tab, specify your preferred settings.

4. On each function tab, specify at least one setting.

5. Click OK.

A gray icon for the service appears on the connection.

6. Click the service icon on the connection.

7. Click Enable Service on the middle left vertex of the hexagon.

The new service starts on the connection, and is displayed as a blue icon on the

connection when it becomes active.

Related Documentation

• vSRX Configuration Settings on page 42

• LxCIPtable VNF Configuration Settings on page 47

• Cisco CSR-1000v VNF Configuration Settings on page 49

• Managing Sites and Network Services Overview on page 53

• Replacing a Service on page 56


• Deactivating and Reactivating a Service on page 56

• Removing a Service on page 57

Replacing a Service

You activate network services to connections between sites and the VPN when you activate a site in the network. When you view the network topology on the Monitor page, you can manage existing sites and services and activate additional services.

To replace a service on a connection:

1. In the bar below the topology graphic, click the network service that you want to use.

The cursor changes to display the service icon.

2. Click the connection on which you want to use the network service.

The Service page appears.

Refer to the section for the specific VNF settings for details on the configuration

settings. Settings that you configure override configurations that the service provider

specified.

3. (Optional) On the Base Configure tab, specify your preferred settings.

4. On each function tab, specify at least one setting.

5. Click OK.

A gray icon for the service appears on the connection.

Related Documentation

• vSRX Configuration Settings on page 42

• LxCIPtable VNF Configuration Settings on page 47

• Cisco CSR-1000v VNF Configuration Settings on page 49

• Managing Sites and Network Services Overview on page 53

• Deactivating and Reactivating a Service on page 56

• Removing a Service on page 57

Deactivating and Reactivating a Service

You can select and activate a network service for a site when you activate the site. Use

the Monitor page to deactivate and reactivate a network service.


To deactivate or activate a service for a site:

1. Click the service icon on the connection.

2. Click Disable Service on the top right vertex of the hexagon or Enable Service on the

middle left vertex of the hexagon.

A page requesting confirmation for the action appears.

3. Click Yes to confirm that you want to deactivate or activate the service.

The color of the service icon changes from blue to gray when you deactivate the service

and from gray to blue when you activate the service.

Related Documentation

• Managing Sites and Network Services Overview on page 53

• Adding a Service on page 55

• Replacing a Service on page 56

• Removing a Service on page 57

• Activating Sites in a Network on page 39

Removing a Service

Use the Monitor page to remove a network service on a connection between a site and

the VPN.

To remove a service from a connection:

1. Disable the service.

2. Click the service icon on the connection.

3. Click Remove Service on the top left vertex of the hexagon.

A page requesting confirmation for the deletion appears.

4. Click Yes to confirm that you want to delete the design.

The service icon disappears.

Related Documentation

• Managing Sites and Network Services Overview on page 53

• Deactivating and Reactivating a Service on page 56

• Adding a Service on page 55

• Replacing a Service on page 56


PART 4

Network Service Designer

• Network Service Designer introduction on page 61

• Creating Network Services on page 65

• Configuring Network Services on page 73

• Managing Requests and Designs on page 83


CHAPTER 9

Network Service Designer introduction

• Network Service Designer Overview on page 61

• Accessing Network Service Designer on page 61

• Getting Started with Network Service Designer on page 62

• Network Services and Service Chains Overview on page 62

Network Service Designer Overview

Network Service Designer is a visual design tool that you use to create and manage

network services for Juniper Networks Cloud CPE Centralized Deployment Model. With

Network Service Designer you can:

• Create requests for new network services.

• Design customized network services for your customers.

• Design new standard network services that you can offer to all your customers.

• Update existing network services.

• Publish services to the network service catalog.

• Manage network services that you are designing or have published to the network

catalog.

• Configure some basic parameters for the VNFs used in a network service and the virtual

containers in which the VNFs reside.

Related Documentation

• Network Services and Service Chains Overview on page 62

• Getting Started with Network Service Designer on page 62

Accessing Network Service Designer

To start Network Service Designer:

1. Review the keystone username and password that you defined for Contrail OpenStack.

You can view these settings on the Contrail Configure and Control Node in the files

/etc/contrail/keystonerc and /etc/contrail/openstackrc.


2. Using a web browser, access the URL for Network Services Designer.

For example, if the IP address of the VM on which Network Service Designer resides

is 192.0.2.1, the URL is http://192.0.2.1/nsd-ui/index.html.

3. Log in with the keystone username and password that you specified for Contrail

OpenStack.

Related Documentation

• Network Service Designer Overview on page 61

Getting Started with Network Service Designer

When you log in to Network Service Designer, the Requests page displays open requests

for new network services. Use this page to start designs for those open requests and to

create new requests for network services.

Before You Begin

• Learn about network services and service chains. See “Network Services and Service

Chains Overview” on page 62.

Creating a Network Service

You create a network service as follows:

1. Create a request for a network service.

2. Design a service chain—a structure that details specific VNFs, a performance

specification, and defined ingress and egress points for the network service.

3. Publish the final design—the network service—to the network service catalog.

Related Documentation

• Network Services and Service Chains Overview on page 62

• Creating Requests for Network Services on page 65

• Designing Service Chains for Network Services on page 67

• Managing Requests for Network Services on page 83

• Managing Service Chain Designs on page 84

Network Services and Service Chains Overview

The terms network service and service chain are sometimes used interchangeably, but

they are not the same; you need to understand the difference between them:

• A network service is a final product offered to end users with a full description of its

functionality and specified performance.

Administrators deploy network services between two locations in a virtual network,

so that traffic traveling in a specific direction on that link is subject to action from that


service. This term is defined in the ETSI Network Functions Virtualization (NFV)

standard.

• A service chain refers to the structure of a network service, and consists of a set of

linked network functions, which are provided by specific virtualized network functions

(VNFs), with a defined direction for traffic flow and defined ingress and egress points.

Although not defined in the ETSI NFV standard, this term is regularly used in NFV and

software-defined networking (SDN).

In Network Service Designer, you can create a service chain using:

• One VNF instance that provides one or more functions (Figure 1).

Using one VNF instance instead of multiple instances increases performance.

• Multiple instances of the same VNF, each providing certain functions (Figure 2).

Using multiple instances of the same VNF lowers performance, such as when you want

to create differentiated services.

• Instances of different VNFs, each providing certain functions (Figure 2).

You might need to use different VNFs if one VNF cannot fulfill all network functions or

if a particular VNF offers an advantage for a network function.

Figure 1: Service Chain with One VNF Instance That Provides All Functions

Figure 2: Service Chain with Either Multiple Instances of the Same VNF or Multiple VNFs

Related Documentation

• Performance Overview on page 71

• Designing Service Chains for Network Services on page 67


• Defining Ingress and Egress Points for a Service Chain on page 69


CHAPTER 10

Creating Network Services

• Creating Requests for Network Services on page 65

• Designing Service Chains for Network Services on page 67

• Defining Ingress and Egress Points for a Service Chain on page 69

• Connecting VNFs in a Service Chain on page 69

• VNF Overview on page 70

• Viewing Information About VNFs on page 70

• Performance Overview on page 71

• Meeting Performance Goals on page 72

Creating Requests for Network Services

When you create a request for a network service, you define the requirements for the

service, including the required network functions and the performance.

Before You Begin

• Determine which functions to include in the network service and the order in which you

want the functions to be applied.

• Understand performance specifications for network services. See “Performance

Overview” on page 71.

To create a request for a network service:

1. Click HOME in the toolbar and Requests in the left navigation bar.

2. Click NEW REQUEST at the bottom right of the page.

A page in which you specify information about the request appears.

3. In the Name field, specify the name for the request.

The Name field accepts up to 60 characters, including letters, numbers, and symbols.

4. (Optional) If the request is urgent, select the Priority Request check box.

5. (Optional) In the Customer Name (Optional) field, specify a customer.

The Customer Name field accepts up to 60 characters, including letters, numbers,

and symbols.


6. In the Description field, specify a description for the service.

The Description field accepts up to 500 characters, including letters, numbers, and

symbols.

7. (Optional) In the Requirements field, specify the requirements for the request.

The Description field accepts up to 1000 characters, including letters, numbers, and

symbols.

8. (Optional) Click Select Files, navigate to a file you want to attach, and click Open.

The file is downloaded to the Attachments (Optional) field.

9. Click NEXT.

The Build page appears, displaying the Goals pane, the Functional Service Design

area, and the Function Palette.

10. Drag and drop the network functions in the required order from the Function Palette

to the Functional Service Design area.

• Network Service Designer automatically connects the network functions in the order

that you place them in the design area.

• You can insert a function between two functions already on the design pane.

• If you make an error, you can right-click a component in the design area and delete

the component.

11. (Optional) In the Goals pane, click Add Goal.

The New Goal window appears.

BEST PRACTICE: Adding one or more goals to the request enables you to track performance of those parameters when you design a service chain for the request. Although adding goals is not mandatory, we recommend that you do so.

12. From the Type menu, select a goal for the network service.

You can add goals in any order.

13. In the Goal Value field, specify the target value for this goal.

14. (Optional) In the Acceptable Value field, specify the value that you can accept if the

target value is not available.

15. (Optional) In the Must Value field, specify the minimum value for this goal.

16. In the Unit field (for the Bandwidth and Latency types only), select the units for the

goal.

17. Click SAVE.

18. (Optional) Repeat Step 12 through Step 17 to add the other goals.

19. Click NEXT.


A page appears that displays the details you entered for the request.

20. Review the details and make corrections if necessary, using the PREVIOUS and NEXT

options to navigate through the pages.

21. When you are satisfied with the information, click CREATE.

The request for the network service design appears on the Requests page.

Related Documentation

• Network Services and Service Chains Overview on page 62

• Performance Overview on page 71

• Designing Service Chains for Network Services on page 67

Designing Service Chains for Network Services

When you save a request it appears on the Requests page. You can then design a service

chain to fulfill the request, using VNFs in the Vendor catalog to provide the requested

network functions.

Before You Begin

• Understand the structure of a network service. See “Network Services and Service

Chains Overview” on page 62.

• Review the VNFs in the Vendor catalog to determine which VNFs to use in your design.

See “Viewing Information About VNFs” on page 70.

• Learn how to add ingress and egress points to a service chain. See “Defining Ingress

and Egress Points for a Service Chain” on page 69.

• Learn how to connect VNFs in a service chain. See “Connecting VNFs in a Service Chain”

on page 69.

• Learn how to track the performance of your design against the requested performance

goals. See “Meeting Performance Goals” on page 72.

• Learn how to configure network services. See “Configuring Network Services” on page 73.

Designing a Service Chain for a Network Service

To design a service chain:

1. Click HOME in the toolbar and Requests in the left navigation bar.

The Requests page appears, displaying requests created when you published service

chain designs.

2. Hover over the request.

A menu appears in the bottom right of the request.

3. Click BEGIN.

If the help overlay is visible, click Close Help.


You can also select I know my way around. Don’t show this again., and click Close Help.

The Network Service Design page displays the requested network functions and the

goals.

4. Click the first function in the chain.

The Vendor catalog at the bottom right of the page updates to show only the VNFs

that provide this function.

5. Drag and drop a VNF from the catalog to the Network Service Design workspace.

The function appears inside the VNF image.

6. Add an ingress point to the first VNF in the chain.

The performance Goals pane updates to indicate how the network service design

meets the customer goals.

7. Click the next function in the chain.

The Vendor catalog at the bottom right of the page updates to show only the VNFs

that provide this function, and, if a VNF in the Network Service Design workspace

supports this function, a faded image of the function appears inside the VNF image.

8. Choose a VNF for this function:

• To implement this function with the same VNF, click the faded image in the VNF

image.

• To implement this function with a different VNF, drag the VNF from the Vendor

catalog to the Network Service Design workspace.

9. Repeat Step 7 and Step 8 until you have assigned a VNF to each required network

function. If you make an error, you can right-click a component in the design area and

delete the component.

10. If you used multiple VNFs in your design, connect them in the direction of packet flow.

11. Add an egress point to the last VNF in the chain.

The performance Goals pane again updates to indicate how the network service

design meets the customer goals.

12. Click Save NSD in the top right of the page to save the design.

13. (Optional) Configure the Network Service.

14. Click Publish NSD in the top right of the page to add the service to the catalog.

The Publish NSD page appears.

a. Specify an official name (that customers see) for this network service.

The field accepts up to 60 characters, including letters, numbers, and symbols.

b. Specify a description of the service for customers to read.

The field accepts up to 500 characters, including letters, numbers, and symbols.


c. Select the type of service from the menu.

d. Click Publish.

Related Documentation

• Network Services and Service Chains Overview on page 62

• Performance Overview on page 71

• Defining Ingress and Egress Points for a Service Chain on page 69

• Connecting VNFs in a Service Chain on page 69

• Configuring Network Services on page 73

Defining Ingress and Egress Points for a Service Chain

To define the ingress point and the egress point for a service chain you are designing:

1. Click Ingress.

The dots indicating potential ingress and egress points on VNFs enlarge.

2. Click the dot that represents the ingress point for the service chain.

An arrow indicating the direction of traffic flow with the label I appears.

3. Click Egress.

4. Click the dot that represents the egress point for the service chain.

An arrow indicating the direction of traffic flow with the label E appears.

Related Documentation

• Network Services and Service Chains Overview on page 62

• Designing Service Chains for Network Services on page 67

Connecting VNFs in a Service Chain

To connect VNFs in a service chain you are designing:

1. Click Connect, then click ELAN.

The dots that represent potential ingress and egress points on the VNFs enlarge.

2. Hover over the egress point of the first VNF until a green circle appears.

3. Click and hold the green circle, then drag the cursor to the green circle that appears

around the ingress point for the next VNF, and release the mouse button.

A one-way arrow indicating the flow of traffic in the service chain appears.

4. Repeat Step 1 through Step 3 until you have connected all VNFs in the service chain.

Related Documentation

• Network Services and Service Chains Overview on page 62

• Designing Service Chains for Network Services on page 67


VNF Overview

A virtualized network function (VNF) is a software application used in Network Functions Virtualization (NFV) that has well defined interfaces, and provides one or more component networking functions in a well defined way. For example, a security VNF might provide Network Address Translation (NAT) and Firewall component functions.

For the Cloud CPE Centralized Deployment Model, you design network services for

enterprise customers based on VNFs. Each VNF used in the network service is deployed

in its own virtual machine (VM). VNFs in a network service or component network functions

in a VNF are connected by the underlying Contrail software.

Vendors specify the following required resources for a VNF:

• Number of virtual CPUs

• Virtual memory (MB)

• Virtual disk capacity (MB)

The Cloud CPE Centralized Deployment Model supports a range of Juniper Networks and

third-party VNFs. Vendors can provide multiple versions of a VNF that offer differentiated

performance. You can see available VNFs and their specifications and resource

requirements in the Vendor catalog of the Network Service Designer tool.

Related Documentation

• Performance Overview on page 71

• Viewing Information About VNFs on page 70

• Designing Service Chains for Network Services on page 67

Viewing Information About VNFs

You can view performance specifications, required resources, and component network

functions for each VNF in the Vendor catalog. Reviewing this information can help you

to determine which VNF to use when you are designing a network service.

Before You Begin

• Learn about VNFs. See “VNF Overview” on page 70.

• Understand performance parameters. See “Performance Overview” on page 71.

Viewing Information for a Specific VNF


To view information for a specific VNF:

1. Click the network function in the Vendor catalog.

The information window for the network function appears, displaying the following

information on the Details tab:

• A graphical representation of the complete network function with ingress and egress

points.

• A list of resources required for the network function.

2. Click Functions.

You see the category of the network function, such as security, and the component

functions, such as NAT and Firewall.

3. Click Service Chains to display:

• A list of the potential internal service chains (allowed combinations of component

functions) for this network function.

Lines without arrows connecting component functions in an internal service chain

indicate that the order of the functions does not matter.

• The performance specification for each internal service chain.

4. Close the VNF information window by clicking anywhere outside the window.

Related Documentation

• VNF Overview on page 70

• Performance Overview on page 71

Performance Overview

The following parameters define the performance of a network service, a virtualized

network function (VNF), and the component functions of a VNF:

• Bandwidth (Mbps or Gbps)—Data rate for the function or service.

• Latency (ms or ns)—Time a packet takes to traverse the function or service.


Vendors provide specified values for these parameters for a VNF and for each allowed

combination of components in the VNF (internal service chain). You can view the specified

values in the Vendor catalog.

Network Service Designer evaluates the aggregate performance of the design against

the goals in the request and displays the information in the Goals pane.

Related Documentation

• VNF Overview on page 70

• Meeting Performance Goals on page 72

• Viewing Information About VNFs on page 70


• Designing Service Chains for Network Services on page 67

Meeting Performance Goals

Network Service Designer provides comprehensive information about performance of

VNFs and their component network function in the VNF catalog. Network Service Designer

also tracks the aggregate performance of a network service that you are designing and

saves this information to the network service catalog.

Minimizing the number of VNFs and VNF instances in a service chain optimizes the

performance of a network service. For example, using one VNF instance for both NAT

and firewall functions provides higher performance than using either separate instances

of the same VNF or different VNFs to provide the functions.

You specify performance goals for the service when you create a request for a network

service. When you are designing a service chain, you evaluate the performance of your

design against the requested goals.

Before You Begin

• Understand the definition of performance for a network service. See “Performance

Overview” on page 71.

• Review the performance specification of VNFs in the Vendor catalog. See “Viewing

Information About VNFs” on page 70.

Monitoring Performance of a Network Service Design

You monitor the performance of a service that you are designing as follows:

1. Click the right arrow in the Goals pane to view the performance goals.

2. Add an ingress point to the first VNF in the service chain immediately after you assign

that VNF to the first network function.

3. Monitor the values in the Goals pane as you design your service chain.

Related Documentation

• Network Services and Service Chains Overview on page 62

• Performance Overview on page 71

• Designing Service Chains for Network Services on page 67

• Defining Ingress and Egress Points for a Service Chain on page 69


CHAPTER 11

Configuring Network Services

• Configuring Network Services on page 73

• vSRX Configuration Settings on page 74

• LxCIPtable VNF Configuration Settings on page 79

• Cisco CSR-1000v VNF Configuration Settings on page 81

Configuring Network Services

When you are designing a service chain or after you have designed a service chain, you

can configure settings for the VNFs in the chain:

• The virtual container in which the VNF resides.

• The network functions, such as NAT or firewall, that the VNF provides.

The settings that you can configure depend on the actual VNF. Manual configurations

are optional and override automatic configurations specified by the Cloud CPE Centralized

Deployment Model deployment script, other Contrail Service Orchestration components,

or default LxCIPTable VNF settings.

Before You Begin

• Review the configuration settings for the VNFs that you want to configure.

To configure the network service:

1. View the service chain design on the BUILD page.

If the design is not currently visible on the BUILD page:

a. Click HOME in the toolbar and Designs in the left navigation bar.

The list of saved and published designs appears.

b. Click Edit from the menu at the end of the row for the network service you want to

configure.

The BUILD page appears, displaying the service chain design.

2. Click Function Configuration at the right of the BUILD page.


The Service page appears, displaying the VNFs in the service chain and the Base

Configure tab for the first VNF in the Functional Service Design workspace.

3. Specify the settings on the Base Configure tab.

This action configures the VM in which the VNF resides.

BEST PRACTICE: Complete all the settings on the Base Configure tab to optimize the Cloud CPE Centralized Deployment Model. End users can see these settings in Customer Portal and should not override them.

4. (Optional) Specify settings on the other tabs for this VNF to customize a particular

function such as Network Address Translation (NAT).

End users can customize their own services with these settings in Customer Portal.

Settings that end users specify in Customer Portal override conflicting settings that

you specify in Network Service Designer.

5. Click the next VNF icon in the Configuration page.

6. Repeat Step 3 and Step 4.

7. Repeat Steps 5 through 7 for each VNF in the chain.

8. Click OK.

The Service page closes.

Related Documentation

• vSRX Configuration Settings on page 74

• LxCIPtable VNF Configuration Settings on page 79

• Cisco CSR-1000v VNF Configuration Settings on page 81

vSRX Configuration Settings

When you are configuring the vSRX VNF, use the following information to provide values

for the available settings:

• Table 14 on page 42 shows the settings you can configure for the virtual machine that

contains the VNF.

• Table 15 on page 43 shows the firewall settings you can configure.

• Table 16 on page 45 shows the NAT settings you can configure.

• Table 17 on page 45 shows the UTM settings you can configure.


Table 23: vSRX Base Configuration Fields

Field: Host Name
Guidelines: Specify the hostname of the VM that contains the vSRX VNF. The field has no limit on the number of characters and accepts letters, numbers, and symbols.
Example: vm-vsrx

Field: Loopback Address
Guidelines: Specify an IPv4 or IPv6 loopback address for the management interface of the VM.
Example: 192.0.2.5

Field: DNS Servers
Guidelines: Specify the fully qualified domain names (FQDNs) or IP addresses of one or more DNS name servers.
Example: 192.0.2.10

Field: NTP Servers
Guidelines: Specify the fully qualified domain names (FQDNs) or IP addresses of one or more NTP servers.
Example: 192.0.2.15

Field: Syslog Servers
Example: 192.0.2.30

Field: Enable Re-filter
Guidelines: Select True to enable a stateless firewall filter that protects the Routing Engine from denial-of-service (DoS) attacks or False to allow DoS attacks.
Example: True

Field: Enable Default Screens
Guidelines: Select True to enable the default screens security profile for the destination zone or False to disable default screening.
Example: False

Field: Time Zone
Guidelines: Specify the time zone for the VM.
Example: UTC

Field: Right Interface
Guidelines: Specify the identifier of the VM interface that transmits data.
Example: ge-0/0/1

Field: Left Interface
Guidelines: Specify the identifier of the VM interface that receives data.
Example: ge-0/0/0

Field: SNMP Prefix List
Guidelines: If you set the Enable Re-filter field to True, specify the routes that the Junos Space Virtual Appliance uses for SNMP operations when it discovers the vSRX VNF.
Example: 192.0.2.0/24

Field: Ping Prefix List
Guidelines: If you set the Enable Re-filter field to True, specify the routes that the Junos Space Virtual Appliance uses for ping operations when it discovers the vSRX VNF.
Example: 192.0.2.1/24

Field: Space Servers
Guidelines: If you set the Enable Re-filter field to True, specify the IP addresses of the VMs that contain the Junos Space Virtual Appliances.
Example: 192.0.2.50

Table 24: vSRX Firewall Configuration Fields

Field: Policy Name
Guidelines: Specify the name of the rule. The field has no limit on the number of characters and accepts letters, numbers, and symbols.
Example: policy-1

Field: Source Zone
Guidelines: Zone policies are applied to traffic traveling from one security zone (source zone) to another security zone (destination zone). This combination of a source zone and a destination zone is called a context.
Select the security zone from which packets originate.
• left—Interface that transmits data to the host.
• right—Interface to which the host transmits data.
Example: left

Field: Destination Zone
Guidelines: Zone policies are applied to traffic traveling from one security zone (source zone) to another security zone (destination zone). This combination of a source zone and a destination zone is called a context.
Select the security zone to which packets are delivered.
• left—Interface that transmits data to the host.
• right—Interface to which the host transmits data.
Example: right

Field: Source Address
Guidelines: Specify the source address prefixes that the network service uses as match criteria for incoming traffic.
To add source addresses:
1. Click the Source Address column.
The source-address page appears.
2. Select any to match any source IP address of packets or ipp to match a specific prefix in the source IP address for which the application enforces the policy.
3. If you select ipp, specify a prefix.
4. Click OK.
Example: 192.0.2.30

Field: Destination Address
Guidelines: Specify destination IP address prefixes that the network service uses as match criteria for outgoing traffic.
To add a destination address:
1. Click the Destination Address column.
The destination-address page appears.
2. Select any to match any source IP address of packets or ipp to match a specific prefix in the source IP address for which the application enforces the policy.
3. If you select ipp, specify a prefix.
4. Click OK.
Example: 192.0.2.40/24

Field: Action
Guidelines: Select permit to transmit packets that match the rule or deny to drop packets that match the rule.
Example: permit


Field: Application
Guidelines: Specify the applications to which the policy applies. The applications are based on protocols and ports.
To specify applications:
1. Click the Application column.
The application page appears.
2. In the allowed_apps field, select any to match any application or app to choose specific applications.
If you select app, press and hold the Ctrl key and click the required applications in the drop-down list.
• junos-tcp-any
• junos-udp-any
• junos-ftp
• junos-http
• junos-https
• junos-icmp-all
• junos-icmp-ping
• junos-telnet
• junos-tftp
3. Click OK.
Example:
• junos-tcp-any
• junos-udp-any
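The following added example (not part of the Juniper guide or of the product) audits a set of firewall rules expressed with the Table 24 fields before they are entered in the GUI. The dictionary layout, the key names, the classification of applications as wildcard or cleartext, and the sample rules are assumptions constructed for illustration.

```python
import ipaddress

# Field values as listed in Table 24 of the guide.
ZONES = {"left", "right"}
ACTIONS = {"permit", "deny"}
# Listed applications that match every port of a protocol.
WILDCARD_APPS = {"any", "junos-tcp-any", "junos-udp-any"}
# Listed applications that carry credentials or data unencrypted.
CLEARTEXT_APPS = {"junos-telnet", "junos-ftp", "junos-tftp", "junos-http"}


def check_address(field, value, findings):
    """Validate one address field; return True if it matches every address."""
    if value == "any":
        return True
    try:
        iface = ipaddress.ip_interface(value)
    except ValueError:
        findings.append(f"{field}: {value!r} is not 'any' or a valid prefix")
        return False
    net = iface.network
    if iface.ip != net.network_address:
        # e.g. 192.0.2.40/24: the mask decides the match, not the host part.
        findings.append(
            f"{field}: host bits set in {value!r}; rule matches all of {net}")
    return net.prefixlen == 0


def audit_rule(rule):
    """Return the list of findings for one policy rule (empty list = clean)."""
    findings = []
    if not str(rule.get("policy_name", "")).strip():
        findings.append("policy_name: empty")
    for field in ("source_zone", "destination_zone"):
        if rule.get(field) not in ZONES:
            findings.append(f"{field}: expected one of {sorted(ZONES)}")
    src_any = check_address(
        "source_address", str(rule.get("source_address", "")), findings)
    dst_any = check_address(
        "destination_address", str(rule.get("destination_address", "")), findings)
    action = rule.get("action")
    if action not in ACTIONS:
        findings.append(f"action: expected one of {sorted(ACTIONS)}")
    apps = set(rule.get("applications", []))
    if not apps:
        findings.append("applications: none selected")
    if action == "permit":
        if src_any and dst_any and apps & WILDCARD_APPS:
            findings.append(
                "permit rule matches any source, any destination, all ports")
        cleartext = sorted(apps & CLEARTEXT_APPS)
        if cleartext:
            findings.append(
                "permit rule allows cleartext applications: " + ", ".join(cleartext))
    return findings


def audit_policies(rules):
    """Map each rule name to its findings (names are assumed unique)."""
    return {rule.get("policy_name", f"<rule {i}>"): audit_rule(rule)
            for i, rule in enumerate(rules)}


# Constructed sample rules; values reuse the documentation examples.
SAMPLE_RULES = [
    {"policy_name": "policy-1", "source_zone": "left",
     "destination_zone": "right", "source_address": "192.0.2.30",
     "destination_address": "192.0.2.40/24", "action": "permit",
     "applications": ["junos-https"]},
    {"policy_name": "mgmt-legacy", "source_zone": "right",
     "destination_zone": "left", "source_address": "any",
     "destination_address": "any", "action": "permit",
     "applications": ["junos-tcp-any", "junos-telnet"]},
    {"policy_name": "block-ftp", "source_zone": "left",
     "destination_zone": "right", "source_address": "any",
     "destination_address": "192.0.2.0/24", "action": "deny",
     "applications": ["junos-ftp"]},
]

if __name__ == "__main__":
    for name, findings in audit_policies(SAMPLE_RULES).items():
        print(name, "->", findings or "no findings")
```

The first sample rule is flagged because the documentation-style value 192.0.2.40/24 carries host bits, so the rule covers the whole 192.0.2.0/24 prefix rather than one host.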

Table 25: vSRX NAT Configuration Fields

Field: NAT Source Name
Guidelines: Specify the source IP address of packets that the policy rules match.
Example: 192.0.2.2/24

Field: NAT Destination Name
Guidelines: Specify the destination IP address of packets that the policy rules match.
Example: 192.0.2.3/24

NAT policy settings—For information about the following policy settings, see the firewall policy settings in Table 15 on page 43.

• Policy Name

• Source Zone

• Destination Zone

• Source Address

• Destination Address

• Action

• Application

Table 26: vSRX UTM Configuration Fields

Field: Antivirus
Guidelines: Select True to check for viruses in application layer traffic against a virus signature database. Select False to disable checking for viruses.
Example: true


Field: Antispam
Guidelines: Select True to block spam e-mails or False to allow spam e-mails.
Example: true

Field: Antispam Black List
Guidelines: [email protected] an address blacklist for local spam filtering.
Blacklists include addresses that you want to exclude.
NOTE: When both the whitelist and blacklist are in use, the whitelist is checked first. If there is no match, then the blacklist is checked.

Field: Antispam White List
Guidelines: [email protected] an address whitelist for local spam filtering.
Whitelists include addresses that you want to exclude from undergoing antispam processing.
NOTE: When both the whitelist and blacklist are in use, the whitelist is checked first. If there is no match, then the blacklist is checked.

Field: Antispam Action
Guidelines: Select the antispam action that you want the device to take when it detects spam:
• block—Blocks the message
• tag-subject—Tags the subject field with a preprogrammed string
• tag-header—Tags the message header with a preprogrammed string
Example: block

Field: Content Filter
Guidelines: Select True to block different types of traffic based on the MIME type, file extension, protocol command, and embedded object type or False to permit these types of traffic.
Example: True

Field: Content Filter Extensions
Guidelines: Specify one or more file extensions to block over HTTP, FTP, SMTP, IMAP, and POP3.
Example: exe, pdf, js

Field: Content Filter Mime
Guidelines: Specify the MIME types to be blocked or permitted over HTTP, FTP, SMTP, IMAP, and POP3 connections.
Example: application, exe

Field: Content Filter Protocol Commands
Guidelines: Specify commands for HTTP, FTP, SMTP, IMAP, and POP3 protocols to block traffic based on these commands.
Example: put, mput

Field: Content Filter Content Type
Guidelines: Press and hold the Ctrl key and click one or more of the following types of content to specify filtering of traffic that is supported only for HTTP and is not covered by file extensions or MIME types:
• Active X
• Windows executable files (.exe)
• HTTP cookie
• Java applet
• ZIP files
Example: activex, exe


Field: Content Filter Apply To
Guidelines: Press and hold the Ctrl key and click one or more of the following protocols in the drop-down list to specify filtering of traffic associated with these protocols:
• HTTP
• FTP
• POP3
• IMAP
• SMTP
Example: http, ftp

Field: Webfilter
Guidelines: Select True to prevent access to specific Web sites, and embedded object types or False to permit access to all Web sites.
Example: True

Field: Web Filter Black List
Guidelines: Specify URLs to create a blacklist of Web sites to block.
NOTE: A Web filtering profile can contain one whitelist or one blacklist with multiple user-defined categories each with a permit or block action.
Example:
www.youtube.com
www.facebook.com

Field: Web Filter White List
Guidelines: Specify URLs to create a whitelist of Web sites that users can always access.
With local Web filtering, the firewall intercepts every HTTP request in a TCP connection and extracts the URL. The network service then looks up the URL to determine whether it is in the whitelist or blacklist based on its user-defined category.
NOTE: A Web filtering profile can contain one whitelist or one blacklist with multiple user-defined categories each with a permit or block action.
Example: www.juniper.net

Policy settings—For information about the following policy settings, see the firewall policy settings in Table 15 on page 43.

• Source Zone

• Destination Zone

• Source Address

• Destination Address

• Action

• Application

Related Documentation

• Configuring Network Services on page 73

LxCIPtable VNF Configuration Settings

When you are configuring the LxCIPtable VNF, use the following information to provide values for the available settings:

• Table 18 on page 48 shows the settings you can configure for the Linux container.

• Table 19 on page 48 shows the firewall settings you can configure.

• Table 20 on page 49 shows the NAT settings you can configure.


Table 27: LxCIP Base Configuration Fields

Field: Loopback Address
Guidelines: Specify a loopback address.
Example: 192.0.2.10

Field: Operation
Guidelines: Select add to apply the policies to a specific route or del to prevent use of the policies on specific routes.
Example: add

Field: Route
Guidelines: Specify the prefix of the route to which the policies should apply.
Example: 192.0.2.20/24

Field: NextHop
Guidelines: Specify the IP address of a Contrail gateway network to which the VM connects.
Example: 192.0.2.20

Table 28: LxCIP Firewall Policy Configuration Fields

Firewall Policies

Field: Prevent SSH Brute
Guidelines: Select True to prevent SSH Brute attacks or False to allow SSH Brute attacks.
Example: False

Field: Prevent Ping Flood
Guidelines: Select True to prevent Ping Flood attacks or False to allow Ping Flood attacks.
Example: False

Forwarding Rule Settings

Field: Destination Address
Guidelines: Specify the destination IP address prefix that the network service uses as a match criterion for outgoing traffic.
Example: 192.0.2.20/24

Field: Operation
Guidelines: Select the operation, which applies to a chain of rules of the same type, from the drop-down list. The following options are available:
• append—Append the rule to a rule chain.
• insert-before—Insert the rule before a rule with the same name.
• delete—Replace an existing rule with this name.
Example: append

Field: Source Address
Guidelines: Specify the source IP address prefix that the network service uses as a match criterion for outgoing traffic.
Example: 192.0.2.20/24

Field: Name
Guidelines: Specify the name for the rule. The field has no limit on the number of characters and accepts letters, numbers, and symbols.
Example: vsrx-fw-policy

Field: Action
Guidelines: Select the action for the rule, which applies to all traffic that matches the specified criteria.
• accept—Transmit packets that match the policy parameters.
• drop—Drop packets that match the policy parameters.
• reject—Reject packets that match the policy parameters.
Example: accept


Field: Service
Guidelines: Specify the service that you want the rule to match.
Example:
• http
• smtp

Field: Type
Guidelines: From the drop-down menu, select the type of packet that the rule matches.
• input—Packets that the network service receives that are addressed to this VM.
• forward—Packets that the network service receives that are addressed to other VMs.
• output—Packets that the network service transmits.
The application creates a chain of all rules with a particular type.
Example: input

Table 29: LxCIP NAT Policy Configuration Fields

Field: Left Interface
Guidelines: Specify the name of the interface on which the network service enforces NAT for incoming traffic.
Example: Eth1

Field: Right Interface
Guidelines: Specify the name of the interface on which the network service enforces NAT for outgoing traffic.
Example: Eth2

Related Documentation

• Configuring Network Services on page 73

Cisco CSR-1000v VNF Configuration Settings

When you are configuring the Cisco CSR-1000v VNF, use the following information to provide values for the available settings:

• Table 21 on page 50 shows the settings you can configure for the virtual machine that contains the VNF.

• Table 22 on page 50 shows the firewall settings you can configure.

Table 30: CSR-1000v Base Configuration Fields

Field: Host Name
Guidelines: Specify the hostname of the VM.
Example: host1

Field: Loopback Address
Guidelines: Specify the IPv4 or IPv6 loopback address.
Example: 192.0.2.50

Field: Name Servers
Guidelines: Specify the fully qualified domain names (FQDNs) or IP addresses of one or more DNS name servers.
Example: 192.0.2.15


Field: NTP Servers
Guidelines: Specify the fully qualified domain names (FQDNs) or IP addresses of one or more NTP servers.
Example: ntp.example.net

Table 31: CSR-1000v Firewall Configuration Fields

Field: Left Interface
Guidelines: Specify the identifier of the interface that transmits data to the host.
Example: GigabitEthernet2

Field: Right Interface
Guidelines: Specify the identifier of the interface to which the host transmits data.
Example: GigabitEthernet3

Field: Left to Right Allowed Apps
Guidelines: Select the applications from the drop-down list for which the policy is enforced in outgoing packets. The following applications are available:
• http
• https
• telnet
• ftp
• tcp
• udp
• icmp
Example: http, https

Field: Right to Left Allowed Apps
Guidelines: Select the application from the drop-down list for which the policy is enforced for incoming packets. The following applications are available:
• http
• https
• telnet
• ftp
• tcp
• udp
• icmp
Example: ftp, udp

Related Documentation

• Configuring Network Services on page 73


CHAPTER 12

Managing Requests and Designs

• Managing Requests for Network Services on page 83

• Managing Service Chain Designs on page 84

Managing Requests for Network Services

You use the Requests page to create and manage requests for new network services. When you start to design a network service for a request, the request is saved as a design, which you track on the Designs page. The request no longer appears on the Requests page.

A request contains information about the required service, such as:

• The customer’s name.

• The requested functions in the network service, such as NAT.

• Attached notes about the performance goals for the service.

To view requests, click HOME in the toolbar and Requests in the left navigation bar.

• To start a design for a request:

1. Hover over the request.

A menu appears in the bottom right of the request.

2. Click BEGIN.

If the help overlay is visible, click Close Help.

You can also select I know my way around. Don’t show this again., and click Close Help.

The BUILD page appears.

• To edit a request:

1. Hover over the request.

A menu appears in the bottom right of the request.

2. Click EDIT.


A page in which you specify information about the request appears.

• To delete a request for a network service:

1. Hover over the request.

A menu appears in the bottom right of the request.

2. Click DELETE.

A page requesting confirmation for the deletion appears.

3. Click Yes to confirm that you want to delete the request.

The request is deleted.

• To view complete details for a request:

1. Click Show Details (hierarchy icon at the top left of the page).

2. Click the request in the hierarchy.

You see complete details for the request on one page. You can add additional notes to this entry, and navigate to other designs in the hierarchy.

Related Documentation

• Viewing Information About VNFs on page 70

• Performance Overview on page 71

Managing Service Chain Designs

You use the Designs Page to manage service chain designs that you have saved or published.

To view a list of designs that you have saved or published, click HOME in the toolbar and Designs in the left navigation bar.

• To modify a design that you have saved or published, click Edit from the menu at the end of the appropriate row.

The BUILD page appears, displaying information for the service chain.

• To post a completed design to the Network Service catalog:

1. Select Publish from the menu at the end of the appropriate row.

The Publish NSD page appears.

2. Specify an official name (that customers see) for this network service.

The field accepts up to 60 characters, including letters, numbers, and symbols.

3. Specify a description of the service for customers to read.

The field accepts up to 500 characters, including letters, numbers, and symbols.


4. Select the type of service from the menu.

5. Click Publish.

A message indicating failure or success appears briefly in the bottom right of the page.

• To delete a design that you have saved or published:

1. Click Delete from the menu at the end of the appropriate row.

A page requesting confirmation for the deletion appears.

2. Click Yes to confirm that you want to delete the design.

The design is deleted and is then displayed on the Requests Page.

• To delete multiple designs that you have saved or published:

1. From the list of Designs, select those that you want to delete.

2. Click Delete NSD at the top right of the page.

A page requesting confirmation for the deletion appears.

3. Click Yes to confirm that you want to delete the designs.

The designs are deleted and are then displayed on the Requests Page.

• To copy one or more designs that you have saved or published:

1. From the list of designs, select those that you want to copy.

2. Click Copy NSD at the top right of the page.

A page requesting confirmation for the copying appears.

3. Click Yes to confirm that you want to copy the designs.

The additional services appear in the table with the status Validated.

• To view complete details for a design:

1. Click Show Details (hierarchy icon at the top left of the page).

2. Click the design in the hierarchy.

You see complete details for the design on one page.

Related Documentation

• Network Services and Service Chains Overview on page 62

• Designing Service Chains for Network Services on page 67


PART 5

Service and Infrastructure Monitor

• Service and Infrastructure Monitor introduction on page 89

• Monitoring Activities in the Deployment on page 91


CHAPTER 13

Service and Infrastructure Monitor Introduction

• Service and Infrastructure Monitor Overview on page 89

• Accessing the Service and Infrastructure Monitor GUI on page 90

Service and Infrastructure Monitor Overview

Service and Infrastructure Monitor operates with the third-party monitoring software Icinga to provide complete monitoring and troubleshooting of the Cloud CPE Centralized Deployment Model.

When you deploy the Cloud CPE Centralized Deployment Model, an Icinga agent is installed on servers and virtual machines (VMs), which enables Icinga to monitor data on:

• Physical servers

• VMs that host virtualized network functions (VNFs)

• VMs that host microservices

Service and Infrastructure Monitor collects events from microservices in the Cloud CPE Centralized Deployment Model, and correlates the events to provide information about network services, their component VNFs, and the VMs that host the VNFs.

All data is presented through the Icinga GUI. You use the GUI to obtain both a quick visual display of the Cloud CPE Centralized Deployment Model status and more detailed lists of event messages.

Colored squares, which may contain numbers, in the GUI provide a visual status of the Cloud CPE Centralized Deployment Model network.

• A green square indicates the number of items that are working correctly.

• A yellow square indicates the number of items with potential problems to investigate.

• A red square indicates the number of items that are not working.

• A purple square indicates the number of items with a failed connection.


The following options in the left navigation pane of the Icinga GUI are customized for the Cloud CPE Centralized Deployment Model:

• Dashboard

• Network Services

• Infrastructure

Other features in the Icinga GUI are not customized and appear in the standard Icinga GUI.

Use this Service and Infrastructure Monitor documentation for information about using the customized options in the GUI. See the Icinga documentation for a general overview of the GUI and information about all non-customized features.

Related Documentation

• Monitoring Network Services on page 91

• Monitoring VNFs Used in Network Services and the VMs That Host the VNFs on page 92

• Monitoring Microservices on page 93

• Monitoring Microservices and Their Host VMs on page 95

• Monitoring Physical Servers on page 96

Accessing the Service and Infrastructure Monitor GUI

To access the GUI for Service and Infrastructure Monitor:

1. Using a web browser, access the URL for Service and Infrastructure Monitor.

For example, if the IP address is 192.0.2.9, the URL is http://192.0.2.9/icingaweb2.

2. Log in with the username icinga and the password csoJuniper.

Related Documentation

• Service and Infrastructure Monitor Overview on page 89


CHAPTER 14

Monitoring Activities in the Deployment

• Monitoring Network Services on page 91

• Monitoring VNFs Used in Network Services and the VMs That Host the VNFs on page 92

• Monitoring Microservices on page 93

• Monitoring Microservices and Their Host VMs on page 95

• Monitoring Physical Servers on page 96

Monitoring Network Services

Service and Infrastructure Monitor displays information about network services running in each Cloud CPE Centralized Deployment Model implementation. This information is related to the Network Service Overview on the dashboard, which displays information about component VNFs of network services and the VMs in which the VNFs reside. In this view, however, the focus is on the actual network service rather than its component VNFs and the VMs in which they reside.

To monitor network services:

1. In the left navigation pane, click Network Services.

Service and Infrastructure Monitor displays an array of network services and monitoring parameters.

2. In the array, hover over an entry to see additional information for the entry.

3. Click a colored square to see detailed information for the entry.

Table 32 on page 91 shows the meaning of the monitoring parameters for network services.

Table 32: Parameters for Monitoring Network Services

Parameter: Network Service
Meaning: Name of the network service.

Parameter: Network Service status
Meaning: State of the network service and the time it entered that state.
• Up—operational
• Down—not operational


Parameter: Num of Network Functions
Meaning: Number of VNFs in the service chain.

Parameter: Network Function
Meaning: Number of network functions in a colored square that indicates the status of the instance. When you click the square you see:
• An entry for each VNF in the service chain.
• The status of the host in which the VNF resides.
• The IP address of the host in which the VNF resides.
• The name of the VNF.
• The result from the last ping the Icinga agent sent to the host, including any loss of packets, and the round trip average (RTA) travel time.

Parameter: Commands
Meaning: Total number of commands issued to monitor the status of the network service since it became operational.

Parameter: Command Status
Meaning: Result of the commands issued to monitor the status of the network service. When you click the square you see:
• A list of parameters for a specific network function and its host.
• The state of the parameter and how long the parameter has been in that state.
• Additional details about the state of the host.

Related Documentation

• Monitoring VNFs Used in Network Services and the VMs That Host the VNFs on page 92

Monitoring VNFs Used in Network Services and the VMs That Host the VNFs

On the dashboard, the Network Service Overview provides information about the VNFs used in network services and the VMs that host those VNFs. You can also view information about the component VNFs in a network service by clicking Monitor Network Services in the left navigation bar.

To view information about VNFs used in network services and the VMs that host the VNFs:

1. In the left navigation bar, click Dashboard.

The dashboard appears, displaying several arrays of information.

2. (Optional) In the Network Services Overview array, hover over a colored square in the array to see the latest event message for a specific parameter and host.

3. (Optional) In the Network Services Overview array, click a colored square to see detailed information for a specific parameter and host.

4. (Optional) In the Network Services Overview array, click an IP address to view all the event messages for a host.

5. (Optional) In the Network Services Overview array, click a parameter name to view event messages on all hosts for that parameter.


See Table 33 on page 93 for information about the monitoring parameters used for VNFs and the VMs that host them.

Table 33: Parameters for Monitoring VNFs and Their Host VMs

Parameter: left_net_interface_input_pckt_rate
Meaning: Rate of traffic entering the interface that transmits data to the host.

Parameter: left_net_interface_output_pckt_rate
Meaning: Rate of traffic leaving the interface that transmits data to the host.

Parameter: left_net_interface_stats
Meaning: State of the interface that transmits data to the network host.
• Up—operational
• Down—not operational

Parameter: right_net_interface1_stats
Meaning: State of the interface to which the host transmits data.
• Up—operational
• Down—not operational

Parameter: right_net_interface_input_packet_rate
Meaning: Rate of traffic entering the interface to which the host transmits data.

Parameter: right_net_interface_output_packet_rate
Meaning: Rate of traffic leaving the interface to which the host transmits data.

Parameter: routing_engine_ctrlplane_memusage
Meaning: Percentage of the Routing Engine’s control plane memory that the VM is using.

Parameter: routing_engine_load_average
Meaning: Mean percentage of available load capacity used by the Routing Engine’s control plane.

Parameter: routing_engine_system_cpu
Meaning: Percentage of available CPU capacity used by the Routing Engine’s control plane.

Parameter: <VNF>_activesessions
Meaning: Number of active sessions of the VNF compared to the maximum number of sessions allowed.

Parameter: <VNF>_failedsessions
Meaning: Number of sessions of the VNF that VNF Manager failed to activate.

Parameter: <VNF>_performance_session
Meaning: Number of sessions added (ramp-up rate) for the last 60 seconds. The value does not display the total number of sessions or the number of deleted sessions.

Parameter: <VNF>_performance_spu
Meaning: Services processing unit (SPU), percentage of CPU capacity that handles the data plane for the security service.

Related Documentation

• Monitoring Network Services on page 91

Monitoring Microservices

Service and Infrastructure Monitor displays information about microservices running in each Cloud CPE Centralized Deployment Model implementation. This information is related to the CSP Microservices Overview on the dashboard, which displays information about the VMs in which the microservices reside. In this view, however, the focus is on the actual microservices rather than the VMs in which they reside.

To monitor microservices:

1. In the left navigation pane, select Infrastructure > CSP Microservices.

Service and Infrastructure Monitor displays an array of CSP microservices and monitoring parameters.

2. (Optional) In the array, hover over an entry to see additional information for the entry.

3. (Optional) Click a colored square to see detailed information for the entry.

Table 34 on page 94 shows the monitoring parameters for microservices.

Table 34: Parameters for Monitoring Microservices

Parameter: CSP Microservice
Meaning: Name of the microservice.

Parameter: Microservice status
Meaning: State of the microservice and the time it entered that state.
• Up—operational
• Down—not operational

Parameter: Number of Instances
Meaning: Number of instances of the microservice.

Parameter: Instance Status
Meaning: Number of microservices in a colored square that indicates the status of the instance. When you click the square you see:
• The status of the host in which the microservice resides.
• The IP address of the host in which the microservice resides.
• The name of the microservice.
• The result from the last ping the Icinga agent sent to the host, including any loss of packets, and the round trip average (RTA) travel time.

Parameter: Monitor Commands
Meaning: Total number of commands issued to monitor the status of the microservice since it became operational.

Parameter: Command Status
Meaning: Result of the commands issued to monitor the status of the microservice. When you click the square you see:
• A list of parameters for a specific host.
• The state of the parameter and how long the parameter has been in that state.
• Additional details about the state of the host.

Related Documentation

• Monitoring Microservices and Their Host VMs on page 95


Monitoring Microservices and Their Host VMs

On the dashboard, the CSP Microservices Overview provides information about the VMs that host microservices. The focus of the CSP Microservices Overview is the VMs that host the microservices.

To monitor microservices and their host VMs:

1. In the left navigation bar, click Dashboard.

The dashboard appears, displaying several arrays of information.

2. (Optional) In the CSP Microservices Overview array, hover over a colored square in the array to see the latest event message for a specific parameter and host.

3. (Optional) In the CSP Microservices Overview array, click a colored square to see detailed information for a specific parameter and host.

4. (Optional) In the CSP Microservices Overview array, click an IP address to view all the event messages for a host.

5. (Optional) In the CSP Microservices Overview array, click a parameter name to view event messages on all hosts for that parameter.

See Table 35 on page 95 for information about the monitoring parameters used for VNFs and the VMs that host them.

Table 35: Parameters for Monitoring VNFs and Their Host VMs

Parameter: check cpu usage
Meaning: Percentage of unused CPU capacity

Parameter: check disk IO
Meaning: Status of host’s input and output mechanisms for storage

Parameter: check disk usage
Meaning: Available storage on the VM that hosts the microservice

Parameter: check elasticsearch
Meaning: Number of processes associated with the database

Parameter: check load average
Meaning: Measure of load compared to specified values for warning and critical states

Parameter: check memory usage
Meaning: Percentage of RAM and swap memory used

Parameter: check network usage
Meaning: Percentage of network resources used

Parameter: check nsdui
Meaning: Availability of the Network Service Designer application

Parameter: check open files
Meaning: Number of open files compared to specified values for warning and critical states

Parameter: check paging stats
Meaning: Amount of data moved from RAM to swap memory compared to specified values for warning and critical states


Parameter: check socket usage
Meaning: Number of software connections compared to specified values for warning and critical states

Parameter: check_contrail_api
Meaning: Number of Contrail API processes

Parameter: check_contrail_config
Meaning: Number of Contrail configuration processes

Parameter: check_contrail_control
Meaning: Number of Contrail control processes

Parameter: check_contrail_database
Meaning: Number of Contrail database processes

Parameter: check_contrail_vrouter
Meaning: Number of Contrail Vrouter processes

Parameter: check_contrail_vrouter_agent
Meaning: Number of Contrail Vrouter agent processes

Parameter: check_contrail_web
Meaning: Number of Contrail web core processes

Parameter: check_ifmap_server
Meaning: Number of Interface for Metadata Access Points (IF-MAP) processes

Parameter: check_nova_api
Meaning: Number of Nova API processes

Related Documentation

• Monitoring Microservices on page 93

Monitoring Physical Servers

Service and Infrastructure Monitor tracks the state of each physical server on which the Icinga agent is installed.

To monitor physical servers:

1. In the left navigation bar, select Infrastructure > CSP BareMetal.

Service and Infrastructure Monitor displays an array of physical servers and monitoring parameters.

2. In the array, hover over an entry to see additional information for the entry.

3. Click a colored square to see detailed information for the entry.

See Table 36 on page 97 for information about the parameters.


Table 36: Parameters for Monitoring Physical Servers

Parameter: Group Status
Meaning: State of the server cluster and the time when it entered that state.
• Up—Operational
• Down—Not operational

Parameter: Number of Servers
Meaning: Number of servers in the server cluster.

Parameter: Server Status
Meaning: Number of servers in a colored square that indicates the status of the servers. When you click the square you see:
• An entry for each server in the cluster.
• The status of the server.
• The IP address of the server.
• The hostname of the server.
• The result from the last ping the Icinga agent sent to the server, including any loss of packets, and the round trip average (RTA) travel time.

Parameter: Commands
Meaning: Total number of commands issued to monitor the status of the server since it became operational.

Parameter: Command Status
Meaning: Result of the commands issued to monitor the status of the server. When you click the square you see:
• A list of parameters for a specific server.
• The state of the parameter and how long the parameter has been in that state.
• Additional details about the state of the server.

Related Documentation

• Service and Infrastructure Monitor Overview on page 89
