[openstack study] openstack with contrail
TRANSCRIPT
OPENSTACK WITH CONTRAIL
Software Defined Networking and Cloud Infrastructure
KOREA DATA CENTER ARCHITECT GROUP
KwonSun Bae, also known as "BeBe"
FIRST, WHAT IS SDN?
Why do we want SDN?
Software Defined Network
SDN? SDDC? OPENSTACK? What is SDN?
[Chart: provisioning time after virtualization for server resources versus network and security settings: seconds versus weeks, and the resulting delay in communication between the two.]
SOFTWARE DEFINED NETWORK: the real network problems
Changes in the business
The need for flexible and agile infrastructure
Automation.
SDN? Why is SDN needed?
A flexible, fast and scalable network
EVOLUTION OF NETWORK VIRTUALIZATION: VLAN
VLANs are configured manually on each switch
Expanding to a new service is complex
Performance, management and scale limits: a 12-bit VLAN ID space of 4096 tenant IDs
Tenants are supported inside the existing physical network
Manual. Inefficient. Low scalability.
EVOLUTION OF NETWORK VIRTUALIZATION: Reactive OpenFlow Approach
Requires devices that support OpenFlow
OpenFlow requires programming per flow
Each device holds the state for every tenant
Centralized OpenFlow controller: the first packet of every traffic flow is punted up to the controller
HIGH LATENCY. LOW SCALABILITY. COMPLEX FLOW MANAGEMENT. HIGHER DEPENDENCY ON THE CONTROLLER.
How Does SDN or Software Defined Networking Work?
[Figure: the SDN controller in the middle, with Northbound APIs towards applications and Southbound APIs towards the network devices.]
https://www.sdxcentral.com/resources/sdn/what-the-definition-of-software-defined-networking-sdn/
SOFTWARE DEFINED NETWORK: OpenFlow is only one of several SDN technologies.
EVOLUTION OF NETWORK VIRTUALIZATION: Proactive Overlay Networks
Packet forwarding is handled locally by each device, not by the controller
The underlay network that is already in operation is reused
Existing network devices do not need to know the overlay network's tenant information
The controller programs the virtual networks in advance, not per flow
LOW LATENCY. HIGH SCALABILITY. LOW RISK. REDUCED CONTROLLER LOAD.
ADVANTAGES OF SDN
Agility and Flexibility.
https://www.sdxcentral.com/resources/sdn/why-sdn-software-defined-networking-or-nfv-network-functions-virtualization-now/
SOFTWARE DEFINED NETWORK: The Time for Changes in Networking is Now!
Legacy networking
• HARDWARE CENTRIC
• DEDICATED HARDWARE
• LENGTHY SERVICE CHANGES
• MANUAL PROCESSES
• LIMITED, EXPENSIVE SCALE & HA
• STATIC WORKLOADS/OPERATION
Cloud
• SOFTWARE CENTRIC & VIRTUALIZED
• FLEXIBLE INFRASTRUCTURE
• DYNAMIC & AGILE ORCHESTRATION
• AUTOMATED IT WORKFLOWS
• INNATELY RESILIENT & SCALABLE
• DYNAMIC WORKLOAD MODELS
SDN
• SOFTWARE CENTRIC CONTROL
• SOFTWARE OVERLAYS
• DYNAMIC & AGILE ORCHESTRATION
• AUTOMATED IT WORKFLOWS
• INNATELY RESILIENT & SCALABLE
• DYNAMIC CONFIG & OPERATION
SDN is an IMPERATIVE for CLOUD
CLOUD is an IMPERATIVE for ENTERPRISE
CONTRAIL: VIRTUALIZED AND AUTOMATED NETWORKING
• CONTROL PLANE, MANAGEMENT PLANE
• NETWORK PROGRAMMABILITY
• ENABLING NFV (NETWORK FUNCTION VIRTUALIZATION)
• VIRTUALIZED NETWORK SERVICES
• INTEROPERABILITY WITH THE PHYSICAL NETWORK
• NETWORK VIRTUALIZATION (PRIVATE, HYBRID)
• CONVERGED NETWORK ORCHESTRATION
• AUTOMATION, ANALYTICS
METAFABRIC END-TO-END NETWORKS: Multi-Data Center, Multi-Cloud, One Network
[Figure: two data centers (a private cloud and a hosted/managed private cloud), each built from MX (USG) edge routers, virtual and physical security, and QFX, EX and QFabric switching, joined over the WAN to each other, to the Internet, to a public cloud (hybrid) and to campus and branch sites, all managed by Junos Space Network Director.]
METAFABRIC END-TO-END NETWORKS: End-to-end virtual networking
[Figure: the same multi-data-center topology (MX (USG), virtual and physical security, QFX, EX and QFabric switching, private cloud, hosted/managed, public cloud (hybrid), campus and branch, WAN, Junos Space Network Director), overlaid with the virtual networking layers:]
VLANs & EVPN inside each data center
Application VPNs & Tenant VPNs (L3VPN & EVPN) across sites
VPC networks in each cloud
Any IP* underlay physical network
[Figure: VMware NSX. Two editions of NSX: NSX for Multi-hypervisor (NSX-MH controller over OVS/vSwitch on KVM, Xen or ESXi hosts) and NSX for vSphere (NSX controller over the DVS on vSphere ESXi hosts, optionally with vCD/vCAC). Both provide L2/L3 virtual networking with add-ons for NAT, FW, LB and VPNs; VMs are grouped into virtual networks (VN) on each host.]
Two editions of NSX
• NSX for Multi-hypervisor
• NSX for vSphere
• L2/L3 virtual networking
• Add-ons: NAT, FW, LB, VPNs
NSX CROSS SELL OPPORTUNITY
[Figure: NSX-MH controller over OVS/vSwitch hosts (KVM, Xen, ESXi) on top of a QFX5100 fabric (IP, VC, VCF or QFabric), with MX/EX9200 providing USG features towards the WAN; physical appliances (e.g. SRX) and bare metal (e.g. HPC) are attached through VLANs; managed by Junos Space Network Director.]
Virtual security portfolio is a cross-sell, though not NSX-integrated
METAFABRIC END-TO-END NETWORKS: Contrail
[Figure: the same multi-data-center topology (MX (USG), virtual and physical security, QFX, EX and QFabric switching, private cloud, hosted/managed, public cloud (hybrid), campus and branch, Junos Space Network Director), with Contrail providing the virtual networking.]
Contrail distribution
• Hardened OpenStack
• Contrail Networking
• Distributed storage
• Server management
BYO (bring your own)
[Figure: the Contrail Controller over hosts running the Contrail vRouter on KVM, Xen, ESXi or Docker (one VM acting as a FW alongside tenant VMs, grouped into VNs), and over Linux hosts running the vRouter directly; any IP underlay physical network; MX (or any PE router) as gateway; physical appliances (e.g. SRX) and bare metal (e.g. HPC) attached through VLANs; virtual appliances (e.g. Firefly).]
SDN: JUNIPER CONTRAIL
Overview
CONTRAIL COMPONENTS
[Figure: the Contrail Controller (Configuration, Control and Analytics nodes) above physical hosts, each running a hypervisor with a vRouter and its VMs; the physical network needs no changes; a gateway connects to the WAN and Internet. Interfaces: the orchestrator talks to the configuration node over a REST API; control nodes talk to the vRouters over XMPP, to the gateway router over BGP, and to each other (clustering) over BGP.]
Configuration: accepts requests from the orchestrator, creates the VMs and applies the network configuration.
Analytics: collects and analyzes real-time traffic and VM data and manages and analyzes the network elements.
Control: communicates with the network elements; uptime management and provisioning.
vRouter: the virtualized routing element on each host; its agent sits between the control plane and the forwarding plane, receiving routes from the controller and programming the forwarding plane that carries the traffic.
Gateway: interworking through a Juniper router or another vendor's router as the gateway is supported.
CONTRAIL & OPENSTACK COMPONENTS
[Figure: Horizon UI and Contrail Web UI on top. OpenStack services: Keystone (identity / access mgmt), Nova (compute orchestration) with its scheduler and the Contrail Neutron plugin, Glance (image server), Cinder (block storage), Swift (object storage). On the compute node: the hypervisor (Xen in the figure), the Nova agent, the Contrail agent and the vRouter. Contrail Config and Contrail Control sit beside Nova.]
Operator: the user logs in, creates a tenant (project), creates an IPAM, creates a virtual network and launches VMs.
Nova: authentication etc. against Keystone; gets the VM image to spawn from Glance; the scheduler selects the compute node to spawn the VM on and sends the info to spawn the VM to that node.
Compute node: the hypervisor spawns the VM; block storage is assigned; the Nova agent plugs the VM into the vRouter (tap interface, instance ID, ...).
Network-related interaction: the Neutron plugin hands the virtual network definition to Contrail Config; Contrail Control and the Contrail agent exchange state over a bi-directional message bus (XMPP); the agent gets the virtual network info and answers the VM's DHCP.
OPENSTACK INTEGRATION
[Figure: Horizon -> Nova API -> Nova Scheduler -> Nova Compute (compute driver and virtual-IF driver) on the compute node, next to the Contrail agent and the kernel vRouter (virtual router); the Neutron driver / Neutron plugin -> Configuration node -> Control node.]
1. Create an instance (VM info, network, IPAM, policies, etc.)
2. Schedule the instance on a compute node
3. VM network properties (Neutron plugin)
4. Create the VM interface (virtual-IF driver)
5. Add port (Neutron plugin -> configuration node)
6. Publish the VM interface on IF-MAP (configuration node -> control node)
7. VM interface config over XMPP (control node -> Contrail agent -> vRouter)
COMPUTE NODE: HYPERVISOR AND VROUTER
[Figure: a compute node hosting virtual machines of tenants A, B and C on tap interfaces (vif). The vRouter forwarding plane in the kernel holds one routing instance per tenant (A, B, C), each with its own flow table and FIB. The vRouter agent in user space holds the config, VRFs and policy table and talks to the JunosV Contrail Controller over XMPP; pkt0 links the kernel forwarding plane to the agent. Overlay tunnels (MPLS over GRE or VXLAN) leave through eth1 towards the top-of-rack switch.]
• The vRouter replaces the Linux bridge or OVS module in the hypervisor kernel.
• The vRouter performs bridging (E-VPN) and routing (L3VPN).
• The vRouter provides networking services such as security policy enforcement, NAT, multicast, mirroring and load balancing.
• No service nodes or L2/L3 gateways are needed for routing, broadcast, multicast or NAT.
COMPUTE NODE: FORWARDING / TUNNELING
[Figure: two compute nodes, each with a virtual machine (VN-IP1, VN-IP2) on a tap interface (vif), a routing instance with flow table and FIB in the vRouter forwarding plane, and eth1 (Phy-IP1, Phy-IP2) on the physical side. Overlay tunnels: MPLS over GRE or VXLAN. Packet view: inside the VM the packet is Virtual-IP2 + payload; on the physical network it is wrapped with the MPLS label / VNI and an outer header addressed to Phy-IP2.]
1. The guest OS sends an ARP request.
2. The vRouter receives the ARP and answers with the VRRP MAC.
3. The guest OS sends its traffic to the VRRP MAC; the vRouter attaches the MPLS label / VNI that belongs to the packet's destination and the GRE header.
4. The packet is then sent out through the physical network, and the reply is received the same way.
5. On the reply packet the MPLS label / VNI is checked and the packet is handed to the corresponding routing instance.
6. The vRouter strips the tag and delivers the packet to the guest OS.
SDN: JUNIPER CONTRAIL
Let's Build Virtual Networks
LOGICAL TOPOLOGY
[Figure: virtual network G with tenant virtual machines G1, G2 and G3; virtual network R with R1, R2 and R3; a virtual firewall VM FW between VN G and VN R; a physical gateway router to the physical network PN (Internet, L3VPN, ...).]
Legend: VM = tenant virtual machine; VN = virtual network; FW = virtual firewall; PN = physical network (Internet, L3VPN, ...) behind a physical gateway router.
PHYSICAL TOPOLOGY
[Figure: OpenStack (Nova, Neutron) with the Contrail Controller; virtualized servers running a hypervisor with the Contrail vRouter; underlay switches; a gateway router to the Internet or L3VPN.]
MAPPING OF LOGICAL TO VIRTUAL TOPOLOGY
[Figure: the logical topology (VN G with G1..G3, VN R with R1..R3, VM FW, the L3VPN) on the right, mapped onto the physical servers, controller and gateway on the left.]
STARTING POINT: EMPTY LOGICAL TOPOLOGY
[Figure: PHYSICAL on the left (OpenStack Nova/Neutron, Contrail Controller, empty servers); LOGICAL on the right (VN G with G1..G3, VN R with R1..R3, VM FW, PN), nothing instantiated yet.]
CREATE GREEN TENANT: CREATE VIRTUAL NETWORK "GREEN"
Create VN G
[Figure: VN G now exists as a logical object; no routing instance exists on any server yet.]
CREATE GREEN TENANT: CREATE VIRTUAL MACHINE "G1"
Create VM G1, attach to VN G
Nova: Create VM (G1 is placed on the first server)
Neutron: Attach VM to VN
XMPP: Create routing-instance (the controller instructs the vRouter hosting G1 to instantiate the Green routing instance)
CREATE GREEN TENANT: CREATE VIRTUAL MACHINE "G2"
Create VM G2, attach to VN G
Nova: Create VM (G2 is placed on the second server)
Neutron: Attach VM to VN
XMPP: Create routing-instance (a Green routing instance is now instantiated on the second server as well)
XMPP: Exchange routes, create tunnels (the two Green routing instances learn each other's VM routes and an overlay tunnel is set up between the two servers)
CREATE GREEN TENANT: FORWARDING TABLES AND ENCAPSULATION
Server S1 (hosts VM G1)
  Green routing-instance IP FIB
    IP prefix    Nexthop
    VM G1        Virtual ethernet port to VM G1
    VM G2        Push label L2 + GRE encaps to server S2
  Global MPLS FIB
    MPLS label   Nexthop
    L1           Pop + Green routing-instance
  Global IP FIB
    IP prefix    Nexthop
    Server S2    Physical ethernet port
Server S2 (hosts VM G2)
  Green routing-instance IP FIB
    IP prefix    Nexthop
    VM G1        Push label L1 + GRE encaps to server S1
    VM G2        Virtual ethernet port to VM G2
  Global MPLS FIB
    MPLS label   Nexthop
    L2           Pop + Green routing-instance
  Global IP FIB
    IP prefix    Nexthop
    Server S1    Physical ethernet port
Packet from VM G1 to VM G2 on the wire between S1 and S2 (outermost header first):
  Ethernet:        source MAC server S1, dest MAC server S2
  Outer IP header: source IP server S1, dest IP server S2
  GRE
  MPLS label:      L2
  Inner IP header: source IP VM G1, dest IP VM G2
  Payload
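The forwarding tables above and the six-step tunneling sequence on the earlier compute-node slide, carried through in code. This is an added example, not Contrail's code or the vRouter's data structures: the addresses, MACs and label numbers are constructed, the labels L1/L2 are taken as 17/18, and the GRE carries MPLS unicast (Ethertype 0x8847) exactly as in the packet layout on the slide. It builds the real byte layout of the encapsulated packet on S1, then runs S2's receive path, where the MPLS label alone decides which routing instance the inner packet is looked up in.

```python
import ipaddress
import struct

# Constructed addressing for the two servers on the slide (assumptions, not
# from the deck): underlay (physical) addresses and overlay (VN G) addresses.
PHY_IP = {"S1": "10.0.0.1", "S2": "10.0.0.2"}
PHY_MAC = {"S1": bytes.fromhex("525400000001"), "S2": bytes.fromhex("525400000002")}
VM_IP = {"G1": "192.168.1.11", "G2": "192.168.1.12"}
LABEL = {"G1": 17, "G2": 18}            # L1 and L2 on the slide (labels 0-15 are reserved)

ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47
GRE_PROTO_MPLS = 0x8847                   # MPLS unicast carried inside GRE

# Forwarding tables per server, transcribed from the slide.
FIB = {
    "S1": {"green": {VM_IP["G1"]: ("vif", "G1"),
                     VM_IP["G2"]: ("push_gre", LABEL["G2"], "S2")},
           "mpls":  {LABEL["G1"]: ("pop", "green")},
           "ip":    {PHY_IP["S2"]: ("phy", "eth1")}},
    "S2": {"green": {VM_IP["G1"]: ("push_gre", LABEL["G1"], "S1"),
                     VM_IP["G2"]: ("vif", "G2")},
           "mpls":  {LABEL["G2"]: ("pop", "green")},
           "ip":    {PHY_IP["S1"]: ("phy", "eth1")}},
}

def ip_checksum(data):
    """RFC 1071 one's-complement checksum over the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header with a valid checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
              ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed]
    fields[7] = ip_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)

def mpls_entry(label, ttl=64):
    """One MPLS label stack entry: 20-bit label, TC=0, bottom-of-stack set, TTL."""
    return struct.pack("!I", (label << 12) | (1 << 8) | ttl)

def tunnel_label(frame):
    """Label in a frame built by vrouter_transmit: after 14 B Ethernet, 20 B IP, 4 B GRE."""
    return struct.unpack("!I", frame[38:42])[0] >> 12

def vm_packet(src_vm, dst_vm, payload):
    """The inner IPv4 packet as the guest hands it to its tap interface (UDP, proto 17)."""
    return ipv4_header(VM_IP[src_vm], VM_IP[dst_vm], 17, len(payload)) + payload

def vrouter_transmit(server, ri, inner):
    """Look the inner destination up in routing instance <ri> on <server>:
    deliver to a local vif, or push the label and GRE-encapsulate to the remote server."""
    dst = str(ipaddress.ip_address(inner[16:20]))
    nh = FIB[server][ri].get(dst)
    if nh is None:
        return None                                   # no route in this RI: drop
    if nh[0] == "vif":
        return ("vif", nh[1], inner)
    _, label, remote = nh
    if PHY_IP[remote] not in FIB[server]["ip"]:
        return None                                   # underlay next hop unknown: drop
    tunnel = struct.pack("!HH", 0, GRE_PROTO_MPLS) + mpls_entry(label) + inner
    outer = ipv4_header(PHY_IP[server], PHY_IP[remote], IPPROTO_GRE, len(tunnel))
    eth = PHY_MAC[remote] + PHY_MAC[server] + struct.pack("!H", ETHERTYPE_IPV4)
    return ("phy", "eth1", eth + outer + tunnel)

def vrouter_receive(server, frame):
    """Receive path: outer IPv4 -> GRE -> MPLS label -> global MPLS FIB selects the
    routing instance -> inner lookup in that RI.  Only the label picks the tenant;
    the inner addresses play no part in that choice."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    outer = frame[14:34]
    if outer[9] != IPPROTO_GRE or ipaddress.ip_address(outer[16:20]) != ipaddress.ip_address(PHY_IP[server]):
        return None                                   # not GRE, or not addressed to us
    flags, proto = struct.unpack("!HH", frame[34:38])
    if flags != 0 or proto != GRE_PROTO_MPLS:
        return None
    action = FIB[server]["mpls"].get(tunnel_label(frame))
    if action is None:
        return None                                   # unknown label: drop
    return vrouter_transmit(server, action[1], frame[42:])

if __name__ == "__main__":
    kind, port, frame = vrouter_transmit("S1", "green", vm_packet("G1", "G2", b"hello"))
    print(kind, port, "label", tunnel_label(frame), "->", vrouter_receive("S2", frame)[:2])
```

Two things the bytes make visible that the tables alone do not: the Green routing instance is selected purely by the label in the MPLS header, so a tenant VM cannot reach another tenant's routing instance by forging inner addresses (its packets never carry a label of their own), but the GRE and MPLS headers carry no authentication at all, so any host that can place GRE frames on the underlay with a valid label lands inside that tenant. That is why the underlay in this design has to be a closed, trusted network with the vRouters as its only endpoints.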
CREATE GREEN TENANT: CREATE VIRTUAL MACHINE "G3"
Create VM G3, attach to VN G
Nova: Create VM (G3 is placed on the third server)
Neutron: Attach VM to VN
XMPP: Create routing-instance (a Green routing instance is instantiated on the third server)
XMPP: Exchange routes, create tunnels (all three Green routing instances now hold routes to G1, G2 and G3, with tunnels between every pair of servers)
CREATE GREEN TENANT: END STATE
[Figure: VN G with G1, G2 and G3 on the logical side; a Green routing instance on each of the three servers on the physical side, fully meshed with overlay tunnels. VN R, VM FW and PN still exist only as logical objects.]
CREATE RED TENANT: SAME STEPS AS GREEN TENANT
[Figure: VN R with R1, R2 and R3 is created the same way: Nova creates each VM, Neutron attaches it to VN R, and over XMPP a Red routing instance is created on each hosting server, routes are exchanged and tunnels are created. Green and Red routing instances coexist on the same servers but share no routes.]
CONNECT GREEN TO RED TENANT VIA FIREWALL: CREATE VIRTUAL MACHINE FOR FIREWALL
Create VM FW, attach to VN G, attach to VN R
Nova: Create VM
CONNECT GREEN TO RED TENANT VIA FIREWALL: ATTACH FIREWALL TO RED AND GREEN VIRTUAL NETWORKS
Neutron: Attach VM to VNs (the firewall gets one interface in VN G and one in VN R)
XMPP: Create routing-instance (the firewall's server now holds both a Green and a Red routing instance, each with one firewall interface)
CONNECT GREEN TO RED TENANT VIA FIREWALL: APPLY POLICY, EXCHANGE ROUTES, AND CREATE TUNNELS
Apply Policy VN G ↔ VN R
XMPP: Exchange routes, create tunnels (with the policy in place, the controller re-originates the Red routes into the Green routing instances with the firewall's green-side interface as next hop, and vice versa; the vRouters build the tunnels towards the firewall's server)
CONNECT GREEN TO RED TENANT VIA FIREWALL: END STATE
[Figure: the logical topology now shows VN G and VN R joined through VM FW; on the physical side every Green and Red routing instance has routes to the other tenant that point at the firewall.]
CONNECT GREEN TO RED TENANT VIA FIREWALL: DATA PLANE: RED ↔ GREEN TRAFFIC FORCED THROUGH THE FIREWALL
[Figure: a packet from a Red VM to a Green VM is tunneled from the Red routing instance on its server to the firewall's red-side interface, passes through VM FW, and leaves the firewall's green-side interface into the Green routing instance, which tunnels it to the destination server. There is no path between the two tenants that bypasses the firewall.]
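A toy model of the control-plane steps from "Create green tenant" through the firewall policy above. This is an added example, not Contrail's code and not its XMPP or BGP machinery: it only reproduces which routing instances exist on each server and what each one's IP FIB holds after route exchange. Server placement (S1..S3), addresses and the label numbers it allocates are assumptions. It replays the slides: create VN G and VN R, launch G1..G3 and R1..R3 one per server, then launch the FW VM with an interface on each VN and apply the G ↔ R policy through it.

```python
from collections import namedtuple

# One VM interface: a VM attached to one VN, with the label the controller
# allocates for that interface (allocation order is an assumption).
Iface = namedtuple("Iface", "vm server vn ip label")

class ContrailModel:
    """Simplified control plane: routing instances per server and their FIBs.
    Added example; the real controller distributes this state over XMPP."""

    def __init__(self):
        self.vns = set()
        self.ifaces = []        # every VM interface in the cluster
        self.policies = []      # (vn_a, vn_b, service_vm or None)
        self._next_label = 16   # first unreserved MPLS label

    def create_vn(self, vn):
        """Neutron: create virtual network.  No routing instance exists yet."""
        self.vns.add(vn)

    def launch_vm(self, vm, server, attachments):
        """Nova: create VM; Neutron: attach VM to VN(s).  attachments maps
        VN name -> the VM's address on that VN; the firewall attaches to two."""
        for vn, ip in attachments.items():
            if vn not in self.vns:
                raise ValueError("unknown virtual network: %s" % vn)
            self.ifaces.append(Iface(vm, server, vn, ip, self._next_label))
            self._next_label += 1

    def apply_policy(self, vn_a, vn_b, via=None):
        """Network policy between two VNs.  With via=<vm> the traffic between
        them is forced through that service VM (the FW on the slides)."""
        self.policies.append((vn_a, vn_b, via))

    def routing_instances(self, server):
        """XMPP: create routing-instance.  A vRouter only instantiates the RI
        of a VN once it hosts an interface on that VN."""
        return sorted({i.vn for i in self.ifaces if i.server == server})

    def _nexthop(self, server, iface):
        """Local interface -> vif; remote -> tunnel to its server with its label."""
        if iface.server == server:
            return ("vif", iface.vm)
        return ("tunnel", iface.server, iface.label)

    def fib(self, server, vn):
        """IP FIB of routing instance <vn> on <server> after route exchange,
        or None when that RI does not exist on that server."""
        if vn not in self.routing_instances(server):
            return None
        routes = {i.ip: self._nexthop(server, i) for i in self.ifaces if i.vn == vn}
        for vn_a, vn_b, via in self.policies:
            if vn not in (vn_a, vn_b):
                continue
            other = vn_b if vn == vn_a else vn_a
            # Routes from <other> are re-originated into <vn> with the service
            # VM's own interface on <vn> as next hop, so traffic must cross it.
            svc = [i for i in self.ifaces if i.vm == via and i.vn == vn]
            for i in self.ifaces:
                if i.vn != other or i.vm == via:
                    continue
                if via is None:
                    routes[i.ip] = self._nexthop(server, i)      # plain route leak
                elif svc:
                    routes[i.ip] = self._nexthop(server, svc[0])
        return routes

def build_slides(connect_via_firewall=True):
    """Replays the slide sequence with constructed placement and addresses."""
    m = ContrailModel()
    for vn in ("G", "R"):
        m.create_vn(vn)
    for n, server in enumerate(("S1", "S2", "S3"), 1):
        m.launch_vm("G%d" % n, server, {"G": "10.1.0.%d" % n})
    for n, server in enumerate(("S1", "S2", "S3"), 1):
        m.launch_vm("R%d" % n, server, {"R": "10.2.0.%d" % n})
    if connect_via_firewall:
        m.launch_vm("FW", "S2", {"G": "10.1.0.254", "R": "10.2.0.254"})
        m.apply_policy("G", "R", via="FW")
    return m

if __name__ == "__main__":
    m = build_slides()
    for server in ("S1", "S2", "S3"):
        for vn in m.routing_instances(server):
            print(server, vn, m.fib(server, vn))
```

Run without the firewall (build_slides(False)) and the Green FIB on S1 simply has no entry for any Red address: tenant isolation in this design comes from the absence of routes, not from a filter that could be misconfigured. With the policy, even R1 and G1, which sit on the same server, reach each other only through a tunnel to the firewall on S2, which is the "forced through the firewall" data-plane slide. The via=None branch shows the other side of that coin: a policy without a service VM leaks the routes directly, so policies are the object to audit.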
CONNECT RED TENANT TO PHYSICAL L3VPN: CONFIGURE L3VPN ROUTING INSTANCE
Apply Policy VN R ↔ L3VPN
Netconf: Configure routing-instance (the controller configures the matching L3VPN routing instance on the physical gateway router)
CONNECT RED TENANT TO PHYSICAL L3VPN: EXCHANGE ROUTES WITH PHYSICAL ROUTER, CREATE TUNNELS
BGP: Exchange routes, create tunnels (the controller and the gateway router exchange the Red and L3VPN routes over BGP, and tunnels are created between the vRouters and the gateway)
CONNECT RED TENANT TO PHYSICAL L3VPN: EXCHANGE ROUTES WITH VROUTERS, CREATE TUNNELS
XMPP: Exchange routes, create tunnels (the controller pushes the L3VPN routes into the Red routing instances on the vRouters over XMPP)
[Figure: the logical topology now shows VN R connected to the L3VPN through the physical gateway router, with VN G still reaching VN R only through VM FW.]
FLEXIBLE AND DYNAMIC CHAINING OF SERVICES
[Figure: LOGICAL view: virtual network GREEN (G1, G2, G3) is chained through Service A, Service B and Service C to virtual network YELLOW (Y1, Y2, Y3). PHYSICAL view: hosts with hypervisors over an IP fabric (switch underlay); each host holds a pool of VMs and virtualized network functions (G1..G3, Y1..Y3 and the services A, B, C) placed wherever capacity allows.]
WHY CONTRAIL? When there are not many cloud service nodes
L3 Gateway
Load-Balancing
Network Extension
WHY CONTRAIL? When the number of cloud service nodes grows
Resource Mgmt
Elastic Services
Dynamic Config & Operations