Contrail Deep-dive - Cloud Network Services at Scale

CONTRAIL DEEP-DIVE: Cloud Network Services at Scale
Sergei Gotchev [email protected], Juniper Networks
Juniper Networks Proprietary and Confidential -- printed copies of this document are for reference only

Posted 04-Aug-2015 (category: Technology, 21 pages)

TRANSCRIPT

Page 1: Contrail Deep-dive - Cloud Network Services at Scale


Page 2: Contrail Deep-dive - Cloud Network Services at Scale

2 Copyright © 2014 Juniper Networks, Inc. www.juniper.net

OPENSTACK AND CONTRAIL ARCHITECTURE

Page 3: Contrail Deep-dive - Cloud Network Services at Scale


OPENSTACK CLOUD PLATFORM

Page 4: Contrail Deep-dive - Cloud Network Services at Scale


CONTRAIL ARCHITECTURE

[Architecture diagram; recovered labels:]

• Contrail Controller: Configuration, Control, Analytics
• Orchestrator: network orchestration, compute / storage orchestration, ... others
• x86 hosts + hypervisor, each running a vRouter
• Physical IP network (no changes)
• Gateway to Internet / WAN and legacy infrastructure (VLAN, etc.)
• Bi-directional real-time message bus using XMPP between the controller and the hosts
• Standard protocol (M-BGP) to talk with other Contrail controller instances

Page 5: Contrail Deep-dive - Cloud Network Services at Scale


CONTRAIL AND OPENSTACK INTEGRATION

[Integration diagram; recovered components and workflow labels:]

• OpenStack: Horizon UI, Nova (compute orchestration: API server, scheduler, ...), Neutron plugin, Keystone (identity / access management), Glance (image server), Cinder (block storage), Swift (object storage)
• Contrail: Web UI, Contrail Config, Contrail Control; on the compute node a Nova agent, a Contrail agent and the vRouter
• Workloads: VM, bare metal, Docker container
• Operator workflow: user logs in (authentication, etc.), creates tenant (projects), creates IPAM, creates virtual network, launches VMs
• Compute workflow: get VM image to spawn (Glance), select compute node to spawn VM (scheduler), pass info to spawn VM to the hypervisor, VM spawned, block storage assignment
• Network-related interaction: plug (tap interface, instance ID, ...), get virtual network info, DHCP; bi-directional message bus (XMPP interaction) between the controller and the compute node agent

Page 6: Contrail Deep-dive - Cloud Network Services at Scale


CONTRAIL STACK

[Stack diagram; recovered labels:]

• Configuration Nodes
• Control Plane (several instances)
• Analytics Engine (several instances)
• Compute Node (Virtual Router)
• Service Node (SRX, Firefly, JSP, ...)
• Gateway Node (MX, EX/QFX, ...)
• REST APIs (Configuration, Operational, and Analytics), consumed by OpenStack, CloudStack and customer OSS/BSS

Page 7: Contrail Deep-dive - Cloud Network Services at Scale


COMPUTE NODE – HYPERVISOR, VROUTER

[Compute node diagram; recovered labels:]

• Virtual machines for tenants A, B and C, attached through tap interfaces (vif)
• vRouter forwarding plane in the kernel: one routing instance per tenant (A, B, C), each with a flow table and FIB; VRFs and policy table
• vRouter agent in user space, connected to the forwarding plane through pkt0 and to the JunosV Contrail Controller (Config) over XMPP
• Physical interfaces Eth0, Eth1 ... EthN towards the top-of-rack switch
• Overlay tunnels: MPLS over GRE, UDP or VXLAN

• vRouter replaces the Linux Bridge or OVS module in Hypervisor Kernel

• vRouter performs bridging (E-VPN) and routing (L3VPN)

• vRouter performs networking services like Security Policies, NAT, Multicast, Mirroring, and Load Balancing

• No need for Service Nodes or L2/L3 Gateways for Routing, Broadcast/Multicast, NAT

• Routes are automatically leaked into the VRF based on Policies

• Support for Multiple Interfaces on the Virtual Machines

• Support for Multiple Interfaces from Compute Node to the Switching Fabric

Page 8: Contrail Deep-dive - Cloud Network Services at Scale


COMPUTE NODE – FORWARDING/TUNNELING

[Forwarding diagram; recovered labels:]

• Overlay tunnels: MPLS over GRE or VXLAN
• Compute Node 1: Virtual Machine 1 (VN-IP1) on a tap interface (vif), Routing Instance 1 with flow table and FIB, physical interface Eth1 (Phy-IP1)
• Compute Node 2: Virtual Machine 2 (VN-IP2) on a tap interface (vif), Routing Instance 2 with flow table and FIB, physical interface Eth1 (Phy-IP2)
• Packet in the VIRTUAL layer: [Virtual-IP2 | Payload]; packet on the PHYSICAL fabric: [Phy-IP2 | MPLS / VNI | Virtual-IP2 | Payload]

1. Guest OS ARPs for a destination within the subnet or for the default GW

2. vRouter receives the ARP and responds with the VRRP MAC

3. Guest OS sends traffic to the VRRP MAC; vRouter encapsulates the packet with the appropriate MPLS/VNI tag and GRE header

4. Physical fabric routes the packet on the physical IP address

5. Returning packets get forwarded to the appropriate routing instance by the MPLS/VNI tag

6. vRouter de-capsulates the packet and forwards it to the Guest OS
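The encapsulation in steps 3 to 6 is easier to see in code. The block below is an added example, not code from the Juniper deck or from Contrail itself: it builds the outer IPv4 + GRE + MPLS label + inner IPv4 packet that a vRouter would put on the fabric, then performs the receiving side's demultiplexing by label into a routing instance. The ARP / VRRP MAC exchange of steps 1 and 2 is layer 2 and is left out. The physical and virtual addresses, the label values and the routing-instance table are constructed for the example; the GRE protocol number (47) and the MPLS-in-GRE EtherType (0x8847) are the standard values.

```python
# Added example, not from the Juniper deck: encapsulate and decapsulate an MPLS-over-GRE
# overlay packet as in steps 3-6, with the label demultiplexed into a routing instance.
# Addresses, labels and the routing-instance table are constructed for illustration.
import ipaddress
import struct

IP_PROTO_GRE = 47          # IANA protocol number for GRE
GRE_PROTO_MPLS = 0x8847    # EtherType for MPLS unicast carried in GRE (RFC 4023)
IP_PROTO_OPAQUE = 253      # RFC 3692 experimental number, used for the sample payload


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement IPv4 header checksum (returns 0 for a valid header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def mpls_shim(label: int, tc: int = 0, bottom: int = 1, ttl: int = 64) -> bytes:
    """4-byte MPLS label entry: 20-bit label, 3-bit TC, 1-bit S, 8-bit TTL (RFC 3032)."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (bottom << 8) | ttl)


def encapsulate(inner: bytes, phy_src: str, phy_dst: str, label: int) -> bytes:
    """Step 3: wrap the tenant packet in MPLS label + GRE + outer (physical) IPv4."""
    gre = struct.pack("!HH", 0, GRE_PROTO_MPLS)   # no checksum/key/sequence bits set
    body = gre + mpls_shim(label) + inner
    return ipv4_header(phy_src, phy_dst, IP_PROTO_GRE, len(body)) + body


def decapsulate(pkt: bytes, label_table: dict):
    """Steps 5-6: validate the outer headers, pick the routing instance by label, strip.
    Returns (routing instance name, inner packet) or None when the packet is dropped."""
    ihl = (pkt[0] & 0x0F) * 4
    if ip_checksum(pkt[:ihl]) != 0 or pkt[9] != IP_PROTO_GRE:
        return None                                 # corrupt outer header or not GRE: drop
    gre_flags, gre_proto = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if gre_flags & 0xB000 or gre_proto != GRE_PROTO_MPLS:
        return None                                 # unexpected GRE option bits or payload type
    (shim,) = struct.unpack("!I", pkt[ihl + 4:ihl + 8])
    label, bottom = shim >> 12, (shim >> 8) & 1
    if not bottom:
        return None                                 # a single label is expected on this tunnel
    instance = label_table.get(label)
    if instance is None:
        return None                                 # unknown label: no VRF to deliver into, drop
    return instance, pkt[ihl + 8:]


def inner_addresses(inner: bytes):
    """Source and destination of the tenant (overlay) packet."""
    src, dst = struct.unpack("!4s4s", inner[12:20])
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))


# Constructed topology mirroring the slide: VM1 on Compute Node 1 sends to VM2 on Compute Node 2.
PHY_IP1, PHY_IP2 = "203.0.113.1", "203.0.113.2"      # Eth1 addresses of the two compute nodes
VN_IP1, VN_IP2 = "192.0.2.10", "192.0.2.20"          # tenant (overlay) addresses
LABEL_TABLE_NODE2 = {16: "Routing Instance 1", 17: "Routing Instance 2"}  # labels 0-15 are reserved
VM2_LABEL = 17                                       # label Compute Node 2 advertised for VM2's vif


def demo():
    """Send one packet VM1 -> VM2 and return what Compute Node 2 delivers and where."""
    payload = b"hello from VM1"
    inner = ipv4_header(VN_IP1, VN_IP2, IP_PROTO_OPAQUE, len(payload)) + payload
    wire = encapsulate(inner, PHY_IP1, PHY_IP2, VM2_LABEL)       # what the fabric forwards
    result = decapsulate(wire, LABEL_TABLE_NODE2)
    if result is None:
        return None
    instance, delivered = result
    return instance, inner_addresses(delivered)[1], delivered[20:]


if __name__ == "__main__":
    print(demo())
```

Run directly, it prints the routing instance and overlay destination the receiving node delivers into. The drop cases in `decapsulate` (bad outer checksum, unexpected GRE option bits, stacked labels, a label with no entry in the table) are the checks that keep a stray or malformed tunnel packet from landing in a tenant VRF: a label the node never handed out has no routing instance to be delivered into, so it is dropped rather than forwarded.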

Page 9: Contrail Deep-dive - Cloud Network Services at Scale


CONTRAIL CLOUD REFERENCE ARCHITECTURE

Building Open, Intelligent and Reliable Cloud and NFV

Cloud hardware reference architecture (Compute Pool, Storage Pool, Network Pool, Application/VNF Pool, ...)
+ Reference architecture design guide
+ Standard COTS hardware for compute and storage
+ Networking hardware (MX, vMX, QFX, EX)

Freedom of Choice: any cloud and NFV deployment model; best-of-breed solution components; no expensive vendor lock-in

Intelligent Automation: analytics-powered insights and decision; policy-based infrastructure

Always-on Reliability: high availability; robust security; elastic scalability

Contrail Cloud Platform: dynamic compute, storage and network resource orchestration; automated server management & monitoring; cloud application life cycle management; dynamic network and security service chaining; rich and prescriptive analytics

Support and Professional Services: ongoing support for individual products (JTAC); Juniper professional services and system integration partners to assist in cloud system design

Hardware configuration:
• OpenStack UI - 12GB RAM, 24GB HDD, dual-core x86/x64 CPU
• 2 x Control Node - 12GB RAM, 24GB HDD, dual-core x86/x64 CPU
• 2 x Compute Node - 64GB RAM, 120GB HDD, quad-core x86/x64 CPU

Page 10: Contrail Deep-dive - Cloud Network Services at Scale


CONTRAIL PRODUCT EVOLUTION

Increasing level of integration:

• Contrail Networking: cloud networking, network virtualization, virtualized network services, multiple orchestration support (OpenStack, CloudStack)
• Contrail Cloud Platform: cloud orchestration, server management, distributed & scale-out storage, compute orchestration + Contrail Networking
• MetaFabric Cloud DC Reference Architecture: integrated cloud PODs, reference architecture, PODs integrated management + Contrail Cloud Platform

Page 11: Contrail Deep-dive - Cloud Network Services at Scale


KEY USE-CASES

Page 12: Contrail Deep-dive - Cloud Network Services at Scale


WHO ARE WE TARGETING?

[Chart: New Technology Adoption vs. Infrastructure Spend, with the segments SERVICE PROVIDER, ENTERPRISE and EMERGING; items plotted: Public Cloud Repatriation, Software-as-a-Service, Virtual Private Cloud, IT-as-a-Service, Infrastructure-as-a-Service, Network Functions Virtualization, Platform-as-a-Service, Hybrid Cloud]

USE CASES

• Move from public to private cloud as the company grows; ensure flexibility across a hybrid environment
• Create an enterprise private cloud to run mission-critical workloads
• Move non-essential workloads to public clouds (hybrid cloud)
• Offer ITaaS for the employees
• NFV at the mobile, subscriber and business edge
• IaaS and PaaS are needed for
  o offering public cloud (a la AWS, GCE)
  o their own enterprise (SP IT Cloud)

Page 13: Contrail Deep-dive - Cloud Network Services at Scale


USE-CASE 1: VIRTUALIZED MOBILITY

Customer Needs
• Reduce operational and capital costs to run services in the mobile core
• Simplify management of mobile packet core functions
• Reduce professional services expenses in customizing the network
• Ensure interoperability between different EPC functions
• Independent scale-out of 2G and 3G data path

Solution Description: Contrail SW offers a robust & resilient NFV platform for the mobile packet core functions
1. NFV Platform (Contrail): modern L3-overlay based network built for scale, resiliency, automation; virtualized 3rd party SGSN/MME network function
2. Reduced TCO* (Contrail): standard x86 hardware, and open-source hypervisor / orchestration systems; better resource utilization through automated service scale-out
3. Simplified Management = operational efficiency: Contrail, OpenStack and Space used to centrally provision network elements
4. Integration with MX: programmatic traffic steering on MX from the VNF; MX as anchor-point for the service chain

[Diagram labels: Radio Access Network, SGSN / MME VNF, S / P-GW, Internet, Charging / Policy Control, MX, Contrail / Openstack / Space; callouts 1-4 as above]

* According to a recent ACG research, the estimated cost reduction is 53%

Page 14: Contrail Deep-dive - Cloud Network Services at Scale


USE CASE 2 – SERVICE CHAINING FOR MOBILE AND WIRELINE SUBSCRIBERS

[Service Delivery Gateway diagram; recovered labels:]

• Mobile access (laptop, smartphone, feature phone) through GGSN/PGW over (S)Gi; wireline access through BNG
• Policy and charging: PCRF, SPR, OCS, AAA over Gx, Gy, Sy, Gx/Sd, Gyn; BSS systems, OSS systems; analytics / billing
• Service Delivery Gateway (SDG): subscriber state machine, service card (DPI, HE/URL, caching), PFE forwarding / flow table, PFE VRF / tunnel, flow control API; VPN and Internet
• Data center: servers with hypervisor, vSwitch and VMs running VAS applications (e.g. DPI, TCP proxy) and other apps; SRC, AAA
• Contrail Controller

Can manage service chaining without an SDN Controller within the confines of SDG

Requires SDN Controller to chain services outside the confines of SDG

Page 15: Contrail Deep-dive - Cloud Network Services at Scale


USE CASE 2 – SERVICE CHAINING FOR MOBILE AND WIRELINE SUBSCRIBERS

SCG Use Cases
• Fair Usage at Session Level
• Fair Usage at Application Level
• Tethering Control
• VAS Traffic Steering
• Tiered QoS at Session Level
• Tiered QoS at Application Level
• HTTP Header Manipulation
• Application Based Charging
• Home & Location based PCC
• Reporting and Analytics Feed

[Table mapping the use cases to capabilities; only the capability headings survive:] Policing, Steering, Enrichment, Monitoring, Subscriber Awareness, L7 Application detection, L7 metadata detection

Page 16: Contrail Deep-dive - Cloud Network Services at Scale


USE-CASE 3: ENTERPRISE NFV SERVICE

Customer Needs
• Multi-tenant VPNaaS, FWaaS, WAN Optimization-aaS, vCPE capability
• Reduced TCO from low-cost CPE devices, and reduced customer support costs
• Improved agility in introducing new (& upgrading existing) services
• Self-care portal for service enablement

Solution Description: scale-out and on-demand security and connectivity services to business customers with a light-weight device at the customer premise
1. Contrail enabling Service Chaining on the vCPE: security and connectivity services chained at the PE; services co-located with the PE (no need for a separate SP service DC); API integration with the self-care portal
2. Multi-tenant services for business customers: separate VNF instance for separate customers; traffic segregation between customers using virtual networks; overlapping address space for tenants
3. Contrail's robust L3VPN overlay architecture: seamless integration with the SP's existing L3VPN offering; integrates with existing / legacy underlay networks
4. Integration with MX (PE): dynamic traffic steering to services, using a standards-based approach (BGP Flowspec); anchor point for service chains

[Diagram labels: Basic CE, PE, P, VPN IP/MPLS, vCPE, Contrail / Openstack / Space, Internet; callouts 1-4 as above]

Page 17: Contrail Deep-dive - Cloud Network Services at Scale


USE-CASE 4: HYBRID CLOUD

Customer Needs
• Transparent workload migration from on-prem to cloud (cloud bursting)
• 'as-a-service' model for network/security functions (VPNaaS, LBaaS, FWaaS, etc.)
• Seamless policy creation and service insertion
• Automated management and real-time monitoring
• OSS / BSS integration

Solution Description: using Contrail to offer hybrid cloud to enable automated migration of workload from on-premise to cloud
1. Abstraction and automation through Contrail APIs: infra APIs to implement network policies; analytics APIs for network / app monitoring; allows for integration with OSS/BSS; uniform APIs for on-prem and cloud orchestration
2. Rapid and seamless insertion of unmodified virtualized services to offer the -aaS model for VNFs
3. Interconnect between private and public cloud (Contrail): virtual networks spanning enterprise DC and public cloud; simplified management through potential integration with 3rd party CMPs (Cloud Mgmt Platforms)
4. Integration (using MX Gateway): use of virtualized services and appliance-based services; VMs and bare metal servers within the same virtual network

[Diagram labels: ENTERPRISE, DATA CENTER (P+V) with Contrail / Openstack, IP VPN, Internet / Public Cloud; callouts 1-4 as above]

Page 18: Contrail Deep-dive - Cloud Network Services at Scale


USE-CASE 7: PRIVATE CLOUD (SAAS)

Customer Needs
• Cloud infrastructure for SaaS
• On-demand service creation with dynamic resource scaling
• Rapid deployment of new services
• Automated network/security configuration
• Support for hybrid clouds

Solution Description: Contrail SW offering, leveraging "Open Compute" and commodity hardware
1. Dynamic DC network (Contrail): modern L3 network for scale, resiliency, automation; virtualized on-demand services
2. Self-provisioned service deployment (Contrail): controlled migration of SW from development to production cloud; seamless integration of new features
3. Scale-out & policy configuration (Contrail): automated scale-out of SaaS applications based on customer demand; dynamic and intelligent configuration of network/security policies
4. Hybrid cloud: MX gateway to expose SaaS applications to customers; extensible across multiple clouds

[Diagram labels: DEVELOPMENT, PRODUCTION, Public Clouds / Internet; callouts 1-4 as above]

Page 19: Contrail Deep-dive - Cloud Network Services at Scale


USE CASES - VIRTUALIZED SERVICES (NFV): JUNIPER SERVICES OR 3RD PARTY

http://www.juniper.net/us/en/partners/technology-alliances/nfv-vnf/

Page 20: Contrail Deep-dive - Cloud Network Services at Scale


THANK YOU

Page 21: Contrail Deep-dive - Cloud Network Services at Scale