Juniper Networks supports packet-based forwarding on virtual interfaces using CN2
Release 22.1 or later in a Kubernetes-orchestrated environment.
Overview
By default, Contrail compute nodes use flow mode for packet forwarding on a virtual
interface. This means that every vRouter has a flow table to keep track of all flows that
pass through it. In flow mode, the virtual interface processes all traffic by analyzing the
state or session of traffic. However, in some instances you might want to switch from flow
mode to packet mode. For example, you might want to achieve higher traffic-forwarding
performance or get around certain limitations of flow mode.
In packet mode, the virtual interface processes the traffic on a per-packet basis and
ignores all flow information. The main advantage of packet mode is that the processing type
is stateless. Stateless mode means that the virtual interface does not keep track of session
information or goes through traffic analysis to determine how a session is established.
Note:
Features that require a network policy (such as ACLs, security groups, and floating IPs)
are unable to work in packet mode.
Configure Packet Mode on a Virtual Interface
To configure packet mode on a virtual interface:
-
Verify that you are running flow mode. For example:
Generate some traffic by pinging another pod in the same network. In this example, the
pod's IP address is 25.26.27.2.
root@pod-vn-1:/# ping -q -c5 25.26.27.2
PING 25.26.27.2 (25.26.27.2) 56(84) bytes of data.
--- 25.26.27.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4057ms
rtt min/avg/max/mdev = 0.059/1.721/7.620/2.955 ms
-
Use the flow command-line tool to check for flows. The following example indicates that
the
virtualMachineInterface is in flow mode.
root@minikube:/# flow -l --match 25.26.27.3
...
...
Listing flows matching ([25.26.27.3]:*)
Index Source:Port/Destination:Port Proto(V)
-----------------------------------------------------------------------------------
159692<=>400664 25.26.27.2:28 1 (3)
25.26.27.3:0
(Gen: 1, K(nh):39, Action:F, Flags:, QOS:-1, S(nh):39, Stats:5/490, SPort 64222,
TTL 0, UnderlayEcmpIdx:0, Sinfo 7.0.0.0)
400664<=>159692 25.26.27.3:28 1 (3)
25.26.27.2:0
(Gen: 1, K(nh):33, Action:F, Flags:, QOS:-1, S(nh):33, Stats:5/490, SPort 56567,
TTL 0, UnderlayEcmpIdx:0, Sinfo 5.0.0.0)
-
Enable packet mode on the
virtualMachineInterface.
Create a patch file named packet-mode-patch.yaml, and set the VMI
policy to true.
spec:
virtualMachineInterfaceDisablePolicy:true
-
Apply the patch.
[user@machine:~]$ kubectl -n vmi-disablepolicy patch vmi pod-vn-1-7d622c4d --patch "$(cat packet-mode-patch.yaml)"
virtualmachineinterface.core.contrail.juniper.net/pod-vn-1-7d622c4d patched
After you apply the patch flow mode switches to packet mode, as shown in the following
example:
[user@machine:~]$ kubectl -n vmi-disablepolicy get vmi pod-vn-1-7d622c4d -oyaml | yq .spec.virtualMachineInterfaceDisablePolicy
true
-
Verify that packet mode is active.
Generate traffic by pinging another pod in the same network that you pinged in Step
1.
root@pod-vn-1:/# ping -q -c5 25.26.27.2
PING 25.26.27.2 (25.26.27.2) 56(84) bytes of data.
--- 25.26.27.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4105ms
rtt min/avg/max/mdev = 0.051/2.725/13.388/5.331 ms
-
Use the flow command-line tool to check for flows.
root@minikube:/# flow -l --match 25.26.27.3
...
...
Listing flows matching ([25.26.27.3]:*)
Index Source:Port/Destination:Port Proto(V)
Success! No flows exist, which indicates that you are in packet mode.
