
How to configure the advanced functions of the TF service chain in detail

2025-01-30 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

Author: Umberto Manferdini

Translator: TF compilation Group

In the previous article, I talked about what a service chain is and how to configure a basic service chain. Let's review how the service chain is built:

One network policy (applied between two virtual networks, such as left VN and right VN)

A service instance (the network policy has been configured)

The service instance contains port tuples (a port tuple is only a list of VMI references)

In this case, the service instance has two defined interfaces (left and right), which means that the port tuple will have two elements

The port tuple references 2 VMIs of an existing VM running on OpenStack

Traffic moving between the left and right VNs will pass through the firewall VM

When defining a service instance object, you can configure advanced features; they are set within the service instance object itself.

We have seen how network policies lead to route leaking between the related virtual networks. In this case, the right VN routes leak into the left VN with the left interface of the service instance as the next hop, and vice versa (left VN routes appear in the right VN with the right interface of the service instance as the next hop). This leaking can be controlled by configuring a routing policy. Routing policies use Junos syntax, so if you have Junos experience, writing these policies will be easy!

For example, the policy accepts the 0/0 route and rejects anything else (routing updates)! Apply the policy by mapping it to the left / right interface within the service instance object definition:
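The accept-0/0, reject-everything-else policy described above, as an added example (a simplified model, not Tungsten Fabric code and not from the original article). The `Term` class, the first-match evaluation and the sample routes are assumptions of this sketch; "exact" and "orlonger" are the Junos-style prefix match types.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Term:
    """One policy term: an optional prefix match plus an action."""
    action: str                      # "accept" or "reject"
    prefix: Optional[str] = None     # None matches every route
    match_type: str = "exact"        # "exact" or "orlonger"

    def matches(self, route: str) -> bool:
        if self.prefix is None:
            return True
        net = ipaddress.ip_network(route)
        want = ipaddress.ip_network(self.prefix)
        if self.match_type == "exact":
            return net == want
        # orlonger: the route is the prefix itself or any subnet of it
        return net.version == want.version and net.subnet_of(want)

def evaluate(policy, route):
    """First matching term decides; None means no term matched."""
    for term in policy:
        if term.matches(route):
            return term.action
    return None

def leak(policy, routes):
    """Routes that would still be leaked into the other VN."""
    return [r for r in routes if evaluate(policy, r) == "accept"]

# Policy from the text: accept 0/0, reject everything else.
DEFAULT_ONLY = [Term("accept", "0.0.0.0/0", "exact"), Term("reject")]

# Constructed right-VN routes (sample data, not from the article).
RIGHT_VN_ROUTES = ["0.0.0.0/0", "192.168.100.0/24",
                   "192.168.100.3/32", "10.20.0.0/16"]

if __name__ == "__main__":
    print(leak(DEFAULT_ONLY, RIGHT_VN_ROUTES))
    # A frequent mistake: "orlonger" on 0/0 matches every IPv4 route,
    # so the filter no longer restricts the leak at all.
    too_wide = [Term("accept", "0.0.0.0/0", "orlonger"), Term("reject")]
    print(leak(too_wide, RIGHT_VN_ROUTES))
```
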

Virtual machines can use BGPaaS to announce routes to / receive routes from Tungsten Fabric. If the virtual machine does not support BGP, you can define a static route on the VMI:

First, we define static routes:

A static route applied to a VMI is defined as an Interface Route Table. As you can see, these routes are not configured with a next hop. The next hop is automatically set to the VMI the static route is applied to.

In a service chain, the static routes are applied at the interface level when the service instance object is defined. As a result, the left VN has the route 0/0 with the left interface of the service instance as the next hop, and the right VN has the route 192.168.100.3/32 with the right interface of the service instance as the next hop.

With static routes we lack the dynamics of a protocol like BGP, especially in the face of failures. Unless we introduce a feature such as Health Checks, that is the result we may end up with (static routes failing).

Health checks are functional components that we can apply to a VMI: a health check verifies the liveness of the VMI. There are many different types of health checks, the simplest of which is the ICMP check. The vRouter sends ICMP echo requests to the VMI and waits for the echo replies. If the number of lost replies exceeds the configured threshold, the VMI is declared down and all routes to that VMI are deleted (including the static routes defined earlier). In fact, just as any VNF supports ping, any VNF will support ICMP health checks.

Of course, this health check is slow and does not provide fast convergence. To converge faster, we need to rely on BFD health checks. With BFD we can detect faults faster, but the VNF must support BFD.

The threshold is configured within the health check object: in this example, we use BFD and send one BFD packet per second. If more than three packets are lost, BFD is declared down.

Health checks are configured within the service instance object.

To sum up, we can use routing policies to control leaking between networks. In addition, we can define static routes, apply them to VMIs, and rely on health checks (BFD) for fast convergence in the event of a failure.

What's the next step? Redundancy. We will cover it in detail in the next article.
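The health-check behaviour described above (probe at a fixed interval, declare the VMI down once losses exceed the threshold, then delete every route pointing at it, static ones included), as an added example that is not part of the original article or of Tungsten Fabric. Class and field names and the VMI names are hypothetical, and counting consecutive losses is an assumption of this model.

```python
from dataclasses import dataclass

@dataclass
class HealthCheck:
    """Probe settings; field names are this example's, not the TF schema."""
    interval_s: float      # seconds between probes
    max_lost: int          # VMI goes down once losses exceed this

@dataclass
class Vmi:
    name: str
    up: bool = True
    lost: int = 0          # consecutive lost probes (model assumption)

class RoutingTable:
    def __init__(self):
        self.routes = {}   # prefix -> next-hop VMI name

    def add_static(self, prefix, vmi):
        # Interface route table entry: the next hop is the VMI itself.
        self.routes[prefix] = vmi.name

    def withdraw_all(self, vmi):
        self.routes = {p: nh for p, nh in self.routes.items()
                       if nh != vmi.name}

def run_probes(check, vmi, table, replies):
    """Feed probe results (True = reply seen).

    Returns the seconds elapsed when the VMI is declared down, or None.
    """
    for n, ok in enumerate(replies, start=1):
        vmi.lost = 0 if ok else vmi.lost + 1
        if vmi.lost > check.max_lost:
            vmi.up = False
            table.withdraw_all(vmi)   # static routes go too
            return n * check.interval_s
    return None

def demo():
    left, right = Vmi("fw-left"), Vmi("fw-right")   # hypothetical names
    table = RoutingTable()
    table.add_static("0.0.0.0/0", left)
    table.add_static("192.168.100.3/32", right)
    bfd = HealthCheck(interval_s=1.0, max_lost=3)   # values from the text
    # Constructed probe history: two replies, then the VNF stops answering.
    t = run_probes(bfd, right, table, [True, True] + [False] * 6)
    return t, right.up, table.routes

if __name__ == "__main__":
    print(demo())
```
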
