1 Copyright © 2015 Juniper Networks, Inc. www.juniper.net
JUNIPER NETWORKS This is already real: Ten times more scalability and performance in virtual networks with Juniper Contrail
Ivan Sandano - Systems Engineer
CONTRAIL NETWORKING OVERVIEW

SOLUTION ADVANTAGES
• Any physical IP network switch underlay (e.g. IP, VCF, QF or Junos Fusion)
• Broad DCIM automation compatibility
• Virtual network management additions to Horizon
• Multi-vendor router and switch gateways using open standards federation:
  • BGP, EVPN, OVSDB control plane
  • MPLS over GRE/UDP, VXLAN data plane overlays

[Figure: Contrail controller (Contrail includes the vRouter and the Controller; runs on Compute Linux and supports BMS) above any IP network underlay. vRouters on hypervisor hosts attach VMs to virtual networks (VN); XMPP control plane between controller and vRouters; BGP control plane to any DC edge router (e.g. MX as USG) for DC interconnect; network appliances (e.g. SRX), VNFs and bare-metal servers (e.g. SQL Server) attach via VLAN; DCIM $fab.]
MARKET CONTEXT & TRENDS
WHAT IS CLOUD? DATA CENTER EVOLUTION

[Figure: two panels. TRADITIONAL: standalone applications on dedicated resources; physical servers, switches, router, a dedicated LB device and a security device (FW, IPS) each with their own policies and ACLs; the admin does manual device config and custom policy config and must carry the deployment knowledge. VIRTUALIZATION: standalone applications on virtualized resources; virtual machines on VLANs, a vLB and vSecurity, LB / security policies and ACLs, VLAN config, with an orchestrator between the admin and the devices.]

Main challenges (some are solved by virtualization):
• Sub-optimal device utilization
• Static and inflexible
• TCO (capex, opex)
• Physically constrained
• Siloed
• Manual device config
• Custom policy config
• Deployment knowledge
ENTERPRISE EVOLUTION TRENDS

• ENTERPRISE DC (1000's): today a large number of enterprises run all enterprise apps on-prem (traditional / standard apps such as CRM, ERP, Auth, BI, Expense, Database, Helpdesk; custom apps; dynamic apps such as what-if analysis and analytics).
• ENTERPRISE PRIVATE CLOUDS (100's): fewer private clouds, in the financial, healthcare, hi-tech, oil & gas and government sectors; cost, compliance and security are the primary drivers.
• EMERGENCE OF SAAS CLOUDS: app vendors are migrating to SaaS clouds; almost every traditional app has a SaaS offering (multiple SaaS clouds).
• PUBLIC CLOUD MIGRATION: custom apps are migrating to public and SaaS clouds; dynamic apps are migrating to public clouds, but some still remain on-prem.
• EXCHANGE (e.g. Equinix): provides high-speed connectivity enabling hybrid clouds.
HYPERVISORS AND CONTAINERS

Type 1 hypervisor: VMware, Hyper-V, Xen
Type 2 hypervisor: KVM/QEMU, VirtualBox (KVM itself is a kernel module and is commonly classed as type 1; the slide groups it with the QEMU user-space process)
Container: LXC, Docker

• Containers are "orders of magnitude" better than virtual machines:
  • Share the host OS
  • Multi-tenancy at OS level
  • Building images takes minutes instead of hours
  • Launching takes seconds instead of minutes
  • Lower storage requirements
  • Lower memory requirements
• Drawbacks:
  • Limited tools / OS options
  • Weaker isolation (the shared kernel is the isolation boundary)
CLOUD PROVIDERS ARE INNOVATING FASTER

• Time to service deployment (code to production launch): Telco 6-7 months (China Mobile: 6-7 months per service, mostly manual) vs. Amazon: a few seconds (a deploy every 11 seconds, on average 10K and at most 30K servers at a time, using continuous integration & deployment).
• Operating expenses (servers managed per admin): Telco < 100 (operator DC: each admin manages up to ~100 servers, large headcount) vs. Google: 1 admin per 15,000 servers.
• Operational complexity (# of SKUs to manage): Telcos 1,000's (NSN: 1000's of SKUs makes it overly complex) vs. Google: ~10 configs (shared hardware system bundles).

Opportunity for accelerating TTM, reducing costs and optimizing operations for Telcos. Dynamic network service automation is the key priority for Service Providers.
WHAT IS OPENSTACK
Bundle of open source software to orchestrate compute, networking and storage, in order to manage and offer virtual machines.
Allows enterprises and service providers to build their own AWS-like cloud.

OPENSTACK ECOSYSTEM
CLOUD CUSTOMER ASKS: INTERCONNECT MULTIPLE HETEROGENEOUS ENVIRONMENTS

[Figure: a service overlay over an underlay spanning DC or POP 1 and DC or POP 2, each behind a gateway router; physical service appliances (LB, WAN opt, firewall), virtualized service VMs, legacy servers & storage (VLAN, VMware based), bare-metal servers & storage, VMs & containers, public clouds (AWS, GCE, ...), and a customer branch with CPE / vCPE.]

Customer asks:
• Legacy interconnect
• Hybrid cloud
• Multi-DC distributed cloud
• Physical + virtual interconnect
• Physical + virtual service insertion
• Management of VMs & containers

PRODUCT OVERVIEW
PRODUCT EVOLUTION (increasing levels of integration)

• Contrail Networking: cloud networking (network virtualization, virtualized network services); multiple orchestration support (OpenStack, VMware ESXi, vCenter, IBM CO).
• Contrail Cloud: cloud orchestration (compute orchestration with OpenStack, server OS Ubuntu) + Contrail Networking; integrated management (server management, distributed & scale-out storage).
• Contrail Cloud Reference Architecture: integrated cloud PODs (reference architecture – PODs) + Contrail Cloud.
CONTROLLER BASED VS. CONTROLLER-LESS FABRIC

Controller based:
• Centralized management
• Higher level of abstraction: group based policies & service chaining
• Integration with the virtualization stack (VMware, Contrail)

Controller-less fabric:
• Network centric view
• Lower level of abstraction
• Serves bare-metal workloads
• Overlay at the network edge instead of the host

OPENSTACK LOGICAL DEPLOYMENT TOPOLOGY
OPENSTACK & CONTRAIL

[Figure: OpenStack services (Horizon UI, Keystone identity / access management, Nova compute orchestration with API server and scheduler, Glance image server, Cinder block storage, Swift object storage, Neutron plugin) alongside the Contrail Web UI, Contrail Config and Contrail Control; on each compute node a hypervisor (Xen shown), Nova agent, Contrail agent and vRouter.]

VM launch flow as drawn:
1. The operator logs in (authentication against Keystone), creates a tenant (project), an IPAM and a virtual network, and launches a VM.
2. The Nova API server and scheduler select a compute node to spawn the VM on; Glance supplies the VM image to spawn.
3. The Nova agent on the compute node passes the spawn info to the hypervisor; the VM is spawned and Cinder assigns block storage.
4. Network related interaction: the Neutron plugin hands the virtual network info to Contrail Config; Contrail Control pushes it to the Contrail agent on the compute node over the bi-directional XMPP message bus; the agent plugs the VM's tap interface (instance ID, ...) into the vRouter and serves DHCP.
PRODUCT PHILOSOPHY
• Use standard protocols for multi-vendor system integration (BGP, XMPP, OVSDB, ...)
• Support 3rd party / multi-vendor NF out-of-the-box (technology alliance partners, VNF validation, service chaining using routing, ...)
• Support both virtual and physical (installed base) (VNF + PNF, bare metal server integration, ...)
• Open-source product (Contrail Networking, OpenStack, ...)
• Leverage hardware offload wherever possible (offload to NIC, smart NICs, etc.)
CONTRAIL KEY FEATURES
• Routing & switching (IPv4, IPv6)
• Network services (IPAM, DNS, DHCP, SNAT, floating IP, QoS)
• Load balancing (customizable ECMP)
• Security policy enforcement, distributed FW
• 3rd party network services
• Gateway services (L2, L3 GW)
• Rich analytics, overlay-underlay correlation
• Service chaining (PNF, VNF, etc.)
• High availability
• API services (multi-vendor orchestration)

ARCHITECTURE
CONTRAIL ARCHITECTURE

[Figure: Orchestrator (compute orchestration; network / storage orchestration) on top of the Contrail Controller (config, control, analytics, server management). Centralized policy definition in the controller, distributed policy enforcement in the vRouters. Each host O/S runs a vRouter; the physical IP fabric needs no changes; TOR switches connect bare-metal servers (Windows, Linux, ...) on BMS; a gateway connects to the Internet / WAN or legacy environment. Control-plane protocols: BGP to the gateway, XMPP to the vRouters, OVSDB to the TOR. Logical view: Virtual Network Blue and Virtual Network Red joined through a FW.]
CONTRAIL (MULTI-VENDOR) ARCHITECTURE

The same figure, annotated:
• Config plane: bi-directional real-time message bus using XMPP (controller to vRouters).
• Control plane: BGP control plane (logically centralized, physically distributed controller elements).
• Data plane: overlay tunnels (MPLSoGRE, MPLSoUDP, VXLAN) over the physical IP fabric (no changes).
• Automation: REST APIs to integrate with different orchestration systems; interoperates with different orchestration systems.
• Control / config plane for bare metal support: OVSDB; multi-vendor TOR support to connect bare-metal servers (Windows, Linux, ... on BMS) using standard control-plane and config-plane protocols.
• Multi-vendor SDN gateway: any router that can talk BGP and the dynamic tunneling protocols, toward the Internet / WAN or legacy environment.
• Scale-out multi-vendor VNFs can run on the same platform; integrates with different Linux hosts, multiple hypervisors, containers and multi-vendor x86 servers.
DATA PLANE FOR LAYER 3 OVERLAYS (MPLS/GRE)

Packet walk for VM G1 on server S1 sending to VM G2 on server S2, across switches X1, X2 and X3:

1. VM G1 ARPs for VM G2. vRouter S1 replies to the ARP request with the VRRP MAC (00-00-5E-00-01-00), so G1 sends the packet to the vRouter:
   Eth      Src = MAC G1, Dst = 00-00-5E-00-01-00
   IP       Src = IP G1, Dst = IP G2
   Payload

2. vRouter S1 looks up IP G2 in its L3 forwarding table: VM G2 → push the MPLS label allocated by vRouter S2 and send over the GRE tunnel to server S2.

3. On the wire between S1 and S2 the packet is:
   Eth      Src = MAC S1, Dst = MAC S2
   IP       Src = IP S1, Dst = IP S2 (protocol GRE)
   GRE
   MPLS     label allocated by vRouter S2
   IP       Src = IP G1, Dst = IP G2
   Payload
   The switches forward on the outer destination MAC only (L2 forwarding table entries as drawn: MAC S2 → Switch X3, MAC S2 → Switch X2, MAC S2 → Server S2); the underlay never sees the tenant addresses or the label.

4. vRouter S2 strips the outer headers and looks up the label in its forwarding table: VM G2 → local, send to the virtual interface of VM G2.

5. VM G2 receives:
   Eth      Src = 00-00-5E-00-01-00, Dst = MAC G2
   IP       Src = IP G1, Dst = IP G2
   Payload
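The walk above, as an added example in Python that is not part of the deck or of Contrail's vRouter: it builds the frame G1 emits after the ARP exchange, performs vRouter S1's VRF lookup and MPLSoGRE push, and performs vRouter S2's label lookup and re-framing. All MACs, IPs, the label value 17 and both tables are constructed for the illustration; the VRRP MAC 00-00-5E-00-01-00 is the one on the slides.

```python
"""MPLS-over-GRE L3 overlay forwarding as the slides walk it (VM G1 on server S1 to
VM G2 on server S2), built with `struct` only so it runs anywhere. Added example, not
Contrail's vRouter code: MACs, IPs, the label value and the tables are constructed."""
import ipaddress
import struct

ETH_P_IP = 0x0800
IPPROTO_GRE = 47
GRE_PROTO_MPLS = 0x8847                        # GRE protocol type for MPLS unicast
VRRP_MAC = bytes.fromhex("00005e000100")       # 00-00-5E-00-01-00, the vRouter gateway MAC

# Constructed addresses. Tenant (overlay) and fabric (underlay) spaces are independent.
MAC_G1, MAC_G2 = bytes.fromhex("525400000001"), bytes.fromhex("525400000002")
MAC_S1, MAC_S2 = bytes.fromhex("001122000001"), bytes.fromhex("001122000002")
IP_G1, IP_G2 = "10.1.1.11", "10.1.1.12"
IP_S1, IP_S2 = "192.0.2.1", "192.0.2.2"
LABEL_G2 = 17                                  # label vRouter S2 allocated for G2's VIF

# vRouter S1: L3 forwarding table of the tenant VRF.
S1_VRF = {
    IP_G2: ("tunnel", IP_S2, MAC_S2, LABEL_G2),
    IP_G1: ("local", "vif-g1"),
}
# vRouter S2: label -> (local VIF, VM MAC).
S2_LABELS = {LABEL_G2: ("vif-g2", MAC_G2)}


def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total >> 16) + (total & 0xFFFF)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_eth(dst: bytes, src: bytes, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ETH_P_IP) + payload


def mpls_header(label: int, ttl: int = 64) -> bytes:
    # 20-bit label | 3-bit TC (0) | bottom-of-stack = 1 | 8-bit TTL
    return struct.pack("!I", (label << 12) | (1 << 8) | ttl)


def vrouter_s1_encap(frame: bytes) -> bytes:
    """G1 addressed the frame to the VRRP MAC, so S1 routes it: strip the tenant
    Ethernet header, look up the inner destination in the VRF, push the label S2
    allocated, and tunnel it in GRE from IP S1 to IP S2."""
    if frame[:6] != VRRP_MAC or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        raise ValueError("not an IPv4 packet sent to the vRouter gateway MAC")
    inner_ip = frame[14:]
    dst_ip = str(ipaddress.IPv4Address(inner_ip[16:20]))
    entry = S1_VRF.get(dst_ip)
    if entry is None:
        raise LookupError("no route in tenant VRF: drop")
    if entry[0] == "local":
        return frame                              # same host: hand straight to that VIF
    _, nh_ip, nh_mac, label = entry
    gre = struct.pack("!HH", 0, GRE_PROTO_MPLS)   # flags 0: no checksum, key or sequence
    outer_ip = build_ipv4(IP_S1, nh_ip, IPPROTO_GRE, gre + mpls_header(label) + inner_ip)
    return build_eth(nh_mac, MAC_S1, outer_ip)


def vrouter_s2_decap(frame: bytes):
    """Pop Ethernet/IP/GRE, read the label, choose the VIF by label alone (the inner
    IP header is not consulted), and re-frame the packet for G2 with the VRRP MAC as
    source. Returns (vif, frame delivered to the VM)."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        raise ValueError("outer frame is not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_GRE:
        raise ValueError("outer IP protocol is not GRE")
    gre_flags, gre_proto = struct.unpack("!HH", ip[ihl:ihl + 4])
    if gre_flags != 0 or gre_proto != GRE_PROTO_MPLS:
        raise ValueError("unexpected GRE header")
    mpls = struct.unpack("!I", ip[ihl + 4:ihl + 8])[0]
    label, bottom_of_stack = mpls >> 12, (mpls >> 8) & 1
    if not bottom_of_stack:
        raise ValueError("only a single-label stack is expected here")
    if label not in S2_LABELS:
        raise LookupError("unknown label: drop")  # nothing else identifies the tenant
    vif, vm_mac = S2_LABELS[label]
    return vif, build_eth(vm_mac, VRRP_MAC, ip[ihl + 8:])


def walk_g1_to_g2(payload: bytes = b"hello") -> dict:
    """Full walk: what G1 emits, what crosses the fabric, what G2 receives."""
    inner = build_ipv4(IP_G1, IP_G2, 17, payload)      # protocol 17, payload left opaque
    from_vm = build_eth(VRRP_MAC, MAC_G1, inner)
    on_wire = vrouter_s1_encap(from_vm)
    vif, to_vm = vrouter_s2_decap(on_wire)
    return {"inner": inner, "on_wire": on_wire, "vif": vif, "to_vm": to_vm}
```

Two things the byte layout makes visible: the underlay switches see only the outer headers (42 bytes of encapsulation ahead of the tenant IP packet), and the receiving vRouter selects the VIF from the label alone, so the label is the only tenant identifier on the wire. GRE and MPLS carry no authentication; tenant separation therefore rests on the fabric delivering GRE only from trusted vRouters and gateways.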
Junos Automation Architecture Overview / saltstack

[Figure: automation layers. An orchestration system (OpenStack, VMware vCloud Center, Tivoli, Chef, Puppet or proprietary OSS/BSS), scripts & tools (Ansible, Chef, Puppet, Cobbler, Ganglia, ...) and 3rd party applications (App 1 ... App N) talk over REST / other to the Contrail platform (Contrail system), the Junos Space platform (Space system, with SD, CSD and ND applications) and the NorthStar controller (PCEP). Southbound: XMPP, BGP / NetConf and NetConf / YANG to the virtual network (vMX & vRouters, 3rd party vSwitches, Juniper or 3rd party vServices) and to the physical network: routers (MX, PTX, T, ...), gateways (MX, EX, ...), switches (EX, QFX, QFabric, ...), services (SRX, SDG, SA, ...), also via NetConf / YANG / OpenConfig / PCEP / I2RS / REST / OpenFlow / SLAX / SNMP. Compute and storage: virtualized servers, non-virtualized servers, storage.]

SECURITY AND SERVICE CHAINING
MICROSEGMENTATION / DISTRIBUTED FW

[Figure: Logical view (policy definition): Virtual Network Green (G1, G2, G3), Virtual Network Blue (B1, B2, B3) and Virtual Network Yellow (Y1, Y2, Y3). Between Green and Blue a Contrail security policy (e.g. allow only HTTP traffic); non-HTTP traffic is dropped. Between Green and Yellow a Contrail policy with a firewall service. Security groups apply to individual VMs. Physical view (policy enforcement): the VMs and the virtualized network function pool are spread across hosts (host + hypervisor) over the IP fabric (switch underlay); intra-network traffic flows directly, inter-network traffic traverses the service.]
MICROSEGMENTATION - NETWORK POLICIES
At a high level of abstraction, applied at the boundaries of virtual networks
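An added Python model of the policy layering the two slides describe (not Contrail code): a centrally defined policy per pair of virtual networks plus per-VM security groups, enforced by the vRouter on the host that owns the source VM. The VM and network names follow the figure; the hosts, rule contents and sample flows are constructed.

```python
"""Contrail-style network policy evaluated the way the slides draw it: policies are
defined once, centrally, per virtual-network pair; every vRouter enforces them on the
flows of its own VMs. Added example, not Contrail code; hosts, rules and flows are
constructed for the illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_vm: str
    dst_vm: str
    proto: str            # "tcp", "udp", "icmp"
    dst_port: Optional[int]


# Constructed inventory: which VN each VM belongs to and which host runs it.
VM_VN = {"G1": "green", "G2": "green", "G3": "green",
         "B1": "blue", "B2": "blue", "Y1": "yellow"}
VM_HOST = {"G1": "host-a", "B1": "host-a", "G2": "host-b", "Y1": "host-b",
           "G3": "host-c", "B2": "host-c"}

# Centralized policy definition, as on the slide: green<>blue allows only HTTP,
# green<>yellow sends everything through a firewall service. Rules are symmetric
# (both directions) and the first match wins.
POLICIES = [
    {"vns": ("green", "blue"), "proto": "tcp", "dst_port": 80, "action": "pass"},
    {"vns": ("green", "yellow"), "proto": "any", "dst_port": None, "action": "service:fw-1"},
]

# Security groups: per-VM ingress allow-list of (proto, port); "any"/None match all.
# A VM with no entry has no security group applied in this model (an assumption).
SECURITY_GROUPS = {
    "B1": [("tcp", 80)],
    "Y1": [("any", None)],
    "G3": [("tcp", 22)],
}


def _match(rule_proto, rule_port, proto, port) -> bool:
    return rule_proto in ("any", proto) and (rule_port is None or rule_port == port)


def evaluate(flow: Flow) -> str:
    """Verdict for a new flow at the vRouter that owns flow.src_vm.

    Order mirrors the slide: the network policy decides whether two VNs may talk at
    all (and whether a service sits in between); the destination's security group is
    a second, VM-level filter. Intra-VN traffic needs no policy."""
    src_vn, dst_vn = VM_VN[flow.src_vm], VM_VN[flow.dst_vm]
    verdict = "pass"
    if src_vn != dst_vn:
        verdict = "deny:no-policy"        # VNs are isolated unless a policy connects them
        for rule in POLICIES:
            if set(rule["vns"]) == {src_vn, dst_vn} and \
                    _match(rule["proto"], rule["dst_port"], flow.proto, flow.dst_port):
                verdict = rule["action"]
                break
    if verdict.startswith("deny"):
        return verdict
    sg = SECURITY_GROUPS.get(flow.dst_vm)
    if sg is not None and not any(_match(p, port, flow.proto, flow.dst_port) for p, port in sg):
        return "deny:security-group"
    return verdict


def enforce_distributed(flows) -> dict:
    """Distributed enforcement: each host evaluates only the flows sourced by its own
    VMs, so denied traffic never reaches the fabric. Returns host -> [(flow, verdict)]."""
    per_host = {}
    for f in flows:
        per_host.setdefault(VM_HOST[f.src_vm], []).append((f, evaluate(f)))
    return per_host


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("G1", "B1", "tcp", 80),     # green -> blue HTTP: allowed by policy and SG
    Flow("G1", "B1", "tcp", 22),     # green -> blue SSH: no matching policy -> dropped
    Flow("B1", "G1", "tcp", 80),     # symmetric rule: blue -> green HTTP also passes
    Flow("G2", "G3", "tcp", 443),    # intra-VN, but G3's security group only allows tcp/22
    Flow("G2", "G3", "tcp", 22),     # intra-VN and allowed by the security group
    Flow("G1", "Y1", "udp", 53),     # green -> yellow: steered through the firewall service
    Flow("B2", "Y1", "icmp", None),  # blue -> yellow: no policy at all -> dropped
]

if __name__ == "__main__":
    for host, results in enforce_distributed(SAMPLE_FLOWS).items():
        for f, verdict in results:
            print(f"{host}: {f.src_vm}->{f.dst_vm} {f.proto}/{f.dst_port}: {verdict}")
```

The point to check in a real deployment is the same one the model encodes: a policy that connects two VNs is evaluated before, not instead of, the security group, so opening a VN pair for HTTP still leaves each destination VM's group as the last gate.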
MICROSEGMENTATION - SERVICE CHAINING
• Policy based application of virtual and physical services with scale-out
• Firewall, IPS, load balancer, cache, WAN optimizer, etc.
MULTI-VENDOR SERVICE CHAINING

• Seamless insertion of Juniper & unmodified 3rd party services using existing L3VPN connections
• Allows multiple services in a chain
• Allows multiple service chains between virtual networks
• Supports L3 services without the use of a gateway
• Locally significant MPLS labels
• A separate RI (routing instance) carries non-service-chain traffic

[Figure: logical view: Virtual Network Red (VMs R1, R2) – SVC 1 VM – SVC 2 VM – Virtual Network Green (VMs G1, G2). Physical view: x86 servers S1 (R1 on VIF 1 / label L1, R2 on VIF 2 / label L2), S2 (SVC 1 VM, left interface label L3, right interface label L4), S3 (SVC 2 VM, left interface label L5, right interface label L6) and S4 (G1 on VIF 3 / label L7, G2 on VIF 4 / label L8) over the IP fabric.]

Routing instance tables as drawn (Dst → Next Hop; a next hop is either a local VIF or a remote server plus the label that server allocated):

Server S1, VN Red:       G1 → S2 L3 | G2 → S2 L3 | R1 → VIF 1 | R2 → VIF 2
Server S2, SVC 1 left:   R1 → S1 L1 | R2 → S1 L2
Server S2, SVC 1 right:  G1 → S3 L5 | G2 → S3 L5
Server S3, SVC 2 left:   R1 → S2 L4 | R2 → S2 L4
Server S3, SVC 2 right:  G1 → S4 L7 | G2 → S4 L8
Server S4, VN Green:     R1 → S3 L6 | R2 → S3 L6 | G1 → VIF 3 | G2 → VIF 4

Traffic from Red to Green therefore walks S1 → S2 (L3, SVC 1) → S3 (L5, SVC 2) → S4 (L7 / L8); return traffic walks S4 → S3 (L6) → S2 (L4) → S1 (L1 / L2), so both directions cross the same services in reverse order.
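The tables above walked in code, as an added Python example that is not from the deck or from Contrail: the routing-instance and label tables are transcribed from the figure; the VIF names for the service interfaces and the transparent pass-through behaviour of the service VMs are assumptions made for the illustration.

```python
"""Label-switched service chain walk over the routing-instance tables the slide draws.
Added example, not Contrail code: servers, tenant VIFs and label values are the slide's
placeholders (S1..S4, VIF 1..4, L1..L8); service VIF names and the pass-through model
of the service VMs are assumptions."""

# Per-server label table. Labels are locally significant: S2 allocated L3/L4 for the two
# interfaces of SVC 1, S3 allocated L5/L6 for SVC 2, and so on. A received label maps to
# the local VIF it was allocated for; the inner IP header is not consulted.
LABELS = {
    "S1": {"L1": "VIF 1", "L2": "VIF 2"},
    "S2": {"L3": "svc1-left", "L4": "svc1-right"},
    "S3": {"L5": "svc2-left", "L6": "svc2-right"},
    "S4": {"L7": "VIF 3", "L8": "VIF 4"},
}

# Routing-instance tables from the slide: (server, vrf) -> destination VM -> next hop.
# A next hop is either a local VIF (str) or (remote server, label that server allocated).
ROUTES = {
    ("S1", "red"):        {"G1": ("S2", "L3"), "G2": ("S2", "L3"), "R1": "VIF 1", "R2": "VIF 2"},
    ("S2", "svc1-left"):  {"R1": ("S1", "L1"), "R2": ("S1", "L2")},
    ("S2", "svc1-right"): {"G1": ("S3", "L5"), "G2": ("S3", "L5")},
    ("S3", "svc2-left"):  {"R1": ("S2", "L4"), "R2": ("S2", "L4")},
    ("S3", "svc2-right"): {"G1": ("S4", "L7"), "G2": ("S4", "L8")},
    ("S4", "green"):      {"R1": ("S3", "L6"), "R2": ("S3", "L6"), "G1": "VIF 3", "G2": "VIF 4"},
}

# An unmodified (transparent) service VM forwards whatever enters one interface out of
# the other; the packet then hits the VRF of the egress interface (assumption).
SERVICE_PASSTHROUGH = {
    "svc1-left": ("S2", "svc1-right"), "svc1-right": ("S2", "svc1-left"),
    "svc2-left": ("S3", "svc2-right"), "svc2-right": ("S3", "svc2-left"),
}

VM_HOME = {"R1": ("S1", "red"), "R2": ("S1", "red"),
           "G1": ("S4", "green"), "G2": ("S4", "green")}


def forward(src_vm: str, dst_vm: str, max_hops: int = 16) -> list:
    """Return the (from_server, vrf, to_server, label, ingress_vif) hops a packet from
    src_vm to dst_vm takes. Raises KeyError on a missing route and RuntimeError if the
    tables loop (the slide's tables are acyclic; a mis-leaked route would not be)."""
    server, vrf = VM_HOME[src_vm]
    hops = []
    for _ in range(max_hops):
        next_hop = ROUTES[(server, vrf)][dst_vm]
        if isinstance(next_hop, str):            # destination is local to this VRF
            hops.append((server, vrf, server, None, next_hop))
            return hops
        nh_server, label = next_hop
        vif = LABELS[nh_server][label]           # receiver pops the label to find the VIF
        hops.append((server, vrf, nh_server, label, vif))
        if vif not in SERVICE_PASSTHROUGH:
            return hops                          # delivered to a tenant VM
        server, vrf = SERVICE_PASSTHROUGH[vif]   # came out the other side of the service
    raise RuntimeError("forwarding loop")


def labels_on_path(src_vm: str, dst_vm: str) -> list:
    """Just the label sequence, i.e. what an observer on the fabric could see."""
    return [label for _, _, _, label, _ in forward(src_vm, dst_vm) if label is not None]


if __name__ == "__main__":
    for src, dst in (("R1", "G1"), ("G2", "R2"), ("R1", "R2")):
        print(src, "->", dst, labels_on_path(src, dst))
```

Because each hop is resolved by a label the next server allocated, inserting or removing a service is purely a matter of re-leaking routes into the neighbouring instances; no VM, and no underlay switch, changes configuration.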
SERVICE CHAINING SALIENT FEATURES

[Figure: four panels, each showing Virtual Network Red (R1, R2) chained to Virtual Network Green (G1, G2) through service VMs.]
• Multiple services in a service chain: a service policy "for all traffic between VN-Red and VN-Green use the SFC" steers traffic through SVC 1 VM and then SVC 2 VM.
• Multiple service chains between two networks: policy-based service chaining (e.g. for a particular 5-tuple use SFC 1, else use SFC 2), with SVC 3 VM forming the second chain.
• Scale-out services: multiple service instances (scale-out, aka active-active HA).
• Active-backup services: service instances in active-backup HA.

GATEWAY AND BARE METAL INTEGRATION
BMS INTEGRATION WITH L2 / L3 GATEWAY

[Figure: physical view: a bare-metal server on a top of rack switch, virtual machines (VM1 ... VM5) on any hypervisor, VXLAN tunnels between the TOR and the vRouters, and an L3 GW toward the WAN / Internet. Logical view: VLAN Green and VLAN Blue on the physical side map to Virtual Network Green and Virtual Network Blue in the overlay. TOR: control using EVPN (BGP) for QFX, config using OVSDB / XMPP / Netconf. L3 GW: config using XMPP / Netconf, control using BGP (L3VPN / EVPN).]

• Contrail enables a legacy VLAN based architecture to interconnect with a cloud architecture.
• No gateway is needed when going from one VN to another on the Contrail overlay: Contrail allows inter-VN traffic in the overlay without having to go through the L3 GW.
• Traffic from a VM in the overlay to non-overlay VMs or BMS needs to go through the L3 GW.
• Intra-VN traffic from VM to BMS goes through the TOR.
[Figure: router, switches, virtualized servers (V-Server), a server, a legacy appliance and a legacy server.]

ANALYTICS

CONTRAIL ANALYTICS
ANALYTICS - UNDERLAY-OVERLAY CORRELATION
• Visual representation of the topology (discovered using LLDP)
• Which underlay paths are taken by flows (active or historical)
• Details of VMs, vRouters and underlay components
• Details of active flows
• Ability to show historical flows as well
CONTRAIL PHYSICAL AND VIRTUAL TOPOLOGY DISCOVERY AND VISUALIZATION
• Physical topology discovery using SNMP and the LLDP MIB
• Physical to virtual adjacency discovery using SNMP and the MAC MIB
• Virtual topology discovery using the OpenStack integration

CONTRAIL MAP OVERLAY FLOW TO UNDERLAY PATH – CURRENT FLOWS (PROBE)
• Current flows: find the path using a standard probe (without detailed statistics)

CONTRAIL MAP OVERLAY FLOW TO UNDERLAY PATH – HISTORICAL FLOWS
• Choose from the list of all observed flows (even past flows)
• Underlay path discovery uses sFlow or IPFIX
• Overlay to underlay mapping uses vRouter Sandesh
• Many flows in the overlay map to 64K flows in the underlay (the entropy is carried in the 16-bit outer source port)
VMWARE INTEGRATION

VMWARE VCENTER

VCENTER & CONTRAIL

[Figure: four deployment options, each with an operator driving compute orchestration (Nova Compute or vCenter) and network orchestration (Contrail, over XMPP to the hosts), plus admin UI interaction.]
• Option 1: OpenStack with ESXi (currently supported): Nova Compute manages ESXi hosts and KVM hosts; Contrail talks XMPP to both.
• Option 2: vSphere with Contrail (currently supported): vCenter manages the ESXi hosts; Contrail talks XMPP to them.
• Option 3 (planned): "vCenter as a compute" alongside KVM hosts under Nova Compute.
• Option 4 (planned, with OVSDB support): vCenter with an L2 / L3 gateway; as drawn, the ESXi hosts stay on VLANs and the gateway, configured over OVSDB, bridges VLAN to VXLAN.
CONTAINER INTEGRATION

KUBERNETES & CONTRAIL

Overview
Kubernetes is Google's open source orchestration system for Docker containers. It handles scheduling onto nodes in a compute cluster and actively manages workloads to ensure that their state matches the user's declared intentions. Using the concepts of "services" and "pods", it groups the containers which make up an application into logical units for easy management and discovery. It uses "labels" for annotations.

Implementation details
• A new daemon listens to the Kubernetes API on the master.
• It creates virtual networks on demand.
• It connects VNs together using the labels / annotations present in the app deployment template.
• A plugin script running on the minion/node then connects the container veth pair to the OpenContrail vRouter rather than the docker0 bridge.
• OpenShift Origin v3 leverages the K8s + Contrail implementation.

Features
• Virtual network for a collection of pods (replicated using an RC)
• IP per pod
• Floating IP for the cluster IP (for policies)
• ECMP load-balancing across service pods
• vRouter on nodes

Source: http://googlecloudplatform.blogspot.com/2015_01_01_archive.html
53 Copyright © 2014 Juniper Networks, Inc. Juniper Confidential. Provided to Telefonica. Subject to NDA.
SCALABILITY AND PERFORMANCE

OVERLAY PERFORMANCE - HOW FAST SW HAS TO WORK
• 1.488 million 64-byte packets per second on a 1GE interface (line rate)
• 14.88 million 64-byte packets per second on a 10GE interface (line rate)
• At 1.8 GHz, 1 cycle = 0.56 ns
• 1 packet at 10GE line rate → 67.2 ns → about 120 cycles (120 × 0.56 ns = 67.2 ns) for the whole forwarding path
VROUTER OVERVIEW - STANDARD

[Figure: compute node split into kernel space and user space. The guest (application) VM sits in user space behind the QEMU layer with virtio in the guest, vhost in the host kernel and a tap-xyz (vif) per VM; the vRouter lives in kernel space; the Nova agent and vRouter host agent run in user space. Per-packet cost shown: 950 ns.]

Linux kernel overhead:
• System calls
• Data copying from kernel to user space
• Interrupt handling in the kernel
• Context switching on blocking I/O
DPDK VROUTER OVERVIEW

[Figure: the vRouter forwarding path (VRFWD) moves to user space; guest VMs (application VM, DPDK) attach through VIF: TAP on eth0 / eth1; the Nova agent and vRouter host agent remain in user space.]

The Data Plane Development Kit (DPDK) is a set of data plane libraries and network interface controller drivers for fast packet processing. DPDK provides a programming framework for Intel x86 processors and enables faster development of high speed data packet networking applications.

DPDK can improve packet processing performance by up to ten times. It is possible to achieve over 80 Mpps (million packets per second) throughput on a single Intel® Xeon® processor, and double that with a dual-processor configuration.
DPDK VROUTER ARCHITECTURE

[Figure: guest VM with virtio frontend and virtio ring; host compute node with one QEMU 2.2 process per VM (uvhost client) and the user-space DPDK vRouter (VRFWD) built on DPDK 2.0 libraries.]
• Virtio backend: vhost-net in kernel space before QEMU 2.1; vhost-user in user space from QEMU 2.1 on (user-space vhost with libvirt 1.2.7).
• Uvhost server in the vRouter: a Unix socket carries the messages exchanged once the VM is up; it assigns an lcore to each virtio interface based on those messages.
• The virtio ring is mmap'ed into VRFWD from hugetlbfs (DPDK ring), so packets move between VM and vRouter without a kernel copy.
• NIC queues 1..N are mapped 1-1 to DPDK lcores, which poll the DPDK NIC (created by the DPDK EAL, Environment Abstraction Layer).
• vRouter forwarding uses VRF, config and policy tables; the vRouter agent (vnswad) programs routes / nexthops / interfaces / flows over a TCP connection, and pkt0 / netlink carry packets and control between agent and forwarding plane.
VROUTER PERFORMANCE WITH DPDK
• Setup has 2 compute nodes, dual socket Xeon E5-2640 (2.5 GHz)
• Each server has one VM running a DPDK application
• VM1 sends a continuous stream of 64-byte packets to VM2
• One core in the vRouter is dedicated to reading packets transmitted by the VM on the sender (as multi-queue virtio is not supported); the others are forwarding cores
• Performance (pps) measured as a function of the number of cores used by the vRouter on the sender

Forwarding cores on sender | 64-byte PPS | Bits per second
2                          | 2.8M        | 1.34 Gbps
3                          | 4.9M        | 2.35 Gbps
4                          | 7.0M        | 3.34 Gbps
5                          | 8.9M        | 4.25 Gbps

(The bits-per-second column is consistent with pps × 480 bits, i.e. 60-byte frames, the 64-byte frame without its 4-byte FCS, given that the pps values are rounded; counting the full 64-byte frame would give 1.43 / 2.51 / 3.58 / 4.56 Gbps.)
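The arithmetic behind the 14.88 Mpps figure on the overlay-performance slide and the pps-to-Gbps columns of this table and the SmartNIC table, as an added Python example that is not from the deck; the frame-overhead constants are standard Ethernet values, the table values are the slide's.

```python
"""Line-rate arithmetic behind the deck's 1.488 / 14.88 Mpps figures and the
pps-to-Gbps columns of its vRouter tables. Added example, not from the deck."""

PREAMBLE_SFD = 8      # bytes on the wire before each Ethernet frame (7 preamble + 1 SFD)
IFG = 12              # minimum inter-frame gap, in byte times
FCS = 4               # frame check sequence, included in the 64-byte minimum frame


def line_rate_pps(link_bps: float, frame_bytes: int = 64) -> float:
    """Maximum frames per second: every frame also costs preamble+SFD and the IFG,
    which is why 10GE carries 14.88 Mpps of 64-byte frames and not 10e9/512."""
    return link_bps / ((frame_bytes + PREAMBLE_SFD + IFG) * 8)


def ns_per_packet(pps: float) -> float:
    return 1e9 / pps


def cycles_per_packet(pps: float, clock_hz: float) -> float:
    """Cycle budget one core has per packet if it alone must keep up with the link."""
    return clock_hz / pps


def reported_bps(pps: float, frame_bytes: int = 64, include_fcs: bool = False) -> float:
    """Throughput as the deck's tables report it: pps x frame bits. With include_fcs
    False the frame counts as 60 bytes, which is the convention the tables use."""
    size = frame_bytes if include_fcs else frame_bytes - FCS
    return pps * size * 8


# pps and Gbps columns of the DPDK vRouter table, as printed on the slide.
DPDK_TABLE = [(2.8e6, 1.34), (4.9e6, 2.35), (7.0e6, 3.34), (8.9e6, 4.25)]


def max_table_deviation_gbps(include_fcs: bool) -> float:
    """Largest gap between the slide's Gbps column and pps recomputed under one
    convention. The pps values are rounded to 0.1M, so a deviation up to about
    0.1e6 * 480 bits = 0.048 Gbps is noise; anything larger means the wrong convention."""
    return max(abs(reported_bps(pps, include_fcs=include_fcs) / 1e9 - gbps)
               for pps, gbps in DPDK_TABLE)


if __name__ == "__main__":
    for link in (1e9, 10e9):
        pps = line_rate_pps(link)
        print(f"{link/1e9:.0f}GE: {pps/1e6:.3f} Mpps, {ns_per_packet(pps):.1f} ns/pkt, "
              f"{cycles_per_packet(pps, 1.8e9):.0f} cycles/pkt at 1.8 GHz")
    print("table deviation without FCS:", round(max_table_deviation_gbps(False), 3))
    print("table deviation with FCS:   ", round(max_table_deviation_gbps(True), 3))
```

The same check applied to the SmartNIC slide gives 25M × 480 bits = 12 Gbps and 2.5M × 480 bits = 1.2 Gbps, so both tables use the FCS-less convention; when comparing against vendor figures quoted with the FCS, scale by 64/60.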
VROUTER PERFORMANCE SMARTNIC

Contrail vRouter with SmartNIC: 25M 64-byte PPS, 12 Gbps
OVS with DPDK:                  2.5M 64-byte PPS, 1.2 Gbps
(same convention as the previous table: pps × 480 bits, e.g. 25M × 480 = 12 Gbps)
OPENSTACK OVS VERSUS CONTRAIL VROUTER COMPARISON

OVS (Open vSwitch):
• Scale limitations due to architectural challenges
• Limited network throughput
• No analytics
• No ISSU

Contrail vRouter:
• Tested with at least 2000 nodes and 10k VMs
• SmartNIC and DPDK allow for Mpps scaling for Telco VNFs
• Detailed cluster real-time and historical analysis information

[Chart: OVS shown at 200 nodes, Contrail at 2000 nodes.]

OPENCONTRAIL

CONTRAIL IS OPENSOURCE www.opencontrail.org

IN SUMMARY …
CASES

[Figure: customer logos grouped as SaaS / IaaS, Enterprise Private Cloud, Service Provider, SaaS Enterprise Security, Enterprise, SaaS Social Net., Public Cloud, Hosting, IaaS / Enterprise.]

TECHNOLOGY PARTNERS

[Figure: partner logos grouped by category.]
• NFV: elastic CDN, vSBC, ADC / LB (vLB / physical LB), DPI (VPTS), WAN optimization, performance monitoring
• NFV orchestration (NCSO)
• Cloud: Ubuntu, OIL, Juju; MOS, Fuel; RHEL/RHOSP, OSPd, OpenShift; ICO 2.4, ICM 4.3
• System integrators
• Smart NIC: Agilio, vRouter Smart NIC

Case Studies
Agile Private Cloud for IaaS (Symantec)

Key requirements:
• Agile dev/test environment
• Reduce manual intervention / avoid mistakes
• Best overlay for any underlay
• Clear segmentation between departments

Contrail empowers:
• On-demand & scale-out network services
• Fully automated network provisioning
• Massive amount of ROI with the existing gateway
• Secure multitenancy

http://www.juniper.net/us/en/company/case-studies/service-provider/symantec/
SAAS CLOUD

Customer needs:
• Highly multi-tenanted & high scale SaaS workloads
• Security framework for governance, audit and compliance
• Self-service environment for test/dev and production
• Hybrid cloud support – public & private

Solution description:
1. Integration of private and VPC using OpenStack: multiple private DCs & public cloud service locations; the same security framework across the hybrid cloud.
2. Self-service with a mix of resource types across IaaS: developers can request services across multiple clouds (AZs); some applications are not virtualized (KVM) but run on Docker (bare metal); controlled migration from development to production on the shared cloud.
3. Strong security & governance framework: reduced security rule complexity on the firewall; all traffic flows are logged and stored.
4. On-demand virtualized network services: FW-as-a-Service implemented using virtual SRX; LB-as-a-Service implemented using F5 BIG-IP or Contrail.

[Figure: "Open Compute" platform, OpenStack orchestrator, KVM & Docker, Contrail network virtualization; development and production zones, public clouds and the Internet behind SRX and F5.]
SDWAN / CLOUD CPE ELASTIC SERVICE INFRASTRUCTURE (NTTI3)

Customer needs:
• Multi-tenant LBaaS, FWaaS, WanOpt-aaS capability
• Reduced TCO from low-cost CPE devices (and reduced customer support costs)
• Improved agility in introducing new (& upgrading existing) services
• Self-care portal for service enablement
• Scale-out and on-demand security and connectivity services to business customers with a light-weight device at the customer premise

Solution description:
1. Flexible service chaining: service catalog / marketplace with a choice of services; service chaining of security and network services; services run in the POP or at the customer premises (ESE); API integration with the self-service portal.
2. Central management, monitoring, troubleshooting: the ESI controller manages & monitors the environment centrally; OpenStack Heat is used to create service templates.
3. Open, interoperable carrier-grade SDN platform: OpenContrail as a scalable, performant & available SDN platform; BGP & other standards-based protocols for interoperability.
4. Software defined WAN: built on top of the Internet, using secure connections for data and control traffic; integrates with existing L3VPN (wherever applicable).

[Figure: customer branch, customer HQ and customer DC with ESE devices at the customer premise, connected over the software defined WAN (L3VPN) and the Internet to ESI POPs (NTT DC) running COTS hardware (x86, ARM), the SDN / NFV software stack and a VNF marketplace, all managed by the ESI controller.]
VIRTUAL CPE

Customer needs:
• Multi-tenant VPNaaS, FWaaS, WanOpt-aaS capability
• Reduced TCO from low-cost CPE devices, and reduced customer support costs
• Improved agility in introducing new (& upgrading existing) services
• Self-care portal for service enablement
• Scale-out and on-demand security and connectivity services to business customers with a light-weight device at the customer premise

Solution description:
1. Contrail enabling service chaining on the vCPE: security and connectivity services chained at the PE; services co-located with the PE (no need for a separate SP service DC); API integration with the self-care portal.
2. Multi-tenant services for business customers: a separate VNF instance per customer; traffic segregation between customers using virtual networks; overlapping address space for tenants.
3. Contrail's robust L3VPN overlay architecture: seamless integration with the SP's existing L3VPN offering; integrates with existing / legacy underlay networks.
4. Integration with MX (PE): dynamic traffic steering to services using a standards-based approach (BGP Flowspec); anchor point for service chains.

[Figure: a basic CE at each customer site, PE routers over the VPN IP/MPLS core with vCPE instances on Contrail / OpenStack beside the PE, and the Internet.]
ENTERPRISE PRIVATE CLOUD (HADOOP)

Customer needs:
• Contrail enabling a private cloud infrastructure for Big Data application development and deployment
• Secure, multi-tenant private cloud environment
• On-demand creation and dynamic scale-out of custom services
• Rapid, seamless deployment of new services to internal users
• Hadoop support: massive storage, on-demand data ingest, real-time stream processing, DB-as-a-Service (NoSQL / SQL)
• 'As-a-service' model for network functions (LB-aaS, DNS-aaS)

Solution description:
1. Contrail overlay on an L3 underlay: pure L3 routing in the underlay to the top of rack switch; CLOS-based network architecture providing high-bandwidth capacity between compute nodes; virtualized (compute) and bare-metal (Hadoop) servers.
2. Juniper MX / SRX: MX as the gateway router to interconnect the public Internet, with L3VPN capability; SRX used as a firewall.
3. Centralized security policy definition, distributed enforcement: API-based policy definition; security policy at the virtual network level and the VM level.
4. Self-provisioned service / app deployment: controlled migration of apps from development to production clouds; seamless integration of new features / apps.

[Figure: Big Data racks, infra racks and OpenStack racks behind the MX GW and SRX, an A10 at the dynamically scaled application edge, scale-out Big Data apps, Contrail / OpenStack.]
Thank you