Note: This blog post was produced in the author's own lab environment; all third-party references and performance characterizations need to be verified with the third-party vendor in question.
OPENCONTRAIL GATEWAYS – Use Cases and Setup Guide
1 INTRODUCTION
A gateway in a virtualized network is the entity that lets traffic move back and forth between the virtual and the physical network, or between virtual networks built on different sets of technologies. In most deployments the virtual network is built with overlay (tunneling) technologies, so the gateway has to understand the overlay's control plane and encapsulation in order to pass traffic through it in both directions.
OpenContrail uses standards-based control plane protocols and encapsulation mechanisms. As a result, industry-standard routing platforms can be used as gateways to the virtual networks, which differentiates OpenContrail from several of the available solutions. In this post we look at various approaches to setting up and using a gateway to an OpenContrail cloud. We cover three gateway options, which together include a vendor-agnostic (non-Juniper) solution and a virtualized gateway:
- Juniper MX
- Cisco ASR 903
- Software Gateway
2 Use Cases that require a Gateway to a Cloud Environment
2.1 Hybrid Cloud Use Case
In this use case, a gateway is required to connect an enterprise private cloud to a public cloud environment, for example through the VPC gateway of AWS.
2.2 Data Center Interconnect – A Distributed Cloud Scenario
In this use case, multiple data center sites are interconnected into a distributed cloud by building an L3VPN domain over EBGP between the gateways.
2.3 Cloud Interconnect + NFV Security Service via L3 VPN Gateway
A BGP/MPLS VPN capable data center gateway router provides connectivity between the enterprise customer's virtual network assets residing in the data center and the existing physical PIP L3VPN network using standard Inter-AS VPN connectivity. The data center edge router acts as an Inter-AS VPN ASBR, bridging the ASN used in the Contrail virtual-network overlay to the ASN used in the service provider L3VPN core.
2.4 Software Gateway to a Virtualized Cloud
3 What does a Gateway need?
An L3 gateway to an OpenContrail virtual cloud environment requires standard features for control plane signaling:
- L3VPN (BGP/MPLS IP VPNs, RFC 4364), with route targets matching those configured on the Contrail virtual networks
- MP-BGP (MBGP) with the inet-vpn / VPNv4 address family, to peer with the Contrail control nodes
and the following for data plane functionality:
- Dynamic GRE tunnels carrying MPLS (MPLS-over-GRE, RFC 4023) to the compute nodes, created on demand from the BGP next hops rather than configured per compute node
One caveat to keep in mind when placing the gateway: neither GRE nor the MPLS label provides authentication or integrity protection. The underlay between the gateway and the compute nodes must be a trusted network, and the tunnel endpoints should be reachable only from it.
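To make the data plane requirement concrete, here is an added example (not code from this post, from OpenContrail, or from any vendor) that builds and parses the MPLS-over-GRE framing a gateway emits when its routing table says "via gr-0/0/0.32772, Push 22": an outer IPv4 header from the gateway to the compute node, a GRE header with protocol type 0x8847 (MPLS unicast), a one-entry MPLS label stack, and then the tenant packet. The gateway address 10.84.18.253, the label 22 and the VM 10.84.53.93 are taken from the MX walkthrough further down; the compute-node address 10.84.18.20, the inner source 10.84.53.81, the UDP payload and the audit policy are assumptions constructed for the example.

```python
"""MPLS-over-GRE framing as carried by OpenContrail dynamic tunnels (added example)."""
import ipaddress
import struct

IPPROTO_GRE = 47
GRE_PROTO_MPLS_UNICAST = 0x8847  # RFC 4023: MPLS unicast payload inside GRE


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum field is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options, ID/flags zero) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def mpls_lse(label: int, tc: int = 0, bos: bool = True, ttl: int = 64) -> bytes:
    """One MPLS label stack entry: 20-bit label, 3-bit TC, bottom-of-stack bit, 8-bit TTL."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bos) << 8) | ttl)


def encap_mpls_over_gre(outer_src, outer_dst, label, inner_src, inner_dst, payload: bytes) -> bytes:
    """Gateway side: outer IPv4 | GRE(0x8847, no C/K/S) | MPLS label | inner IPv4 | payload."""
    inner = ipv4_header(inner_src, inner_dst, 17, len(payload)) + payload  # 17 = UDP (constructed)
    gre = struct.pack("!HH", 0, GRE_PROTO_MPLS_UNICAST) + mpls_lse(label) + inner
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre)) + gre


def decap_mpls_over_gre(pkt: bytes) -> dict:
    """Compute-node side: validate the framing, return endpoints, label stack and inner addresses."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("outer header is not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_GRE:
        raise ValueError("outer protocol %d is not GRE" % pkt[9])
    if _checksum(pkt[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    gre = pkt[ihl:]
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, gproto = struct.unpack("!HH", gre[:4])
    if gproto != GRE_PROTO_MPLS_UNICAST:
        raise ValueError("GRE protocol type 0x%04x is not MPLS unicast" % gproto)
    # Optional GRE fields (RFC 2890): C adds checksum+reserved, K adds key, S adds sequence number
    off = 4 + (4 if flags & 0x8000 else 0) + (4 if flags & 0x2000 else 0) + (4 if flags & 0x1000 else 0)
    labels = []
    while True:  # walk the label stack until the bottom-of-stack bit is set
        if len(gre) < off + 4:
            raise ValueError("truncated label stack")
        (lse,) = struct.unpack("!I", gre[off:off + 4])
        labels.append(lse >> 12)
        off += 4
        if lse & 0x100:
            break
    inner = gre[off:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return {
        "outer_src": str(ipaddress.IPv4Address(pkt[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "labels": labels,
        "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
    }


def audit(pkt: bytes, advertised_labels: set, trusted_sources: set) -> str:
    """Assumed policy for a tunnel endpoint or underlay filter: GRE carries no authentication,
    so anything that can reach the endpoint with a valid label can inject traffic into a VRF."""
    try:
        d = decap_mpls_over_gre(pkt)
    except ValueError as exc:
        return "drop: %s" % exc
    if d["outer_src"] not in trusted_sources:
        return "drop: GRE from untrusted underlay source %s" % d["outer_src"]
    if d["labels"][0] not in advertised_labels:
        return "drop: unadvertised label %d" % d["labels"][0]
    return "accept: label %d -> %s" % (d["labels"][0], d["inner_dst"])


if __name__ == "__main__":
    frame = encap_mpls_over_gre("10.84.18.253", "10.84.18.20", 22,
                                "10.84.53.81", "10.84.53.93", b"constructed payload")
    print(decap_mpls_over_gre(frame))
    print(audit(frame, {22}, {"10.84.18.253"}))
```

The point of `audit` is the security property of the data plane: the label is the only thing selecting the destination VRF, and it is learnt over BGP by every peer, so it is not a secret. The only real controls are who can reach the tunnel endpoint on the underlay and whether the endpoint checks the outer source against its known peers.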
4 Juniper MX as a Gateway
In this section, we cover the Junos configuration elements required to enable an MX as a gateway router to an OpenContrail cloud environment:
- A routing instance (VRF) in which the virtual network's prefixes show up, with a route target matching the one configured on the Contrail virtual network
- Logical tunnel (lt-) interfaces, or alternatively rib-groups, to leak routes between the routing instance and inet.0
- Dynamic tunnels, so that a GRE tunnel to each compute node is created automatically from the BGP next hops instead of being configured one by one
Here are the MX configuration snippets:
root> show configuration
## Enables tunnel services (required for dynamic GRE tunnels) on the chassis
chassis {
    fpc 0 {
        pic 0 {
            tunnel-services;
        }
    }
}
interfaces {
    ## Logical tunnel pair used to leak routes between the Contrail VRF (public) and the global routing table
    lt-0/0/0 {
        unit 0 {
            encapsulation frame-relay;
            dlci 1;
            peer-unit 1;
            family inet;
        }
        unit 1 {
            encapsulation frame-relay;
            dlci 1;
            peer-unit 0;
            family inet;
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.84.18.254;
        ## Public virtual-network prefix: from inet.0 it is pointed into the VRF through the lt pair
        route 10.84.53.80/28 next-hop lt-0/0/0.0;
    }
    route-distinguisher-id 10.84.18.253;
    autonomous-system 64512;
    ## Dynamic tunnels: for every BGP next hop (compute node) that falls inside destination-networks,
    ## a GRE tunnel sourced from source-address is established automatically
    dynamic-tunnels {
        dynamic_overlay_tunnels {
            source-address 10.84.18.253;
            gre;
            destination-networks {
                10.84.18.0/24;
            }
        }
    }
}
protocols {
    mpls {
        interface all;
    }
    ## Control path: iBGP peering with family inet-vpn to each Contrail control node
    bgp {
        group Contrail_Controller {
            type internal;
            local-address 10.84.18.253;
            keep all;
            family inet-vpn {
                unicast;
            }
            neighbor 10.84.18.12;   ## Contrail control node 1
            neighbor 10.84.18.13;   ## Contrail control node 2
        }
    }
}
routing-instances {
    ## Usually one VRF per cluster; the vrf-target must match the route target of the Contrail virtual network
    public {
        instance-type vrf;
        interface lt-0/0/0.1;
        vrf-target target:64512:10000;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop lt-0/0/0.1;   ## Default route out of the VRF into inet.0
            }
        }
    }
}
Some CLI/operational commands to verify the control and data path:

## After the BGP peering to the MX has been configured in the Contrail web UI, both control nodes should be Established
root> show bgp summary
Groups: 1 Peers: 2 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
bgp.l3vpn.0
                      78         69          0          0          0          0
Peer            AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
10.84.18.12   64512      22019      23624       0       1     1w0d12h Establ
  bgp.l3vpn.0: 9/9/9/0
  public.inet.0: 1/1/1/0
10.84.18.13   64512      22023      23624       0       1     1w0d12h Establ
  bgp.l3vpn.0: 0/9/9/0
  public.inet.0: 0/1/1/0

## Routes received from control node 10.84.18.13. Both control nodes advertise the same routes, which is why the copies from 10.84.18.13 are received and accepted (0/9/9/0) but the active paths are the ones from 10.84.18.12
root> show route receive-protocol bgp 10.84.18.13
..
public.inet.0: 4 destinations, 6 routes (4 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
  10.84.53.93/32          10.84.18.13                  100        ?

bgp.l3vpn.0: 69 destinations, 78 routes (69 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
  10.84.18.13:1:0.0.0.0/0
                          10.84.18.13                  100        ?
  10.84.18.13:1:1.0.2.253/32
                          10.84.18.13                  100        ?
  10.84.18.13:1:10.84.53.93/32
                          10.84.18.13                  100        ?
  10.84.18.13:1:192.168.10.252/32
                          10.84.18.13                  100        ?
  10.84.18.13:1:192.168.10.253/32
                          10.84.18.13                  100        ?
  10.84.18.13:2:10.84.53.93/32
                          10.84.18.13                  100        ?
  10.84.18.13:3:250.250.1.253/32
                          10.84.18.13                  100        ?
  10.84.18.14:1:192.168.20.253/32
                          10.84.18.14                  100        ?
  10.84.18.14:2:250.250.2.253/32
                          10.84.18.14                  100        ?

## Data path: the route to VM 10.84.53.93 resolves over the dynamic GRE tunnel (gr-0/0/0.32772) to the compute node hosting the VM, with MPLS label 22 pushed
root> show route 10.84.53.93/32

public.inet.0: 4 destinations, 6 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.84.53.93/32     *[BGP/170] 20:40:33, localpref 100, from 10.84.18.12
                      AS path: ?, validation-state: unverified
                    > via gr-0/0/0.32772, Push 22
                    [BGP/170] 20:40:33, localpref 100, from 10.84.18.13
                      AS path: ?, validation-state: unverified
                    > via gr-0/0/0.32772, Push 22
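The two checks above (every control node Established and accepting routes into the VRF table, and the VM route resolving over a gr- tunnel with a label push) are the ones worth automating on a gateway. The following is an added example, not code from this post or from Junos, that parses the plain-text output of these commands; the sample strings are the outputs shown above. Peer addresses, the local AS and the "gr-" tunnel prefix are assumptions about this lab; in production, fetch the same data through NETCONF or "| display xml" rather than screen-scraping the CLI.

```python
"""Control-path and data-path sanity checks for an MX gateway to OpenContrail (added example)."""
import re

# Sample CLI output, copied from the walkthrough above
BGP_SUMMARY = """\
Groups: 1 Peers: 2 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
bgp.l3vpn.0           78         69          0          0          0          0
Peer     AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
10.84.18.12 64512 22019 23624 0 1 1w0d12h Establ
  bgp.l3vpn.0: 9/9/9/0
  public.inet.0: 1/1/1/0
10.84.18.13 64512 22023 23624 0 1 1w0d12h Establ
  bgp.l3vpn.0: 0/9/9/0
  public.inet.0: 0/1/1/0
"""

SHOW_ROUTE = """\
public.inet.0: 4 destinations, 6 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.84.53.93/32     *[BGP/170] 20:40:33, localpref 100, from 10.84.18.12
                      AS path: ?, validation-state: unverified
                    > via gr-0/0/0.32772, Push 22
                    [BGP/170] 20:40:33, localpref 100, from 10.84.18.13
                      AS path: ?, validation-state: unverified
                    > via gr-0/0/0.32772, Push 22
"""

# Peer line: address, AS, InPkt, OutPkt, OutQ, Flaps, Last Up/Dwn, State
PEER_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)(?:\s+\d+){4}\s+\S+\s+(\S+)")
# Per-table counters under a peer: table: active/received/accepted/damped
TABLE_RE = re.compile(r"^\s*(\S+):\s+(\d+)/(\d+)/(\d+)/(\d+)")
PATH_RE = re.compile(r"(\*?)\[BGP/\d+\].*?\bfrom\s+(\S+)")
VIA_RE = re.compile(r"\bvia\s+([^\s,]+)(?:,\s+Push\s+(\d+))?")


def parse_bgp_summary(text: str) -> dict:
    """Map peer address -> {'as', 'state', 'tables': {table: (active, received, accepted, damped)}}."""
    peers, current = {}, None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            current = {"as": int(m.group(2)), "state": m.group(3), "tables": {}}
            peers[m.group(1)] = current
            continue
        m = TABLE_RE.match(line)
        if m and current is not None:
            current["tables"][m.group(1)] = tuple(int(x) for x in m.groups()[1:])
    return peers


def check_peers(peers: dict, expected: set, local_as: int, vrf_table: str = "public.inet.0") -> list:
    """Return findings for the control path; an empty list means every control node looks healthy."""
    findings = []
    for addr in sorted(expected):
        p = peers.get(addr)
        if p is None:
            findings.append(f"{addr}: not present in BGP summary")
            continue
        if p["state"] != "Establ":
            findings.append(f"{addr}: session state {p['state']}")
            continue
        if p["as"] != local_as:
            findings.append(f"{addr}: peer AS {p['as']} != {local_as} (iBGP expected)")
        if p["tables"].get(vrf_table, (0, 0, 0, 0))[2] == 0:
            findings.append(f"{addr}: no accepted routes in {vrf_table}")
    for addr in sorted(set(peers) - set(expected)):
        findings.append(f"{addr}: unexpected BGP peer")  # a peer nobody configured deserves a look
    return findings


def parse_route_paths(text: str) -> list:
    """Return the BGP paths of a 'show route' block: originating peer, active flag, next hop, label."""
    paths = []
    for line in text.splitlines():
        m = PATH_RE.search(line)
        if m:
            paths.append({"active": m.group(1) == "*", "from": m.group(2), "via": None, "label": None})
            continue
        m = VIA_RE.search(line)
        if m and paths:
            paths[-1]["via"] = m.group(1)
            paths[-1]["label"] = int(m.group(2)) if m.group(2) else None
    return paths


def check_data_path(paths: list, tunnel_prefix: str = "gr-") -> list:
    """The active path must resolve over a dynamic GRE tunnel and carry an MPLS label push."""
    active = [p for p in paths if p["active"]]
    if not active:
        return ["no active BGP path"]
    findings = []
    for p in active:
        if not p["via"] or not p["via"].startswith(tunnel_prefix):
            findings.append(f"path from {p['from']} resolves via {p['via']}, not a {tunnel_prefix} tunnel")
        if p["label"] is None:
            findings.append(f"path from {p['from']} has no MPLS label push")
    return findings


if __name__ == "__main__":
    peers = parse_bgp_summary(BGP_SUMMARY)
    print(check_peers(peers, {"10.84.18.12", "10.84.18.13"}, 64512) or "control path OK")
    print(check_data_path(parse_route_paths(SHOW_ROUTE)) or "data path OK")
```

Run it against the output of the two commands on the gateway (for example from a cron job on a management host) and alert on any non-empty finding; an unexpected peer or a VM route that suddenly resolves via something other than a gr- tunnel is exactly the kind of change worth catching early.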
5 ASR 903 as a Gateway
The running configuration below shows a Cisco ASR 903 as a gateway. The building blocks mirror the MX example: a VRF (Contrail) whose route target matches the Contrail virtual network, a VPNv4 iBGP session to the control node (10.84.30.39), and dynamic tunnels, here realized with an L3VPN-over-mGRE encapsulation profile (l3vpn encapsulation ip MGRE) that an inbound route-map applies to the VPNv4 routes, so that a single multipoint Tunnel0 carries the MPLS-in-GRE traffic to every compute node. The back-to-back GRE pair Tunnel102 (global table) and Tunnel103 (VRF Contrail) plays the role of the lt- pair on the MX, leaking the default route into the VRF and the public prefix 10.84.40.128/27 out of it. This is a raw lab capture: the enable secret hash, the vty lines with no login, the unused ip vrf mgre and the placeholder route-maps are lab leftovers and should not be carried into a production configuration.
asr903#show running-config
Building configuration...

Current configuration : 4347 bytes
!
! Last configuration change at 14:20:21 UTC Tue Aug 25 2015
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname asr903
!
boot-start-marker
boot system bootflash:Image/packages.conf
boot-end-marker
!
!
vrf definition Contrail
 rd 64512:10000
 route-target export 64512:10000
 route-target import 64512:10000
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 $1$RAyL$SjMKm.r.vzr3sXehjMYNv1
!
no aaa new-model
!
ip vrf mgre
 rd 1:1
!
ip domain name englab.juniper.net
!
!
!
ipv6 multicast rpf use-bgp
!
!
multilink bundle-name authenticated
!
!
redundancy
 mode sso
!
controller wanphy 0/0/0
!
controller wanphy 0/1/0
!
controller wanphy 0/2/0
!
controller wanphy 0/3/0
!
!
!
ip tftp source-interface GigabitEthernet0
lldp run
!
!
!
!
!
interface Loopback10
 no ip address
!
interface Loopback30
 vrf forwarding Contrail
 ip address 30.30.40.253 255.255.255.255
!
interface Loopback100
 vrf forwarding Contrail
 ip address 10.250.250.10 255.255.255.255
!
interface Loopback102
 ip address 192.0.2.1 255.255.255.255
!
interface Loopback103
 ip address 192.0.2.2 255.255.255.255
!
interface Tunnel102
 ip address 192.168.0.129 255.255.255.252
 tunnel source Loopback102
 tunnel destination 192.0.2.2
!
interface Tunnel103
 vrf forwarding Contrail
 ip address 192.168.0.130 255.255.255.252
 tunnel source Loopback103
 tunnel destination 192.0.2.1
!
interface TenGigabitEthernet0/0/0
 no ip address
 shutdown
!
interface TenGigabitEthernet0/1/0
 no ip address
 shutdown
!
interface TenGigabitEthernet0/2/0
 no ip address
 shutdown
!
interface TenGigabitEthernet0/3/0
 no ip address
 shutdown
!
interface GigabitEthernet0/4/0
 ip address 10.84.40.190 255.255.255.224
 negotiation auto
!
interface GigabitEthernet0/4/1
 vrf forwarding Contrail
 ip address 30.30.0.3 255.255.255.0
 no ip redirects
 ip local-proxy-arp
 ip route-cache same-interface
 negotiation auto
!
interface GigabitEthernet0/4/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/4/3
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/4/4
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/4/5
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/4/6
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/4/7
 ip address 10.84.40.253 255.255.255.192
 negotiation auto
 cdp enable
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.84.61.201 255.255.254.0
 negotiation auto
!
l3vpn encapsulation ip MGRE
 transport ipv4 source GigabitEthernet0/4/7
!
router ospf 101 vrf Contrail
 redistribute connected
 redistribute static
 network 192.0.2.130 0.0.0.0 area 0
!
router ospf 100
 redistribute connected
 redistribute static
 network 192.0.2.129 0.0.0.0 area 0
!
router bgp 64512
 bgp router-id 10.84.40.253
 bgp log-neighbor-changes
 neighbor 10.84.30.39 remote-as 64512
 neighbor 10.84.30.39 update-source GigabitEthernet0/4/7
 !
 address-family ipv4
  no neighbor 10.84.30.39 activate
  default-information originate
 exit-address-family
 !
 address-family vpnv4
  neighbor 10.84.30.39 activate
  neighbor 10.84.30.39 send-community extended
  neighbor 10.84.30.39 route-map SELECT_UPDATE_FOR_L3VPN in
 exit-address-family
 !
 address-family ipv4 vrf Contrail
  redistribute connected
  redistribute static
  default-information originate
 exit-address-family
!
no ip forward-protocol nd
!
no ip http server
ip route 0.0.0.0 0.0.0.0 10.84.40.254
ip route 10.84.40.0 255.255.255.192 10.84.40.189
ip route 10.84.40.64 255.255.255.192 10.84.40.189
ip route 10.84.40.128 255.255.255.224 192.168.0.130
ip route vrf Contrail 0.0.0.0 0.0.0.0 192.168.0.129
ip route vrf Contrail 5.5.5.0 255.255.255.0 Null0
!
cdp run
!
route-map setnh-out permit 10
!
route-map SELECT_UPDATE_FOR_L3VPN permit 10
 set ip next-hop encapsulate l3vpn MGRE
!
route-map set-nh permit 10
!
route-map set-nh permit 20
!
route-map set-nh-contrail permit 10
!
route-map set-nh-ip permit 200
!
!
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 no login
line vty 5 16
 exec-timeout 0 0
 login
!
!
!
end
Verification on the ASR 903: the VM route 10.84.40.131/32 learnt from 10.84.30.39 resolves over the multipoint Tunnel0 created by the MGRE profile, with MPLS label 20, and the profile reports the tunnel and its transport source as up.

asr903#show ip route vrf Contrail

Routing Table: Contrail
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.0.129 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.0.129
      5.0.0.0/24 is subnetted, 1 subnets
S        5.5.5.0 is directly connected, Null0
      10.0.0.0/32 is subnetted, 2 subnets
B        10.84.40.131 [200/0] via 10.84.30.39, 00:22:56, Tunnel0
C        10.250.250.10 is directly connected, Loopback100
      30.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        30.30.0.0/24 is directly connected, GigabitEthernet0/4/1
L        30.30.0.3/32 is directly connected, GigabitEthernet0/4/1
C        30.30.40.253/32 is directly connected, Loopback30
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.128/30 is directly connected, Tunnel103
L        192.168.0.130/32 is directly connected, Tunnel103

asr903#show ip route vrf Contrail 10.84.40.131

Routing Table: Contrail
Routing entry for 10.84.40.131/32
  Known via "bgp 64512", distance 200, metric 0, type internal
  Last update from 10.84.30.39 on Tunnel0, 00:23:08 ago
  Routing Descriptor Blocks:
  * 10.84.30.39 (default), from 10.84.30.39, 00:23:08 ago, via Tunnel0
      Route metric is 0, traffic share count is 1
      AS Hops 0
      MPLS label: 20
      MPLS Flags: MPLS Required

asr903#show ip cef vrf Contrail 10.84.40.131 detail
10.84.40.131/32, epoch 2, flags rib defined all labels
  nexthop 10.84.30.39 Tunnel0 label 20

asr903#show tunnel endpoints
Tunnel0 running in multi-GRE/IP mode
 Endpoint transport 10.84.30.39 Refcount 3 Base 0x3067EEF8 Create Time 00:23:56
   overlay 10.84.30.39 Refcount 2 Parent 0x3067EEF8 Create Time 00:23:56

asr903#show l3vpn encapsulation ip MGRE
 Profile: MGRE
  transport ipv4 source GigabitEthernet0/4/7
  protocol gre
   payload mpls
   mtu default
  Tunnel Tunnel0 Created [OK]
  Tunnel Linestate [OK]
  Tunnel Transport Source GigabitEthernet0/4/7 [OK]
6 Software Gateway
In this section we look at using a Juniper virtual SRX (vSRX, formerly Firefly Perimeter) as a software gateway to an OpenContrail cloud. Additional details, including the configuration, are published in the link below; the configuration is very similar to the Junos MX gateway configuration above, since the same routing instance, MP-BGP peering and dynamic GRE tunnel elements apply.
7 CONCLUSION
OpenContrail uses open, standards-based control plane and data plane protocols (MP-BGP L3VPN signaling and MPLS-over-GRE encapsulation) and can therefore interoperate with any standards-compliant gateway, physical or virtual, to realize complex real-world use cases such as those described above.