Download - SDN Controller
CONTRAIL SDN CONTROLLER
Jakub Pavlik, tcp cloud
2 Copyright © 2013 Juniper Networks, Inc.
Datacenter Use Case
3 Copyright © 2013 Juniper Networks, Inc.
CONTRAIL USE CASE 1: CLOUDENTERPRISE PRIVATE CLOUD
Finance HR Marketing
VLAN
Physical Service
Appliances
Silo'ed resource allocationManual configurationStatic service deployment
4 Copyright © 2013 Juniper Networks, Inc.
CONTRAIL USE CASE 1: CLOUDENTERPRISE PRIVATE CLOUD
Finance HR Marketing Finance HR Marketing
VLAN
Physical Service
Appliances
VirtualNetwork
Silo'ed resource allocationManual configurationStatic service deployment
Dynamic resource allocationAutomated configurationDynamic service chains
Network policies enforced as ACLs and
service chains
5 Copyright © 2013 Juniper Networks, Inc.
CONTRAIL USE CASE 2: CLOUDSERVICE PROVIDER CLOUD (IAAS, VPC)
Service ProviderInfrastructure as a Service (IaaS)
Service ProviderL3VPN, E-VPN
Public Cloud Providers, Content Providers, ...
Service ProviderManaged Virtual Private Cloud (VPC)
Enterprise Offices
End-to-End Virtual Network Orchestration and Automation
Enterprise Data Center
6 Copyright © 2013 Juniper Networks, Inc.
Network Virtualisation----
The Importance of Abstraction
"SDN as a Compiler"
7 Copyright © 2013 Juniper Networks, Inc.
WHAT IS NETWORK VIRTUALIZATION Independent of Physical Network Location or State
Logical Network across any server, any rack, any cluster, any data-center
Virtual Machines can migrate without requiring any reworking of security policies, load balancing, etc
New Workloads or Networks should not require provisioning of physical network
Nodes in Physical Network can fail without any disruption to Workload
Full Isolation for Multi-tenancy and Fault Tolerance MAC and IP Addresses are completely private per tenant Any failures or configuration errors by tenants do not affect other
applications or tenants Any failures in the virtual layer do not propagate to physical layer
8 Copyright © 2013 Juniper Networks, Inc.
CONTRAIL KEY ABSTRACTIONS"LEGO BLOCKS"
VN
VM VM
VN
VN
Virtual MachinesCloud Tenants and Virtual Network Functions
Virtual NetworksConnect Virtual Machines
Gateway DevicesConnect the Virtual to the Physical
9 Copyright © 2013 Juniper Networks, Inc.
CONTRAIL KEY ABSTRACTIONSCONSTRUCTING COMPLEX USE CASES WITH SIMPLE "LEGO BLOCKS"
VM VM VM
Virtual Network
VM VM VM
Virtual Network
Tenant Virtual Machines
Virtual Firewall
Physical Gateway RouterNon-Virtualized (Bare Metal) Server
Physical Network (Internet, L3VPN, ...)
Virtual Network
PhysicalNetwork
Virtual Load Balancer
Service Chain
11 Copyright © 2013 Juniper Networks, Inc.
VIRTUAL NETWORKAKA NETWORK SLICING, AKA MULTI-TENANCY
OpenStackCloudStack
ContrailController
VMG1
VMR1
VMG2
VMR2
Contrail Controller
REST APIs
XMPP
VirtualizedServer
Contrail vRouter
Hypervisor
Routing Instance Overlay TunnelMPLS/GRE, MPLS/UDP, VXLAN
Underlay Switch
GreenVirtual Network
VM VM VM VM
RedVirtual Network
VM VM VM VM
12 Copyright © 2013 Juniper Networks, Inc.
SERVICE CHAININGIN THE CONTEXT OF A DATA CENTER
VMG1
VMG2
VMG3
GreenVirtual Network
VMR1
VMR2
VMR3
RedVirtual Network
ContrailController
VMG
VMR
XMPP
OpenStackCloudStack
13 Copyright © 2013 Juniper Networks, Inc.
GATEWAY TO L3VPN
ContrailController
VMR1
VMR2
PhysicalL3VPN
BGP + Netconf
Overlay TunnelMPLS/GRE, MPLS/UDP, VXLAN
RedVirtual Network
VM VM VM VM
Route Reflector
LSP (RSVP, LDP)
BGPGateway Router (PE Router)
OpenStackCloudStack
14 Copyright © 2013 Juniper Networks, Inc.
GATEWAY TO BARE-METAL SERVER
ContrailController
VMR1
VMR2
BGP + Netconf
Overlay TunnelMPLS/GRE, MPLS/UDP, VXLAN
RedVirtual Network
VM VM
Gateway Router or Switch
Bare Metal Server(Non-Virtualized Server)
OpenStackCloudStack
15 Copyright © 2013 Juniper Networks, Inc.
Contrail Architecture
16 Copyright © 2013 Juniper Networks, Inc.
CONTRAIL ARCHITECTUREA GENERAL PURPOSE SDN PLATFORM
Physical NetworkInteroperability with traditional network devicesAny-to-any non-blocking low-latency fabric: Q-Fabric or Clos
Virtual Network OverlayMulti-tenancy for private and virtual public cloudsGateway functions - connect to virtual to physical networkService chaining (physical and virtual)
MarketingHRFinance
Control Plane - Physical, VirtualOpen, standards-based, federated controllerScalable and resilient
Control Plane
Configuration manager, Automation
Control Plane Control Plane
Orchestration, Automation, AnalyticsOpen source and partner eco system of orchestratorsApi and sdk for integration with OSS / BSS OSS
17 Copyright © 2013 Juniper Networks, Inc.
ROLE OF CONTRAIL IN A VIRTUALIZED ENVIRONMENTOrchestratorOpenStack, CloudStack
Contrail Controller"Logically Centralized, Physically Distributed"
Physical Network(Fabric)
Physical and
VirtualNetworkServices
VM
VM VM
VM
Server Server
Storage
Physical Network(Gateway)
Sto
rage
Com
pute
Network (Physical and Virtual)
Com
puteN
etw
ork
High Level Abstraction
Low Level Realization
Contrail vRouter
19 Copyright © 2013 Juniper Networks, Inc.
SCALE-OUT NETWORK SYSTEM
JUNOSV CONTRAIL System
Configuration Node
Configuration Node
Control Node
ControlNode
ComputeNode
(Virtual Router)
ServiceNode
(SRX, Firefly, JSP, ...)
Analytics Node
Analytics Node
GatewayNode
(MX, EX/QFX, ...)
Orchestrator(OpenStack)
REST
IBGP
IF-MAP
XMPP BGP, NETCONF
Logically Centralized(Physically Distributed)
Horizontally Scalable
Highly Available(Active-Active)
Federated
20 Copyright © 2013 Juniper Networks, Inc.
APIS FIRST
ConfigurationNodes
AnalyticsNodes
REST APIs
Contrail ControllerService Data Model
High Level of Abstraction
Generates
Contrail GUI OSS / BSS Service Orchestrator
21 Copyright © 2013 Juniper Networks, Inc.
RICH INTEGRATED ANALYTICS
23 Copyright © 2013 Juniper Networks, Inc.
OPEN CONTRAIL
Contrail is available as Open Source www.opencontrail.org. Commercial support available from Juniper.
Same features and scaling as commercial versionUses proven stable standards. Production-Ready.
Permissive license Apache 2.0
Integrated into open source virtualization stacksOpenStack, CloudStack
24 Copyright © 2013 Juniper Networks, Inc.
Contrail Detailed Walk-Through
25 Copyright © 2013 Juniper Networks, Inc.
LOGICAL TOPOLOGY
VMG1
VMG2
VMG3
VN G
VMR1
VMR2
VMR3
VN R
PN
VMFW
BMSR4
Virtual Network
Tenant Virtual MachinesVirtual Firewall
Physical Gateway RouterNon-Virtualized (Bare Metal) Server
Physical Network (Internet, L3VPN, ...)
26 Copyright © 2013 Juniper Networks, Inc.
PHYSICAL TOPOLOGY
OpenStack ContrailController
NeutronNova
Virtualized Server
Hypervisor with Contrail vRouter
Non-Virtualized (Bare Metal) Server
Underlay Switches
Gateway Router to Internet or L3VPN
27 Copyright © 2013 Juniper Networks, Inc.
MAPPING OF LOGICAL TO VIRTUAL TOPOLOGY
VMG1
VMG2
VMG3
VN G
VMR1
VMR2
VMR3
VN R
L3VPN
VMFW
OpenStack ContrailController
NeutronNova
PHYSICAL LOGICAL
BMSR4
28 Copyright © 2013 Juniper Networks, Inc.
STARTING POINTEMPTY LOGICAL TOPOLOGY
VMG1
VMG2
VMG3
VN G
VMR1
VMR2
VMR3
VN R
PN
VMFW
OpenStack ContrailController
NeutronNova
PHYSICAL LOGICAL
BMSR4
29 Copyright © 2013 Juniper Networks, Inc.
CREATE GREEN TENANTCREATE VIRTUAL NETWORK "GREEN"
VMG1
VMG2
VMG3
VMR1
VMR2
VMR3
VN R
PN
VMFW
OpenStack ContrailController
NeutronNova
PHYSICAL LOGICAL
BMSR4
VN G
Create VN G
30 Copyright © 2013 Juniper Networks, Inc.
CREATE GREEN TENANTCREATE VIRTUAL MACHINE "G1"
VMG1
VMG2
VMG3
VMR1
VMR2
VMR3
VN R
PN
VMFW
OpenStack ContrailController
NeutronNova
PHYSICAL LOGICAL
BMSR4
VN G
Create VM G1Attach to VN G
Nova: Create VM
VMG1
31 Copyright © 2013 Juniper Networks, Inc.
CREATE GREEN TENANTCREATE VIRTUAL MACHINE "G1"
VMG1
VMG2
VMG3
VMR1
VMR2
VMR3
VN R
PN
VMFW
OpenStack ContrailController
NeutronNova
PHYSICAL LOGICAL
BMSR4
VN GVMG1
Neutron:Attach VM to VN
Create VM G1Attach to VN G
XMPP:Create routing-instance
32 Copyright © 2013 Juniper Networks, Inc.
CREATE GREEN TENANTCREATE VIRTUAL MACHINE "G2"
VMG1
VMG2
VMG3
VMR1
VMR2
VMR3
VN R
PN
VMFW
OpenStack ContrailController
NeutronNova
PHYSICAL LOGICAL
BMSR4
VN G
Create VM G2Attach to VN G
VMG1
Nova: Create VM
VMG2
33 Copyright © 2013 Juniper Networks, Inc.
CREATE GREEN TENANTCREATE VIRTUAL MACHINE "G2"
VMG1
VMG3
VMR1
VMR2
VMR3
VN R
PN
VMFW
OpenStack ContrailController
NeutronNova
PHYSICAL LOGICAL
BMSR4
VN GVMG1
Neutron:Attach VM to VN
Create VM G2Attach to VN G
VMG2
XMPP:Create routing-instance
VMG2
34 Copyright © 2013 Juniper Networks, Inc.
CREATE GREEN TENANTCREATE VIRTUAL MACHINE "G2"
VMG1
VMG3
VMR1
VMR2
VMR3
VN R
PN
VMFW
OpenStack ContrailController
NeutronNova
PHYSICAL LOGICAL
BMSR4
VN GVMG1
Create VM G2Attach to VN G
VMG2
XMPP:Exchange routesCreate tunnels
VMG2
36 Copyright © 2013 Juniper Networks, Inc.
CREATE GREEN TENANTCREATE VIRTUAL MACHINE "G3"
VMG1
VMG3
VMR1
VMR2
VMR3
VN R
PN
VMFW
OpenStack ContrailController
NeutronNova
PHYSICAL LOGICAL
BMSR4
VN GVMG1
VMG2 VM
G2
Create VM G3Attach to VN G
Nova: Create VM
VMG3
37 Copyright © 2013 Juniper Networks, Inc.
CREATE GREEN TENANTCREATE VIRTUAL MACHINE "G3"
VMG1
VMG3
VMR1
VMR2
VMR3
VN R
PN
VMFW
OpenStack ContrailController
NeutronNova
PHYSICAL LOGICAL
BMSR4
VN GVMG1
VMG2 VM
G2
Create VM G3Attach to VN G
VMG3
Neutron:Attach VM to VN
XMPP:Create routing-instance
38 Copyright © 2013 Juniper Networks, Inc.
CREATE GREEN TENANTCREATE VIRTUAL MACHINE "G3"
VMG1
VMG3
VMR1
VMR2
VMR3
VN R
PN
VMFW
OpenStack ContrailController
NeutronNova
PHYSICAL LOGICAL
BMSR4
VN GVMG1
VMG2 VM
G2
Create VM G3Attach to VN G
VMG3
XMPP:Exchange routesCreate tunnels
39 Copyright © 2013 Juniper Networks, Inc.
CREATE GREEN TENANTEND STATE
VMG1
VMG3
VMR1
VMR2
VMR3
VN R
PN
VMFW
OpenStack ContrailController
NeutronNova
PHYSICAL LOGICAL
BMSR4
VN GVMG1
VMG2 VM
G2
VMG3
40 Copyright © 2013 Juniper Networks, Inc.
CREATE RED TENANTSAME STEPS AS GREEN TENANT
VMG1
VMG3
VMR1
VMR2
VMR3
VN R
PN
VMFW
OpenStack ContrailController
NeutronNova
PHYSICAL LOGICAL
BMSR4
VN GVMG1
VMG2 VM
G2
VMG3
VMR1
VMR3
VMR2
41 Copyright © 2013 Juniper Networks, Inc.
CONNECT GREEN TO RED TENANT VIA FIREWALLCREATE VIRTUAL MACHINE FOR FIREWALL
VMG1
VMG3
VMR1
VMR2
VMR3
VN R
PN
OpenStack ContrailController
NeutronNova
PHYSICAL LOGICAL
BMSR4
VN GVMG1
VMG2 VM
G2
VMG3
VMR1
VMR3
VMR2
Create VM FWAttach to VN GAttach to VN R
VMFW
Nova: Create VM
VMFW
42 Copyright © 2013 Juniper Networks, Inc.
CONNECT GREEN TO RED TENANT VIA FIREWALLATTACH FIREWALL TO RED AND GREEN VIRTUAL NETWORKS
VMG1
VMG3
VMR1
VMR2
VMR3
VN R
PN
OpenStack ContrailController
NeutronNova
PHYSICAL LOGICAL
BMSR4
VN GVMG1
VMG2 VM
G2
VMG3
VMR1
VMR3
VMR2
Create VM FWAttach to VN GAttach to VN R
VMFW
VMFW
Neutron:Attach VM to VNs
XMPP: Create routing-instance
43 Copyright © 2013 Juniper Networks, Inc.
CONNECT GREEN TO RED TENANT VIA FIREWALLAPPLY POLICY, EXCHANGE ROUTES, AND CREATE TUNNELS
VMG1
VMG3
VMR1
VMR2
VMR3
VN R
L3VPN
OpenStack ContrailController
NeutronNova
PHYSICAL LOGICAL
BMSR4
VN GVMG1
VMG2 VM
G2
VMG3
VMR1
VMR3
VMR2
VMFW
VMFW
Apply PolicyVN G ↔ VN R
XMPP:Exchange routes
Create tunnels
44 Copyright © 2013 Juniper Networks, Inc.
CONNECT GREEN TO RED TENANT VIA FIREWALLEND STATE
VMG1
VMG3
VMR1
VMR2
VMR3
VN R
L3VPN
OpenStack ContrailController
NeutronNova
PHYSICAL LOGICAL
BMSR4
VN GVMG1
VMG2 VM
G2
VMG3
VMR1
VMR3
VMR2
VMFW
VMFW
45 Copyright © 2013 Juniper Networks, Inc.
CONNECT GREEN TO RED TENANT VIA FIREWALLDATA PLANE: RED ↔ GREEN TRAFFIC FORCED THROUGH THE FIREWALL
VMG1
VMG3
VMR1
VMR2
VMR3
VN R
L3VPN
OpenStack ContrailController
NeutronNova
PHYSICAL LOGICAL
BMSR4
VN GVMG1
VMG2 VM
G2
VMG3
VMR1
VMR3
VMR2
VMFW
VMFW
46 Copyright © 2013 Juniper Networks, Inc.
CONNECT RED TENANT TO PHYSICAL L3VPNCONFIGURE L3VPN ROUTING INSTANCE
VMG1
VMG3
VMR1
VMR2
VMR3
VN R
OpenStack ContrailController
NeutronNova
PHYSICAL LOGICAL
BMSR4
VN GVMG1
VMG2 VM
G2
VMG3
VMR1
VMR3
VMR2
VMFW
VMFW
L3VPN
Apply PolicyVN R ↔ L3VPN
Netconf:Configure
routing-instance
47 Copyright © 2013 Juniper Networks, Inc.
CONNECT RED TENANT TO PHYSICAL L3VPNEXCHANGE ROUTES WITH PHYSICAL ROUTER, CREATE TUNNELS
VMG1
VMG3
VMR1
VMR2
VMR3
VN R
OpenStack ContrailController
NeutronNova
PHYSICAL LOGICAL
BMSR4
VN GVMG1
VMG2 VM
G2
VMG3
VMR1
VMR3
VMR2
VMFW
VMFW
L3VPN
Apply PolicyVN R ↔ L3VPN
BGP:Exchange routes
Create tunnels
48 Copyright © 2013 Juniper Networks, Inc.
CONNECT RED TENANT TO PHYSICAL L3VPNEXCHANGE ROUTES WITH VROUTERS, CREATE TUNNELS
VMG1
VMG3
VMR1
VMR2
VMR3
VN R
OpenStack ContrailController
NeutronNova
PHYSICAL LOGICAL
BMSR4
VN GVMG1
VMG2 VM
G2
VMG3
VMR1
VMR3
VMR2
VMFW
VMFW
L3VPN
Apply PolicyVN R ↔ L3VPN
XMPP:Exchange routes
Create tunnels
49 Copyright © 2013 Juniper Networks, Inc.
CONNECT BARE METAL SERVER TO RED TENANTUSE TOP-OF-RACK SWITCH AS GATEWAY
VMG1
VMG3
VMR1
VMR2
VMR3
VN RBMSR4
OpenStack ContrailController
NeutronNova
PHYSICAL LOGICAL
BMSR4
VN GVMG1
VMG2 VM
G2
VMG3
VMR1
VMR3
VMR2
VMFW
VMFW
L3VPN
50 Copyright © 2013 Juniper Networks, Inc.
CONNECT BARE METAL SERVER TO RED TENANTCREATE ROUTING INSTANCE
VMG1
VMG3
VMR1
VMR2
VMR3
VN RBMSR4
OpenStack ContrailController
NeutronNova
PHYSICAL LOGICAL
BMSR4
VN GVMG1
VMG2 VM
G2
VMG3
VMR1
VMR3
VMR2
VMFW
VMFW
L3VPN
Attach BMS R4to VN R
using switch S
Netconf:Configure
routing-instance
51 Copyright © 2013 Juniper Networks, Inc.
CONNECT BARE METAL SERVER TO RED TENANTEXCHANGE ROUTES WITH PHYSICAL SWITCH, CREATE TUNNELS
VMG1
VMG3
VMR1
VMR2
VMR3
VN RBMSR4
OpenStack ContrailController
NeutronNova
PHYSICAL LOGICAL
BMSR4
VN GVMG1
VMG2 VM
G2
VMG3
VMR1
VMR3
VMR2
VMFW
VMFW
L3VPN
Attach BMS R4to VN R
using switch S
BGP:Exchange routes
Create tunnels
52 Copyright © 2013 Juniper Networks, Inc.
CONNECT BARE METAL SERVER TO RED TENANTEXCHANGE ROUTES WITH VROUTERS, CREATE TUNNELS
VMG1
VMG3
VMR1
VMR2
VMR3
VN RBMSR4
OpenStack ContrailController
NeutronNova
PHYSICAL LOGICAL
BMSR4
VN GVMG1
VMG2 VM
G2
VMG3
VMR1
VMR3
VMR2
VMFW
VMFW
L3VPN
Attach BMS R4to VN R
using switch S
XMPP:Exchange routes
Create tunnels
53 Copyright © 2013 Juniper Networks, Inc.
CONNECT BARE METAL SERVER TO RED TENANTEND STATE
VMG1
VMG3
VMR1
VMR2
VMR3
VN RBMSR4
OpenStack ContrailController
NeutronNova
PHYSICAL LOGICAL
BMSR4
VN GVMG1
VMG2 VM
G2
VMG3
VMR1
VMR3
VMR2
VMFW
VMFW
L3VPN
54 Copyright © 2013 Juniper Networks, Inc.
CONTRAIL IS BASED ON MPLS VPN TECHNOLOGY
P PPE PE
RouteReflector
RouteReflector
CECE
UnderlaySwitchvRouter
ControlNode
ControlNode
UnderlaySwitch
VM
VM
VM
VM
vRouterVM VM
IBGP
IBGP
IBGP
XMPP
MPLS over MPLS
MPLS over GRE or VXLAN
Network Management System (NMS)
DMI ConfigNode
Orchestrator
AnalyticsNode
SDN System
MPLS L3VPN / E-VPN Contrail
