Openstack Users Ja Sogabe e


  • Multi-tenant IaaS using OpenStack + OpenContrail

    Takashi Sogabe(@rev4t)

    Internet Initiative Japan., Inc.

  • Who am I ?

    Takashi Sogabe (@rev4t)

    I develop services and devices at IIJ

    Lately I have also been verifying software and building networks in order to create new services

    I call myself a full-stack engineer

  • What do I want to do?

    Contrail is now open source!

    The quickest way for an engineer to understand something is to actually try it

    I want to read the source code with a smirk on my face

    First, create demo environment and play with it

  • What is OpenContrail ?

    It's software that makes it easy to build a scalable IaaS

    It's an SDN product

    It works with OpenStack, CloudStack

    Control plane: BGP or XMPP

    Data plane: MPLS over GRE

    It appears to support MPLS over UDP and VXLAN as well

  • Source of Information

    http://opencontrail.org/

    Documents and packages are provided here

    https://github.com/Juniper/contrail-controller

    The source code is published openly on GitHub

    http://juni.pr/17tlcQh

    Valuable information in Japanese on OpenContrail, posted on J-NET by Arimura-san of Juniper

  • Why MPLS/BGP ?

    They are mature technologies, so you can use them with peace of mind

    ISPs already use MPLS for IP-VPN services

    Performance is maintained even with many VPN connections in place

    It's easy to establish inter-DC connections or hybrid clouds

    Using an L3VPN router as the external router makes interconnection easy

  • What else can you do?

    Service Chaining

    NFV in other words

    You can insert a firewall or many other functions between VMs

    Network Monitoring

    You can monitor session information of communications in progress from the web screen

    If necessary, you can run tcpdump from the web screen

    Think of it as an overlay-network version of Remote SPAN (RSPAN)

  • Minimum configuration needed for testing?

    PC server * 1 unit

    Juniper recommends 5 units or more

    If it's just for testing, 1 unit is enough

    Router * 1 unit

    One that can speak MPLS VPN

    Juniper MX and SRX are examples

    If you don't need an external router, it isn't necessary

  • Server configuration of demo environment

    [Diagram: demo environment]

    External Router (Gateway Router): 192.168.192.79 on the 192.168.192.0/24 segment, 10.0.0.1/24 toward the vRouter

    One PC server at 192.168.192.64 running the Contrail System, OpenStack (controller, etc.), OpenStack (nova-compute) and the vRouter

    Router for internet connection, also on 192.168.192.0/24

  • OpenContrail Architecture

  • Install (1)

    Building from source: http://juni.pr/1alNn7h

    Uses git + repo; setting it up is cumbersome, so this is adequate for building only

    devstack: https://github.com/dsetia/devstack

    Binary packages: an OS image provided by Juniper, or RPM packages (CentOS or Fedora); a Juniper.net account is needed

    Juniper says that if you apply via the online form, an account is created for you in a day or two

    The OS image is used for this demo: Contrail Install Media for CentOS 90-day EVAL (Release 1.02), OpenStack Grizzly

  • Install (2)

    1. Download the OS image and install it on the PC

    2. Run setup.sh

       cd /opt/contrail/contrail_packages; ./setup.sh

    3. Create the testbed file

    4. Install the system

       cd /opt/contrail/utils; fab install_contrail
       (rebooted automatically)

       cd /opt/contrail/utils; fab setup_all
       (rebooted automatically)

  • Testbed file

    cd /opt/contrail/utils/fabfile/testbeds
    cp testbed_singlebox_example.py testbed.py
    vi testbed.py   (edit as below)

    # Gateway router; comment this line out if no external router exists
    ext_routers = [('srx1', '192.168.192.79')]

    # user@host of the single demo box (192.168.192.64 per the diagram); the scraped
    # slide obfuscated this value, so the username root is assumed here
    host1 = 'root@192.168.192.64'
    host_build = 'root@192.168.192.64'

    # The passwords are not shown on the slides; '<password>' is a placeholder
    env.passwords = {
        host1: '<password>',
        host_build: '<password>',
    }

  • Install (3)

    If the installation succeeds, you can log in to Horizon and the Contrail web screen

    Horizon

    http://(host ip address)/

    username: admin

    password: contrail123

    Contrail

    http://(host ip address):8080/

    username and password: same as Horizon

  • External Router configuration(1)

    Interface configuration

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.192.79/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 10.0.0.1/24;
                }
            }
        }
    }

  • External Router configuration(2)

    L3VPN configuration

    routing-options {
        static {
            route 0.0.0.0/0 next-hop 192.168.192.5;
        }
        route-distinguisher-id 192.168.192.79;
        autonomous-system 64512;
        dynamic-tunnels {
            setup1 {
                source-address 192.168.192.79;
                gre;
                destination-networks {
                    192.168.192.0/24;
                }
            }
        }
    }

    protocols {
        bgp {
            group contrail-controller {
                type internal;
                local-address 192.168.192.79;
                family inet-vpn {
                    unicast;
                }
                neighbor 192.168.192.64;
            }
        }
        stp;
    }

  • External Router configuration(3)

    VRF configuration

    routing-instances {
        cusotomer-public {
            instance-type vrf;
            interface ge-0/0/1.0;
            vrf-target target:64512:10000;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 10.0.0.2;
                }
            }
        }
    }

  • External Router configuration(4)

    If you use an SRX, set the forwarding mode to packet-based

    security {
        forwarding-options {
            family {
                inet6 {
                    mode packet-based;
                }
                mpls {
                    mode packet-based;
                }
                iso {
                    mode packet-based;
                }
            }
        }
    }

    root> show security flow status
      Flow forwarding mode:
        Inet forwarding mode: packet based
        Inet6 forwarding mode: packet based
        MPLS forwarding mode: packet based
        ISO forwarding mode: packet based
      Flow trace status
        Flow tracing status: off

    If you use flow-based mode, there appears to be no way to add the dynamic tunnel to a security zone

  • CREATING TENANT NETWORK USING OPENCONTRAIL

  • Network Configuration (1)

    3 ways to configure

    Configure from the OpenContrail web screen

    Configure from OpenStack

    However, some parameters cannot be configured using neutron (quantum)

    OpenContrail REST API

    API server: http://(controller_host):8082/

    There is no documentation at all at this time; however, you can probably work out most of it by going through the top-level URL

  • Tenant network

    [Diagram: tenant network layout]

    Tenant networks behind the vRouter: private 10.254.0.0/24 (test-private-1, test-private-2) and public 10.255.0.0/24 (test-public-1, test-public-2); the diagram shows .252 and .253 as VM addresses and .254 on the vRouter

    Global network 10.1.0.0/24, from which the floating IP 10.1.0.253 is assigned

    External network 10.0.0.0/24 connecting the vRouter to the external router (10.0.0.1)

  • Create network (public)

  • Create IP address block (public)

  • Configure Global network

  • Activate test-public-1, test-public-2

  • Ping from test-public-1 to 10.0.0.1

  • Create Private network

  • Activate test-private-1, test-private-2

  • Ping from test-private-1 to test-public-1

  • Create Policy

  • Apply Policy

  • Again, Ping from test-private-1 to test-public-1

  • Create and assign Floating-ip

  • Ping from ext-router to test-public-1

    root> ping 10.1.0.253 routing-instance cusotomer-public
    PING 10.1.0.253 (10.1.0.253): 56 data bytes
    64 bytes from 10.1.0.253: icmp_seq=0 ttl=62 time=31.423 ms
    64 bytes from 10.1.0.253: icmp_seq=1 ttl=62 time=2.510 ms
    ^C
    --- 10.1.0.253 ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss

  • External router show route (1)

    root> show route

    inet.0: 5 destinations, 5 routes (4 active, 0 holddown, 1 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 1d 20:49:14
                        > to 192.168.192.5 via ge-0/0/0.0
    10.1.0.1/32        *[Local/0] 1d 20:49:29
                          Reject
    192.168.192.0/24   *[Direct/0] 1d 20:49:14
                        > via ge-0/0/0.0
    192.168.192.79/32  *[Local/0] 1d 20:49:20
                          Local via ge-0/0/0.0

  • External router show route (2)

    inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    192.168.192.0/24   *[Tunnel/300] 1d 20:49:46
                          Tunnel
    192.168.192.64/32  *[Tunnel/300] 00:56:35
                        > via gr-0/0/0.32769

  • External router show route (3)

    cusotomer-public.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 1d 20:49:14
                        > to 10.0.0.2 via ge-0/0/1.0
    10.0.0.0/24        *[Direct/0] 1d 20:49:14
                        > via ge-0/0/1.0
    10.0.0.1/32        *[Local/0] 1d 20:49:19
                          Local via ge-0/0/1.0
    10.1.0.253/32      *[BGP/170] 00:07:40, localpref 100, from 192.168.192.64
                          AS path: ?
                        > via gr-0/0/0.32769, Push 16

  • External router show route (4)

    mpls.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    299792             *[VPN/170] 02:02:08
                        > to 10.0.0.2 via ge-0/0/1.0, Pop

    bgp.l3vpn.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    192.168.192.64:2:10.1.0.253/32
                       *[BGP/170] 00:07:40, localpref 100, from 192.168.192.64
                          AS path: ?
                        > via gr-0/0/0.32769, Push 16
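    The route tables above are the evidence that the L3VPN exchange with the controller worked: the floating IP 10.1.0.253/32 arrives as a BGP route from 192.168.192.64 and resolves over the GRE tunnel with an MPLS label. As an added example (not part of the slides), this Python snippet parses the external router's "show route" text quoted above and turns that eyeball check into an assertion; the function names and the "gr-" tunnel-interface convention are the example's own.

```python
"""Parse Junos 'show route' output and verify the floating-IP route learned over BGP/L3VPN."""
import re

# Input: the cusotomer-public VRF table quoted on the slides, trimmed to the two routes the check needs.
SHOW_ROUTE = """\
cusotomer-public.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0          *[Static/5] 1d 20:49:14
                    > to 10.0.0.2 via ge-0/0/1.0
10.1.0.253/32      *[BGP/170] 00:07:40, localpref 100, from 192.168.192.64
                      AS path: ?
                    > via gr-0/0/0.32769, Push 16
"""

def _attrs(blob):
    """Protocol, advertising peer, next-hop interface and pushed MPLS label of one route entry."""
    def pick(pattern):
        m = re.search(pattern, blob)
        return m.group(1) if m else None
    label = pick(r"Push (\d+)")
    return {"protocol": pick(r"\[(\w+)/\d+\]"), "from": pick(r"from (\S+)"),
            "via": pick(r"via (\S+?)(?:,|\s|$)"), "label": int(label) if label else None}

def parse_show_route(text):
    """Return {table: {prefix: attrs}}; a column-0 line starts a destination, indented lines continue it."""
    tables, table, prefix = {}, None, None
    for line in text.splitlines():
        hdr = re.match(r"^(\S+): \d+ destinations", line)
        if hdr:
            table, prefix = hdr.group(1), None
            tables[table] = {}
        elif table is None or not line.strip() or line.startswith("+ ="):
            continue  # legend lines and anything before the first table header
        elif not line[0].isspace():
            prefix, _, rest = line.partition(" ")
            tables[table][prefix] = rest
        elif prefix:
            tables[table][prefix] += " " + line.strip()
    return {t: {p: _attrs(b) for p, b in e.items()} for t, e in tables.items()}

def check_vpn_route(tables, vrf, prefix, controller):
    """Findings (empty = OK): BGP route from the controller, via a gr- tunnel, with an MPLS label pushed."""
    r = tables.get(vrf, {}).get(prefix)
    if r is None:
        return [f"{prefix} not present in {vrf}"]
    checks = [(r["protocol"] == "BGP", f"protocol {r['protocol']}, expected BGP"),
              (r["from"] == controller, f"learned from {r['from']}, expected {controller}"),
              ((r["via"] or "").startswith("gr-"), f"next hop {r['via']} is not a GRE tunnel"),
              (r["label"] is not None, "no MPLS label pushed")]
    return [msg for ok, msg in checks if not ok]
```

    Run against the slides' output, check_vpn_route(parse_show_route(SHOW_ROUTE), "cusotomer-public.inet.0", "10.1.0.253/32", "192.168.192.64") returns an empty list; a route that showed up from an unexpected peer or without the tunnel/label would be reported instead.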

  • Network Management(1)

  • Network Management (2)

  • Network Management (3)

    You can monitor flow information in real time

  • Network Management(4)

    Verify Routing Table

  • Using Analyzer (1)

    Think of the L3 switch Remote SPAN (RSPAN) feature made more useful

    Specify the network to capture packets from and the type of packet, and an Analyzer instance is activated automatically

    The administrator can inspect the packet dump from the OpenStack admin screen using Wireshark

    You can also log in to the compute node and tcpdump the tap interface directly; however, the Analyzer is much easier to use

  • Using Analyzer (2)

  • Using Analyzer (3)

  • Summary

    Very easy-to-use admin screen; you can monitor communications on the overlay

    Architecture that enables scalability: the controller's workload is small because each node handles its own communication on the overlay

    Use of Cassandra for the backend database, which allows scalability

    Use of L3VPN routers as external routers, which allows the uplinks to scale; I heard VXLAN can be used as well, but it appears it cannot be configured from the admin screen yet

  • Things I would like to investigate further

    Service Chaining

    Measure scalability by increasing the number of nodes

    Terminate the external router using VXLAN

    I would like to try the version supporting Havana