Contrail Enabler for agile cloud services

CONTRAILENABLER FOR AGILECLOUD SERVICES

OpenContrail Meetup

[email protected] ENGINEER / SDN TEAM

Nachi Ueno

mailto:[email protected]

This statement of direction sets forth Juniper Networks’

current intention and is subject to change at any time

without notice. No purchases are contingent upon

Juniper Networks delivering any feature or function

depicted in this presentation

ENTERPRISE DC EVOLUTION (ITAAS)

TRADITIONAL VIRTUALIZATION

LB

Policies

ACLs

FW, IPS

PoliciesSec.

Device

LB Device

Switches

Physical

Servers

Router

Standalone Applications(Dedicated Resources)

End-user

Sub-Optimal Device Util.

Static & Inflexible

TCO (Capex, Opex)

Physically Constrained

Silo’ed

Manual device config

Custom Policy Config

Deployment knowledge

Admin

Virtual

Machines

VLANs

v Security

LB

Policies

ACLs

VLAN

Config

Security

Policies

Router

End-user

Standalone Application(Virtualized Resources)

Admin

v LB

VM Orchestrator

Sub-Optimal Device Util.

Static & Inflexible

TCO (Capex, Opex)


Silo’ed

Manual device config

Custom Policy Config

Deployment knowledge

CLOUD

CLOUD-ENABLED DATA CENTER

Sub-Optimal Device Utilization

Static & Inflexible

TCO (Capex, Opex)


Silo’ed

Large, Manual Device Config

Custom / Complex Policy Config

Specialized deployment knowledge

Evolving Applications(on Resource Pool)

External Cloud

Based Resources

Virtualized Resource Pools

Resources Across Data Centers

No ACLs

End-user

Orchestrator /

Controller

All Policies

(incl. ACLs)

Virtual

NetworkVirtual

Network

Compute

Storage

LB

Security

Admin

NFV: NETWORK EDGE SECURITY

Network Function Virtualization

Scalable Virtual Service on x86

Scalable Virtual Service on x86

Private networks

SP DATACENTER

BRAS/VPN Edge

FW – IPS – PDF – DDoS

FW – IPS – PDF – DDoS

Service Load

Balancing

Service Load

Balancing

L3VPN-ENABLED

SP CORE/BACKBONE

BUSINESS EDGE

Internet

BROADBAND EDGE

MOBILE EDGE

Dynamic Service Provisioning,

Scaling; Service Chaining

Security Services – Firefly, Web

App Secure, Ddos Secure, vSA

Centralized management/orchestration

Software abstraction from physical infra

Edge delivery of virtualized security

services (Firefly, Ddos Secure, Web App

Secure, vSA

FLEXIBLE AND DYNAMIC CHAINING OF SERVICES

Host + Hypervisor Host + Hypervisor

VIRTUAL

NETWORK

GREEN

VIRTUAL

NETWORK

YELLOW

Service A Service B

IP fabric

(switch underlay)A CB

G1 G2 G3

G1

G2

G3

Y1 Y2 Y3

Y2

Y3Y1

VM and virtualized Network

function pool

VM and virtualized

Network function pool

… …

LOGICAL

PHYSICAL

Service C

L3VPN

SELF-SERVICE ENTERPRISE SERVICE CLOUD

CUSTOMER A (Branch Office)

VPN SITE 1

CUSTOMER B (Branch Office)

VPN SITE 2

CUSTOMER A (HQ)

VPN SITE 2

CUSTOMER B (HQ)

VPN SITE 1

Self-service portal with quick (< 5

min) network provisioning

Service automation

SLA-based

‘As-a-Service’ model for services

Elastic architecture with service

Scale-out

Standard Protocols to connect SP

customer to service

SLBFWUTM CDN WAN

OPT

SP Service CloudQuick, Self-Service

INTERCONNECT W/ EXISTING INFRASTRUCTUREContrail enables customers to use their legacy infrastructure for legacy apps, and expand to cloud-architectures for newer apps.

VLAN - A

VLAN - B

VLAN - C

VLAN - D

Front-End Tier

Back-End Tier

EXISTING/ LEGACY INFRASTRUCTURE CLOUD INFRASTRUCTURE

Back-End

Front-End

Security Tier

LB Tier

CONTRAIL CONTROLLER

Security

LB

Gateway

Contrail enables enterprises to continue using legacy investments and infrastructure.

Can extend portions of the network or the entire infrastructure and be able to run

new cloud-based as well as legacy applications

TECHNOLOGY

OVERVIEW

VIRTUAL

NETWORKS

VIRTUALIZED

SERVICES

THE NEW NETWORK – BUILDING BLOCKS

GATEWAYS

NETWORK AND

PACKET POLICY

PROVIDED BY OPEN BGP VPN

TECHNOLOGIES

NETWORK POLICY FOR

TOPOLOGY AND PACKET FOR

TRAFFIC CONTROL

NETWORK FUNCTIONS AND

SERVICES STITCHED TO

TOPOLOGY

CONNECTS VIRTUAL AND

PHYSICAL DOMAINS

WHAT IS NETWORK VIRTUALIZATION

•Independent of Physical Network Location or State

– Logical Network across any server, any rack, any cluster, any data-center

– Virtual Machines can migrate without requiring any reworking of security policies,

load balancing, etc

– New Workloads or Networks should not require provisioning of physical network

– Nodes in Physical Network can fail without any disruption to Workload

•Full Isolation for Multi-tenancy and Fault Tolerance

– MAC and IP Addresses are completely private per tenant

– Any failures or configuration errors by tenants do not affect other applications or

tenants

– Any failures in the virtual layer do not propagate to physical layer

THE IMPORTANCE OF ABSTRACTION

BMS

R4

OpenStackContrail

ControllerNeutronNova

VM

G1

VM

G2

VM

G3VM

R1

VM

R3

VM

R2

VM

FW

PHYSICAL TOPOLOGY

Complex

• Low level of abstraction

• Many vrouters

• Many routing-instances

• Many tunnels

• Many routes

Complex to configure

Complex to troubleshoot

Junos Space

CONTRAIL – VIRTUALIZED & AUTOMATED NETWORK

CONTROL PLANE, MANAGEMENT PLANE

NETWORK PROGRAMMABILITY

ENABLING NFV (NETWORK FUNCTION VIRTUALIZATION)

VIRTUALIZED NETWORK SERVICES

INTEROPERABILITY WITH PHYSICAL

NETWORK

NETWORK VIRTUALIZATION (PRIVATE, HYBRID)

CONVERGED NETWORK ORCHESTRATION

AUTOMATION, ANALYTICS

CONTRAIL PHILOSOPHY1

L3

L3 L3

L2/L3 L2/L3

L3 ToR

L2/L3 L2/L3 L2/L3

L3 ToR

L2/L3 L2/L3 L2/L3

L3 ToR

L2/L3 L2/L3 L2/L3

L3 ToR

L2/L3

L3 L3 L3 L3

L3

CLOUD DC - CONTRAIL L2/L3 OVERLAY

vRouter vRouter vRouter vRouter vRouter vRouter vRouter vRouter vRouter vRouter vRouter vRouter

Hypervisor vRouter handles L2/L3

Hypervisor vRouter performs NAT

= multi-tenant VRF

Service Insertion Service Insertion

External Network

Servers

CONTRAIL PHILOSOPHY2

Fault tolerance via Idempotence

RPC NIGHTMARE

Compute Node Network Node

SchedulerAPI

Do we need Distributed

transaction manager….

?

STATE SYNCHRONIZATION

Controller Agent

Full Sync

Full Sync Diff

Check local

State

& Apply diff

BGP

router router

Update

Withdraw

Check local

State

& Update

state

IFMAP

Server Clinet

Poll

Update

Check local

State

& Update

state

Data Model

Network

Subnet Subnet

PortVM

PortVM

Router

Network

Subnet

Network Policy

Subnet

Service Instance

CONTRAIL BUILDING

BLOCKS

CONTRAIL & OPENSTACK COMPONENTS

Horizon UI

Contrail Web UI

Nova

(Compute Orchestration)

Neutron Plugin

Compute NodeStorage

Keystone

(Identity / Access

Mgmt)

Cinder

(Block Storage)

Swift

(Object Storage)

Nova Agent

Contrail Agent

Contrail Config

Contrail Control

vRouter

Operator

User Logs in, Create tenant

(projects), Create IPAM, Create

virtual network, Launch VMs

VM

Get VM Image to

spawn

API

SrvrScheduler …

Select Compute node

to spawn VM

Info to

spawn VM

Hypervisor

VM Spawned

Block Storage

Assignment

Xen

Bi-directional message bus

(XMPP interaction)

Launch VM

Network related interaction

Get virtual network info

DHCP

Plug (Tap interface, Instance ID, ..)

Glance

(Image Server)

Authentication, etc.

ROLE OF CONTRAIL IN INTEGRATED STACK

Service Nodes

Internet VPN DCI WAN

Gateway Router

JunosV Contrail

Orchestrator

Compute APIs Storage APIsNetwork APIs

Server

Virtual Machine vRouter

Physical Switches

vSRX, F5 …

CONTRAIL SOLUTION OVERVIEW

OpenContrail Controller

Configuration Analytics

Control

ServerVM VM VM

ServerVM VM VMIP fabric

(underlay network)

Juniper Qfabric/QFX/EX or 3rd party underlay switches

Juniper MXor 3rd party gateway routers

Tenant VMs

BGPFederation BGP

Clustering

Contrail Controller

REST

XMPP

CONTROLLER

Control

Orchestrator

XMPP BGP + Netconf

Contrail vRouter (L2 & L3)on KVM, Xen and ESXi/HyperV/Contrainers and Bare Metal in 2014

2014

CONTRAIL COMPONENTS

Physical Network

(no changes)

Analytics

OPENCONTRAIL CONTROLLER

ControlConfiguration

Physical Host with Hypervisor

vRouter

VM VM VM VM

Physical Host with Hypervisor

vRouter

VM VM VM VM

WAN, Internet

Gateway

Accepts and converts orchestrator

requests for VM creation, translates

requests, and assigns network

Real-time analytics engine

collects, stores and analyzes

network elementsInteracts with network elements for

VM network provisioning and ensures

uptime

vRouter: Virtualized routing element

handles localized control plane and

forwarding plane work on the compute

node

Gateway: MX Series (or other router)

or EX9200 serve as gateway

eliminating need for SW gateway &

improving scale & performance

TODAY 2014

OPENSTACK INTEGRATION

Horizon

Nova API

Compute Driver

Virtual-IF

Driver

Nova Compute

Contrail Agent

vRouter (kernel)

Virtual Router

Nova Scheduler Neutron Driver

Neutron PluginConfiguration

Node

Control

Node

1Create an Instance (VM Info,

Network, IPAM, Policies, etc)

2 Schedule an Instance on the

Compute Node

3VM Network

Properties

4Create VM Interface 6 Publish VM

Intf on IFMap

5 Add Port

7VM Interface Config

over XMPP

Scripts

CONTRAIL STACK - VROUTER

Configuration Nodes

ControlPlane

ComputeNode

(Virtual Router)

ServiceNode

(SRX, Firefly, JSP, ...)

GatewayNode

(MX, EX/QFX, ...)

ControlPlane

ControlPlane

AnalyticsEngine

AnalyticsEngine

AnalyticsEngine

REST APIs (Configuration, Operational, and Analytics)

OpenstackCustomer OSS/BSS Cloudstack

COMPUTE NODE – HYPERVISOR, VROUTER

Compute Node

VirtualMachine

(Tenant B)

VirtualMachine

(Tenant C)

VirtualMachine

(Tenant C)

vRouter Forwarding Plane

VirtualMachine

(Tenant A)

Routing Instance

(Tenant A)

Routing Instance

(Tenant B)

Routing Instance

(Tenant C)

vRouter Agent

Flow Table

FIB

Flow Table

FIB

Flow Table

FIB

Overlay tunnelsMPLS over GRE or VXLAN

JUNOSV CONTRAIL CONTROLLERJUNOSV CONTRAIL CONTROLLER

XMPP

Eth1Kernel

Tap Interfaces (vif)

pkt0

UserEth0 EthN

Config

VRFsPolicy Table

Top of Rack Switch

XMPP

• vRouter is replaces the Linux Bridge or OVS

module in Hypervisor Kernel

• vRouter performs bridging (E-VPN) and routing

(L3VPN)

• vRouter performs networking services like

Security Policies, NAT, Multicast, Mirroring, and

Load Balancing

• No need for Service Nodes or L2/L3 Gateways

for Routing, Broadcast/Multicast, NAT

• Routes are automatically leaked into the VRF

based on Policies

• Support for Multiple Interfaces on the Virtual

Machines

• Support for Multiple Interfaces from Compute

Node to the Switching Fabric

COMPUTE NODE – FORWARDING/TUNNELING

Overlay tunnelsMPLS over GRE or VXLAN

Compute Node


VirtualMachine(VN-IP1)

Routing Instance

Flow Table

FIB

Eth1 (Phy-IP1)


Compute Node


VirtualMachine(VN-IP2)

Routing Instance

Flow Table

FIB

Eth1 (Phy-IP2)


VIRTUAL

PHYSICAL

Virtual-IP2

Payload

Virtual-IP2

Payload

MPLS / VNI

Phy-IP2

Virtual-IP2

Payload

Virtual-IP2

Payload

MPLS / VNI

Phy-IP2

1. Guest OS ARPs for destination within

subnet or default GW

2. VRouter receives the ARP and responds

back with VRRP MAC

3. Guest OS sends traffic to the VRRP MAC,

Vrouter encapsulates the packet with

appropriate MPLS/VNI tag and GRE header

1. Physical Fabric Routers on Physical IP

Address

1. Returning packets get forwarded to

appropriate Routing Instance by the

MPLS/VNI tag

1. VRouter de-capsulates the packet, and

forwards it to the Guest OS

CONTRAIL STACK – CONTROL NODE

Configuration Nodes

ControlPlane

ComputeNode

(Virtual Router)

ServiceNode


GatewayNode

(MX, EX/QFX, ...)

ControlPlane

ControlPlane

AnalyticsEngine

AnalyticsEngine

AnalyticsEngine



CONTRAIL - CONTROL PLANE NODE

Control Node

"BGP module"

ProxiesXMPP

ControlNode

Control Node

Compute Node Compute Node

Configuration Node

Configuration Node

IF-MAP

XMPP

IBGP

IF-MAP Client

• All Control Plane Nodes are active active

• Each vRouter uses XMPP to connect with

multiple Control Plane nodes for redundancy

• Each Control Plane Node connects to multiple

configuration nodes for redundancy

• BGP and Netconf is used to connect with

Physical Gateway Routers or Services Nodes

• Control Plane Nodes federate using BGP

• Control Nodes can run different software

versions for test-before-deploy and live

upgrades

GatewayRouters

Service Nodes

CONTROL PLANE – ROUTE DISTRIBUTION

10.1.1.1 10.1.1.2

70.10.10.1 151.10.10.1

10.1.1.2: NH = 151.10.10.1; LBL = 17 10.1.1.1: NH = 70.10.10.1; LBL = 39

10.1.1.110.1.1.2 PAYLOAD

VRF

PriSrcIPPriDstIP

10.1.1.110.1.1.2 PAYLOADLBL=17GRE70.10.10.1151.10.10.1

PubSrcIPPubDstIP

VM

VRF

PriSrcIPPriDstIP

10.1.1.110.1.1.2 PAYLOAD

PriSrcIPPriDstIP

VM

IP Network

Agent Agent

XMPP XMPPControl Node

Configuration Node

REST/API

10.1.1.2:NH = 151.10.10.1; LBL = 17 10.1.1.1:NH = 70.10.10.1; LBL = 39

(Dynamic Tunnel Encapsulation) (Dynamic Tunnel Decapsulation)

Server 1 Server 2

Control Plane

*Outer MAC header was left out intentionally to reduce clutter

10.1.1.1:NH = 70.10.10.1; LBL = 39 10.1.1.2:NH = 151.10.10.1; LBL = 17

Control PlaneIF-MAP

CONTRAIL WITH L3VPN

10.1.1.1 10.1.1.2

70.10.10.1 151.10.10.1

10.1.1.2: NH = 80.20.20.1; LBL = 417

10.1.1.110.1.1.2 PAYLOAD

VRF

PriSrcIPPriDstIP

VM

VRF

PriSrcIPPriDstIP

VM

IP Network

Agent

XMPP XMPP

Configuration

Management

DC1

REST/API


Server 1 Server 2

10.1.1.110.1.1.2 PAYLOADLBL=417GRE70.10.10.180.20.20.1

PubSrcIPPubDstIP PriSrcIPPriDstIP

10.1.1.110.1.1.2 PAYLOADLBL=17GRE160.20.20.1151.10.10.1

PubSrcIPPubDstIP PriSrcIPPriDstIP

MX MXMPLS IP Network

80.20.20.1 160.20.20.1

Control Plane


10.1.1.2:NH = 80.20.20.1; LBL = 417 10.1.1.2:NH = 151.10.10.1; LBL = 17

REST/API

BGP

Control

Nodes

10.1.1.110.1.1.2 PAYLOADLBL=217

PriSrcIPPriDstIP

MPLS Outer Label

Control Plane

I-MBGP

MX I-MBGP

200.1.1.1100.1.1.1

10.1.1.2:

NH = 80.20.20.1;

LBL = 417;RD;RTConfiguration

Management

DC2

Agent

BGP

Control

NodesMX MX

I-MBGPMX

10.1.1.2:

NH = 200.1.1.1;

LBL = 317;RD;RT

10.1.1.2:

NH = 100.1.1.1;

LBL = 217;RD;RT

10.1.1.2:

NH = 160.20.20.1;

LBL = 117;RD;RT

10.1.1.2:

NH = 151.10.10.1;

LBL = 17;RD;RT

160.20.20.180.20.20.1

E-MBGPE-MBGP

MX MX

200.1.1.1 100.1.1.1

Service Provider

10.1.1.110.1.1.2 PAYLOAD

PACKET FLOW FOR EVPN ON IP NETWORK

MAC1 MAC2

70.10.10.1 151.10.10.1

MAC2: NH = 151.10.10.1; LBL = 17 MAC1: NH = 70.10.10.1; LBL = 39

VRF

MAC1MAC2 PAYLOAD

SrcMACDstMAC

VM

VRF

MAC1MAC2 PAYLOADLBL=17GRE70.10.10.1151.10.10.1

PubSrcIPPubDstIP SrcMACDstMAC

VM

IP Network

Agent Agent

XMPP XMPPBGP Based Control Plane

Configuration Management

REST/API

MAC2:NH = 151.10.10.1; LBL = 17 MAC1:NH = 70.10.10.1; LBL = 39


Server 1 Server 2

Control Plane


MAC1:NH = 70.10.10.1; LBL = 39 MAC2:NH = 151.10.10.1; LBL = 17

MAC1MAC2 PAYLOAD

SrcMACDstMAC

CONTRAIL STACK – CONFIG NODE

Configuration Nodes

ControlPlane

ComputeNode

(Virtual Router)

ServiceNode


GatewayNode

(MX, EX/QFX, ...)

ControlPlane

ControlPlane

AnalyticsEngine

AnalyticsEngine

AnalyticsEngine



CONTRAIL – SDN AS A “COMPILER”

OrchestrationSystem

SDN System

Network(Physical and Virtual)

South-BoundNetwork Element Interfaces

East-WestPeering Interface (BGP)

Application2

ApplicationNApplications

North-bound APIs

Data Model 1

Data Model 2

Data Model M

Data Model Extensions

Interface 1 Interface 2 Interface KPlug-ins

Compilergenerates APIs

Compilergenerates APIs

CONFIGURATION NODE

Configuration Node

REST API Server

Schema Transformer

Orchestrator(OpenStack)

REST

DHT DB

IF-MAPserver

Configuration Node

ControlNode

ControlNode

IF-MAP

Distributed Synchronization

1. API Server provides Northbound REST Interface

– Orchestration System provisions using this API

service

2. DHT/NoSQL Database is used for Persistence

and High Availability of Configuration

3. Schema Transformer “compiles” the high level

data model to low level model for vRouter,

Service Nodes, and Gateway Routers

1. IF-MAP is used to represent the data-model –

Control Nodes subscribe to the subset of

configuration

Configuration Node

DHT DB

DHT DB

Message Bus

LOGICAL TOPOLOGY

VM

G1

VM

G2

VM

G3

VN G

VM

R1

VM

R2

VM

R3

VN R

PN

VM

FW

Virtual Network

Tenant Virtual Machines

Virtual Firewall

Physical Gateway Router

Physical Network (Internet, L3VPN, ...)

PHYSICAL TOPOLOGY

OpenStackContrail


Virtualized Server

Hypervisor with Contrail vRouter

Underlay Switches

Gateway Router to Internet or L3VPN

MAPPING OF LOGICAL TO VIRTUAL TOPOLOGY

VM

G1

VM

G2

VM

G3

VN G

VM

R1

VM

R2

VM

R3

VN R

L3VPN

VM

FW

OpenStackContrail


PHYSICAL LOGICAL

STARTING POINTEMPTY LOGICAL TOPOLOGY

VM

G1

VM

G2

VM

G3

VN G

VM

R1

VM

R2

VM

R3

VN R

PN

VM

FW

OpenStackContrail


PHYSICAL LOGICAL

CREATE GREEN TENANTCREATE VIRTUAL NETWORK "GREEN"

VM

G1

VM

G2

VM

G3

VM

R1

VM

R2

VM

R3

VN R

PN

VM

FW

OpenStackContrail


PHYSICAL LOGICAL

VN G

Create VN G

CREATE GREEN TENANTCREATE VIRTUAL MACHINE "G1"

VM

G1

VM

G2

VM

G3

VM

R1

VM

R2

VM

R3

VN R

PN

VM

FW

OpenStackContrail


PHYSICAL LOGICAL

VN G

Create VM G1

Attach to VN G

Nova: Create VM

VM

G1


VM

G1

VM

G2

VM

G3

VM

R1

VM

R2

VM

R3

VN R

PN

VM

FW

OpenStackContrail


PHYSICAL LOGICAL

VN G

VM

G1

Neutron:

Attach VM to VN

Create VM G1

Attach to VN G

XMPP:

Create routing-instance


VM

G1

VM

G2

VM

G3

VM

R1

VM

R2

VM

R3

VN R

PN

VM

FW

OpenStackContrail


PHYSICAL LOGICAL

VN G

Create VM G2

Attach to VN G

VM

G1

Nova: Create VM

VM

G2


VM

G1

VM

G3

VM

R1

VM

R2

VM

R3

VN R

PN

VM

FW

OpenStackContrail


PHYSICAL LOGICAL

VN G

VM

G1

Neutron:

Attach VM to VN

Create VM G2

Attach to VN G

VM

G2

XMPP:


VM

G2


VM

G1

VM

G3

VM

R1

VM

R2

VM

R3

VN R

PN

VM

FW

OpenStackContrail


PHYSICAL LOGICAL

VN G

VM

G1

Create VM G2

Attach to VN G

VM

G2

XMPP:

Exchange routes

Create tunnelsVM

G2

CREATE GREEN TENANTFORWARDING TABLES AND ENCAPSULATION

VM

G1

VM

G2

IP prefix Nexthop

VM G1Virtual ethernet port

to VM G1

Green routing-instance IP FIB

VM G2Push label L2 +

GRE encaps to server S2

MPLS label Nexthop

L1 Pop + Green routing-instance

Global MPLS FIB

IP prefix Nexthop

Server S2 Physical ethernet port

Global IP FIB

IP prefix Nexthop

VM G1Push label L1

GRE encaps to server S1

Green routing-instance IP FIB

VM G2Virtual ethernet port

to VM G2

MPLS label Nexthop

L2 Pop + Green routing-instance

Global MPLS FIB

IP prefix Nexthop

Server S1 Physical ethernet port

Global IP FIB

Inner IP headerPayload

VM G1

Source IP

VM G2

Dest IP

...

MPLS

L2

LabelGRE

...

Outer IP header

Server S1

Source IP

Server S2

Dest IP

Ethernet

Server S1

Source MAC

Server S2

Dest MAC

Packet

S1 S2


VM

G1

VM

G3

VM

R1

VM

R2

VM

R3

VN R

PN

VM

FW

OpenStackContrail


PHYSICAL LOGICAL

VN G

VM

G1

VM

G2 VM

G2

Create VM G3

Attach to VN G

Nova: Create VM

VM

G3


VM

G1

VM

G3

VM

R1

VM

R2

VM

R3

VN R

PN

VM

FW

OpenStackContrail


PHYSICAL LOGICAL

VN G

VM

G1

VM

G2 VM

G2

Create VM G3

Attach to VN G

VM

G3

Neutron:

Attach VM to VN

XMPP:



VM

G1

VM

G3

VM

R1

VM

R2

VM

R3

VN R

PN

VM

FW

OpenStackContrail


PHYSICAL LOGICAL

VN G

VM

G1

VM

G2 VM

G2

Create VM G3

Attach to VN G

VM

G3

XMPP:

Exchange routes

Create tunnels

CREATE GREEN TENANTEND STATE

VM

G1

VM

G3

VM

R1

VM

R2

VM

R3

VN R

PN

VM

FW

OpenStackContrail


PHYSICAL LOGICAL

VN G

VM

G1

VM

G2 VM

G2

VM

G3

CREATE RED TENANTSAME STEPS AS GREEN TENANT

VM

G1

VM

G3

VM

R1

VM

R2

VM

R3

VN R

PN

VM

FW

OpenStackContrail


PHYSICAL LOGICAL

VN G

VM

G1

VM

G2 VM

G2

VM

G3VM

R1

VM

R3

VM

R2

CONNECT GREEN TO RED TENANT VIA FIREWALLCREATE VIRTUAL MACHINE FOR FIREWALL

VM

G1

VM

G3

VM

R1

VM

R2

VM

R3

VN R

PN

OpenStackContrail


PHYSICAL LOGICAL

VN G

VM

G1

VM

G2 VM

G2

VM

G3VM

R1

VM

R3

VM

R2

Create VM FW

Attach to VN G

Attach to VN R

VM

FW

Nova: Create VM

VM

FW

CONNECT GREEN TO RED TENANT VIA FIREWALLATTACH FIREWALL TO RED AND GREEN VIRTUAL NETWORKS

VM

G1

VM

G3

VM

R1

VM

R2

VM

R3

VN R

PN

OpenStackContrail


PHYSICAL LOGICAL

VN G

VM

G1

VM

G2 VM

G2

VM

G3VM

R1

VM

R3

VM

R2

Create VM FW

Attach to VN G

Attach to VN R

VM

FW

VM

FW

Neutron:

Attach VM to VNs

XMPP: Create

routing-instance

CONNECT GREEN TO RED TENANT VIA FIREWALLAPPLY POLICY, EXCHANGE ROUTES, AND CREATE TUNNELS

VM

G1

VM

G3

VM

R1

VM

R2

VM

R3

VN R

L3VPN

OpenStackContrail


PHYSICAL LOGICAL

VN G

VM

G1

VM

G2 VM

G2

VM

G3VM

R1

VM

R3

VM

R2

VM

FW

VM

FW

Apply Policy

VN G ↔ VN R

XMPP:

Exchange routes

Create tunnels

CONNECT GREEN TO RED TENANT VIA FIREWALLEND STATE

VM

G1

VM

G3

VM

R1

VM

R2

VM

R3

VN R

L3VPN

OpenStackContrail


PHYSICAL LOGICAL

VN G

VM

G1

VM

G2 VM

G2

VM

G3VM

R1

VM

R3

VM

R2

VM

FW

VM

FW

CONNECT GREEN TO RED TENANT VIA FIREWALLDATA PLANE: RED ↔ GREEN TRAFFIC FORCED THROUGH THE FIREWALL

VM

G1

VM

G3

VM

R1

VM

R2

VM

R3

VN R

L3VPN

OpenStackContrail


PHYSICAL LOGICAL

VN G

VM

G1

VM

G2 VM

G2

VM

G3VM

R1

VM

R3

VM

R2

VM

FW

VM

FW

CONNECT RED TENANT TO PHYSICAL L3VPNCONFIGURE L3VPN ROUTING INSTANCE

VM

G1

VM

G3

VM

R1

VM

R2

VM

R3

VN R

OpenStackContrail


PHYSICAL LOGICAL

VN G

VM

G1

VM

G2 VM

G2

VM

G3VM

R1

VM

R3

VM

R2

VM

FW

VM

FW

L3VPN

Apply Policy

VN R ↔ L3VPN

Netconf:

Configure

routing-instance

CONNECT RED TENANT TO PHYSICAL L3VPNEXCHANGE ROUTES WITH PHYSICAL ROUTER, CREATE TUNNELS

VM

G1

VM

G3

VM

R1

VM

R2

VM

R3

VN R

OpenStackContrail


PHYSICAL LOGICAL

VN G

VM

G1

VM

G2 VM

G2

VM

G3VM

R1

VM

R3

VM

R2

VM

FW

VM

FW

L3VPN

Apply Policy

VN R ↔ L3VPN

BGP:

Exchange routes

Create tunnels

CONNECT RED TENANT TO PHYSICAL L3VPNEXCHANGE ROUTES WITH VROUTERS, CREATE TUNNELS

VM

G1

VM

G3

VM

R1

VM

R2

VM

R3

VN R

OpenStackContrail


PHYSICAL LOGICAL

VN G

VM

G1

VM

G2 VM

G2

VM

G3VM

R1

VM

R3

VM

R2

VM

FW

VM

FW

L3VPN

Apply Policy

VN R ↔ L3VPN

XMPP:

Exchange routes

Create tunnels

VROUTER HA

Discovery Server

eth0 eth1

TOR

SPINE

Gateway

LACP Linux

BondingController 1

Controller 2

vRouter

CONTRAIL COMPONENT HA

Controller 1

Discovery Server

IFMap

Neutron API

IFMap

Neutron APINeutron API

Discovery Server

Neutron APINeutron APIConfig API

HA Proxy + VIP

HA Proxy + VIP

HA Proxy + VIP

Controller 1

Neutron APICassandraCassandra

Neutron APICassandrazookeeper

Neutron APINeutron APIRabbitMQHA Proxy + VIP

HA proxy

Control Node

"BGP module"

ProxiesXMPP

IF-MAP Client

Configuration Node 3

REST API Server

IF-MAPserver

RabbitMQ

HA proxy


REST API Server

IF-MAPserver

RabbitMQ


REST API Server

DHT DB

IF-MAPserver

RabbitMQ

Control Node

"BGP module"

ProxiesXMPP

IF-MAP Client

Schema Transformer

Schema Transformer

Schema Transformer

HA proxy

Control Node

"BGP module"

ProxiesXMPP

IF-MAP Client


REST API Server

IF-MAPserver

RabbitMQ

HA proxy


REST API Server

IF-MAPserver

RabbitMQ


REST API Server

DHT DB

IF-MAPserver

RabbitMQ

Control Node

"BGP module"

ProxiesXMPP

IF-MAP Client

Schema Transformer

Schema Transformer

Schema Transformer

Down

HA proxy

Control Node

"BGP module"

ProxiesXMPP

IF-MAP Client


REST API Server

IF-MAPserver

RabbitMQ

HA proxy


REST API Server

IF-MAPserver

RabbitMQ


REST API Server

DHT DB

IF-MAPserver

RabbitMQ

Control Node

"BGP module"

ProxiesXMPP

IF-MAP Client

Schema Transformer

Schema Transformer

Schema Transformer

Down

1) Configuration node send

ALL data to Control node to

sync Control node

information

2) Overwrite new

information

HA proxy

Control Node

"BGP module"

ProxiesXMPP

IF-MAP Client


REST API Server

IF-MAPserver

RabbitMQ

HA proxy


REST API Server

IF-MAPserver

RabbitMQ


REST API Server

DHT DB

IF-MAPserver

RabbitMQ

Control Node

"BGP module"

ProxiesXMPP

IF-MAP Client

Schema Transformer

Schema Transformer

Schema Transformer

Down

Sync!

DEMO

Technology

Contrail Enabler for agile cloud services