contrail enabler for agile cloud services
Post on 26-Dec-2014
CONTRAIL ENABLER FOR AGILE CLOUD SERVICES
OpenContrail Meetup
Nachi Ueno, nueno@juniper.net, Distinguished Engineer / SDN Team
This statement of direction sets forth Juniper Networks’
current intention and is subject to change at any time
without notice. No purchases are contingent upon
Juniper Networks delivering any feature or function
depicted in this presentation
ENTERPRISE DC EVOLUTION (ITAAS)
(Diagram: three stages of the enterprise data center, each with the end-user, the admin and the infrastructure they manage.)
• Traditional: standalone applications on dedicated resources. Physical servers, switches, router, LB device and security device (FW, IPS), each with its own LB policies, ACLs and security policies. Listed against it: sub-optimal device utilization, static and inflexible, TCO (capex, opex), physically constrained, silo'ed, manual device config, custom policy config, deployment knowledge.
• Virtualization: standalone applications on virtualized resources. Virtual machines, VLANs, virtual security and virtual LB, router, and a VM orchestrator; the admin still does VLAN config, LB policies, ACLs and security policies. Listed against it: sub-optimal device utilization, static and inflexible, TCO (capex, opex), physically constrained, silo'ed, manual device config, custom policy config, deployment knowledge.
• Cloud-enabled data center: evolving applications on a resource pool (virtualized resource pools, resources across data centers, external cloud-based resources). An orchestrator/controller holds all policies (incl. ACLs) and provisions virtual network, compute, storage, LB and security; no ACLs on the devices themselves. Listed against it: sub-optimal device utilization, static and inflexible, TCO (capex, opex), physically constrained, silo'ed, large manual device config, custom/complex policy config, specialized deployment knowledge.
NFV: NETWORK EDGE SECURITY
(Diagram: SP data center with scalable virtual services on x86 (FW, IPS, PDF, DDoS; service load balancing) attached to a BRAS/VPN edge; L3VPN-enabled SP core/backbone with business edge, broadband edge and mobile edge; private networks and the Internet.)
• Network Function Virtualization
• Dynamic service provisioning, scaling; service chaining
• Security services: Firefly, Web App Secure, DDoS Secure, vSA
• Centralized management/orchestration
• Software abstraction from physical infrastructure
• Edge delivery of virtualized security services (Firefly, DDoS Secure, Web App Secure, vSA)
FLEXIBLE AND DYNAMIC CHAINING OF SERVICES
(Diagram, logical view: virtual network GREEN (G1, G2, G3) and virtual network YELLOW (Y1, Y2, Y3) chained through Service A, Service B and Service C. Physical view: hosts with hypervisors, each holding a VM and virtualized network function pool, over an IP fabric (switch underlay) with L3VPN at the edge.)
SELF-SERVICE ENTERPRISE SERVICE CLOUD
(Diagram: SP service cloud offering SLB, FW, UTM, CDN and WAN optimization to Customer A (branch office at VPN site 1, HQ at VPN site 2) and Customer B (branch office at VPN site 2, HQ at VPN site 1).)
• Self-service portal with quick (< 5 min) network provisioning
• Service automation
• SLA-based
• 'As-a-Service' model for services
• Elastic architecture with service scale-out
• Standard protocols to connect SP customer to service
• Quick, self-service
INTERCONNECT W/ EXISTING INFRASTRUCTURE
Contrail enables customers to use their legacy infrastructure for legacy apps, and expand to cloud architectures for newer apps.
(Diagram: existing/legacy infrastructure with VLAN A to VLAN D, front-end tier, back-end tier, security tier and LB tier, connected through a gateway to cloud infrastructure (front-end, back-end, security, LB) under the Contrail controller.)
Contrail enables enterprises to continue using legacy investments and infrastructure. Portions of the network, or the entire infrastructure, can be extended so that new cloud-based as well as legacy applications run side by side.
TECHNOLOGY OVERVIEW
THE NEW NETWORK – BUILDING BLOCKS
• Virtual networks: provided by open BGP VPN technologies
• Network and packet policy: network policy for topology and packet policy for traffic control
• Virtualized services: network functions and services stitched to topology
• Gateways: connect virtual and physical domains
WHAT IS NETWORK VIRTUALIZATION
• Independent of physical network location or state
– Logical network across any server, any rack, any cluster, any data center
– Virtual machines can migrate without requiring any reworking of security policies, load balancing, etc.
– New workloads or networks should not require provisioning of the physical network
– Nodes in the physical network can fail without any disruption to the workload
• Full isolation for multi-tenancy and fault tolerance
– MAC and IP addresses are completely private per tenant
– Any failures or configuration errors by tenants do not affect other applications or tenants
– Any failures in the virtual layer do not propagate to the physical layer
THE IMPORTANCE OF ABSTRACTION
(Diagram: logical topology of VMs G1, G2, G3, R1, R2, R3, R4, a FW VM and a bare-metal server (BMS), managed by OpenStack (Nova, Neutron) and the Contrail controller, placed onto the physical topology; Junos Space shown for the physical side.)
PHYSICAL TOPOLOGY
Complex
• Low level of abstraction
• Many vRouters
• Many routing-instances
• Many tunnels
• Many routes
Complex to configure
Complex to troubleshoot
CONTRAIL – VIRTUALIZED & AUTOMATED NETWORK
• Control plane, management plane
• Network programmability
• Enabling NFV (Network Function Virtualization)
• Virtualized network services
• Interoperability with physical network
• Network virtualization (private, hybrid)
• Converged network orchestration
• Automation, analytics
CONTRAIL PHILOSOPHY 1
CLOUD DC - CONTRAIL L2/L3 OVERLAY
(Diagram: an L3 IP fabric of spine switches and L3 ToR switches connecting rows of servers; every hypervisor runs a vRouter (legend: vRouter = multi-tenant VRF); service insertion and the external network attach at the edge.)
• Hypervisor vRouter handles L2/L3
• Hypervisor vRouter performs NAT
CONTRAIL PHILOSOPHY 2
Fault tolerance via idempotence
RPC NIGHTMARE
(Diagram: API, scheduler, compute node and network node exchanging RPCs. Do we need a distributed transaction manager...?)
STATE SYNCHRONIZATION
(Diagram: three instances of the same pattern.)
• Controller to agent: the controller sends a full sync; the agent checks local state and applies the diff.
• BGP router to router: update and withdraw messages; the receiving router checks local state and updates it.
• IF-MAP server to client: the client polls, the server sends updates; the client checks local state and updates it.
Data Model
(Diagram: Network with Subnets and Ports attached to VMs; Router; Network Policy between Networks; Service Instance.)
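As an added example of the state-synchronization pattern above (not from the slides or the Contrail code base), the agent below applies a controller full sync as a diff against its local state and treats update/withdraw messages idempotently, so a replayed, duplicated or re-sent message changes nothing; the prefix/next-hop/label fields and sample values are taken from the route-distribution slide later in the deck, and the class and method names are assumptions.

```python
"""Idempotent state synchronisation, modelled on the 'fault tolerance via
idempotence' pattern on the slide: the controller pushes a full snapshot
or a single update/withdraw; the agent diffs it against local state and
applies only the difference. Constructed example, not Contrail code; the
Route fields follow the later route-distribution slide (prefix, NH, LBL).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Route:
    prefix: str   # tenant prefix, e.g. "10.1.1.2/32"
    nexthop: str  # tunnel endpoint (server IP), e.g. "151.10.10.1"
    label: int    # MPLS label identifying the routing instance there


@dataclass
class Agent:
    """Local state of one vRouter agent plus a log of real changes."""
    fib: dict = field(default_factory=dict)       # prefix -> Route
    changes: list = field(default_factory=list)   # ("update"|"withdraw", prefix)

    def update(self, route: Route) -> bool:
        """BGP-style update: install only if local state differs."""
        if self.fib.get(route.prefix) == route:
            return False              # duplicate or replayed message: no-op
        self.fib[route.prefix] = route
        self.changes.append(("update", route.prefix))
        return True

    def withdraw(self, prefix: str) -> bool:
        """BGP-style withdraw: remove only if present."""
        if prefix not in self.fib:
            return False
        del self.fib[prefix]
        self.changes.append(("withdraw", prefix))
        return True

    def full_sync(self, snapshot) -> int:
        """Controller full sync: snapshot is the complete desired state.
        Stale local routes are withdrawn, changed ones updated; a repeated
        snapshot applies zero changes. Returns the number of changes."""
        desired = {r.prefix: r for r in snapshot}
        before = len(self.changes)
        for prefix in list(self.fib):
            if prefix not in desired:
                self.withdraw(prefix)
        for route in desired.values():
            self.update(route)
        return len(self.changes) - before


def replay_scenario():
    """Controller restart: the same snapshot arrives twice, then a single
    update is duplicated. Returns (changes after 1st sync, after 2nd sync,
    result of the duplicated update)."""
    agent = Agent()
    snapshot = [Route("10.1.1.2/32", "151.10.10.1", 17),
                Route("10.1.1.1/32", "70.10.10.1", 39)]
    first = agent.full_sync(snapshot)
    second = agent.full_sync(snapshot)
    agent.update(Route("10.1.1.3/32", "151.10.10.1", 17))
    dup = agent.update(Route("10.1.1.3/32", "151.10.10.1", 17))
    return first, second, dup


if __name__ == "__main__":
    print(replay_scenario())
```

Because every message is reconciled against local state rather than executed as an RPC, no distributed transaction manager is needed to recover from a lost or repeated message.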
CONTRAIL BUILDING BLOCKS
CONTRAIL & OPENSTACK COMPONENTS
(Diagram: Horizon UI and Contrail Web UI on top. Nova (compute orchestration) with API server and scheduler, Neutron plugin, Keystone (identity/access mgmt), Glance (image server), Cinder (block storage), Swift (object storage). A compute node with storage runs the hypervisor (Xen), the Nova agent, the Contrail agent and the vRouter. Contrail Config and Contrail Control talk to the agent over a bi-directional message bus (XMPP interaction).)
Flow shown: the operator logs in, creates a tenant (project), creates an IPAM, creates a virtual network and launches VMs. Nova authenticates, gets the VM image to spawn, the scheduler selects a compute node to spawn the VM on, the info to spawn the VM reaches the hypervisor, block storage is assigned and the VM is spawned. Network-related interaction: the Contrail agent gets the virtual network info, plugs the port (tap interface, instance ID, ...) and serves DHCP.
ROLE OF CONTRAIL IN INTEGRATED STACK
(Diagram: an orchestrator with compute, storage and network APIs; JunosV Contrail controlling vRouters on servers (virtual machines), physical switches, service nodes (vSRX, F5, ...) and the gateway router to Internet, VPN, DCI and WAN.)
CONTRAIL SOLUTION OVERVIEW
(Diagram: OpenContrail controller (configuration, analytics, control) reached by the orchestrator over REST; XMPP to the vRouters on servers hosting tenant VMs; BGP + Netconf to the gateways; BGP federation and clustering between Contrail controllers. IP fabric (underlay network) of Juniper QFabric/QFX/EX or 3rd-party underlay switches; Juniper MX or 3rd-party gateway routers.)
Contrail vRouter (L2 & L3) on KVM, Xen and ESXi/Hyper-V/containers and bare metal in 2014
CONTRAIL COMPONENTS
(Diagram: OpenContrail controller (configuration, control, analytics) above physical hosts with hypervisor and vRouter hosting VMs, the physical network (no changes) and a gateway to WAN and Internet.)
• Configuration: accepts and converts orchestrator requests for VM creation, translates the requests, and assigns the network
• Analytics: real-time analytics engine collects, stores and analyzes network elements
• Control: interacts with network elements for VM network provisioning and ensures uptime
• vRouter: virtualized routing element that handles localized control plane and forwarding plane work on the compute node
• Gateway: MX Series (or other router) or EX9200 serve as gateway, eliminating the need for a software gateway and improving scale and performance
TODAY 2014
OPENSTACK INTEGRATION
(Diagram: Horizon, Nova API, Nova scheduler, Neutron driver and Neutron plugin on the orchestration side; Contrail configuration node and control node; compute node with Nova compute, compute driver, virtual-IF driver, Contrail agent and the kernel vRouter (virtual router).)
1. Create an instance (VM info, network, IPAM, policies, etc.)
2. Schedule an instance on the compute node
3. VM network properties
4. Create VM interface
5. Add port
6. Publish VM interface on IF-MAP
7. VM interface config over XMPP
CONTRAIL STACK - VROUTER
(Diagram: control plane of configuration nodes, control plane nodes and analytics engines exposing REST APIs (configuration, operational, and analytics) to OpenStack, CloudStack and customer OSS/BSS; below it compute nodes (virtual router), service nodes (SRX, Firefly, JSP, ...) and gateway nodes (MX, EX/QFX, ...). The vRouter layer is highlighted.)
COMPUTE NODE – HYPERVISOR, VROUTER
(Diagram: a compute node with virtual machines of tenants A, B and C attached through tap interfaces (vif) to the vRouter forwarding plane in the kernel, which holds one routing instance (flow table + FIB) per tenant. The vRouter agent in user space keeps the VRFs and policy table, receives config over XMPP from the JunosV Contrail controller and reaches the forwarding plane over pkt0. Overlay tunnels (MPLS over GRE or VXLAN) leave on Eth0..EthN toward the top-of-rack switch.)
• vRouter replaces the Linux bridge or OVS module in the hypervisor kernel
• vRouter performs bridging (E-VPN) and routing (L3VPN)
• vRouter performs networking services like security policies, NAT, multicast, mirroring, and load balancing
• No need for service nodes or L2/L3 gateways for routing, broadcast/multicast, NAT
• Routes are automatically leaked into the VRF based on policies
• Support for multiple interfaces on the virtual machines
• Support for multiple interfaces from the compute node to the switching fabric
COMPUTE NODE – FORWARDING/TUNNELING
(Diagram: two compute nodes, each with a virtual machine (VN-IP1, VN-IP2) on a tap interface (vif), a routing instance (flow table + FIB) in the vRouter forwarding plane, and a physical interface Eth1 (Phy-IP1, Phy-IP2). Overlay tunnels are MPLS over GRE or VXLAN. The virtual packet (Virtual-IP2 | payload) is carried on the physical network as Phy-IP2 | MPLS/VNI | Virtual-IP2 | payload.)
1. Guest OS ARPs for a destination within the subnet or the default GW
2. vRouter receives the ARP and responds with the VRRP MAC
3. Guest OS sends traffic to the VRRP MAC; vRouter encapsulates the packet with the appropriate MPLS/VNI tag and GRE header
4. Physical fabric routes on the physical IP address
5. Returning packets get forwarded to the appropriate routing instance by the MPLS/VNI tag
6. vRouter decapsulates the packet and forwards it to the guest OS
CONTRAIL STACK – CONTROL NODE
(Diagram: the same stack as above (configuration nodes, control plane nodes, analytics engines with REST APIs; compute, service and gateway nodes), with the control plane nodes highlighted.)
CONTRAIL - CONTROL PLANE NODE
(Diagram: control nodes ("BGP module", XMPP proxies, IF-MAP client) connected to compute nodes over XMPP, to configuration nodes over IF-MAP, to each other over IBGP, and to gateway routers and service nodes.)
• All control plane nodes are active-active
• Each vRouter uses XMPP to connect with multiple control plane nodes for redundancy
• Each control plane node connects to multiple configuration nodes for redundancy
• BGP and Netconf are used to connect with physical gateway routers or service nodes
• Control plane nodes federate using BGP
• Control nodes can run different software versions for test-before-deploy and live upgrades
CONTROL PLANE – ROUTE DISTRIBUTION
(Diagram: Server 1 (physical IP 70.10.10.1) hosts a VM 10.1.1.1; Server 2 (physical IP 151.10.10.1) hosts a VM 10.1.1.2. Each server's agent speaks XMPP to the control node; the control node is fed by the configuration node over IF-MAP, which is provisioned over REST/API. The control plane advertises 10.1.1.2: NH = 151.10.10.1; LBL = 17 and 10.1.1.1: NH = 70.10.10.1; LBL = 39 to both agents. Inside the VRF on Server 1 the packet is 10.1.1.1 → 10.1.1.2 | PAYLOAD (private src/dst IP). On the IP network it is carried (dynamic tunnel encapsulation) as 70.10.10.1 → 151.10.10.1 (public src/dst IP) | GRE | LBL=17 | 10.1.1.1 → 10.1.1.2 | PAYLOAD, and on Server 2 the label selects the VRF (dynamic tunnel decapsulation) that delivers 10.1.1.1 → 10.1.1.2 | PAYLOAD to the VM.)
*Outer MAC header was left out intentionally to reduce clutter
CONTRAIL WITH L3VPN
(Diagram: the same two servers, now in different data centers. DC1: Server 1 (70.10.10.1, VM 10.1.1.1), its agent, control nodes and configuration management, and a gateway MX 80.20.20.1. DC2: Server 2 (151.10.10.1, VM 10.1.1.2), its agent, control nodes and configuration management, and a gateway MX 160.20.20.1. Between the DC gateways, service provider MXs 100.1.1.1 and 200.1.1.1 across an MPLS IP network. The route for 10.1.1.2 is re-advertised hop by hop, each hop substituting its own next hop and label and carrying RD and RT: NH = 151.10.10.1, LBL = 17 at Server 2's control nodes; NH = 160.20.20.1, LBL = 117 at the DC2 MX (I-MBGP); NH = 100.1.1.1, LBL = 217 and NH = 200.1.1.1, LBL = 317 at the service provider MXs (E-MBGP / I-MBGP); NH = 80.20.20.1, LBL = 417 at the DC1 MX, which DC1's control nodes hand to Server 1's agent over XMPP. Packet on the wire: in DC1, 70.10.10.1 → 80.20.20.1 (public src/dst IP) | GRE | LBL=417 | 10.1.1.1 → 10.1.1.2 | PAYLOAD; in the SP core, MPLS outer label | LBL=217 | 10.1.1.1 → 10.1.1.2 | PAYLOAD; in DC2, 160.20.20.1 → 151.10.10.1 | GRE | LBL=17 | 10.1.1.1 → 10.1.1.2 | PAYLOAD, decapsulated on Server 2 into its VRF.)
*Outer MAC header was left out intentionally to reduce clutter
PACKET FLOW FOR EVPN ON IP NETWORK
(Diagram: the route-distribution picture for L2. A VM with MAC1 on Server 1 (70.10.10.1) and a VM with MAC2 on Server 2 (151.10.10.1). The BGP-based control plane (configuration management over REST/API, XMPP to both agents) advertises MAC2: NH = 151.10.10.1; LBL = 17 and MAC1: NH = 70.10.10.1; LBL = 39. Inside the VRF the frame is MAC1 → MAC2 | PAYLOAD (src/dst MAC); on the IP network it is 70.10.10.1 → 151.10.10.1 (public src/dst IP) | GRE | LBL=17 | MAC1 → MAC2 | PAYLOAD (dynamic tunnel encapsulation on Server 1, decapsulation on Server 2).)
*Outer MAC header was left out intentionally to reduce clutter
CONTRAIL STACK – CONFIG NODE
(Diagram: the same stack as above (configuration nodes, control plane nodes, analytics engines with REST APIs; compute, service and gateway nodes), with the configuration nodes highlighted.)
CONTRAIL – SDN AS A "COMPILER"
(Diagram: applications 1..N use north-bound APIs on the orchestration system. The SDN system holds data models 1..M plus data model extensions; a compiler generates the APIs and the plug-in interfaces 1..K. South-bound network element interfaces lead to the network (physical and virtual); an east-west peering interface (BGP) leads to peers.)
CONFIGURATION NODE
(Diagram: the orchestrator (OpenStack) talks REST to the REST API server; the configuration node also runs the schema transformer, a DHT DB and the IF-MAP server; control nodes subscribe to it over IF-MAP. Several configuration nodes share the DHT DB and a message bus for distributed synchronization.)
1. API server provides the northbound REST interface; the orchestration system provisions using this API service
2. DHT/NoSQL database is used for persistence and high availability of configuration
3. Schema transformer "compiles" the high-level data model into the low-level model for vRouters, service nodes, and gateway routers
4. IF-MAP is used to represent the data model; control nodes subscribe to the subset of configuration they need
LOGICAL TOPOLOGY
(Diagram: virtual network VN G with tenant virtual machines G1, G2, G3; virtual network VN R with R1, R2, R3; a virtual firewall VM FW between them; a physical gateway router to the physical network PN (Internet, L3VPN, ...).)
PHYSICAL TOPOLOGY
(Diagram: OpenStack (Nova, Neutron) and the Contrail controller; virtualized servers, each a hypervisor with Contrail vRouter; underlay switches; gateway router to Internet or L3VPN.)
MAPPING OF LOGICAL TO VIRTUAL TOPOLOGY
(Diagram: the logical topology (VN G, VN R, VM FW, L3VPN) laid over the physical topology, each VM placed on a server.)
STARTING POINT: EMPTY LOGICAL TOPOLOGY
(Diagram: physical topology (OpenStack Nova/Neutron, Contrail controller, servers) with nothing placed yet; logical topology still to be built: VN G with G1, G2, G3; VN R with R1, R2, R3; VM FW; PN.)
CREATE GREEN TENANT: CREATE VIRTUAL NETWORK "GREEN"
• Create VN G
CREATE GREEN TENANT: CREATE VIRTUAL MACHINE "G1"
• Create VM G1, attach to VN G
• Nova: create VM (G1 appears on a server)
• Neutron: attach VM to VN
• XMPP: create routing-instance on that server's vRouter
CREATE GREEN TENANT: CREATE VIRTUAL MACHINE "G2"
• Create VM G2, attach to VN G
• Nova: create VM (G2 appears on a second server)
• Neutron: attach VM to VN
• XMPP: create routing-instance
• XMPP: exchange routes, create tunnels between the two vRouters
CREATE GREEN TENANT: FORWARDING TABLES AND ENCAPSULATION
(Diagram: VM G1 on server S1, VM G2 on server S2.)
Server S1:
– Green routing-instance IP FIB: VM G1 → virtual ethernet port to VM G1; VM G2 → push label L2 + GRE encaps to server S2
– Global MPLS FIB: L1 → pop + Green routing-instance
– Global IP FIB: server S2 → physical ethernet port
Server S2:
– Green routing-instance IP FIB: VM G1 → push label L1 + GRE encaps to server S1; VM G2 → virtual ethernet port to VM G2
– Global MPLS FIB: L2 → pop + Green routing-instance
– Global IP FIB: server S1 → physical ethernet port
Packet from S1 to S2, outermost header first: Ethernet (source MAC server S1, dest MAC server S2) | outer IP header (source IP server S1, dest IP server S2) | GRE | MPLS label L2 | inner IP header (source IP VM G1, dest IP VM G2) | payload
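The lookup chain on this slide and on the route-distribution slide earlier (routing-instance IP FIB, global MPLS FIB, global IP FIB, MPLS-over-GRE encapsulation and label-driven decapsulation), as an added example that is not the slides' or Contrail's own code. It uses the deck's addresses and labels (10.1.1.1 on 70.10.10.1 with label 39, 10.1.1.2 on 151.10.10.1 with label 17); the tap and port names, the method names and the Red tenant with an overlapping address are constructed.

```python
"""vRouter forwarding model for the Green tenant on the slide: per-instance
IP FIB, global MPLS FIB and global IP FIB, with MPLS-over-GRE encapsulation
between servers S1 and S2. Constructed example, not Contrail code. Addresses
and labels are the route-distribution slide's; tap names, port names and
the overlapping-address Red tenant are made up.
"""

class VRouter:
    def __init__(self, phys_ip):
        self.phys_ip = phys_ip
        self.ri_fib = {}    # routing instance -> {vm_ip: nexthop}
        self.mpls_fib = {}  # label -> routing instance ("pop + RI")
        self.ip_fib = {}    # remote server IP -> physical port

    def add_local_vm(self, ri, vm_ip, vif, label):
        """VM plugged in locally: route to its tap; the label that remote
        vRouters push to reach this RI is popped into the same RI."""
        self.ri_fib.setdefault(ri, {})[vm_ip] = ("vif", vif)
        self.mpls_fib[label] = ri

    def add_remote_vm(self, ri, vm_ip, nexthop, label):
        """Route learned over XMPP: prefix -> (NH = server, LBL = label)."""
        self.ri_fib.setdefault(ri, {})[vm_ip] = ("tunnel", nexthop, label)

    def add_underlay(self, server_ip, port):
        self.ip_fib[server_ip] = port

    def forward(self, ri, pkt):
        """Lookup confined to the sending VM's routing instance, so another
        tenant's identical address space is never consulted."""
        nh = self.ri_fib.get(ri, {}).get(pkt["dst"])
        if nh is None:
            return ("drop", "no route in " + ri)
        if nh[0] == "vif":
            return ("deliver", nh[1])
        _, remote, label = nh
        port = self.ip_fib.get(remote)
        if port is None:
            return ("drop", "no underlay route to " + remote)
        # Outer IP (server to server) | GRE | MPLS label | inner packet
        return ("tunnel", {"outer_src": self.phys_ip, "outer_dst": remote,
                           "gre": True, "mpls": label, "inner": pkt,
                           "port": port})

    def receive(self, frame):
        """Decapsulation: the MPLS label alone selects the routing instance;
        the inner destination is then looked up inside that instance."""
        if frame["outer_dst"] != self.phys_ip or not frame.get("gre"):
            return ("drop", "not for this server")
        ri = self.mpls_fib.get(frame["mpls"])
        if ri is None:
            return ("drop", "unknown label %d" % frame["mpls"])
        return self.forward(ri, frame["inner"])


def build_green():
    """Two servers after 'XMPP: exchange routes, create tunnels'."""
    s1, s2 = VRouter("70.10.10.1"), VRouter("151.10.10.1")
    s1.add_local_vm("green", "10.1.1.1", "tap-g1", 39)
    s1.add_remote_vm("green", "10.1.1.2", "151.10.10.1", 17)
    s1.add_underlay("151.10.10.1", "eth1")
    s2.add_local_vm("green", "10.1.1.2", "tap-g2", 17)
    s2.add_remote_vm("green", "10.1.1.1", "70.10.10.1", 39)
    s2.add_underlay("70.10.10.1", "eth1")
    # Constructed second tenant reusing 10.1.1.2, local on S1 only
    s1.add_local_vm("red", "10.1.1.2", "tap-r1", 41)
    return s1, s2


def g1_to_g2():
    """G1 sends to G2: S1 encapsulates, S2 pops label 17 into green."""
    s1, s2 = build_green()
    action, frame = s1.forward("green", {"src": "10.1.1.1", "dst": "10.1.1.2"})
    return action, frame, s2.receive(frame)
```

The label is resolved before any inner-header lookup, which is why the constructed Red instance's 10.1.1.2 on S1 never collides with Green's route to S2, and why a frame carrying a label no local instance owns is dropped instead of landing in some VRF.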
CREATE GREEN TENANT: CREATE VIRTUAL MACHINE "G3"
• Create VM G3, attach to VN G
• Nova: create VM (G3 appears on a server)
• Neutron: attach VM to VN
• XMPP: create routing-instance
• XMPP: exchange routes, create tunnels
CREATE GREEN TENANT: END STATE
(Diagram: G1, G2 and G3 placed on servers, all in VN G; VN R, PN and VM FW still to come.)
CREATE RED TENANT: SAME STEPS AS GREEN TENANT
(Diagram: R1, R2 and R3 placed on servers in VN R alongside the green VMs.)
CONNECT GREEN TO RED TENANT VIA FIREWALL: CREATE VIRTUAL MACHINE FOR FIREWALL
• Create VM FW, attach to VN G, attach to VN R
• Nova: create VM
CONNECT GREEN TO RED TENANT VIA FIREWALL: ATTACH FIREWALL TO RED AND GREEN VIRTUAL NETWORKS
• Neutron: attach VM to VNs
• XMPP: create routing-instance
CONNECT GREEN TO RED TENANT VIA FIREWALL: APPLY POLICY, EXCHANGE ROUTES, AND CREATE TUNNELS
• Apply policy VN G ↔ VN R
• XMPP: exchange routes, create tunnels
CONNECT GREEN TO RED TENANT VIA FIREWALL: END STATE
(Diagram: VM FW placed on a server, attached to both VN G and VN R; the green and red VMs on their servers; L3VPN shown on the physical side.)
CONNECT GREEN TO RED TENANT VIA FIREWALL: DATA PLANE: RED ↔ GREEN TRAFFIC FORCED THROUGH THE FIREWALL
(Diagram: traffic between VN R and VN G traverses VM FW rather than going directly between the vRouters.)
CONNECT RED TENANT TO PHYSICAL L3VPN: CONFIGURE L3VPN ROUTING INSTANCE
• Apply policy VN R ↔ L3VPN
• Netconf: configure routing-instance on the gateway router
CONNECT RED TENANT TO PHYSICAL L3VPN: EXCHANGE ROUTES WITH PHYSICAL ROUTER, CREATE TUNNELS
• Apply policy VN R ↔ L3VPN
• BGP: exchange routes, create tunnels (controller and gateway router)
CONNECT RED TENANT TO PHYSICAL L3VPN: EXCHANGE ROUTES WITH VROUTERS, CREATE TUNNELS
• Apply policy VN R ↔ L3VPN
• XMPP: exchange routes, create tunnels (controller and vRouters)
VROUTER HA
(Diagram: a compute node whose vRouter has eth0 and eth1 in LACP Linux bonding toward the TOR; TOR to spine to gateway; a discovery server, controller 1 and controller 2 above.)
CONTRAIL COMPONENT HA
(Diagram: three controllers. Each runs a configuration node (REST API server, schema transformer, IF-MAP server, RabbitMQ) and a control node ("BGP module", XMPP proxies, IF-MAP client); the configuration nodes share the DHT DB (Cassandra), Zookeeper and RabbitMQ; the Neutron API, Config API, IF-MAP and the discovery server sit behind HA proxy with a VIP. The slide sequence shows one configuration node going down and the control node re-syncing from another.)
1) Configuration node sends ALL data to the control node to sync the control node's information
2) Overwrite with the new information
Sync!
DEMO