Today I’m starting this off with a little series.
I’m writing about one of the wildest VM hosts you could ever try.
One of the most capable firewalls on the market,
an incredible implementation of OpenVSwitch with DPDK. A management for PCIe virtual functions that lets you control them down to the virtual wire level.
_And sometimes the cheapest XeonD server you can find on Ebay. (*)
The Juniper NFX series!
Currently the series consists of these models, all 1U height, varying between 4 and 16 CPU cores. With local SSD (not just for storing a few packet traces), enough RAM (between 16 and 128GB) for VMs and lots of switched gigabit and 10gigabit ports.
This is what they look like:
vCPE and Services on a chain
Their intended use case is as a platform for so-called virtual CPEs. Meaning, features that your ISP sells to you that improve your network connectivity, insights etc. – and you have them delivered not in a big box, you don’t pay for another appliance, you don’t need to manage the lifecycle and h/w maintenance of another appliance, etc. The price points of those pieces end up lower meaning you can maybe also run them in places where it would not have been economical.
examples could be…
- running a WAN optimizer right on the edge of your network, practically IN the cable.
- running a virtual load balancer
- running two firewalls
The NFX takes care of all the networking tasks in this, you can essentially plug together the virtual machines inside, one into another, and also do anything you want with the physical ports it gives you. So a certain port could be plugged into a VM directly. A port could be in a VLAN that is hooked up to a few VMs. Your WAN traffic could land in JunOS, undergo some modification, then be passed to a Palo Alto or FortiGate VM and then hit a k8s cluster on your lan. Or just a VM running a static webserver in the same box. That’s something the telco world calls ‘service chaining’
The feature list is pretty much endless, you can see more here:
I have tried to keep this inside… but… but…
it’s a bit like what the Unifi Dream Machine Pro is for the home/SMB network, just for the big multinational carriers/ISPs and the clients of theirs that need a redundant 10g link to a ‘small site’.
If wanting to be able to deploy a new service using VMs or containers within minutes after it’s been ordered (And I guess that’s what they call a virtual network function)
A bit more serious, this is one of the most capable systems you can get your hands on. Capable in terms of broadness of possibilities and puzzle pieces falling into place.
There’s better individual solutions for many things, but the sum is the interesting part here, and seems unparalleled to me. There’s still quite a few things they need to work on to make it round enough to be worth considering for anyone NOT a national
(*) caveat: and then you’ll find out there’s no
factory-reset command or pinhole. But I wanna invite you to keep reading for a bit.
What will we look at
- The hardware
- The current state of the software
I’ll not try to explain everything, especially since I don’t understand everything myself. Instead I’ll also share the links that I used for understanding the hole stuff.
And I’ll show you practical uses, meaning various virtual thinggies running on the NFX.
Classical NFV like Firewalls, Analyzers. And, say, my mail server. Because, why not.