Contrail Introduction - Juniper Overlay SDN Solution

Evolution of network virtualization
- VLAN approach (manual end-to-end): VLANs configured on physical switches.
- OpenFlow, reactive approach (reactive end-to-end): requires programming of flows.
- Proactive software overlay (virtual network overlays): no impact on the physical network.

Network virtualization - VLAN
- Every VLAN has to be configured manually on every device.
- Inserting services is relatively complex.
- There are only 4096 VLAN IDs, so at most 4096 tenants can be supported.
- Tenant traffic is carried directly on the physical network.
Characteristics: manual control, low efficiency, poor scalability.

Network virtualization - OpenFlow
- OpenFlow requires support from the underlying switches.
- OpenFlow requires programming.
- Every tenant's traffic is forwarded through the physical network.
- With an OpenFlow controller, the first packet of every flow has to go to the controller for analysis.
Characteristics: higher latency, poor scalability, additional failure points to consider, upgradeable.

Network virtualization - Overlay
- Packets do not pass through the controller; they are forwarded only through tunnels.
- Data is forwarded over the existing network.
- Tenant traffic is carried in tunnels and is unaware of the physical network, even while the physical network's structure is changing.
- The controller uses programming to control the virtual vswitches and virtual gateways.
Characteristics: low latency, high scalability, self-healing, can be implemented on any network.

Role and function of Juniper Contrail
Diagram: Service Nodes; Internet; VPN; DCI WAN; Gateway Router; JunosV Contrail; Orchestrator (Compute APIs, Storage APIs, Network APIs); Server with Virtual Machine and vRouter; Physical Switches; vSRX; F5.
Juniper's Contrail is built on OpenStack and calls OpenStack's components through APIs.

Contrail components
Diagram: Physical Network (no changes); OpenContrail Controller (Analytics, Control, Configuration); Physical Host with Hypervisor, vRouter and VMs (two hosts); WAN/Internet; Gateway.
- Receives VM state information (migration, creation, etc.) through the API interface.
- Analyzes data and traffic in real time.
- Controls the other nodes through the OpenStack API.
- vRouter: a virtualized vswitch that provides the virtualized interface through which VMs attach.
- Gateway: a Juniper MX or EX9200 can be used.

Today (2014)
Juniper has completed the OpenStack integration; VMware and more cloud platform systems will be supported later.

Contrail features
Contrail controller and Contrail nodes: IPAM, Virtual DNS, Security, Load Balancing, 3rd Party Network Services, Rich Analytics, High Availability, Service Chaining, API Services, Routing and Switching, Gateway Services.

Contrail controller and nodes
Diagram: Control Node (BGP module, Proxies, XMPP); Control Node; Compute Node; Configuration Node; IF-MAP; XMPP; IBGP; IF-MAP Client.
- Control and forwarding are separated between the controller and the nodes.
- The controller can control many nodes, including routers and compute nodes.
- The control plane implements route control with the BGP protocol.
- Forwarding points forward data over dynamic GRE tunnels.
- The physical topology and switches are transparent to tenants.

Control plane - route advertisement
Diagram: Gateway Routers and Service Nodes; Control Node and Configuration Node (REST/API), linked by IF-MAP; an Agent on Server 1 and on Server 2, each connected to the Control Node over XMPP; VM 10.1.1.1 on Server 1 (70.10.10.1) and VM 10.1.1.2 on Server 2 (151.10.10.1); the servers connected through the IP network.
Routes advertised by the control plane:
  10.1.1.2: NH=151.10.10.1; LBL=17
  10.1.1.1: NH=70.10.10.1; LBL=39
Packet from the VM: VRF | PriSrcIP 10.1.1.1 | PriDstIP 10.1.1.2 | PAYLOAD
On the IP network (dynamic tunnel encapsulation): PubSrcIP 70.10.10.1 | PubDstIP 151.10.10.1 | GRE | LBL=17 | PriSrcIP 10.1.1.1 | PriDstIP 10.1.1.2 | PAYLOAD
At Server 2 (dynamic tunnel decapsulation): VRF | PriSrcIP 10.1.1.1 | PriDstIP 10.1.1.2 | PAYLOAD
*Outer MAC header was left out intentionally to reduce clutter
- The VM addresses are advertised into the controller via the BGP protocol.
- When forwarding, the original packet is encapsulated again in GRE.

Application scenario - logical topology
VN G: VM G1, VM G2, VM G3. VN R: VM R1, VM R2, VM R3. VM FW. PN.
Legend: virtual network, tenant VM, virtual firewall, physical router, physical network.

Application scenario - physical topology
OpenStack (Neutron, Nova); Contrail Controller; virtual VMs; hypervisors with vRouter; physical switches; physical gateway router.

Logical-to-physical topology mapping
LOGICAL: VN G (VM G1, G2, G3); VN R (VM R1, R2, R3); VM FW; L3VPN.
PHYSICAL: OpenStack (Neutron, Nova); Contrail Controller; hosts and gateway router.

Initialization: no network has been built yet
LOGICAL: VN G (G1, G2, G3), VN R (R1, R2, R3), PN, VM FW are defined but not yet placed. PHYSICAL: OpenStack (Neutron, Nova), Contrail Controller.

Tenant creates a virtual network
Create VN G.

Tenant creates virtual machine VM G1
Create VM G1; attach to VN G.
Nova: Create VM. Neutron: Attach VM to VN. XMPP: Create routing-instance.

Tenant creates VM G2
Create VM G2; attach to VN G.
Nova: Create VM. Neutron: Attach VM to VN. XMPP: Create routing-instance.

Contrail instructs the two servers to build a tunnel between them
XMPP: Exchange routes; create tunnels.

How tenant packets are forwarded in the tunnel
Server S1:
  Green routing-instance IP FIB (IP prefix -> nexthop): VM G1 -> virtual ethernet port to VM G1; VM G2 -> push label L2 + GRE encaps to server S2
  Global MPLS FIB (MPLS label -> nexthop): L1 -> pop + Green routing-instance
  Global IP FIB (IP prefix -> nexthop): Server S2 -> physical ethernet port
Server S2:
  Green routing-instance IP FIB: VM G1 -> push label L1 + GRE encaps to server S1; VM G2 -> virtual ethernet port to VM G2
  Global MPLS FIB: L2 -> pop + Green routing-instance
  Global IP FIB: Server S1 -> physical ethernet port
Packet on the wire from S1 to S2:
  Ethernet: source MAC Server S1, dest MAC Server S2
  Outer IP header: source IP Server S1, dest IP Server S2
  GRE
  MPLS: label L2
  Inner IP header: source IP VM G1, dest IP VM G2
  Payload

Tenant creates VM G3
Create VM G3; attach to VN G.
Nova: Create VM. Neutron: Attach VM to VN. XMPP: Create routing-instance.

Contrail builds two more tunnels between the physical servers
XMPP: Exchange routes; create tunnels.

Tenant's final state
VN G with VM G1, VM G2 and VM G3 placed across the servers and connected by tunnels; VN R, PN and VM FW as before.

After two different tenants have each created VMs
VN G (G1, G2, G3) and VN R (R1, R2, R3) are both placed on the servers.

Tunnels between the virtual vRouters and the gateway router
Apply policy; VN R as L3VPN; VM FW.
Netconf: Configure routing-instance.
BGP: Exchange routes; create tunnels.
XMPP: Exchange routes; create tunnels.

Programmable interfaces
- All work is done through APIs; the UI itself calls the OpenStack API.
- The system uses common programming languages: Python and Java libraries (others can be supported as there is interest); curl can also be used.
- The data model is public and has corresponding documentation.
- The APIs call into the system.

Summary: Contrail is an innovator in SDN solutions
Open: an open platform; the protocols running on all hypervisors are standard; integrates well with cloud platforms; integrates with the existing network, saving the cost of upgrading and replacing equipment.
Simple: the physical architecture of the SDN is simplified; network components are simplified and realized through virtualization.
Intelligent: automatically updates the structure of the cloud platform's virtual networks; can be integrated with the cloud platform; the built-in analytics system can analyze traffic.

Thank you!
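The route-advertisement and packet-walk slides above describe three tables on each server (the per-tenant routing-instance IP FIB, the global MPLS FIB, and the global IP FIB) and the MPLS-over-GRE encapsulation between them. The following is an added example, not Contrail's own code: a small Python model of those tables that parses advertisements in the slide's `prefix:NH=...;LBL=...` notation, encapsulates on Server 1 and decapsulates on Server 2. The addresses and labels (10.1.1.1, 10.1.1.2, 70.10.10.1, 151.10.10.1, labels 39 and 17) are the slides'; the `VRouter`, `Packet` and `Tunneled` names, the second tenant "Red" and its label 40 are assumptions made for the example.

```python
# Added example (not Contrail's own code): a toy model of the per-VRF IP FIB, global MPLS FIB
# and MPLS-over-GRE encapsulation the slides describe. Addresses and labels (10.1.1.1, 10.1.1.2,
# 70.10.10.1, 151.10.10.1, LBL 39/17) are the slides'; tenant "Red" and label 40 are constructed.
import re
from dataclasses import dataclass, field

ROUTE_RE = re.compile(r"^(?P<prefix>[\d.]+):NH=(?P<nh>[\d.]+);LBL=(?P<label>\d+)$")

def parse_route(advert):
    """Parse an advertisement in the slide's notation, e.g. '10.1.1.2:NH=151.10.10.1;LBL=17'."""
    m = ROUTE_RE.match(advert.strip())
    if not m:
        raise ValueError(f"malformed route advertisement: {advert!r}")
    return m["prefix"], m["nh"], int(m["label"])

@dataclass
class Packet:      # inner tenant packet: PriSrcIP, PriDstIP, PAYLOAD
    src: str
    dst: str
    payload: bytes

@dataclass
class Tunneled:    # on the fabric: PubSrcIP, PubDstIP, GRE, MPLS label, inner packet (outer MAC omitted)
    outer_src: str
    outer_dst: str
    label: int
    inner: Packet

@dataclass
class VRouter:
    fabric_ip: str                                  # server address used as the tunnel endpoint
    vrf_fib: dict = field(default_factory=dict)     # vrf -> {prefix: ("port", ip) | ("tunnel", nh, label)}
    mpls_fib: dict = field(default_factory=dict)    # global MPLS FIB: locally allocated label -> vrf

    def attach_vm(self, vrf, vm_ip, label):
        """Neutron attach + XMPP create routing-instance: port route, label binding, and the
        advertisement the agent sends to the control node."""
        if self.mpls_fib.get(label, vrf) != vrf:
            raise ValueError(f"label {label} already bound to VRF {self.mpls_fib[label]}")
        self.mpls_fib[label] = vrf
        self.vrf_fib.setdefault(vrf, {})[vm_ip] = ("port", vm_ip)
        return f"{vm_ip}:NH={self.fabric_ip};LBL={label}"

    def learn_route(self, vrf, advert):
        """Install a route the control node pushed over XMPP; our own reflected routes are skipped."""
        prefix, nh, label = parse_route(advert)
        if nh != self.fabric_ip:
            self.vrf_fib.setdefault(vrf, {})[prefix] = ("tunnel", nh, label)

    def send(self, vrf, pkt):
        """Lookup in the VM's routing-instance: local delivery, push label + GRE encaps, or drop."""
        nh = self.vrf_fib.get(vrf, {}).get(pkt.dst)
        if nh is None:
            return None                               # no route in this routing-instance: dropped
        if nh[0] == "port":
            return ("deliver", vrf, pkt)
        _, remote, label = nh
        return Tunneled(self.fabric_ip, remote, label, pkt)

    def receive(self, tun):
        """Decapsulate: the MPLS label alone selects the routing-instance for the inner lookup."""
        if tun.outer_dst != self.fabric_ip:
            return None
        vrf = self.mpls_fib.get(tun.label)
        if vrf is None:
            return None                               # label never allocated here: dropped
        nh = self.vrf_fib[vrf].get(tun.inner.dst)
        if nh is None or nh[0] != "port":
            return None
        return ("deliver", vrf, tun.inner)

def build_demo():
    """Server 1 and Server 2 from the slide, tenant Green, plus a constructed tenant Red."""
    s1, s2 = VRouter("70.10.10.1"), VRouter("151.10.10.1")
    adverts = {
        "Green": [s1.attach_vm("Green", "10.1.1.1", 39), s2.attach_vm("Green", "10.1.1.2", 17)],
        "Red": [s1.attach_vm("Red", "10.1.1.1", 40)],   # same address as Green's VM, different VN
    }
    for vrf, routes in adverts.items():               # the control node reflects routes to every vRouter
        for adv in routes:
            s1.learn_route(vrf, adv)
            s2.learn_route(vrf, adv)
    return s1, s2

def green_packet_walk():
    """VM 10.1.1.1 on Server 1 sends to 10.1.1.2 on Server 2 inside VN Green."""
    s1, s2 = build_demo()
    tun = s1.send("Green", Packet("10.1.1.1", "10.1.1.2", b"hello"))
    return tun, s2.receive(tun)

def isolation_checks():
    """Red's 10.1.1.1 has no route to Green's 10.1.1.2, and a label Server 2 never allocated is discarded."""
    s1, s2 = build_demo()
    red = s1.send("Red", Packet("10.1.1.1", "10.1.1.2", b"x"))
    bogus = s2.receive(Tunneled("70.10.10.1", "151.10.10.1", 99, Packet("10.1.1.1", "10.1.1.2", b"x")))
    return red, bogus
```

In this model the green packet leaves Server 1 as outer 70.10.10.1 to 151.10.10.1 carrying label 17 and is delivered into the Green routing-instance on Server 2, matching the slide's encapsulated header. The two isolation checks show what the slides' separation of control and forwarding rests on: tenant separation comes entirely from the routing-instance chosen on the sending side and from the label-to-VRF binding on the receiving side, so the set of labels a vRouter accepts, and the control channel (XMPP here) that installs routes into each VRF, are the parts a defender should monitor.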