Documente Academic
Documente Profesional
Documente Cultură
Contrail Cloud
2.a
Student Guide
Volume 1 of 2
Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
YEAR 2000 NOTICE
Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The Junos operating system has no known
time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in an agreement
executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks software, you indicate that you understand and agree to be bound by its
license terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the Juniper Networks software, may contain
prohibitions against certain uses, and may state conditions under which the license is automatically terminated. You should consult the software license for further details.
Contents
This two-day course is designed to provide students with the knowledge required to work with the Juniper Contrail
software-defined networking (SDN) solution. Students will gain in-depth knowledge of how to use the OpenStack and
Contrail Web UIs and APIs to perform the required tasks. Through demonstrations and hands-on labs, students will gain
experience with the features of Contrail. This course is based on Contrail Release 2.21.
Course Level
Network Automation Using Contrail Cloud is an intermediate-level course.
Intended Audience
This course benefits individuals responsible for working with software-defined networking solutions in data center,
service provider, and enterprise network environments.
Prerequisites
The prerequisites for this course are as follows:
• Basic TCP/IP skills;
• General understanding of data center virtualization;
• Basic understanding of the Junos operating system;
• Attendance of the Introduction to the Junos Operating System (IJOS) and Juniper Networks SDN
Fundamentals (JSDNF) courses prior to attending this class; and
• Basic knowledge of object-oriented programming and Python scripting is recommended.
Objectives
After successfully completing this course, you should be able to:
• Define basic SDN principles and functionality.
• Define basic OpenStack principles and functionality.
• Define basic Contrail principles and how they relate to OpenStack.
• List and define the components that make up the Contrail solution.
• Explain where Contrail fits into NFV and SDN.
• Describe the functionality of the Contrail control and data planes.
• Describe Nova Docker support in Contrail.
• Describe extending Contrail cluster with physical routers.
• Describe support for TOR switches and OVSDB.
• Describe the OpenStack and Contrail WebUIs.
• Create a tenant project.
• Create and manage virtual networks.
• Create and manage policies.
• Create and assign floating IP addresses.
• Add an image and launch an instance from it.
• Describe how a tenant is created internally.
• Use Contrail's API to configure OpenStack and Contrail.
• Describe service chaining within Contrail.
• Set up a service chain.
• Explain the use of Heat Templates with Contrail.
Day 1
Chapter 1: Course Introduction
Chapter 2: Contrail Overview
Chapter 3: Architecture
Chapter 4: Basic Configuration
Lab: Tenant Implementation and Management
Day 2
Chapter 5: Service Chaining
Lab: Service Chains
Chapter 6: Contrail Analytics
Chapter 7: Troubleshooting
Lab: Performing Analysis and Troubleshooting in Contrail
Appendix A: Installation
Lab: Installation of the Contrail Cloud (Optional)
Franklin Gothic Normal text. Most of what you read in the Lab Guide and
Student Guide.
CLI Input Text that you must enter. lab@San_Jose> show route
GUI Input Select File > Save, and type config.ini
in the Filename field.
CLI Undefined Text where the variable’s value is the Type set policy policy-name.
user’s discretion or text where the
ping 10.0.x.y
variable’s value as shown in the lab
GUI Undefined guide might differ from the value the Select File > Save, and type filename in
user must input according to the lab the Filename field.
topology.
We Will Discuss:
• Objectives and course content information;
• Additional Juniper Networks, Inc. courses; and
• The Juniper Networks Certification Program.
Introductions
The slide asks several questions for you to answer during class introductions.
Course Contents
The slide lists the topics we discuss in this course.
Prerequisites
The slide lists the prerequisites for this course.
Additional Resources
The slide provides links to additional resources available to assist you in the installation, configuration, and operation of
Juniper Networks products.
Satisfaction Feedback
Juniper Networks uses an electronic survey system to collect and analyze your comments and feedback. Depending on the
class you are taking, please complete the survey at the end of the class, or be sure to look for an e-mail about two weeks
from class completion that directs you to complete an online survey form. (Be sure to provide us with your current e-mail
address.)
Submitting your feedback entitles you to a certificate of class completion. We thank you in advance for taking the time to
help us improve our educational offerings.
Courses
You can access the latest Education Services offerings covering a wide range of platforms at
http://www.juniper.net/training/technical_education/.
Junos Genius
The Junos Genius application takes certification exam preparation to a new level. With Junos Genius you can practice for
your exam with flashcards, simulate a live exam in a timed challenge, and even build a virtual network with device
achievements earned by challenging Juniper instructors. Download the app now and Unlock your Genius today!
Find Us Online
The slide lists some online resources to learn and share information about Juniper Networks.
Any Questions?
If you have any questions or concerns about the class you are attending, we suggest that you voice them now so that your
instructor can best address your needs during class.
We Will Discuss:
• Basic software-defined networking (SDN) principles and functionality;
• The four planes of networking software;
• The functions of orchestration; and
• The basic components of Contrail.
SDN Overview
The slide lists the topics we will discuss. We discuss the highlighted topic first.
What Is SDN?
Enterprises and service providers are seeking solutions to their networking challenges. They want their networks to adjust
and respond dynamically, based on their business policy. They want those policies to be automated so that they can reduce
the manual work and personnel cost of running their networks. They want to quickly deploy and run new applications within
and on top of their networks so that they can deliver business results. And they want to do this in a way that allows them to
introduce these new capabilities without disrupting their business. This list is a tall order, but SDN has the promise to deliver
solutions to these challenges. How can SDN do this? To decode and understand SDN, we must look inside networking
software. From this understanding, we can derive the principles for fixing the problems.
The SDN solution must also solve the current challenges of the network. Networks must adjust and respond dynamically to
changes in the network. This network agility can be accomplished through a decoupling of the control and forwarding planes
on individual network devices. The decoupling of the control and forwarding plane also lends to alleviating the need for
manually configuring each and every network device.
SDN Vendors
Many vendors are now offering their “SDN solution” which might fit the classic definition of SDN, might borrow certain
aspects of it, or might stretch the definition so far that it probably shouldn’t even be called SDN.
SDN Flavors
The following is an overview of the three flavors of SDN. While these aren’t officially a standard, they are used here to
illustrate the general differences between the three most common types of solutions that have the software defined
networking name attached to them.
• Open SDN
• SDN as an Overlay
• SDN via API
Overlay Networking
VNs are implemented using two networks—a physical underlay network and a virtual overlay network. This overlay networking
technique has been widely deployed in the Wireless LAN industry for more than a decade but its application to data center
networks is relatively new. It is being standardized in various forums such as the Internet Engineering Task Force (IETF)
through the Network Virtualization Overlays (NVO3) working group and has been implemented in open source and
commercial network virtualization products from a variety of vendors.
The role of the physical underlay network is to provide an IP fabric—its responsibility is to provide unicast IP connectivity from
any physical device (server, storage device, router, or switch) to any other physical device. An ideal underlay network provides
uniform low-latency, non-blocking, high-bandwidth connectivity from any point in the network to any other point in the
network.
The vRouters running in the hypervisors of the virtualized servers create a virtual overlay network on top of the physical
underlay network using a mesh of dynamic tunnels amongst themselves. In the case of Contrail these overlay tunnels can be
MPLS over generic routing encapsulation (GRE), MPLS over User Datagram Protocol (UDP), or VXLAN tunnels.
The underlay physical routers and switches do not contain any per-tenant state: they do not contain any media access
control (MAC) addresses, IP address, or policies for virtual machines. The forwarding tables of the underlay physical routers
and switches only contain the IP prefixes or MAC addresses of the physical servers. Gateway routers or switches that connect
a VN to a physical network are an exception—they do need to contain tenant MAC or IP addresses.
Continued on the next page.
Contrail Overview
The slide highlights the topic we discuss next.
What Is Contrail?
Juniper’s Contrail is a simple, open, and agile SDN solution that automates and orchestrates the creation of highly scalable
virtual networks. These virtual networks let you harness the power of the cloud—for new services, increased business agility,
and revenue growth. Contrail adheres the following concepts:
• Simple: Creates virtual networks that integrate seamlessly with existing physical networks, and that are easy to
manage and orchestrate.
• Open: Avoids expensive vendor-lock with an open architecture that interoperates with a wide range hypervisors,
orchestration systems, and physical networks.
• Agile: Speeds time to market for new services by automating the creation of virtual networks that interconnect
private, hybrid, and public clouds.
Service providers can use Contrail to enable a range of innovative new services, including cloud-based offerings and virtualized
managed services. For enterprises, Contrail can increase business agility by enabling the migration of applications and IT
resources to more flexible private or hybrid cloud environments.
Network virtualization enables programmatic network and device provisioning and management by abstracting a network
layer that consists of both physical and virtual infrastructure elements. This network virtualization simplifies physical and
virtualized device management model resulting in increased network agility and overall cost reduction.
Continued on the next page.
OpenContrail
OpenContrail is an Apache 2.0-licensed project that is built using standards-based protocols and provides all the necessary
components for network virtualization–SDN controller, virtual router, analytics engine, and published northbound APIs. It has
an extensive REST API to configure and gather operational and analytics data from the system. Built for scale, OpenContrail
can act as a fundamental network platform for cloud infrastructure.
OpenContrail is designed to operate in an open source cloud environment to provide a fully integrated end-to-end solution:
• The OpenContrail System is integrated with open source Kernel-based Virtual Machines (KVM) hypervisor.
• The OpenContrail System is integrated with open source virtualization orchestration systems such as
OpenStack and CloudStack.
• The OpenContrail System is integrated with open source physical server management systems such as Chef,
Puppet, Cobbler, and Ganglia.
OpenContrail is available under the permissive Apache 2.0 license—this essentially means that anyone can deploy and
modify the OpenContrail System code without any obligation to publish or release the code modifications.
Juniper Networks also provides commercial versions of the OpenContrail system, that are discussed on one of the following
slides. The open source version of the OpenContrail System is not a teaser—it provides the same full functionality as the
commercial version both in terms of features and in terms of scaling.
OpenContrail does also support VMware ESXi hypervisor (note that it is not open source). It is discussed in more details in
the Appendix A.
Contrail Controller
The Contrail system consists of two main components—the Contrail controller and the Contrail vRouter.
The Contrail controller is a logically centralized but physically distributed SDN controller that is responsible for providing the
management, control, and analytics functions of the virtualized network. The Contrail controller provides the logically
centralized control plane and management plane of the system and orchestrates the vRouters.
Contrail vRouter
The Contrail vRouter is a forwarding plane (of a distributed router) that runs in the hypervisor of a virtualized server. It
extends the network from the physical routers and switches in a data center into a virtual overlay network hosted in the
virtualized servers. The Contrail vRouter is conceptually similar to existing commercial and open source vSwitches such as
the Open vSwitch (OVS). It also provides routing and higher layer services including distributed firewall capabilities to
implement policies between virtual networks (hence vRouter instead of vSwitch).
We Discussed:
• Basic software-defined networking (SDN) principles and functionality;
• The four planes of networking software;
• The functions of orchestration; and
• The basic components of Contrail.
Review Questions
1.
2.
3.
Chapter 3: Architecture
Network Automation Using Contrail Cloud
We Will Discuss:
• Contrail components, in depth;
• Contrails control and data planes; and
• Additional options for deploying Contrail.
Gateway to L3VPN
In this use case, tenants connect to the Internet or an enterprise network through a virtual private network (VPN). The VPN
can be a Layer 3 VPN, Layer 2 VPN, an Secure Sockets Layer (SSL) VPN, an IP Security (IPsec) VPN, and so forth. The data
center gateway function is responsible for connecting the tenant networks to the Internet or the VPNs. The gateway function
can be implemented in software or in hardware (for example, using a gateway router).
Contrail Stack
The slide highlights the topic we discuss next.
Route Distribution
The slide demonstrates how the route distribution works. A general flow of the events involved is as follows:
1. After a VM is instantiated, the vRouter advertises a route to the VM’s IP address with a next hop of the physical
server. A label is also included. In our example, VM-A has been instantiated and a route to 10.1.1.1, a next hop
of 70.10.10.1, and a VRF label of 39 has been communicated by the vRouter, through XMPP, to the Control
Nodes.
2. VM-B has been turned up and its route of 10.1.1.2, next hop of 150.10.10.1, and VRF label of 17 has been
distributed to the Control Nodes.
3. Now, let’s assume VM-A wants to get a packet to VM-B. This is a standard IPv4 packet with a source address,
destination address, and some payload.
4. The vRouter gets this IPv4 packet and does a lookup for the destination address. It finds a next hop of
151.10.10.1 and a label to use of 17.
5. The vRouter pushes a GRE header onto the IPv4 packet using the public IP address, 70.10.10.1 and
151.10.10.1, for source and destination, respectively, and an MPLS label of 17.
6. The packet then traverses the GRE overlay tunnel and arrives at Server 2. Server 2 performs a decapsulation of
the GRE header and does lookup on the 17 label.
7. At this point, Server 2 does a standard IPv4 lookup against 10.1.1.2 and forwards the packet on to the correct
destination VM.
Deployment Options
The slide highlights the topic we discuss next.
We Discussed:
• Contrail components, in depth;
• Contrails control and data planes; and
• Additional options for deploying Contrail.
Review Questions
1.
2.
3.
We Will Discuss:
• How a tenant is created internally;
• How to manage network policies;
• How to create and assign floating IPs;
• The Device Manager; and
• Using OpenStack and Contrail APIs.
VM Creation Zoom-In
Contrail and OpenStack work together in the overall SDN solution. The slide shows details about component interaction
during the process of VM creation.
Note that because OpenStack’s Neutron is built to be a pluggable open architecture, plug-ins can be used to add
functionality to OpenStack's networking platform. One example of a vendor plug-in is Contrail, which interfaces directly with
Neutron.
The steps of VM creation are as follows:
1. When a user requests a new VM, OpenStack submits a VM creation request to the Nova agent on the server
where the VM is to reside.
2. The Nova agent, in turn, requests network configuration via the Neutron API in OpenStack.
3. This request is passed to the Contrail Controller via the Contrail plug-in for Neutron. The plug-in translates the
request from the OpenStack object model and API to the object model and API of Contrail. Each API call
specifies the host (physical server) on which the VM will be created, and the network to which each VM
interface should belong.
4. The Contrail Controller determines whether a new VRF must be created to support a new network on a host,
configures each VRF to be attached to specific virtual interfaces of the new VM, and installs routes in each VRF
to which a new interface has been attached. The installed routes provide connectivity to other systems as
allowed by network policies defined in the Contrail Controller.
5. Once the virtual machine is created, the Nova Agent informs the vRouter agent, who configures the virtual
network for the newly created virtual machine (e.g. new routes in the routing-instance).
Creating VN A
We start with an empty topology, and we must first create VN A. As you will see later in this chapter, you can define VNs using
the Contrail Web UI. An important detail to be aware of at this point is that you cannot launch a VM instance without creating
a VN first, but you do not instantiate the VN anywhere in the infrastructure until that VM instance has been deployed. This
concept means that you must define the topology ahead of time, the whole topology and all the rules that connect it. Then, it
is not programmed into the infrastructure until there is a VM that is spun up that needs it. Notice how the slide shows that
even though we have defined VN A, it is not programmed on any of the virtualized servers in the topology, but it is in the
Contrail controller because you must reference it when you deploy a VM instance. This concept applies to the entire topology,
no matter which VM instance you are deploying.
Spinning Up VM A-1
Now that you have created VN A, you can create VM A-1. The slide shows how the process of deploying a VM instance occurs.
First, you must create a VM and attach a VN to it through OpenStack. You cannot instantiate a VM instance using the Contrail
Web UI—you must use the OpenStack Web UI. Once you launch a VM instance through OpenStack, the Nova component,
which handles the compute orchestration, goes through its iterations, and chooses a server to spin up the VM. Note that
Nova uses an internal algorithm to choose a virtualized server that has more resources than the other available servers.
However, you can manually specify the name of the compute node to choose which virtualized server spins up the VM.
Assigning the VN
OpenStack now communicates with the Contrail controller, through the Neutron plug-in, and tells it to associate VM A-1 with
VN A. Then, through the Extensible Messaging and Presence Protocol (XMPP), Contrail configures the vRouter to associate
VM A-1 with VN A. Currently, the only routing information in VN A is how to get to VM A-1.
Spinning Up VM A-2
Now VM A-2 is spun up. This process is exactly the same as spinning up VM A-1 in which you must launch a VM instance and
associate it with a network. In this case, you are spinning up VM A-2 and associating it with VN A. The only difference in this
case is that OpenStack uses the Nova plug-in to assign the VM to a virtualized server, or compute node, that does not have
any VMs currently running.
Spinning Up VM A-3
Now VM A-3 is spun up. This process is exactly the same as spinning up VM A-1 and VM A-2 in which you must launch a VM
instance and associate it with a network. In this case, you are spinning up VM A-3 and associating it with VN A. Again,
OpenStack uses Nova to assign the VM to a virtualized server, or compute node, that does not have any VMs currently
running.
Creating Customer B
Customer B is much like customer A; you must first create VN B, then launch the associated VMs. The VMs associated with
VN B are placed on the compute node, or virtualized servers. Then, routes are exchanged through XMPP, and the tunnels are
created to provide reachability between the VMs in VN B.
Note that even at this point a policy has not been created to facilitate communication between the two VNs. This current
absence of a policy stops VN A from communicating with VN B and hosts on the Internet, but it does not stop VN B from
communicating with hosts on the Internet. A network policy is used to permit inter-VN communication and to modify intra-VN
traffic—intra-VN communication does need a policy to permit the traffic. However, further steps, that do not relate to a policy
must be enacted to facilitate the communication between VN B and hosts on the Internet.
Network Policies
A network policy describes which traffic is permitted, or not permitted, to pass between virtual networks. All traffic between
VNs is denied by default, and intra-VN traffic is allowed. Note that when you create a network policy you must then associate
it with a VN to have any effect (several policies may be associated with one VN at the same time). Each policy contains a list
of rules that are evaluated in the top-down fashion, and evaluation ends when the first match is found (this is also known as
“terminal behavior”).
Adding Rules
Once you create a policy you can add rules to the policy by clicking the Edit Rules button. Then, you are presented with
the Edit Network Policy Rules window. Now you can create a rule that matches traffic to pass, or deny it based on
the criteria in the rule. Note that you can develop very specific rules and add multiple rules to each policy. The rules in a
policy are processed in a top down order and if the traffic matches one rule, further rule processing does not occur. For
example, if traffic passes through a policy with two rules and matches on the first rule, the action of the first rule is applied to
the traffic and the traffic is not processed by the second rule.
A description of each of the fields for a rule is listed below.
• Sequence Id: This field lets you define the order in which to apply the current rule.
• Action: Define the action to take with traffic that matches the current rule. The options of Pass and Deny permit
or silently drop the traffic, respectively.
• Direction: Define the direction in which to apply the rule, for example, to traffic moving in and out, or only to
traffic moving in one direction. The options of Bidirectional or Unidirectional are available.
• IP Protocol: Select from a list of available protocols: ANY, TCP, UDP, ICMP.
• Source Network: Select the source network for this rule. Choose Local (any network to which this policy is
associated), Any (all networks created under the current project) or select from a list of all sources available
displayed in the drop-down list, in the form: domain-name:project-name:network-name.
Continued on the next page.
Security Groups
Security groups are another security mechanism of the OpenStack/Contrail solution that are used to filter traffic to or from a
VM instance in addition to policies. They can be configured in either Contrail or OpenStack GUI.
A security group is a named collection of network access rules that are used to limit the types of traffic that have access to
VM instances. When you launch an instance, you can assign one or more security groups to it. If you do not create security
groups, new instances are automatically assigned to the default security group, unless you explicitly specify a different
security group.
The associated rules in each security group control the traffic to instances in the group. Any incoming traffic that is not
matched by a rule is denied access by default. You can add rules to or remove rules from a security group, and you can
modify rules for the default and any other security group.
Instances that use the default security group cannot, using default settings, be accessed from any IP address outside of the
cloud. If you want those IP addresses to access the instances, you must modify the rules for the default security group.
The slide shows the predefined rules in the default security group (such group is created automatically for every new project).
Selecting a security group as the source allows any other instance in that security group access to any other instance via this
rule, thus, any external hosts will not be able to access VM instances by default.
Verifying Communication
As with any network related situation, no client or customer really cares what happens in the background, they just want the
application to work well. To that end, before you can call any project a success you must verify that communication can occur
the way you expect it to. By examining the routing information and testing communication on the remote host we can
determine that communication can occur between the remote host and the internal VM instance using the floating IP
address.
To confirm the communication further, you could examine the current flows for the specific vRouter that is servicing the VM.
If the expected flows are present you can confirm that communication is occurring.
Test Communication
The slide shows a ping initiated from a Host routing instance (that emulates a remote device in the lab) to a floating IP
address. You can see that the ping is successful.
OpenStack APIs
We start with a discussion of OpenStack’s APIs. It turns out that each OpenStack component (such as Nova, Neutron,
Keystone) has its own API. Several API versions are supported for backwards compatibility so you can safely install the latest
library packages even if you are using, for some reason, the older API version.
On the following slides we will discuss several examples of using the OpenStack API. The complete API reference is available
on the OpenStack website.
Listing Images
The second half of the slide is an example API call that is used to list the images available.
Create a VM
This script is using Nova API to create a new VM instance in OpenStack.
First we provide credentials and initialize the client object. Then we obtain, using the shown find-methods, references to
image “Core-Linux-Image”, flavor “Linux-Core” and virtual network “VN-A”. Finally we use the create() method
to instantiate a VM and use image, flavor and VN as arguments.
Note that examples provided here do not perform any error checking. If an API server is unavailable, or a VM already exists,
or a required image or flavor can not be found, the script will fail. To make the scripts more robust, you typically use try/
except operators to catch and process exceptions.
<xsd:complexType name="IpamSubnetType">
<xsd:all>
<xsd:element name="subnet" type="SubnetType"/>
<xsd:element name="default-gateway" type="IpAddressType"/>
<xsd:element name="dns-server-address" type="IpAddressType"/>
<xsd:element name="subnet-uuid" type="xsd:string"/>
<xsd:element name="enable-dhcp" type="xsd:boolean" default="true"/>
<xsd:element name="dns-nameservers" type="xsd:string" maxOccurs="unbounded"/>
<xsd:element name="allocation-pools" type="AllocationPoolType" maxOccurs="unbounded"/>
<xsd:element name="addr_from_start" type="xsd:boolean"/>
<xsd:element name="dhcp-option-list" type="DhcpOptionsListType"/>
<xsd:element name="host-routes" type="RouteTableType"/>
<xsd:element name="subnet-name" type="xsd:string"/>
</xsd:all>
</xsd:complexType>
<xsd:complexType name="SubnetType">
<xsd:all>
<xsd:element name="ip-prefix" type="xsd:string"/>
<xsd:element name="ip-prefix-len" type="xsd:integer"/>
</xsd:all>
</xsd:complexType>
It is seen that, indeed, VnSubnetsType references IpamSubnetType, which in its turn references SubnetType.
Associate Floating IP
This example shows scripting commands needed to allocate a floating IP from an existing pool and associate it to the
particular VM interface. The last command is, as usual, a call to VncApi method and applies changes on the API server.
We Discussed:
• How a tenant is created internally;
• How to manage network policies;
• How to create and assign floating IPs;
• The Device Manager; and
• Using OpenStack and Contrail APIs.
Review Questions
1.
2.
3.