
Multi-tenant IaaS using

OpenStack + OpenContrail
Takashi Sogabe(@rev4t)
Internet Initiative Japan Inc.

Who am I?
Takashi Sogabe (@rev4t)
I develop services and devices at IIJ.
Lately I also verify software and implement networks in order to create new services.
I call myself a full-stack engineer.

What do I want to do?

Contrail is now open source!
The quickest way for an engineer to understand it is to actually try it.
I want to read the source code with a smirk on my face.
So first, build a demo environment and play with it.

What is OpenContrail?
Software that makes it easy to build a scalable IaaS
It is an SDN product

It works with OpenStack and CloudStack

Control plane: BGP (between control nodes and to the external router) and XMPP (from the control nodes to the vRouter agents on the compute nodes)
Data plane: MPLS over GRE
It appears to support MPLS over UDP and VXLAN as well

Sources of information
Documents and packages are provided here

Source code is available publicly on GitHub

Valuable information in Japanese about OpenContrail, posted by Arimura-san of Juniper on J-Net

The underlying technologies (BGP/MPLS L3VPN) are mature, so you can use them with peace of mind
ISPs already use MPLS L3VPN for their IP-VPN services
Performance holds up with a large number of VPNs in place
Inter-DC connections and hybrid clouds are easy to set up
Using an L3VPN-capable router as the external router makes interconnection easy

What else can you do?

Service chaining
In other words, NFV
You can insert a firewall or many other functions between VMs

Network monitoring
You can monitor the session information of live traffic from the web screen
If necessary, you can run tcpdump from the web screen
Think of it as an overlay-network version of Remote SPAN (RSPAN)

Minimum configuration needed

PC server x 1
Juniper recommends 5 or more
For testing purposes, 1 is enough

Router x 1
One that can speak MPLS VPN (BGP/MPLS L3VPN)
Juniper MX and SRX are examples
If you do not need an external router, it is not needed

Server configuration of the demo

Router for internet connection
External router (gateway router)
Contrail system
OpenStack (controller, etc.)

OpenContrail architecture

Install (1)
Building from source
git + repo
Setting it up is cumbersome, so this is worth it only if you just want to build

Using binary packages

OS image provided by Juniper
RPM packages (CentOS or Fedora)
A Juniper.net account is needed
Juniper says that if you apply via the online form, an account is created for you in a day or two

The OS image is used for this demo

Contrail Install Media for CentOS 90-day EVAL (Release 1.02)
OpenStack Grizzly

Install (2)
1. Download the OS image and install it on the PC
2. Run setup.sh
   cd /opt/contrail/contrail_packages; ./setup.sh
3. Create the testbed file
4. Install the system
   cd /opt/contrail/utils; fab install_contrail
   (the host reboots automatically)
   cd /opt/contrail/utils; fab setup_all
   (the host reboots automatically)

Testbed file
cd /opt/contrail/utils/fabfile/testbeds
cp testbed_singlebox_example.py testbed.py
Edit testbed.py with vi (the IP addresses were removed from the slide, so placeholders are shown):

from fabric.api import env

ext_routers = [('srx1', '<external router ip>')]
# (if there is no external router, comment this line out)

host1 = 'root@<host ip>'
host_build = 'root@<host ip>'
env.passwords = {
    host1: '<host password>',
    host_build: '<host password>',
}

Note that testbed.py holds the root password in cleartext; keep it readable only by root and do not check it in anywhere.

Install (3)
If installation succeeds, you can log in to Horizon and the Contrail web screen
http://(host ip address)/
username: admin
password: contrail123

http://(host ip address):8080/
username and password: same as Horizon

These are the eval image defaults; change the admin password before exposing either screen beyond the test network.

External router configuration (1)

Interface configuration (addresses were removed from the slide; placeholders shown)
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address <ge-0/0/0 address>/<prefix length>;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address <ge-0/0/1 address>/<prefix length>;
            }
        }
    }
}

External router configuration (2)

L3VPN configuration (addresses and prefixes were removed from the slide; placeholders shown. The source-address and gre statements are not visible on the slide but Junos requires them under dynamic-tunnels.)
routing-options {
    static {
        route <prefix> next-hop <next-hop address>;
    }
    autonomous-system 64512;
    dynamic-tunnels {
        setup1 {
            source-address <local tunnel endpoint address>;
            gre;
            destination-networks {
                <prefix covering the compute nodes' vRouter addresses>;
            }
        }
    }
}

protocols {
    bgp {
        group contrail-controller {
            type internal;
            family inet-vpn {
                unicast;
            }
            neighbor <contrail control node address>;
        }
    }
}

This is an iBGP session (AS 64512 on both sides) carrying the inet-vpn (VPNv4) family. The VPN routes the control node advertises have the compute nodes' vRouter addresses as next hops, so destination-networks must cover those addresses; that is what makes Junos create the GRE tunnel interface (gr-0/0/0.* in the later show route output) for MPLS over GRE.

External router configuration (3)

VRF configuration (prefix and next hop were removed from the slide; placeholders shown)
routing-instances {
    cusotomer-public {
        instance-type vrf;
        interface ge-0/0/1.0;
        vrf-target target:64512:10000;
        routing-options {
            static {
                route <prefix> next-hop <next-hop address>;
            }
        }
    }
}

The vrf-target must match the route target configured on the public virtual network in Contrail; that is what imports the VM routes into this VRF and exports the VRF's static route to the tenant.

External router configuration (4)

If you use an SRX, set the forwarding mode to packet-based
security {
    forwarding-options {
        family {
            inet6 {
                mode packet-based;
            }
            mpls {
                mode packet-based;
            }
            iso {
                mode packet-based;
            }
        }
    }
}

The change takes effect only after a reboot. Verify with:

root> show security flow status
  Flow forwarding mode:
    Inet forwarding mode: packet based
    Inet6 forwarding mode: packet based
    MPLS forwarding mode: packet based
    ISO forwarding mode: packet based
  Flow trace status
    Flow tracing status: off

In packet-based mode the SRX forwards this traffic without flow (session) processing, so its security policies do not apply to it: the box is acting as a plain L3VPN PE router here, not as a firewall.

With flow-based forwarding, there appears to be no way to place the dynamic tunnel interface in a security zone



Network configuration (1)

There are three ways to configure it:
Configure from the OpenContrail web screen
Configure from OpenStack (Horizon)
  However, some parameters cannot be configured from there
Use the OpenContrail REST API

API server: http://(controller_host):8082/
There is no documentation at all at this time
However, you can probably work out most of it by starting from the top-level URL, which lists the resource collections

[Diagram: tenant network, external router, external network]

Demo procedure (one screenshot per step in the original slides)

1. Create network (public)
2. Create IP address block (public)
3. Configure the global network
4. Launch test-public-1 and test-public-2
5. Ping from test-public-1 to ...
6. Create private network
7. Launch test-private-1 and test-private-2
8. Ping from test-private-1 to test-public-1 (no policy yet, so traffic between the two virtual networks is blocked)
9. Create policy
10. Apply policy
11. Ping again from test-private-1 to test-public-1
12. Create and assign a floating IP
13. Ping from the external router to test-public-1 (addresses were removed from the slide; placeholders shown)

root> ping routing-instance cusotomer-public <floating ip>
PING <floating ip> (<floating ip>): 56 data bytes
64 bytes from <floating ip>: icmp_seq=0 ttl=62 time=31.423 ms
64 bytes from <floating ip>: icmp_seq=1 ttl=62 time=2.510 ms
--- <floating ip> ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
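The REST API has no documentation, so here is an added example (my own code, not from the slides or from the OpenContrail project) of driving it with nothing but the Python standard library: it reads the resource collections from the top-level URL of the API server on :8082, then builds the request bodies for the "Create policy" and "Apply policy" steps above. The JSON layouts (the discovery "links", the network-policy body, network_policy_refs) are reproduced from memory of the Contrail vnc API and are an assumption; compare them with what your own API server returns before relying on them. The controller address 192.0.2.10, the virtual-network names "private"/"public" and the policy name "allow-icmp" are constructed for the example.

```python
"""Added example: minimal OpenContrail API client (assumed JSON layouts)."""
import json
import urllib.request
from typing import Optional

# Constructed sample of a top-level discovery document (trimmed to three
# links; a real server lists every resource type).  192.0.2.10 is a
# documentation address, not a real controller.
SAMPLE_DISCOVERY = json.dumps({
    "href": "http://192.0.2.10:8082",
    "links": [
        {"link": {"href": "http://192.0.2.10:8082/virtual-networks",
                  "name": "virtual-network", "rel": "collection"}},
        {"link": {"href": "http://192.0.2.10:8082/virtual-network",
                  "name": "virtual-network", "rel": "resource-base"}},
        {"link": {"href": "http://192.0.2.10:8082/network-policys",
                  "name": "network-policy", "rel": "collection"}},
    ],
})


def collections_from_discovery(doc: str) -> dict:
    """Map resource type -> listable collection URL.

    'resource-base' links are the per-object URL prefixes
    (GET /virtual-network/<uuid>) and are skipped; only 'collection'
    links can be listed with GET.
    """
    data = json.loads(doc)
    return {link["link"]["name"]: link["link"]["href"]
            for link in data.get("links", [])
            if link["link"].get("rel") == "collection"}


def icmp_policy_body(domain: str, project: str, name: str,
                     src_vn: str, dst_vn: str) -> dict:
    """Body for POST to the network-policy collection: permit ICMP in
    both directions between two virtual networks of the same project
    (the "Create policy" step).  Layout assumed from the vnc API."""
    def fq(vn: str) -> str:
        return ":".join([domain, project, vn])

    any_port = [{"start_port": -1, "end_port": -1}]  # -1 means any port
    rule = {
        "direction": "<>",                          # bidirectional
        "protocol": "icmp",
        "src_addresses": [{"virtual_network": fq(src_vn)}],
        "dst_addresses": [{"virtual_network": fq(dst_vn)}],
        "src_ports": any_port,
        "dst_ports": any_port,
        "action_list": {"simple_action": "pass"},
    }
    return {"network-policy": {
        "fq_name": [domain, project, name],
        "parent_type": "project",
        "network_policy_entries": {"policy_rule": [rule]},
    }}


def attach_policy(vn_body: dict, domain: str, project: str, policy: str,
                  major: int = 0, minor: int = 0) -> dict:
    """Add a network_policy_refs entry to a virtual-network body (the
    "Apply policy" step; the body is then PUT back to
    /virtual-network/<uuid>).  Existing refs are kept and the same policy
    is not referenced twice."""
    vn = vn_body.setdefault("virtual-network", {})
    refs = vn.setdefault("network_policy_refs", [])
    to = [domain, project, policy]
    if not any(ref.get("to") == to for ref in refs):
        refs.append({"to": to,
                     "attr": {"sequence": {"major": major, "minor": minor}}})
    return vn_body


def api_call(url: str, method: str = "GET", body: Optional[dict] = None,
             token: Optional[str] = None) -> dict:
    """Send one JSON request.  A Keystone token is sent as X-Auth-Token
    only when supplied; whether the API server enforces one depends on how
    it is configured, so restrict who can reach port 8082 regardless."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    if token:
        req.add_header("X-Auth-Token", token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Offline: parse the constructed discovery document.
    print(json.dumps(collections_from_discovery(SAMPLE_DISCOVERY), indent=2))
    print(json.dumps(icmp_policy_body("default-domain", "admin", "allow-icmp",
                                      "private", "public"), indent=2))
    # Against a real controller (replace the host), uncomment:
    # cols = collections_from_discovery(
    #     json.dumps(api_call("http://<controller_host>:8082/")))
    # api_call(cols["network-policy"], "POST", icmp_policy_body(
    #     "default-domain", "admin", "allow-icmp", "private", "public"))
```

Run it once against your controller's top-level URL first and diff the collection names it returns against the ones assumed here; the resource-base links are the place to GET an individual object (such as the "public" virtual network) before sending the modified body back with PUT.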

External router show route (1)

(Destination prefixes and next-hop addresses were removed from the slides; placeholders shown.)

root> show route

inet.0: 5 destinations, 5 routes (4 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

<prefix>        *[Static/5] 1d 20:49:14
                 > to <next-hop> via ge-0/0/0.0
<prefix>        *[Local/0] 1d 20:49:29
                   Reject
<prefix>        *[Direct/0] 1d 20:49:14
                 > via ge-0/0/0.0
<prefix>        *[Local/0] 1d 20:49:20
                   Local via ge-0/0/0.0

External router show route (2)

inet.3: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

<prefix>        *[Tunnel/300] 1d 20:49:46
                   Tunnel
<prefix>        *[Tunnel/300] 00:56:35
                 > via gr-0/0/0.32769

inet.3 holds the tunnel routes used to resolve BGP next hops: the dynamic-tunnels configuration created the GRE interface gr-0/0/0.32769 toward the compute node that advertises the VM route.

External router show route (3)

cusotomer-public.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

<prefix>        *[Static/5] 1d 20:49:14
                 > to <next-hop> via ge-0/0/1.0
<prefix>        *[Direct/0] 1d 20:49:14
                 > via ge-0/0/1.0
<prefix>        *[Local/0] 1d 20:49:19
                   Local via ge-0/0/1.0
<prefix>        *[BGP/170] 00:07:40, localpref 100, from <control node address>
                   AS path: ?
                 > via gr-0/0/0.32769, Push 16

The BGP/170 route is the tenant route learned from the Contrail control node; packets toward it get MPLS label 16 pushed and go into the GRE tunnel (MPLS over GRE).

External router show route (4)

mpls.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

<label>         *[VPN/170] 02:02:08
                 > to <next-hop> via ge-0/0/1.0, Pop

bgp.l3vpn.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

<rd>:<prefix>   *[BGP/170] 00:07:40, localpref 100, from <control node address>
                   AS path: ?
                 > via gr-0/0/0.32769, Push 16

mpls.0 holds the VPN label this router allocated and advertised for the VRF's static route out of ge-0/0/1.0: packets from Contrail arriving with that label have it popped and are forwarded out ge-0/0/1.0. bgp.l3vpn.0 shows the same tenant route as in the VRF, as received over BGP before route-target import.

Network management (1)

Network management (2)

Network management (3)

You can monitor flow information in real time

Network management (4)

Verify the routing table

Using the Analyzer (1)

Think of it as the Remote SPAN (RSPAN) feature of an L3 switch, made more useful
Specify the network to capture packets from and the type of ...; an Analyzer instance is launched automatically
The administrator can inspect the packet dump from the OpenStack admin screen using Wireshark

You can also log in to a compute node directly and tcpdump the tap interface; however, the Analyzer is much easier to use

Since anyone with admin access to the screen can capture tenant traffic this way, treat the admin accounts on Horizon and the Contrail web screen as sensitive.

Using the Analyzer (2)

Using the Analyzer (3)

The admin screen is very easy to use
You can monitor communications on the overlay

Architecture that enables scalability

Controller workload is small because each node forwards traffic itself over the overlay
Use of Cassandra as the backend database, which allows ...
Use of L3VPN routers as external routers, which allows the uplinks to scale
I heard VXLAN can be used as well, but it appears it cannot be configured from the admin screen yet

Things I would like to investigate

Service chaining
Measure scalability by increasing the number of ...
Terminate the external router using VXLAN
I would like to try the version supporting ...