Contrail Enabler for agile cloud services
Session material from our colleague Ueno (Distinguished Engineer, SDN Team, Juniper Networks, Inc.) at the OpenContrail Meet-up held on 2014/9/11. Please take a look.

1. CONTRAIL: ENABLER FOR AGILE CLOUD SERVICES
OpenContrail Meetup
Nachi Ueno, NUENO@JUNIPER.NET, Distinguished Engineer / SDN Team
2. This statement of direction sets forth Juniper Networks' current intention and is subject to change at any time without notice. No purchases are contingent upon Juniper Networks delivering any feature or function depicted in this presentation.
3. ENTERPRISE DC EVOLUTION (ITAAS)
Traditional: standalone applications on dedicated resources (physical servers, switches, router, LB device, security device), with LB policies, ACLs and FW/IPS policies configured per device by the admin for the end user. Drawbacks: sub-optimal device utilization, static and inflexible, TCO (capex, opex), physically constrained, silo'ed, manual device config, custom policy config, deployment knowledge required.
Virtualization: standalone applications on virtualized resources (virtual machines, VLANs, vSecurity, vLB, VM orchestrator), with LB policies, ACLs, VLAN config and security policies still configured per device. The same drawbacks remain: sub-optimal device utilization, static and inflexible, TCO (capex, opex), physically constrained, silo'ed, manual device config, custom policy config, deployment knowledge required.
4. CLOUD-ENABLED DATA CENTER
Evolving applications run on a resource pool: virtualized resource pools, resources across data centers and external cloud-based resources (compute, storage, LB, security) joined by virtual networks. All policies (including ACLs) are held by the orchestrator/controller; no ACLs are configured on individual devices. This is the stage meant to remove the drawbacks of the earlier ones: sub-optimal device utilization, static and inflexible, TCO (capex, opex), physically constrained, silo'ed, large manual device config, custom/complex policy config, specialized deployment knowledge.
5. NFV: NETWORK EDGE SECURITY
Network Function Virtualization: scalable virtual services on x86 in the SP data center, attached to the L3VPN-enabled SP core/backbone and its business edge, broadband edge (BRAS/VPN edge), mobile edge and Internet; virtual FW, IPS, PDF and DDoS functions plus service load balancing in front of private networks.
• Dynamic service provisioning, scaling; service chaining
• Security services: Firefly, Web App Secure, DDoS Secure, vSA
• Centralized management/orchestration
• Software abstraction from the physical infrastructure
• Edge delivery of virtualized security services (Firefly, DDoS Secure, Web App Secure, vSA)
6. FLEXIBLE AND DYNAMIC CHAINING OF SERVICES
Logical view: virtual network GREEN (G1, G2, G3) and virtual network YELLOW (Y1, Y2, Y3) connected through a chain of services A, B and C. Physical view: the same VMs and virtualized network functions are drawn from VM / virtualized network function pools on hosts with hypervisors, over an IP fabric (switch underlay).
7. SELF-SERVICE ENTERPRISE SERVICE CLOUD
Customer A and customer B (branch office and HQ, L3VPN sites 1 and 2 each) reach an SP service cloud offering SLB, FW, UTM, CDN and WAN optimization.
• Self-service portal with quick (< 5 min) network provisioning
• Service automation
• SLA-based 'as-a-service' model for services
• Elastic architecture with service scale-out
• Standard protocols to connect the SP customer to the service
8. INTERCONNECT WITH EXISTING INFRASTRUCTURE
Contrail enables customers to use their legacy infrastructure for legacy apps and expand to cloud architectures for newer apps. The existing/legacy infrastructure (VLANs A to D, front-end tier, back-end tier, security tier, LB tier) connects through a gateway to the cloud infrastructure (front-end, back-end, security and LB under the Contrail controller). Enterprises can continue using legacy investments and infrastructure, extend portions of the network or the entire infrastructure, and run new cloud-based as well as legacy applications.
9. TECHNOLOGY OVERVIEW
10. THE NEW NETWORK: BUILDING BLOCKS
• Virtual networks: provided by open BGP VPN technologies
• Network and packet policy: network policy for topology, packet policy for traffic control
• Virtualized services: network functions and services stitched to the topology
• Gateways: connect the virtual and physical domains
11. WHAT IS NETWORK VIRTUALIZATION
• Independent of physical network location or state
  • Logical network across any server, any rack, any cluster, any data center
  • Virtual machines can migrate without requiring any reworking of security policies, load balancing, etc.
  • New workloads or networks should not require provisioning of the physical network
  • Nodes in the physical network can fail without any disruption to workloads
• Full isolation for multi-tenancy and fault tolerance
  • MAC and IP addresses are completely private per tenant
  • Any failures or configuration errors by tenants do not affect other applications or tenants
  • Any failures in the virtual layer do not propagate to the physical layer
12. THE IMPORTANCE OF ABSTRACTION
Physical topology diagram: OpenStack (Neutron, Nova), Contrail Controller, Junos Space, VMs G1 to G3 and R1 to R3, VM FW, bare-metal server BMS R4. The physical topology is complex: low level of abstraction, many vRouters, many routing instances, many tunnels, many routes. Complex to configure, complex to troubleshoot.
13. CONTRAIL: VIRTUALIZED & AUTOMATED NETWORK
• Control plane, management plane
• Network programmability
• Enabling NFV (network function virtualization)
• Virtualized network services
• Interoperability with the physical network
• Network virtualization (private, hybrid)
• Converged network orchestration
• Automation, analytics
14. CONTRAIL PHILOSOPHY 1: L3
15. CLOUD DC: CONTRAIL L2/L3 OVERLAY
Diagram: an L3 underlay (L3 spine, L3 ToR switches, external network) with an L2/L3 vRouter on every hypervisor host. The hypervisor vRouter handles L2/L3 (a multi-tenant VRF) and performs NAT; services are inserted at the vRouter.
16. CONTRAIL PHILOSOPHY 2: Fault tolerance via idempotence
17. RPC NIGHTMARE
Diagram: API, scheduler, compute node and network node all exchanging RPCs with one another. Do we need a distributed transaction manager?
18. STATE SYNCHRONIZATION
Controller to agent: Full Sync, or Full Sync Diff. The agent checks its local state and applies the diff.
19. BGP
Router to router: Update / Withdraw. The receiving router checks its local state and updates state.
20. IF-MAP
Server and client: Poll / Update. The client checks its local state and updates state.
21. Data Model
22. Data model diagram: Network (containing Subnets), Ports attaching VMs to Networks, Router, Network Policy between Networks, Service Instance.
23. CONTRAIL BUILDING BLOCKS
24. CONTRAIL & OPENSTACK COMPONENTS
Components: Horizon UI and Contrail Web UI; Keystone (identity / access management); Nova (compute orchestration: API server, scheduler); Glance (image server); Cinder (block storage); Swift (object storage); Neutron plugin; Contrail Config and Contrail Control; on each compute node, the Nova agent, the Contrail agent and the vRouter on the hypervisor (Xen).
Flow: the operator/user logs in (Keystone authentication, etc.), creates a tenant (project), creates an IPAM, creates a virtual network and launches VMs. Nova gets the VM image to spawn from Glance, the scheduler selects the compute node to spawn the VM on, and block storage is assigned from Cinder. The Nova agent receives the info to spawn the VM, spawns it on the hypervisor and plugs it into the vRouter (tap interface, instance ID, ...); network-related interaction goes through the Neutron plugin to Contrail Config, which supplies the virtual network info (including DHCP). Contrail Control and the Contrail agent exchange state over a bi-directional message bus (XMPP interaction).
25. ROLE OF CONTRAIL IN INTEGRATED STACK
The orchestrator exposes compute APIs, storage APIs and network APIs. JunosV Contrail programs the vRouter on each server hosting virtual machines, the physical switches, the gateway router (Internet, VPN, DCI WAN) and the service nodes (vSRX, F5, ...).
26. CONTRAIL SOLUTION OVERVIEW
OpenContrail Controller (Configuration, Analytics, Control), driven by the orchestrator over REST. Control nodes speak XMPP to the Contrail vRouter on each server hosting tenant VMs, BGP + Netconf to the gateway routers (Juniper MX or third-party), and BGP to other controllers (BGP federation, BGP clustering). Underlay: IP fabric of Juniper QFabric/QFX/EX or third-party switches. Contrail vRouter (L2 & L3) on KVM and Xen; ESXi/Hyper-V, containers and bare metal in 2014.
27. CONTRAIL COMPONENTS
• Physical network: no changes.
• Configuration: accepts and converts orchestrator requests for VM creation, translates requests, and assigns network.
• Analytics: real-time analytics engine collects, stores and analyzes network elements.
• Control: interacts with network elements for VM network provisioning and ensures uptime.
• vRouter: virtualized routing element that handles the localized control-plane and forwarding-plane work on the compute node (physical host with hypervisor).
• Gateway (WAN, Internet): MX Series (or other router) or EX9200 serve as gateway, eliminating the need for a software gateway and improving scale and performance.
Timeline labels on the slide: today / 2014.
28. OPENSTACK INTEGRATION
Components: Horizon, Nova API, Nova scheduler, Neutron plugin and Neutron driver, configuration node, control node; on the compute node, Nova compute with the compute driver and virtual-IF driver (scripts), the Contrail agent and the vRouter (kernel).
1. Create an instance (VM info, network, IPAM, policies, etc.)
2. Schedule the instance on the compute node
3. VM network properties
4. Create the VM interface
5. Add port
6. Publish the VM interface on IF-MAP
7. VM interface config over XMPP to the Contrail agent
29. CONTRAIL STACK: VROUTER
Architecture diagram: configuration nodes, control plane (several nodes), analytics engines (several); compute nodes (virtual router), service nodes (SRX, Firefly, JSP, ...), gateway nodes (MX, EX/QFX, ...); REST APIs (configuration, operational, and analytics) consumed by OpenStack, CloudStack and customer OSS/BSS. This slide highlights the compute node / vRouter.
30. COMPUTE NODE: HYPERVISOR, VROUTER
Diagram: tenant VMs (tenants A, B, C) on tap interfaces (vif); one routing instance per tenant, each with its own flow table and FIB, in the vRouter forwarding plane in the kernel; the vRouter agent in user space (pkt0 interface; config, VRFs, policy table) speaking XMPP to the JunosV Contrail controllers; Eth0/Eth1/EthN to the top-of-rack switch; overlay tunnels MPLS over GRE or VXLAN.
• vRouter replaces the Linux bridge or OVS module in the hypervisor kernel
• vRouter performs bridging (E-VPN) and routing (L3VPN)
• vRouter performs networking services like security policies, NAT, multicast, mirroring, and load balancing
• No need for service nodes or L2/L3 gateways for routing, broadcast/multicast, NAT
• Routes are automatically leaked into the VRF based on policies
• Support for multiple interfaces on the virtual machines
• Support for multiple interfaces from the compute node to the switching fabric
31. COMPUTE NODE: FORWARDING/TUNNELING
Two compute nodes, each with a VM (VN-IP1 / VN-IP2), a routing instance with flow table and FIB, tap interfaces (vif) and Eth1 (Phy-IP1 / Phy-IP2). Overlay tunnels: MPLS over GRE or VXLAN. A packet for Virtual-IP2 crosses the physical network as: Phy-IP2 | MPLS / VNI | Virtual-IP2 | Payload.
1. Guest OS ARPs for a destination within its subnet or for the default GW
2. vRouter receives the ARP and responds with the VRRP MAC
3. Guest OS sends traffic to the VRRP MAC; vRouter encapsulates the packet with the appropriate MPLS/VNI tag and GRE header
4. The physical fabric routes on the physical IP address
5. Returning packets get forwarded to the appropriate routing instance by the MPLS/VNI tag
6. vRouter decapsulates the packet and forwards it to the guest OS
32. CONTRAIL STACK: CONTROL NODE
Same architecture diagram as slide 29, highlighting the control plane nodes.
33. CONTRAIL CONTROL PLANE NODE
Diagram: control nodes ("BGP module", proxies, XMPP, IF-MAP client) connected by IF-MAP to the configuration nodes, by XMPP to the compute nodes, by IBGP to each other, and by BGP/Netconf to gateway routers and service nodes.
• All control plane nodes are active-active
• Each vRouter uses XMPP to connect with multiple control plane nodes for redundancy
• Each control plane node connects to multiple configuration nodes for redundancy
• BGP and Netconf are used to connect with physical gateway routers or service nodes
• Control plane nodes federate using BGP
• Control nodes can run different software versions for test-before-deploy and live upgrades
34. CONTROL PLANE: ROUTE DISTRIBUTION
Server 1 hosts VM 10.1.1.1 (physical IP 70.10.10.1); Server 2 hosts VM 10.1.1.2 (physical IP 151.10.10.1). The configuration node feeds the control node over REST/API and IF-MAP; the control node distributes the routes to both agents over XMPP:
  10.1.1.1: NH = 70.10.10.1; LBL = 39
  10.1.1.2: NH = 151.10.10.1; LBL = 17
Data plane: the VM sends [PriSrcIP 10.1.1.1 | PriDstIP 10.1.1.2 | PAYLOAD] into its VRF; the vRouter on Server 1 performs dynamic tunnel encapsulation, putting [PubSrcIP 70.10.10.1 | PubDstIP 151.10.10.1 | GRE | LBL=17 | 10.1.1.1 | 10.1.1.2 | PAYLOAD] onto the IP network; the vRouter on Server 2 performs dynamic tunnel decapsulation, selects the VRF from label 17 and delivers [10.1.1.1 | 10.1.1.2 | PAYLOAD] to the VM. (Outer MAC header was left out intentionally to reduce clutter.)
35. CONTRAIL WITH L3VPN
Two data centers, each with its own configuration management, BGP control nodes, agents and MX gateway routers, connected across a service provider MPLS/IP network. DC1: VM 10.1.1.1 on Server 1 (70.10.10.1), MX gateway 80.20.20.1. DC2: VM 10.1.1.2 on Server 2 (151.10.10.1), MX gateway 160.20.20.1. Service provider MX routers 100.1.1.1 and 200.1.1.1. Route 10.1.1.2 is re-advertised hop by hop (I-MBGP within each DC and between the MX routers, E-MBGP towards the service provider), each time with a new next hop and label plus RD and RT:
  10.1.1.2: NH = 151.10.10.1; LBL = 17; RD; RT
  10.1.1.2: NH = 160.20.20.1; LBL = 117; RD; RT
  10.1.1.2: NH = 100.1.1.1; LBL = 217; RD; RT
  10.1.1.2: NH = 200.1.1.1; LBL = 317; RD; RT
  10.1.1.2: NH = 80.20.20.1; LBL = 417; RD; RT
The DC1 control nodes hand the agent on Server 1 "10.1.1.2: NH = 80.20.20.1; LBL = 417". Data plane: Server 1 encapsulates [10.1.1.1 | 10.1.1.2 | PAYLOAD] as [PubSrcIP 70.10.10.1 | PubDstIP 80.20.20.1 | GRE | LBL=417 | ...]; across the SP core the packet carries an MPLS outer label with LBL=217; the DC2 side re-encapsulates as [PubSrcIP 160.20.20.1 | PubDstIP 151.10.10.1 | GRE | LBL=17 | ...]; Server 2 decapsulates and delivers [10.1.1.1 | 10.1.1.2 | PAYLOAD] to the VM. (Outer MAC header was left out intentionally to reduce clutter.)
36. PACKET FLOW FOR EVPN ON IP NETWORK
Same setup as slide 34, with MAC routes. The BGP-based control plane (fed by configuration management over REST/API) distributes
  MAC1: NH = 70.10.10.1; LBL = 39
  MAC2: NH = 151.10.10.1; LBL = 17
to both agents over XMPP. The VM sends [SrcMAC MAC1 | DstMAC MAC2 | PAYLOAD] into its VRF; Server 1 performs dynamic tunnel encapsulation into [PubSrcIP 70.10.10.1 | PubDstIP 151.10.10.1 | GRE | LBL=17 | MAC1 | MAC2 | PAYLOAD]; Server 2 performs dynamic tunnel decapsulation and delivers the Ethernet frame to the VM. (Outer MAC header was left out intentionally to reduce clutter.)
37. CONTRAIL STACK: CONFIG NODE
Same architecture diagram as slide 29, highlighting the configuration nodes.
38. CONTRAIL: SDN AS A "COMPILER"
Applications (Application 2 ... Application N) use the north-bound APIs of the orchestration system. The SDN system holds data models (Data Model 1 ... Data Model M, plus data model extensions), and the compiler generates the APIs from them; plug-ins (Interface 1 ... Interface K) implement the south-bound network element interfaces to the network (physical and virtual) and an east-west peering interface (BGP).
39. CONFIGURATION NODE
Diagram: the orchestrator (OpenStack) talks REST to the REST API server; each configuration node runs the REST API server, the schema transformer, a DHT DB and an IF-MAP server; configuration nodes keep each other in distributed synchronization over a message bus; control nodes subscribe over IF-MAP.
1. The API server provides the northbound REST interface; the orchestration system provisions using this API service
2. A DHT/NoSQL database is used for persistence and high availability of the configuration
3. The schema transformer "compiles" the high-level data model into the low-level model for vRouters, service nodes and gateway routers
4. IF-MAP is used to represent the data model; control nodes subscribe to the subset of the configuration they need
40. LOGICAL TOPOLOGY
Legend: VN G (virtual network Green) with tenant VMs G1, G2, G3; VN R (virtual network Red) with tenant VMs R1, R2, R3; VM FW (virtual firewall); physical gateway router; PN (physical network: Internet, L3VPN, ...).
41. PHYSICAL TOPOLOGY
OpenStack (Neutron, Nova) and the Contrail controller; virtualized servers running a hypervisor with the Contrail vRouter; underlay switches; gateway router to the Internet or L3VPN.
42. MAPPING OF LOGICAL TO VIRTUAL TOPOLOGY
The logical topology of slide 40 (VN G, VN R, VM FW, L3VPN) mapped onto the physical topology of slide 41.
43. STARTING POINT: EMPTY LOGICAL TOPOLOGY
Logical side: VN G, VN R, VM FW and PN not yet created. Physical side: OpenStack (Neutron, Nova), Contrail controller, servers.
44. CREATE GREEN TENANT: CREATE VIRTUAL NETWORK "GREEN"
Action: create VN G.
45. CREATE GREEN TENANT: CREATE VIRTUAL MACHINE "G1"
Action: create VM G1, attach to VN G. Nova: create VM VMG1.
46. CREATE GREEN TENANT: CREATE VIRTUAL MACHINE "G1" (continued)
Neutron: attach VM to VN. XMPP: create routing-instance on the hosting vRouter.
47. CREATE GREEN TENANT: CREATE VIRTUAL MACHINE "G2"
Action: create VM G2, attach to VN G. Nova: create VM VMG2.
48. CREATE GREEN TENANT: CREATE VIRTUAL MACHINE "G2" (continued)
Neutron: attach VM to VN. XMPP: create routing-instance.
49. CREATE GREEN TENANT: CREATE VIRTUAL MACHINE "G2" (continued)
XMPP: exchange routes, create tunnels.
50. CREATE GREEN TENANT: FORWARDING TABLES AND ENCAPSULATION
Server S1 (hosts VM G1):
  Green routing-instance IP FIB:  VM G1 -> virtual ethernet port to VM G1;  VM G2 -> push label L2 + GRE encaps to server S2
  Global MPLS FIB:                L1 -> pop + Green routing-instance
  Global IP FIB:                  Server S2 -> physical ethernet port
Server S2 (hosts VM G2):
  Green routing-instance IP FIB:  VM G1 -> push label L1 + GRE encaps to server S1;  VM G2 -> virtual ethernet port to VM G2
  Global MPLS FIB:                L2 -> pop + Green routing-instance
  Global IP FIB:                  Server S1 -> physical ethernet port
Packet from S1 to S2 on the wire: Ethernet (source MAC server S1, dest MAC server S2) | outer IP header (source IP server S1, dest IP server S2) | GRE | MPLS label L2 | inner IP header (source IP VM G1, dest IP VM G2) | payload.
51. CREATE GREEN TENANT: CREATE VIRTUAL MACHINE "G3"
Action: create VM G3, attach to VN G. Nova: create VM VMG3.
52. CREATE GREEN TENANT: CREATE VIRTUAL MACHINE "G3" (continued)
Neutron: attach VM to VN. XMPP: create routing-instance.
53. CREATE GREEN TENANT: CREATE VIRTUAL MACHINE "G3" (continued)
XMPP: exchange routes, create tunnels.
54. CREATE GREEN TENANT: END STATE
VN G with VMG1, VMG2 and VMG3 in place; VN R, VM FW and PN still to come.
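The encapsulation described on slides 31, 34 and 50, as an added example written for this page (not Contrail's vRouter code): a small Python model of a vRouter holding a per-tenant routing-instance IP FIB and a global MPLS FIB, which builds the actual byte layout outer IPv4 | GRE (protocol type 0x8847) | MPLS label | inner IPv4 for the G1 to G2 packet, using the addresses and labels of slide 34 (70.10.10.1 / 151.10.10.1, labels 39 and 17). The VRF names, tap interface names, payload and the forged label 18 are constructed for the example. The two drop cases are the point a security reviewer cares about: a VRF with no route for the destination, and a label the receiving vRouter never allocated, are both dropped rather than guessed into some other tenant's VRF.

```python
import ipaddress
import struct

IPPROTO_GRE = 47
GRE_PROTO_MPLS = 0x8847  # GRE protocol type for MPLS unicast


def _checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = _checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)


def mpls_label(label, ttl=64):
    """One MPLS label stack entry: 20-bit label, TC=0, bottom-of-stack=1, TTL."""
    return struct.pack("!I", (label << 12) | (1 << 8) | ttl)


class VRouter:
    """Hypothetical model of slide 50's tables, not the real vRouter."""

    def __init__(self, phys_ip):
        self.phys_ip = phys_ip
        self.vrf_fib = {}    # (vrf, dst ip) -> ("vif", port) | ("tunnel", remote ip, label)
        self.mpls_fib = {}   # incoming label -> vrf  (the "Global MPLS FIB")
        self.delivered = []  # (vrf, port, inner packet) handed to a VM's tap interface

    def forward(self, vrf, inner):
        """Routing-instance IP FIB lookup for an inner IPv4 packet."""
        dst = str(ipaddress.IPv4Address(inner[16:20]))
        nh = self.vrf_fib.get((vrf, dst))
        if nh is None:
            return None                      # no route in this tenant's VRF: drop
        if nh[0] == "vif":
            self.delivered.append((vrf, nh[1], inner))
            return nh
        _, remote, label = nh                # push label + GRE encaps to the remote server
        body = struct.pack("!HH", 0, GRE_PROTO_MPLS) + mpls_label(label) + inner
        return ("tunnel", ipv4_header(self.phys_ip, remote, IPPROTO_GRE, len(body)) + body)

    def receive(self, pkt):
        """Fabric-side receive: strip GRE, map the label to a VRF, then forward."""
        ihl = (pkt[0] & 0x0F) * 4
        if pkt[9] != IPPROTO_GRE:
            return None
        _flags, gre_proto = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if gre_proto != GRE_PROTO_MPLS:
            return None
        (entry,) = struct.unpack("!I", pkt[ihl + 4:ihl + 8])
        vrf = self.mpls_fib.get(entry >> 12)
        if vrf is None:
            return None                      # unallocated label: drop, never guess a VRF
        return self.forward(vrf, pkt[ihl + 8:])


def green_tenant_demo():
    """Slide 34/50 topology: G1 (10.1.1.1) on S1, G2 (10.1.1.2) on S2."""
    s1, s2 = VRouter("70.10.10.1"), VRouter("151.10.10.1")
    s1.vrf_fib[("green", "10.1.1.1")] = ("vif", "tap-g1")
    s1.vrf_fib[("green", "10.1.1.2")] = ("tunnel", "151.10.10.1", 17)
    s2.vrf_fib[("green", "10.1.1.2")] = ("vif", "tap-g2")
    s2.vrf_fib[("green", "10.1.1.1")] = ("tunnel", "70.10.10.1", 39)
    s1.mpls_fib[39] = "green"
    s2.mpls_fib[17] = "green"

    payload = b"hello"   # constructed payload; protocol 253 is reserved for experiments
    inner = ipv4_header("10.1.1.1", "10.1.1.2", 253, len(payload)) + payload
    kind, wire = s1.forward("green", inner)          # leaves S1 encapsulated
    outer = (str(ipaddress.IPv4Address(wire[12:16])), str(ipaddress.IPv4Address(wire[16:20])))
    label = struct.unpack("!I", wire[24:28])[0] >> 12
    delivered = s2.receive(wire)                     # S2: label 17 -> green VRF -> tap-g2

    red_drop = s1.forward("red", inner)              # red VRF has no route to 10.1.1.2
    forged = wire[:24] + mpls_label(18) + wire[28:]  # label S2 never allocated
    forged_drop = s2.receive(forged)
    return {"kind": kind, "outer": outer, "label": label, "delivered": delivered,
            "csum_ok": _checksum(wire[:20]) == 0, "inner_ok": s2.delivered[-1][2] == inner,
            "red_drop": red_drop, "forged_drop": forged_drop}
```

Run `green_tenant_demo()` to see the outer header carry the two servers' physical addresses, label 17 select S2's green VRF, and both negative cases return None. The model omits the Ethernet header, as the slides do, and uses a single label per packet (bottom-of-stack set); real vRouters also support VXLAN, which this model does not.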
55. CREATE RED TENANT: SAME STEPS AS GREEN TENANT
End state: VN R with VMR1, VMR2 and VMR3 alongside VN G.
56. CONNECT GREEN TO RED TENANT VIA FIREWALL: CREATE VIRTUAL MACHINE FOR FIREWALL
Action: create VM FW, attach to VN G and VN R. Nova: create VM VMFW.
57. CONNECT GREEN TO RED TENANT VIA FIREWALL: ATTACH FIREWALL TO RED AND GREEN VIRTUAL NETWORKS
Neutron: attach VM to VNs. XMPP: create routing-instance.
58. CONNECT GREEN TO RED TENANT VIA FIREWALL: APPLY POLICY, EXCHANGE ROUTES, AND CREATE TUNNELS
Action: apply policy VN G ↔ VN R. XMPP: exchange routes, create tunnels.
59. CONNECT GREEN TO RED TENANT VIA FIREWALL: END STATE
VN G and VN R connected only through VM FW.
60. CONNECT GREEN TO RED TENANT VIA FIREWALL: DATA PLANE
Red ↔ Green traffic is forced through the firewall.
61. CONNECT RED TENANT TO PHYSICAL L3VPN: CONFIGURE L3VPN ROUTING INSTANCE
Action: apply policy VN R ↔ L3VPN. Netconf: configure the routing-instance on the gateway router.
62. CONNECT RED TENANT TO PHYSICAL L3VPN: EXCHANGE ROUTES WITH PHYSICAL ROUTER, CREATE TUNNELS
BGP: exchange routes with the gateway router, create tunnels.
63. CONNECT RED TENANT TO PHYSICAL L3VPN: EXCHANGE ROUTES WITH VROUTERS, CREATE TUNNELS
XMPP: exchange routes with the vRouters, create tunnels.
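Slides 30, 39 and 56 to 63 say that routes are "leaked into the VRF based on policies" and that the schema transformer compiles the high-level model into low-level per-VRF state. The following Python is an added illustration of that compile step, a simplified model written for this page and not Contrail's schema transformer: every VN starts with only its own routes (isolated), a pass policy between two VNs leaks each side's routes into the other, and a policy that names a service instance instead re-originates the remote prefixes with the next hop set to the firewall VM's interface on the local side, which is what forces red ↔ green traffic through the firewall (slide 60). The red VM prefix, the firewall's per-VN next hops (labels 21, 55, 56) and the L3VPN site prefix 192.168.100.0/24 are constructed; 10.1.1.x with labels 39/17 and the gateway 80.20.20.1 with label 417 are taken from slides 34 and 35.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

NextHop = Tuple[str, int]   # (tunnel endpoint: compute node or gateway IP, MPLS label)


@dataclass
class VirtualNetwork:
    name: str
    routes: Dict[str, NextHop] = field(default_factory=dict)  # prefix -> next hop learned from vRouters/gateways


@dataclass
class ServiceInstance:
    """A service VM (here the firewall) with one interface in each attached VN."""
    name: str
    interfaces: Dict[str, NextHop]   # VN name -> next hop that reaches the VM's interface in that VN


@dataclass
class NetworkPolicy:
    left: str
    right: str
    action: str = "pass"                        # "pass" leaks routes; "deny" keeps the VRFs apart
    service: Optional[ServiceInstance] = None   # if set, traffic between the VNs is steered through it


def compile_vrfs(vns, policies):
    """Schema-transformer step (hypothetical model): VNs + policies -> per-VRF tables.

    A VRF starts with only its own VN's routes, so tenants are isolated by default.
    A pass policy without a service leaks the remote routes unchanged (import RT).
    A pass policy with a service re-originates the remote prefixes with the next hop
    pointing at the service VM's interface on the local side.
    """
    vrfs = {name: dict(vn.routes) for name, vn in vns.items()}
    for pol in policies:
        if pol.action != "pass":
            continue
        for local, remote in ((pol.left, pol.right), (pol.right, pol.left)):
            for prefix, nh in vns[remote].routes.items():
                vrfs[local][prefix] = nh if pol.service is None else pol.service.interfaces[local]
    return vrfs


def trace(vrfs, services, vn, prefix):
    """Next hops a packet in VRF `vn` takes towards `prefix`; when the next hop is a
    service interface, the lookup continues in the VN of the service's other interface."""
    owner = {nh: si for si in services for nh in si.interfaces.values()}
    hops = []
    while True:
        nh = vrfs[vn].get(prefix)
        if nh is None:
            return hops + ["DROP"]
        hops.append(nh)
        if nh not in owner:
            return hops
        si = owner[nh]
        vn = next(v for v, iface in si.interfaces.items() if iface != nh)   # exit the service on its other leg


def two_tenant_scenario():
    vn_g = VirtualNetwork("green", {"10.1.1.1/32": ("70.10.10.1", 39), "10.1.1.2/32": ("151.10.10.1", 17)})
    vn_r = VirtualNetwork("red", {"10.2.2.1/32": ("151.10.10.1", 21)})               # constructed
    l3vpn = VirtualNetwork("l3vpn", {"192.168.100.0/24": ("80.20.20.1", 417)})        # site prefix constructed
    vns = {vn.name: vn for vn in (vn_g, vn_r, l3vpn)}
    fw = ServiceInstance("vmfw", {"green": ("70.10.10.1", 55), "red": ("70.10.10.1", 56)})  # constructed

    isolated = compile_vrfs(vns, [])                                   # slide 55: two tenants, no policy
    denied = compile_vrfs(vns, [NetworkPolicy("green", "red", action="deny")])
    chained = compile_vrfs(vns, [NetworkPolicy("green", "red", service=fw),   # slide 58
                                 NetworkPolicy("red", "l3vpn")])              # slide 61
    return {
        "isolated_red_in_green": [p for p in isolated["green"] if p.startswith("10.2.")],
        "denied_red_in_green": denied["green"].get("10.2.2.1/32"),
        "green_to_red": trace(chained, [fw], "green", "10.2.2.1/32"),
        "red_to_green": trace(chained, [fw], "red", "10.1.1.1/32"),
        "red_to_l3vpn": chained["red"].get("192.168.100.0/24"),
        "green_to_l3vpn": chained["green"].get("192.168.100.0/24"),   # policies do not chain transitively
    }
```

The last entry is the check worth keeping in a real deployment: granting red a path to the L3VPN does not expose green, because leaking is per policy pair and not transitive; a path from green to the L3VPN would still require its own policy through the firewall.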
64. VROUTER HA
The vRouter learns its controllers (Controller 1, Controller 2) from the discovery server and connects to both; eth0 and eth1 are bonded with LACP Linux bonding towards the ToR, with spine and gateway above.
65. CONTRAIL COMPONENT HA
Each controller runs the discovery server, IF-MAP, the Neutron API, the config API, Cassandra, ZooKeeper and RabbitMQ; clients reach the Neutron and config APIs through HAProxy + VIP.
66. Configuration node failover (1/4)
Three configuration nodes (REST API server, schema transformer, IF-MAP server, RabbitMQ, DHT DB) behind HA proxies; two control nodes ("BGP module", proxies, XMPP, IF-MAP client), each subscribed to a configuration node.
67. Configuration node failover (2/4)
The configuration node serving a control node goes down.
68. Configuration node failover (3/4)
The control node reconnects to a surviving configuration node. 1) The configuration node sends ALL data to the control node to sync the control node's information. 2) The control node overwrites its state with the new information.
69. Configuration node failover (4/4)
Sync!
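The "fault tolerance via idempotence" pattern of slides 16 to 20 and the send-all-data resync of slides 68 and 69, as an added example written for this page (not Contrail agent code): a Python agent that treats every message, whether an incremental update, a withdraw or a full snapshot, as "check local state, apply the difference". Re-delivered updates and a re-sent snapshot produce no operations, and a full sync after a controller outage removes entries the agent should no longer hold, which matters because a stale route is a live tunnel towards a tenant VM that may no longer exist. The route values reuse slides 34 and 35; the Route and Agent names are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Route:
    """One entry as the control node advertises it over XMPP (slide 34)."""
    prefix: str    # tenant prefix, e.g. "10.1.1.2/32"
    nexthop: str   # tunnel endpoint: physical IP of the hosting compute node or gateway
    label: int     # MPLS label selecting the tenant VRF on the far side


@dataclass
class Agent:
    """vRouter-agent side of the exchange (hypothetical model): holds one VRF and
    applies only the difference between what it has and what it is told."""
    vrf: dict = field(default_factory=dict)   # prefix -> Route

    def _set(self, route, ops):
        if self.vrf.get(route.prefix) != route:   # check local state first
            self.vrf[route.prefix] = route
            ops.append(("set", route.prefix))

    def _delete(self, prefix, ops):
        if prefix in self.vrf:
            del self.vrf[prefix]
            ops.append(("del", prefix))

    def update(self, route):
        """Incremental 'Update' (slide 19 BGP, slide 20 IF-MAP style)."""
        ops = []
        self._set(route, ops)
        return ops

    def withdraw(self, prefix):
        """Incremental 'Withdraw': an unknown prefix is ignored, not an error."""
        ops = []
        self._delete(prefix, ops)
        return ops

    def full_sync(self, snapshot):
        """'Full Sync' (slides 18 and 68): reconcile against the complete controller
        view. Stale entries are removed, changed ones replaced, identical ones left
        alone, so replaying the same snapshot is a no-op."""
        ops = []
        for prefix in list(self.vrf):
            if prefix not in snapshot:
                self._delete(prefix, ops)
        for route in snapshot.values():
            self._set(route, ops)
        return ops


def controller_failover_scenario():
    """Slides 68-69: the node serving this control path went down; after the
    reconnect the surviving node sends ALL data and the agent overwrites its view."""
    agent = Agent()
    g1 = Route("10.1.1.1/32", "70.10.10.1", 39)
    g2 = Route("10.1.1.2/32", "151.10.10.1", 17)
    agent.update(g1)
    agent.update(g2)
    duplicate = agent.update(g2)              # redelivered message: no-op
    unknown = agent.withdraw("10.9.9.9/32")   # withdraw of nothing: no-op
    # While disconnected, 10.1.1.1 was deleted and 10.1.1.2 moved behind the
    # DC1 gateway (slide 35). The snapshot states the whole desired VRF.
    snapshot = {"10.1.1.2/32": Route("10.1.1.2/32", "80.20.20.1", 417)}
    first = agent.full_sync(snapshot)         # removes the stale route, replaces the changed one
    second = agent.full_sync(snapshot)        # idempotent: nothing left to do
    return duplicate, unknown, first, second, dict(agent.vrf)
```

The design point is that the agent never needs a transaction log or an acknowledgement protocol with the controller (slide 17's "RPC nightmare"): any message can be lost, duplicated or replayed, and converging on the controller's snapshot is always safe because the operation list is derived from the difference, not from the message count.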
70. DEMO
