Contrail Virtual Networking QUICK TUTORIAL
OPENCONTRAIL QUICK TUTORIAL

Slides: 27

Network/Cloud Technology interchange
Technology interchange benefits both cloud and networks.
• Network Technology: Overlay networking (MPLS/VXLAN), Control plane (BGP), Network load balancing (ECMP)
• Cloud Benefits: Software-defined networking, Network scale, Security, Resilience
• Cloud Technology: Common x86 platform, Shared service infrastructure, Cloud service automation
• Network Benefits: Service agility, Self-service, On-demand, Elastic scaling

HOW CONTRAIL WORKS

CONTRAIL - BASED ON MPLS VPN TECHNOLOGY
L3 VPNs for inter-site connectivity:
• Traffic segmentation in the WAN
• MPLS over MPLS label encapsulation tunnels
• BGP route signaling
Contrail virtual networks in datacenters:
• Traffic segmentation in the LAN
• MPLS over GRE or VXLAN label encapsulation tunnels
• XMPP (with BGP payload) route signaling
Diagram (protocols, architecture): in the L3 VPN, a CE router at the customer site connects to a PE router holding the customer VRF, with encapsulation tunnels across the provider network and BGP signaling via a route reflector; in the datacenter, a VM on a hypervisor with vRouter holds the tenant VRF, with the Contrail Controller / route reflector (XMPP carrying BGP) under the OpenStack cloud manager.

Diagram: the SDN system (Config Node with a DMI to the Network Management System, Control Nodes and an Analytics Node federated over IBGP through Route Reflectors) is driven by OpenStack and connects over XMPP to vRouters on compute hosts behind Underlay Switches; MPLS over GRE or VXLAN carries tenant traffic in the datacenter, BGP connects to the Gateway, and MPLS over MPLS L3 VPN / E-VPN spans the CE / PE / P WAN.

CONTRAIL ABSTRACTION ARCHITECTURE
Orchestration, Automation, Analytics, OSS:
• Open source and partner ecosystem of orchestrators
• API and SDK for integration with OSS / BSS
• Interfaces carry policies and requests in, state and status out
Control Plane - Physical, Virtual (configuration model, automation, control plane):
• Open, standards-based, federated controller
• Scalable and resilient
Virtual Network:
• Overlay encapsulation implemented in hypervisor
• Multi-tenancy for private and virtual public clouds
• Gateway functions - connect virtual to physical network
• Service chaining (physical and virtual)
Physical Network:
• Interoperability with traditional network devices
• Any-to-any non-blocking low-latency fabric: Q-Fabric or Clos
Analytics: distributed collection, global view, consolidation, aggregation

CONTRAIL COMPONENTS
OpenContrail Controller:
• Configuration: accepts orchestrator requests for VM creation, translates them, and assigns networks
• Control: interacts with network elements for VM network provisioning and ensures uptime
• Collector: real-time analytics engine that collects, stores and analyzes network elements
vRouter: virtualized routing element; handles localized control plane and forwarding plane work on the compute node (physical host with hypervisor running the VMs)
Gateway: MX Series (or other router) or EX9200 serve as gateway to the WAN / Internet, eliminating the need for a software gateway and improving scale and performance
Physical network: no changes required

SCALE OUT, HIGHLY AVAILABLE ARCHITECTURE
• Logically centralized, physically distributed nodes
• Horizontally scalable
• Highly available (active-active)
• Federated
Diagram: the Web UI and orchestration reach the Configuration Nodes over REST / HTTP; Configuration Nodes publish to Control Nodes over IF-MAP; Control Nodes peer among themselves and federate over BGP; Analytics Nodes and Database Nodes complete the controller; Control Nodes reach vRouters over XMPP and Gateways over BGP and Netconf.
Roles, daemons and ports: https://github.com/Juniper/contrail-controller/wiki/Roles-Daemons-Ports

COMPUTE NODE – HYPERVISOR/CONTAINER WITH VROUTER
• vRouter replaces the Linux Bridge or OVS module in the hypervisor kernel
• vRouter performs bridging (E-VPN) and routing (L3 VPN)
• vRouter performs networking services like Security Policies, NAT, Multicast, Mirroring, and Load Balancing
• No need for Service Nodes or L2/L3 Gateways for Routing, Broadcast/Multicast, NAT
• Routes are automatically leaked into the VRF based on Policies
• Support for multiple interfaces on the Virtual Machines
• Support for multiple interfaces from the Compute Node to the Switching Fabric
Diagram: the vRouter Agent (user space) receives configuration from the Contrail Controller (JunosV Contrail Controller) over XMPP and programs the vRouter Forwarding Plane (kernel) through the pkt0 interface; the forwarding plane holds per-network Routing Instances (Network X, Y, Z) with VRFs, FIBs, a Flow Table and a Policy Table; tenant VMs (Tenant A, Tenant B) attach through tap interfaces (vif); Eth0, Eth1 ... EthN connect to the Top of Rack Switch and carry the overlay tunnels (MPLS over GRE or VXLAN).

CONTRAIL – CONTROL NODE
• Control Plane Nodes federate using BGP
• Each vRouter uses XMPP to connect with multiple Control Plane Nodes for redundancy
• All Control Plane Nodes are active
• Each Control Plane Node connects to multiple Configuration Nodes for redundancy
• BGP is used to connect with Physical Gateway Routers or Service Nodes
Diagram: the Configuration Node feeds the Control Node ("BGP module", IF-MAP client, proxies for ARP, DHCP, ...) over IF-MAP; the Control Node speaks XMPP to Compute Nodes, IBGP to its Control Node peers, and BGP to Service Nodes and Gateway Routers.

CONFIGURATION NODE
1. API Server provides the northbound REST interface; the orchestration system (OpenStack) provisions using this API service
2. DHT / NoSQL database is used for persistence and high availability of configuration
3. Schema Transformer "compiles" the high-level data model to the low-level model for vRouters, Service Nodes, and Gateway Routers
4. IF-MAP is used to represent the data model; Control Nodes subscribe to a subset of the configuration
Diagram: Orchestrator (OpenStack) -> REST -> API Server; API Server, DHT DB, Message Bus, Schema Transformer and IF-MAP server share a distributed synchronization layer; IF-MAP -> Control Node.

INTERACTION WITH OPENSTACK
1. Create an Instance (Image, Network, ...) via Horizon / Nova API
2. Schedule an Instance on the Compute Node (Nova Scheduler -> Nova Compute)
3. VM Network Properties (Neutron Plugin / Neutron Driver, scripts)
4. Add Port (Nova Compute -> Virtual-IF Driver -> vRouter (kernel))
5. Create VM Interface (Neutron Plugin -> Configuration Node)
6. Publish VM i/f on IF-MAP (Configuration Node -> Control Node)
7. VM Interface config over XMPP (Control Node -> Contrail Agent on the Compute Node)
Components shown: OpenStack (Horizon, Nova API, Nova Scheduler, Neutron Plugin and Driver), Compute Node (Nova Compute with Virtual Router Compute Driver, Virtual-IF Driver, Contrail Agent, vRouter in the kernel), Configuration Node, Control Node.

COMPUTE NODE – DNS RESOLUTION
Diagram: a Virtual Machine (IP-VM1), attached through its tap interface (vif) to the vRouter Forwarder, asks for the address of VM2; the OpenStack / OpenContrail DNS returns the IP for VM2 (IP-VM2, on a second Compute Node). Each vRouter Forwarder holds the Routing Instance, FIB and Flow Table; the hosts connect through Eth1 (IP-H1, IP-H2) over overlay tunnels (MPLS over GRE or VXLAN). Virtual on top, physical below.

COMPUTE NODE – PROXY ARP
Diagram: the Virtual Machine (IP-VM1) asks "Who is IP-VM2?" on its tap interface (vif); the local vRouter Forwarder answers on behalf of VM2 (proxy ARP), so no ARP crosses the overlay tunnel (MPLS over GRE or VXLAN) between Eth1 (IP-H1) and Eth1 (IP-H2). Same layout as the DNS resolution slide: Routing Instance, FIB and Flow Table in each vRouter Forwarder; virtual on top, physical below.

COMPUTE NODE – FORWARDING/TUNNELING
Diagram: VM1 (IP-VM1) sends [IP-VM2 | Payload] on its tap interface (vif); the vRouter Forwarder looks up IP-VM2 in the Routing Instance FIB and pushes the tunnel headers, sending [IP-H2 | MPLS label / VNI | IP-VM2 | Payload] out Eth1 (IP-H1) over the overlay tunnel (MPLS over GRE or VXLAN); the vRouter Forwarder on the second Compute Node receives it on Eth1 (IP-H2), pops the outer header and label, and delivers [IP-VM2 | Payload] to VM2's tap interface. Virtual on top, physical below.

FEATURE: DISTRIBUTED SECURITY POLICY
LOGICAL (centralized policy definition): a Contrail Security Policy (firewall-like, e.g. allow only HTTP traffic) between Virtual Network Green (G1, G2, G3) and Virtual Network Blue (B1, B2, B3) blocks non-HTTP traffic; a Contrail Policy with a Firewall Service between Virtual Network Blue and Virtual Network Yellow (Y1, Y2, Y3) sends inter-network traffic through the service, while intra-network traffic stays within its network.
PHYSICAL (distributed policy enforcement): the VM and virtualized network function pool is spread across hosts (Host + Hypervisor with G1, Y1, B3, G3, B1; Host + Hypervisor with G2, B2, Y3; ...) over the IP fabric (switch underlay), and each host's vRouter enforces the centrally defined policy locally.
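The forwarding/tunneling and distributed-policy slides above, modelled as an added Python example (not OpenContrail code): two vRouters with a per-VRF FIB, an "allow only HTTP" flow policy, and the tunnel header push and pop. Addresses, labels, port numbers and interface names are constructed values.

```python
"""Added example (not OpenContrail code): toy vRouter forwarding plane.
Two hosts (IP-H1, IP-H2) each run a vRouter; VM1 and VM2 share one virtual
network; the per-VRF FIB maps a VM address to (tunnel endpoint, MPLS label) and
a flow-table policy allows only HTTP. Addresses, labels, ports: constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Inner:            # what the VM puts on its tap interface (vif)
    src: str
    dst: str
    dport: int
    payload: bytes

@dataclass(frozen=True)
class Tunnel:           # what leaves the host's Eth1: MPLS over GRE or VXLAN
    outer_src: str
    outer_dst: str
    label: int          # MPLS label / VNI, significant only to the receiving vRouter
    inner: Inner

class VRouter:
    def __init__(self, host_ip: str, allowed_ports: set):
        self.host_ip = host_ip
        self.allowed_ports = allowed_ports          # the "allow only HTTP" policy
        self.fib: Dict[str, Tuple[str, int]] = {}   # VRF: VM IP -> (host IP, label)
        self.vifs: Dict[int, str] = {}              # label -> local tap interface

    def encapsulate(self, pkt: Inner) -> Optional[Tunnel]:
        """Policy check, then FIB lookup and tunnel header push; None means drop."""
        if pkt.dport not in self.allowed_ports or pkt.dst not in self.fib:
            return None
        host, label = self.fib[pkt.dst]
        return Tunnel(self.host_ip, host, label, pkt)

    def decapsulate(self, tp: Tunnel) -> Optional[str]:
        """Strip the outer header; the label alone selects the destination vif."""
        if tp.outer_dst != self.host_ip:
            return None
        return self.vifs.get(tp.label)


def build_hosts() -> Tuple[VRouter, VRouter]:
    """Routes would arrive from a Control Node over XMPP; here they are set by hand."""
    vr1, vr2 = VRouter("192.0.2.1", {80}), VRouter("192.0.2.2", {80})
    vr1.fib["10.1.1.20"] = ("192.0.2.2", 16); vr2.vifs[16] = "tap-vm2"
    vr2.fib["10.1.1.10"] = ("192.0.2.1", 17); vr1.vifs[17] = "tap-vm1"
    return vr1, vr2
```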

FEDERATED DOMAINS
UNIFIED CONTROL PLANE ACROSS PHYSICAL/VIRTUAL NETWORKS
Diagram: Cloud Management (Orchestration, OSS/BSS) sits above OpenContrail (Config Node, Control Nodes) in the Cloud DC and above the WAN Control/Mgmt (NMS, Route Reflectors) for the Public Network (IP / MPLS VPN). Control Nodes peer with the WAN Route Reflectors over BGP and program vRouters on x86 Host + Hypervisor over XMPP; vRouters behind the Underlay Switches reach the PE routers using MPLSoGRE, MPLSoUDP or VXLAN.

FEATURE: SERVICE CHAINING
§ Allows multiple Services in a chain
§ Allows multiple service chains between virtual networks
§ Supports L3 services without the use of a gateway
§ Seamless insertion of Juniper & unmodified 3rd Party services using existing L3 VPN connections
LOGICAL: Virtual Network Red (R1, R2) -> SVC1 VM -> SVC2 VM -> Virtual Network Green (G1, G2), using locally significant MPLS Labels L1 ... L8.
PHYSICAL: x86 Servers S1 (R1 on VIF1, R2 on VIF2), S2 (SVC1 VM), S3 (SVC2 VM) and S4 (G1 on VIF3, G2 on VIF4) on the IP Fabric, each with Routing Instances for the chain plus an RI for non-svc-chain traffic.
Forwarding tables (Dst -> Next Hop server, label):
  toward Green: G1 -> S2 L3; G1 -> S3 L5; G1 -> S4 L7; G2 -> S2 L3; G2 -> S3 L5; G2 -> S4 L8
  toward Red:   R1 -> S1 L1; R1 -> S2 L4; R1 -> S3 L6; R2 -> S1 L2; R2 -> S2 L4; R2 -> S3 L6
  local:        R1 -> VIF1; G1 -> VIF3; R2 -> VIF2; G2 -> VIF4
For more details, see https://datatracker.ietf.org/doc/draft-fm-bess-service-chaining/

SERVICE VIRTUALIZATION AND CHAINING
NFV: Virtual Network Functions
• Best in breed, from multiple vendors, including Juniper (e.g. vSRX)
SDN: Service Chaining
• OpenContrail dynamically programs the network to create service chains
• Chain of virtual services with independent scaling
• Decide which traffic goes into the chain
• Load balance between service layers
• Stateful services require consistent forward/reverse paths
Diagram: an Anchor Router (Classifier) steers traffic into a chain of DPI instances feeding Firewall, Cache, IDP and NAT layers.
https://datatracker.ietf.org/doc/draft-fm-bess-service-chaining/
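The service-chain forwarding tables on the service chaining slide, and the consistent forward/reverse path requirement stated above, traced in an added Python example (not OpenContrail code). Server names, VM names and label numbers are the slide's; which routing instance holds each table row, and the service VM interface names, are assumptions inferred from the hop order S1 -> S2 -> S3 -> S4.

```python
"""Added example (not OpenContrail code): trace of the slide's service-chain
tables, Red VMs (R1, R2) on S1 -> SVC1 VM on S2 -> SVC2 VM on S3 -> Green VMs
(G1, G2) on S4. Labels and servers are the slide's; the assignment of rows to
per-server routing instances and the service vif names are assumptions."""
from typing import Dict, List, Tuple

# Per-server routing-instance entries: dst VM -> (next-hop server, MPLS label).
# Labels are locally significant to the receiving vRouter, as the slide notes.
RI: Dict[str, Dict[str, Tuple[str, int]]] = {
    "S1": {"G1": ("S2", 3), "G2": ("S2", 3)},
    "S2": {"G1": ("S3", 5), "G2": ("S3", 5), "R1": ("S1", 1), "R2": ("S1", 2)},
    "S3": {"G1": ("S4", 7), "G2": ("S4", 8), "R1": ("S2", 4), "R2": ("S2", 4)},
    "S4": {"R1": ("S3", 6), "R2": ("S3", 6)},
}
# Per-server label table: incoming label -> the local vif it is delivered to.
LABELS: Dict[str, Dict[int, str]] = {
    "S1": {1: "VIF1 (R1)", 2: "VIF2 (R2)"},
    "S2": {3: "SVC1 left vif", 4: "SVC1 right vif"},    # constructed names
    "S3": {5: "SVC2 left vif", 6: "SVC2 right vif"},    # constructed names
    "S4": {7: "VIF3 (G1)", 8: "VIF4 (G2)"},
}
HOST_OF = {"R1": "S1", "R2": "S1", "G1": "S4", "G2": "S4"}
SERVICE_VM = {"S2", "S3"}          # servers whose vif belongs to a service VM


def trace(src: str, dst: str) -> List[Tuple[str, int, str]]:
    """Hops from src to dst as (next server, label, vif the label delivers to)."""
    server = HOST_OF[src]
    hops: List[Tuple[str, int, str]] = []
    while True:
        nh_server, label = RI[server][dst]
        hops.append((nh_server, label, LABELS[nh_server][label]))
        if nh_server not in SERVICE_VM:   # reached the destination VM's host
            return hops
        server = nh_server                 # service VM re-injects into its host's RI


def symmetric(a: str, b: str) -> bool:
    """Stateful services need forward and reverse flows through the same servers."""
    fwd = [s for s, _, _ in trace(a, b)][:-1]   # service hops only, not the last host
    rev = [s for s, _, _ in trace(b, a)][:-1]
    return fwd == list(reversed(rev))
```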

FEATURE: ANALYTICS

FEATURE: UNDERLAY-OVERLAY CORRELATION
§ Visual representation of topology (discovered using LLDP)
§ Which underlay paths are taken by flows (active or historical)
§ Details of VMs, vRouters, and underlay components
§ Details of active flows
§ Ability to show historical flows as well

CONTRAIL - KEY FEATURES
• Routing & Switching (IPv4, IPv6)
• Gateway Services (L2, L3 GW)
• IPAM, DNS, DHCP
• SNAT, FIP, QoS
• Rich Analytics, Overlay-Underlay Correlation
• Load Balancing
• Security Policy Enforcement, Distributed FW
• 3rd Party Network Services
• Service Chaining
• High Availability
• API Services

OpenContrail in OPNFV
• OpenContrail is upstream to OPNFV
• Working with installers for the B release: Fuel, JOID, Apex, Compass4nfv
• OpenContrail Sandbox on opencontrail.org
• 6-server POD almost ready for CI/test in the NJ OpenLab
Copyright © 2014 Juniper Networks, Inc.

OPENCONTRAIL OPENSOURCE APPROACH (For more info visit www.opencontrail.org)
OpenContrail Advisory Board (OCAB)
§ Industry veterans and key project users/adopters
§ Governance, Evangelism, Roadmap, Operational efficiency
Open Source (Users, Devs) and Customers
OpenContrail Developer Community
§ Majority Juniper, some external developers
§ Proposing features & contributing code
§ Participate in the code review process
Process: Bugs, Design Blueprints, Features & Bug fixes are tracked in Launchpad; Continuous Integration/Development from a single GitHub source code repository; OpenContrail Community Release with community support (Email, IRC, Forums)
Juniper Contrail Releases
§ Hardened for Production
§ Licensed Software
§ 24x7 JTAC & Engineering Bug Fix Release

VNF VALIDATION PROGRAM FOR OPENCONTRAIL
Launching in response to customer and VNF vendor interest.

Certification Tier | Basics Functional Validation | Performance Benchmarks | Customizing and API Integration
Silver             | ✓                            |                        |
Gold               | ✓                            | ✓                      |
Platinum           | ✓                            | ✓                      | ✓

CONTRAIL DEMO VIDEOS
PRODUCT CAPABILITIES - DEMO VIDEOS
§ Bare Metal Integration through multi-vendor TOR integration https://www.youtube.com/watch?v=PjkNt0yV3H0
§ IPv6 DVR (Distributed Virtual Router) https://www.youtube.com/watch?v=RLO0uIXbDxo
§ OpenStack Neutron at Scale https://www.youtube.com/watch?v=xN0rXHD_dqk
§ P + V Service Chaining https://www.youtube.com/watch?v=a9HqC9x6KTg
§ Multi-hypervisor, Docker Integration https://www.youtube.com/watch?v=x2n5Q_ycx6o
§ vRouter DPDK Demo https://www.youtube.com/watch?v=ZGiQJrKoDQM
§ Physical + Overlay Correlation https://www.youtube.com/watch?v=B8aHoY--1Zs
USE CASE - DEMO VIDEOS
§ DDoS Protection (Contrail + DDoS Secure) http://www.youtube.com/watch?v=TnvCea4fil4
§ NFV through Contrail (this is the Internet / Firewall NFV, aka vCPE) http://www.youtube.com/watch?v=_64no8P2vUw
§ Contrail - Elastic cloud - IT as a Service http://www.youtube.com/watch?v=9g3EWV8X64s
§ SSLVPN on Contrail http://www.youtube.com/watch?v=vfZfdH4kkV4
§ Caching as a Service (Junos Content Encore on Contrail) https://www.youtube.com/watch?v=-_NtC34wcRw
§ Hybrid Cloud https://www.youtube.com/watch?v=uC7nMW5PXdg

Thank You