
Multi-tenant IaaS using OpenStack + OpenContrail
Takashi Sogabe(@rev4t)
Internet Initiative Japan., Inc.

Who am I ?
Takashi Sogabe (@rev4t)
I develop services and devices at IIJ
Lately, I also verify software and implement networks in order to create new services
I call myself a full stack engineer

What do I want to do?
Contrail is now open source!
The quickest way for an engineer to understand it is to actually try it
I want to read the source code with a smirk on my face
First, build a demo environment and play with it

What is OpenContrail?
It is software that makes it easy to build a scalable IaaS
It is an SDN product
It works with OpenStack and CloudStack
Control plane: BGP or XMPP
Data plane: MPLS over GRE
It appears to support MPLS over UDP and VXLAN as well

Sources of Information
http://opencontrail.org/
Documents and packages are provided here

https://github.com/Juniper/contrail-controller
The source code is published openly on GitHub

http://juni.pr/17tlcQh
Valuable information in Japanese about OpenContrail, posted by Arimura-san of Juniper on JNET

Why MPLS/BGP?
They are mature technologies, so you can use them with peace of mind
ISPs already use MPLS for IP-VPN services
Performance holds up with many VPN connections in place
It is easy to establish inter-DC connections or hybrid clouds
Using an L3VPN router as the external router makes interconnection easy

What else can you do?

Service Chaining
NFV, in other words
You can insert a firewall or many other functions between VMs

Network Monitoring
You can monitor active session information from the web UI
If necessary, you can run tcpdump from the web UI
Think of it as an overlay-network version of Remote SPAN (RSPAN)

Minimum configuration needed for testing?
PC server x 1
Juniper recommends 5 or more
For testing purposes only, 1 is enough

Router x 1
One that can speak MPLS VPN
Juniper MX and SRX are examples
Not necessary if you do not need an external router

Server configuration of demo environment (diagram)
    Router for internet connection
      | 10.0.0.1/24
    External Router (Gateway Router)  192.168.192.79
      | 192.168.192.0/24
    Contrail System  192.168.192.64
      OpenStack (controller, etc.)
      OpenStack (nova-compute)
      vRouter

OpenContrail Architecture

Install (1)
http://juni.pr/1alNn7h
Building from source
git + repo
Setting up is cumbersome, so this is suitable for building only

devstack
https://github.com/dsetia/devstack

Using the binary packages
OS image provided by Juniper
RPM packages (CentOS or Fedora)
A Juniper.net account is needed
Juniper says that if you apply via the online form, an account is created for you in a day or two

The OS image is used for this demo
Contrail Install Media for CentOS 90-day EVAL (Release 1.02)
OpenStack Grizzly

Install (2)
1. Download the OS image and install it on the PC
2. Run setup.sh
       cd /opt/contrail/contrail_packages; ./setup.sh
3. Create the testbed file
4. Install the system
       cd /opt/contrail/utils; fab install_contrail
       (reboots automatically)
       cd /opt/contrail/utils; fab setup_all
       (reboots automatically)

Testbed file
cd /opt/contrail/utils/fabfile/testbeds
cp testbed_singlebox_example.py testbed.py
Edit testbed.py with vi (the brackets and quotes below were lost in extraction; this is the Fabric/Python syntax the example file uses):

    from fabric.api import env

    # List of (name, address) tuples; comment this out if there is no external router
    ext_routers = [('srx1', '192.168.192.79')]

    host1 = 'root@192.168.192.64'
    host_build = 'root@192.168.192.64'
    env.passwords = {
        host1: '<host password>',
        host_build: '<host password>',
    }

Install (3)
If the installation succeeds, you can log in to the Horizon and Contrail web UIs
Horizon
http://(host ip address)/
username: admin
password: contrail123

Contrail
http://(host ip address):8080/
username, password: same as Horizon

External Router configuration (1)

Interface configuration
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.192.79/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}

External Router configuration (2)

L3VPN configuration
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.192.5;
    }
    route-distinguisher-id 192.168.192.79;
    autonomous-system 64512;
    dynamic-tunnels {
        setup1 {
            source-address 192.168.192.79;
            gre;
            destination-networks {
                192.168.192.0/24;
            }
        }
    }
}

protocols {
    bgp {
        group contrail-controller {
            type internal;
            local-address 192.168.192.79;
            family inet-vpn {
                unicast;
            }
            neighbor 192.168.192.64;
        }
    }
    stp;
}

External Router configuration (3)

VRF configuration
routing-instances {
    cusotomer-public {
        instance-type vrf;
        interface ge-0/0/1.0;
        vrf-target target:64512:10000;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.0.0.2;
            }
        }
    }
}

External Router configuration (4)

If you use an SRX, set the forwarding mode to packet-based
security {
    forwarding-options {
        family {
            inet6 {
                mode packet-based;
            }
            mpls {
                mode packet-based;
            }
            iso {
                mode packet-based;
            }
        }
    }
}

root> show security flow status
  Flow forwarding mode:
    Inet forwarding mode: packet based
    Inet6 forwarding mode: packet based
    MPLS forwarding mode: packet based
    ISO forwarding mode: packet based
  Flow trace status
    Flow tracing status: off

If you use flow-based mode, it appears there is no way to add the dynamic tunnel to a security zone

CREATING TENANT NETWORK USING OPENCONTRAIL

Network Configuration (1)

3 ways to configure
Configure from the OpenContrail web UI
Configure from OpenStack
    However, some parameters cannot be configured using neutron (quantum)

OpenContrail REST API
    API server: http://(controller_host):8082/
    There is no documentation at all at this time
    However, you can probably use most of it by following the links from the top-level URL
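As an added example (not code from the deck or from the OpenContrail project), the script below does exactly what the slide suggests: it starts at the top-level URL, follows the collection links, and prints every tenant virtual network with its subnets and attached network policies, so an administrator can check which networks are still isolated. The controller address and the JSON field names (links/link/href, virtual-networks, network_ipam_refs, network_policy_refs) are assumptions taken from the Contrail schema as I know it; confirm them against the live top-level URL.

```python
# Added example, not code from the deck or from OpenContrail itself.
# Read-only inventory of tenant virtual networks via the Contrail config API.
# Field names below follow the Contrail REST schema as I understand it and are
# assumptions: confirm them against GET http://<controller>:8082/ first.
import json
import urllib.request

API = "http://192.168.192.64:8082"  # controller host from the demo testbed


def fetch_json(url):
    """GET an API URL and return the decoded JSON document."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def list_collections(root):
    """Map collection name -> href from the top-level document's 'links'."""
    return {item["link"]["name"]: item["link"]["href"]
            for item in root.get("links", [])
            if item["link"].get("rel") == "collection"}


def summarize_network(vn):
    """Reduce one virtual-network document to its name, subnets and policies."""
    subnets = []
    for ipam in vn.get("network_ipam_refs", []):
        for entry in ipam.get("attr", {}).get("ipam_subnets", []):
            sub = entry["subnet"]
            subnets.append("%s/%d" % (sub["ip_prefix"], sub["ip_prefix_len"]))
    policies = [":".join(ref["to"]) for ref in vn.get("network_policy_refs", [])]
    return {"name": ":".join(vn["fq_name"]),
            "subnets": subnets,
            "policies": policies,
            # With no policy attached, Contrail only forwards inside the network.
            "isolated": not policies}


def inventory(api=API):
    """Walk from the top-level URL to every virtual network and summarize it."""
    cols = list_collections(fetch_json(api + "/"))
    result = []
    for stub in fetch_json(cols["virtual-network"])["virtual-networks"]:
        result.append(summarize_network(fetch_json(stub["href"])["virtual-network"]))
    return result


if __name__ == "__main__":
    for vn in inventory():
        print(vn["name"], vn["subnets"], vn["policies"] or "(isolated)")
```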

Tenant network (diagram; addresses as drawn in the figure)
    External router (.1) on external network 10.0.0.0/24
    Floating-ip 10.1.0.253 on global 10.1.0.0/24, reached via the vRouter
    public 10.255.0.0/24: vRouter .254, test-public-1 .253, test-public-2 .252
    private 10.254.0.0/24: vRouter .254, test-private-1 .253, test-private-2 .252

1. Create network (public)
2. Create IP address block (public)
3. Configure global network
4. Activate test-public-1, test-public-2
5. Ping from test-public-1 to 10.0.0.1
6. Create private network
7. Activate test-private-1, test-private-2
8. Ping from test-private-1 to test-public-1
9. Create policy
10. Apply policy
11. Again, ping from test-private-1 to test-public-1
12. Create and assign floating-ip
13. Ping from ext-router to test-public-1

root> ping 10.1.0.253 routing-instance cusotomer-public
PING 10.1.0.253 (10.1.0.253): 56 data bytes
64 bytes from 10.1.0.253: icmp_seq=0 ttl=62 time=31.423 ms
64 bytes from 10.1.0.253: icmp_seq=1 ttl=62 time=2.510 ms
^C
--- 10.1.0.253 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss

External router show route (1)

root> show route

inet.0: 5 destinations, 5 routes (4 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 1d 20:49:14
                    > to 192.168.192.5 via ge-0/0/0.0
10.1.0.1/32        *[Local/0] 1d 20:49:29
                      Reject
192.168.192.0/24   *[Direct/0] 1d 20:49:14
                    > via ge-0/0/0.0
192.168.192.79/32  *[Local/0] 1d 20:49:20
                      Local via ge-0/0/0.0

External router show route (2)

inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.192.0/24   *[Tunnel/300] 1d 20:49:46
                      Tunnel
192.168.192.64/32  *[Tunnel/300] 00:56:35
                    > via gr-0/0/0.32769

External router show route (3)

cusotomer-public.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 1d 20:49:14
                    > to 10.0.0.2 via ge-0/0/1.0
10.0.0.0/24        *[Direct/0] 1d 20:49:14
                    > via ge-0/0/1.0
10.0.0.1/32        *[Local/0] 1d 20:49:19
                      Local via ge-0/0/1.0
10.1.0.253/32      *[BGP/170] 00:07:40, localpref 100, from 192.168.192.64
                      AS path: ?
                    > via gr-0/0/0.32769, Push 16

External router show route (4)

mpls.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

299792             *[VPN/170] 02:02:08
                    > to 10.0.0.2 via ge-0/0/1.0, Pop

bgp.l3vpn.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.192.64:2:10.1.0.253/32
                   *[BGP/170] 00:07:40, localpref 100, from 192.168.192.64
                      AS path: ?
                    > via gr-0/0/0.32769, Push 16
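The route tables above are what a working L3VPN path looks like: the floating IP arrives as a BGP route, resolves over the gr- dynamic tunnel and carries the MPLS label the vRouter expects. As an added example (not code from the deck), the parser below turns Junos "show route" text into a dictionary and checks that condition for a given prefix, so the check can be repeated from a script instead of by eye; the sample input is the VRF table from the slides, embedded as a constructed string.

```python
# Added example (not from the deck): parse Junos "show route" text and check
# that the floating IP is a BGP route over the GRE tunnel with an MPLS label.
import re

# Prefix, optionally preceded by a route distinguisher as in bgp.l3vpn.0
PREFIX_RE = re.compile(r"^((?:\d+\.\d+\.\d+\.\d+:\d+:)?\d+\.\d+\.\d+\.\d+/\d+)")
PROTO_RE = re.compile(r"\*\[(\w+)/(\d+)\]")
NEXTHOP_RE = re.compile(r"(?:to ([^\s,]+) )?via ([^\s,]+)(?:, Push (\d+))?")


def parse_show_route(text):
    """Return {prefix: {protocol, preference, to, via, label}} for active routes."""
    routes, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if "destinations," in line:      # table header: start a new table
            cur = None
            continue
        m = PREFIX_RE.match(line)
        if m:                            # new prefix; details may follow on later lines
            cur = routes.setdefault(m.group(1), dict.fromkeys(
                ("protocol", "preference", "to", "via", "label")))
            line = line[m.end():].strip()
        if cur is None:
            continue
        p = PROTO_RE.search(line)
        if p:
            cur["protocol"], cur["preference"] = p.group(1), int(p.group(2))
        n = NEXTHOP_RE.search(line)
        if n:
            cur["to"], cur["via"] = n.group(1), n.group(2)
            cur["label"] = int(n.group(3)) if n.group(3) else None
    return routes


def vpn_path_ok(routes, prefix):
    """True if prefix is a BGP route over a gr- tunnel carrying an MPLS label."""
    r = routes.get(prefix)
    return bool(r and r["protocol"] == "BGP" and (r["via"] or "").startswith("gr-")
                and r["label"] is not None)


# Constructed sample: the cusotomer-public table from the deck, trimmed.
SAMPLE = """
cusotomer-public.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0          *[Static/5] 1d 20:49:14
                    > to 10.0.0.2 via ge-0/0/1.0
10.1.0.253/32      *[BGP/170] 00:07:40, localpref 100, from 192.168.192.64
                      AS path: ?
                    > via gr-0/0/0.32769, Push 16
"""
```

Feed it the output of `show route table cusotomer-public.inet.0` (or the bgp.l3vpn.0 table, whose RD-prefixed entries it also parses) and alert when vpn_path_ok() turns false for the floating IP.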

Network Management (1)

Network Management (2)

Network Management (3)

You can monitor Flow information real-time

Network Management (4)

Verify Routing Table

Using Analyzer (1)
Imagine the L3 switch Remote SPAN (RSPAN) feature made more useful
Specify the network on which to capture packets and the type of packets
An Analyzer instance starts automatically
The administrator can inspect the packet dump with Wireshark from the OpenStack admin screen

You can also log in to the Compute Node directly and tcpdump the tap interface; however, the Analyzer is much easier to use

Using Analyzer (2)

Using Analyzer (3)

Summary
Very easy-to-use admin screen
You can monitor communications on the overlay

Architecture that enables scalability
Controller load is small because each node forwards its own traffic on the overlay
Cassandra as the backend database allows it to scale
Using L3VPN routers as external routers lets the uplinks scale
I heard VXLAN can be used as well, but it appears it cannot be configured from the admin screen yet

Things I would like to investigate further
Service chaining
Measure scalability by increasing the number of nodes
Terminate the external router using VXLAN
I would like to try the version supporting Havana