service chaining - cloud network services at scale

SERVICE CHAININGCloud Network Services at Scale

Sergei Gotchev [email protected]

Juniper Networks Proprietary and Confidential -- printed copies of this document are for reference only

2 Copyright © 2014 Juniper Networks, Inc. www.juniper.net

HIGH LEVEL CONTRAIL ARCHITECTURE


CONTRAIL ARCHITECTURE

Analytics

CONTRAIL CONTROLLER

ControlConfiguration

x86 Host + Hypervisor

ORCHESTRATOR

x86 Host + Hypervisor

Physical IP Network(no changes)

vRouter vRouter

GatewayInternet / WAN

Legacy Infra.(VLAN, etc.)

Bi-directional real-time message bus using XMPP

Network orchestration

Standard protocol (M-BGP) to talk with other Contrail

controller instances

Compute / Storage orchestration

… Others


CONTRAIL STACK

Configuration Nodes

ControlPlane

ComputeNode

(Virtual Router)

ServiceNode

(SRX, Firefly, JSP, ...)

GatewayNode

(MX, EX/QFX, ...)

ControlPlane

ControlPlane

AnalyticsEngine

AnalyticsEngine

AnalyticsEngine

REST APIs (Configuration, Operational, and Analytics)

OpenstackCustomer OSS/BSS Cloudstack


COMPUTE NODE – HYPERVISOR, VROUTERCompute Node

VirtualMachine

(Tenant B)

VirtualMachine

(Tenant C)

VirtualMachine

(Tenant C)

vRouter Forwarding Plane

VirtualMachine

(Tenant A)

Routing Instance

(Tenant A)

Routing Instance

(Tenant B)

Routing Instance

(Tenant C)

vRouter Agent

Flow Table

FIB

Flow Table

FIB

Flow Table

FIB

Overlay tunnelsMPLS over GRE, UDP or VXLAN

JUNOSV CONTRAIL CONTROLLERCONTRAIL CONTROLLER

XMPP

Eth1Kernel

Tap Interfaces (vif)

pkt0

UserEth0 EthN

Config

VRFs Policy Table

Top of Rack Switch

XMPP

• vRouter replaces the Linux Bridge or OVS module in Hypervisor Kernel

• vRouter performs bridging (E-VPN) and routing (L3VPN)

• vRouter performs networking services like Security Policies, NAT, Multicast, Mirroring, and Load Balancing

• No need for Service Nodes or L2/L3 Gateways for Routing, Broadcast/Multicast, NAT

• Routes are automatically leaked into the VRF based on Policies

• Support for Multiple Interfaces on the Virtual Machines

• Support for Multiple Interfaces from Compute Node to the Switching Fabric


COMPUTE NODE – FORWARDING/TUNNELING

Overlay tunnelsMPLS over GRE or VXLAN

Compute Node 1


VirtualMachine 1(VN-IP1)

Routing Instance 1

Flow Table

FIB

Eth1 (Phy-IP1)


Compute Node 2


VirtualMachine 2(VN-IP2)

Routing Instance 2

Flow Table

FIB

Eth1 (Phy-IP2)


VIRTUAL

PHYSICAL

Virtual-IP2

Payload

Virtual-IP2

Payload

MPLS / VNI

Phy-IP2

Virtual-IP2

Payload

Virtual-IP2

Payload

MPLS / VNI

Phy-IP2

1. Guest OS ARPs for destination within subnet or default GW

2. VRouter receives the ARP and responds back with VRRP MAC

3. Guest OS sends traffic to the VRRP MAC, Vrouter encapsulates the packet with appropriate MPLS/VNI tag and GRE header

4. Physical Fabric Routers on Physical IP Address

5. Returning packets get forwarded to appropriate Routing Instance by the MPLS/VNI tag

6. VRouter de-capsulates the packet, and forwards it to the Guest OS


CONTRAIL SERVICE CHAINING

R1 R2

SVC 1 VMVirtual Network

Red Virtual Network

Green

G1 G2

SVC 2 VM

L3 L5

L3

L4L2 L6

R1 R2

L1

L4

Srvr = S1 Server = S2S4

L5 L6

S3

Locally significant MPLS Labels

Seamless insertion of Juniper & unmodified 3rd Party services using existing L3VPN connections

Allows multiple Services in a chain Allows multiple service chains between

virtual networks Supports L3 services without the use of

a gatewayRI for non-svc-chain traffic

LOG

ICA

LP

HY

SIC

AL

G1 G2

VIF 2 L2

Interf = VIF 1 Label = L1

VIF 4 L8

Interface = VIF 3 Label = L7

Dst Next Hop

G1 S2 L3

G2 S2 L3

R1 VIF 1

R2 VIF 2

Dst Next Hop

R1 S1 L1

R2 S1 L2

Dst Next Hop

G1 S3 L5

G2 S3 L5

Dst Next Hop

R1 S2 L4

R2 S2 L4

Dst Next Hop

G1 S4 L7

G2 S4 L8

Dst Next Hop

R1 S3 L6

R2 S3 L6

G1 VIF 3

G2 VIF 4

SVC 1 VM SVC 2 VM

X86 Servers

L1 L7 L8

Routing Instances

IP Fabric


SERVICE CHAINING FOR THE SP

9 Copyright © 2014 Juniper Networks, Inc. www.juniper.net 9 Copyright © 2013 Juniper Networks, Inc. www.juniper.net

SERVICE COMPLEX TODAY

LOAD BALANCINGAppliance

LOAD BALANCINGAppliance

Router

LIMITATIONS Even coarse service chains are complex Over provisioned network appliances to meet total demand Simplified tenant isolation for security and regulation compliance Inefficient chains with duplicate packet processing

PARENTAL CONTROLAppliance

APPLICATIONAppliance

CACHING & CONTENT Appliance

FIREWALLAppliance

NETWORK ADRESSING

ApplianceDPI/TDFAppliance

WEB AWAREAppliance

Tie awareness to policy to

monetization

Multiple routing

platforms

Appliances limit flexibility; add complexity


SERVICE CONTROL GATEWAY FUNCTIONALITY

ContrailController

SCG


SCG - SERVICE CHAINING

Service Control Gateway

VPN Internet

GGSN/PGW

Mobile accessLaptop

Smartphone

(S)Gi

Feature Phone

PCRFSPR

AAA

Wireline access

Gx

BNG

OCS

Sy

Subscriber State Machine

BSS SystemsOSS Systems

Gy

Serv

ice

Car

d DPI

HE/URL

Caching

Gx/ Sd Gyn

PFEForwarding /

Flow Table

PFEVRF/ Tunnel

Flow control API

Data Center

Servers

VMs

VAS

App

licat

ions

eg

. DP

I

VAS

App

licat

ions

eg

. TC

P P

roxy

VSwitch

Oth

er A

pps

AnalyticsBilling

Hypervisor

VMs VMs

Oth

er A

pps

AAA

Gx

Gx

SRC

AAA

ContrailController

Can manage service chaining without an SDN Controller within the confines of SCG

Requires SDN Controller to chain services outside the confines of SCG


ContrailINT GWSubs ContrailSN 1 SN 2 SN nMX

GW INTERNET

Contrail

INT GWSubs

SN 1 SN 2 SN n

MXGW INTERNET

OPEN/Close Service Chain

CLOSED

Asymmetric / Symmetric NAT @ Leaf Service Node? Single/Multiple Service Hop

OPEN DC

SERVICES CHAIN TYPES


CLOUD CPE


Simple CPE

Cloud CPE

Physical CPE’s

Routing WOC FirewallDPI

Cloud CPE

Customer Site

Network Service Provider

Virtualized ServicesServices

Gateway/Branch Router

Junos Space

OpenStack

NOVA

NEUTRON

Contrail


Internet

SP

IMPLEMENTATION OF VIRTUAL SERVICES CHAIN

Junos Space

Create Networks

ContrailController

OpenStack

NOVA

NEUTRON

CreateVM FW, DPI

Enterprise

FW, DPI, NAT, INTERNET


MANAGED ENTERPRISE SERVICE

EnterpriseCustomer

Edge

Services decoupled from Access – Centralized Complexity– Everything as a Service

Customer & network context in service chain

mediation

JS vCPE Self-care

Network Services(VPN, FW, NAT, IPS)

Data Center

BUSINESS EDGE

Virtual CE Router Service



OpenStack & Contrail Controller

Security Virtual Services(vSRX, vSA, etc)

Dynamic Service Chain


mediation

JS vCPE Self-care


Data CenterSecurity

BUSINESS EDGE

ContrailSDN Controller

Edge

EnterpriseCustomer




OpenStack & Contrail Controller

Security Virtual Services(vSRX, vSA, etc)

Dynamic Service Chain


mediation

JS vCPE Self-care


Data CenterSecurity

BUSINESS EDGE

ContrailSDN Controller

Edge

DDoS

Cache

3rd Party

EnterpriseCustomer



CONTRAIL PARTNERSHIP HIGHLIGHTS


THANK YOU

service chaining - cloud network services at scale

Technology