opencontrail network virtualization
Post on 10-Jun-2015
TRANSCRIPT
Open Contrail network virtualization
Nicolai van der Smagt, Solutions Architect
September 2014
Nicolai van der who?!
- Nicolai van der Smagt: Solutions Architect @ Infradata
- Focus on datacenter architecture
- Getting old: 15 years of experience building and maintaining SP networks
Contact: nicolai@infradata.eu | InfraInnovaData @ Twitter | Vandersmagt @ LinkedIn
SDN > Network Virtualization
- This presentation is about network virtualization software
- SDN is an overly broad and excessively hyped term; it can mean anything to anybody
- Let's avoid the S-acronym for the rest of the session
- Let's talk about actual, deployable technology
Network virtualization?
- Helps achieve better scalability
- Enables automation / "agility"
- Improves and streamlines network security
- Reduces cost
- Like MPLS for the datacenter, or "poor man's" MPLS
- Enables the underlay network to be simple
Average DC – L2/VLAN-based: designed for north <-> south traffic
[Diagram: servers with VMs behind ToR L2 switches, multi-chassis LAG trunks up to an L2/L3 aggregation layer and an L3 core]
Average DC – Limited VLAN span
[Diagram: same L2/VLAN topology; routing and filtering between VLANs happens at the L2/L3 layer, VLANs are limited to their ToR span, and no VLANs cross the L3 firewall and load balancer pairs]
Average DC – No built-in multi-tenancy
[Diagram: same topology with firewall and load balancer pairs; a single routing table, with no support for overlapping multi-tenant address space]
Cloud DC – L3 ECMP Clos network: designed for east-west and north-south traffic
[Diagram: L3 spine layer, L3 ToRs, L2 switches down to the servers, with the spine connecting to the external network]
Average DC – Multi-tenancy using VRF
[Diagram: MPLS-enabled links between an L3-MPLS core and L2/L3-MPLS aggregation; one tenant VRF per tenant for multi-tenant isolation; VLAN span still limited at the ToR; tenant-specific hardware appliances (FW/LB pairs) as services]
Cloud DC – Opencontrail L2/L3 overlay
[Diagram: L3 Clos underlay with L3 ToRs down to the servers; a vRouter in every hypervisor handles L2/L3 and performs NAT (= multi-tenant VRF); service insertion at the vRouter; external network reached through the spine]
Opencontrail?!
- Network virtualization software
- Provides a tunneled overlay network over any datacenter infrastructure
- Tunnels can be L3 (GRE, UDP) or L2 (VXLAN)
- Tunnels interconnect not just hypervisors, but also bare-metal machines and/or network infrastructure (routers, ToR)
- Consists of a virtual router component in the hypervisor (vRouter) and a centralized control plane (control, configuration and analytics)
Standards-based
- Opencontrail is fully programmable via a RESTful API
- Northbound network gateway functionality is based on well-known and proven protocols and encaps, such as BGP/MPLS (L3VPN or EVPN) and GRE, UDP or VXLAN
- Southbound interface (to the hypervisor) is based on XMPP
- No constraints on the underlay physical network
Overall architecture: IETF NVO3 WG, ETSI NFV ISG
Overlay control plane protocols:
- XMPP: RFC 6120, draft-marques-l3vpn-end-system
- BGP L3VPN: RFC 4364
- BGP EVPN: draft-ietf-l2vpn-evpn
- NetConf: RFC 6241
Overlay data plane encapsulation:
- MPLS over GRE: RFC 4797
- VXLAN: draft-mahalingam-dutt-dcops-vxlan
Underlay control plane protocols: existing layer-2 or layer-3 protocols
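An added illustration (not the presentation's or the OpenContrail project's code) of the MPLS-over-GRE data plane listed above: the underlay forwards on the two vRouter addresses only, while the MPLS label picks the tenant VRF on the receiving vRouter, which is what lets two tenants reuse the same address space. The vRouter addresses, tenant addresses and labels are constructed sample values.

```python
import struct
import ipaddress

IPPROTO_GRE = 47          # outer IP protocol number for GRE
GRE_PROTO_MPLS = 0x8847   # GRE protocol type for MPLS unicast (RFC 4797)

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero (constructed sample only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def mpls_entry(label, ttl=64):
    """One MPLS label-stack entry: 20-bit label, TC=0, bottom-of-stack=1, 8-bit TTL."""
    return struct.pack("!I", (label << 12) | (1 << 8) | ttl)

def encapsulate(vrouter_src, vrouter_dst, label, tenant_packet):
    """vRouter-to-vRouter tunnel: outer IP / GRE / MPLS label / tenant IP packet."""
    gre = struct.pack("!HH", 0, GRE_PROTO_MPLS)  # no checksum, key or sequence present
    payload = gre + mpls_entry(label) + tenant_packet
    return ipv4_header(vrouter_src, vrouter_dst, IPPROTO_GRE, len(payload)) + payload

def underlay_view(packet):
    """All an underlay switch forwards on: the outer (vRouter) addresses."""
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))

def decapsulate(packet):
    """Receiving vRouter: check GRE/MPLS headers, return (label, tenant src, tenant dst)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags != 0 or ptype != GRE_PROTO_MPLS:
        raise ValueError("unexpected GRE header")
    entry, = struct.unpack("!I", packet[ihl + 4:ihl + 8])
    label = entry >> 12          # the label selects the tenant VRF on this vRouter
    inner = packet[ihl + 8:]
    src, dst = struct.unpack("!4s4s", inner[12:20])
    return label, str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))

# Constructed sample: two tenants both use 10.0.0.0/24; only the label tells them apart.
TENANT_A_LABEL, TENANT_B_LABEL = 16, 17
tenant_pkt = ipv4_header("10.0.0.5", "10.0.0.9", 6, 0)   # tenant TCP packet, no payload
pkt_a = encapsulate("192.168.1.11", "192.168.1.12", TENANT_A_LABEL, tenant_pkt)
pkt_b = encapsulate("192.168.1.11", "192.168.1.12", TENANT_B_LABEL, tenant_pkt)
if __name__ == "__main__":
    print(underlay_view(pkt_a))   # ('192.168.1.11', '192.168.1.12')
    print(decapsulate(pkt_a))     # (16, '10.0.0.5', '10.0.0.9')
    print(decapsulate(pkt_b))     # (17, '10.0.0.5', '10.0.0.9')
```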
Open Source
- Apache 2.0-licensed; permissive open source with retention of copyright
- "Redhat model": support and packaging available from Juniper Networks, if required
- Juniper provides resources and core developers, but the project is open for other developers, reviewers and bug-squashers
- Code review "based on technical merit only". No politics.
- Available today, waiting for you to download and play
Opencontrail technical architecture
[Diagram: the Contrail Controller (configuration, analytics and control nodes, BGP clustering) talks REST to the orchestrator, XMPP to the vRouters and BGP + Netconf to any gateway router; servers run a KVM or Xen hypervisor with the Contrail vRouter (L2 & L3) hosting tenant VMs; any underlay network (IP fabric) carries MPLS over GRE/UDP or VXLAN between vRouters and gateways]
Opencontrail provides: multi-tenancy
[Diagram: physical topology (L2 networks joined by an L3 router) versus the logical per-tenant topology (L2 and L3 networks), built up in two steps to the multi-tenant result]
Opencontrail provides: gateway functions
[Diagram: tenant networks A, B and C in Data Center 1 and A, B and D in Data Center 2 joined over the WAN through gateway routers; a tenant VPN, the Internet, and a non-virtualized server behind a gateway switch]
Opencontrail is based on MPLS VPN technology
[Diagram mapping MPLS L3VPN / E-VPN roles onto Opencontrail: P router = underlay switch; PE router = vRouter; route reflector = control node; CE = VM; IBGP between route reflectors = IBGP between control nodes; IBGP to the PE = XMPP to the vRouter; MPLS over MPLS = MPLS over GRE or VXLAN; network management system (NMS, DMI) = orchestrator, config node and analytics node of the SDN system]
L3VPN gateway: virtual network view and physical network view
Opencontrail provides: service chaining/NFV
[Diagram: Tenant Network A to the Internet through FW, LB and NAT; Tenant Network A to Tenant Network B through a FW; Tenant Network A1 to Tenant Network A2 through a FW]
Service chaining
Policy-based application of virtual and physical services with scale-out: firewall, intrusion prevention, load balancer, cache, WAN optimizer, proxy, ...
[Diagram: Green Virtual Network and Red Virtual Network, each with VMs; virtual services DPI and Cache, physical service Firewall; policy: only HTTP, chained through NAT + DPI + Cache + Firewall]
Service Chaining: Create Opencontrail service
Service chaining: Create Opencontrail policy
Service chaining: Apply policy to networks
Service chaining: Openstack topology result
Contrail in the physical datacenter
[Diagram: compute & storage racks of hypervisors behind leaf switches, spine switches, two gateway routers, and orchestration & services racks holding redundant control, config (Openstack/Cloudstack), analytics and WebUI nodes. Network notes: L2/L3 at the leaf, L3 ECMP fabric running OSPF or BGP, BGP to the gateways; no VM IP information in the underlay network; optional redundancy]
High availability – scale-out
[Diagram: configuration nodes (IF-MAP, REST), control nodes (XMPP to the vRouters, BGP and Netconf to the gateways, BGP between control nodes), analytics nodes (REST)]
- Designed to deal with failures
- Logically centralized (physically distributed)
- Horizontally scalable
- Highly available (active-active)
- Federated
Opencontrail network security
- Policies create distributed security for virtual and physical workloads
- Policies enable micro-segmentation
- Without an explicit policy, traffic is denied by default
- Service chaining enables distribution of additional network security (such as DDoS mitigation, WAF or application layer firewalling)
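A small model, added here and not part of the presentation or of OpenContrail itself, of the policy semantics these bullets describe: a flow between two virtual networks is denied unless an explicit rule allows it, and an allowing rule can carry the ordered service chain from the service-chaining slide (only HTTP, via NAT + DPI + Cache + Firewall). The network names, the rule shape and the one-way matching are assumptions of this model, not Contrail's exact rule format.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

@dataclass(frozen=True)
class Rule:
    """Allow rule between two virtual networks; anything not covered stays denied."""
    src_vn: str
    dst_vn: str
    protocol: str                     # "any", "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None    # None matches any destination port
    services: Tuple[str, ...] = ()    # ordered service chain for matching flows

@dataclass(frozen=True)
class Flow:
    src_vn: str
    dst_vn: str
    protocol: str
    dst_port: Optional[int] = None

def _matches(rule: Rule, flow: Flow) -> bool:
    return (rule.src_vn == flow.src_vn
            and rule.dst_vn == flow.dst_vn
            and rule.protocol in ("any", flow.protocol)
            and rule.dst_port in (None, flow.dst_port))

def evaluate(rules: Sequence[Rule], flow: Flow) -> Tuple[bool, List[str]]:
    """First matching rule wins and yields its service chain; no match means deny."""
    for rule in rules:
        if _matches(rule, flow):
            return True, list(rule.services)
    return False, []          # default deny: no explicit policy, no traffic

# Constructed policy mirroring the service-chaining slide: only HTTP from the
# green network to the red one, steered through NAT, DPI, cache and the firewall.
POLICY = [Rule("green", "red", "tcp", 80, ("NAT", "DPI", "Cache", "Firewall"))]

def decide(flow: Flow, rules: Sequence[Rule] = POLICY) -> dict:
    allowed, chain = evaluate(rules, flow)
    return {"allowed": allowed, "chain": chain}

if __name__ == "__main__":
    print(decide(Flow("green", "red", "tcp", 80)))   # allowed, full chain
    print(decide(Flow("green", "red", "tcp", 22)))   # denied: SSH has no rule
    print(decide(Flow("red", "green", "tcp", 80)))   # denied: rules here are one-way
```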
Orchestration options
Cloudstack, CCP
OCS Openstack Mirantis Openstack, Fuel
Redhat Openstack (RHOS)
UnitedStack Openstack
SmartCloud Orchestrator
End of the year
Network virtualization with Opencontrail
- Scalability
  - Upgrade from just 4000 to a much higher scale of tenant networks
- Automation / "Agility"
  - Spin up/down resources based on demand
  - Scale-out instead of scale-up
  - Automatic configuration / DevOps for the network
- Network security
  - Micro-segmentation (smaller networks with more fine-grained access controls)
  - Policy-driven framework (with default-deny)
- Reduced cost
  - NFV = virtual network devices instead of expensive hardware
  - Clos = white label switches instead of more expensive infrastructure
  - Opencontrail software available free of charge
Devstack + Opencontrail in-a-box setup
For the developers in the audience:
1 Install some packages (git-core, ant, build-essential, pkg-config)
2 Download DevStack (git clone git@github.com:/dsetia/devstack.git)
3 Edit localrc (set PHYSICAL_INTERFACE)
4 Run stack.sh
5 You'll end up with Openstack glance, nova, horizon, keystone and cinder, with Opencontrail (as a Quantum plugin), ready for use
6 ?
7 Profit!
nicolai@infradata.eu
@infrainnovadata