Part 3: Running OVSDB between Juniper QFX5100 and VMware NSX for vCenter

The following components were used for this example:

  • VMware NSX for vSphere 6.2.0 Build 2986609
  • Juniper QFX5100, Junos 14.1X53-D27.3, SDN Package Version 14.1X53-D26.2

The very first step on the QFX5100 is to configure it to run
OVSDB and establish a communication channel to the
NSX controller.

In the example, the NSX controller is having the IP address 172.24.2.215.

cc784fc4a5

 

The Loopback interface is configured as vtep-source interface. This means that any packet that gets encapsulated by VXLAN is using 10.0.0.3 as source IP address. The destination address is the VTEP IP address of the destination hypervisor or ToR Switch.Additionally, we instruct the switch which interfaces should be controlled by the NSX controller from now on. In this example we use ge-0/0/4. There should be no configuration on the interface.

2c60649d06

 

 

In the vSphere Web Client we go to „Network and Security“ => „Service Definitions“ => „Hardware Devices“ and click the green „+“ to add a new device.

A hardware switch is identified by a name and a certificate which needs to be entered as shown below:

juniper-vmware_04

The certificate needs to be installed on the switch before contacting the NSX controller. The NSX controller uses the certificate to identify incoming connections for the exchange of OVSDB information.

After adding the device, a new entry shows up in the vSphere Client showing that the session is established.

juniper-vmware_08

On the Juniper Switch we can verify the control-session with a simple command:


Attaching Hardware ports to logical switches

Hardware ports can be attached in vSphere Web Client with „Networking and Security“ at the following places:

  • Service-Definitions => Hardware Devices => right-click on device => Attach Logical Switch
  • Logical Switches => right-click on logical switch => Attach Hardware Port

Within NSX, Virtual Networks (VNs) are referred to as logical switches.
In this case we have a logical switch called “VN 1” that we link to the
hardware device and the physical port that should be attached as shown below.

ef43c47bce

NSX will only show available ports that have been enabled for OVSDB, in our case ge-0/0/4.

After confirming the change, the following configuration will automatically
become active on the QFX5100 for an untagged port.

1f02146b3c

If a port is tagged with a VLAN-ID of 100 on the NSX controller,

the following configuration would be seen on the QFX5100:

cac4823239

The Juniper Switch performs the configuration of the VXLAN and interface automatically based on the information

received via OVSDB from the NSX Controller. The name of the VLAN is actually the identifier of the logical switch in the NSX database. In order to check the status of the configured VXLAN the following command can be used.

2fcd115b7f

A successful configuration on both sides of the OVSDB exchange can be confirmed by the flag „Created by both“. Additionally, the MAC table of this virtual network can be seen on the QFX Switch.

72f2caac52

The IP Address 10.0.0.3 is the loopback of the QFX5100 switch that is used as tunnel source address. The address 172.24.242.50 is the address of an ESXi hypervisor which is hosting a virtual machine which is part of the same logical network.

When capturing a live communication between the virtual machine 00:50:56:ad:02:32 located on hypervisor 172.24.242.50 and the physical host 2c:6b:f5:7d:49:f7 which is a connected on the QFX switch, we can see how the overlay network works in practice.

a08b435e38

The outer IP header shown in line three has been used by user datacenter network to forward the packet. We can see that the addresses here are actually the same that were shown in the command above as VTEP addresses.

Following the IP header we can see the VXLAN header with a VNI of 5004. The VNI is associated to a virtual network, as soon as it is created in NSX. The QFX5100 switch got this piece of information from the NSX controller via OVSDB when we associated the physical port with the virtual network. This field is used on the egress hypervisor / ToR Switch to match the packet into a certain virtual network.

In the following lines we finally can see the actual MAC addresses of the devices that were part of our example.