Service Chaining - Cloud Network Services at Scale
SERVICE CHAINING: Cloud Network Services at Scale
Sergei Gotchev [email protected]
Juniper Networks Proprietary and Confidential -- printed copies of this document are for reference only
2 Copyright © 2014 Juniper Networks, Inc. www.juniper.net
HIGH LEVEL CONTRAIL ARCHITECTURE
CONTRAIL ARCHITECTURE
[Architecture diagram] The Contrail Controller (Configuration, Control, Analytics) sits beneath the orchestrator; each x86 host with hypervisor runs a vRouter; the physical IP network needs no changes; a gateway connects to Internet / WAN and legacy infrastructure (VLAN, etc.). Controller-to-vRouter communication is a bi-directional real-time message bus using XMPP. A standard protocol (M-BGP) is used to talk with other Contrail controller instances. The orchestrator covers network orchestration, compute / storage orchestration, and others.
CONTRAIL STACK
[Stack diagram] Configuration nodes, control plane nodes and analytics engines make up the controller; beneath them sit compute nodes (virtual router), service nodes (SRX, Firefly, JSP, ...) and gateway nodes (MX, EX/QFX, ...). REST APIs (configuration, operational, and analytics) are exposed northbound to OpenStack, CloudStack and customer OSS/BSS.
COMPUTE NODE – HYPERVISOR, VROUTER
[Compute node diagram] Virtual machines of tenants A, B and C attach through tap interfaces (vif) to the vRouter forwarding plane in the kernel, which holds one routing instance per tenant, each with its own FIB and flow table. The vRouter agent in user space holds config, VRFs and the policy table, talks XMPP to the JunosV Contrail Controller, and is joined to the forwarding plane by the pkt0 interface. Overlay tunnels (MPLS over GRE, UDP or VXLAN) leave over Eth0 / Eth1 / EthN towards the top-of-rack switch.
• vRouter replaces the Linux Bridge or OVS module in Hypervisor Kernel
• vRouter performs bridging (E-VPN) and routing (L3VPN)
• vRouter performs networking services like Security Policies, NAT, Multicast, Mirroring, and Load Balancing
• No need for Service Nodes or L2/L3 Gateways for Routing, Broadcast/Multicast, NAT
• Routes are automatically leaked into the VRF based on Policies
• Support for Multiple Interfaces on the Virtual Machines
• Support for Multiple Interfaces from Compute Node to the Switching Fabric
COMPUTE NODE – FORWARDING/TUNNELING
[Forwarding diagram] Virtual Machine 1 (VN-IP1) on Compute Node 1 and Virtual Machine 2 (VN-IP2) on Compute Node 2 each attach through a tap interface (vif) to their routing instance (FIB and flow table) in the local vRouter forwarding plane. On the physical side the packet (Virtual-IP2, payload) is carried in an overlay tunnel (MPLS over GRE or VXLAN) with an MPLS label / VNI and the outer destination Phy-IP2, leaving Compute Node 1 via Eth1 (Phy-IP1) and arriving at Compute Node 2 via Eth1 (Phy-IP2).
1. Guest OS ARPs for a destination within the subnet or for the default GW
2. vRouter receives the ARP and responds with the VRRP MAC
3. Guest OS sends traffic to the VRRP MAC; vRouter encapsulates the packet with the appropriate MPLS/VNI tag and GRE header
4. The physical fabric routes the packet on the physical IP address
5. Returning packets get forwarded to the appropriate routing instance by the MPLS/VNI tag
6. vRouter de-capsulates the packet and forwards it to the Guest OS
CONTRAIL SERVICE CHAINING
[Service chain diagram, logical view] Virtual Network Red (VMs R1, R2) -> SVC 1 VM -> SVC 2 VM -> Virtual Network Green (VMs G1, G2).
[Physical view] x86 servers S1 (R1 and R2 on VIF 1 / VIF 2, labels L1 / L2), S2 (SVC 1 VM), S3 (SVC 2 VM) and S4 (G1 and G2 on VIF 3 / VIF 4, labels L7 / L8), connected by the IP fabric, each with its routing instances; locally significant MPLS labels L1 ... L8.
• Seamless insertion of Juniper & unmodified 3rd party services using existing L3VPN connections
• Allows multiple services in a chain
• Allows multiple service chains between virtual networks
• Supports L3 services without the use of a gateway
• RI for non-svc-chain traffic
Routing instance tables from the diagram (Dst -> Next Hop; "Sx Ly" is a tunnel to server Sx carrying label Ly, "VIF n" is local delivery), in slide order:
  Table 1: G1 -> S2 L3; G2 -> S2 L3; R1 -> VIF 1; R2 -> VIF 2
  Table 2: R1 -> S1 L1; R2 -> S1 L2
  Table 3: G1 -> S3 L5; G2 -> S3 L5
  Table 4: R1 -> S2 L4; R2 -> S2 L4
  Table 5: G1 -> S4 L7; G2 -> S4 L8
  Table 6: R1 -> S3 L6; R2 -> S3 L6; G1 -> VIF 3; G2 -> VIF 4
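As an added example (not from the slide deck and not Juniper's code), the following Python model walks a packet through the chain on this slide and through the tunnelling steps of the previous slide: the ingress VIF selects the routing instance, the RI lookup yields either a local VIF or a tunnel (outer Phy-IP plus label), and the receiving vRouter uses the label, which only it allocated, to pick the RI and VIF to deliver into. It assumes that the six tables above belong, in slide order, to the Red RI on S1, the two RIs on either side of SVC 1 on S2, the two on either side of SVC 2 on S3, and the Green RI on S4; the service VMs' VIF names (svc1-left and so on) and the physical IPs are made up.

```python
"""Constructed walk-through of the slide's service chain: Red VN VMs R1/R2 on
server S1 -> SVC 1 VM on S2 -> SVC 2 VM on S3 -> Green VN VMs G1/G2 on S4.
The table-to-RI assignment, service VIF names and Phy-IPs are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Physical IPs of the four x86 servers (constructed, RFC 5737 test range)
PHY_IP = {"S1": "192.0.2.1", "S2": "192.0.2.2", "S3": "192.0.2.3", "S4": "192.0.2.4"}

# Tap interfaces per server: vif -> (routing instance, attached VM)
VIFS = {
    "S1": {"VIF 1": ("red", "R1"), "VIF 2": ("red", "R2")},
    "S2": {"svc1-left": ("svc1-left", "SVC 1 VM"), "svc1-right": ("svc1-right", "SVC 1 VM")},
    "S3": {"svc2-left": ("svc2-left", "SVC 2 VM"), "svc2-right": ("svc2-right", "SVC 2 VM")},
    "S4": {"VIF 3": ("green", "G1"), "VIF 4": ("green", "G2")},
}

# Locally significant labels: each vRouter allocates them for its own VIFs only
LABELS = {
    "S1": {"L1": "VIF 1", "L2": "VIF 2"},
    "S2": {"L3": "svc1-left", "L4": "svc1-right"},
    "S3": {"L5": "svc2-left", "L6": "svc2-right"},
    "S4": {"L7": "VIF 3", "L8": "VIF 4"},
}

# The slide's six Dst/Next Hop tables, keyed by (server, routing instance).
# A next hop is ("vif", name) for local delivery or ("tunnel", server, label).
ROUTES = {
    ("S1", "red"):        {"G1": ("tunnel", "S2", "L3"), "G2": ("tunnel", "S2", "L3"),
                           "R1": ("vif", "VIF 1"), "R2": ("vif", "VIF 2")},
    ("S2", "svc1-left"):  {"R1": ("tunnel", "S1", "L1"), "R2": ("tunnel", "S1", "L2")},
    ("S2", "svc1-right"): {"G1": ("tunnel", "S3", "L5"), "G2": ("tunnel", "S3", "L5")},
    ("S3", "svc2-left"):  {"R1": ("tunnel", "S2", "L4"), "R2": ("tunnel", "S2", "L4")},
    ("S3", "svc2-right"): {"G1": ("tunnel", "S4", "L7"), "G2": ("tunnel", "S4", "L8")},
    ("S4", "green"):      {"R1": ("tunnel", "S3", "L6"), "R2": ("tunnel", "S3", "L6"),
                           "G1": ("vif", "VIF 3"), "G2": ("vif", "VIF 4")},
}

# A service VM is transparent: a packet entering on one VIF leaves on the other
SERVICE_PAIRS = {
    "S2": {"svc1-left": "svc1-right", "svc1-right": "svc1-left"},
    "S3": {"svc2-left": "svc2-right", "svc2-right": "svc2-left"},
}


@dataclass
class Hop:
    server: str
    ri: str
    action: str                      # "tunnel", "service" or "deliver"
    target: str                      # label pushed, service VIF exited, or VIF delivered to
    outer_dst: Optional[str] = None  # Phy-IP in the GRE/UDP outer header


def vif_of(server: str, vm: str) -> str:
    """First tap interface on `server` that belongs to `vm`."""
    return next(v for v, (_, owner) in VIFS[server].items() if owner == vm)


def receive(server: str, label: str) -> Optional[Tuple[str, str]]:
    """De-capsulate on `server`: only a label this vRouter allocated selects an
    RI and VIF (previous slide, step 5); any other label is dropped (None)."""
    vif = LABELS[server].get(label)
    return None if vif is None else (VIFS[server][vif][0], vif)


def forward(src_server: str, src_vm: str, dst: str, max_hops: int = 8) -> List[Hop]:
    """Walk one packet from src_vm towards dst through every vRouter it touches."""
    server, vif = src_server, vif_of(src_server, src_vm)
    hops: List[Hop] = []
    for _ in range(max_hops):
        ri = VIFS[server][vif][0]                 # ingress VIF selects the RI
        nh = ROUTES[(server, ri)].get(dst)
        if nh is None:                            # no route in this RI: drop
            raise LookupError(f"{dst} unreachable from {server}/{ri}")
        if nh[0] == "vif":                        # same VN, same server: no chain
            hops.append(Hop(server, ri, "deliver", nh[1]))
            return hops
        _, next_server, label = nh                # push label, add outer Phy-IP
        hops.append(Hop(server, ri, "tunnel", label, PHY_IP[next_server]))
        arrival = receive(next_server, label)
        if arrival is None:
            raise LookupError(f"{next_server} never allocated label {label}")
        arrive_ri, arrive_vif = arrival
        out_vif = SERVICE_PAIRS.get(next_server, {}).get(arrive_vif)
        if out_vif is None:                       # tenant VM: the label names its VIF
            if VIFS[next_server][arrive_vif][1] != dst:
                raise ValueError(f"label {label} does not lead to {dst}")
            hops.append(Hop(next_server, arrive_ri, "deliver", arrive_vif))
            return hops
        # service VM: pass through it and continue the lookup in the far side's RI
        hops.append(Hop(next_server, arrive_ri, "service", out_vif))
        server, vif = next_server, out_vif
    raise RuntimeError("hop limit exceeded: looped chain?")


def labels_on_path(hops: List[Hop]) -> List[str]:
    """Labels pushed along the way, one per tunnelled hop."""
    return [h.target for h in hops if h.action == "tunnel"]


if __name__ == "__main__":
    for src_srv, src, dst in [("S1", "R1", "G1"), ("S4", "G1", "R1"), ("S1", "R1", "R2")]:
        print(f"{src} -> {dst}:")
        for h in forward(src_srv, src, dst):
            tail = f" (outer dst {h.outer_dst})" if h.outer_dst else ""
            print(f"  {h.server}/{h.ri}: {h.action} {h.target}{tail}")
```

Running it shows R1 -> G1 pushing L3, L5 and L7 in turn and G1 -> R1 coming back over L6, L4 and L1, while R1 -> R2 is delivered on VIF 2 without leaving S1 (the "RI for non-svc-chain traffic" bullet). The isolation property a reviewer would check is visible in the tables: no RI holds a route that reaches the other virtual network without passing the next service interface, and `receive` discards any label the local vRouter did not allocate, so a label that is meaningful on S2 has no meaning on S4.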
SERVICE CHAINING FOR THE SP
SERVICE COMPLEX TODAY
[Diagram] A router fronting a row of discrete appliances: load balancing (two), parental control, application, caching & content, firewall, network addressing, DPI/TDF, web aware.
LIMITATIONS
• Even coarse service chains are complex
• Over-provisioned network appliances to meet total demand
• Simplified tenant isolation for security and regulation compliance
• Inefficient chains with duplicate packet processing
• Tie awareness to policy to monetization
• Multiple routing platforms
• Appliances limit flexibility; add complexity
SERVICE CONTROL GATEWAY FUNCTIONALITY
[Diagram] Contrail Controller alongside the SCG.
SCG - SERVICE CHAINING
[Diagram] Subscribers on mobile access (laptop, smartphone, feature phone via GGSN/PGW over (S)Gi) and wireline access (BNG) enter the Service Control Gateway, which holds a subscriber state machine, service cards (DPI, HE/URL, caching) and PFEs (forwarding / flow table, VRF / tunnel) behind a flow control API. Policy and charging interfaces Gx, Gy, Sy, Gx/Sd and Gyn connect PCRF/SPR, OCS, AAA and SRC; BSS / OSS systems, analytics and billing sit alongside. Egress is to VPN and Internet. A data center (servers, hypervisor, vSwitch, VMs) hosts VAS applications, e.g. DPI and TCP proxy, plus other apps, under the Contrail Controller.
Can manage service chaining without an SDN Controller within the confines of SCG
Requires SDN Controller to chain services outside the confines of SCG
SERVICES CHAIN TYPES
[Diagram] Two variants of the chain Subscribers -> Contrail INT GW -> SN 1 -> SN 2 -> SN n -> MX GW -> Internet: OPEN / CLOSED service chain (closed; open DC).
Asymmetric / symmetric NAT @ leaf service node? Single / multiple service hop
CLOUD CPE
[Diagram] Simple CPE versus Cloud CPE: physical CPEs at the customer site (routing, WOC, firewall, DPI) versus a gateway / branch router with virtualized services hosted by the network service provider, orchestrated by Junos Space, OpenStack (Nova, Neutron) and Contrail.
IMPLEMENTATION OF VIRTUAL SERVICES CHAIN
[Diagram] Junos Space drives OpenStack (Nova, Neutron) and the Contrail Controller: create networks, create VMs (FW, DPI). Enterprise traffic traverses FW, DPI, NAT and reaches the Internet via the SP.
MANAGED ENTERPRISE SERVICE
[Diagram] Enterprise customer -> edge -> business edge -> data center. Services decoupled from access – centralized complexity – everything as a service. Customer & network context in service chain mediation. JS vCPE self-care. Network services (VPN, FW, NAT, IPS). Virtual CE router service.
MANAGED ENTERPRISE SERVICE
[Diagram, building on the previous slide] OpenStack & Contrail Controller (Contrail SDN Controller) added; security virtual services (vSRX, vSA, etc.) in the data center; dynamic service chain.
MANAGED ENTERPRISE SERVICE
[Diagram, building on the previous slide] DDoS, cache and 3rd party services added to the dynamic service chain.
CONTRAIL PARTNERSHIP HIGHLIGHTS
THANK YOU